Author: Nydia.Oniel
Date: Aug 14, 2008 14:48
http://brigade.googlebong.com
Diane Vonner GoogleBong
Author: iDefense Labs
Date: Jan 15, 2008 11:12
iDefense Security Advisory 01.15.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 15, 2008
I. BACKGROUND
TIBCO SmartSockets is a message passing framework used to transport
messages over disparate channels. The RTserver is the server component
of the framework. More information can be found on the vendor's web
site at the following URL.
http://www.tibco.com/software/messaging/smartsockets/
II. DESCRIPTION
Remote exploitation of multiple untrusted pointer offset vulnerabilities
in TIBCO Software Inc.'s SmartSockets RTserver may allow an attacker to
crash the service or execute arbitrary code with SYSTEM privileges.
When processing requests, SmartSockets uses values from the requests as
offsets added to valid pointers. The resulting pointer values are then
used in various memory operations. Since attackers can control these
offset values, potentially exploitable conditions arise.
III. ANALYSIS
Author: security-alert
Date: Jan 15, 2008 06:10
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01325239
Version: 1
HPSBST02304 SSRT080003 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-001 to MS08-002
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-01-14
Last Updated: 2008-01-14
Potential Security Impact: Please check the table below
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Various potential security vulnerabilities have been identified in Microsoft software that is running on the Storage Management Appliance (SMA). Some of these vulnerabilities may be pertinent to the SMA; please check the table in the Resolution section of this Security Bulletin.
References: MS08-001, MS08-002.
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Storage Management Appliance v2.1 Software running on:
Storage Management Appliance I
Storage Management Appliance II
Storage Management Appliance III
Author: José M. Palazón Romero
Date: Jan 14, 2008 22:01
The attached exploit demonstrates that the WordPress SpamBam plugin can
be bypassed due to relying on the client for security.
Vulnerable software:
SpamBam (http://wordpress.org/extend/plugins/spambam/) by Gareth Heyes
Vulnerability:
No matter how hard you obfuscate or encrypt your code, never, under any
circumstances, rely on the client for any security aspect. Never!
How the plugin works:
It generates a pseudo-random code both on the client and the server to
generate a key.
On form submit, both key values are checked and they should match to
allow comment insertion.
How the exploit works:
It does nothing but act as a client. It parses the HTML, extracts
the JavaScript, processes it to calculate the key and fills the hidden
field with it.
Solution:
There's no fix for this. It's a design flaw.
#!/usr/bin/perl -w
Author: Denis
Date: Jan 14, 2008 21:16
This is a very serious new threat affecting Linux servers and thousands
of boxes have been compromised since December 2007.
Each box serving the nasty javascript has been rooted. One person has
found a way to CLEAN the infection (i.e. stop your server from serving
the bad javascript), however not the root hole, i.e. the servers in
question are still rooted as nobody so far has found what hole is being
exploited to gain root access in the first place.
See the following urls for a lot more info on this exploit:
http://www.webhostingtalk.com/showthread.php?t=651748 (useful discussion
starts on page 3 or so)
http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/
Time for some honey pot action to find out how they're gaining root
access to begin with. From all reports so far it does not appear to be a
kernel vulnerability (as some of the affected servers were using latest
kernels)
Cheers,
Denis
On Sun, 13 Jan 2008 21:31:34 +0530
"crazy frog crazy frog" gmail.com> wrote:
Author: Luigi Auriemma
Date: Jan 14, 2008 06:56
Marcello Barnaba (void) wrote:
> By the way, even with "Transport setup" -> "Automatic", the software
> doesn't crash nor loops after reading the HTTP payload
A hypothesis is a possible different behaviour depending on the version
of Mac OS, probably bypassable using a modified proof-of-concept or just
not at all.
I have found the following post (in french) which reports a detailed
test made using the latest version of Quicktime on Mac OS X 10.4.11 PPC
and Mac OS X 10.5.1 Intel:
http://forum.macbidouille.com/index.php?act=ST&f=8&t=251685#entry2512134
On both platforms the code flow has pointed to the return address
specified in the proof-of-concept (on PPC 0x01010119 is just the 0x01
sequence of bytes which was in my PoC before the 'A' sequence).
Anyway this mail is also for pointing out a new
customizable proof-of-concept which I wrote yesterday and that
can be used to fully execute code remotely after having passed the
needed valid parameters (my PoC doesn't contain shellcodes, it must be
provided as an external file in the classical C/Perl/hexadecimal format
like, for example, those available on The Metasploit Project):
Author: S21sec labs
Date: Jan 12, 2008 07:30
##############################################################
- S21Sec Advisory -
##############################################################
Title: Safari 2 Denial of Service
ID: S21SEC-039-en
Severity: Medium - Remote DoS
History: 15.Jul.2007 Vulnerability discovered
         22.Jul.2007 Vendor contacted
         27.Jul.2007 Vendor confirmed the vulnerability
         26.Oct.2007 Safari 3 in Leopard
         14.Nov.2007 Safari 3 in Tiger
Scope: Remote Denial of Service
Platforms: MacOSX
Author: David Barroso (dbarroso@ s21sec.com)
URL: http://www.s21sec.com/avisos/s21sec-039-en.txt
Release: Public
[ SUMMARY ]
Author: Luigi Auriemma
Date: Jan 12, 2008 05:33
> Uhmmm I imagine you are the same Marcello of yesterday, right?
> ...
Rationally my mail didn't want to be a personal attack, unfortunately
yesterday when I wrote it I was a bit stressed due to various things
including the tests I did for solving the doubts raised in the previous
mails.
So please don't consider the first line and the last paragraphs of my
yesterday's mail because they are non-technical and moreover non-rational.
Right or not, light or weight, nothing on a security mailing list should
be outside the technical matters, moreover if there is no real reason to
reply in a certain way to who simply did a personal test.
---
Luigi Auriemma
http://aluigi.org
Author: security
Date: Jan 11, 2008 17:19
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2008:011
http://www.mandriva.com/security/
_______________________________________________________________________
Package : rsync
Date : January 11, 2008
Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0
_______________________________________________________________________
Problem Description:
rsync before 3.0.0pre6, when running a writable rsync daemon that is
not using chroot, allows remote attackers to access restricted files
via unknown vectors that cause rsync to create a symlink that points
outside of the module's hierarchy. (CVE-2007-6199)