==Description==

“Web-based Distributed Authoring and Versioning, or WebDAV, is a set
of extensions to the Hypertext Transfer Protocol that allows computer
users to edit and manage files collaboratively on remote World Wide
Web servers.” [1]

Mac OS X supports WebDAV shares natively as a filesystem, implemented
as a kernel extension. Local users can mount WebDAV shares using the
“mount_webdav” utility included in most default installations.

The WebDAV kernel extension is vulnerable to a denial-of-service issue
that allows a local unprivileged user to trigger a kernel panic due to
a memory overallocation. This vulnerability has been verified with
proof-of-concept code. The vulnerable code is in the webdav_mount()
function, and reads as:

MALLOC(fmp->pm_socket_name, struct sockaddr *, args.pa_socket_namelen,
M_TEMP, M_WAITOK);

“args” is a user-controlled struct provided as an argument to a
request to mount a WebDAV share, and there is no checking of the
“pa_socket_namelen” field. If a user were to issue a mount request
with a very large value for this field, this will trigger a kernel
panic, since in BSD-based kernels (such as XNU), MALLOC() with
M_WAITOK will result in a panic when the requested memory cannot be
allocated.

==Notes on Disclosure==

My disclosure of this issue prior to an official fix is not meant to
be taken as a statement against Apple’s management of security issues.
Local denial-of-service issues are by nature low impact – many
security teams do not regard these as security-relevant at all. I
believe the chances of exploitation of this in real life are
practically non-existent. Given that the vulnerability resides in an
open source kernel extension, I chose to disclose this issue so that
concerned administrators can apply a fix immediately, while the rest
of us can benefit from a little increased awareness of potentially
unsafe memory allocation situations. Apple’s security team was
contacted prior to disclosure, and I’m sure they’ll incorporate a fix
in a future release.

==Solution==

The WebDAV kernel extension can be obtained online [2]. The following
patch can be applied to this extension, after which it should be
recompiled to replace the existing extension at
/System/Library/Extensions/webdav_fs.kext:

— webdav_fs.kextproj.orig/webdav_fs.kmodproj/webdav_vfsops.c
2010-07-21 09:51:09.000000000 -0400
+++ webdav_fs.kextproj/webdav_fs.kmodproj/webdav_vfsops.c
2010-07-21 10:32:43.000000000 -0400
@@ -319,6 +319,12 @@ static int webdav_mount(struct mount *mp
}

/* Get the server sockaddr from the args */
+ if(args.pa_socket_namelen > NAME_MAX)
+ {
+ error = EINVAL;
+ goto bad;
+ }
+
MALLOC(fmp->pm_socket_name, struct sockaddr *,
args.pa_socket_namelen, M_TEMP, M_WAITOK);
error = copyin(args.pa_socket_name, fmp->pm_socket_name,
args.pa_socket_namelen);
if (error)

==Credits==

This vulnerability was discovered by Dan Rosenberg (dan.j.rosenberg () gmail com).

==References==

CVE identifier CVE-2010-1794 has been assigned to this issue by Apple.

[1] http://en.wikipedia.org/wiki/WebDAV
[2] http://opensource.apple.com/source/webdavfs/webdavfs-293/webdav_fs.kextproj/webdav_fs.kmodproj/

Source

“We’ve sent detectives out to every gas station within a mile of (U.S.) Interstate (highway) 75,” says Lt. Steve Maynard, spokesman for the Alachua County Sheriff’s Office in Gainesville, Fla., which last Thursday was first notified about a suspicious skimming device discovered by a maintenance worker at a Shell Station. So far, three card-skimming devices hidden in gas pumps at three stations have been discovered by the Alachua County Sheriff’s Office, and the U.S. Secret Service has been notified as part of the gas-pump card-skimming investigation.

The Secret Service may be best known as the U.S. president’s bodyguard, but it is also responsible for investigating fraud and computer crime.

