Full Disclosure mailing list archives
Re: Full-Disclosure Digest, Vol 57, Issue 17
From: hmarti2 () umbc edu
Date: Mon, 16 Nov 2009 01:03:12 +0000
I am not a number, I am a free man! Sent via BlackBerry by AT&T -----Original Message----- From: full-disclosure-request () lists grok org uk Date: Fri, 13 Nov 2009 12:00:01 To: <full-disclosure () lists grok org uk> Subject: Full-Disclosure Digest, Vol 57, Issue 17 Send Full-Disclosure mailing list submissions to full-disclosure () lists grok org uk To subscribe or unsubscribe via the World Wide Web, visit https://lists.grok.org.uk/mailman/listinfo/full-disclosure or, via email, send a message with subject or body 'help' to full-disclosure-request () lists grok org uk You can reach the person managing the list at full-disclosure-owner () lists grok org uk When replying, please edit your Subject line so it is more specific than "Re: Contents of Full-Disclosure digest..." Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you. Today's Topics: 1. WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution (Dawid Golunski) 2. Re: WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution (Milan Berger) 3. Re: WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution (Martin Aberastegue) 4. Re: WordPress (Vladimir Vorontsov) 5. Microsoft Patents the "sudo" command (Leandro Malaquias) 6. [USN-858-1] OpenLDAP vulnerability (Marc Deslauriers) 7. Re: WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution (Martin Aberastegue) 8. Re: WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution (g30rg3_x) 9. Re: Microsoft Patents the "sudo" command (Todd C. Miller) 10. Secunia Research: Gimp BMP Image Parsing Integer Overflow Vulnerability (Secunia Research) 11. Re: WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution (Vincent Guasconi) 12. Re: WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution (Moritz Naumann) 13. Re: Microsoft Patents the "sudo" command (Valdis.Kletnieks () vt edu) 14. Cryptome posts Microsoft COFEE forensic toolkit (Gary McKinnon [SOLO]) 15. Re: Microsoft Patents the "sudo" command (Todd C. Miller) 16. JTTF/FBI informant "snitching" on security professionals in Bay Area (Jacob Appelbaum [ioerror]) 17. rPSA-2009-0142-1 httpd mod_ssl (rPath Update Announcements) 18. rPSA-2009-0143-1 util-linux util-linux-extras (rPath Update Announcements) 19. rPSA-2009-0144-1 apr-util (rPath Update Announcements) 20. rPSA-2009-0145-1 samba samba-client samba-server samba-swat (rPath Update Announcements) 21. rPSA-2009-0142-2 httpd mod_ssl (rPath Update Announcements) 22. Re: Microsoft Patents the "sudo" command (McGhee, Eddie) ---------------------------------------------------------------------- Message: 1 Date: Wed, 11 Nov 2009 16:47:49 +0000 From: Dawid Golunski <golunski () onet eu> Subject: [Full-disclosure] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution To: full-disclosure () lists grok org uk Message-ID: <12E7DBD9-85F1-4DD6-9213-9A97E7830240 () onet eu> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes ============================================= - Release date: November 11th, 2009 - Discovered by: Dawid Golunski - Severity: Moderately High ============================================= I. VULNERABILITY ------------------------- WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution II. BACKGROUND ------------------------- WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards, and usability. WordPress is both free and priceless at the same time. More simply, WordPress is what you use when you want to work with your blogging software, not fight it. III. DESCRIPTION ------------------------- Wordpress allows authorised users to add an attachment to a blog post. It does not sanitize provided file properly before moving it to an uploads directory. The part of the code responsible for uploading files looks as follows: wp-admin/includes/file.php: ---[cut]--- line 217: function wp_handle_upload( &$file, $overrides = false, $time = null ) { ---[cut]--- // All tests are on by default. Most can be turned off by $override[{test_name}] = false; $test_form = true; $test_size = true; // If you override this, you must provide $ext and $type!!!! $test_type = true; $mimes = false; ---[cut]--- // A properly uploaded file will pass this test. There should be no reason to override this one. if (! @ is_uploaded_file( $file['tmp_name'] ) ) return $upload_error_handler( $file, __( 'Specified file failed upload test.' )); // A correct MIME type will pass this test. Override $mimes or use the upload_mimes filter. if ( $test_type ) { $wp_filetype = wp_check_filetype( $file['name'], $mimes ); extract( $wp_filetype ); if ( ( !