Example:
Command          File written
------------------------------
:write %         Current file name
:write \%        %
:write \\%       \%
So, now we have to write a piece of code that knows which class the characters
belong to, and quote them accordingly, right? Not really.
|| User1 creates file with permissions 0644
|| User2 opens file for read access on file descriptor 4
|| User1 chmod's directory to 0700
|| User1 chmod's file to 0666
|| User1 verifies no hard links to file
|| User2 can not open the file for read or write access
|| User2 can not write to file descriptor 4
|| User2 _can_ write to /proc/$$/fd/4
||
|| Now user2 is expected to be able to have read-access to the file via
|| (he opened it in step 2). If he attempts to write with ">&4" then it
After the vendor was contacted and informed about the vulnerabilities, a new
version was released, with all vulnerabilities supposedly fixed.
The vulnerability explained above was fixed by adding
ProbeForRead()/ProbeForWrite() calls in order to catch malformed
requests.
However, every affected driver uses METHOD_BUFFERED for all IOCTL
calls. The buffer passed from user mode is first copied to kernel mode,
and will therefore always have a kernel mode address (when accessed by the
above function). Calling ProbeForRead()/ProbeForWrite() on kernel mode
# / Changing dareseller's password
# / Trying to connect as dareseller:thatpwnz
# + Login successful
# + The reseller has 2 users
# + Host domaintest.fr is connected
# / Trying to write PHP code
# + PHP code successfully written
# / We'll have to bypass open_basedir cause safe_mode=On
# - User doesn't have SQL rights
# / Host domaintest.fr isn't a valid user
# + Host xpliamaclient.com is connected
---------------------------------------------------------------------------
- -
* Opera : SELECT SIZE Arbitrary null write *
- -
---------------------------------------------------------------------------
--[ Vulnerability Summary:
That's a good question, and here is my answer from the draft version of
an upcoming paper I'm working on:
"
Gaining SNMP write access to a device is already a compromise on its own
and usually considered a potential high risk security issue. Therefore,
one could argue that there is no point in launching an SNMP injection
attack when we can already change system settings via the SNMP write
community string. You might be wondering: why bother injecting an
HTML/JavaScript payload on the web console through SNMP when I can
Pavel considered that in his original mail, where he checked there were
no links.
Pavel wrote his email in a convoluted way, so it's not clear what's going
on. Here's an attempt to rewrite:
User1 creates file with permissions 0644
User2 opens file for read access on file descriptor 4
User1 chmod's directory to 0700
User1 chmod's file to 0666
high profile websites like: banking websites, political party websites,
gaming websites, blogs and even security company websites.
During our research into unserialize() vulnerabilities it was discovered
that Piwik unserializes data from the user-supplied cookie. By
unserializing some of Piwik's objects it is possible to write
arbitrary files to writable locations on the webserver, which
can be used to upload e.g. PHP files to writable directories
within the webserver's document root that usually exist in a
standard Piwik installation. In newer versions of Piwik it is
also possible to execute arbitrary PHP code directly.
"mapserv->map->name", is taken from the NAME attribute inside the same
map file. The third variable, "mapserv->Id", is read from user input
at line 406, though it is restricted to IDSIZE (128) bytes. Thus, a
buffer overflow can be achieved by creating a map file on the server
with overly long IMAGEPATH and/or NAME attributes; their values will be
stored past the end of "buffer" and will overwrite saved register
values. If the following specially-crafted map file ("bof.map") is
stored on the server (either by creating it directly, or tricking a
legitimate user into placing it onto the file system):
MAP
...
> ># Linux correctly prevents guest from writing to that file
> >guest@toy:/tmp/my_priv$ cat unwritable_file
> >cat: unwritable_file: Permission denied
> >guest@toy:/tmp/my_priv$ echo got you>&3
> >bash: echo: write error: Bad file descriptor
> >
> ># ...until we take a way around it with /proc filesystem. Oops.
> >guest@toy:/tmp/my_priv$ echo got you> /proc/self/fd/3
> >
> That can hardly be called a real security hole, since the behaviour
/a/b, and therefore full access to all the files there which are not
otherwise protected against that user's access. user1 can copy them,
mail them to friends, make hard links to them, etc.... Anything
desired, until that shell is closed. This case won't work if you
close off /a/b, because you need to be able to modify the directory in
order to write to the file (I'm getting to that)...
I don't think what Pavel described is a very serious hole, but it *IS*
a hole, because:
1. It circumvents the fact that to write to a file, you MUST be able
That said, there is no other answer than: No, we are not prepared and we will
surrender if such a bad thing happens again. Why am I saying that? You will
figure it out.
Just for the record: I will not write that much, also because it is very,
very simple, and I do believe someone else will write good material for
academic audiences.
If you still believe in Santa Claus, please, stop reading right now, because
this paper will show that bad things can get worse, and worse, and worse, if
> It's because earlier I already disclosed details (at my site and to
> security
> lists) of vulnerabilities in CaptchaSecurityImages (a captcha script
> which
> is used in this CMS, as in many other CMS and web applications). So there
> were no reasons to not write details about these holes in advisory at my
> site, because all information is already public. So for all of these
> vulnerable webapps I used responsible full disclosure approach.
>
>> I don't even know what Dunia soccer is but how about you give vendors a
>> chance to make good?
to root-owned symlinks in an insecure manner under certain conditions.
Normally, Postfix does not deliver mail to symlinks, except to
root-owned symlinks, for compatibility with systems that use symlinks
in /dev, like Solaris. Furthermore, some systems like Linux allow
hardlinking a symlink, while the POSIX.1-2001 standard requires that the
symlink is followed. Depending on the write permissions and the
delivery agent being used, this can lead to an arbitrary local file
overwrite vulnerability (CVE-2008-2936). Furthermore, the Postfix
delivery agent does not properly verify the ownership of a mailbox
before delivering mail (CVE-2008-2937).
name of the file will simply be "foo.php.".
A similar result can be obtained on GNU/Linux by requesting an upload
with the filename "foo.php/."
Note that the integrated webmail feature that allows a user to write
emails and eventually save a draft of them is authenticated (a valid
user on the system is required in order to exploit this vulnerability).
B) Multiple CSRF (Cross Site Request Forgery) Vulnerabilities
> >>That can hardly be called a real security hole, since the behaviour
> >>described above is expected, and is as it was conceived by design.
> >>If the file owner in fact allows writing to it, why should Linux
> >>prevent that from happening?
> >
> >No, I do not think this is expected. You could not write to that file
> >under traditional unix, and you can not write into that file when
> >/proc is unmounted.
> >
> >I do not think mounting /proc should change access control semantics.
> >
>>>>
>>>> But guest has permissions to ptrace() his own processes. If we
>>>> remember your original report, he abuses input redirection of bash
>>>> run by himself. So again, there's no real security hole here.
>>>
>>> guest abuses ptrace permissions on his own processes to write to
>>> pavel's files... no, that obviously is not security hole :-).
>>>
>> guest abuses ptrace permissions on his own processes to write to ANY
>> file open by his processes, whose permissions explicitly allow
>> writing to it. Doesn't it trouble you, that guest's processes still
apr_pool_t *pool;
};
+/* This is at least as big as the largest size of an integer that
+ encode_int can generate; it is sufficient for creating buffers for
+ it to write into. This assumes that integers are at most 64 bits,
+ and so 10 bytes (with 7 bits of information each) are sufficient to
+ represent them. */
+#define MAX_ENCODED_INT_LEN 10
+/* This is at least as big as the largest size for a single instruction. */
+#define MAX_INSTRUCTION_LEN (2*MAX_ENCODED_INT_LEN+1)
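Review bot: the comment on MAX_INSTRUCTION_LEN should state the instruction layout the formula (2*MAX_ENCODED_INT_LEN+1) assumes, i.e. one leading byte plus two encoded integers, so that a later change to the instruction format is caught when this constant is revisited; the MAX_ENCODED_INT_LEN comment is fine as written, since 10 bytes carrying 7 bits each give 70 bits, which covers the stated 64-bit maximum.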
(http://websecurity.com.ua/articles/security_researches_and_legislation/eng/).
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
Thanks to the discussion with kuza55, evilaliv3 and Wisec, 3 main uses
of this attack vector were identified:
- Blacklist bypass on write functions (file editors, file writing, etc)
- Blacklist bypass on read functions (source disclosure, etc)
- Regular expressions and IDS/IPS signature evasion
The wrong assumption was that this behaviour was filesystem dependent;
as said, it turned out to be dependent on which PHP version (patched VS
information on the screen of the target.
The vulnerabilities discovered allow a remote attacker to upload a file
to an arbitrary location on the victim's machine and forge peer
information on the log lines of the victim's application. For example,
an attacker could write an executable in a startup directory of the
victim's machine and wait for the user to restart his/her machine.
Another example is to write a fake system DLL in an existing program
directory, inducing Windows to load this module instead of the real DLL
from 'C:\WINDOWS\system32\'
MacOS X Server 10.5 [1], also known as Leopard Server, features a Wiki
Server [2], which is a multiuser web application written in Python. The
Wiki Server is vulnerable to a path traversal attack, which can be
exploited by non-privileged system users via a forged file upload to
write arbitrary files at locations in the server filesystem, restricted
only by the privileges of the Wiki Server application.
*Vulnerable Packages*
At 'mov_demux.c' (line 1768) an array of 'chunkmap' structures is filled
by reading data straight from file without any kind of check. Then, at
'mov_build_index()' (line 150), the 'trak->chunkmap[i].first' field is
used to index the heap array 'chunks' allowing an attacker to write the
'sdid' and 'spc' values at some memory address relative to that heap
pointer causing a memory corruption. This could be used to overwrite
function pointers or some critical data allowing an attacker to get code
execution.
The VideoLAN project has issued a security advisory describing this
vulnerability [2], partially quoted below.
VLC media player's MPEG-4 file format parser (a.k.a. the MP4 demuxer)
suffers from an arbitrary memory overwrite vulnerability when using
specially crafted (invalid) MP4 input files. If successful, a malicious
third party could trigger execution of arbitrary code within the context
of the VLC media player, or otherwise crash the player instance.
Exploitation of the MP4 demuxer problem requires the user to explicitly
7. *Credits*
This vulnerability was discovered and researched by Nicolas Economou
from Core Security Exploit Writers Team. The publication of this
advisory was coordinated by Fernando Miranda from Core Security
Advisories Team.
8. *Technical Description / Proof of Concept Code*
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Libpurple msn_slplink_process_msg() Arbitrary Write Vulnerability
1. *Advisory Information*
2. *Vulnerability Information*
Class: Failure to Constrain Operations within the Bounds of a Memory
Buffer [CWE-119], Out-of-bounds Write [CWE-787]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: 37708
CVE Name: CVE-2010-0280