OpenBSD Connected Socket Ownership Vulnerability
BugTraq ID: 3406
Remote: No
Date Published: 2001-10-06 00:00:00
Relevant URL: http://www.securityfocus.com/bid/3406
Summary:

OpenBSD contains a bug that allows users capable of executing local processes to send signals to processes on the system belonging to other users. This could result in unpredictable behavior or denial of service against the recipient processes. The default action when SIGIO and SIGURG signals are received in OpenBSD is "ignore", but this issue could still affect processes designed to catch these signals.

On many UNIX systems, including OpenBSD, asynchronous I/O is implemented using the signal subsystem. Sockets can be set so that once data is available for reading, a SIGIO signal is sent to the process that owns the socket. A SIGURG signal may also be sent to the socket owner process when Out-Of-Band data is received. Normally the process signalled is the socket creator, but the PID to be signalled can be set using the fcntl() F_SETOWN operation or the ioctl() FIOSETOWN operation. Normally one process should not be able to set the descriptor owner to an arbitrary process ID owned by another user. Socket ownership information is stored by the kernel in the socket structure fields "so_siguid" and "so_sigeuid", and when a signal is to be generated the recipient process UID is checked against these to ensure the operation does not violate the permissions of the process that created the socket. It is noteworthy that authorization is not performed when fcntl() F_SETOWN is called, only when signals are generated.

This vulnerability arises when a connection is completed and accept() is called. The routine that generates the new connected socket, sonewconn1, fails to properly copy the "so_siguid" and "so_sigeuid" fields to the new socket, setting them to zero instead. This causes the permission checking routine to fail when this socket generates signals, allowing SIGIO and SIGURG signals to be sent to unauthorized processes previously designated by F_SETOWN or FIOSETOWN.

An attacker may exploit this vulnerability to send SIGIO or SIGURG signals to arbitrary processes running on a host. It should be noted that this vulnerability may affect other BSD-based operating systems.

ht://Dig Remote Denial of Service/File Disclosure Vulnerability
BugTraq ID: 3410
Remote: Yes
Date Published: 2001-10-07 00:00:00
Relevant URL: http://www.securityfocus.com/bid/3410
Summary:

ht://Dig is a freely available, open-source web search engine and indexing package. ht://Dig is usable via the web interface or from the command line. It may be possible for a remote attacker to cause a denial of service or, under some circumstances, display arbitrary web-readable files. This is due to the fact that it is possible to pass command line arguments from the web interface. In particular, the -c [filename] argument is normally used to specify an alternate configuration file. A maliciously crafted web request naming /dev/zero may cause a denial of service by exhausting resources on the host. A request naming a web-readable file may cause it to be disclosed. For example:

http://target/cgi-bin/htsearch?-c/dev/zero
http://target/cgi-bin/htsearch?-c/path/to/webreadablefile

The first example will cause a denial of service which may affect the entire host (depending on resource limits). The second example has the potential to disclose an arbitrary web-readable file. Sensitive information contained in disclosed web-readable files may be used to mount further attacks on the host.

PHPBB 'bb_memberlist.php' Remote SQL Query Manipulation Vulnerability
BugTraq ID: 3411
Remote: Yes
Date Published: 2001-10-08 00:00:00
Relevant URL: http://www.securityfocus.com/bid/3411
Summary:

phpBB is free, open-source forum software that is written in PHP and backed by MySQL. A vulnerability exists in phpBB which makes it possible for a malicious user to remotely manipulate the logic of SQL queries. The following is an excerpt of the vulnerable code:

---
switch($sortby) {
    case '':
        [...]
    case 'posts':
        [...]
}
$sql = "SELECT * FROM users WHERE [...] ORDER BY $sortby";
---

This issue is caused by a missing "default:" label in a 'switch' block in 'bb_memberlist.php': a value of $sortby that matches none of the cases is interpolated into the query unchanged. As a result, it may be possible to view, delete or modify data in the MySQL database.

Util-Linux Login PAM Privilege Elevation Vulnerability
BugTraq ID: 3415
Remote: No
Date Published: 2001-10-09 00:00:00
Relevant URL: http://www.securityfocus.com/bid/3415
Summary:

util-linux is a freely available, open source software package that provides implementations of standard UNIX utilities, such as login. A problem in the package could allow a local user to gain elevated privileges. This is due to an unexpected interaction with the PAM utilities. It is possible for a user to log into a system and gain elevated privileges at login. When the number of users of a certain group is being limited via the pam_limits module, and a user accesses the system via a utility that uses login, the user may be granted arbitrary rights. This makes it possible for a user with legitimate access to the system to gain elevated privileges, and potentially access sensitive information or programs. The user could gain the rights of console, or potentially pts/0 rights.

- To post an announcement: [EMAIL PROTECTED]
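Returning to the phpBB 'bb_memberlist.php' issue above: the following is an added illustration, not phpBB's own code, showing the vulnerable switch pattern beside a hardened form that adds the missing default: label and only ever places server-side constants into ORDER BY. The case bodies, the column names and the users table layout are assumed.

```php
<?php
// Vulnerable pattern, as the advisory describes it: the switch has no
// default: label, so a $sortby that matches no case reaches the query
// untouched. (Case bodies are assumed; the advisory elides them.)
function build_sql_vulnerable(string $sortby): string
{
    switch ($sortby) {
        case '':
            $sortby = 'username';
            break;
        case 'posts':
            // accepted as-is
            break;
        // no default: any other value falls straight through
    }
    return "SELECT * FROM users ORDER BY $sortby";
}

// Hardened form: every branch, including the default, assigns a literal
// column name, so request data never becomes SQL text.
function build_sql_hardened(string $sortby): string
{
    switch ($sortby) {
        case 'posts':
            $column = 'user_posts';
            break;
        case 'joined':
            $column = 'user_regdate';
            break;
        default:            // the label the vulnerable code lacked
            $column = 'username';
            break;
    }
    return "SELECT * FROM users ORDER BY $column";
}

// Constructed request values: the third one is not a column name at all.
foreach (['posts', '', 'username; SELECT 1'] as $in) {
    echo "vulnerable: ", build_sql_vulnerable($in), "\n";
    echo "hardened:   ", build_sql_hardened($in), "\n";
}
```

Note that the same property holds if the default: branch rejects the request instead of substituting a safe column; what matters is that no path lets the user-supplied string reach the query.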
