writing
anyways that's another subject...
regards laurent gaffi
"Apparently, it's allowed to write to /test/, *and* the user perms
used to talk to mysql seem horribly broad, since it can get user
perms. So, since any Apache/PHP/mysql user on a shared host (or
whatever) in the above scenario can write to whatever they want from
mysql to /test/, it's fair game.
CVE-2010-1903 - MS10-056
INTRODUCTION
There exists a vulnerability within the way Word handles html linked objects, which leads
to attacker controlled memory write and code execution.
There is a poc.doc file that demonstrates the vulnerability and is available to interested
parties.
This problem was confirmed in the following versions of Word and Windows, other versions
7. *Credits*
This vulnerability was discovered and researched by Nicolas Economou
from Core Security Exploit Writers Team. The publication of this
advisory was coordinated by Fernando Miranda from Core Security
Advisories Team.
8. *Technical Description / Proof of Concept Code*
Abstract:
Some Windows antivirus software fails to detect, block and/or
disinfect/move/delete malware if the malware EXE file has only
execution permission and no read, write or other permissions.
The worst cases are NOD32 and Avast antivirus, which allow the
malware to run unimpeded. Avast has fixed the flaw while NOD32
is still vulnerable as of this writing.
>
> Hi all,
>
> Just wanted to share the following links/tutorials on writing Windows (stack based) exploits:
>
> * Stack based overflows (direct RET overwrite) :
> (Tutorial Part 1)
> http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
>
> * Jumping to shellcode :
> (Tutorial Part 2)
the install.php script, no specific instructions are provided to secure
the installation of FWS. The manual assumes that FWS is installed on a
LAMP server (Linux, Apache, MySQL & PHP). If the ZIP archive is
extracted or the files are uploaded to the document root of the
webserver, the new files and directories will be created based on the
active umask. In most cases, this will give read & write access to
the owner of the files and read access for all other users.
Since FWS needs to write to certain files and directories, the
instructions in the manual tell you to specifically set file permissions
on a specific set of files and directories. For files, the owner, group
software, that allows users to edit photos, create graphics, draw and
paint. Corel Paint Shop Pro Photo X2 is prone to a heap-based buffer
overflow when processing malformed FPX files, because it trusts
user-controlled data located inside a FPX file and uses it as a loop
counter when copying data from a FPX file into a fixed-size buffer
located in the heap. This vulnerability can be exploited to overwrite
adjacent heap chunks' metadata, and possibly to gain arbitrary code
execution.
4. *Vulnerable packages*
> I can do the example with fd passing and 700 directory, but it would
> be lot of C code. Feel free to play, my example was not nearly the
> only way to demonstrate it, and no, it was not racy.
Here is an example that shows the behavior where a passed read-only fd
can become read-write by reopening it through /proc, when file
permissions allow it (but directory permissions do not):
$ sudo su
# mkdir -m 0700 /dir
# echo "safe" > /dir/file.txt
User2 cannot create a hard link on the file any more now because it
requires search access on the directory, and that has been revoked by
chmod 0700 on the directory.
|| > User1 chmod's file to 0666
|| > User2 can not open the file for read or write access
|| > User2 can not write to file descriptor 4
|| > User2 _can_ write to /proc/$$/fd/4
However, as has been pointed out elsewhere in this thread, openat()
will at this point allow User2 to open the file for writing, provided
software contains a vulnerability that could allow authenticated
users with an attached command-line interface (CLI) view to transfer
files to and from a Cisco IOS device that is configured to be an SCP
server, regardless of what users are authorized to do, per the CLI
view configuration. This vulnerability could allow valid users to
retrieve or write to any file on the device's file system, including
the device's saved configuration and Cisco IOS image files, even if
the CLI view attached to the user does not allow it. This
configuration file may include passwords or other sensitive
information.
2. *Vulnerability Information*
Class: Failure to Constrain Operations within the Bounds of a Memory
Buffer [CWE-119], Out-of-bounds Write [CWE-787]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: 37708
CVE Name: CVE-2010-0280
For files, permissions are checked during open(); they don't get
re-checked during subsequent operations on the returned descriptor.
