Open Source and information security mailing list archives
Date: Tue, 7 Jun 2011 06:19:20 -0400
From: Marshall Whittaker <marshallwhittaker@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: New attack vector for sale, firewall bypass

Hello,
I am willing to sell a new attack vector I have devised.  The proof of
concept code you will receive has the ability to arbitrarily upload files to
a webserver (tested on Apache), running Linux with the well-known Perl read
pipe vulnerability in many web CGI applications.  This issue can also be
leveraged through PHP LFI and RFI attacks, and through almost any other
remote command execution vulnerability.  The code has been tested on BSD,
and does not seem to work standalone, but BSD may be vulnerable as well; I
just don't have a box to test it properly on.  The code can upload an ASCII
or binary file to the webserver, even if the firewall rules prohibit
downloading.  For example, if you have a Linux webserver running Apache and
a vulnerable Perl script, this proof of concept can upload a local root
exploit that cannot be downloaded with the remote command execution as a
local user (usually one of Apache's users) due to iptables or another
firewall that blocks outbound connections to other
webservers/ftp/whathaveyou servers for download with
wget/curl/lwp-download/ftp and other local downloading utilities, or if
these utilities have been removed.  Once a (modified) local root exploit has
been uploaded, it can modify the iptables as the root user, then bind a
shell, or spawn a reverse shell, or drop another payload as root.  Please
contact me if you are interested in getting the PoC code, and bid a price.
Please be reasonable.  When you contact me, payment details can be
arranged.  PoC code is written in Perl, and is heavily commented.

oxagast

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/