| New User, Welcome! Login |
<< Previous Next >>
wrote
Google had already non affected Chrome 4, and Mozilla and Opera promised to
fix it (we'll see when and how they do it), then you can see that my
approach works. And responsible full disclosure can force browser vendors to
attend more at security of their software.
Soon I'll write to security mailing lists about new vulnerabilities in
different browsers. And you can not worry about that - in those advisories
I'll use a littler different approach of informing browser vendors. You will
like it ;-).
> Let's take one for example. Did you email secure@microsoft.com? I have
>> That can hardly be called a real security hole, since the behaviour
>> described above is expected, and is as it was conceived by design.
>> If the file owner in fact allows writing to it, why should Linux
>> prevent that from happening?
>
> No, I do not think this is expected. You could not write to that file
> under traditional unix, and you can not write into that file when
> /proc is unmounted.
>
> I do not think mounting /proc should change access control semantics.
>
> polymorphic code ?
Well, YES... The "collums" showing the exploit structure should
address this misunderstood. Anyway, here is a question: What happens
if we apply Alpha2.c, or any other polymorphic shellcode engine, to
the entiry data we should write in the stack? Will the exploit work? I
don't think so. Touche!!!
>> That is the reason some
>> IPS/IDS can easily add signatures.
below.
At 'mov_demux.c' (line 1768) an array of 'chunkmap' structures is filled
by reading data straight from file without any kind of check. Then, at
'mov_build_index()' (line 150), the 'trak->chunkmap[i].first' field is
used to index the heap array 'chunks' allowing an attacker to write the
'sdid' and 'spc' values at some memory address relative to that heap
pointer causing a memory corruption. This could be used to overwrite
function pointers or some critical data allowing an attacker to get code
execution.
The VideoLAN project has issued a security advisory describing this
vulnerability [2], partially quoted below.
VLC media player's MPEG-4 file format parser (a.k.a. the MP4 demuxer)
suffers from an arbitrary memory overwrite vulnerability when using
specially crafted (invalid) MP4 input files. If successful, a malicious
third party could trigger execution of arbitrary code within the context
of the VLC media player, or otherwise crash the player instance.
Exploitation of the MP4 demuxer problem requires the user to explicitly
Title: Gnome terminal, xfce4-terminal, terminator and other libVTE based
terminals write scrollback buffer data to /tmp filesystem
Report date: 2011-03-06
Reported by: Mark Krenz
Severity: High depending on use and expectations
Thus, effectively stalling the ability to use TcpWindowScaling is
stopped by SynAttackProtect too, so an attacking system/app sending a
setsockopt of 0 for this SHOULD also be nullified, on a server also...
(However/Again - Workstations are easily taken care of , vs. servers,
just by what I wrote up above either by PORT FILTERING)
IP Security Policies, which can work on ranges of addresses to block,
OR, single systems as well you either ALLOW or DENY to talk to your
system, still can help also... vs. a DDOS though? SynAttackProtect is
your best friend here... you'd use netstat -b -n tcp to see which are
It's not a racial slight, it's spellchecker not working and I didn't
realize I spelled it wrong. My deepest apologies if anyone reads that
wrong.
Hisashi T Fujinaka wrote:
> On Thu, 17 Sep 2009, Susan Bradley wrote:
>
>> <jaded mode off>
>>
>> I know too many of the gook geeks behind Microsoft and I do trust
On Sat 2009-10-24 01:12:51, Dan Yefimov wrote:
> On 24.10.2009 0:35, Matthew Bergin wrote:
> >doesnt look like the original owner is trying to write to it. Shows it
> >cant, it had guest write to it via the proc folders bad permissions.
> >Looks legitimate
> >
> Please tell me, who issued 'chmod 0666 unwritable_file'? Was that an
> attacker? No, that was the owner of 'unwritable_file', nobody else.
> What the 0666 file mode means? It means, that everybody can write to
> the file, can't he? So why do you believe that pretension
> wrote
> in both advisories, this attack via iframes can also be conducted without
> JavaScript. So even turning JS off will not help.
