phpMyAdmin vulnerable to SQL injection

November 20th, 2007

Product: phpMyAdmin
Vendor: phpMyAdmin
Affected versions: All versions
Criticality of threat: Critical
Likelihood of threat: Critical
Skill required: DBA

Details:
DunceHats have observed a critical vulnerability in phpMyAdmin. phpMyAdmin versions prior to 2.11.2.1 were vulnerable to SQL injection via the database name.

Impact:
An attacker may be able to perform SQL operations using phpMyAdmin.

Resolution:
As yet, DunceHats have not had any communication from the vendors. DunceHats recommend

0day: The web is falling…

October 18th, 2007

…mind your head. In the true spirit of DunceHats' half(zero)-disclosure initiative, we announce that it is possible to gain user-level access on integrated remote web servers. The bug/feature does not rely on any client/server vulnerabilities nor on client/server misconfiguration issues. All an attacker needs to do to exploit the weakness is to lure a victim who is part of an integrated network to a malicious website. The attack results in remote access to the web server with the access level of the current user. The success of this attack relies on the fact that port 80/tcp is typically open on web servers and that no authentication is required as part of the Web 2.0 protocol.

This article was written by our guest author bdb

New 0-day doing the rounds…

March 6th, 2006

Looks like there’s a new 0-day doing the rounds that will exploit both Windows and Unix systems… check here for more information. BTW, if anyone wants to sell us the warez, we’re thinking of starting a pay-per-exploit service à la Zero Day Initiative.

DunceHats under attack

March 1st, 2006

Greets all, it appears DunceHats may be under attack from legitimate, non malicious agencies working for the good guys. In the past few months we have seen up to half a dozen connections from IPs that reverse resolve to hosts within the .mil, .gov and .gov.uk DNS zones. Our official response:

“j00ll n3v3r t4k3 u5 d0wn!!!1111oneoneone” — Anonymous

Serious vulnerabilities in hotels used by security professionals

January 18th, 2006

Location: Hotels used by security professionals
Vendor: Numerous vendors including Days Inn (confirmed)
Affected versions: Days Inn, Derby (confirmed)
Criticality of threat: Serious
Likelihood of threat: Moderate
Skill required: Moderate

Details:
DunceHats have observed a moderate vulnerability in hotels used by security professionals. Due to the inordinate stupidity of numerous hotels, it has been observed that hotels often tape authentication credentials to their billing devices. Specifically, it was observed that Days Inn, Derby use the authentication credentials till / till1.

Impact:
Whilst it is impossible to confirm without further research, it is believed that this could lead to a monetary wallet leak, denying security professionals service at their favourite strip joint, hash house or 5 star restaurant.

Resolution:
As yet, DunceHats have not had any communication from the vendors. DunceHats therefore recommend that security professionals do not stay in hotels. Security professionals are advised to contact their employer for a chartered Concorde allowing them to sleep in their own beds. For the vendors, DunceHats would recommend that all employees are RFID chipped and that passwords are 0x31337 bytes in length. Only an employee with a valid RFID chip and the correct password should be granted access to any device on the hotel site.

Location: Hotels used by security professionals
Vendor: Numerous vendors including Days Inn (confirmed)
Affected versions: Days Inn, Derby (confirmed)
Criticality of threat: Serious
Likelihood of threat: Moderate
Skill required: Moderate

Details:
DunceHats have observed a serious vulnerability in hotels used by security professionals. Due to the inordinate stupidity of numerous hotels, traffic encrypted using SSH is rejected by their routers, preventing secure communications with head office. This vulnerability has forced security professionals to drop back to known insecure protocols such as telnet.

Impact:
Whilst there is no direct vulnerability, an attacker may be able to MITM the alternative telnet-based connection through the use of layer 2 and layer 3 routing attacks. It is believed that this vulnerability has been known to blackhats, who successfully used this technique at Defcon in Las Vegas.

