Category Archives: Full Disclosure

Advisories Unsafe DLL in Audacity, Telegram and Akamai

Posted by filipe on Jan 03

=====[ Tempest Security Intelligence – ADV-7/2016 ]=============================

Unsafe DLL search path in Audacity 2.1.2

Author: Felipe Xavier Oliveira < engfilipeoliveira89 () gmail.com >

Tempest Security Intelligence – Recife, Pernambuco – Brazil

=====[ Table of Contents ]======================================================

1. Overview
2. Detailed description
3. Further attack scenarios
4. Timeline of…

CINtruder v0.3 released…

Posted by psy on Jan 03

Dear list,

I have released a new Captcha Intruder (CINtruder) release. It includes a
complete Web User Interface (GUI) and some advanced features for
updating, managing dictionaries, etc.

http://cintruder.03c8.net

If you’re not already familiar with CINtruder, please read the
DESCRIPTION section below.

[ DOWNLOAD ]

You can download the new Captcha Intruder here:

git clone https://github.com/epsylon/cintruder

Zend Framework / zend-mail < 2.4.11 Remote Code Execution (CVE-2016-10034)

Posted by Dawid Golunski on Jan 03

Zend Framework < 2.4.11 Remote Code Execution (CVE-2016-10034)
zend-mail < 2.7.2

Discovered by Dawid Golunski (@dawid_golunski)
https://legalhackers.com

Desc:
Independent research uncovered a critical vulnerability in zend-mail, a
Zend Framework component, that could potentially be used by (unauthenticated)
remote attackers to achieve remote arbitrary code execution in the context
of the web server user and remotely compromise…

Re: [RT-SA-2016-001] Padding Oracle in Apache mod_session_crypto

Posted by Tim on Dec 30

Hi Erik,

Thanks for backing me up on a number of things. Only one response below.

The site you linked mentioned 64-bit block ciphers are vulnerable, even
in CTR mode. Obviously the birthday “paradox” applies. Regardless of
how right or wrong you are about Sweet32, this is far from the most
important thing *implementors* should be worried about. Obviously if
they start with AES, then the birthday paradox issues are vastly
reduced. Any…

SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)

Posted by Dawid Golunski on Dec 29

Vulnerability:
SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)

Discovered by: Dawid Golunski (@dawid_golunski)
https://legalhackers.com

Severity: CRITICAL

Desc:

Independent research uncovered a critical vulnerability in SwiftMailer that
could potentially be used by (unauthenticated) remote attackers to achieve
remote arbitrary code execution in the context of the web server user and
remotely compromise the target web…

Re: [RT-SA-2016-001] Padding Oracle in Apache mod_session_crypto

Posted by Erik Auerswald on Dec 29

Hi,

That is correct.

That is wrong. CBC mode allows attacks such as “Sweet32”
(https://sweet32.info/), which is not possible with CTR mode.

Correct again, but too simple-minded. Any encryption without integrity
protection does not provide confidentiality against an active attacker.
Using the wrong mode with a block cipher can render authentication
irrelevant in attacks on confidentiality.

That is sound advice. In addition, broken…

Executable installers are vulnerable^WEVIL (case 42): SoftMaker's FreeOffice installer allows escalation of privilege

Posted by Stefan Kanthak on Dec 29

Hi @ll,

the installers of SoftMaker’s FreeOffice 2016, “freeoffice2016.exe”,
available from <http://www.softmaker.net/down/freeoffice2016.exe>,
and its predecessor FreeOffice 2010, “freeofficewindows.exe”,
available from <http://www.softmaker.net/down/freeofficewindows.exe>,
are (surprise.-) vulnerable!

1. They load CABINET.DLL, MSI.DLL, VERSION.DLL and WINSPOOL.DRV from
their “application…

Re: [RT-SA-2016-001] Padding Oracle in Apache mod_session_crypto

Posted by Tim on Dec 27

All traditional modes that lack integrity protection are vulnerable to
chosen-ciphertext attacks in these kinds of scenarios. CFB isn’t
immune and CTR is catastrophically weak. All traditional modes need a
MAC or similar integrity protection. In light of that, there’s
nothing particularly wrong with using CBC, if it is implemented well.
At least, using it is not *more* wrong than using OFB, CFB, or CTR
without integrity protection….

PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)

Posted by Dawid Golunski on Dec 27

PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit
(CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)

Discovered by Dawid Golunski (@dawid_golunski)
https://legalhackers.com

Desc:

I discovered that the current PHPMailer versions (< 5.2.20) were still
vulnerable to RCE as it is possible to bypass the currently available
patch.

This was reported responsibly to the vendor & assigned a CVE ID on the
26th of December.
The vendor…