environment variable
before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1)
safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars
directives, which allows context-dependent attackers to execute
programs with an arbitrary environment via the env parameter, as
demonstrated by a crafted value of the LD_LIBRARY_PATH environment
variable (CVE-2009-4018).
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
In general, a standard system update will make all the necessary changes.
Details follow:
Tavis Ormandy discovered multiple flaws in the GNU C Library's handling
of the LD_AUDIT environment variable when running a privileged binary. A
local attacker could exploit this to gain root privileges. (CVE-2010-3847,
CVE-2010-3856)
Updated packages for Ubuntu 8.04 LTS:
main/php_open_temporary_file.c
/* On Unix use the (usual) TMPDIR environment variable. */
{
char* s = getenv("TMPDIR");
if (s && *s) {
int len = strlen(s);
same-origin policy by using modal calls with JavaScript. If JavaScript were
enabled, an attacker could exploit this to steal information from another
site. (CVE-2010-3178)
Dmitri Gribenko discovered that Thunderbird did not properly
set up the LD_LIBRARY_PATH environment variable. A local attacker could
exploit this to execute arbitrary code as the user invoking the program.
(CVE-2010-3182)
Updated packages for Ubuntu 10.04 LTS:
load libraries via various LD_ environment variables.
II. Problem Description
When running setuid programs rtld will normally remove potentially
dangerous environment variables. Due to recent changes in FreeBSD
environment variable handling code, a corrupt environment may
result in attempts to unset environment variables failing.
III. Impact
Eduardo Vela Nava discovered that Firefox could be made to violate the
same-origin policy by using modal calls with JavaScript. An attacker could
exploit this to steal information from another site. (CVE-2010-3178)
Dmitri Gribenko discovered that Firefox did not properly
set up the LD_LIBRARY_PATH environment variable. A local attacker could
exploit this to execute arbitrary code as the user invoking the program.
(CVE-2010-3182)
Updated packages for Ubuntu 8.04 LTS:
the necessary changes.
Details follow:
Jan Oravec discovered that Tomboy did not properly set up the
LD_LIBRARY_PATH environment variable. A local attacker could
exploit this to execute arbitrary code as the user invoking
the program.
Updated packages for Ubuntu 6.06 LTS:
than CVE-2010-0296 (CVE-2011-1089).
locale/programs/locale.c in locale in the GNU C Library (aka glibc
or libc6) before 2.13 does not quote its output, which might allow
local users to gain privileges via a crafted localization environment
variable, in conjunction with a program that executes a script that
uses the eval function (CVE-2011-1095).
Integer overflow in posix/fnmatch.c in the GNU C Library (aka glibc or
libc6) 2.13 and earlier allows context-dependent attackers to cause a
denial of service (application crash) via a long UTF8 string that is
The dba_replace function in PHP 5.2.6 and 4.x allows context-dependent
attackers to cause a denial of service (file truncation) via a key with
the NULL byte. NOTE: this might only be a vulnerability in limited
circumstances in which the attacker can modify or add database entries
elseif(is_readable('shared/global.php'))
include_once 'shared/global.php';
elseif(is_readable('yacs/shared/global.php'))
include_once 'yacs/shared/global.php';
else
exit('The file shared/global.php has not been found. Please reinstall or mention home directory in file yacs.home or configure the YACS_HOME environment variable.');
// load libraries used in this script
include_once $context['path_to_root'].'feeds/feeds.php'; // some links to newsfeeds
include_once $context['path_to_root'].'links/links.php'; // <= 2 (i dont give fuck)
privilege escalations. Default Ubuntu installations were not affected.
Original advisory details:
Tavis Ormandy discovered multiple flaws in the GNU C Library's handling
of the LD_AUDIT environment variable when running a privileged binary. A
local attacker could exploit this to gain root privileges. (CVE-2010-3847,
CVE-2010-3856)
Updated packages for Ubuntu 8.04 LTS:
Description
===========
Viesturs reported that the default configuration for Gentoo's init
script ("/etc/conf.d/firebird") sets the "ISC_PASSWORD" environment
variable when starting Firebird. It will be used when no password is
supplied by a client connecting as the "SYSDBA" user.
Impact
======
CVE-2010-4448
Malicious applets can perform DNS cache poisoning.
CVE-2010-4450
An empty (but set) LD_LIBRARY_PATH environment variable results in
a misconstructed library search path, resulting in code execution
from possibly untrusted sources.
CVE-2010-4465
Malicious applets can extend their privileges by abusing Swing
(simple) Windows shortcut. If a user double clicks such a message,
Outlook will open the link provided by the PR_ATTACH_PATHNAME or
PR_ATTACH_LONG_PATHNAME MAPI property.
Setting PR_ATTACH_PATHNAME to cmd.exe causes Outlook to search the PATH
environment variable for an executable named cmd.exe. If such a file is
found, this file will be executed. Normally this will result in a
command shell. The path name can be set to anything that is supported by
Windows, including UNC names (e.g.
\\servername\sharename\executable.exe) but also URLs (e.g.
http://www.akitasecurity.nl/advisory/RunCalc.exe). For URLs, Outlook
CVE Id(s) : CVE-2010-3847 CVE-2010-3856
Debian Bug : 600667
Ben Hawkes and Tavis Ormandy discovered that the dynamic loader in GNU
libc allows local users to gain root privileges using a crafted
LD_AUDIT environment variable.
For the stable distribution (lenny), this problem has been fixed in
version 2.7-18lenny6.
