
exploit

Collection of Vulnerabilities in Fully Patched Vim 7.1

Parts of Vim are written in the Vim script language.  A feature of this
language widely used in the Vim code is the ``execute'' command, an equivalent
of ``eval'' in some other languages.  Throughout Vim, arguments passed to
``execute'' are not sanitized properly.  This can lead to arbitrary code
execution.  We will show several exploits which execute arbitrary code upon
opening a crafted file with the ex(1), vim(1), or view(1) commands.  Only in
a few cases will we explore the possibility of remote exploitation.  We will
present fixes/workarounds to some of the vulnerabilities.

The archive with code that is a part of this advisory can be found at

[USN-1093-1] Linux Kernel vulnerabilities (Marvell Dove)

check certain sizes. A local attacker could perform malicious ioctl calls
that could crash the system, leading to a denial of service. (Only Ubuntu
10.04 LTS was affected.) (CVE-2010-2478, CVE-2010-3084)

Eric Dumazet discovered that many network functions could leak kernel
stack contents. A local attacker could exploit this to read portions
of kernel memory, leading to a loss of privacy. (Ubuntu 10.10 was not
affected.) (CVE-2010-2942, CVE-2010-3477)

Dave Chinner discovered that the XFS filesystem did not correctly order
inode lookups when exported by NFS. A remote attacker could exploit this to

[USN-1074-2] Linux kernel vulnerabilities

update provides the corresponding updates for Ubuntu 10.04.

Original advisory details:

 Al Viro discovered a race condition in the TTY driver. A local attacker
 could exploit this to crash the system, leading to a denial of service.
 (CVE-2009-4895)
 
 Dan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not correctly
 check file permissions. A local attacker could overwrite append-only files,
 leading to potential data loss. (CVE-2010-2066)

[USN-1074-1] Linux kernel vulnerabilities

all the necessary changes.

Details follow:

Al Viro discovered a race condition in the TTY driver. A local attacker
could exploit this to crash the system, leading to a denial of service.
(CVE-2009-4895)

Dan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not correctly
check file permissions. A local attacker could overwrite append-only files,
leading to potential data loss. (CVE-2010-2066)

[USN-1083-1] Linux kernel vulnerabilities

perform this as well.

Details follow:

Al Viro discovered a race condition in the TTY driver. A local attacker
could exploit this to crash the system, leading to a denial of service.
(CVE-2009-4895)

Gleb Napatov discovered that KVM did not correctly check certain privileged
operations. A local attacker with access to a guest kernel could exploit
this to crash the host system, leading to a denial of service.

[MORNINGSTAR-2009-02] Multiple security issues in Cute News and UTF-8 Cute News

2. Vulnerability Information
------------------------------------------------------------------------------------------------------------------------
Class: Cross Site Request Forgery, Cross Site Scripting, File Path 
Disclosure, Local File Inclusion, Authentication Bypass and PHP Command 
Injection
Remotely Exploitable: Yes
Locally Exploitable: No


3. Vulnerability Description
------------------------------------------------------------------------------------------------------------------------

QuickerSite Multiple Vulnerabilities

#               AmnPardaz Security Research Team
#
# Title: QuickerSite Multiple Vulnerabilities 
# Vendor: www.quickersite.com
# Vulnerable Version: 1.8.5
# Exploit: Available
# Impact: High
# Fix: N/A
# Original Advisory: http://bugreport.ir/index.php?/39
###################################################################################


[USN-1072-1] Linux vulnerabilities

all the necessary changes.

Details follow:

Gleb Napatov discovered that KVM did not correctly check certain privileged
operations. A local attacker with access to a guest kernel could exploit
this to crash the host system, leading to a denial of service.
(CVE-2010-0435)

Dave Chinner discovered that the XFS filesystem did not correctly order
inode lookups when exported by NFS. A remote attacker could exploit this to

[USN-1073-1] Linux kernel vulnerabilities

all the necessary changes.

Details follow:

Gleb Napatov discovered that KVM did not correctly check certain privileged
operations. A local attacker with access to a guest kernel could exploit
this to crash the host system, leading to a denial of service.
(CVE-2010-0435)

Dan Jacobson discovered that ThinkPad video output was not correctly access
controlled. A local attacker could exploit this to hang the system, leading

Vim: Flawed Fix of Arbitrary Code Execution Vulnerability in filetype.vim

not have been fatal if the ``execute'' statements on lines 181 and 1276
were updated to use the fnameescape() function to sanitize the
arguments.


