administrative privileges
Summary
=======
A vulnerability exists in the Cisco Unified Customer Voice Portal (CVP)
where an authenticated user can create, modify, or delete a superuser
account. Cisco has released free software updates that address this
vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080521-cvp.shtml.
galerie_unlink.php is not properly verified before being used to
delete image files. This can be exploited to delete arbitrary files
via directory traversal attacks.
Successful exploitation of this vulnerability requires administrative
privileges.
6) Input passed to the "del_verz" parameter in /engine/inc/
galerie_del_verz.php is not properly verified before being used to
delete galleries. This can be exploited to delete arbitrary
directories via directory traversal attacks.
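Both issues above have the same root cause: a request parameter is spliced into a filesystem path and handed to a delete routine without first confirming that the result still lies inside the gallery directory. The C routine below is an added example, not code from the affected scripts: it lexically normalizes the user-supplied relative path, rejects any ".." that would climb above the base, and only then joins it to the base directory. The function names and the /var/www/gallery base are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Lexically normalize a relative path into out: "." segments are dropped,
 * ".." pops the previous segment, and any ".." that would climb above the
 * starting point makes the function return false. Both '/' and '\' are
 * treated as separators. out must have room for strlen(in) + 1 bytes. */
static bool normalize_relative(const char *in, char *out, size_t outsz)
{
    size_t seg_start[256];   /* offset in out where each kept segment begins */
    size_t depth = 0;        /* number of kept segments */
    size_t olen = 0;
    const char *p = in;

    if (strlen(in) + 1 > outsz) return false;
    out[0] = '\0';

    while (*p) {
        const char *end = p;
        while (*end && *end != '/' && *end != '\\') end++;
        size_t len = (size_t)(end - p);

        if (len == 0 || (len == 1 && p[0] == '.')) {
            /* "//" or "/./": nothing to add */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0) return false;   /* would escape the base directory */
            depth--;
            olen = seg_start[depth];
            out[olen] = '\0';
        } else {
            if (depth >= sizeof seg_start / sizeof seg_start[0]) return false;
            seg_start[depth++] = olen;
            if (olen > 0) out[olen++] = '/';
            memcpy(out + olen, p, len);
            olen += len;
            out[olen] = '\0';
        }
        p = *end ? end + 1 : end;
    }
    return true;
}

/* Build "<base>/<normalized input>" for a delete operation. Returns false
 * when the input is absolute, escapes base through "..", resolves to base
 * itself, or does not fit in out. (Hypothetical helper name.) */
bool build_contained_path(const char *base, const char *input,
                          char *out, size_t outsz)
{
    char rel[1024];

    if (input[0] == '/' || input[0] == '\\') return false;   /* no absolute paths */
    if (!normalize_relative(input, rel, sizeof rel)) return false;
    if (rel[0] == '\0') return false;   /* refuse to operate on the base directory */

    int n = snprintf(out, outsz, "%s/%s", base, rel);
    return n > 0 && (size_t)n < outsz;
}

int main(void)
{
    /* Constructed sample inputs; the second mimics a traversal attempt. */
    const char *inputs[] = { "photos/a.jpg", "../../etc/passwd" };
    char path[512];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        bool ok = build_contained_path("/var/www/gallery", inputs[i], path, sizeof path);
        printf("%-20s -> %s\n", inputs[i], ok ? path : "REJECTED");
    }
    return 0;
}
```

The check is purely lexical, which is what the parameter-level fix in a web script needs. If the gallery tree can contain symbolic links, additionally resolve the joined path with realpath(3) and confirm the resolved string still starts with the resolved base before calling unlink or rmdir.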
I. Background
The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges. It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.
The host's jail rc.d(8) script can be used to start and stop jails
automatically on system boot/shutdown.
Index Functions Privilege Escalation (CVE-2007-6600): as a unique
feature, PostgreSQL allows users to create indexes on the results of
user-defined functions, known as "expression indexes". This provided
two vulnerabilities to privilege escalation: (1) index functions were
executed as the superuser and not the table owner during VACUUM and
ANALYZE, and (2) that SET ROLE and SET SESSION AUTHORIZATION were
permitted within index functions. Both of these holes have now been closed.
Regular Expression Denial-of-Service (CVE-2007-4772, CVE-2007-6067,
CVE-2007-4769): three separate issues in the regular expression
Description
-----------
Rumpus turns any Mac into a file transfer server.
Rumpus v6.0 contains two buffer overflow vulnerabilities in its HTTP and FTP modules. The first allows an unauthenticated user to crash Rumpus. The latter may result in arbitrary code execution under superuser privilege.
The overflow in the HTTP component is caused by the lack of a boundary check when parsing the HTTP action verb (GET, POST, PUT, etc.). If the verb is exactly 2908 bytes long, the server runs into a segmentation fault and crashes. A manual restart is required. It has been observed that this problem occurs at other verb lengths too. The vulnerability is rated at moderate severity for the loss of service.
The overflow in the FTP component is also caused by the lack of a length check when parsing FTP commands that take an argument, such as ``MKD``, ``XMKD``, ``RMD`` and so on. The overflow occurs when the argument is copied with ``strcpy`` into an internal buffer. This buffer is 1024 bytes long. When the passed-in argument is longer than 1046 bytes, the instruction pointer will be overwritten. This allows a successful attack to run arbitrary code under the privilege of a superuser (root) by default. Though a valid FTP login is required to exploit this security bug, the vulnerability is rated at critical severity because the FTP daemon could be allowing anonymous access.
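The FTP overflow is the classic unbounded ``strcpy`` into a fixed stack buffer. The C below is an added example, not Rumpus code: it shows the vulnerable pattern as described (defined for contrast, never called) next to a command parser that bounds every copy by the destination size and refuses an over-long argument before writing a byte. The 1024-byte buffer size comes from the advisory; the function names, the 8-byte verb buffer and the constructed test lines are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define FTP_ARG_MAX 1024   /* size of the internal buffer named in the advisory */

/* The pattern the advisory describes: the argument is strcpy'd into a fixed
 * 1024-byte stack buffer with no length check. Shown for contrast only and
 * never called here. */
void handle_mkd_unsafe(const char *arg)
{
    char path[FTP_ARG_MAX];
    strcpy(path, arg);   /* an argument of 1046+ bytes overwrites the saved return address */
    (void)path;
}

enum ftp_parse {
    FTP_OK = 0,
    FTP_NO_VERB = -1,
    FTP_VERB_TOO_LONG = -2,
    FTP_ARG_TOO_LONG = -3
};

/* Split "VERB [argument]\r\n" into verb and argument. Every copy is bounded
 * by the destination size, and an over-long argument is rejected before any
 * byte is written. (Hypothetical parser, not the product's own.) */
enum ftp_parse parse_ftp_line(const char *line, char *verb, size_t verbsz,
                              char *arg, size_t argsz)
{
    size_t n = strcspn(line, "\r\n");   /* length without the line terminator */
    size_t i = 0;

    while (i < n && line[i] != ' ') i++;
    if (i == 0) return FTP_NO_VERB;
    if (i >= verbsz) return FTP_VERB_TOO_LONG;
    memcpy(verb, line, i);
    verb[i] = '\0';

    if (i < n) i++;                      /* skip the single separating space */
    size_t alen = n - i;
    if (alen >= argsz) return FTP_ARG_TOO_LONG;   /* keep room for the NUL */
    memcpy(arg, line + i, alen);
    arg[alen] = '\0';
    return FTP_OK;
}

/* Hardened MKD/XMKD handler: returns true only when the command parsed and
 * the argument fit in the caller's buffer. */
bool handle_mkd_safe(const char *line, char *path_out, size_t path_sz)
{
    char verb[8];
    if (parse_ftp_line(line, verb, sizeof verb, path_out, path_sz) != FTP_OK)
        return false;
    return strcmp(verb, "MKD") == 0 || strcmp(verb, "XMKD") == 0;
}

/* Constructed test input: "MKD " followed by n bytes of 'A', the shape of
 * the overflowing command. Reports whether the hardened handler rejects it. */
bool mkd_arg_of_len_rejected(size_t n)
{
    char line[4096];
    char path[FTP_ARG_MAX];

    if (n + 7 > sizeof line) return true;   /* cannot even build the line */
    memcpy(line, "MKD ", 4);
    memset(line + 4, 'A', n);
    memcpy(line + 4 + n, "\r\n", 3);        /* includes the terminating NUL */
    return !handle_mkd_safe(line, path, sizeof path);
}
```

The parser rejects at 1024 bytes rather than at the 1046 bytes where the instruction pointer is reached, because the only safe bound is the destination buffer itself, not the distance to the saved return address.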
Complete these steps:
1. Log in as fgn, and then use the su command to switch to the
superuser.
2. Stop the Condenser and Node Manager:
/etc/init.d/fgnpn<Tab> stop
EMC Documentum Content Server 6.0
EMC Documentum Content Server 6.5
EMC Documentum Content Server 6.6
Vulnerability Summary:
EMC Documentum Content Server contains a privilege elevation vulnerability that may allow an unauthorized user to obtain highest administrative privileges on the system.
Vulnerability Details:
EMC Documentum Content Server contains a security vulnerability that may allow a system administrator to elevate their or other users’ privileges to highest super user privileges without appropriate authorization. Refer to EMC Documentum Content Server documentation for information on Documentum Content Server user and group privileges.
Resolution:
Therefore it is trivial to patch the client software to pass the
authentication.
Furthermore with every "authentication" attempt to the server the attacker
gains knowledge of the administrative password.
The password for the "SuperUser" is sent from the TSA server to the client
in cleartext in the following way:
Name=SuperUser Password=072 175 173 176 173 177 181
> Let's not over-hype this-- while "Apple's day" has been coming, saying
that users will be "hit hard" on something the user has to
> manually download, manually execute, and explicitly grant
administrative privileges to is *way* over the top.
The future of malware is going to be largely through social engineering.
Does that mean we ignore every threat that comes out because it requires
user interaction? Seems like whistling past the graveyard to me.
Alex
II. DESCRIPTION
Local exploitation of multiple file creation vulnerabilities in IBM
Corp.'s DB2 Universal Database could allow attackers to elevate
privileges to the superuser.
These vulnerabilities are due to insufficient checking being performed
while handling files with elevated privileges. By setting certain
combinations of environment variables, an attacker is able to create or
append to arbitrary files on the system.
> > upon the fact that an asynchronous signal cannot be sent to a suid
> > process by an unprivileged user.
>
> I disagree with you in that. Any hard guarantee can be given only by God.
> I repeat, signals are in general not a reliable information source since they
> can be generated in a couple of ways, even by an unkind superuser :-) .
You cannot protect against the superuser, nor should you even try.
Programs which attempt to evade control by the owner of the hardware
are normally termed "malware".
II. DESCRIPTION
Local exploitation of an arbitrary file creation vulnerability in IBM
Corp.'s Advanced Interactive eXecutive (AIX) Operating System allows
attackers to execute arbitrary code with super-user privileges.
This vulnerability exists due to the handling of several environment
variables. The libC.a library will open files as specified by the
"_LIB_INIT_DBG" and "_LIB_INIT_DBG_FILE" variables. The attacker's
"umask" will be honored, allowing them to create world-writable files,
Hello,
Following up on our conversations, I am sharing with you further details of this vulnerability. These problems have been confirmed in 220 bx series of DSL modems and are also present in a number of other modems.
1. The modems have accounts besides "admin" which have super-user [root, uid=guid=0] access. These accounts are "nobody", "user", "support". At the time of modem installation, Airtel staff usually
asks the subscriber to change his/her "admin" password on the modem - but people rarely do [can be verified by logging in using the default admin password on random Airtel modem IPs]. The passwords for (and even the existence of) the other accounts are not revealed.
2. These accounts have their passwords set to the same simple crackable [using JtR] value across _all_ modems. Worse yet, the passwords are available as JavaScript variables in clear text in the HTML UI for changing passwords. They are apparently there for user input validation (is the old password correct?). Using these
passwords, one can log in as super-user on _any_ Airtel modem provided to subscribers.
Let's not over-hype this-- while "Apple's day" has been coming, saying that users will be "hit hard" on something the user has to manually download, manually execute, and explicitly grant administrative privileges to is *way* over the top.
> I can sum it up in one sentence: OS X is the new Windows 98. Investing
> in
* IP Gateway Encoder/Decoder Telnet Authentication Vulnerability:
The Telnet server installed on Cisco Video Surveillance IP Gateway
video encoders and decoders does not prompt for authentication.
This may allow a remote user with network connectivity to gain
interactive shell access with administrative privileges on
vulnerable devices. This issue is documented in Cisco Bug ID
CSCsj31729.
* Services Platform/Integrated Services Platform Default
Authentication Vulnerability:
>>>> parameter validation or parsing or something - but I just can't see at
>>>> this stage how it's useful, given that I've been unable to get any of
>>>> these problems to affect the actual antivirus process running in the
>>>> system account (that's the one that does the actual work), without
>>>> administrator privileges (and then as indicated, it's not much of an
>>>> exploit if it requires administrative privileges to pull off.)
>>>>
>>>> Regards,
>>>> Jon.
did not correctly handle certain packet structures. Remote attackers
could send specially crafted packets and gain root privileges.
(CVE-2007-0061, CVE-2007-0062, CVE-2007-0063)
Rafal Wojtczvk discovered multiple memory corruption issues in VMWare
Player. Attackers with administrative privileges in a guest operating
system could cause a denial of service or possibly execute arbitrary
code on the host operating system. (CVE-2007-4496, CVE-2007-4497)
Updated packages for Ubuntu 6.06 LTS:
authenticated database users might gain additional privileges.
Note that this security update may impact intended communication through
global variables between stored procedures. It might be necessary to
convert these functions to run under the plperlu or pltclu languages,
with database superuser privileges.
This security update also includes unrelated bug fixes from PostgreSQL
8.3.12.
For the stable distribution (lenny), this problem has been fixed in
* Execute arbitrary operating system commands
An attacker could exploit this vulnerability to cause a denial of
service condition, obtain sensitive configuration information,
overwrite configuration parameters, or execute arbitrary commands
with full administrative privileges.
This vulnerability is documented in CVE-2008-1154 and the following
Cisco Bug IDs:
* CSCso53771 - Cisco Unified Communications Manager 5.x and 6.x
II. DESCRIPTION
Local exploitation of a directory creation vulnerability in IBM Corp.'s
DB2 Universal Database could allow attackers to elevate privileges to
the superuser.
This vulnerability exists due to insecure directory creation within
setuid-binaries included with DB2. While creating specific directory
structures, attacker created symbolic links will be followed. This
allows world-writable directories to be created anywhere on the file
DETAILS:
Prerequisites to exploit:
#1: The user has a "Domain User" account that has administrative
privileges on his/her workstation (This is a common configuration for
both small and enterprise networks).
#2: The Microsoft Windows Active Directory domain has not disabled the
use of Group Policy "Interactive logon: Number of previous logons to
cache (in case domain controller is not available)". The default value
for this setting is "10 logons".
> upon the fact that an asynchronous signal cannot be sent to a suid
> process by an unprivileged user.
>
I disagree with you in that. Any hard guarantee can be given only by God.
I repeat, signals are in general not a reliable information source since they
can be generated in a couple of ways, even by an unkind superuser :-) .
> > In fact, PDEATHSIG should be reset for every binary, not just suid/sgid, since
> > it emits signal that exec()ed program may not expect.
>
> Are you talking about the parent exec()ing or the child?
3. Description of Vulnerability
3.1.1. Stored XSS in ESS (Employee Self-Service)
In ESS module, user inputs are not sanitized properly, leading to XSS
vulnerability.
Exploiting this vulnerability would allow a malicious ESS user to gain
administrative privileges.
3.1.2. Stored XSS in the publicly accessible jobs.php module
In the recruitment module, user inputs are not sanitized properly,
According to the post, the National Security Agency has access to both stand-alone systems and networks running Microsoft products.
The post states the following:
"This includes wireless wiretapping of “smart phones” running Microsoft Mobile.
Microsoft remote administrative privileges allow “backdooring” into Microsoft operating systems via IP/TCP ports 1024 through 1030."
According to Cryptome's source, this is typically triggered when devices visit Microsoft Update servers.
Cryptome.org:
http://cryptome.org/nsa-ip-update11.htm
There is a flaw in the Windows Vista benchmarking tool, winsat.exe, which runs with administrative privileges.
The problem is an integer overflow in the -totalobj argument, for example:
winsat d3d -texshader -totalobj 2147483648
This results in an overflow of the signed int that stores the totalobj argument, which turns negative, and then the program crashes.
I'm not sure if you can control some memory using other options in winsat.exe arguments to take advantage of this issue, and exploit it.
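The value 2147483648 is exactly one past INT32_MAX, so an unchecked decimal-to-int conversion wraps it to INT32_MIN and every later size or loop computation sees a negative count. The C below is an added example, not winsat code or Microsoft's parser: it reproduces the wrap with a naive accumulator and then shows the checked alternative, which parses in a wider type, insists on consuming the whole string and enforces the range before narrowing. Function names and the lower bound of 1 are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* How a value such as 2147483648 turns negative: the digits are accumulated
 * into a 32-bit quantity with no range check, so one past INT32_MAX wraps
 * to INT32_MIN. Accumulated unsigned here so the wrap itself is well defined. */
int32_t naive_parse_count(const char *s)
{
    uint32_t acc = 0;
    for (; *s >= '0' && *s <= '9'; s++)
        acc = acc * 10u + (uint32_t)(*s - '0');
    return (int32_t)acc;
}

enum count_status { COUNT_OK, COUNT_EMPTY, COUNT_NOT_NUMBER, COUNT_OUT_OF_RANGE };

/* Checked parse for an object count (hypothetical helper): parse in a wider
 * type, require the whole string to be consumed, and enforce
 * 1 <= value <= INT32_MAX before narrowing. The lower bound of 1 is an
 * assumption: a count of zero objects is treated as invalid. */
enum count_status parse_count_checked(const char *s, int32_t *out)
{
    char *end;
    if (*s == '\0') return COUNT_EMPTY;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (end == s || *end != '\0') return COUNT_NOT_NUMBER;
    if (errno == ERANGE || v < 1 || v > INT32_MAX) return COUNT_OUT_OF_RANGE;
    *out = (int32_t)v;
    return COUNT_OK;
}

int main(void)
{
    const char *arg = "2147483648";   /* the -totalobj value from the report above */
    int32_t v;
    printf("naive:   %s -> %d\n", arg, naive_parse_count(arg));
    printf("checked: %s -> %s\n", arg,
           parse_count_checked(arg, &v) == COUNT_OK ? "accepted" : "rejected");
    return 0;
}
```

Rejecting the argument at parse time is what turns the crash into an error message; whether the wrapped negative count is exploitable further down depends on how the program uses it for allocation or indexing, which the report above leaves open.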
[1][2]. During 2008, the large number of bugs reported by researchers led
to exploitation by blog spammers [3]. During 2009, a new round of
attacks has appeared and security researchers are reporting new bugs or
incorrectly fixed previously reported bugs [4][5]. A path traversal in local
files included by 'admin.php' has been fixed [6][7] but, in our case, we
report that administrative privileges are still unchecked when accessing
any PHP file inside a plugin folder.
8.2. *Access Control Roles*