Dan Yefimov wrote:
> > > The signal in question in the given situation is issued by PRIVILEGED process,
> > > no matter how.
> >
> > And that's the bug,
>
> The case we consider is of course a bug. But generally a privileged process
> sending a signal to another privileged process is of course not a bug.
VENDOR SOFTWARE DESCRIPTION:
---------------
SUPERAntiSpyware is the most thorough scanner on the market. Our
Multi-Dimensional Scanning and Process Interrogation Technology will
detect spyware that other products miss! SUPERAntiSpyware will remove
ALL the Spyware, NOT just the easy ones!
Super Ad Blocker™ is the first ad-blocker designed to block all new
forms of advertising! Blocks all Rich Media, Flash, pop-ups,
On Thu, 16 Aug 2007, Glynn Clements wrote:
> > The signal in question in the given situation is issued by PRIVILEGED process,
> > no matter how.
>
> And that's the bug,
The case we consider is of course a bug. But generally a privileged process
sending a signal to another privileged process is of course not a bug.
Yes, the user toggles a signal that privileged process sends to another one,
On Tue, 14 Aug 2007, Wojciech Purczynski wrote:
>
> ===[ ABSTRACT ]=========================================================
>
> An unprivileged local user may send arbitrary signal to a child process
> despite security restrictions.
>
>
> ===[ AFFECTED SOFTWARE ]================================================
>
Dan Yefimov wrote:
> > > If setuid program just
> > > trusts the environment in that it doesn't properly handle or block signals
> > > whose default action is terminating the process and doesn't perform its
> > > actions in a fail-safe manner, it is certainly broken. Setuid program must
> > > always be careful in signal handling and data processing.
> >
> > Ordinarily, a process can assume that certain signals (those which can
> > only be generated by kill()) can only be received as a result of an
Multiple vulnerabilities exist in the Session Initiation Protocol
(SIP) implementation in Cisco IOS Software and Cisco IOS XE Software
that could allow an unauthenticated, remote attacker to cause a
reload of an affected device or trigger memory leaks that may result
in system instabilities. Affected devices would need to be configured
to process SIP messages for these vulnerabilities to be exploitable.
Cisco has released free software updates that address these
vulnerabilities. There are no workarounds for devices that must run
SIP; however, mitigations are available to limit exposure to the
vulnerabilities.
Vulnerable Products
+------------------
Cisco devices running affected Cisco IOS Software versions that are
configured to process SIP messages are affected.
Recent versions of Cisco IOS Software do not process SIP messages by
default. Creating a dial peer by issuing the command "dial-peer voice"
will start the SIP processes, causing the Cisco IOS device to process
SIP messages. In addition, several features within Cisco Unified
applied or with any client-side bug for which a fix has not been
developed after dismissing the bug as not exploitable or of low
priority. The vulnerability does not seem usable to escape from a
virtualized OS (guest) to execute code in the context of the
non-virtualized OS (host). Use of the vulnerability to implement covert
inter-process communications within the virtualized OS or to establish
inter-VM communication have not been researched in full but are deemed
possible.
4. *Vulnerable packages*
Vulnerable Products
+------------------
Cisco devices are affected when they are running affected Cisco IOS
Software versions that are configured to process SIP messages.
Recent versions of Cisco IOS Software do not process SIP messages by
default. Creating a dial peer by issuing the dial-peer voice command
will start the SIP processes, causing the Cisco IOS device to process
SIP messages. In addition, several features within Cisco Unified
denies access. It takes N + M milliseconds to realize the operation.
5. You got it. If you can measure the number of milliseconds it takes for the system to reply on a
real login you are aware of (Administrator, root, ...) then you can predict other real logins by
discarding all the attempts that ran only ~(N) milliseconds as you are only looking for attempts
that took ~(N + M) milliseconds to be processed.
There is a security advisory published in 2003 by Marco Ivaldi detailing exactly this kind of flaw
against SSH [1].
More recently, also about SSH, Dawn Xiaodong Song, David Wagner and Xuqing Tian wrote an interesting
. Contact the vendor for fixed versions of the product.
