lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <20090803184829.2A0D8B8046@smtp.hushmail.com>
Date: Mon, 03 Aug 2009 14:48:29 -0400
From: elliot_mb@...hmail.com
To: full-disclosure@...ts.grok.org.uk
Subject: PHP Fuzzer Framework Insecure File
	Creation/Execution Vulnerability

PHP Fuzzer Framework Insecure File Creation/Execution Vulnerability
I. BACKGROUND

PFF is a popular fuzzing suite developed by a team of highly 
skilled developers
at a classified government funded information security research 
center.
http://www.setec.org/~calcite/code/pff/ 

II. DESCRIPTION

Local exploitation of an insecure file creation method allows an 
attacker to 
execute arbritrary code with the privileges of the user running the 
affected 
application.

III. ANALYSIS

PFF uses a default location for output files before execution by 
the php intepreter.
This location can be owned by another user. An attacker can then 
use the time between 
creation of the output file and execution of the file by the php 
binary to replace
the file with a one containing the attacker's payload.

IV. DETECTION

All versions are affected.

V. WORKAROUND

Use a location not writable by another user for storage of PFF 
output files.

VI. VENDOR RESPONSE

Vendor was uninterested in fixing the issue.


VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has not yet 
assigned an identifier  to this issue. 

VIII. DISCLOSURE TIMELINE

07/30/2009 10:01PM EST - Initial Contact
07/30/2009 10:05PM EST - Initial Vendor Reply
07/30/2009 10:06PM EST - Vendor expressed lack of interest in 
fixing the issue.

IX. CREDIT

This vulnerability was discovered by abad1dea,
Melissa Elliott
Email:
Elliott_mb@...dents.lynchburg.edu
melissa@...ric.org
Address:
408 Homestead Drive
Forest, VA 24551

Box 2073
Lynchburg Edu

Phone:
(434) 610-3058
      544-8967 

Web:
http://www.0xabad1dea.net

IRC:
irc.smashthestack.org/#social/esper
---
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

View attachment "cheddabay.c" of type "text/x-c" (1531 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