Security ON: Local OS Authentication
SNMP OFF
Listener Parameter
File /home/joxean/oracle11g/product/11.1.0/db_2/network/admin/listener.ora
Listener Log File /home/joxean/oracle11g/diag/tnslsnr/joxeandesktop/
listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=1521)))
Services Summary...
Service "ORCL11" has 2 instance(s).
Vulnerability overview:
-----------------------
A format string vulnerability exists in the logfile parsing function of
SonicOS. An attacker could crash the system or execute arbitrary code by
injecting format string metacharacters into the logfile, if an
administrator subsequently uses the SonicOS GUI to view the log.
Debian-specific: no
CVE Id : CVE-2009-4235
It was discovered that acpid, the Advanced Configuration and Power
Interface event daemon, on the oldstable distribution (etch) creates
its log file with weak permissions, which might expose sensitive
information or might be abused by a local user to consume all free disk
space on the same partition as the file.
For the oldstable distribution (etch), this problem has been fixed in
Proof-of-concept:
---------------
In 4.0.0.810, the bug can be beautifully demonstrated by supplying a
crafted config file and then viewing the debug logfile. A configuration
like this...
<Connection name=> AAAAAAAAAA%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%
x.%x
<HostName> BBBBBBBBBB%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%
notifies the user about the message and the attached files making the
attack invisible for the target.
The other bug is a logging file content manipulation vulnerability
allowing the attacker to use the data inside protocol's packet to
disrupt the log file with control characters like '\n' and others. This
bug is not very important alone, but could be combined with the
traversal bug to cover tracks about the file upload inserting false log
lines or control characters.
In the following code the program obtains the filename from the
8.4. *Directory traversal*
[BID 32945] Insufficient validation in 'log.jsp' allows remote attackers
to read any .log file that the user running Openfire has access to. The
vulnerable code located in 'log.jsp' is the following:
/-----------
File logDir = new File(Log.getLogDirectory());
Escape sequences are special character sequences that are used to
instruct the terminal to perform special operations like executing
commands [4, 5] or dumping the buffer to a file [6, 7].
When the webserver is executed in foreground in a pty or when the
logfiles are viewed with tools like "cat" or "tail" such control chars
reach the terminal and are executed.
III. ANALYSIS
Summary:
Alkacon OpenCms logfileViewSettings.jsp XSS, file disclosure
Product: Alkacon OpenCms
http://www.opencms.org/
OpenCms contains a vulnerability in the Logfile Viewer Settings function. Input to Parameter filePath.0 in page opencms/system/workplace/admin/workplace/logfileview/logfileViewSettings.jsp is not sufficiently validated and/or sanitized. This can be exploited as a cross-site scripting issue but also as a file access issue, which allows a disclosure of arbitrary files that are readable in the OS security context of the JSP container process. The resulting page even has a "Download" button, which facilitates retrieving binary files. Possible targeted files could be /etc/passwd, /proc pseudo-files, Java keystore, OpenCms configuration file (with database password), etc.
Only OpenCms users in administrator roles have access to the vulnerable URL, which partially reduces the severity of the file disclosure aspect.
Certain input passed in HTTP requests to the CAD service is not
properly sanitised before being logged. This can be exploited to
insert arbitrary HTML and script code into dsmerror.log, which is
executed in a user's browser session in context of the affected site
when e.g. viewing the log file via the web-based interface using the
"FILE" functionality of the CAD service.
======================================================================
4) Solution
- http://www.tempest.com.br/advisories/tsi-adv-1201/
=====[ Detailed description ]===========================================
The web management interface on the Polycom device allows users to
download two log files ("system log" and "error log"). This feature is
available through the following menus:
Diagnostics --> System Log --> Download Logs
The access to these log files is provided by the script "a_getlog.cgi",
If the sysctl(8) variable security.jail.chflags_allowed is set to 0
(the default), setting the "sunlnk" system flag on /var, /var/log,
/var/log/console.log, and all file system mount points and their
parent directories inside the jail(s) will ensure that the console
log file and mount points are not replaced by symbolic links. If
this is done while jails are running, the administrator must check
that an attacker has not replaced any directories with symlinks
after setting the "sunlnk" flag.
