##########################################
Comtrend HG536+ poligon firmware tftp vuln
Vendor url: www.comtrend.com
Vendor: www.adslzone.net/firmware-adslzone-poligon.html
Advisore Url:http://lostmon.blogspot.com/2009/06/
comtrend-hg536-poligon-firmware-tftp.html
Vendor notify: NO Exploit: see explanation.
#########################################
##############
History
##############
This is a extended research from those vulns =>
http://lostmon.blogspot.com/2009/04/comtrend-hg536-vulnerabilities.html
And =>
http://www.securityfocus.com/bid/32975
poligon firmware have all the same flaws.
#####################
Description By vendor
Comtrend
#####################
The HG536+ is an 802.11g (54Mbps) wireless and wired
Local Area Network (WLAN) ADSL router. Four 10/100
Base-T Ethernet ports provide wired LAN connectivity
with an integrated 802.11g WiFi WLAN Access Point for
wireless connectivity.
###################
Description poligon
firmware by adslzone
####################
Poligon ADSLzone comes from several firmwares manufacturers
and suppliers that use Internet (Asus, U.S. Robotics, Comm Net
, Broadcom, Deutsche Telekom, Alice Italy, Pirelli (Italy),
Bungury (Russia) and Vodafone (Thailand).
################
Vulnerabilities
################
This firmware have a flaw in tftp
service ,if a user have enable lan access
to tftp server and/or access from Wan ,
this router is prone vulnerable to a DoS
condition.
in the configuration file we can look for
services enabled at this line =>
---------------------------------------------------
srvCtrlList ftp="lan" http="lan" icmp="lan"
snmp="disable" ssh="disable" telnet="lan" tftp="lan"
----------------------------------------------------
in this case we have enabled tftp access from lan
oks create a new html file for example tweaking.html
(this file exists in poligon firmwares but you can use other
that´s have in yopur router in the /webs folder).
let´s try to upload it from my machine to /webs router folder
tftp -i 192.168.1.1 PUT c:\tweaking.html /webs
the file is aparently upload and the tftp server is configured
for reboot the router after upload finished.
Them i make the same test via Wan access and i have
the same result the router is reboot...
This can cause a DoS to a user , because a atacker
can force to reset all time, the victim´s router.
###############
versions
###############
Comtrend HG536+ router with this firmwares:
firmware Comtrend A101-302JAZ-C01_R05
firmware A101-302JAZ-C03_R14.A2pB021g.d15h
firmware Poligon, Release.0810b_1525 ADSLZONE v.1.10.08.11b (tftp issue)
##############
Solution
#############
No solution was available at this time.
by default this router is configured for
denied the access from WAN connections
But this style attack can be done if any
user is inside the LAN or if enable the
access from WAN for tftp service.
Configure to disable tftp and
Grant access to device ,only to trust users.
################# €nd #############
Thnx To Brink for test with me and for
his patience wen i reboot his router :P
Brinkxd@gmail.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Caja Granada ha Parcheado Su web
Wednesday, June 10, 2009
###################################
Caja Granada ha Parcheado Su web
vendor Url:http://caja.caja-granada.es/
###################################
La web de La entidad bancaria Caja granada bajo uno
de sus diferentes dominios,se vio afectada por una
serie de errores de validacion de tipo Cross-site
scripting (XSS) y de tipo (CSRF)
Estas vulnerabilidades fueron descubiertas y
estudiadas por mi hasta descubrir las vulnerabilidades
o vectores de ataque, en la parte externa de la web;es
decir en la parte no autentificada de la web.
Las vulnerabilidades fueron reportados al equipo de seguridad
logica de La entidad, y al servicio de atencion al cliente,
despues del intercambio de unos mails, ha quedado parcheada
la parte mas critica de estas vulnerabilidades, la cual
permitia la inclusion de todo un sitio web bajo un frame
sobe el dominio principal de la entidad.
Caja Granada vuelve a ser segura en esos puntos reportados.
