Re: [Full-disclosure] New Opera 11.51 PoC Denial of Service (pigtail23)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 stack exhaustion. it's seems to recursion problem for basic regular expression. the same or similar problem exists in PCRE 8.12, allowing to crash multiple applications cx@cx64:/www$ cat crash0.php cx@cx64:/www$ php crash0.php Segmentation fault or some times ago for apache, 127# cat .htaccess RewriteEngine On RewriteBase /rcrash RewriteRule gun((.*){2000,}(\s*){2000,}.*) /ygy 127# curl http://127.0.0.1/rcrash/gun curl: (52) Empty reply from server [Mon Jul 11 02:40:39 2011] [notice] child pid 1343 exit signal Illegal instruction (4) Program received signal SIGSEGV, Segmentation fault. 0x08097a9b in match (eptr=0xbb777b07 "", ecode=0xbb76ab6f "*\bB", offset_top=8, md=0xbfbfe284, ims=0, eptrb=0xbfa02014, flags=2) at pcre.c:7997 7997c = *ecode++ - OP_TYPESTAR; that is the same problem. - -- Best Regards pub 4096R/D6E5B530 2010-09-19 uid Maksymilian Arciemowicz (cx) sub 4096R/58BA663C 2010-09-19 -BEGIN PGP SIGNATURE- iQIcBAEBAgAGBQJOo1mUAAoJEIO8+dzW5bUwMBwP/3M0LD5DaXzuwvT3jhmuxi+m aQ8/66efeFAYqcm8XFTx4xcinA6thDvxV05VHUN1TwJbBUY/m0IatD5WdD3gCY2/ R61fg3zmYZoKg5+aeSCJT3VSJbhQbA8pcQoDQp8BI+AdLv9D1hGu6n8qMC9xF6Lx 4ef/sqTZfsGZObKU1ualRvKa5MWT9N78r8ufDDwxEnDnk6IigrKnnRfsnQsZbboW i1hGwyJhDNI0s9HJzyT2t0sru3aGdSXXVoKlSkmtfVbhvpmT8gyIWr3xNJZQWXRP odGNXPJ4/+yKXZh5jjNZ4tFqc4ARkkpG5WxqoLOwVYucTQgcJeh61gt42cMnAnFM NNKYjhFS1IKiuW8UXWPDB6hoVySBsOArhZK7d6P/h3PsMNGVm1lixfQMX5e1JNQb 5KUu704p1ONDyzC5JWqfdGYwXE3K10sDZJ6K7n0vgEtmfGVX3WKjIybnAlnZ5CT/ 7MCo4xGKB7vuMUeZaBInKvLwr/a1LZK1MFMPcu+ypNBLJI6FWG98OsNttpRz2jRz O0dq0BNAGZR8zTYnd6JD7zTKpk9IIHoQLJjDjTDsxZrOFnLrF6FTqCwUSuTo9ldi r+T3GU0+dtBTUG34mBPxWSYlGUag6xjLlyOZDpSniSSwj8brsCKuXlOf67Hh2VHW MfKU/5PxCy6TYZjdAROB =L6P1 -END PGP SIGNATURE- 0xD6E5B530.asc Description: application/pgp-keys ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] jara 1.6 sql injection vulnerability
jara 1.6 sql injection vulnerability download http://sourceforge.net/projects/jara/files/v1.6/jarav16.zip author muuratsalo contact muuratsalo[at]gmail.com exploit http://localhost/jara/view.php?id=[SQL Injection] ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ MDVSA-2011:160 ] krb5
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDVSA-2011:160 http://www.mandriva.com/security/ ___ Package : krb5 Date: October 22, 2011 Affected: 2010.1, Enterprise Server 5.0 ___ Problem Description: Multiple vulnerabilities has been found and corrected in krb5: The krb5_ldap_lockout_audit function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4 and 1.9 through 1.9.1, when the LDAP back end is used, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors, related to the locked_check_p function (CVE-2011-1528). The lookup_lockout_policy function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4 and 1.9 through 1.9.1, when the db2 (aka Berkeley DB) or LDAP back end is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via vectors that trigger certain process_as_req errors (CVE-2011-1529). The updated packages have been patched to correct these issues. ___ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1528 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1529 ___ Updated Packages: Mandriva Linux 2010.1: 3c2e6b5720aafe4283403170c2d58492 2010.1/i586/krb5-1.8.1-5.6mdv2010.2.i586.rpm 3ac1a5668862182f3a48338c2f76cf81 2010.1/i586/krb5-pkinit-openssl-1.8.1-5.6mdv2010.2.i586.rpm 0fc35189df3032ea14d295cf8bc58839 2010.1/i586/krb5-server-1.8.1-5.6mdv2010.2.i586.rpm 00caac26b6e5a59d776440266002b3ab 2010.1/i586/krb5-server-ldap-1.8.1-5.6mdv2010.2.i586.rpm