A proof-of-concept code exploiting newly discovered XSSvulnerabilities for the latest version of Wordpress (2.2.1) was postedtoday on a security blog.
The researcher unveiled seven vulnerabilities, cross-site scripting(XSS) or SQL injections, whose consequences range from benign toserious, the critical ones potentially leading to blog compromising. Inhis haste to show his skills, this person also released aproof-of-concept (PoC) code exploiting one of these vulnerabilities.
The PoC in itself, as explained, is supposedly not malicious, and isdesigned to raise awareness and patch vulnerable versions of theWordPress publishing platform. In a few words, here’s how it works:
A WordPress administrator browses the “Comments manager” in the administration panel
She clicks a link, which redirects to the PoC author’s Web page.This page checks the referrer, to see whether it might originate from alogged-on WordPress administrator (the URL would contain...
Though the discovery of Microsoft Officezero-day exploits has dropped dramatically in the last six months, newfile format exploits are still being discovered (and exploited)regularly. After .zip and .rar file exploits, the latest archive formatvulnerability affects the Lhaca archiver and its LZH compressionsupport. While not very well known in the US and Europe, Lhaca appearsto be a popular archive tool in Japan, as is the compression format LZH.
On Friday, June 22nd, one of our Japanese customers submitted an.lzh file. The file in question, after quick analysis, raised immediatesuspicion. It contained several NOP-sleds, shell code-like code blocks,decryptors, and an encoded executable in the archive itself! All theingredients required by file format exploit recipes. The difficulty inthis case is finding the application that could be vulnerable. Cheersto Masaki Suenaga in Security Response, Japan for doing the initialanalysis and finding out that...
A few days ago, we received yet anothersubmission containing a strange Animated Cursor file. Thisvulnerability made quite some noise, and though we thought it washandled by now, this file was definitely not the usual ANI exploit…
An ANI file follows the RIFF standard, with a few exceptions. It isa collection of data chunks, all having the same format of "header |size | data". Therefore, spotting malicious files attempting to exploitthe vulnerability should be easy. But is it? For the human eye, it is.For a heuristic detection, in spite of what was said before, it is not.Despite the supposedly easy structure of the Animated Cursor file,Microsoft’s implementation of its parser is quite loose.
First, invalid chunks will get properly parsed. Though not affectingthe ANI file itself, such chunks should not be encountered in cursorfiles, but the ANI parser just allows and skips them. Fair enough, ourdetections can handle that as well. Attackers, after a...