For the upcoming stable distribution (squeeze), this problem has been
a reference count. NOTE: some of these details are obtained from
third party information. NOTE: this vulnerability exists because of
an incomplete fix for CVE-2009-3553 (CVE-2010-0302).
The _cupsGetlang function, as used by lppasswd.c in lppasswd in CUPS
1.2.2, 1.3.7, 1.3.9, and 1.4.1, relies on an environment variable
to determine the file that provides localized message strings, which
allows local users to gain privileges via a file that contains crafted
localization data with format string specifiers (CVE-2010-0393).
The updated packages have been patched to correct these issues.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Tomboy doesn't properly handle environment variables, potentially
allowing a local attacker to execute arbitrary code.
Background
==========
Local exploitation of a buffer overflow vulnerability in the db2dasrrm
program, as included with IBM Corp.'s DB2 Universal Database, allows
attackers to elevate privileges to root.
This vulnerability exists due to insufficient validation of the length
of the attacker-supplied "DASPROF" environment variable contents. By
setting the variable to a specially crafted string, an attacker can
cause a buffer overflow when the string is copied into a static-sized
buffer stored on the stack. By overflowing the buffer, the attacker can
overwrite execution control structures stored on the stack and execute
arbitrary code.
but I don't own a domain:( I tried to attach ZIP archive, but it seems
it's being filtered.
Exploit code is a bit bloated, but because of the code repetition and
redundancy, I decided to aggregate it together in a small application.
Boost library is required for project compilation (read from BOOST
environment variable).
DISCLOSURE TIMELINE:
---------------
2 Feb 2010: Discovery of vulnerabilities
B. Heap-based Buffer Underflow (CVE-2009-0840)
Severity: Medium
By providing a specially-crafted POST request to the "mapserv" CGI
application, an out-of-bounds memory write can be triggered.
Specifically, by setting the "CONTENT_LENGTH" environment variable to
-1, the code will write a zero byte to "data[ -1 ]", where "data" is a
character array allocated on the heap via malloc(3).
When the following is executed locally on the command line:
The patch I submitted to the Apache group
1) by default makes use of the /dev/urandom device that is available
on most modern open systems OSes
2) allows the user to specify another seed source (such as /dev/random)
via an environment variable
3) prints a warning if it has to fall back to using time()
Users of Microsoft Windows or other target platforms that lack /dev/urandom
might want to improve on this approach with appropriate APIs such as
RtlGenRandom on Windows. Also, the patch provides no updates to the htpasswd
and 1.4.2_29 and earlier for Solaris and Linux allows local standalone
applications to affect confidentiality, integrity, and availability via
unknown vectors related to Launcher. NOTE: the previous information was
obtained from the February 2011 CPU. Oracle has not commented on claims
from a downstream vendor that this issue is an untrusted search path
vulnerability involving an empty LD_LIBRARY_PATH environment variable
(CVE-2010-4450).
Unspecified vulnerability in the Java Runtime Environment (JRE)
in Oracle Java SE and Java for Business 6 Update 23 and earlier,
5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote
scripting (XSS) attacks and HTTP response splitting attacks via vectors
related to (a) the product's web interface, (b) the configuration of
the print system, and (c) the titles of printed jobs (CVE-2009-2820).
The updated packages have been patched to correct these issues.
affected Ubuntu 8.04 LTS, 8.10, 9.04 and 9.10. (CVE-2009-3553,
CVE-2010-0302)
Ronald Volgers discovered that the CUPS lppasswd tool could be made to load
localized message strings from arbitrary files by setting an environment
variable. A local attacker could exploit this with a format-string
vulnerability leading to a root privilege escalation. The default compiler
options for Ubuntu 8.10, 9.04 and 9.10 should reduce this vulnerability to
a denial of service. (CVE-2010-0393)
Intermittent segfaults occurred on x86_64 with the latest phpmyadmin
and with apache (#53735).
Additionally, some packages which require so, have been rebuilt and
frame. (CVE-2009-0600)
Format string vulnerability in Wireshark 0.99.8 through 1.0.5
on non-Windows platforms allows local users to cause a denial of
service (application crash) via format string specifiers in the HOME
environment variable. (CVE-2009-0601)
This update provides Wireshark 1.0.6, which is not vulnerable to
these issues.
_______________________________________________________________________
code execution possible.
=====[ Exploitation
The LANG environment variable gets copied to a fixed location in
memory. An attacker can achieve arbitrary code execution by
placing his shellcode in the variable, and then overwrite the
return address of GeneratePassword() with the known address that
the value is copied to.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Blam doesn't properly handle environment variables, potentially
allowing a local attacker to execute arbitrary code.
Background
==========
> 1. The directory from which the application loaded
> 2. 32-bit System directory (Windows\System32)
> 3. 16-bit System directory (Windows\System)
> 4. Windows directory (Windows)
> 5. Current working directory
> 6. Directories in the PATH environment variable As
> OracleOciLib is not used on target system, oci.dll does not
> exist, so if a full path is not supplied when calling the dll
> or the search path has not been cleared before the call, we
> will hit our fifth search path and load the library from the
> remote filesystem.
privilege in Windows NT, 2000 in the default configuration and in
Windows 2003 in some circumstances.
This causes several instances of Windows PATH trolling, where Windows
tries to locate the icabar.exe file in the directories listed in its
PATH environment variable. If the attacker is able to write to any of
the directories listed in the PATH before the Citrix Metaframe PATH
entry, the attacker can escalate privileges.
The standard file ACL (Access Control List) of the Windows NT and 2000
operating systems is weak and allows any user to create files in the