E.g. if you successfully open() a file O_RDWR, the permissions aren't
re-checked for every read() and write(). If the permissions are
removed, read() and write() won't suddenly fail (note that neither
read() nor write() can fail with EPERM).
open() checks that the user has the necessary privilege, then records
that information in the descriptor for use by subsequent operations.
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
Thanks to the discussion with kuza55, evilaliv3 and Wisec, 3 main uses
of this attack vector were identified:
- Blacklist bypass on write functions (file editors, file writing, etc)
- Blacklist bypass on read functions (source disclosure, etc)
- Regular expressions and IDS/IPS signature evasion
The wrong assumption was that this behaviour was filesystem dependent;
as said, it turned out to be dependent on which PHP version (patched VS
> polymorphic code ?
Well, YES... The "columns" showing the exploit structure should
address this misunderstanding. Anyway, here is a question: What happens
if we apply Alpha2.c, or any other polymorphic shellcode engine, to
the entire data we should write in the stack? Will the exploit work? I
don't think so. Touche!!!
>> That is the reason some
>> IPS/IDS can easily add signatures.
interface when the administrator user views pages such as
'/config/configure-systems.html'. The injected code can perform any
actions within the context of the current session (full administrative
rights).
Although usually the SNMP write community string must be guessed/cracked
for a SNMP injection [1] attack to work, some embedded devices come with
SNMP read/write access enabled by default. Some examples include many
ZyXEL Prestige router models [2] used in residential and SOHO networks,
and also products used in corporate and government environments such as
the Proxim Tsunami MP.11 2411 Wireless Point-to-Multipoint System.
which can be exploited by malicious remote attackers to compromise a
user's system, by providing a specially crafted XSPF playlist file. The
vulnerability exists because the VLC ('demux/playlist/xspf.c') library
does not properly perform bounds-checking on an 'identifier' tag from an
XSPF file before using it to index an array on the heap. This can be
exploited to overwrite an arbitrary memory address in the context of the
VLC media player process, and eventually get arbitrary code execution by
opening a specially crafted file.
4. *Vulnerable packages*
introduced a new technique: SNMP injection a.k.a. persistent HTML
injection via SNMP. Such a technique allowed us to cause a persistent
HTML injection condition on the web management console of several ZyXEL
Prestige router models.
Provided that an attacker has guessed or cracked the write SNMP
community string of a device, he/she would be able to inject malicious
code into the administrative web interface by changing the values of
OIDs (SNMP MIB objects) that are printed on HTML pages.
The purpose behind injecting malicious code into the web console via
directly to the driver, thus transferring it the responsibility of doing
the proper checks to validate the addresses sent from user mode.
The 'VBoxDrv.sys' driver uses the 'METHOD_NEITHER' communication method
when handling IOCTL requests and does not properly validate the buffer
sent in the IRP object, allowing an attacker to write to any memory
address in kernel mode.
Let's see the bug on the source. This is the function used to handle the
IOCTL requests at 'SUPDrv-win.cpp'.
======================
The IOCTL call 0xba002848 of the cpoint.sys kernel driver shipped with Panda
Internet Security/Antivirus+Firewall 2008 accepts user-supplied input that
is not sufficiently validated. As a consequence, it is possible to cause an
out-of-bounds write in kernel memory.
Disassembly of cpoint.sys (Windows Vista 32bit version):
[...]
.text:00012633 loc_12633:
MacOS X Server 10.5 [1], also known as Leopard Server, features a Wiki
Server [2], which is a multiuser web application written in Python. The
Wiki Server is vulnerable to a path traversal attack, which can be
exploited by non-privileged system users via a forged file upload to
write arbitrary files to locations on the server filesystem, restricted
only by the privileges of the Wiki Server application.
*Vulnerable Packages*
need to be authenticated depending on configuration of
the Asterisk installation.

The first overflow is caused by sending a payload number
that surpasses the programmed maximum payload number of
256. This causes an invalid memory write outside of the
buffer. While this does not allow the attacker to write
arbitrary data it does allow the attacker to write a 0
to other memory locations.

The second overflow is caused by sending more than 32
'../' characters, because the 'id' parameter is not filtered.
If magic_quotes_gpc is Off, arbitrary files such as boot.ini can be
included using a NULL character (%00); if not, only PHP files are allowed.
5.4 - Path traversal & Arbitrary write and delete files - CVE-2010-4282
- - CVSS 8.0/10
In file operation/agentes/networkmap.php the 'layout' parameter is
handled in an insecure way and it is used to write and delete files on
the filesystem.
Launch an ioQuake3 game server. Set the fs_game cvar to "`echo
TROLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLO
> trollme.txt`". Connect to the server with a recent ioQuake3 client for
UNIX-like systems. The client should (after failing to create a directory
with an overly long name) execute a shell command to write a file.
* patches
Several distributors have already been contacted and have prepared patches
for their distributions.
=======
Summary
=======
Name: LibAVCodec AMV Out of Array Write
Release Date: 31 July 2011
Reference: NGS00068
Discoverer: Dominic Chell <dominic.chell@ngssecure.com>
Vendor: VideoLAN
Vendor Reference: CVE-2011-1931
Systems Affected: VLC media player 1.1.9 and earlier releases
On Saturday, 24.10.2009, 01:12 +0400, Dan Yefimov wrote:
> On 24.10.2009 0:35, Matthew Bergin wrote:
> > doesn't look like the original owner is trying to write to it. Shows it
> > can't, it had guest write to it via the proc folders bad permissions.
> > Looks legitimate
> >
> Please tell me, who issued 'chmod 0666 unwritable_file'? Was that an attacker?
> No, that was the owner of 'unwritable_file', nobody else. What does the 0666 file
> mode mean? It means that everybody can write to the file, can't they? So why do
> you believe that pretension is legitimate?
The intention of the Month of PHP Security is to gather the best
research and articles about PHP security topics from the security
community and share them with the rest of the world. This time the goal
is not only to improve the security of PHP itself and applications
directly by fixing security bugs, but also to help PHP developers
around the world to write better and more secure PHP applications.
The Month of PHP Security will be held in May 2010 by SektionEins
GmbH. During the month of May all qualifying entries will be published
at http://php-security.org day by day.
>>
>> But guest has permissions to ptrace() his own processes. If we
>> remember your original report, he abuses input redirection of bash
>> run by himself. So again, there's no real security hole here.
>
> guest abuses ptrace permissions on his own processes to write to
> pavel's files... no, that obviously is not security hole :-).
>
guest abuses ptrace permissions on his own processes to write to ANY file open
by his processes, whose permissions explicitly allow writing to it. Doesn't it
trouble you, that guest's processes still retain open file descriptors and hence
By tightening up the protection on the directory the sysadmin can
mitigate the problem. It is in fact the standard way of doing this.
On Sat, 2009-10-24 at 01:12 +0400, Dan Yefimov wrote:
> On 24.10.2009 0:35, Matthew Bergin wrote:
> > doesn't look like the original owner is trying to write to it. Shows it
> > can't, it had guest write to it via the proc folders bad permissions.
> > Looks legitimate
> >
> Please tell me, who issued 'chmod 0666 unwritable_file'? Was that an attacker?
> No, that was the owner of 'unwritable_file', nobody else. What the 0666 file
> b) unlike other hardlinks, you can't see it on the link count
>
> (and c) writing to file descriptor opened read-only is bad).
>
>>> Plus, you may run traditional unix/POSIX application, expecting
>>> directory access controls to prevent the write. (Or can you see a way
>>> to write to that file when /proc is unmounted?)
>>>
>> Directory permissions control an access just to the directory
>> itself, not to the files in it, so your pretensions are in fact
>> illegitimate.
On 24.10.2009 2:05, Pavel Machek wrote:
> On Sat 2009-10-24 01:12:51, Dan Yefimov wrote:
>> On 24.10.2009 0:35, Matthew Bergin wrote:
>>> doesn't look like the original owner is trying to write to it. Shows it
>>> can't, it had guest write to it via the proc folders bad permissions.
>>> Looks legitimate
>>>
>> Please tell me, who issued 'chmod 0666 unwritable_file'? Was that an
>> attacker? No, that was the owner of 'unwritable_file', nobody else.
>> What does the 0666 file mode mean? It means that everybody can write to