
PHP filesystem attack vectors

O_RDONLY) = -1 ENAMETOOLONG (File name too long)

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

This will result in ENAMETOOLONG, but this glibc limitation can be overcome
by using directories.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

strace -e open -s 100000 php -r
'include("includes/".addslashes(urldecode("../../../tmp/something".str_repeat("foo/",

CA Products That Embed Ingres Multiple Vulnerabilities

Unix/Linux:
1. Log on to your system using the installation owner account and 
   make sure the environment is set up correctly:
      1. II_SYSTEM must be set to the Ingres system files
      2. PATH must include $II_SYSTEM/bin and $II_SYSTEM/utility 
         directories.
2. Change directory to the root directory of the Ingres 
   installation or use a previously created directory.
      cd $II_SYSTEM/ingres
      or
      cd <patch_directory>

Cisco Security Advisory: Cisco Unified Communications Manager IP Phone Personal Address Book Synchronizer Privilege Escalation Vulnerability

Cisco Unified Communications Manager, formerly CallManager, contains
a privilege escalation vulnerability in the IP Phone Personal Address
Book (PAB) Synchronizer feature that may allow an attacker to gain
complete administrative access to a vulnerable Cisco Unified
Communications Manager system. If Cisco Unified Communications
Manager is integrated with an external directory service, it may be
possible for an attacker to leverage the privilege escalation
vulnerability to gain access to additional systems configured to use
the directory service for authentication.

Cisco has released free software updates that address this

two bytehoard 2.1 bugs

logging using an attacker controlled computer or using session fixation.
Were a method of setting the "$_SESSION['username']" found without 
having to log in, this exploit would become a remote root (for the 
application, not the host).
These methods can also be used to escalate privileges to a nonexistent 
account. In that case, a home directory is created for that "phantom" 
user, and the system behaves normally, but no account is created. The 
phantom user's data can be retrieved by repeating the exploit.


============================================================================================================================

Collection of Vulnerabilities in Fully Patched Vim 7.1

3.4.2. Exploits

All the exploits are created using the accompanying Makefiles in the respective
subdirectories.  When opened in vim (or ex, view), the exploits create a file
called ``pwned'' in the current directory.  To create all the exploits in a
certain subdirectory, run ``make all'' in that subdirectory.  See the respective
Makefile sources for details.

It is also possible to use the Makefile in the root directory of this archive.

CA20111116-01: Security Notice for CA Directory

-----BEGIN PGP SIGNED MESSAGE-----

CA20111116-01: Security Notice for CA Directory

Issued: November 16, 2011

CA Technologies Support is alerting customers to a potential risk
with CA Directory. A vulnerability exists that can allow a remote
attacker to cause a denial of service condition. Remediation is
available to address the vulnerability.

HTC / Android OBEX FTP Service Directory Traversal Vulnerability

- HTC devices running Android 2.1
- HTC devices running Android 2.2
References: http://www.seguridadmobile.com/android/android-security/HTC-Android-OBEX-FTP-Service-Directory-Traversal.html

Summary:
HTC devices running Android 2.1 and Android 2.2 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service. Exploiting this issue allows a remote authenticated attacker to list arbitrary directories, and read arbitrary files, via a ../ in a pathname.

Description:
Current HTC / Android phones include a Bluetooth stack, which provides Bluetooth communications with other remote devices. The File Transfer Profile (OBEX FTP) is one of the Bluetooth services that may be implemented in the stack.

The OBEX FTP service is a software implementation of the File Transfer Profile (FTP). The File Transfer Profile (FTP) is intended for data exchange and it is based on the OBEX communications client-server protocol. The service is present in a large number of Bluetooth mobile phones. This service can be used for sending files from the phone to other remote devices and also allows remote devices to browse shared folders and download files from the phone. 

Postfix local privilege escalation via hardlinked symlinks

Also not affected are the following configurations: a) maildir-style
delivery with the Postfix built-in local or virtual delivery agents;
b) mail delivery with non-Postfix local or virtual delivery agents;
c) mailbox-style delivery with the Postfix built-in virtual delivery
agent when virtual mailbox parent directories have no "group" or
other write permissions.

