data structures
Background
==========
Each Cyrus SASL authentication mechanism is implemented with a) one
statically-allocated shared data structure containing data and
pointers to functions that implement the mechanism, and b)
dynamically-allocated session context data structures with
authentication state.
When the Postfix SMTP server receives "AUTH CRAM-MD5" (line 8 above),
print "<pre>Bugzilla::Chart object:\n";
print Data::Dumper::Dumper($self);
print "</pre>";
}
The dump() method then prints the given data structures without any
further checks. This includes user-defined variables sent as URL or HTTP
POST parameters, especially "label0". As the content of this variable is
not checked for malicious input, it can be used to inject arbitrary
JavaScript code into the debugging output. In fact, any variable of the
form "labelXXX", where "XXX" is an arbitrary number, will work. The
When tried at random, these reads beyond bounds often hit an invalid
memory page, for example at the end of the Flash movie. Perhaps because
of this, out-of-bounds reads are often, and incorrectly, considered
harmless by developers and testers. Unbounded reads whose results have
observable side effects can still be used to expose sensitive
information, however. iSEC was able to read sensitive data structures
from process memory using this technique. Since the Flash movie is
located in a region of process memory that is highly fragmented, the
memory following our Flash movie is often unavailable, and in its place
is an invalid page. When this page is encountered an exception will be
thrown. Using the behavior of the memory management system to guide us,
we can reduce the size of the
beginning or very end of a kernel-mode service routine (a generic term
referring to interrupt handlers and system call handlers), on certain
x64 operating systems. Exploitability in such a case depends on the
operating system's use of the x64 SWAPGS instruction as the sole
mechanism for switching the GS base address between user-mode and
kernel-mode system data structures, and it requires that the operating
system act on the data at GS: in an exploitable way, without any
preclusive safety checks. (For more information on SWAPGS and the GS:
segment override in the x64 architecture, see "AMD64 Architecture
Programmer's Manual" Volumes 2 and 3, "24593.pdf" and "24594.pdf".)
- Advanced Trojans, worms and backdoor technique
- Encryption & decryption technique
--- Intrusion detection/forensics analysis
- File system analysis & recovery
- Real-time data structure recovery
- Reverse engineering (malicious code analysis technique,
vulnerability research)
- Traffic analysis
- Intrusion detection and anti-detection technique
necessary changes.
Details follow:
Pavel Polischouk discovered that Pan incorrectly handled certain data
structures. If a user were tricked into viewing malicious nntp data, a
remote attacker could cause a denial of service or possibly execute
arbitrary code with the privileges of the user invoking the program.
Updated packages for Ubuntu 8.04 LTS:
- Encryption & decryption technique
- Routing device
--- Intrusion detection/forensics analysis
- File system analysis & recovery
- Real-time data structure recovery
- Reverse engineering (malicious code analysis technique, vulnerability research)
- Intrusion detection and anti-detection technique
- Traffic analysis
--- Wireless & VoIP security
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4355
Description:
In previous versions of openssl, calling CRYPTO_cleanup_all_ex_data
did not properly clean up data structures used in openssl's zlib
compression methods. As a result, applications which called
CRYPTO_cleanup_all_ex_data and subsequently processed SSLv3
requests would leak significant amounts of memory per request.
In particular, this is known to affect systems running Apache httpd
On Konqueror 3.5.9, what happens is that this childish code builds a huge string, eats memory, causes swapping, and finally blows away Konq. Linux and X and everything else stay up and recover nicely. (Gentoo/AMD64X2/3G mem)
This isn't an exploit -- at least not on Linux -- it's just kiddie stupidity. It doesn't take any particular cleverness to blow memory by dynamically creating bigger and bigger data structures. With virtual memory and 64-bit pointers, when exactly do we return -ENOMEM?
>> - Advanced Trojans, worms and backdoor technique
>> - Encryption & decryption technique
>>
>> --- Intrusion detection/forensics analysis
>> - File system analysis & recovery
>> - Real-time data structure recovery
>> - Reverse engineering (malicious code analysis technique,
>> vulnerability research)
>> - Traffic analysis
>> - Intrusion detection and anti-detection technique
>>
> All good ideas, but I believe stillborn at this point. You would get
> far more mileage IMO out of promoting "HTTP 2.0" and issuing in a
> separate data and control channel for the browser, and then look at
> something like this for dynamic auth tokens, combined with data
> structure nonces as well. Kill two birds with one stone. Folks that
> want strong dynamic auth are probably largely the same folks who want
> strong data structures enforced.
Far too often security initiatives fail to gain any momentum because
they bite off far more than they can chew. I'd love to redesign digest
craig@airnet.net wrote:
> On Konqueror 3.5.9, what happens is that this childish code builds a huge string, eats memory, causes swapping, and finally blows away Konq. Linux and X and everything else stay up and recover nicely. (Gentoo/AMD64X2/3G mem)
>
> This isn't an exploit -- at least not on Linux -- it's just kiddie stupidity. It doesn't take any particular cleverness to blow memory by dynamically creating bigger and bigger data structures. With virtual memory and 64-bit pointers, when exactly do we return -ENOMEM?
>
>
Could you be a bit more specific as to the circumstances of the DOS
exploit and how this could be replicated?
Thank you.
=======
In newer versions of Cisco IOS software, a new packet forwarding
infrastructure was introduced to improve scalability and performance.
This forwarding infrastructure, called MFI, is transparent to the
user. MFI manages MPLS data structures used for forwarding and
replaces the older implementation, Label Forwarding Information Base
(LFIB). The Cisco IOS MFI implementation is vulnerable to a DoS attack
from specially crafted packets that are handled in the software path,
including transit packets. Such packets can be sent from the local
segment to the interfaces that are
> Konq. Linux and X and everything else stay up and recover nicely.
> (Gentoo/AMD64X2/3G mem)
>
> This isn't an exploit -- at least not on Linux -- it's just kiddie
> stupidity. It doesn't take any particular cleverness to blow memory by
> dynamically creating bigger and bigger data structures. With virtual
> memory and 64-bit pointers, when exactly do we return -ENOMEM?
When RLIMIT_AS has been exceeded.
If you disable the use of mmap'd-malloc() via mallopt(M_MMAP_MAX, 0),
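The reply above answers the "-ENOMEM" question with RLIMIT_AS. The C program below is an added example, not code from the thread: it lowers its own address-space limit, allocates fixed-size blocks until malloc() fails, checks that the failure is ENOMEM, and restores the old limit. It assumes Linux with glibc; the 128 MiB limit, the 1 MiB chunk size and the block cap are arbitrary choices for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* Lower the soft RLIMIT_AS to as_limit, then malloc() chunk-byte blocks
 * (touching each one so the pages are really committed) until malloc()
 * returns NULL or max_blocks is reached.  Returns the number of blocks
 * obtained, or -1 if the limit could not be set or the failure was not
 * ENOMEM.  Everything is freed and the old limit restored before return. */
long alloc_until_enomem(rlim_t as_limit, size_t chunk, size_t max_blocks)
{
    struct rlimit old, lim;
    if (getrlimit(RLIMIT_AS, &old) != 0)
        return -1;
    lim.rlim_cur = as_limit;            /* soft limit: what malloc() will hit */
    lim.rlim_max = old.rlim_max;        /* leave the hard limit alone         */
    if (setrlimit(RLIMIT_AS, &lim) != 0)
        return -1;

    void **blocks = calloc(max_blocks, sizeof *blocks);
    if (!blocks) {
        setrlimit(RLIMIT_AS, &old);
        return -1;
    }

    long n = 0;
    int saved_errno = 0;
    while ((size_t)n < max_blocks) {
        errno = 0;
        void *p = malloc(chunk);
        if (!p) {
            saved_errno = errno;        /* glibc sets ENOMEM here */
            break;
        }
        memset(p, 0xA5, chunk);         /* commit the pages, not just reserve */
        blocks[n++] = p;
    }
    for (long i = 0; i < n; i++)
        free(blocks[i]);
    free(blocks);
    setrlimit(RLIMIT_AS, &old);         /* raise the soft limit back up */

    if ((size_t)n < max_blocks && saved_errno != ENOMEM)
        return -1;
    return n;
}

int main(void)
{
    const rlim_t limit = 128UL * 1024 * 1024;   /* 128 MiB of address space */
    const size_t chunk = 1024 * 1024;           /* 1 MiB per malloc()       */
    long n = alloc_until_enomem(limit, chunk, 256);
    if (n < 0) {
        perror("alloc_until_enomem");
        return 1;
    }
    printf("%ld x %zu-byte blocks before malloc() failed with ENOMEM\n", n, chunk);
    return 0;
}
```

The count comes out below 128 because the binary, libc and the stack already occupy part of the address space when the limit is applied. With mmap'd allocations disabled via mallopt(M_MMAP_MAX, 0), as the reply goes on to mention, the same limit is hit through brk() instead: RLIMIT_AS caps the total address space regardless of how it is obtained.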
* The aforementioned researchers also reported that ActionScript 2
does not verify a member element's size when performing several known
and other unspecified actions, that DefineConstantPool accepts an
untrusted input value for a "constant count" and that character
elements are not validated when retrieved from a data structure,
possibly resulting in a null-pointer dereference (CVE-2008-5361,
CVE-2008-5362, CVE-2008-5363).
* The vendor reported an unspecified arbitrary code execution
vulnerability (CVE-2008-5499).
Various communication with the vendors for clarifications, distribution
of PoC code, discussion of fixes, etc.
___________________________________________________________________________
Overview:
Hash tables are a commonly used data structure in most programming
languages. Web application servers or platforms commonly parse
attacker-controlled POST form data into hash tables automatically, so
that they can be accessed by application developers.
If the language does not provide a randomized hash function or the
Description:
A variety of programming languages suffer from a denial-of-service (DoS)
condition in the functions that store key/value pairs in hash data
structures; the condition can be triggered by exploiting predictable
collisions in the underlying hashing algorithms.
The issue finds particular exposure in web server applications and/or
frameworks. In particular, the lack of sufficient limits for the number of
parameters in POST requests in conjunction with the predictable collision
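As an added illustration of the two advisories above (example code, not taken from either advisory), the C program below builds keys that collide under DJBX33A, the "times 33" string hash used by PHP's engine, shows that changing the seed does not separate them, and contrasts the insert cost of those keys in a chained hash table against the same keys under a SipHash-2-4 keyed hash. The fragment pairs, bucket counts and the seed-derived key are choices made for the example; SipHash-2-4 is written out from the published algorithm and checked against its published empty-message test vector.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 'E'*33+'z' == 'F'*33+'Y' == 'G'*33+'8' == 2399, so under DJBX33A these
 * fragments are interchangeable; k of them concatenated give 3^k keys. */
static const char *const EQUIV[3] = { "Ez", "FY", "G8" };

/* Bernstein's "times 33" string hash, as used by PHP's Zend engine. */
uint32_t djbx33a(const char *s, uint32_t seed)
{
    uint32_t h = seed;                           /* PHP's seed is 5381 */
    for (; *s; s++)
        h = h * 33 + (unsigned char)*s;
    return h;
}

/* Write all 3^k colliding keys into out, stride bytes apart (2k+1 each). */
size_t colliding_keys(int k, char *out, size_t stride)
{
    size_t n = 1;
    for (int i = 0; i < k; i++) n *= 3;
    for (size_t i = 0; i < n; i++) {
        char *dst = out + i * stride;
        size_t x = i;
        for (int j = 0; j < k; j++, x /= 3)      /* base-3 digits of i pick fragments */
            memcpy(dst + 2 * j, EQUIV[x % 3], 2);
        dst[2 * k] = '\0';
    }
    return n;
}

/* SipHash-2-4 (Aumasson/Bernstein), 64-bit output, written from the spec. */
#define ROTL64(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND \
    do { v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32); \
         v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                       \
         v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                       \
         v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32); } while (0)

static uint64_t le64(const uint8_t *p)           /* little-endian 8-byte load */
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

uint64_t siphash24(const uint8_t *in, size_t len, const uint8_t key[16])
{
    uint64_t k0 = le64(key), k1 = le64(key + 8);
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    uint64_t b = (uint64_t)len << 56;            /* length byte in the final word */
    const uint8_t *end = in + (len & ~(size_t)7);
    for (; in != end; in += 8) {
        uint64_t m = le64(in);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    for (size_t i = 0; i < (len & 7); i++)
        b |= (uint64_t)end[i] << (8 * i);
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Published vector: key 00..0f, empty message -> 0x726fdb47dd0e0e31. */
int siphash_selftest(void)
{
    uint8_t key[16];
    for (int i = 0; i < 16; i++) key[i] = (uint8_t)i;
    return siphash24((const uint8_t *)"", 0, key) == 0x726fdb47dd0e0e31ULL;
}

/* Insert the 3^k colliding keys into a separate-chaining table with nbuckets
 * slots and count the key comparisons the inserts perform (each insert walks
 * its whole chain).  keyed=0 hashes with djbx33a(seed); keyed=1 hashes with
 * siphash24 under a key derived from seed (real code: getrandom()). */
unsigned long chain_insert_cost(int k, size_t nbuckets, int keyed, uint32_t seed)
{
    size_t stride = 2 * (size_t)k + 1, n = 1;
    for (int i = 0; i < k; i++) n *= 3;
    char *keys = malloc(n * stride);
    size_t *chain_len = calloc(nbuckets, sizeof *chain_len);
    uint8_t key[16];
    for (int i = 0; i < 16; i++) key[i] = (uint8_t)(seed >> (8 * (i % 4))) ^ (uint8_t)i;
    colliding_keys(k, keys, stride);
    unsigned long cmp = 0;
    for (size_t i = 0; i < n; i++) {
        const char *s = keys + i * stride;
        uint64_t h = keyed ? siphash24((const uint8_t *)s, strlen(s), key)
                           : djbx33a(s, seed);
        cmp += chain_len[h % nbuckets];          /* one equality test per chained entry */
        chain_len[h % nbuckets]++;
    }
    free(chain_len);
    free(keys);
    return cmp;
}

int main(void)
{
    printf("siphash self-test: %s\n", siphash_selftest() ? "ok" : "FAILED");
    for (int k = 4; k <= 7; k++)
        printf("k=%d: djbx33a(5381)=%lu  djbx33a(seeded)=%lu  siphash24=%lu comparisons\n",
               k, chain_insert_cost(k, 1024, 0, 5381u),
               chain_insert_cost(k, 1024, 0, 0xDEADBEEFu),
               chain_insert_cost(k, 1024, 1, 0xDEADBEEFu));
    return 0;
}
```

For n colliding keys the chained inserts cost n(n-1)/2 comparisons, which is the quadratic work one POST body buys an attacker, while the same keys under the keyed hash cost a handful of comparisons in total. A per-process random seed only helps when it enters the hash non-linearly; a seeded DJBX33A still collides because the seed contributes the same term to every key of equal length. That is why Python and Ruby moved to SipHash, and why PHP's response was a cap on the number of request parameters (max_input_vars), the "sufficient limits" the second advisory refers to.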
CVE-2007-6716
Joe Jin reported a local denial of service vulnerability that
allows system users to trigger an oops due to an improperly
initialized data structure.
CVE-2008-1514
Jan Kratochvil reported a local denial of service vulnerability in
the ptrace interface for the s390 architecture. Local users can
attachment that would overwrite a file used for execution (as an example the
bashrc profile).
Additionally, buffer and heap overflow vulnerabilities can be triggered by
passing a file name exceeding the fixed size of 256 bytes in the TNEF data
structure. This can lead to arbitrary code execution if exploited.
Affected version:
yTNEF, all versions
arbitrary code on vulnerable installations of Cerulean Studios Trillian.
Authentication is not required to exploit this vulnerability.
The specific flaw exists within the XML processing code for Trillian.
When parsing specially formulated xml, the application will corrupt an
internal data structure. Whilst deallocating this data structure, the
application can be tricked into freeing a single allocated chunk
multiple times, which can potentially lead to code execution.
-- Vendor Response:
Trillian has issued an update to correct this vulnerability. More
Integer overflow in the sctp_getsockopt_local_addrs_old function in
net/sctp/socket.c in the Stream Control Transmission Protocol (sctp)
functionality in the Linux kernel before 2.6.25.9 allows local users
to cause a denial of service (resource consumption and system outage)
via vectors involving a large addr_num field in an sctp_getaddrs_old
data structure. (CVE-2008-2826)
arch/x86_64/lib/copy_user.S in the Linux kernel before 2.6.19 on
some AMD64 systems does not erase destination memory locations after
an exception during kernel memory copy, which allows local users to
obtain sensitive information. (CVE-2008-2729)
leaking the private ECC key of a TLS server. (Regular
RSA-based keys are not affected by this vulnerability.)
CVE-2011-4576
The SSL 3.0 implementation does not properly initialize data
structures for block cipher padding, which might allow remote
attackers to obtain sensitive information by decrypting the
padding data sent by an SSL peer.
CVE-2011-4619
The Server Gated Cryptography (SGC) implementation in OpenSSL
Race condition in the directory notification subsystem (dnotify)
in Linux kernel 2.6.x before 2.6.24.6, and 2.6.25 before 2.6.25.1,
allows local users to cause a denial of service (OOPS) and possibly
gain privileges via unspecified vectors. (CVE-2008-1375)
X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to
have an unspecified impact by triggering failure of a policy check
(CVE-2011-4109).
The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before
1.0.0f does not properly initialize data structures for block cipher
padding, which might allow remote attackers to obtain sensitive
information by decrypting the padding data sent by an SSL peer
(CVE-2011-4576).
The Server Gated Cryptography (SGC) implementation in OpenSSL before
corruption and application crash) or possibly execute arbitrary code
via unknown vectors (CVE-2012-0443).
Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before
3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 do not properly
initialize nsChildView data structures, which allows remote attackers
to cause a denial of service (memory corruption and application crash)
or possibly execute arbitrary code via a crafted Ogg Vorbis file
(CVE-2012-0444).
Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through 9.0,
==================
Our goal is to poison the cache of a target domain with arbitrary JavaScript
code. We must build a valid cache entry so that Opera would be tricked into
loading our malicious code. This can be achieved in two different ways:
1. Reverse engineer the cache metadata and data structure and build a malicious
cache entry using that knowledge.
2. Abuse Opera in order to build a malicious cache entry.
We will demonstrate the second technique, targeting the domain m.ibm.com: