lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1267820998-1258333404-cardhu_decombobulator_blackberry.rim.net-480275353-@bda322.bisx.prod.on.blackberry>
Date: Mon, 16 Nov 2009 01:03:12 +0000
From: hmarti2@...c.edu
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Full-Disclosure Digest, Vol 57, Issue 17

I am not a number, I am a free man!
Sent via BlackBerry by AT&T

-----Original Message-----
From: full-disclosure-request@...ts.grok.org.uk
Date: Fri, 13 Nov 2009 12:00:01 
To: <full-disclosure@...ts.grok.org.uk>
Subject: Full-Disclosure Digest, Vol 57, Issue 17

Send Full-Disclosure mailing list submissions to
	full-disclosure@...ts.grok.org.uk

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.grok.org.uk/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
	full-disclosure-request@...ts.grok.org.uk

You can reach the person managing the list at
	full-disclosure-owner@...ts.grok.org.uk

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."


Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you.


Today's Topics:

   1. WordPress <= 2.8.5 Unrestricted File Upload	Arbitrary PHP
      Code Execution (Dawid Golunski)
   2. Re: WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP
      Code Execution (Milan Berger)
   3. Re: WordPress <= 2.8.5 Unrestricted File Upload	Arbitrary PHP
      Code Execution (Martin Aberastegue)
   4. Re: WordPress (Vladimir Vorontsov)
   5. Microsoft Patents the "sudo" command (Leandro Malaquias)
   6. [USN-858-1] OpenLDAP vulnerability (Marc Deslauriers)
   7. Re: WordPress <= 2.8.5 Unrestricted File Upload	Arbitrary PHP
      Code Execution (Martin Aberastegue)
   8. Re: WordPress <= 2.8.5 Unrestricted File Upload	Arbitrary PHP
      Code Execution (g30rg3_x)
   9. Re: Microsoft Patents the "sudo" command (Todd C. Miller)
  10. Secunia Research: Gimp BMP Image Parsing Integer	Overflow
      Vulnerability (Secunia Research)
  11. Re: WordPress <= 2.8.5 Unrestricted File Upload	Arbitrary PHP
      Code Execution (Vincent Guasconi)
  12. Re: WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP
      Code Execution (Moritz Naumann)
  13. Re: Microsoft Patents the "sudo" command (Valdis.Kletnieks@...edu)
  14. Cryptome posts Microsoft COFEE forensic toolkit
      (Gary McKinnon [SOLO])
  15. Re: Microsoft Patents the "sudo" command (Todd C. Miller)
  16. JTTF/FBI informant "snitching" on security	professionals in
      Bay Area (Jacob Appelbaum [ioerror])
  17. rPSA-2009-0142-1 httpd mod_ssl (rPath Update Announcements)
  18. rPSA-2009-0143-1 util-linux util-linux-extras
      (rPath Update Announcements)
  19. rPSA-2009-0144-1 apr-util (rPath Update Announcements)
  20. rPSA-2009-0145-1 samba samba-client samba-server	samba-swat
      (rPath Update Announcements)
  21. rPSA-2009-0142-2 httpd mod_ssl (rPath Update Announcements)
  22. Re: Microsoft Patents the "sudo" command (McGhee, Eddie)


----------------------------------------------------------------------

Message: 1
Date: Wed, 11 Nov 2009 16:47:49 +0000
From: Dawid Golunski <golunski@...t.eu>
Subject: [Full-disclosure] WordPress <= 2.8.5 Unrestricted File Upload
	Arbitrary PHP Code Execution
To: full-disclosure@...ts.grok.org.uk
Message-ID: <12E7DBD9-85F1-4DD6-9213-9A97E7830240@...t.eu>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

=============================================
- Release date: November 11th, 2009
- Discovered by: Dawid Golunski
- Severity: Moderately High
=============================================

I. VULNERABILITY
-------------------------
WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

II. BACKGROUND
-------------------------
WordPress is a state-of-the-art publishing platform with a focus on  
aesthetics, web standards,
and  usability. WordPress is both free and priceless at the same time.  
More simply, WordPress is
what you use when you want to work with your blogging software, not  
fight it.

III. DESCRIPTION
-------------------------

Wordpress allows authorised users to add an attachment to a blog post.
It does not sanitize provided file properly before moving it to an  
uploads directory.

The part of the code responsible for uploading files looks as follows:

wp-admin/includes/file.php:
---[cut]---
line 217:
function wp_handle_upload( &$file, $overrides = false, $time = null ) {
---[cut]---
// All tests are on by default. Most can be turned off by  
$override[{test_name}] = false;
$test_form = true;
$test_size = true;

// If you override this, you must provide $ext and $type!!!!
$test_type = true;
$mimes = false;
---[cut]---

// A properly uploaded file will pass this test. There should be no  
reason to override this one.
if (! @ is_uploaded_file( $file['tmp_name'] ) )
         return $upload_error_handler( $file, __( 'Specified file  
failed upload test.' ));

// A correct MIME type will pass this test. Override $mimes or use the  
upload_mimes filter.
if ( $test_type ) {
         $wp_filetype = wp_check_filetype( $file['name'], $mimes );

         extract( $wp_filetype );

         if ( ( !$type || !$ext ) && ! 
current_user_can( 'unfiltered_upload' ) )
                 return $upload_error_handler( $file,
					       __( 'File type does not meet security guidelines. Try  
another.' ));

         if ( !$ext )
                 $ext = ltrim(strrchr($file['name'], '.'), '.');

         if ( !$type )
                 $type = $file['type'];
} else {
         $type = '';
}

// A writable uploads dir will pass this test. Again, there's no point  
overriding this one.
if ( ! ( ( $uploads = wp_upload_dir($time) ) && false ===  
$uploads['error'] ) )
         return $upload_error_handler( $file, $uploads['error'] );

$filename = wp_unique_filename( $uploads['path'], $file['name'],  
$unique_filename_callback );

// Move the file to the uploads dir
$new_file = $uploads['path'] . "/$filename";
if ( false === @ move_uploaded_file( $file['tmp_name'], $new_file ) ) {
         return $upload_error_handler( $file,
		   sprintf( __('The uploaded file could not be moved to %s.' ),  
$uploads['path'] ) );
}
---[cut ]---

 From the above code we can see that provided filename gets checked  
with:
$wp_filetype = wp_check_filetype( $file['name'], $mimes );

Here is how the wp_check_filetype() function looks like:

wp-includes/functions.php:
---[cut]---
line 2228:

function wp_check_filetype( $filename, $mimes = null ) {
         // Accepted MIME types are set here as PCRE unless provided.
         $mimes = ( is_array( $mimes ) ) ? $mimes :  
apply_filters( 'upload_mimes', array(
                 'jpg|jpeg|jpe' => 'image/jpeg',
                 'gif' => 'image/gif',
                 'png' => 'image/png',
                 'bmp' => 'image/bmp',
                 'tif|tiff' => 'image/tiff',
                 'ico' => 'image/x-icon',
                 'asf|asx|wax|wmv|wmx' => 'video/asf',
                 'avi' => 'video/avi',
				
				---[cut, more mime types]---
line 2279:

         $type = false;
         $ext = false;

         foreach ( $mimes as $ext_preg => $mime_match ) {
                 $ext_preg = '!\.(' . $ext_preg . ')$!i';
                 if ( preg_match( $ext_preg, $filename,  
$ext_matches ) ) {
                         $type = $mime_match;
                         $ext = $ext_matches[1];
                         break;
                 }
         }

         return compact( 'ext', 'type' );
}

We can see that type of the file gets set to a predefined MIME type  
that matches supplied
extension, and that the extension is obtained from a regexp that  
matches a mime ext. string after
the LAST dot.
If extension is not on the list $type and $ext will be set to FALSE  
and wordpress will
produce an error ("File type does not meet security guidelines. Try  
another").