$type || !$ext ) && ! current_user_can( 'unfiltered_upload' ) ) return $upload_error_handler( $file, __( 'File type does not meet security guidelines. Try another.' )); if ( !$ext ) $ext = ltrim(strrchr($file['name'], '.'), '.'); if ( !$type ) $type = $file['type']; } else { $type = ''; } // A writable uploads dir will pass this test. Again, there's no point overriding this one. if ( ! ( ( $uploads = wp_upload_dir($time) ) && false === $uploads['error'] ) ) return $upload_error_handler( $file, $uploads['error'] ); $filename = wp_unique_filename( $uploads['path'], $file['name'], $unique_filename_callback ); // Move the file to the uploads dir $new_file = $uploads['path'] . "/$filename"; if ( false === @ move_uploaded_file( $file['tmp_name'], $new_file ) ) { return $upload_error_handler( $file, sprintf( __('The uploaded file could not be moved to %s.' ), $uploads['path'] ) ); } ---[cut ]--- From the above code we can see that provided filename gets checked with: $wp_filetype = wp_check_filetype( $file['name'], $mimes ); Here is how the wp_check_filetype() function looks like: wp-includes/functions.php: ---[cut]--- line 2228: function wp_check_filetype( $filename, $mimes = null ) { // Accepted MIME types are set here as PCRE unless provided. $mimes = ( is_array( $mimes ) ) ? $mimes : apply_filters( 'upload_mimes', array( 'jpg|jpeg|jpe' => 'image/jpeg', 'gif' => 'image/gif', 'png' => 'image/png', 'bmp' => 'image/bmp', 'tif|tiff' => 'image/tiff', 'ico' => 'image/x-icon', 'asf|asx|wax|wmv|wmx' => 'video/asf', 'avi' => 'video/avi', ---[cut, more mime types]--- line 2279: $type = false; $ext = false; foreach ( $mimes as $ext_preg => $mime_match ) { $ext_preg = '!\.(' . $ext_preg . ')$!i'; if ( preg_match( $ext_preg, $filename, $ext_matches ) ) { $type = $mime_match; $ext = $ext_matches[1]; break; } } return compact( 'ext', 'type' ); } We can see that type of the file gets set to a predefined MIME type that matches supplied extension, and that the extension is obtained from a regexp that matches a mime ext. string after the LAST dot. If extension is not on the list $type and $ext will be set to FALSE and wordpress will produce an error ("File type does not meet security guidelines. Try another"). Let's look at the other check that is performed on the filename before a file gets uploaded, that is a call to the following function: $filename = wp_unique_filename( $uploads['path'], $file['name'], $unique_filename_callback ); wp-includes/functions.php: line 2096: function wp_unique_filename( $dir, $filename, $unique_filename_callback = null ) { // sanitize the file name before we begin processing $filename = sanitize_file_name($filename); ---[cut, code that only matters if uploaded file already exists]--- line 2126: return $filename; } To have a complete view on file sanitization performed by wordpress we need to look into the sanitize_file_name() function: wp-includes/formatting.php: line 601: function sanitize_file_name( $filename ) { $filename_raw = $filename; $special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}", chr(0)); $special_chars = apply_filters('sanitize_file_name_chars', $special_chars, $filename_raw); $filename = str_replace($special_chars, '', $filename); $filename = preg_replace('/[\s-]+/', '-', $filename); $filename = trim($filename, '.-_'); return apply_filters('sanitize_file_name', $filename, $filename_raw); } This function removes special characters shown above, replaces spaces and consecutive dashes with a single dash, trims period, dash and underscore from beginning and end of the filename. The sanitization process appears quite extensive however it does not take into account files that have multiple extensions. It is possible to upload a file containing an arbitrary PHP script with an extension of '.php.jpg' and execute it by requesting the uploaded file directly. The execution of the PHP code despite the .php.jpg extension is possible because Apache allows for multiple extensions. Here is a quote from Apache docs regarding this matter: " Files can have more than one extension, and the order of the extensions is normally irrelevant. For example, if the file welcome.html.fr maps onto content type text/ html and language French then the file welcome.fr.html will map onto exactly the same information. If more than one extension is given that maps onto the same type of meta-information, then the one to the right will be used, except for languages and content encodings. For example, if .gif