modern operating systems
announced today the free, world-wide availability of version 3.2 of
their exploit development and attack framework. The latest version
is provided under a true open source software license (BSD) and is
backed by a community-based development team.
Metasploit runs on all modern operating systems, including Linux,
Windows, Mac OS X, and most flavors of BSD. Metasploit has been used
on a wide range of hardware platforms, from massive Unix mainframes to
the iPhone. Users can access Metasploit using the tab-completing console
interface, the Gtk GUI, the command line scripting interface, or the
AJAX-enabled web interface. The Windows version of Metasploit includes
targeted user must load a malicious Web page created by an attacker. An
attacker typically accomplishes this via social engineering or injecting
content into compromised, trusted sites.
Exploitation of heap overflow vulnerabilities on modern operating
systems can at times be difficult due to various heap integrity
protections. However, the Pack200 code uses a custom allocator that
does not contain such integrity checks. Labs testing has demonstrated
that code execution is possible on the Linux platform. A similar
methodology is likely to be successful on the Windows platform.
> > I still don't see why this bug should be considered as a security issue but not
> > as an ordinary bug.
>
> Because it's a form of privilege escalation. Non-root processes can't
> normally send signals to processes which are owned by another UID (and
> most modern operating systems prevent non-root processes from sending
> signals to any process where suid/sgid is involved regardless of the
> current UID or EUID).
>
I repeat, this bug cannot be abused to send an arbitrary signal to an arbitrary
process in the system. Only direct successors (children) are affected, and this
is not possible to exploit this vulnerability in a completely automated
fashion without a user asking to view the file. However, after a user
has requested the attachment, no further interaction is necessary.
Exploitation of heap overflow vulnerabilities on modern operating
systems can be difficult due to heap integrity checks. However, the
code in the PDF Distiller offers a wide variety of application-specific
targets for overwriting. By sculpting the heap it is possible to place
pointers in the buffer and use these to gain arbitrary code execution.
IV. DETECTION
were fixed since last year’s release of version 3.2, making this one of
the more well-tested releases yet.
- http://www.metasploit.com/framework/download/
Metasploit runs on all modern operating systems, including Linux,
Windows, Mac OS X, and most flavors of BSD. Metasploit has been used on
a wide range of hardware platforms, from massive Unix mainframes to the
Apple® iPhone™. Installers are available for the Windows and Linux
platforms, bundling all dependencies into a single package for ease of
installation. The latest version of the Metasploit Framework, as well as
On IPv6 networks, hosts automatically find out about available
routers via ICMPv6 router announcements which are sent by the
routers. Additionally, router announcements are used to replace
DHCP by the so-called autoconfiguration feature.
Windows and FreeBSD - like all modern operating systems - enable
IPv6 and autoconfiguration by default and are thereby vulnerable.
A personal firewall will not protect against this attack.
If a system receives a router announcement of a new router, it
updates its routing table with the new router, and if the
Advisory URL: http://securityreason.com/achievement_securityalert/49
Vendor: http://httpd.apache.org
- --- 0.Description ---
The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.
Apache has been the most popular web server on the Internet since April 1996. The November 2005 Netcraft Web Server Survey found that more than 70% of the web sites on the Internet are using Apache, thus making it more widely used than all other web servers combined.
mod_proxy_ftp : http://httpd.apache.org/docs/2.2/mod/mod_proxy_ftp.html
>
> For running arbitrary code...The main architectures running OpenVMS
> (Alpha, VAX) have Page Table Entries set such that the Fault-on-
> execute bit is set for
> the user stack...i.e. equivalent to a non-executable stack on other
> modern operating systems.
>
> However this doesn't stop a "return-into-libc" type attack...library
> functions can be returned into. One possible candidate is returning
> into the lib$spawn() library function.
>
> I still don't see why this bug should be considered as a security issue but not
> as an ordinary bug.
Because it's a form of privilege escalation. Non-root processes can't
normally send signals to processes which are owned by another UID (and
most modern operating systems prevent non-root processes from sending
signals to any process where suid/sgid is involved regardless of the
current UID or EUID).
> > Moreover, I would suggest that exec()ing a suid/sgid binary should
> > reset *everything* which is not explicitly specified as being
etc..
-----------
For running arbitrary code...The main architectures running OpenVMS (Alpha, VAX) have Page Table Entries set such that the Fault-on-execute bit is set for
the user stack...i.e. equivalent to a non-executable stack on other modern operating systems.
However this doesn't stop a "return-into-libc" type attack...library functions can be returned into. One possible candidate is returning into the lib$spawn() library function.
Take it easy.
> > > I still don't see why this bug should be considered as a security issue but not
> > > as an ordinary bug.
> >
> > Because it's a form of privilege escalation. Non-root processes can't
> > normally send signals to processes which are owned by another UID (and
> > most modern operating systems prevent non-root processes from sending
> > signals to any process where suid/sgid is involved regardless of the
> > current UID or EUID).
>
> I repeat, this bug cannot be abused to send an arbitrary signal to an arbitrary
> process in the system. Only direct successors (children) are affected, and this
administrators to verify patch installations, product vendors to
perform regression testing, and security researchers world-wide. The
framework is written in the Ruby programming language and includes
components written in C and assembler.
Metasploit runs on all modern operating systems, including Linux,
Windows, Mac OS X, and most flavors of BSD. Metasploit has been used
on a wide range of hardware platforms, from massive Unix mainframes to
the tiny Nokia n800 handheld. Users can access Metasploit using the
tab-completing console interface, the Gtk GUI, the command line scripting
interface, or the AJAX-enabled web interface. The Windows version of
http://securityreason.com/achievement_securityalert/48
Vendor: http://httpd.apache.org
- --- 0.Description ---
mod_proxy_balancer : http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html
Vendor: http://httpd.apache.org
- --- 0.Description ---
Advisory URL: http://securityreason.com/achievement_securityalert/46
Vendor: http://httpd.apache.org
- --- 0.Description ---
- --- 1. Apache2 XSS Undefined Charset UTF-7 XSS Vulnerability ---