I discovered a single XSS finding, with the ability to pop up only a numeric value. I was able to see that my variable was getting included inside some JavaScript in the returned page. I started adding more commands with a semicolon at the end and, lo and behold, they worked! As long as I didn’t use a ‘>’ character and trigger the .NET validation routines. It’s interesting because you can inject just about any JavaScript you want, and that leaves a lot of room for client-side mischief like false web sites to harvest passwords, etc.
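To illustrate why an angle-bracket filter does not help once a value lands inside a script block, here is an added Python model (not code from the post or the product): a constructed template, a stand-in for a validator that only rejects '<' and '>', the unsafe rendering beside a type-enforcing fix, and a string-literal encoder for the case where the value is text rather than a number. Template and variable names are hypothetical.

```python
import json
import re

# Constructed stand-in for the pattern described in the post: a request value is
# interpolated into a <script> block as a bare numeric literal (names are hypothetical).
SCRIPT_TEMPLATE = '<script type="text/javascript">var recordId = {value};</script>'
SCRIPT_BODY = re.compile(r"<script[^>]*>(.*?)</script>", re.S)


def passes_bracket_filter(value: str) -> bool:
    """Crude model of a validator that only rejects '<' and '>' (not the real .NET logic)."""
    return "<" not in value and ">" not in value


def render_unsafe(value: str) -> str:
    """Vulnerable rendering: the raw string is dropped into a JavaScript context."""
    return SCRIPT_TEMPLATE.format(value=value)


def render_safe(value: str) -> str:
    """Hardened rendering: enforce the expected type before the value reaches the script.

    Anything that is not an integer raises ValueError instead of being rendered.
    """
    return SCRIPT_TEMPLATE.format(value=int(value))


def js_string_literal(value: str) -> str:
    """For string-typed values: JSON-encode, then neutralise '</' and JS line terminators
    so the literal cannot close the script tag or end the statement early."""
    encoded = json.dumps(value)
    return (encoded.replace("</", "<\\/")
                   .replace("\u2028", "\\u2028")
                   .replace("\u2029", "\\u2029"))


def script_statements(html: str) -> list:
    """Split the script body on ';' to show how many statements the page now carries."""
    body = SCRIPT_BODY.search(html).group(1)
    return [s.strip() for s in body.split(";") if s.strip()]


if __name__ == "__main__":
    tainted = "42; doSomething()"          # constructed: no '<' or '>' anywhere
    print(passes_bracket_filter(tainted))  # True: the filter never sees a bracket
    print(script_statements(render_unsafe(tainted)))  # two statements instead of one
    print(script_statements(render_safe("42")))       # ['var recordId = 42']
```

Running the block shows the bracket filter passing the semicolon payload while the type check rejects it outright.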

For the latest advisory Click Here

Multi-Tech Systems’ “MultiModem iSMS” appliance is affected by multiple XSS (cross-site scripting) vulnerabilities, which potentially lead to the compromise of the device.


Attack #2 is more interesting because it can be remotely exploited via an SMS message.

When reporting this issue, the 160-character limit of SMS technology came into question, and whether it would limit the attacker. In the proof-of-concept video, you can see exploitation was successful with 158 characters using the Browser Exploitation Framework (BeEF)!

Please visit www.securitypentest.com for the original advisory.

Trustwave’s WebDefend console software contains static MySQL database passwords in its binary files, which leads to a compromise of sensitive information.


Below are the steps that led up to the discovery of this low-hanging fruit:

  • I first started by using tcpdump to capture traffic between the appliance and a workstation running the console software.
  • When using the console software to log in, I noticed the authentication was done over port 5000. After I logged in, the console software started to load data over MySQL port 3306. What I found interesting was that all the SQL traffic was getting initiated by the workstation. At this point I wanted to know how the workstation was able to log in to the MySQL server on the appliance.
  • By using several Sysinternals tools on the workstation, I was able to determine which binary files the console software was using when the SQL connection got initiated.
  • I then used a combination of strings and IDA Pro to search through the binaries for the SQL login and, bingo, found it!

Please visit www.securitypentest.com for more WebDefend advisories.

I’ve posted an updated version of my “Karma” patch for HostAP (hostap_0_7_2-775-g9fc6aa9). This patch adds Karma-style automatic probe response, in addition to PEAP/MSCHAPv2 authentication logging (think all-in-one FreeRadius-WPE). See the Wireless page for a link to the old Hostap 0.6.9 patch and the newer version.

PercX has been furiously hacking multi-function printers, and the result is a new tool called Praeda. Praeda is used to interrogate printers from a variety of manufacturers in an effort to gain information about a target network or compromise credentials. You can get it here. It’s written in Perl.

Required Perl modules:

LWP::Simple
LWP::UserAgent
HTML::TagParser
URI::Fetch
HTTP::Cookies

Praeda syntax:
praeda.pl TARGET_FILE TCP_PORT PROJECT_NAME OUTPUT_FILE

TARGET_FILE = list of IP addresses or host names to be enumerated
TCP_PORT = port of the targets to scan. “At present only one port can be specified. This is expected to be modified in a future version.”
PROJECT_NAME = the name for this project. This will create a folder under the folder where Praeda was executed to contain logs and exported info.
OUTPUT_FILE = name of the log file for data output

Example:
./praeda.pl target.lst 80 project1 data-file

The run will create a folder called project1 and save all information in that folder. Praeda will also create a log file called data-file.log to store output and diagnostics.

This is a very interesting flaw that I came across in Symantec Antivirus Corporate Edition in July 2009 while trying to recreate the XFR.EXE design flaw (CVE-2009-1431). At first I thought this was the same flaw, but while running a series of tests against multiple versions of SAVCE, I realized I had tested it against the latest patched 10.1.8 version of the product and the vulnerability was still there. Upon further investigation I discovered this flaw was against the Intel Alert Handler Service (hndlrsvc.exe) over TCP port 38292.

POC: http://www.foofus.net/~spider/code/ams-cmd.cpp.txt


This is old, but might be interesting to fellow security geeks. The idea here is to challenge concepts of what a password is and how it should be secured. In essence, using this system will allow you to keep your uber-secret in a public place such as Twitter. There’s some other crufty code (a Firefox plugin) to go with this, but it’s really just for fun.

http://foofus.net/~omi/tipas/

http://twitter.com/tipas/