The following configurations are known to be affected on Linux
kernel >= 2.0, Solaris >= 2.0, OpenSolaris 11-2008.5, IRIX 6.5, and
other systems where users can create hardlinks to symlinks: a)

[security bulletin] HPSBUX02587 SSRT100215 rev.1 - HP-UX Directory Server and Red Hat Directory Server for HP-UX, Local Disclosure of Information, Privilege Escalation

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02522633
Version: 1

HPSBUX02587 SSRT100215 rev.1 - HP-UX Directory Server and Red Hat Directory Server for HP-UX, Local Disclosure of Information, Privilege Escalation

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2010-09-22
Last Updated: 2010-09-22

Re: /proc filesystem allows bypassing directory permissions on

are located that reference this inode and what permissions are on the
directory and path up to the root.


The real fun with unexpected results is with Microsoft Windows ACLs
and inheritable permissions on directories.  If you move files around
there, the effects on the resulting access permissions of a file
are quite often surprising, especially if the files are moved
across device boundaries.



WinImage 8.10 vulnerabilities

readme.txt                                         /../../../../../../../../asdf.exe 


It's the same situation with folders. If a directory name is, for example,
"../../../../../../../../asdf", then all of its subdirectories and files
will be extracted to a folder named "asdf", created in the root of the
partition.
Both file and directory name modifications are shown in the
PoC file provided (TEST1, TEST2 folders).


FreeBSD Security Advisory FreeBSD-SA-07:01.jail [REVISED]

IV.  Workaround

If the sysctl(8) variable security.jail.chflags_allowed is set to 0
(the default), setting the "sunlnk" system flag on /var, /var/log,
/var/log/console.log, and all file system mount points and their
parent directories inside the jail(s) will ensure that the console
log file and mount points are not replaced by symbolic links.  If
this is done while jails are running, the administrator must check
that an attacker has not replaced any directories with symlinks
after setting the "sunlnk" flag.


[USN-897-1] MySQL vulnerabilities

necessary changes.

Details follow:

It was discovered that MySQL could be made to overwrite existing table
files in the data directory. An authenticated user could use the DATA
DIRECTORY and INDEX DIRECTORY options to possibly bypass privilege checks.
This update alters table creation behaviour by disallowing the use of the
MySQL data directory in DATA DIRECTORY and INDEX DIRECTORY options. This
issue only affected Ubuntu 8.10. (CVE-2008-4098) 


Cisco Security Advisory: Multiple Vulnerabilities in Cisco Security Agent

Summary
=======

The Management Center for Cisco Security Agents is affected by a
directory traversal vulnerability and a SQL injection vulnerability.
Successful exploitation of the directory traversal vulnerability may
allow an authenticated attacker to view and download arbitrary files
from the server hosting the Management Center. Successful
exploitation of the SQL injection vulnerability may allow an
authenticated attacker to execute SQL statements that can cause

Cisco Security Advisory: Cisco ACE Application Control Engine Device Manager and Application Networking Manager Vulnerabilities

other. Successful exploitation of these vulnerabilities may result in
unauthorized system or host operating system access.

This security advisory identifies the following vulnerabilities:

  * ACE Device Manager and ANM invalid directory permissions
    vulnerability
  * ANM default user credentials vulnerability
  * ANM MySQL default credentials vulnerability
  * ANM Java agent privilege escalation


HPSBUX02324 SSRT080034 rev.1 - HP-UX Running Netscape Directory Server (NDS), Local Gain Extended Privileges

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01433676
Version: 1

HPSBUX02324 SSRT080034 rev.1 - HP-UX Running Netscape Directory Server (NDS), Local Gain Extended Privileges

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2008-05-05
Last Updated: 2008-05-05

PR10-07: Unauthenticated File Retrieval (traversal) within ColdFusion administration console

ColdFusion 9
1.      Download CFIDE-9.zip from Adobe. 
2.      Make a backup of the {CFIDE-Home}\administrator\cftags\l10n.cfm and {CFIDE-Home}\administrator\cftags\l10n_testing.cfm files. 
3.      Extract the files in CFIDE-9.zip to the web root directory that contains the CFIDE folder. The Server Settings > Mappings page in the ColdFusion
Administrator shows the location of the CFIDE directory in the value for the CFIDE mapping. 
4.      Repeat steps 2 and 3 if there are other CFIDE directories identified in any other instances. 
5.      Restart all the ColdFusion instances.