a5320af15d594506ad2055b739211565 2010.1/i586/krb5-workstation-1.8.1-5.6mdv2010.2.i586.rpm 0bba786af6f0e73b380bfa77321aaee5 2010.1/i586/libkrb53-1.8.1-5.6mdv2010.2.i586.rpm c233f28e23d554bf8cbc62c22f7e4a44 2010.1/i586/libkrb53-devel-1.8.1-5.6mdv2010.2.i586.rpm 0f748bb4522391005759bf2915b67d89 2010.1/SRPMS/krb5-1.8.1-5.6mdv2010.2.src.rpm Mandriva Linux 2010.1/X86_64: a24d3b618ae99dc2d2197c5df1adcbfc 2010.1/x86_64/krb5-1.8.1-5.6mdv2010.2.x86_64.rpm 78ffd9611e8106a61fb00201504110a7 2010.1/x86_64/krb5-pkinit-openssl-1.8.1-5.6mdv2010.2.x86_64.rpm 3b9baf5a46fc90e9cf0069c23bd87655 2010.1/x86_64/krb5-server-1.8.1-5.6mdv2010.2.x86_64.rpm f7e6d0006e504520bf811144c2639238 2010.1/x86_64/krb5-server-ldap-1.8.1-5.6mdv2010.2.x86_64.rpm cbcdb6e8882eb7f0b2d2933e7620c108 2010.1/x86_64/krb5-workstation-1.8.1-5.6mdv2010.2.x86_64.rpm 06549d9617286d573fac8c522f62edfb 2010.1/x86_64/lib64krb53-1.8.1-5.6mdv2010.2.x86_64.rpm ba81b94a26532fb2bddc3d5de201aa76 2010.1/x86_64/lib64krb53-devel-1.8.1-5.6mdv2010.2.x86_64.rpm 0f748bb4522391005759bf2915b67d89 2010.1/SRPMS/krb5-1.8.1-5.6mdv2010.2.src.rpm Mandriva Enterprise Server 5: 1aace07998863fe7f30d2fb91993d7b2 mes5/i586/krb5-1.8.1-0.7mdvmes5.2.i586.rpm d4b71902ff32d362e2a5d7fe2e4e9a71 mes5/i586/krb5-pkinit-openssl-1.8.1-0.7mdvmes5.2.i586.rpm 858c3babd9f4fa4badd04a3676c755c7 mes5/i586/krb5-server-1.8.1-0.7mdvmes5.2.i586.rpm 63a002132291b4cda6a750e47ec0bece mes5/i586/krb5-server-ldap-1.8.1-0.7mdvmes5.2.i586.rpm 7238700c172cf9e4c7b94af1f016201c mes5/i586/krb5-workstation-1.8.1-0.7mdvmes5.2.i586.rpm 3e3b2122ea7a58503d26713254e9f97b mes5/i586/libkrb53-1.8.1-0.7mdvmes5.2.i586.rpm ae343104b7643e7558930d2f85af5091 mes5/i586/libkrb53-devel-1.8.1-0.7mdvmes5.2.i586.rpm 1b3d691cf8b9d2c01463593cf4e2e1d5 mes5/SRPMS/krb5-1.8.1-0.7mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: b1912a66538b9c45c67691d2a3523576 mes5/x86_64/krb5-1.8.1-0.7mdvmes5.2.x86_64.rpm 2f1989fb1412fc1581f41d416146e659 mes5/x86_64/krb5-pkinit-openssl-1.8.1-0.7mdvmes5.2.x86_64.rpm 6f34d14eae154ff5991e248c18021eb2 mes5/x86_64/krb5-server-1.8.1-0.7mdvmes5.2.x86_64.rpm 69649b642ac23f458d8e02f1e7d549d0 mes5/x86_64/krb5-server-ldap-1.8.1-0.7mdvmes5.2.x86_64.rpm 50f5feb5c21c5a246917e0b06faf28c6 mes5/x86_64/krb5-workstation-1.8.1-0.7mdvmes5.2.x86_64.rpm 4a2e291f75ec2288df3a7c28ea5b2ba1 mes5/x86_64/lib64krb53-1.8.1-0.7mdvmes5.2.x86_64.rpm f95b08bf29f82897105d8b853b42df67 mes5/x86_64/lib64krb53-devel-1.8.1-0.7mdvmes5.2.x86_64.rpm 1b3d691cf8b9d2c01463593cf4e2e1d5 mes5/SRPMS/krb5-1.8.1-0.7mdvmes5.2.src.rpm ___ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --
[Full-disclosure] [ MDVSA-2011:159 ] krb5
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDVSA-2011:159 http://www.mandriva.com/security/ ___ Package : krb5 Date: October 22, 2011 Affected: 2011. ___ Problem Description: Multiple vulnerabilities has been found and corrected in krb5: The kdb_ldap plugin in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 through 1.9.1, when the LDAP back end is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a kinit operation with incorrect string case for the realm, related to the is_principal_in_realm, krb5_set_error_message, krb5_ldap_get_principal, and process_as_req functions (CVE-2011-1527). The krb5_ldap_lockout_audit function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4 and 1.9 through 1.9.1, when the LDAP back end is used, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors, related to the locked_check_p function (CVE-2011-1528). The lookup_lockout_policy function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4 and 1.9 through 1.9.1, when the db2 (aka Berkeley DB) or LDAP back end is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via vectors that trigger certain process_as_req errors (CVE-2011-1529). The updated packages have been patched to correct these issues. ___ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1527 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1528 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1529 ___ Updated Packages: Mandriva Linux 2011: cec18dcb661488f6203f1ece61b635d1 2011/i586/krb5-1.9.1-1.1-mdv2011.0.i586.rpm a4a3f2eee29c35048289de09ecf52ed8 2011/i586/krb5-pkinit-openssl-1.9.1-1.1-mdv2011.0.i586.rpm 5e73f3eb097442260b8b683b48a3497c 2011/i586/krb5-server-1.9.1-1.1-mdv2011.0.i586.rpm 83401420817b2e182d6096a7fab0b4d4 2011/i586/krb5-server-ldap-1.9.1-1.1-mdv2011.0.i586.rpm 8d038ca1ea3baa3862df07b714196e29 2011/i586/krb5-workstation-1.9.1-1.1-mdv2011.0.i586.rpm 666e6590112610d0974c808c18e15857 2011/i586/libkrb53-1.9.1-1.1-mdv2011.0.i586.rpm 822e804be6b1b6c6daf4036e58c8d097 2011/i586/libkrb53-devel-1.9.1-1.1-mdv2011.0.i586.rpm 44b9f82fcf337955b550e2b8279cc319 2011/SRPMS/krb5-1.9.1-1.1.src.rpm Mandriva Linux 2011/X86_64: c1a3ce4fed380b27b58fdb5a1de4a225 2011/x86_64/krb5-1.9.1-1.1-mdv2011.0.x86_64.rpm 31abe59dbe968c413e91d9bc8f58cc6f 2011/x86_64/krb5-pkinit-openssl-1.9.1-1.1-mdv2011.0.x86_64.rpm 3978b0e72b6f25f816554cb3f632fbd9 2011/x86_64/krb5-server-1.9.1-1.1-mdv2011.0.x86_64.rpm 03b1d9c2b9ef5a18af5f47e93c7f5b7b 2011/x86_64/krb5-server-ldap-1.9.1-1.1-mdv2011.0.x86_64.rpm 8c9cf44a634d326e5fcc03adad2c673f 2011/x86_64/krb5-workstation-1.9.1-1.1-mdv2011.0.x86_64.rpm cb1303ca942bc49cfa41e7871dc8ace8 2011/x86_64/lib64krb53-1.9.1-1.1-mdv2011.0.x86_64.rpm 6317fcfa9e3e569645f5a6df6250ce34 2011/x86_64/lib64krb53-devel-1.9.1-1.1-mdv2011.0.x86_64.rpm 44b9f82fcf337955b550e2b8279cc319 2011/SRPMS/krb5-1.9.1-1.1.src.rpm ___ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com ___ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFOowpqmqjQ0CJFipgRAs2hAKDMeGN7tiy4lC3amLtbhOmfsNAQNwCfUqcr OvImBY/l6ve2vDAoD1+KEfY= =bhR2 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ GLSA 201110-19 ] X.Org X Server: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-19 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: X.Org X Server: Multiple vulnerabilities Date: October 22, 2011 Bugs: #387069 ID: 201110-19 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Multiple vulnerabilities in the X.Org X server might allow local attackers to disclose information. Background == The X Window System is a graphical windowing system based on a client/server model. Affected packages = --- Package / Vulnerable /Unaffected --- 1 x11-base/xorg-server < 1.10.4-r1 *>= 1.9.5-r1 >= 1.10.4-r1 Description === vladz reported the following vulnerabilities in the X.Org X server: * The X.Org X server follows symbolic links when trying to access the lock file for a X display, showing a predictable behavior depending on the file type of the link target (CVE-2011-4028). * The X.Org X server lock file mechanism allows for a race condition to cause the X server to modify the file permissions of an arbitrary file to 0444 (CVE-2011-4029). Impact == A local attacker could exploit these vulnerabilities to disclose information by making arbitrary files on a system world-readable or gain information whether a specified file exists on the system and whether it is a file, directory, or a named pipe. Workaround == There is no known workaround at this time. Resolution == All X.Org X Server 1.9 users should upgrade to the latest 1.9 version: # emerge --sync # emerge --ask --oneshot --verbose ">=x11-base/xorg-server-1.9.5-r1" All X.Org X Server 1.10 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=x11-base/xorg-server-1.10.4-r1" References == [ 1 ] CVE-2011-4028 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4028 [ 2 ] CVE-2011-4029 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4029 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201110-19.