>
> Due to advantages of JS exploit for these vulnerabilities over non-JS
> exploit, I wrote JavaScript exploits for these advisories and I'd write
> for
> future advisories (but I'd be reminding about possibility of attacking
> without JS). But soon I'll present one exploit also in "pure-iframe"
> version
> (without JS) for Internet Explorer and other applications - in case when
[Andreas Schmidt]
fix RANDOM_UID setting in jcop_mifare_access.cap/jcopmifare.py (you will
need a secret key from NXP)
add jcoptool.py - JCOP toolkit (work in progress)
mrpkey.py changes:
fix binary mode when reading files under Windows (for WRITE to card)
fix computation of composite checksum digit
support reading non-BAC passports
specify a dummy MRZ or simply the keyword 'PLAIN' for Plain Access if
there is no Basic Access Control
support writing non-BAC passports (only for vonJeek cards)
By tightening up the protection on the directory the sysadmin can
mitigate the problem. It is in fact the standard way of doing this.
On Sat, 2009-10-24 at 01:12 +0400, Dan Yefimov wrote:
> On 24.10.2009 0:35, Matthew Bergin wrote:
> > doesnt look like the original owner is trying to write to it. Shows it
> > cant, it had guest write to it via the proc folders bad permissions.
> > Looks legitimate
> >
> Please tell me, who issued 'chmod 0666 unwritable_file'? Was that an attacker?
> No, that was the owner of 'unwritable_file', nobody else. What the 0666 file
issue and only drew attention to attacking with JS vector). That, as I wrote
in both advisories, this attack via iframes can also be conducted without
JavaScript. So even turning JS off will not help.
Due to advantages of JS exploit for these vulnerabilities over non-JS
exploit, I wrote JavaScript exploits for these advisories and I'd write for
future advisories (but I'd be reminding about possibility of attacking
without JS). But soon I'll present one exploit also in "pure-iframe" version
(without JS) for Internet Explorer and other applications - in case when
small amount of iframes lead to crash.
>>>
>>> P.S.
>>>
>>> People, I'm not subscribed to bugtraq, so if you want to answer me,
>>> than
>>> write directly to my email.
>>>
>>> Best wishes & regards,
>>> MustLive
>>> Administrator of Websecurity web site
>>> http://websecurity.com.ua
For files, permissions are checked during open(); they don't get
re-checked during subsequent operations on the returned descriptor.
E.g. if you successfully open() a file O_RDWR, the permissions aren't
re-checked for every read() and write(). If the permissions are
removed, read() and write() won't suddenly fail (note that neither
read() nor write() can fail with EPERM).
open() checks that the user has the necessary privilege, then records
that information in the descriptor for use by subsequent operations.
> control return address, like required in JMP ESP technique used in this
> exploit.
>
> --Wednesday, September 2, 2009, 12:33:47 PM, you wrote to 3APA3A@SECURITY.NNOV.RU:
>
> GL> no, MKDIR is *not* required, also write access is *not* required.
>
> GL> Assuming a directory with a name that starts with "A" exists and that is
> GL> at least 14 chars long, this pattern will trigger the overflow:
>
>
My idea was to made blocking DoS attack on Chrome (first exploit was
blocking DoS, second was blocking DoS and DoS via resources consumption).
Which I wrote about last year in my Classification of DoS vulnerabilities in
browsers (http://websecurity.com.ua/2550/). In 2008 I wrote about many
blocking DoS vulnerabilities in browsers, and this year I continued to write
about such holes, and after this one I'd write about another one soon (which
I found last year). Like these DoS vulnerabilities in Firefox, IE, Chrome
and Opera (http://websecurity.com.ua/3194/). Or like DoS vulnerability in
Internet Explorer 7 (http://websecurity.com.ua/2872/), which is similar to
DoS vulnerabilities in Firefox, Opera and Chrome
>
> But guest has permissions to ptrace() his own processes. If we
> remember your original report, he abuses input redirection of bash
> run by himself. So again, there's no real security hole here.
guest abuses ptrace permissions on his own processes to write to
pavel's files... no, that obviously is not security hole :-).
Whatever. I agree that it is obscure, but I believe that it is
security problem, and the one that should be fixed. By now, someone is
probably working for a fix. (I took a stab at patching kernel, too).
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Libpurple msn_slplink_process_msg() Arbitrary Write Vulnerability
1. *Advisory Information*
On Mon, Oct 26, 2009 at 07:37:38PM +0100, Ansgar Wiechers wrote:
> On 2009-10-24 Derek Martin wrote:
> > 1. It circumvents the fact that to write to a file, you MUST be able
> > to write to its directory, so that the file attributes can be updated.
>
> Wrong, because the file's attributes aren't stored in the directory, but
> in the respective inode.
