NEW VMSA-2013-0010 VMware Workstation host privilege escalation vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2013-0010
Synopsis:    VMware Workstation host privilege escalation vulnerability
Issue date:  2013-08-22
Updated on:  2013-08-22 (initial advisory)
CVE numbers: CVE-2013-1662
- ------------------------------------------------------------------------

1. Summary

   VMware Workstation and VMware Player address a vulnerability in the
   vmware-mount component which could result in a privilege escalation
   on Linux-based host machines.

2. Relevant releases

   VMware Workstation 9.x
   VMware Workstation 8.x
   VMware Player 5.x
   VMware Player 4.x

3. Problem Description

 a. VMware mount privilege escalation

   VMware Workstation and Player contain a vulnerability in the handling
   of the vmware-mount command. A local malicious user may exploit this
   vulnerability to escalate their privileges to root on the host OS.

   The issue is present when Workstation or Player are installed on a
   Debian-based version of Linux.

   The vulnerability does not allow for privilege escalation from the
   Guest Operating System to the host or vice-versa. This means that
   host memory can not be manipulated from the Guest Operating System.

   Workaround

   A workaround for the issue is to remove the setuid bit from
   vmware-mount:

     # chmod u-s /usr/bin/vmware-mount

   This workaround is relevant for both Workstation and Player.

   VMware would like to thank Tavis Ormandy from the Google Security
   Team for reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CVE-2013-1662 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware         Product   Running   Replace with/
   Product        Version   on        Apply Patch
   =============  ========  ========  ==========================
   Workstation    9.x       Linux     * See section 4. Solution
   Workstation    8.x       Linux     * See section 4. Solution
   Player         4.x       Linux     * See section 4. Solution
   Player         5.x       Linux     * See section 4. Solution
   Fusion         any       Mac/OS    Not affected
   ESXi           any       ESXi      Not affected
   ESX            any       ESX       Not affected

   * The issue is present if Workstation or Player is installed on a
     Debian-based version of Linux (e.g. Ubuntu).

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   VMware Workstation 9.x, 8.x
   ---------------------------
   https://www.vmware.com/go/downloadworkstation

   To remediate the issue, replace /usr/bin/vmware-mount on the host
   with a fixed version present in the Drivers and Tools tab of the
   download page for Workstation listed above.

   VMware Player 5.x, 4.x
   ----------------------
   https://www.vmware.com/go/downloadplayer

   To remediate the issue, replace /usr/bin/vmware-mount on the host
   with a fixed version present in the Drivers and Tools tab of the
   download page for Player listed above.

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1662

- ------------------------------------------------------------------------

6. Change log

   2013-08-22 VMSA-2013-0010
   Initial security advisory in conjunction with the release of an
   updated version of vmware-mount for Workstation 8 and Workstation 9
   and Player 4 and Player 5.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   * security-announce at lists.vmware.com
   * bugtraq at securityfocus.com
   * full-disclosure at lists.grok.org.uk

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html

   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html

   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html

   Copyright 2013 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFSFu9lDEcm8Vbi9kMRAu32AKCPNTg8o3hnMUqce2gbqHqSc9ME0wCgmO8+
I3i2ZZfaFD8Yyur2Tr47cWk=
=wKD7
-----END PGP SIGNATURE-----
CVE-2013-4124 samba dos exploit
Hi folks!

I added an automated offset and a second argv for the server name (for the NBT session) to the samba DoS exploit I released before, and I attached the exploit to the article for it. The samba DoS exploit should work!

- samba dos exploit: http://www.x90c.org/exploits/samba_nttrans_exploit.c
- the article with the analysis: http://www.x90c.org/articles/samba_nttrans_reply_integer_overflow.txt

x90c
[ MDVSA-2013:217 ] spice
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:217
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : spice
 Date    : August 23, 2013
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated spice packages fix security vulnerability:

 A user able to initiate a spice connection to the guest could use a
 flaw in server/red_channel.c to crash the guest (CVE-2013-4130).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4130
 http://advisories.mageia.org/MGASA-2013-0255.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 d258ed3fef4351d03632bff3db3f813a  mbs1/x86_64/lib64spice-server1-0.12.2-5.1.mbs1.x86_64.rpm
 364d3dc81e024d84432041feea874837  mbs1/x86_64/lib64spice-server-devel-0.12.2-5.1.mbs1.x86_64.rpm
 eef567111d93c6cc3b5de415b0b72fb4  mbs1/x86_64/spice-client-0.12.2-5.1.mbs1.x86_64.rpm
 19c6cea05e9869b346af175b87c308ba  mbs1/SRPMS/spice-0.12.2-5.1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFSFyw3mqjQ0CJFipgRAohZAKDUy5ev5cmDbZ/BmNWcpFEf/SbVZwCfW+kl
2kfOLCZuW0lIEtbOoe8gQEQ=
=MRzA
-----END PGP SIGNATURE-----
[ MDVSA-2013:216 ] perl-Proc-ProcessTable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:216
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : perl-Proc-ProcessTable
 Date    : August 23, 2013
 Affected: Business Server 1.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Updated perl-Proc-ProcessTable package fixes security vulnerability:

 ProcessTable.pm in the Proc::ProcessTable module 0.45 for Perl, when
 TTY information caching is enabled, allows local users to overwrite
 arbitrary files via a symlink attack on /tmp/TTYDEVS (CVE-2011-4363).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4363
 http://advisories.mageia.org/MGASA-2013-0254.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 9eaae66463d99011badb3f4cd7cde59b  mes5/i586/perl-Proc-ProcessTable-0.48-0.1mdvmes5.2.i586.rpm
 2ae96cb98db7c92cc386563310ae9525  mes5/SRPMS/perl-Proc-ProcessTable-0.48-0.1mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 b6f1990422bd1eec1fba93a040890394  mes5/x86_64/perl-Proc-ProcessTable-0.48-0.1mdvmes5.2.x86_64.rpm
 2ae96cb98db7c92cc386563310ae9525  mes5/SRPMS/perl-Proc-ProcessTable-0.48-0.1mdvmes5.2.src.rpm

 Mandriva Business Server 1/X86_64:
 7ddea6ddc57b10531aae66f81ee57cd5  mbs1/x86_64/perl-Proc-ProcessTable-0.480.0-1.mbs1.x86_64.rpm
 ad37fc01c83f210e545fcd08bbce6231  mbs1/SRPMS/perl-Proc-ProcessTable-0.480.0-1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFSFyQ4mqjQ0CJFipgRAlN7AJ91z9t8wDGXBwii8HEMM6kuRw0WMQCg3MUL
TBDUyrAeaLsA+uZrsuVc9qM=
=998B
-----END PGP SIGNATURE-----
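The advisory above describes a classic /tmp symlink attack: a privileged or victim process writes a cache to a predictable path in a shared, world-writable directory, and a local attacker pre-plants a symlink at that path so the write lands on a file the attacker could not otherwise touch. The following is an added example (not Proc::ProcessTable's code and not Mandriva's fix) showing the vulnerable open() pattern beside a hardened one in Python. The file name TTYDEVS is taken from the advisory; the stand-in directory, victim file and contents are constructed for the demonstration.

```python
"""Added example: the /tmp symlink-attack pattern behind CVE-2011-4363.
Not the module's own code; directory layout and file contents are constructed."""
import os
import tempfile


def unsafe_write_cache(cache_path, data):
    """Vulnerable pattern: a predictable file in a shared directory is opened
    with plain open(), which follows a symlink and truncates whatever the
    link points at."""
    with open(cache_path, "w") as fh:
        fh.write(data)


def safe_write_cache(cache_path, data):
    """Hardened pattern: O_CREAT|O_EXCL fails if anything already exists at
    the path (a pre-planted symlink included), O_NOFOLLOW refuses to traverse
    a symlink as the final component, and mode 0600 keeps the file private.
    O_NOFOLLOW is absent on some platforms, hence the getattr fallback."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(cache_path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def victim_survives(writer):
    """Simulate the race already lost: the attacker has planted
    <shared dir>/TTYDEVS as a symlink to a file they cannot otherwise write.
    Returns True if the victim file is untouched after `writer` runs."""
    shared_dir = tempfile.mkdtemp(prefix="fake-tmp-")  # stands in for /tmp
    victim = os.path.join(shared_dir, "victim.conf")   # constructed target file
    with open(victim, "w") as fh:
        fh.write("original contents\n")
    cache = os.path.join(shared_dir, "TTYDEVS")
    os.symlink(victim, cache)                          # the attacker's move
    try:
        writer(cache, "attacker-chosen contents\n")
    except OSError:
        pass                                           # refusing to write is the safe outcome
    with open(victim) as fh:
        return fh.read() == "original contents\n"


if __name__ == "__main__":
    print("plain open():      victim intact =", victim_survives(unsafe_write_cache))
    print("O_EXCL|O_NOFOLLOW: victim intact =", victim_survives(safe_write_cache))
```

The hardened open() only refuses to be tricked; it still leaves a denial-of-service (the attacker can keep the path occupied). The robust design is to keep such caches out of shared directories altogether, for example under a per-user directory with restrictive permissions, or to drop the cache.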
[ MDVSA-2013:218 ] python-django
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:218
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : python-django
 Date    : August 23, 2013
 Affected: Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Updated python-django package fixes security vulnerability:

 The is_safe_url() function has been modified to properly recognize and
 reject URLs which specify a scheme other than HTTP or HTTPS, to prevent
 cross-site scripting attacks through redirecting to other schemes, such
 as javascript. (CVE-2013-4249).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4249
 http://advisories.mageia.org/MGASA-2013-0256.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 af93d44d1a039b04b96bb52878d3f96c  mes5/i586/python-django-1.3.7-0.1mdvmes5.2.noarch.rpm
 2c4655390685d6c6d4c69b53b95f434f  mes5/SRPMS/python-django-1.3.7-0.1mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 45e29127045c0011af5fce04e5d168c2  mes5/x86_64/python-django-1.3.7-0.1mdvmes5.2.noarch.rpm
 2c4655390685d6c6d4c69b53b95f434f  mes5/SRPMS/python-django-1.3.7-0.1mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFSFzzUmqjQ0CJFipgRApRcAJ9JfItcRYBsafJrCOqAtkRV/pbPMACcD/PD
iOmydusTwj7v/4ROLM0Xt60=
=I8J+
-----END PGP SIGNATURE-----
[ MDVSA-2013:219 ] libtiff
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:219
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : libtiff
 Date    : August 23, 2013
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated libtiff packages fix security vulnerabilities:

 Pedro Ribeiro discovered a buffer overflow flaw in rgb2ycbcr, a tool
 to convert RGB color, greyscale, or bi-level TIFF images to YCbCr
 images, and multiple buffer overflow flaws in gif2tiff, a tool to
 convert GIF images to TIFF. A remote attacker could provide a
 specially-crafted TIFF or GIF file that, when processed by rgb2ycbcr
 and gif2tiff respectively, would cause the tool to crash or,
 potentially, execute arbitrary code with the privileges of the user
 running the tool (CVE-2013-4231).

 Pedro Ribeiro discovered a use-after-free flaw in the
 t2p_readwrite_pdf_image() function in tiff2pdf, a tool for converting
 a TIFF image to a PDF document. A remote attacker could provide a
 specially-crafted TIFF file that, when processed by tiff2pdf, would
 cause tiff2pdf to crash or, potentially, execute arbitrary code with
 the privileges of the user running tiff2pdf (CVE-2013-4232).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4231
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4232
 http://advisories.mageia.org/MGASA-2013-0258.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 26c946236bf17abb20eaff3f27bc880b  mbs1/x86_64/lib64tiff5-4.0.1-3.3.mbs1.x86_64.rpm
 6204b5dbe8250246d9be4c9eb3d7b87d  mbs1/x86_64/lib64tiff-devel-4.0.1-3.3.mbs1.x86_64.rpm
 2dc959358955ced919e655171ca8276a  mbs1/x86_64/lib64tiff-static-devel-4.0.1-3.3.mbs1.x86_64.rpm
 97ca36de8a29a9c4c9c6f89b6652116d  mbs1/x86_64/libtiff-progs-4.0.1-3.3.mbs1.x86_64.rpm
 d57391c99eb0ac5591fe56d189a22c85  mbs1/SRPMS/libtiff-4.0.1-3.3.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFSF0l8mqjQ0CJFipgRAj1aAKDuNjNt51NBDm/YIZxZTbzwLww8AwCfeJL2
YQzU5Y4XwYJx9VOOBoTAxDk=
=k48o
-----END PGP SIGNATURE-----
Wordpress videowhisper-live-streaming-integration Plugin Xss vulnerabilities
The Wordpress videowhisper-live-streaming-integration Plugin suffers from a Cross-Site Scripting vulnerability.

#
# Iranian Exploit DataBase Forum
# http://iedb.ir/acc
# http://iedb.ir
#
# Exploit Title  : Wordpress videowhisper-live-streaming-integration Plugin Xss vulnerabilities
# Author         : Iranian Exploit DataBase
# Discovered By  : IeDb
# Email          : iedb.t...@gmail.com
# Home           : http://iedb.ir - http://iedb.ir/acc
# Software Link  : http://wordpress.org/plugins/videowhisper-live-streaming-integration/
# Security Risk  : High
# Tested on      : Linux
# Dork           : inurl:/videowhisper-live-streaming-integration/ls/htmlchat.php
#
# C0de :

    <?php
    $room = $_GET['n'];
    if (!$room) $room = $_POST['n'];

    //do not allow access to other folders
    if ( strstr($room, "/") || strstr($room, "..") )
    {
        echo "Access denied.";
        exit;
    }

    $name = $_POST['name'];
    $message = $_POST['message'];

    $day = date("y-M-j", time());
    $chatfile = "uploads/$room/Log$day.html";
    ?>

# Exploit :
# Please open the vulnerable site. Put the script in the Name or Message field.
#
# Dem0 :
# http://fmi.gov.ng/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php
# http://www.tambasurfcompany.com/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php
# http://www.galactic.to/NETI/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php
# http://www.piggybankblog.com/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php
# http://pecelifijianmethodist.org/wp-content/plugins/videowhisper-live-streaming-integration/ls/htmlchat.php
#
# Exploit Archive = http://www.iedb.ir/exploits-402.html
#
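The snippet in the post shows the two inputs that matter: the room name, which is at least checked for "/" and "..", and the name/message fields, which are written into a per-day HTML log that every other visitor of the room later loads. Nothing encodes them, so a `<script>` tag posted once is served to everyone (stored XSS). The following is an added example, not the plugin's code and not a vendor fix, rewriting the same flow in Python with the missing output encoding. Field semantics, the room guard and the `uploads/<room>/Log<day>.html` layout follow the PHP above; the log directory and the probe payload are constructed here.

```python
"""Added example (not the plugin's code): the htmlchat.php flow with and
without HTML encoding of the user-supplied name and message."""
import html
import os
import tempfile
import time


def room_is_allowed(room):
    """Same guard as the PHP: reject a room containing '/' or '..' so the
    log file cannot be placed outside uploads/."""
    return bool(room) and "/" not in room and ".." not in room


def render_line_vulnerable(name, message):
    """What the plugin effectively does: raw user input into HTML."""
    return "<b>%s</b>: %s<br>\n" % (name, message)


def render_line_safe(name, message):
    """Fix: HTML-encode every untrusted value before it lands in the log.
    quote=True also encodes quotes, so the value is safe inside attributes."""
    return "<b>%s</b>: %s<br>\n" % (html.escape(name, quote=True),
                                    html.escape(message, quote=True))


def append_chat_line(uploads_dir, room, name, message, render=render_line_safe):
    """Append one line to uploads/<room>/Log<yy-Mon-d>.html and return the path.
    The day format mirrors PHP date("y-M-j"): two-digit year, month
    abbreviation, day without leading zero."""
    if not room_is_allowed(room):
        raise ValueError("Access denied.")
    t = time.localtime()
    day = "%02d-%s-%d" % (t.tm_year % 100, time.strftime("%b", t), t.tm_mday)
    room_dir = os.path.join(uploads_dir, room)
    os.makedirs(room_dir, exist_ok=True)
    path = os.path.join(room_dir, "Log%s.html" % day)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(render(name, message))
    return path


PAYLOAD = "<script>alert(document.cookie)</script>"   # constructed XSS probe


def log_contains_script(render):
    """Post the probe through `render` and report whether a raw <script>
    tag ended up in the HTML log other chat users will load."""
    uploads = tempfile.mkdtemp(prefix="uploads-")      # stands in for uploads/
    path = append_chat_line(uploads, "lobby", "mallory", PAYLOAD, render)
    with open(path, encoding="utf-8") as fh:
        return "<script>" in fh.read()


if __name__ == "__main__":
    print("vulnerable renderer stores <script>:", log_contains_script(render_line_vulnerable))
    print("escaping renderer stores <script>:  ", log_contains_script(render_line_safe))
```

Encoding at the point where data becomes HTML is the fix; filtering "bad" strings on input is not, because the log is HTML and any HTML metacharacter in the value is the problem, not a particular tag name.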
PayPal Bug Bounty #110 - Auth Bypass (Session) Vulnerability
Title:
======
PayPal Bug Bounty #110 - Auth Bypass (Session) Vulnerability

Date:
=====
2013-08-21

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1056

PayPal Security UID: oebaLK

VL-ID:
=====
1056

Common Vulnerability Scoring System:
====================================
9.1

Introduction:
=============
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally, a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer's choice. But some time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy (for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards. The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies.

On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale, Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across Europe, PayPal also operates as a Luxembourg-based bank.

On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China's bankcard association, to allow Chinese consumers to use PayPal to shop online. PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010. Between December 4-9, 2010, PayPal services were attacked in a series of denial-of-service attacks organized by Anonymous in retaliation for PayPal's decision to freeze the account of WikiLeaks citing terms of use violations over the publication of leaked US diplomatic cables.

(Copy of the Homepage: www.paypal.com)

[http://en.wikipedia.org/wiki/PayPal]

Abstract:
=========
An independent vulnerability laboratory researcher discovered a Web Vulnerability in the PayPal QR Labs Service Web Application.

Report-Timeline:
================
2012-04-27: Researcher Notification & Coordination (Cernica Ionut)
2013-04-28: Vendor Notification (PayPal Inc Security Incident Team - Bug Bounty Program)
2013-05-05: Vendor Response (PayPal Inc Security Incident Team - Bug Bounty Program)
2013-08-20: Vendor Fix/Patch (PayPal Inc Developer Team - Bug Bounty Program Reward)
2013-08-21: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================
PayPal Inc
Product: PayPal Account Service Application 2013 Q2

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Proof of Concept:
=================
The vulnerability can be exploited by remote attackers with a low-privilege PayPal application user account and without user interaction.
For demonstration or to reproduce ...

After testing the web application paypal.com I discovered that if you have a US account and the following page is visited (https://www.paypal.com/us/cgi-bin/?cmd=_bc-signup&channel=1&promo=503), you can add a new email from that page. The problem is that even if the e-mail you try to add to your account is already registered with PayPal, the new e-mail will be added into your account as unconfirmed.

Delete any account on PayPal:
After you added an existing email to your account, if you go to the account profile and you delete the unconfirmed email, the original account
[SECURITY] [DSA 2740-1] python-django security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2740-1                   secur...@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
August 23, 2013                        http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-django
Vulnerability  : cross-site scripting vulnerability
Problem type   : remote
Debian-specific: no

Nick Brunn reported a possible cross-site scripting vulnerability in
python-django, a high-level Python web development framework.

The is_safe_url utility function used to validate that a used URL is on
the current host to avoid potentially dangerous redirects from
maliciously-constructed querystrings, worked as intended for HTTP and
HTTPS URLs, but permitted redirects to other schemes, such as
javascript:.

The is_safe_url function has been modified to properly recognize and
reject URLs which specify a scheme other than HTTP or HTTPS, to prevent
cross-site scripting attacks through redirecting to other schemes.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1.2.3-3+squeeze6.

For the stable distribution (wheezy), this problem has been fixed in
version 1.4.5-1+deb7u1.

For the testing distribution (jessie) and the unstable distribution
(sid), this problem has been fixed in version 1.5.2-1.

We recommend that you upgrade your python-django packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBCgAGBQJSF54KAAoJEHidbwV/2GP+Q0UP/1epNJcIUv9J5/p7efJVaOUI
AtjvCuXVQ/RYWZm5v/0Vg+Vsalx8UEXihStmM93uwT/jb9Xhpe7vvBbUnb2F9ijr
TFVyzkrg5hnMurONLsjf5gvXfv/EHQ3r0wIoLBBwUGik8tpSNDrc3YaFAT0ZyI3a
n1Yb9XKp0qXKcd+pBAWEy/exHCcYhJ/bCVqG5xHMgAtkpD+RSVhTiWR0J+PpEufe
9VvFMXk8VR2gD9jk3eNZGy6vVemcY1HURAb2u6Utr1SFd1wsUQZ/ejkkISZ4c/cv
QefllwtxoSuYR0TXzJdz8oDmBVr/DpZCAP0TqrpqLzor7Dyc2SHMTfbLTM7mgbIB
U5K3og4ErOSturPCHXNZaId2dU5fDlmt4nFiZldFRc8EwTKcJycXv3Ub2cbgO8AO
rpCC2GjageWKDkS2EfnQdTsjWHITL4gONu+QgEU0CceU9ylElzWIcPaSHaVF5UnE
OnMSpiWsuES1UFdTMbArPd1IPc3xKba/u+ue1tnnMhvpQmpQMoNrJwIZz259C+u9
/o6SZwguYB2PTgFt2U8lj1/tKWl3pErWkN3I+L1bZ32Fpjh9idAIkQxDDG+ch+yB
XHler6fu6axQwn51r0kFHdunEbRH3Ul0Yq810mD36SG4NHRp4BFrk7Ykv01vA0YK
taq9A59tvxzUBf1qZ0fL
=S66t
-----END PGP SIGNATURE-----
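Both the Mandriva MDVSA-2013:218 entry and the Debian DSA-2740-1 entry above describe the same weakness in is_safe_url: a host check alone lets through any URL that has a scheme but no network location, because `javascript:alert(1)` has an empty netloc and so looks "local". The following is an added example, written here and not Django's own code, that reproduces the before/after logic of the check on constructed URLs and a constructed host name. It covers only the scheme check the advisories describe; real deployments should rely on the framework's current implementation, which has since been tightened further (for example around backslashes and leading control characters), rather than on this sketch.

```python
"""Added example (not Django's code): is_safe_url-style redirect validation
before and after the CVE-2013-4249 fix. Host and sample URLs are constructed."""
from urllib.parse import urlparse

ALLOWED_SCHEMES = ("http", "https")


def is_safe_url_before(url, host):
    """Pre-fix logic: only the network location is compared against the
    current host. A URL with a scheme but no netloc (javascript:, data:)
    has an empty netloc and is therefore accepted."""
    if not url:
        return False
    parts = urlparse(url)
    return not parts.netloc or parts.netloc == host


def is_safe_url_after(url, host):
    """Fixed logic: additionally require the scheme to be empty (relative
    URL) or http/https. urlparse lower-cases the scheme, so mixed-case
    variants such as JaVaScRiPt: do not slip through."""
    if not url:
        return False
    parts = urlparse(url)
    host_ok = not parts.netloc or parts.netloc == host
    scheme_ok = not parts.scheme or parts.scheme in ALLOWED_SCHEMES
    return host_ok and scheme_ok


def redirect_target(next_param, host, default="/", check=is_safe_url_after):
    """Typical login-view use: honour ?next= only when the check passes,
    otherwise fall back to a fixed local path."""
    return next_param if check(next_param, host) else default


SAMPLES = [  # constructed inputs, from benign to hostile
    "/accounts/profile/",
    "https://example.com/dashboard",
    "https://evil.example/phish",
    "//evil.example/phish",
    "javascript:alert(document.cookie)",
    "JaVaScRiPt:alert(1)",
    "data:text/html,<script>alert(1)</script>",
    "ftp://example.com/pub",
]


def compare(host="example.com"):
    """Map each sample URL to (before, after) verdicts for the given host."""
    return {u: (is_safe_url_before(u, host), is_safe_url_after(u, host)) for u in SAMPLES}


if __name__ == "__main__":
    for url, (before, after) in compare().items():
        print("%-45s before=%-5s after=%s" % (url, before, after))
```

The ftp: sample is the instructive one: its netloc equals the host, so the old check passes it, yet a redirect there is not something a login flow should ever issue. Allow-listing the schemes you actually serve is the right shape of fix; block-listing `javascript` alone would not have been.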