Behavioral Analysis
Summary: Solaris and Linux file system behavior has changed over
time, breaking one of the assumptions in Postfix. See below for a
description of the behavior and how it disagrees with standards.
Postfix is not affected on systems with standard (POSIX, X/Open)
file system behavior, i.e. *BSD, AIX, MacOS, HP-UX, and very old
Sun/Linux systems. The fix and workarounds are simple.
There are efforts to get the non-standard behavior approved by
standards (a function called llink). Today's fix for Solaris, Linux
Note that the only users who can access the VM this way are either the
same users who have powered on the VM or an administrator on the host.
*Affected products:*
This behavior is only present in Workstation 6.0 and VMware Player 2.0.
This issue does not affect any released version of VMware Server, VMware
ESX Server, or VMware GSX Server.
*How to disable this behavior*
same users who have powered on the VM or an administrator on the host.
*Affected products:*
This behavior is only present in Workstation 6.0, Workstation 6.0 with
ACE Option Pack, and VMware Player 2.0.
This issue does not affect any released version of VMware Server, VMware
ESX Server, or VMware GSX Server.
Access Control List Bypass Vulnerability
+---------------------------------------
A vulnerability exists in the Cisco ASA and Cisco PIX security
appliances that may allow traffic to bypass the implicit deny behavior
at the end of ACLs that are configured within the device. Cisco ASA and
Cisco PIX software versions 7.0, 7.1, 7.2, and 8.0 are affected by this
vulnerability.
Determination of Software Versions
>>>
>>> They appear to /bin/ls as symlinks, but observation suggests that they
>>> "act" as hardlinks. Could that be fixed somehow? (I did look at the
>>> kernel fs/proc/base.c but did not make much sense to me...)
>>>
>> Just looked more carefully at fs/proc/base.c. That behavior is due
>> to proc_fd_info() called from proc_fd_link() obtains file->f_path,
>> that in turn contains the reference to the open file dentry and
>> hence inode. That's exactly why those symlinks behave as hardlinks.
>> This behavior assumes that if you were able to open the file,
>> you've all necessary transition permissions to access its inode.
bypass this protection on the server side.
Versions Affected
-----------------
The described end-of-line interpretation behavior exists in all versions
of the Cisco CSS and Cisco ACE (Application Control Engine) and has
only been partially updated in version 8.20.4.02 and ACE A2(3.0).
Cisco has stated that the new behavior to address this issue in the CSS
appliance is to look for the terminator of LFLF if the separator that
Autodesk Maya [2] is a high-end 3D computer graphics and 3D modeling
software package.
Autodesk Maya offers so-called "Script Nodes" as a way to program
animation behavior using MEL (Maya Embedded Language) and the Python
programming language. The Autodesk Maya file formats support embedding
of scripting code as part of a scene package. Programs embedded in Maya
files using scripting code are automatically executed upon opening of
the file. An attacker can take control of a system where Maya is
installed by sending a specially crafted scene package and enticing
>
> They appear to /bin/ls as symlinks, but observation suggests that they
> "act" as hardlinks. Could that be fixed somehow? (I did look at the
> kernel fs/proc/base.c but did not make much sense to me...)
>
Just looked more carefully at fs/proc/base.c. That behavior is due to
proc_fd_info() called from proc_fd_link() obtains file->f_path, that in turn
contains the reference to the open file dentry and hence inode. That's exactly
why those symlinks behave as hardlinks. This behavior assumes that if you were
able to open the file, you've all necessary transition permissions to access
its inode. But in order to follow them you need privileges to read the process
> servers' settings in order to deliver a hosting product that best
> suits their unique customers.
>
> After thoroughly investigating your report, we have come to the
> conclusion that this does not represent any deviation from the
> intended and documented behavior of Apache. As noted in your report,
> Apache's behavior with regard to symlinks is easily configurable via
> the FollowSymlinks and SymLinksIfOwnerMatch options. These settings
> can be changed inside WHM via Service Configuration -> Apache
> Configuration -> Global Configuration. Simply uncheck
> "FollowSymLinks" in the "Directory / Options" section, save your
At this time there aren't any plans to address 4432153 in Solaris 8 or
9. As you may know Solaris 7 is no longer supported. If a service call
was raised with Sun then patches for Solaris 8 and 9 could be generated.
> Under RFC 1288, it seems there should be a mechanism to disable such
> behavior. It certainly is nonintuitive to most folks that 'finger
> 9@host' will display accounts with the GECOS field as described. I
> would also note that other operating systems such as Linux and FreeBSD
> exhibit the behavior that most folks would likely expect:
>
> $ finger 9@localhost
Network Mail Security System Virtual Appliance provide spam
control and preemptive protection for your messaging
infrastructure.
Proventia Network Mail is the only email security solution equipped
with the IBM Intrusion Prevention System (IPS) engine and a behavioral
genotype (SIC!) anti-virus technology, along with remote malware
detection and Sophos signature-based anti-virus.
II. Description
~~~~~~~~~~~~~~~
Billy Rios and Jeff Carr, Microsoft
Sun Tzu was a Hacker - An Examination of the Tactics and Operations
from a Real World Cyber Attack
Olivier Thonnard, Royal Military Academy, Belgium
Behavioral Analysis of Zombie Armies
Lt Col Forrest Hare, OSD, George Mason School of Public Policy
Borders in Cyberspace: Can Sovereignty Adapt to the Cyber Security Challenge?
