Re: [Full-disclosure] debugfs exploit for a number of Android devices

2012-08-15 Thread Dan Rosenberg
> I haven't seen a reference to this in the archives, so for the sake of > completeness here it is: > http://forum.xda-developers.com/showthread.php?t=1790104 > > Looks like on a number of devices you can symlink the block device > that gets mounted on /system to something like /data/local/tmp, and

Re: [Full-disclosure] An April Fools' Day Android Payload

2012-04-02 Thread Dan Rosenberg
Hendrik, Well, they know about it now. ;-) I figured it was appropriate for April Fools' Day in keeping with the spirit of mischief. I wouldn't worry too much about seeing exploitation of what amounts to a local DoS vulnerability that requires a compromised browser session to exploit. It would be

[Full-disclosure] An April Fools' Day Android Payload

2012-04-01 Thread Dan Rosenberg
/* * Android Arbitrary File Removal Payload * by Dan Rosenberg (@djrbliss) * * Android differentiates between "system" applications and user-installed * applications, where the former are OEM-shipped and installed in /system/app * rather than /data/app (this has nothing to d

Re: [Full-disclosure] vsFTPd remote code execution

2011-12-13 Thread Dan Rosenberg
ous comment. -Dan > > Am 13. Dezember 2011 20:56 schrieb Dan Rosenberg : >>> Anyone with an up2date linux local root which only makes use of syscalls? :> >>> >> >> This is all fun stuff, and definitely worth looking into further, but >> if you've g

Re: [Full-disclosure] vsFTPd remote code execution

2011-12-13 Thread Dan Rosenberg
> Anyone with an up2date linux local root which only makes use of syscalls? :> > This is all fun stuff, and definitely worth looking into further, but if you've got a local kernel exploit that you can trigger from inside vsftpd, you don't need this (potential) vulnerability in vsftpd - you already

Re: [Full-disclosure] OMIGOD CIQ HACKING THE WORLD.

2011-12-07 Thread Dan Rosenberg
On Wed, Dec 7, 2011 at 10:02 AM, Pablo Ximenes wrote: > Hi, > > 2011/12/7 Dan Rosenberg >> >> On Wed, Dec 7, 2011 at 9:09 AM, Pablo Ximenes wrote: >> >> >> >> That's a good question.  As you've mentioned, the URL falls within the >> H

Re: [Full-disclosure] OMIGOD CIQ HACKING THE WORLD.

2011-12-07 Thread Dan Rosenberg
On Wed, Dec 7, 2011 at 9:09 AM, Pablo Ximenes wrote: > Hi, > > 2011/12/7 Dan Rosenberg >> >> And I was really hoping I wouldn't get dragged into another discussion >> on this... > > > Well, if it serves of any consolation, discussions are good for maki

Re: [Full-disclosure] OMIGOD CIQ HACKING THE WORLD.

2011-12-07 Thread Dan Rosenberg
subset of this data that is actually recorded and > collected is at the discretion of the carrier, and is based on the profile > installed on the device." (Dan Rosenberg) > > > So the eavesdropped data with respect to the rest of affected phones could > be anything for all he know

Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-09 Thread Dan Rosenberg
On Wed, Nov 9, 2011 at 6:25 AM, Darren Martyn wrote: > Balls, I forgot to add this to the last message, but has anyone examined the > patch yet? I can only imagine it would be VERY interesting to look at... > Or that it opens all UDP ports so that there are no closed ones to > exploit > Yet ano

Re: [Full-disclosure] Multipath-ROP: Tools available?

2011-07-21 Thread Dan Rosenberg
On Thu, Jul 21, 2011 at 3:37 AM, Stefan Esser wrote: > Hello, >> Does someone know about this method? If there are no tools available for >> that, I would like to create one, that uses markov-chains for library >> analysis and that should support multiple CPU-archs. > As far as I know there are no

Re: [Full-disclosure] From kernel memory disclosure to privilege escalation: when and how?

2011-06-23 Thread Dan Rosenberg
2011/6/23 アドリアンヘンドリック : > Well, first of all, this is the Dan Rosenberg's specialty. I just try > to comment so hope the snowball rolls. > Ok, you got my attention. > > Hello! > Could somebody write what threats there are when kernel memory > disclosure is found? > I mean not along with another b

Re: [Full-disclosure] New attack vector for sale, firewall bypass

2011-06-07 Thread Dan Rosenberg
ir bag of tricks. -Dan > Anyway now that the cats out of the bag...  See attached. :)  No more bids > please.  Dan was correct. > > On Tue, Jun 7, 2011 at 9:38 AM, Dan Rosenberg > wrote: >> >> On Tue, Jun 7, 2011 at 6:19 AM, Marshall Whittaker >> wrote: >> > H