maps to the MIME-type image/gif and .html maps to the MIME-type text/html, then the file welcome.gif.html will be associated with the MIME-type text/html. Care should be taken when a file with multiple extensions gets associated with both a MIME-type and a handler. This will usually result in the request being handled by the module associated with the handler. For example, if the .imap extension is mapped to the handler imap-file (from mod_imagemap) and the .html extension is mapped to the MIME-type text/html, then the file world.imap.html will be associated with both the imap-file handler and text/html MIME-type. When it is processed, the imap-file handler will be used, and so it will be treated as a mod_imagemap imagemap file. " IV. PROOF OF CONCEPT ------------------------- Browser is enough to replicate this issue. Simply log in to your wordpress blog as a low privileged user or admin. Create a new post and use the media file upload feature to upload a file: test-image.php.jpg containing the following code: <?php phpinfo(); ?> After the upload you should receive a positive response saying: test-vuln.php.jpg image/jpeg 2009-11-11 and it should be possible to request the uploaded file via a link: http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg thus executing the PHP code it contains. In the above code example, a php info page will be shown. V. BUSINESS IMPACT ------------------------- An attacker that has already obtained login details (for example by stealing user's cookies with an XSS attack) to the blog as one of the existing users could exploit this vulnerability to get access to the system in the Apache user's context. From there he could use local bugs to further escalate the privileges. Apache account would be enough in most cases to view the source codes and gain access to the databases. Some wordpress users of the 2.8.5 release have reported that some php files have been added to their wordpress directory. It could be possible that they have been hit by this bug. Therefore it is important to take some countermeasures as soon as possible. VI. SYSTEMS AFFECTED ------------------------- Most likely all of the wordpress releases contain this bug. Including the current hardened stable release 2.8.5 and the beta version. VII. SOLUTION ------------------------- Vendor has been informed about the bug. Currently wordpress developers and contributors are in the process of bug hunting and fixing reported bugs in beta versions before the new stable release, so hopefully it should not take long for them to take this problem into account. You can apply the temporary solutions for this problem which I provide below before an official patch is made. You can create a .htaccess file in the uploads dir (wordpress/wp- content/uploads) with the following content: deny from all <Files ~ "^\w+\.(gif|jpe?g|png|avi)$"> order deny,allow allow from all </Files> Adjust allowed file extensions in the brackets if necessary. This will prevent Apache from serving files with double extensions inside the uploads directory. Alternatively you can try to patch the source code yourself by editing the wp-admin/includes/file.php file and the wp_handle_upload() function it contains. An example patch could be to add the following three lines of code at the line 260: // Fix Unrestricted File Upload Arbitrary PHP Code Execution bug, return if more than 1 extension provided if ( count(explode('.', $file['name'])) > 2 ); return $upload_error_handler( $file, __( 'File type does not meet security guidelines. Try another.' )); VIII. REFERENCES ------------------------- http://www.wordpress.org http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext IX. CREDITS ------------------------- This vulnerability has been discovered by Dawid Golunski golunski (at) onet (dot) eu Greetings go to: robxt, sajanek, xsoti, bart, falcon (for the old time's sake :) and complexmind X. REVISION HISTORY ------------------------- November 11th, 2009: Initial release XI. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. ------------------------------ Message: 2 Date: Thu, 12 Nov 2009 13:48:46 +0100 From: Milan Berger <m.berger () project-mindstorm net> Subject: Re: [Full-disclosure] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution To: full-disclosure () lists grok org uk Message-ID: <20091112134846.22a8c38c@0xC0FF33> Content-Type: text/plain; charset=US-ASCII Hi there,
