Advisories

A stands for Advisories, that’s good enough for me.

Trustwave’s WebDefend console software has static MySQL database passwords embedded in its binary files, which leads to a compromise of sensitive information.

For the latest advisory Click Here

Below are the steps that led up to the discovery of this low hanging fruit:

  • I first started by using tcpdump to capture traffic between the appliance and a workstation running the console software.
  • When using the console software to log in, I noticed the authentication was done over port 5000. After I logged in, the console software started to load data over MySQL port 3306. What I found interesting was that all the SQL traffic was getting initiated by the workstation. At this point I wanted to know how the workstation was able to log in to the MySQL server on the appliance.
  • By using several Sysinternals tools on the workstation, I was able to determine which binary files the console software was using when the SQL connection got initiated.
  • I then used a combination of strings and IDA Pro to search through the binaries for the SQL login and bingo, found it!
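
The weakness found in the last step can be caught before a client ships. The following is an added example, not code from the original post or from the vendor: a release-audit check that pulls ASCII and UTF-16LE strings out of a binary and flags connection strings carrying a literal password. The key names, the placeholder patterns and the sample bytes are assumptions constructed for illustration.

```python
import re

# Printable-ASCII runs (what `strings` reports) and the UTF-16LE runs that
# Windows binaries commonly use for the same text.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Keys that carry a secret in connection strings; the key names are
# assumptions covering common MySQL connector spellings.
SECRET_KV = re.compile(r"(?i)\b(pwd|password|passwd)\s*=\s*([^;\s\"']+)")
# Placeholders that are filled in at run time are not embedded secrets.
PLACEHOLDER = re.compile(r"^(%[sS]|\{\w*\}|<\w+>|\$\w+)$")


def extract_strings(blob: bytes):
    """Yield (offset, text) for ASCII and UTF-16LE strings in blob."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), m.group().decode("utf-16-le")


def find_embedded_credentials(blob: bytes):
    """Return findings for literal passwords in connection strings."""
    findings = []
    for offset, text in extract_strings(blob):
        for m in SECRET_KV.finditer(text):
            if PLACEHOLDER.match(m.group(2)):
                continue  # format placeholder, value supplied at run time
            findings.append({"offset": offset, "key": m.group(1).lower(),
                             "context": text[:m.start(2)] + "<redacted>"})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample standing in for a console binary: one literal
# connection string stored as UTF-16LE, one templated string in ASCII.
SAMPLE = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"
    + "Server=appliance;Port=3306;Uid=console;Pwd=EXAMPLE-ONLY;".encode("utf-16-le")
    + b"\x00\x00\xff\xfe\x01"
    + b"Server=%s;Port=3306;Uid=%s;Pwd=%s;"
    + b"\x00\x00"
)

if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE):
        print(f"offset {f['offset']:#x}: {f['key']} -> {f['context']}")
```

Findings report the offset and a redacted context so the audit output does not itself leak the secret; a credential that every installation shares should be replaced with per-appliance credentials rather than obfuscated.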

Please visit www.securitypentest.com for more WebDefend advisories.

This is a very interesting flaw that I came across in Symantec Antivirus Corporate Edition in July 2009 while trying to recreate the XFR.EXE design flaw (CVE-2009-1431). At first I thought this was the same flaw, but while running a series of tests against multiple versions of SAVCE, I realized I had tested it against the latest patched 10.1.8 version of the product and the vulnerability was still there. Upon further investigation I discovered this flaw went against the Intel Alert Handler Service (hndlrsvc.exe) over TCP port 38292.

POC: http://www.foofus.net/~spider/code/ams-cmd.cpp.txt

For the latest advisory Click Here