cor@outpost24.com | 1 Jul 07:41 2010

Re: Should nmap cause a DoS on cisco routers?

During my training classes I always say that the -sV switch is dangerous and known to (sometimes) crash the
target.

Usually a better tool to test open UDP ports is unicornscan, but that doesn't have a switch like -iL. Since
you are testing your own devices and you know the community string, you could consider looping through the
list of IPs and using snmpget to fetch a value from the MIB.

Cor

sent from a mobile device 

----Original message----
From: Shang Tsung
Sent:  30-06-2010 13:03:32
Subject:  Should nmap cause a DoS on cisco routers?

Hello,

Some days ago, I had the task of discovering the SNMP version that our 
servers and networking devices use. So I ran nmap using the following 
command:

nmap -sU -sV -p 161-162 -iL target_file.txt

This command was supposed to use UDP to probe ports 161 and 162, which 
are used for SNMP and SNMP Trap respectively, and return the SNMP 
version.

This "innocent" command caused most networking devices to crash and 
reboot, causing a Denial of Service attack and bringing down the 
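Cor's suggestion worked out as an added example (it is not code from the post, nor from nmap or unicornscan): a Python script that walks the IP list and issues one SNMP GET for sysDescr.0 per device, one device at a time, with a pause between them so the devices' control planes are not flooded the way a parallel scan floods them. It encodes and decodes the SNMP messages directly in BER, so it needs no net-snmp. The file name `target_file.txt` is from the thread; the community string `public`, the one-second pause and the two-second timeout are assumed values.

```python
import socket
import time

SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # SNMPv2-MIB::sysDescr.0, names vendor/OS

def _ber_len(n):
    # BER length: short form below 128, long form (0x80 | byte count) otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def _encode_int(v):
    # INTEGER, non-negative values only; a leading 0x00 keeps the sign bit clear
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def _encode_oid(arcs):
    out = bytes([40 * arcs[0] + arcs[1]])            # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                    # base-128, high bit means "more"
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return _tlv(0x06, out)

def _decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return tuple(arcs)

def _read_tlv(buf, pos):
    # Return (tag, value bytes, position after the element) for the TLV at buf[pos]
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_get_request(community, oid, request_id, version=1):
    """BER-encode an SNMP GetRequest; version 0 is SNMPv1, 1 is SNMPv2c."""
    varbind = _tlv(0x30, _encode_oid(oid) + b"\x05\x00")       # OID with NULL value
    pdu = _tlv(0xA0, _encode_int(request_id) + _encode_int(0)  # GetRequest-PDU
               + _encode_int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _encode_int(version) + _tlv(0x04, community.encode()) + pdu)

def parse_get_response(msg):
    """Decode a GetResponse into (request_id, error_status, [(oid, value), ...])."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = _read_tlv(body, 0)
    _, _community, pos = _read_tlv(body, pos)
    tag, pdu, _ = _read_tlv(body, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _index, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    results, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, p = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, p)
        results.append((_decode_oid(oid), val.decode("latin-1") if vtag == 0x04 else val))
    return (int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), results)

def get_sys_descr(ip, community, timeout=2.0, request_id=1, version=1):
    """One GET to udp/161; returns the sysDescr string, or None on an SNMP error."""
    req = build_get_request(community, SYS_DESCR_OID, request_id, version)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (ip, 161))
        data, _ = s.recvfrom(4096)
    rid, err, varbinds = parse_get_response(data)
    return varbinds[0][1] if (rid == request_id and err == 0 and varbinds) else None

def poll_ip_list(path, community, pause=1.0):
    """Query the IPs in the file one at a time, sleeping between devices (assumed pacing)."""
    results = {}
    with open(path) as f:
        for ip in (line.strip() for line in f):
            if not ip or ip.startswith("#"):
                continue
            try:
                results[ip] = get_sys_descr(ip, community)
            except (OSError, ValueError):         # timeout, unreachable, malformed reply
                results[ip] = None
            time.sleep(pause)
    return results
```

`poll_ip_list("target_file.txt", "public")` returns a dict of IP to sysDescr (None where the device did not answer). Sending the same query with `version=0` (SNMPv1) and `version=1` (SNMPv2c) shows which version a device accepts, which was the original goal. The serial loop and the sleep are deliberate: the same list fed to a parallel scanner is what drives an unprotected control plane to 100% CPU.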

Bkis | 1 Jul 11:28 2010

[Bkis-03-2010] Vulnerability in Flash Slideshow Maker

1. General Information
Flash Slideshow Maker is a Flash album creator for making animated photo slide
shows with SWF files as the output format. Bkis has just detected a
vulnerability in the software related to the processing of Flash Slideshow
Maker project files (".fss"). This vulnerability permits hackers to execute
malicious code on users' systems. Bkis has informed the vendor.

Details: http://security.bkis.com/vulnerability-in-flash-slideshow-maker/
SVRT Advisory: Bkis-03-2010
Initial vendor notification: 05/31/2010
Release Date: 07/01/2010
Update Date: 07/01/2010
Discovered by: Bui Quang Minh - Bkis
Attack Type: Buffer Overflow
Security Rating: High
Impact: Code Execution
Affected Software: Flash Slideshow Maker < v5.00

2. Technical Description
FSS files are used to store essential information about a Flash Slideshow
Maker Project (in XML format). The software performs an inadequate check on
the length of a Photo_Data tag. This results in a critical buffer overflow
error when this tag is set with an overly long value.

In order to exploit this vulnerability, a hacker might create a specially
crafted ".fss" file and trick users into opening it. If successful, hackers
can perform local attacks, inject viruses, steal sensitive information and
even take control of the victim's system.
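A defender-side check suggested by the description above, as an added example that is neither Bkis' nor the vendor's code: a Python scanner that parses an .fss project file as XML and flags any Photo_Data element whose value exceeds a cut-off, so such files can be caught before they reach the application. The element layout in the constructed sample files, the 1024-character cut-off and the `scan_fss_file` helper are assumptions; the advisory states only that the file is XML and that Photo_Data is the affected tag.

```python
import xml.etree.ElementTree as ET

# Assumed cut-off: the advisory gives no exact limit, so this is a conservative
# placeholder, not the real buffer size in the product.
MAX_PHOTO_DATA_LEN = 1024

# Constructed sample project files; the real .fss schema is not shown in the advisory
BENIGN_FSS = "<Project><Photo><Photo_Data>slide1.jpg</Photo_Data></Photo></Project>"
SUSPICIOUS_FSS = ("<Project><Photo><Photo_Data>" + "A" * 5000
                  + "</Photo_Data></Photo></Project>")
MALFORMED_FSS = "<Project><Photo><Photo_Data>unterminated"


def oversized_photo_data(fss_text, limit=MAX_PHOTO_DATA_LEN):
    """Return [(occurrence index, length)] for every Photo_Data value over the limit.

    Malformed XML is turned into ValueError so a scanner can treat it as a hit too.
    """
    try:
        root = ET.fromstring(fss_text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed .fss: {exc}") from exc
    hits = []
    for i, element in enumerate(root.iter("Photo_Data")):
        length = len(element.text or "")
        if length > limit:
            hits.append((i, length))
    return hits


def scan_fss_file(path, limit=MAX_PHOTO_DATA_LEN):
    """Read a project file from disk and return its oversized Photo_Data entries."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return oversized_photo_data(f.read(), limit)
```

`scan_fss_file("quarantine/album.fss")` returns an empty list for a clean project and a list of (index, length) pairs otherwise. The standard ElementTree parser expands entities, so in a production scanner wrap it with defusedxml or reject files above a size limit before parsing.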

Thierry Zoller | 1 Jul 11:28 2010

Re: Should nmap cause a DoS on cisco routers?

Hi Shang,

If this is possible you have found a vulnerability. Any way to
remotely cause DoS with special or harmless code is per se a
vulnerability.

Instead of telling somebody not to scan with -sV you are better off
reporting the vulnerability(ies).

Regards,
Thierry

coc> During my training classes I always say that the -sV switch is
coc> dangerous and known to (sometimes) crash the target.

coc> Usually a better tool to test open UDP ports is unicornscan, but
coc> that doesn't have a switch like -iL. Since you are testing your
coc> own devices and you know the community string, you could consider
coc> looping through the list of IPs and using snmpget to fetch a value from the MIB.

coc> Cor

coc> sent from a mobile device 

coc> ----Original message----
coc> From: Shang Tsung
coc> Sent:  30-06-2010 13:03:32
coc> Subject:  Should nmap cause a DoS on cisco routers?

coc> Hello,

Dobbins, Roland | 1 Jul 11:46 2010

Re: Should nmap cause a DoS on cisco routers?


On Jul 1, 2010, at 4:28 PM, Thierry Zoller wrote:

> If  this  is  possible  you  have  found  a  vulnerability.

No - what he's found is a network in which common infrastructure self-protection BCPs haven't been
deployed, that's all.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins <at> arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

msrc-disclosure | 1 Jul 01:46 2010

MSRC-001: Windows Vista/Server 2008 NtUserCheckAccessForIntegrityLevel Use-after-free Vulnerability

Windows Vista/Server 2008 NtUserCheckAccessForIntegrityLevel Use-after-free Vulnerability

Intro:

Due to hostility toward security researchers, the most recent 
example being of Tavis Ormandy, a number of us from the industry 
(and some not from the industry) have come together to form MSRC: 
the Microsoft-Spurned Researcher Collective.  MSRC will fully 
disclose vulnerability information discovered in our free time, 
free from retaliation against us or any inferred employer.

Vulnerability report:

win32k!NtUserCheckAccessForIntegrityLevel in Vista/Server 2008 
calls LockProcessByClientId() on the specified ClientID. When this 
call fails, the refcount will be first decremented by 
nt!ObfDereferenceObject and then by 
win32k!NtUserCheckAccessForIntegrityLevel again, resulting in a 
refcount leak.  The refcount leak can be abused to have an in-use 
process object deleted. (use-after-free)

Some debugging info:

kd> vertarget
Windows Server 2008 Kernel Version 6002 (SP2)
kd> LM m win32k
start    end        module name
8d460000 8d663000   win32k
kd> BA e 1 8d58d710 "dt nt!_OBJECT_HEADER @edx PointerCount; g"
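The refcount arithmetic the report describes, as an added teaching model in Python (not MSRC's code and not Microsoft's): a toy object manager in which the lookup routine releases its own reference when it fails, and a caller that releases once more on that failure path, so the owner's only reference disappears and an object still in use is deleted. The function names echo the report; their bodies, the client id 0x1234 and the `lockable` flag that stands in for whatever makes the real lookup fail are assumptions.

```python
class KernelObject:
    """Constructed model of an object-manager object: a pointer count plus a flag
    that decides whether a lookup succeeds (the real failure reason is not modelled)."""
    def __init__(self, kind, lockable=True):
        self.kind = kind
        self.lockable = lockable
        self.pointer_count = 1            # the owner's reference


class ObjectManager:
    def __init__(self):
        self.table = {}                   # client id -> live KernelObject
        self.freed = []                   # ids whose object has been deleted

    def create(self, cid, kind, lockable=True):
        self.table[cid] = KernelObject(kind, lockable)

    def obf_dereference_object(self, cid):
        # Models nt!ObfDereferenceObject: drop one reference, delete at zero
        obj = self.table.get(cid)
        if obj is None:
            return
        obj.pointer_count -= 1
        if obj.pointer_count == 0:
            del self.table[cid]
            self.freed.append(cid)

    def lock_process_by_client_id(self, cid):
        # Models LockProcessByClientId: take a reference, validate, and on failure
        # release that reference again before reporting failure
        obj = self.table.get(cid)
        if obj is None:
            return False
        obj.pointer_count += 1
        if not obj.lockable:
            self.obf_dereference_object(cid)   # callee drops its own reference
            return False
        return True


def check_access_buggy(om, cid):
    """Caller pattern from the report: dereferences again after a failed lookup."""
    if not om.lock_process_by_client_id(cid):
        om.obf_dereference_object(cid)         # BUG: second release on the failure path
        return False
    om.obf_dereference_object(cid)             # normal release after use
    return True


def check_access_fixed(om, cid):
    """Failure path does nothing: the callee already balanced its reference."""
    if not om.lock_process_by_client_id(cid):
        return False
    om.obf_dereference_object(cid)
    return True


def run(check):
    """Create an in-use process object, run one failed lookup through `check`, and
    return (owner's remaining pointer count or None if freed, list of freed ids)."""
    om = ObjectManager()
    om.create(0x1234, "process", lockable=False)   # constructed client id
    check(om, 0x1234)
    obj = om.table.get(0x1234)
    return (obj.pointer_count if obj else None, om.freed)
```

`run(check_access_buggy)` shows the owner's count going 1 → 2 → 1 → 0 and the object landing in `freed` while the owner still holds it, which is the use-after-free condition; `run(check_access_fixed)` leaves the count at 1. The general rule the model demonstrates: a reference released inside a failing callee must not be released again by the caller, so the error path's ownership contract needs to be written down at the call site.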

Thierry Zoller | 1 Jul 12:23 2010

Re: Should nmap cause a DoS on cisco routers?

Hi Roland,

> No - what he's found is a network in which common infrastructure self-protection
> BCPs haven't been deployed, that's all.

Please pass those standing in line at the Bullshit Bingo counter and
get in first place. How much does your "remote viewing" capability
cost per day?

If a device crashes when being scanned - it's a vulnerability.

Bye

-- 
http://blog.zoller.lu
Thierry Zoller


Dobbins, Roland | 1 Jul 13:07 2010

Re: Should nmap cause a DoS on cisco routers?


On Jul 1, 2010, at 5:23 PM, Thierry Zoller wrote:

> If a device crashes when being scanned - it's a vulnerability.

It sounds to me as if what happened was that he ended up driving the CPUs of the devices in question to 100%, and
they stopped handling control-plane traffic and fell over.  There are infrastructure self-protection
best current practices (BCPs) which can be deployed to defend against infrastructure-targeted DoS.

I've only seen this happen a few hundred times or so, so I could be wrong, of course.

;>

As the original poster posited:

> Is this a configuration error of the networking devices?

The answer is, almost assuredly, "Yes."

-----------------------------------------------------------------------
Roland Dobbins <rdobbins <at> arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken


Henri Salo | 1 Jul 13:36 2010

Someone using Wikipedia to infect others

Original email attached. Analysis of the malicious URL:

http://wepawet.iseclab.org/view.php?hash=ea568f176830f3151538ce46a1182be9&t=1277983472&type=js

Best regards,
Henri Salo
Attachment (Wikipedia e-mail address confirmation): application/octet-stream, 3405 bytes

MustLive | 1 Jul 15:20 2010

Vulnerabilities in WP-UserOnline for WordPress

Hello Full-Disclosure!

I want to warn you about security vulnerabilities in the WP-UserOnline 
plugin for WordPress.

-----------------------------
Advisory: Vulnerabilities in WP-UserOnline for WordPress
-----------------------------
URL: http://websecurity.com.ua/4177/
-----------------------------
Affected products: WP-UserOnline 2.62 and previous versions.
-----------------------------
Timeline:

26.04.2010 - found vulnerabilities.
30.04.2010 - announced at my site.
01.05.2010 - informed developer.
07.05.2010 - developer released WP-UserOnline 2.70. In version 2.70 the
developer fixed the XSS, but not the Full path disclosure vulnerabilities.
01.07.2010 - disclosed at my site.
-----------------------------
Details:

These are Cross-Site Scripting and Full path disclosure vulnerabilities.

XSS:

With the help of a special request to the site it's possible to conduct an XSS 
attack. For this it's needed to send a GET request in a special way (not in a 
browser) to the page http://site/?<script>alert(document.cookie)</script>.

Gadi Evron | 1 Jul 15:23 2010

The Economist, cyber war issue

The upcoming issue will be about cyber war. Check out the front page image:

http://sphotos.ak.fbcdn.net/hphotos-ak-snc3/hs488.snc3/26668_410367784059_6013004059_4296972_499550_n.jpg

	Gadi.
