
[SECURITY] [DSA 1463-1] New postgresql-7.4 packages fix several vulnerabilities

    since the initial upstream fix was incomplete.

CVE-2007-4769

    Tavis Ormandy and Will Drewry discovered that a bug in the handling
    of back-references inside the regular expressions engine could lead
    to an out-of-bounds read, resulting in a crash. This constitutes only
    a security problem if an application using PostgreSQL processes
    regular expressions from untrusted sources.

CVE-2007-4772

[SECURITY] [DSA 1460-1] New postgresql-8.1 packages fix several vulnerabilities

    since the initial upstream fix was incomplete.

CVE-2007-4769

    Tavis Ormandy and Will Drewry discovered that a bug in the handling
    of back-references inside the regular expressions engine could lead
    to an out-of-bounds read, resulting in a crash. This constitutes only
    a security problem if an application using PostgreSQL processes
    regular expressions from untrusted sources.

CVE-2007-4772

Re: Flaw in Microsoft Windows SAM Processing Allows Continued Administrative Access Using Hidden Regular User Masquerading After Compromise (2010-M$-001)

-------- Original Message --------
> From: "Christian Sciberras" <uuf6429@gmail.com>
> Sent: Thursday, December 02, 2010 2:51 PM
> To: "Steno Plasma" <exploitdevelopmentdotcom@gmail.com>
> Subject: Re: Flaw in Microsoft Windows SAM Processing Allows Continued 
Administrative Access Using Hidden Regular User Masquerading After 
Compromise (2010-M$-001)
> 
> I don't understand how this is even relevant to security?
> 
> If a system was compromised, I'd have assumed it would be only logical 

Re: Flaw in Microsoft Windows SAM Processing Allows Continued Administrative Access Using Hidden Regular User Masquerading After Compromise (2010-M$-001)

> -------- Original Message --------
> > From: "Christian Sciberras" <uuf6429@gmail.com>
> > Sent: Thursday, December 02, 2010 2:51 PM
> > To: "Steno Plasma" <exploitdevelopmentdotcom@gmail.com>
> > Subject: Re: Flaw in Microsoft Windows SAM Processing Allows Continued 
> Administrative Access Using Hidden Regular User Masquerading After 
> Compromise (2010-M$-001)
> > 
> > I don't understand how this is even relevant to security?
> > 
> > If a system was compromised, I'd have assumed it would be only logical 

Update+Errata: Re: A paper by Amit Klein (Trusteer): "OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability"

>
> * OpenBSD 2.6-4.2
>
> o   Idle-scanning, O/S fingerprinting, host alias
>    detection, traffic analysis, TCP blind data injection,
>    etc. (predictable IP fragmentation ID) in "regular" IP
>    packets and raw IP packets.
>
> o   Predictable IP fragmentation ID in Ethernet-inside-IP
>    encapsulation, IP-inside-IP encapsulation, the CARP
>    protocol, IP multicast routing, pfsync interface

A paper by Amit Klein (Trusteer): "OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability"

* OpenBSD 2.6-4.2

o   Idle-scanning, O/S fingerprinting, host alias
    detection, traffic analysis, TCP blind data injection,
    etc. (predictable IP fragmentation ID) in "regular" IP
    packets and raw IP packets.

o   Predictable IP fragmentation ID in Ethernet-inside-IP
    encapsulation, IP-inside-IP encapsulation, the CARP
    protocol, IP multicast routing, pfsync interface

PostgreSQL 2007-01-07 Cumulative Security Release

two vulnerabilities to privilege escalation: (1) index functions were 
executed as the superuser and not the table owner during VACUUM and 
ANALYZE, and (2) that SET ROLE and SET SESSION AUTHORIZATION were 
permitted within index functions.  Both of these holes have now been closed.

Regular Expression Denial-of-Service (CVE-2007-4772, CVE-2007-6067, 
CVE-2007-4769): three separate issues in the regular expression 
libraries used by PostgreSQL allowed malicious users to initiate a 
denial-of-service by passing certain regular expressions in SQL queries. 
  First, users could create infinite loops using some specific regular 
expressions.  Second, certain complex regular expressions could consume 

[ MDVSA-2008:004 ] - Updated postgresql packages fix denial of service and privilege escalation issues

 two vulnerabilities to privilege escalation: (1) index functions were
 executed as the superuser and not the table owner during VACUUM and
 ANALYZE, and (2) that SET ROLE and SET SESSION AUTHORIZATION were
 permitted within index functions.
 
 Regular Expression Denial-of-Service (CVE-2007-4772, CVE-2007-6067,
 CVE-2007-4769): three separate issues in the regular expression
 libraries used by PostgreSQL allowed malicious users to initiate
 a denial-of-service by passing certain regular expressions in SQL
 queries. First, users could create infinite loops using some specific
 regular expressions. Second, certain complex regular expressions

[ GLSA 200711-28 ] Perl: Buffer overflow

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in the Regular Expression engine in Perl possibly
allows for the execution of arbitrary code.

