file systems
UNC: http://servername/pandora_console/ajax.php?page=//server/share/test
ajax.php also allows including any PHP file on the disk
filesystem:
http://servername/pandora_console/ajax.php?page=../../../../../directory/file
The %00 character is not allowed because of filtering by the safe_url_extraclean
function, and it is not possible to include files other than PHP files, but
the . and / characters are still allowed.
The Printer Job Language (PJL) was developed by Hewlett-Packard to
provide a method for switching printer languages at the job level
and for status exchange between the device and a host computer.
Besides the possibility to view and change parts of the printer's
configuration or modify control panel messages, PJL allows some limited
form of file system access. PJL is used "above" other printer languages
such as PCL and is usually accessible on port 9100. Detailed
information about PJL can be found in the PJL Technical Reference
Manual [1].
Description:
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02822174
Version: 1
HPSBMI02632 SSRT100379 rev.1 - HP/Palm webOS, Execution of Arbitrary Code, Denial of Service (DoS), Unauthorized File System Write Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-05-09
Last Updated: 2011-05-09
Here is the section:
Successful exploitation of these vulnerabilities may allow unauthorized,
remote users to access the filesystem on the IOS device, cause the
affected device to reload, or execute arbitrary code.
Unauthorized users could retrieve the device's startup-config file from
the filesystem. This file may contain information that could allow the
attacker to gain escalated privileges.
Updated: July 28, 2009
INTRODUCTION
There exists a vulnerability within a function of Linux eCryptfs (Enterprise
Cryptographic Filesystem), which when properly exploited can lead to
compromise of the vulnerable system. This vulnerability was confirmed by us in
the Linux kernel version 2.6.30.3. Linux kernel versions 2.6.19 and later have
eCryptfs support and may also be affected.
DETAILS
BACKGROUND
Veritas Storage Foundation 5.0 from Symantec provides a complete
solution for heterogeneous online storage management. Based on the
industry-leading Veritas Volume Manager and Veritas File System, it
provides a standard set of integrated tools to centrally manage
explosive data growth, maximize storage hardware investments, provide
data protection and adapt to changing business requirements.
SUMMARY
The server side of the Secure Copy (SCP) implementation in Cisco
Internetwork Operating System (IOS) contains a vulnerability that
allows any valid user, regardless of privilege level, to transfer files
to and from an IOS device that is configured to be a Secure Copy
server. This vulnerability could allow valid users to retrieve or write
to any file on the device's filesystem, including the device's saved
configuration. This configuration file may include passwords or other
sensitive information.
The IOS Secure Copy Server is an optional service that is disabled by
default. Devices that are not specifically configured to enable the IOS
Application: DOSBox
http://dosbox.sourceforge.net
Versions: <= 0.72 and current CVS
Platforms: Windows, Linux, *BSD and Mac
Bug: access to the filesystem
Exploitation: local
Date: 10 Dec 2007
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The device file system (devfs) provides access to system devices, such as
storage devices and serial ports, via the file system namespace.
VFS is the Virtual File System, which abstracts file system operations in
the kernel from the actual underlying file system.
Vulnerabilities and Exposures project identifies the following
problems:
CVE-2008-4307
Bryn M. Reeves reported a denial of service in the NFS filesystem.
Local users can trigger a kernel BUG() due to a race condition in
the do_setlk function.
CVE-2008-5079
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2008-2232
Debian Bug : 490921
Anders Kaseorg discovered that afuse, an automounting file system
in user-space, did not properly escape meta characters in paths.
This allowed a local attacker with read access to the filesystem to
execute commands as the owner of the filesystem.
For the stable distribution (etch), this problem has been fixed in
PHP filesystem attack vectors - Take Two
Name PHP filesystem attack vectors - Take Two
Systems Affected PHP and PHP+Suhosin
Vendor http://www.php.net/
Advisory http://www.ush.it/team/ush/hack-phpfs/phpfs_mad_2.txt
Authors Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)
Antonio "s4tan" Parata (s4tan AT ush DOT it)
Francesco "ascii" Ongaro (ascii AT ush DOT it)
Alessandro "jekil" Tanasi (alessandro AT tanasi DOT it)
Problem Description:
The default behaviour of autofs 5 for the hosts map did not specify the
nosuid and nodev mount options. This could allow a local user with
control of a remote NFS server to create a setuid root executable on
the exported filesystem of the remote NFS server. If this filesystem
was mounted with the default hosts map, it would allow the user to
obtain root privileges (CVE-2007-5964). Likewise, the same scenario
would be available for local users able to create device files on
the exported filesystem which could allow the user to gain access to
important system devices (CVE-2007-6285).
inodes which have been marked bad.
CVE-2006-5823
LMH reported a potential local DoS which could be exploited by a malicious
user with the privileges to mount and read a corrupted cramfs filesystem.
CVE-2006-6053
LMH reported a potential local DoS which could be exploited by a malicious
user with the privileges to mount and read a corrupted ext3 filesystem.
