lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20131120151220.33280@gmx.com>
Date: Wed, 20 Nov 2013 10:12:19 -0500
From: "steve jobs" <job.steve@...l.com>
To: full-disclosure@...ts.grok.org.uk,sales@...erva.com,support@...erva.com
Cc: bugtraq@...urityfocus.com
Subject: Imperva WAF/DAF 9.5 patch8 and 10.0 patch 2
	localroot vulnerability

Imperva use hardened centos 5.4 to run Web Application Firewall and Database Activity Monitoring product.
It could be exploit to get root in the kernel 2.6.18-164.15.1.el5.imp4 which was built by imperva in 9.5 patch 8 and 10.0 patch 2.
I hope imperva could upgrade your OS to centos 5.9 with kernel 2.6.18-348 to keep your system secure.
Your can check the attachment for details.

[test95p8@...AF ~]$ uname -a
Linux GFWAF 2.6.18-164.15.1.el5.imp4 #1 SMP Mon Apr 8 15:29:20 IDT 2013 x86_64 x86_64 x86_64 GNU/Linux
[test95p8@...AF ~]$ cat /etc/redhat-release
Imperva release 5.4 (Final)
[test95p8@...AF ~]$ wc -l /etc/shadow
wc: /etc/shadow: Permission denied
[test95p8@...AF ~]$ id
uid=505(test95p8) gid=507(test95p8) groups=507(test95p8)
[test95p8@...AF ~]$ ./centos54_localroot_exp
########snip##############
sh-3.2# id
uid=0(root) gid=507(test95p8) groups=507(test95p8)
sh-3.2# wc -l /etc/shadow
40 /etc/shadow
sh-3.2#

[root@WAF ~]# impctl platform show 2> /dev/null | grep version
version 10.0.0.2_0
[root@WAF ~]# uname -a
Linux WAF 2.6.18-164.15.1.el5.imp4 #1 SMP Mon Apr 8 15:29:20 IDT 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@WAF ~]# cat /etc/redhat-release
Imperva release 5.4 (Final)

Content of type "text/html" skipped

Download attachment "imperva10p2.png" of type "image/png" (40987 bytes)

Download attachment "imperva9.5p8.png" of type "image/png" (166423 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists