file access

PHP filesystem attack vectors

 Name              PHP filesystem attack vectors
 Systems Affected  PHP and PHP+Suhosin
 Vendor            http://www.php.net/
 Advisory          http://www.ush.it/team/ush/hack-phpfs/phpfs_mad.txt
 Authors           Francesco "ascii" Ongaro (ascii AT ush DOT it)
                   Giovanni "evilaliv3" Pellerano (giovanni.pellerano AT
                   evilaliv3 DOT org)
 Date              20090207

[SECURITY] [DSA 1681-1] New Linux 2.6.24 packages fix several vulnerabilities

problems:

CVE-2008-3528

    Eugene Teo reported a local DoS issue in the ext2 and ext3
    filesystems.  Local users who have been granted the privileges
    necessary to mount a filesystem would be able to craft a corrupted
    filesystem that causes the kernel to output error messages in an
    infinite loop.

CVE-2008-4554

[SECURITY] [DSA 1687-1] New Linux 2.6.18 packages fix several vulnerabilities

    implementation.

CVE-2008-3528

    Eugene Teo reported a local DoS issue in the ext2 and ext3
    filesystems.  Local users who have been granted the privileges
    necessary to mount a filesystem would be able to craft a corrupted
    filesystem that causes the kernel to output error messages in an
    infinite loop.

CVE-2008-4554

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

  * Transparent Firewall Packet Buffer Exhaustion Vulnerability
  * Skinny Client Control Protocol (SCCP) Inspection Denial of
    Service Vulnerability
  * Routing Information Protocol (RIP) Denial of Service
    Vulnerability
  * Unauthorized File System Access Vulnerability

These vulnerabilities are independent; a release that is affected by
one vulnerability is not necessarily affected by the others.

Cisco has released free software updates that address these

CVE-2010-3014: Coda Filesystem Kernel Memory Disclosure

                         VSR Security Advisory
                       http://www.vsecurity.com/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Coda Filesystem Kernel Memory Disclosure
 Release Date: 2010-08-16
  Application: Coda kernel module for NetBSD and FreeBSD
     Versions: All known versions
     Severity: Medium
       Author: Dan Rosenberg < drosenberg (at) vsecurity (dot) com >

Apple HFS+ Information Disclosure Vulnerability

 "Beneath the appealing, easy-to-use interface of Mac OS X is a rock-solid,
  UNIX-based foundation that is engineered for stability, reliability, and
  performance.  The kernel environment is built on top of Mach 3.0 and provides
  high-performance networking facilities and support for multiple, integrated
  file systems."


Vulnerability Overview
----------------------

Re: /proc filesystem allows bypassing directory permissions on

Jim Paris wrote:
> 
> > Therefore it's totally of no influence what you do with the original
> > directory permission. File access has nothing to do with directory
> > permissions...!
> 
> Right.  However the whole point of this discussion is that that is a
> non-obvious point, there was no other way that the user could have
> opened that file without the use of /proc.


[SECURITY] [DSA 1749-1] New Linux 2.6.26 packages fix several vulnerabilities

    Roel Kluin discovered inverted logic in the skfddi driver that
    permits local, unprivileged users to reset the driver statistics.

CVE-2009-0745

    Peter Kerwien discovered an issue in the ext4 filesystem that
    allows local users to cause a denial of service (kernel oops)
    during a resize operation.

CVE-2009-0746


FreeBSD Security Advisory FreeBSD-SA-07:01.jail [REVISED]

automatically on system boot/shutdown.

II.  Problem Description

In multiple situations the host's jail rc.d(8) script does not check if
a path inside the jail file system structure is a symbolic link before
using the path.  In particular this is the case when writing the
output from the jail start-up to /var/log/console.log and when
mounting and unmounting file systems inside the jail directory
structure.


SECOBJADV-2008-04: Symantec Veritas Storage Foundation Memory Disclosure Vulnerability

BACKGROUND

Veritas Storage Foundation 5.0 from Symantec provides a complete 
solution for heterogeneous online storage management. Based on the 
industry-leading Veritas Volume Manager and Veritas File System, it 
provides a standard set of integrated tools to centrally manage 
explosive data growth, maximize storage hardware investments, provide 
data protection and adapt to changing business requirements.

SUMMARY

Positron Security Advisory #2009-000: Multiple Vulnerabilities in MapServer v5.2.1 and v4.10.3

buffer overflow can be achieved by creating a map file on the server
with overly long IMAGEPATH and/or NAME attributes; their values will be
stored past the end of "buffer" and will overwrite saved register
values.  If the following specially-crafted map file ("bof.map") is
stored on the server (either by creating it directly, or tricking a
legitimate user into placing it onto the file system):

    MAP
      NAME {"A" x 1072}GGGG
      STATUS ON
      SIZE 100 100

Re: Guidance Software response to iSEC report on EnCase (fwd)

Furthermore, I know some BIOSs will still boot without a valid MBR
partition table in the first place.



