Next Page >>
attacks
PHP filesystem attack vectors
Name PHP filesystem attack vectors
Systems Affected PHP and PHP+Suhosin
Vendor http://www.php.net/
Advisory http://www.ush.it/team/ush/hack-phpfs/phpfs_mad.txt
Authors Francesco "ascii" Ongaro (ascii AT ush DOT it)
Giovanni "evilaliv3" Pellerano (giovanni.pellerano AT
evilaliv3 DOT org)
Date 20090207
USN-1074-1 fixed vulnerabilities in linux-fsl-imx51 in Ubuntu 9.10. This
update provides the corresponding updates for Ubuntu 10.04.
Original advisory details:
Al Viro discovered a race condition in the TTY driver. A local attacker
could exploit this to crash the system, leading to a denial of service.
(CVE-2009-4895)
Dan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not correctly
check file permissions. A local attacker could overwrite append-only files,
1.Vulnerability information
---------------------------
Impact: An unauthenticated remote attacker without any kind of
credentials can access the SMB service under the credentials of an
authorized user. Depending on the privileges of the authorized user, and
the configuration of the remote system, an attacker can gain read/write
access to the remote file system and execute arbitrary code by using
DCE/RPC over SMB.
After a standard system update you need to reboot your computer to make
all the necessary changes.
Details follow:
Al Viro discovered a race condition in the TTY driver. A local attacker
could exploit this to crash the system, leading to a denial of service.
(CVE-2009-4895)
Dan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not correctly
check file permissions. A local attacker could overwrite append-only files,
perform this as well.
Details follow:
Joel Becker discovered that OCFS2 did not correctly validate on-disk
symlink structures. If an attacker were able to trick a user or automated
system into mounting a specially crafted filesystem, it could crash the
system or exposde kernel memory, leading to a loss of privacy.
Ben Hutchings discovered that the ethtool interface did not correctly
check certain sizes. A local attacker could perform malicious ioctl calls
___________________________________________________________________________
Overview:
Hash tables are a commonly used data structure in most programming
languages. Web application servers or platforms commonly parse
attacker-controlled POST form data into hash tables automatically, so
that they can be accessed by application developers.
If the language does not provide a randomized hash function or the
application server does not recognize attacks using multi-collisions, an
attacker can degenerate the hash table by sending lots of colliding
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
Details follow:
Al Viro discovered a race condition in the TTY driver. A local attacker
could exploit this to crash the system, leading to a denial of service.
(CVE-2009-4895)
Gleb Napatov discovered that KVM did not correctly check certain privileged
operations. A local attacker with access to a guest kernel could exploit
form of a "light IM client".
A vulnerability was discovered in these three popular versions of AOL
Instant Messaging software, AIM 6.1 (and 6.2 beta), AIM Pro and AIM Lite,
which expose workstations running the IM clients and their users to
several immediate high-risk attack vectors. To support rendering of HTML
content, the vulnerable IM clients use an embedded Internet Explorer
server control. Unfortunately they do not properly sanitize the
potentially malicious input content to be rendered and, as a result, an
attacker might provide malicious HTML content as part of an IM message to
directly exploit Internet Explorer bugs or to target IE‟s security
form of a "light IM client".
A vulnerability was discovered in these three popular versions of AOL
Instant Messaging software, AIM 6.1 (and 6.2 beta), AIM Pro and AIM Lite,
which expose workstations running the IM clients and their users to
several immediate high-risk attack vectors. To support rendering of HTML
content, the vulnerable IM clients use an embedded Internet Explorer
server control. Unfortunately they do not properly sanitize the
potentially malicious input content to be rendered and, as a result, an
attacker might provide malicious HTML content as part of an IM message to
directly exploit Internet Explorer bugs or to target IE‟s security
----------------------------------------------------------------------------------------------------
Benchmarking attacks and major security weakness on all recent Windows versions up to Windows 2008
----------------------------------------------------------------------------------------------------
+ Author: Fabien KERBOUCI
+ Version/Date: 27/01/2009
+ Keywords: [ benchmark timing benchmarking attacks Windows runas vulnerability password length ]
Get a more detailed version of this advisory with complete tutorial and video in Haking9 Magazine
of May 2009.