Re: [Full-disclosure] New attack vector for sale, firewall bypass

2011-06-07 Thread Dan Rosenberg
On Tue, Jun 7, 2011 at 6:19 AM, Marshall Whittaker wrote: > Hello, > I am willing to sell a new attack vector I have devised.  The proof of > concept code you will receive has the ability to arbitrarily upload files to > a webserver (tested on Apache), running linux with the well known perl read >

Re: [Full-disclosure] CORE-2011-0208: VLC Vulnerabilities handling .AMV and .NSV files

2011-03-23 Thread Dan Rosenberg
Hmm...well, this is one vulnerability, not two, and it was fixed in VLC's tree on February 12. Still a nice find. -Dan On Wed, Mar 23, 2011 at 4:34 PM, CORE Security Technologies Advisories wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > >   Core Security Technologies - Corelabs Advi

[Full-disclosure] FreeBSD crontab information leakage

2011-02-28 Thread Dan Rosenberg
ginally found in Openwall Linux, followed by grsecurity, and most recently as the Yama LSM enabled by default in Ubuntu Maverick, prevents all users from following symlinks created by other users in sticky-bit directories. This simple restriction successfully prevents exploitation of a majority of

[Full-disclosure] Getting root, the hard way

2011-01-05 Thread Dan Rosenberg
/* * Linux Kernel CAP_SYS_ADMIN to root exploit * by Dan Rosenberg * @djrbliss on twitter * * Usage: * gcc -w caps-to-root.c -o caps-to-root * sudo setcap cap_sys_admin+ep caps-to-root * ./caps-to-root * * This exploit is NOT stable: * * * It only works on 32-bit x86 machines

Re: [Full-disclosure] Linux kernel exploit

2010-12-08 Thread Dan Rosenberg
Resolved prepare_kernel_cred to 0x81086890 > [*] Calculating target... > [*] Triggering payload... > [*] Exploit failed to get root. > > > > 2010/12/7 coderman : >> On Tue, Dec 7, 2010 at 12:25 PM, Dan Rosenberg >> wrote: >>> ... I've include

[Full-disclosure] Linux kernel exploit

2010-12-07 Thread Dan Rosenberg
alation * by Dan Rosenberg * @djrbliss on twitter * * Usage: * gcc full-nelson.c -o full-nelson * ./full-nelson * * This exploit leverages three vulnerabilities to get root, all of which were * discovered by Nelson Elhage: * * CVE-2010-4258 * - * This is the interesting one, a

Re: [Full-disclosure] Simple kernel attack using socketpair. easy, 100% reproductiblle, works under guest. no way to protect :(

2010-11-26 Thread Dan Rosenberg
It's funny to me that this should get special attention over any of the several dozen local DoS vulnerabilities that have been made public this year, starting with: CVE-2010-2954: NULL pointer dereference in IRDA CVE-2010-2960: NULL pointer dereference in keyctl CVE-2010-3066: NULL pointer derefer

Re: [Full-disclosure] Kernel 0-day

2010-11-09 Thread Dan Rosenberg
http://marc.info/?l=linux-netdev&m=128934173821229&w=2 On Tue, Nov 9, 2010 at 5:18 PM, Dan Rosenberg wrote: > Enjoy... > > -Dan > > > /* >  * You've done it.  After hours of gdb and caffeine, you've finally got a > shell >  * on your target's se

[Full-disclosure] Kernel 0-day

2010-11-09 Thread Dan Rosenberg
ce for good * candidates, you find your target and begin to code... * * by Dan Rosenberg * * Greets to kees, taviso, jono, spender, hawkes, and bla * */ #include #include #include #include #include #include #include #define PORT 37337 int transfer(int sendsock, int recvsock) {

Re: [Full-disclosure] VSR Advisories: Linux RDS Protocol Local Privilege Escalation

2010-10-19 Thread Dan Rosenberg
-=-=-=-=-=-=-=-=-=-=-=-=-=-=- > > Advisory Name: Linux RDS Protocol Local Privilege Escalation >  Release Date: 2010-10-19 >  Application: Linux Kernel >     Versions: 2.6.30 - 2.6.36-rc8 >     Severity: High >       Author: Dan Rosenberg < drosenberg (at) vsecurity (dot) com &g

Re: [Full-disclosure] DLL hijacking on Linux

2010-08-25 Thread Dan Rosenberg
...And it looks like I jumped the gun on blaming upstream. The vulnerability was introduced by Debian patch "mozjs1.9_ldlibpath.patch" on 3/24/2009. -Dan On Wed, Aug 25, 2010 at 1:23 PM, Dan Rosenberg wrote: > Apache CouchDB (tested on Ubuntu 10.04) is vulnerable to exactly this

Re: [Full-disclosure] DLL hijacking on Linux

2010-08-25 Thread Dan Rosenberg
Apache CouchDB (tested on Ubuntu 10.04) is vulnerable to exactly this issue. The script installed on my machine at /usr/bin/couchdb first sets LD_LIBRARY_PATH with: LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/xulrunner-`xulrunner-1.9.2 --gre-version`/ At the time of invocation, the following envir

Re: [Full-disclosure] FuzzDiff tool

2010-08-17 Thread Dan Rosenberg
2010 at 9:05 AM, Henri Salo wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On Mon, 26 Jul 2010 16:53:28 -0400 > Dan Rosenberg wrote: > >> Hello, >> >> I'd like to announce FuzzDiff, a simple tool to help make crash >> analysis during file f

[Full-disclosure] FuzzDiff tool

2010-07-26 Thread Dan Rosenberg
It also assumes that the target program adheres to the syntax "[program] [args] [input file]". Both of these limitations can be easily worked around. The code is hardly what I'd call production-ready, but it gets the job done. The tool is available at: http://vsecurity.com/reso

[Full-disclosure] Mac OS X WebDAV kernel extension local denial-of-service

2010-07-26 Thread Dan Rosenberg
LOC(fmp->pm_socket_name, struct sockaddr *, args.pa_socket_namelen, M_TEMP, M_WAITOK); error = copyin(args.pa_socket_name, fmp->pm_socket_name, args.pa_socket_namelen); if (error) ==Credits== This vulnerability was discovered by Dan Rosenberg (dan.j.rosenb...@gmail.com). ==References=

[Full-disclosure] Multiple vulnerabilities in Exim

2010-06-03 Thread Dan Rosenberg
-4.72.tar.gz. Vulnerable users are advised to download and recompile from source, or request updated packages from downstream distributions. ==Credits== These vulnerabilities were discovered by Dan Rosenberg (dan.j.rosenb...@gmail.com). ==Timeline== 5/24/10 - Reported to Exim 5/25/10 - Response

[Full-disclosure] Scientific Atlanta DPC2100 WebSTAR Cable Modem vulnerabilities

2010-05-24 Thread Dan Rosenberg
ice safe browsing habits and avoid visiting unknown or untrusted websites. ==Credits== These vulnerabilities were discovered by Dan Rosenberg (dan.j.rosenb...@gmail.com). Thanks to Matthew Bergin for suggesting I should look at cable modems. ==Timeline== 1/26/10 - Vulnerability reported to Cisco

Re: [Full-disclosure] Multiple memory corruption vulnerabilities in Ghostscript

2010-05-11 Thread Dan Rosenberg
On Tue, May 11, 2010 at 11:44 PM, Marsh Ray wrote: > > How are you supposed to trust a document before you read it?! > Judge it by its cover perhaps? > Unfortunately, there are few options for mitigation in a scenario like this. While I understand the importance of Ghostscript in many setups, t

[Full-disclosure] Multiple memory corruption vulnerabilities in Ghostscript

2010-05-11 Thread Dan Rosenberg
e use of Ghostscript or avoid processing untrusted PostScript files. ==Credits== These vulnerabilities were discovered by Dan Rosenberg (dan.j.rosenb...@gmail.com). ==Timeline== 3/04/10 - Initial report to downstream distribution 5/11/10 - Anonymous researcher discloses first issue 5/

[Full-disclosure] Fun with FORTIFY_SOURCE

2010-04-27 Thread Dan Rosenberg
ed. Because it relies on the existence of another vulnerability, I wouldn't consider this a serious issue by any means, but it's probably something that's worth fixing eventually. Happy hacking, Dan Rosenberg

[Full-disclosure] Exploiting nano

2010-03-28 Thread Dan Rosenberg
I just finished a blog post detailing how the popular text editor, nano, is unsafe to run as root to edit untrusted users' files, with consequences including full privilege escalation: http://drosenbe.blogspot.com/2010/03/nano-as-root.html This is not a disclosure of vulnerabilities per se; rathe

[Full-disclosure] Multiple vulnerabilities in Deliver

2010-03-24 Thread Dan Rosenberg
disclosure. In addition, users can deny service to other users by creating lockfiles for other users' mailboxes. ==Solution== Users are advised to discontinue use of Deliver in the absence of a patch or new release from the developer. ==Credits== These vulnerabilities were discovered b

[Full-disclosure] ncpfs, Multiple Vulnerabilities

2010-03-05 Thread Dan Rosenberg
distributors. ==Credits== These vulnerabilities were discovered by Dan Rosenberg (dan.j.rosenb...@gmail.com). Thanks to Vitezslav Crhonek for the patch against the first issue. ==References== CVE identifiers CVE-2010-0788, CVE-2010-0790, and CVE-2010-0791 have been assigned to these issues. diff

[Full-disclosure] fcrontab Information Disclosure Vulnerability

2010-03-03 Thread Dan Rosenberg
stributors when they become available. ==Credits== This vulnerability was discovered by Dan Rosenberg (dan.j.rosenb...@gmail.com). Thanks to Thibault Godouet for his prompt response and new release. ==References== CVE identifier CVE-2010-0792 has been as