The Alachua County Sheriff’s Office, along with other local police departments, are trying to inspect as many gas stations in the area as possible, especially focusing on those along I-75. But law enforcement is encouraging gas station operators to look for signs of the skimmers at their pumps and contact them if they think they’ve found something. The Secret Service has indicated there’s a crime wave throughout the Southeast involving the gas-station pump card skimmers, and it may be traced back to a single gang that may be working out of Miami, Maynard says.

Nearby St. Johns County in Florida has also been hit by the gas-pump card skimmers. Maynard says criminals wanting to hide the credit-card skimmers in gas pumps have to have a key to the pump, but in some cases a single key will serve to get into many gas pumps. It’s not known if the gas-pump skimming operation involves insiders or not. Law enforcement is encouraging gas-station operators to train video surveillance they may use on the pumps.

The particular card-skimmers seen in Alachua County have put together devices with computer components and in this case, a Bluetooth wireless capability to easily send the card information to the thieves. It’s not yet known how many credit cards may have been stolen by means of the skimmers and fraudulently used. The investigation is “ongoing,” Maynard says. “We’re nowhere near closure. We wish we were.”

Source

I’d like to let you know that there’s been a compromise of the
unrealircd website and ftp and the 3.2.8.1 tarball release had been
replaced by a backdoored copy.

I’m attaching Syzops original security advisory from

http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt

Yours,
satmd
UnrealIRCd support staff

Hi all,

This is very embarrassing…

We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been
replaced quite a while ago with a version with a backdoor (trojan) in
it. This backdoor allows a person to execute ANY command with the
privileges of the user running the ircd. The backdoor can be executed
regardless of any user
restrictions (so even if you have passworded server or hub that doesn’t
allow
any users in).

It appears the replacement of the .tar.gz occurred in November 2009 (at
least on some mirrors). It seems nobody noticed it until now.

Obviously, this is a very serious issue, and we’re taking precautions
so this will never happen again, and if it somehow does that it will be
noticed quickly.
We will also re-implement PGP/GPG signing of releases. Even though in
practice
(very) few people verify files, it will still be useful for those
people who do.

Safe versions
==============

The Windows (SSL and non-ssl) versions are NOT affected.

CVS is also not affected.

3.2.8 and any earlier versions are not affected.

Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be
safe, but you should really double-check, see next.

How to check if you’re running the backdoored version
======================================================
Two ways:

One is to check if the Unreal3.2.8.1.tar.gz you have is good or bad by
running ‘md5sum Unreal3.2.8.1.tar.gz’ on it.
Backdoored version (BAD) is: 752e46f2d873c1679fa99de3f52a274d
Official version (GOOD) is: 7b741e94e867c0a7370553fd01506c66

The other way is to run this command in your Unreal3.2 directory:
grep DEBUG3_DOLOG_SYSTEM include/struct.h
If it outputs two lines, then you’re running the backdoored/trojanized
version.
If it outputs nothing, then you’re safe and there’s nothing to do.

What to do if you’re running the backdoored version
====================================================
Obviously, you only need to do this if you checked you are indeed
running the
backdoored version, as mentioned above. Otherwise there’s no point in
continuing, as the version on our website is (now back) the good one
from April 13 2009 and nothing ‘new’.

Solution:
* Re-download from http://www.unrealircd.com/
* Verify MD5 (or SHA1) checksums, see next section (!)
* Recompile and restart UnrealIRCd

The backdoor is in the core, it is not possible to ‘clean’ UnrealIRCd
without
a restart or through a module.

How to verify that the release is the official version
=======================================================
You can check by running ‘md5sum Unreal3.2.8.1.tar.gz’, it should
output: 7b741e94e867c0a7370553fd01506c66 Unreal3.2.8.1.tar.gz

For reference, here are the md5sums for ALL proper files:
7b741e94e867c0a7370553fd01506c66 Unreal3.2.8.1.tar.gz
5a6941385cd04f19d9f4241e5c912d18 Unreal3.2.8.1.exe
a54eafa6861b6219f4f28451450cdbd3 Unreal3.2.8.1-SSL.exe

These are the EXACT same MD5sums as mentioned on April 13 2009 in the
initial 3.2.8.1 announcement to the unreal-notify and unreal-users
mailing list.