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: This is a digitally signed message part. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] R: Re: Symlink vulnerabilities
> Sorry for the top posting. No, top posting is the *correct* way to do things, which most people on this list don't seem to realize. Instead they quote *everything* and then respond on the bottom. Yikes. > In fedorable distro Almost pam namespace can do this. It was born from > a selinux project, for mls need, but it can be used also for a selinux > targeted policy. Its configuration is not the default, However. Yeah, I'm looking at this stuff now. I must admit I feel rather foolish for not knowing of it's existence earlier. Humiliated, actually :) -- freebyron.org ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ GLSA 201110-18 ] rgmanager: Privilege escalation
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-18 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: rgmanager: Privilege escalation Date: October 22, 2011 Bugs: #352213 ID: 201110-18 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis A vulnerability was found in rgmanager, allowing for privilege escalation. Background == rgmanager is a clustered resource group manager. Affected packages = --- Package / Vulnerable /Unaffected --- 1 sys-cluster/rgmanager < 2.03.09-r1>= 2.03.09-r1 Description === A vulnerability has been discovered in rgmanager. Please review the CVE identifier referenced below for details. Impact == A local attacker could gain escalated privileges. Workaround == There is no known workaround at this time. Resolution == All rgmanager users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=sys-cluster/rgmanager-2.03.09-r1" References == [ 1 ] CVE-2010-3389 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3389 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201110-18.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: OpenPGP digital signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ GLSA 201110-17 ] Avahi: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Avahi: Denial of Service Date: October 22, 2011 Bugs: #335885, #355583 ID: 201110-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Multiple vulnerabilities were found in Avahi, allowing for Denial of Service. Background == Avahi is a system which facilitates service discovery on a local network. Affected packages = --- Package / Vulnerable /Unaffected --- 1 net-dns/avahi < 0.6.28-r1 >= 0.6.28-r1 Description === Multiple vulnerabilities have been discovered in Avahi. Please review the CVE identifiers referenced below for details. Impact == A remote attacker could cause a Denial of Service. Workaround == There is no known workaround at this time. Resolution == All Avahi users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-dns/avahi-0.6.28-r1" References == [ 1 ] CVE-2010-2244 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2244 [ 2 ] CVE-2011-1002 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1002 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201110-17.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License === Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: OpenPGP digital signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Symlink vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 10/22/2011 11:14 AM, full-disclosure-requ...@lists.grok.org.uk wrote: > If you had your way, would you see it implemented as /tmp/ > //tmp, or some other way? per_user_tmp=yes ? http://www.feyrer.de/NetBSD/bx/blosxom.cgi/index.front?-tags=tmp - -- Best Regards pub 4096R/D6E5B530 2010-09-19 uid Maksymilian Arciemowicz (cx) sub 4096R/58BA663C 2010-09-19 -BEGIN PGP SIGNATURE- iQIcBAEBAgAGBQJOouW2AAoJEIO8+dzW5bUwz5IP/2zd8n7txMETl/t1wHvvhnXV YhyfSCSxxnYXh7Us9T/5aLFZUBykwOV03Dr9p57G7S25ETtYwPXGdcNlnhIQ8La5 7Ac3g8htqoPvX8pVKx0ZcEz2CVZwOtR32AvSkY+ulFx3q1eZC22BHj/vQ3QFa2ky AFHC/9B5l5tcyJUyAqGRYqrvP4ijhjew6aHS6A1WTlwEDNkA4hj8eKxHW7J1o3iR 14buqi2/mAN2XwYus3DniQI7LTsAp20nv60yFMuTIBZ24kzDc/XGkNw5sNzkJOnq Q6Cg4rxhLclwH91aSyrZOsrBE1irWsAQM40yMzuZ1UnlcQJv3dVln8OdnFSEpoUN DWR1iyeYOHW5tHhW9f9elj8CZQQJG/iGyfaYItGWWx0R5sHyRXfK0Dqk7V7c+Fqw 8LVj33xCwmD2ihYLWKoOWHNe1jpaZV+m9miVnNH6pAHvBspXVva5dwyidhxOgyvu e67VuHdMlpMi9HN/j+ULsjrJ92GpWwNZBVi54UxaPnUnIzA+UEyDvXRikdDNVWaK BXU+6T8uvncctv/k2ujrVJrTFEByxcWKXSUXvpVB1d3hfcJShUWyaXqKBIDYmNoL jjMhlM17D2wdIw/h0NvCopTXC+xExZAjZT423xpyhkrw8TzUN2imfd1eEYLDs/RT yN2Gr0CCVYY3J6SH0D/r =6G5i -END PGP SIGNATURE- 0xD6E5B530.asc Description: application/pgp-keys ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Symlink vulnerabilities
I apologize as my search wasn't a complex method, just a quick grep for signs of /tmp misuse. Indeed creating a directory under /tmp is a safeway to handle tmp files. > b...@fbi.dhs.org wrote: >> >> bashbug: >> >> /usr/bin/bashbug:TEMPDIR=$TMPDIR/bbug.$$ >> >> Maybe I should use bashbug to report a bug in bashbug? >> > > I took a quick look, it's actually using mkdir to create a temporary > directory in /tmp, which it uses for collecting support files. > > This is actually a safe way to use /tmp, assuming you check the return > code > of mkdir (which it does). The mkdir() system call behaves very differently > to open(), and is not vulnerable to these attacks. > > Tavis. > > -- > - > tav...@cmpxchg8b.com | pgp encrypted mail preferred > --- > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Chrome pkcs11.txt File Planting
Hi Chris, You're right: File browse dialogs change the CWD and this contributes essentially to the exploitability of the bug in question. While it's possible to prevent these dialogs from *keeping* the CWD where the user OK'ed a selected file/folder (see http://www.binaryplanting.com/guidelinesDevelopers.htm, bullet #7), it may be impossible to prevent them from changing it temporarily to the locations the user is opening - which is all this bug needs. Disclaimer: we haven't looked into this for over a year, so things may have changed since. CWD is process-wide and could potentially cause a mess in multithreaded apps. Fortunately not many apps actively use it or depend on it. Unfortunately every app has it and many can obviously be attacked through it. We believe CWD should be eliminated from Windows entirely and applications actively depending on it recoded. Because of the latter, the former will probably not happen. We haven't researched Linux or Mac regarding their CWD-related behavior, nor did we test this particular bug on non-Windows systems. Cheers, Mitja > Interesting. Clear write-up. > I'm not a Windows guy but the article led me to research this: > > http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=windows+file+dialog+changes+cwd > > Isn't that the most significant contributor? An application carefully > puts its CWD somewhere sane and then the underlying operating system > flips it