Exploits and Security » Exploits and Bugs

PHP vulnerabilities

Exploitx — Thu, 19 Jul 2007 00:22:57 +0000

Ubuntu Security Notice USN-485-1 July 17, 2007
php5 vulnerabilities
CVE-2007-1864, CVE-2007-2728

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
libapache2-mod-php5 5.1.2-1ubuntu3.9
php5-xmlrpc 5.1.2-1ubuntu3.9

Ubuntu 6.10:
libapache2-mod-php5 5.1.6-1ubuntu2.6
php5-xmlrpc 5.1.6-1ubuntu2.6

Ubuntu 7.04:
libapache2-mod-php5 5.2.1-0ubuntu1.4
php5-xmlrpc 5.2.1-0ubuntu1.4

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that the PHP xmlrpc extension did not correctly check
heap memory allocation sizes. A remote attacker could send a specially
crafted request to a PHP application using xmlrpc and execute arbitrary
code as the Apache user. (CVE-2007-1864)

Stefan Esser discovered a flaw in the random number initialization of the
PHP SOAP extension. This could lead to remote attackers being able to
predict certain elements of the authentication mechanism. (CVE-2007-2728)

Dovecot vulnerability

Exploitx — Thu, 19 Jul 2007 00:22:17 +0000

Ubuntu Security Notice USN-487-1 July 17, 2007
dovecot vulnerability
CVE-2007-2231

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
dovecot-common 1.0.beta3-3ubuntu5.5

Ubuntu 6.10:
dovecot-common 1.0.rc2-1ubuntu2.2

Ubuntu 7.04:
dovecot-common 1.0.rc17-1ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that Dovecot, when configured to use non-system-user
spools and compressed folders, would allow directory traversals in
mailbox names. Remote authenticated users could potentially read email
owned by other users.

Updated packages for Ubuntu 6.06 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.beta3-3ubuntu5.5.diff.gz

Size/MD5: 469298 29bd87efba635fd5eedb3895d20acc46

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.beta3-3ubuntu5.5.dsc

Size/MD5: 867 5036d7a6d364a2ad840b0d54e3339f38

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.beta3.orig.tar.gz

Size/MD5: 1360574 5418f9f7fe99e4f10bb82d9fe504138a

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.beta3-3ubuntu5.5_amd64.deb

Size/MD5: 962840 6cca1d5abd731afba38bb29f6c9933f5

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.beta3-3ubuntu5.5_amd64.deb

Size/MD5: 532874 e9e41c0952c466de86cb5ce0e6587a22

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.beta3-3ubuntu5.5_amd64.deb

Size/MD5: 500994 bc7b6969f03f5f311848410e935dfded

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.beta3-3ubuntu5.5_i386.deb

Size/MD5: 838814 753181c3a1179a6ec1bd72b13dc5b9a4

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.beta3-3ubuntu5.5_i386.deb

Size/MD5: 486092 d11b682eb421301f797e80194b51b67b

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.beta3-3ubuntu5.5_i386.deb

Size/MD5: 456858 d8ca7cb44101b96455b891e9e42bc5b3

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.beta3-3ubuntu5.5_powerpc.deb

Size/MD5: 941292 e1d73b71061280687181e8f938b8e264

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.beta3-3ubuntu5.5_powerpc.deb

Size/MD5: 526582 4f89130337e474c68a419f4724cf1aa4

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.beta3-3ubuntu5.5_powerpc.deb

Size/MD5: 494322 ebbdc5b738172d4dfc6b25ec39ddfa91

sparc architecture (Sun SPARC/UltraSPARC)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.beta3-3ubuntu5.5_sparc.deb

Size/MD5: 855402 12181c54c433922b9eee15f585a0ae8f

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.beta3-3ubuntu5.5_sparc.deb

Size/MD5: 492088 9d4880192868043bbc62096ea23ac2e0

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.beta3-3ubuntu5.5_sparc.deb

Size/MD5: 462252 5f62fd110c14911bcfb406a84703cb5d

Updated packages for Ubuntu 6.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc2-1ubuntu2.2.diff.gz

