Parts of Vim are written in the Vim script language. A feature of this
language widely used in the Vim code is the ``execute'' command, an equivalent
of ``eval'' in some other languages. Throughout Vim, arguments passed to
``execute'' are not sanitized properly. This can lead to arbitrary code
execution. We will show several exploits which execute arbitrary code upon
opening a crafted file with the ex(1), vim(1), or view(1) commands. Only in
a few cases will we explore the possibility of remote exploitation. We will
present fixes/workarounds for some of the vulnerabilities.
The archive with code that is a part of this advisory can be found at
2. *Vulnerability Information*
Class: Improper Access Control [CWE-285]
Impact: Security bypass
Remotely Exploitable: No
Locally Exploitable: Yes
Bugtraq ID: 38764
CVE Name: N/A
check certain sizes. A local attacker could perform malicious ioctl calls
that could crash the system, leading to a denial of service. (Only Ubuntu
10.04 LTS was affected.) (CVE-2010-2478, CVE-2010-3084)
Eric Dumazet discovered that many network functions could leak kernel
stack contents. A local attacker could exploit this to read portions
of kernel memory, leading to a loss of privacy. (Ubuntu 10.10 was not
affected.) (CVE-2010-2942, CVE-2010-3477)
Dave Chinner discovered that the XFS filesystem did not correctly order
inode lookups when exported by NFS. A remote attacker could exploit this to
VMware Workstation 6.5
IMPACT
------
By exploiting either of the VMware flaws described in this document,
user-mode code executing in a virtual machine may gain kernel
privileges within the virtual machine, dependent upon the guest
operating system. The flaws have been proven exploitable on x64
versions of Windows, and they have produced potentially exploitable
crashes on x64 versions of *BSD. The Linux kernel does not allow
update provides the corresponding updates for Ubuntu 10.04.
Original advisory details:
Al Viro discovered a race condition in the TTY driver. A local attacker
could exploit this to crash the system, leading to a denial of service.
(CVE-2009-4895)
Dan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not correctly
check file permissions. A local attacker could overwrite append-only files,
leading to potential data loss. (CVE-2010-2066)
VMware Workstation 6.5
IMPACT
------
By exploiting the VMware flaw described in this document, user-mode
code executing in a virtual machine may gain kernel privileges within
the virtual machine, dependent upon the guest operating system. The
flaw has been proven exploitable on x64 versions of Windows, and it
has produced potentially exploitable crashes on x64 versions of *BSD.
The Linux kernel does not allow exploitation of the flaws on x64
2. Vulnerability Information
------------------------------------------------------------------------------------------------------------------------
Class: Cross Site Request Forgery, Cross Site Scripting, File Path
Disclosure, Local File Inclusion, Authentication Bypass and PHP Command
Injection
Remotely Exploitable: Yes
Locally Exploitable: No
3. Vulnerability Description
------------------------------------------------------------------------------------------------------------------------
Release mode: Forced Release
*Vulnerability Information*
Class: Design Error
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 25659
CVE Name: CVE-2007-4901
*Vulnerability Description*
+----------------------------------
A number of sensitive Java Servlets delivered via a Java Servlet
framework within the Cisco TelePresence Recording Server could allow
a remote, unauthenticated attacker to perform actions that should be
restricted to administrative users. To successfully exploit this
vulnerability, the attacker would need the ability to submit a
crafted request to an affected device on TCP port 80, TCP port 443,
or TCP port 8080.
An attacker must perform a three-way TCP handshake and establish a
# AmnPardaz Security Research Team
#
# Title: QuickerSite Multiple Vulnerabilities
# Vendor: www.quickersite.com
# Vulnerable Version: 1.8.5
# Exploit: Available
# Impact: High
# Fix: N/A
# Original Advisory: http://bugreport.ir/index.php?/39
###################################################################################
all the necessary changes.
Details follow:
Gleb Napatov discovered that KVM did not correctly check certain privileged
operations. A local attacker with access to a guest kernel could exploit
this to crash the host system, leading to a denial of service.
(CVE-2010-0435)
Dave Chinner discovered that the XFS filesystem did not correctly order
inode lookups when exported by NFS. A remote attacker could exploit this to
Dan Jacobson discovered that ThinkPad video output was not correctly access
controlled. A local attacker could exploit this to hang the system, leading
not have been fatal if the ``execute'' statements on lines 181 and 1276
were updated to use the fnameescape() function to sanitize the
arguments.
5. EXPLOIT
The exploit needed a small update in order to work with the current Vim.
It produces error messages, and the exploit text is not hidden. Making
the exploit fully compatible would be just a matter of spending some
more time. The updated exploit is called ``filetype.vim.updated'':
- linux-ti-omap4: Linux kernel for OMAP4 devices
Details:
Dan Rosenberg discovered that the RDS network protocol did not correctly
check certain parameters. A local attacker could exploit this to gain root
privileges. (CVE-2010-3904)
Nelson Elhage discovered several problems with the Acorn Econet protocol
driver. A local user could cause a denial of service via a NULL pointer
dereference, escalate privileges by overflowing the kernel stack, and
Gents,
As announced in recent emails here, we have just released 13 0days and
new offensive concepts against most of the tools currently used by web
attackers, like web shells, exploit packs, etc, during our new talk at
SyScan Singapore 2010 : http://www.syscan.org/Sg/speakers.html#012
We have given new methods to counter-strike intruders with our new
exploits giving you remote shells, remote SQL injection, permanent XSS
and dangerous XSRF, against remote tools used by attackers.