around later? Might that also cause non-determinism for > multi-threaded apps? Does the problem affect Mac, Linux users? > > > Cheers > Chris > >> >> or >> >> http://bit.ly/olK1P9 >> >> Enjoy the reading! >> >> >> Mitja Kolsek >> CEO&CTO >> >> ACROS, d.o.o. >> Makedonska ulica 113 >> SI - 2000 Maribor, Slovenia >> tel: +386 2 3000 280 >> fax: +386 2 3000 282 >> web: http://www.acrossecurity.com >> blg: http://blog.acrossecurity.com >> >> ACROS Security: Finding Your Digital Vulnerabilities Before Others Do >> >> >> ___ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Symlink vulnerabilities
b...@fbi.dhs.org wrote: > > bashbug: > > /usr/bin/bashbug:TEMPDIR=$TMPDIR/bbug.$$ > > Maybe I should use bashbug to report a bug in bashbug? > I took a quick look, it's actually using mkdir to create a temporary directory in /tmp, which it uses for collecting support files. This is actually a safe way to use /tmp, assuming you check the return code of mkdir (which it does). The mkdir() system call behaves very differently to open(), and is not vulnerable to these attacks. Tavis. -- - tav...@cmpxchg8b.com | pgp encrypted mail preferred --- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Symlink vulnerabilities
> Actually, no; per user /tmp could only be accomplished, without a major > redesign and without breaking almost every application [citation needed] ;-) Only a fraction of apps uses /tmp... vendors can fix their own distros: grepping for "/tmp" isn't complicated, and almost every package usually ships with a handful of vendor-specific diffs anyway. You will break some third-party stuff people download from the Internet, but that's a self-correcting problem, and not exactly a horrible prospect: Linux distros break crappy software with almost every major release anyway, often due to far more fundamental changes (e.g. different /dev or /proc semantics, or moving libraries and includes around). The namespace / pseudo-fs approach is fairly ancient and works, but it's sort of ugly: it makes the filesystem behave counterintuitively in the rare case somebody actually has a legit use for /tmp. Not a big deal, but seems like an overcomplicated solution IMO. /mz ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Symlink vulnerabilities
On 22 Oct 2011, at 07:06, Raj Mathur (राज माथुर) wrote: > > > At first sight, the best option from that point of view seems to be a > per-user tmp under /tmp/$USER/ and mount /tmp noexec, nosuid. If you > choose the ~$USER/tmp option, you'll probably have to do some userfs > jugglery to achieve the same objective. Actually, no; per user /tmp could only be accomplished, without a major redesign and without breaking almost every application, by turning /tmp into a pseudofilesystem a la procfs. Consider /proc/self for instance, accessing it runs a subroutine which first must get the PPID of the stat() to work out which information the user wants. As such /tmp must stay where it is to ensure backwards compat (Otherwise you introduce a new /tmp directory with no benefit) but where the UID of the caller determines to where the actual /tmp directory links to. Dynamic symlinking, if you've ever done any fuse programming. In which case from a security point of view we use ~/.tmp or similar. This solves a couple fo problems further; it allows for greater control of what can and cannot be done, nosuid is effectively covered, noexec can be enforced, and only root can see other people's /tmp if we implement it correctly. As an aside; we generally mount /tmp over the loopback for obvious reasons. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/