~ Core Security Technologies - CoreLabs Advisory
~ http://www.coresecurity.com/corelabs/
Internet Explorer Zone Elevation Restrictions Bypass and Security Zone
Restrictions Bypass
*Advisory Information*
SYNOPSIS
#include <stdlib.h>
char *ecvt(double value, int ndigit, int *restrict decpt,
int *restrict sign);
char *fcvt(double value, int ndigit, int *restrict decpt,
int *restrict sign);
> stick to file-only ones. Hmm... Dunno, probably the blood level in my
> coffee subsystem is too high this morning, but I do not quite relish
> that idea.
>
I didn't affirm that. I only told, that directory permissions can't in fact
restrict access to the file it contains, they can only hamper accessing that
file via that directory.
> There is a very valid case of trying to restrict access via directory
> permissions. Suppose you have a binary program that uses its own
> directory but for whatever reason keeps scribbling in files with wrong
Problem description:
====================
This vulnerability allows users holding any role on a Dimensions product to gain read access to all of the items it contains.
Dimensions allows you to restrict access to items by attaching them to design parts on which explicit roles are assigned. E.g. users foo and bar have the role DEVELOPER on the top-level design part, which allows them to get items. Now there is a sub-design-part RESTRICTED which has explicit role assignments of all existing roles for foo only. This prevents bar from getting any files of this design part because he no longer has a role on it. Unfortunately, this is only enforced for item fetches and browsing.
The user bar may simply run a recursive get command (e.g. on the top-level design part), which is executed as a DOWNLOAD command in the Desktop Client. This command does not prevent access to items on RESTRICTED because the privileges required for DOWNLOAD are less restrictive. Afterwards, bar can read the items on his local machine.
Resolution:
===========
SYNOPSIS:
#include <monetary.h>
ssize_t
strfmon(char * restrict s, size_t maxsize, const char * restrict format,
...);
--- 1. /usr/src/lib/libc/stdlib/strfmon.c - Integer Overflow ---
The main problem and vulnerability exist in the strfmon() function. When we use this function in an example program:
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Internet Explorer Security Zone restrictions bypass
1. *Advisory Information*
Title: Internet Explorer Security Zone restrictions bypass
TIBCO has identified the following workarounds:
* Disable the rtserver UDP port if it has been enabled in the rtserver
configuration file.
* Utilize a firewall to restrict access to the rtserver.
* Use a user with restricted privileges to invoke the rtserver
or application.
* On Unix systems, invoke the server or application from a chroot
Build 6235: http://support.veritas.com/docs/294241
Build 7170: http://support.veritas.com/docs/294237
Best Practices
As part of normal best practices, Symantec recommends:
* Restrict access to administration or management systems to authorized privileged users
* Block remote access to all ports not essential for efficient operation
* Restrict remote access, if required, to trusted/authorized systems only
* Remove/disable unnecessary accounts or restrict access according to security policy as required
* Run under the principle of least privilege where possible
* Keep all operating systems and applications updated with the latest vendor patches
Summary:
Two critical vulnerabilities exist in the JavaScript API of Adobe
Acrobat Professional 7. A remote attacker who successfully exploits
these vulnerabilities can execute restricted functions and arbitrary
code on the affected system.
Affected Software Versions:
Workarounds
===========
Although there are no workarounds for these vulnerabilities, it is
possible to mitigate the vulnerabilities through the use of network
filters. Administrators are advised to restrict access to UDP port
37000 on vulnerable Cisco Video Surveillance Services Platform and
Integrated Services Platform systems to trusted hosts. On Cisco Video
Surveillance 2500 Series IP Cameras, administrators are advised to
restrict access to TCP ports 80 and 443 to trusted hosts.
web interface that is vulnerable to the following issues. Testing was
performed on a DPC2100R2 modem, with firmware v2.0.2r1256-060303. Other
WebSTAR modems and firmware versions may be vulnerable as well.
1. Cross-site request forgery (CSRF). Several features provided by the web
interface fail to properly establish sessions that restrict access to
authorized users, including forms for changing the administrative password,
resetting the modem, and installing new firmware. An attacker may create a
malicious website that, when visited by a victim, updates these settings on the
victim's modem on the victim's behalf without their authorization or need for
any additional user interaction. This can be used to deny service by resetting
Impact Security Bypass
Where From remote
Software PolyPager 1.0rc10
Description
A security issue has been discovered in PolyPager, which can be exploited by malicious people to bypass certain security restrictions.
Access to the enabled FCKeditor component is not properly restricted, which can be exploited to e.g. upload files of certain types.
The security issue is confirmed in version 1.0rc10. Other versions may also be affected.
II. Problem Description
If ntpd receives a mode 7 (MODE_PRIVATE) request or error response
from a source address not listed in either a 'restrict ... noquery'
or a 'restrict ... ignore' section, it will log the event and send
a mode 7 error response.
III. Impact
SABKUTIL.sys and SASKUTIL.sys use IOCTL code 0x9c402090
(IOCTL_SABKUTIL_ZWOPENPROCESS) as a wrapper around the ZwOpenProcess()
method which creates the handle to the specified process (valid only
in kernel mode).
The parameters passed to the ZwOpenProcess() method are completely under
the attacker's control. The wrapper tries to restrict the handle usage to
kernel mode by setting the OBJECT_ATTRIBUTES.Attributes field to
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE. Since this field is
controllable by the user, a user could pass an invalid pointer which, when
dereferenced, leads to a BSOD. No check is made as to whether the pointer is
valid.
Details follow:
It was discovered that the Safe.pm module as used by PostgreSQL did not
properly restrict PL/perl procedures. If PostgreSQL was configured to use
Perl stored procedures, a remote authenticated attacker could exploit this
to execute arbitrary Perl code. (CVE-2010-1169)
It was discovered that PostgreSQL did not properly check permissions to
restrict PL/Tcl procedures. If PostgreSQL was configured to use Tcl stored
fixed in the Bugzilla code:
+ Some files stored on the web server are not correctly protected
against external access and can be viewed from a web browser.
+ Restricting a bug to a group while moving the bug to another product
has no effect if the group is not used by both products. The bug may
become public if no other group restriction applies.
All affected installations are encouraged to upgrade as soon as
possible.
The admin console uses vulnerable components too.
JSFTemplating/FileStreamer can be exploited to read sensitive application data
from the whole server, depending on the configuration. One tested server allowed
us to access all files on the server (with the rights of the web server user);
another server was restricted to files within the webroot (but including
WEB-INF). This might depend on the Java security model or on filesystem rights.
An attacker is able to obtain sensitive data such as configuration files
(WEB-INF/web.xml), the whole source code of the application, or other sensitive
data on the server.
-=[ Description ]=-
A security issue has been discovered in Knowledgeroot, which can be exploited by malicious people to bypass certain security restrictions.
Access to the enabled FCKeditor component is not properly restricted, which can be exploited to e.g. upload files of certain types.
The security issue is confirmed in version 0.9.9.5. Other versions may also be affected.
-=[ Solution ]=-
There are two ways to work around the vulnerability:
Disable discovery through Secure NaviCLI
OR
Limit login access and restrict privileges for Storage Essentials users
Disable discovery through Secure NaviCLI
===============================
To disable discovery through Secure NaviCLI
& AMG-2000 Manual v2.0, Jun-13-2007
Vulnerability overview:
-----------------------
AMG-2000 uses an internal Squid proxy to restrict access to the wireless LAN
or Internet, e.g. by supplying a username/password on the portal site (depends
on how the system is configured, e.g. on-demand "guest" users or
authentication via RADIUS, LDAP or NT domain). This built-in proxy is
misconfigured which leads to the following vulnerability:
The Role-Based CLI Access feature allows the network administrator to
define "views". Views are sets of operational commands and
configuration capabilities that provide selective or partial access
to Cisco IOS software EXEC and configuration (Config) mode commands.
Views restrict user access to Cisco IOS command-line interface (CLI)
and configuration information; that is, a view can define what
commands are accepted and what configuration information is visible.
For more information about the Role-Based CLI Access feature,
reference
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
writes, the vulnerability depends on the LaTeX environment and its
configuration.
IV. EXPLOIT PoC
If LaTeX is not configured to restrict file inclusion (default!), then
absolute paths and relative ones can be used. As proof of concept
enter:
"$$ \input{/etc/passwd} $$"
In case the system is vulnerable, this will read the /etc/passwd file
[--Background--]
Type of vulnerability: Input validation flaw
Who can exploit it: Local and remote users
Walusoft TFTPServer2000 Version 3.6.1 is an application that provides services for transferring configuration files, firmware files and other types of data using the TFTP protocol. The application should restrict GET requests to the contents of the TFTP root directory to prevent obtaining data from other parts of the host operating system.
Vulnerability Scope: The default installation of Walusoft TFTPServer2000 Version 3.6.1 will allow exploitation of this vulnerability. This software is licensed to and re-branded by many VoIP phone systems manufacturers. Verification of the product origin can be obtained by reading the about page.
[--More Details--]
O7_DICTIONARY_ACCESSIBILITY=FALSE (default value).
This vulnerability allows any user with execute privileges on the
affected package (by default users granted the DBA role) to impersonate
the SYS user.
This is an especially high-risk vulnerability in databases where strict
separation of duty is implemented as required by some regulations. This
may also be the case, for instance, where Oracle Database Vault is
deployed. Exploiting this vulnerability may allow a DBA to bypass
Database Vault protections and access protected data that should be
restricted by Database Vault. In other words, a DBA may escalate to
2.2.1. Exploit:
Check the exploit section.
2.3. Insecure Direct Object Reference [in "bs_login.asp"]. Anyone can edit the entire site design. (All the site settings can also be changed via other parameters.)
2.3.1. Exploit:
Check the exploit section.
2.4. Failure to Restrict URL Access [in "mailPage.asp"]. Anyone can mail-bomb other users.
2.4.1. Exploit:
Check the exploit section.
2.5. Cross Site Scripting (XSS) [in "showThumb.aspx"]. Reflected XSS attack by circumventing the ASP.Net XSS denier (Path disclosure on the open error mode).
2.5.1. Exploit:
Check the exploit section.
2.2.1. Exploit:
Check the exploit/POC section.
2.3. Information Leakage. Database path disclosure in "/cms/include/trigger.asp" and/or "/cms/include/common2.asp".
2.3.1. Exploit:
Check the exploit/POC section.
2.4. Failure to Restrict URL Access. An attacker can delete any folder on the server via "/cms/assetmanager/folderdel_.asp".
2.4.1. Exploit:
Check the exploit/POC section.
2.5. Failure to Restrict URL Access. An attacker can create a folder on the server via "/cms/assetmanager/foldernew.asp".
2.5.1. Exploit:
Check the exploit/POC section.
I am no expert on ieee1394, but I have read up a bit on this and tested
Metlstorm's memory dumping tool and here's what I understand:
Firewire chipsets allow drivers to configure a particular memory range
which is open to access by DMA devices. Since the memory transfers
occur completely without software intervention, the only way to restrict
this is to tell the chip ahead of time what to allow and what not to
allow. Before these tools came out, most free OSes simply opened up
access completely to physical memory for any device. However, Windows
would not do this. It would only open up access to devices that it
thought needed DMA. This is why Metlstorm had to make his Linux machine