write access
|| User1 creates file with permissions 0644
|| User2 opens file for read access on file descriptor 4
|| User1 chmod's directory to 0700
|| User1 chmod's file to 0666
|| User1 verifies no hard links to file
|| User2 can not open the file for read or write access
|| User2 can not write to file descriptor 4
|| User2 _can_ write to /proc/$$/fd/4
||
|| Now user2 is expected to be able to have read-access to the file via
|| (he opened it in step 2). If he attempts to write with ">&4" then it
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02821425
Version: 1
HPSBMA02672 SSRT100485 rev.1 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows, Local Read and Write Access to Data and Log Files
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-05-10
Last Updated: 2011-05-10
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02822174
Version: 1
HPSBMI02632 SSRT100379 rev.1 - HP/Palm webOS, Execution of Arbitrary Code, Denial of Service (DoS), Unauthorized File System Write Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-05-09
Last Updated: 2011-05-09
actions within the context of the current session (full administrative
rights).
Although usually the SNMP write community string must be guessed/cracked
for an SNMP injection [1] attack to work, some embedded devices come with
SNMP read/write access enabled by default. Some examples include many
ZyXEL Prestige router models [2] used in residential and SOHO networks,
and also products used in corporate and government environments such as
the Proxim Tsunami MP.11 2411 Wireless Point-to-Multipoint System.
- From Proxim Tsunami MP.11 2411's user manual:
2.1 Input passed via the "status" GET parameter to /admin/stats_monthly_sales.php is not properly sanitised before being used in an SQL query. This can be exploited to alter SQL queries.
Exploitation is limited to the INTO OUTFILE clause. The vulnerability requires administrative privileges, but it can be exploited via CSRF: the attacker has a logged-in site administrator open the following URL (for example, in a hidden iframe):
http://[host]/admin/stats_monthly_sales.php?status=0 union select '<? php_code ?>' INTO OUTFILE '../../../path/to/site/file.php'
Depending on the MySQL and PHP configuration and on file system permissions, this PoC creates an arbitrary PHP file within the web root. Note that it is the MySQL server process, not the web server, that must be able to write to the target path, and that MySQL's secure_file_priv setting, where set, restricts where INTO OUTFILE may write.
2.2 Input passed via the "country" POST parameter to /admin/create_account_process.php is not properly sanitised before being used in an SQL query. This can be exploited to alter SQL queries.
Exploitation is again limited to the INTO OUTFILE clause. The vulnerability requires administrative privileges, but it can be exploited via CSRF: the attacker has a logged-in site administrator open a page containing the following HTML code:
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02518539
Version: 1
HPSBMI02582 SSRT100269 rev.1 - Palm webOS Camera Application, Unauthorized Write Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-10-26
Last Updated: 2010-10-26
-----"Vladimir '3APA3A' Dubrovin" <3APA3A@SECURITY.NNOV.RU> wrote: -----
>What can you achieve with script injection you can not achieve
>with SNMP write access?
I don't know what you can actually achieve, but in addition to whatever you
can do to/with the box you have SNMP write access for, it gives you a shot
at the admin's machine. And maybe even a shot at everything that the
admin's machine can talk to.
source IP address with the administrator. Therefore, this vulnerability
would mostly be exploited by internal users only. Sensitive information
such as administrative credentials can be obtained.
Admin passwords can be compromised given that an attacker has first
gained SNMP write access.
Workaround:
No workaround is available for the authentication bypass and passwords
32-bit or 64-bit installations, respectively, along with DIFxAPI.dll and other
files. After the installer writes these files to the directory, it will execute
DifXInstall32.exe or DifXInstall64.exe in the context of Local System, a
privileged user.
On a standard Windows installation, unprivileged users have write-access to
"%ALLUSERSPROFILE%\Application Data". As such, prior to a first-time iTunes
installation, an unprivileged attacker can create these directories and place a
malicious executable at "%ALLUSERSPROFILE%\Application Data\
{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86\DifXInstall32.exe" or
"%ALLUSERSPROFILE%\Application Data\{0DD0EEEE-2A7C-411C-9243-1AE62F445FC3}\x64\
During client authentication, cookies are used as input parameters
for authorization and validation of identity, both as a user and as an
administrator. It is possible to construct specially crafted cookie
parameters that cause SQL injection and grant full administrative
access rights. Additionally, having full write access to the templates of the
Smarty-based engine, together with the all-allow security level for
template processing, allows injection of PHP code into templates,
gaining complete and undetected control of the server, such as direct
access to the file system and direct access to any database.
=======
Cisco Industrial Ethernet 3000 (IE 3000) Series switches running
Cisco IOS Software releases 12.2(52)SE or 12.2(52)SE1, contain a
vulnerability where well known SNMP community names are hard-coded
for both read and write access. The hard-coded community names are
"public" and "private."
Cisco recommends that all administrators deploy the mitigation
measures outlined in the Workarounds section or perform a Cisco IOS
Software upgrade.
affected.
V. WORKAROUND
Block access to the httpd interface of vulnerable servers. Remove write
access for 'other' users to all files. The following command
recursively removes the write permission for 'other' (group-writable
files are left as they are):
chmod -R o-w directory/
Impact
======
Successful exploitation of the directory traversal vulnerability may
result in read and write access to files on the underlying operating
system.
Successful exploitation of the script injection vulnerability may result
in the execution of JavaScript in the browsers of authenticated users and
prevent server pages from displaying properly.
Basically the attacker performs a loop in which he:
- builds the HTTP request that performs the desired action, using an
incremental Session value
- uploads the file containing this request to his remote folder, where
he has write access
- uses "PORT 127,0,0,1,171,182" or "EPRT |1|127.0.0.1|43958" or
"EPRT |2|::1|43958" (in PORT syntax the port is p1*256+p2, so 171,182 is 43958)
- uses RETR to send the uploaded file containing the generated HTTP
request to the management interface on 127.0.0.1:43958
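As an added example (not from the advisory or the affected product), the server-side check that defeats this loop: decode the PORT and EPRT arguments the advisory shows and refuse any data connection whose target is not the control connection's own peer, is loopback, or is a privileged port. The peer address is passed in as a parameter because the example has no socket, and the command strings in main are constructed from the advisory's text.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode "h1,h2,h3,h4,p1,p2" (the PORT argument) into a dotted address
 * and the port p1*256+p2.  Returns 1 on success, 0 on malformed input. */
int parse_port_arg(const char *arg, char *host, size_t hostlen, int *port)
{
    unsigned v[6];
    int i;
    if (sscanf(arg, "%u,%u,%u,%u,%u,%u", &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) != 6)
        return 0;
    for (i = 0; i < 6; i++)
        if (v[i] > 255)
            return 0;
    snprintf(host, hostlen, "%u.%u.%u.%u", v[0], v[1], v[2], v[3]);
    *port = (int)(v[4] * 256 + v[5]);
    return 1;
}

/* Decode the RFC 2428 EPRT argument "<d>proto<d>addr<d>port<d>", <d> usually
 * '|'.  The trailing delimiter is optional here because the advisory writes
 * the commands without it.  proto 1 = IPv4, 2 = IPv6. */
int parse_eprt_arg(const char *arg, int *proto, char *host, size_t hostlen, int *port)
{
    char d = arg[0];
    const char *pf, *af, *pt;
    size_t alen;
    if (d == '\0' || d == ' ') return 0;
    pf = arg + 1;                         /* protocol field */
    if ((af = strchr(pf, d)) == NULL) return 0;
    af++;                                 /* address field */
    if ((pt = strchr(af, d)) == NULL) return 0;
    alen = (size_t)(pt - af);
    if (alen == 0 || alen >= hostlen) return 0;
    memcpy(host, af, alen);
    host[alen] = '\0';
    pt++;                                 /* port field */
    *proto = atoi(pf);
    *port = atoi(pt);
    return (*proto == 1 || *proto == 2) && *port >= 1 && *port <= 65535;
}

/* Loopback in either family, including the IPv4-mapped IPv6 spelling. */
static int is_loopback(const char *host)
{
    return strncmp(host, "127.", 4) == 0 || strcmp(host, "::1") == 0
        || strncmp(host, "::ffff:127.", 11) == 0;
}

/* The check itself.  peer is the control connection's source address (a
 * parameter here; a real server reads it from the socket).  1 = allow. */
int data_target_allowed(const char *cmd, const char *peer)
{
    char host[64];
    int port, proto;
    if (strncmp(cmd, "PORT ", 5) == 0) {
        if (!parse_port_arg(cmd + 5, host, sizeof host, &port)) return 0;
    } else if (strncmp(cmd, "EPRT ", 5) == 0) {
        if (!parse_eprt_arg(cmd + 5, &proto, host, sizeof host, &port)) return 0;
    } else {
        return 0;
    }
    if (port < 1024) return 0;            /* RFC 2577: no bounces to privileged ports */
    if (is_loopback(host)) return 0;      /* the advisory's target */
    return strcmp(host, peer) == 0;       /* only back to the client itself */
}

/* The target port a PORT/EPRT command encodes, or -1 if malformed. */
int command_target_port(const char *cmd)
{
    char host[64];
    int port, proto;
    if (strncmp(cmd, "PORT ", 5) == 0 && parse_port_arg(cmd + 5, host, sizeof host, &port))
        return port;
    if (strncmp(cmd, "EPRT ", 5) == 0 && parse_eprt_arg(cmd + 5, &proto, host, sizeof host, &port))
        return port;
    return -1;
}

int main(void)
{
    /* Constructed inputs: the advisory's three commands plus a legitimate one. */
    const char *peer = "192.0.2.10";
    const char *cmds[] = { "PORT 127,0,0,1,171,182", "EPRT |1|127.0.0.1|43958",
                           "EPRT |2|::1|43958", "PORT 192,0,2,10,4,1" };
    size_t i;
    for (i = 0; i < sizeof cmds / sizeof cmds[0]; i++)
        printf("%-26s port %5d -> %s\n", cmds[i], command_target_port(cmds[i]),
               data_target_allowed(cmds[i], peer) ? "allow" : "refuse");
    return 0;
}
```

All three of the advisory's commands decode to port 43958 and are refused because the target is loopback; the legitimate command is allowed only because its address equals the peer and its port is unprivileged.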
The JavaScript garbage collector in WebKit in Apple Safari before
4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1
through 2.2.1 does not properly handle allocation failures, which
allows remote attackers to execute arbitrary code or cause a denial
of service (memory corruption and application crash) via a crafted
HTML document that triggers write access to an offset of a NULL
pointer. (CVE-2009-1687)
Use-after-free vulnerability in WebKit, as used in Apple Safari
before 4.0, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1
through 2.2.1, Google Chrome 1.0.154.53, and possibly other products,
69081264 894c31fc mov dword ptr [ecx+esi-4],ecx ds:0023:3aaee3dc=????????
0:008> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at IML32!Ordinal2064+0x0000000000007254 (Hash=0x3e3c3a38.0x484c154e)
User mode write access violations that are not near NULL are exploitable.
Disassembly:
0:008> u 0x69081264 L15
https://issues.rpath.com/browse/RPL-2255
Description:
Previous versions of the am-utils package are vulnerable to an attack
in which one local user can modify the contents of arbitrary files to
which other local users running expn have write access.
http://wiki.rpath.com/Advisories:rPSA-2008-0088
Copyright 2008 rPath, Inc.
This file is distributed under the terms of the MIT License.
LogAnalyzer version 3.4.2, and probably earlier versions, suffers from multiple vulnerabilities:
- SQL Injection
1) The script admin/views.php contains an SQL injection vulnerability when used to create a new view. It can be exploited by a non-admin user (with write access) to insert arbitrary data into the logcon_views table.
The vulnerability exists because the script fails to sanitize the POST variable "Columns" before using it to build an SQL query.
This PoC creates an arbitrary record in the logcon_views table.
WebKit in Apple Safari before 4.0.2, KHTML in kdelibs in KDE, QtWebKit
(aka Qt toolkit), and possibly other products does not properly handle
numeric character references, which allows remote attackers to execute
> # cat /dir/file.txt
> hacked
>
> Again, debatable whether this is a bug, but it's certainly
> non-obvious. There is no other way (that I'm aware) for the "nobody"
> user to gain write access to /dir/file.txt, even when given a
> read-only fd, without using /proc.
>
> -jim
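The reopen-through-/proc behaviour jim describes above (and the step list quoted earlier on this page), reproduced as an added example that is not part of the original thread. It runs as a single Linux user rather than two: the user chmods its own scratch directory to 0000, which for a non-root process makes the path unreachable just as the 0700 directory did for user2, while the file's own mode stays 0666. The scratch directory under /tmp and the file name are assumptions of the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Bits set in the value returned by proc_fd_reopen_demo(). */
enum {
    DEMO_PATH_OPEN_DENIED = 1,  /* open(path, O_WRONLY) failed with EACCES */
    DEMO_FD_WRITE_EBADF   = 2,  /* write() on the read-only fd failed with EBADF */
    DEMO_PROC_REOPEN_OK   = 4,  /* open("/proc/self/fd/N", O_WRONLY) succeeded */
    DEMO_FILE_OVERWRITTEN = 8   /* the file's contents changed through that reopen */
};

/* Replays the thread's steps inside one process (Linux only).  The scratch
 * directory under /tmp is an assumption of this example. */
int proc_fd_reopen_demo(void)
{
    char dir[] = "/tmp/procfd-demo-XXXXXX";
    char path[64], procpath[64], buf[16];
    int result = 0, fd, wfd;
    ssize_t n;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/file.txt", dir);

    /* Steps 1 and 4: the file exists and its own mode is 0666. */
    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0)
        return -1;
    (void)write(fd, "original", 8);
    close(fd);
    chmod(path, 0666);                   /* independent of umask */

    /* Step 2: a read-only descriptor taken while the path is reachable. */
    fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;

    /* Step 3: the directory stops being traversable.  The thread used 0700
     * and a second user; 0000 on our own directory has the same effect for
     * a non-root process (root ignores directory permissions). */
    chmod(dir, 0000);

    wfd = open(path, O_WRONLY);          /* by path: denied for non-root */
    if (wfd < 0) {
        if (errno == EACCES)
            result |= DEMO_PATH_OPEN_DENIED;
    } else {
        close(wfd);
    }

    if (write(fd, "x", 1) < 0 && errno == EBADF)   /* the fd itself is read-only */
        result |= DEMO_FD_WRITE_EBADF;

    /* The /proc entry is a magic link straight to the inode: the kernel
     * checks the file's own mode (0666), never the directory's. */
    snprintf(procpath, sizeof procpath, "/proc/self/fd/%d", fd);
    wfd = open(procpath, O_WRONLY | O_TRUNC);
    if (wfd >= 0) {
        result |= DEMO_PROC_REOPEN_OK;
        (void)write(wfd, "hacked", 6);
        close(wfd);
    }

    /* Read back through the original read-only descriptor. */
    lseek(fd, 0, SEEK_SET);
    n = read(fd, buf, sizeof buf - 1);
    if (n > 0) {
        buf[n] = '\0';
        if (strcmp(buf, "hacked") == 0)
            result |= DEMO_FILE_OVERWRITTEN;
    }
    close(fd);

    chmod(dir, 0700);                    /* restore so cleanup can unlink */
    unlink(path);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = proc_fd_reopen_demo();
    if (r < 0) {
        perror("setup");
        return 1;
    }
    printf("open by path denied:         %s\n", (r & DEMO_PATH_OPEN_DENIED) ? "yes" : "no (root?)");
    printf("write on read-only fd EBADF: %s\n", (r & DEMO_FD_WRITE_EBADF) ? "yes" : "no");
    printf("reopen via /proc/self/fd:    %s\n", (r & DEMO_PROC_REOPEN_OK) ? "yes" : "no");
    printf("file overwritten:            %s\n", (r & DEMO_FILE_OVERWRITTEN) ? "yes" : "no");
    return 0;
}
```

Run it as an ordinary user; as root the by-path open succeeds anyway, but the other three results are the same. The practical consequence is the one the thread circles around: once another user holds a descriptor, tightening the directory alone changes nothing, because the inode's own mode is the only check the /proc reopen sees.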
http://www.samba.org/samba/news/symlink_attack.html
fails to consider whether the mentioned configuration (when admin sets
non-default "writeable = yes" but leaving default "wide links = yes")
allows write access to the whole filesystem (where the user has UNIX
rights). I also wonder about the interaction with the setting of "unix
extensions" (which I had set to non-default "no" to help Mac clients).
Cheers, Paul
7c83e790 8901 mov dword ptr [ecx],eax ds:0023:41414141=????????
0:000> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at ntdll!RtlAbsoluteToSelfRelativeSD+0x00000000000005cd (Hash=0x7d7e510d.0x116d301c)
User mode write access violations that are not near NULL are exploitable.
code:
...
7c83e790 8901 mov dword ptr [ecx],eax ds:0023:41414141=???????? <---- crash
7c83e792 894204 mov dword ptr [edx+4],eax
an output parameter.
The problem with this code is a race condition: if the attacker can
guess the generated file name, he/she can create a file (or a symlink)
with that name between the call to cli_gentemp() and open(), making it
possible to overwrite, with temporary data, arbitrary files to which the
user running ClamAV has write access. The fix is to open the temporary
file with O_CREAT|O_EXCL: with both flags set, open() fails with EEXIST
if anything already exists at that path, a symlink included (mkstemp()
does exactly this with a randomised name).
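An added example, not ClamAV's code, that plays the race out with the attacker already having won it: the temporary name is fixed (standing in for a guessed cli_gentemp() result) and a symlink to a victim file is planted there before open(). The scratch directory under /tmp, the victim file and the temp name are all assumptions of the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The unsafe pattern from the paragraph: O_CREAT without O_EXCL follows
 * whatever the attacker placed at the predicted name. */
int open_temp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* The fix: O_CREAT|O_EXCL fails with EEXIST if the path already exists,
 * a symlink (even a dangling one) included. */
int open_temp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Reads the victim back so the two opens can be compared. */
static int victim_holds(const char *victim, const char *expected)
{
    char buf[32];
    ssize_t n;
    int fd = open(victim, O_RDONLY);
    if (fd < 0)
        return 0;
    n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0)
        return 0;
    buf[n] = '\0';
    return strcmp(buf, expected) == 0;
}

/* Returns 1 if the safe open refused the planted link (victim intact) and
 * the unsafe open then clobbered the victim; 0 otherwise; -1 on setup error. */
int temp_race_demo(void)
{
    char dir[] = "/tmp/tmprace-XXXXXX";    /* assumed scratch location */
    char victim[80], tmpname[80];
    int fd, safe_refused = 0, unsafe_clobbered = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    snprintf(tmpname, sizeof tmpname, "%s/clamav-00000001.tmp", dir); /* "guessed" name */

    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    (void)write(fd, "victim data\n", 12);
    close(fd);

    /* The attacker's move between name generation and open(): plant a link. */
    if (symlink(victim, tmpname) != 0)
        return -1;

    /* With O_EXCL: refused, victim untouched. */
    fd = open_temp_safe(tmpname);
    if (fd < 0 && errno == EEXIST && victim_holds(victim, "victim data\n"))
        safe_refused = 1;
    else if (fd >= 0)
        close(fd);

    /* Without O_EXCL: the link is followed and the victim is overwritten. */
    fd = open_temp_unsafe(tmpname);
    if (fd >= 0) {
        (void)write(fd, "temp data\n", 10);
        close(fd);
    }
    unsafe_clobbered = victim_holds(victim, "temp data\n");

    unlink(tmpname);
    unlink(victim);
    rmdir(dir);
    return safe_refused && unsafe_clobbered;
}

int main(void)
{
    int r = temp_race_demo();
    if (r < 0) {
        perror("setup");
        return 1;
    }
    printf("O_EXCL refused the planted link, O_TRUNC clobbered the victim: %s\n",
           r ? "yes" : "no");
    return 0;
}
```

The result is the same whether run as root or not. O_EXCL without O_CREAT is undefined, so the pair must be set together; mkstemp(), which opens with O_CREAT|O_EXCL on a name it randomises itself, is the usual replacement for a hand-rolled generator such as cli_gentemp().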
So, how does the file name generation happen? First, cli_gentemp() determines
That's a good question, and here is my answer from the draft version of
an upcoming paper I'm working on:
"
Gaining SNMP write access to a device is already a compromise on its own
and usually considered a potential high risk security issue. Therefore,
one could argue that there is no point in launching an SNMP injection
attack when we can already change system settings via the SNMP write
community string. You might be wondering: why bother injecting a
HTML/JavaScript payload on the web console through SNMP when I can
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at libavcodec_plugin!vlc_entry__1_1_0g+0x33cef2 (Hash=0x64744c60.0x724a4f4e)
User mode write access violations that are not near NULL are exploitable.
diff --git a/libavcodec/sp5xdec.c b/libavcodec/sp5xdec.c index 8bcdbe4..dd31eda 100644 (file)
--- a/libavcodec/sp5xdec.c
+++ b/libavcodec/sp5xdec.c
@@ -86,7 +86,6 @@ static int sp5x_decode_frame(AVCodecContext *avctx,
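Review bot: the hunk body is missing, so the change cannot be reviewed. The header @@ -86,7 +86,6 @@ says a single line of sp5x_decode_frame is deleted, but without that line and its context there is no way to confirm it removes the write that the !exploitable report above attributes to libavcodec_plugin!vlc_entry__1_1_0g+0x33cef2. Please include the full hunk next to the crash summary.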
vectors. (CVE-2010-2492)
The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel
before 2.6.35 does not properly check the file descriptors passed
to the SWAPEXT ioctl, which allows local users to leverage write
access and obtain read access by swapping one file into another
file. (CVE-2010-2226)
The gfs2_dirent_find_space function in fs/gfs2/dir.c in the Linux
kernel before 2.6.35 uses an incorrect size value in calculations
associated with sentinel directory entries, which allows local
inadvertently increasing their risk due to a bug that makes standard
Windows anti-exploitation mechanisms ineffective.
A vulnerability found in the memory management of the Virtual Machine
Monitor makes memory pages mapped above the 2GB boundary available, with read or
read/write access, to user-space programs running in a Guest operating
system. By leveraging this vulnerability it is possible to bypass
security mechanisms of the operating system such as Data Execution
Prevention (DEP) [1], Safe Structured Error Handling (SafeSEH) [2] and
Address Space Layout Randomization (ASLR) [3] designed to prevent
exploitation of security bugs in applications running on Windows