Unauthenticated Java Servlet Access
+----------------------------------
A number of sensitive Java Servlets delivered via a Java Servlet
framework within the Cisco TelePresence Recording Server could allow
a remote, unauthenticated attacker to perform actions that should be
restricted to administrative users. To successfully exploit this
vulnerability, the attacker would need the ability to submit a
crafted request to an affected device on TCP port 80, TCP port 443,
or TCP port 8080.
Microsoft DNS server generates predictable DNS transaction IDs. If the
server is configured to allow recursive queries it is possible to insert
fake records in the DNS cache (DNS cache poisoning) by guessing the next
transaction ID that the server will use and sending a spoofed DNS reply
to the server. To observe the transaction IDs an attacker needs to
control a DNS server that is authoritative for some domain and to be
able to send a recursive queries to the caching Microsoft DNS server.
When an attacker sends a recursive query to a caching name server, the
caching server will find the server authoritative for the zone and send
Unauthenticated Java Servlet Access
+----------------------------------
A number of sensitive Java Servlets delivered via a Java Servlet
framework in the Cisco Telepresence Multipoint Switch could allow a
remote, unauthenticated attacker to perform actions that should be
restricted to administrative users only. The attacker would need the
ability to submit a crafted request to an affected device on TCP port
80, 443, or 8080.
An attacker must perform a three-way TCP handshake and establish a
Unauthenticated CGI Access
Multiple CGI command injection vulnerabilities exist in Cisco
TelePresence endpoint devices that could allow a remote,
authenticated attacker to execute arbitrary commands with elevated
privileges. To exploit these vulnerabilities, an attacker must submit
a malformed request to an affected device via TCP port 8082.
An attacker must perform a three-way TCP handshake and establish a
valid session to exploit this vulnerability.
- linux-ti-omap4: Linux kernel for OMAP4 devices
Details:
Dan Rosenberg discovered that the RDS network protocol did not correctly
check certain parameters. A local attacker could exploit this gain root
privileges. (CVE-2010-3904)
Nelson Elhage discovered several problems with the Acorn Econet protocol
driver. A local user could cause a denial of service via a NULL pointer
dereference, escalate privileges by overflowing the kernel stack, and
39| $ip = "UNKNOWN";
40| }
41| return( $ip );
42| }
So, an attacker can spoof his IP, he just have to create
an HTTP packet, add a special header, and send it. The
HTTP packet will look's like this:
GET /index.php HTTP/1.1\r\n
Host: localhost\r\n
| are sold and purchased the accounts are automatically updated.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Overview:
Several issues have been found in SQL-Ledger which might lead to attacks
on the confidentiality and availability of business-critical data stored
within SQL-Ledger.
Fraunhofer SIT advises to use SQL-Ledger only in non-critical application
scenarios with low security requirements. Furthermore, risk mitigation in
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
While doing a quick sweep over the code base of FreeWebshop.org (FWS)
several vulnerabilities have been found in FWS. These vulnerabilities
allow attackers to obtain arbitrary information from the webserver and
database. It is even possible to execute arbitrary code with the
privileges of FWS. In some cases it may even be possible to fully
compromise the system on which FWS is installed. Most of these issues
are related to the fact that FWS fully trusts the content of the cookies
that it receives. These issues were discovered within a very small
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. unsanitized user submitted parameter "origmsg" is used in sql query
Preconditions:
1. attacker must be logged in as valid user
Test:
http://localhost/torrenttrader109/account-inbox.php?msg=1&receiver=waraxe&origmsg=foobar&delete=yes
USN-930-1 fixed vulnerabilities in Firefox and Xulrunner. This update
provides the corresponding updates for Ubuntu 9.04 and 9.10, along with
additional updates affecting Firefox 3.6.6.
Several flaws were discovered in the browser engine of Firefox. If a user
were tricked into viewing a malicious site, a remote attacker could use
this to crash the browser or possibly run arbitrary code as the user
invoking the program. (CVE-2010-1208, CVE-2010-1209, CVE-2010-1211,
CVE-2010-1212)
An integer overflow was discovered in how Firefox processed plugin
Xulrunner 1.9.2.
Original advisory details:
If was discovered that Firefox could be made to access freed memory. If a
user were tricked into viewing a malicious site, a remote attacker could
cause a denial of service or possibly execute arbitrary code with the
privileges of the user invoking the program. This issue only affected
Ubuntu 8.04 LTS. (CVE-2010-1121)
Several flaws were discovered in the browser engine of Firefox. If a
checksum with DES session keys for version 2 (RFC 4121) of the GSS-API
krb5 mechanism.
MIT krb5 (releases krb5-1.7 and newer) incorrectly accepts an unkeyed
checksum for PAC signatures. Running exclusively krb5-1.8 or newer
KDCs blocks the attack.
MIT krb5 KDC (releases krb5-1.7 and newer) incorrectly accepts RFC
3961 key-derivation checksums using RC4 keys when verifying the
req-checksum in a KrbFastArmoredReq.
all the necessary changes.
Details follow:
Gleb Napatov discovered that KVM did not correctly check certain privileged
operations. A local attacker with access to a guest kernel could exploit
this to crash the host system, leading to a denial of service.
(CVE-2010-0435)
Dan Jacobson discovered that ThinkPad video output was not correctly access
controlled. A local attacker could exploit this to hang the system, leading
all the necessary changes.
Details follow:
Gleb Napatov discovered that KVM did not correctly check certain privileged
operations. A local attacker with access to a guest kernel could exploit
this to crash the host system, leading to a denial of service.
(CVE-2010-0435)
Dave Chinner discovered that the XFS filesystem did not correctly order
inode lookups when exported by NFS. A remote attacker could exploit this to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Cisco Products Vulnerable to DNS Cache
Poisoning Attacks
Advisory ID: cisco-sa-20080708-dns
http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml
"..I am not planning to support my argument in any way.."
That's a shame.
If you can prove your hypothesis, it lends credibility to your claims.
A refusal to do so only weakens your position.
As others have pointed out, your attack only works if security in depth has been blatantly, intentionally ignored.
I'll grant that it's an interesting methodology, but it assumes too much and ultimately fails to prove your claims.
You're absolutely correct; "Security in depth" is a process; no one has argued this.
What no one has stated is that security in depth has an endpoint.
Not only does it require proper analysis, planning and deployment, it's greatly weakened without constant monitoring and adjustment to meet new threats.
-----Original Message-----
From: gjgowey@tmo.blackberry.net [mailto:gjgowey@tmo.blackberry.net]
Sent: Thursday, October 11, 2007 8:28 AM
To: pdp (architect); Thor (Hammer of God)
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: Re: [Full-disclosure] Remote Desktop Command Fixation Attacks
Not to step in to the middle of this, but I once worked for an employer with what I considered the best way of stopping attacks cold: a proxy server that prompted you for your credentials when you went to an external web site and gp settings that disabled the ability to save your username/password locally as well as tight settings on the systems to prevent pretty much anything from being installed or modified. So everytime you opened up a brand new session of ie and tried to access an external site you were prompted for your username/password. Somehow I doubt there's any malware around that is designed to survive in that type of an environment.
Geoff
* Cross-Site-Scripting (XSS) (CVE-2010-3890)
The GET parameter »command« used inside the administration interface is
embedded directly into the HTML source without any input validation or
output sanitization. Using this parameter the attacker can inject arbitrary
Javascript code which will be run in the session context of other users.
As session credentials are stored within cookies, an attacker can steal
the cookie information and impersonate (CVE-2010-3893) the session and
control the web application within the browser context of the victim.
the Web Hacking Incidents Database Project we have collected numerous new
incidents, listed below. It is very evident that both the rate of incidents
as well the amount of information about each one is on the rise.
We have also started adding more classifications to each incident. In
addition to the attack method we now track for each incident its geography,
the outcome of the attack and the industry sector it occured at. We are
going to use this information in the our first annual Web Incidents summary
report to be issued in early January.
So if you know of a web hacking incident that you feel should be in the
the Web Hacking Incidents Database Project we have collected numerous new
incidents, listed below. It is very evident that both the rate of incidents
as well the amount of information about each one is on the rise.
We have also started adding more classifications to each incident. In
addition to the attack method we now track for each incident its geography,
the outcome of the attack and the industry sector it occured at. We are
going to use this information in the our first annual Web Incidents summary
report to be issued in early January.
So if you know of a web hacking incident that you feel should be in the
Next Page>>
|
