This Metasploit module scans for the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. It targets CGI scripts in the Apache web server by setting the HTTP_USER_AGENT environment variable to a malicious function definition. PROTIP: Use exploit/multi/handler with a PAYLOAD appropriate to your CMD, set ExitOnSession false, run -j, and then run this module to create sessions on vulnerable hosts. Note that this is not the recommended method for obtaining shells. If you require sessions, please use the apache_mod_cgi_bash_env_exec exploit module instead.
87c833264ee49ea156b8462740c64928a943a3c37c5f3d9c388659dfaa1d03a0
SQLite has had 22 security bugs reported including stack buffer overflow and uninitialized memory vulnerabilities. Version 3.8.9 addresses these issues.
dfcb47d73272992e7252b26d33b182b0375b26d2dbe341b5d13c61cb13af7742
This Metasploit module exploits a post-auth code injection in specially crafted environment variables in Bash, specifically targeting CUPS filters through the PRINTER_INFO and PRINTER_LOCATION variables by default.
5a376a0f4e8be0b42906123abc72f100a271655c6310963fc913fc7504861155
Zalewski has noted that binaries which have dependencies on libbfd may be leveraged for attacks due to libbfd having a large range of possibly exploitable out-of-bounds crashes.
482143b943dd09a0acc6d1703848e32a2c8bccd80bde134ced14a899fc368d68
Firefox versions prior to 33 leak bits of uninitialized memory when rendering certain types of truncated images onto canvas tags. Separately, MSRC case #19611cz is a seemingly similar issue in which Internet Explorer apparently uses bits of uninitialized stack data when handling JPEG files with an oddball DHT.
8b9a6d35010ff886448c6426873326338f84f0a0385c80c92c4b6d3104a7d64c
This is information regarding more bash vulnerabilities and how the original bash patches are ineffective.
9bef4f643cbc941c231d0995aa7df24f7322c03118f4cd7d60f56a5e05ccb428
The recent release of Firefox 32 fixes another interesting image parsing issue found by afl. Following a refactoring of memory management code, the past few versions of the browser ended up using uninitialized memory for certain types of truncated images, which is easily measurable with a simple <canvas> + toDataURL() harness that examines all the fuzzer-generated test cases. Depending on a variety of factors, problems like that may leak secrets across web origins, or more prosaically, may help attackers bypass security measures such as ASLR. This code is a proof of concept for versions prior to 32.
7c5c90b2004b180e2ba9b417077aadeb4d76b33775e460d93cce1e056c3e1b29
P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).
f2dd6d877e15363bbb90325683e06abdd781aa3fa18b4e97de95fd0b8d904817
jpeg6b and some of its optimized clones (e.g., libjpeg-turbo) will use uninitialized memory when decoding images with missing SOS data for the luminance component (Y) in presence of valid chroma data (Cr, Cb).
75281af87c2ac01e67120a1b37a4356f62199b948183ba8069556c239c29df05
Michal Zalewski put together a really amusing asteroids proof of concept to demonstrate how a modified version of the JavaScript ":visited" attack can be leveraged based on visibility. Proof of concept JavaScript included.
0c1b7330caf6f1622bcdfe153cd13fde591641b80ff7a9881a550469301c5a39
Skipfish is a fully automated, active web application security reconnaissance tool. It is high speed, has a low false positive rate, and is easy to use.
12ea7c74ed8a3fa29668d95172f46c976997cd393c908a7704b97610bfcd350a
It is an important and little-known property of web browsers that one document can always navigate other, non-same-origin windows to arbitrary URLs. Perhaps more interestingly, you can also navigate third-party documents to resources served with Content-Disposition: attachment, in which case, you get the original contents of the address bar, plus a rogue download prompt attached to an unsuspecting page that never wanted you to download that file. Proof of concept code included.
c8e117983282dd44d231f39a10dc8b0b2bf8c46c42490f1cf78aeb4b75db6be8
P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).
ae853ced1e0f3446f86a75db60b1aa28e2344aae92002f1ae7860e5b0620124e
P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).
b4d041b7f5b2f8accca3d9e64e5e1f672057d30337b51ea621cfebdf78c6beae
P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).
dbc8dcdc290b010ac9b9917d53afc6ae8f0fe24ee6aae0ed5b337ca39cd35159
JavaScript allows you to exploit human cognitive abilities to a remarkable extent; tools such as window positioning, history.forward() and history.back(), open some scary possibilities that we are completely unprepared to deal with. This proof-of-concept aims to demonstrate this; while it is intentionally crude and makes no real effort to conceal its operation, the transitions can be made seamless and very difficult to perceive. Very accurate click prediction can be achieved by carefully measuring mouse velocity and distance to destination, too.
d7658f0d5bd78b6a2d13c915b7f4668b18228fb508f0cca309cdc5652565e5c9
Firefox and Opera allow you to omit MIME type in data: URLs, possibly put random garbage into that section, and still get a valid HTML document. This is a natural extension of how the Content-Type header is handled in HTTP, but probably makes little or no sense here. With the use of Unicode homographs, you can create fairly believable URLs especially in Firefox.
8b57d561f4e10efd5110b290028c3daaae1403920829de2c3cc32719b52d7e6e
It seems that relatively few people realize that holding a JavaScript handle to another window allows the attacker to tamper with the location and history objects at will, largely bypassing the usual SOP controls. With some minimal effort and the help of data: / javascript: URLs or precached pages, this can be leveraged to replace content in a manner that will likely escape even fairly attentive users.
fcf6a2f8bd756f73ae0cea59488d296084adcdadeda5ca6d9e401595b8736f42
This code is a proof of concept that demonstrates history extraction in Firefox through non-destructive cache timing.
cbb18dbf852eed470c1735fe94fe71da7a9d688fa9c6f2a7c8668720d84a7c08
Firefox version 3.6.13 fixes an interesting bug in their same-origin policy logic for pseudo-URLs that do not have any inherent origin associated with them.
db05b815023c5d8efd32e05c077cb830085cc4463b38385fc38d090ecd936b12
Skipfish is a fully automated, active web application security reconnaissance tool. It is high speed, has a low false positive rate, and is easy to use.
0682c65365408c6d51c6381d0478bb9155d259a2bdb792defe36472fba43dfe1
This is a list of cross site scripting and bypass vulnerabilities associated with older Juniper IVE releases.
373b779224dfe366049456b486a0f52893693761af7861f0c2f4e45a15feacc4
Skipfish is a fully automated, active web application security reconnaissance tool. It is high speed, has a low false positive rate, and is easy to use.
4f7aab33039ef0826cbb1473f80c7de5c0319bb5c435c94688e44069e395bcd8
Michal Zalewski has noted some interesting security bugs in Safari, Firefox and WebKit-based browsers.
b2d75a7a2b8d07a15dc2b6df82f44922d3b9274562a07ae028d56c9612463f25
Skipfish is a fully automated, active web application security reconnaissance tool. It is high speed, has a low false positive rate, and is easy to use.
ed3d45cf54770db9cae12422c36f1e3f90857da4381a47956b355bc9d7f35ea0