FreeBSD crontab information leakage

2011-02-28 Thread Dan Rosenberg
following symlinks created by other users in sticky-bit directories. This simple restriction successfully prevents exploitation of a majority of these types of attacks. Greets to $1$kk1q85Xp$Id.gAcJOg7uelf36VQwJQ/ and #busticati. Happy hacking, Dan Rosenberg @djrbliss on twitter [1] http

Getting root, the hard way

2011-01-05 Thread Dan Rosenberg
/* * Linux Kernel CAP_SYS_ADMIN to root exploit * by Dan Rosenberg * @djrbliss on twitter * * Usage: * gcc -w caps-to-root.c -o caps-to-root * sudo setcap cap_sys_admin+ep caps-to-root * ./caps-to-root * * This exploit is NOT stable: * * * It only works on 32-bit x86 machines

Linux kernel exploit

2010-12-08 Thread Dan Rosenberg
* by Dan Rosenberg * @djrbliss on twitter * * Usage: * gcc full-nelson.c -o full-nelson * ./full-nelson * * This exploit leverages three vulnerabilities to get root, all of which were * discovered by Nelson Elhage: * * CVE-2010-4258 * - * This is the interesting one, and the reason

Re: [Full-disclosure] Simple kernel attack using socketpair. easy, 100% reproducible, works under guest. no way to protect :(

2010-11-26 Thread Dan Rosenberg
It's funny to me that this should get special attention over any of the several dozen local DoS vulnerabilities that have been made public this year, starting with: CVE-2010-2954: NULL pointer dereference in IRDA CVE-2010-2960: NULL pointer dereference in keyctl CVE-2010-3066: NULL pointer

Re: Kernel 0-day

2010-11-19 Thread Dan Rosenberg
clearly need something far more elite.  In order to * prove your superiority, your exploit must be as sophisticated as your taste * in obscure electronic music.  After scanning the kernel source for good * candidates, you find your target and begin to code... * * by Dan Rosenberg * * Greets

Kernel 0-day

2010-11-10 Thread Dan Rosenberg
find your target and begin to code... * * by Dan Rosenberg * * Greets to kees, taviso, jono, spender, hawkes, and bla * */ #include <string.h> #include <stdio.h> #include <netinet/in.h> #include <sys/socket.h> #include <unistd.h> #include <stdlib.h> #include <linux/filter.h> #define PORT 37337 int transfer

Re: VSR Advisories: Linux RDS Protocol Local Privilege Escalation

2010-10-20 Thread Dan Rosenberg
/ - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Linux RDS Protocol Local Privilege Escalation  Release Date: 2010-10-19  Application: Linux Kernel     Versions: 2.6.30 - 2.6.36-rc8     Severity: High       Author: Dan Rosenberg drosenberg (at) vsecurity (dot) com Vendor Status: Patch Released [3] CVE Candidate: CVE-2010

Re: ubuntu 10.04 xterm heap overflow, can it be exploited?

2010-10-13 Thread Dan Rosenberg
This has already been made public: http://lists.grok.org.uk/pipermail/full-disclosure/2010-September/076294.html On Ubuntu, xterm is setgid utmp, which might make it an interesting target for local attacks. However, you'll need to check if it's already dropped group utmp privileges by the time

FuzzDiff tool

2010-07-27 Thread Dan Rosenberg
that the target program adheres to the syntax [program] [args] [input file]. Both of these limitations can be easily worked around. The code is hardly what I'd call production-ready, but it gets the job done. The tool is available at: http://vsecurity.com/resources/tool Happy hacking, Dan Rosenberg

Mac OS X WebDAV kernel extension local denial-of-service

2010-07-26 Thread Dan Rosenberg
, M_WAITOK); error = copyin(args.pa_socket_name, fmp->pm_socket_name, args.pa_socket_namelen); if (error) ==Credits== This vulnerability was discovered by Dan Rosenberg (dan.j.rosenb...@gmail.com). ==References== CVE identifier CVE-2010-1794 has been assigned to this issue by Apple. [1] http

Multiple vulnerabilities in Exim

2010-06-04 Thread Dan Rosenberg
users are advised to download and recompile from source, or request updated packages from downstream distributions. ==Credits== These vulnerabilities were discovered by Dan Rosenberg (dan.j.rosenb...@gmail.com). ==Timeline== 5/24/10 - Reported to Exim 5/25/10 - Response from Exim 6/03/10 - Exim

Scientific Atlanta DPC2100 WebSTAR Cable Modem vulnerabilities

2010-05-25 Thread Dan Rosenberg
version string is dpc2100R2-v202r1256-100324as. To prevent exploitation of CSRF vulnerabilities, users are always encouraged to practice safe browsing habits and avoid visiting unknown or untrusted websites. ==Credits== These vulnerabilities were discovered by Dan Rosenberg (dan.j.rosenb...@gmail.com

Multiple memory corruption vulnerabilities in Ghostscript

2010-05-12 Thread Dan Rosenberg
of Ghostscript or avoid processing untrusted PostScript files. ==Credits== These vulnerabilities were discovered by Dan Rosenberg (dan.j.rosenb...@gmail.com). ==Timeline== 3/04/10 - Initial report to downstream distribution 5/11/10 - Anonymous researcher discloses first issue 5/11/10

Fun with FORTIFY_SOURCE

2010-04-28 Thread Dan Rosenberg
vulnerability, I wouldn't consider this a serious issue by any means, but it's probably something that's worth fixing eventually. Happy hacking, Dan Rosenberg

Exploiting nano

2010-03-29 Thread Dan Rosenberg
I just finished a blog post detailing how the popular text editor, nano, is unsafe to run as root to edit untrusted users' files, with consequences including full privilege escalation: http://drosenbe.blogspot.com/2010/03/nano-as-root.html This is not a disclosure of vulnerabilities per se;

Multiple vulnerabilities in Deliver

2010-03-24 Thread Dan Rosenberg
disclosure.  In addition, users can deny service to other users by creating lockfiles for other users' mailboxes. ==Solution== Users are advised to discontinue use of Deliver in the absence of a patch or new release from the developer. ==Credits== These vulnerabilities were discovered by Dan

ncpfs, Multiple Vulnerabilities

2010-03-05 Thread Dan Rosenberg
distributors. ==Credits== These vulnerabilities were discovered by Dan Rosenberg (dan.j.rosenb...@gmail.com). Thanks to Vitezslav Crhonek for the patch against the first issue. ==References== CVE identifiers CVE-2010-0788, CVE-2010-0790, and CVE-2010-0791 have been assigned to these issues. diff

fcrontab Information Disclosure Vulnerability

2010-03-04 Thread Dan Rosenberg
they become available. ==Credits== This vulnerability was discovered by Dan Rosenberg (dan.j.rosenb...@gmail.com). Thanks to Thibault Godouet for his prompt response and new release. ==References== CVE identifier CVE-2010-0792 has been assigned to this issue.