|| User1 creates file with permissions 0644
|| User2 opens file for read access on file descriptor 4
|| User1 chmod's directory to 0700
|| User1 chmod's file to 0666
|| User1 verifies no hard links to file
|| User2 can not open the file for read or write access
|| User2 can not write to file descriptor 4
|| User2 _can_ write to /proc/$$/fd/4
||
|| Now user2 is expected to be able to have read-access to the file via
|| (he opened it in step 2). If he attempts to write with ">&4" then it
Example:
Command        File written
------------------------------
:write %       Current file name
:write \%      %
:write \\%     \%
So, now we have to write a piece of code that knows which class the characters
belong to, and quote them accordingly, right? Not really.
"mapserv->map->name", is taken from the NAME attribute inside the same
map file. The third variable, "mapserv->Id", is read from user input
at line 406, though it is restricted to IDSIZE (128) bytes. Thus, a
buffer overflow can be achieved by creating a map file on the server
with overly long IMAGEPATH and/or NAME attributes; their values will be
stored past the end of "buffer" and will overwrite saved register
values. If the following specially-crafted map file ("bof.map") is
stored on the server (either by creating it directly, or tricking a
legitimate user into placing it onto the file system):
MAP
Pavel considered that in his original mail, where he checked there were
no links.
Pavel wrote his email in a convoluted way, so it's not clear what's going
on. Here's an attempt to rewrite:
User1 creates file with permissions 0644
User2 opens file for read access on file descriptor 4
User1 chmod's directory to 0700
User1 chmod's file to 0666
That's a good question, and here is my answer from the draft version of
an upcoming paper I'm working on:
"
Gaining SNMP write access to a device is already a compromise on its own
and usually considered a potential high risk security issue. Therefore,
one could argue that there is no point in launching a SNMP injection
attack when we can already change system settings via the SNMP write
community string. You might be wondering: why bother injecting a
HTML/JavaScript payload on the web console through SNMP when I can
---------------------------------------------------------------------------
* Opera : SELECT SIZE Arbitrary null write *
---------------------------------------------------------------------------
--[ Vulnerability Summary:
...
> ># Linux correctly prevents guest from writing to that file
> >guest@toy:/tmp/my_priv$ cat unwritable_file
> >cat: unwritable_file: Permission denied
> >guest@toy:/tmp/my_priv$ echo got you>&3
> >bash: echo: write error: Bad file descriptor
> >
> ># ...until we take a way around it with /proc filesystem. Oops.
> >guest@toy:/tmp/my_priv$ echo got you> /proc/self/fd/3
> >
> That can hardly be called a real security hole, since the behaviour
That said there is no other answer than: No, we are not prepared and we will
surrender if such bad thing happens again. Why am I saying that? You will
figurate.
Just for the records: I will not write that much, even because it is very,
very simple, and I do believe some one else will write a good stuff for
academic audiences.
If you still believe in Santa Claus, please, stop reading right now, because
this paper will show that bad things can get worse, and worse, and worse, if
high profile websites like: banking websites, political party websites,
gaming websites, blogs and even security company websites.
During our research in unserialize() vulnerabilities it was discovered
that Piwik unserializes data from the user supplied cookie. By
unserializing some of Piwik's objects it is possible to write
arbitrary files to writable locations on the webserver which
can be used to upload e.g. PHP files to writable directories
within the webserver's document root which usually exist in a
standard Piwik installation. In newer versions of Piwik it is
also possible to execute arbitrary PHP code directly.
> >>That can hardly be called a real security hole, since the behaviour
> >>described above is expected, and is as it was conceived by design.
> >>If the file owner in fact allows writing to it, why should Linux
> >>prevent that from happening?
> >
> >No, I do not think this is expected. You could not write to that file
> >under traditional unix, and you can not write into that file when
> >/proc is unmounted.
> >
> >I do not think mounting /proc should change access control semantics.
> >
> >>
> >>But guest has permissions to ptrace() his own processes. If we
> >>remember your original report, he abuses input redirection of bash
> >>run by himself. So again, there's no real security hole here.
> >
> >guest abuses ptrace permissions on his own processes to write to
> >pavel's files... no, that obviously is not security hole :-).
> >
> guest abuses ptrace permissions on his own processes to write to ANY
> file open by his processes, whose permissions explicitly allow
> writing to it. Doesn't it trouble you, that guest's processes still
(http://websecurity.com.ua/articles/security_researches_and_legislation/eng/).
It's because earlier I already disclosed details (at my site and to security
lists) of vulnerabilities in CaptchaSecurityImages (a captcha script which
is used in this CMS, as in many other CMS and web applications). So there
were no reasons to not write details about these holes in advisory at my
site, because all information is already public. So for all of these
vulnerable webapps I used responsible full disclosure approach.
> I don't even know what Dunia soccer is but how about you give vendors a
> chance to make good?
below.
At 'mov_demux.c' (line 1768) an array of 'chunkmap' structures is filled
by reading data straight from file without any kind of check. Then, at
'mov_build_index()' (line 150), the 'trak->chunkmap[i].first' field is
used to index the heap array 'chunks' allowing an attacker to write the
'sdid' and 'spc' values at some memory address relative to that heap
pointer causing a memory corruption. This could be used to overwrite
function pointers or some critical data allowing an attacker to get code
execution.
