~ Core Security Technologies - CoreLabs Advisory
~ http://www.coresecurity.com/corelabs
Path Traversal vulnerability in VMware's shared folders implementation
*Advisory Information*
Title: Path Traversal vulnerability in VMware's shared folders implementation
Advisory ID: CORE-2007-0930
References: http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/Microsoft-Bluetooth-Stack-Directory-Traversal.html
Description:
Most Windows Mobile 5.0 & 6 devices are shipped with the Microsoft Bluetooth stack; only a few of them use others, such as the Widcomm Bluetooth stack. Among all the Bluetooth services that may be implemented in the stack, OBEX FTP is the most common service.
The OBEX FTP Bluetooth service can be used to share files through Bluetooth, not only by sending files but also by allowing remote devices to browse local shared folders and download files. Usually, the service is configured in such a way that a specific directory is shared and the user can place there all the files he would like to share with other people. The default directory is My Device\My Documents\Bluetooth Share. A different directory may be selected by the user; however, the Bluetooth wizard usually doesn't allow specifying any directory on the filesystem outside of the My Device\My Documents\ or Memory Card\My Documents\ paths. This is for safety reasons, so the user can't expose sensitive files or information through Bluetooth.
There exists a Directory Traversal vulnerability in the OBEX FTP service of the Microsoft Bluetooth stack implemented in Windows Mobile 5.0 & 6 devices. A remote attacker (who previously obtained authentication and authorization rights) can use tools like ObexFTP to traverse to parent directories outside of the default Bluetooth shared folder. This means the attacker can browse folders located on a lower level, download files contained in those folders, as well as upload files to those folders.
The only requirement is that the attacker must have authentication and authorization privileges over the OBEX FTP service. Pairing with the remote Windows Mobile device should be enough to get them. If the attacker succeeds in getting the proper privileges, further actions will be transparent to the user.
> CPNI-957037[1]:
>
> The OpenSSH team has been made aware of an attack against the SSH
> protocol version 2 by researchers at the University of London.
> Unfortunately, due to the report lacking any detailed technical
> description of the attack and CPNI's unwillingness to share necessary
> information, we are unable to properly assess its impact.
It is really sad that researchers are prevented from sharing details with
developers by some lame institute. The OpenSSH developers were asked to
undersign the document below. Apart from asking to be cited as the
3. Problem description:
a. VMware HGFS File System Heap Overflow
The VMware Host Guest File System (HGFS) shared folders feature allows
users to transfer data between a guest operating system and the
non-virtualized host operating system that contains it.
A heap buffer overflow condition is present in VMware HGFS. Exploitation
of this flaw might allow an unprivileged guest process to execute code
http://conference.hackinthebox.org/hitbsecconf2010ams/ ).
During our talk, we released multiple advisories and we explained many
issues related to some vulnerabilities. You can find more public
information through the slides available online. Here are some related
details that we wanted to share with you through this mailing list:
o CVE-2010-1752: TEHTRI-Security inside the iPhone iOS4
TEHTRI-Security found a stack overflow in the CFNetwork API, through the
code used to handle URLs. By visiting a maliciously crafted website, we
found that it might lead to an unexpected application termination or
+-----------+
|Description|
+-----------+
The Yoono Firefox extension provides an interface for
users to share objects with their friends on social
networks from any website. It allows users to select
images from a website to be shared, which publishes
that image to their friends.
Security-Assessment.com discovered that Yoono's share
Hi Thor,
Thanks to Microsoft's "defense in depth," double-clicking an .exe from a remote share
pops up a security warning. In contrast, double-clicking a data file that opens a
vulnerable application (which downloads and executes a .dll from the same share)
doesn't trigger such security warning. You might argue that users don't care about
such warnings and you might be right.
On the upside (or downside, depending on one's role in this game), our researchers
have already found an attack vector for binary planting (a superset of dll hijacking)
Analysis
========
As a result of incorrect dynamic link library loading in VMware Tools
for Windows, an attacker can cause her malicious DLL to be loaded and
executed from local drives, a remote Windows share, and even a share
located on the Internet.
All a remote attacker has to do is plant a malicious DLL with a specific
name on a network share and get the user to open any file from this
network location with any Windows application - which should require
path but arbitrary code.
The fix is to do what everybody with a directory traversal bug has to
do, block out of path relative directories. In this specific case,
prevent the creation of symlinks where the target is out of the SMB
share's range. (Still allow navigation to such symlinks if one exists,
though.)
On Feb 6, 2010, at 8:21 AM, "Stefan Kanthak" <stefan.kanthak@nexgo.de>
Description
_______________
OneNote is included as part of Office 2007, and provides an easy
way to store, manage, and share information.
OneNote installs a URL Handler under the registry key
HKEY_CLASSES_ROOT\OneNote
with an open command specified as
>Am Montag, den 25.10.2010, 22:56 +0000 schrieb Thor (Hammer of God):
>> The main point is that you've got to get people to not only connect up
>> to your remote share, but you've got to get them to execute the file,
>> etc. So I'm just wondering what makes this anything more than any
>> other "put a malicious link here to make the user execute it" or email
>> attachment business, particularly when you say "Remote Code
>> Execution."