Ningun cliente de Caja granada pudo verse afectado , ya que
las comunicaciones se produjeron con absoluta discreccion
por ambas partes.
En el caso de la inclusion del sitio, ademas de haber sido
corregido , se nos muestra un mensage advirtiendonos de si
de verdad hemos accedido a esa url atraves del dominio de
caja Granada.
No se da ninguna prueba de cocepto por motivos evidentes.
Referencias :
http://caja.caja-granada.es
http://lostmon.blogspot.com/2009/01/la-banca-espaola-ante-el-phishing.html
http://lostmon.blogspot.com/2009/02/entidades-bancarias-espanolas-ante-el.html
################## €nd ###################
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com
--
atentamente:
Lostmon (lost...@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Caja Granada ha Parcheado Su web
vendor Url:http://caja.caja-granada.es/
###################################
La web de La entidad bancaria Caja granada bajo uno
de sus diferentes dominios,se vio afectada por una
serie de errores de validacion de tipo Cross-site
scripting (XSS) y de tipo (CSRF)
Estas vulnerabilidades fueron descubiertas y
estudiadas por mi hasta descubrir las vulnerabilidades
o vectores de ataque, en la parte externa de la web;es
decir en la parte no autentificada de la web.
Las vulnerabilidades fueron reportados al equipo de seguridad
logica de La entidad, y al servicio de atencion al cliente,
despues del intercambio de unos mails, ha quedado parcheada
la parte mas critica de estas vulnerabilidades, la cual
permitia la inclusion de todo un sitio web bajo un frame
sobe el dominio principal de la entidad.
Caja Granada vuelve a ser segura en esos puntos reportados.
Ningun cliente de Caja granada pudo verse afectado , ya que
las comunicaciones se produjeron con absoluta discreccion
por ambas partes.
En el caso de la inclusion del sitio, ademas de haber sido
corregido , se nos muestra un mensage advirtiendonos de si
de verdad hemos accedido a esa url atraves del dominio de
caja Granada.
No se da ninguna prueba de cocepto por motivos evidentes.
Referencias :
http://caja.caja-granada.es
http://lostmon.blogspot.com/2009/01/la-banca-espaola-ante-el-phishing.html
http://lostmon.blogspot.com/2009/02/entidades-bancarias-espanolas-ante-el.html
################## €nd ###################
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com
--
atentamente:
Lostmon (lost...@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Caixa Sabadell Parchea sus dominios web
Wednesday, June 03, 2009
#######################################
Caixa Sabadell Parchea sus dominios web
vendor: http://www.caixasabadell.es
#######################################
La web de Caixa Sabadell bajo dos de sus diferentes dominios,
se vio afectada por una serie de errores de validacion de tipo
Cross-site scripting (XSS).
Estas vulnerabilidades fueron descubiertas y estudiadas por mi
hasta descubrir las vulnerabilidades o vectores de ataque, en
la parte externa de la web;es decir en la parte no autentificada
de la web.
Las vulnerabilidades fueron reportados al equipo de seguridad
logica de La entidad, y al servicio de atencion al cliente,
Estas ediciones han sido solucionadas ya a dia de hoy, y asi
caixa Sabadell vuelve a ser segura en esos puntos reportados.
No se da ninguna prueba de cocepto por motivos evidentes.
Referencias :
http://www.caixasabadell.es
http://lostmon.blogspot.com/2009/01/la-banca-espaola-ante-el-phishing.html
http://lostmon.blogspot.com/2009/02/entidades-bancarias-espanolas-ante-el.html
################## €nd ###################
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com
--
atentamente:
Lostmon (lost...@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Caixa Sabadell Parchea sus dominios web
vendor: http://www.caixasabadell.es
#######################################
La web de Caixa Sabadell bajo dos de sus diferentes dominios,
se vio afectada por una serie de errores de validacion de tipo
Cross-site scripting (XSS).