The VideoLAN project has issued a security advisory describing this
vulnerability [2], partially quoted below.
VLC media player's MPEG-4 file format parser (a.k.a. the MP4 demuxer)
suffers from an arbitrary memory overwrite vulnerability when using
specially crafted (invalid) MP4 input files. If successful, a malicious
third party could trigger execution of arbitrary code within the context
of the VLC media player, or otherwise crash the player instance.
Exploitation of the MP4 demuxer problem requires the user to explicitly
You are opening the locked down file as root and passing that
fd as input to the nobody process.
So nobody is not opening /dir/file.txt (he can't because he hasn't
access to it via /dir) but root is...
Therefore the write to the fd is failing, because you're passing a
read-only file descriptor.
Try to replay your scenario in separate shells, without the use of
sudo and redirection.
/a/b, and therefore full access to all the files there which are not
otherwise protected against that user's access. user1 can copy them,
mail them to friends, make hard links to them, etc.... Anything
desired, until that shell is closed. This case won't work if you
close off /a/b, because you need to be able to modify the directory in
order to write to the file (I'm getting to that)...
I don't think what Pavel described is a very serious hole, but it *IS*
a hole, because:
1. It circumvents the fact that to write to a file, you MUST be able
Hello Michal!
First I note, that when I'll find time, I'll answer at your previous comment
about redirection to javascript: URIs in different browsers.
Second I note, that, please, write about something new, not about that I
already mentioned in my advisory ;-).
> "Refresh" or "Location" redirection in Firefox will not bestow a
...
> updates - do inherit that context.
As Martin Rex already explained yesterday, /proc is all virtual.
The item referred to as an fd in /proc is not a real file descriptor, and
because of that, that 'not-for-real file descriptor' is also not re-opened
and so does not become read-write.
The entire discussion about the file descriptor behavior the past days,
including your statement below is all based on false assumptions...
I'll show you a snip out of my strace of the original scenario, being performed by
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Libpurple msn_slplink_process_msg() Arbitrary Write Vulnerability
1. *Advisory Information*
[Andreas Schmidt]
fix RANDOM_UID setting in jcop_mifare_access.cap/jcopmifare.py (you will
need a secret key from NXP)
add jcoptool.py - JCOP toolkit (work in progress)
mrpkey.py changes:
fix binary mode when reading files under Windows (for WRITE to card)
fix computation of composite checksum digit
support reading non-BAC passports
specify a dummy MRZ or simply the keyword 'PLAIN' for Plain Access if
there is no Basic Access Control
support writing non-BAC passports (only for vonJeek cards)
Also not affected are the following configurations: a) maildir-style
delivery with the Postfix built-in local or virtual delivery agents;
b) mail delivery with non-Postfix local or virtual delivery agents;
c) mailbox-style delivery with the Postfix built-in virtual delivery
agent when virtual mailbox parent directories have no "group" or
other write permissions.
The following configurations are known to be affected on Linux
kernel >= 2.0, Solaris >= 2.0, OpenSolaris 11-2008.5, IRIX 6.5, and
other systems where users can create hardlinks to symlinks: a)
mailbox-style delivery with the Postfix built-in local delivery
to root-owned symlinks in an insecure manner under certain conditions.
Normally, Postfix does not deliver mail to symlinks, except to
root-owned symlinks, for compatibility with the systems using symlinks
in /dev like Solaris. Furthermore, some systems like Linux allow to
hardlink a symlink, while the POSIX.1-2001 standard requires that the
symlink is followed. Depending on the write permissions and the
delivery agent being used, this can lead to an arbitrary local file
overwriting vulnerability (CVE-2008-2936). Furthermore, the Postfix
delivery agent does not properly verify the ownership of a mailbox
before delivering mail (CVE-2008-2937).
# / Changing dareseller's password
# / Trying to connect as dareseller:thatpwnz
# + Login successful
# + The reseller has 2 users
# + Host domaintest.fr is connected
# / Trying to write PHP code
# + PHP code successfully written
# / We'll have to bypass open_basedir cause safe_mode=On
# - User doesn't have SQL rights
# / Host domaintest.fr isn't a valid user
# + Host xpliamaclient.com is connected
information on the screen of the target.
The vulnerabilities discovered allow a remote attacker to upload a file
to an arbitrary location on the victim's machine and forge peer
information on the log lines of the victim's application. For example,
an attacker could write an executable in a startup directory of the
victim's machine and wait for the user to restart his/her machine.
Another example is to write a fake system DLL in an existing program
directory, inducing Windows to load this module instead of the real DLL
from 'C:\WINDOWS\system32\'
Impact:
///////
Remote code execution
Remote system registry read/write access
Remote shell command execution
Apache has directory restrictions.
....But, well, mysql?
What restrictions have you placed upon it, per user, and filesystem?
Apparently, it's allowed to write to /test/, *and* the user perms
used to talk to mysql seem horribly broad, since it can get user
perms. So, since any Apache/PHP/mysql user on a shared host (or
whatever) in the above scenario can write to whatever they want from
mysql to /test/, it's fair game.