>
>Err... as far as I know, the interesting part is having the current path be set to
>something you can control (to make windows load evil dlls), and if you just link
This is what we messed around with:
setuid setgid ELF 32-bit LSB executable,
Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses
shared libs), not stripped
OK, uses shared libs, right:
-rwsr-s--x 1 oracle dba 145M Aug 31 16:42 oracle
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01114023
Version: 1
HPSBMA02244 SSRT061260 rev.1 - HP OpenView Business Process Insight and Related Products Running Shared Trace Service, Remote Arbitrary Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-08-07
Last Updated: 2007-08-07
> (On a side note, you're not going to see this sort of symlink stuff on
> Windows,
What exactly do you mean?
Traversing symlinks on the server/share, or creation of "wide" symlinks
by the client on the server/share?
Since Windows 2000 NTFS supports "junctions", which pretty much resemble
Unix symlinks, but only for directories.
See <http://support.microsoft.com/kb/205524/en-us>
#2009-006 Android improper package verification when using shared uids
Description:
Android, an open source mobile phone platform, improperly checks developer
certificates when installing packages that request the shared user identifier
(uid) permission.
Normally, Android applications will be allowed to share a uid if the
packages are all signed by the same developer certificate and request
It seems there was a quite similar bug found back in 2004:
http://marc.info/?l=bugtraq&m=109658688505723&w=2
A remote attacker can read, list and retrieve nearly all files on the system remotely.
Required is a valid Samba account for a share which is writeable, OR
a writeable share which is configured to be a guest account share;
in the latter case this is a pre-auth exploit.
The attacker can write, for example, into /tmp or wherever the account
he is connecting with has access (/home/<user> etc.).
Changes were made to Skype to remove available command line arguments when
the /URI argument is present, and to resolve the discovered injection vulnerability.
Although many of the useful arguments have been disallowed, Security-Assessment.com
found that the /Datapath argument can be included and directed to a remote SMB
share directly through a specially crafted Skype URI.
The Datapath argument specifies the location of the Skype configuration files and
security policy. Specifying a Datapath argument will override any local security
policy defined in the Windows registry.
(interesting ;););))?
If so, should that mean that they implicitly recognize the very good
work done by the community?
If so, why not act politely with the community and share knowledge?
This would make the software better, so that they could still use it in
their applications.
How can't they understand that?
The public botnets@ mailing list, where malicious activity on the Internet
can be openly shared, has been revived, and boy is it active.
Warning: live samples and malicious URLs are openly shared there.
Mailing list URL:
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
Reasons, thinking and explanations:
http://gadievron.blogspot.com/2008/08/public-sharing-and-new-statregy-in.html
popular e-mail clients and most popular document readers, trying to use them as
delivery mechanisms for binary planting attacks.
Some interesting findings:
- Clicking a link to a remote shared folder on a web page will open this share in
Windows Explorer without a warning for 67% of all Internet Explorer users.
- Clicking a link to a remote shared folder in an e-mail message will open this share
in Windows Explorer without a warning for all Outlook, Windows Mail and Windows Live
Mail users, regardless of their default web browser. (E-mail is the most likely
present sensitive subjects can do so in total freedom. As we believe the academic system has set up a good precedent with anonymous submissions, review and voting, we wish to pursue this direction by providing researchers a way to share important contributions without being concerned with politics and other non-research influences.
This conference will try to take into account all voices in order to reach a
ESX 3.5 ESX not affected
ESX 3.0.3 ESX not affected
ESX 3.0.2 ESX not affected
ESX 2.5.5 ESX not affected
e. ACE shared folders vulnerability
The VMware Host Guest File System (HGFS) shared folders feature allows
users to transfer data between a guest operating system and the
non-virtualized host operating system that contains it.
This is cPanel's full response to David Collins:
> Hello and thank you again for reporting this security issue to
> cPanel. We appreciate your interest in helping secure the shared
> hosting environment.
>
> cPanel attempts to deliver a default configuration that suits the
> majority of our customers. cPanel makes every attempt to provide
> straightforward interfaces that allow server administrators to
> configure their hosting platform to serve the needs of their end
Aruba Threat Labs
Aruba Networks, Sunnyvale, CA
- ----------------------------------
- -------- Original Message --------
| Subject: Aruba Mobility Controller Shared Default Certificate
| Date: 23 Sep 2008 03:51:58 -0000
| From: nnposter@disclosed.not
| To: bugtraq@securityfocus.com
|
| Aruba Mobility Controller Shared Default Certificate
Cisco Security Advisory: Cisco Network Admission Control Shared Secret
Vulnerability
Advisory ID: cisco-sa-20080416-nac
http://www.cisco.com/warp/public/707/cisco-sa-20080416-nac.shtml
~ VMware Server 1.0.4 and earlier
~ VMware Fusion 1.1 and earlier
3. Problem description:
~ a. Host to guest shared folder (HGFS) traversal vulnerability
~ On Windows hosts, if you have configured a VMware host to guest
~ shared folder (HGFS), it is possible for a program running in the
~ guest to gain access to the host's file system and create or modify
~ executable files in sensitive locations.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01109171
Version: 2
HPSBMA02236 SSRT061260 rev.2 - HP OpenView Performance Manager (OVPM) Running Shared Trace Service on HP-UX, Solaris, and Windows, Remote Arbitrary Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-08-07
Last Updated: 2007-10-30
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01109584
Version: 2
HPSBMA02237 SSRT061260 rev.2 - HP OpenView Performance Agent (OVPA) Running Shared Trace Service, Remote Arbitrary Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-08-07
Last Updated: 2007-10-30
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01109617
Version: 2
HPSBMA02238 SSRT061260 rev.2 - HP OpenView Reporter Running Shared Trace Service, Remote Arbitrary Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-08-07
Last Updated: 2007-10-30