local system
%ProgramFiles%\Panda Software\AVTC\
by default are set to Everyone:Full Control. A few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under the LocalSystem account.
The 32bit Version of Panda Security for Desktops/File Servers
installs the TruePrevent package by default, which protects the files
in the installation directory from manipulation.
=======
Summary
=======
Name: Permissively-ACLed cvpnd.exe allows interactive users to run
arbitrary binaries with Local System Privileges
Release Date: 16 August 2007
Reference: NGS00503
Discoverer: Dominic Beecher <dominic@ngssoftware.com>
Vendor: Cisco
Vendor Reference: cisco-sa-20070815-vpnclient
for 32-bit installations and in "%ALLUSERSPROFILE%\Application Data\
{0DD0EEEE-2A7C-411C-9243-1AE62F445FC3}\x64" for 64-bit installations. The
installer installs in this directory DifXInstall32.exe or DifXInstall64.exe for
32-bit or 64-bit installations, respectively, along with DIFxAPI.dll and other
files. After the installer writes these files to the directory, it will execute
DifXInstall32.exe or DifXInstall64.exe in the context of Local System, a
privileged user.
On a standard Windows installation, unprivileged users have write-access to
"%ALLUSERSPROFILE%\Application Data". As such, prior to a first-time iTunes
installation, an unprivileged attacker can create these directories and place a
Altiris packages to allow the Deployment Server to manage software
for machines. It is usually installed to
C:\Program Files\Altiris\AClient and the main running agent
is called AClient.exe.
By default the agent runs under the Local System account and is
vulnerable to numerous Shatter Attack vulnerabilities leading
to an attacker running code under the Local System privilege.
We reported a first instance of this vulnerability, which was
then patched; we then alerted Symantec to the second vulnerability.
Summary
=======
Two vulnerabilities exist in the Cisco VPN Client for Microsoft Windows
that may allow unprivileged users to elevate their privileges to those of
the LocalSystem account.
A workaround exists for one of the two vulnerabilities disclosed in this
advisory.
Cisco has made free software available to address these vulnerabilities
1. During installation of Panda Antivirus 2008 the permissions for the
installation folder %ProgramFiles%\Panda Security\Panda Antivirus 2008\
are by default set to Everyone:Full Control. A few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under the LocalSystem account. There is no protection of the service files. It is
possible for an unprivileged user to replace a service executable with a
file of his choice to gain full access with LocalSystem privileges, or to
gain the privileges of any user (including the system administrator) who logs on
to the vulnerable host. This can be exploited by:
Vulnerability overview:
-----------------------
A local privilege escalation vulnerability exists in SonicWALL Global
VPN client. By exploiting this vulnerability, a local attacker could
execute code with LocalSystem privileges.
Vulnerability description:
--------------------------
%programfiles%\x-spam\spooler.exe
All mentioned binaries run under the NT AUTHORITY\SYSTEM account.
Replacing any of those programs with an appropriate one (e.g. cmd.exe) will
spawn a process with Local System privileges on the next reboot. Because the
setup/installation procedure sets insecure default permissions
(Everyone:Full Control) on the eScan/MailScan/X-Spam installation directory,
any LUA user can perform this task. NOTE: some binaries won't spawn
visible windows.
service allocates memory from the heap based on the 10th and 11th bytes
of the packet (element count). Packet data is then copied into the
allocated buffer based on the first two bytes of the packet (packet
size). These values can be manipulated to create a heap overflow, and an
attacker can exploit this to remotely execute arbitrary code in the
context of the service (Local System).
-- Vendor Response:
WellinTech has issued an update to correct this vulnerability. More
details can be found at:
--Wednesday, August 22, 2007, 2:25:28 PM, you wrote to bugtraq@securityfocus.com:
kvgc> Local Privilege Escalation Through Default ntmulti.exe File Permissions
kvgc> Unprivileged users can execute arbitrary programs that run
kvgc> with the privileges of the LocalSystem account by replacing the
kvgc> Multi-user Cleanup Service executable with arbitrary executables.
kvgc> This vulnerability exists because the default file permissions
kvgc> assigned during installation to ntmulti.exe (the executable for
kvgc> the Multi-user Cleanup Service) allow unprivileged, interactive
kvgc> users to replace ntmulti.exe with any file.
Local Privilege Escalation Through Default ntmulti.exe File Permissions
Unprivileged users can execute arbitrary programs that run with the privileges of the LocalSystem account by replacing the Multi-user Cleanup Service executable with arbitrary executables. This vulnerability exists because the default file permissions assigned during installation to ntmulti.exe (the executable for the Multi-user Cleanup Service) allow unprivileged, interactive users to replace ntmulti.exe with any file.
Because the Multi-user Cleanup Service is a Windows service running with LocalSystem privileges, unprivileged users can easily elevate their privileges.
BINARY_PATH_NAME : C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : EPSON V5 Service4(01)
DEPENDENCIES : RpcSs
SERVICE_START_NAME : LocalSystem
C:\>CACLS "C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE"
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE Everyone:F <------[ :( !!!]
C:\>SC QC EPSON_PM_RPCV4_01
The 64 Bit Cisco VPN Client for Windows 7 is affected by a local privilege escalation vulnerability that allows non-privileged users to gain administrative privileges.
=================
Technical Details
=================
Unprivileged users can execute arbitrary programs that run with the privileges of the LocalSystem account by replacing the Cisco VPN Service executable with arbitrary executables. This vulnerability exists because the default file permissions assigned during installation to cvpnd.exe (the executable for the Cisco VPN Service) allow unprivileged, interactive users to replace cvpnd.exe with any file.
Because the Cisco VPN Service is a Windows service running with LocalSystem privileges, unprivileged users can easily elevate their privileges.
It is possible to work around this vulnerability without a software upgrade.
===[ ABSTRACT ]=========================================================
Insufficient validation of general-purpose register in IA32 system call
emulation code may lead to local system compromise on x86_64 platform.
===[ AFFECTED SOFTWARE ]================================================
Linux 2.6
Linux 2.4
rPath Appliance Platform Linux Service 2
rPath Linux 2
Rating: Major
Exposure Level Classification:
Local System User Deterministic Privilege Escalation
Updated Versions:
httpd=conary.rpath.com@rpl:2/2.2.9-4.2-1
mod_ssl=conary.rpath.com@rpl:2/2.2.9-4.2-1
rPath Issue Tracking System:
Sogou input method official version 4.3
Vulnerability Process Description:
When Windows has loaded the Sogou input method (after signing on to the system),
lock the computer (Ctrl+Alt+Del), switch to the Sogou input method, and enter letters so that the Sogou Pinyin input method toolbar appears; clicking search will invoke iexplorer.exe.
You can then enter the system32 directory directly in the IE address bar and run cmd; if the logged-in account is in the administrators group, this directly gives local system privileges.
###################################################################
# Discovered By: Securitylab.ir
# Website: http://securitylab.ir
# Contacts: k4mr4n_st@yahoo.com
###################################################################
======================================================================
2) Severity
Rating: Not critical
Impact: Disclosure of sensitive information
Where: Local system
======================================================================
3) Vendor's Description of Software
"Bournal is a bash script that allows you to keep a personal,
======================================================================
2) Severity
Rating: Not critical
Impact: Privilege escalation
Where: Local system
======================================================================
3) Vendor's Description of Software
"Bournal is a bash script that allows you to keep a personal,
Local exploitation of a privilege escalation vulnerability in Novell
ZENworks Endpoint Security Management allows attackers to execute
arbitrary code with SYSTEM privileges.
When the ZENworks ESM Security Client is installed on a workstation, the
STEngine service is set to run under the local SYSTEM account. This
service is implemented within the following executable.
File Name: STEngine.exe (1,847,296 bytes)
Version: 3.5.0.20
MD5: B5402A1EC8D04130304EBA89AF843916
rPath Linux 1
rPath Linux 2
Rating: Major
Exposure Level Classification:
Local System User Non-deterministic Vulnerability
Updated Versions:
gzip=conary.rpath.com@rpl:1/1.3.5-4.1-1
gzip=conary.rpath.com@rpl:2/1.3.12-4.1-1
rPath Issue Tracking System:
During testing, it was found that the x4.2.1 firmware runs the web server as the
"nobody" user, which somewhat limits the amount of sensitive information that
may be obtained. However, since shadowed passwords were not configured, it was
possible to retrieve all local system users' password hashes from /etc/passwd.
Additional password hashes are available in /tandberg/persistent/etc/digest.
Versions Affected
-----------------
Updated packages have been released that fully address the vulnerability.
For reference the original advisory follows.
Chris Howells discovered that policyd-weight, a policy daemon for the Postfix
mail transport agent, created its socket in an insecure way, which may be
exploited to overwrite or remove arbitrary files from the local system.
For the stable distribution (etch), this problem has been fixed in version
0.1.14-beta-6etch2.
The old stable distribution (sarge) does not contain a policyd-weight package.
======================================================================
2) Severity
Rating: Less critical
Impact: Exposure of sensitive information
Where: Local system
======================================================================
3) Vendor's Description of Software
"Timeclock-software.net's free software product will be a simple
rPath Linux 1
rPath Appliance Platform Linux Service 1
Rating: Critical
Exposure Level Classification:
Local System User Deterministic Vulnerability
Updated Versions:
kernel=conary.rpath.com@rpl:1-vmware/2.6.22.16-0.1-1
kernel=conary.rpath.com@rpl:1-xen/2.6.16.33-0.2-1
kernel=conary.rpath.com@rpl:1/2.6.22.16-0.1-1
kernel=rap.rpath.com@rpath:linux-1/2.6.22.16-1-1
When the first certificate in the chain is validated, the following
process takes place.
1. The chaining engine will attempt to find the certificate of
the CA that issued the certificate being examined. The chaining engine
will inspect the local system certificate stores to find the parent CA
certificate. The local system stores include the CA store, the Root
store, and the Enterprise Trust store. If the parent CA certificate is
not found in the local system certificate stores, the parent CA
certificate is downloaded from one of the URLs available in the
inspected certificates AIA extensions. The paths are built without
Synopsis
========
Postfix incorrectly checks the ownership of a mailbox, allowing, in
certain circumstances, to append data to arbitrary files on a local
system with root privileges.
Background
==========
Postfix is Wietse Venema's mailer that attempts to be fast, easy to
this zone.
* Local Machine Zone: the Local Machine zone is an implicit zone for
content that exists on the local computer. The content found on the
user's computer (except for content that Internet Explorer caches on the
local system) is treated with a high level of trust.
THE PROBLEM
There are issues in the manner that security policies are applied when a
URI is specified in the UNC form: