Next Page >>
File system
PHP filesystem attack vectors
Name PHP filesystem attack vectors
Systems Affected PHP and PHP+Suhosin
Vendor http://www.php.net/
Advisory http://www.ush.it/team/ush/hack-phpfs/phpfs_mad.txt
Authors Francesco "ascii" Ongaro (ascii AT ush DOT it)
Giovanni "evilaliv3" Pellerano (giovanni.pellerano AT
evilaliv3 DOT org)
Date 20090207
problems:
CVE-2008-3528
Eugene Teo reported a local DoS issue in the ext2 and ext3
filesystems. Local users who have been granted the privileges
necessary to mount a filesystem would be able to craft a corrupted
filesystem that causes the kernel to output error messages in an
infinite loop.
CVE-2008-4554
implementation.
CVE-2008-3528
Eugene Teo reported a local DoS issue in the ext2 and ext3
filesystems. Local users who have been granted the privileges
necessary to mount a filesystem would be able to craft a corrupted
filesystem that causes the kernel to output error messages in an
infinite loop.
CVE-2008-4554
* Transparent Firewall Packet Buffer Exhaustion Vulnerability
* Skinny Client Control Protocol (SCCP) Inspection Denial of
Service Vulnerability
* Routing Information Protocol (RIP) Denial of Service
Vulnerability
* Unauthorized File System Access Vulnerability
These vulnerabilities are independent; a release that is affected by
one vulnerability is not necessarily affected by the others.
Cisco has released free software updates that address these
VSR Security Advisory
http://www.vsecurity.com/
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: Coda Filesystem Kernel Memory Disclosure
Release Date: 2010-08-16
Application: Coda kernel module for NetBSD and FreeBSD
Versions: All known versions
Severity: Medium
Author: Dan Rosenberg < drosenberg (at) vsecurity (dot) com >
"Beneath the appealing, easy-to-use interface of Mac OS X is a rock-solid,
UNIX-based foundation that is engineered for stability, reliability, and
performance. The kernel environment is built on top of Mach 3.0 and provides
high-performance networking facilities and support for multiple, integrated
file systems."
Vulnerability Overview
- ----------------------
Roel Kluin discovered inverted logic in the skfddi driver that
permits local, unprivileged users to reset the driver statistics.
CVE-2009-0745
Peter Kerwien discovered an issue in the ext4 filesystem that
allows local users to cause a denial of service (kernel oops)
during a resize operation.
CVE-2009-0746
The actual fallacy of the "problem report" is the flawed assumption
about what a link count of 1 tells you.
The link count of a files tells you the number of hard links that
are persisted within the same filesystem. It is _NOT_ a promise
that there are no other means to access the inode of the file.
/proc creates a virtual reference to an inode, and since it is
virtual (and in a different filesystem) and not persisted in the
original filesystem, you will not see it in the link count of
BACKGROUND
Veritas Storage Foundation 5.0 from Symantec provides a complete
solution for heterogeneous online storage management. Based on the
industry-leading Veritas Volume Manager and Veritas File System, it
provides a standard set of integrated tools to centrally manage
explosive data growth, maximize storage hardware investments, provide
data protection and adapt to changing business requirements.
SUMMARY
automatically on system boot/shutdown.
II. Problem Description
In multiple situations the host's jail rc.d(8) script does not check if
a path inside the jail file system structure is a symbolic link before
using the path. In particular this is the case when writing the
output from the jail start-up to /var/log/console.log and when
mounting and unmounting file systems inside the jail directory
structure.
Furthermore, I know some BIOSs will still boot without a valid MBR
partition table in the first place.
> 2. Corrupted NTFS file system crashed EnCase during acquisition.
>
> Response: The authors state that “this issue appears to be caused by an attempt to read past the end of the buffer.” However, EnCase features an option to de-select the automatic reading of the file system during the acquisition process. Thus, there is an easy work-around. Also, by corrupting the NTFS partitions, the perpetrator would likely render his file system dysfunctional, which calls into question both the likelihood and feasibility of such a tactic. Thus, the chances of this specific scenario occurring in the field are extremely remote; however, Guidance Software will test and, if verified, place this anomaly in its development queue to address the crashing problem in the future.
