TCP Files ≈ Packet Storm
Packet Storm - Information Security News, Files, Tools, Exploits, Advisories and Whitepapers
http://packetstormsecurity.org/
Mon, 28 May 2012 08:02:06 GMT

Nmap Port Scanner 6.00 (Tue, 22 May 2012 04:00:28 GMT)
http://packetstormsecurity.org/files/112951/nmap-6.00.tgz
http://packetstormsecurity.org/files/112951/Nmap-Port-Scanner-6.00.html
Nmap is a utility for port scanning large networks, although it works fine for single hosts. Sometimes you need speed, other times you may need stealth. In some cases, bypassing firewalls may be required. Not to mention the fact that you may want to scan different protocols (UDP, TCP, ICMP, etc.). Nmap supports Vanilla TCP connect() scanning, TCP SYN (half open) scanning, TCP FIN, Xmas, or NULL (stealth) scanning, TCP ftp proxy (bounce attack) scanning, SYN/FIN scanning using IP fragments (bypasses some packet filters), TCP ACK and Window scanning, UDP raw ICMP port unreachable scanning, ICMP scanning (ping-sweep), TCP Ping scanning, Direct (non portmapper) RPC scanning, Remote OS Identification by TCP/IP Fingerprinting, and Reverse-ident scanning. Nmap also supports a number of performance and reliability features such as dynamic delay time calculations, packet timeout and retransmission, parallel port scanning, and detection of down hosts via parallel pings.
SAP Netweaver 7.0 EHP1/EHP2 Buffer Overflows (Tue, 08 May 2012 15:15:15 GMT)
http://packetstormsecurity.org/files/112538/CORE-2012-0123.txt
http://packetstormsecurity.org/files/112538/SAP-Netweaver-7.0-EHP1-EHP2-Buffer-Overflows.html
Core Security Technologies Advisory - SAP Netweaver is a technology platform for building and integrating SAP business applications. Multiple vulnerabilities have been found in SAP Netweaver that could allow an unauthenticated, remote attacker to execute arbitrary code and lead to denial of service conditions. The vulnerabilities are triggered by sending specially crafted SAP Diag packets to remote TCP port 32NN (where NN is the SAP system number) of a host running the "Dispatcher" service, part of SAP Netweaver Application Server ABAP. By sending different messages, the different vulnerabilities can be triggered.

Netzob 0.3.2 (Sun, 06 May 2012 02:04:45 GMT)
http://packetstormsecurity.org/files/112484/Netzob-0.3.2.tar.gz
http://packetstormsecurity.org/files/112484/Netzob-0.3.2.html
Netzob supports the expert in reverse engineering, evaluation, and simulation of communication protocols. Its main goals are to help security evaluators to assess the robustness of proprietary or unknown protocol implementations, simulate realistic communications to test third-party products (IDS, firewalls, etc.), and create an Open Source implementation of a proprietary or unknown protocol. Netzob provides a semi-automatic inferring process, and includes everything necessary to passively learn the vocabulary of a protocol and actively infer its grammar. The learnt protocol can afterward be simulated. Netzob handles text protocols (like HTTP and IRC), fixed field protocols (like IP and TCP), and variable field protocols (like ASN.1-based formats).
Symantec pcAnywhere Remote Code Execution (Wed, 02 May 2012 02:11:17 GMT)
http://packetstormsecurity.org/files/112396/NGS00118-1.txt
http://packetstormsecurity.org/files/112396/Symantec-pcAnywhere-Remote-Code-Execution.html
Symantec pcAnywhere versions 12.5 and below are vulnerable to a remote code execution vulnerability. A flaw exists in the authentication component listening on TCP port 5631 which does not sufficiently validate user-submitted data.

Samhain File Integrity Checker 3.0.4 (Tue, 01 May 2012 15:43:58 GMT)
http://packetstormsecurity.org/files/112446/samhain-3.0.4.tar.gz
http://packetstormsecurity.org/files/112446/Samhain-File-Integrity-Checker-3.0.4.html
Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris.