Background
==========


Flaw in Microsoft Windows SAM Processing Allows Continued Administrative Access Using Hidden Regular User Masquerading After Compromise (2010-M$-001)

www.ExploitDevelopment.com 2010-M$-001
----------------------------------------------------------

TITLE:
Flaw in Microsoft Windows SAM Processing Allows Continued
Administrative Access Using Hidden Regular User Masquerading After
Compromise

SUMMARY AND IMPACT:
All versions of Microsoft Windows allow real-time modifications to the
Security Accounts Manager (SAM) that enable an attacker to create a

Virtualmin Multiple Vulnerabilities

Overview:
Virtualmin is prone to multiple vulnerabilities.

#1 Unprivileged port use
Virtualmin listens by default on port 10000. Regular users are able
to run their own daemon on that port and prevent Virtualmin from running.

#2 XSS
Virtualmin doesn't validate input data correctly in some scripts. As a

[OpenPKG-SA-2007.023] OpenPKG Security Advisory (perl)

Attack Vector:           remote network
Attack Impact:           arbitrary code execution

Description:
    Will Drewry and Tavis Ormandy of the Google Security Team have
    discovered a UTF-8 related heap overflow in the regular expression
    compiler of the Perl [0] programming language, probably allowing
    attackers to execute arbitrary code by compiling specially crafted
    regular expressions. The bug manifests in a possible buffer overflow
    in the polymorphic "opcode" support code, caused by ASCII regular
    expressions that really are Unicode regular expressions.

Re: Re[2]: Regular Expression Denial of Service

Hi Thierry,

> With all due respect - this is known to be a vulnerability
> class since over  a  century.
The referenced web page is titled, "ReDoS (Regular Expression Denial
of Service) Revisited". The authors cite work as early as 2003 in
their paper.

> Can we please stop the  attitude of inventing
> acronyms for vulnerabilities, ...

PCRE compile workspace overflow

In versions of the PCRE regular expression library before 8.02, compiling
a very large regular expression will overflow the workspace buffer.

Although the code checks for the size of the compiled regular expression,
the check only returns true after the end of the buffer has been
overrun. The bug was fixed in PCRE 8.02 with this patch:

    http://vcs.pcre.org/viewvc/code/trunk/pcre_compile.c?r1=504&r2=505&view=patch


Secunia Research: ViewVC Regular Expression Search Cross-Site Scripting

====================================================================== 

                     Secunia Research 30/03/2010

     - ViewVC Regular Expression Search Cross-Site Scripting -

====================================================================== 
Table of Contents

Affected Software....................................................1

[ GLSA 200807-03 ] PCRE: Buffer overflow

for the execution of arbitrary code and a Denial of Service.

Background
==========

PCRE is a Perl-compatible regular expression library. GLib includes a
copy of PCRE.

Affected packages
=================


Vim: Flawed Fix of Arbitrary Code Execution Vulnerability in filetype.vim

       [... logical flow of the code then jumps to line 181 ...]
      *181        exe "setf " . b:asmsyntax
       [... or line 1267 ...]
     *1267              exe "setf " . b:asmsyntax

Patch 7.1.300 changed the regular expression in the substitute() call on
line 190:

    let b:asmsyntax = substitute(head, '.*\sasmsyntax=\([a-zA-Z0-9]\+\)\s.*', '\1', "")


VMSA-2008-0007 Moderate Updated Service Console packages pcre, net-snmp, and OpenPegasus

3. Problem description:

~   a. Updated pcre Service Console package addresses several security issues

~   The pcre package contains the Perl-Compatible Regular Expression library.
~   pcre is used by various Service Console utilities.

~   Several security issues were discovered in the way PCRE handles
~   regular expressions. If an application linked against PCRE parsed a
~   malicious regular expression, it may have been possible to run

[ MDVSA-2008:059 ] - Updated tcl packages fix vulnerability

 Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0
 _______________________________________________________________________
 
 Problem Description:
 
 A flaw in the Tcl regular expression handling engine was originally
 discovered by Will Drewry in the PostgreSQL database server's Tcl
 regular expression engine.  This flaw can result in an infinite loop
 when processing certain regular expressions.
 
 The updated packages have been patched to correct these issues.

[USN-591-1] libicu vulnerabilities

against libicu, such as OpenOffice.org, to effect the necessary changes.