So really all I need to do is wrap my partition/file-system in a
corrupted NTFS (btw NTFS file system is redundant), and poof I potentially
following problems:
CVE-2006-5823
LMH reported a potential local DoS which could be exploited by a malicious
user with the privileges to mount and read a corrupted cramfs filesystem.
CVE-2006-6054
LMH reported a potential local DoS which could be exploited by a malicious
user with the privileges to mount and read a corrupted ext2 filesystem.
buffer overflow can be achieved by creating a map file on the server
with overly long IMAGEPATH and/or NAME attributes; their values will be
stored past the end of "buffer" and will overwrite saved register
values. If the following specially-crafted map file ("bof.map") is
stored on the server (either by creating it directly, or tricking a
legitimate user into placing it onto the file system):
MAP
NAME {"A" x 1072}GGGG
STATUS ON
SIZE 100 100
Kyle Bader reported an issue in the tty subsystem that allows local
users to create a denial of service (NULL pointer dereference).
CVE-2010-2226
Dan Rosenberg reported an issue in the xfs filesystem that allows local
users to copy and read a file owned by another user, for which they
only have write permissions, due to a lack of permission checking in the
XFS_SWAPEXT ioctl.
CVE-2010-2240
UNC: http://servername/pandora_console/ajax.php?page=//server/share/test
As well, ajax.php allows to include any php file in the disk
filesystem:
http://servername/pandora_console/ajax.php?page=../../../../../directory/file
Character %00 is not allowed due safe_url_extraclean function filtering,
and is not possible to include other files distinct that php files, but
still allows . and / characters.
with physical access to a system's USB ports could obtain elevated
privileges using a specially crafted USB device.
CVE-2011-1020
Kees Cook discovered an issue in the /proc filesystem that allows local
users to gain access to sensitive process information after execution of a
setuid binary.
CVE-2011-2209
kernel that may lead to a denial of service or the execution of arbitrary
code.
The package versions referenced in the initial DSA-1503 advisory
introduced a regression that can cause hangs on systems that make use of
the ext2 filesystem. The regression has been resolved in the package
versions referenced by this updated advisory.
The Common Vulnerabilities and Exposures project identifies the
following problems:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[ Sun Solaris 10 filesystem rm(1),find(1),etc, Denial-of-service ]
Author: Maksymilian Arciemowicz
SecurityReason.com
Date:
- - Dis.: 17.04.2010
- - Pub.: 21.05.2010
to a denial of service or privilege escalation. The Common Vulnerabilities and
Exposures project identifies the following problems:
CVE-2011-1020
Kees Cook discovered an issue in the /proc filesystem that allows local
users to gain access to sensitive process information after execution of a
setuid binary.
CVE-2011-1576
to a denial of service or privilege escalation. The Common Vulnerabilities and
Exposures project identifies the following problems:
CVE-2011-1020
Kees Cook discovered an issue in the /proc filesystem that allows local
users to gain access to sensitive process information after execution of a
setuid binary.
CVE-2011-1576
linux-powerpc, linux-amd64-generic), a standard system upgrade will
automatically perform this as well.
Details follow:
The minix filesystem did not properly validate certain filesystem
values. If a local attacker could trick the system into attempting
to mount a corrupted minix filesystem, the kernel could be made to
hang for long periods of time, resulting in a denial of service.
(CVE-2006-6058)
References: http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/Microsoft-Bluetooth-Stack-Directory-Traversal.html
Description:
Most Windows Mobile 5.0 & 6 devices are shipped with Microsoft Bluetooth stack, only few of them use others like Widcomm Bluetooth stack. Among all the Bluetooth services that may be implemented in the stack, OBEX FTP is the most common service.
OBEX FTP Bluetooth service can be used to share files through Bluetooth, not only by sending files but also by allowing remote devices to browse local shared folders and download files. Usually, the service is configured in such a way that a specific directory is shared and the user can place there all the files he would like to share with other people. The default directory is My Device\My Documents\Bluetooth Share. A different directory may be selected by the user, however the Bluetooth wizard usually doesn't allow specifying any other from the filesystem out of My Device\My Documents\ or Memory Card\My Documents\ paths. This is because of safety reasons, so the user can't expose sensitive files or information through Bluetooth.
There exists a Directory Traversal vulnerability in the OBEX FTP Service in Microsoft Bluetooth Stack implemented in Windows Mobile 5.0 & 6 devices. A remote attacker (who previously owned authentication and authorization rights) can use tools like ObexFTP to traverse to parent directories out of the default Bluetooth shared folder. This means the attacker can browse folders located on a lower level, download files contained in those folders as well as upload files to those folders.
The only requirement is that the attacker must have authentication and authorization privileges over the OBEX FTP service. Pairing up with the remote Windows Mobile device should be enough to get it. In case the attacker succeeded in getting the proper privileges, further actions will be transparent to the user.
exists which may allow remote users to cause a denial of service
condition (oops).
CVE-2009-4020
Amerigo Wang discovered an issue in the HFS filesystem that would
allow a denial of service by a local user who has sufficient
privileges to mount a specially crafted filesystem.
CVE-2009-4021
>
> The actual fallacy of the "problem report" is the flawed assumption
> about what a link count of 1 tells you.
>
> The link count of a files tells you the number of hard links that
> are persisted within the same filesystem. It is _NOT_ a promise
> that there are no other means to access the inode of the file.
It used to be promise before /proc was mounted.
> /proc creates a virtual reference to an inode, and since it is
Cisco Unified Contact Center Express (UCCX or Unified CCX) and Cisco
Unified IP Interactive Voice Response (Unified IP-IVR) contain a
directory traversal vulnerability that may allow a remote,
unauthenticated attacker to retrieve arbitrary files from the
filesystem.
Cisco has released free software updates that address this
vulnerability.
There are no workarounds that mitigate this vulnerability.
files without execute permission when accessed via an nfs4 mount.
CVE-2009-1633
Jeff Layton and Suresh Jayaraman fixed several buffer overflows in
the CIFS filesystem which allow remote servers to cause memory
corruption.
CVE-2009-1895
Julien Tinnes and Tavis Ormandy reported and issue in the Linux
Current Privilege Level (CPL) before accessing a debug register,
which allows guest OS users to cause a denial of service (trap)
on the host OS via a crafted application. (CVE-2009-3722)
The ext4_decode_error function in fs/ext4/super.c in the ext4
filesystem in the Linux kernel before 2.6.32 allows user-assisted
remote attackers to cause a denial of service (NULL pointer
dereference), and possibly have unspecified other impact, via a
crafted read-only filesystem that lacks a journal. (CVE-2009-4308)
The eisa_eeprom_read function in the parisc isa-eeprom component
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02822174
Version: 1
HPSBMI02632 SSRT100379 rev.1 - HP/Palm webOS, Execution of Arbitrary Code, Denial of Service (DoS), Unauthorized File System Write Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-05-09
Last Updated: 2011-05-09
Internet Explorer (IE) is the most widely used Web browser, with an
estimated count of 1,100 million users according to a worldwide survey
conducted and published in 2008 [1]. This advisory describes a
vulnerability that provides access to the contents of any file stored in
the local filesystem of user's machines running vulnerable versions of IE.
Exploitation of the vulnerability relies solely on the ability for a
would-be attacker to provide malicious HTML content from a website and
to predict the full pathname for the file that will be used to cache it
locally on the victim's system. If the entire path name can be
Vulnerability overview/description:
-----------------------------------
Sawmill suffers from multiple critical vulnerabilities which allow an
_unauthenticated_ attacker to gain administrative rights. Furthermore
it is possible to access (RW) the file system and execute arbitrary
commands on the operating system without authentication.
Attackers with valid accounts are able to reset the root password or
add/delete log profiles, view and manipulate admin settings etc.
Next Page>>
|
