non-interactive way, respectively, and tell you whether the exploit has worked.
3.4.2.6. gzip.vim
``The plugin installs autocommands to intercept reading and writing of files
with these extensions: [...] *.Z [...] *.gz [...] *.bz2''
-- Vim Reference Manual (pi_gzip.txt)
3.4.2.6.1. Vulnerability
addresses raises an exception which is appropriately handled, and the
ZwQueryObject() call is never performed.
Because of the added "fixes", even legitimate requests cannot be
fulfilled, so these drivers are very likely not used at all.
--- 2. Issue: Local DoS by overwriting array of registered processes ---
SABKUTIL.sys/SASKUTIL.sys have a unique mechanism of
connecting/registering with an application (i.e. user mode). Every
application that intends to use these drivers must first register
with the driver. Registration involves a modified variant of the MD5 hash
On Saturday 15 September 2007 13:55:24 Peter Gutmann wrote:
> (The original article was cross-posted to a lot of lists, maybe the
> discussion could be moved to vuln-dev only, unless everyone wants to see
> all of this stuff).
I shall respond in turn to the interesting points from all responses.
Peter wrote:
> I first saw
> this issue covered at the AVAR conference last year (before Vista had even
saved to the disk. So on every particular site it's necessary to use any
working page. And for a hidden attack via iframe (on any web site) it's
possible to use any stably working site (such as google.com).
Second, this variant of the attack works (and so I'm using this example for
all affected browsers) in the first hole in IE (as I wrote in 2007), in Google
Chrome (as I wrote in 2008), in Opera (as I wrote in 2008), in the second hole
in IE (as I wrote recently), and in the hole in Ad Muncher (which allows
conducting this attack via any browser at all), which I found in 2006 and which
I wrote about in my article Local XSS (I mentioned a link to the English version
of it in my advisory).
>
> guest abuses ptrace permissions on his own processes to write to
> pavel's files... no, that obviously is not security hole :-).
>
guest abuses ptrace permissions on his own processes to write to ANY file open
by his processes whose permissions explicitly allow writing to it. Doesn't it
trouble you that guest's processes still retain open file descriptors, and hence
access to files that you believe should no longer be accessible to those
processes due to permissions you set?
--
> SVNs.
>
>> The vulnerability ...or rather the bug is in the captcha code, this is
>> just a site using it, right?
>
> I'm not writing about bugs, only about vulnerabilities :-). And I regularly
> find holes at single sites (which often use some engines). But in my
> advisories I'm talking only about webapps. As I said above, there are many
> web applications which are using this captcha, and I wrote to security
9000000000 bytes (9.0 GB) copied, 147496 seconds, 61.0 kB/s
And I analyzed this larger sample briefly:
$ time ~/john/john-1.7.9-jumbo-5/run/unique -v -mem=25 1gu < 1g
Total lines read 1000000000 Unique lines written 697066573
real 144m40.619s
user 142m8.727s
sys 0m39.645s
Thus, effectively stalling the ability to use TcpWindowScaling is
stopped by SynAttackProtect too, so an attacking system/app sending a
setsockopt of 0 for this SHOULD also be nullified, on a server also...
(However/Again - Workstations are easily taken care of, vs. servers,
just by what I wrote up above, i.e. by PORT FILTERING)
IP Security Policies, which can work on ranges of addresses to block,
OR, single systems as well you either ALLOW or DENY to talk to your
system, still can help also... vs. a DDOS though? SynAttackProtect is
your best friend here... you'd use netstat -b -n tcp to see which are
It's not a racial slight, it's spellchecker not working and I didn't
realize I spelled it wrong. My deepest apologies if anyone reads that
wrong.
Hisashi T Fujinaka wrote:
> On Thu, 17 Sep 2009, Susan Bradley wrote:
>
>> <jaded mode off>
>>
>> I know too many of the gook geeks behind Microsoft and I do trust
IE, Opera and Chrome. Here are the results of my tests, which will be an
additional stroke to your picture of vulnerable browsers and systems.
Mozilla 1.7.x is not vulnerable. And this is a reason why I like Mozilla
1.7.x, because it doesn't have many of the holes which Mozilla added to new
versions of their Firefox ;-). You wrote that Firefox allocates 2 GB of
memory and then crashes. My Mozilla only allocates about 900 MB of memory
and then stops this process (and stops using the CPU). So it was just a small
lag, without particular strain, so it's not vulnerable.
Firefox 3.0.11 is not vulnerable (because it was fixed in Firefox 3.0.5).
II. Overview
During an audit of the MapServer v5.2.1 source code, five (5)
vulnerabilities were identified ranging from low to medium/high
severity. They include stack and heap overflows, a relative path
writing weakness, a file content leakage, as well as a file existence
leakage. Furthermore, after reporting these issues to the vendor, a
second audit by the project maintainer not only determined that v4.10.3
was also affected, but that four (4) additional stack overflows existed
in the code as well.
____________________________________________________
From: CAS CAS [mailto:cas-security@live.com]
Sent: donderdag 12 november 2009 21:42
To: Peter Van Eeckhoutte; bugtraq@securityfocus.com
Subject: RE: Exploit writing tutorials
Hey, why are you publishing tutorials on port 8800?
Be careful everybody
(concerned with CaptchaSecurityImages) in their source codes in online SVNs.
> The vulnerability ...or rather the bug is in the captcha code, this is
> just a site using it, right?
I'm not writing about bugs, only about vulnerabilities :-). And I regularly
find holes at single sites (which often use some engines). But in my
advisories I'm talking only about webapps. As I said above, there are many
web applications which are using this captcha, and I wrote to security
mailing lists about some of them and I'll write about others soon.
In my letter to Bugtraq (http://www.securityfocus.com/archive/1/511023),
which was mentioned in my advisory (you can read that letter, if you haven't
read it yet), I wrote about the importance of making separate advisories for
vulnerabilities in software which uses CaptchaSecurityImages.php. And
reading it is very much recommended before writing to me about issues
related to CaptchaSecurityImages.
> Still the same "bugs"?!
Yes, still the same. The same holes in different web applications. As it clearly
> >> (2)--> 690 eval "`cd ${PYTHON_CONFDIR} && make -f
> >> ${tmp_mkf} __ | sed '/ directory /d'`"
> >> 691 rm -f ${tmp_mkf}
> >>
> >> The attacker has to create the temporary file
> >> ``/tmp/Makefile-conf<PID>'' before it is first written to at (1).
> >> In the time between (1) and (2), arbitrary commands can be written
> >> to the file. They will be executed at (2).
> >
> > The commands do not have to be written there between (1) and (2),
> > they can be in the file long before the ./configure was started --
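The race described in the quoted configure fragment, shown beside the fix, as an added example (this is not the script under discussion or any project's code; the Makefile contents, the paths and the helper names are assumptions). The vulnerable function reproduces the predictable `/tmp/Makefile-conf<PID>` name; the safe one lets mktemp(1) create the file exclusively so a pre-planted entry causes failure instead of silent reuse.

```sh
#!/bin/sh
# Added example, not from the thread: predictable temp name beside a safe
# replacement. Paths, Makefile contents and function names are assumptions.

# Vulnerable pattern: the name is derived from the PID, so an attacker can plant
# a file or symlink there first; the redirection then follows it silently.
unsafe_tmp_makefile() {
    tmp_mkf="/tmp/Makefile-conf$$"
    printf 'all:\n\t@echo built\n' >"${tmp_mkf}" || return 1
    printf '%s\n' "${tmp_mkf}"
}

# Safe pattern: mktemp(1) creates the file itself with O_CREAT|O_EXCL, an
# unpredictable suffix and mode 0600, so a pre-planted entry makes it fail
# instead of being reused. The extra checks reject a symlink or non-file.
safe_tmp_makefile() {
    tmp_mkf=$(mktemp "${TMPDIR:-/tmp}/Makefile-conf.XXXXXX") || return 1
    if [ -L "${tmp_mkf}" ] || [ ! -f "${tmp_mkf}" ]; then
        rm -f "${tmp_mkf}"; return 1
    fi
    printf 'all:\n\t@echo built\n' >"${tmp_mkf}" || { rm -f "${tmp_mkf}"; return 1; }
    printf '%s\n' "${tmp_mkf}"
}

# Simulate the attacker: plant a symlink at the predictable name, then run the
# vulnerable step. Prints "hijacked" when the victim wrote through the symlink,
# "clean" otherwise.
demo_race() {
    target=$(mktemp "${TMPDIR:-/tmp}/attacker.XXXXXX") || return 1
    planted="/tmp/Makefile-conf$$"
    ln -s "$target" "$planted" || { rm -f "$target"; return 1; }
    unsafe_tmp_makefile >/dev/null
    if grep -q 'all:' "$target"; then result=hijacked; else result=clean; fi
    rm -f "$planted" "$target"
    printf '%s\n' "$result"
}
```

The symlink is followed because the victim and the attacker are simulated as the same user; on a real multi-user /tmp the sticky bit and fs.protected_symlinks only stop symlinks owned by a different user, which is exactly the case a real attacker creates on kernels without that protection, and the mktemp version is safe either way.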
Hello John!
Now I'll answer your letter. Because you've written many letters and every
one of them has questions which need to be answered, I'll answer all the
questions in a few letters. It's good that Vladimir helped me (thanks to him)
with clarifying these vulnerabilities for readers of the list, but I need
to give additional explanations. Also I'll point out some important things
for all readers of the list.
First of all, readers of both Bugtraq and Full-disclosure must understand
Hello Susan!
As I already wrote to you and Adam earlier, every type of disclosure (including
full disclosure and responsible full disclosure) can be good in the appropriate
situation. And I use the type of disclosure which is suitable for every
particular case.
Taking into account that 3 of 4 vendors answered me (all except Microsoft),
Google already had a non-affected Chrome 4, and Mozilla and Opera promised to
fix it (we'll see when and how they do it), you can see that my
Subject: Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome,
Opera and other browsers
> Hello Susan!
>
> As I already wrote you and Adam earlier, every type of disclosure
> (including
> full disclosure and responsible full disclosure) can be good in
> appropriate
> situation. And I use that type of disclosure which is suitable for every
> particular case.
CaptchaSecurityImages, but they paid attention to my letter (and to my
advisory posted to Bugtraq) about holes in CB Captcha.
Which shows the importance of making separate advisories for vulnerabilities in
software which uses CaptchaSecurityImages.php (some use its original
code, and others, like CB Captcha, use rewritten code of the original
script, so it's not always completely the same code). It can be due to that
fact that the developers and admins who are using different engines could
forget or even not know that in their webapp there is such a web
application as CaptchaSecurityImages.php. But when they see an advisory about
the specific webapp which they are using, they will pay attention to it.
Hello Bugtraq!
I want to warn you about a vulnerability in phpAdsNew, OpenAds and OpenX.
Earlier I already wrote to the list about XSS and HTML Injection
vulnerabilities in tagcloud.swf in multiple plugins for many engines such as
WordPress, Joomla and DLE. About this issue I wrote in detail in my article
XSS vulnerabilities in 34 million flash files
(http://www.webappsec.org/lists/websecurity/archive/2010-01/msg00035.html).
And before this article, I did another piece of research and wrote another article
Dan Kaminsky wrote:
>
>
> Eric Rescorla wrote:
>> At Fri, 8 Aug 2008 17:31:15 +0100,
>> Dave Korn wrote:
>>
>>> Eric Rescorla wrote on 08 August 2008 16:06:
>>>
>>>
Analysis of the vulnerability
The above proof-of-concept file creates new events in the iCal
application. When a user double-clicks on one of these events, the program
crashes while writing to the memory pointed to by EDI, which is 0. Only the
value of EAX is under control; it must be less than 0x7fffffff and is
extracted from the following line of the PoC '.ics' file.
/-----------
User2 cannot open the file for read or write access
User2 cannot write to file descriptor 4
User2 _can_ write to /proc/$$/fd/4
Excluding the /proc route, at no point during this sequence could User2
have opened the file for writing. Therefore, User1 expects (justifiably,
imo) that User2 cannot write to the file. The writability of /proc/$$/fd/4
violates this expectation.
It is obscure, because it requires User1 to go through an unusual sequence
of steps, but it is not inconceivable.
None of those sites load for me, I'm guessing you took the box offline
for an OS reload. Most people who performed an OS reload had the same
exploit hit them again after a very short time. The only way to stop the
exploit (not the root compromise) is to boot into a clean kernel with
the grsec patch which is set to deny writing to /dev/mem (according to
Scott) - but if your box is already compromised, you will also need to
replace the system binaries that were replaced by the rootkit with
clean ones.
Maybe I've said too much ... all of this info is on those 2 links in my
Lots of security holes can fall into that category! The code matches
its design, and works as expected... it's just that the author had no
idea what he was getting himself into. =8^)
> If the file owner in fact allows writing to it, why should Linux
> prevent that from happening?
Because securing a file by securing directories that lead to it is a
valid and important (and expected) feature of file access semantics.
> How exaggerated ;)
Yeah, you're right, it took a little bit more: 30 minutes. 8-D
> Nope, we didn't. But people stopped writing worms, because writing bots
> is much more rewarding, economically.
101% true. And that's even worse than worms. Because they are
stealthy... The bots' owners don't want anyone watching. Right?
>>> guest abuses ptrace permissions on his own processes to write to
>>> pavel's files... no, that obviously is not security hole :-).
>>>
>> guest abuses ptrace permissions on his own processes to write to ANY
>> file open by his processes, whose permissions explicitly allow
>> writing to it. Doesn't it trouble you, that guest's processes still
>
> I repeat: Show me how to gain write access without using /proc, and
> I'll agree with you.
>
By using hardlinks, as you were already told by two different persons.
> User2 can not open the file for read or write access
> User2 can not write to file descriptor 4
> User2 _can_ write to /proc/$$/fd/4
>
> Excluding the /proc route, at no point during this sequence, User2 could
> have opened the file for writing. Therefore, User1 expects (justified,
> imo) that User2 cannot write to the file. The writability of /proc/$$/fd/4
> violates this expectation.
>
Again, you're not right. See above.
--
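The /proc/$$/fd/4 sequence listed earlier in the thread and quoted again just above, reproduced as a single unprivileged user on Linux, as an added example that is not part of any post here (a directory with search permission removed stands in for User1's restriction; the directory and file names and the function name are assumptions). The open file descriptor keeps working, the path stops working, and the /proc link re-opens the inode regardless of the path.

```sh
#!/bin/sh
# Added example, not from the thread: reproduce the /proc/$$/fd/4 route as one
# unprivileged user on Linux. Directory, file and function names are assumptions.

# Exit status: 0 when a write via /proc/$$/fd/4 succeeds although the path is no
# longer traversable, 1 when it is refused, 2 when the demo cannot be set up
# (running as root, which ignores mode bits, or /proc not mounted).
proc_fd_write_bypasses_dir_perms() {
    [ "$(id -u)" -ne 0 ] || return 2
    [ -d "/proc/$$/fd" ] || return 2
    dir=$(mktemp -d "${TMPDIR:-/tmp}/procfd.XXXXXX") || return 2
    file="$dir/secret"

    # "User1": open the file for writing on fd 4, then lock the directory so
    # the file can no longer be reached by name.
    exec 4>"$file"
    chmod 000 "$dir"

    # Path route: opening by name must now fail (no search permission on $dir).
    if ( : >"$file" ) 2>/dev/null; then
        chmod 700 "$dir"; exec 4>&-; rm -rf "$dir"; return 2
    fi

    # Descriptor route: the already-open fd is unaffected by the chmod.
    echo "written via fd 4" >&4

    # /proc route: the magic link resolves to the open file's inode, so only
    # the inode's mode bits are checked, never the directory path.
    if ( echo "written via /proc" >"/proc/$$/fd/4" ) 2>/dev/null; then
        verdict=0
    else
        verdict=1
    fi

    chmod 700 "$dir"; exec 4>&-; rm -rf "$dir"
    return $verdict
}
```

The demo only shows the mechanism within one uid; in the thread's scenario the second user needs the ability to open /proc/<pid>/fd/N of the first user's process, which the kernel grants on the same ptrace-style access check it uses for the rest of /proc/<pid>.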
*Credits*
This vulnerability was discovered and researched by Sebastián Muñiz from
CORE IMPACT's Exploit Writing Team (EWT), Core Security Technologies.
*Technical Description / Proof of Concept Code*