physical access
Cisco Security Advisory: Cisco Physical Access Gateway Denial of
Service Vulnerability
Advisory ID: cisco-sa-20090624-gateway
Revision 1.0
provided by address space layout randomization (ASLR).
CVE-2011-1010
Timo Warns reported an issue in the Linux support for Mac partition tables.
Local users with physical access could cause a denial of service (panic)
by adding a storage device with a malicious map_count value.
CVE-2011-1012
Timo Warns reported an issue in the Linux support for Mac partition tables.
> How much should the average user worry about this? Not very much. Most
> notebooks from average users don't even have Firewire on them and you
> would have an easier time cracking them with a dictionary attack on
> the password and other such things, which means that this attack
> makes you no more vulnerable to compromise if you've already granted
> physical access than you were before.
You don't need a FireWire port on your laptop; a PCMCIA slot is enough,
where an attacker inserts a FireWire card. But still.. it's a physical
access attack..
sensitive kernel memory.
CVE-2011-1163
Timo Warns reported an issue in the kernel support for Alpha OSF format disk
partitions. Users with physical access can gain access to sensitive kernel
memory by adding a storage device with a specially crafted OSF partition.
CVE-2011-1170
Vasiliy Kulikov reported an issue in the Netfilter arp table
CVE-2009-4067
Rafael Dominguez Vega of MWR InfoSecurity reported an issue in the auerswald
module, a driver for Auerswald PBX/System Telephone USB devices. Attackers
with physical access to a system's USB ports could obtain elevated
privileges using a specially crafted USB device.
CVE-2011-0712
Rafael Dominguez Vega of MWR InfoSecurity reported an issue in the caiaq
| Cisco ONS 15500 Series         | CSCtd02769 |
| Cisco Physical Access Gateways | CSCtd02777 |
| Cisco Physical Access Manager  | CSCtd03912 |
orsino wrote:
> There's a difference between being able to get onto a network (via wifi
> maybe?) and getting physical access to a device.
For starters this is a VoIP device (Product Name: SPA-2102), but even
if it weren't it makes no difference to me and in the security realm it
shouldn't make a difference to anyone else either.
1) I don't have an open network, and if you do and are on this list it's
either going to be a honeypot or for theft of information (bad guys roam
mv-
J. Oquendo wrote:
> orsino wrote:
>> There's a difference between being able to get onto a network (via wifi
>> maybe?) and getting physical access to a device.
>
> For starters this is a VoIP device (Product Name: SPA-2102), but
> even if it weren't it makes no difference to me and in the security
> realm it shouldn't make a difference to anyone else either.
>
physical memory location 0x40:0x1e.
--[ Impact:
Plain text password disclosure. Local access is required, but no
physical access to the machine.
The level of privilege required to retrieve the password from memory
is OS dependent and varies from guest user under Microsoft Windows
(any) to root user under most Unix-based OSes.
> sipherr@gmail.com wrote:
>> Linksys phone adapter denial of service
>>
>> Product Information
>> Product Name: SPA-2102 Serial Number: FM500G582390
>> Software Version: 3.3.6 Hardware Version: 1.2.5(a)
>>
>> Another device hit with the PoD!
but, as you said, most XP OEMs do ship this way, for whatever reason.
Network access to them is restricted, as you said, and once you do get
physical access, password or not, the guy trying to install a keystroke
logger when you are on a biobreak just needs a Linux password reset boot
disk.
It's easy enough to fix (IBM did it), but it seems IBM was the only company
that saw this very easy fix as something they wanted to do.
This may reveal sensitive information.
Attempts to write to memory result in an error, indicating that an
access violation may have occurred; therefore remote code execution is
likely possible with further research (i.e. physical access :).
https://[target]/cgi-bin/welcome/VirtualOffice?err=%n
"Sorry, the SSL-VPN you are trying to reach is unavailable at this
time. Please try again later."
> strongly suggests you set up a password.
>
> With all due respect this is
>
> 1. Not new
> 2. Physical access trumps all
> 3. For XPs it's kinda handy to have a blank admin password when you
> sometimes come in on a network and need to get to that particular
> machine and you didn't set it up, otherwise you have to use the
> Admin password boot disk trick and reset the password to blank.
>
-Thirty minute attack slots given to contestants at each box.
-Attack slots will be scheduled at the contest start by the methods
selected by the judges.
-Attacks are done via crossover cable. (attacker controls default route)
-RF attacks are done offsite by special arrangement...
-No physical access to the machines.
-Major web browsers (IE, Safari, Konqueror, Firefox), widely used and
deployed plugin frameworks (AIR, Silverlight), IM clients (MSN, Adium,
Skype, Pidgin, AOL, Yahoo), Mail readers (Outlook, Mail.app, Thunderbird,
kmail) are all in scope.
Local Privilege Escalation Vulnerability
+---------------------------------------
Successful exploitation of this vulnerability may allow users with
physical access to a computer that is running the Cisco AnyConnect
Secure Mobility Client to elevate their privileges and gain full
control of the system.
Software Versions and Fixes
===========================
> wasn't a security vulnerability
Good call.
Now, if for some reason a remote user was able to obtain a 'local user'
login screen, that would be a serious issue. Physical access to the box
trumps most security measures we are able to apply.
To: bugtraq@securityfocus.com
Subject: STP mitm attack idea
As I read in many white papers about attacks on Spanning Tree Protocol, I found a mitm attack using two STP switches, one station and two Ethernet NICs.
That attack is in most cases useless because:
- we need physical access to two switches (not one)
- two cards in the station
While two cards are possible, access to two switches in one place, i.e. an office, is almost impossible.
My idea for a modification of this attack needs:
- two stations to attack by mitm (A and B)
- two or more switches with STP protocol
- two attacking stations connected to two different switches in the path between the attacked stations (C and D)
It's good that he got it running (it's easy enough with physical
access), but your friend should probably plan for a rebuild in the near
future, or at least a comprehensive audit against the systems. If the
ex-admin deleted accounts and changed passwords (which, btw, will land
him in jail if the company follows through with it as they should) then
you have no idea what else he's done to compromise the DC or any other
system he has access to. It's probably too late to depend on any
forensic information to build a case against any additional damages
(since your friend has already stepped on the file system and AD) - but
who knows, a plea bargain including reparation for expenses could cover
A vulnerability has been found and corrected in
compiz-fusion-plugins-main:
The Expo plugin in Compiz Fusion 0.7.8 allows local users with physical
access to drag the screen saver aside and access the locked desktop
by using Expo mouse shortcuts, a related issue to CVE-2007-3920
(CVE-2008-6514).
This update fixes this vulnerability.
leave it at a question.
I actually do have a response from Microsoft on the broader issue, but it
doesn't address these issues or even concede that there's necessarily
anything they can do about it. They instead speak of the same
precautions for physical access that they spoke of a couple weeks ago
with respect to the "frozen notebook memory" attack: use drive
encryption, use 2-factor authentication, use hibernate instead of sleep,
use group policy to enforce them. I don't think it's a bad response
under the circumstances. The fact that you can turn off DMA on Linux
seems in fact inferior to simply disabling the FireWire port and driver