Finally
========
Again, I would like to apologize about this security breach.
We simply did not notice, but should have.
We did not check the files on all mirrors regularly, but should have.
We did not sign releases through PGP/GPG, but should have done so.

This advisory (and updates to it, if any) is posted to:

http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt

Source

Author: Pratul Agrawal Date: 13/06/2010
Indian Hacker

Service: Webmail

Vendor: Yahoo mail, and possibly others

Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks

Severity: High

Tested on: Microsoft IE 7.0

Details:

Yahoo mail filter fails to detect script attributes in combination with
the style attribute as a tag, leaving everyone using yahoo mail service
with MSIE vulnerable to Cross Site Scripting including Cookie Theft and
relogin attacks. This is a high risk security vulnerability because the
attacker wont have to make the victim click on any link, all he/she has
to do is to send the javascript code as an html email to the target and
once the victim open the email the malicious code will be executed in
his/her browser.

Impact:

This is totally a dom based xss attack. an application takes the user suplied data and directly feed it into the API
designed to show the Newly created folder name n the yahoomail. Throug this an attacker can easily perform a cookie
theft attack, Site defacement attack and many more.

Steps of Exploit code:

1. Login the yahoomail with valid credentials.

2. Click on inbox.

3. Now click on Move to < create New Folder.

4. Now enter the javascript "> in the field given for creating new folder.

5. Press OK and the script get executed. yahhhhooooo

HuReee hUreYYYY

Source

The update also fixes a further 10 vulnerabilities, eight of which are classified critical. Two of the vulnerabilities were discovered by Apple – both Chrome and Apple’s Safari being WebKit based. An update for Safari which fixed 48 vulnerabilities was released yesterday. One of the vulnerabilities in Chrome affects only the Linux version and enables escape from the sandbox.

As part of its Chromium Security Reward programme, launched earlier this year, Google has been rewarding those reporting security vulnerabilities with $500. In special cases, a committee can decide to increase the amount to a maximum of $1,337, but the maximum is only awarded for vulnerabilities which are particularly critical, or for particularly clever reports on vulnerabilities and their exploitation.

Google is hoping that this will improve the security of its browser and therefore the security of its users. It’s not clear why Google raised the sum to $2,000 in this case.

Source

An uninitialised buffer in the EVP_PKEY_verify_recover() function in version 1.0.0 can be exploited to make an invalid RSA key appear to be valid. Since very few applications have used this recently-introduced function, the scope of this problem is limited. The OpenSSL developers say that pkeyutl is currently one of the only OpenSSL tools to access this function.

Source

According to a report on the Netcraft security site, an XSS vulnerability was uncovered on the Cyber Security Challenge UK website — before the site had even been made ready for candidates to register.

The Cybersecurity Challenge was established by a management consortium of key figures in cybersecurity, and is designed to test the mettle of security professionals.

The simple coding error was demonstrated by James Wheare, according to the report. Wheare told Netcraft that he was prompted to look for the hole after reading a friend’s tweet and noticed insufficient encoding in the page’s tags.

Netcraft says it has informed the Cybersecurity Challenge about the flaw.

Source

Some things have changed. Moore, for example, could be seen at SOURCE Boston this week walking around in a suit and tie, which some saw as out of character. But on the technology side, the company appears intent on maintaining the tool’s integrity.

The vendor of unified vulnerability management, compliance and penetration testing tools said it would use Metasploit to enhance its NeXpose product. It also promised to “sponsor dedicated resources and contributions to the standalone, community-driven Metasploit Project to further its growth and success.”