ColdFusion 8.0.1
1.      Download CFIDE-801.zip from Adobe. 
2.      Make a backup of the {CFIDE-Home}\administrator\cftags\l10n.cfm and {CFIDE-Home}\administrator\cftags\l10n_testing.cfm files. 

HTC / Windows Mobile OBEX FTP Service Directory Traversal

- HTC devices running Windows Mobile 5.0
- Other vendors’ Windows Mobile devices
References: http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/HTC-Windows-Mobile-OBEX-FTP-Service-Directory-Traversal.html

Summary:
HTC devices running Windows Mobile 6 and Windows Mobile 6.1 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service. Exploiting this issue allows a remote authenticated attacker to list arbitrary directories, and write or read arbitrary files, via a ../ in a pathname. This can be leveraged for code execution by writing to a Startup folder.

Description:
There exists a directory traversal vulnerability in the OBEX FTP Service in the Bluetooth stack implemented in HTC devices running Windows Mobile 6 and Windows Mobile 6.1. The OBEX FTP server is located in \Windows\obexfile.dll. Microsoft states this is a 3rd party driver developed by HTC and installed on HTC devices running Windows Mobile, so the vulnerability only affects this vendor specifically.

A remote attacker (who already holds authentication and authorization rights) can use tools like ObexFTP or gnomevfs-ls from a Linux box to traverse to parent directories outside the default Bluetooth shared folder by using ../ or ..\\ sequences.

Re: /proc filesystem allows bypassing directory permissions on Linux

idea what he was getting himself into.  =8^)  

> If the file owner in fact allows writing to it, why should Linux
> prevent that from happening?

Because securing a file by securing directories that lead to it is a
valid and important (and expected) feature of file access semantics.

That said, the user in the example already has access to the file (in
a running process), and would be able to do so again, *if he had
access to a directory where the file was hard-linked*.  Pavel

X-Diesel Unreal Commander v0.92 (build 573) multiple vulnerabilities

Security Advisory
http://blog.hispasec.com/lab/

Name         : X-Diesel Unreal Commander v0.92 (build 573) multiple vulnerabilities
Class        : Local/Remote multiple directory traversal (Input Validation Error)
Threat level : HIGH
Discovered   : 2007-08-09
Published    : 2007-08-23
Credit       : Gynvael Coldwind

TurboFTP Server Directory Traversal Vulnerability

1. Vendor description of software
------------------------------------------------
TurboFTP Server is a high performance, secure, scalable and management friendly file transfer server running on Windows platforms. With it you can easily set up a secure file transfer server that delivers regular FTP, FTP over SSL/TLS, and "SFTP over SSH" services with virtual domains, advanced directory access control, virtual folders, IP access control, flexible authentication options and many other features.
2. Vulnerability details:
------------------------------------------------
A directory traversal vulnerability exists in the "FTP" and "SFTP" modules of TurboFTP Server that allows an authenticated user to create directories outside the root directory, which may lead to other attacks.