Estas vulnerabilidades fueron descubiertas y estudiadas por mi
hasta descubrir las vulnerabilidades o vectores de ataque, en
la parte externa de la web;es decir en la parte no autentificada
de la web.
Las vulnerabilidades fueron reportados al equipo de seguridad
logica de La entidad, y al servicio de atencion al cliente,
Estas ediciones han sido solucionadas ya a dia de hoy, y asi
caixa Sabadell vuelve a ser segura en esos puntos reportados.
No se da ninguna prueba de cocepto por motivos evidentes.
Referencias :
http://www.caixasabadell.es
http://lostmon.blogspot.com/2009/01/la-banca-espaola-ante-el-phishing.html
http://lostmon.blogspot.com/2009/02/entidades-bancarias-espanolas-ante-el.html
################## €nd ###################
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com
--
atentamente:
Lostmon (lost...@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Safari 4 Automatic explorer.exe launch
Tuesday, May 12, 2009
###############################
Safari for windows automatic command line launch
advisory:http://lostmon.blogspot.com/
2009/05/safari-4-automatic-explorerexe-launch.html
vendor notify:yes
###############################
###########
Description
############
Safari 4 public beta (528.16) is prone vulnerable
to a local file comandline automatic launch.
I test it in windows vista & windows 7 rc
first take a look ..=>
http://msdn.microsoft.com/en-us/library/aa767914(VS.85).aspx#app_reg
http://msdn.microsoft.com/en-us/library/aa767914(VS.85).aspx#url_inv
In this documentation in "security alert" say :
"Applications handling URL protocols must be robust
in the face of malicious data.
Because handler applications receive data from untrusted
sources, the URL and other parameter values passed to
the application may contain malicious data attempting to
exploit the handling application. For this reason, handling
applications that could initiate unwanted actions based on
external data must first confirm those actions with the user"
Take a look, how to use search-ms protocol handler:
http://msdn.microsoft.com/en-us/library/bb266520.aspx
and
how to display windows objects in a command line :
http://www.codeproject.com/KB/system/ExplorerObjects.aspx
With all of this information a user can compose a html
document that call search-ms protocol handler , and use
some explorer objetcs.
########
testing
########
search-ms:query=microsoft&
search-ms:query=vacation&subquery=mydepartment.search-ms&
search-ms:query=seattle&crumb=kind:pics&
search-ms:query=seattle&crumb=folder:C:\MyFolder&
If you compose a html document with a iframe or a link that
contains any of those search-ms url firefox,google chrome,and
IE8 show a warning.( this is correct)but if you click in accept
it open explorer.exe and execute the search...
If you test the same with safari,this browser, opens
directly the iframe or the link without any prompt
or any warning.
If we look the implementation on this protocol handler,
and we look how to show explorer objects, we can compose
a "special" url that can contain explorer objects in
"location" parameter and we can launch explorer.exe that
can search in a determinate place of our machine.
for example :
search-ms:displayname=Search%20In%20Google.com&crumb=
location:%3A%3A{20D04FE0-3AEA-1069-A2D8-08002B30309D}
&stackedby=System.ItemTypeText&recurring:true
open explorer.exe , and close the tab where
explorer was called and close explorer.exe too
search-ms:displayname=Search%20In%20Google.com
&crumb=location:D%3A%5C&stackedby=System.ItemTypeText
&recurring:true
open explorer and explode the search box:
search-ms:displayname=%3D[]%20OR%20%3D%20OR%20%3D%20OR%20%3D&location:
the displayname param we can use it for spoof location,and
show for example in this case google.com (the victims can
think that the browser is searching in google.com)
If we put directly this url in the address bar of safari
this browser say , that it can´t open this url because
it don´t know the associate program.
But if we pass this ur in a iframe , safari don´t show
any warning and it execute this url and search withing
the files of the victim.
If we pass this url to Firefox , it show a warning , and
if we click in allow , this search is executed,if we pass
the url in a link or in a iframe the result is the same.
