Re: [Full-disclosure] Hacktics Advisory Dec09: Oracle eBusiness Suite - Multiple Vulnerabilities Allow Remote Takeover

2009-12-14 Thread Freddie Vicious
]/icx_define_pages.DispPageDialog?p_mode=CREATE


 The injected script will be executed when the user accesses the main URL:
   http://host:port/pls/[DADName]/OracleMyPage.home

 It is important to note that our testing has indicated that different
 versions have different mitigation levels of this vulnerability, requiring,
 in some situations, utilizing XSS evasion techniques to overcome certain
 input validation and sanitation mechanisms:

 * For earlier versions, injecting a simple SCRIPT suffices:
 <SCRIPT>alert('XSS')</SCRIPT>

 * Some versions limit the permitted characters, and thus require the tester
 to insert JavaScript without utilizing tags, by injecting a script into the
 text box as follows:
  );alert('XSS');//

 * Later versions appear to also enforce server-side length restrictions on
 the vulnerable parameters. As a result, multiple separate injections are
 required to achieve script execution, such as:
  );/*
  */alert/*
  */(/*
  */'XSS'/*
  */);//

 ===
 IV. Exploit
 ===
 The exploit is performed by combining the three vulnerabilities, as
 described in the following scenario:

 A. Initially, an attacker gains guest access to the system, by first
 accessing:
   http://host:port/OA_HTML/OA.jsp

 While an error is generated at this step, the attacker can proceed now to
 the My Homepage page, which will now allow guest access:
   http://host:port/pls/[DADName]/OracleMyPage.home

 B. The attacker now goes to edit his personal homepage, by accessing the
 Edit Page List URL:
   http://host:port/pls/[DADName]/icx_define_pages.editpagelist

 The attacker then selects his homepage, and clicks Rename (opening the
 following URL):

   http://host:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=[page_id]

 C. The attacker now changes the [p_page_id] to the [p_page_id] of the
 victim's page (as this is an incremental ID, simple trial and error could
 be used until the administrator's user page is identified).

 D. The attacker then uses the Rename Form to change the name of the page
 from its original name to an embedded script:

   );alert('XSS');//

 This script can now be replaced with the relevant payload, for instance, a
 script that steals the session ID and sends it to the attacker.

 ===
 V. Affected Systems
 ===
 This vulnerability was tested and identified in Oracle eBusiness Suite
 versions 10 and 11.

 ==
 VI. Vendor's Response/Solution
 ==
 Oracle's security alerts group has been notified of this vulnerability in
 early November.
 According to Oracle, the first issue is not a vulnerability - guest access
 is permitted by design. The other two have been acknowledged by Oracle, and
 have been fixed in the Jan-2009 CPU:


 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

 It is important to note that the default fix for this vulnerability is a
 script removing this interface (which is now replaced with a new OA
 Framework). Customers unwilling or unable to switch to the new interface,
 should apply patch 7567354 which, according to Oracle, fixes these
 vulnerabilities on the obsolete packages (Hacktics has not performed tests
 to verify this patch).

 ===
 VII. Credit
 ===
 These vulnerabilities were discovered by:
   Shay Chen, Technical Leader, Security Services, Hacktics.
 Additional Contribution:
   Gil Cohen, Application Security Consultant, Hacktics.
   Oren Hafif, Application Security Consultant, Hacktics.


 ---
 Ofer Maor
 CTO, Hacktics
 Chairman, OWASP Israel

 Web: www.hacktics.com


 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/




-- 
Best wishes,
Freddie Vicious
http://twitter.com/viciousf
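
The two issues Oracle acknowledged in the advisory quoted above (a rename that accepts another user's p_page_id, and a page name that runs as script despite character and length filters) correspond to two server-side controls: an ownership check on the object id and output encoding for the context the name is rendered into. The sketch below is an added example, not part of the original post and not Oracle's patch; the store layout, the `addTab` sink and all function names are hypothetical, and it assumes the page name ends up inside a JavaScript string literal.

```javascript
// Added example: hypothetical names throughout, not Oracle's code.

// Constructed sample data: personal pages keyed by an incremental id.
function makeStore() {
  return new Map([
    [101, { owner: 'GUEST', name: 'My Page' }],
    [102, { owner: 'SYSADMIN', name: 'Admin Home' }],
  ]);
}

// Object-level authorization: the p_page_id in the request is only honoured
// when the page belongs to the session's user.
function renamePage(store, sessionUser, pageId, newName) {
  const page = store.get(Number(pageId));
  // Same answer for "no such page" and "not your page", so walking the
  // incremental ids reveals nothing.
  if (!page || page.owner !== sessionUser) {
    return { ok: false, error: 'page not found' };
  }
  if (typeof newName !== 'string' || newName.length < 1 || newName.length > 80) {
    return { ok: false, error: 'invalid name' };
  }
  page.name = newName; // stored as typed; encoding is applied at output time
  return { ok: true };
}

// Encoder for a JavaScript string-literal context: every UTF-16 code unit
// other than ASCII letters, digits and space is written as \uXXXX.
function jsStringEncode(value) {
  const s = String(value);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    out += /[A-Za-z0-9 ]/.test(ch)
      ? ch
      : '\\u' + s.charCodeAt(i).toString(16).padStart(4, '0');
  }
  return out;
}

// Renders one call per page name; addTab is a hypothetical client-side sink.
function renderPageMenu(names) {
  return names.map((n) => 'addTab("' + jsStringEncode(n) + '");').join('\n');
}

// True when every rendered line is still a single call with one string literal.
function isInert(script) {
  const line = /^addTab\("(?:[A-Za-z0-9 ]|\\u[0-9a-f]{4})*"\);$/;
  return script.split('\n').every((l) => line.test(l));
}

// Tag-less and length-split strings quoted in the advisory, used as test input.
const ADVISORY_SAMPLES = [
  ");alert('XSS');//",
  ');/*', '*/alert/*', '*/(/*', "*/'XSS'/*", '*/);//',
];
```

Because the encoder works on the output side, the length-split fragments stay inert even when several fields are rendered one after another, which is the case the per-field input filters missed.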

Re: [Full-disclosure] Gadi Evron: SecuriTeam: The Mossad: IE 0day for sale

2009-12-12 Thread Freddie Vicious
Obviously you were banned for a reason, n3td3v. Spread your bullshit
elsewhere.

On Sat, Dec 12, 2009 at 12:56 PM, cyber armageddon 
cyberarmaged...@googlemail.com wrote:

 Please don't give to Gadi Evron and/or The Mossad that would be a crime
 against humanity and the west.

 Remember folks, Securiteam.com is a front for Gadi Evron and The Mossad, do
 _not_ send to them under any circumstances.

 Only last month The Mossad were caught planting fake car bombs in Tel Aviv,
 that's not a people you want to be associated with.

 The fake car bombs could be a prep for anywhere, you don't know where they
 were training for, it could be against any of us.

 Report from BBC:
 http://news.bbc.co.uk/1/hi/world/middle_east/8377746.stm

 Analysis by Reuters:
 http://blogs.reuters.com/axismundi/2009/11/25/frayed-cloak-rusty-dagger/

 On Sat, Dec 12, 2009 at 3:12 AM, Jeff Williams jeffwilli...@gmail.com
 wrote:
  And the question is now:
  should the Mossad, NSA, etc be considered as bad guys ?
 
 
 
 
  2009/12/12 Jeff Williams jeffwilli...@gmail.com
 
  If idefense pay 7000$ for a RCE on IE, it's possibly because they sell
  these bugs to the NSA, MOSSAD, MI10 ?
 
  From my understanding, MS do not pay for any reported vulnerability, or
  maybe I missed the make a donation icon on idefense website ?
 
 
 
  2009/12/12 Shyaam shy...@gmail.com
 
  :) Good one Valdis. That is what I was exactly trying to do.
 
  #1. If his intent was good, he would have sent it to the vendor and to
  the US Cert.
  #2. His aim is to get money:
  a. Instead of selling it directly to black market and not getting
  any returns, or having some legal agency stepping onto his doors he
  could as well sell it to these companies.
  b. These companies DO NOT sell stuff to BLACK MARKET. Straighten
  your facts before you accuse any of the below:
  zdi,idefense,securiteam,immunity,etc. They have better things to do
  than to sell it off to the bad guys.
 
  Besides, many people have that kind of a notion only because there are
  many hollywood movie fanatics out there, who suspect every single
  entity around you.
 
  Thanks for your creative response though :). You really cracked me up :)
 
  Shyaam
 
  On Sat, Dec 12, 2009 at 2:31 AM, valdis.kletni...@vt.edu wrote:
 
  On Fri, 11 Dec 2009 20:13:52 EST, Jeff Williams said:
 
   zdi,idefense,securiteam,immunity,etc is a front, your exploit will
   anyways end up on the blackmarket by selling it to these companies.
   How can you be that naive ?
 
  You're talking to somebody willing to sell to the highest bidder on
  F-D. Draw your own conclusions about whether they actually care if it
  ends up on the black market.
 
 
 
 
 
 





-- 
Best wishes,
Freddie Vicious
http://twitter.com/viciousf

[Full-disclosure] IE 0day for sale

2009-12-11 Thread Freddie Vicious
Hello list,

I offer a 0day exploit on Microsoft Internet Explorer, versions 8, 7, 6.
Tested on Windows 2000/XP/2003/Vista/2008/7.
Serious offers only, no bullshit please :)

-- 
Best wishes,
Freddie Vicious
http://twitter.com/viciousf

Re: [Full-disclosure] IE 0day for sale

2009-12-11 Thread Freddie Vicious
Mr. Valdis Kletniesks,
I'll provide proof only for serious bidders. As I said, no bullshit please.

On Fri, Dec 11, 2009 at 6:38 PM, valdis.kletni...@vt.edu wrote:

 On Fri, 11 Dec 2009 18:23:54 +0200, Freddie Vicious said:

  I offer a 0day exploit on Microsoft Internet Explorer, versions 8, 7, 6.
  Tested on Windows 2000/XP/2003/Vista/2008/7.
  Serious offers only, no bullshit please :)

 Extraordinary claims require extraordinary proof - so convince us that
 you in fact have one.




-- 
Best wishes,
Freddie Vicious
http://twitter.com/viciousf

Re: [Full-disclosure] I miss Netdev.

2009-10-18 Thread Freddie Vicious
That's lame...

I don't think anyone misses n3td3v.

On Fri, Oct 16, 2009 at 7:03 AM, Steven James vomithatst...@yahoo.com wrote:

   Awww... My self esteem. :,(



 Message: 14
 Date: Thu, 15 Oct 2009 07:00:40 -0400
 From: McGhee, Eddie eddie.mcg...@ncr.com
 Subject: Re: [Full-disclosure] I miss Netdev.
 To: full-disclosure@lists.grok.org.uk
 full-disclosure@lists.grok.org.uk
 Message-ID:
 def48b74c2b9a041b12df257e0e136dd022b21f...@susday212.corp.ncr.com
 Content-Type: text/plain; charset=us-ascii




 
 From: full-disclosure-boun...@lists.grok.org.uk [mailto:
 full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Steven James
 Sent: 15 October 2009 02:31
 To: full-disclosure@lists.grok.org.uk
 Subject: [Full-disclosure] I miss Netdev.

 So I wrote him a song:
 http://www.soundclick.com/bands/page_songInfo.cfm?bandID=866231&songID=8216151

 I actually don't know what's gayer, netdev or the person who spent time to
 write the song.







-- 
Best wishes,
Freddie Vicious
http://twitter.com/viciousf

Re: [Full-disclosure] Remote buffer overflow in httpdx

2009-10-16 Thread Freddie Vicious
Just saw this on Twitter, an MSF exploit published:
http://www.rec-sec.com/2009/10/16/httpdx-buffer-overflow-exploit/

On Fri, Oct 9, 2009 at 7:58 PM, pankaj...@gmail.com wrote:

 The addr value used is required to reach the ret instruction. The value
 used 0x63b8624f lies in idata segment of n.dll
 Note that in order to reach ret instruction,
 value at addr+0x0e0f should be non-zero for
 if(isset(client->serve.redirect)) to succeed => 004069E1  CMP BYTE PTR
 DS:[EAX+0E0F],0
 and
 addr+0x0f24 should be writable for client->state = STATE_DONE to execute.
 => 00406AAF  MOV DWORD PTR DS:[EAX+0F24],0

 The other two addresses used are
 ret1 = 0x64f8134b (pop ret in core.dll) to pop addr and return to ret2
 ret2 = 0x7c874413 (jmp esp in kernel32.dll) to jump to shellcode following
 ret2.

 Though I am able to get a shell, the retn/offsets used are not universal.

 Thanks,
 Pankaj




-- 
Best wishes,
Freddie Vicious
http://twitter.com/viciousf

Re: [Full-disclosure] Remote buffer overflow in httpdx

2009-10-12 Thread Freddie Vicious
Can't reproduce it too (XPSP3 En + httpdx 1.4.0)...

On Fri, Oct 9, 2009 at 8:49 AM, dr_...@hushmail.com wrote:

 this didn't seem to work for me. Test system XPSP3 + httpdx 1.4.0.

 Definitely causes a crash but the retn/offsets must not be universal?




-- 
Best wishes,
Freddie Vicious
http://twitter.com/viciousf

Re: [Full-disclosure] Exploiting memory corruption vulnerabilities on Internet Explorer 8

2009-10-03 Thread Freddie Vicious
Yeah that's pretty obvious that there's one way or another to bypass DEP and
ASLR but if you chose not to share it and don't have anything useful to say,
it'll be better not to say anything.

On Thu, Oct 1, 2009 at 12:55 PM, Berend-Jan Wever
berendjanwe...@gmail.com wrote:

 FYI: ASLR & DEP can be bypassed on x86, there's just nothing public at the
 moment.

 Cheers,

 SkyLined

 Berend-Jan Wever berendjanwe...@gmail.com
 http://skypher.com/SkyLined




   On Thu, Oct 1, 2009 at 6:44 PM, Freddie Vicious
 fred.vici...@gmail.com wrote:

   Yes, I am aware of the JVM and the Flash AVM heap spray techniques, no
 DEP/ASLR there... But as you said, so far there's no known catch-all
 technique against IE8.
 Along with other security features (
 http://blogs.msdn.com/architecture/archive/2009/08/13/internet-explorer-8-rated-tops-against-malware-and-phishing-attacks.aspx)
 this basically means that IE8 is the most secure web browser nowadays?

  On Thu, Oct 1, 2009 at 8:27 AM, Jared DeMott jared.dem...@harris.com wrote:

 I'm not aware of any catch-all technique just for IE8, though there are
 a few common ones like return oriented programming.  Application
 specific techniques are also common when third party extensions are
 involved.

 --
 __
 Jared D. DeMott
 Principal Security Researcher




 --
 Best wishes,
 Freddie Vicious
 http://twitter.com/viciousf






-- 
Best wishes,
Freddie Vicious
http://twitter.com/viciousf

[Full-disclosure] Exploiting memory corruption vulnerabilities on Internet Explorer 8

2009-10-01 Thread Freddie Vicious
Microsoft released Internet Explorer 8 on March 19, 2009 and up to now
there's no reliable method to exploit memory corruption vulnerabilities on
it?

I mean, on IE6 and IE7 we had SkyLined's heap spray technique, first seen in
the IFRAME overflow exploit [1], which has been used by almost every IE
memory corruption exploit so far. Internet Explorer 8 was enhanced with DEP
and ASLR protections, making heap spray useless. Then Mark Dowd and
Alexander Sotirov published their great paper - Bypassing Browser Memory
Protections [2] providing some excellent techniques, mainly the .NET binary
technique which bypasses DEP and ASLR which was used by Nils on the latest
Pwn2Own to own Internet Explorer 8 RC (Release Candidate) [3] and was used
to mass-exploit other vulnerabilities [4]. One day after Nils owned IE8RC,
Microsoft released Internet Explorer 8 RTM and blocked the option to load
.NET DLL’s from Internet zone and Restricted sites zone. Due to the fact
that most of IE exploitation doesn’t occur in Intranet/Trusted sites/Local
machine zone, this makes the .NET DLL technique irrelevant most of the
times.
So my question is - Is there no reliable method to exploit memory corruption
vulnerabilities in Internet Explorer 8?


[1] http://milw0rm.com/exploits/612
[2] http://taossa.com/archive/bh08sotirovdowd.pdf
[3] http://dvlabs.tippingpoint.com/blog/2009/03/18/pwn2own-2009-day-1---safari-internet-explorer-and-firefox-taken-down-by-four-zero-day-exploits
[4] http://milw0rm.com/exploits/8969

-- 
Best wishes,
Freddie Vicious

Re: [Full-disclosure] Microsuck delaying patch for SMB2 on purpose?

2009-10-01 Thread Freddie Vicious
This vulnerability is still unpatched and the exploit was written by Stephen
Fewer and H D Moore, not by Laurent Gaffie, the original bug finder.

On Wed, Sep 30, 2009 at 6:34 PM, Nick nic...@gmail.com wrote:

 A new exploit for the _Smb2ValidateProviderCallback() function has been
 released by the same person who created the Denial of Service exploit,
 except this one is able to execute code remotely. It seems that ms is sort
 of delaying the quick fix for this exploit. What's even sadder is that they
 knew about it when they developed windows 7 but didn't care to patch windows
 vista.  If they don't release a patch soon, viruses will be all over the
 internet...

 Exploit code:
 http://packetstormsecurity.org/filedesc/smb2_negotiate_func_index.rb.txt.html







-- 
Best wishes,
Freddie Vicious

Re: [Full-disclosure] Exploiting memory corruption vulnerabilities on Internet Explorer 8

2009-10-01 Thread Freddie Vicious
Yes, I am aware of the JVM and the Flash AVM heap spray techniques, no
DEP/ASLR there... But as you said, so far there's no known catch-all
technique against IE8.
Along with other security features (
http://blogs.msdn.com/architecture/archive/2009/08/13/internet-explorer-8-rated-tops-against-malware-and-phishing-attacks.aspx)
this basically means that IE8 is the most secure web browser nowadays?

On Thu, Oct 1, 2009 at 8:27 AM, Jared DeMott jared.dem...@harris.com wrote:

 I'm not aware of any catch-all technique just for IE8, though there are
 a few common ones like return oriented programming.  Application
 specific techniques are also common when third party extensions are
 involved.

 --
 __
 Jared D. DeMott
 Principal Security Researcher




-- 
Best wishes,
Freddie Vicious
http://twitter.com/viciousf

Re: [Full-disclosure] So weev...

2009-10-01 Thread Freddie Vicious
And we should give a damn because?

On Thu, Oct 1, 2009 at 10:14 AM, Wintermute winterm...@hush.com wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 How does it feel to be a hypocrite? And we quote:

 22:02 weev im all for white people cleaning up the nigger problem
 22:03 weev i hate niggers
 22:03 weev i hate niggers.

 Now besides the fact that weev is an annoying little bitch who
 cannot seem to find better things to do with his time than augment
 his racist troll persona, there is a larger irony here: he has two
 younger siblings who are black. Not that we the undersigned have a
 problem with this, but our spidey sense tells us that weev does not
 want you to know. Thus, let us present...

 Chelsea and Anthony Auernheimer! Chelsea started as a college
 freshman this year. She is smart and she loves animals. More about
 Chelsea:

 http://www.zinch.com/z/Nouchii
 http://timesdispatch.mycapture.com/mycapture/enlarge.asp?image=23447
 816event=745571CategoryID=20789 (pic)

 Anthony is a 9th grader. You can follow him on Twitter here:
 http://twitter.com/Antsauercool. As a picture is also in order for
 him:
 http://timesdispatch.mycapture.com/mycapture/enlarge.asp?image=23447
 820event=745571CategoryID=20789

 Now, we would love to know what these two think of their racist
 asshole brother, but have had the common courtesy not to bother
 them with our query. We did, however, more than momentarily
 entertain the idea of getting in touch with weev's parents to
 attempt to discover what has made him the way he is. Weev's mother
 (http://imgur.com/AQpSd.jpg) is a board member of the Richmond PTA
 and made contributions to the Democratic Party last year. She seems
 like a nice person. His father (http://imgur.com/CEaNX.jpg), on the
 other hand, is in his mid 40's, has been CEO of Sealpac USA for the
 last two years, and is by all accounts a great guy. Either parent
 is available for comment at (804) 355-2889. If you would prefer
 postal correspondence, letters can be mailed to:

 2038 W Grace St
 Richmond, VA 23220

 Now, being the troll that he is, weev has no problem with living a
 lie. His recent claim,

  As I said, I haven't ever committed a crime. I am a truly sinless
 man.

 ...is humorous when compared with this admission, delivered while
 smoking moonrocks:

 15:05 weev does anybody know these russians
 15:06 weev that they are buying up hacked macs for 43 cents an
 install
 15:26 weev i have access to like
 15:26 weev 8k rooted macs
 15:26 weev right now
 15:26 weev and i would like to make a quick $3500

 But we cannot really blame the guy. Our hearts goes out to him when
 we see admissions such as this:

 09:50 weev i gotta get some money
 09:50 weev my cashflow sucks
 09:51 weev whores
 09:51 weev lavish cars
 09:51 weev gigantic places to live

 Actually, scratch that. We just kind of LOL at the iProphet and
 imagine him LOLing back.

 And that is all well and good. Standard operating procedure in the
 life of a troll, along with playing some Sims, getting high with
 whatever psychoactives he can get his grubby paws on, making stupid
 videos, and generally proving that he does not know what the fuck
 he is doing with his life. Is weev's current life better than his
 past attempt at freelance web and graphic design? Maybe. He kinda
 sucked at that too. But come on, man, at least aspire to
 *something*.

 Weev, the joke is old. Your number is up. Shut up or shape up. Your
 docs have been pulled. We are ready to drop them at a moment's
 notice, but we momentarily stop to wonder if it would even be worth
 it. The devil is in the details, and yours have cocked the gun that
 has been aimed at your foot for a while. Karma has more butthurt
 waiting for you (in the form of us) than you know what to do
 with. Oh, and a representative in Anaheim has been alerted and will
 be handling this case personally.

 We are, as always, the collective. An agent is standing by to
 assist you with any contentions, queries, or comments resulting
 from this transmission.

 WINTERMUTE
 -BEGIN PGP SIGNATURE-
 Charset: UTF8
 Version: Hush 3.0
 Note: This signature can be verified at https://www.hushtools.com/verify

 -END PGP SIGNATURE-





-- 
Best wishes,
Freddie Vicious
http://twitter.com/viciousf

[Full-disclosure] For sale - Microsoft Internet Explorer 0day

2009-09-28 Thread Freddie Vicious
MS Internet Explorer 0day exploit for sale - remote code execution via
memory corruption.

Serious offers only - fred.vici...@gmail.com

-- 
Best wishes,
Freddie Vicious