HTC IQRD Android Permission Leakage (Mon, 23 Apr 2012 18:40:49 GMT)
http://packetstormsecurity.org/files/112084/VSR-2012-4-20.txt
http://packetstormsecurity.org/files/112084/HTC-IQRD-Android-Permission-Leakage.html
VSR identified a vulnerability in IQRD. The IQRD service listens locally on a TCP socket bound to port 2479. This socket is intended to allow the Carrier IQ service to request device-specific functionality from IQRD. Unfortunately, there is no restriction or validation on which applications may request services using this socket. As a result, any application with the android.permission.INTERNET permission may connect to this socket and send specially crafted messages in order to perform potentially malicious actions.

Cisco Security Advisory 20120328-smartinstall (Thu, 29 Mar 2012 03:55:11 GMT)
http://packetstormsecurity.org/files/111305/cisco-sa-20120328-smartinstall.txt
http://packetstormsecurity.org/files/111305/Cisco-Security-Advisory-20120328-smartinstall.html
Cisco Security Advisory - Cisco IOS Software contains a vulnerability in the Smart Install feature that could allow an unauthenticated, remote attacker to cause a reload of an affected device if the Smart Install feature is enabled. The vulnerability is triggered when an affected device processes a malformed Smart Install message on TCP port 4786. Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability.

Samhain File Integrity Checker 3.0.3 (Wed, 28 Mar 2012 17:41:37 GMT)
http://packetstormsecurity.org/files/111418/samhain-3.0.3.tar.gz
http://packetstormsecurity.org/files/111418/Samhain-File-Integrity-Checker-3.0.3.html
Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris.
UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow (Mon, 26 Mar 2012 20:38:31 GMT)
http://packetstormsecurity.org/files/111175/ultravnc_viewer_bof.rb.txt
http://packetstormsecurity.org/files/111175/UltraVNC-1.0.2-Client-vncviewer.exe-Buffer-Overflow.html
This Metasploit module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release. If a malicious server responds to a client connection indicating a minor protocol version of 14 or 16, a 32-bit integer is subsequently read from the TCP stream by the client and directly provided as the trusted size for further reading from the TCP stream into a 1024-byte character array on the stack.

Covert Channel Over ICMP (Fri, 09 Mar 2012 04:59:59 GMT)
http://packetstormsecurity.org/files/110602/ICMP_Covert_Channel.pdf
http://packetstormsecurity.org/files/110602/Covert-Channel-Over-ICMP.html
This whitepaper discusses using ICMP as a covert tunnel for traffic. An example of this technique is tunneling complete TCP traffic over ping requests and replies. More technically, it works by injecting arbitrary data into an echo packet sent to a remote computer. The remote computer replies in the same manner, injecting an answer into another ICMP packet and sending it back.

Samhain File Integrity Checker 3.0.2a (Fri, 24 Feb 2012 06:23:04 GMT)
http://packetstormsecurity.org/files/110171/samhain-3.0.2a.tar.gz
http://packetstormsecurity.org/files/110171/Samhain-File-Integrity-Checker-3.0.2a.html
Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris.

Oracle JD Edwards Security Kernel Information Disclosure (Fri, 24 Feb 2012 06:21:50 GMT)
http://packetstormsecurity.org/files/110170/ONAPSIS-2012-08.txt
http://packetstormsecurity.org/files/110170/Oracle-JD-Edwards-Security-Kernel-Information-Disclosure.html
Onapsis Security Advisory - If a specially crafted packet is sent to the JDENet Service (6015 TCP by default), then it would be possible to validate arbitrary (USER, ROLE, ENVIRONMENT) tuples, in order to detect valid ones.