If you can log on to the server successfully,
take the following steps to create folders outside the SFTP root directory:
1.      $ssh2 = Net::SSH2->new();
2.      $ssh2->connect($server, $port);

Cisco Security Advisory: CDS Internet Streamer: Web Server Directory Traversal Vulnerability

Service Rules
+------------

As an interim step prior to upgrading the Cisco content delivery system
software, it is possible to deny access to sensitive directories via
service rules. The following example shows denying access to move up a
directory level. This also caters for other directory moves, such as
"\.\./", ".\./" or "\../":

    rule enable

Re: /proc filesystem allows bypassing directory permissions on Linux

On Mon, Oct 26, 2009 at 12:14:36PM -0400, Stephen Harris wrote:

||  User1 creates file with permissions 0644
||                      User2 opens file for read access on file descriptor 4
||  User1 chmod's directory to 0700
||  User1 chmod's file to 0666
||  User1 verifies no hard links to file
||                      User2 can not open the file for read or write access
||                      User2 can not write to file descriptor 4
||                      User2 _can_ write to /proc/$$/fd/4

Re: /proc filesystem allows bypassing directory permissions on Linux

psz@maths.usyd.edu.au wrote:

> > According to POSIX, if you open the directory with O_SEARCH then openat()
> > does not re-check search (+x) permissions.
> 
> My 2.6.26 kernel (or Debian lenny) does not seem to know about O_SEARCH.
> But anyway... even if openat() does not re-check permissions, it should
> surely fail when in fact it does not have permissions? Surely, directory
> contents are not cached? Or, do you have an example (of a running OS)

Hosting Controller - Multiple Security Bugs (Extremely Critical)

####################
- Discussion:
####################

1- [Remote Attacker] can log in to the Hosting Controller panel. He can also change all other users' passwords.
2- [User] can copy a file to the Hosting Controller web directory, which is executed under administrative privilege, so an attacker can execute his commands with administrative privilege. E.g. an attacker can gain a remote desktop on the server using this bug by uploading an ASP file!
3- [Remote Attacker] can create a new user.
4- [Remote Attacker] can change all users' profiles.
5- [User] can see all the database information via a SQL injection.
6- [User] can change his credit amount or increase his discount.
7- [User] can uninstall other users' FrontPage extensions.

[ GLSA 200810-02 ] Portage: Untrusted search path local root vulnerability

Synopsis
========

A search path vulnerability in Portage allows local attackers to
execute commands with root privileges if emerge is called from
untrusted directories.

Background
==========

Portage is Gentoo's package manager which is responsible for

FreeWebshop.org: multiple vulnerabilities

Besides changing the default password for the admin user and removing
the install.php script, no specific instructions are provided to secure
the installation of FWS. The manual assumes that FWS is installed on a
LAMP server (Linux, Apache, MySQL & PHP). If the ZIP archive is
extracted or the files are uploaded to the document root of the
webserver, the new files and directories will be created based on the
active umask. In most cases, this will give read & write access to
the owner of the files and read access for all other users.

Since FWS needs to write to certain files and directories, the
instructions in the manual tell you to specifically set file permissions

VMware Tools Multiple Vulnerabilities

The mount.vmhgfs utility checks that the user-provided mountpoint is owned by
the user attempting to mount an HGFS share prior to performing the mount.
However, a race condition exists between the time this checking is performed
and when the mount is performed.  Successful exploitation allows a local
attacker to mount HGFS shares over arbitrary, potentially root-owned
directories, subsequently allowing privilege escalation within the guest.

CVE-2011-2145:

The vmware-user-suid-wrapper utility attempts to create a directory at
/tmp/VMwareDnD.  Next, it makes calls to chown() and chmod() to make this

linux privileged and arbitrary chdir() (fixed at 5.4 cifs release)

2. BACKGROUND
-------------------------
mount.cifs (GNU Software) is part of the Linux base system, and is installed setuid on
most distributions (Arch Linux, Debian, Ubuntu, ...).

This software mounts CIFS partitions onto directories authorized by fstab.



3. DESCRIPTION
-------------------------

Re: /proc filesystem allows bypassing directory permissions on Linux

On 24.10.2009 10:47, Anton Ivanov wrote:
> Following your logic we should all abandon directory permissions and
> stick to file-only ones. Hmm... Dunno, probably the blood level in my
> coffee subsystem is too high this morning, but I do not quite relish
> that idea.
>
I didn't affirm that. I only said that directory permissions can't in fact
restrict access to the files they contain; they can only hamper accessing that
file via that directory.


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.