*Vendor Information, Solutions and Workarounds*
In general process control networks should be physically isolated from
corporate or other publicly accessible data networks as such an isolated
network will limit the exposure of systems with network facing
vulnerabilities only to accidental disruption or potentially malicious
users or systems within the process control network itself.
===[ ABSTRACT ]=========================================================
An unprivileged local user may send arbitrary signal to a child process
despite security restrictions.
===[ AFFECTED SOFTWARE ]================================================
Linux 2.6
Vulnerable Products
+------------------
Cisco devices running affected Cisco IOS Software versions that are
configured to process SIP messages with the Cisco Unified Border
Element feature are affected. Cisco IOS devices that are not
configured for SIP and Cisco Unified Border Element feature are not
affected by this vulnerability.
Note: Cisco Unified Border Element feature (previously known as the
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01114023
Version: 1
HPSBMA02244 SSRT061260 rev.1 - HP OpenView Business Process Insight and Related Products Running Shared Trace Service, Remote Arbitrary Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-08-07
Last Updated: 2007-08-07
Vulnerable Products
+------------------
Cisco devices running affected Cisco IOS versions and that may
process SIP messages are affected. The only requirement for these
vulnerabilities is that the Cisco IOS device processes SIP messages
as part of configured voice over IP (VoIP) functionality (this does
not apply to processing of SIP messages as part of the NAT and
firewall feature sets.) Recent versions of Cisco IOS do not process
SIP messages by default, but creating a "dial peer" via the command
Details:
PHP uses the following macro on the first usage of rand() or
mt_rand() within a PHP process to seed the different random
number generators.
#ifdef PHP_WIN32
#define GENERATE_SEED() ((long) (time(0) * GetCurrentProcessId() \
* 1000000 * php_combined_lcg(TSRMLS_C)))
emulator based on the QEMU emulator [4]. Public reports as of February
27th, 2008 state that the Android SDK has been downloaded 750,000 times
since November 2007 [5].
Several vulnerabilities have been found in Android's core libraries for
processing graphic content in some of the most used image formats (PNG,
GIF and BMP). While some of these vulnerabilities stem from the use of
outdated and vulnerable open source image processing libraries, others
were introduced by native Android code that uses them or that implements
new functionality.
* Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6
Dual-stack Routers
http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml
* Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor
32, Supervisor 720, or Route Switch Processor 720
http://www.cisco.com/warp/public/707/cisco-sa-20080326-queue.shtml
* Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak
http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml
IMPACT
------
The vulnerability described in this document could hypothetically be
exploited by unprivileged code running in a VMware virtual machine
(guest) in order to execute code in the host VMX process, thereby
breaking out of the virtual machine; however, such exploitation has
not been proven. In the event that arbitrary code execution in the
VMX process is possible, kernel privileges can be obtained on a
Windows host by abusing the VMX process's special access to a VMware
driver, meaning the maximum possible impact of this vulnerability is
A vulnerability exists in the Cisco IOS software implementation of
Layer 2 Tunneling Protocol (L2TP), which affects limited Cisco IOS
software releases.
Several features enable the L2TP mgmt daemon process within Cisco IOS
software, including but not limited to Layer 2 virtual private
networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack
Group Bidding Protocol (SGBP) and Cisco Virtual Private Dial-Up
Networks (VPDN). Once this process is enabled the device is
vulnerable.
II. DESCRIPTION
Remote exploitation of a denial of service vulnerability in
Hewlett-Packard's Internet Services Probe Builder product allows an
unauthenticated attacker the ability to terminate any process.
The Probe Builder Service, PBOVISServer.exe, listens by default on TCP
port 32968. This process has a specific opcode that allows a remote
unauthenticated user to terminate any process on the system by
supplying a process ID number.
Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:
The clone system call in the Linux kernel 2.6.28 and earlier allows
local users to send arbitrary signals to a parent process from an
unprivileged child process by launching an additional child process
with the CLONE_PARENT flag, and then letting this new process
exit. (CVE-2009-0028)
fs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel
are not correctly handled when applying file handling rules or access
restrictions. By abusing these flaws an attacker can bypass security
options implemented in the web server. For instance, 'file.shtml' will
become 'FILE~1.SHT'. This will cause the file to be handled as a '.sht'
file, not a '.shtml' file. The result of this is that instead of
processing SSI directives as would normally be the case with a '.shtml'
file, the file would be served unprocessed. Additionally, Nginx does not
correctly handle extraneous spaces after file extensions when applying
preprocessing rules or access restrictions.