Hi Crispin,
I agree with almost everything you say until here:
"I continue to dismiss the requirement that an 0day be found
maliciously exploiting machines, because that requires inferring
intent."
IMO, everybody in this thread is taking this from an
inside-to-outside approach, whereas a '0day' is the opposite.
5. Credits
6. Technical description
6.1. NTLMv1 authentication protocol
6.2. The Flaws
6.3. Detecting if the SMB service generates duplicate 8-byte challenges
6.4. Exploiting duplicate challenges
6.4.1. Proof-of-Concept Exploit
6.5. Predicting challenges
6.5.1. SMB service: challenge generation process
6.5.2. Proof-of-Concept Exploit
7. References
Combining this method with the system command shell, one can execute any shell command sequence
within the remote user's context (e.g. format, del, copy ...) by providing the '/c' switch as the first parameter
to cmd.exe (the "execute and exit" option).
At this point, having shell command execution, access to the CreateProcess() Win32 API function,
and access to the system directory, we can construct an armed remote code execution exploit.
All we need is to use the shell access to remotely build a batch file that, when executed, will
launch 'ftp.exe', the Windows NT ftp client utility, download an arbitrary remote file onto the local system,
and execute it afterwards.
Such an exploit, however, would show a visible cmd shell window during the exploit-driven
download process, so it would be easily noticeable and an alerted user would cancel it.
In general, a standard system update will make all the necessary changes.
Details follow:
It was discovered that MySQL incorrectly handled certain requests with the
UPGRADE DATA DIRECTORY NAME command. An authenticated user could exploit
this to make MySQL crash, causing a denial of service. This issue only
affected Ubuntu 9.10 and 10.04 LTS. (CVE-2010-2008)
It was discovered that MySQL incorrectly handled joins involving a table
with a unique SET column. An authenticated user could exploit this to make
Vim version 7.2b
zip.vim version: v21
netrw.vim version: v127
-------------------------------------------
filetype.vim
strong : EXPLOIT FAILED
weak : EXPLOIT FAILED
tarplugin : EXPLOIT FAILED
tarplugin.updated: EXPLOIT FAILED
zipplugin : EXPLOIT FAILED
zipplugin.v2: EXPLOIT FAILED
Release mode: User release
*Vulnerability Information*
Class: Input Validation Error
Remotely Exploitable: Yes
Locally Exploitable: Yes
Client-side Exploitable: No
Bugtraq ID: 27944
CVE Name: CVE-2008-0923
Casper.Dik@Sun.COM wrote:
>> But then there is the important concept of the "private 0day", a new
>> vulnerability that a malicious person has but has not used yet.
>>
> But the point is there is no such thing as a 0day *vulnerability*; there's
> a 0day exploit, an exploit in the wild before the vulnerability is
> discovered.
>
An excellent point. Sorry I overlooked that. Exploit development today
is so fast that I tend to equate knowledge of a vulnerability with "...
and can have an exploit by tomorrow afternoon."
Original advisory details:
It was discovered that the Linux kernel did not correctly handle memory
protection of the Virtual Dynamic Shared Object page when running
a 32-bit application on a 64-bit kernel. A local attacker could
exploit this to cause a denial of service. (Only affected Ubuntu 6.06
LTS.) (CVE-2009-4271)
It was discovered that the r8169 network driver did not correctly check
the size of Ethernet frames. A remote attacker could send specially
crafted traffic to crash the system, leading to a denial of service.
when specific TCP segments are received during the TCP connection
termination phase.
This vulnerability is triggered only when specific TCP segments are sent
to certain TCP-based services that terminate on the affected appliance.
Although exploitation of this vulnerability requires a TCP three-way
handshake, authentication is not required.
This vulnerability is documented in Cisco bug ID CSCsz77717 and has been
assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0149.
D) Cross Site Scripting (XSS) Vulnerability
A) Remote Code Execution (Windows Only) Vulnerability
A Remote Code Execution vulnerability exists in Vtiger CRM version
5.0.4. In order to exploit this vulnerability an account on the CRM
system is required.
The vulnerability resides in the "Compose Mail" section. The software
permits sending email with attachments and offers a draft save feature.
When this feature is requested and an attachment is specified, the
According to the vendor, both problems were addressed in Version 2.9.0 on
August 11, 2007.
Original article: http://websecurity.com.ua/1501/
Exploit for 1.2: http://websecurity.com.ua/uploads/2007/MoBiC/Peter's%20Custom%20Anti-Spam%20Image%20CAPTCHA%20bypass.html
2. mt-scode CAPTCHA (plugin for Movable type and Drupal)
Same check pairs may be used for multiple postings
Unauthenticated CGI Access
Multiple CGI command injection vulnerabilities exist in Cisco
TelePresence endpoint devices that could allow a remote,
authenticated attacker to execute arbitrary commands with elevated
privileges. To exploit these vulnerabilities, an attacker must submit
a malformed request to an affected device via TCP port 8082.
An attacker must perform a three-way TCP handshake and establish a
valid session to exploit this vulnerability.