log files
Escape sequences are special character sequences that instruct the terminal
to perform operations such as executing commands [4, 5] or dumping the
buffer to a file [6, 7].
When the web server runs in the foreground in a pty, or when the log files
are viewed with tools like "cat" or "tail", such control characters reach
the terminal and are interpreted.
III. ANALYSIS
Summary:
notifies the user about the message and the attached files, making the
attack invisible to the target.
The other bug is a log file content manipulation vulnerability that lets the
attacker use data carried inside the protocol's packet to corrupt the log
file with control characters such as '\n'. On its own this bug is of limited
importance, but combined with the traversal bug it could be used to cover
the tracks of the file upload by inserting false log lines or control
characters.
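The terminal escape sequences and the newline-based log forgery described above share one root cause: attacker-controlled bytes are written to the log unescaped. The following Python is an added example, not code from the advisory or from the affected product. It constructs such a payload, shows how a viewer sees the raw record versus the sanitized one, and scans a log for CSI/OSC escape sequences. The log format and all sample values are invented for the illustration.

```python
import re

# Constructed attacker-controlled value, say a filename taken from a protocol
# packet: a CRLF to forge a second log record, then a CSI "clear screen" and
# "cursor home" sequence aimed at whoever later runs "tail" on the file.
ATTACKER_VALUE = (
    "upload.txt\r\n"
    "2011-05-10 12:00:01 INFO upload rejected name=other.txt"
    "\x1b[2J\x1b[H"
)

# ESC [ ... final byte (CSI) or ESC ] ... BEL / ESC \ (OSC).
ANSI_SEQ = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")
# Every C0 control character except TAB, plus DEL. ESC, CR and LF are in here.
CONTROL_CHAR = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def sanitize_field(value: str) -> str:
    """Escape a field so one event can only occupy one line and cannot carry
    terminal control characters. Backslashes are doubled first so the result
    can be decoded unambiguously."""
    value = value.replace("\\", "\\\\")
    return CONTROL_CHAR.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def log_line(name: str, sanitize: bool) -> str:
    """Format one record the way the (constructed) application would."""
    field = sanitize_field(name) if sanitize else name
    return "2011-05-10 12:00:00 INFO upload accepted name=%s" % field


def records(log_text: str) -> list:
    """How cat, tail or a log analyser sees the file: one record per line."""
    return log_text.splitlines()


def find_terminal_escapes(log_text: str) -> list:
    """Return (line_no, sequence) for every escape sequence in the log."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), 1):
        for m in ANSI_SEQ.finditer(line):
            hits.append((no, m.group()))
    return hits


if __name__ == "__main__":
    raw = log_line(ATTACKER_VALUE, sanitize=False) + "\n"
    safe = log_line(ATTACKER_VALUE, sanitize=True) + "\n"
    print("raw log:       %d records, the second one forged" % len(records(raw)))
    print("sanitized log: %d record" % len(records(safe)))
    print("escape sequences in raw log:", find_terminal_escapes(raw))
    print("sanitized record:", safe.rstrip("\n"))
```

The forged record in the raw log is indistinguishable from a genuine one once the file is split on newlines, which is why the escaping has to happen at write time; after the fact only the escape sequences can still be detected. When reading a log of unknown provenance from a terminal, use "cat -v" or "less" (which displays control characters as ^[) rather than plain "cat" or "tail".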
In the following code the program obtains the filename from the
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02821425
Version: 1
HPSBMA02672 SSRT100485 rev.1 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows, Local Read and Write Access to Data and Log Files
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-05-10
Last Updated: 2011-05-10
Debian-specific: no
CVE Id : CVE-2009-4235
It was discovered that acpid, the Advanced Configuration and Power
Interface event daemon, on the oldstable distribution (etch) creates
its log file with weak permissions, which might expose sensitive
information or might be abused by a local user to consume all free disk
space on the partition holding the file.
For the oldstable distribution (etch), this problem has been fixed in
Proof-of-concept:
---------------
In 4.0.0.810, the bug can be beautifully demonstrated by supplying a
crafted config file and then viewing the debug logfile. A configuration
like this...
<Connection name=> AAAAAAAAAA%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x
<HostName> BBBBBBBBBB%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%
from a lower version of Fusion are affected.
b. vSphere Client internal browser input validation vulnerability
The vSphere Client has an internal browser that renders html
pages from log file entries. This browser doesn't properly
sanitize input and may run script that is introduced into the
log files. In order for the script to run, the user would need
to open an individual, malicious log file entry. The script
would run with the permissions of the user that runs the vSphere
Client.
[...]
> 5. Granted, access to the sysbacktrace logs is only possible with
> ssh access to the box; however, if these logs are attached to a support
> ticket through email they are sent in the clear, or if these log files are
> routinely dumped and stored the password is available in clear text.
> Additionally, in most cases MARS will be monitoring Active Directory
> data; in order to access Domain Controllers, 'Domain Admin' rights must
> be included in the account.
Vulnerability overview:
-----------------------
A format string vulnerability exists in the logfile parsing function of
SonicOS. An attacker could crash the system or execute arbitrary code by
injecting format string metacharacters into the logfile, if an
administrator subsequently uses the SonicOS GUI to view the log.
To disable discovery through Secure NaviCLI
Set the following custom property in the management server user interface by going to Configuration > Product Health > Advanced > Custom Properties:
cimom.provider.clariion.secure=false
Stop the management server service
Move the management server log file (appstormanager.log) and the associated rolled log files into a secure location.
Restart the management server service
Note: When the custom property, cimom.provider.clariion.secure , is set to false the management server will be unable to manage CLARiiON arrays through Secure NaviCLI. CLARiiON systems will no longer be discovered by the management server through Secure NaviCLI.
Note: The log files may be discarded when they are no longer needed for diagnostic purposes.
8.4. *Directory traversal*
[BID 32945] Insufficient validation in 'log.jsp' allows remote attackers
to read any .log file that the user running Openfire has access to. The
vulnerable code located in 'log.jsp' is the following:
/-----------
File logDir = new File(Log.getLogDirectory());
My apologies if this question is inappropriate for this email list, but it is a last resort and a friend recommended posting this question here.
In the last 36 hours I uncovered an exploit that compromises the private information of thousands of individuals - including SSN and address information. I cannot judge whether or not the exploit is easy to find. I do know that if found, it would not be difficult to write a simple script in php or perl to exploit the hole.
My concern is that the company responsible for this hole (for whom I am currently employed) will patch the problem on seeing it occur on Monday (a good thing) but do little or nothing to notify any user whose private information is on their system (downplaying the likelihood of risk). This exploit has very likely existed for years and whether or not a company typically keeps logs for years is beyond my knowledge - the exploit is however detectable through web log files. I also lack faith in the company's ability to make an objective determination whether or not the exploit has been used to download the private information of its users.
My question is this - does anyone out there have any experience dealing with this type of a situation? --- Where a company has silenced an exploit without notifying customers who may have been victims of it? Does anyone have any recommendations for a course of action I might take to somehow ensure users whose private information may have been compromised are notified in the event the company chooses to "sweep it under the rug"?
Again my apologies if my asking this question in the wrong forum has offended anyone.
A SOAP interface is available at the "/SOAP" URL. It is usually used
through the command-line client "edirutil.exe". This tool enforces
access control internally: the user is never authenticated directly on
the server, and authentication state is kept locally (i.e. client side).
It can by default be exploited to get the full DN, modify the name of
the log file, read its content, stop and start eDirectory components ...
Additional commands (depending on the server configuration) can be used
to backup the database to a file, allowing full compromise of the
directory when combined with the read_logs action.
nicob $> ./eMBox.pl 192.168.1.1 set_logfile c:\\boot.ini
C] termination of FxIAList
--------------------------
FxIAList is a service which runs on the TCP port 6162 and is used for
the logging operations, which include the commands "exit", "trace on",
"verbose" and "trace off", and the name of the log file to create
(xxxx.xx.xx) and its content.
The main problem is that the server doesn't require authentication so
anyone can send the "exit" command and the service will just terminate.
modified in a malicious way. To terminate the predefined file ending, a
null byte has to be appended after the file to be included. The
following GET request can be used, for example, to retrieve the contents
of the boot.ini file on a server running Windows. This vulnerability can
also be used to execute malicious PHP code (e.g. PHP code that has been
written into log files).
PoC request
GET /mydms/op/op.Login.php?login=guest&sesstheme=&lang=../../../../
discovered to have several weaknesses (CVE-2011-1184).
Apache Tomcat, when the MemoryUserDatabase is used, creates log entries
containing passwords upon encountering errors in JMX user creation,
which allows local users to obtain sensitive information by reading
a log file (CVE-2011-2204).
Apache Tomcat, when sendfile is enabled for the HTTP APR or HTTP
NIO connector, does not validate certain request attributes, which
allows local users to bypass intended file access restrictions or
cause a denial of service (infinite loop or JVM crash) by leveraging
10 C: *
11 S: 501 5.7.0 Authentication aborted
12 C: AUTH DIGEST-MD5
13 Connection closed by foreign host.
In the mail logfile, Postfix will log a warning similar to:
postfix/master[2213]: warning: process /usr/libexec/postfix/smtpd
pid 22585 killed by signal 11
Background
- http://www.tempest.com.br/advisories/tsi-adv-1201/
=====[ Detailed description ]===========================================
The web management interface on the Polycom device allows users to
download two log files ("system log" and "error log"). This feature is
available through the following menus:
Diagnostics --> System Log --> Download Logs
Access to these log files is provided by the script "a_getlog.cgi",
malformed images. If a user or automated system were tricked into opening a
crafted PNG image file, a remote attacker could cause a denial of service or
execute arbitrary code with user privileges. In Ubuntu 7.10, 8.04 LTS, and 8.10,
attackers would be isolated by the AppArmor CUPS profile. (CVE-2008-5286)
It was discovered that the example pstopdf CUPS filter created log files in an
insecure way. Local users could exploit a race condition to create or overwrite
files with the privileges of the user invoking the program. This issue only
applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2008-5377)
Url_PrefixUnInstall /logs
Note: For further information please refer to the following document.
Document title: CAE Alert: Unauthenticated access to HPCA log files from a web browser
Document ID: KM897874
The document is available from the HP Software Support Online portal at http://support.openview.hp.com/
PRODUCT SPECIFIC INFORMATION
_______________________________________________________________________
Problem Description:
Gavin McCullagh of Griffith College Dublin reported an issue in Kolab
v1 where user passwords were being recorded in the Apache log files
due to Kolab using HTTP GET requests rather than HTTP POST requests.
This would allow any users with access to the Apache log files to
harvest user passwords and possibly other sensitive data.
The patch to fix this problem also corrects an issue where
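Logging a GET-based login puts the credentials straight into the access log, which is the Kolab problem above. As an added example, not code from Kolab or from the advisory, the following Python scans constructed Apache combined-format lines for requests that carried sensitive parameters in the query string and redacts the values before such a log is shared. The parameter names, the log lines and the addresses are assumptions made for the illustration; the POST request is deliberately not flagged because the access log records the request line, not the body.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed Apache combined-format lines (not from any real server).
ACCESS_LOG = """\
10.0.0.5 - - [10/May/2011:10:01:12 +0200] "GET /index.php?page=inbox HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [10/May/2011:10:01:40 +0200] "GET /login.php?username=alice&password=Tr0ub4dor HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [10/May/2011:10:02:03 +0200] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [10/May/2011:10:03:15 +0200] "GET /admin?session=abc123&passwd=hunter2 HTTP/1.1" 200 800 "-" "curl/7.19"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# Assumed list of parameter names worth flagging; extend it for the application.
SENSITIVE_PARAMS = {"password", "passwd", "pass", "pwd", "session", "token", "secret"}


def sensitive_params(target: str) -> list:
    """Names of sensitive parameters present in the request target's query."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return sorted({k for k, _ in pairs if k.lower() in SENSITIVE_PARAMS})


def find_leaks(log_text: str) -> list:
    """(line_no, client_ip, method, [param names]) for each leaking request.
    A POST login never shows up here: the access log holds the request line,
    not the body, which is why moving the login from GET to POST fixes it."""
    leaks = []
    for no, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        params = sensitive_params(m.group("target"))
        if params:
            leaks.append((no, m.group("ip"), m.group("method"), params))
    return leaks


def redact_target(target: str) -> str:
    """Replace sensitive query values before the log is shared or archived."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(pairs)).geturl()


def redact_log(log_text: str) -> str:
    """Rewrite every request target in the log through redact_target()."""
    out = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            start, end = m.start("target"), m.end("target")
            line = line[:start] + redact_target(line[start:end]) + line[end:]
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for no, ip, method, params in find_leaks(ACCESS_LOG):
        print("line %d: %s %s leaks %s" % (no, ip, method, ", ".join(params)))
    print(redact_log(ACCESS_LOG))
```

Redaction is a containment measure for logs that already exist; the fix for the application is to stop sending secrets in the request line, since the same URL also ends up in browser history, proxy logs and Referer headers.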
This is not a common situation, especially when doing LFI2RCE attacks
as shown in [5] (Local File Inclusion to Remote Code Execution attacks
are those where an LFI can be escalated into an RCE by finding a way
to put an attacker-controlled payload into an existing file on the
target filesystem, like a log file, and then including it).
Normally, to mount a successful LFI attack the attacker must control the
end of the path; since filesystem functions in PHP are normally not
binary safe, a null byte can be used.
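The Openfire 'log.jsp' traversal (section 8.4) and the null-byte truncation used in the LFI requests above both come down to where a user-supplied file name ends up after the filesystem layer is done with it, as opposed to what the application's own string check saw. The following Python is an added example, not code from Openfire, from the DMS, or from either advisory. The log directory is an assumption, and the checks are string-only so that the example runs offline; the vulnerable function simulates the NUL truncation that a C or PHP filesystem call performs.

```python
import posixpath

# Assumed log directory for the example; the page does not give the product's layout.
LOG_DIR = "/var/log/openfire"


def as_c_string(path: str) -> str:
    """What a NUL-terminated C or PHP filesystem call actually sees: everything
    after the first NUL byte is gone, so a '.log' or '.php' appended by the
    application to satisfy a suffix check disappears at the syscall."""
    return path.split("\x00", 1)[0]


def naive_log_path(requested: str) -> str:
    """Vulnerable shape: join the user's name to the log directory and check
    only the suffix of the string the application holds."""
    path = posixpath.join(LOG_DIR, requested)
    if not path.endswith(".log"):
        raise ValueError("not a .log file")
    # The check passed on the application's string; the kernel gets the C string.
    return posixpath.normpath(as_c_string(path))


def safe_log_path(requested: str) -> str:
    """Hardened: reject NUL, normalise, then require containment and the suffix."""
    if "\x00" in requested:
        raise ValueError("NUL byte in file name")
    candidate = posixpath.normpath(posixpath.join(LOG_DIR, requested))
    # join() discards LOG_DIR when `requested` is absolute and normpath()
    # collapses '..' segments; commonpath() then catches both kinds of escape.
    if posixpath.commonpath([LOG_DIR, candidate]) != LOG_DIR:
        raise ValueError("path escapes the log directory")
    if not candidate.endswith(".log"):
        raise ValueError("not a .log file")
    # In production also resolve symlinks (os.path.realpath) on both sides and
    # open with O_NOFOLLOW; kept string-only here so the example runs offline.
    return candidate


def rejects(requested: str) -> bool:
    """True if safe_log_path() refuses the name."""
    try:
        safe_log_path(requested)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "../../../etc/passwd\x00.log"
    print("naive check accepted, kernel opens:", naive_log_path(payload))
    print("hardened check accepted openfire.log:", safe_log_path("openfire.log"))
    for bad in (payload, "../../../etc/passwd", "/etc/passwd.log", "../other/app.log"):
        print("hardened check rejects %r: %s" % (bad, rejects(bad)))
```

Checking the suffix of the application-side string is exactly the mistake the null byte defeats; the containment test has to be applied to the normalised path, and the NUL has to be rejected outright rather than relied upon to be harmless.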
CA Arcot WebFort Versatile Authentication Server (VAS) 6.2.5
How to determine if the installation is affected
Check the CA Arcot WebFort Versatile Authentication Server log file
to determine the installed release version.
1) Using Windows Explorer, navigate to the following directory
"%ARCOT_HOME%\logs"
SEC Consult Security Advisory < 20101021-0 >
=======================================================================
title: Multiple critical vulnerabilities
product: Sawmill - Universal Log File Analysis
vulnerable version: Sawmill Enterprise < v8.1.7.3
fixed version: v8.1.7.3
impact: critical
homepage: http://www.sawmill.net
found: 2010-07-20
by: J. Greil / SEC Consult / www.sec-consult.com
Option "omit XFree86-Misc"
EndSubSection
EndSection
To check if the extension is built-in to the server, grep the output of
the X Server log file.
grep built-in /var/log/Xorg.0.log
The result will list all built in extensions. The location of the log
file may need to be changed.
Debian-specific: no
CVE ID : CVE-2011-0715
Debian Bug : 615995
Dominik George discovered that logwatch does not guard against shell
meta-characters in crafted log file names (such as those produced by
Samba). As a result, an attacker might be able to execute shell
commands on the system running logwatch.
For the oldstable distribution (lenny), this problem has been fixed in
version 7.3.6.cvs20080702-2lenny1.
With the configuration directives:
SecAuditEngine On
SecDebugLogLevel 9
After the attack, the last line of the debug logfile is:
[25/Feb/2009:09:51:18 +0100] [vhost/sid#884348][rid#aaf0d8][/][9]
Multipart: Added part abe458 to the list: name "(null)" (offset 0,
length 0)
1 app-admin/logsurfer+ < 1.8 >= 1.8
Description
===========
Logsurfer log files may contain substrings used for executing external
commands. The prepare_exec() function in src/exec.c contains a
double-free vulnerability.
Impact
======
In general, a standard system update will make all the necessary changes.
Details follow:
Dominik George discovered that logwatch did not properly sanitize
log file names that were passed to the shell as part of a command.
If a remote attacker were able to generate specially crafted filenames
(for example, via Samba logging), they could execute arbitrary code
with root privileges.
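Both logwatch advisories above describe the same bug class: a log file name is interpolated into a shell command string, so whoever controls the name controls the command (the advisories point at Samba, whose per-client log names in common configurations incorporate the client-supplied NetBIOS name). The following Python is an added example, not logwatch's or Samba's code, showing the vulnerable shape beside the two ways of making it safe and a detector for names that would change meaning in a shell. The file names are constructed for the illustration.

```python
import re
import shlex
import subprocess

# Constructed names. A client choosing its own NetBIOS name chooses the second one.
BENIGN_NAME = "log.workstation7"
CRAFTED_NAME = "log.ws7; echo INJECTED #"

# Characters that have meaning to /bin/sh outside quotes.
SHELL_META = re.compile(r"""[;&|`$(){}<>\\'"!*?\[\]~#\s]""")


def has_shell_meta(name: str) -> bool:
    """Detect names that would change meaning inside an unquoted shell command."""
    return SHELL_META.search(name) is not None


def unsafe_command(logfile: str) -> str:
    """The vulnerable shape: the file name is spliced into a shell string."""
    return "cat %s | head -n 1" % logfile


def quoted_command(logfile: str) -> str:
    """Fix 1: quote the name so the shell treats it as a single word."""
    return "cat %s | head -n 1" % shlex.quote(logfile)


def argv_command(logfile: str) -> list:
    """Fix 2 (preferred): no shell at all, pass an argv list."""
    return ["head", "-n", "1", logfile]


def run(cmd):
    """Run a shell string or an argv list and return captured stdout."""
    if isinstance(cmd, str):
        return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
    return subprocess.run(cmd, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("crafted name flagged:", has_shell_meta(CRAFTED_NAME))
    print("benign name flagged: ", has_shell_meta(BENIGN_NAME))
    # Neither file exists; only the unsafe form still prints INJECTED, because
    # the shell runs "echo INJECTED" after the failing cat and comments out the rest.
    for cmd in (unsafe_command(CRAFTED_NAME),
                quoted_command(CRAFTED_NAME),
                argv_command(CRAFTED_NAME)):
        print("INJECTED" in run(cmd), repr(cmd))
```

The argv form is preferred over quoting because it removes the shell from the path entirely; quoting is the right fix only where a shell feature (the pipe here) is genuinely needed. The detector is useful for auditing a log directory, not as a substitute for either fix.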
--------------
Vulnerability:
--------------
Execution of arbitrary code is possible by executing sarg with
specially crafted squid log files (access and useragent log).
The access.log has to be manually created to trigger the exploit,
as squid will not allow malformed HTTP methods.
The useragent log is more critical, as this vulnerability can be