lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20090803200313.96A66B8044@smtp.hushmail.com>
Date: Mon, 03 Aug 2009 16:03:13 -0400
From: elliot_mb@...hmail.com
To: full-disclosure@...ts.grok.org.uk
Subject: PHP Fuzzer Framework Insecure File
	Creation/Execution Vulnerability

PHP Fuzzer Framework Insecure File Creation/Execution Vulnerability
I. BACKGROUND

PFF is a popular fuzzing suite developed by a team of highly
skilled developers at a classified government funded information 
security research center.
http://www.setec.org/~calcite/code/pff/

II. DESCRIPTION

Local exploitation of an insecure file creation method allows an
attacker to execute arbritrary code with the privileges of the user 
running the affected application.

III. ANALYSIS

PFF uses a default location for output files before execution by
the php intepreter.
This location can be owned by another user. An attacker can then
use the time between creation of the output file and execution of 
the file by the php binary to replace the file with a one 
containing the attacker's payload.

IV. DETECTION

All versions are affected.

V. WORKAROUND

Use a location not writable by another user for storage of PFF
output files.

VI. VENDOR RESPONSE

Vendor was uninterested in fixing the issue.


VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has not yet
assigned an identifier  to this issue.

VIII. DISCLOSURE TIMELINE

07/30/2009 10:01PM EST - Initial Contact
07/30/2009 10:05PM EST - Initial Vendor Reply
07/30/2009 10:06PM EST - Vendor expressed lack of interest in
fixing the issue.

IX. CREDIT

This vulnerability was discovered by abad1dea,
Melissa Elliott
Email:
Elliott_mb@...dents.lynchburg.edu
melissa@...ric.org
Address:
408 Homestead Drive
Forest, VA 24551

Box 2073
Lynchburg Edu

Phone:
(434) 610-3058
      544-8967

Web:
http://www.0xabad1dea.net

IRC:
irc.smashthestack.org/#social/esper
---
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/
View attachment "cheddabay.c" of type "text/x-c" (1531 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