Full Disclosure mailing list archives
[Full-Disclosure] Subject: Full-disclosure Digest, Vol 1, Issue 2112 (Back on Tuesday 28 December.)
From: "Christophe Savin" <christophe.savin () tdf fr>
Date: Wed, 22 Dec 2004 05:53:29 +0100
In my absence, any request concerning the networks should be sent to: ars_reseaux () tdf fr (or ars_transpac for any incident related to that network).

In an emergency, you can contact:
- the Networks hot-line: 01 49 15 32 53
- François LEVEQUE on 01 49 15 30 56
- Pascal PAINPARAY on 01 49 15 31 36

Happy end-of-year holidays.

Christophe SAVIN
full-disclosure 12/18/04 21:25 >>>
Send Full-Disclosure mailing list submissions to
    full-disclosure () lists netsys com

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.netsys.com/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
    full-disclosure-request () lists netsys com

You can reach the person managing the list at
    full-disclosure-owner () lists netsys com

When replying, please edit your Subject line so it is more specific than "Re: Contents of Full-Disclosure digest..."

Today's Topics:

   1. Re: Linux kernel IGMP vulnerabilities (Timothy Hall)
   2. STG Security Advisory: [SSA-20041215-17] Vulnerability of uploading files with multiple extensions in JSBoard (SSR Team)
   3. Advisory 01/2004: Multiple vulnerabilities in PHP 4/5 (Stefan Esser)
   4. STG Security Advisory: [SSA-20041215-18] Vulnerability of uploading files with multiple extensions in phpBB Attachment Mod (SSR Team)
   5. Re: RE: Cipher Tool (James Tucker)

----------------------------------------------------------------------

Message: 1
Date: Wed, 15 Dec 2004 16:02:10 -0500
From: "Timothy Hall" <admin () TELE2WIN NET>
Subject: [Full-disclosure] Re: Linux kernel IGMP vulnerabilities
To: <stephen.butler () gmail com>, <ihaquer () isec pl>
Cc: bugtraq () securityfocus com, vulnwatch () vulnwatch org, security () isec pl, full-disclosure () lists netsys com
Message-ID: <s1c06017.003 () WEBACCESS TELE2WIN NET>
Content-Type: text/plain; charset=ISO-8859-1

Greetings Paul and Stephen and List...

Paul, thanks for clearing that up. SuSE 9.0 Pro (at least the way two boxes I take care of are set up) have /proc/net/igmp and /proc/net/mcfilter, but 'mcfilter' is empty. No local users other than myself... At least that I can tell... :)

TîMöTH¥ Hª££
Paul Starzetz <ihaquer () isec pl> 12/15/04 07:34AM >>>
On Tue, 14 Dec 2004, stephen joseph butler wrote:

> > /proc/net/igmp
> > /proc/net/mcfilter
> >
> > if both exist and are non-empty you are vulnerable!
>
> Just to be clear: if "mcfilter" is empty, then you aren't vulnerable?
> I have both files, and "igmp" contains data, but "mcfilter" is empty.

You are not vulnerable to the remote attack described under (3); however, your kernel may still be buggy. Note that you need a running process that has manipulated its multicast socket filters. If your kernel is buggy and you have local users, such an application can always appear, at a time you don't expect it.

--
Paul Starzetz
iSEC Security Research
http://isec.pl/

------------------------------

Message: 2
Date: Thu, 16 Dec 2004 10:17:41 +0900
From: "SSR Team" <advisory () stgsecurity com>
Subject: [Full-disclosure] STG Security Advisory: [SSA-20041215-17] Vulnerability of uploading files with multiple extensions in JSBoard
To: <vuln () secunia com>, <news () securiteam com>, <bugs () securitytracker com>, <full-disclosure () lists netsys com>, <staff () packetstormsecurity com>
Message-ID: <GKEOJIPDJOHGOEEOIINIAEPOCAAA.advisory () stgsecurity com>
Content-Type: text/plain; charset="ks_c_5601-1987"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

STG Security Advisory: [SSA-20041215-17] Vulnerability of uploading files with multiple extensions in JSBoard

Revision 1.0
Date Published: 2004-12-15 (KST)
Last Update: 2004-12-15
Disclosed by SSR Team (advisory () stgsecurity com)

Summary
========
JSBoard is one of the widely used web BBS applications in Korea. However, an input validation flaw can allow malicious attackers to run arbitrary commands with the privilege of the HTTPD process, which typically runs as the nobody user.

Vulnerability Class
===================
Implementation Error: Input validation flaw

Impact
======
High: arbitrary command execution.

Affected Products
=================
JSBoard 2.0.8 and prior.
JSBoard 1.3.11 and prior.

Vendor Status: FIXED
====================
2004-12-08 Vulnerability found.
2004-12-08 JSBoard developer notified.
2004-12-09 Update version released.
2004-12-15 Official release.

Details
=======
JSBoard does not implement a check in "include/parse.php" for multiple extensions of uploaded files, e.g. attack.php.hwp, so malicious attackers can upload arbitrary script files (php, pl, cgi, etc.) to a web server. This originates from a feature of the Apache MIME module (mod_mime), which regards attack.php.hwp as a normal PHP file and executes the file through the mod_php module with the privilege of the HTTPD process.

cf. http://httpd.apache.org/docs/mod/mod_mime.html - "Files with Multiple Extensions": it's a feature, not a bug.

Solution
=========
JSBoard 2.x branch: Update to 2.0.9
http://kldp.net/frs/download.php/1670/jsboard-2.0.9.tar.gz

JSBoard 1.x branch: Update to 1.3.13
http://kldp.net/frs/download.php/1668/jsboard-1.3.13.tar.gz

Vendor URL
==========
http://kldp.net/projects/jsboard/

Credits
======
Jeremy Bae at STG Security

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBQcDiAD9dVHd/hpsuEQKY8gCg2vJZ2akGDGEA//Hwi3rOheZaVwkAn31V
tYi5XHLsUOHHdENvCrsUZyPi
=3VGj
-----END PGP SIGNATURE-----

------------------------------

Message: 3
Date: Wed, 15 Dec 2004 19:46:20 +0100
From: Stefan Esser <sesser () php net>
Subject: [Full-disclosure] Advisory 01/2004: Multiple vulnerabilities in PHP 4/5
To: bugtraq () securityfocus com, full-disclosure () lists netsys com
Message-ID: <20041215184620.GA20448 () e-matters de>
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                      Hardened-PHP Project
                      www.hardened-php.net

                    -= Security Advisory =-

Advisory: Multiple vulnerabilities within PHP 4/5
Release Date: 2004/12/15
Last Modified: 2004/12/15
Author: Stefan Esser [sesser () php net]
Application: PHP4 <= 4.3.9
             PHP5 <= 5.0.2
Severity: Several vulnerabilities within PHP allow local and remote execution of arbitrary code
Risk: Critical
Vendor Status: Vendor has released bugfixed versions.
References: http://www.hardened-php.net/advisories/012004.txt

Overview:

PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.
During the development of Hardened-PHP, which adds security hardening features to the PHP codebase, several vulnerabilities within PHP were discovered that range from buffer overflows, over information leak vulnerabilities and path truncation vulnerabilities, to safe_mode restriction bypass vulnerabilities.

Details:

[01 - pack() - integer overflow leading to heap buffer overflow ]

Insufficient validation of the parameters passed to pack() can lead to a heap overflow which can be used to execute arbitrary code from within a PHP script. This enables an attacker to bypass safe_mode restrictions and execute arbitrary code with the permissions of the webserver. Due to the nature of this function it is unlikely that a script accidentally exposes it to remote attackers.

[02 - unpack() - integer overflow leading to heap info leak ]

Insufficient validation of the parameters passed to unpack() can lead to a heap information leak which can be used to retrieve secret data from the apache process. Additionally, a skilled local attacker could use this vulnerability in combination with 01 to bypass heap canary protection systems. Similar to 01, this function is usually not used on user supplied data within web applications.

[03 - safe_mode_exec_dir bypass in multithreaded PHP ]

When safe_mode is activated within PHP, it is only allowed to execute commands within the configured safe_mode_exec_dir. Unfortunately PHP does prepend a "cd [currentdir] ;" to any executed command when PHP is running on a multithreaded unix webserver (f.e. some installations of Apache2). Because the name of the current directory is prepended directly, a local attacker may bypass safe_mode_exec_dir restrictions by injecting shell commands into the current directory name.

[04 - safe_mode bypass through path truncation ]

The safe_mode checks silently truncated the file path at MAXPATHLEN bytes before passing it to realpath(). In combination with certain malfunctional implementations of realpath(), f.e. within glibc, this allows crafting a filepath that passes the safe_mode check although it points to a file that should fail the safe_mode check.

[05 - path truncation in realpath() ]

PHP uses realpath() within several places to get the real path of files. Unfortunately some implementations of realpath() silently truncate overlong filenames (f.e. OpenBSD, and older NetBSD/FreeBSD). This can lead to arbitrary file include vulnerabilities if something like

    include "modules/$userinput/config.inc.php";

is used on such systems.

[06 - unserialize() - wrong handling of negative references ]

The variable unserializer could be fooled with negative references to add false zvalues to hashtables. When those hashtables get destroyed this can lead to efree()s of arbitrary memory addresses which can result in arbitrary code execution. (Unless Hardened-PHP's memory manager canaries are activated)

[07 - unserialize() - wrong handling of references to freed data ]

Additionally to bug 07, the previous version of the variable unserializer allowed setting references to already freed entries in the variable hash. A skilled attacker can exploit this to create a universal string that will pass execution to an arbitrary memory address when it is passed to unserialize(). For AMD64 systems a string was developed that directly passes execution to code contained in the string itself.

It is necessary to understand that these strings can exploit a bunch of popular PHP applications remotely because they pass f.e. cookie content to unserialize(). Examples of vulnerable scripts:

- phpBB2
- Invision Board
- vBulletin
- Woltlab Burning Board 2.x
- Serendipity Weblog
- phpAds(New)
- ...

Proof of Concept:

The Hardened-PHP project is not going to release exploits for any of these vulnerabilities to the public.

CVE Information:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1018 to issues 01, 02, the name CAN-2004-1019 to issues 06, 07, the name CAN-2004-1063 to issue 03 and the name CAN-2004-1064 to issues 04, 05.

Recommendation:

It is strongly recommended to upgrade to the new PHP releases as soon as possible, because a lot of PHP applications expose the easy to exploit unserialize() vulnerability to remote attackers. Additionally, we always recommend running PHP with the Hardened-PHP patch applied.

GPG-Key: http://www.hardened-php.net/hardened-php-signature-key.asc
pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Copyright 2004 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFBwDo7RDkUzAqGSqERAgVxAKC0LnTE49y5HFjeXpwXrZmAjuCL8gCgpQUl
rtmmBfJ3iv9Ksb/xtnyflD0=
=lzXX
-----END PGP SIGNATURE-----

------------------------------

Message: 4
Date: Thu, 16 Dec 2004 10:25:21 +0900
From: "SSR Team" <advisory () stgsecurity com>
Subject: [Full-disclosure] STG Security Advisory: [SSA-20041215-18] Vulnerability of uploading files with multiple extensions in phpBB Attachment Mod
To: <vuln () secunia com>, <news () securiteam com>, <bugs () securitytracker com>, <full-disclosure () lists netsys com>, <staff () packetstormsecurity com>
Message-ID: <GKEOJIPDJOHGOEEOIINIOEPOCAAA.advisory () stgsecurity com>
Content-Type: text/plain; charset="Windows-1252"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

STG Security Advisory: [SSA-20041215-18] Vulnerability of uploading files with multiple extensions in phpBB Attachment Mod

Revision 1.0
Date Published: 2004-12-15 (KST)
Last Update: 2004-12-15
Disclosed by SSR Team (advisory () stgsecurity com)

Summary
========
phpBB Attachment Mod is a file upload module for phpBB.
However, an input validation flaw can allow malicious attackers to run arbitrary commands with the privilege of the HTTPD process, which typically runs as the nobody user.

Vulnerability Class
===================
Implementation Error: Input validation flaw

Impact
======
High: arbitrary command execution.

Affected Products
=================
Attachment Mod 2.3.10 and prior.

Vendor Status: FIXED
====================
2004-12-08 Vulnerability found.
2004-12-08 Attachment Mod developer notified.
2004-12-13 Update version released.
2004-12-15 Official release.

Details
=======
Attachment Mod does not implement a check for multiple extensions of uploaded files, e.g. attack.php.rar, so malicious attackers can upload arbitrary script files (php, pl, cgi, etc.) to a web server. This originates from a feature of the Apache MIME module (mod_mime), which regards attack.php.rar as a normal PHP file and executes the file through the mod_php module with the privilege of the HTTPD process.

cf. http://httpd.apache.org/docs/mod/mod_mime.html - "Files with Multiple Extensions": it's a feature, not a bug.

Solution
=========
Update to 2.3.11
http://www.opentools.de/board/viewtopic.php?t=3590

Vendor URL
==========
http://www.opentools.de/

Credits
======
Jeremy Bae at STG Security

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBQcDjxD9dVHd/hpsuEQIIBACfYcy/IRJei/mfkfy+KdhQuCjhUbkAnjig
p3OSX1m+9IWd+MoM8lb5IDHS
=DQt1
-----END PGP SIGNATURE-----

------------------------------

Message: 5
Date: Thu, 16 Dec 2004 04:37:34 +0000
From: James Tucker <jftucker () gmail com>
Subject: Re: [Full-disclosure] RE: Cipher Tool
To: richard capistrano <mikoc02 () yahoo com>
Cc: full-disclosure () lists netsys com
Message-ID: <e92364c3041215203723ff0f55 () mail gmail com>
Content-Type: text/plain; charset=US-ASCII

Have you considered using secured network protocols on dedicated encryption hardware? Or is that beyond the price point?
Any cipher algorithm would be theoretically implementable (providing the length of data is suitable). If you are looking for _real_ performance though, then ciphering may not be what you want, as there isn't any good cipher that is really overly fast fast (deliberate double).

There are other core pieces of the puzzle to be considered though, like:

- Are you going to be talking in a client-less manner (i.e. is the client pre-configured, or has the client never received secure comms before)?
- Is there a socket/tunnel already running?
- What is the rough length of the data set (impacts readability and suitability for encryption algorithms)?
- What is the performance restriction (i.e. where is the bottleneck)?
- How secure do you need it: anti-fool, seconds, hours, years or millennial (might actually require more data storage than money can buy)?

I raised an eyebrow at the last portion of your mail, "Is there a freeware or software or information, I can check out?". This would suggest that you are looking to put another program somewhere mid-flow in a data pipe; that's not always a good option.

If you're really looking for speed and ease of implementation then something like a simple rotation cipher might work out for you, but this is going to be so poor an encryption that some cipher pros could read it in its encrypted form. This is obviously no good if you're worried about credit card info, but is OK if it's just your girlfriend being a nosy ....... .

On Tue, 14 Dec 2004 00:23:41 -0800 (PST), richard capistrano <mikoc02 () yahoo com> wrote:
> Hello,
>
> We are looking for a tool that can actually cipher or hash a particular portion of a file so that it will not display the particular field of a file. This will be applied to the file so that when it travels the network, the confidential field in the file is not displayed in clear text. Due to performance issues, we can not simply hash the whole file. Is there a freeware or software or information I can check out?
>
> Thanks in advance.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

------------------------------

_______________________________________________
Full-Disclosure mailing list
Full-Disclosure () lists netsys com
https://lists.netsys.com/mailman/listinfo/full-disclosure

End of Full-Disclosure Digest, Vol 1, Issue 2112
************************************************
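The two STG advisories in this digest (messages 2 and 4) describe one defect: the upload filter looks only at the final extension, while Apache's mod_mime acts on every dot-separated extension, so attack.php.hwp or attack.php.rar is served through mod_php. The following PHP check is an added example, not code from JSBoard, Attachment Mod, STG or the digest; it validates every extension of an uploaded name against an allowlist. The extension lists and the PHP 7.1+ requirement are assumptions; take the real lists from the board's policy and the server's handler configuration.

```php
<?php
// Added example (not JSBoard, Attachment Mod or STG code). Assumes PHP 7.1+.
// Attachment types the board is willing to store. Assumed list; set it from the
// board's own policy. A deny-list alone is not enough because mod_mime's handler
// mapping is configurable, so every extension must be positively allowed.
const ALLOWED_EXTENSIONS = ['hwp', 'rar', 'zip', 'txt', 'jpg', 'png', 'gif', 'pdf'];

// Extensions a typical mod_php/CGI setup maps to a script handler. Assumed list;
// it only guards against an allowlist that was edited carelessly later.
const HANDLER_EXTENSIONS = ['php', 'php3', 'php4', 'phtml', 'pl', 'cgi', 'sh'];

// True when EVERY dot-separated extension of $filename is allowed. mod_mime
// inspects all of them, so "attack.php.hwp" must fail although "hwp" alone is fine.
function upload_name_is_safe(string $filename): bool
{
    $parts = explode('.', basename($filename));   // basename() drops any path part
    if (count($parts) < 2) {
        return false;                              // no extension at all: reject
    }
    array_shift($parts);                           // first segment is the name itself
    foreach ($parts as $ext) {
        $ext = strtolower($ext);
        if ($ext === ''
            || in_array($ext, HANDLER_EXTENSIONS, true)
            || !in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Safer storage policy: keep the file under a server-generated name with a single
// allowed extension, so the user-supplied name never reaches the document root.
function stored_name_for(string $filename): ?string
{
    if (!upload_name_is_safe($filename)) {
        return null;
    }
    $ext = strtolower(pathinfo(basename($filename), PATHINFO_EXTENSION));
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed sample names, including the shapes named in the two advisories.
foreach (['report.hwp', 'attack.php.hwp', 'archive.php.rar', 'photo.jpg', 'noext'] as $name) {
    printf("%-18s %s\n", $name, upload_name_is_safe($name) ? 'accept' : 'reject');
}
```

On the server side the same class of issue is closed by binding the PHP handler only to names whose last extension is .php (a FilesMatch on "\.php$" with SetHandler) instead of AddHandler/AddType on the bare extension; the application-level check above still belongs in the upload path.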