Size/MD5: 473084 483a9eb80e9750acdf385ed824056db9

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc2-1ubuntu2.2.dsc

Size/MD5: 900 11dc25bceb20c8e6d6870b53f38bdc3c

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc2.orig.tar.gz

Size/MD5: 1257435 e27a248b2ee224e4618aa2f020150041

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc2-1ubuntu2.2_amd64.deb

Size/MD5: 936296 0ae0d9e4217dae4b910b489670f25a5e

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc2-1ubuntu2.2_amd64.deb

Size/MD5: 387028 dee13d869de26b760f55f2ca79aa9459

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc2-1ubuntu2.2_amd64.deb

Size/MD5: 353208 7f8cd14c0f45fa2d60b81112361e47ea

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc2-1ubuntu2.2_i386.deb

Size/MD5: 833674 a8f0594ac17eaf15b7b8574bed437d8a

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc2-1ubuntu2.2_i386.deb

Size/MD5: 354212 31a82ddd4094a0293bd80e20387e734a

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc2-1ubuntu2.2_i386.deb

Size/MD5: 323498 69cb3e9d2aad06b53627a0da1f2f0cf5

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc2-1ubuntu2.2_powerpc.deb

Size/MD5: 924998 9158a6ee1b882ec64d2e7bd0ad337ebe

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc2-1ubuntu2.2_powerpc.deb

Size/MD5: 385336 9608f3975460aea5cf553d454f6522ff

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc2-1ubuntu2.2_powerpc.deb

Size/MD5: 352020 9facc03f70e9d7ad823ef0ed4b6fc20c

sparc architecture (Sun SPARC/UltraSPARC)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc2-1ubuntu2.2_sparc.deb

Size/MD5: 820528 97f8b26eba76a6351c60f2ff2d02a48d

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc2-1ubuntu2.2_sparc.deb

Size/MD5: 347752 b8ce2d4174b4aefee2ddaa311d0db376

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc2-1ubuntu2.2_sparc.deb

Size/MD5: 316908 d5b9a64f49f61f617e73d6371a3f9ed1

Updated packages for Ubuntu 7.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc17-1ubuntu2.1.diff.gz

Size/MD5: 99862 9bf881b3592e2d48e4b31123fe43563b

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc17-1ubuntu2.1.dsc

Size/MD5: 1099 c657aea243cfbeac420794c0a43bae95

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_1.0.rc17.orig.tar.gz

Size/MD5: 1512386 881bcc7d2c8fba6d337f3e616a602bf7

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc17-1ubuntu2.1_amd64.deb

Size/MD5: 1274644 46145219067be168cfe05961140faabf

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc17-1ubuntu2.1_amd64.deb

Size/MD5: 586540 eac2b3216e1f76c20354c322f3b1bae0

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc17-1ubuntu2.1_amd64.deb

Size/MD5: 552280 cffa97e43063a8c27382b302541cf00b

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc17-1ubuntu2.1_i386.deb

Size/MD5: 1164578 45655df2ab5d68ab09c17a52b286fef5

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc17-1ubuntu2.1_i386.deb

Size/MD5: 554174 33f48b9b7d8639ccb75cbccbaa48e59d

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc17-1ubuntu2.1_i386.deb

Size/MD5: 521498 c7094f9dd1fabcae02f4e535d24c9c7f

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc17-1ubuntu2.1_powerpc.deb

Size/MD5: 1291064 6b55bb639475bcecbf00655ad6cd27ea

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc17-1ubuntu2.1_powerpc.deb

Size/MD5: 590906 6afd3063c2bbe6c46119d7c2bf0114a1

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc17-1ubuntu2.1_powerpc.deb

Size/MD5: 556068 009c76cc27d1812d2abf6d997116e500

sparc architecture (Sun SPARC/UltraSPARC)

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-common_1.0.rc17-1ubuntu2.1_sparc.deb

Size/MD5: 1158070 25978232a1680992b84edc754f9f42e9

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-imapd_1.0.rc17-1ubuntu2.1_sparc.deb