IV. PROOF OF CONCEPT ------------------------- Browser is enough to replicate this issue. Simply log in to your wordpress blog as a low privileged user or admin. Create a new post and use the media file upload feature to upload a file: test-image.php.jpg containing the following code: <?php phpinfo(); ?> After the upload you should receive a positive response saying: test-vuln.php.jpg image/jpeg 2009-11-11 and it should be possible to request the uploaded file via a link: http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg
tried this with lighttpd and wordpress 2.8.5 and PHP 5.2.11-pl0-gentoo with Suhosin-Patch 0.9.7 Shows a broken image no code executed. -- Kind Regards Milan Berger Project-Mindstorm Technical Engineer ------------------------------ Message: 3 Date: Thu, 12 Nov 2009 10:41:48 -0300 From: Martin Aberastegue <xyborg () gmail com> Subject: Re: [Full-disclosure] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution To: Milan Berger <m.berger () project-mindstorm net> Cc: full-disclosure () lists grok org uk Message-ID: <252277f40911120541o3feaf09fk83ac9294fe019920 () mail gmail com> Content-Type: text/plain; charset=ISO-8859-1 The same here tested on Wordpress 2.8.5 / Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 - PHP/5.2.6 Regards -- Martin Aberastegue http://www.martinaberastegue.com/ On Thu, Nov 12, 2009 at 9:48 AM, Milan Berger <m.berger () project-mindstorm net> wrote:
Hi there,IV. PROOF OF CONCEPT ------------------------- Browser is enough to replicate this issue. Simply log in to your wordpress blog as a low privileged user or admin. Create a new post and use the media file upload feature to upload a file: test-image.php.jpg containing the following code: <?php ? ? ? phpinfo(); ?> After the upload you should receive a positive response saying: test-vuln.php.jpg image/jpeg 2009-11-11 and it should be possible to request the uploaded file via a link: http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpgtried this with lighttpd and wordpress 2.8.5 and PHP 5.2.11-pl0-gentoo with Suhosin-Patch 0.9.7 Shows a broken image no code executed. -- Kind Regards Milan Berger Project-Mindstorm Technical Engineer _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
------------------------------ Message: 4 Date: Thu, 12 Nov 2009 17:15:56 +0300 From: Vladimir Vorontsov <vladimir.vorontsov () onsec ru> Subject: Re: [Full-disclosure] WordPress To: Full disclosure <full-disclosure () lists grok org uk> Message-ID: <2b8e3269858abb73f40f39d826461e44 () mail onsec ru> Content-Type: text/plain; charset="UTF-8" Did not work on: Apache/2.2.8 (Ubuntu) DAV/2 PHP/5.2.4-2ubuntu5.7 with Suhosin-Patch Server -------- Original Message -------- Subject: [Full-disclosure] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution Date: Wed, 11 Nov 2009 16:47:49 +0000 From: Dawid Golunski <golunski () onet eu> To: full-disclosure () lists grok org uk ============================================= - Release date: November 11th, 2009 - Discovered by: Dawid Golunski - Severity: Moderately High ============================================= I. VULNERABILITY ------------------------- WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution II. BACKGROUND ------------------------- WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards, and usability. WordPress is both free and priceless at the same time. More simply, WordPress is what you use when you want to work with your blogging software, not fight it. III. DESCRIPTION ------------------------- Wordpress allows authorised users to add an attachment to a blog post. It does not sanitize provided file properly before moving it to an uploads directory. The part of the code responsible for uploading files looks as follows: wp-admin/includes/file.php: ---[cut]--- line 217: function wp_handle_upload( &$file, $overrides = false, $time = null ) { ---[cut]--- // All tests are on by default. Most can be turned off by $override[{test_name}] = false; $test_form = true; $test_size = true; // If you override this, you must provide $ext and $type!!!! $test_type = true; $mimes = false; ---[cut]--- // A properly uploaded file will pass this test. There should be no reason to override this one. if (! @ is_uploaded_file( $file['tmp_name'] ) ) return $upload_error_handler( $file, __( 'Specified file failed upload test.' )); // A correct MIME type will pass this test. Override $mimes or use the upload_mimes filter. if ( $test_type ) { $wp_filetype = wp_check_filetype( $file['name'], $mimes ); extract( $wp_filetype ); if ( ( !$type || !$ext ) && ! current_user_can( 'unfiltered_upload' ) ) return $upload_error_handler( $file, __( 'File type does not meet security guidelines. Try another.' )); if ( !