Archive for September, 2008


ClamAV Multiple DoS

ClamAV, as a free anti-virus application for Unix and Windows Server 2003/2000/NT, was reported to have multiple bugs which is exploitable remotely. No authentication required for such exploitation. Versions prior to ClamAV 0.94 are vulnerable.

1) ClamAV ‘chmunpack.c’ Invalid Memory Access Denial Of Service Vulnerability
ClamAV is prone to a denial-of-service vulnerability because of invalid memory access errors when processing malformed CHM files.

Attackers can exploit this issue to cause denial-of-service conditions. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.

Security Focus: ClamAV ‘chmunpack.c’ Invalid Memory Access Denial Of Service Vulnerability

Secunia: ClamAV CHM Processing Denial of Service
CVE 2008-1389

2) ClamAV Multiple Unspecified Memory Corruption Vulnerabilities
libclamav in ClamAV before 0.94 allows attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to an out-of-memory condition.

CVE 2008-3912
Security focus: ClamAV Multiple Unspecified Memory Corruption Vulnerabilities
Sourceforge: Release ClamAV 0.94

3) Multiple memory leaks in freshclam/manager.c allow DoS exploitation on ClamAV

Multiple memory leaks in freshclam/manager.c in ClamAV before 0.94 might allow attackers to cause a denial of service (memory consumption) via unspecified vectors related to the “error path.”

CVE 2008-3913

4) ClamAV /libclamav/others.c and /libclamav/sis.c vulnerable to DoS

Multiple unspecified vulnerabilities in ClamAV before 0.94 have unknown impact and attack vectors related to file descriptor leaks on the “error path” in (1) libclamav/others.c and (2) libclamav/sis.c.

CVE 2008-3914

The vendor has released a patch on it, just update to the latest ClamAV(For Windows).


Cisco router vulnerable to Malicious IPv4 Packet Sequence DOS

IPv4 packets handled Cisco IOS device with protocol types of 53 (SWIPE), 55 (IP Mobility), or 77 (Sun ND), all with Time-to-Live (TTL) values of 1 or 0, and 103 (Protocol Independent Multicast – PIM) with any TTL value, may force the device to incorrectly flag the input queue on an interface as full. A full input queue will stop the device from processing inbound traffic and may result in routing protocols dropping due to dead timers.

After a 4 hours (default ARP time out time), no traffic will be processed anymore on the whole device. This exploit won’t trigger any alarm. The attacked device will be reboot to clear the input queue manually. If the attacks are repeated on all interfaces, the device will become remotely inaccessible.

Solution to this attack to update its IOS, which may cost money. Cisco recommend ACL to be applied on the interface to block unknown traffic from unknown destinations and only legimate protocol (HTTP, SIP, SMTP etc) are permitted.

Affection IOS verions could be found here. Other than IOS version detection, the only way to test this vulnerability is to exploit it by sending the crafted IPv4 packets.

Core Impact: Cisco IPv4 DoS v1.21
Cisco security advisory: Cisco IOS Interface blocked by IPv4 Packets.
Security focus: Cisco IOS Malicious IPV4 Packet Sequence Denial Of Service Vulnerability
CERT Advisory CA-2003-15 Cisco IOS Interface Blocked by IPv4 Packet


Skype IM Client Password disclosure vulnerability

Credit: Aditya K Sood , Founder SecNiche Security
Released date: 11 September 2008

On the date this blog is written, the latest version (3.8) of Skype is vulnerable to IM Client Password Disclosure vulnerability. This exploitation could be launched easily with the tool pmdump.

Upon successful connection, the credential (username and password) of Skype user is stored on local kernel memory. By dumping the kernel memory into the file, the username and password could be disclosed easily.

The proof of concept is provided by, which include 2 command prompt commands:

\>pmdump -list

A list of current process will be display, kindly select the process number:

\>pmdump [process number] [memory dump file location, eg. c:\skypekernelmem.txt]

Open the memory dump file with notepad, you will spot the username and password.

Difficulty on this attack:

  1. Physical access to the local system.
  2. Obviousness of the password (the password is messed with a lot of machine code). Like the picture shown below, how can you make sure that the password is “0skype0”, not “1220030402”, or “coul”?


Cisco Leaking Critical Information

Recently, I met a funny situation:

Users who logon to a Cisco router(without credential), on priviledge 1 (user mode) are able to view critical information like the router access-list setting and interfaces status.

Surprise right? But when you query about applicable command by typing “sh ?“, the options are not shown there.

There is no “access-list” right? But if you type “show access-list“:

Surprise right? The system administrator gonna be headache!!

Ok, let see its interfaces status by enter “show ip interface” command:

See? First, they don’t have outbound access-list! And then, they…

If you can view critical data like access-list and router interface status, then no surprise you can see other things like version, users etc.

At the time you had tried to access all possible information, then there is no much difference than viewing the whole configuration file with the command “show running-config“, just you don’t have the priviledge to modify it directly.

Thus, does modification is necessary for an external attack to occurs? NO! The attacker just need a security hole, so does we always say “Your security is as good as your weakest link!

So far, there is official solution has been released, as Cisco claimed it is an intended design, just not documented properly. CVE record (CVE-2000-0345) for this vulnerability is still under review, since 2000!

Suggested solution:

1. Escalate the privilege needed to run show command by entering commands below:
privilege exec level 15 show

2. Downgrade the user first-logon privilege from 1 to 0, and then downgrade other essential command’s privilege to 0 accordingly.

3. Enable password for user logon (only applicable for certain models).

Don’t blame Cisco! They are still quite good after all.


1. Neohapsis Archive

2. CVE-2000-0345

3. SecurityFocus: Cisco Online-Help vulnerability

4. National Vulnerability Database


Cisco VPN Concentrator – CRLF injection

Some of the old Cisco VPN Concentrators are vulnerable to CRLF injection.

Definition of CRLF injection in OWASP:
The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). They’re used to note the termination of a line, however, dealt with differently in today‚Äôs popular Operating Systems. For example: in Windows both a CR and LF are required to note the end of a line, whereas in Linux/UNIX a LF is only required. A CRLF Injection attack occurs when a user managed to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.

The attack is applicable on Cisco VPN Concentrator which is offering SSL VPN service. During the attack, attackers are able to inject additional HTTP response headers or by stripping out such CRLF characters (\n or %0d%0a) from the Cisco device in its response to client. Whenever a web server responds to a HTTP request with duplicate headers (i.e.: LF injection attack), browser might neglect the first header and considers the last instance of a duplicate header.

However, Cisco VPN Concentrators had reached its End-of-Life in Feb 2007, which no support on this product after such date is available, and the products will be obseleted.

Hereby, I provide a proof-of-concept attack, which requires Linux Telnet.

The payload utilized here is %0d%0aLocation:%20

If this attack works on your Cisco VPN Concentrator, it means you are using out-dated product. The simplest solution is CHANGE A UPDATED & IN-SUPPORT VPN PRODUCT.


Cisco VPN 3000 Series Concentrators

Mozilla Firefox duplicate header overwrite behaviour


Re:Remove PSW.OnlineGames.AZ… Corrupted drive autorun.inf, can’t open drive by double click

Prior to the post I posted on 22 April, there is a problem remained after virus clearance and registry correction:- corrupted autonrun.inf, where the infected drives, on My Computer, can’t be Open by double click or Open in Explorer mode by right click option.

It is due to the corrupted autorun.inf created by the virus is remain on the drive, hidden as system file.

Deletion is the simplest way to fix it. First, we need to enable the view of the file.

On My Computer, click the menu Options -> Folder Options

On View Tab -> Advanced Setting textbox, untickHide protected operation system files (Recommended)“, and click Yes for the pop up warming.

On all infected drive, delete the file autorun.inf

Since the autorun.inf(s) have been loaded into system memory upon booting, you need restart the PC to get the work done!

Of course, after the reboot, don’t forget to tick backHide protected operation system files (Recommended)” checkbox on Options menu -> Options -> Advanced Setting textbox. You won’t want to see a lot of annoying system files floating around your folders and taking the risk of deleting them accidentally in the future, these consequences may worth re-installing the OS and all applications!!