administrator privileges
Summary
=======
A vulnerability exists in the Cisco Unified Customer Voice Portal (CVP)
where an authenticated user can create, modify, or delete a superuser
account. Cisco has released free software updates that address this
vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080521-cvp.shtml.
I. Background
The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges. It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.
The host's jail rc.d(8) script can be used to start and stop jails
automatically on system boot/shutdown.
Description
-----------
Rumpus turns any Mac into a file transfer server.
Rumpus v6.0 contains two buffer overflow vulnerabilities in its HTTP and FTP modules. The first allows an unauthenticated user to crash Rumpus. The latter may result in arbitrary code execution with superuser privileges.
The overflow in the HTTP component is caused by the lack of a boundary check when parsing the HTTP action verb (GET, POST, PUT, etc.). If the verb is exactly 2908 bytes long, the server runs into a segmentation fault and crashes. A manual restart is required. It has been observed that this problem occurs at other verb lengths too. The vulnerability is rated at moderate severity for the loss of service.
The overflow in the FTP component is also caused by the lack of a length check when parsing FTP commands that take an argument, such as ``MKD``, ``XMKD``, ``RMD`` and so on. The overflow occurs when the argument is copied with ``strcpy`` into an internal buffer. This buffer is 1024 bytes long. When the passed-in argument is longer than 1046 bytes, the instruction pointer will be overwritten. This allows a successful attack to run arbitrary code under the privilege of a superuser (root) by default. Though authorization is required to exploit this security bug, the vulnerability is rated at critical severity because the FTP daemon could be allowing anonymous access.
+ 909090909090
After that, run DataAdministration(%OpenEdge%\bin\prowin32.exe) and try to
enter the RDBMS with any UserID and without a password.
The application shows an error message box, but still allows entry into the
RDBMS with the chosen UserID. If the chosen UserID has Security Administrator
privileges, the attacker obtains those privileges. By default, all users in
OpenEdge RDBMS have Security Administrator privileges.
Fix Information
***************
+---------------------------------
Complete these steps:
1. Log in as fgn, and then use the su command to switch to the
superuser.
2. Stop the Condenser and Node Manager:
/etc/init.d/fgnpn<Tab> stop
Index Functions Privilege Escalation (CVE-2007-6600): as a unique
feature, PostgreSQL allows users to create indexes on the results of
user-defined functions, known as expression indexes. This provided
two vulnerabilities to privilege escalation: (1) index functions were
executed as the superuser and not the table owner during VACUUM and
ANALYZE, and (2) that SET ROLE and SET SESSION AUTHORIZATION were
permitted within index functions.
Regular Expression Denial-of-Service (CVE-2007-4772, CVE-2007-6067,
CVE-2007-4769): three separate issues in the regular expression
II. DESCRIPTION
Local exploitation of multiple file creation vulnerabilities in IBM
Corp.'s DB2 Universal Database could allow attackers to elevate
privileges to the superuser.
These vulnerabilities are due to insufficient checking being performed
while handling files with elevated privileges. By setting certain
combinations of environment variables, an attacker is able to create or
append to arbitrary files on the system.
> > upon the fact that an asynchronous signal cannot be sent to a suid
> > process by an unprivileged user.
>
> I disagree with you in that. Any hard guarantee can be given only by God.
> I repeat, signals are in general not a reliable information source since they
> can be generated in a couple of ways, even by an unkind superuser :-) .
You cannot protect against the superuser, nor should you even try.
Programs which attempt to evade control by the owner of the hardware
are normally termed "malware".
Hello,
Following up on our conversations, I am sharing with you further details of this vulnerability. These problems have been confirmed in 220 bx series of DSL modems and are also present in a number of other modems.
1. The modems have accounts besides "admin" which have super-user [root, uid=guid=0] access. These accounts are "nobody", "user", "support". At the time of modem installation, Airtel staff usually
asks the subscriber to change his/her "admin" password on the modem - but people rarely do [can be verified by logging in using default admin password on random airtel modem IPs]. The passwords for (and even the existence of) the other accounts are not revealed.
2. These accounts have their passwords set to the same simple crackable [using JtR] value across _all_ modems. Worse yet, the passwords are available as javascript variables in clear text in the HTML UI for changing passwords. They are apparently there for user input validation (is the old password correct?). Using these
passwords, one can log in as super-user on _any_ airtel modem provided to subscribers.
Index Functions Privilege Escalation (CVE-2007-6600): as a unique
feature, PostgreSQL allows users to create indexes on the results of
user-defined functions, known as "expression indexes". This provided
two vulnerabilities to privilege escalation: (1) index functions were
executed as the superuser and not the table owner during VACUUM and
ANALYZE, and (2) that SET ROLE and SET SESSION AUTHORIZATION were
permitted within index functions. Both of these holes have now been closed.
Regular Expression Denial-of-Service (CVE-2007-4772, CVE-2007-6067,
CVE-2007-4769): three separate issues in the regular expression
II. DESCRIPTION
Local exploitation of an arbitrary file creation vulnerability in IBM
Corp.'s Advanced Interactive eXecutive (AIX) Operating System allows
attackers to execute arbitrary code with super-user privileges.