Amit Sharma, Defence Research and Development Organization, Ministry
ZDI-09-048: Microsoft Internet Explorer CSS Behavior Memory Corruption
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-048
August 5, 2009
-- CVE ID:
CVE-2009-1919
-- Affected Vendors:
Microsoft
format, and proceeds as if the minimums were already satisfied. The
decryption operations perform integer subtractions that underflow when
the minimums are not satisfied.
The integer underflows can cause the AES decryption operation to write
to memory located before the caller's output buffer. This behavior
represents the highest risk for execution of arbitrary code, but this
risk is still fairly small. On platforms where malloc(0) (a request
to allocate zero bytes) returns a null pointer, this behavior will not
occur, because this null pointer result triggers adequate error
handling.
Class configuration mode) is enabled.
The FWSM stops processing traffic because one of the Network Processors
(NPs) that is used by the FWSM to handle traffic may use all available
execution threads while handling a specific type of crafted ICMP
messages. This behavior limits the execution threads that are available
to handle additional traffic.
Administrators may be able to determine if the FWSM has been affected
by this vulnerability by issuing the "show np 2 stats" command. If this
command produces output showing various counters and their values, as
browser engine (Gecko 1.9.2) because new mechanisms were developed
to enforce the same-origin policy between windows and frames. This
object is unfortunately also used by some plugins to determine the page
origin used for access restrictions. A malicious page could override
this object to fool a plugin into granting access to data on another
site or the local file system. The behavior of older Firefox versions
has been restored (CVE-2010-0170).
Mozilla developer Justin Dolske reported that the new asynchronous
Authorization Prompt (HTTP username and password) was not always
attached to the correct window. Although we have not demonstrated
CVE-2009-1164.
* SSH connections denial of service vulnerability
Affected devices may be susceptible to a memory leak when they
handle SSH management connections. An attacker could use this
behavior to cause an affected device to crash and reload.
Note: A three-way handshake is not required to exploit this
vulnerability.
This vulnerability is documented in Cisco Bug ID CSCsw40789 and
Skype users via the embedded chat feature.
If a vulnerable client receives a malicious message, the message and all
further messages will be received but not displayed.
It was not possible to reproduce this behavior on different versions of
the Skype client for Windows. On the iPhone (Version 1.3.0.275 on iPhone
3gs) the behavior is different. A received message containing the
malicious string is shown but its content is not displayed. Instead the
message box contains the hint that the message has been deleted. No
further impact could be determined.
--On Saturday, April 24, 2010 19:15:56 -0600 wborskey@gmail.com wrote:
> After putting the port my WAP is plugged into in a bridge group--cisco
> 2600--and rejecting traffic at layer two from an XP machine, I noticed some
> odd and insecure behavior. At this point I can only assume what is causing
> it.
>
> After adding the MAC of a machine with active tcp/ip sockets to public ip
> addresses an odd thing happened. Instead of sending out DNS requests to
> resolve the hosts, the XP machine started sending ARP requests but ARP
I'm not sure if there's a need to discuss or clarify this any further.
Please refer to my earlier posts, and for the sake of saving some of our
time & efforts, avoid drawing tangents about scripts and noscripts (I've
clarified both earlier) & weasel words (security vulnerability and nntp
exploit - irrelevant in this case).
JS or no-JS, this issue is nothing new, this behavior is well-defined and a
necessity and definitely not a URI (of any kind) exploit or a security
vulnerability.
Some last specifics (mostly reiterating what I said in my earlier posts) -
1. You can take this issue up with the content aggregators (CDN etc) and/or
The item referred to as fd in /proc is not a real file descriptor and,
because of that, that 'not-for-real file descriptor' is also not re-opened
and so does not become read-write.
The entire discussion about the file descriptor behavior the past days,
including your statement below, is all based on false assumptions...
I'll show you a snip out of my strace of the original scenario, being
performed by Pavel. But the same mechanism is being performed by you, Jim,
in the following step:
ZDI-10-033: Microsoft Internet Explorer TIME2 Behavior Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-033
April 2, 2010
-- CVE ID:
CVE-2010-0492
-- Affected Vendors:
Microsoft
Use the cacls program to deny access to the DLL containing the
vulnerable code, PP4X32.DLL. This will prevent the vulnerable DLL from
loading in PowerPoint, which will also prevent users from importing
PowerPoint 4.0 files. If Office 2003 SP3 is being used, then the
default behavior is to block the opening of PowerPoint 4.0 files. If
the default behavior has been changed, restoring it is an effective
workaround.
VI. VENDOR RESPONSE
Use the cacls program to deny access to the DLL containing the
vulnerable code, PP7X32.DLL. This will prevent the vulnerable DLL from
loading in PowerPoint, which will also prevent users from importing
PowerPoint 95 files. If Office 2003 SP3 is being used, then the default
behavior is to block the opening of PowerPoint 95 files. If the default
behavior has been changed, restoring it is an effective workaround.
VI. VENDOR RESPONSE
[Quoted vendor response if available. Otherwise include vendor fix