This week, the company announced the latest step in that strategy with the unveiling of Metasploit Express, which it billed as an affordable, comprehensive and easier-to-use penetration testing tool for organizations with limited resources.
According the company’s official announcement, features include:

Comprehensive penetration testing capabilities. Based on the world’s largest tested and integrated public database of exploits and payloads, Metasploit Express runs exploits and detects and tests insecure configurations, such as weak passwords, the company said. Unlike other existing penetration testing solutions, Metasploit Express lets penetration testers examine trust relationships between systems for a more accurate risk profile. In addition to testing standard PCs and servers, the product can compromise a range of network devices and offer data collection and automation capabilities for such devices.

Affordable ease of use. Available at a price point that a broad range of security professionals in large corporations, consulting organizations and small business can leverage, Metasploit Express’ network penetration testing capabilities are enhanced by the product’s graphical user interface and the Metasploit Express Workflow Manager, an advanced workflow engine that provides a step-by-step model to simplify and accelerate testing programs and eliminates the burden of many manual processes found with traditional exploit attack platforms.

Fully integrated and open. Rapid7 said Express integrates with all editions of the company’s vulnerability management product, Rapid7 NeXpose, including the Community Edition, free vulnerability software for commercial use. Users can launch a NeXpose scan directly from within the Metasploit Express user interface and the vulnerability information from NeXpose is directly linked to the exploit data in Metasploit Express. As a result, Rapid7 said, users can detect vulnerabilities in their IT infrastructure and then use Metasploit Express to test for the ability to penetrate the vulnerabilities and launch an attack, decreasing the time to test and increasing the efficiency in real threat detection.

Continued support from and for the open source community. Rapid7 and the Metasploit Project are preparing for the release of version 3.4 of the Metasploit Framework, which will include improvements to the Meterpreter payload, the expansion of the framework’s brute-force capabilities and the complete overhaul of the back-end database schema and event subsystem. In addition, more than 60 exploit modules and 40 auxiliary modules will be added with version 3.4.

Source

The Qakbot worm spreads through web pages with Javascript that tries to exploit vulnerabilities in Microsoft IE and Apple Quick Time. When the exploit is successful, malicious miles get installed on it in the user profile data directory.

Qakbot’s main goal is to collect information – credit card information, online credentials, search histories, and other – and upload it to FTP servers, where they are made available to the creator(s) of the worm. It hides its presence and actions behind legitimate processes, and it is able to download updates for itself in several different ways. It spreads over network shares.

Symantec researchers have been following two of the six FTP servers to which the data is sent, and during a period of two weeks, some 4 GB of data was uploaded to them. “Given that these figures are based on the evidence from logs obtained from only two servers over two weeks, the actual numbers may be higher,” they say.

“One unusual aspect of Qakbot is that even though its purpose is to steal information associated with home users, it has also been successful at compromising computers in corporate environments as well as government departments,” muse the researchers. The NHS is just one example; some 100 compromised computers have also been detected on a Brazilian regional government network.

The researchers have no evidence about medical records being stoled at this time, but warn that it’s not only the information stealing that the users should be worried about. The Qakbot has also downloader functions that can be used to further infect the machines with other malware.

Source

The XSS, or cross-site scripting, bug on Amazon Wireless allowed attackers to steal the session IDs that are used to grant users access to their accounts after they enter their password. It exposed the credentials of customers who clicked on this link while logged in to the main Amazon.com page.

It was discovered by Nir Goldshlager, a researcher from security consulting company Avnet. It was purged from Amazon about 12 hours after The Register brought it to the attention of the website’s security team.

“This is very bad news,” web application expert Jeremiah Grossman of WhiteHat Security said of the flaw shortly before it was fixed. People who fell for the attack would likely be unaware anything was amiss “since it all takes place on Amazon’s website.”

XSS bugs are the most commonly found security vulnerability, Grossman added. A similar flaw was recently exploited to give malicious hackers access to a heavily fortified server operated by the security-conscious Apache Foundation. ®

Source