FreeBSD Security Advisory FreeBSD-SA-09:17.freebsd-update

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/freebsd-update
# make obj && make depend && make && make install
# chmod 0700 /var/db/freebsd-update

VI.  Correction details

The following list contains the revision numbers of each file that was

FreeBSD Security Advisory FreeBSD-SA-10:05.opie

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libopie
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in

FreeBSD Security Advisory FreeBSD-SA-09:16.rtld

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/libexec/rtld-elf
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
ld-elf32.so.1 (i386 compatibility) run-time link-editor (rtld).  On
amd64 systems where the i386 rtld are installed, the operating system
should instead be recompiled as described in

FreeBSD Security Advisory FreeBSD-SA-10:02.ntpd

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/ntp/ntpd
# make obj && make depend && make && make install
# /etc/rc.d/ntpd restart

VI.  Correction details

The following list contains the revision numbers of each file that was

Subversion heap overflow

@@ -659,7 +662,7 @@ apply_window(svn_txdelta_window_t *window, void *b
                          >= ab->sbuf_offset + ab->sbuf_len)));

   /* Make sure there's enough room in the target buffer.  */
-  size_buffer(&ab->tbuf, &ab->tbuf_size, window->tview_len, ab->pool);
+  SVN_ERR(size_buffer(&ab->tbuf, &ab->tbuf_size, window->tview_len, ab->pool));

   /* Prepare the source buffer for reading from the input stream.  */
   if (window->sview_offset != ab->sbuf_offset
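Review bot: the only change in this hunk is checking size_buffer()'s return value with SVN_ERR(), which is correct only if size_buffer() returns svn_error_t * in this revision and apply_window() itself returns svn_error_t *, because SVN_ERR() returns early from the enclosing function on error. Neither signature is visible in this hunk, so confirm both, and check that callers of apply_window() that previously ignored its result now propagate the error instead of silently continuing with an undersized target buffer.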

CORE-2008-0826 - Internet Explorer Security Zone restrictions bypass

to do a single click on a malicious website it is possible to retrieve
every HTTP cookie from the unsuspecting victim user. The PoC uses
VBScript to show the ability to steal sensitive information from any
local files with either text or binary contents.

There are several steps involved in order to make the attack path clear.
The following diagram shows the files involved and the calling order.
Details concerning the relationship between these files will be
explained along the walkthrough:

/-----------

FreeBSD Security Advisory FreeBSD-SA-09:11.ntpd

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/ntp/ntpd
# make obj && make depend && make && make install
# /etc/rc.d/ntpd restart

VI.  Correction details

The following list contains the revision numbers of each file that was

[TZO-05-2009] Clamav 0.94 and below - Evasion /bypass

About this advisory
-------------------
I used to not report bugs publicly where a vendor - has not reacted
to my notifications - silently patched. I also did not publish
low hanging fruits as they make you look silly in the eyes of your
peers.

Over the past years I had the chance to audit and test a lot of critical 
infrastructures that, amongst other things relied on security products 
(and on security notifications from vendors) and have witnessed various 

[TZO-06-2009] IBM Proventia - Generic bypass (Limited disclosure - see details)

About this advisory
-------------------
I used to not report bugs publicly where a vendor - has not reacted
to my notifications - silently patched. I also did not publish
low hanging fruits as they make you look silly in the eyes of your
peers.

Over the past years I had the chance to audit and test a lot of critical 
infrastructures that (also) relied on products (and about security 
notification from vendors) and have witnessed various ways of setting 

[TZO-07-2009] F-PROT ZIP Method evasion

About this advisory
-------------------
I used to not report bugs publicly where a vendor - has not reacted 
to my notifications - silently patched. I also did not publish
low hanging fruits as they make you look silly in the eyes of your
peers.

Over the past years I had the chance to audit and test a lot of critical 
infrastructures that (also) relied on products (and about security 
notification from vendors) and have witnessed various ways of setting 

FreeBSD Security Advisory FreeBSD-SA-09:07.libc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libc
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in

PHP filesystem attack vectors

php -r 'include("/etc/passwd/");'

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

As you can see the file is successfully included (it works with every
single filesystem function of PHP that makes use of _php_stream_fopen()
and similar functions).

This is also part of the vector discovered by barbarianbob, while he
uses it for different purposes from what I initially thought.


FreeBSD Security Advisory FreeBSD-SA-09:01.lukemftpd

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/libexec/lukemftpd
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

FreeBSD Security Advisory FreeBSD-SA-08:12.ftpd

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/libexec/ftpd
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

"Exploit creation - The random approach" or "Playing with random to build exploits"

dissemination, it only took 15 minutes to crash all the Internet
infrastructure and let us know that a new age was coming.
        2. Blaster was the very first worm targeting almost all Microsoft
Windows OS versions, infecting an incredible number of machines around the
world. After Blaster we saw Sasser, and, apparently, the underground began
to use a "worm template" to build new worms for dissemination.

These two facts combined could give us a good lesson. But, even after 1988,
we didn't learn how to deal with worms and I think we have a long, long path
to reach this point. So, imagine a worm using polymorphic techniques. It is
the worst nightmare we couldn’t even imagine.

CORE-2008-0103: Internet Explorer Zone Elevation Restrictions Bypass and Security Zone Restrictions Bypass

allowed, the username and a ciphered challenge/response will be sent to
the IP_OR_HOSTNAME specified.

Internet Explorer reacts differently when a requested resource is accessed
directly and when it is reached after a redirection. If a page hosted on
domain A references a resource located on domain B, the user will be
prompted to download this file from domain B. But if the resource is
requested, for example, in the following way:

/-----------


Postfix local privilege escalation via hardlinked symlinks

file system behavior, i.e. *BSD, AIX, MacOS, HP-UX, and very old
Sun/Linux systems.  The fix and workarounds are simple.

There are efforts to get the non-standard behavior approved by
standards (a function called llink). Today's fix for Solaris, Linux
etc. also makes Postfix future-proof for such changes.

        Wietse

1. Postfix local privilege escalation via hardlinked symlinks
=============================================================

CORE-2008-0129 - Wonderware SuiteLink Denial of Service vulnerability

estimated publication date of the advisory to February 25th.
. 2008-01-30: Contact email re-sent to Wonderware asking for a software
security contact for Wonderware InTouch.
. 2008-02-06: New email sent to Wonderware asking for a response and for
a software security contact for Wonderware InTouch.
. 2008-02-28: Core makes direct phone calls to Wonderware headquarters
informing of the previous emails and requesting acknowledgement of the
notification of a security vulnerability.
. 2008-02-28: As requested during the phone call, Core re-sends the
original notification mail, stating that an advisory draft describing
the vulnerability is available since January 30th. The publication of

BT Home Flub: Pwnin the BT Home Hub (5) - exploiting IGDs remotely via UPnP

attention that needs to be paid to UPnP.

UPnP allows you to perform administrative functions. Some functions are
very standardized and supported by most devices; examples include
obtaining network settings and enabling port-forwarding rules. Other
functions are make/model specific. Some very scary functions, such as
obtaining administrative username and password pairs, have been
reported [2] in the past. As a reminder, this works without submitting
any administrative password whatsoever, since UPnP is an
authenticationless protocol. On top of this, most IGDs support UPnP by
default.

RE: Country by Country ISA Computer Sets

action you feel is appropriate.

If there is no reason (business, personal, or otherwise) for traffic
from the US or the UK to be reaching your network, then by all means
block all of it if that is what you choose to do.  If you re-read my
post, you'll see that the purpose for the sets is for people to make
*educated* decisions regarding what they may choose to block and from
where.  In my case (and cases where colleagues tested this) blocking all
SMTP from China resulted in a dramatic (not just "noticeable") reduction
in overall SPAM.  In the case of the site that I own (HoG) I decided to
actually block ALL traffic from China across the board.  Does this mean

Predictable DNS transaction IDs in Microsoft DNS Server

attacker can query (ns.victim.com). The victim's server runs Microsoft DNS
Server. The attacker wants the victim's DNS cache to think that www.hotmail.com
has IP address 127.0.0.1 (or any other).

First the attacker gathers a sample of DNS transaction IDs that
ns.victim.com uses for outgoing queries. He makes a number of recursive
queries to ns.victim.com for hosts in cache-poisoning.net zone.
Ns.victim.com will query the name server for cache-poisoning.net. The
attacker records the transaction IDs of the requests sent to the name
server of cache-poisoning.net by ns.victim.com.


PBLang <= 4.99.17.q Remote File Rewriting / Remote Command Execution

$plockview="";

?>

The "subject" and the "content" values are "htmlentitiesed", so we can't type malicious code there...but the "image" value is not filtered, so we can execute malicious code!
Don't worry if the directory is not readable, using the directory traversal variable we can make a file where we want, and so we can read that! The file name will be the "fid" value that we send via POST, and the file won't have any extension, it will be like: fid_1 (or something like that). Then, editing the cid value like: "evilfile.php\0", we can make a malicious file.

Ps. u gotta use nullbyte not encoded, like: \0
if u try to use %00 it will be not considered like nullbyte ;)

---------------------------------------------------------------

FreeBSD Security Advisory FreeBSD-SA-07:10.gtar

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/gnu/usr.bin/tar
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

FreeBSD Security Advisory FreeBSD-SA-07:08.openssl

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssl
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

FreeBSD Security Advisory FreeBSD-SA-07:06.tcpdump

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/tcpdump/tcpdump
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Multiple vulnerabilities in ircu

guess this would probably take down a lot of servers.


5. Gaining ops on channels that get empty on one side of a netsplit
-------------------------------------------------------------------
A bug in how channel TS is handled in .12 makes it possible to gain ops on a
channel if you're the only one in it, without lowering the TS. This could
be abused during a split to take over a channel.
This works with zannels disabled and enabled.

Cause:

Kiwicon IV: Our Worst CFP Yet

 we are vanguard warriors, ironclad as we step bravely forth. Though our
 quests begat rewards, these trinkets shield us not from the futility of our
 march; for it is the year 2010AD, and the end is nigh.

 So, warriors, shamans, hobbits and humble herdspersons, let us burn the lanolin
 of our final muster and make merry, for tomorrow, the future arrives and we
 have seen the ominous cloud thrown up by its blackened hooves pounding the
 horde ever nearer. We cannot stall, our protestations weaken it no longer; for
 these are the end times...

 -----[ THE FINAL MUSTER

The GNU C library dynamic linker expands $ORIGIN in setuid library search path


  return len;
}

As you can see, $ORIGIN is only expanded if it is alone and first in the path.
This makes little sense, and does not appear to be useful even if there were
no security impact. This was most likely the result of an attempt to re-use the
existing DT_NEEDED resolution infrastructure for LD_AUDIT support, accidentally
introducing this error.

Perhaps surprisingly, this error is exploitable.

FreeBSD Security Advisory FreeBSD-SA-10:08.bzip2

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libbz2
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