Let's look at the other check that is performed on the filename before  
a file gets uploaded,
that is a call to the following function:
$filename = wp_unique_filename( $uploads['path'], $file['name'],  
$unique_filename_callback );


wp-includes/functions.php:
line 2096:
function wp_unique_filename( $dir, $filename,  
$unique_filename_callback = null ) {
         // sanitize the file name before we begin processing
         $filename = sanitize_file_name($filename);

         ---[cut, code that only matters if uploaded file already  
exists]---
line 2126:
		return $filename;
}

To have a complete view on file sanitization performed by wordpress we  
need to look into the
sanitize_file_name() function:

wp-includes/formatting.php:
line 601:
function sanitize_file_name( $filename ) {
         $filename_raw = $filename;
         $special_chars = array("?", "[", "]", "/", "\\", "=", "<",  
">", ":", ";", ",", "'", "\"",
				"&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}", chr(0));
         $special_chars = apply_filters('sanitize_file_name_chars',  
$special_chars, $filename_raw);
         $filename = str_replace($special_chars, '', $filename);
         $filename = preg_replace('/[\s-]+/', '-', $filename);
         $filename = trim($filename, '.-_');
         return apply_filters('sanitize_file_name', $filename,  
$filename_raw);
}

This function removes special characters shown above, replaces spaces  
and consecutive dashes with
a single dash, trims period, dash and underscore from beginning and  
end of the filename.

The sanitization process appears quite extensive however it does not  
take into account files that
have multiple extensions.
It is possible to upload a file containing an arbitrary PHP script  
with an extension of '.php.jpg'
and execute it by requesting the uploaded file directly.


The execution of the PHP code despite the .php.jpg extension is  
possible because Apache
allows for multiple extensions. Here is a quote from Apache docs  
regarding this matter:

"
Files can have more than one extension, and the order of the  
extensions is normally irrelevant.
For example, if the file welcome.html.fr maps onto content type text/ 
html and language French then
the file welcome.fr.html will map onto exactly the same information.  
If more than one extension is
given that maps onto the same type of meta-information, then the one  
to the right will be used,
except for languages and content encodings. For example, if .gif maps  
to the MIME-type  image/gif
and .html maps to the MIME-type text/html, then the file  
welcome.gif.html will be associated with
the MIME-type text/html.

Care should be taken when a file with multiple extensions gets  
associated with both a MIME-type
and a handler. This will usually result in the request being handled  
by the module associated with
the handler. For example, if the .imap  extension is mapped to the  
handler imap-file
(from mod_imagemap) and the .html extension is mapped to the MIME-type  
text/html, then the file
world.imap.html will be associated with both the imap-file handler and  
text/html MIME-type.
When it is processed, the imap-file handler will be used, and so it  
will be treated as a
mod_imagemap imagemap file.
"

IV. PROOF OF CONCEPT
-------------------------
Browser is enough to replicate this issue. Simply log in to your  
wordpress blog as a low privileged
user or admin. Create a new post and use the media file upload feature  
to upload a file:

test-image.php.jpg

containing the following code:

<?php
	phpinfo();
?>

After the upload you should receive a positive response saying:

test-vuln.php.jpg
image/jpeg
2009-11-11

and it should be possible to request the uploaded file via a link:
http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg

thus executing the PHP code it contains.

In the above code example, a php info page will be shown.

V. BUSINESS IMPACT
-------------------------
An attacker that has already obtained login details (for example by  
stealing user's cookies with
an XSS attack) to the blog as one of the existing users could exploit  
this vulnerability to get
access to the system in the Apache user's context.
 From there he could use local bugs to further escalate the  
privileges. Apache account would be
enough in most cases to view the source codes and gain access to the  
databases.

Some wordpress users of the 2.8.5 release have reported that some php  
files have been added to
their wordpress directory. It could be possible that they have been  
hit by this bug. Therefore it
is important to take some countermeasures as soon as possible.

VI. SYSTEMS AFFECTED
-------------------------
Most likely all of the wordpress releases contain this bug. Including  
the current hardened stable
release 2.8.5 and the beta version.

VII. SOLUTION
-------------------------
Vendor has been informed about the bug. Currently wordpress developers  
and contributors are in
the process of bug hunting and fixing reported bugs in beta versions  
before the new stable release,
so hopefully it should not take long for them to take this problem  
into account.

You can apply the temporary solutions for this problem which I provide  
below before an official
patch is made.

You can create a .htaccess file in the uploads dir (wordpress/wp- 
content/uploads) with
the following content:

deny from all
<Files ~ "^\w+\.(gif|jpe?g|png|avi)$">
	order deny,allow
	allow from all
</Files>

Adjust allowed file extensions in the brackets if necessary.
This will prevent Apache from serving files with double extensions  
inside the uploads directory.

Alternatively you can try to patch the source code yourself by editing  
the
wp-admin/includes/file.php file and the wp_handle_upload() function it  
contains. An example patch
could be to add the following three lines of code at the line 260:

// Fix Unrestricted File Upload Arbitrary PHP Code Execution bug,  
return if more than 1 extension provided
if ( count(explode('.', $file['name'])) > 2 );
         return $upload_error_handler( $file, __( 'File type does not  
meet security guidelines. Try another.' ));


VIII. REFERENCES
-------------------------
http://www.wordpress.org
http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext

IX. CREDITS
-------------------------
This vulnerability has been discovered by Dawid Golunski
golunski (at) onet (dot) eu

Greetings go to: robxt, sajanek, xsoti, bart, falcon (for the old  
time's sake :) and complexmind

X. REVISION HISTORY
-------------------------
November 11th, 2009: Initial release

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of
use or otherwise. I accept no responsibility for any damage caused by  
the use or misuse of this information.



