| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: christophe.savin at tdf.fr (Christophe Savin)
Subject: Objet :Full-Disclosure Digest, Vol 1, Issue 2112 (De retour le mardi 28 décembre.)
En mon absence, toute demande concernant les r?seaux doit ?tre envoy?e au mail : ars_reseaux@....fr ou (ars_transpac pour tout incident li? ? ce r?seau)
En cas d'urgence, Vous pouvez contacter :
La Hot-line R?seaux : 01 49 15 32 53
Fran?ois LEVEQUE au 01 49 15 30 56
Pascal PAINPARAY au 01 49 15 31 36.
Bonnes f?tes de fin d'ann?e.
Christophe SAVIN
>>> full-disclosure 12/18/04 21:25 >>>
Send Full-Disclosure mailing list submissions to
full-disclosure@...ts.netsys.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.netsys.com/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
full-disclosure-request@...ts.netsys.com
You can reach the person managing the list at
full-disclosure-owner@...ts.netsys.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."
Today's Topics:
1. Re: Linux kernel IGMP vulnerabilities (Timothy Hall)
2. STG Security Advisory: [SSA-20041215-17] Vulnerability of
uploading files with multiple extensions in JSBoard (SSR Team)
3. Advisory 01/2004: Multiple vulnerabilities in PHP 4/5
(Stefan Esser)
4. STG Security Advisory: [SSA-20041215-18] Vulnerability of
uploading files with multiple extensions in phpBB Attachment Mod
(SSR Team)
5. Re: RE: Cipher Tool (James Tucker)
----------------------------------------------------------------------
Message: 1
Date: Wed, 15 Dec 2004 16:02:10 -0500
From: "Timothy Hall" <admin@...E2WIN.NET>
Subject: [Full-Disclosure] Re: Linux kernel IGMP vulnerabilities
To: <stephen.butler@...il.com>, <ihaquer@...c.pl>
Cc: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org,
security@...c.pl, full-disclosure@...ts.netsys.com
Message-ID: <s1c06017.003@...ACCESS.TELE2WIN.NET>
Content-Type: text/plain; charset=ISO-8859-1
Greetings Paul and Stephen and List...
Paul thanks for clearing that up. SuSE 9.0 Pro (at least the way two
boxes I take care of are set up) have
/proc/net/igmp
/proc/net/mcfilter
but 'mcfilter' is empty.
No local users other than myself... At least that I can tell... :)
T?M?TH? H???
>>> Paul Starzetz <ihaquer@...c.pl> 12/15/04 07:34AM >>>
On Tue, 14 Dec 2004, stephen joseph butler wrote:
> > /proc/net/igmp
> > /proc/net/mcfilter
> >
> > if both exist and are non-empty you are vulnerable!
>
> Just to be clear: if "mcfilter" is empty, then you aren't
vulnerable?
> I have both files, and "igmp" contains data, but "mcfilter" is
empty.
You are not vulnerable to the remote attack described under (3),
however
your kernel may be still buggy. Note that you need a running process
that
has manipulated its multicast socket filters. If your kernel is buggy
and
you have local users such an application can always appear, at a time
you
don't expect it.
--
Paul Starzetz
iSEC Security Research
http://isec.pl/
------------------------------
Message: 2
Date: Thu, 16 Dec 2004 10:17:41 +0900
From: "SSR Team" <advisory@...security.com>
Subject: [Full-Disclosure] STG Security Advisory: [SSA-20041215-17]
Vulnerability of uploading files with multiple extensions in JSBoard
To: <vuln@...unia.com>, <news@...uriteam.com>,
<bugs@...uritytracker.com>, <full-disclosure@...ts.netsys.com>,
<staff@...ketstormsecurity.com>
Message-ID: <GKEOJIPDJOHGOEEOIINIAEPOCAAA.advisory@...security.com>
Content-Type: text/plain; charset="ks_c_5601-1987"
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
STG Security Advisory: [SSA-20041215-17] Vulnerability of uploading files
with multiple extensions in JSBoard
Revision 1.0
Date Published: 2004-12-15 (KST)
Last Update: 2004-12-15
Disclosed by SSR Team (advisory@...security.com)
Summary
========
JSBoard is one of widely used web BBS applications in Korea. However, an
input validation flaw can cause malicious attackers to run arbitrary
commands with the privilege of the HTTPD process, which is typically run as
the nobody user.
