Full Disclosure mailing list archives

[Full-Disclosure] Subject: Full-disclosure Digest, Vol 1, Issue 2113 (Back on Tuesday 28 December.)
From: "Christophe Savin" <christophe.savin () tdf fr>
Date: Wed, 22 Dec 2004 01:51:57 +0100

During my absence, any request concerning the networks must be sent to: ars_reseaux () tdf fr, or
(ars_transpac for any incident related to that network).

In case of emergency, you can contact:
  The Network hotline: 01 49 15 32 53
  François LEVEQUE on 01 49 15 30 56
  Pascal PAINPARAY on 01 49 15 31 36.

  Happy holidays.
  Christophe SAVIN


full-disclosure 12/19/04 01:09 >>>

Send Full-Disclosure mailing list submissions to
        full-disclosure () lists netsys com

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.netsys.com/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
        full-disclosure-request () lists netsys com

You can reach the person managing the list at
        full-disclosure-owner () lists netsys com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."


Today's Topics:

   1. Re: HOW TO BREAK XP SP2 POPUP BLOCKER: kick itin  the nut !
      (James Tucker)
   2. PHP Input Validation Vulnerabilities (Daniel Fabian)
   3. [MaxPatrol] SQL-injection in Ikonboard 3.1.x
      (aanisimov () ptsecurity ru)
   4. KIT.GED (Raoul Nakhmanson-Kulish)
   5. Gadu-Gadu, another two bugs (Jaroslaw Sajko)


----------------------------------------------------------------------

Message: 1
Date: Thu, 16 Dec 2004 04:43:45 +0000
From: James Tucker <jftucker () gmail com>
Subject: Re: [Full-disclosure] HOW TO BREAK XP SP2 POPUP BLOCKER: kick
        itin    the nut !
To: fulld.20.mandoskippy () spamgourmet com
Cc: 1 () malware com, Valdis.Kletnieks () vt edu, srenna () vdbmusic com,
        full-disclosure () lists netsys com
Message-ID: <e92364c304121520435dc79d73 () mail gmail com>
Content-Type: text/plain; charset=US-ASCII

Whilst I have not seen any (although I haven't looked, sorry) I doubt
there are.

What you can do though, as with any application, is distribute locked
registry keys and configuration files for it. Documentation to do with
using firefox with multiple profiles in multiuser environments is also
available and this is a good source for the start of such a project.

I have seen this done successfully (and properly) in a production
environment so I know it is possible. :-)


On Tue, 14 Dec 2004 08:12:43 -0600, John Omernik
<fulld.20.mandoskippy () spamgourmet com> wrote:
My question is this...
Are there GPO objects for firefox. I would love to deploy firefox, but being
able to control the configuration via Group Policy is a must.

-----Original Message-----
From: full-disclosure-bounces () lists netsys com
[mailto:full-disclosure-bounces () lists netsys com] On Behalf Of Scott Renna
Sent: Monday, December 13, 2004 12:24 PM
To: Valdis.Kletnieks () vt edu
Cc: 1 () malware com; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] HOW TO BREAK XP SP2 POPUP BLOCKER: kick itin
the nut !

I'd speculate for several reasons.  I've actually heard it said in my
organization that people don't want to use Firefox, because certain
sites don't display properly or at all with it.  Even after being told
there is an extension to view a page in IE, they still use that argument...

Valdis.Kletnieks () vt edu wrote:
On Fri, 10 Dec 2004 23:42:07 EST, Scott Renna said:

Beautiful...how many more fun ones like these until people start to
migrate away from IE.....


If the stuff in the past hasn't already urged them to migrate, why should
a small thing like being able to beat the popup blocker make them move?

I'd put a smiley on that, but it's a serious question - you need to understand
why they haven't *already* moved before you can even think about getting them
to migrate.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



------------------------------

Message: 2
Date: Thu, 16 Dec 2004 15:09:55 +0100 (CET)
From: "Daniel Fabian" <research () sec-consult com>
Subject: [Full-disclosure] PHP Input Validation Vulnerabilities
To: full-disclosure () lists netsys com
Cc: bugtraq () securityfocus com
Message-ID: <3443.83.65.90.98.1103206195.squirrel () 83 65 90 98>
Content-Type: text/plain;charset=iso-8859-1

-------------------------------------------------------------------------
|                PHP Input Validation Vulnerabilities                   |
-------------------------------------------------------------------------

Date: 12-16-2004
Author: Daniel Fabian
Product: PHP
Vendor: PHP (http://www.php.net)
Vendor-Status: vendor contacted
Vendor-Patches: patched versions have been released

~~~~~~~~
Synopsis
~~~~~~~~~~~~~~~~~~~~~~~~

PHP version 4.3.9 is vulnerable to meta character attacks. The bug could
enable an attacker to read arbitrary files from the filesystem of a
webserver that hosts PHP scripts.

In addition PHP versions 4.3.6 until 4.3.9 as well as PHP versions 5.0.0
until 5.0.2 contain a bug that enables an attacker to manipulate the file
name of uploaded files to perform directory traversal.

While both vulnerabilities exist in windows and unix platform versions of
PHP, they can only be successfully exploited on windows systems.


~~~~~~~~
Vendor Status
~~~~~~~~~~~~~~~~~~~~~~~~

The vendor has been timely informed and has released patched versions of
the software (PHP 4.3.10/PHP 5.0.3). Those can be downloaded from
http://www.php.net


~~~~~~~~
Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~


addslashes() Vulnerability:
---------------------------

Scope:
PHP version 4.3.9 contains a bug in the function addslashes().
addslashes() can be used to sanitize user input and thus make it
impossible for an attacker to influence scripts by injecting meta
characters. In the default configuration, magic_quotes_gpc is set to "On",
which automagically performs addslashes() on every input value. However,
because of a bug, the NULL byte is not correctly encoded by addslashes,
enabling an attacker to read arbitrary files from the file system if user
input is used within include() or require() directives.

Details:
Addslashes should turn a NULL byte (will be written as %00 in this
advisory) into the string "\0" (backslash zero). In version 4.3.9 the
NULL byte is encoded as "\%00" (backslash null byte). Everything after
the NULL byte is ignored in include and require directives so that an
attacker can truncate the name of the file that is included in the PHP
script. The last character however will always be the backslash. As in
Windows the backslash is the path delimiter, this does not matter - the
file named before the backslash is still loaded.


Example:

Consider the following PHP script:

<?
$whatever = addslashes($_REQUEST['whatever']);
include("/path/to/program/" . $whatever . "/header.htm");
?>

A malicious attacker might open the following URL, disclosing the
boot.ini file:

http://localhost/phpscript.php?whatever=../../../../boot.ini%00

The trailing backslash from the escaped \%00 does for some reason not seem
to be of concern to include().



Upload Path Traversal Vulnerability:
------------------------------------

Scope:
PHP automatically sanitizes the file name of uploaded files removing
everything before the last slash or backslash. This is done in order to
prevent path traversal attacks with uploaded files. However if an attacker
uploads a file containing a single quote and the attacked web server has
magic_quotes turned on (which is default configuration) or performs an
addslashes() directive on the name of the uploaded file, the quote is
prefixed with a backslash. This occurs after PHP checks for backslashes in
the filename. As the backslash is the path delimiter in windows, this
behavior enables an attacker to traverse the path by one directory level.

Example:
If a file with the name "..'file.ext" is uploaded, PHP turns the name into
"..\'file.ext" and the file is uploaded to the directory below where
the PHP script copies it.


~~~~~~~~
Counter Measures
~~~~~~~~~~~~~~~~~~~~~~~~

Upgrade to PHP version 4.3.10 or 5.0.3, respectively.


~~~~~~~~
Timeline
~~~~~~~~~~~~~~~~~~~~~~~~

Oct. 08: Notified vendor of addslashes vulnerability
Oct. 14: Vendor reply
Nov. 02: Notified vendor of upload vulnerability
Nov. 04: Vendor reply
Nov. 20: Problems fixed in CVS
Dec. 14: Release of patched versions 4.3.10/5.0.3


EOF Daniel Fabian / @2004
d.fabian at sec-consult dot com

~~~~~~~~
Contact
~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

Büro Wien
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
http://www.sec-consult.com
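The two defects above are easiest to reason about side by side. The following is an added example, not code from the advisory or from PHP: a Python model of addslashes() as documented (NUL must become backslash + "0"), a constructed model of the 4.3.9 behaviour the advisory describes (backslash + a literal NUL), a view of what a NUL-terminated C path then sees, and the defensive replacements for both the include() pattern and the upload-name handling. The base directory "/path/to/program" and the identifier allow-list are assumptions chosen for the example; the C-string view stands in for include() rather than calling PHP.

```python
import os
import re
from typing import Optional

QUOTE_CHARS = ("'", '"', "\\")


def addslashes(s: str) -> str:
    """Escape quotes and backslashes as PHP's addslashes() is documented to do.

    The NUL byte must become the two characters backslash + '0'; that is the
    case the advisory says 4.3.9 got wrong.
    """
    out = []
    for ch in s:
        if ch in QUOTE_CHARS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def addslashes_buggy(s: str) -> str:
    """Constructed model of the 4.3.9 defect as the advisory describes it (not PHP
    source): the NUL byte is prefixed with a backslash but kept as a NUL."""
    return "".join("\\" + ch if ch in QUOTE_CHARS or ch == "\x00" else ch for ch in s)


def as_c_string(path: str) -> str:
    """What a NUL-terminated C path (the form include() ultimately opens) sees."""
    return path.split("\x00", 1)[0]


def include_path(user_part: str, base_dir: str = "/path/to/program") -> Optional[str]:
    """Defensive replacement for include("/path/to/program/" . $whatever . "/header.htm").

    Accept only a plain identifier (no separators, dots or NUL), then confirm the
    resolved path still lies under base_dir. Returns None when the value is rejected.
    """
    if not re.fullmatch(r"[A-Za-z0-9_-]+", user_part):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_part, "header.htm"))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def windows_basename(name: str) -> str:
    """Strip everything up to the last slash or backslash, as PHP does for uploads."""
    return re.split(r"[\\/]", name)[-1]


def stored_name_vulnerable_order(client_name: str) -> str:
    """The order the advisory describes: basename first, addslashes() afterwards,
    so a quote in the name gains a backslash that Windows treats as a separator."""
    return addslashes(windows_basename(client_name))


def stored_name_safe(client_name: str) -> Optional[str]:
    """Decide the stored name last: basename, then reduce to an allow-list so no
    quote survives for a later addslashes() to turn into a separator."""
    name = windows_basename(client_name.replace("\x00", ""))
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).lstrip(".")
    return name or None


if __name__ == "__main__":
    payload = "../../../../boot.ini\x00"
    print("documented :", repr(as_c_string(addslashes(payload) + "/header.htm")))
    print("4.3.9 model:", repr(as_c_string(addslashes_buggy(payload))))
    print("upload     :", repr(stored_name_vulnerable_order("..'file.ext")),
          "->", repr(stored_name_safe("..'file.ext")))
```

With the documented escaping the NUL turns into a visible "\0" and the appended "/header.htm" survives, so no existing file is named; with the 4.3.9 model the C string ends right after "boot.ini\", which is the trailing backslash the advisory notes Windows ignores. For uploads, the fix is ordering: settle the stored name before any quoting step runs, or, as here, leave nothing for the quoting step to escape.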





------------------------------

Message: 3
Date: Thu, 16 Dec 2004 18:44:50 +0300
From: aanisimov () ptsecurity ru
Subject: [Full-disclosure] [MaxPatrol] SQL-injection in Ikonboard
        3.1.x
To: full-disclosure () lists netsys com
Message-ID: <468664042.20041216184450 () ptsecurity ru>
Content-Type: text/plain; charset=us-ascii


[MaxPatrol] SQL-injection in Ikonboard 3.1.x

   Release Date:     December 16, 2004
   Date Reported:    December 2, 2004
   Severity:         High
   Application:      Ikonboard 3.1.x
   Affects versions: 3.1.0, 3.1.1, 3.1.2 and 3.1.3.
   Platform:         PHP



I. DESCRIPTION

Input passed to the "st" and "keywords" parameters in "ikonboard.cgi" is not properly sanitised before being used in a 
SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


1) SQL injection in "st" parameter

Example:
http://host/support/ikonboard.cgi?act=ST&f=27&t=13066&hl=nickname&st=1&apos;

Result:
Ikonboard CGI Error 
-----------------------------------------------------------------------
Ikonboard has exited with the following error: 

Can't query the data from 'forum_posts' Reason: You have an error in your SQL syntax. Check the manual that corresponds 
to your MySQL server version for the right syntax to use near '', 20'

This error was reported at: line 1 Query: SELECT * FROM iB313_forum_posts WHERE TOPIC_ID = '13066' AND QUEUED <> '1' 
ORDER BY POST_DATE ASC LIMIT 1', 20 

Please note that your 'real' paths have been removed to protect your information. 
-----------------------------------------------------------------------


2) SQL injection in "keywords" parameter

Example:
http://host/support/ikonboard.cgi?act=Search&CODE=01&keywords='&type=name&forums=all&search_in=all&prune=0

Result:
Ikonboard CGI Error 
-----------------------------------------------------------------------
Ikonboard has exited with the following error: 

mySQL error
Can't query the data: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server 
version for the right syntax to use near ') ORDER BY DATE DESC LIMIT 0,200'

This error was reported at: line 1 

Please note that your 'real' paths have been removed to protect your information. 
-----------------------------------------------------------------------


This vulnerability was found automatically by the full-featured commercial version of MaxPatrol.


II. IMPACT

   A remote user may be able to execute arbitrary SQL commands on the underlying database.

III. SOLUTION

   Not available currently.


IV. VENDOR FIX/RESPONSE

   Notified.


V. CREDIT

   This vulnerability was discovered by Positive Technologies using MaxPatrol
   (http://www.maxpatrol.com), an intelligent professional security scanner.
   It is able to detect a substantial number of vulnerabilities not yet
   published. MaxPatrol's intelligent algorithms are also capable of detecting a lot of
   vulnerabilities in custom web scripts (XSS, SQL and code injections, HTTP
   Response splitting).
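The error messages above show the shape of the failing statements: the "st" value lands unquoted in a LIMIT clause and "keywords" lands inside a quoted search term. The following is an added example, not code from the advisory or from Ikonboard: Python with sqlite3 standing in for the MySQL back end, the table and column names taken from the error text in the advisory, and the rows constructed. It reproduces the concatenated query's failure on the advisory's "st=1'" input and shows the hardened form, which validates the offset as an integer and binds every value.

```python
import re
import sqlite3

PER_PAGE = 20


def make_db() -> sqlite3.Connection:
    """Constructed sample data shaped like the table named in the advisory's error."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE iB313_forum_posts ("
        "POST_ID INTEGER, TOPIC_ID TEXT, QUEUED TEXT, POST_DATE INTEGER, POST TEXT)"
    )
    rows = [(i, "13066", "0", 1100000000 + i, "constructed post %d" % i)
            for i in range(1, 26)]
    conn.executemany("INSERT INTO iB313_forum_posts VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def fetch_posts_concatenated(conn, topic_id: str, st: str):
    """Query built by string concatenation, the shape the advisory's error shows:
    ... ORDER BY POST_DATE ASC LIMIT <st>, 20"""
    template = ("SELECT * FROM iB313_forum_posts WHERE TOPIC_ID = '%s' AND QUEUED <> '1' "
                "ORDER BY POST_DATE ASC LIMIT %s, %d")
    return conn.execute(template % (topic_id, st, PER_PAGE)).fetchall()


def parse_offset(st: str):
    """The 'st' parameter is a page offset: accept only a short decimal integer."""
    if re.fullmatch(r"[0-9]{1,9}", st):
        return int(st)
    return None


def fetch_posts_bound(conn, topic_id: str, st: str):
    """Hardened version: validate the offset first, then bind every value."""
    offset = parse_offset(st)
    if offset is None:
        raise ValueError("st must be a non-negative integer")
    sql = ("SELECT * FROM iB313_forum_posts WHERE TOPIC_ID = ? AND QUEUED <> '1' "
           "ORDER BY POST_DATE ASC LIMIT ? OFFSET ?")
    return conn.execute(sql, (topic_id, PER_PAGE, offset)).fetchall()


def search_posts_bound(conn, keywords: str):
    """Same treatment for the 'keywords' parameter: a bound LIKE pattern, with the
    user's own wildcard characters escaped so they match literally."""
    pattern = "%" + re.sub(r"([%_\\])", r"\\\1", keywords) + "%"
    sql = ("SELECT * FROM iB313_forum_posts WHERE POST LIKE ? ESCAPE '\\' "
           "ORDER BY POST_DATE DESC LIMIT 0, 200")
    return conn.execute(sql, (pattern,)).fetchall()


def outcome(conn, st: str):
    """Row count on success, or 'syntax error' when the database rejects the query."""
    try:
        return len(fetch_posts_concatenated(conn, "13066", st))
    except sqlite3.OperationalError:
        return "syntax error"


if __name__ == "__main__":
    db = make_db()
    print("concatenated, st=1  :", outcome(db, "1"))
    print("concatenated, st=1' :", outcome(db, "1'"))
    print("bound, st=1         :", len(fetch_posts_bound(db, "13066", "1")))
    print("bound search for '  :", len(search_posts_bound(db, "'")))
```

A quote in "st" breaks the concatenated statement exactly as the advisory's error shows, which is the point where the database's error text starts leaking the query. In the bound version the same input never reaches the parser: it fails integer validation, and a quote in "keywords" is simply a character to match. The LIMIT clause is worth singling out because it is the one place where people assume a number is safe to paste in; validating it as an integer is what makes that assumption true.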




------------------------------

Message: 4
Date: Fri, 17 Dec 2004 11:33:25 +0300
From: Raoul Nakhmanson-Kulish <raoul () elforsoft com>
Subject: [Full-disclosure] KIT.GED
To: full-disclosure () lists netsys com
Message-ID: <41C299D5.5040905 () elforsoft com>
Content-Type: text/plain; charset=KOI8-R; format=flowed

Hello, all!

On one of our IIS servers (W2K fully patched, IIS Lockdown tool is 
installed) I have found in WWW root directory a file named KIT.GED and 
having size 834552 bytes.

This is a RAR-packed self-executable containing these files:

01.03.2004  18:16               10240 caclsENG.exe
18.01.2004  19:33               53760 carun.dll
24.06.2004  00:58                8609 carun.ocx
19.02.2004  01:15                 498 change.txt
24.06.2004  00:59               11780 chkdrv.vxd
24.06.2004  01:06               24646 install.cmd
01.03.2004  16:33                 356 logoff.txt
01.03.2004  16:32                1234 logon.txt
16.03.2004  02:34                5119 settimedate.exe
23.06.2004  23:02              800256 tskman.exe

Seems that this is a backdoor kit. Fortunately, it wasn't installed on 
this webserver or on any server in our network.

But how could somebody put this file in the WWW root? What should we do to 
prevent it in the future?

Of course, I'll send this file or any listed above if required.

-- 
Best regards,
Raoul Nakhmanson-Kulish
Elfor Soft Ltd.,
ERP Department
http://www.elforsoft.ru/
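One half of answering the question above is checking who holds write permission on the web root; the other is noticing such a file early. The following is an added example, not code from the post: a Python sweep of a web root that flags files whose content is a PE executable or carries the RAR archive signature (a self-extracting RAR is a PE stub with the RAR signature further in), whichever extension they wear. The web-content extension list is an assumption for the example, and the fixture directory, with a small stand-in for the KIT.GED file, is constructed here; the real file's 834552 bytes are not reproduced.

```python
import os
import tempfile

# Extensions expected in this web root (assumption for the example; adjust per site).
WEB_EXTENSIONS = {".htm", ".html", ".asp", ".css", ".js", ".gif", ".jpg", ".png",
                  ".txt", ".xml"}
PE_MAGIC = b"MZ"                 # DOS/PE executable header
RAR_MAGIC = b"Rar!\x1a\x07\x00"  # RAR archive signature (appears after an SFX stub)
SCAN_BYTES = 1024 * 1024         # enough to cover a file of the size in the post


def classify(path: str):
    """Return the flags raised for one file: content type by magic, then extension."""
    with open(path, "rb") as fh:
        blob = fh.read(SCAN_BYTES)
    flags = []
    if blob[:2] == PE_MAGIC:
        flags.append("pe-executable")
    if RAR_MAGIC in blob:
        flags.append("rar-archive")
    if os.path.splitext(path)[1].lower() not in WEB_EXTENSIONS:
        flags.append("unexpected-extension")
    return flags


def scan_webroot(root: str):
    """Map relative path -> (size, flags) for every file whose content, not its
    name, says executable or archive. Extension alone is reported but not decisive."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            flags = classify(path)
            if "pe-executable" in flags or "rar-archive" in flags:
                findings[os.path.relpath(path, root)] = (os.path.getsize(path), flags)
    return findings


def build_sample_webroot() -> str:
    """Constructed fixture: an ordinary page plus a file shaped like the one in
    the post (PE stub followed by the RAR signature), named KIT.GED."""
    root = tempfile.mkdtemp(prefix="wwwroot-")
    with open(os.path.join(root, "default.htm"), "wb") as fh:
        fh.write(b"<html>hello</html>")
    with open(os.path.join(root, "KIT.GED"), "wb") as fh:
        fh.write(PE_MAGIC + b"\x90" * 200 + RAR_MAGIC + b"\x00" * 100)
    return root


if __name__ == "__main__":
    for rel, (size, flags) in sorted(scan_webroot(build_sample_webroot()).items()):
        print("%-12s %8d bytes  %s" % (rel, size, ", ".join(flags)))
```

Run against a real web root, this lists candidates for review rather than verdicts; the useful follow-up is a directory listing of the same root with ACLs, since a file appearing there means some identity could write to it.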


------------------------------

Message: 5
Date: Fri, 17 Dec 2004 11:23:38 +0100 (CET)
From: Jaroslaw Sajko <sloik () man poznan pl>
Subject: [Full-disclosure] Gadu-Gadu, another two bugs
To: bugtraq () securityfocus com, <full-disclosure () lists netsys com>
Message-ID:
        <Pine.GSO.4.44.0412171116260.12612-100000 () rose man poznan pl>
Content-Type: TEXT/PLAIN; charset=US-ASCII


Product:        Gadu-Gadu, build 155 and older
Vendor:         SMS-EXPRESS.COM (http://www.gadu-gadu.pl)
Impact:         Script execution in local zone,
                Remote DoS
Severity:       High
Authors:        Blazej Miga <bla () man poznan pl>,
                Jaroslaw Sajko <sloik () man poznan pl>
Date:           17/12/04


[ISSUE]

Gadu-Gadu is the first Polish instant messenger, used by ca. 3 million
people per month.

In addition to the last vulnerabilities, there are two other
vulnerabilities in the build which has been released after our last
advisory.


[DETAILS]

Bug 1.
Parsing error. We can send a malicious string which has an url inside.
This url can be a javascript code for example or reference to such a code.
Code will execute when the window with message pops up. Code will execute
in LOCAL ZONE! Works also with older versions.

Example:

Send such a string to any recipient:
www.po"style=background-image:url(javascript:document.write('%3cscript%3ealert%28%22you%20are%20owned!%22%29%3c%2fscript%3e'));".pl

Bug 2.
Because in this build the default configuration allows sending of images,
we can send an image. There is a new feature, a loop checking the filename
for disallowed characters, but under some circumstances the loop is an
infinite loop. So, if an image name doesn't start with '..', '/', '\'
or '&#' then the Gadu-Gadu application falls into an infinite loop, consumes
resources, and will not receive or send any message anymore. So we have a
simple DoS (livelock).

Example:

Send any image (filename must be a 'normal' filename) to your friend.


[SOLUTION]

Please upgrade to the newest build (build 156).



------------------------------

_______________________________________________
Full-Disclosure mailing list
Full-Disclosure () lists netsys com
https://lists.netsys.com/mailman/listinfo/full-disclosure


End of Full-Disclosure Digest, Vol 1, Issue 2113
************************************************