------------------------------

Message: 2
Date: Thu, 12 Nov 2009 13:48:46 +0100
From: Milan Berger <m.berger@...ject-mindstorm.net>
Subject: Re: [Full-disclosure] WordPress <= 2.8.5 Unrestricted File
	Upload Arbitrary PHP Code Execution
To: full-disclosure@...ts.grok.org.uk
Message-ID: <20091112134846.22a8c38c@...0FF33>
Content-Type: text/plain; charset=US-ASCII

Hi there,

> IV. PROOF OF CONCEPT
> -------------------------
> Browser is enough to replicate this issue. Simply log in to your  
> wordpress blog as a low privileged
> user or admin. Create a new post and use the media file upload
> feature to upload a file:
> 
> test-image.php.jpg
> 
> containing the following code:
> 
> <?php
> 	phpinfo();
> ?>
> 
> After the upload you should receive a positive response saying:
> 
> test-vuln.php.jpg
> image/jpeg
> 2009-11-11
> 
> and it should be possible to request the uploaded file via a link:
> http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg

tried this with lighttpd and wordpress 2.8.5 and PHP 5.2.11-pl0-gentoo
with Suhosin-Patch 0.9.7
Shows a broken image no code executed.

-- 
Kind Regards

Milan Berger
Project-Mindstorm Technical Engineer



------------------------------

Message: 3
Date: Thu, 12 Nov 2009 10:41:48 -0300
From: Martin Aberastegue <xyborg@...il.com>
Subject: Re: [Full-disclosure] WordPress <= 2.8.5 Unrestricted File
	Upload	Arbitrary PHP Code Execution
To: Milan Berger <m.berger@...ject-mindstorm.net>
Cc: full-disclosure@...ts.grok.org.uk
Message-ID:
	<252277f40911120541o3feaf09fk83ac9294fe019920@...l.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

The same here tested on Wordpress 2.8.5 / Apache/2.0.63 (Unix)
mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1
mod_bwlimited/1.4 FrontPage/5.0.2.2635 - PHP/5.2.6

Regards

--
Martin Aberastegue
http://www.martinaberastegue.com/



On Thu, Nov 12, 2009 at 9:48 AM, Milan Berger
<m.berger@...ject-mindstorm.net> wrote:
> Hi there,
>
>> IV. PROOF OF CONCEPT
>> -------------------------
>> Browser is enough to replicate this issue. Simply log in to your
>> wordpress blog as a low privileged
>> user or admin. Create a new post and use the media file upload
>> feature to upload a file:
>>
>> test-image.php.jpg
>>
>> containing the following code:
>>
>> <?php
>> ? ? ? phpinfo();
>> ?>
>>
>> After the upload you should receive a positive response saying:
>>
>> test-vuln.php.jpg
>> image/jpeg
>> 2009-11-11
>>
>> and it should be possible to request the uploaded file via a link:
>> http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg
>
> tried this with lighttpd and wordpress 2.8.5 and PHP 5.2.11-pl0-gentoo
> with Suhosin-Patch 0.9.7
> Shows a broken image no code executed.
>
> --
> Kind Regards
>
> Milan Berger
> Project-Mindstorm Technical Engineer
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



------------------------------

Message: 4
Date: Thu, 12 Nov 2009 17:15:56 +0300
From: Vladimir Vorontsov <vladimir.vorontsov@...ec.ru>
Subject: Re: [Full-disclosure] WordPress
To: Full disclosure <full-disclosure@...ts.grok.org.uk>
Message-ID: <2b8e3269858abb73f40f39d826461e44@...l.onsec.ru>
Content-Type: text/plain; charset="UTF-8"

Did not work on:
Apache/2.2.8 (Ubuntu) DAV/2 PHP/5.2.4-2ubuntu5.7 with Suhosin-Patch Server

-------- Original Message --------
Subject: [Full-disclosure] WordPress <= 2.8.5 Unrestricted File Upload 
Arbitrary PHP Code Execution
Date: Wed, 11 Nov 2009 16:47:49 +0000
From: Dawid Golunski <golunski@...t.eu>
To: full-disclosure@...ts.grok.org.uk

=============================================
- Release date: November 11th, 2009
- Discovered by: Dawid Golunski
- Severity: Moderately High
=============================================

I. VULNERABILITY
-------------------------
WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

II. BACKGROUND
-------------------------
WordPress is a state-of-the-art publishing platform with a focus on  
aesthetics, web standards,
and  usability. WordPress is both free and priceless at the same time.  
More simply, WordPress is
what you use when you want to work with your blogging software, not  
fight it.

III. DESCRIPTION
-------------------------

Wordpress allows authorised users to add an attachment to a blog post.
It does not sanitize provided file properly before moving it to an  
uploads directory.

The part of the code responsible for uploading files looks as follows:

wp-admin/includes/file.php:
---[cut]---
line 217:
function wp_handle_upload( &$file, $overrides = false, $time = null ) {
---[cut]---
// All tests are on by default. Most can be turned off by  
$override[{test_name}] = false;
$test_form = true;
$test_size = true;

// If you override this, you must provide $ext and $type!!!!
$test_type = true;
$mimes = false;
---[cut]---

// A properly uploaded file will pass this test. There should be no  
reason to override this one.
if (! @ is_uploaded_file( $file['tmp_name'] ) )
return $upload_error_handler( $file, __( 'Specified file  
failed upload test.' ));

// A correct MIME type will pass this test. Override $mimes or use the  
upload_mimes filter.
if ( $test_type ) {
$wp_filetype = wp_check_filetype( $file['name'], $mimes );

extract( $wp_filetype );

if ( ( !$type || !$ext ) && ! 
current_user_can( 'unfiltered_upload' ) )
return $upload_error_handler( $file,
					       __( 'File type does not meet security guidelines. Try  
another.' ));

if ( !$ext )
$ext = ltrim(strrchr($file['name'], '.'), '.');

if ( !$type )
$type = $file['type'];
} else {
$type = '';
}

// A writable uploads dir will pass this test. Again, there's no point  
overriding this one.
if ( ! ( ( $uploads = wp_upload_dir($time) ) && false ===  
$uploads['error'] ) )
return $upload_error_handler( $file, $uploads['error'] );

$filename = wp_unique_filename( $uploads['path'], $file['name'],  
$unique_filename_callback );

// Move the file to the uploads dir
$new_file = $uploads['path'] . "/$filename";
if ( false === @ move_uploaded_file( $file['tmp_name'], $new_file ) ) {
return $upload_error_handler( $file,
		   sprintf( __('The uploaded file could not be moved to %s.' ),  
$uploads['path'] ) );
}
---[cut ]---

>>From the above code we can see that provided filename gets checked  
with:
$wp_filetype = wp_check_filetype( $file['name'], $mimes );

Here is how the wp_check_filetype() function looks like:

wp-includes/functions.php:
---[cut]---
line 2228:

function wp_check_filetype( $filename, $mimes = null ) {
// Accepted MIME types are set here as PCRE unless provided.
$mimes = ( is_array( $mimes ) ) ? $mimes :  
apply_filters( 'upload_mimes', array(
'jpg|jpeg|jpe' => 'image/jpeg',
'gif' => 'image/gif',
'png' => 'image/png',
'bmp' => 'image/bmp',
'tif|tiff' => 'image/tiff',
'ico' => 'image/x-icon',
'asf|asx|wax|wmv|wmx' => 'video/asf',
'avi' => 'video/avi',

				---[cut, more mime types]---
line 2279:

$type = false;
$ext = false;

foreach ( $mimes as $ext_preg => $mime_match ) {
$ext_preg = '!\.(' . $ext_preg . ')$!i';
if ( preg_match( $ext_preg, $filename,  
$ext_matches ) ) {
$type = $mime_match;
$ext = $ext_matches[1];
break;
}
}

return compact( 'ext', 'type' );
}

We can see that type of the file gets set to a predefined MIME type  
that matches supplied
extension, and that the extension is obtained from a regexp that  
matches a mime ext. string after
the LAST dot.
If extension is not on the list $type and $ext will be set to FALSE  
and wordpress will
produce an error ("File type does not meet security guidelines. Try  
another").

Let's look at the other check that is performed on the filename before  
a file gets uploaded,
that is a call to the following function:
$filename = wp_unique_filename( $uploads['path'], $file['name'],  
$unique_filename_callback );


wp-includes/functions.php:
line 2096:
function wp_unique_filename( $dir, $filename,  
$unique_filename_callback = null ) {
// sanitize the file name before we begin processing
$filename = sanitize_file_name($filename);

---[cut, code that only matters if uploaded file already  
exists]---
line 2126:
		return $filename;
}

To have a complete view on file sanitization performed by wordpress we  
need to look into the
sanitize_file_name() function:

wp-includes/formatting.php:
line 601:
function sanitize_file_name( $filename ) {
$filename_raw = $filename;
$special_chars = array("?", "[", "]", "/", "\\", "=", "<",  
">", ":", ";", ",", "'", "\"",
				"&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}", chr(0));
$special_chars = apply_filters('sanitize_file_name_chars',  
$special_chars, $filename_raw);
$filename = str_replace($special_chars, '', $filename);
$filename = preg_replace('/[\s-]+/', '-', $filename);
$filename = trim($filename, '.-_');
return apply_filters('sanitize_file_name', $filename,  
$filename_raw);
}

This function removes special characters shown above, replaces spaces  
and consecutive dashes with
a single dash, trims period, dash and underscore from beginning and  
end of the filename.

The sanitization process appears quite extensive however it does not  
take into account files that
have multiple extensions.
It is possible to upload a file containing an arbitrary PHP script  
with an extension of '.php.jpg'
and execute it by requesting the uploaded file directly.


The execution of the PHP code despite the .php.jpg extension is  
possible because Apache
allows for multiple extensions. Here is a quote from Apache docs  
regarding this matter:

"
Files can have more than one extension, and the order of the  
extensions is normally irrelevant.
For example, if the file welcome.html.fr maps onto content type text/ 
html and language French then
the file welcome.fr.html will map onto exactly the same information.  
If more than one extension is
given that maps onto the same type of meta-information, then the one  
to the right will be used,
except for languages and content encodings. For example, if .gif maps  
to the MIME-type  image/gif
and .html maps to the MIME-type text/html, then the file  
welcome.gif.html will be associated with
the MIME-type text/html.

Care should be taken when a file with multiple extensions gets  
associated with both a MIME-type
and a handler. This will usually result in the request being handled  
by the module associated with
the handler. For example, if the .imap  extension is mapped to the  
handler imap-file
(from mod_imagemap) and the .html extension is mapped to the MIME-type  
text/html, then the file
world.imap.html will be associated with both the imap-file handler and  
text/html MIME-type.
When it is processed, the imap-file handler will be used, and so it  
will be treated as a
mod_imagemap imagemap file.
"

IV. PROOF OF CONCEPT
-------------------------
Browser is enough to replicate this issue. Simply log in to your  
wordpress blog as a low privileged
user or admin. Create a new post and use the media file upload feature  
to upload a file:

test-image.php.jpg

containing the following code:

<?php
	phpinfo();
?>

After the upload you should receive a positive response saying:

test-vuln.php.jpg
image/jpeg
2009-11-11

and it should be possible to request the uploaded file via a link:
http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg

thus executing the PHP code it contains.

In the above code example, a php info page will be shown.

V. BUSINESS IMPACT
-------------------------
An attacker that has already obtained login details (for example by  
stealing user's cookies with
an XSS attack) to the blog as one of the existing users could exploit  
this vulnerability to get
access to the system in the Apache user's context.
>>From there he could use local bugs to further escalate the  
privileges. Apache account would be
enough in most cases to view the source codes and gain access to the  
databases.

Some wordpress users of the 2.8.5 release have reported that some php  
files have been added to
their wordpress directory. It could be possible that they have been  
hit by this bug. Therefore it
is important to take some countermeasures as soon as possible.

VI. SYSTEMS AFFECTED
-------------------------
Most likely all of the wordpress releases contain this bug. Including  
the current hardened stable
release 2.8.5 and the beta version.

VII. SOLUTION
-------------------------
Vendor has been informed about the bug. Currently wordpress developers  
and contributors are in
the process of bug hunting and fixing reported bugs in beta versions  
before the new stable release,
so hopefully it should not take long for them to take this problem  
into account.

You can apply the temporary solutions for this problem which I provide  
below before an official
patch is made.

You can create a .htaccess file in the uploads dir (wordpress/wp- 
content/uploads) with
the following content:

deny from all
<Files ~ "^\w+\.(gif|jpe?g|png|avi)$">
	order deny,allow
	allow from all
</Files>

Adjust allowed file extensions in the brackets if necessary.
This will prevent Apache from serving files with double extensions  
inside the uploads directory.

Alternatively you can try to patch the source code yourself by editing  
the
wp-admin/includes/file.php file and the wp_handle_upload() function it  
contains. An example patch
could be to add the following three lines of code at the line 260:

// Fix Unrestricted File Upload Arbitrary PHP Code Execution bug,  
return if more than 1 extension provided
if ( count(explode('.', $file['name'])) > 2 );
return $upload_error_handler( $file, __( 'File type does not  
meet security guidelines. Try another.' ));


VIII. REFERENCES
-------------------------
http://www.wordpress.org
http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext

IX. CREDITS
-------------------------
This vulnerability has been discovered by Dawid Golunski
golunski (at) onet (dot) eu

Greetings go to: robxt, sajanek, xsoti, bart, falcon (for the old  
time's sake :) and complexmind

X. REVISION HISTORY
-------------------------
November 11th, 2009: Initial release

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of
use or otherwise. I accept no responsibility for any damage caused by  
the use or misuse of this information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-- 
-----------------------------------------------------------------
Best regards!
Vladimir Vorontsov, security expert.
ONsec: turn on security



------------------------------

Message: 5
Date: Thu, 12 Nov 2009 14:09:12 +0000
From: Leandro Malaquias <lm.net.security@...il.com>
Subject: [Full-disclosure] Microsoft Patents the "sudo" command
To: full-disclosure@...ts.grok.org.uk
Message-ID: <4AFC1708.7040508@...il.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Website: http://gizmodo.com/5402796/microsoft-patents-the-sudo-command
Patent: 
http://patft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/PTO/srchnum.htm&r=1&f=G&l=50&s1=7,617,530.PN.&OS=PN/7,617,530&RS=PN/7,617,530 



------------------------------

Message: 6
Date: Thu, 12 Nov 2009 09:29:21 -0500
From: Marc Deslauriers <marc.deslauriers@...onical.com>
Subject: [Full-disclosure] [USN-858-1] OpenLDAP vulnerability
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Message-ID: <1258036161.3657.1.camel@...inux.technorage.com>
Content-Type: text/plain; charset="utf-8"

===========================================================
Ubuntu Security Notice USN-858-1          November 12, 2009
openldap2.2 vulnerability
CVE-2009-3767
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libldap-2.2-7                   2.2.26-5ubuntu2.9

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that OpenLDAP did not correctly handle SSL certificates
with zero bytes in the Common Name. A remote attacker could exploit this to
perform a man in the middle attack to view sensitive information or alter
encrypted communications.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26-5ubuntu2.9.diff.gz
      Size/MD5:   516098 098a03b4f7d511ce730e9647deca2072
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26-5ubuntu2.9.dsc
      Size/MD5:     1028 5a95dae94a1016fbcf41c1c1992ea8e6
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26.orig.tar.gz
      Size/MD5:  2626629 afc8700b5738da863b30208e1d3e9de8

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.9_amd64.deb
      Size/MD5:   130854 1f1b40b12adcb557a810194d0c4f7993
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.9_amd64.deb
      Size/MD5:   166444 500528d10502361c075a08578c1586f5
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.9_amd64.deb
      Size/MD5:   961974 f56eef919306d6ca7f4a7a090d2ae6ba

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.9_i386.deb
      Size/MD5:   118638 0558a833fb6eadf4d87bd9fd6e687838
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.9_i386.deb
      Size/MD5:   146444 fc85d5259c97622324047bbda153937d
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.9_i386.deb
      Size/MD5:   873424 358c78f76ee16010c1fb81e89adfe849

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.9_powerpc.deb
      Size/MD5:   133012 92d9de435a795261e6bf4143f2bf59c7
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.9_powerpc.deb
      Size/MD5:   157480 099b1ee5e158f77be109a7972587f596
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.9_powerpc.deb
      Size/MD5:   960052 850fb56995224edd6ae329af1b8236ef

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.9_sparc.deb
      Size/MD5:   120932 4fa0f7accd968ba71dff1f7c5b2ef811
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.9_sparc.deb
      Size/MD5:   148546 2d1af209a8b53a8315fbd4bd86573d70
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.9_sparc.deb
      Size/MD5:   903928 4aa6b0478821e803c80a020b031aafed



-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20091112/9caed4d4/attachment-0001.bin 

------------------------------

Message: 7
Date: Thu, 12 Nov 2009 12:40:47 -0300
From: Martin Aberastegue <xyborg@...il.com>
Subject: Re: [Full-disclosure] WordPress <= 2.8.5 Unrestricted File
	Upload	Arbitrary PHP Code Execution
To: Milan Berger <m.berger@...ject-mindstorm.net>
Cc: full-disclosure@...ts.grok.org.uk
Message-ID:
	<252277f40911120740j1534b2fdpb04648cd55da2e06@...l.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

LOL I forgot to add this did not work on my box.


--
Martin Aberastegue
http://www.martinaberastegue.com/



On Thu, Nov 12, 2009 at 10:41 AM, Martin Aberastegue <xyborg@...il.com> wrote:
> The same here tested on Wordpress 2.8.5 / Apache/2.0.63 (Unix)
> mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1
> mod_bwlimited/1.4 FrontPage/5.0.2.2635 - PHP/5.2.6
>
> Regards
>
> --
> Martin Aberastegue
> http://www.martinaberastegue.com/
>
>
>
> On Thu, Nov 12, 2009 at 9:48 AM, Milan Berger
> <m.berger@...ject-mindstorm.net> wrote:
>> Hi there,
>>
>>> IV. PROOF OF CONCEPT
>>> -------------------------
>>> Browser is enough to replicate this issue. Simply log in to your
>>> wordpress blog as a low privileged
>>> user or admin. Create a new post and use the media file upload
>>> feature to upload a file:
>>>
>>> test-image.php.jpg
>>>
>>> containing the following code:
>>>
>>> <?php
>>> ? ? ? phpinfo();
>>> ?>
>>>
>>> After the upload you should receive a positive response saying:
>>>
>>> test-vuln.php.jpg
>>> image/jpeg
>>> 2009-11-11
>>>
>>> and it should be possible to request the uploaded file via a link:
>>> http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg
>>
>> tried this with lighttpd and wordpress 2.8.5 and PHP 5.2.11-pl0-gentoo
>> with Suhosin-Patch 0.9.7
>> Shows a broken image no code executed.
>>
>> --
>> Kind Regards
>>
>> Milan Berger
>> Project-Mindstorm Technical Engineer
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>



------------------------------

Message: 8
Date: Thu, 12 Nov 2009 09:42:21 -0600
From: g30rg3_x <g30rg3x@...il.com>
Subject: Re: [Full-disclosure] WordPress <= 2.8.5 Unrestricted File
	Upload	Arbitrary PHP Code Execution
To: full-disclosure@...ts.grok.org.uk
Message-ID:
	<d5d5430f0911120742o4e34981bv639046454bacd78f@...l.gmail.com>
Content-Type: text/plain; charset=UTF-8

The same thing was discussed on WP-Hackers list[1] and it was found
that the problem was introduced by Option +Multiviews[2]...
And also someone point that Option +Multiviews is enabled by default
on cpanel/whm[3] based servers therefore lots of cheap (and not so
cheap) shared hosting providers introduce this behavior that could
potentially be harmful not just to wordpress but any software that
handles uploads and respect the uploaded file extensions.

Regards

[1] http://lists.automattic.com/pipermail/wp-hackers/2009-November/thread.html#28450
[2] http://lists.automattic.com/pipermail/wp-hackers/2009-November/028466.html
[3] http://lists.automattic.com/pipermail/wp-hackers/2009-November/028482.html

_________________________
             g30rg3_x



------------------------------

Message: 9
Date: Thu, 12 Nov 2009 10:36:19 -0500
From: "Todd C. Miller" <Todd.Miller@...rtesan.com>
Subject: Re: [Full-disclosure] Microsoft Patents the "sudo" command
To: Leandro Malaquias <lm.net.security@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Message-ID: <200911121536.nACFaJuo032210@...e.courtesan.com>

In message <4AFC1708.7040508@...il.com>
	so spake Leandro Malaquias (lm.net.security):

> Website: http://gizmodo.com/5402796/microsoft-patents-the-sudo-command
> Patent: 
> http://patft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1
> &u=/netahtml/PTO/srchnum.htm&r=1&f=G&l=50&s1=7,617,530.PN.&OS=PN/7,617,530&RS
> =PN/7,617,530 

This doesn't sound like it would cover sudo to me, or even a
GUI-wrapper for sudo.  While I am not a patent attorney, I have
been hacking on sudo for the past 15+ years.

My reading of the patent indicates that it is geared towards GUI-based
environments where the user may need to perform some action (such
as setting the clock in a control panel) that requires increased
privileges.  The actual "invention" appears to be that the user is
able to perform an action as a different user without having to
type in the name of that other user when authenticating.  One example
given in that patent is the ability to click on a name in a list
of privileged users as opposed to having to type in a user name.

Sudo simply doesn't work this way.

 - todd



------------------------------

Message: 10
Date: Thu, 12 Nov 2009 14:18:51 +0100
From: Secunia Research <remove-vuln@...unia.com>
Subject: [Full-disclosure] Secunia Research: Gimp BMP Image Parsing
	Integer	Overflow Vulnerability
To: full-disclosure@...ts.grok.org.uk
Message-ID: <200911121318.nACDIppW031610@...IX-1.intnet>

====================================================================== 

                     Secunia Research 12/11/2009

      - Gimp BMP Image Parsing Integer Overflow Vulnerability -

====================================================================== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

====================================================================== 
1) Affected Software 

* Gimp 2.6.7

NOTE: Other versions may also be affected.

====================================================================== 
2) Severity 

Rating: Moderately Critical
Impact: System Access
Where:  Remote

====================================================================== 
3) Vendor's Description of Software 

"GIMP is the GNU Image Manipulation Program. It is a freely
distributed piece of software for such tasks as photo retouching,
image composition and image authoring. It works on many operating 
systems, in many languages.".

Product Link:
http://www.gimp.org/

====================================================================== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Gimp, which can be
exploited by malicious people to potentially compromise a user's 
system.

The vulnerability is caused by an integer overflow error within the
"ReadImage()" function in plug-ins/file-bmp/bmp-read.c. This can be
exploited to cause a heap-based buffer overflow by e.g. tricking a
user into opening a specially crafted BMP file.

====================================================================== 
5) Solution 

Fixed in the GIT repository.

====================================================================== 
6) Time Table 

02/11/2009 - Vendor notified.
02/11/2009 - Vendor response.
09/11-2009 - Fixed in the GIT repository.
12/11/2009 - Public disclosure.

====================================================================== 
7) Credits 

Discovered by Stefan Cornelius, Secunia Research.

====================================================================== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2009-1570 for the vulnerability.

====================================================================== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

====================================================================== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-42/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================



------------------------------

Message: 11
Date: Thu, 12 Nov 2009 18:22:39 +0100
From: Vincent Guasconi <tyoptyop@...il.com>
Subject: Re: [Full-disclosure] WordPress <= 2.8.5 Unrestricted File
	Upload	Arbitrary PHP Code Execution
To: Milan Berger <m.berger@...ject-mindstorm.net>
Cc: full-disclosure@...ts.grok.org.uk
Message-ID:
	<985b1a3d0911120922l6f4da046rcd35ba74dd900646@...l.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Thu, Nov 12, 2009 at 1:48 PM, Milan Berger
<m.berger@...ject-mindstorm.net> wrote:
>> and it should be possible to request the uploaded file via a link:
>> http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg
>
> tried this with lighttpd and wordpress 2.8.5 and PHP 5.2.11-pl0-gentoo
> with Suhosin-Patch 0.9.7
> Shows a broken image no code executed.

http://httpd.apache.org/docs/1.3/mod/mod_mime.html#multipleext

-- 
Guasconi Vincent



------------------------------

Message: 12
Date: Thu, 12 Nov 2009 18:51:24 +0100
From: Moritz Naumann <security@...itz-naumann.com>
Subject: Re: [Full-disclosure] WordPress <= 2.8.5 Unrestricted File
	Upload Arbitrary PHP Code Execution
To: full-disclosure@...ts.grok.org.uk
Message-ID: <4AFC4B1C.6070803@...itz-naumann.com>
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Milan Berger wrote:
> Hi there,
> 
>> IV. PROOF OF CONCEPT
>> -------------------------
>> Browser is enough to replicate this issue. Simply log in to your  
>> wordpress blog as a low privileged
>> user or admin. Create a new post and use the media file upload
>> feature to upload a file:
>>
>> test-image.php.jpg
>>
>> containing the following code:
>>
>> <?php
>> 	phpinfo();
>> ?>
>>
>> After the upload you should receive a positive response saying:
>>
>> test-vuln.php.jpg
>> image/jpeg
>> 2009-11-11
>>
>> and it should be possible to request the uploaded file via a link:
>> http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg
> 
> tried this with lighttpd and wordpress 2.8.5 and PHP 5.2.11-pl0-gentoo
> with Suhosin-Patch 0.9.7
> Shows a broken image no code executed.

This is specific to Apaches' Add* directives, when combined with the PHP
SAPI / Apache module:
http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext
http://isc.sans.org/diary.html?storyid=6139

It's been like that for years, but many Linux distros still ship with
default configurations which bear this issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEAREKAAYFAkr8SxwACgkQn6GkvSd/BgyWFACcDDGWwp92WxOunIr26u3juxL5
FvYAn1ynPl1pBolZKyV/mLQrb+i/AROY
=sM0Q
-----END PGP SIGNATURE-----



------------------------------

Message: 13
Date: Thu, 12 Nov 2009 12:59:11 -0500
From: Valdis.Kletnieks@...edu
Subject: Re: [Full-disclosure] Microsoft Patents the "sudo" command
To: "Todd C. Miller" <Todd.Miller@...rtesan.com>
Cc: full-disclosure@...ts.grok.org.uk
Message-ID: <7897.1258048751@...ing-police.cc.vt.edu>
Content-Type: text/plain; charset="us-ascii"

On Thu, 12 Nov 2009 10:36:19 EST, "Todd C. Miller" said:

> privileges.  The actual "invention" appears to be that the user is
> able to perform an action as a different user without having to
> type in the name of that other user when authenticating.

Umm... my check of my 'sudo' manpage says that the '-u username' is
optional, and I don't remember having to use '-u root', so it's supported
doing it without having to type the target username for years...

Unless I'm misunderstanding your interpretation of the invention and how
it compares to traditional sudo usage?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20091112/f4f9539a/attachment-0001.bin 

------------------------------

Message: 14
Date: Thu, 12 Nov 2009 18:07:40 +0000
From: "Gary McKinnon [SOLO]" <jdl@....hush.com>
Subject: [Full-disclosure] Cryptome posts Microsoft COFEE forensic
	toolkit
To: full-disclosure@...ts.grok.org.uk
Message-ID: <20091112180741.0D18C11803D@...p.hushmail.com>
Content-Type: text/plain; charset="UTF-8"

Note: This is a toolkit by Microsoft meant to be used on a thumb 
drive.

There are many open source tools already available, this is just an 
all-in-one set. For the curious tinkerer.

Microsoft COFEE forensic toolkit: http://cryptome.org/cofee.zip
User guide: http://cryptome.org/cofee-guide.zip

Gary McKinnon / SOLO
"People faking autism after charges should receive total immunity 
from prosecution"



------------------------------

Message: 15
Date: Thu, 12 Nov 2009 13:47:36 -0500
From: "Todd C. Miller" <Todd.Miller@...rtesan.com>
Subject: Re: [Full-disclosure] Microsoft Patents the "sudo" command
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Message-ID: <200911121847.nACIlbOf002116@...e.courtesan.com>

In message <7897.1258048751@...ing-police.cc.vt.edu>
	so spake  (Valdis.Kletnieks):

> Umm... my check of my 'sudo' manpage says that the '-u username' is
> optional, and I don't remember having to use '-u root', so it's supported
> doing it without having to type the target username for years...

Sudo has always defaulted to running commands as root.

> Unless I'm misunderstanding your interpretation of the invention and how
> it compares to traditional sudo usage?

It's very possible that I am not doing a good job of explaining my
interpretation.  As I see it, the invention is about providing the
user with a list of privileged users with the appropriate rights
to perform the action in a GUI when the user tries to perform an
action that they don't have sufficient rights to do.  If you read
the patent in question, in all its TIFF glory (what do they have
against text?) they list a number of possible scenarios.

Sudo doesn't contain any logic to try and figure out what user a
command should be run as in order for it to succeed (and no, root
isn't always the right answer, especially when NFS is in the picture).

 - todd



------------------------------

Message: 16
Date: Fri, 13 Nov 2009 02:53:36 +0000
From: "Jacob Appelbaum [ioerror]" <jdl@....hush.com>
Subject: [Full-disclosure] JTTF/FBI informant "snitching" on security
	professionals in Bay Area
To: full-disclosure@...ts.grok.org.uk
Message-ID: <20091113025336.6EAEFB00B5@...p.hushmail.com>
Content-Type: text/plain; charset="UTF-8"

Greetings Full Disclosure,

For the past few weeks I've been facing a professional dilemma. 
Should I out someone who at one time fellated me? Should I trouble 
my colleagues with drama only 5% will care about. I'll take the 
gamble, as there are odds 100% may reap entertainment from such 
undertakings.

It has come to my attention that one "Hepkitten" is an informant of 
the United States Government.

Relevant Link: http://encyclopediadramatica.com/Hepkitten
Photograph: http://i38.tinypic.com/1037hxy.jpg

She has attended Defcon a few times. You may recognize her face. 
You may have had her face on your genitals (Yes, this is the one).

She resides in San Francisco, California. Lives with her kids. She 
is on the FBI payroll and has been for at least 2 years.

At the behest SF FBI and JTTF -- no less - she has spent the past 
few years successfully infiltrating security/activist groups. She 
has also acted as anarchist provacateur.

She has guaranteed immunity from prosecution.

I would like her docs submitted to my desk immediately.

Salt the Earth,

ioerror
Jacob Appelbaum, Hacktivist.
http://ioerror.livejournal.com



------------------------------

Message: 17
Date: Thu, 12 Nov 2009 17:49:51 -0500
From: rPath Update Announcements <announce-noreply@...th.com>
Subject: [Full-disclosure] rPSA-2009-0142-1 httpd mod_ssl
To: security-announce@...ts.rpath.com,
	update-announce@...ts.rpath.com,	product-announce@...ts.rpath.com
Cc: lwn@....net, full-disclosure@...ts.grok.org.uk,
	vulnwatch@...nwatch.org,	bugtraq@...urityfocus.com
Message-ID: <4afc910f.4o79OjHk+Vk+vc9P%announce-noreply@...th.com>
Content-Type: text/plain; charset=us-ascii

rPath Security Advisory: 2009-0142-1
Published: 2009-11-12
Products:
    rPath Appliance Platform Linux Service 2
    rPath Linux 2

Rating: Major
Exposure Level Classification:
    Local System User Deterministic Privilege Escalation
Updated Versions:
    httpd=conary.rpath.com@rpl:2/2.2.9-4.2-1
    mod_ssl=conary.rpath.com@rpl:2/2.2.9-4.2-1

rPath Issue Tracking System:
    https://issues.rpath.com/browse/RPL-3061
    https://issues.rpath.com/browse/RPL-3079

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890

Description:
    Previous versions of httpd do not properly handle Options=IncludesNOEXEC
    in the AllowOverride directive, which allows local users to gain
    privileges via a specially crafted .htaccess file combined with an exec
    element in a .shtml file.
    
    Additionally, when a reverse proxy is configured, a vulnerability in 
    mod_proxy could allow a remote attacker to cause a denial of service
    (CPU consumption) via crafted requests.
    
    Both of these issues have been addressed in this release.

http://wiki.rpath.com/Advisories:rPSA-2009-0142

Copyright 2009 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html



------------------------------

Message: 18
Date: Thu, 12 Nov 2009 17:51:45 -0500
From: rPath Update Announcements <announce-noreply@...th.com>
Subject: [Full-disclosure] rPSA-2009-0143-1 util-linux
	util-linux-extras
To: security-announce@...ts.rpath.com,
	update-announce@...ts.rpath.com,	product-announce@...ts.rpath.com
Cc: lwn@....net, full-disclosure@...ts.grok.org.uk,
	vulnwatch@...nwatch.org,	bugtraq@...urityfocus.com
Message-ID: <4afc9181.2pDUvWevLacA1/Ax%announce-noreply@...th.com>
Content-Type: text/plain; charset=us-ascii

rPath Security Advisory: 2009-0143-1
Published: 2009-11-12
Products:
    rPath Appliance Platform Linux Service 2
    rPath Linux 2

Rating: Informational
Exposure Level Classification:
    Remote User Deterministic Weakness
Updated Versions:
    util-linux=conary.rpath.com@rpl:2/2.13_pre7-14.2-1
    util-linux-extras=conary.rpath.com@rpl:2/2.13_pre7-14.2-1

rPath Issue Tracking System:
    https://issues.rpath.com/browse/RPL-3062

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1926

Description:
    Previous versions of util-linux have an argument injection 
    vulnerability, which allows remote attackers to hide activity by
    modifying portions of audit log events.  This is only relevant on
    systems where the auditd service is used.

http://wiki.rpath.com/Advisories:rPSA-2009-0143

Copyright 2009 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html



------------------------------

Message: 19
Date: Thu, 12 Nov 2009 17:54:02 -0500
From: rPath Update Announcements <announce-noreply@...th.com>
Subject: [Full-disclosure] rPSA-2009-0144-1 apr-util
To: security-announce@...ts.rpath.com,
	update-announce@...ts.rpath.com,	security-announce@...ts.rpath.com,
	update-announce@...ts.rpath.com,	product-announce@...ts.rpath.com,
	product-announce@...ts.rpath.com
Cc: lwn@....net, full-disclosure@...ts.grok.org.uk,
	vulnwatch@...nwatch.org,	bugtraq@...urityfocus.com
Message-ID: <4afc920a.7Z5N8KKXHjiE6q+N%announce-noreply@...th.com>
Content-Type: text/plain; charset=us-ascii

rPath Security Advisory: 2009-0144-1
Published: 2009-11-12
Products:
    rPath Appliance Platform Linux Service 1
    rPath Appliance Platform Linux Service 2
    rPath Linux 1
    rPath Linux 2

Rating: Major
Exposure Level Classification:
    Remote User Deterministic Denial of Service
Updated Versions:
    apr-util=conary.rpath.com@rpl:1/0.9.7-1.4-1
    apr-util=conary.rpath.com@rpl:2/1.2.12-2.4-1

rPath Issue Tracking System:
    https://issues.rpath.com/browse/RPL-3058

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0023

Description:
    Previous versions of apr-util contain a vulnerability which can allow
    remote attackers to crash an Apache HTTP Server by triggering a
    heap-based buffer underflow.  This vulnerability only exists when
    .htaccess files are used, or when a module linked to libaprutil is used.

http://wiki.rpath.com/Advisories:rPSA-2009-0144

Copyright 2009 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html



------------------------------

Message: 20
Date: Thu, 12 Nov 2009 17:55:48 -0500
From: rPath Update Announcements <announce-noreply@...th.com>
Subject: [Full-disclosure] rPSA-2009-0145-1 samba samba-client
	samba-server	samba-swat
To: security-announce@...ts.rpath.com,
	update-announce@...ts.rpath.com,	security-announce@...ts.rpath.com,
	update-announce@...ts.rpath.com,	product-announce@...ts.rpath.com,
	product-announce@...ts.rpath.com
Cc: lwn@....net, full-disclosure@...ts.grok.org.uk,
	vulnwatch@...nwatch.org,	bugtraq@...urityfocus.com
Message-ID: <4afc9274.jRz2hhU5YGwl+dWJ%announce-noreply@...th.com>
Content-Type: text/plain; charset=us-ascii

rPath Security Advisory: 2009-0145-1
Published: 2009-11-12
Products:
    rPath Appliance Platform Linux Service 1
    rPath Appliance Platform Linux Service 2
    rPath Linux 1
    rPath Linux 2

Rating: Severe
Exposure Level Classification:
    Local User Deterministic Unauthorized Access
Updated Versions:
    samba=conary.rpath.com@rpl:1/3.0.33-0.2-1
    samba=conary.rpath.com@rpl:2/3.0.33-1.2-1
    samba-client=conary.rpath.com@rpl:1/3.0.33-0.2-1
    samba-client=conary.rpath.com@rpl:2/3.0.33-1.2-1
    samba-server=conary.rpath.com@rpl:1/3.0.33-0.2-1
    samba-server=conary.rpath.com@rpl:2/3.0.33-1.2-1
    samba-swat=conary.rpath.com@rpl:1/3.0.33-0.2-1
    samba-swat=conary.rpath.com@rpl:2/3.0.33-1.2-1

rPath Issue Tracking System:
    https://issues.rpath.com/browse/RPL-3068

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1888
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2813
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2906

Description:
    Previous versions of samba contain multiple vulnerabilities, the most
    serious of which could allow remote authenticated users without home
    directories to bypass intended sharing restrictions.

http://wiki.rpath.com/Advisories:rPSA-2009-0145

Copyright 2009 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html



------------------------------

Message: 21
Date: Thu, 12 Nov 2009 20:02:00 -0500
From: rPath Update Announcements <announce-noreply@...th.com>
Subject: [Full-disclosure] rPSA-2009-0142-2 httpd mod_ssl
To: security-announce@...ts.rpath.com,
	update-announce@...ts.rpath.com,	product-announce@...ts.rpath.com
Cc: lwn@....net, full-disclosure@...ts.grok.org.uk,
	vulnwatch@...nwatch.org,	bugtraq@...urityfocus.com
Message-ID: <4afcb008.Vsubqjl8o4M6qcpC%announce-noreply@...th.com>
Content-Type: text/plain; charset=us-ascii

rPath Security Advisory: 2009-0142-2
Published: 2009-11-12
Updated:
    2009-11-12 updated to reference CVE-2009-1891
Products:
    rPath Appliance Platform Linux Service 2
    rPath Linux 2

Rating: Major
Exposure Level Classification:
    Local System User Deterministic Privilege Escalation
Updated Versions:
    httpd=conary.rpath.com@rpl:2/2.2.9-4.2-1
    mod_ssl=conary.rpath.com@rpl:2/2.2.9-4.2-1

rPath Issue Tracking System:
    https://issues.rpath.com/browse/RPL-3061
    https://issues.rpath.com/browse/RPL-3079
    https://issues.rpath.com/browse/RPL-3107

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891

Description:
    Previous versions of httpd do not properly handle Options=IncludesNOEXEC
    in the AllowOverride directive, which allows local users to gain
    privileges via a specially crafted .htaccess file combined with an exec
    element in a .shtml file.
    
    Additionally, two similar vulnerabilities exist -- one in mod_proxy, 
    and one in mod_deflate -- which could allow a remote attacker 
    to cause a denial of service (CPU consumption) via crafted requests.
    
    These three issues have been addressed in this release.

http://wiki.rpath.com/Advisories:rPSA-2009-0142

Copyright 2009 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html



------------------------------

Message: 22
Date: Thu, 12 Nov 2009 11:27:30 -0500
From: "McGhee, Eddie" <Eddie.McGhee@....com>
Subject: Re: [Full-disclosure] Microsoft Patents the "sudo" command
To: "Todd C. Miller" <Todd.Miller@...rtesan.com>, Leandro Malaquias
	<lm.net.security@...il.com>
Cc: "full-disclosure@...ts.grok.org.uk"
	<full-disclosure@...ts.grok.org.uk>
Message-ID:
	<DEF48B74C2B9A041B12DF257E0E136DD022B9B5A8B@...day212.corp.ncr.com>
Content-Type: text/plain; charset="us-ascii"

Total propaganda, if you read it properly you will see.. Ms will not ever own or patent the sudo command. They offer a list of accounts which will be needed when elevated privileges are required.. Sudo doesn't do anything like this at all..

Long live Unix commands, down with the cmd. 

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Todd C. Miller
Sent: 12 November 2009 15:36
To: Leandro Malaquias
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Microsoft Patents the "sudo" command

In message <4AFC1708.7040508@...il.com>
	so spake Leandro Malaquias (lm.net.security):

> Website: http://gizmodo.com/5402796/microsoft-patents-the-sudo-command
> Patent: 
> http://patft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=P
> ALL&p=1 
> &u=/netahtml/PTO/srchnum.htm&r=1&f=G&l=50&s1=7,617,530.PN.&OS=PN/7,617
> ,530&RS
> =PN/7,617,530

This doesn't sound like it would cover sudo to me, or even a GUI-wrapper for sudo.  While I am not a patent attorney, I have been hacking on sudo for the past 15+ years.

My reading of the patent indicates that it is geared towards GUI-based environments where the user may need to perform some action (such as setting the clock in a control panel) that requires increased privileges.  The actual "invention" appears to be that the user is able to perform an action as a different user without having to type in the name of that other user when authenticating.  One example given in that patent is the ability to click on a name in a list of privileged users as opposed to having to type in a user name.

Sudo simply doesn't work this way.

 - todd

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

End of Full-Disclosure Digest, Vol 57, Issue 17
***********************************************

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