Vulnerability Class
===================
Implementation Error: Input validation flaw
Impact
======
High : arbitrary command execution.
Affected Products
================
JSBoard 2.0.8 and prior.
JSBoard 1.3.11 and prior.
Vendor Status: FIXED
====================
2004-12-08 Vulnerability found.
2004-12-08 JSBoard developer notified.
2004-12-09 Update version released.
2004-12-15 Official release.
Details
=======
JSBoard doesn't implemented in "include/parse.php" to check multiple
extensions of uploaded files, e.g. attack.php.hwp, so malicious attackers
can upload arbitrary script files (php, pl, cgi, etc) to a web server. This
is originated from a feature of Apache MIME module (mod_mime), which regards
attack.php.hwp as a normal PHP file and execute the file through mod_php
module with the privilege of the HTTPD process.
cf. http://httpd.apache.org/docs/mod/mod_mime.html - "Files with Multiple
Extensions" : it's a feature, not a bug.
Solution
=========
JSBoard 2.x branch : Update to 2.0.9
http://kldp.net/frs/download.php/1670/jsboard-2.0.9.tar.gz
JSBoard 1.x branch : Update to 1.3.13
http://kldp.net/frs/download.php/1668/jsboard-1.3.13.tar.gz
Vendor URL
==========
http://kldp.net/projects/jsboard/
Credits
======
Jeremy Bae at STG Security
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBQcDiAD9dVHd/hpsuEQKY8gCg2vJZ2akGDGEA//Hwi3rOheZaVwkAn31V
tYi5XHLsUOHHdENvCrsUZyPi
=3VGj
-----END PGP SIGNATURE-----
------------------------------
Message: 3
Date: Wed, 15 Dec 2004 19:46:20 +0100
From: Stefan Esser <sesser@....net>
Subject: [Full-Disclosure] Advisory 01/2004: Multiple vulnerabilities
in PHP 4/5
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Message-ID: <20041215184620.GA20448@...atters.de>
Content-Type: text/plain; charset=us-ascii
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hardened-PHP Project
www.hardened-php.net
-= Security Advisory =-
Advisory: Multiple vulnerabilities within PHP 4/5
Release Date: 2004/12/15
Last Modified: 2004/12/15
Author: Stefan Esser [sesser@....net]
Application: PHP4 <= 4.3.9
PHP5 <= 5.0.2
Severity: Several vulnerabilities within PHP allow
local and remote execution of arbitrary code
Risk: Critical
Vendor Status: Vendor has released bugfixed versions.
References: http://www.hardened-php.net/advisories/012004.txt
Overview:
PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
During the development of Hardened-PHP which adds security hardening
features to the PHP codebase, several vulnerabilities within PHP
were discovered that reach from bufferoverflows, over information
leak vulnerabilities and path truncation vulnerabilities to
safe_mode restriction bypass vulnerabilities.
Details:
[01 - pack() - integer overflow leading to heap bufferoverflow ]
Insufficient validation of the parameters passed to pack() can
lead to a heap overflow which can be used to execute arbitrary
code from within a PHP script. This enables an attacker to
bypass safe_mode restrictions and execute arbitrary code with
the permissions of the webserver. Due to the nature of this
function it is unlikely that a script accidently exposes it to
remote attackers.
[02 - unpack() - integer overflow leading to heap info leak ]
Insufficient validation of the parameters passed to unpack() can
lead to a heap information leak which can be used to retrieve
secret data from the apache process. Additionally a skilled
local attacker could use this vulnerability in combination with
01 to bypass heap canary protection systems. Similiar to 01 this
function is usually not used on user supplied data within
webapplications.
[03 - safe_mode_exec_dir bypass in multithreaded PHP ]
When safe_mode is activated within PHP, it is only allowed to
execute commands within the configured safe_mode_exec_dir.
Unfourtunately PHP does prepend a "cd [currentdir] ;" to any
executed command when a PHP is running on a multithreaded unix
webserver (f.e. some installations of Apache2). Because the name
of the current directory is prepended directly a local attacker
may bypass safe_mode_exec_dir restrictions by injecting shell-
commands into the current directory name.
[04 - safe_mode bypass through path truncation ]
The safe_mode checks silently truncated the file path at MAXPATHLEN
bytes before passing it to realpath(). In combination with certain
malfunctional implementations of realpath() f.e. within glibc this
allows crafting a filepath that pass the safe_mode check although
it points to a file that should fail the safe_mode check.
[05 - path truncation in realpath() ]
PHP uses realpath() within several places to get the real path
of files. Unfourtunately some implementations of realpath() silently
truncate overlong filenames (f.e. OpenBSD, and older NetBSD/FreeBSD)
This can lead to arbitrary file include vulnerabilities if something
like "include "modules/$userinput/config.inc.php"; is used on such
systems.
[06 - unserialize() - wrong handling of negative references ]
The variable unserializer could be fooled with negative references
to add false zvalues to hashtables. When those hashtables get
destroyed this can lead to efree()s of arbitrary memory addresses
which can result in arbitrary code execution. (Unless Hardened-PHP's
memory manager canaries are activated)
[07 - unserialize() - wrong handling of references to freed data ]
Additionally to bug 07 the previous version of the variable
unserializer allowed setting references to already freed entries in
the variable hash. A skilled attacker can exploit this to create
an universal string that will pass execution to an arbitrary
memory address when it is passed to unserialize(). For AMD64 systems
a string was developed that directly passes execution to code
contained in the string itself.
It is necessary to understand that these strings can exploit a
bunch of popular PHP applications remotely because they pass f.e.
cookie content to unserialize().
Examples of vulnerable scripts:
- phpBB2
- Invision Board
- vBulletin
- Woltlab Burning Board 2.x
- Serendipity Weblog
- phpAds(New)
- ...
Proof of Concept:
The Hardened-PHP project is not going to release exploits for any
of these vulnerabilities to the public.
CVE Information:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-1018 to issues 01, 02, the name
CAN-2004-1019 to issues 06, 07, the name CAN-2004-1063 to issue 03
and the name CAN-2004-1064 to issues 04, 05.
Recommendation:
It is strongly recommended to upgrade to the new PHP-Releases as
soon as possible, because a lot of PHP applications expose the
easy to exploit unserialize() vulnerability to remote attackers.
Additionally we always recommend to run PHP with the Hardened-PHP
patch applied.
GPG-Key:
http://www.hardened-php.net/hardened-php-signature-key.asc
pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1
Copyright 2004 Stefan Esser. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQFBwDo7RDkUzAqGSqERAgVxAKC0LnTE49y5HFjeXpwXrZmAjuCL8gCgpQUl
rtmmBfJ3iv9Ksb/xtnyflD0=
=lzXX
-----END PGP SIGNATURE-----
------------------------------
Message: 4
Date: Thu, 16 Dec 2004 10:25:21 +0900
From: "SSR Team" <advisory@...security.com>
Subject: [Full-Disclosure] STG Security Advisory: [SSA-20041215-18]
Vulnerability of uploading files with multiple extensions in phpBB
Attachment Mod
To: <vuln@...unia.com>, <news@...uriteam.com>,
<bugs@...uritytracker.com>, <full-disclosure@...ts.netsys.com>,
<staff@...ketstormsecurity.com>
Message-ID: <GKEOJIPDJOHGOEEOIINIOEPOCAAA.advisory@...security.com>
Content-Type: text/plain; charset="Windows-1252"
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
STG Security Advisory: [SSA-20041215-18] Vulnerability of uploading files
with multiple extensions in phpBB Attachment Mod
Revision 1.0
Date Published: 2004-12-15 (KST)
Last Update: 2004-12-15
Disclosed by SSR Team (advisory@...security.com)
Summary
========
phpBB Attachment Mod is file upload module for phpBB. However, an input
validation flaw can cause malicious attackers to run arbitrary commands with
the privilege of the HTTPD process, which is typically run as the nobody
user.