V. Solution
SEC Consult Security Advisory < 20101021-0 >
=======================================================================
title: Multiple critical vulnerabilities
product: Sawmill - Universal Log File Analysis
vulnerable version: Sawmill Enterprise < v8.1.7.3
fixed version: v8.1.7.3
impact: critical
homepage: http://www.sawmill.net
found: 2010-07-20
by: J. Greil / SEC Consult / www.sec-consult.com
The HTTP Digest Access Authentication implementation performed
insufficient countermeasures against replay attacks.
CVE-2011-2204
In rare setups passwords were written into a logfile.
CVE-2011-2526
Missing input sanitising in the HTTP APR or HTTP NIO connectors
could lead to denial of service.
CA Arcot WebFort Versatile Authentication Server (VAS) 6.2.5
How to determine if the installation is affected
Check the CA Arcot WebFort Versatile Authentication Server log file
to determine the installed release version.
1) Using Windows Explorer, navigate to the following directory
"%ARCOT_HOME%\logs"
10 C: *
11 S: 501 5.7.0 Authentication aborted
12 C: AUTH DIGEST-MD5
13 Connection closed by foreign host.
In the mail logfile, Postfix will log a warning similar to:
postfix/master[2213]: warning: process /usr/libexec/postfix/smtpd
pid 22585 killed by signal 11
Background
C] termination of FxIAList
--------------------------
FxIAList is a service which runs on the TCP port 6162 and is used for
the logging operations which include the commands "exit", "trace on"
"verbose", "trace off" and the name of the log file to create
(xxxx.xx.xx) and its content.
The main problem is that the server doesn't require authentication so
anyone can send the "exit" command and the service will just terminate.
upload and execute the Metasploit payload stager when stacked queries
SQL injection is not supported, for instance on MySQL/PHP and
MySQL/ASP, but there is a writable folder within the web server
document root (Bernardo and Miroslav).
* Added support for regular expression based scope when parsing Burp
or Web Scarab proxy log file (-l), --scope (Miroslav).
* Major bug fix and enhancements to the multi-threading (--threads)
functionality (Miroslav).
Complete list of changes at
https://svn.sqlmap.org/sqlmap/trunk/sqlmap/doc/ChangeLog.
This is not a common situation, especially when doing LFI2RCE attacks
as shown in [5] (Local File Inclusion to Remote Code Execution attacks
are when a LFI can be automatically exploited into an RCE finding a way
to put an attacker controlled payload on the target filesystem in an
existing file, like a logfile, and then including it).
Normally, to mount a successful LFI attack, the attacker must control the
end of the path; since filesystem functions in PHP are normally not
binary safe, a null byte can be used to truncate it.
from a lower version of Fusion are affected.
b. vSphere Client internal browser input validation vulnerability
The vSphere Client has an internal browser that renders html
pages from log file entries. This browser doesn't properly
sanitize input and may run script that is introduced into the
log files. In order for the script to run, the user would need
to open an individual, malicious log file entry. The script
would run with the permissions of the user that runs the vSphere
Client.
A vulnerability has been found and corrected in ruby:
WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through
patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev
writes data to a log file without sanitizing non-printable characters,
which might allow remote attackers to modify a window's title,
or possibly execute arbitrary commands or overwrite files, via an
HTTP request containing an escape sequence for a terminal emulator
(CVE-2009-4492).
Local exploitation of a directory traversal vulnerability in IBM Corp.'s
DB2 Universal Database allows attackers to cause a denial of service
(DoS) condition or elevate privileges to root.
Some DB2 binaries that are installed setuid-root will save event
information to a log file. When creating the full path to the
destination file, an environment variable is concatenated with "/tmp/".
