Re: [Full-disclosure] Symlink vulnerabilities
On Saturday 22 Oct 2011, valdis.kletni...@vt.edu wrote: > > If you had your way, would you see it implemented as /tmp/ > > //tmp, or some other way? > > It should be site-configurable - some places may have a large fast > /tmp area and they want a per-user directory on that disk space. > Other places may want to have /tmp redirected to /home/${USER}/tmp > so disk quotas apply, etc etc. There's also the issue of mounting /tmp noexec and nosuid on a separate filesystem that many people choose. Location of per-user tmp filesystem would also be impacted by that. At first sight, the best option from that point of view seems to be a per-user tmp under /tmp/$USER/ and mount /tmp noexec, nosuid. If you choose the ~$USER/tmp option, you'll probably have to do some userfs jugglery to achieve the same objective. Regards, -- Raj -- Raj Mathurr...@kandalaya.org http://kandalaya.org/ GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F PsyTrance & Chill: http://schizoid.in/ || It is the mind that moves "This e-mail message may contain confidential, proprietary or legally privileged information. It should not be used by anyone who is not the original intended recipient. If you have erroneously received this message, please delete it immediately and notify the sender. Any use or disclosure of the contents is unauthorised and may be unlawful. All liability for viruses is excluded to the fullest extent permitted by law. The recipient acknowledges that NetAmbit or its subsidiaries and associated companies, (collectively "NetAmbit Group"), are unable to exercise control or ensure or guarantee the integrity of/over the contents of the information contained in e-mail transmissions and further acknowledges that any views expressed in this message are those of the individual sender and no binding nature of the message shall be implied or assumed unless the sender does so expressly with due authority of NetAmbit Group.." ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Symlink vulnerabilities
On Sat, 22 Oct 2011 01:23:34 EDT, Byron Sonne said: > > If you are in charge of a distro, it would not hurt to nuke it > > altogether and change all packages in your control to use per-user > > $TMPDIR. Some third-party stuff will break - but it breaks every now > > and then anyway. > > Excellent suggestion, and you've piqued my curiosity. What distros exist > that implement tmp dirs in such a way? I haven't come across any, and > the more I think about it, the more I wish that this is something I > would see. Fedora's had the pam_namespace stuff for a while now - it got added about the same time as SELinux. It's also in RHEL 5 and later. It also appears to be in current Ubuntu and SLES 11.1. So it's a good question of what distros *don't* have the tools to implement this? Why they don't do it by default? Because if you screw up the config, things break in strange and mysterious ways. Those of you old enough to remember the first 2-3 years of "/etc/shadow is a separate file from /etc/passwd", or even further back to when the Sun-3 created "Not all the world's a Vax", know why distros aren't enabling it by default yet. But in 2-3 years, probably... > If you had your way, would you see it implemented as /tmp/ > //tmp, or some other way? It should be site-configurable - some places may have a large fast /tmp area and they want a per-user directory on that disk space. Other places may want to have /tmp redirected to /home/${USER}/tmp so disk quotas apply, etc etc. pgpPLTG4css1x.pgp Description: PGP signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Symlink vulnerabilities