$ext ) $ext = ltrim(strrchr($file['name'], '.'), '.'); if ( !$type ) $type = $file['type']; } else { $type = ''; } // A writable uploads dir will pass this test. Again, there's no point overriding this one. if ( ! ( ( $uploads = wp_upload_dir($time) ) && false === $uploads['error'] ) ) return $upload_error_handler( $file, $uploads['error'] ); $filename = wp_unique_filename( $uploads['path'], $file['name'], $unique_filename_callback ); // Move the file to the uploads dir $new_file = $uploads['path'] . "/$filename"; if ( false === @ move_uploaded_file( $file['tmp_name'], $new_file ) ) { return $upload_error_handler( $file, sprintf( __('The uploaded file could not be moved to %s.' ), $uploads['path'] ) ); } ---[cut ]---
From the above code we can see that provided filename gets checked
with: $wp_filetype = wp_check_filetype( $file['name'], $mimes ); Here is how the wp_check_filetype() function looks like: wp-includes/functions.php: ---[cut]--- line 2228: function wp_check_filetype( $filename, $mimes = null ) { // Accepted MIME types are set here as PCRE unless provided. $mimes = ( is_array( $mimes ) ) ? $mimes : apply_filters( 'upload_mimes', array( 'jpg|jpeg|jpe' => 'image/jpeg', 'gif' => 'image/gif', 'png' => 'image/png', 'bmp' => 'image/bmp', 'tif|tiff' => 'image/tiff', 'ico' => 'image/x-icon', 'asf|asx|wax|wmv|wmx' => 'video/asf', 'avi' => 'video/avi', ---[cut, more mime types]--- line 2279: $type = false; $ext = false; foreach ( $mimes as $ext_preg => $mime_match ) { $ext_preg = '!\.(' . $ext_preg . ')$!i'; if ( preg_match( $ext_preg, $filename, $ext_matches ) ) { $type = $mime_match; $ext = $ext_matches[1]; break; } } return compact( 'ext', 'type' ); } We can see that type of the file gets set to a predefined MIME type that matches supplied extension, and that the extension is obtained from a regexp that matches a mime ext. string after the LAST dot. If extension is not on the list $type and $ext will be set to FALSE and wordpress will produce an error ("File type does not meet security guidelines. Try another"). Let's look at the other check that is performed on the filename before a file gets uploaded, that is a call to the following function: $filename = wp_unique_filename( $uploads['path'], $file['name'], $unique_filename_callback ); wp-includes/functions.php: line 2096: function wp_unique_filename( $dir, $filename, $unique_filename_callback = null ) { // sanitize the file name before we begin processing $filename = sanitize_file_name($filename); ---[cut, code that only matters if uploaded file already exists]--- line 2126: return $filename; } To have a complete view on file sanitization performed by wordpress we need to look into the sanitize_file_name() function: wp-includes/formatting.php: line 601: function sanitize_file_name( $filename ) { $filename_raw = $filename; $special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}", chr(0)); $special_chars = apply_filters('sanitize_file_name_chars', $special_chars, $filename_raw); $filename = str_replace($special_chars, '', $filename); $filename = preg_replace('/[\s-]+/', '-', $filename); $filename = trim($filename, '.-_'); return apply_filters('sanitize_file_name', $filename, $filename_raw); } This function removes special characters shown above, replaces spaces and consecutive dashes with a single dash, trims period, dash and underscore from beginning and end of the filename. The sanitization process appears quite extensive however it does not take into account files that have multiple extensions. It is possible to upload a file containing an arbitrary PHP script with an extension of '.php.jpg' and execute it by requesting the uploaded file directly. The execution of the PHP code despite the .php.jpg extension is possible because Apache allows for multiple extensions. Here is a quote from Apache docs regarding this matter: " Files can have more than one extension, and the order of the extensions is normally irrelevant. For example, if the file welcome.html.fr maps onto content type text/ html and language French then the file welcome.fr.html will map onto exactly the same information. If more than one extension is given that maps onto the same type of meta-information, then the one to the right will be used, except for languages and content encodings. For example, if .gif maps to the MIME-type image/gif and .html maps to the MIME-type text/html, then the file welcome.gif.html will be associated with the MIME-type text/html. Care should be taken when a file with multiple extensions gets associated with both a MIME-type and a handler. This will usually result