> 2. Corrupted NTFS file system crashed EnCase during acquisition.
>
> Response: The authors state that “this issue appears to be caused by an attempt to read past the end of the buffer.”  However, EnCase features an option to de-select the automatic reading of the file system during the acquisition process.  Thus, there is an easy work-around. Also, by corrupting the NTFS partitions, the perpetrator would likely render his file system dysfunctional, which calls into question both the likelihood and feasibility of such a tactic.  Thus, the chances of this specific scenario occurring in the field are extremely remote; however, Guidance Software will test and, if verified, place this anomaly in its development queue to address the crashing problem in the future.

So really all I need to do is wrap my partition/file-system in a
corrupted NTFS (btw NTFS file system is redundant), and poof I potentially

Re: /proc filesystem allows bypassing directory permissions on

On Mon 2009-11-02 18:53:19, Martin Rex wrote:
> Jim Paris wrote:
> > 
> > > Therefore it's totally of no influence what you do with the original
> > > directory permission. File access has nothing to do with directory
> > > permissions...!
> > 
> > Right.  However the whole point of this discussion is that that is a
> > non-obvious point, there was no other way that the user could have
> > opened that file without the use of /proc.

[SECURITY] [DSA 2094-1] New Linux 2.6.26 packages fix several issues

    Kyle Bader reported an issue in the tty subsystem that allows local
    users to create a denial of service (NULL pointer dereference).

CVE-2010-2226

    Dan Rosenberg reported an issue in the xfs filesystem that allows local
    users to copy and read a file owned by another user, for which they
    only have write permissions, due to a lack of permission checking in the
    XFS_SWAPEXT ioctl.

CVE-2010-2240

[SECURITY] [DSA 1504-1] New Linux kernel 2.6.8 packages fix several issues

following problems:

CVE-2006-5823

    LMH reported a potential local DoS which could be exploited by a malicious
    user with the privileges to mount and read a corrupted cramfs filesystem.

CVE-2006-6054

    LMH reported a potential local DoS which could be exploited by a malicious
    user with the privileges to mount and read a corrupted ext2 filesystem.

FW: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server

From: Rohit Patnaik [mailto:quanticle@gmail.com] 
Sent: Tuesday, December 15, 2009 6:29 PM
To: Thor (Hammer of God)
Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server

Wow.  Very nice find.  One question: all the cited tools are Windows executables.  Has there been any attempt to run the database viewer in Linux via Wine?  I'm wondering if I'm going to have to set up a VM to try to confirm this, or if I can try to do this via Wine.

Although the n3td3v drama is entertaining, it's finds like this which keep me subscribed to this list.


[SECURITY] [DSA 2310-1] linux-2.6 security update

    with physical access to a system's USB ports could obtain elevated
    privileges using a specially crafted USB device.

CVE-2011-1020

    Kees Cook discovered an issue in the /proc filesystem that allows local
    users to gain access to sensitive process information after execution of a
    setuid binary.

CVE-2011-2209


Sun Solaris 10 filesystem rm(1),find(1),etc, Denial-of-service

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ Sun Solaris 10 filesystem rm(1),find(1),etc, Denial-of-service ]

Author: Maksymilian Arciemowicz
SecurityReason.com
Date:
- Dis.: 17.04.2010
- Pub.: 21.05.2010

[SECURITY] [DSA 2303-2] New linux-2.6 packages fix regression

to a denial of service or privilege escalation. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2011-1020 

    Kees Cook discovered an issue in the /proc filesystem that allows local
    users to gain access to sensitive process information after execution of a
    setuid binary.

CVE-2011-1576 


[SECURITY] [DSA 1844-1] New Linux 2.6.24 packages fix several vulnerabilities

    files without execute permission when accessed via an nfs4 mount.

CVE-2009-1633

    Jeff Layton and Suresh Jayaraman fixed several buffer overflows in
    the CIFS filesystem which allow remote servers to cause memory
    corruption.

CVE-2009-1895

    Julien Tinnes and Tavis Ormandy reported an issue in the Linux

[SECURITY] [DSA 2004-1] New Linux 2.6.24 packages fix several vulnerabilities

    exists which may allow remote users to cause a denial of service
    condition (oops).

CVE-2009-4020

    Amerigo Wang discovered an issue in the HFS filesystem that would
    allow a denial of service by a local user who has sufficient
    privileges to mount a specially crafted filesystem.
    