On 22 October 2011 15:39, Michal Zalewski wrote: >> In any case, the *right* answer isn't to play whack-a-mole fixing /tmp races, >> what you should be doing is using pam_namespace or similar so each user gets >> their own /tmp namespace. > > That would result in counterintuitive behavior, I suppose... /tmp is a > fairly stupid and largely unnecessary artifact of the old. > > If you are in charge of a distro, it would not hurt to nuke it > altogether and change all packages in your control to use per-user > $TMPDIR. Some third-party stuff will break - but it breaks every now > and then anyway. Actually in Ubuntu YAMA(Yama Linux Security Module)[0] should block /tmp symlink attacks. According to [1] "In Ubuntu 10.10 and later, symlinks in world-writable sticky directories (e.g. /tmp) cannot be followed if the follower and directory owner do not match the symlink owner. The behavior is controllable through the /proc/sys/kernel/yama/protected_sticky_symlinks sysctl, available via Yama. " [0] http://zinc.canonical.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/yama [1] https://wiki.ubuntu.com/Security/Features ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Symlink vulnerabilities
> If you are in charge of a distro, it would not hurt to nuke it > altogether and change all packages in your control to use per-user > $TMPDIR. Some third-party stuff will break - but it breaks every now > and then anyway. Excellent suggestion, and you've piqued my curiosity. What distros exist that implement tmp dirs in such a way? I haven't come across any, and the more I think about it, the more I wish that this is something I would see. If you had your way, would you see it implemented as /tmp/ //tmp, or some other way? Cheers, B -- freebyron.org ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Symlink vulnerabilities
> In any case, the *right* answer isn't to play whack-a-mole fixing /tmp races, > what you should be doing is using pam_namespace or similar so each user gets > their own /tmp namespace. That would result in counterintuitive behavior, I suppose... /tmp is a fairly stupid and largely unnecessary artifact of the old. If you are in charge of a distro, it would not hurt to nuke it altogether and change all packages in your control to use per-user $TMPDIR. Some third-party stuff will break - but it breaks every now and then anyway. /mz ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ GLSA 201110-16 ] Cyrus IMAP Server: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Cyrus IMAP Server: Multiple vulnerabilities Date: October 22, 2011 Bugs: #283596, #382349, #385729 ID: 201110-16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis The Cyrus IMAP Server is affected by multiple vulnerabilities which could potentially lead to the remote execution of arbitrary code or a Denial of Service. Background == The Cyrus IMAP Server is an efficient, highly-scalable IMAP e-mail server. Affected packages = --- Package / Vulnerable /Unaffected --- 1 net-mail/cyrus-imapd < 2.4.12 >= 2.4.12 Description === Multiple vulnerabilities have been discovered in the Cyrus IMAP Server. Please review the CVE identifiers referenced below for details. Impact == An unauthenticated local or remote attacker may be able to execute arbitrary code with the privileges of the Cyrus IMAP Server process or cause a Denial of Service. Workaround == There is no known workaround at this time. Resolution == All Cyrus IMAP Server users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-mail/cyrus-imapd-2.4.12" References == [ 1 ] CVE-2009-2632 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2632 [ 2 ] CVE-2011-3208 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3208 [ 3 ] CVE-2011-3481 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3481 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201110-16.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: OpenPGP digital signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ GLSA 201110-15 ] GnuPG: User-assisted execution of arbitrary code