With Google Chrome if we pass the url to address bar,
Chrome search this url in google ( not affected directly)
but if we pass the url in a iframe or in a link , it show
a warning , click in allow and the search is executed.
with IE8 show a warning , but the search isn´t executed,
because it is incorrect to explorer, we can compose others
one. (it works too)
Wen explorer.exe is launching , the process is called with
this params:
this "injection" executes at commandline level =>
c:\windows\explorer.exe /separate,/idlist,%1,%L
I'm doing several test and try to obtain this other command line =>
c:\windows\explorer.exe /N,%windir%\system32,
/select,%windir%\system32\calc.exe
but at this moment i can't pass this command line in a
iframe with search-ms protocol.
¿ a remote user can collect the result of this local search ??
i don,t know any way to do it; but for example we can cause a
DoS to explorer if compose a HTML document with tree or four
iframes that call search-ms and it can use tu turn slow the
PC or for abuse of te search indexer or explorer.exe
A link with only put the protocol search-ms: with tree
or four explorer windows , it can be abuse of memory ,
and in some cases eplorer.exe crashes.
I exchange some mails whith MSRC (microsoft) and
the and i in the final conclusion , we think that at
this moment this not supose a security vulnerability
in IE8 , because it show the warnig , and we don´t have
found a vector to attack or to bypass the restrintions on
the search-ms implementation to turn it in a Remote command
execution or remote code execution.
This is the final response from Microsoft:
#######################################
We have completed our investigation into this issue
and believe there is not a security issue here for
Microsoft to address. Our investigation has not shown
any method whereby a search-ms URL could either execute
arbitrary code or return search results to a third party.
Although additional search windows can be generated from
multiple iframe on a web page, this is a temporary DoS
condition. We can find no security issue with the search-ms
protocol itself. As such, this is not something MSRC would track.
Please let me know if you feel we have missed something
in our analysis. Otherwise, I will be closing the MSRC
case down. I do appreciate you taking the time to report
this to us and working with us throughout the investigation.
########################################
but if we remember wen we call search-ms protocol
in a web page it executes this:
c:\windows\explorer.exe /separate,/idlist,%1,%L
them .. at this moment it isn´t a vulnerability in IE
but i think that this issue need to be track ...
###############€nd#####################
Thnx to estrella to be my ligth
Thnx to all Lostmon Team !!
Thnx The Microsoft Research Security Center
for their support. http://blogs.technet.com/msrc/
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Safari for windows automatic command line launch
advisory:http://lostmon.blogspot.com/
2009/05/safari-4-automatic-explorerexe-launch.html
vendor notify:yes
###############################
###########
Description
############
Safari 4 public beta (528.16) is prone vulnerable
to a local file comandline automatic launch.
I test it in windows vista & windows 7 rc
first take a look ..=>
http://msdn.microsoft.com/en-us/library/aa767914(VS.85).aspx#app_reg
http://msdn.microsoft.com/en-us/library/aa767914(VS.85).aspx#url_inv
In this documentation in "security alert" say :
"Applications handling URL protocols must be robust
in the face of malicious data.
Because handler applications receive data from untrusted
sources, the URL and other parameter values passed to
the application may contain malicious data attempting to
exploit the handling application. For this reason, handling
applications that could initiate unwanted actions based on
external data must first confirm those actions with the user"
Take a look, how to use search-ms protocol handler:
http://msdn.microsoft.com/en-us/library/bb266520.aspx
and
how to display windows objects in a command line :
http://www.codeproject.com/KB/system/ExplorerObjects.aspx
With all of this information a user can compose a html
document that call search-ms protocol handler , and use
some explorer objetcs.
########
testing
########
search-ms:query=microsoft&
search-ms:query=vacation&subquery=mydepartment.search-ms&
search-ms:query=seattle&crumb=kind:pics&
search-ms:query=seattle&crumb=folder:C:\MyFolder&
If you compose a html document with a iframe or a link that
contains any of those search-ms url firefox,google chrome,and
IE8 show a warning.( this is correct)but if you click in accept
it open explorer.exe and execute the search...