TrendMicro Control Manager 5.5 Buffer Overflow (Fri, 24 Feb 2012 06:12:52 GMT)
http://packetstormsecurity.org/files/110167/trendmicro_cmdprocessor_addtask.rb.txt
http://packetstormsecurity.org/files/110167/TrendMicro-Control-Manager-5.5-Buffer-Overflow.html
This Metasploit module exploits a vulnerability in the CmdProcessor.exe component of Trend Micro Control Manager up to version 5.5. The specific flaw exists within the CmdProcessor.exe service running on TCP port 20101. The vulnerable function is the CGenericScheduler::AddTask function of cmdHandlerRedAlertController.dll. When processing a specially crafted IPC packet, controlled data is copied into a 256-byte stack buffer. This can be exploited to execute remote code under the context of the user.
Oracle JD Edwards SawKernel Arbitrary File Read (Fri, 24 Feb 2012 04:17:32 GMT)
http://packetstormsecurity.org/files/110148/ONAPSIS-2012-03.txt
http://packetstormsecurity.org/files/110148/Oracle-JD-Edwards-SawKernel-Arbitrary-File-Read.html
Onapsis Security Advisory - If a specially crafted packet is sent to the JDENet Service (6015 TCP by default), and the JDESAW Kernel is configured (it is by default), then it would be possible to read any file on the system.

Oracle JD Edwards Security Kernel Remote Password Disclosure (Fri, 24 Feb 2012 04:14:08 GMT)
http://packetstormsecurity.org/files/110147/ONAPSIS-2012-02.txt
http://packetstormsecurity.org/files/110147/Oracle-JD-Edwards-Security-Kernel-Remote-Password-Disclosure.html
Onapsis Security Advisory - If a specially crafted packet is sent to the JDENet Service (6015 TCP by default), and the Security Kernel is enabled and SignonSecurity is configured, then it is possible to retrieve the password of arbitrary users.

Linux/x86 BackShell-TCP bash[/dev/tcp],execve(/bin/sh) Shellcode (Thu, 23 Feb 2012 05:14:43 GMT)
http://packetstormsecurity.org/files/110105/linux-bash333tcp.c
http://packetstormsecurity.org/files/110105/Linux-x86-BackShell-TCP-bash-dev-tcp-execve-bin-sh-Shellcode.html
62-byte Linux/x86 BackShell-TCP bash[/dev/tcp],execve(/bin/sh) shellcode.

Multi Threaded TCP Port Scanner 4.0 (Sat, 18 Feb 2012 03:19:11 GMT)
http://packetstormsecurity.org/files/109913/threaded-syn-port-scanner-4.0.zip
http://packetstormsecurity.org/files/109913/Multi-Threaded-TCP-Port-Scanner-4.0.html
This is a basic, multi-threaded TCP SYN scanner.
Zero Day Initiative Advisory 12-031 (Wed, 08 Feb 2012 22:42:19 GMT)
http://packetstormsecurity.org/files/109583/ZDI-12-031.txt
http://packetstormsecurity.org/files/109583/Zero-Day-Initiative-Advisory-12-031.html
Zero Day Initiative Advisory 12-031 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell iPrint Server. Authentication is not required to exploit this vulnerability. The flaw exists within the mod_ipp apache module component of the iprint-server, which listens by default on 631/tcp. During the handling of get-printer-attributes requests, an attributes-natural-language attribute causes a validation routine to be hit. When validating this parameter, the contents of the attribute are copied, without validation, to a fixed length buffer on the stack. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the process.

