Message-ID: <CAHw3cgTTSbAjfFMs6kscwUZBTaqrn7R_1pOE8Yu6mwNtWHGALQ@mail.gmail.com>
Date: Sat, 5 Nov 2011 19:43:46 +0000
From: Ryan Dewhurst <ryandewhurst@...il.com>
To: Ed Carp <erc@...ox.com>
Cc: full-disclosure@...ts.grok.org.uk, Valdis.Kletnieks@...edu
Subject: Re: Oracle NoSQL Directory Traversal

It doesn't matter what file was included. The problem is that a local
file can be included, irrelevant to the choice of file.

Ryan Dewhurst

blog     www.ethicalhack3r.co.uk
twitter  www.twitter.com/ethicalhack3r
projects www.dvwa.co.uk | www.webwordcount.com | code.google.com/p/wpscan

On Sat, Nov 5, 2011 at 7:30 PM, Ed Carp <erc@...ox.com> wrote:
> Password file, yawn. Shadow password file, that would be a much bigger
> deal...
>
> On Nov 5, 2011 11:46 AM, <Valdis.Kletnieks@...edu> wrote:
>>
>> On Sat, 05 Nov 2011 18:58:20 BST, Buherátor said:
>>
>> > "Oracle NoSQL Database is intended to be installed in a secure
>> > location where physical and network access to the store is restricted
>> > to trusted users.
>>
>> Which any savvy sysadmin knows really means "It's your problem to set
>> up iptables to restrict this sucker..."
>>
>> And of course, *that* usually means "avoid this product like the plague"
>> ;)
>>
>> > $ curl -v
>> > http://127.0.0.1:5001/kvadminui/LogDownloadService?log=../../../../../../../../../../../../../../../etc/passwd
>>
>> OK as far as it goes. But take it a step further. Does the
>> LogDownloadService process do any sanity checking and only let you
>> download world-readable files? If so, it's quite the yawner of an
>> "exploit".
>>
>> Or does it let you snarf up /etc/shadow, or other ways to get a system
>> privilege escalation. Remember - you could have users trusted with the
>> data in the database, but not other content on the system. A *lot* of
>> shops have policy where the DBAs do *not* have the root password - can
>> you use this to bypass that policy? Can you get it to cough up a file
>> containing the database config or access passwords? Can you get it to
>> cough up the logfile where it logs the fact you accessed it (and can
>> you abuse that into an infinite loop filling the log space?) What other
>> creative failure modes can you come up with for this "fee-chur"? :)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
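The sanity check Valdis asks about, written the way a defender would want it: an added example (not Oracle's code and not from the thread) that resolves the requested log name against a fixed log directory and refuses anything that lands outside it, plus a detection helper for the `log=` parameter in access logs; the directory, file names and request strings are constructed.

```python
# Added example, not Oracle's code: resolve a user-supplied log name against
# a fixed log root and refuse anything outside it, plus an access-log check.
# The directory layout, file names and request strings are constructed.
import os
import tempfile
from urllib.parse import parse_qs, unquote, urlsplit

class TraversalRejected(ValueError):
    """The requested name does not resolve inside the log root."""

def resolve_log_path(log_root, requested):
    """Canonical path of `requested` if it lies under `log_root`, else raise.
    The decision is made on the *resolved* path: absolute names, `..`
    segments, percent-encoded dots and symlinks all fall out of realpath()
    plus one prefix comparison, with no blacklist of input strings."""
    name = unquote(unquote(requested))  # two rounds defeat double-encoding
    if "\x00" in name:
        raise TraversalRejected("NUL byte in requested name")
    root = os.path.realpath(log_root)
    # join() discards `root` when `name` is absolute; the prefix check below
    # still rejects it because the result is not under `root`.
    candidate = os.path.realpath(os.path.join(root, name))
    if not candidate.startswith(root + os.sep):
        raise TraversalRejected(f"{requested!r} resolves outside {log_root!r}")
    return candidate

def is_allowed(log_root, requested):
    """Boolean form of resolve_log_path() for access checks."""
    try:
        resolve_log_path(log_root, requested)
        return True
    except TraversalRejected:
        return False

def is_traversal_request(request_target):
    """Detection helper for access logs: True when a `log=` value names an
    absolute path or contains a parent-directory segment after decoding."""
    for value in parse_qs(urlsplit(request_target).query).get("log", []):
        name = unquote(unquote(value)).replace("\\", "/")
        if name.startswith("/") or ".." in name.split("/"):
            return True
    return False

def make_demo_root():
    """Create a constructed log directory holding one real log file."""
    root = tempfile.mkdtemp(prefix="kvlogs_")
    with open(os.path.join(root, "admin.log"), "w") as fh:
        fh.write("constructed sample log line\n")
    return root
```

Checking the resolved path rather than searching the input for `../` is what makes the double-encoded and absolute-path variants fall out without special cases.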