CVE-2009-4021


[SECURITY] [DSA 2303-1] linux-2.6 security update

to a denial of service or privilege escalation. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2011-1020 

    Kees Cook discovered an issue in the /proc filesystem that allows local
    users to gain access to sensitive process information after execution of a
    setuid binary.

CVE-2011-1576 


Microsoft Bluetooth Stack OBEX Directory Traversal

References: http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/Microsoft-Bluetooth-Stack-Directory-Traversal.html

Description:
Most Windows Mobile 5.0 & 6 devices are shipped with the Microsoft Bluetooth stack; only a few of them use others such as the Widcomm Bluetooth stack. Among all the Bluetooth services that may be implemented in the stack, OBEX FTP is the most common service.

The OBEX FTP Bluetooth service can be used to share files over Bluetooth, not only by sending files but also by allowing remote devices to browse local shared folders and download files. Usually, the service is configured so that a specific directory is shared and the user can place there all the files he would like to share with other people. The default directory is My Device\My Documents\Bluetooth Share. A different directory may be selected by the user; however, the Bluetooth wizard usually doesn't allow specifying any directory on the filesystem outside the My Device\My Documents\ or Memory Card\My Documents\ paths. This is done for safety reasons, so the user can't expose sensitive files or information through Bluetooth.

There exists a Directory Traversal vulnerability in the OBEX FTP Service of the Microsoft Bluetooth Stack implemented in Windows Mobile 5.0 & 6 devices. A remote attacker (who previously obtained authentication and authorization rights) can use tools like ObexFTP to traverse to parent directories outside the default Bluetooth shared folder. This means the attacker can browse folders located at a lower level, download files contained in those folders, and upload files to those folders.

The only requirement is that the attacker must have authentication and authorization privileges over the OBEX FTP service. Pairing with the remote Windows Mobile device should be enough to obtain them. Once the attacker has obtained the proper privileges, further actions will be transparent to the user.


[SECURITY] [DSA 1503-2] New Linux kernel 2.4.27 packages fix several issues

kernel that may lead to a denial of service or the execution of arbitrary
code. 

The package versions referenced in the initial DSA-1503 advisory
introduced a regression that can cause hangs on systems that make use of
the ext2 filesystem. The regression has been resolved in the package
versions referenced by this updated advisory.

The Common Vulnerabilities and Exposures project identifies the
following problems:


[USN-578-1] Linux kernel vulnerabilities

linux-powerpc, linux-amd64-generic), a standard system upgrade will
automatically perform this as well.

Details follow:

The minix filesystem did not properly validate certain filesystem
values. If a local attacker could trick the system into attempting
to mount a corrupted minix filesystem, the kernel could be made to
hang for long periods of time, resulting in a denial of service.
(CVE-2006-6058)


Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities

UNC: http://servername/pandora_console/ajax.php?page=//server/share/test

Also, ajax.php allows including any PHP file on the disk filesystem:
http://servername/pandora_console/ajax.php?page=../../../../../directory/file

The %00 character is not allowed due to the filtering performed by the safe_url_extraclean function, and it is not possible to include files other than PHP files, but the . and / characters are still allowed.

[ GLSA 200712-13 ] E2fsprogs: Multiple buffer overflows

Background
==========

E2fsprogs provides utilities for use with the ext2 and ext3 file
systems including the libext2fs library that allows user-level programs
to manipulate an ext2 or ext3 file system.

Affected packages
=================


SECOBJADV-2008-05: Symantec Veritas Storage Foundation Arbitrary File Read Vulnerability

BACKGROUND

Veritas Storage Foundation 5.0 from Symantec provides a complete 
solution for heterogeneous online storage management. Based on the 
industry-leading Veritas Volume Manager and Veritas File System, it 
provides a standard set of integrated tools to centrally manage 
explosive data growth, maximize storage hardware investments, provide 
data protection and adapt to changing business requirements.

SUMMARY

Postfix local privilege escalation via hardlinked symlinks

Summary: Solaris and Linux file system behavior has changed over
time, breaking one of the assumptions in Postfix. See below for a
description of the behavior and how it disagrees with standards.

Postfix is not affected on systems with standard (POSIX, X/Open)
file system behavior, i.e. *BSD, AIX, MacOS, HP-UX, and very old
Sun/Linux systems.  The fix and workarounds are simple.

There are efforts to get the non-standard behavior approved by
standards (a function called llink). Today's fix for Solaris, Linux

File Access Vulnerability in Easy File Sharing Web Server

Discovered by:
Timothy "Thor" Mullen


Testing by Steve "Raging Haggis" Moffat, Hammer of God, Bermuda Labs

Product:        Easy File Sharing Web Server, current versions, default installation
Vendor:         http://www.sharing-file.com/

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.