Ah, sorry, you're right, but if (as in the example) the user has no
permissions on the directory, he normally won't be able to write to
Why do you think you can't do it with SNMP? An examples are settings DNS
server option via DHCP (or DNS domain name for proxy server
autodiscovery protocol) or even configuring a VPN tunnel for all
traffic. I'm not sure about Tsunami, for Orinoco these settings are
read/write:
http://support.ipmonitor.com/mibs/ORINOCO-MIB/oids.aspx
see e.g. oriDHCPServerPrimaryDNSIPAddress
Also not affected are the following configurations: a) maildir-style
delivery with the Postfix built-in local or virtual delivery agents;
b) mail delivery with non-Postfix local or virtual delivery agents;
c) mailbox-style delivery with the Postfix built-in virtual delivery
agent when virtual mailbox parent directories have no "group" or
other write permissions.
The following configurations are known to be affected on Linux
kernel >= 2.0, Solaris >= 2.0, OpenSolaris 11-2008.5, IRIX 6.5, and
other systems where users can create hardlinks to symlinks: a)
mailbox-style delivery with the Postfix built-in local delivery
to root-owned symlinks in an insecure manner under certain conditions.
Normally, Postfix does not deliver mail to symlinks, except to
root-owned symlinks, for compatibility with the systems using symlinks
in /dev like Solaris. Furthermore, some systems like Linux allow to
hardlink a symlink, while the POSIX.1-2001 standard requires that the
symlink is followed. Depending on the write permissions and the
delivery agent being used, this can lead to an arbitrary local file
overwriting vulnerability (CVE-2008-2936). Furthermore, the Postfix
delivery agent does not properly verify the ownership of a mailbox
before delivering mail (CVE-2008-2937).
# / Changing dareseller's password
# / Trying to connect as dareseller:thatpwnz
# + Login successful
# + The reseller has 2 users
# + Host domaintest.fr is connected
# / Trying to write PHP code
# + PHP code successfully written
# / We'll have to bypass open_basedir cause safe_mode=On
# - User doesn't have SQL rights
# / Host domaintest.fr isn't a valid user
# + Host xpliamaclient.com is connected
information on the screen of the target.
The vulnerabilities discovered allow a remote attacker to upload a file
to an arbitrary location on the victim's machine and forge peer
information on the log lines of the victim's application. For example,
an attacker could write an executable in a startup directory of the
victim's machine and wait for the user to restart his/her machine.
Another example is to write a fake system DLL in an existing program
directory, inducing Windows to load this module instead of the real DLL
from 'C:\WINDOWS\system32\'
Impact:
///////
Remote code execution
Remote system registry read/write access
Remote shell command execution
>
> Only if you *choose* to run the userland utilities. If you don't, all the
> queuing in the world won't get those commands executed.
>
> > However, I propose an alternate attack scenario: if the host system is
> > compromised, then the program is able to write to the VMware Disk
> > files or the physical partition that the virtual machines are
> > installed in. This means that you can write arbitrary things to it or
> > change files around, so you can have the same effect if you, say, add
> > a command to the root user's crontab...
>
CVE-2010-1903 - MS10-056
INTRODUCTION
There exists a vulnerability within the way Word handles html linked objects, which leads
to attacker controlled memory write and code execution.
There is a poc.doc file that demonstrates the vulnerability and is available to interested
parts.
This problem was confirmed in the following versions of Word and Windows, other versions
> * CVE-2010-4258
> * -------------
> * This is the interesting one, and the reason I wrote this exploit. If a
> * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
> * word will be written to a user-specified pointer when that thread exits.
> * This write is done using put_user(), which ensures the provided destination
> * resides in valid userspace by invoking access_ok(). However, Nelson
> * discovered that when the kernel performs an address limit override via
> * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
> * etc.), this override is not reverted before calling put_user() in the exit
> * path, allowing a user to write a NULL word to an arbitrary kernel address.
> * CVE-2010-4258
> * -------------
> * This is the interesting one, and the reason I wrote this exploit. If a
> * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
> * word will be written to a user-specified pointer when that thread exits.
> * This write is done using put_user(), which ensures the provided destination
> * resides in valid userspace by invoking access_ok(). However, Nelson
> * discovered that when the kernel performs an address limit override via
> * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
> * etc.), this override is not reverted before calling put_user() in the exit
> * path, allowing a user to write a NULL word to an arbitrary kernel address.
<<Previous Next>>
|
|
|
