More : http://www.exploit-db.com/exploits/17612/
# ITS ©
# 2009 - 2011
Oct 30, 2011
Mozilla Firefox Array.reduceRight() Vulnerability
More : http://www.exploit-db.com/exploits/17612/
# ITS ©
# 2009 - 2011
Oct 28, 2011
Facebook Attach EXE Vulnerability
----------------------------------------------------------------------------------------------------------------------------------------
1. Summary:
When using the Facebook 'Messages' tab, there is a feature to attach a file. Using this feature normally, the site won't allow a user to attach an executable file. A bug was discovered to subvert this security mechanisms. Note, you do NOT have to be friends with the user to send them a message with an attachment.
----------------------------------------------------------------------------------------------------------------------------------------
2. Description:
When attaching an executable file, Facebook will return an error message stating:
"Error Uploading: You cannot attach files of that type."
When uploading a file attachment to Facebook we captured the web browsers POST request being sent to the web server. Inside this POST request reads the line:
Content-Disposition: form-data; name="attachment"; filename="cmd.exe"
It was discovered the variable 'filename' was being parsed to determine if the file type is allowed or not.
To subvert the security mechanisms to allow an .exe file type, we modified the POST request by appending a space to our filename variable like so:
filename="cmd.exe "
This was enough to trick the parser and allow our executable file to be attached and sent in a
message.
----------------------------------------------------------------------------------------------------------------------------------------
3. Impact:
Potentially allow an attacker to compromise a victim’s computer system.
----------------------------------------------------------------------------------------------------------------------------------------
4. Affected Products:
www.facebook.com
----------------------------------------------------------------------------------------------------------------------------------------
5. Time Table:
09/30/2011 Reported Vulnerability to the Vendor
10/26/2011 Vendor Acknowledged Vulnerability
10/27/2011 Publicly Disclosed
----------------------------------------------------------------------------------------------------------------------------------------
6. Credits:
Discovered by Nathan Power
www.securitypentest.com
----------------------------------------------------------------------------------------------------------------------------------------
# ITS ©
# 2009 - 2011
Oct 8, 2011
Clickjacking for Shells
Andrew Horton (urbanadventurer) presented Clickjacking for Shells at the OWASP Wellington, New Zealand Chapter Meeting on September 20th, 2011.
Two years after the world was warned about clickjacking, popular web apps are still vulnerable and no web app exploits have been published. With many security pros considering clickjacking to have mere nuisance value on social networks, the attack is grossly underestimated. I will demonstrate step by step how to identify vulnerable applications, how to write exploits that attack web apps and also how to protect against clickjacking. To demonstrate this issue I will publish an 0day clickjacking exploit for WordPress v3.1.2 and earlier to gain a shell on the webserver. In May this year the tech media reported and speculated upon clickjacking protection being implemented in WordPress and now I will show you why it is so important.
# ITS © # 2009 - 2011
Feb 16, 2011
Feb 8, 2011
XSS Shell Zombie Manager
XSS Shell is powerful a XSS backdoor and zombie manager. This concept first presented by "XSS-Proxy - http://xss-proxy.sourceforge.net/". Normally in XSS attacks attacker has one shot, in XSS Shell you can interactively send requests and get responses from victim. you can backdoor the page.
You can steal basic auth, you can bypass IP restrictions in administration panels, you can DDoS some systems with a permanent XSS vulnerability etc. Attack possibilities are limited with ideas. Basically this tool demonstrates that you can do more with XSS.
You can steal basic auth, you can bypass IP restrictions in administration panels, you can DDoS some systems with a permanent XSS vulnerability etc. Attack possibilities are limited with ideas. Basically this tool demonstrates that you can do more with XSS.
# ITS ©
# 2009 - 2011
Jan 11, 2011
Metasploit and VNC Password Bruteforcing
You probably missed it but jduck recently snuck in a VNC mixin and vnc_login module to the trunk.
This is awesome because before that I had to use Immunity's VAAseline to do VNC bruteforcing. But now you can just use vnc_login.
So the scenario is you find yourself on the other end of a VNC server.
Its tedious to password guess like this
Instead let's use the metasploit module
and throw a dictionary attack against the VNC server
Looks like the VNC no auth module had been ported and stuck in there too :-)
# ITS ©
# 2009 - 2011
This is awesome because before that I had to use Immunity's VAAseline to do VNC bruteforcing. But now you can just use vnc_login.
So the scenario is you find yourself on the other end of a VNC server.
Its tedious to password guess like this
Instead let's use the metasploit module
and throw a dictionary attack against the VNC server
Looks like the VNC no auth module had been ported and stuck in there too :-)
# 2009 - 2011
Subscribe to:
Posts (Atom)