Size/MD5: 549476 d9d6f94295f77b1d42f6775e38475fd1

http://security.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot-pop3d_1.0.rc17-1ubuntu2.1_sparc.deb

Size/MD5: 517012 58f2daca2b94c95c66f30277f8401373

Bugs and Exploits 03-dec

Exploitx — Sat, 03 Dec 2005 22:56:14 +0000

Zen-Cart <= 1.2.6d blind SQL injection / remote commands execution

http://www.exploitx.com/forum/azbb.php?1133649937

PHP-Fusion v6.00.109 SQL Injection and Info. Disclosure

http://www.exploitx.com/forum/azbb.php?1133650018

DMA[2005-1202a] – ’sobexsrv – Scripting/Secure OBEX Server format string vulnerability’

http://www.exploitx.com/forum/azbb.php?1133650100

[Updated] [FLSA-2005:166943] Updated php packages fix security issues

http://www.exploitx.com/forum/azbb.php?1133650166

eXtreme Styles mod <= 2.2.1 Multiple Vulnerabilities

http://www.exploitx.com/forum/azbb.php?1133650298

MDKSA-2005:223 – Updated webmin package fixes format string vulnerability

http://www.exploitx.com/forum/azbb.php?1133650370

[OpenPKG-SA-2005.027] OpenPKG Security Advisory (php)

http://www.exploitx.com/forum/azbb.php?1133650418

MDKSA-2005:222 – Updated mailman packages fix various vulnerabilities

http://www.exploitx.com/forum/azbb.php?1133650461

[OpenPKG-SA-2005.026] OpenPKG Security Advisory (lynx)

http://www.exploitx.com/forum/azbb.php?1133650529

A flaw in Google’s G-Mail system allowed anyone access to any mailbox

Exploitx — Sat, 03 Dec 2005 17:13:48 +0000

This bug has already been corrected, that’s why it’s been published.

In this manual you will see step by step how to exploit Gmail’s
vulnerability, that gave you access to any account, reported by
Anelkaos, colaborator of elhacker.net’s forum and patched by Google by
October 18. Due to the bug’s gravity (that allowed in a few simple steps
to login in any Gmail account), it was decided not to publish this
document while the bug was still active. Motives are more than obvious
because ALL Gmail accounts were vulnerable to the bug.

Google hasn’t declared definitively this topic, and they seem to have no
intention of publishing the bug. The veracity of the failure was
demonstrated to the editors of the Magazine “Seguridad0″, logging into
an account created for that purpose, just as described in

http://www.elistas.net/lista/informativos/archivo/indice/61/msg/79/.

They also “dared” to publish this news in CyruxNET and PCWorld.

The bug was discovered in October 14 and it was patched in October 18
because ANELKAOS decided to conctact GMail instead of publishing the bug
in a list of security, and lamentably we couldn’t do more demos in other
sites that we sent the news, and because we’re not HBX Networks, all the
people claimed for a “hacking’ test”. Thanks to heaven, we have saved
all the mails where Google recognize the failure. .

Unlike the reported by HBX and published by BetaNews last year, this bug
doesn’t require cookie robbery, and because of that, the bug’s danger
was considerably higher.

*PROCEDURE*

This is the way Sirdarckcat (EHN’s user) developed the exploit, although
the original method is easier, the concept is the same one.

Due to the fact that this demonstration was realized against another’s
person account, all data that could bring legal consequences have been
hiden. In AUTH variable goes the ciphered address of the mail’s
propetary, and although we don’t know how to decipher it, we’ve
preferred to hide its values, in case “someone else” could .

First of all, we need two sessions. For that we’ve chosen to use
Internet Explorer and Mozilla. We start the session normally… for
example, in Mozilla..

If we pay attention, we notice that the login screen is now different.
It doesn’t just ask if you’ve forgotten your password, it also asks now
for the user. Too much casualty, isn’t it? That soon and coinciding with
the publishing of the bug’s existence it has changed the authentication
is too much coincidence, isn’t it? We’re talking about 10 days ago .

Well, let’s continue. Now we need some data we’ll modify. For that we
will also iniciate an Internet Explorer session, but we stop the browser
as soon as it says “Loading…”.