5. EXPLOIT

The exploit needed a small update in order to work with the current Vim.
It produces error messages, and the exploit text is not hidden.  Making
the exploit fully compatible would be just a matter of spending some
more time.  The updated exploit is called ``filetype.vim.updated'':

[USN-1119-1] Linux kernel (OMAP4) vulnerabilities

- linux-ti-omap4: Linux kernel for OMAP4 devices

Details:

Dan Rosenberg discovered that the RDS network protocol did not correctly
check certain parameters. A local attacker could exploit this to gain root
privileges. (CVE-2010-3904)

Nelson Elhage discovered several problems with the Acorn Econet protocol
driver. A local user could cause a denial of service via a NULL pointer
dereference, escalate privileges by overflowing the kernel stack, and

TEHTRI-Security released 13 0days against web tools used by evil attackers

Gents,

As announced in recent emails here, we have just released 13 0days and
new offensive concepts against most of the tools currently used by web
attackers, like web shells, exploit packs, etc, during our new talk at
SyScan Singapore 2010 : http://www.syscan.org/Sg/speakers.html#012

We have given new methods to counter-strike intruders with our new
exploits giving you remote shells, remote SQL injection, permanent XSS
and dangerous XSRF, against remote tools used by attackers.

Re: 0day: PDF pwns Windows

Hi Crispin,

I agree with almost everything you say until here:
"I continue to dismiss the requirement that an 0day be found
maliciously exploiting machines, because that requires inferring
intent."

IMO, everybody in this thread is taking this from an
inside-to-outside approach, whereas a '0day' is the opposite.


HP notebooks remote code execution vulnerability (multiple series)

Combining this method with the system command shell, one can execute any shell command sequence
within the remote user context (e.g. format, del, copy ...) by providing the '/c' switch as the first parameter
to cmd.exe (the "execute and exit" option).

At this point, having shell command execution, access to the CreateProcess() Win32 API function
and access to the system directory, we can construct an armed remote code execution exploit.
All we need is to use the shell access to remotely build a batch file that, when executed, will
launch 'ftp.exe', the Windows NT ftp client utility, download an arbitrary remote file onto the local system
and execute it afterwards.
Such an exploit, however, would have a visible cmd shell window during the exploit-driven
download process, so it would be easily noticeable and could be cancelled by an alerted user.

[USN-1017-1] MySQL vulnerabilities

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that MySQL incorrectly handled certain requests with the
UPGRADE DATA DIRECTORY NAME command. An authenticated user could exploit
this to make MySQL crash, causing a denial of service. This issue only
affected Ubuntu 9.10 and 10.04 LTS. (CVE-2010-2008)

It was discovered that MySQL incorrectly handled joins involving a table
with a unique SET column. An authenticated user could exploit this to make

Windows SMB NTLM Authentication Weak Nonce Vulnerability

5.Credits
6.Technical description
6.1.NTLMv1 authentication protocol
6.2.The Flaws
6.3.Detecting if the SMB service generates duplicate 8-byte challenges
6.4.Exploiting duplicate challenges
6.4.1.Proof-of-Concept Exploit
6.5.Predicting challenges
6.5.1.SMB service: challenge generation process
6.5.2.Proof-of-Concept Exploit
7.References

Arbitrary code execution in Netrw version 127, Vim 7.2b

        Vim version 7.2b
        zip.vim version: v21
        netrw.vim version: v127
        -------------------------------------------
        filetype.vim
          strong  : EXPLOIT FAILED
          weak    : EXPLOIT FAILED
        tarplugin : EXPLOIT FAILED
        tarplugin.updated: EXPLOIT FAILED
        zipplugin : EXPLOIT FAILED
        zipplugin.v2: EXPLOIT FAILED

Re: 0day: PDF pwns Windows

Casper.Dik@Sun.COM wrote:
>> But then there is the important concept of the "private 0day", a new
>> vulnerability that a malicious person has but has not used yet.
>>     
> But the point is there is no such thing as a 0day *vulnerability*; there's
> a 0day exploit, an exploit in the wild before the vulnerability is
> discovered.
>   
An excellent point. Sorry I overlooked that. Exploit development today
is so fast that I tend to equate knowledge of a vulnerability with "...
and can have an exploit by tomorrow afternoon."

Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Recording Server

+----------------------------------

A number of sensitive Java Servlets delivered via a Java Servlet
framework within the Cisco TelePresence Recording Server could allow
a remote, unauthenticated attacker to perform actions that should be
restricted to administrative users. To successfully exploit this
vulnerability, the attacker would need the ability to submit a
crafted request to an affected device on TCP port 80, TCP port 443,
or TCP port 8080.

An attacker must perform a three-way TCP handshake and establish a

[Suspected Spam][USN-947-2] Linux kernel regression

Original advisory details:

 It was discovered that the Linux kernel did not correctly handle memory
 protection of the Virtual Dynamic Shared Object page when running
 a 32-bit application on a 64-bit kernel.  A local attacker could
 exploit this to cause a denial of service. (Only affected Ubuntu 6.06
 LTS.) (CVE-2009-4271)
 
 It was discovered that the r8169 network driver did not correctly check
 the size of Ethernet frames.  A remote attacker could send specially
 crafted traffic to crash the system, leading to a denial of service.

multiple CAPTCHA automation test bypass digest

   According  to vendor both problems were addressed in Version 2.9.0 on
   August 11, 2007

   Original article: http://websecurity.com.ua/1501/
   Exploit for 1.2: http://websecurity.com.ua/uploads/2007/MoBiC/Peter's%20Custom%20Anti-Spam%20Image%20CAPTCHA%20bypass.html

2. mt-scode CAPTCHA (plugin for Movable type and Drupal)

   Same check pairs may be used for multiple postings


Re: [Full-disclosure] Linux kernel exploit

Hey Dan,

Freaking THANK YOU first and foremost. I've been waiting for someone to say that for days now, and was just about to myself. 

Just because everyone and their brother wants to show off that they can compile & run some software (herp a derp, good job) DOESN'T mean they should immediately post it here. I tested it against an OLDER KERNEL on purpose because I actually read the headers and the exploit worked as expected. I knew that this was responsibly disclosed, so it was already patched on any system that I updated. If you don't have the proper symbols, then the exploit doesn't have the proper offsets, and the exploit will fail. Plain and simple. *THEN* there's people who don't even bother to read that "Red Hat does not support Econet by default". DOES NOT. As in the exploit WON'T WORK!

It's pathetic that the original exploit dev has to waste his time saying the same thing 5 times.

</rant>


[USN-1081-1] Linux kernel vulnerabilities

perform this as well.

Details follow:

It was discovered that KVM did not correctly initialize certain CPU
registers. A local attacker could exploit this to crash the system, leading
to a denial of service. (CVE-2010-3698)

Thomas Pollet discovered that the RDS network protocol did not check
certain iovec buffers. A local attacker could exploit this to crash the
system or possibly execute arbitrary code as the root user. (CVE-2010-3865)

[USN-989-1] PHP vulnerabilities

In general, a standard system update will make all the necessary changes.

Details follow:

Auke van Slooten discovered that PHP incorrectly handled certain xmlrpc
requests. An attacker could exploit this issue to cause the PHP server to
crash, resulting in a denial of service. This issue only affected Ubuntu
6.06 LTS, 8.04 LTS, 9.04 and 9.10. (CVE-2010-0397)

It was discovered that the pseudorandom number generator in PHP did not
provide the expected entropy. An attacker could exploit this issue to

[USN-1071-1] Linux kernel vulnerabilities

all the necessary changes.

Details follow:

Tavis Ormandy discovered that the Linux kernel did not properly implement
exception fixup. A local attacker could exploit this to crash the kernel,
leading to a denial of service. (CVE-2010-3086)

Dan Rosenberg discovered that the Linux kernel TIPC implementation
contained multiple integer signedness errors. A local attacker could
exploit this to gain root privileges. (CVE-2010-3859)

Multiple Vulnerabilities in OpenClassifieds 1.7.0.3

I understand that this is a vain hope that bugtraq will start posting something useful. 

Author: Michael Brooks (Rook)
Application: OpenClassifieds 1.7.0.3
Download: http://open-classifieds.com/download/
Exploit chain: captcha bypass -> sqli(insert) -> persistent xss on front page
If registration is required an extra link in the chain is added:
Exploit chain: blind sqli(select) -> captcha bypass -> sqli(insert) -> persistent xss on front page
Sites with SEO url's enabled:
"powered by Open Classifieds" inurl:"publish-a-new-ad.htm"  (85,000 results)
or default urls:

Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera

Hi Mustlive,
I'm not sure if there's a need to discuss or clarify this any further. 
Please refer to my earlier posts, and for the sake of saving some of our 
time & efforts, avoid drawing tangents about scripts and noscripts (I've 
clarified both earlier) & weasel words (security vulnerability and nntp 
exploit - irrelevant in this case).
JS or no-JS, this issue is nothing new, this behavior is well-defined and a 
necessity and definitely not a URI (of any kind) exploit or a security 
vulnerability.

Some last specifics (mostly reiterating what I said in my earlier posts) -

[MORNINGSTAR-2009-01] Multiple security issues in Open Auto Classifieds version <= 1.5.9

2. Vulnerability Information
----------------------------------------------------------------------------------------------
Class: SQL Injection, Insecure File Upload, Cross Site Scripting, 
Filepath Disclosure
Remotely Exploitable: Yes
Locally Exploitable: No


3. Vulnerability Description
----------------------------------------------------------------------------------------------

Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass

********************************************************************************************
Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass
NOTIFICATION:
This exploit is based on Andrey Bayora's "magic of magic byte" but with some development.
This proof of concept was created for educational purposes only. Use the code at your own risk.
The author will not be responsible for any damages.
*********************************************************************************************
Exploit Information:
    Date: 2008/19/08

Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass -Update-

Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass
           [_] Discovered by : DATA_SNIPER
           [_] Greets to:  hacker c&c Team , Arab4Services team on www.arab4services.net , AT4RE Team on www.at4re.com
           [_] Special thanks go to: Andrey Bayora and all Arabian hackers, especially Algerian hackers.
NOTIFICATION:
This exploit is based on Andrey Bayora's "magic of magic byte" but with some development.
This proof of concept was created for educational purposes only. Use the code at your own risk.
The author will not be responsible for any damages.
*********************************************************************************************
Exploit Information:
    Date: 2008/19/08
