Re: NuralStorm Webmail Multiple Vulnerabilities

[musnt live <musntlive () gmail com>]

On Thu, Jul 15, 2010 at 8:22 AM, Justin Klein Keane <justin () madirish net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
>
>  as much as I hate to feed the trolls perhaps I should provide some
> more context for my evaluation of NuralStorm webmail.  The project is
> indeed quite aged, so much so that you are required to monkey with the
> default PHP register globals settings to get it to run (which should tip
> anyone interested in the project off that it might not be safe).


    Maybe for to this how disclosure is done in Philadelphia but which
I may ask where is this brotherly love of yours.


> Unfortunately I actually came across the project because I found it as a
> service offering from a legitimate company.  I was careful to mention
> the age explicitly in my advisory because I am aware that it isn't a
> recent project and thus is pretty easy pickings for any dedicated
> security researcher.  Amazingly though, in the eight years since the
> project has been released there have only been a couple security
> vulnerabilities disclosed (notably CVE-2006-5386), which might lead a
> casual observer to conclude that the project was safe for use.  I think
> NuralStorm serves as a great example of the types of false metrics that
> can sometimes be used to justify security.  Nevertheless, it wasn't
> something I just picked out of the trash bin or dug up on random free
> software download archives - NuralStorm is actively deployed, unpatched,
> on the internet, and thus my disclosure was meant to warn folks who
> might have the project in use, as it is immensely exploitable and no
> longer under any sort of active development.  Unfortunately I won't be
> able to work with the developers to try and update and secure this
> project, which should ultimately be the goal of open source security
> research.

    There is be plenty of historic and legacy software installed in
many company throughout Internet web history and our first tactical
goal is plausible deniability. There is be nothing wrong with security
troll researchers downloading all programs, run grep buff *.extension
then post advisory. I give is you all credits for respectable research
for low hanging fruit. Nothing wrong with digging out random garbage
no one care about then writing an exploit that no one too also care
about. It is all about security research recognition.

    When I is come to think of respectable research, I not think of
Bellovin, Sotirov, I think of MustLive and his future advisory - he is
mindreader like Miss. Cleo, I think of you - you like Marty McFly - go
back to the future! SMART! However I must warn full disclosure about
is your statement: "NuralStorm is actively deployed, unpatched, on the
internet" IIS 5.0 is actively deployed, unpatched, on the Internet:
Results 1 - 10  of about 394540 for IIS 5.0
http://www.shodanhq.com/?q=IIS+5.0

    Now is you ask yourself a) Should I be so mad? - For any mad Irish
is danger to society! Nasty leprechauns bring bad luck! b) Should I
write next another advisory against IIS 5.0 because for to it yes be:
"is actively deployed, unpatched, on the internet" c) Whore my
infinite vulnerability skill and write advisory for you is to share?
No, because I musntlive, I give you partial freebie. As always
musntlive is at forefront of edgebleed 0day:

    ProductName:      Crystal Reports
    InternalName:     NOFREEBUGS
    OriginalFilename: NOFREEBUGS
    ProductVersion:   X.X.X.X
    FileVersion:      X.X.X.X
    Comments:         Crystal Reports


0:000> .exr 0xffffffffffffffff
ExceptionAddress: xxxxYYYY (nobugsRfree!DllUnregisterServer+0xyyyZZZ188e)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: yyyyXXXX
NumberParameters: 2
   Parameter[0]: yyyyXXXX
   Parameter[1]: 0badc0de
Attempt to read from address 0badc0de

0:000> g
(3610.c4e8): Access violation - code c0000005 (!!! second chance !!!)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0badc0de ebx=yyyyXXXX ecx=yyyyXXXX edx=xyzxy002 esi=zzzzYYYY edi=ababfa60
eip=0badc0de esp=xyxyeb28 ebp=yxyxeb38 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=zxqz0202
nobugsRfree!DllUnregisterServer+0xxxx88e:
xxxxYYYY xxxx3800        cmp     word ptr [eax],0         ds:0023:0badc0de=????
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x64
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xffffffff0badc0de
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:xxxxYYYY cmp word ptr [eax],0


Up for sale is +60 0day on SAP. Remote and is local and is client
side. For to starting price 1,526,246.00 RUB's serious government
agencies is need only apply

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/