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-15 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: GnuPG: User-assisted execution of arbitrary code Date: October 22, 2011 Bugs: #329583 ID: 201110-15 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis The GPGSM utility included in GnuPG contains a use-after-free vulnerability that may allow an unauthenticated remote attacker to execute arbitrary code. Background == The GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite of cryptographic software. The GPGSM utility in GnuPG is responsible for processing X.509 certificates, signatures and encryption as well as S/MIME messages. Affected packages = --- Package / Vulnerable /Unaffected --- 1 app-crypt/gnupg< 2.0.16-r1 >= 2.0.16-r1 < 2.0 Description === The GPGSM utility in GnuPG contains a use-after-free vulnerability that may be exploited when importing a crafted X.509 certificate explicitly or during the signature verification process. Impact == An unauthenticated remote attacker may execute arbitrary code with the privileges of the user running GnuPG by enticing them to import a crafted certificate. Workaround == There is no known workaround at this time. Resolution == All GnuPG 2.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-crypt/gnupg-2.0.16-r1" References == [ 1 ] CVE-2010-2547 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2547 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201110-15.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: OpenPGP digital signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Symlink vulnerabilities
On Fri, 21 Oct 2011 19:59:59 EDT, b...@fbi.dhs.org said: > Which I thought people really didn't care too much about anymore, I took a > quick look at one of my ubuntu 8.04lts boxes: > These are so easy to fix/avoid, I don't know why developers are still > introducing them to their code. It's Ubuntu. What second userid is going to exploit the vulns? Not sure if the above deserves a smiley or not. But it's exactly the mindset that causes these bugs. In any case, the *right* answer isn't to play whack-a-mole fixing /tmp races, what you should be doing is using pam_namespace or similar so each user gets their own /tmp namespace. pgpjFK4Onci82.pgp Description: PGP signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Symlink vulnerabilities
After seeing an advisory for symlink attacks in ubuntu and opensuse: http://people.canonical.com/~ubuntu-security/cve/2009/CVE-2009-1297.html Which I thought people really didn't care too much about anymore, I took a quick look at one of my ubuntu 8.04lts boxes: /sbin/iscsi_discovery: df=/tmp/discovered.$$ <-- iscsi tmp vuln mentioned above. /usr/sbin/grub-install:log_file=/tmp/grub-install.log.$$ /usr/sbin/grub-install:img_file=/tmp/grub-install.img.$$ /usr/sbin/mkboot: b=$tmpdir/boot$$ /usr/sbin/MAKEFLOPPIES:TMPDEVICE=/dev/tmpfloppy$$ This is just what I saw in /sbin. These are so easy to fix/avoid, I don't know why developers are still introducing them to their code. Here are some for netbackup: /usr/openv/netbackup/bin/nblu_registration:TMPFILE=/tmp/nblureg.$$ /usr/openv/netbackup/bin/bp.kill_all: rm -f ${TMPDIR}/results.$$ /usr/openv/netbackup/bin/bp.kill_all: rm -f ${TMPDIR}/nb_daemons.$$ /usr/openv/netbackup/bin/bp.kill_all: rm -f ${TMPDIR}/nb_daemons.$$ bzexe utility: /bin/bzexe:tmp=gz$$ /bin/bzexe:rm -f zfoo[12]$$ lorder utility: /usr/bin/lorder:TDIR=/tmp/_lorder$$ bashbug: /usr/bin/bashbug:TEMPDIR=$TMPDIR/bbug.$$ Maybe I should use bashbug to report a bug in bashbug? http://www.downspout.org/?q=node/6 -- Larry Cashdollar ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Google Chrome PoC
To fuzz Opera the hole time is boring, so i fuzzed Google Chrome. ;) October 22, 2011 Ohh nice! What u doing google? Thx 4 ur bug! 0__o Google Chrome PoC, killing thread. Exploitable or only a DOS!? Found no way to exploit it. Good Luck!!! Testsystem: WinXP SP3, Win7(64 bit) Google Chrome version: 14.0.835.202 http://www.remoteshell.de/downloads/chrome-poc.txt ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ GLSA 201110-14 ] D-Bus: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-14 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: D-Bus: Multiple vulnerabilities Date: October 21, 2011 Bugs: #348766, #371261, #372743 ID: 201110-14 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Multiple vulnerabilities were found in D-Bus, the worst of which allowing for a symlink attack. Background == D-Bus is a message bus system, a simple way for applications to talk to each other. Affected packages = --- Package / Vulnerable /Unaffected --- 1 sys-apps/dbus< 1.4.12 >= 1.4.12 Description === Multiple vulnerabilities have been discovered in D-Bus. Please review the CVE identifiers referenced below for details. Impact == The vulnerabilities allow for local Denial of Service (daemon crash), or arbitrary file overwriting. Workaround == There is no known workaround at this time. Resolution == All D-Bus users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=sys-apps/dbus-1.4.12" References == [ 1 ] CVE-2010-4352 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4352 [ 2 ] CVE-2011-2200 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2200 [ 3 ] CVE-2011-2533 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2533 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201110-14.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: OpenPGP digital signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome pkcs11.txt File Planting
For what it's worth, I found this article to be far more "matter of fact" in regard to the general concept, the existing (default) conditions in play, and the conditions which need to be in place (or manipulated) in order for this to be exploited than some of the other material your company has presented in the past.Noting "it may or may not be a vulnerability" shows some research maturity and business intelligence on your part, and was actually refreshing. When researchers spend too much time painting dire pictures of impact based on (what is typically) non-standard or exaggerated exposure scenarios, the actual message in the research is lost. In this case, developers can very easily see how including features that support functions such as "library=\\www.binaryplanting.com\demo\chrome_pkcs11Planting\malicious.lib" is a really bad idea. t >-Original Message- >From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure- >boun...@lists.grok.org.uk] On Behalf Of ACROS Security Lists >Sent: Friday, October 21, 2011 2:07 AM >To: bugt...@securityfocus.com; full-disclosure@lists.grok.org.uk; >c...@cert.org; si-c...@arnes.si >Subject: [Full-disclosure] Google Chrome pkcs11.txt File Planting > > >A month ago our company notified Google about a peculiar behavior of >Chrome browser that can be exploited for execution of remote code outside >Chrome sandbox under specific conditions. Our new blog post describes it all. > >http://blog.acrossecurity.com/2011/10/google-chrome-pkcs11txt-file- >planting.html > >or > >http://bit.ly/olK1P9 > >Enjoy the reading! > > >Mitja Kolsek >CEO&CTO > >ACROS, d.o.o. >Makedonska ulica 113 >SI - 2000 Maribor, Slovenia >tel: +386 2 3000 280 >fax: +386 2 3000 282 >web: http://www.acrossecurity.com >blg: http://blog.acrossecurity.com > >ACROS Security: Finding Your Digital Vulnerabilities Before Others Do > > >___ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] TeamSHATTER Security Advisory: SQL Injection Vulnerability in Oracle DROP INDEX for spatial datatypes
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 TeamSHATTER Security Advisory October 20, 2011 Risk Level: High Affected versions: Oracle Database Server version 10gR1, 10gR2, 11gR1 and 11gR2 Remote exploitable: No Credits: This vulnerability was discovered and researched by Martin Rakhmanov of Application Security Inc. Details: Oracle Database supports spatial datatypes. A SQL Injection vulnerability exists in the handling of spatial indexes. Users with create table and create procedure privileges can elevate their privileges to SYSDBA (CVE-2011-3512). Impact: Privilege escalation to SYSDBA. Vendor Status: Vendor was contacted and a patch was released. Workaround: There is no workaround for this vulnerability. Fix: Apply Oracle Critical Patch Update October 2011 available at Oracle Support. CVE: CVE-2011-3512 Links: http://www.teamshatter.com/topics/general/team-shatter-exclusive/sql-injection-vulnerability-in-oracle-drop-index-for-spatial-datatypes/ http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html Timeline: Vendor Notification - 04/21/2011 Vendor Response - 04/26/2011 Fix - 10/18/2011 Public Disclosure - 10/20/2011 Application Security, Inc's database security solutions have helped over 2000 organizations secure their databases from all internal and external threats while also ensuring that those organizations meet or exceed regulatory compliance and audit requirements. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (MingW32) iEYEARECAAYFAk6hhx0ACgkQRx91imnNIgFSUgCePizpjKl/+eN7d9A3xWUdTU7i wbEAoMKkmzub1+zMsHpxHajawqN/QRBG =WdGH -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] TeamSHATTER Security Advisory: Database Vault Account Management Vulnerabilites
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 TeamSHATTER Security Advisory October 20, 2011 Risk Level: Medium Affected versions: Oracle Database Server version 10gR2, 11gR1 and 11gR2 Remote exploitable: Yes Credits: This vulnerability was discovered and researched by Esteban Martinez Fayo of Application Security Inc. Details: Oracle Database Vault provides additional protections from malicious privileged users. The protections include separation of duty for some tasks like user account management. Any user with SYSDBA privilege (CVE-2011-2322) or DV_ACCTMGR role (CVE-2011-3511) can bypass these protections and change any user's password (including Oracle Database Vault Owner user password) calling the OCIPasswordChange client API (the 'password' command in SqlPLUS uses this API). Impact: Users granted SYSDBA privilege (CVE-2011-2322) or DV_ACCTMGR role (CVE-2011-3511) can change any user's password (including the Oracle Database Vault Owner user password) calling the OCIPasswordChange client API ('password' command in SqlPLUS). Vendor Status: Vendor was contacted and a patch was released. Workaround: There is no workaround for this vulnerability. Fix: Apply Oracle Critical Patch Update October 2011 available at Oracle Support. CVE: CVE-2011-3511 CVE-2011-2322 Links: http://www.teamshatter.com/topics/general/team-shatter-exclusive/database-vault-account-management-vulnerabilites http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html Timeline: Vendor Notification - 5/10/2010 Vendor Response - 6/1/2010 Fix - 10/18/2011 Public Disclosure - 10/20/2011 Application Security, Inc's database security solutions have helped over 2000 organizations secure their databases from all internal and external threats while also ensuring that those organizations meet or exceed regulatory compliance and audit requirements. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (MingW32) iEYEARECAAYFAk6hhx8ACgkQRx91imnNIgEEzACdHBF4i1Ez+WY1BNrkN16uy+B7 XsMAoMYnzGmsLkZm/adVkswn1GTbibnB =Y+Op -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] TeamSHATTER Security Advisory: Buffer Overflow in Oracle Database (CTXSYS.DRVDISP.TABLEFUNC_ASOWN function)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 TeamSHATTER Security Advisory October 20, 2011 Risk Level: Medium Affected versions: Oracle Database Server version 10gR1, 10gR2 and 11gR1 Remote exploitable: Yes (Authentication to Database Server is needed) Credits: This vulnerability was discovered and researched by Esteban Martinez Fayo of Application Security Inc. Details: Oracle Database Server provides the CTXSYS.DRVDISP package that is part of Oracle Text component. This package contains the function TABLEFUNC_ASOWN which is vulnerable to buffer overflow attacks when it is called with a long string in their parameters. Impact: Any Oracle database user with EXECUTE privilege on CTXSYS.DRVDISP package (or with EXECUTE ANY PROCEDURE privilege) can exploit this vulnerability. Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause DoS (Denial of service) killing the Oracle server process. Vendor Status: Vendor was contacted and a patch was released. Workaround: Restrict EXECUTE permissions on the vulnerable package CTXSYS.DRVDISP. Fix: Apply Oracle Critical Patch Update October 2011 available at Oracle Support. CVE: CVE-2011-2301 Links: http://www.teamshatter.com/topics/general/team-shatter-exclusive/buffer-overflow-in-oracle-database-ctxsys-drvdisp-tablefunc_asown-function http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html Timeline: Vendor Notification - 5/31/2011 Vendor Response - 6/1/2011 Fix - 10/18/2011 Public Disclosure - 10/20/2011 Application Security, Inc's database security solutions have helped over 2000 organizations secure their databases from all internal and external threats while also ensuring that those organizations meet or exceed regulatory compliance and audit requirements. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (MingW32) iEYEARECAAYFAk6hhx8ACgkQRx91imnNIgGjJACfcgQJQbi1hQM6ULqFDZ+B8Nvh YiAAoLnn6pfpYHoa4fPXDOCXrDcTrJOH =vWgh -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [SECURITY][GNAA 1488-1] slimhttpd security-update
On Thu, 20 Oct 2011 10:09:07 CDT, Laurelai said: > Did any of the other channers on the list laugh uncontrollably at this? .eu addresses for an "of America" was a nice subtle touch. ;) pgp9pOMpAnUlp.pgp Description: PGP signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [SECURITY][GNAA 1488-1] slimhttpd security-update
Had to giggle when I saw it yesterday. ALMOST got nimped too at that,... On Thu, Oct 20, 2011 at 9:33 PM, xD 0x41 wrote: > eep yep sorry but i had a chuckle :P > lol. > > > > On 21 October 2011 02:09, Laurelai wrote: > >> On 10/19/2011 06:47 PM, N Za wrote: >> > -BEGIN HASH SIGNED MESSAGE- >> > Hash: Bubble >> > >> > - >> - >> > GNAA Security Advisory GNAA-1488-1 security () gnaa eu >> > http://security.on.nimp.org/ N Za >> > October 19, 2011 >> http://security.on.nimp.org/faq/ >> > - >> - >> > >> > Package: slimhttpd >> > Vulnerability : several >> > Problem type : local >> > GNOS-specific bug: no >> > GNOS Bug : 101 >> > >> > In the package `` slimhttpd'' found at >> https://github.com/ajwak95/SlimHTTPD there exist several vulnerabilities. >> > >> > After cc httpd.c -o httpd I run slimhttpd with index.html with lines >> longer than 256 characters and receive: >> > [1]1386 segmentation fault (core dumped) ./http >> > >> > Also after I run slimhttpd and kill -9 it I am unable to restart server >> for several minutes due to lack of set SO_REUSEADDR on socket. >> > >> > I tried to contact the vendor Alex Conroy, ajwak95, but he is too scared >> to use freenode irc. >> > >> > About SlimHTTPD: >> > >> > ripe with gaping vulnerabilities >> > >> > About ajwak95: >> > >> > underage >> > >> > About GNAA: >> > GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the first organization which >> gathers GAY NIGGERS from all over America and abroad for one common goal - >> being GAY NIGGERS. >> > >> > Are you GAY? >> > Are you a NIGGER? >> > Are you a GAY NIGGER? >> > >> > If you answered "Yes" to all of the above questions, then GNAA (GAY >> NIGGER ASSOCIATION OF AMERICA) might be exactly what you've been looking >> for! >> > Join GNAA (GAY NIGGER ASSOCIATION OF AMERICA) today, and enjoy all the >> benefits of being a full-time GNAA member. >> > GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the fastest-growing GAY >> NIGGER community with THOUSANDS of members all over United States of America >> and the World! You, too, can be a part of GNAA if you join today! >> > >> > Why not? It's quick and easy - only 3 simple steps! >> > First, you have to obtain a copy of GAYNIGGERS FROM OUTER SPACE THE >> MOVIE and watch it. You can download the movie (~130mb) using BitTorrent. >> > Second, you need to succeed in posting a GNAA First Post on >> slashdot.org, a popular "news for trolls" website. >> > Third, you need to join the official GNAA irc channel #GNAA on >> irc.gnaa.eu, and apply for membership. >> > Talk to one of the ops or any of the other members in the channel to >> sign up today! Upon submitting your application, you will be required to >> submit links to your successful First Post, and you will be tested on your >> knowledge of GAYNIGGERS FROM OUTER SPACE. >> > >> > If you are having trouble locating #GNAA, the official GAY NIGGER >> ASSOCIATION OF AMERICA irc channel, you might be on a wrong irc network. The >> correct network is NiggerNET, and you can connect to irc.gnaa.eu as our >> official server. Follow this link if you are using an irc client such as >> mIRC. >> > >> > If you have mod points and would like to support GNAA, please moderate >> this post up. >> > >> > .. >> > | __._a,| Press contact: >> > | ___a_.___a___aj#0s_aWY!400.___| Gary Niger >> > | __ad#7!!*Pa.d#0a#!-_#0i___.#!__W#0#___| >> gary_ni...@gnaa.eu >> > | _j#'_.00#,___4#dP_"#,__j#,__0#Wi___*00P!_"#L,_ | GNAA >> Corporate Headquarters >> > | _"#ga#9!01___"#01__40,_"4Lj#!_4#g_"01_ | 143 >> Rolloffle Avenue >> > | "#,___*@`__-N#`___-!^_ | Tarzana, >> California 91356 >> > | _#1__? | >> > | _j1___ | All other >> inquiries: >> > | a,___jk_GAY_NIGGER_ASSOCIATION_OF_AMERICA_ | Enid Al-Punjabi >> > | !4yaa#l___ | >> enid_al_punj...@gnaa.eu >> > | __-"!^ | GNAA World >> Headquarters >> > ` ___' 160-0023 Japan >> Tokyo-to Shinjuku-ku Nishi-Shinjuku 3-20-2 >> > >> > Copyright (c) 2003-2011 Gay Nigger Association of America >> > >> > >> > ___ >> > Full-Disclosure - We believe in it. >> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> > Hosted and sponsored by Secunia - http://secunia.com/ >> Did any of the other channers on the list laugh uncontrollably at this? >> >> ___ >> Full-Disclosure - We believe in it. >> Cha
[Full-disclosure] [ MDVSA-2011:158 ] phpmyadmin
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDVSA-2011:158 http://www.mandriva.com/security/ ___ Package : phpmyadmin Date: October 21, 2011 Affected: Enterprise Server 5.0 ___ Problem Description: Multiple vulnerabilities has been found and corrected in phpmyadmin: Missing sanitization on the table, column and index names leads to XSS vulnerabilities (CVE-2011-3181). Firstly, if a row contains javascript code, after inline editing this row and saving, the code is executed. Secondly, missing sanitization on the db, table and column names leads to XSS vulnerabilities. When the js_frame parameter of phpmyadmin.css.php is defined as an array, an error message shows the full path of this file, leading to possible further attacks (CVE-2011-3646). Crafted values entered in the setup interface can produce XSS; also, if the config directory exists and is writeable, the XSS payload can be saved to this directory (CVE-2011-4064). This upgrade provides the latest phpmyadmin version (3.4.6) to address these vulnerabilities. ___ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3181 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3646 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4064 http://www.phpmyadmin.net/home_page/security/PMASA-2011-13.php http://www.phpmyadmin.net/home_page/security/PMASA-2011-14.php http://www.phpmyadmin.net/home_page/security/PMASA-2011-15.php http://www.phpmyadmin.net/home_page/security/PMASA-2011-16.php ___ Updated Packages: Mandriva Enterprise Server 5: e74e03213d3adf2b8b5e7bb6c182 mes5/i586/phpmyadmin-3.4.6-0.1mdvmes5.2.noarch.rpm 7b2b17c82823d5b9aed51f9ddd09eb8c mes5/SRPMS/phpmyadmin-3.4.6-0.1mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: 86e0a6932a41f0a91d641238aeb88149 mes5/x86_64/phpmyadmin-3.4.6-0.1mdvmes5.2.noarch.rpm 7b2b17c82823d5b9aed51f9ddd09eb8c mes5/SRPMS/phpmyadmin-3.4.6-0.1mdvmes5.2.src.rpm ___ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com ___ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFOoU0KmqjQ0CJFipgRAmSHAJ0b2+duUqLucbYk9NUrFK1b0dcDTgCg8Gib iEeeT3JSt0NDGvf4J/5A8y0= =++ft -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ MDVSA-2011:157 ] freetype2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDVSA-2011:157 http://www.mandriva.com/security/ ___ Package : freetype2 Date: October 21, 2011 Affected: 2010.1, 2011., Enterprise Server 5.0 ___ Problem Description: A vulnerability has been discovered and corrected in freetype2: FreeType allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font (CVE-2011-3256). A regression was found in freetype2 in Mandriva Enterprise Server 5 that caused ugly font rendering with firefox (#63892). Additionally, improvements conserning the LZW handling (as noted in the freetype-2.4.7 version) was added. The updated packages have been patched to correct these issues. ___ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3256 https://qa.mandriva.com/63892 ___ Updated Packages: Mandriva Linux 2010.1: 5cb7a45af29372a1b91c23088a3be78f 2010.1/i586/libfreetype6-2.3.12-1.7mdv2010.2.i586.rpm 18b8a3231fab96584207b6e8a4a8e81d 2010.1/i586/libfreetype6-devel-2.3.12-1.7mdv2010.2.i586.rpm 7d6147c1638bcb6d16cee6e2a9939f27 2010.1/i586/libfreetype6-static-devel-2.3.12-1.7mdv2010.2.i586.rpm 77690084036cd92f1f19333d383897ad 2010.1/SRPMS/freetype2-2.3.12-1.7mdv2010.2.src.rpm Mandriva Linux 2010.1/X86_64: 7ae7f8215e3542d2fb8f6377c7cf4469 2010.1/x86_64/lib64freetype6-2.3.12-1.7mdv2010.2.x86_64.rpm 6b97bbef06367d203527cfb65bcd899f 2010.1/x86_64/lib64freetype6-devel-2.3.12-1.7mdv2010.2.x86_64.rpm 2864878ad4d4294790f4e5a00cbe4390 2010.1/x86_64/lib64freetype6-static-devel-2.3.12-1.7mdv2010.2.x86_64.rpm 77690084036cd92f1f19333d383897ad 2010.1/SRPMS/freetype2-2.3.12-1.7mdv2010.2.src.rpm Mandriva Linux 2011: e9fab15c8a7e45a3b59f81ce166cc85d 2011/i586/freetype2-demos-2.4.5-2.1-mdv2011.0.i586.rpm 3c9cb8ee3857996cc5dc5829dcf8e41e 2011/i586/libfreetype6-2.4.5-2.1-mdv2011.0.i586.rpm 592bdc4c63e31b7692da26a8ba001528 2011/i586/libfreetype6-devel-2.4.5-2.1-mdv2011.0.i586.rpm edc8653f7609c869c0ec20a0fcd012fa 2011/i586/libfreetype6-static-devel-2.4.5-2.1-mdv2011.0.i586.rpm 86535a7b5e2ccef2e1ba0d037f18e000 2011/SRPMS/freetype2-2.4.5-2.1.src.rpm Mandriva Linux 2011/X86_64: 35eaf601f67489ea952087e2f6339c1f 2011/x86_64/freetype2-demos-2.4.5-2.1-mdv2011.0.x86_64.rpm 7ccc207101ce7840e5e0abd0f4642067 2011/x86_64/lib64freetype6-2.4.5-2.1-mdv2011.0.x86_64.rpm 91aec2804157d8817fcab99ede4da4f0 2011/x86_64/lib64freetype6-devel-2.4.5-2.1-mdv2011.0.x86_64.rpm 92fb10c2f9a1847db4423f1c6c67c0fa 2011/x86_64/lib64freetype6-static-devel-2.4.5-2.1-mdv2011.0.x86_64.rpm 86535a7b5e2ccef2e1ba0d037f18e000 2011/SRPMS/freetype2-2.4.5-2.1.src.rpm Mandriva Enterprise Server 5: 097b5a0bc581233000e5e4612101d500 mes5/i586/libfreetype6-2.3.7-1.8mdvmes5.2.i586.rpm 17c6796fb526c1c3e53074e0834db5c3 mes5/i586/libfreetype6-devel-2.3.7-1.8mdvmes5.2.i586.rpm c3e708211d845e14ad63bfe14e108d6c mes5/i586/libfreetype6-static-devel-2.3.7-1.8mdvmes5.2.i586.rpm 13576b846900d36ed12b74f7ef612850 mes5/SRPMS/freetype2-2.3.7-1.8mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: aa08ec531c3b663dec9fe150316b69f8 mes5/x86_64/lib64freetype6-2.3.7-1.8mdvmes5.2.x86_64.rpm c1a715c5816d9db37159000ce71fc4fb mes5/x86_64/lib64freetype6-devel-2.3.7-1.8mdvmes5.2.x86_64.rpm 6f59f92a9e60158c4cd53bc7fb34d54d mes5/x86_64/lib64freetype6-static-devel-2.3.7-1.8mdvmes5.2.x86_64.rpm 13576b846900d36ed12b74f7ef612850 mes5/SRPMS/freetype2-2.3.7-1.8mdvmes5.2.src.rpm ___ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com ___ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFOoSQgmqjQ0CJFipgRAu7bAKCNJuDDSIC2BGla3ck+cJp/Kn88ZwCg1jD/ dxu3TlyhMXF4coBC+GcK+2g= =QK6b -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-di