called
Aleph1’s article8. As I mentioned above, a good start to figure out if ENG
can apply polymorphism in an exploit is to check how many return addresses it
will be able to use in its code.
In this particular vulnerability there are at least two public return
addresses: David Litchfield’s 0x42b48774 (“call esp” @ SQLSORT.DLL) and
MSF’s 0x42b0c9dc (“jmp esp” @ SQLSORT.DLL). However, there are many more
DLLs in which we can try to find new return addresses, and we are not yet sure
that there are no more return addresses in this particular DLL.
From my research, I found two more return addresses in the SQLSORT.DLL and
Disassembly of the code of $SMISS handler, one of SMI handlers in
the BIOS firmware in ASUS Eee PC 1000HE system.
0003F073: 50 push ax
0003F074: B4A1 mov ah,0A1
** 0003F076: 9A197D00F0 call 0F000:07D19
0003F07B: 2404 and al,004
0003F07D: 7414 je 00003F093
0003F07F: B434 mov ah,034
** 0003F081: 9A708000F0 call 0F000:08070
0003F086: 2410 and al,010
*Vulnerability Information*
Class: Invalid memory reference
Remotely Exploitable: No
Locally Exploitable: Yes
Bugtraq ID: 28741 28742 28743 28744
CVE Name: CVE-2008-1735 CVE-2008-1736 CVE-2008-1737 CVE-2008-1738
*Vulnerability Description*
LayerOne 2008 Information Technology Conference
Call for Papers
May 17 & 18, 2008
Los Angeles, California (Pasadena Hilton)
http://layerone.info/
The fifth annual LayerOne information technology conference is now
accepting submissions for topic and speaker selection. As always, we
are interested in seeing a broad range of pertinent topics, and encourage
Asterisk Project Security Advisory - AST-2009-006
+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | IAX2 Call Number Resource Exhaustion |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Denial of Service |
|--------------------+---------------------------------------------------|
| Susceptibility | Remote unauthenticated sessions |
|--------------------+---------------------------------------------------|
kidding. Because of its heavy reliance on FreeBSD source code, Mac OS X is
also affected [2], except for the realpath() case, which is conveniently
#ifdef'd out.
=====================================================
Leakage of file/directory existence via stat() calls
=====================================================
At two points (lines 366 and 436 in crontab.c), crontab makes calls to stat()
on a user-owned temporary file while retaining an euid of 0. Since stat()
follows symbolic links and returns ENOENT when called on a symbolic link
-- Tar File Interface (pi_tar.txt)
3. ATTEMPTED FIX
These are all the ``execute'' and system() calls in the current code
(autoload/tar.vim version 20, 2008-07-30). It can be seen that all
the vulnerable statements have been changed. Unfortunately, not all the
changes provide a sufficient fix. (We analyse the vulnerabilities in
section 4 below):
2. *Vulnerability Information*
Class: Client side
Remotely Exploitable: Yes
Locally Exploitable: Yes
Bugtraq ID: 33178
CVE Name: CVE-2009-1140
3. *Vulnerability Description*
Perhaps not getting to the dialer, but having the dialer launch automatically just from viewing an email?
Collin Mulliner <collin@betaversion.net> wrote:
>Mike,
>
>just getting to the phone dialer is not a bug! That is what the tel:
>protocol is for. All most all mobile phones implement this, every time
>you open a tel: URL you will get to the dialer in some way.
>
>>
>> Vulnerability class:
>> application logic bug
>>
>> Executive Summary:
>> A malicious website can initiate a phone call without the need of user
>> interaction. The destination phone number is chosen by the attacker.
>>
>> Risk: MEDIUM-HIGH
>> Medium to high risk due to the possibility of financial gain through
>> this attack by calling of premium rate numbers (e.g. 1-900 in the
versions not checked )
1. Victim is enticed into visiting, by any means, a specially crafted
webpage.
2. Attacker's payload to be executed under the context of the browser.
3. Attacker calls his girlfriend to inform about the successful
exploitation, who indeed turns out to be very interested in the issue.
She demands more technical details.
4. Attacker wakes up.
be modified to contain the malformed Domain Search List option. On reception of
this malformed packet, RPC on the remote machine would fail. Exploiting this
vulnerability would cause the RPC service to fail, losing any RPC-based services,
as well as the potential loss of some COM functions.
Failing RPC calls might interfere with e.g.
- network connectivity (no IP address acquired, no IP address release/renew, …)
- applications utilizing COM/DCOM interfaces
- machine’s sound system
The error has been found to occur on reception of DHCPv6 Reply (message type 7)
2. *Vulnerability Information*
Class: Command injection, Client side
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 35105
CVE Name: CVE-2009-1792
3. *Vulnerability Description*
__wakeup() or __destruct() methods and read their code to analyze if
these methods are doing something interesting.
When looking at the Piwik source code one particular class can be
found that allows writing arbitrary configuration files to the
webserver. This class is called Piwik_Config and contains the
following code.
function __destruct()
{
if($this->configFileUpdated === true
_______________
Details
_______________
The following TSQL statement can be called by any user with PUBLIC
access.
