-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Default Credentials for Root Account on
Tandberg E, EX and C Series Endpoints
Advisory ID: cisco-sa-20110202-tandberg
Revision 1.0
HyperVM/Kloxo.
It was originally documented in ISSUE 14 by an anonymous author:
http://www.milw0rm.com/exploits/8880
It turns out that he was showing how a root shell can be created:
[user1@testing574 tmp]$ ls -al
total 28
drwxrwxrwt 4 root root 4096 May 21 08:41 .
drwxr-xr-x 24 root root 4096 May 19 16:57 ..
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Default Credentials for root Account on the
Cisco Media Experience Engine 5600
Advisory ID: cisco-sa-20110601-mxe
Revision 1.0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco TelePresence System Integrator C Series and Cisco TelePresence EX Series Device Default Root Account Manufacturing Error
Advisory ID: cisco-sa-20111109-telepresence-c-ex-series
Revision 1.0
For Public Release 2011 November 9 16:00 UTC (GMT)
> --------------------/Response/--------------------
> [...]
> <br>
> uid=33(www-data) gid=33(www-data) groups=33(www-data)
> total 12
> drwxr-xr-x 3 root root 4096 Nov 23 02:37 .
> drwxr-xr-x 9 root root 4096 Nov 23 02:37 ..
> drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin
> /usr/local/APPCure-full/lib/admin
> uid=33(www-data) gid=33(www-data) groups=33(www-data)
> total 12
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco IP Video Phone E20 Default Root Account
Advisory ID: cisco-sa-20120118-te
Revision 1.0
For Public Release 2012 January 18 16:00 UTC (GMT)
read or write disk blocks that had changed file assignment or had become
unlinked, leading to a loss of privacy. (CVE-2010-2943)
Tavis Ormandy discovered that the IRDA subsystem did not correctly shut
down. A local attacker could exploit this to cause the system to crash
or possibly gain root privileges. (Ubuntu 10.10 was not affected.)
(CVE-2010-2954)
Brad Spengler discovered that the wireless extensions did not correctly
validate certain request sizes. A local attacker could exploit this
to read portions of kernel memory, leading to a loss of privacy. (Only
Oracle Database Local Untrusted Library Path Vulnerability
----------------------------------------------------------
The Oracle July 2008 Critical Patch Update fixes a vulnerability which
allows a user in the OINSTALL/DBA group to escalate privileges to root.
Escalating Privileges from "oracle" to "root"
---------------------------------------------
In Oracle 10g R2 and later (Oracle11g is also vulnerable) the affected
This is a low-impact issue that is only of interest to security
professionals and system administrators; end users do not need to be
concerned.
It is possible to exploit this confusion to execute arbitrary code as root.
The exact steps required to exploit this vulnerability will vary from
distribution to distribution, but an example from Ubuntu 10.04 is given below.
# The creation mask is inherited by children, and survives even a setuid
Result (forked dos):
cx@cx64:~$
USER PID %CPU %MEM VSZ RSS TTY STAT STARTED TIME COMMAND
...
root 149 0.0 0.1 2932 1152 ? Is 2:31AM 0:00.01 vsftpd /usr/pkg/e
cx 150 0.0 0.2 2956 1592 ? R 2:32AM 0:01.22 vsftpd /usr/pkg/e
cx 160 0.3 0.2 2956 1592 ? R 2:31AM 0:01.48 vsftpd /usr/pkg/e
cx 161 0.2 0.2 2956 1592 ? R 2:32AM 0:01.03 vsftpd /usr/pkg/e
root 258 0.0 0.1 2932 1152 ? Is 2:32AM 0:00.01 vsftpd /usr/pkg/e
root 278 0.0 0.1 2932 1152 ? Is 2:32AM 0:00.02 vsftpd /usr/pkg/e
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
The PulseAudio binary is affected by a local race condition. If the
binary is installed as SUID root, it is possible to exploit this
vulnerability to gain root privileges. This attack requires that a local
attacker can create hard links on the same hard disk partition on which
PulseAudio is installed (i.e. /usr/bin and /tmp reside on the same
partition).
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Security Advisory
Default Root Password in Infrant (now Netgear) ReadyNAS "RAIDiator"
Release Date:
August 13, 2007
- Session impersonation
- Remote buffer overflow
- Privilege escalation in two applications
- Missing authentication in configuration panel
- Admin password is delivered in plaintext inside the server response
- Cookies are set for root path, not application path
- Crawler endless loop
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Background:
capabilities. If an attacker could make malicious routing changes, they
could crash the system, leading to a denial of service. (CVE-2010-2495)
Neil Brown discovered that NFSv4 did not correctly check certain write
requests. A remote attacker could send specially crafted traffic that could
crash the system or possibly gain root privileges. (CVE-2010-2521)
David Howells discovered that DNS resolution in CIFS could be spoofed. A
local attacker could exploit this to control DNS replies, leading to a loss
of privacy and possible privilege escalation. (CVE-2010-2524)
download. Unfortunately, although some changes were made, it is still
vulnerable to the issue described in CVE-2009-4211.