Details follow:

Will Drewry discovered that libicu did not properly handle '\0' when
processing regular expressions. If an application linked against libicu
processed a crafted regular expression, an attacker could execute
arbitrary code with privileges of the user invoking the program.
(CVE-2007-4770)

Will Drewry discovered that libicu did not properly limit its

[ GLSA 200802-08 ] Boost: Denial of Service

Background
==========

Boost is a set of C++ libraries, including the Boost.Regex library to
process regular expressions.

Affected packages
=================

    -------------------------------------------------------------------

VMSA-2008-0003 Moderate: Updated aacraid driver and samba and python service console updates

~     b. Python

~        Chris Evans of the Google security research team discovered an
~        integer overflow issue with the way Python's Perl-Compatible
~        Regular Expression (PCRE) module handled certain regular
~        expressions.  If a Python application used the PCRE module to
~        compile and execute untrusted regular expressions, it might be
~        possible to cause the application to crash, or to execute
~        arbitrary code with the privileges of the Python interpreter.


[SECURITY] [DSA 1399-1] New pcre3 packages fix arbitrary code execution

Debian-specific: no
CVE Ids        : CVE-2007-1659 CVE-2007-1660 CVE-2007-1661 CVE-2007-1662
                 CVE-2007-4766 CVE-2007-4767 CVE-2007-4768

Tavis Ormandy of the Google Security Team has discovered several
security issues in PCRE, the Perl-Compatible Regular Expression library,
which potentially allow attackers to execute arbitrary code by compiling
specially crafted regular expressions.

Version 7.0 of the PCRE library featured a major rewrite of the regular
expression compiler, and it was deemed infeasible to backport the

[ GLSA 200808-12 ] Postfix: Local privilege escalation vulnerability

Impact
======

The combination of these features allows a local attacker to hardlink a
root-owned symlink such that the newly created symlink would be
root-owned and would point to a regular file (or another symlink) that
would be written by the Postfix built-in local(8) or virtual(8)
delivery agents, regardless of the ownership of the final destination
regular file. Depending on the write permissions of the spool mail
directory, the delivery style, and the existence of a root mailbox,
this could allow a local attacker to append a mail to an arbitrary file

[ GLSA 200811-05 ] PHP: Multiple vulnerabilities

Several vulnerabilities were found in PHP:

* PHP ships a vulnerable version of the PCRE library which allows for
  the circumvention of security restrictions or even for remote code
  execution in case of an application which accepts user-supplied
  regular expressions (CVE-2008-0674).

* Multiple crash issues in several PHP functions have been
  discovered.

* Ryan Permeh reported that the init_request_info() function in

Re: Regular Expression Denial of Service

> 
> 
> GE> Alex Roichman wrote:
>>> Checkmarx Research Lab presents a new attack vector on Web applications. By
>>> exploiting the Regular Expression Denial of Service (ReDoS) vulnerability an
>>> attacker can make a Web application unavailable to its intended users. ReDoS
>>> is commonly known as a “bug” in systems, but Alex Roichman and Adar Weidman
>>> from Checkmarx show how serious it is and how using this technique, various
>>> applications can be “ReDoSed”. These include, among others, Server-side of
>>> Web applications and Client-side Browsers. The art of attacking the Web by

Re[2]: Regular Expression Denial of Service

name.


GE> Alex Roichman wrote:
>> Checkmarx Research Lab presents a new attack vector on Web applications. By
>> exploiting the Regular Expression Denial of Service (ReDoS) vulnerability an
>> attacker can make a Web application unavailable to its intended users. ReDoS
>> is commonly known as a “bug” in systems, but Alex Roichman and Adar Weidman
>> from Checkmarx show how serious it is and how using this technique, various
>> applications can be “ReDoSed”. These include, among others, Server-side of
>> Web applications and Client-side Browsers. The art of attacking the Web by

[ MDVSA-2009:023 ] php

 
 A stack-based buffer overflow in the FastCGI SAPI in PHP has unknown
 impact and attack vectors (CVE-2008-2050).
 
 Tavis Ormandy of the Google Security Team discovered a heap-based
 buffer overflow when compiling certain regular expression patterns.
 This could be used by a malicious attacker by sending a specially
 crafted regular expression to an application using the PCRE library,
 resulting in the possible execution of arbitrary code or a denial of
 service (CVE-2008-2371).  PHP in Corporate Server 4.0 is affected by
 this issue.

[ MDVSA-2009:294 ] firefox

 set of objects whose memory could be freed prior to their use. These
 conditions often result in a crash which could potentially be
 used by an attacker to run arbitrary code on a victim's computer
 (CVE-2009-3371).
 
 Security researcher Marco C. reported a flaw in the parsing of regular
 expressions used in Proxy Auto-configuration (PAC) files. In certain
 cases this flaw could be used by an attacker to crash a victim's
 browser and run arbitrary code on their computer. Since this
 vulnerability requires the victim to have PAC configured in their
 environment with specific regular expressions which can trigger
