On Thu, 29 Nov 2007 14:46:06 +0300, 3APA3A said:
> In order to exploit this vulnerability you need to force the victim to run
> an attacker-supplied BAT file. It's like forcing a user to run an
> attacker-supplied .sh script under Unix.
And oddly enough, the *very next mail* from Bugtraq said:
> FreeBSD-SA-07:10.gtar Security Advisory
> The FreeBSD Project
An attacker who can intercept a TCP connection being used for SSL or TLS
can cause the initial session negotiation to take the place of a session
renegotiation. This can be exploited in several ways, including:
* Causing a server to interpret incoming messages as having been sent
under the auspices of a client SSL key when in fact they were not;
* Causing a client request to be appended to an attacker-supplied
request, potentially revealing to the attacker the contents of the client
request (including any authentication parameters); and
* Causing a client to receive a response to an attacker-supplied request
instead of a response to the request sent by the client.
the "\\.\Tmfilter" DOS device interface. The permissions on this device
allow "Everyone" write access. This allows a locally logged-in user to
access functionality intended for privileged use only.
Additionally, the IOCTL handler of this DOS device interface for IOCTL
0xa0284403 does not validate the length of attacker-supplied content
when copying to a fixed-size buffer. As such, it is possible to execute
attacker-supplied code in the context of the kernel.
III. ANALYSIS
Dear Rajesh Sethumadhavan,
In order to exploit this vulnerability you need to force the victim to run
an attacker-supplied BAT file. It's like forcing a user to run an
attacker-supplied .sh script under Unix. No vulnerability here, except a
vulnerability in the human. The second scenario is better. All you need is
to force the user to type more than 1000 characters (including shellcode)
in a filename without mistakes. You should be an extremely good social
engineer...
Vulnerability Description
The help feature of the McAfee UTM Firewall (Firmware 3.0.0 to 4.0.6)
management console is vulnerable to reflected cross-site scripting.
It could allow an attacker to cause a user to execute attacker-supplied
JavaScript code. This attack requires the target to have an existing
valid session logged into the UTM device and that the attacker know the
internal IP address for the UTM device.
McAfee recommends upgrading to UTM Firewall Firmware 4.0.7 to mitigate
"The vulnerability exists as an invalid pointer reference of Internet
Explorer. It is possible under certain conditions for a CSS/Style
object to be accessed after the object is deleted. In a
specially-crafted attack, Internet Explorer attempting to access a
freed object can lead to running attacker-supplied code."
However, I have not found any evidence of accessing freed memory -- as
far as I can tell, the problem is a logic bug. The CDispNode family
of classes contains a flags field that happens to be located
immediately after the vtable pointer, the lowest four bits of which
or
ClientCert-Subject: C=US, ST=MA, L=Boston, O=xxx, OU=xxx, CN=userY
Upon injecting the attacker-supplied HTTP headers the application
would receive an HTTP request similar to that shown below:
POST /targetapp HTTP/1.1
Content-Type: text/xml; charset=utf-8
ClientCert-Subject: C=US, ST=MA, L=Boston, O=xxx, OU=xxx, CN=userY
the letter "G"), the attacker can control the ESP register through the
"lea 0xfffffffc(%ecx),%esp" instruction at 0x0804fdc7. The attacker can
execute code in mapserv's process space by setting the ESP register to
an address that holds a reference to code and letting the "ret"
instruction execute at 0x0804fdca; this will assign the EIP register an
attacker-supplied value.
This overflow may be triggered by user input as well. Note that the
"mapserv->Id" character array is defined as IDSIZE bytes long and that
the strncpy() call at mapserv.c:406 uses IDSIZE too. Since strncpy(3)
does not null-terminate the destination string if the source string is
vulnerability, an attacker would have to convince the targeted user to
open a maliciously constructed file. This file could be sent directly
to the targeted user or linked from a website.
Insufficient error checking is performed on the input which allows,
among other things, attacker-supplied data to be written to arbitrary
offsets in memory, potentially resulting in arbitrary code execution.
IV. DETECTION
iDefense has confirmed this vulnerability exists in Adobe Reader 8.1 on
The specific flaw exists within the XML processing code for Trillian.
When parsing a malformed XML tag, the application does not allocate
enough space for its contents. During copying of this to the newly
allocated buffer, the application will overwrite heap structures with
attacker-supplied data that can then be leveraged to achieve code
execution with the privileges of the application.
-- Vendor Response:
Cerulean Studios has issued an update to correct this vulnerability. More
details can be found at:
pncrt.atoi. A buffer is then allocated on the heap of size tag length +
1. Since atoi parses a signed integer, supplying -1, results in a zero
length allocation into which data is copied.
This can be exploited to overwrite a function pointer leading to the
execution of arbitrary attacker-supplied code in the context of the user
under which RealPlayer is running.
===============
Fix Information
===============
A) Reflected XSS
The presence of the Cross Site Scripting plague has been verified on
/pentaho/ViewAction parameters. The attacker-supplied code can perform
different actions, such as stealing the victim's session token or
login credentials,
performing arbitrary actions on the victim's behalf, and logging their
keystrokes.
Users can be induced to issue the attacker's crafted request in various ways.
un-sanitized within the server HTTP response header back to the client.
This vulnerability not only gives attackers control of the remaining
headers and body of the server response, but
also allows them to create additional responses entirely under their
control.
Attacker-supplied HTML or JavaScript code could run in the context of
the affected site, potentially allowing an
attacker to steal cookie-based authentication credentials, control how
the site is rendered to the user, and
influence or misrepresent how web content is served, cached, or
interpreted. Other attacks are also possible.
access functionality designed for privileged use only.
Additionally, the IOCTL handlers for this device interface do not
properly validate the user-mode buffer passed to them, so an attacker can
supply a fake DeviceObject pointer to a user-mode address. As such, it
is possible to overwrite arbitrary memory or execute attacker-supplied
code in the context of the kernel.
III. ANALYSIS
Exploitation allows an attacker to elevate privileges by overwriting
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4316
Description:
Previous versions of glib contain a vulnerability in the base64
encode and decode functions which may result in executing
attacker-supplied code when processing large strings. This
vulnerability is present only through applications that accept
user-supplied strings and process them with the base64 encode or
decode functionality of glib.
http://wiki.rpath.com/Advisories:rPSA-2009-0045
existing images rather than generate new images. Many applications
that use gd (including all uses of gd within rPath Linux) use gd
only for generating new images, not for loading existing images.
While rPath Linux itself is not vulnerable to these attacks,
some uses of gd, particularly when loading attacker-supplied
images, will be vulnerable. Some applications which use gd
to load images supplied by remote users are web applications
written in PHP.
Copyright 2007 rPath, Inc.
Local exploitation of a buffer overflow vulnerability in the db2dasrrm
program, as included with IBM Corp.'s DB2 Universal Database, allows
attackers to elevate privileges to root.
This vulnerability exists due to insufficient validation of the length
of the attacker-supplied "DASPROF" environment variable contents. By
setting the variable to a specially crafted string, an attacker can
cause a buffer overflow when the string is copied into a static-sized
buffer stored on the stack. By overflowing the buffer, the attacker can
overwrite execution control structures stored on the stack and execute
arbitrary code.