

paths

PHP filesystem attack vectors

                   evilaliv3 DOT org)
 Date              20090207

I)    Introduction
II)   The bugs in 50 words
III)  PHP filesystem functions path normalization attack
IV)   PHP filesystem functions path normalization attack details
V)    PHP filesystem functions path truncation attack
VI)   PHP filesystem functions path truncation attack details
VII)  The facts
VIII) POC and attack code

[SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

identified additional XSS vulnerabilities if the web applications
deployed were not trusted.

Example:
GET
/manager/html/sessions?path=/&sort="><script>alert('xss')</script>order=ASC&action=injectSessions&refresh=Refresh+Sessions+list

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.0 to 7.0.4
  - Remove the Manager application

CVE-2010-3700: Spring Security bypass of security constraints

Spring Security 2.0.0 to 2.0.5
Acegi Security 1.0.0 to 1.0.7


Description:
Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification (see below). Some Servlet containers include path parameters in the value returned by getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed.

Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath() and getPathInfo().

Users of SpringSource tc Server (all versions) are not affected. tc Server uses Apache Tomcat and does not change the handling of path parameters.
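The following is an added illustration of the matching problem described above; it is not code from the advisory, from Spring Security or from any Servlet container. The constraint table, its (kind, pattern, role) layout and the request paths are constructed for the demonstration. `normalize=False` stands for a container that leaves `;name=value` path parameters in `getPathInfo()` combined with a filter that matches that raw value; `normalize=True` strips them per segment first, which is the behaviour the advisory attributes to Tomcat.

```python
# Added example (not from the advisory or Spring Security): why path
# parameters must be stripped, per segment, before a URL is matched
# against security constraints.

# Constructed constraint table, evaluated top to bottom; first match wins.
# (kind, pattern, required role) is an assumed layout, not Spring's own.
CONSTRAINTS = [
    ("exact", "/report/export", "ROLE_AUDITOR"),
    ("prefix", "/admin/", "ROLE_ADMIN"),
    ("prefix", "/account/", "ROLE_USER"),
]


def strip_path_params(path):
    """Drop ';name=value' path parameters from every segment.

    This mirrors what Tomcat does before returning getPathInfo():
    '/admin;x=1/users' becomes '/admin/users'. The parameter can sit in
    any segment, so cutting at the first ';' of the whole string is not
    enough.
    """
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def required_role(path, normalize):
    """Return the role a request for `path` needs, or None if no
    constraint applies.

    normalize=False models a container that leaves path parameters in
    getPathInfo() and a filter that trusts that value as-is;
    normalize=True strips them before matching.
    """
    candidate = strip_path_params(path) if normalize else path
    for kind, pattern, role in CONSTRAINTS:
        if kind == "exact" and candidate == pattern:
            return role
        if kind == "prefix" and candidate.startswith(pattern):
            return role
    return None


if __name__ == "__main__":
    for request in ("/admin/users", "/admin;x=1/users", "/report/export;a=b"):
        raw = required_role(request, False)
        fixed = required_role(request, True)
        print(f"{request:24} raw={raw!s:13} normalized={fixed}")
```

With the raw value, `/admin;x=1/users` matches no constraint and is served unauthenticated; after per-segment stripping it falls under `/admin/` again. The same applies to an exact rule such as `/report/export` when the parameter is appended to the last segment.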


CORE-2008-0123: Leopard Server Remote Path Traversal


      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs/

Leopard Server Remote Path Traversal


*Advisory Information*

Title: Leopard Server Remote Path Traversal

Foxit Reader Multiple Vulnerabilities (CORE-2009-0218)

properly checking that the buffer is large enough to hold the filename
string. Proof of concept PDF file also included [5].

If an 'Open/Execute a file' is defined in a PDF file, when the trigger
condition is satisfied, Foxit Reader first determines if the filename
argument has a relative path:

/-----------

00403029  |>  50            PUSH EAX
     ; /Path

BellaBook Admin Bypass/Remote Code Execution

if ($argc<5) {
print "-------------------------------------------------------------------------\r\n";
print "              BellaBook Admin Bypass/Remote Code Execution\r\n";
print "-------------------------------------------------------------------------\r\n";
print "Usage: pheap.php [OPTION] [HOST] [PATH] [USER] ([COMMAND])\r\n\r\n";
print "[OPTION]  = 0 = Credentials Disclosures\r\n";
print "            1 = Remote Code Execution\r\n";
print "[HOST]       = Target server's hostname or ip address\r\n";
print "[PATH]       = Path where Pheap is located\r\n";
print "[USER]       = Admin's username\r\n";

Information Leakage and Full path disclosure vulnerabilities in WordPress

I want to warn you about security vulnerabilities in WordPress which I
published on 30.07.2010 during my Day of bugs in WordPress 2 project.

------------------------------
Advisory: Day of bugs in WordPress 2: Information Leakage and Full path
disclosure vulnerabilities in WordPress
------------------------------
URL: http://websecurity.com.ua/4419/
------------------------------


IBM OmniFind - several vulnerabilities

   - Session impersonation
   - Remote buffer overflow
   - Privilege escalation in two applications
   - Missing authentication in configuration panel
   - Admin password is delivered in plaintext inside the server response
   - Cookies are set for root path, not application path
   - Crawler endless loop


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Background:

Citrix MetaFrame Privilege Escalation

The icabar.exe file is launched during an administrator logon to the
desktop via the Run registry key. Unfortunately, the IcaBar key value
does not contain a full binary path, which allows an attacker to escalate
privileges on Windows NT and 2000 in the default configuration and on
Windows 2003 in some circumstances.

This causes several instances of Windows PATH trolling, where Windows
tries to locate the icabar.exe file in the directories listed in its
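As an added example (not part of the advisory and not Citrix code), the audit a practitioner would run against a Run-key value like the one described: decide whether the value is fully qualified at all, and if not, walk the search directories in order to find which writable directory is consulted before the one that really holds the binary. The directory names, the `icabar.exe` stand-in file and the set of user-writable directories are constructed inside `demo()`; only the PATH portion of the Windows search order is modelled, which is an assumption made here (the real loader also checks the application and current directories first).

```python
# Added example (not from the advisory or Citrix): auditing an unqualified
# Run-key command for PATH-based binary planting.
import ntpath
import os
import tempfile
from pathlib import Path


def needs_path_search(command):
    """True when a Run-key value names the binary without a full path,
    so the loader has to search for it instead of opening a known file."""
    return not ntpath.isabs(command)


def resolve_unqualified(exe_name, search_dirs):
    """First directory in `search_dirs` that contains `exe_name`, or None.

    Only the PATH part of the Windows search order is modelled here
    (assumption); the real order consults the application and current
    directories before PATH.
    """
    for d in search_dirs:
        if (Path(d) / exe_name).is_file():
            return Path(d)
    return None


def hijack_candidates(exe_name, search_dirs, writable=lambda d: os.access(d, os.W_OK)):
    """Directories consulted before the genuine binary that a low-privilege
    user can write to. Planting `exe_name` in any of them makes the
    privileged logon run the attacker's file instead of the real one."""
    real = resolve_unqualified(exe_name, search_dirs)
    found = []
    for d in search_dirs:
        if real is not None and Path(d) == real:
            break
        if writable(d):
            found.append(Path(d))
    return found


def demo():
    """Constructed layout: a user-writable 'tools' directory listed on PATH
    ahead of the directory that really holds icabar.exe."""
    root = Path(tempfile.mkdtemp())
    tools, system, citrix = root / "tools", root / "system32", root / "Citrix"
    for d in (tools, system, citrix):
        d.mkdir()
    (citrix / "icabar.exe").write_bytes(b"MZ")  # constructed stand-in, not a real binary
    search_dirs = [tools, system, citrix]
    # Which directories a low-privilege user may write to is stated
    # explicitly so the demo does not depend on the temp directory's mode.
    user_writable = {tools}
    real = resolve_unqualified("icabar.exe", search_dirs)
    hijackable = hijack_candidates(
        "icabar.exe", search_dirs, lambda d: Path(d) in user_writable
    )
    return {
        "unqualified": needs_path_search("icabar.exe"),
        "qualified": needs_path_search(r"C:\Program Files\Citrix\icabar.exe"),
        "resolved_in": real.name,
        "hijackable": [d.name for d in hijackable],
    }


if __name__ == "__main__":
    print(demo())
```

The fix the check points at is the obvious one: store the fully qualified path in the Run-key value, so `needs_path_search` is false and no directory listed on PATH is ever consulted for a privileged logon.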

RadAsm <=2.2.1.5 Local Command Execution

greetz go to: www.at4re.com (Arab Team 4 Reverse Engineering), arab4services.net
Critical: Highly critical
Impact: Command Execution
------------------------------------------------------------------
This is a little PoC that can execute arbitrary commands on the victim's machine.
Unexpectedly, the attacker can put a command in the project file (".rap" file) in place of the linker path or the Macro Assembler ("ML.exe") path.
The project file looks like this
(some data has been cut to keep it readable):
-------------------------------------
project file structure
[Project]


RE: Millions of PDF invisibly embedded with your internal disk paths

Knowing the path of the home directory of an unknown host has little, if any, value.  Even if you know the host, you would have to get the user to run code interactively to leverage this "privacy issue", in addition to ensuring that the interactive user was indeed the same user that created the PDF doc.  And that code would have to be written specifically for that particular host/user, which is inefficient (barring network based home directory settings).  Any time I've needed a local user path for proof-of-concept code, I simply parse the HOMEPATH environment variable to ensure the code runs properly and that it can be easily applied to any host.

t

-----Original Message-----
From: Inferno [mailto:inferno@securethoughts.com] 
Sent: Monday, November 23, 2009 7:46 AM
To: bugtraq@securityfocus.com
Subject: Millions of PDF invisibly embedded with your internal disk paths


Outlook PR_ATTACH_METHOD file execution vulnerability

------------------------------------------------------------------------

It has been discovered that certain e-mail messages cause Outlook to
create Windows shortcut-like attachments or messages within Outlook.
Through specially crafted TNEF streams with certain MAPI attachment
properties, it is possible to set a path name to a file to be executed.
When a user double-clicks on such an attachment or message, Outlook will
proceed to execute the file named by the path value. These files can be
local files, but also files stored remotely, for example on a file
share. Exploitation is limited by the fact that it is not possible for
attackers to supply command line options.

[Suspected Spam]CSRF, Information Leakage and Full path disclosure vulnerabilities in WordPress

published on 30.07.2010 during my Day of bugs in WordPress 2 project. This
is the second advisory for this project.

------------------------------
Advisory: Day of bugs in WordPress 2: CSRF, Information Leakage and Full
path disclosure vulnerabilities in WordPress
------------------------------
URL: http://websecurity.com.ua/4420/
------------------------------

These are Cross-Site Request Forgery vulnerabilities which I found at

FlatPress 0.804-0.812.1 Local File Inclusion to Remote Command Execution

   *              This code posts a crafted comment with a very simple
PHP shell.
   *              It exploits the LFI, hides the shell in the cache directory
   *              and starts a remote command session via POST.
   *
   * Syntax: php fp-lfi2rce.php <host> <path> [action] [lang] [shell]
   *         <host>:   the hostname or IP address of your target;
   *         <path>:   the path where FlatPress was installed;
   *         [action]: the action to take against the host system
(test, attack);
   *         [lang]:   the remote language used (en, it);";

CORE-2008-0204: Timbuktu Pro Remote Path Traversal and Log Injection


      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs

Timbuktu Pro Remote Path Traversal and Log Injection


*Advisory Information*

Title: Timbuktu Pro Remote Path Traversal and Log Injection

CORE-2008-0826 - Internet Explorer Security Zone restrictions bypass

vulnerability that provides access to the contents of any file stored in
the local filesystem of user's machines running vulnerable versions of IE.

Exploitation of the vulnerability relies solely on the ability of a
would-be attacker to serve malicious HTML content from a website and
to predict the full pathname of the file that will be used to cache it
locally on the victim's system. If the entire path name can be
predicted, the attacker can cause a redirection to the locally stored
file using a URI specified in UNC form and force the local content to
be rendered as an HTML document, which permits running scripting
commands and instantiating certain ActiveX controls.

[MajorSecurity Advisory #59]PHP <=5.3 - mysqli_real_escape_string() full path disclosure


Details
=======
Product: PHP <=5.3
Security-Risk: low
Remote-Exploit: yes
Vendor-URL: http://www.php.net/
Vendor-Status: informed

[MajorSecurity Advisory #57]PHP <=5.3 - preg_match() full path disclosure


Details
=======
Product: PHP <=5.3
Security-Risk: moderate
Remote-Exploit: yes
Vendor-URL: http://www.php.net/
Vendor-Status: informed
Advisory-Status: published

libc:fts_*():multiple vendors, Denial-of-service

The function fts_read() returns a pointer to a structure describing one of the files in the file hierarchy.
The function fts_children() returns a pointer to a linked list of structures, each of which describes one of the files contained in a directory within the hierarchy.

        typedef struct _ftsent {
             unsigned short fts_info;        /* flags for FTSENT structure */
             char *fts_accpath;              /* access path */
             char *fts_path;                 /* root path */
             size_t fts_pathlen;             /* strlen(fts_path) */
             char *fts_name;                 /* file name */
             size_t fts_namelen;             /* strlen(fts_name) */
             short fts_level;                /* depth (-1 to N) */

[CAID 35970]: CA Products That Embed Ingres Authentication Vulnerability

Ingres 2.5 Single Byte Patch- Ingres 2.5 Single Byte patch
ftp://ftp.ca.com/caproducts/ips/MDB/Generic_Ingres/IIS_Vulnerability/patch-2.5.0605.12291-win-x86.zip
Potential problems installing the patches:
While testing these patches, CA identified an install issue when 
the user is presented with the option to make a backup of the 
Ingres installation. In cases where a <space> is in the path, the 
path is not properly read. The backup does get taken and is by 
default stored in the %II_SYSTEM%\ingres\install\backup directory. 
Additionally, if the user happens to press the "Set Directory" 
button, the path will be displayed. Clicking "ok" will result in a 
message stating "... spaces are not supported in paths... ". This 

[Bkis-03-2009] Multiple Vulnerabilities found in Rapidleech rev.36

These vulnerabilities are found in the Upload function, which gives users
the ability to transfer their downloaded files to Websites supporting file
sharing and storage such as yousendit.com, 4shared.com.

The first flaw (Arbitrary File Download) is due to the fact that Rapidleech
does not check the paths of downloaded files carefully. More precisely, the
file path must be an absolute path encoded in base64, and it can point to
any file on the server. This path is sent by the user as the "filename"
parameter via the GET method. This allows an attacker to access arbitrary
files on a Rapidleech server, especially files containing sensitive
information, e.g. "/etc/passwd".

Geeklog <=1.5.2 SEC_authenticate()/PHP_AUTH_USER sql injection exploit

    require_once '../../lib-common.php';

    if (PHP_VERSION < 5) {
    $_CONF['disable_webservices'] = true;
    } else {
        require_once $_CONF['path_system'] . '/lib-webservices.php';
    }
    if ($_CONF['disable_webservices']) {
        COM_displayMessageAndAbort($LANG_404[3], '', 404, 'Not Found');
    }
    header('Content-type: ' . 'application/atom+xml' . '; charset=UTF-8');

Fwd: Returned post for bugtraq@securityfocus.com

$ua = LWP::UserAgent->new;

print "\e[2J";
system(($^O eq 'MSWin32') ? 'cls' : 'clear');

my ($host, $path, $action) = @ARGV ;

unless($ARGV[2]) {
       print "Usage: perl $0 <host> <path> <action>\n";
       print "\tex: perl $0 http://site.com /etc/ list\n";
       print "\tex: perl $0 http://site.com /etc/passwd edit\n";

two bytehoard 2.1 bugs

Exploit

Log in as a bytehoard administrator
Click the "Upload files" link
Change upload directory to an arbitrary path (by pushing the change 
button and selecting another directory)
Edit the "infolder" GET parameter to ".." and go to the resulting url
The resulting page should read "Uploading to: .." to the left of the 
change button
Select a php file with a shell, exploit or action to be run in one of 
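Both the Rapidleech "filename" flaw (a base64-encoded absolute path used as-is) and the bytehoard "infolder" trick (".." handed to a directory parameter) are the same missing check: the user-controlled path is never anchored to the directory it is allowed to name. The block below is an added example, not code from either project, of the containment test that closes both; the directory layout, the sample file and the parameter values are constructed inside `demo()`, and `vulnerable_download` is only a stand-in for the trusting behaviour the advisory describes.

```python
# Added example (not from Rapidleech or bytehoard): anchoring a
# user-supplied path to a permitted directory before using it.
import base64
import tempfile
from pathlib import Path


class PathEscape(ValueError):
    """Raised when a user-supplied path would leave the permitted directory."""


def resolve_inside(base_dir, user_path):
    """Resolve `user_path` relative to `base_dir` and return the absolute
    path only if it stays inside `base_dir`.

    resolve() runs before the containment test so that an absolute path
    (which replaces the base when joined), '..' (which climbs out of it)
    and symlinks (which can point anywhere) are all seen in their final
    form. A NUL byte is rejected up front because everything after it is
    invisible to C-level path handling.
    """
    if "\x00" in user_path:
        raise PathEscape("NUL byte in path")
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise PathEscape(f"{user_path!r} resolves outside {base}")
    return candidate


def vulnerable_download(filename_b64):
    """Rapidleech-style: decode the 'filename' parameter and trust it."""
    return Path(base64.b64decode(filename_b64).decode())


def safe_download(download_dir, filename_b64):
    """Same parameter, but anchored to the download directory."""
    return resolve_inside(download_dir, base64.b64decode(filename_b64).decode())


def safe_upload_dir(upload_root, infolder):
    """bytehoard-style 'infolder' parameter, anchored to the upload root."""
    return resolve_inside(upload_root, infolder)


def _outcome(fn, *args):
    try:
        return str(fn(*args))
    except PathEscape:
        return "rejected"


def demo():
    """Constructed tree: <tmp>/downloads/reports/2010.txt and <tmp>/uploads."""
    root = Path(tempfile.mkdtemp())
    downloads, uploads = root / "downloads", root / "uploads"
    (downloads / "reports").mkdir(parents=True)
    uploads.mkdir()
    (downloads / "reports" / "2010.txt").write_text("constructed sample\n")

    def b64(s):
        return base64.b64encode(s.encode()).decode()

    return {
        "vuln_absolute": str(vulnerable_download(b64("/etc/passwd"))),
        "safe_absolute": _outcome(safe_download, downloads, b64("/etc/passwd")),
        "safe_legit": _outcome(safe_download, downloads, b64("reports/2010.txt"))
        .endswith("reports/2010.txt"),
        "upload_dotdot": _outcome(safe_upload_dir, uploads, ".."),
        "upload_nested_dotdot": _outcome(safe_upload_dir, uploads, "a/../../downloads"),
        "upload_legit": _outcome(safe_upload_dir, uploads, "incoming")
        == str(uploads.resolve() / "incoming"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

Note that the check is on the resolved path, not on the string: a blacklist of ".." or a leading "/" would still let "a/../../downloads" or a symlink through, whereas comparing against `base.parents` after `resolve()` does not.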

New bypass shell for linux

        }
if  (empty($_POST['command'] ) ) {
        }ELSE{
        if (substr(PHP_OS, 0, 3) == 'WIN') {
                $program = isset($_POST['program']) ? $_POST['program'] : "c:\winnt\system32\cmd.exe";
                $prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname."/log.txt";

                echo "</form>\n";
        }
$tb = new FORMS;


SimpNews version 2.41.03 Multiple Path Disclosure Vulnerabilities

        netVigilance Security Advisory #68

SimpNews version 2.41.03 Multiple Path Disclosure Vulnerabilities
Description:
SimpNews is a news system written in PHP. Features: data stored in MySQL, admin interface, support for multiple languages, support for multiple instances in one database, own header, multiple layout settings, support for BBCode and smilies, you can assign an icon graphic to every news entry, you can attach a file to news entries, entries can be put in categories, users can subscribe to get news sent by email, search entries, users can post comments on news entries, event calendar, newsticker, option to let users propose news entries.
External References: 
Mitre CVE: CVE-2007-4872
NVD NIST: CVE-2007-4872
OSVDB: ID requested but no answer received


The GNU C library dynamic linker expands $ORIGIN in setuid library search path


Gruezi, This is CVE-2010-3847.

The dynamic linker (or dynamic loader) is responsible for the runtime linking of
dynamically linked programs. ld.so operates in two security modes, a permissive
mode that allows a high degree of control over the load operation, and a secure
mode (libc_enable_secure) intended to prevent users from interfering with the
loading of privileged executables.

Positron Security Advisory #2009-000: Multiple Vulnerabilities in MapServer v5.2.1 and v4.10.3

II. Overview

    During an audit of the MapServer v5.2.1 source code, five (5)
vulnerabilities were identified ranging from low to medium/high
severity.  They include stack and heap overflows, a relative path
writing weakness, a file content leakage, as well as a file existence
leakage.  Furthermore, after reporting these issues to the vendor, a
second audit by the project maintainer not only determined that v4.10.3
was also affected, but that four (4) additional stack overflows existed
in the code as well.

[ISecAuditors Security Advisories] Joomla! < 1.5.12 Multiple Full Path Disclosure vulnerabilities

- Severity: 5/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Joomla! < 1.5.12 Multiple Full Path Disclosure vulnerabilities

II. BACKGROUND
-------------------------
Joomla! is an award-winning content management system (CMS), which
enables you to build Web sites and powerful online applications. Many


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.