trixd00r 0.0.1 (Wed, 08 Feb 2012 22:19:13 GMT)
http://packetstormsecurity.org/files/109567/trixd00r-0.0.1.tar.gz
http://packetstormsecurity.org/files/109567/trixd00r-0.0.1.html
trixd00r is an advanced and invisible userland backdoor based on TCP/IP for UNIX systems. It consists of a server and a client. The server sits and waits for magic packets using a sniffer. If a magic packet arrives, it will bind a shell over TCP or UDP on the given port, or connect back to the client again over TCP or UDP. The client is used to send magic packets to trigger the server and get a shell.
Zero Day Initiative Advisory 12-023 (Wed, 08 Feb 2012 21:36:49 GMT)
http://packetstormsecurity.org/files/109555/ZDI-12-023.txt
http://packetstormsecurity.org/files/109555/Zero-Day-Initiative-Advisory-12-023.html
Zero Day Initiative Advisory 12-023 - This vulnerability allows attackers to remotely obtain domain credentials on vulnerable installations of CA Total Defense Suite UNC Management Web Service. Authentication is not required to exploit this vulnerability. The specific flaw exists within the App_Code.dll service listening by default on TCP ports 34444 and 34443 (SSL). The service allows a remote client to request encrypted domain credentials without authentication. The encryption lacks a salt, allowing an attacker with a local installation of CA Total Defense Suite UNC Management Web Service to easily decrypt the credentials.

RFC6528 - Defending Against Sequence Number Attacks (Fri, 03 Feb 2012 23:35:38 GMT)
http://packetstormsecurity.org/files/109408/rfc6528.txt
http://packetstormsecurity.org/files/109408/RFC6528-Defending-Against-Sequence-Number-Attacks.html
This document specifies an algorithm for the generation of TCP Initial Sequence Numbers (ISNs), such that the chances of an off-path attacker guessing the sequence numbers in use by a target connection are reduced. This document revises (and formally obsoletes) RFC 1948, and takes the ISN generation algorithm originally proposed in that document to Standards Track, formally updating RFC 793.
p0f 3.03b Windows Port (Wed, 25 Jan 2012 23:50:27 GMT)
http://packetstormsecurity.org/files/109101/p0f-3.03b-win.zip
http://packetstormsecurity.org/files/109101/p0f-3.03b-Windows-Port.html
P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).

Zero Day Initiative Advisory 12-018 (Wed, 25 Jan 2012 23:20:45 GMT)
http://packetstormsecurity.org/files/109099/ZDI-12-018.txt
http://packetstormsecurity.org/files/109099/Zero-Day-Initiative-Advisory-12-018.html
Zero Day Initiative Advisory 12-018 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Symantec PCAnywhere. Authentication is not required to exploit this vulnerability. The flaw exists within the awhost32 component which is used when handling incoming connections. This process listens on TCP port 5631. When handling an authentication request the process copies the user supplied username unsafely to a fixed-length buffer of size 0x108. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the SYSTEM account.
Debian Security Advisory 2392-1 (Tue, 24 Jan 2012 04:15:50 GMT)
http://packetstormsecurity.org/files/108993/dsa-2392-1.txt
http://packetstormsecurity.org/files/108993/Debian-Security-Advisory-2392-1.html
Debian Linux Security Advisory 2392-1 - Antonio Martin discovered a denial-of-service vulnerability in OpenSSL, an implementation of TLS and related protocols. A malicious client can cause the DTLS server implementation to crash. Regular, TCP-based TLS is not affected by this issue.

Reflection Scan: An Off-Path Attack On TCP (Wed, 18 Jan 2012 23:35:30 GMT)
http://packetstormsecurity.org/files/108809/1201.2074v1.pdf
http://packetstormsecurity.org/files/108809/Reflection-Scan-An-Off-Path-Attack-On-TCP.html
The paper demonstrates how the traffic load of a shared packet queue can be exploited as a side channel through which protected information leaks to an off-path attacker. The attacker sends to a victim a sequence of identical spoofed segments. The victim responds to each segment in the sequence (the sequence is reflected by the victim) if the segments satisfy a certain condition tested by the attacker. The responses do not reach the attacker directly, but induce extra load on a routing queue shared between the victim and the attacker. The increased processing time of packets traversing the queue reveals that the tested condition was true. The paper concentrates on TCP, but the approach is generic and can be effective against other protocols that allow constructing requests which are conditionally answered by the victim.