This vulnerability exists due to the handling of several environment
variables. The libC.a library will open files as specified by the
"_LIB_INIT_DBG" and "_LIB_INIT_DBG_FILE" variables. The attacker's
"umask" will be honored, allowing them to create world-writable files,
In order for an attacker to exploit the vulnerability, the attacker
would need to be able to plant their malicious executable in a
certain location on the Virtual Machine of the user. On most
recent versions of Windows (XP, Vista) the attacker would need to
have administrator privileges to plant the malicious executable in
the right location.
Steps needed to remediate this vulnerability: See section 3.a.
VMware would like to thank Mitja Kolsek of ACROS Security
Therefore it is trivial to patch the client software to pass the
authentication.
Furthermore, with every "authentication" attempt to the server the attacker
gains knowledge of the administrative password.
The password for the "SuperUser" is sent from the TSA server to the client
in cleartext in the following way:
Name=SuperUser Password=072 175 173 176 173 177 181
These vulnerabilities can be triggered during the normal operation of
Cisco Security Agent if Data Loss Prevention (DLP) policies are
enabled. The DLP policies are available only on Windows platforms.
When inspected by Cisco Security Agent, a crafted file could allow an
attacker to execute arbitrary code with Administrator privileges.
Vulnerability Scoring Details
+----------------------------
Arbitrary code execution is not possible (not necessary, either).
--- 9. Issue: Privilege escalation by adjusting token SIDs ---
This vulnerability is very similar to the previous one - by adjusting
token SIDs, one could gain administrator privileges.
--- 10. Issue: Privilege escalation by replacing process token with System process token ---
Issue 7 described SetVistaTokenInformation() method. SABKUTIL.sys and
Product: F5 BIG-IP
http://www.f5.com/products/big-ip/
By design the F5 BIG-IP web management interface allows a logged-in user with Resource Manager or Administrator privileges to execute an arbitrary bigpipe shell command through the web "Console" feature. It is possible to craft URL links that would execute the command with a simple HTTP GET request. Cross-site attacks may leverage this functionality to reconfigure the BIG-IP appliance, including creating new administrators.
Example:
https://target/tmui/Control/form?
>>
>>> SUMMARY AND IMPACT:
>>> All versions of Microsoft Windows operating systems allow real-time
>>> modifications to the Active Directory cached accounts listing stored
>>> on all Active Directory domain workstations and servers. This allows
>>> domain users that have local administrator privileges on domain
>>> assets to modify their cached accounts to masquerade as other domain
>>> users that have logged in to those domain assets. This will allow
>>> local administrators to temporarily escalate their domain privileges
>>> on domain workstations or servers.
>>
Description
===========
If using the "expression indexes" feature, PostgreSQL executes index
functions as the superuser during VACUUM and ANALYZE instead of the
table owner, and allows SET ROLE and SET SESSION AUTHORIZATION in the
index functions (CVE-2007-6600). Additionally, several errors involving
regular expressions were found (CVE-2007-4769, CVE-2007-4772,
CVE-2007-6067). Eventually, a privilege escalation vulnerability via
unspecified vectors in the DBLink module was reported (CVE-2007-6601).
Description:
Previous versions of star, an archival program, are vulnerable to an
attack in which unpacking an intentionally-malformed tar archive can
overwrite arbitrary files to which the user running tar has write access.
If unpacked by a superuser, this can lead to arbitrary code execution at
root permission levels.
Copyright 2007 Foresight Linux Project
>>>>
>>>>> Hi David and Sandeep,
>>>>>
>>>>> Perhaps I'm missing something, but everything you're saying I either
>>>>> can't reproduce on my test systems or requires administrator
>>>>> privileges
>>>>> anyway, at which point crashing smc is the least of your problems.
>>>>>
>>>>>
>>>>>> If the Symantec Management Client service was somehow changed from
>>>>>> "smc.exe" to "smc.exe -P" it would effectively prevent the service
> killed, for example, by sadly known OOM killer, all data it operated on must
> remain in a consistent state.
However nice failsafe may be, it is often either impossible or
impractical. In general, a process shouldn't have to protect itself
against the superuser, and in some respects shouldn't even try to.
> > > From another hand,
> > > PDEATHSIG should be always reset on exec() like signal handlers are (I'm not
> > > sure though if that is directly specified by any standard). Please correct me
> > > if I'm wrong.
privileges.
CVE-2007-4573
Wojciech Purczynski discovered a vulnerability that can be exploited
by a local user to obtain superuser privileges on x86_64 systems.
This resulted from improper clearing of the high bits of registers
during ia32 system call emulation. This vulnerability is relevant
to the Debian amd64 port as well as users of the i386 port who run
the amd64 linux-image flavour.
II. DESCRIPTION
Local exploitation of multiple race condition vulnerabilities in IBM
Corp.'s DB2 Universal Database could allow attackers to elevate
privileges to the superuser.
These vulnerabilities are due to insufficient checking being performed
while handling files with elevated privileges. In each case, a race
condition exists between a check to see if an existing file is a
symbolic link and modifying it. By quickly and repeatedly removing and
local users to trigger a BUG_ON() call in exit_mmap.