Vulnerability Class
===================
Implementation Error: Input validation flaw
Impact
======
High : arbitrary command execution.
Affected Products
================
Attachment Mod 2.3.10 and prior.
Vendor Status: FIXED
====================
2004-12-08 Vulnerability found.
2004-12-08 Attachment Mod developer notified.
2004-12-13 Update version released.
2004-12-15 Official release.
Details
=======
Apache Mod doesn't implemented to check multiple extensions of uploaded
files, e.g. attack.php.rar, so malicious attackers can upload arbitrary
script files (php, pl, cgi, etc) to a web server. This is originated from a
feature of Apache MIME module (mod_mime), which regards attack.php.rar as a
normal PHP file and execute the file through mod_php module with the
privilege of the HTTPD process.
cf. http://httpd.apache.org/docs/mod/mod_mime.html - "Files with Multiple
Extensions" : it's a feature, not a bug.
Solution
=========
Update to 2.3.11
http://www.opentools.de/board/viewtopic.php?t=3590
Vendor URL
==========
http://www.opentools.de/
Credits
======
Jeremy Bae at STG Security
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBQcDjxD9dVHd/hpsuEQIIBACfYcy/IRJei/mfkfy+KdhQuCjhUbkAnjig
p3OSX1m+9IWd+MoM8lb5IDHS
=DQt1
-----END PGP SIGNATURE-----
------------------------------
Message: 5
Date: Thu, 16 Dec 2004 04:37:34 +0000
From: James Tucker <jftucker@...il.com>
Subject: Re: [Full-Disclosure] RE: Cipher Tool
To: richard capistrano <mikoc02@...oo.com>
Cc: full-disclosure@...ts.netsys.com
Message-ID: <e92364c3041215203723ff0f55@...l.gmail.com>
Content-Type: text/plain; charset=US-ASCII
Have you considered using secured network protocols on dedicated
encryption hardware? or is that beyond the price point?
Any cipher algorithm would be theoretically implementable (providing
the length of data is suitable). If you are looking for _real_
performance though then ciphering may not be what you want as there
isn't any good cipher that is really overly fast fast (deliberate
double).
There are other core pieces of the puzzle to be considered though,
like are you going to be talking in a client less manner (i.e. is the
client pre-configured or has the client never received secure comms
before?) Is there a socket/tunnel already running? What is the rough
length of the data set (impact readability and suitability for
encryption algorithms)? What is the performance restriction (i.e.
where is the bottleneck)? How secure do you need it, anti-fool,
seconds, hours, years or millennial(might actually require more data
storage than money can buy)?
I raised an eyebrow at the last portion of your mail, "Is there a
freeware or software or information, I can check out?". This would
suggest that you are looking to put another program somewhere mid-flow
in a data pipe; thats not always a good option.
If you're really looking for speed and ease of implementation then
something like a simple rotation cipher might work out for you, but
this is going to be so poor a encryption that some cipher pro's could
read it in its encrypted form. This is obviously no good if you're
worried about credit card info, but is OK if it's just your girlfriend
being a nosy ....... .
On Tue, 14 Dec 2004 00:23:41 -0800 (PST), richard capistrano
<mikoc02@...oo.com> wrote:
>
>
>
> Hello,
>
>
>
>
>
> We are looking for a tool that can actually cipher or hash a particular
> portion of a file so that it will not display the particular field of a
> file. This will be applied to the file so that when it travels the network,
> the confidential field in the file is not displayed in clear text. Due to
> performance issues, we can not simply hash the whole file.
>
>
>
> Is there a freeware or software or information, I can check out? Thanks in
> advance.
>
> ________________________________
> Do you Yahoo!?
> Read only the mail you want - Yahoo! Mail SpamGuard.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>
------------------------------
_______________________________________________
Full-Disclosure mailing list
Full-Disclosure@...ts.netsys.com
https://lists.netsys.com/mailman/listinfo/full-disclosure
End of Full-Disclosure Digest, Vol 1, Issue 2112
************************************************
Powered by blists - more mailing lists