Showing posts from August, 2012

Multiple Windows Applications | Unencrypted Sensitive Information Storage in Memory

CWE-316: Plain-text Storage in Memory
(http://cwe.mitre.org/data/definitions/316.html)
Attack Phase: Post-Exploitation
Activity Class: Sensitive Data Harvesting


1. OVERVIEW

An insecure application development practice is still prevalent in
popular applications: sensitive information (e.g. user credentials)
is loaded unencrypted into the application's process memory. Remote
attackers who have compromised a user's system, or malicious software
running on it, could scan a particular process's memory for this
sensitive information.


2. AFFECTED SOFTWARE

- iTunes (Tested on 10.x)
- pfingoTalk (Tested on version: 4.x)
- pidgin (Tested on version: 2.x)
- Tencent QQ (Tested on version: QQ2009 SP3)
- zFTP Server (Tested on version: 2011-04-13)
- FileZilla (Tested on version 3.x)
- ...

3. PROOF-OF-CONCEPT/EXPLOIT

- a) pmdump.exe [Process ID] Process.dump
- b) bin_find.py Process.dump [Password/Username]
     or
     strings.exe -a -n 5 Process.dump


4. CREDIT

This vulnerability was discovered by Myo Soe, htt…

ocPortal CMS 8.x | Session Hijacking Vulnerability

1. OVERVIEW

ocPortal CMS 8.x and lower versions are vulnerable to a session hijacking
flaw that could allow attackers to compromise an administrator's session.


2. PRODUCT DESCRIPTION

ocPortal is the website Content Management System (a CMS) for building
and maintaining a dynamic website. ocPortal's powerful feature-set
means there's always a way to accomplish your vision. Not only does
ocPortal's CMS have all the features you'd expect: for instance photo
galleries, news, file downloads and community forums/chats, but it
does so whilst meeting the highest accessibility and professional
standards. It is also smart enough to go beyond page management, to
automatically handle search engine optimisation, and provide
aggressive hack attack prevention.


3. VULNERABILITY DESCRIPTION

ocPortal CMS generates 7-digit session IDs for logged-in users;
thus it is possible to work out a valid session ID through brute
forcing. Successful hijacking requires the "Enforce…

ocPortal CMS 8.x | Cross Site Request Forgery (CSRF) Vulnerability

1. OVERVIEW

ocPortal CMS 8.x and lower versions are vulnerable to Cross-site
Request Forgery (CSRF / XSRF).


2. PRODUCT DESCRIPTION

ocPortal is the website Content Management System (a CMS) for building
and maintaining a dynamic website. ocPortal's powerful feature-set
means there's always a way to accomplish your vision. Not only does
ocPortal's CMS have all the features you'd expect: for instance photo
galleries, news, file downloads and community forums/chats, but it
does so whilst meeting the highest accessibility and professional
standards. It is also smart enough to go beyond page management, to
automatically handle search engine optimisation, and provide
aggressive hack attack prevention.


3. VULNERABILITY DESCRIPTION

ocPortal CMS 8.x and lower versions contain a flaw that allows a remote
Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists
because the application does not require multiple steps or explicit
confirmation for sensitive t…