Gabor Gombas wrote:
>
> On Mon, Nov 02, 2009 at 08:53:26PM +0100, Pavel Machek wrote:
>
> > > The link count of a file tells you the number of hard links that
> > > are persisted within the same filesystem. It is _NOT_ a promise
> > > that there are no other means to access the inode of the file.
> >
> > It used to be promise before /proc was mounted.
NOPE. There _NEVER_ was such a promise.
Credit: Steve Ocepek of Trustwave's SpiderLabs
CVE: CVE-2010-2860
Finding:
The Celerra appliance's NFS server freely exports its "/" file system and
enforces access using a factory-defined list of authorized IP addresses.
The addresses found on a recent model are listed in the showmount example
below, however this list may differ depending on product version. The IP
addresses are intended for communication internal to the appliance, but are
still accepted from external sources. An attacker can mount this file system
Jens Kuehnel reported an issue in the InfiniBand stack. Remote attackers can
exploit a race condition to cause a denial of service (kernel panic).
CVE-2011-0711
Dan Rosenberg reported an issue in the XFS filesystem. Local users may
obtain access to sensitive kernel memory.
CVE-2011-0726
Kees Cook reported an issue in the /proc/pid/stat implementation. Local
...
508 return len;
509 }
On line 494, snprintf is called to generate the output for the proc file
system entry. By supplying a count value of 1, snprintf will only write
a single byte to the destination buffer. However, the function will
return the number of bytes that would have been written if enough space
were available. The "*eof" value is never set, and the "*ppos" value is
never used.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5497
Description:
Previous versions of the e2fsprogs package are vulnerable to multiple
integer overflows that may be exploited by crafted filesystem images.
In particular, this may allow a user with elevated privileges in a
Xen guest domain to execute arbitrary code as root in domain 0 via
a maliciously crafted filesystem image if e2fsck is run in domain 0
on the guest-domain filesystem.
Vulnerability overview/description:
-----------------------------------
Sawmill suffers from multiple critical vulnerabilities which allow an
_unauthenticated_ attacker to gain administrative rights. Furthermore
it is possible to access (RW) the file system and execute arbitrary
commands on the operating system without authentication.
Attackers with valid accounts are able to reset the root password or
add/delete log profiles, view and manipulate admin settings etc.
Vendor Notification Date. 7-Mar-2011
Product. Collaborative Passwords Manager (cPassMan)
Platform. Independent (PHP)
Affected versions. 1.82 (verified), and possibly others
Severity Rating. Medium
Impact. Local file system access
Attack Vector. Remote without authentication
Solution Status. Upgrade to v2.0, v1.x branch no longer updated
CVE reference. Not yet assigned
code. The Common Vulnerabilities and Exposures project identifies the
following problems:
CVE-2006-6058
LMH reported an issue in the minix filesystem that allows local users
with mount privileges to create a DoS (printk flood) by mounting a
specially crafted corrupt filesystem.
CVE-2007-5966
- ----------------------
On December 3rd, VSR identified a directory traversal and file retrieval
vulnerability in TANDBERG's Video Communication Server. This issue would
allow an authenticated attacker (who has access as an administrator or less
privileged user on the web administration interface) to retrieve files from the
filesystem which are readable by the "nobody" system user.
Product Background
- ------------------
The TANDBERG Video Communication Server is a Linux-based appliance which
to a privilege escalation, denial of service or information leak. The Common
Vulnerabilities and Exposures project identifies the following problems:
CVE-2010-2524
David Howells reported an issue in the Common Internet File System (CIFS).
Local users could cause arbitrary CIFS shares to be mounted by introducing
malicious redirects.
CVE-2010-3875
Current Privilege Level (CPL) before accessing a debug register,
which allows guest OS users to cause a denial of service (trap)
on the host OS via a crafted application. (CVE-2009-3722)
The ext4_decode_error function in fs/ext4/super.c in the ext4
filesystem in the Linux kernel before 2.6.32 allows user-assisted
remote attackers to cause a denial of service (NULL pointer
dereference), and possibly have unspecified other impact, via a
crafted read-only filesystem that lacks a journal. (CVE-2009-4308)
The eisa_eeprom_read function in the parisc isa-eeprom component
mode that allows a high degree of control over the load operation, and a secure
mode (libc_enable_secure) intended to prevent users from interfering with the
loading of privileged executables.
$ORIGIN is an ELF substitution sequence representing the location of the
executable being loaded in the filesystem hierarchy. The intention is to allow
executables to specify a search path for libraries that is relative to their
location, to simplify packaging without spamming the standard search paths with
single-use libraries.
Note that despite the confusing naming convention, $ORIGIN is specified in a
injections on the target host, the user can choose among a variety of
options to perform an extensive back-end database management system
fingerprint, retrieve DBMS session user and database, enumerate users,
password hashes, privileges, databases, dump entire or user's
specified DBMS tables/columns, run his own SQL statement, read or
write either text or binary files on the file system, execute
arbitrary commands on the operating system, establish an out-of-band
stateful connection between the attacker box and the database server
via Metasploit payload stager, database stored procedure buffer
overflow exploitation or SMB relay attack and more.