root access
Summary
=======
A vulnerability exists in the Cisco Unified Customer Voice Portal (CVP)
where an authenticated user can create, modify, or delete a superuser
account. Cisco has released free software updates that address this
vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080521-cvp.shtml.
I. Background
The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges. It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.
The host's jail rc.d(8) script can be used to start and stop jails
automatically on system boot/shutdown.
II. DESCRIPTION
Local exploitation of an arbitrary file creation vulnerability in IBM
Corp.'s Advanced Interactive eXecutive (AIX) Operating System allows
attackers to execute arbitrary code with super-user privileges.
This vulnerability exists due to the handling of several environment
variables. The libC.a library will open files as specified by the
"_LIB_INIT_DBG" and "_LIB_INIT_DBG_FILE" variables. The attacker's
"umask" will be honored, allowing them to create world-writable files,
Hello,
Following up on our conversations, I am sharing with you further details of this vulnerability. These problems have been confirmed in 220 bx series of DSL modems and are also present in a number of other modems.
1. The modems have accounts besides "admin" which have super-user [root, uid=guid=0] access. These accounts are "nobody", "user", "support". At the time of modem installation, Airtel staff usually
asks the subscriber to change his/her "admin" password on the modem - but people rarely do [can be verified by logging in using default admin password on random airtel modem IPs]. The passwords for (and even the existence of) the other accounts are not revealed.
2. These accounts have their passwords set to the same simple crackable [using JtR] value across _all_ modems. Worse yet, the passwords are available as javascript variables in clear text in the HTML UI for changing passwords. They are apparently there for user input validation (is the old password correct?). Using these
passwords, one can log in as super-user on _any_ airtel modem provided to subscribers.
Therefore it is trivial to patch the client software to pass the
authentication.
Furthermore with every "authentication" attempt to the server the attacker
gains knowledge of the administrative password.
The password for the "SuperUser" is sent from the TSA server to the client
in cleartext in the following way:
Name=SuperUser Password=072 175 173 176 173 177 181
II. DESCRIPTION
Local exploitation of multiple file creation vulnerabilities in IBM
Corp.'s DB2 Universal Database could allow attackers to elevate
privileges to the superuser.
These vulnerabilities are due to insufficient checking being performed
while handling files with elevated privileges. By setting certain
combinations of environment variables, an attacker is able to create or
append to arbitrary files on the system.
Jamie,
the servers are definitely 'rooted' - as in, root access required for
what the exploit does ie. it's dug itself deep into the kernel and you
can't even compile a new kernel on the infected machine or even create
files or directories that start with a digit. So yeah, the servers are
rooted in every sense of the word (even the Aussie slang interpretation)
I don't believe the exploit would be nearly as damaging or dangerous if
it didn't involve root compromise.
Index Functions Privilege Escalation (CVE-2007-6600): as a unique
feature, PostgreSQL allows users to create indexes on the results of
user-defined functions, known as expression indexes. This provided
two vulnerabilities to privilege escalation: (1) index functions were
executed as the superuser and not the table owner during VACUUM and
ANALYZE, and (2) that SET ROLE and SET SESSION AUTHORIZATION were
permitted within index functions.
Regular Expression Denial-of-Service (CVE-2007-4772, CVE-2007-6067,
CVE-2007-4769): three separate issues in the regular expression
Index Functions Privilege Escalation (CVE-2007-6600): as a unique
feature, PostgreSQL allows users to create indexes on the results of
user-defined functions, known as "expression indexes". This provided
two vulnerabilities to privilege escalation: (1) index functions were
executed as the superuser and not the table owner during VACUUM and
ANALYZE, and (2) that SET ROLE and SET SESSION AUTHORIZATION were
permitted within index functions. Both of these holes have now been closed.
Regular Expression Denial-of-Service (CVE-2007-4772, CVE-2007-6067,
CVE-2007-4769): three separate issues in the regular expression
> > upon the fact that an asynchronous signal cannot be sent to a suid
> > process by an unprivileged user.
>
> I disagree with you in that. Any hard guarantee can be given only by God.
> I repeat, signals are in general not a reliable information source since they
> can be generated in a couple of ways, even by an unkind superuser :-) .
You cannot protect against the superuser, nor should you even try.
Programs which attempt to evade control by the owner of the hardware
are normally termed "malware".
+---------------------------------
Complete these steps:
1. Log in as fgn, and then use the su command to switch to the
superuser.
2. Stop the Condenser and Node Manager:
/etc/init.d/fgnpn<Tab> stop
Hash: SHA1
Executive Summary
-----------------
Unprivileged local users can obtain root access on Unix systems where
the DISA SRR scripts are run. If a remote user can introduce a file
into the filesystem (e.g. anonymous ftp, http upload, cdrom, samba
share, etc.), root access may be obtained by remote, and potentially
anonymous, users.
Description
-----------
Rumpus turns any Mac into a file transfer server.
Rumpus v6.0 contains two buffer overflow vulnerabilities in its HTTP and FTP modules. The first allows an unauthenticated user to crash Rumpus. The latter may result in arbitrary code execution with superuser privilege.
The overflow in the HTTP component is caused by the lack of a boundary check when parsing the HTTP action verb (GET, POST, PUT, etc.). If the verb is exactly 2908 bytes long, the server runs into a segmentation fault and crashes. A manual restart is required. It has been observed that this problem occurs at other verb lengths too. The vulnerability is rated at moderate severity for the loss of service.
The overflow in the FTP component is also caused by the lack of a length check when parsing FTP commands that take an argument, such as ``MKD``, ``XMKD``, ``RMD`` and so on. The overflow occurs when the argument is copied with ``strcpy`` into an internal buffer. This buffer is 1024 bytes long. When the passed-in argument is longer than 1046 bytes, the instruction pointer will be overwritten. This allows a successful attack to run arbitrary code under the privilege of a superuser (root) by default. Though authorization is required to exploit this security bug, the vulnerability is rated at critical severity because the FTP daemon could be allowing anonymous access.
>
> Each box serving the nasty javascript has been rooted. One person has
> found a way to CLEAN the infection (ie. stop your server from serving
> the bad javascript), however not the root hole ie. the servers in
> question are still rooted as nobody so far has found what hole is being
> exploited to gain root access in the first place.
>
> See the following urls for a lot more info on this exploit:
>
> http://www.webhostingtalk.com/showthread.php?t=651748 (useful discussion
> starts on page 3 or so)
II. DESCRIPTION
Local exploitation of a directory creation vulnerability in IBM Corp.'s
DB2 Universal Database could allow attackers to elevate privileges to
the superuser.
This vulnerability exists due to insecure directory creation within
setuid-binaries included with DB2. While creating specific directory
structures, attacker created symbolic links will be followed. This
allows world-writable directories to be created anywhere on the file
BlueCat Networks is aware of this situation involving the CLI (known as the Adonis Administration Console) that can give an admin user unauthorized root privileges on the system.
This situation may only arise if an administrator has admin login capabilities to the CLI whether through SSH access or direct access to the system – i.e. monitor and keyboard.
Please note that this situation is only possible if someone has both access to the system and the admin password. In most customer environments such access should be highly restricted to trusted personnel. Commonly, those trusted personnel have access to the system with both the admin and the root passwords, which will give them root access regardless.
We would like to note that the Proteus IPAM appliance is not affected by this issue.
We are currently investigating this issue with the intention of amending the product to diminish the likelihood of this occurring. A patch should be available shortly. In the meantime, we are recommending that customers do all of the following:
administrator is able to execute a command as root.
Impact
------
Access to the admin account is the same as root access on the
appliance.
Exploit
-------
CVE-2010-0668
Multiple security issues in MoinMoin related to configurations that have
a non-empty superuser list, the xmlrpc action enabled, the SyncPages
action enabled, or OpenID configured.
CVE-2010-0669
>
> Each box serving the nasty javascript has been rooted. One person has
> found a way to CLEAN the infection (ie. stop your server from serving
> the bad javascript), however not the root hole ie. the servers in
> question are still rooted as nobody so far has found what hole is being
> exploited to gain root access in the first place.
You don't need root to deface web servers in general. Even if the
attackers want to run bots, they often stay as the unprivileged user
they get in as. Sometimes a few privilege escalation exploits are
tried, but even then people seem willing to make use of normal users
> >
> > I think you've got it exactly backwards: you don't let non-trusted
> > people run code on these machines because they are so expensive.
> >
>
> Right, and even if you are forced to allow root access to someone who
> is not well trusted then run them in a zone on the hardware domain -
> that way they cannot load random kernel modules even if they have root
> in the zone.
>
> The bug is bad but there are workarounds available that make it very
privileges.
CVE-2007-4573
Wojciech Purczynski discovered a vulnerability that can be exploited
by a local user to obtain superuser privileges on x86_64 systems.
This resulted from improper clearing of the high bits of registers
during ia32 system call emulation. This vulnerability is relevant
to the Debian amd64 port as well as users of the i386 port who run
the amd64 linux-image flavour.
ret-into-libc technique he succeeds with his attack on x86 architecture,
despite the NX and ASLR deployed in Dom0 OS (Fedora Core 8). The Evil
Hacker is also not discouraged by the fact that the target
OS has SELinux protection enabled - he demonstrates how the particular
SELinux policy for Xen, used by default on FC8, can be bypassed.
Ultimately he gets full root access in Dom0. Rafal also discusses
a variation of the exploitation on x86_64 architecture - he partially
succeeds, but his x64 exploit doesn't work in certain circumstances.
***
Impact
------
Successful exploitation of the vulnerability will result in
root access on the Adonis appliance.
Exploit
-------
0) Create a new TFTP Group in a Proteus configuration.
Advisory: Level-One WBR-3460A Grants Root Access
Risk: High
Vendor Status: Vendor has not released an updated version
Release Date: 08/01/2008
Last Modified: 01/01/2008
Author: Anastasios Monachos [anastasiosm(at)gmail(dot)com]
I Affected Products:
====================
Level-One WBR-3460A latest firmware available 1.00.12
- Ubuntu 10.10
Summary:
Local users could gain root access via the language-selector.
Software Description:
- language-selector: Language selector for Ubuntu Linux
Details:
buffer overflow is triggered. No authentication or data validation is
performed.
III. ANALYSIS
Exploitation allows unauthenticated remote attackers to gain root access
on affected machines.
The seriousness of this vulnerability is increased by the fact that in
most cases an attacker will have unlimited attempts at successful
exploitation due to the fact that inetd will continue to launch the