. Cherokee Web Server [2]. On Cherokee Web Server for Windows, short
>>>> to proc_fd_info() called from proc_fd_link() obtains file->f_path,
>>>> that in turn contains the reference to the open file dentry and
>>>> hence inode. That's exactly why those symlinks behave as hardlinks.
>>>> This behavior assumes, that if you were able to open the file,
>>>> you've all necessary transition permissions to access its inode.
>>>> But in order to follow them you need privileges to read the process
>>>> memory, which hardly restricts the impact of this behavior. I don't
>>>> think this should be fixed, since /proc/<PID>/fd/ is mainly for
>>>> debugging purposes.
>>>
>>> guest certainly does not have permission to ptrace() pavel's
Remote exploitation of a pre-authentication input validation
vulnerability in Oracle Corp.'s Oracle Internet Directory allows an
attacker to conduct a denial of service attack on a vulnerable host.
Internet Directory consists of two processes. One process acts as a
listener. It handles incoming connections and passes them off to the
second process. The second process, which handles requests, contains
the vulnerability.
When processing a malformed LDAP request, it is possible to cause the
SectionName parameter which is double-slashed string path relative to the HKey,
and the last one - name of key to access / modify.
The third method is used by the HP Info Center application to spawn utility programs from within
the embedded IE window.
When the user presses one of the Quick Launch buttons on the HP keyboard, the QLBCTRL.exe process
launches the appropriate application, in this case: \HP INFO CENTER\hpinfocenter.exe,
an application built to support the user with quick wifi configuration, update check and so on.
The application window contains an embedded IE control to launch the HPINFO ActiveX CTL.
IE uses the JS script 'HPInfoCenter.js' located in the same dir, which is used to respond to
user input. When the user selects the option he is interested in, the JS code executes HPINFO
> > such as SSI, non-suexec CGI scripts, non-suexec PHP (if mod_php is also
> > installed), and likely numerous other options.
>
> Once the attacker can run code as the same user the webserver runs as, he
> can make the webserver do whatever he wants. He can just 'debug' the
> webserver process and change any setting, inject code, whatever. You can
> php.ini whatever you want, and the attacker can just make the webserver
> read his own php.ini, or change the webserver memory after the fact, to
> make it think it read something else than you wrote.
This is not true, at least on most platforms, because webservers typically start as root and use setuid to change their access level down to that of the webserver user after binding to the port. Most platforms do not allow users with the level of access as the webserver user to make ptrace syscalls against a process which used setuid to change to the webserver user.
The SSH server implementation in Cisco IOS XR Software contains a
vulnerability that an unauthenticated, remote user could exploit to
cause a denial of service condition.
An attacker could trigger this vulnerability by sending a crafted SSH
version 2 packet that may cause a new SSH connection handler process to
crash. Repeated exploitation may cause each new SSH connection handler
process to crash and lead to a significant amount of memory being
consumed, which could introduce instability that may adversely impact
other system functionality. During this event, the parent SSH daemon
process will continue to function normally.
Greetings,
I am glad to release ProcL v1.0. ProcL employs many different methods
to detect hidden processes. Essentially, ProcL detailed and
implemented a mechanism to embed all these different approaches in one
tool to detect hidden processes. Our methods of detecting hidden
processes require the examination of each kernel object - EPROCESS,
ETHREADS, HANDLES, JOBS. Therefore, we believe, ProcL would defeat
process concealment from one certain method.
Versions: <= v8.0 Patch 2 - build 1189
<= v7.3 Patch 3 - build 1314
Platforms: Windows
Bugs: A] buffer-overflow in the decryption function of the
passwords
B] endless dead processes
Exploitation: remote
(no tests have been performed to check for a possible
local exploiting of the vulnerability on the clients
machines for killing the antivirus or the monitor
processes or escalating privileges)