unprivileged user
vulnerable software: VMware Workstation 6.0 for Windows, possibly some other VMware products as well
type of vulnerability: DoS, potential privilege escalation
I found a vulnerability in VMware Workstation 6.0 which allows an unprivileged user in the host OS to crash the system and potentially run arbitrary code with kernel privileges.
The issue is in the vmstor-60 driver, which is supposed to mount VMware images within the host OS. When sending the IOCTL code FsSetVoleInformation with subcode FsSetFileInformation with a large buffer and underreporting its size as at most 1024 bytes, it will underrun and potentially execute arbitrary code.
Interestingly, the vmstor driver (which is the old version used to mount VMware images prior to version 6.0) is not vulnerable.
I originally reported this vulnerability on 21-May-07 and got a response from the VMware security team, but so far the investigation hasn't gone any further and no update has been released.
Rising Personal Firewall 2009 (21.62.04)
Prior versions may also be affected.
DETAILS
Rising installs its own program files with insecure permissions (Users: Full Control). A local attacker (unprivileged user) can replace some files (for example, executable files of Rising services) with a malicious file and execute arbitrary code with SYSTEM privileges. This is a local privilege escalation vulnerability.
For example, in Rising Antivirus 2009 the following attack scenario could be used:
1. An attacker (unprivileged user) replaces one of the Rising Antivirus program files with a malicious executable file. For example, the replaced file could be %Program Files%\Rising\RAV\RavTask.exe (Rising RavTask Manager).
2. Restart the system.
After the restart, the attacker's malicious file will be executed with SYSTEM privileges.
The self-defense of Rising Antivirus will prevent all operations on Rising program files. It can be bypassed using internal shell dialogs in Rising Antivirus (for example, the "Save as" dialog in Tools -> Installer Creation Tool -> Browse).
Previous versions may also be affected
DETAILS
Protector Plus installs its own program files with insecure permissions (Everyone - Full Control). A local attacker (unprivileged user) can replace some files (for example, executable files of Protector services) with a malicious file and execute arbitrary code with SYSTEM privileges. This is a local privilege escalation vulnerability.
For example, the following attack scenario could be used:
1. An attacker (unprivileged user) renames one of the Protector program files (below, the FILE). For example, the FILE could be PPAVMON.exe (Protector Plus Anti-virus Monitor Service).
2. The attacker copies his malicious executable file (with the same name as the old filename of the FILE, PPAVMON.exe) to the Protector folder.
3. Restart the system.
All - the first bug is self-explanatory,
> # Kernel denial of service vulnerability
> An integer overflow vulnerability in the vmx86 kernel extension allows
> for a denial of service by an unprivileged user.
The vmx86 kext ioctl handler contains several integer overflows which
lead to kernel heap corruptions. These are probably not exploitable, and
I didn't try given the second bug,
vulnerable software: BufferZone (all product versions) up to version 2.5 (latest)
type of vulnerability: DoS, potential privilege escalation
I found a vulnerability in BufferZone which allows an unprivileged user, and even malicious software running inside the BufferZone sandbox, to crash the system and potentially run arbitrary code with kernel privileges.
The issue is within the kernel driver redlight.sys, which does not properly validate file buffers. Sending the IOCTL code FsSetVolumeInformation with subcode FsSetDirectoryInformation with a large buffer but underreporting its size as at most 1024 bytes results in a buffer underrun, which might also lead to executing arbitrary code.
Since the RedLight device is also visible to sandboxed applications, it might allow sandboxed malware to escape the sandbox.
How to reproduce:
- get DC2.exe from the latest Windows Driver Kit
- install BufferZone
. 2008-03-01: Vendor requests publication to be delayed one day in
order to publish a new release of Android with a fix to the BMP issue.
. 2008-03-02: Core agrees to delay publication for one day.
. 2008-03-03: Vendor releases Android SDK m5-rc15 which fixes the BMP
vulnerability. Vendor indicates that Android applications run with
the credentials of an unprivileged user, which decreases the severity of
the issues found.
. 2008-03-04: Further research by Alfredo Ortega reveals that, although
the vendor statement is correct, current versions of the Android SDK ship
with a passwordless root account. Unprivileged users with shell access
can simply use the 'su' program to gain privileges.
32-bit or 64-bit installations, respectively, along with DIFxAPI.dll and other
files. After the installer writes these files to the directory, it will execute
DifXInstall32.exe or DifXInstall64.exe in the context of Local System, a
privileged user.
On a standard Windows installation, unprivileged users have write-access to
"%ALLUSERSPROFILE%\Application Data". As such, prior to a first-time iTunes
installation, an unprivileged attacker can create these directories and place a
malicious executable at "%ALLUSERSPROFILE%\Application Data\
{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86\DifXInstall32.exe" or
"%ALLUSERSPROFILE%\Application Data\{0DD0EEEE-2A7C-411C-9243-1AE62F445FC3}\x64\
> your vendor.
>
>
> ===[ DESCRIPTION ]======================================================
>
> Typically unprivileged user can not send signal to processes running
> with different UID. Due to vulnerability found in the Linux kernel any
> local user may bypass security restrictions and send arbitrary signal to
> any child process executed by the user.
>
> When a parent process dies or exits its child processes may receive a
- ----------------------
On June 30th, VSR identified a vulnerability in HFS+, a filesystem implemented
in the OS X XNU kernel. HFS+ is the default filesystem in use on many
installations of the Mac OS X operating system. By exploiting this
vulnerability, an unprivileged user with local access to a machine using HFS+
may be able to read raw filesystem data, bypassing file permissions and
resulting in information disclosure.
Vulnerability Details
Not "the new Windows 98" by a long shot - saying that is just
irresponsible. While Apple is not used to dealing with security in the
same way that other companies are, comparing OSX to Windows 98 is not
only a huge technical inaccuracy, but you also insult Mac users out
there. OSX had "UAC-like unprivileged user controls" way before Vista
did - let's not try to start some holy war on this like people have
tried to do with Windows vs Linux in the past.
If you want to report this, then report it-- but say what it is, a
totally lame user-must-be-drunk "exploit" that requires that all manner
The attack permits a Guest user to predict the password length entered by any user who ran runas and
typed a password in. This is very easy to do and is based on analyzing the I/O bytes computed when
executing runas.exe.
First you have to consider this: on Windows, any unprivileged user can grab information on highly
privileged running processes. This is where the flaw is.
I found the issue through some very simple steps that you can reproduce as follows:
1. Log in as guest
III. ANALYSIS
Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the SQL Server. SQL Server 2005 runs under
the "NETWORK SERVICE" account, which is similar to an unprivileged user
account.
The target function can be run by any user with access to query the
database. This attack could also be conducted anonymously through a Web
application if it contained an SQL Injection vulnerability.
Previous versions may also be affected
DETAILS
Trustport installs its own program files with insecure permissions (Everyone - Full Control). A local attacker (unprivileged user) can replace some files (including executable files of Trustport services) with malicious files and execute arbitrary code with SYSTEM privileges.
EXPLOITATION
This is a local privilege escalation vulnerability. An attacker must have valid logon credentials on a system where the vulnerable software is installed.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2826
Description:
Previous versions of the kernel package contain multiple
vulnerabilities, the most serious of which can allow an unprivileged
user to cause a denial of service.
In addition, an issue which made the kernel unbootable as a guest in
Microsoft Virtual Server has been resolved.
A system reboot is required to resolve these issues.
IPv6 Router Advertisement daemon:
CVE-2011-3602
The set_interface_var() function doesn't check the interface name, which is
chosen by an unprivileged user. This could lead to an arbitrary file
overwrite if the attacker has local access, or to specific file overwrites
otherwise.
CVE-2011-3604
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4569
Description:
Previous versions of the kdebase package contain a kdm vulnerability in
which an unprivileged user may, if auto-login is enabled, be allowed to
log in as another user (or as root) without supplying proper login
credentials. If kdm is also configured to service incoming XDMCP
requests, remote root unauthorized access may be possible.
In its default configuration, rPath Linux 1 is not vulnerable to this
*Technical Description / Proof of Concept Code*
When the VirtualBox package is installed on a host the 'VBoxDrv.sys'
driver is loaded on the machine. This driver allows any unprivileged
user to open the device '\\.\VBoxDrv' and issue IOCTLs with a buffering
mode of METHOD_NEITHER without any kind of validation. This allows
untrusted user mode code to pass arbitrary kernel addresses as arguments
to the driver.
With specially constructed input, a malicious user can use functionality
Mac OS X supports WebDAV shares natively as a filesystem, implemented
as a kernel extension. Local users can mount WebDAV shares using the
"mount_webdav" utility included in most default installations.
The WebDAV kernel extension is vulnerable to a denial-of-service issue
that allows a local unprivileged user to trigger a kernel panic due to
a memory overallocation. This vulnerability has been verified with
proof-of-concept code. The vulnerable code is in the webdav_mount()
function, and reads as:
MALLOC(fmp->pm_socket_name, struct sockaddr *, args.pa_socket_namelen,
Prior versions may also be affected.
