[Full-disclosure] PHP multipart/form-data denial of service
Description

PHP version 5.3.1 was just released. This release contains a patch for a denial of service condition we reported on 27 October 2009.

The problem is related to PHP's handling of RFC 1867 (Form-based File Upload in HTML). When you send a POST request to a PHP script with the content-type multipart/form-data and include a list of files in that request, PHP will create a temporary file for each file in the request. PHP will create those files regardless of whether the script handles file uploads or not. After the script has executed, the temporary files are deleted.

The problem is that you can include a very large number of files in the request. PHP needs to create all of those files before the script is executed and delete them afterwards. The denial of service condition appears when you create a bunch of requests, each containing a large number (15000+) of files. When you send these requests to the web server, the web server collapses and stops responding because it has to process (create and delete) an insane number of files in a very short period of time.

Any website that runs PHP and where file uploading is enabled (which is the default configuration) is vulnerable. You don't need to have a file upload script. PHP does include 2 configuration settings that are related to this situation: upload_max_filesize and post_max_size. However, these are not enough to protect against this denial of service attack.

Workarounds

Currently, I'm aware of three workarounds for this problem:

1. Disable file uploads

If you don't need file uploading, you can disable this feature from php.ini:

    file_uploads = Off

2. Install PHP 5.3.1

If you cannot disable file uploading on your website, it's recommended to install the latest version of PHP. PHP 5.3.1 includes a patch for this problem:

  - Added max_file_uploads INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion.

3. Install Suhosin PHP extension

The Suhosin PHP extension has an option named suhosin.upload.max_uploads. This option defines the maximum number of files that may be uploaded with one request and by default is set to 25. The Suhosin PHP extension should not be confused with the Suhosin Patch, which does not protect against this attack. Quote from the hardened-php website:

    Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against bufferoverflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections.

It's recommended to apply one of the workarounds described above as soon as possible. Below are some conclusions I've gathered from testing this on different systems.

Conclusions and real life results
--

This attack can make the web server unresponsive in a short period of time (under 2 minutes) with a very small number of requests. Also, this attack doesn't leave any obvious tracks in the logs (only a bunch of POST requests) and can be executed through a proxy server.

Some operating systems will handle this condition very badly. For example in one case (a FreeBSD 7.1), the network stack completely crashed and the server was unreachable from the local network. I had to manually restart it from the console. On Linux (Ubuntu), the web server will not be reachable for hours after being attacked for 1-2 minutes.

Real life results:

1. PHP on Linux (Ubuntu 8.10) = PHP Version 5.2.6-2ubuntu4.3

Timeline:

14:50 - started the attack
14:51 - web server is no longer responsive. load average: 102.02, 30.68, 10.68
14:52 - web server is not responsive. load average: 129.95, 49.29, 18.05
14:52 - attack is aborted
14:53 - web server is not responsive. load average: 143.58, 67.90, 26.41
14:54 - web server is not responsive. load average: 149.60, 89.58, 37.93
16:05 - web server is not responsive. load average: 151.64, 120.91, 60.94

I wanted to check how many temporary files were created:

    $ ls -la /tmp/php* | wc -l
    -bash: /bin/ls: Argument list too long
    0

I've created a script to count the files:

    $ php count_files_from_dir.php /tmp/php*
    2.419.649

So, one hour later, the web server is not responsive and there are 2.419.649 temporary files. If you restart the web server, these files are not deleted.

2. PHP on FreeBSD 7.2 == PHP Version 5.2.9

Timeline:

14:00 - attack is started.
14:01 - web server is no longer responsive (Chrome message: Error 101 (net::ERR_CONNECTION_RESET): Unknown error.). load average: 87:22, 22.61, 9.9
14:02 - attack is aborted.
14:06 - web server is no longer responsive. load averages: 45.42, 42.35, 22.59
14:11 - web server is not responsive. load averages: 26.77, 35.78, 23.49

The system is slowed down to a crawl. Basically
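The advisory's point is that every multipart part carrying a filename becomes a temporary file before the script runs, and that upload_max_filesize and post_max_size do not bound the number of parts. The following is an added example, not code from the advisory or from PHP, showing how a front end (reverse proxy, WAF, or an upload gateway in front of older PHP) can apply the same kind of limit that max_file_uploads later added: parse the multipart/form-data body, count the parts that would become temporary files, and refuse the request when they exceed a cap. The cap of 20 is taken from the max_file_uploads default quoted above; the function names and the sample request body are this example's own constructions.

```python
"""Front-end check for the multipart/form-data condition described above.

Added example, not code from the original advisory. It applies the advisory's
own observation from the defender's side: PHP turns every multipart part that
carries a filename into a temporary file, so a reverse proxy or WAF can count
those parts and refuse a request before PHP touches the filesystem. The cap of
20 matches the max_file_uploads default quoted in the advisory; the request
body at the bottom is constructed sample data.
"""
import re

MAX_FILE_PARTS = 20  # same default as PHP 5.3.1's max_file_uploads

# boundary=value or boundary="quoted value" inside the Content-Type header
_BOUNDARY_RE = re.compile(r'boundary=(?:"([^"]+)"|([^;,\s]+))', re.IGNORECASE)
# A part header block whose Content-Disposition carries a filename parameter;
# these are the parts PHP's RFC 1867 handler writes to temporary files.
_FILENAME_RE = re.compile(rb"content-disposition:[^\r\n]*;\s*filename=", re.IGNORECASE)


def boundary_from_content_type(content_type: str) -> str:
    """Return the boundary parameter of a multipart/form-data Content-Type."""
    if not content_type.lower().startswith("multipart/form-data"):
        raise ValueError("not a multipart/form-data request")
    match = _BOUNDARY_RE.search(content_type)
    if match is None:
        raise ValueError("multipart/form-data without a boundary parameter")
    return match.group(1) or match.group(2)


def count_file_parts(body: bytes, boundary: str) -> int:
    """Count the parts that PHP would turn into temporary files."""
    delimiter = b"--" + boundary.encode("ascii")
    file_parts = 0
    for chunk in body.split(delimiter)[1:]:  # chunk 0 is the preamble
        if chunk.startswith(b"--"):  # closing delimiter: --boundary--
            break
        headers, _, _ = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if _FILENAME_RE.search(headers):
            file_parts += 1
    return file_parts


def should_reject(content_type: str, body: bytes, limit: int = MAX_FILE_PARTS) -> bool:
    """True when the request carries more file parts than the limit allows.

    Non-multipart requests are never rejected here: PHP's upload handler
    does nothing with them, so there is nothing to cap.
    """
    try:
        boundary = boundary_from_content_type(content_type)
    except ValueError:
        return False
    return count_file_parts(body, boundary) > limit


# Constructed sample request: one ordinary form field plus three file parts.
SAMPLE_BOUNDARY = "ExampleBoundary1234"
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=" + SAMPLE_BOUNDARY
SAMPLE_BODY = (
    b"--ExampleBoundary1234\r\n"
    b'Content-Disposition: form-data; name="comment"\r\n'
    b"\r\n"
    b"hello\r\n"
    b"--ExampleBoundary1234\r\n"
    b'Content-Disposition: form-data; name="f1"; filename="a.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"A\r\n"
    b"--ExampleBoundary1234\r\n"
    b'Content-Disposition: form-data; name="f2"; filename="b.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"B\r\n"
    b"--ExampleBoundary1234\r\n"
    b'Content-Disposition: form-data; name="f3"; filename="c.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"C\r\n"
    b"--ExampleBoundary1234--\r\n"
)

if __name__ == "__main__":
    n = count_file_parts(SAMPLE_BODY, SAMPLE_BOUNDARY)
    print(f"file parts: {n}, reject at default limit: "
          f"{should_reject(SAMPLE_CONTENT_TYPE, SAMPLE_BODY)}")
    print(f"reject with limit=2: "
          f"{should_reject(SAMPLE_CONTENT_TYPE, SAMPLE_BODY, limit=2)}")
```

The count only looks at part headers, so the body does not need to be decoded or buffered past the header block of each part; a request with no multipart content type is passed through untouched because PHP's upload handler never acts on it. Ordinary form fields (no filename parameter) are deliberately not counted, since they never become temporary files.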
Re: [Full-disclosure] Meet Kurt Greenbaum, Director of Social Media, St. Louis Post-Dispatch, Reports commenter to employer.
On Fri, 20 Nov 2009 01:42:08 +0100, netinfinity said:

> necessary to submit the post. If this fails then you should contact the ISP of the spammer based on the IP.

Unfortunately, that's exactly what *did* happen. Although for *home* users, the 'ISP' is the person to complain to, for organizations that run their own networks (like many businesses and schools, etc) the proper place to complain is the network management of that organization. He contacted the admins of the school's network, and said "One of your users is being a bozo". The admin found the user and it resulted in the user resigning.

(Remember - in this case, contacting the school's network provider would *not* have found the user, because the network provider just provides a connection and bandwidth. Any login records/etc are at the *school*, not the provider).

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Pussy and the right to free speech.
This whole thing is ridiculous. Kurt Greenbaum is an idiot. What kind of question is that in the first place? Only an idiot would post "what's the strangest thing you've ever eaten" and not expect some obvious remarks.

And what's wrong with pussy? Eating pussy is good! I LOVE eating pussy! All they guys I know, along with several women I know love to eat pussy. I eat pussy. You eat pussy. Everyone eats pussy. That's because it's fun. And it's good. Even Dr. Seuss eats pussy as illustrated by one of his less distributed works:

Big pussy, small pussy,
girls at the mall pussy,
almost any kind of pussy will do.
Thin pussy, fat pussy,
Dog pussy, cat pussy,
Licking your screen pussy is just fine too.
Hot pussy, cold pussy,
Young pussy, old pussy,
Christian, Agnostic, a Muslim, or Jew.
I eat pussy standing up, I eat pussy sitting down.
I eat pussy on the side of the bed with my knees on the ground.
I eat pussy that is nice, I eat pussy that is mean.
I eat pussy till that fine pussy get wet up and steam.
Real pussy, toy pussy,
As long as it's not boy pussy,
Or from that dike that they had on The View.
Rich pussy, poor pussy,
Virgin or whore pussy,
I eat it even when she swats on the loo.
Sweet pussy, sour pussy,
Pay by the hour pussy,
I always make sure that I show them my Fu.
I eat pussy in the sun, I eat pussy in a haze.
I eat pussy till my face is covered in glaze.
I eat pussy in a tree, I eat pussy in a pit,
I flickity flick flick my tongue on that clit.
So, if Kurt don't eat pussy, he must be a fag,
or only ate pussy that was on the rag.
And if you don't want Greenbaum to make you the fool,
Don't talk about pussy when you are at school.

Yuri Nate
[Full-disclosure] VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2009-0016
Synopsis:          VMware vCenter and ESX update release and vMA patch
                   release address multiple security issues in third
                   party components
Issue date:        2009-11-20
Updated on:        2009-11-20 (initial release of advisory)
CVE numbers:
  --- JRE ---
  CVE-2009-1093 CVE-2009-1094 CVE-2009-1095 CVE-2009-1096 CVE-2009-1097
  CVE-2009-1098 CVE-2009-1099 CVE-2009-1100 CVE-2009-1101 CVE-2009-1102
  CVE-2009-1103 CVE-2009-1104 CVE-2009-1105 CVE-2009-1106 CVE-2009-1107
  CVE-2009-2625 CVE-2009-2670 CVE-2009-2671 CVE-2009-2672 CVE-2009-2673
  CVE-2009-2675 CVE-2009-2676 CVE-2009-2716 CVE-2009-2718 CVE-2009-2719
  CVE-2009-2720 CVE-2009-2721 CVE-2009-2722 CVE-2009-2723 CVE-2009-2724
  --- Tomcat ---
  CVE-2008-5515 CVE-2009-0033 CVE-2009-0580 CVE-2009-0781 CVE-2009-0783
  CVE-2008-1232 CVE-2008-1947 CVE-2008-2370 CVE-2007-5333 CVE-2007-5342
  CVE-2007-5461 CVE-2007-6286 CVE-2008-0002
  --- ntp ---
  CVE-2009-1252 CVE-2009-0159
  --- kernel ---
  CVE-2008-3528 CVE-2008-5700 CVE-2009-0028 CVE-2009-0269 CVE-2009-0322
  CVE-2009-0675 CVE-2009-0676 CVE-2009-0778 CVE-2008-4307 CVE-2009-0834
  CVE-2009-1337 CVE-2009-0787 CVE-2009-1336 CVE-2009-1439 CVE-2009-1633
  CVE-2009-1072 CVE-2009-1630 CVE-2009-1192 CVE-2007-5966 CVE-2009-1385
  CVE-2009-1388 CVE-2009-1389 CVE-2009-1895 CVE-2009-2406 CVE-2009-2407
  CVE-2009-2692 CVE-2009-2698 CVE-2009-0745 CVE-2009-0746 CVE-2009-0747
  CVE-2009-0748 CVE-2009-2847 CVE-2009-2848
  --- python ---
  CVE-2007-2052 CVE-2007-4965 CVE-2008-1721 CVE-2008-1887 CVE-2008-2315
  CVE-2008-3142 CVE-2008-3143 CVE-2008-3144 CVE-2008-4864 CVE-2008-5031
  --- bind ---
  CVE-2009-0696
  --- libxml and libxml2 ---
  CVE-2009-2414 CVE-2009-2416
  --- curl ---
  CVE-2009-2417
  --- gnutil ---
  CVE-2007-2052
- ------------------------------------------------------------------------

1. Summary

   Updated Java JRE packages and Tomcat packages address several security
   issues. Updates for the ESX Service Console and vMA include kernel, ntp,
   Python, bind, libxml, libxml2, curl and gnutil packages. ntp is also
   updated for ESXi userworlds.

2. Relevant releases

   vCenter Server 4.0 before Update 1

   ESXi 4.0 without patch ESXi400-200911201-UG

   ESX 4.0 without patches ESX400-200911201-UG, ESX400-200911223-UG,
   ESX400-200911232-SG, ESX400-200911233-SG, ESX400-200911234-SG,
   ESX400-200911235-SG, ESX400-200911237-SG, ESX400-200911238-SG

   vMA 4.0 before patch 02

3. Problem Description

 a. JRE Security Update

   JRE update to version 1.5.0_20, which addresses multiple security
   issues that existed in earlier releases of JRE.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the following names to the security issues fixed in
   JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095,
   CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099,
   CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103,
   CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the following names to the security issues fixed in
   JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671,
   CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676,
   CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720,
   CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724.

   The following table lists what action remediates the vulnerability
   (column 4) if a solution is available.

   VMware         Product   Running   Replace with/
   Product        Version   on        Apply Patch
   =============  ========  ========  =======================
   vCenter        4.0       Windows   Update 1
   VirtualCenter  2.5       Windows   affected, patch pending
   VirtualCenter  2.0.2     Windows   affected, patch pending
   Workstation    any       any       not affected
   Player         any       any       not
Re: [Full-disclosure] Meet Kurt Greenbaum, Director of Social Media, St. Louis Post-Dispatch, Reports commenter to employer.
> (Remember - in this case, contacting the school's network provider would *not* have found the user, because the network provider just provides a connection and bandwidth. Any login records/etc are at the *school*, not the provider).

Valdis .. not sure about that school since it was K12, but in both your case and mine .. we *are* the ISP (insofar as we have our own ASN and valid info on whois). If K12 is done there like I've seen in a lot of other places, they probably have a consortium that provides connectivity and each institution has a CIDR block within the consortium's AS .. and I'm sure the school had some web-nazi appliance that made it a few clicks of a mouse to figure out whodunit.

Also .. as to the legal matters .. the instructor in question would have been in a much better position if he'd been fired rather than resigning. Granted, he probably quit because he knew he *would* be fired .. but it's hard to argue unlawful termination when you quit on your own (IANAL, etc.).

Cheers,

Michael Holstein
Cleveland State University
[Full-disclosure] ZDI-09-085: Hewlett-Packard Operations Manager Server Backdoor Account Code Execution Vulnerability
ZDI-09-085: Hewlett-Packard Operations Manager Server Backdoor Account Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-085
November 20, 2009

-- CVE ID:
CVE-2009-3843

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard OpenView Operations Manager for Windows

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 9261. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Operations Manager. Authentication is not required to exploit this vulnerability.

The specific flaw exists due to a hidden account present within the Tomcat users XML file. Using this account a malicious user can access the org.apache.catalina.manager.HTMLManagerServlet class. This is defined within the catalina-manager.jar file installed with the product. This servlet allows a remote user to upload a file via a POST request to /manager/html/upload. If an attacker uploads malicious content it can then be accessed and executed on the server, which leads to arbitrary code execution under the context of the SYSTEM user.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at:

    http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01931960

-- Disclosure Timeline:
2009-11-09 - Vulnerability reported to vendor
2009-11-20 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Stephen Fewer of Harmony Security (www.harmonysecurity.com)

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/
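The advisory traces the flaw to an account in the Tomcat users XML file that nobody provisioned deliberately, yet which can reach the manager servlet. The natural defender's check for any product bundling Tomcat is to enumerate every account in that file and flag those holding manager roles, so unexpected entries stand out. The script below is an added example, not code from ZDI, HP or Tomcat. It assumes the Tomcat role naming convention ("manager" in older releases, "manager-*" in newer ones) and the fact that newer releases write tomcat-users.xml with a default XML namespace; the sample file, user names and function names are constructed for the example, and the advisory does not disclose the hidden account's name or roles.

```python
"""Audit a tomcat-users.xml for accounts that can reach the Tomcat manager.

Added example, not part of the ZDI advisory or HP's product. It lists every
user in a tomcat-users.xml and flags those whose roles grant manager access,
so an operator can review accounts they did not create. Assumptions (not from
the advisory): manager roles are the ones Tomcat itself names "manager"
(older releases) and "manager-*" (newer releases); the XML below is
constructed sample data.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET


def _local_name(tag: str) -> str:
    """Strip an XML namespace prefix ({uri}name -> name); newer Tomcat releases
    write tomcat-users.xml with a default namespace, older ones without."""
    return tag.rsplit("}", 1)[-1]


def is_manager_role(role: str) -> bool:
    """Tomcat's manager webapp roles: "manager" or any "manager-*" variant."""
    role = role.strip().lower()
    return role == "manager" or role.startswith("manager-")


def list_users(xml_text: str) -> dict[str, list[str]]:
    """Map every username in tomcat-users.xml to its list of roles."""
    root = ET.fromstring(xml_text)
    users: dict[str, list[str]] = {}
    for elem in root.iter():
        if _local_name(elem.tag) != "user":
            continue
        # Tomcat accepts both "username" and the older "name" attribute.
        name = elem.get("username") or elem.get("name") or ""
        roles = [r.strip() for r in elem.get("roles", "").split(",") if r.strip()]
        users[name] = roles
    return users


def manager_accounts(xml_text: str) -> dict[str, list[str]]:
    """Return only the users holding at least one manager role."""
    return {
        name: roles
        for name, roles in list_users(xml_text).items()
        if any(is_manager_role(r) for r in roles)
    }


# Constructed sample file: a reporting account and an unexplained maintenance
# account holding manager roles. Passwords are placeholders.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="reporting"/>
  <role rolename="manager"/>
  <role rolename="manager-gui"/>
  <user username="ops_reports" password="PLACEHOLDER" roles="reporting"/>
  <user username="svc_maint" password="PLACEHOLDER" roles="manager, manager-gui"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for name, roles in list_users(SAMPLE_TOMCAT_USERS).items():
        flag = "MANAGER" if any(is_manager_role(r) for r in roles) else "ok"
        print(f"{flag:8} {name}: {', '.join(roles)}")
```

Run it against the tomcat-users.xml shipped with a product rather than the one you maintain by hand: the point of the check is to surface accounts that exist in the file without appearing in your own provisioning records. Removing or disabling the manager webapp where it is not needed removes the upload path the advisory describes regardless of which accounts exist.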
[Full-disclosure] [ MDVSA-2009:301 ] kernel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:301
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : kernel
 Date    : November 20, 2009
 Affected: Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel:

 Memory leak in the appletalk subsystem in the Linux kernel 2.4.x through 2.4.37.6 and 2.6.x through 2.6.31, when the appletalk and ipddp modules are loaded but the ipddpN device is not found, allows remote attackers to cause a denial of service (memory consumption) via IP-DDP datagrams. (CVE-2009-2903)

 Multiple race conditions in fs/pipe.c in the Linux kernel before 2.6.32-rc6 allow local users to cause a denial of service (NULL pointer dereference and system crash) or gain privileges by attempting to open an anonymous pipe via a /proc/*/fd/ pathname. (CVE-2009-3547)

 The tcf_fill_node function in net/sched/cls_api.c in the netlink subsystem in the Linux kernel 2.6.x before 2.6.32-rc5, and 2.4.37.6 and earlier, does not initialize a certain tcm__pad2 structure member, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors. NOTE: this issue exists because of an incomplete fix for CVE-2005-4881. (CVE-2009-3612)

 net/unix/af_unix.c in the Linux kernel 2.6.31.4 and earlier allows local users to cause a denial of service (system hang) by creating an abstract-namespace AF_UNIX listening socket, performing a shutdown operation on this socket, and then performing a series of connect operations to this socket. (CVE-2009-3621)

 Integer overflow in the kvm_dev_ioctl_get_supported_cpuid function in arch/x86/kvm/x86.c in the KVM subsystem in the Linux kernel before 2.6.31.4 allows local users to have an unspecified impact via a KVM_GET_SUPPORTED_CPUID request to the kvm_arch_dev_ioctl function. (CVE-2009-3638)

 The nfs4_proc_lock function in fs/nfs/nfs4proc.c in the NFSv4 client in the Linux kernel before 2.6.31-rc4 allows remote NFS servers to cause a denial of service (NULL pointer dereference and panic) by sending a certain response containing incorrect file attributes, which trigger attempted use of an open file that lacks NFSv4 state. (CVE-2009-3726)

 Additionally, it includes the fixes from the stable kernel version 2.6.27.39. It also fixes issues with the bnx2 module in which the machine could become unresponsive.

 For details, see the package changelog.

 To update your kernel, please follow the directions located at:

 http://www.mandriva.com/en/security/kernelupdate
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2903
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3547
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3612
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3621
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3638
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3726
 https://qa.mandriva.com/53713
 https://qa.mandriva.com/55110
 https://qa.mandriva.com/54744
 https://qa.mandriva.com/54830
 https://qa.mandriva.com/55830
 https://qa.mandriva.com/55463
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 e788f76e09b588c51aeacee41fc7fdb7  mes5/i586/drm-experimental-kernel-2.6.27.39-desktop-1mnb-2.3.0-2.20080912.1mdv2009.0.i586.rpm
 fe5e45ee1ba7a261f84ba2abc5c44970  mes5/i586/drm-experimental-kernel-2.6.27.39-desktop586-1mnb-2.3.0-2.20080912.1mdv2009.0.i586.rpm
 f74d6db2808ce9aed2bad7eab029e104  mes5/i586/drm-experimental-kernel-2.6.27.39-server-1mnb-2.3.0-2.20080912.1mdv2009.0.i586.rpm
 ae7175ff239f33f143606f5978c958e9  mes5/i586/drm-experimental-kernel-desktop586-latest-2.3.0-1.20091119.2.20080912.1mdv2009.0.i586.rpm
 332b195911d72c1a5166f879304ff517  mes5/i586/drm-experimental-kernel-desktop-latest-2.3.0-1.20091119.2.20080912.1mdv2009.0.i586.rpm
 888cff26254825057f03795f8c67602e  mes5/i586/drm-experimental-kernel-server-latest-2.3.0-1.20091119.2.20080912.1mdv2009.0.i586.rpm
 76bdabbee107d159867b4cf68b789a98  mes5/i586/fglrx-kernel-2.6.27.39-desktop-1mnb-8.522-3mdv2009.0.i586.rpm
 74edb1c576329ce344c44a6b5a26acde  mes5/i586/fglrx-kernel-2.6.27.39-desktop586-1mnb-8.522-3mdv2009.0.i586.rpm
 658c43e6d8c7cbbb175e6e91d98db998  mes5/i586/fglrx-kernel-2.6.27.39-server-1mnb-8.522-3mdv2009.0.i586.rpm
 0faf0032b36e4abf40fefc2d200ccb38  mes5/i586/fglrx-kernel-desktop586-latest-8.522-1.20091119.3mdv2009.0.i586.rpm
 e577114b5c62e4c095900a3043b1fa5a  mes5/i586/fglrx-kernel-desktop-latest-8.522-1.20091119.3mdv2009.0.i586.rpm
Re: [Full-disclosure] Pussy and the right to free speech.
http://www.kurtgreenbaum.com/
http://www.kurtgreenbaumisapussy.com/

Damn. This dude's getting some serious blowback. Why didn't someone take DidKurtGreenbaumRapeAndMurderAYoungGirlIn1990.com?

--- yuri.n...@hushmail.com wrote on Fri, 20.11.2009:

> From: yuri.n...@hushmail.com
> Subject: [Full-disclosure] Pussy and the right to free speech.
> To: full-disclosure@lists.grok.org.uk
> Date: Friday, 20 November 2009, 19:10