RESTORE FILELISTONLY FROM DISK = 'path to file'
By hosting a corrupt SQL database backup on a remote file share
* * Bug #2 fixed: Problem concerning the getcookie() function ((|;))
* * New: multipart/form-data enctype is now supported
*
* [2006-12-31] (1.1)
* * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)
* * New: You can now call the getheader() / getcontent() function without parameters
*
* [2006-12-30] (1.0)
* * First version
*
*/
privileges. For example, Android's browser application holds sensitive
information such as cookies, cache and history, and this cannot be accessed by
third-party apps. An Android app may request specific privileges during its
installation; if granted by the user, the app's capabilities are extended.
Intents are used by Android apps for intercommunication. These objects can be
broadcast, passed to the startActivity call (when an application starts another
activity), or passed to the startService call (when an application starts a
service). Normally, when startActivity is called, the target activity's
onCreate method is executed. However, under AndroidManifest.xml it is possible
to define different launch attributes, which affect this behavior. One example
is the singleTask launch attribute, which makes the activity act as a
kernel execution in a way that allows elevation of privileges.
Currently, the only scenario which the author knows to be exploitable
is when the unexpected kernel exception occurs during the very
beginning or very end of a kernel-mode service routine (a generic term
referring to interrupt handlers and system call handlers), on certain
x64 operating systems. Exploitability in such a case depends on the
operating system's use of the x64 SWAPGS instruction as the sole
mechanism for switching the GS base address between user-mode and
kernel-mode system data structures, and it requires that the operating
system act on the data at GS: in an exploitable way, without any
---------------------------
Microsoft Server Message Block (SMB) Protocol is a Microsoft network
file sharing protocol also used for sharing printers, communications
abstractions such as named pipes and mailslots, and performing Remote
Procedure Calls (DCE/RPC over SMB) [1].
NTLM (NT Lan Manager) is a challenge-response authentication protocol
used by the SMB protocol [2].
Windows systems commonly use the SMB protocol with NTLM authentication
Program received signal SIGSEGV, Segmentation fault.
0x0804fdca in main ()
(gdb) disassemble main
[...]
0x0804fd9e <main+2318>: call 0x804bee0 <sprintf@plt>
0x0804fda3 <main+2323>: mov %edi,0x4(%esp)
0x0804fda7 <main+2327>: mov (%esi),%eax
0x0804fda9 <main+2329>: mov 0x10(%eax),%eax
0x0804fdac <main+2332>: mov %eax,(%esp)
0x0804fdaf <main+2335>: call 0x8074aa0 <msSaveQuery>
file with a filename containing a kernel memory address, which allows
local users to obtain potentially sensitive information about kernel
memory use by listing this filename. (CVE-2010-4565)
The install_special_mapping function in mm/mmap.c does not make an
expected security_file_mmap function call, which allows local users
to bypass intended mmap_min_addr restrictions and possibly conduct
NULL pointer dereference attacks via a crafted assembly-language
application. (CVE-2010-4346)
The sk_run_filter function does not check whether a certain memory
interrupted the connection before the data was received.
In this function the size of the data to send (0x2c) is passed to
ntohl() and stored in the stack buffer where the beginning of the packet
to send is located, but when the exception is raised the code flow
continues from 01013e86 and, after a CALL EAX in msvcrt.dll, arrives
at 01013e8a where EDI takes the value at [EBP-4C], which is just
0x2c000000 (yes, it's 0x2c in network byte order).
I have "tried" to resume the code flow here:
2. *Vulnerability Information*
Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-1932
Bugtraq ID: N/A
.text:0106684C Unescape:
.text:0106684C cmp di, '%' ; di contains the current wchar in the input URL.
.text:01066850 jnz short LiteralChar ; if this is not a '%', it must be a literal character.
.text:01066852 push esi ; esi contains a pointer to the current position in URL to unescape.
.text:01066853 call ds:wcslen ; find the remaining length.
.text:01066859 cmp word ptr [esi], 'u' ; if the next wchar is 'u', this is a unicode escape and I need 4 xdigits.
.text:0106685D pop ecx ; this sequence calculates the number of wchars needed (4 or 2).
.text:0106685E setz cl ; i.e. %uXXXX (four needed), or %XX (two needed).
.text:01066861 mov dl, cl
.text:01066863 neg dl
3.4.2. Exploits
All the exploits are created using the accompanying Makefiles in the respective
subdirectories. When open in vim (or ex, view), the exploits create a file
called ``pwned'' in the current directory. To create all the exploits in a
certain subdirectory, run ``make all'' in that subdirectory. See the respective
Makefile sources for details.
It is also possible to use the Makefile in the root directory of this archive.
To test all the exploits, run ``make test''. On an unpatched system, this
to the bottom page of a shared memory segment, as demonstrated by a
memory-exhaustion attack against the X.Org X server. (CVE-2010-2240)
The do_tcp_setsockopt function in net/ipv4/tcp.c in the Linux kernel
does not properly restrict TCP_MAXSEG (aka MSS) values, which allows
local users to cause a denial of service (OOPS) via a setsockopt call
that specifies a small value, leading to a divide-by-zero error or
incorrect use of a signed integer. (CVE-2010-4165)
The copy_shmid_to_user function in ipc/shm.c in the Linux kernel
does not initialize a certain structure, which allows local users to