Since there is no checking for path traversal strings, such as "../",
within the environment variable, an attacker is able to create
arbitrary files on the system.
--------------------------
The problem specifically exists because SYSTEM privileges are not
dropped when accessing the GSC properties from the System Tray applet.
The vulnerability can be exploited by right-clicking the System Tray
icon, choosing "Log", right click "Event Viewer", "Open Log File...".
The opened file selected can be abused by navigating to C:\WINDOWS
\SYSTEM32\, right-clicking cmd.exe, then selecting "Open"; doing so
spawns a command shell with SYSTEM privileges.
Option "omit TOG-CUP"
EndSubSection
EndSection
To check if the extension is built-in to the server, grep the output of
the X Server log file as shown below.
grep built-in /var/log/Xorg.0.log
The result will list all built in extensions. The location of the log
file may need to be changed.
http://target.com/index.php?ajax=../../.htaccess%00
+--> Remote Code Execution
This attack should be done in two phases. First use the LFI to inject
the desired php code in the web server
log file. Then use the LFI again to execute it.
For example if you want to run '<?php echo "ShahShah..."; ?>' code,
first send the following HTTP packet:
GET /rss.php?module=../<?php echo "ShahShah..."; ?>%00 HTTP/1.0
Host: target.com
User-Agent: UA
Debian-specific: no
CVE Id(s) : CVE-2008-3714
Debian Bug : 495432
Morgan Todd discovered a cross-site scripting vulnerability in awstats,
a log file analyzer, involving the "config" request parameter (and
possibly others; CVE-2008-3714).
For the stable distribution (etch), this problem has been fixed in version
6.5+dfsg-1+etch1.
Description:
HFS versions 1.5g to 2.3 Beta (and possibly version 1.5f) are
vulnerable to log forging and username spoofing vulnerabilities.
Remote attackers can appear to be logged in with any desired
username or perform log injection in the log file and GUI panel.
Technical details are included below.
----------------------------------------------------------------
Details (Replicating the issues):
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Oracle TimesTen. User interaction is not
required to exploit this vulnerability.
The specific flaw exists in the evtdump CGI module, which is used to
write to an internal log file. The parameter 'msg' does not properly
sanitize format string tokens and can be exploited to execute arbitrary
code.
-- Vendor Response:
Oracle has issued an update to correct this vulnerability. More
A SOAP interface is available at the "/SOAP" URL. It is usually used
through the command-line client "edirutil.exe". This tool enforces
access control internally: the user is never authenticated directly on
the server, and authentication state is kept locally (i.e. client side).
It can by default be exploited to get the full DN, modify the name of
the log file, read its content, stop and start eDirectory components ...
Additional commands (depending on the server configuration) can be used
to backup the database to a file, allowing full compromise of the
directory when combined with the read_logs action.
nicob $> ./eMBox.pl 192.168.1.1 set_logfile c:\\boot.ini
arbitrary code, gain privileges, or cause a denial of service
condition. These vulnerabilities exist in the products and on the
platforms listed below. These vulnerabilities do not impact any
Windows-based Ingres installation. The first vulnerability,
CVE-2008-3356, allows an unauthenticated attacker to potentially
set the user and/or group ownership of a verifydb log file to be
Ingres allowing read/write permissions to both. The second
vulnerability, CVE-2008-3357, allows an unauthenticated attacker
to exploit a pointer overwrite vulnerability to execute arbitrary
code within the context of the database server process. The third
vulnerability, CVE-2008-3389, allows an unauthenticated attacker
The debian package provides sing as a suid binary (actually,
the sid distribution asks the user whether he'd like it installed suid,
I'm not 100% sure, but in etch, it installs it suid, anyway, should
check).
The sing program has the "-L" option to log its output into a log file.
Due to lack of file ownership checking, any file could be overwritten
(more precisely, appended to) with its log output.
I tried to play with making the output usable for some privileges
escalation purposes, but failed initially (sing escapes some bad input,