Web blog.fakap.net

V-Day

Friday, June 02, 2006, posted by ~ayoi~

Day of vulnerabilities.

1. Snort HTTP Inspect Pre-Processor Uricontent Bypass
"The evasion technique allows an attacker to bypass detection of "uricontent" rules by adding a carriage return to the end of a URL, directly before the HTTP protocol declaration. This affects thousands of rules in the standard Snort base rule sets.

Due to the seriousness of this vulnerability, we have developed a working patch for public review. See below. This patch addresses the carriage return bug and should catch the known evasion attempts, but further research needs to be done to determine if there are any other possible impacts of this bug. The detection for evasion is turned on by default under all profiles but can also be used as a server configuration option:
-----HTTP Inspect Server Configuration-----
non_std_cr

This option generates an alert when a non standard carriage return character is detected in the URI.
-----end-----

More information including a pre-patched tarball, a simple proof of concept, and a copy of this patch ..."
http://www.demarc.com/support/downloads/patch_20060531
http://www.osvdb.org/25837

feofil@gmail.com
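The following is an added example, not part of the Demarc advisory or Snort's http_inspect code. It models the evasion in Python: a request line with a bare CR between the URI and the "HTTP/1.0" token, a "strict" URI extractor (an assumption about how a normalizer that treats a bare CR as end-of-line would behave, not a description of Snort's internals) that therefore produces no URI for uricontent to match, a tolerant extractor, and the equivalent of the patch's non_std_cr alert. The request bytes are constructed for the demonstration.

```python
"""Model of the carriage-return evasion against URI-based rules.

Added example: not Snort code. The "strict" parser below is an assumption
about a normalizer that terminates the request line at a bare CR; the
request bytes are constructed.
"""
from typing import Optional

# Constructed requests: a normal one and one with a bare CR between the
# URI and the protocol declaration, as the advisory describes.
NORMAL_REQUEST = b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\nHost: target\r\n\r\n"
EVASION_REQUEST = b"GET /cgi-bin/phf?Qalias=x\r HTTP/1.0\r\nHost: target\r\n\r\n"


def request_line(raw: bytes) -> bytes:
    """Return the first line of the request, i.e. everything before the first CRLF."""
    end = raw.find(b"\r\n")
    return raw if end < 0 else raw[:end]


def extract_uri(raw: bytes, tolerate_cr: bool) -> Optional[bytes]:
    """Pull the URI out of the request line.

    tolerate_cr=False models a normalizer that treats a bare CR as the end
    of the line: what is left is no longer "METHOD URI VERSION", so no URI
    buffer is produced and a uricontent rule has nothing to match.
    tolerate_cr=True strips the CR first, so the URI the rule expects is
    recovered (one reasonable normalization; alerting is done separately).
    """
    line = request_line(raw)
    if tolerate_cr:
        line = line.replace(b"\r", b"")
    else:
        line = line.split(b"\r", 1)[0]
    parts = line.split(b" ")
    if len(parts) < 3 or not parts[-1].startswith(b"HTTP/"):
        return None  # malformed request line: no URI buffer
    return b" ".join(parts[1:-1])


def uricontent_match(raw: bytes, needle: bytes, tolerate_cr: bool) -> bool:
    """Does a uricontent-style rule for `needle` fire on this request?"""
    uri = extract_uri(raw, tolerate_cr)
    return uri is not None and needle in uri


def non_std_cr(raw: bytes) -> bool:
    """Equivalent of the patch's non_std_cr alert: a CR inside the request
    line that is not part of the CRLF terminating it."""
    return b"\r" in request_line(raw)


if __name__ == "__main__":
    for name, req in (("normal", NORMAL_REQUEST), ("evasion", EVASION_REQUEST)):
        print(name, "strict match:", uricontent_match(req, b"/phf", False),
              "tolerant match:", uricontent_match(req, b"/phf", True),
              "non_std_cr alert:", non_std_cr(req))
```

The point of the two extractors is that the alert alone is only half the fix: without also normalizing the CR away, the URI buffer is still empty for the original rules, so the alert fires but the signature that should have matched does not.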


2. Squirrelmail local file inclusion
Squirrelmail local file inclusion bug in functions/plugin.php .
Tested on the latest 1.4.x version.
No authentication needed.

    if (isset($plugins) && is_array($plugins)) {
        foreach ($plugins as $name) {
            use_plugin($name);
        }
    }
    ...
    function use_plugin ($name) {
        if (file_exists(SM_PATH . "plugins/$name/setup.php")) {
            include_once(SM_PATH . "plugins/$name/setup.php");
            $function = "squirrelmail_plugin_init_$name";
            if (function_exists($function)) {
                $function();
            }
        }
    }
    ....

If register_globals is on we can control the $name variable.

In order to avoid errors SM_PATH needs to be defined. Exploitation is done through src/redirect.php (it includes functions/plugin.php prior to authentication and it defines SM_PATH).

magic_quotes_gpc needs to be off.


Example:
http://[host]/[squirrelmail dir]/src/redirect.php?plugins[]=../../../../etc/passwd%00


Denix Solutions
Unix/Linux Solutions for your Business
http://www.denixsolutions.com
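An added example, not SquirrelMail code and not part of the Denix advisory: it decodes the plugins[] value from a URL of the shape shown above, models the path that `SM_PATH . "plugins/$name/setup.php"` resolves to once the NUL byte truncates it (PHP of that era, before 5.3.4, handed paths to C as NUL-terminated strings), and shows a plugin-name check that rejects the value. The host, install directory and SM_PATH value are assumptions.

```python
"""Added example (not SquirrelMail code): what plugins[]=../../../../etc/passwd%00
becomes on disk, and a name check that stops it. Host and paths are made up."""
import os
import re
from typing import List
from urllib.parse import parse_qs, urlsplit

# URL shape from the advisory with a constructed host and install directory.
EXPLOIT_URL = ("http://mail.example.test/squirrelmail/src/redirect.php"
               "?plugins[]=../../../../etc/passwd%00")

# Real plugin directories have names like this: no slashes, dots or NULs.
PLUGIN_NAME = re.compile(r"^[A-Za-z0-9_]+$")


def plugin_names_from_url(url: str) -> List[str]:
    """The decoded values register_globals would drop into $plugins."""
    query = parse_qs(urlsplit(url).query)
    return query.get("plugins[]", [])


def setup_path(sm_path: str, name: str) -> str:
    """Model of SM_PATH . "plugins/$name/setup.php" as the filesystem sees it.

    Everything after the first NUL byte is dropped (the %00 trick), so the
    trailing "/setup.php" disappears, and the OS then resolves the ".."
    components. Assumption: sm_path ends with a slash, as SM_PATH does.
    """
    raw = sm_path + "plugins/" + name + "/setup.php"
    truncated = raw.split("\x00", 1)[0]
    return os.path.normpath(truncated)


def is_safe_plugin_name(name: str) -> bool:
    """Allowlist check: only a bare directory name may reach include_once()."""
    return PLUGIN_NAME.match(name) is not None


if __name__ == "__main__":
    for name in plugin_names_from_url(EXPLOIT_URL):
        print(repr(name), "->", setup_path("/var/www/squirrelmail/", name),
              "safe:", is_safe_plugin_name(name))
```

With register_globals off the $plugins array cannot be seeded from the query string at all, which is the configuration-level fix; the allowlist check is what the code itself should do regardless of that setting, since it does not depend on magic_quotes_gpc catching the NUL byte.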

3. VMware ESX Server Cross Site Scripting issue
Title: VMware ESX Server Cross Site Scripting issue
Date: 14.11.05
Application: VMware ESX prior to 2.5.2 upgrade patch 2
VMware ESX prior to 2.1.2 upgrade patch 6
VMware ESX prior to 2.0.1 upgrade patch 6
Environment: VMware ESX
Author: Stephen de Vries [stephen.de.vries@corsaire.com]
Audience: General distribution
Reference: c051114-002


-- Scope --

The aim of this document is to clearly define an issue that exists with the VMware ESX Server product [1] that will allow a remote attacker to inject arbitrary active scripting content, such as JavaScript, into a web session.


-- History --

Discovered: 11.11.05 (Stephen de Vries)
Vendor notified via client: 15.11.05
Vendor notified directly: 19.05.06
Document released: 01.06.06


-- Overview --

VMware ESX Server is described [1] as virtual infrastructure software for partitioning, consolidating and managing servers in mission-critical environments.
The software provides a virtualization layer that allows multiple x86 based operating systems to run on the same hardware concurrently. The ESX Server product differs from other VMware products in that it does not require a "host" operating system to be provided by the user. Instead, it uses a custom x86 kernel as the host, along with a customised Linux operating system as a "console O/S".
VMware ESX Server includes a number of network services and a web application, called the "VMware Management Interface" that can be used to perform remote administration of the system.

-- Analysis --

The VMware ESX Server product provides a web application to perform management of the system. One of the functions of this application is to allow administrative users to view log files, such as syslog, through a browser. No encoding of syslog data is performed to ensure that HTML meta-characters are not interpreted by the browser. This allows an attacker to inject HTML content, including JavaScript, into the syslog file where it would be rendered or executed when viewed through the Management Interface. Since the raw syslog data is displayed between tags, it is necessary to close the tag for a clean injection. Two injection methods were detected:
1. An attacker could simply attempt to log in to the Management Interface with a username that contains the injection script, such as:
#//
<$cript>alert('XSS')
2. An attacker could attempt to log in to the ftp server with a username containing a similar injection string.
It should be noted that the ftp server is not enabled by default, however, the Management Interface is.
This flaw could be used to conduct any number of Cross Site Scripting attacks [2], such as Session Hijacking, Cross Site Request Forgery or apparent falsification of the syslog data.
The risk of this vulnerability is increased due to the fact that only administrative users have permission to view the syslog files through the Management Interface. Should a Session Hijacking attack be successful, it would therefore likely yield administrative access.

-- Recommendations --

Upgrade to a version of the VMware ESX product that does not exhibit this issue:

VMware ESX 2.5.2 upgrade patch 2 and later
VMware ESX 2.1.2 upgrade patch 6 and later
VMware ESX 2.0.1 upgrade patch 6 and later


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2005-3619 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardises names for security problems.


-- References --

[1] http://www.vmware.com/products/esx/
[2] http://www.aspectsecurity.com/topten/xss.html


-- Revision --

a. Initial release.
b. Minor edits.
c. Released.



-- Disclaimer --

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information.
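An added example, not VMware's code or part of the Corsaire advisory: a minimal log viewer in Python rendered the vulnerable way (raw syslog text dropped between the tags, assumed here to be a pre block) beside the encoded version, plus a check that flags log lines whose quoted username carries HTML metacharacters. The syslog lines and their format are constructed, not VMware's.

```python
"""Added example, not VMware code: syslog lines rendered without and with
HTML encoding, and a check for markup in logged usernames. The lines and
their format are constructed; <pre> as the wrapping tag is an assumption."""
import html
from typing import List

# Constructed syslog lines. Line index 1 is a failed login whose username
# closes the viewer's block and injects script, like the advisory's method 1.
LOG_LINES = [
    "Jun  2 10:15:01 esx01 login: FAILED LOGIN for 'admin' from 10.0.0.5",
    "Jun  2 10:15:09 esx01 login: FAILED LOGIN for "
    "'</pre><script>alert(1)</script>' from 10.0.0.5",
    "Jun  2 10:16:00 esx01 login: session opened for 'root'",
]


def render_unescaped(lines: List[str]) -> str:
    """The vulnerable behaviour: log text goes to the browser as-is."""
    return "<pre>\n" + "\n".join(lines) + "\n</pre>"


def render_escaped(lines: List[str]) -> str:
    """The fix: encode every line so '<', '>', '&' and quotes are inert."""
    body = "\n".join(html.escape(line, quote=True) for line in lines)
    return "<pre>\n" + body + "\n</pre>"


def lines_with_markup(lines: List[str]) -> List[int]:
    """Detection: indexes of lines whose quoted username contains HTML
    metacharacters. Assumes the username is the text between the first
    pair of single quotes, as in the constructed format above."""
    hits = []
    for i, line in enumerate(lines):
        if line.count("'") < 2:
            continue
        user = line.split("'", 2)[1]
        if any(c in user for c in "<>\"&"):
            hits.append(i)
    return hits


if __name__ == "__main__":
    print(render_escaped(LOG_LINES))
    print("suspicious lines:", lines_with_markup(LOG_LINES))
```

Encoding at render time is the real fix; the detection function only tells you that someone already tried. Because the injected text lives in the log file, it survives until the file rotates, so every administrator who opens that view after the failed login is exposed, which is why the advisory rates the session-hijacking angle as administrative-level.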

4. Microsoft Windows "mhtml:" URI Handling Remote Buffer Overflow Vulnerability
Technical Description

A vulnerability has been identified in Microsoft Windows, which could be exploited by attackers to cause a denial of service or potentially take complete control of an affected system. This flaw is due to a buffer overflow error in the Microsoft Internet Messaging library "inetcomm.dll" that does not properly handle an overly long "mhtml:" URL, which could be exploited by attackers to crash an affected application (e.g. Internet Explorer or Windows Explorer) or potentially execute arbitrary commands by convincing a user to visit a specially crafted web page or open a malformed Internet shortcut.

Note : Arbitrary code execution has not been confirmed at the moment.

Affected Products

Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003
Microsoft Windows Server 2003 Service Pack 1

Solution

FrSIRT is not aware of any officially supplied patch for this issue.

Vulnerability reported by Mr.Niega

5. MySQL Multi-byte Encoding Processing Remote SQL Injection Vulnerability
Technical Description

A vulnerability has been identified in MySQL, which could be exploited by remote attackers to bypass security restrictions and execute arbitrary SQL commands. This flaw is due to an error when operating in multi-byte character sets (e.g. SJIS, BIG5 and GBK) and parsing certain ASCII characters escaped with the "mysql_real_escape_string()" function, which could be exploited by malicious people to bypass standard string-escaping methods and conduct SQL injection attacks against a supposedly secure script.

Affected Products

MySQL version 4.1.19 and prior
MySQL version 5.0.21 and prior
MySQL version 5.1.10 and prior

Solution

Upgrade to MySQL version 4.1.20, 5.0.22, or 5.1.11 :
http://dev.mysql.com/downloads/

References

http://www.frsirt.com/english/advisories/2006/2105
http://dev.mysql.com/doc/refman/4.1/en/news-4-1-20.html
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-11.html
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-22.html
http://bugs.mysql.com/bug.php?id=8378

Credits

Vulnerability reported by Josh Berkus
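An added example, not MySQL's code and not from the FrSIRT advisory, showing in Python why a byte-oriented escaper fails under a multi-byte connection charset. Using GBK: 0xBF is a lead byte, so when the escaper inserts 0x5C (backslash) in front of a 0x27 (single quote) the server reads 0xBF 0x5C as one two-byte character and the quote closes the string literal. The query shape, the attacker input and the charset-aware escaper (which decodes in the connection charset first and refuses invalid sequences) are constructed for the demonstration; the escaper is simplified relative to mysql_real_escape_string(), which also handles NUL, CR, LF and Ctrl-Z.

```python
"""Added example, not MySQL code: byte-oriented escaping versus a GBK
connection charset. Inputs and the query shape are constructed."""
from typing import List, Optional, Tuple


def naive_escape(data: bytes) -> bytes:
    """Backslash-escape ' " \\ one byte at a time, as an escaper that assumes
    a single-byte charset (or PHP's addslashes) does. Simplified."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def charset_aware_escape(data: bytes, charset: str) -> Optional[bytes]:
    """Escape per character after decoding with the connection charset, so a
    backslash can never land inside a multi-byte character. Returns None for
    byte sequences that are invalid in that charset instead of passing them on."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError:
        return None
    escaped = "".join("\\" + ch if ch in "'\"\\" else ch for ch in text)
    return escaped.encode(charset)


def build_query(user: bytes) -> bytes:
    """The 'supposedly secure' pattern: escape, then splice into SQL bytes."""
    return b"SELECT * FROM users WHERE name='" + naive_escape(user) + b"'"


def split_sql(text: str) -> Tuple[str, List[str]]:
    """Split SQL text into code outside string literals and the literal
    contents, using single quotes with backslash escapes (MySQL default)."""
    outside: List[str] = []
    literals: List[str] = []
    cur: List[str] = []
    in_str = False
    i = 0
    while i < len(text):
        ch = text[i]
        if in_str:
            if ch == "\\" and i + 1 < len(text):
                cur.append(text[i + 1])
                i += 2
                continue
            if ch == "'":
                literals.append("".join(cur))
                cur = []
                in_str = False
            else:
                cur.append(ch)
        elif ch == "'":
            in_str = True
        else:
            outside.append(ch)
        i += 1
    if in_str:
        raise ValueError("unterminated string literal")
    return "".join(outside), literals


def injection_reaches_sql(query: bytes, charset: str) -> bool:
    """True if, read in `charset`, the attacker's OR 1=1 sits outside a literal."""
    outside, _ = split_sql(query.decode(charset))
    return "OR 1=1" in outside


# Constructed attacker input: 0xBF 0x27. After naive escaping it is
# 0xBF 0x5C 0x27; in GBK 0xBF 0x5C is one character and 0x27 is a live quote.
ATTACK_USER = b"\xbf\x27 OR 1=1 OR \x27"


if __name__ == "__main__":
    q = build_query(ATTACK_USER)
    print("latin-1 view:", split_sql(q.decode("latin-1")))
    print("gbk view:    ", split_sql(q.decode("gbk")))
    print("charset-aware escape of the input under gbk:",
          charset_aware_escape(ATTACK_USER, "gbk"))
```

The bypass needs two things to line up: the client escaping without knowing the connection charset and the server parsing the same bytes with a multi-byte one. Either upgrading to the fixed versions listed above or taking escaping out of the picture with prepared statements (the value never travels inside the SQL text) removes the mismatch; just making the client charset-aware, as the function here does, only helps if it really is told the charset the connection uses.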

Plus two advisories regarding FreeBSD 5.X and 6.X releases: ypserv and smbfs.

Check your systems.
