From coley at linus.mitre.org  Mon Jun  1 17:43:26 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon, 1 Jun 2009 13:43:26 -0400 (EDT)
Subject: [VIM] Flax Article Manager SQL injection explanation

http://www.milw0rm.com/exploits/8800

This is labeled as SQL injection but the cookie is merely being set to
some URL-encoded value ",21232f297a57a5a743894a0e4a801fc3", then the "2/"
portion of the exploit implies that you effectively need to know the ID
and password already.  Anybody know what's going on here?  (BTW the
product link is at http://www.flaxweb.com/products/articles)

- Steve


From str0ke at milw0rm.com  Mon Jun  1 18:04:05 2009
From: str0ke at milw0rm.com (str0ke)
Date: Mon, 01 Jun 2009 13:04:05 -0500
Subject: [VIM] Flax Article Manager SQL injection explanation
Message-ID: <4A241815.5060601@milw0rm.com>

It's bunk, throwing it into null vill.

Steven M. Christey wrote:
> http://www.milw0rm.com/exploits/8800
>
> This is labeled as SQL injection but the cookie is merely being set to
> some URL-encoded value ",21232f297a57a5a743894a0e4a801fc3", then the "2/"
> portion of the exploit implies that you effectively need to know the ID
> and password already.  Anybody know what's going on here?  (BTW the
> product link is at http://www.flaxweb.com/products/articles)
>
> - Steve


From str0ke at milw0rm.com  Fri Jun  5 16:10:38 2009
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 05 Jun 2009 11:10:38 -0500
Subject: [VIM] [Fwd: LightOpenCMS 0.1 pre-alpha Remote SQL Injection]
Message-ID: <4A29437E.1080807@milw0rm.com>

Seems this vulnerability was already found.

http://milw0rm.com/exploits/8724

-------------- next part --------------
An embedded message was scrubbed...
From: "Salvatore \"drosophila\" Fresta"
Subject: LightOpenCMS 0.1 pre-alpha Remote SQL Injection
Date: Fri, 5 Jun 2009 15:38:17 +0200
Size: 5422
Url: http://www.attrition.org/pipermail/vim/attachments/20090605/fed1f8f0/attachment.eml


From coley at linus.mitre.org  Wed Jun 10 17:36:15 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 10 Jun 2009 13:36:15 -0400 (EDT)
Subject: [VIM] IIS WebDav Vulnerability CVE ID
In-Reply-To: <22b0e07b0905210901j52a9cfddredc049fab6d5ddf9@mail.gmail.com>
References: <22b0e07b0905210901j52a9cfddredc049fab6d5ddf9@mail.gmail.com>

Hi,

Just to confirm, these are duplicate IDs - they were assigned on the same
day, independently, by both MITRE and Microsoft.  Please use
CVE-2009-1535; we're rejecting CVE-2009-1676.  See below.

- Steve

======================================================
Name: CVE-2009-1535
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1535
Reference: FULLDISC:20090515 IIS6 + webdav and unicode rides again in 2009
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2009-05/0135.html
Reference: FULLDISC:20090515 Re: IIS6 + webdav and unicode rides again in 2009
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2009-05/0144.html
Reference: FULLDISC:20090515 Re: IIS6 + webdav and unicode rides again in 2009
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2009-05/0139.html
Reference: MISC:http://archives.neohapsis.com/archives/fulldisclosure/2009-05/att-0135/IIS_Advisory.pdf
Reference: MISC:http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html
Reference: MISC:http://isc.sans.org/diary.html?n&storyid=6397
Reference: MISC:http://view.samurajdata.se/psview.php?id=023287d6&page=1

The WebDAV extension in Microsoft Internet Information Services (IIS) 5.1
and 6.0 allows remote attackers to bypass URI-based protection mechanisms,
and list folders or read, create, or modify files, via a %c0%af (Unicode /
character) at an arbitrary position in the URI, as demonstrated by
inserting %c0%af into a "/protected/" initial pathname component to bypass
the password protection on the protected\ folder, aka "IIS 5.1 and 6.0
WebDAV Authentication Bypass Vulnerability."

======================================================
Name: CVE-2009-1676
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1676

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: CVE-2009-1535.
Reason: This candidate is a duplicate of CVE-2009-1535.
Notes: All CVE users should reference CVE-2009-1535 instead of this
candidate.  All references and descriptions in this candidate have been
removed to prevent accidental usage.


From sanhill at us.ibm.com  Wed Jun 10 17:39:44 2009
From: sanhill at us.ibm.com (Sandra Hill)
Date: Wed, 10 Jun 2009 13:39:44 -0400
Subject: [VIM] IIS WebDav Vulnerability CVE ID

Hey Steve,
what about CVE-2009-1122?  Is it a duplicate of CVE-2009-1535 also?

Sandra Hill
Security Analyst, X-Force Database Team
Direct: +1 (404) 236 3297
Mail: sanhill at us.ibm.com
Web: www.ibm.com / www.iss.net
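The %c0%af bypass in the CVE-2009-1535 text above is an overlong UTF-8 encoding of the "/" character. The following is an added detection example, not code from this thread or from Microsoft: it flags overlong sequences in percent-encoded request URIs and runs over constructed IIS-style log lines.

```python
"""Flag overlong UTF-8 sequences (e.g. %c0%af for '/') in request URIs.

Added example for the CVE-2009-1535 entry above; not code from the thread
or from Microsoft.  The IIS-style log lines below are constructed.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed log lines: date time method uri status (not real traffic).
SAMPLE_LOG = """\
2009-05-15 10:01:02 PROPFIND /protected/ 401
2009-05-15 10:01:03 PROPFIND /prot%c0%afected/ 207
2009-05-15 10:01:04 GET /public/index.html 200
2009-05-15 10:01:05 GET /%e0%80%af..%e0%80%afprotected/ 404
2009-05-15 10:01:06 GET /caf%c3%a9/menu.html 200
"""

def _cont(raw, i, count):
    """True if raw[i:i+count] are all UTF-8 continuation bytes (10xxxxxx)."""
    return len(raw) >= i + count and all(0x80 <= b < 0xC0 for b in raw[i:i + count])

def overlong_sequences(raw):
    """Return (offset, bytes, decoded_char) for each overlong UTF-8 sequence.

    A sequence is overlong when a code point is encoded with more bytes than
    it needs (lead byte C0/C1, or E0 / F0 with a too-small second byte).  A
    strict decoder rejects it; a lenient one maps C0 AF to '/', which is how
    the "/protected/" check described in the CVE entry is sidestepped.
    """
    found = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and _cont(raw, i + 1, 1):
            cp = ((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            found.append((i, bytes(raw[i:i + 2]), chr(cp)))
            i += 2
        elif b == 0xE0 and _cont(raw, i + 1, 2) and raw[i + 1] < 0xA0:
            cp = ((raw[i + 1] & 0x3F) << 6) | (raw[i + 2] & 0x3F)
            found.append((i, bytes(raw[i:i + 3]), chr(cp)))
            i += 3
        elif b == 0xF0 and _cont(raw, i + 1, 3) and raw[i + 1] < 0x90:
            cp = ((raw[i + 1] & 0x3F) << 12) | ((raw[i + 2] & 0x3F) << 6) | (raw[i + 3] & 0x3F)
            found.append((i, bytes(raw[i:i + 4]), chr(cp)))
            i += 4
        else:
            i += 1
    return found

LOG_RE = re.compile(r"^\S+ \S+ (?P<method>\S+) (?P<uri>\S+) (?P<status>\d+)$")

def scan_log(text):
    """Return (line_no, method, uri, decoded) for lines whose URI is overlong-encoded."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        seqs = overlong_sequences(unquote_to_bytes(m["uri"]))
        if seqs:
            hits.append((line_no, m["method"], m["uri"], "".join(c for _, _, c in seqs)))
    return hits

if __name__ == "__main__":
    for line_no, method, uri, decoded in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {method} {uri} contains overlong encoding of {decoded!r}")
```

Valid multi-byte characters such as %c3%a9 are not flagged; only encodings that a strict UTF-8 decoder would reject are reported.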
From coley at linus.mitre.org  Thu Jun 11 17:09:41 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 11 Jun 2009 13:09:41 -0400 (EDT)
Subject: [VIM] IIS WebDav Vulnerability CVE ID

On Wed, 10 Jun 2009, Sandra Hill wrote:

> Hey Steve,
> what about CVE-2009-1122?  Is it a duplicate of CVE-2009-1535 also?

It's not immediately clear.  I would expect that Microsoft wouldn't assign
duplicate identifiers to the same core issue, but on the surface, the only
main difference is the IIS versions.  They might have done a split because
of different versions and/or different exploit conditions, but that would
be an improper split; or, maybe it's a different attack entirely, in which
case having separate CVEs would be appropriate.

I'll investigate with them and get back to you.

- Steve


From coley at linus.mitre.org  Thu Jun 11 20:27:35 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 11 Jun 2009 16:27:35 -0400 (EDT)
Subject: [VIM] Why are SE38042 and SE38043 APARs related to security?

Could anybody explain to me why Secunia, Vupen, SecurityFocus, and ISS all
created vulnerability database entries for APARs SE38042/SE38043 when
neither of these APARs mentions anything about security at all?  I don't
see any ties to any "parent" document that says these are security
patches.

Am I missing something obvious?  We only have two APARs of the form
"SEnnnnn" in all of CVE.

We're going to create a CVE for it since everybody else is talking about
it, but it makes me really queasy.  We all have enough problems without
labeling references as security issues when they don't even use the word,
where the only content is "XML Update."

Thanks for any clarification,
Steve


From rkeith at securityfocus.com  Thu Jun 11 20:43:02 2009
From: rkeith at securityfocus.com (Rob Keith)
Date: Thu, 11 Jun 2009 14:43:02 -0600
Subject: [VIM] Why are SE38042 and SE38043 APARs related to security?
Message-ID: <4A316C56.7020207@securityfocus.com>

Hey Steve,

When we first saw those two APARs they had Security in the title:

SE38042 - JVA-RUN JDK6.0 XML SECURITY PATCH IBM
SE38043 - JVA-RUN JDK6.0 XML SECURITY PATCH IBM

They've obviously been updated since then.  Perhaps it was a mistake
initially, or...  If it's shown that there is no security impact we will
retire the BID.

-Rob

Steven M. Christey wrote:
> Could anybody explain to me why Secunia, Vupen, SecurityFocus, and ISS all
> created vulnerability database entries for APARs SE38042/SE38043 when
> neither of these APARs mentions anything about security at all?  I don't
> see any ties to any "parent" document that says these are security
> patches.
>
> Am I missing something obvious?  We only have two APARs of the form
> "SEnnnnn" in all of CVE.
>
> We're going to create a CVE for it since everybody else is talking about
> it, but it makes me really queasy.  We all have enough problems without
> labeling references as security issues when they don't even use the word,
> where the only content is "XML Update."
>
> Thanks for any clarification,
> Steve

--
Rob Keith
Symantec


From ascii at katamail.com  Sat Jun 13 11:47:13 2009
From: ascii at katamail.com (ascii)
Date: Sat, 13 Jun 2009 13:47:13 +0200
Subject: [VIM] SugarCRM 5.2.0e Remote Code Execution
Message-ID: <4A3391C1.4000208@katamail.com>

SugarCRM 5.2.0e Remote Code Execution

Name              Remote Code Execution in SugarCRM
Systems Affected  Sugar CRM 5.2.0e and possibly earlier versions
Severity          High
Impact (CVSSv2)   High 8/10, vector: (AV:N/AC:L/Au:S/C:P/I:C/A:P)
Vendor            http://www.sugarcrm.com
Advisory          http://www.ush.it/team/ush/hack-sugarcrm_520e/adv.txt
Authors           Antonio "s4tan" Parata (s4tan AT ush DOT it)
                  Francesco "ascii" Ongaro (ascii AT ush DOT it)
                  Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)
Date              20090613

I. BACKGROUND

From the SugarCRM web site: "Sugar Express is designed for individuals and
small companies.  Core CRM features help employees get on the same page
while more complex functionality is stripped away.  Sugar Express is ideal
for providing a single view of the customer from the initial marketing
campaign through the sales cycle and on to customer support.  With Sugar
Express, companies have a single system of truth for managing customer
interactions."

II. DESCRIPTION

A Remote Code Execution Vulnerability exists in SugarCRM software.

III. ANALYSIS

Summary: A Remote Code Execution issue has been found in SugarCRM version
5.2.0e.  In order to exploit this vulnerability an account on the system
is required.

The vulnerability resides in the "Compose Email" section.  The software
permits sending email with attachments (if not disabled by the
administrator).  When the name of the file is specified, a validation
routine is called:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
function safeAttachmentName($filename)
{
    global $sugar_config;
    $badExtension = false;

    //get position of last "." in file name
    $file_ext_beg = strrpos($filename, ".");
    $file_ext = "";

    //get file extension
    if($file_ext_beg > 0) {
        $file_ext = substr($filename, $file_ext_beg + 1);
    }

    //check to see if this is a file with extension located in "badext"
    foreach($sugar_config['upload_badext'] as $badExt) {
        if(strtolower($file_ext) == strtolower($badExt)) {
            //if found, then append with .txt and break out of lookup
            $filename = $filename . ".txt";
            $badExtension = true;
            break; // no need to look for more
        } // if
    } // foreach

    return $badExtension;
}
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

This routine checks if the extension of the filename is blacklisted; if
so, the ".txt" extension is appended to the filename.  However there is a
coding error: the function assumes that the filename (extension excluded)
is at least one char long.  This assumption is derived from the statement:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
if($file_ext_beg > 0)
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Of course this is a bad assumption: if we set the whole filename to ".php"
then the check is skipped and a void extension is assumed.  Because void
extensions are not in the blacklist, no further extension is added to the
filename.

After this check a file is created on the filesystem in the form "".
Where "id" is an alphanumeric string.  With the trick illustrated we are
able to create a file with ".php" extension.  To do this upload a new file
attachment and set the filename to ".php".  After this the attacker has to
find the name of the file that was uploaded in the attachment list files.
To obtain the real filename look in the HTML response for a string like:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The real filename in this case is
"6e25aba0-9dc4-2a57-8bae-4a1317b35d47.php".

Now the attacker has to find the directory where the file resides.  Again
searching the HTML page for the attribute "assigned_user_id" reveals the
needed information:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

At this point the attacker has all the information to invoke the uploaded
file.

Filename: 6e25aba0-9dc4-2a57-8bae-4a1317b35d47.php
Assigned user id: abf7c77b-2f71-8071-63ba-4a131068e9a2

To directly request it issue a request to:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
http://www.example.com/cache/modules/Emails/abf7c77b-2f71-8071-63ba-4a131068e9a2/6e25aba0-9dc4-2a57-8bae-4a1317b35d47.php
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

As a final note: if the user is "administrator", "assigned_user_id" is
always "1".

IV. DETECTION

SugarCRM 5.2.0e and possibly earlier versions are vulnerable.

V. WORKAROUND

Upgrade to the latest version, 5.2.0f.

VI. VENDOR RESPONSE

"We have fixed the issue and will be shipping the patch on June 12th.  We
will be doing a full pass of quality assurance in this area to ensure that
no other issues crop up around file uploads.  The fix involves modifying
the code that handles uploads for email attachments to save the files
using just a GUID rather than the original file name.  This is similar to
how uploads are handled elsewhere in the application and should prevent
the code from being executable on the server side."

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20090519 Bug discovered
20090528 First vendor contact
20090528 Vendor response
20090530 Vendor confirms the vulnerability
20090602 Vendor proposes a possible fix and patch release
20090612 Vendor released SugarCRM 5.2.0f (vulnerability fixed)
20090613 Advisory released

IX. CREDIT

Antonio "s4tan" Parata, Francesco "ascii" Ongaro and Giovanni "evilaliv3"
Pellerano are credited with the discovery of this vulnerability.

Antonio "s4tan" Parata
web site: http://www.ush.it/
mail: s4tan AT ush DOT it

Francesco "ascii" Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it

Giovanni "evilaliv3" Pellerano
web site: http://www.ush.it/, http://www.evilaliv3.org/
mail: evilaliv3 AT ush DOT it

X. LEGAL NOTICES

Copyright (c) 2009 Francesco "ascii" Ongaro

Permission is granted for the redistribution of this alert
electronically.  It may not be edited in any way without my express
written consent.  If you wish to reprint the whole or any part of this
alert in any other medium other than electronically, please email me for
permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information.  Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information.  Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, this
information.


From coley at linus.mitre.org  Tue Jun 16 23:29:09 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 16 Jun 2009 19:29:09 -0400 (EDT)
Subject: [VIM] IIS WebDav Vulnerability CVE ID

On Wed, 10 Jun 2009, Sandra Hill wrote:

> what about CVE-2009-1122?  Is it a duplicate of CVE-2009-1535 also?

They're both directory traversal in WebDAV, but Microsoft recently
confirmed to me that they are distinct problems.  No other details were
provided.

- Steve


From jpbradle at us.ibm.com  Wed Jun 17 00:05:36 2009
From: jpbradle at us.ibm.com (John P Bradley)
Date: Tue, 16 Jun 2009 20:05:36 -0400
Subject: [VIM] John P Bradley is out of the office.

I will be out of the office starting 06/15/2009 and will not return until
06/22/2009.

I will respond to your message when I return.


From str0ke at milw0rm.com  Wed Jun 17 14:05:14 2009
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 17 Jun 2009 09:05:14 -0500
Subject: [VIM] John P Bradley is out of the office.
Message-ID: <4A38F81A.6010004@milw0rm.com>

lol VIM has grown to the point where it needs "out of the office"
filtering :)

/str0ke

John P Bradley wrote:
>
> I will be out of the office starting 06/15/2009 and will not return
> until 06/22/2009.
>
> I will respond to your message when I return.
>


From theall at tenablesecurity.com  Thu Jun 18 02:10:51 2009
From: theall at tenablesecurity.com (George A. Theall)
Date: Wed, 17 Jun 2009 22:10:51 -0400
Subject: [VIM] CVE-2009-1392 vs CVE-2009-2043

Steve or anyone in the know...

isn't the issue covered by CVE-2009-2043 / BID 35413 just one of those
covered by MFSA-2009-24 / CVE-2009-1392 / BID 35370?  Both reference
https://bugzilla.mozilla.org/show_bug.cgi?id=490425 from what I can see.
If so, will you be creating entries for the other memory corruption
issues covered by MFSA-2009-24?

George
--
theall at tenablesecurity.com


From coley at linus.mitre.org  Fri Jun 26 00:44:32 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 25 Jun 2009 20:44:32 -0400 (EDT)
Subject: [VIM] false? AN Guestbook LFI

Researcher: CraCkEr

http://www.milw0rm.com/exploits/9013


The source code for 0.7.8 says:

  if (__FILE__ == $_SERVER['SCRIPT_FILENAME'])
      die("This file cannot be executed directly");
  include_once ("languages/$g_lang");

which seems to prevent direct request in my environment.

This code is in 0.7 as well.  The file doesn't exist in 0.6.

- Steve


From str0ke at milw0rm.com  Fri Jun 26 15:43:48 2009
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 26 Jun 2009 10:43:48 -0500
Subject: [VIM] false? AN Guestbook LFI
Message-ID: <4A44ECB4.8030203@milw0rm.com>

Ya false on this one, removed from the front end.

Steven M. Christey wrote:
> Researcher: CraCkEr
>
> http://www.milw0rm.com/exploits/9013
>
>
> The source code for 0.7.8 says:
>
>   if (__FILE__ == $_SERVER['SCRIPT_FILENAME'])
>       die("This file cannot be executed directly");
>   include_once ("languages/$g_lang");
>
> which seems to prevent direct request in my environment.
>
> This code is in 0.7 as well.  The file doesn't exist in 0.6.
>
> - Steve
>
>
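Returning to the SugarCRM safeAttachmentName() flaw in the ush.it advisory earlier in this archive: the following is an added example (a Python re-implementation, not SugarCRM's own code) showing the 5.2.0e extension check beside a corrected one and the GUID-only storage the vendor's response describes. BAD_EXTENSIONS is a constructed stand-in for $sugar_config['upload_badext'].

```python
"""The safeAttachmentName() extension check from the SugarCRM advisory,
re-implemented in Python beside a corrected version and the GUID-only
storage the vendor describes.  Added example, not SugarCRM's code;
BAD_EXTENSIONS is a constructed stand-in for $sugar_config['upload_badext'].
"""
import uuid

BAD_EXTENSIONS = ["php", "php3", "php4", "php5", "phtml", "pl", "cgi", "exe"]  # constructed

def _blacklisted(ext):
    """Case-insensitive lookup, as strtolower() on both sides does in the PHP."""
    return ext.lower() in (e.lower() for e in BAD_EXTENSIONS)

def vulnerable_safe_name(filename):
    """Mirror of the 5.2.0e logic; returns the name that would be kept.

    strrpos() > 0 only treats a dot *after* the first character as an
    extension separator, so ".php" gets a "void" extension and passes.
    """
    dot = filename.rfind(".")
    ext = filename[dot + 1:] if dot > 0 else ""
    return filename + ".txt" if _blacklisted(ext) else filename

def fixed_safe_name(filename):
    """Corrected check: a dot at position 0 still starts an extension."""
    dot = filename.rfind(".")
    ext = filename[dot + 1:] if dot >= 0 else ""
    return filename + ".txt" if _blacklisted(ext) else filename

def store_attachment(user_id, original_name, guid=None):
    """Vendor-style fix: the on-disk name is a GUID with no extension at all.

    The original name is kept only as metadata, so the server never sees a
    user-chosen extension on disk.  Path layout follows the advisory
    (cache/modules/Emails/<assigned_user_id>/<file>).
    """
    guid = guid or str(uuid.uuid4())
    on_disk = f"cache/modules/Emails/{user_id}/{guid}"
    return on_disk, {"guid": guid, "original_name": original_name}

def compare(names):
    """Side-by-side result of the old and corrected check for each name."""
    return {n: (vulnerable_safe_name(n), fixed_safe_name(n)) for n in names}

if __name__ == "__main__":
    samples = ["shell.php", ".php", "shell.PHP", "notes", "report.pdf"]
    for name, (old, new) in compare(samples).items():
        flag = "  <-- bypass in 5.2.0e" if old != new else ""
        print(f"{name!r:14} 5.2.0e: {old!r:16} fixed: {new!r}{flag}")
    path, meta = store_attachment("abf7c77b-2f71-8071-63ba-4a131068e9a2", ".php")
    print(f"stored as {path} (original name kept as metadata: {meta['original_name']!r})")
```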