We simply look at the source code and we save the value of the “ver”
variable, that we will need later.

Then we allow the page to continue loading, and we look the direction of
the inbox, that we can see by pressing right clicking, and then Properties.

We will need the “zx” variable, and we save it.

Now we go to ‘mail/?username=victim&zx=[zx Variable]‘

And we stop the charging of the page just when it stops Loading,
getting inside:

We stop again the browser, and we look at the source code.

Here we have the code of AUTH that we need to initiate session as our
victim, but our cookie disagree (not the same).

We take a look inside the cookie, and we change the value of “ID” for
the one we got in the “ver” variable we got before, this what surprising
does is to return a valid value! It doesn’t have related information,
why does that happen? Who knows…

GMail confirms that it’s well ciphered, and completes correctly all the
rules. Nevertheless, even the content is not related, it doesn’t return
an error.

Once modified the cookie, in the Explorer session, we enter into the
following page:

http://mail.google.com/mail?gxlu=victim&zx=[zx Variable]

In this moment we haven’t already started the session, we’ve just
associated with the victim’s account.

So we go to: www.google.com/accounts/ServiceLoginAuth
.

And it sends you to:

mail.google.com/mail/?auth= [CODIGO auth]

At this point all we have to do is to modify the values of the cookie
that will expire… At least we give it 1 minute of life.

We enter mail.google.com/mail/?&&rm=false&null=Entrar&continue

We stop the loading because if we don’t, Google is going to close our
session, so we write:

javascript:document.cookie+=”;expires=Thu,%2001%20Jan%202070%2000:00:00%20GMT”;

Once extended the cookie’s life, we enter
http://mail.google.com/mail/?auth=[AUTH Code]

And we start the session as the victim.

Complete access, of course .

*GOODBYE AND CLOSE.*

OK, it’s a Beta version, and they don’t have to report anything. But if
they would have recognized it and published a thank you note, this
information wouldn’t had been published. We have 3 ways to get to the
same result, the others 2 are quite easier, and because of that easily
we can deduce that it’s a multibug, and a design error. With all these
clues, they will not take too much to discover new methods.

Source

http://www.indian-hackers.net

Related hyperlinks

http://www.elistas.net/lista/informativos/archivo/indice/61/msg/79/

Google Talk cleartext credentials in process memory

Exploitx — Wed, 30 Nov 2005 20:30:37 +0000

Title: Google Talk Beta Messenger cleartext credentials in process memory

Affected versions: 1.0.0.64 (this version is believed to be the first one released to the public)

Vendor contacted: 25/08/05

Patched version released: 29/08/05

Advisory released: 28/11/05

Author: pagvac (Adrian Pastor)

Homepage: www.ikwt.com – In Knowledge We Trust

Advisory URL: www.adrianpv.com/projects/google-talk-cleartext-credentials-in-process-memory.txt

Description

Google Talk stores all user credentials (username and password) in clear-text in the process memory. Such vulnerability was found on August 25, 2005 (two days after the release of Google Talk) and has already been patched by Google.

This issue would occur regardless of whether the “Save Password” feature was enabled or not.

It was noticed that the Google Talk client was loading all the credentials unencrypted in the memory of the process “googletalk.exe”. It was possible to recover the password by dumping the process memory to a file with PMDump and which could then examined with a hex editor.

The vulnerability would allow anyone with access to the client system to obtain the username and password of the current user. This vulnerability could also be exploited by fooling the user to execute malicious code which would dump the memory of the process “googletalk.exe” and then parse the credentials and finally send them to the attacker.

It is also worth mentioning that sometimes, no direct user interaction is required for the execution of malicious code. Crackers often exploit vulnerabilities in web browsers and email clients that allow them to execute malicious code on the victim’s machine without requiring the victim to manually execute the trojaned executable. This means that given the right scenario, this vulnerability could have been exploited in such a way.

References

PMDump – http://ntsecurity.nu/toolbox/pmdump/
Free Hex Editor – http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm
Google Talk – http://www.google.com/talk/