The CVE should be updated to reflect that the December, 2009 version is
also vulnerable. The script should be re-evaluated to remove any
invocations of untrusted programs (especially any done as root). Users
should continue to avoid running the Unix SRR script until a fixed
version is available.
Below is a walk-through:
Hash: SHA1
Executive Summary
- -----------------
Unprivileged local users can obtain root access on Unix systems where
the DISA SRR scripts are run. If a remote user can introduce a file
into the filesystem (e.g. anonymous ftp, http upload, cdrom, samba
share, etc.), root access may be obtained by remote, and potentially
anonymous, users.
Webmin fails to sanitize $real in useradmin/index.cgi. $real is the
"Full Name" in the finger information of the user. useradmin/index.cgi
is the control panel of the "Users & Groups" section in webmin.
An attacker that has a normal user on the victim's machine could be
able to change his Full Name with chfn command, inject XSS and execute
commands as root.
Developing an exploit:
----------------------
With Webmin you can execute shell commands and the only security
Wietse
1. Postfix local privilege escalation via hardlinked symlinks
=============================================================
Sebastian Krahmer of SuSE has found a privilege escalation problem.
On some systems an attacker can hardlink a root-owned symlink to
for example /var/mail, and cause Postfix to append mail to existing
files that are owned by root or non-root accounts. This can happen
on operating systems with specific non-standard behavior.
Symlinks (symbolic links) implement aliasing for UNIX pathnames.
Jim,
Sorry, but your 'proof' below is wrong!
You are opening the locked down file as root and passing that
fd as input to the nobody process.
So nobody is not opening /dir/file.txt (he can't because he hasn't
access to it via /dir) but root is...
Therefore the write to the fd is failing, because you're passing a
Jamie,
the servers are definitely 'rooted' - as in, root access required for
what the exploit does, i.e. it's dug itself deep into the kernel and you
can't even compile a new kernel on the infected machine or even create
files or directories that start with a digit. So yeah, the servers are
rooted in every sense of the word (even the Aussie slang interpretation)
I don't believe the exploit would be nearly as damaging or dangerous if
it didn't involve root compromise.
Problem type : local
CVE Id(s) : CVE-2010-4345 CVE-2011-0017
Behaviour change : yes
A design flaw (CVE-2010-4345) in exim4 allowed the local Debian-exim
user to obtain root privileges by specifying an alternate
configuration file using the -C option or by using the macro override
facility (-D option). Unfortunately, fixing this vulnerability is not
possible without some changes in exim4's behaviour. If you use the -C
or -D options or use the system filter facility, you should evaluate
the changes carefully and adjust your configuration accordingly. The
- linux-ti-omap4: Linux kernel for OMAP4 devices
Details:
Dan Rosenberg discovered that the RDS network protocol did not correctly
check certain parameters. A local attacker could exploit this to gain root
privileges. (CVE-2010-3904)
Nelson Elhage discovered several problems with the Acorn Econet protocol
driver. A local user could cause a denial of service via a NULL pointer
dereference, escalate privileges by overflowing the kernel stack, and
###############################################
1. VULNERABILITY
-------------------------
linux privileged and arbitrary chdir(),
this leads to an arbitrary file identification as root.
2. BACKGROUND
-------------------------
mount.cifs (GNU Software) is part of the Linux base system, and is installed setuid on
most distributions (Arch Linux, Debian, Ubuntu, ...)
Versions Affected:
Spring Framework 1.1.0-2.5.6, 3.0.0.M1-3.0.0.M2
dm Server 1.0.0-1.0.2 (note 2.x not affected since dm Server 2.x requires a 1.6 JDK)
Description:
The j.u.r.Pattern.compile method in Sun 1.5 JDK has a problem ([1],[2]) with exponential compilation times, when using optional groups. A workaround [3] was implemented in 1.4.2_06 but the root cause of poor performance in regex processing was not resolved until JDK 1.6.
JdkRegexpMethodPointcut calls Pattern.compile(source[i]); via its inherited readObject method (from AbstractRegexpMethodPointcut). When a Sun JVM 1.5 driven application with spring.jar in its classpath accepts serializable data, an attacker could use a long regex string with many optional groups to consume enormous CPU resources. And, with a few requests, all listeners will be occupied with compiling regex expressions forever.
Mitigation:
* Users of all products may upgrade to JRE/JDK 1.6, which includes the fix for the root cause
* Spring Framework 2.5.6.SEC01 has been released for Community users and includes a workaround for the root cause - see [4] for upgrade steps
List,
There is a bug in the Promise NAS NS4300N web GUI (firmware version 1.1.0.5)
which allows an authenticated (admin) user to change the password of the
'root' account.
The user management portion of the web interface allows the admin user to
change users' passwords. The PHP script that handles this does not check
whether the admin is changing a user account or a system account such as
'root'.
Template Security Security Advisory
-----------------------------------
BlueCat Networks Adonis CLI root privilege escalation
Date: 2007-08-16
Advisory ID: TS-2007-003-0
Vendor: BlueCat Networks, http://www.bluecatnetworks.com/
Revision: 0