Posts tagged: Bugs

Aug 24 2010

Google Chrome HTTP AUTH Dialog Spoofing through Realm Manipulation

Google Chrome 5.0.375.127 and earlier suffers from an HTTP Auth dialog spoofing vulnerability caused by manipulation of the realm value in the HTTP header (the realm parameter of the WWW-Authenticate challenge).

A related bug was patched earlier, but the issue covered there was dialog spoofing through long sub-domain names, and the patch addressed only that specific case. A number of tests against Google Chrome show that the browser does not scrutinize the realm value set in the header: the value can be tampered with using double quotes and single quotes arranged in a particular way, and the tampered text is shown in the authentication dialog.

Source: Aditya K Sood’s Blog
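The PHP script below is an added example for the Chrome realm issue above; it is not code from the original post or from the Chromium project. It extracts the realm parameter from a WWW-Authenticate challenge using RFC 2617 quoted-string rules (a backslash escapes the next character, so a double quote can legally appear inside the realm) and then applies a display-safety check of the kind a client should run before echoing the realm into a credential prompt. The sample challenges, the 64-character limit and the realm_is_displayable() policy are assumptions of this example, not Chrome's rules.

```php
<?php
// Added example, not from the original post or from Chromium: parse the realm
// out of a WWW-Authenticate challenge as RFC 2617 defines it and apply a
// display-safety check before the value is echoed into a credential prompt.
// The sample challenges below are constructed for illustration.

// Extract realm="..." as an RFC 2617 quoted-string: a backslash quotes the
// next character, so \" is a literal double quote inside the realm.
function parse_realm($challenge) {
    if (!preg_match('/realm\s*=\s*"((?:[^"\\\\]|\\\\.)*)"/i', $challenge, $m)) {
        return null;
    }
    // Undo the quoted-pair escaping to obtain the realm as the server meant it.
    return preg_replace('/\\\\(.)/', '$1', $m[1]);
}

// Policy check (an assumption of this example, not Chrome's rule): a realm
// that will be shown to the user must not carry quote characters, control
// characters (CR/LF included) or exceed a length the dialog can show
// unambiguously next to the real host name.
function realm_is_displayable($realm, $max_len = 64) {
    if ($realm === null || $realm === '') {
        return false;
    }
    if (strlen($realm) > $max_len) {
        return false;
    }
    if (preg_match('/["\'\x00-\x1f\x7f]/', $realm)) {
        return false;
    }
    return true;
}

// Constructed challenges: a benign one, one smuggling a double quote through
// a quoted-pair, and one carrying a line break.
$challenges = array(
    'Basic realm="Staff Intranet"',
    'Basic realm="Login to bank.example \" Secure Zone"',
    "Basic realm=\"Enter your password for\r\nbank.example\"",
);

foreach ($challenges as $c) {
    $realm = parse_realm($c);
    printf("%-55s -> realm=%s displayable=%s\n",
        addcslashes($c, "\r\n"),
        json_encode($realm),
        realm_is_displayable($realm) ? 'yes' : 'no');
}
```

The point of separating parse_realm() from realm_is_displayable() is that a correct parser must accept the escaped quote and the line break (they are valid quoted-string content on the wire), while the policy that decides what to put in front of the user is a separate, stricter step.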

Feb 21 2010

Zero day exploit for Firefox 3.6

Russian security firm Intevydis has made a Windows exploit for a previously unknown security hole in Firefox 3.6 available to its customers. The exploit allows attackers to remotely gain control of a PC. Intevydis develops the commercial VulnDisco add-on for Immunity's Canvas exploit toolkit, which is itself a commercial product. On the Immunity forum, developer Evgeny Legerov describes his exploit for Windows XP (SP3) and Vista as quite reliable, and says it was an interesting challenge both to find the flaw, a buffer overflow, and to exploit it.

While the post dates back to the beginning of February, the hole is still open, since no update for Firefox 3.6 has been released so far. Secunia rates the problem as critical but has provided no further information in its advisory; the Mozilla Foundation is aware of the problem but has yet to issue an official statement. Whether the exploit has already been widely circulated or used on a large scale remains unknown.

However, according to the analysis on the Extraexploit blog, a significant increase in the number of Firefox 3.6 crashes was noted on the 12th and 13th of February. It is unclear whether the crashes were connected to the exploit being tested. The pages causing the highest number of crashes are listed in Mozilla’s crash reports.

In passing, Legerov also mentions zero day exploits for Lotus Notes 8.5/8.5fp1 and for RealPlayer 11. The exploit for RealPlayer is the modernised version of an exploit that appeared two years ago for a hole that RealPlayer closed only recently.

Aug 31 2009

Kaspersky 2010 Remote Memory Corruption / DoS PoC

Description:
The vulnerability affects Kaspersky Internet Security 2010 9.0.0.459 and its sibling product, Kaspersky Anti-Virus 2010 9.0.0.463.

The vulnerability was discovered on August 18, 2009.

The problem appears when these two versions parse a URL containing a long run of consecutive dots: Kaspersky's native avp.exe process drives CPU usage up to 100%. At first, browser traffic is blocked; if enough consecutive dots are passed in the URL, the computer eventually crashes.

The trigger can be embedded in HTML files, as an ordinary href value or as an img source, and it also works inside HTML e-mail bodies. It can therefore be delivered remotely and leads to a remote memory corruption / denial of service on the affected machine.

Tested on Products:

  • Kaspersky Internet Security 2010 9.0.0.459 (EN) with Mozilla Firefox on Windows XP Professional SP2 [en-US]
  • Kaspersky Anti-Virus 2010 [EN] with IE8 on Windows XP Professional SP2 [en-US]

Proof of Concept: http://www.milw0rm.com/exploits/9537
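As an added example (not from the advisory or the linked PoC), the PHP filter below scans HTML, such as a page or an e-mail body, for href/src URLs that contain a long run of consecutive dots, the trigger described above, so that a mail gateway or proxy can flag such content before a client-side scanner parses it. The threshold of 32 dots, the function name find_dot_run_urls() and the sample HTML are constructed assumptions; the advisory gives no exact count.

```php
<?php
// Added example, not from the advisory or the milw0rm PoC: a content filter
// that flags href/src URLs containing long runs of consecutive dots.
// The threshold and the sample HTML are assumptions of this example.

const DOT_RUN_THRESHOLD = 32;   // assumed; the advisory gives no exact count

// Return the href/src URLs in $html whose longest run of '.' reaches the
// threshold, together with the length of that run.
function find_dot_run_urls($html, $threshold = DOT_RUN_THRESHOLD) {
    $hits = array();
    // Capture the quoted value of every href= or src= attribute.
    if (!preg_match_all('/\b(?:href|src)\s*=\s*(["\'])(.*?)\1/is', $html, $m)) {
        return $hits;
    }
    foreach ($m[2] as $url) {
        // \.{N,} matches the first run of at least N consecutive dots.
        if (preg_match('/\.{' . (int) $threshold . ',}/', $url, $run)) {
            $hits[] = array('url' => $url, 'run' => strlen($run[0]));
        }
    }
    return $hits;
}

// Constructed sample: a harmless URL with two dots and an image source
// carrying a run of 200 dots, the shape of trigger the advisory describes.
$sample = '<p>Report: <a href="http://files.example/q1..v2.pdf">Q1</a></p>'
        . '<img src="http://cdn.example/' . str_repeat('.', 200) . 'pixel.gif">';

foreach (find_dot_run_urls($sample) as $h) {
    printf("run of %d dots in %s\n", $h['run'], substr($h['url'], 0, 40) . '...');
}
```

The attribute regex is deliberately loose (it does not parse the document properly) so that it still catches the trigger inside malformed HTML e-mail; a full HTML parser could be substituted where false positives matter more than coverage.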

Aug 13 2009

WordPress 2.8.3 Admin Password Reset Exploit

Topic: WordPress <= 2.8.3 Remote admin reset password
Credit: Laurent Gaffié [Laurent.gaffie(at)gmail.com]
Date: 11.08.2009
Proof Of Concept:

The way WordPress handles a password reset looks like this:
You submit your e-mail address or username via the form
/wp-login.php?action=lostpassword ;
WordPress then sends you a reset confirmation e-mail like this:

Someone has asked to reset the password for the following site and username.

http://DOMAIN_NAME.TLD/wordpress

Username: admin
To reset your password visit the following address:

http://domain_name.tld/wp-login.php?action=rp&key[]=

You click on the link, WordPress resets your password and sends you another e-mail with your new credentials.
Let's see how it works:

wp-login.php:
…[snip]…
line 186:
function reset_password($key) {
    global $wpdb;

    $key = preg_replace('/[^a-z0-9]/i', '', $key);

    if ( empty( $key ) )
        return new WP_Error('invalid_key', __('Invalid key'));

    $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users
        WHERE
        user_activation_key = %s", $key));
    if ( empty( $user ) )
        return new WP_Error('invalid_key', __('Invalid key'));
…[snip]…
line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();

if ( isset($_GET['key']) )
    $action = 'resetpass';

// validate action so as to default to the login screen
if ( !in_array($action, array('logout', 'lostpassword',
        'retrievepassword',
        'resetpass', 'rp', 'register', 'login')) && false ===
        has_filter('login_form_' . $action) )
    $action = 'login';
…[snip]…

line 370:

    break;

case 'resetpass' :
case 'rp' :
    $errors = reset_password($_GET['key']);

    if ( ! is_wp_error($errors) ) {
        wp_redirect('wp-login.php?checkemail=newpass');
        exit();
    }

    wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
    exit();

    break;
…[snip]…

You can abuse the password reset function, skip the first step and reset the admin password by submitting an array as the key parameter (key[]=). preg_replace() applied to an array returns an array, so the empty($key) check does not fire; wpdb::prepare() then uses the array as its argument list, the %s placeholder becomes an empty string, and the query matches the first user whose user_activation_key is empty, which is normally the admin account.

Business Impact: An attacker could exploit this vulnerability to reset the password of the admin account on any WordPress / WordPress MU installation <= 2.8.3.

Solution: WordPress fixed this problem last night and has been testing the fixes and looking for other problems since then. Version 2.8.4, which fixes all known problems, is now available for download and is highly recommended for all users of WordPress.
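To make the bypass concrete, here is an added, stand-alone PHP reproduction; it is not WordPress code. It models wpdb::prepare() (which, when handed a single array argument, uses that array as the vsprintf() argument list) and get_row() over a constructed two-row user table, then runs the 2.8.3 reset_password() logic and the is_array() check that 2.8.4 added against the array that PHP builds for ?key[]=. The FakeDB class, its sample rows and the simplified escaping are assumptions of this example.

```php
<?php
// Added example, not WordPress code: a CLI reproduction of the key[] array
// bypass in reset_password() and of the check added in 2.8.4.
// Assumptions: the FakeDB class below stands in for $wpdb, with a constructed
// two-row user table and a prepare() that mirrors the relevant vsprintf() logic.

class FakeDB {
    public $users = 'wp_users';

    // Constructed sample rows: user 1 has no pending reset (empty key),
    // user 2 has requested a reset and holds a real activation key.
    private $rows = array(
        array('ID' => 1, 'user_login' => 'admin',  'user_activation_key' => ''),
        array('ID' => 2, 'user_login' => 'editor', 'user_activation_key' => 'a1b2c3d4'),
    );

    // Mirrors the behaviour that matters in wpdb::prepare() of the 2.8 line:
    // when the single argument is an array it becomes the vsprintf() argument
    // list, so array('') fills %s with an empty string.
    public function prepare($query) {
        $args = func_get_args();
        array_shift($args);
        if (isset($args[0]) && is_array($args[0])) {
            $args = $args[0];
        }
        $query = str_replace('%s', "'%s'", $query);
        $args  = array_map('addslashes', $args);
        return vsprintf($query, $args);
    }

    // Minimal stand-in for get_row(): look up the activation key in the SQL
    // text and return the first matching row, as MySQL would for LIMIT 1.
    public function get_row($sql) {
        if (!preg_match("/user_activation_key = '([^']*)'/", $sql, $m)) {
            return null;
        }
        foreach ($this->rows as $row) {
            if ($row['user_activation_key'] === $m[1]) {
                return (object) $row;
            }
        }
        return null;
    }
}

// 2.8.3 logic: preg_replace() on an array returns an array, which empty()
// does not treat as empty, so the lookup runs with an empty-string key.
function reset_password_vulnerable($wpdb, $key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key)) {
        return 'invalid_key';
    }
    $user = $wpdb->get_row($wpdb->prepare(
        "SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
    if (empty($user)) {
        return 'invalid_key';
    }
    return $user->user_login;   // the account whose password would be reset
}

// 2.8.4 logic: an array key is rejected before any database lookup.
function reset_password_fixed($wpdb, $key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key) || is_array($key)) {
        return 'invalid_key';
    }
    $user = $wpdb->get_row($wpdb->prepare(
        "SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
    if (empty($user)) {
        return 'invalid_key';
    }
    return $user->user_login;
}

$wpdb = new FakeDB();
// What PHP produces for ?key[]= : an array holding one empty string.
$attacker_key = array('');

printf("2.8.3 with key[]=      : %s\n", reset_password_vulnerable($wpdb, $attacker_key));
printf("2.8.4 with key[]=      : %s\n", reset_password_fixed($wpdb, $attacker_key));
printf("2.8.4 with a valid key : %s\n", reset_password_fixed($wpdb, 'a1b2c3d4'));
```

Running it shows the two paths side by side: the 2.8.3 function resolves the attacker's array to the user with an empty activation key (the admin row here), while the 2.8.4 function refuses the array and only honours a real key. The wider lesson is that PHP's request arrays let any scalar parameter arrive as an array, so input handling has to check the type, not just emptiness, before the value reaches a string function or a query builder.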

Mar 06 2009

WinAmp 5.541 Skin Universal Buffer Overflow Exploit

#!/usr/bin/perl
#
# WinAmp <= 5.541 Skin Universal Buffer Overflow Exploit
#
# Discovered and Exploited by SkD (skdrat@hotmail.com)
# -----------------------------------------------------
# WinAmp = http://www.winamp.com
#
# Who doesn't use WinAmp?
#
# This was an 0day for some time but with the release of
# the new version 5.55, it fixed the buffer overflow vuln.
# I made it universal and very reliable.
# The vulnerability is a mixture of a standard buffer overflow
# with a SEH overflow, so to make it more stable,
# both of the scenarios will be exploited accordingly when one
# is triggered with my exploit :) .
# The exploit can also run any shellcode (alpha) so this makes
# it ever so useful.
#
# Instructions:-
# -Run script.
# -Copy the created exploit directory "SkD's Skin" to
# "C:\Program Files\WinAmp\Skins" OR just install it.
# -Choose the skin from WinAmp :)
#
# Enjoy it ladies and gents :)
#
# Shouts out to: -KkD
# -InTeL
# -Jayji
# -str0ke
#
# Note: Author has no responsibility over the damage done with this!

Exploit: http://www.milw0rm.com/exploits/8158