Resolution:
As yet, DunceHats have not had any communication from the vendors. DunceHats therefore recommend that security professionals do not stay in hotels. Security professionals are advised to contact their employer for a chartered Concorde allowing them to sleep in their own beds.

Moderate vulnerability in network cabling procedures

January 8th, 2006

Location: Datacentres
Vendor: All vendors
Affected versions: All versions
Criticality of threat: Moderate
Likelihood of threat: Moderate
Skill required: Low

Details:
DunceHats have observed a moderate vulnerability in datacentres. Due to the network cabling procedures in place at all known datacentres, it is possible to enumerate VLANs by the colours of the network cables between devices. As an example, a DunceHats consultant was able to identify the clean and dirty VLANs because the clean network cables were green whilst the dirty network cables were red.

Impact:
Whilst there is no direct vulnerability, an attacker may use the information disclosed to connect to the dirty VLAN, bypassing the firewall.

Resolution:
As yet, DunceHats have not had any communication from the vendors. DunceHats therefore recommend that all NOC staff carry a jumble bag containing a variety of colours of cable and that a call to a randomisation subroutine is added to the cable selection process.

Critical vulnerabilities in several security mailing lists

January 7th, 2006

List: bugtraq@securityfocus.com
Vendor: Symantec
Affected versions: All versions post Symantec buy out
Criticality of threat: Critical
Likelihood of threat: Unknown
Skill required: Unknown

Details:
DunceHats have observed a critical vulnerability in the bugtraq mailing list. Under certain as yet unidentified conditions, bugtraq will incorrectly fail to relay advisories sent to it, despite making them available on the private paid-for list and via their web site. Advisories known to trigger this bug include Movable Type Arbitrary Blog Creation Path Vulnerability, although there are numerous other examples.

Impact:
Security professionals relying on bugtraq for their daily fix of advisories will not be fully up to date on issues that may affect their clients.

Resolution:
As yet, DunceHats have not had any communication from the vendor. DunceHats therefore recommend that all advisories are sent to full-disclosure@lists.grok.org.uk which does not suffer from this vulnerability. At the very minimum the command mail -s subscribe full-disclosure-request@lists.grok.org.uk should be executed.

List: sec-adv@secunia.com
Vendor: Secunia
Affected versions: All versions
Criticality of threat: Critical
Likelihood of threat: Critical
Skill required: Unknown

Details:
DunceHats have observed a critical vulnerability in the sec-adv mailing list. Under certain as yet unidentified conditions, sec-adv will incorrectly relay advisories sent to it, corrupting them in such a manner that they will, for all intents and purposes, appear worthless to their recipients. Corruption can involve the removal of key information as well as the insertion of red herrings designed to mislead the recipient. Advisories known to trigger this bug include Movable Type Multiple Weaknesses and Vulnerabilities, although there are numerous other examples.

Impact:
Security professionals relying on sec-adv for their daily fix of advisories will be misinformed on issues that may affect their clients.

Resolution:
As yet, DunceHats have not had any communication from the vendor. DunceHats therefore recommend that all advisories are sent to full-disclosure-request@lists.grok.org.uk which does not suffer from this vulnerability. At the very minimum the command mail -s subscribe full-disclosure-request@lists.grok.org.uk should be executed.

Scraping the barrel

January 7th, 2006

In a world where everything goes (/me tips hat to full-disclosure), I thought it was about time I enlightened people on some of the issues I’ve spotted on networks but haven’t had the time to write advisories for.

  • Network suffers from MAC address disclosure
  • Wiki is subject to HTML injection allowing defacement
  • Website is vulnerable to malicious code injection via FTP server

Maybe some of the other duncehats on full-disclosure would like to try and make a name for themselves by writing advisories for these issues.

Welcome to DunceHats

January 7th, 2006

DunceHats is a satirical look at the security industry today. The content of DunceHats is primarily based on the experiences of one anonymous security professional from the UK. Of course, it’s not easy being anonymous in this day and age, and we’ve not made it too hard to track us down.

We invite content from our peers, as long as you’re willing to laugh at yourself and the industry you represent.