If you test the same with safari,this browser, opens
directly the iframe or the link without any prompt
or any warning.
If we look the implementation on this protocol handler,
and we look how to show explorer objects, we can compose
a "special" url that can contain explorer objects in
"location" parameter and we can launch explorer.exe that
can search in a determinate place of our machine.
for example :
search-ms:displayname=Search%20In%20Google.com&crumb=
location:%3A%3A{20D04FE0-3AEA-1069-A2D8-08002B30309D}
&stackedby=System.ItemTypeText&recurring:true
open explorer.exe , and close the tab where
explorer was called and close explorer.exe too
search-ms:displayname=Search%20In%20Google.com
&crumb=location:D%3A%5C&stackedby=System.ItemTypeText
&recurring:true
open explorer and explode the search box:
search-ms:displayname=%3D[]%20OR%20%3D%20OR%20%3D%20OR%20%3D&location:
the displayname param we can use it for spoof location,and
show for example in this case google.com (the victims can
think that the browser is searching in google.com)
If we put directly this url in the address bar of safari
this browser say , that it can´t open this url because
it don´t know the associate program.
But if we pass this ur in a iframe , safari don´t show
any warning and it execute this url and search withing
the files of the victim.
If we pass this url to Firefox , it show a warning , and
if we click in allow , this search is executed,if we pass
the url in a link or in a iframe the result is the same.
With Google Chrome if we pass the url to address bar,
Chrome search this url in google ( not affected directly)
but if we pass the url in a iframe or in a link , it show
a warning , click in allow and the search is executed.
with IE8 show a warning , but the search isn´t executed,
because it is incorrect to explorer, we can compose others
one. (it works too)
Wen explorer.exe is launching , the process is called with
this params:
this "injection" executes at commandline level =>
c:\windows\explorer.exe /separate,/idlist,%1,%L
I'm doing several test and try to obtain this other command line =>
c:\windows\explorer.exe /N,%windir%\system32,
/select,%windir%\system32\calc.exe
but at this moment i can't pass this command line in a
iframe with search-ms protocol.
¿ a remote user can collect the result of this local search ??
i don,t know any way to do it; but for example we can cause a
DoS to explorer if compose a HTML document with tree or four
iframes that call search-ms and it can use tu turn slow the
PC or for abuse of te search indexer or explorer.exe
A link with only put the protocol search-ms: with tree
or four explorer windows , it can be abuse of memory ,
and in some cases eplorer.exe crashes.
I exchange some mails whith MSRC (microsoft) and
the and i in the final conclusion , we think that at
this moment this not supose a security vulnerability
in IE8 , because it show the warnig , and we don´t have
found a vector to attack or to bypass the restrintions on
the search-ms implementation to turn it in a Remote command
execution or remote code execution.
This is the final response from Microsoft:
#######################################
We have completed our investigation into this issue
and believe there is not a security issue here for
Microsoft to address. Our investigation has not shown
any method whereby a search-ms URL could either execute
arbitrary code or return search results to a third party.
Although additional search windows can be generated from
multiple iframe on a web page, this is a temporary DoS
condition. We can find no security issue with the search-ms
protocol itself. As such, this is not something MSRC would track.
Please let me know if you feel we have missed something
in our analysis. Otherwise, I will be closing the MSRC
case down. I do appreciate you taking the time to report
this to us and working with us throughout the investigation.
########################################
but if we remember wen we call search-ms protocol
in a web page it executes this:
c:\windows\explorer.exe /separate,/idlist,%1,%L
them .. at this moment it isn´t a vulnerability in IE
but i think that this issue need to be track ...
###############€nd#####################
Thnx to estrella to be my ligth
Thnx to all Lostmon Team !!
Thnx The Microsoft Research Security Center
for their support. http://blogs.technet.com/msrc/
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Subscribe to:
Posts (Atom)