DETAILS
Panda installs its own program files with insecure permissions (Everyone: Full Control). A local attacker (unprivileged user) can replace some files (for example, executable files of Panda services) with a malicious file and execute arbitrary code with SYSTEM privileges. This is a local privilege escalation vulnerability.
For example, in Panda Antivirus Pro 2010 the following attack scenario could be used:
1. An attacker (unprivileged user) replaces one of the Panda Antivirus program files with a malicious executable file. For example, the replaced file could be %Program Files%\Panda Security\Panda Antivirus Pro 2010\TPSrv.exe (Panda TPSrv service).
2. Restart the system.
- -------------
The publisher should do a comprehensive review of their software to make
sure they eliminate all cases where they execute
unknown/untrusted/suspect code as root. Ideally, they should not
execute such code at all, even as an unprivileged user. A better
approach would be to use "strings" or something similar to look for a
signature to try to determine the version of the software it found.
Vulnerability Reporting/Tracking
III. ANALYSIS
Exploitation allows an attacker to execute arbitrary shell commands in
the context of the web server process. Under Windows, the
Administration Server runs as SYSTEM, so the injected command will be
executed as SYSTEM. Under Linux it runs as an unprivileged user. No
authentication is required to exploit this vulnerability.
IV. DETECTION
Oracle Corp.'s Secure Backup version 10.2.0.2 for Linux, and Secure
Prior versions may also be affected.
DETAILS
Insecure permissions have been detected in multiple Kaspersky Lab antivirus products. The "Everyone" group has "Full Control" rights to the BASES folder. The folder contains antivirus bases, configuration files and executable modules. A local attacker (unprivileged user) can replace some files (for example, executable modules) with a malicious file and execute arbitrary code with SYSTEM privileges. This is a local privilege escalation vulnerability.
For example, in Kaspersky Anti-Virus 2010 (9.0.0.463) the following attack scenario could be used:
1. An attacker (unprivileged user) replaces one of the *.kdl files with a malicious dynamic link library (DLL). The replaced file could be %ALLUSERSPROFILE%\Application Data\Kaspersky Lab\AVP9\Bases\vulns.kdl.
2. Restart the system.
After the restart, the attacker's malicious DLL will be loaded with SYSTEM privileges.
be sent to privileged processes, i.e. it's mostly a DoS issue.
> > Just in case it hasn't sunk in yet, the inability to trust signals is
> > a consequence of this bug. Ordinarily, it should be possible to rely
> > upon the fact that an asynchronous signal cannot be sent to a suid
> > process by an unprivileged user.
>
> I disagree with you in that. Any hard guarantee can be given only by God.
> I repeat, signals are in general not a reliable information source since they
> can be generated in a couple of ways, even by an unkind superuser :-) .
Yes, and I said this is a bug, but it is in general not exploitable.
CVE Id : CVE-2010-1326
Debian Bug : 593884
It has been discovered that in cvsnt, a multi-platform version of the
original source code versioning system CVS, an error in the
authentication code allows a malicious, unprivileged user, through the
use of a specially crafted branch name, to gain write access to any
module or directory, including CVSROOT itself. The attacker can then
execute arbitrary code as root by modifying or adding administrative
scripts in that directory.
user mode application via IOCTL functions.
There are 4 IOCTL functions on the firewall driver module that use input
received from userspace and do not validate the length of the input
buffers properly. By calling any of these IOCTLs with properly
crafted arguments, an unprivileged user could trigger vulnerabilities in
the driver and cause a denial of service or potentially execute
arbitrary code with elevated privileges.
Similarly, 7 other SSDT hook handler functions in the driver that
intercept Registry access on Windows are vulnerable to input
Description
***********
A vulnerability was found in the Web Administration Interface of the HP StorageWorks 1/8 G2 Tape Autoloader.
A default unprivileged user can escalate privileges to administrator.
Details
*******
http://dsecrg.com/pages/vul/show.php?id=111
This update fixes a security issue related to local exploitation of
an untrusted library path vulnerability in vmware-authd. In order to
exploit this vulnerability, an attacker must have local access and
the ability to execute the set-uid vmware-authd binary on an affected
system. Exploitation of this flaw might result in arbitrary code
execution on the Linux host system by an unprivileged user.
VMware would like to thank iDefense for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2008-0967 to this issue.