Archive for Vulnerability

WordPress PHP Code Execution and Cross-Site Scripting

This one is just off the wire this morning. To fellow WP users out there be aware of this vulnerability and be sure to upgrade your instance as soon as feasible.

From Secunia:

Description:
Two vulnerabilities have been reported in WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and to compromise a vulnerable system.

1) A vulnerability is caused due to improper access restriction of the administration section. This can be exploited to bypass the authentication mechanism and gain administrative access by setting a specially crafted cookie. This can further be exploited to execute arbitrary PHP code.

Successful exploitation of this vulnerability requires that registering new accounts is enabled.

The vulnerability is reported in version 2.5.

2) Input passed to an unspecified parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

Wired’s Threat Level and the CIA

I think that El Jefe must’ve slept in as the daily news isn’t up yet…

I’m surprised at how quickly this story is spreading…

It seems that the CIA has had a bit of an XSS problem (as it turns out, for a while now) and Wired’s Threat Level thought it would be a good one to exploit — purely for the props ya know.

In an age where JavaScript is so ubiquitous that some websites won’t even load if you don’t enable it in your browser, cross-site scripting hacks are everywhere - letting malicious or merely mischievous hackers create links that have some very unintended consequences on websites that are not careful to keep from executing other people’s code.

Most are run-of-the-mill and hardly worth writing about, but reader Harry Sintonen writes in with a vulnerability on the CIA’s site that THREAT LEVEL can’t resist.

For those of you who don’t see it after clicking through, notice that the links lead to the CIA’s site, but display a recent THREAT LEVEL story. Here the CIA search box fails to rip out characters that will run as a script when the site tries to process the search query.

Ryan goes on to take a mea culpa for the Wired site having roughly the same problem, which I find to be a really mature response to an “oops”.

I’m a pretty ballsy guy, but I’m not sure I would’ve gone as far as to goof around with the nice folks at the Company.

What do you think of this sort of “information sharing and disclosure” in a public forum?
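The defect the Wired post describes is a search page that echoes the query back into the HTML without encoding it. As an added illustration (constructed here, not code from any site or author mentioned), here is a minimal vulnerable renderer beside its hardened form, plus the reflection check a defender would run against a page:

```python
import html
from urllib.parse import parse_qs

# Hypothetical search-page renderers, constructed for this example.
# The vulnerable one echoes the raw "q" parameter into the page; the
# hardened one HTML-encodes it first, which is the fix the post implies.

def _query(query_string: str) -> str:
    return parse_qs(query_string, keep_blank_values=True).get("q", [""])[0]

def render_vulnerable(query_string: str) -> str:
    """Reflects the search term verbatim: any markup in it becomes live HTML."""
    return f"<h1>Results for: {_query(query_string)}</h1>"

def render_hardened(query_string: str) -> str:
    """Same page, but the term is escaped for an HTML text context before output."""
    return f"<h1>Results for: {html.escape(_query(query_string), quote=True)}</h1>"

def reflects_markup(page: str, marker: str) -> bool:
    """Defender's check: does the rendered page still contain the raw markup
    that was submitted? True means the term is being reflected unencoded."""
    return marker in page

# Harmless constructed probe: inert markup, enough to show whether the
# page reflects tags without running anything.
PROBE = "<b>probe</b>"
```

Escaping for the HTML text context is the minimum; a term placed inside an attribute or a script block needs the encoding appropriate to that context.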

Hacker Torpedoes Windows Server 2008 Security Design

I can’t say that I’m overly surprised. I had loaded up a copy of 2008 that I received at Black Hat last year into a virtual machine. I poked around in it for a couple minutes and shut it down. I just didn’t have the stomach to deal with it at the time. Well, it appears that others had the intestinal fortitude that I was sorely lacking.

From eWeek:

Cesar Cerrudo, founder and CEO of Argeniss Information Security, in Parana, Argentina, says the weaknesses could lead to privilege escalation attacks that open the door for a skilled hacker to take complete control of the operating system.

“[We found] from design issues that were not identified by Microsoft engineers during the Security Development Lifecycle (SDL), and allows accounts commonly used by Windows services — NETWORK SERVICE and LOCAL SERVICE — to bypass new Windows services protection mechanisms and elevate privileges,” Cerrudo explained.

He said the discovery also affects Internet Information Services 7 in the default configuration, allowing ASP.NET applications to “completely compromise” operating system security.

Cerrudo, a security researcher who is highly regarded for his work on database security, said the problem also affects Windows Vista, Windows XP and Windows 2003.

“On Windows XP and Windows 2003 the problem is especially severe since any Windows service, even when running under a low privileged account, can potentially break through the security protections and fully compromise the operating system. This includes all web applications deployed on Internet Information Services 6,” he added.

He’ll be releasing details of his fun with Windows at HITB 2008 Dubai.

Cisco IOS Multiple Vulnerabilities

Out today are multiple vulnerabilities from Cisco. There are patches available from Cisco to tackle data manipulation and denial of service issues in their IOS.

From Secunia:

Description:
Some vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to disclose sensitive information, manipulate certain data, or to cause a DoS (Denial of Service).

1) A memory leak exists in the handling of completed PPTP sessions, which can be exploited to exhaust memory on an affected system.

2) An error exists in the handling of PPTP sessions when virtual access interfaces are not removed from the interface descriptor block (IDB) and are not reused. This can result in an exhaustion of the interface descriptor block (IDB) limit.

Vulnerabilities #1 and #2 are reported in Cisco IOS versions prior to 12.3 with VPDN enabled.

3) Some errors exist in the Data-Link-Switching (DLSw) feature when processing UDP and IP protocol 91 packets. This can be exploited to cause a reload of the system or a memory leak.

4) An error exists in the processing of IPv6 packets, which can be exploited to prevent the interface from receiving additional traffic or to cause the device to crash (if RSVP service is configured on the interface) by sending a specially crafted IPv6 packet to the device.

Successful exploitation of this vulnerability requires that IPv6 and certain IPv4 UDP services are enabled.

5) An error exists in the implementation of Multicast Virtual Private Networks (MVPN), which can be exploited to create extra multicast states on the core routers via specially crafted Multicast Distribution Tree (MDT) Data Join messages. This can also be exploited to receive multicast traffic from VPNs that are not connected to the same Provider Edge (PE).

Successful exploitation of the multicast traffic leak requires that the attacker knows or guesses the Border Gateway Protocol (BGP) peering IP address of a remote PE router and the address of the multicast group that is used in other MPLS VPNs.

Get yer patch on.

Adobe Flash FLA File Parsing Vulnerabilities

Adobe Flash is back in the news with a new vulnerability that affects how files are parsed.

From Secunia:

Description:

cocoruder has reported some vulnerabilities in Adobe Flash, which can be exploited by malicious people to compromise a user’s system.

The vulnerabilities are caused due to unspecified errors when parsing specially crafted FLA files.

Successful exploitation may allow execution of arbitrary code when opening a malicious FLA file.

Solution:
According to the vendor, the vulnerabilities will be fixed in the next major release of Flash Professional.

Do not open untrusted FLA files.

For the Firefox readers, you might want to check out the add-on “NoScript”. If you are using IE, just breathe into a paper bag slowly. Be aware, surf with care.

Mac OS X Security Vulnerabilities O’Plenty

Apple’s OS X is in the news again this morning with the release of security vulnerabilities aplenty. Time to patch my workhorse MacBook.

From Secunia:

Description:
Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

1) Multiple boundary errors in AFP client when processing “afp://” URLs can be exploited to cause stack-based buffer overflows when a user connects to a malicious AFP server.

Successful exploitation may allow execution of arbitrary code.

2) An error exists in AFP Server when checking Kerberos principal realm names. This can be exploited to make unauthorized connections to the server when cross-realm authentication with AFP Server is used.

3) Multiple vulnerabilities in Apache can be exploited by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.

4) A boundary error within the handling of file names in the NSDocument API in AppKit can be exploited to cause a stack-based buffer overflow.

5) An error in NSApplication in AppKit can potentially be exploited to execute code with escalated privileges by sending maliciously crafted messages to privileged applications in the same bootstrap namespace.

6) Multiple integer overflow errors exist in the parser for a legacy serialization format. This can be exploited to cause a heap-based buffer overflow when a specially crafted serialized property list is parsed.

Successful exploitation may allow execution of arbitrary code.

7) An error in CFNetwork can be exploited to spoof secure websites via 502 Bad Gateway errors from a malicious HTTPS proxy server.

…and it goes on like this.

As well, there was a release concerning the Safari browser.

Get your patch on.

VMware Fixes Security Bugs

The VMware folks released patches yesterday to deal with a privilege escalation problem and a security bypass issue, as well as five other problems.

From VMware Advisory:

Problem description:

a. Host to guest shared folder (HGFS) traversal vulnerability

On Windows hosts, if you have configured a VMware host to guest shared folder (HGFS), it is possible for a program running in the guest to gain access to the host’s file system and create or modify executable files in sensitive locations.

NOTE: VMware Server is not affected because it doesn’t use host to guest shared folders. No versions of ESX Server, including ESX Server 3i, are affected by this vulnerability, because ESX Server is based on a bare-metal hypervisor architecture, not a hosted architecture, and it doesn’t include any shared folder abilities. Fusion and Linux based hosted products are unaffected.

and…

b. Insecure named pipes

An internal security audit determined that a malicious Windows user could attain and exploit LocalSystem privileges by causing the authd process to connect to a named pipe that is opened and controlled by the malicious user.

The same internal security audit determined that a malicious Windows user could exploit an insecurely created named pipe object to escalate privileges or create a denial of service attack. In this situation, the malicious user could successfully impersonate authd and attain privileges under which Authd is executing.

For the rest of the issues please read the full advisory over on VMware dot com.
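Item (a) above is a path-containment failure: a guest-supplied path ends up resolving outside the shared folder on the host. The check below is an added example written for this post (not VMware's code, and it does not model how HGFS is implemented): a host-side resolver that canonicalises the share root and the requested path and refuses anything that lands outside the root, whether via `..`, an absolute path, a sibling directory with the same prefix, or a symlink planted inside the share.

```python
import os
import tempfile

class SharedFolderError(ValueError):
    """Raised when a guest-supplied path would leave the shared folder."""

def resolve_shared_path(share_root: str, guest_path: str) -> str:
    """Map a guest-supplied path onto the host, rejecting anything that
    resolves outside share_root (via '..', an absolute path or a symlink)."""
    root = os.path.realpath(share_root)
    # Strip leading separators so "/etc/passwd" is treated as "etc/passwd"
    # inside the share rather than as an absolute host path.
    relative = guest_path.lstrip("/\\")
    candidate = os.path.realpath(os.path.join(root, relative))
    try:
        # commonpath compares whole components, so "/x/share2" is not
        # mistaken for something under "/x/share".
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # paths on different drives (Windows)
        inside = False
    if not inside:
        raise SharedFolderError(f"path escapes share root: {guest_path!r}")
    return candidate

def classify(share_root: str, guest_path: str) -> str:
    try:
        resolve_shared_path(share_root, guest_path)
        return "allowed"
    except SharedFolderError:
        return "rejected"

def demo() -> dict:
    """Constructed share layout under a temp dir; returns the outcome per probe."""
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "share")
        os.makedirs(os.path.join(share, "docs"))
        os.makedirs(os.path.join(tmp, "share2"))  # sibling sharing a name prefix
        outcomes = {
            "plain":    classify(share, "docs/report.txt"),
            "dotdot":   classify(share, "../host_secret.txt"),
            "absolute": classify(share, "/docs/report.txt"),
            "prefix":   classify(share, "../share2/x"),
        }
        try:  # a symlink inside the share pointing at the host tree
            os.symlink(tmp, os.path.join(share, "escape"))
            outcomes["symlink"] = classify(share, "escape/host_secret.txt")
        except OSError:  # symlink creation not permitted on this host
            outcomes["symlink"] = "n/a"
        return outcomes
```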

Office Fixes Dominate Microsoft Update

Now that the dust is settling from yesterday’s “Patch Tuesday”, Office is the main culprit this time. There is a report from US-CERT that there is a trojan that leverages a hole in Excel making the rounds.

From US-CERT:

US-CERT is aware of public reports of a trojan that may exploit a vulnerability in Microsoft Excel. This trojan is circulating through email messages that contain attached Excel files. Known file names for these attachments are OLYMPIC.XLS and SCHEDULE.XLS. These files may also contain Windows binary executables that can compromise an affected system.

From vnunet:

The four bulletins in yesterday’s Security Update addressed 12 vulnerabilities in the popular software.

Each of the bulletins fixes vulnerabilities which could allow an attacker to remotely execute code on the target system. Microsoft has rated all four as ‘critical’, the highest of its four alert levels.

The bulletins address flaws in Outlook, Excel and Office web components. The update applies to Office XP, 2000, 2003 and 2007. Mac versions of Office 2004 and 2008 were also updated, each receiving fixes rated ‘important’.

XP and Vista ducked the spotlight this time.

Symantec Decomposer RAR Handling Vulnerabilities

Symantec’s Mail Security products have some issues again. This time the problem lies within a specially crafted .RAR file. I’m wondering if this is a case of a corrupted .rar file or something that has been packed with UPX or MEW. Details are few.

From Secunia:

Description:
Two vulnerabilities have been reported in various Symantec products, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

1) A boundary error in Symantec’s Decomposer engine can be exploited to cause a stack-based buffer overflow when handling a specially crafted .RAR file.

Successful exploitation allows execution of arbitrary code.

2) An error in Symantec’s Decomposer engine can be exploited to cause the process to consume large amounts of memory when handling a specially crafted .RAR file.

The vulnerabilities affect all builds of the following products:
* Symantec AntiVirus for Network Attached Storage version 4.3.16.39 and prior
* Symantec AntiVirus Scan Engine version 4.3.16.39 and prior
* Symantec AntiVirus Scan Engine for Caching version 4.3.16.39 and prior
* Symantec AntiVirus Scan Engine for Clearswift version 4.3.16.39 and prior
* Symantec AntiVirus Scan Engine for Messaging version 4.3.16.39 and prior
* Symantec AntiVirus Scan Engine for MS ISA version 4.3.16.39 and prior
* Symantec AntiVirus Scan Engine for MS SharePoint version 4.3.16.39 and prior
* Symantec AntiVirus/Filtering for Domino MPE(AIX, Linux, Solaris) all versions
* Symantec Mail Security for Microsoft Exchange version 4.6.5.12 and prior
* Symantec Mail Security for Microsoft Exchange version 5.0.4.363 and prior
* Symantec Scan Engine version 5.1.4.24 and prior

VMware Releases Security Alert

From US-CERT:

VMware has released a security alert in response to a vulnerability in Windows-hosted VMware Workstation, VMware Player, and VMware ACE. This vulnerability exists in the host-to-guest shared folders feature and allows applications running in the guest operating system to access the host operating system’s file system. Exploitation of this vulnerability may allow an attacker to circumvent the controls on the guest system and gain read and write access to the host file system.