in the request being handled by the module associated with the handler. For example, if the .imap extension is mapped to the handler imap-file (from mod_imagemap) and the .html extension is mapped to the MIME-type text/html, then the file world.imap.html will be associated with both the imap-file handler and text/html MIME-type. When it is processed, the imap-file handler will be used, and so it will be treated as a mod_imagemap imagemap file. " IV. PROOF OF CONCEPT ------------------------- Browser is enough to replicate this issue. Simply log in to your wordpress blog as a low privileged user or admin. Create a new post and use the media file upload feature to upload a file: test-image.php.jpg containing the following code: <?php phpinfo(); ?> After the upload you should receive a positive response saying: test-vuln.php.jpg image/jpeg 2009-11-11 and it should be possible to request the uploaded file via a link: http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg thus executing the PHP code it contains. In the above code example, a php info page will be shown. V. BUSINESS IMPACT ------------------------- An attacker that has already obtained login details (for example by stealing user's cookies with an XSS attack) to the blog as one of the existing users could exploit this vulnerability to get access to the system in the Apache user's context.
From there he could use local bugs to further escalate the
privileges. Apache account would be enough in most cases to view the source codes and gain access to the databases. Some wordpress users of the 2.8.5 release have reported that some php files have been added to their wordpress directory. It could be possible that they have been hit by this bug. Therefore it is important to take some countermeasures as soon as possible. VI. SYSTEMS AFFECTED ------------------------- Most likely all of the wordpress releases contain this bug. Including the current hardened stable release 2.8.5 and the beta version. VII. SOLUTION ------------------------- Vendor has been informed about the bug. Currently wordpress developers and contributors are in the process of bug hunting and fixing reported bugs in beta versions before the new stable release, so hopefully it should not take long for them to take this problem into account. You can apply the temporary solutions for this problem which I provide below before an official patch is made. You can create a .htaccess file in the uploads dir (wordpress/wp- content/uploads) with the following content: deny from all <Files ~ "^\w+\.(gif|jpe?g|png|avi)$"> order deny,allow allow from all </Files> Adjust allowed file extensions in the brackets if necessary. This will prevent Apache from serving files with double extensions inside the uploads directory. Alternatively you can try to patch the source code yourself by editing the wp-admin/includes/file.php file and the wp_handle_upload() function it contains. An example patch could be to add the following three lines of code at the line 260: // Fix Unrestricted File Upload Arbitrary PHP Code Execution bug, return if more than 1 extension provided if ( count(explode('.', $file['name'])) > 2 ); return $upload_error_handler( $file, __( 'File type does not meet security guidelines. Try another.' )); VIII. REFERENCES ------------------------- http://www.wordpress.org http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext IX. CREDITS ------------------------- This vulnerability has been discovered by Dawid Golunski golunski (at) onet (dot) eu Greetings go to: robxt, sajanek, xsoti, bart, falcon (for the old time's sake :) and complexmind X. REVISION HISTORY ------------------------- November 11th, 2009: Initial release XI. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- ----------------------------------------------------------------- Best regards! Vladimir Vorontsov, security expert. ONsec: turn on security ------------------------------ Message: 5 Date: Thu, 12 Nov 2009 14:09:12 +0000 From: Leandro Malaquias <lm.net.security () gmail com> Subject: [Full-disclosure] Microsoft Patents the "sudo" command To: full-disclosure () lists grok org uk Message-ID: <4AFC1708.7040508 () gmail com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Website: http://gizmodo.com/5402796/microsoft-patents-the-sudo-command Patent: http://patft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/PTO/srchnum.htm&r=1&f=G&l=50&s1=7,617,530.PN.&OS=PN/7,617,530&RS=PN/7,617,530 ------------------------------ Message: 6 Date: Thu, 12 Nov 2009 09:29:21 -0500 From: Marc Deslauriers <marc.deslauriers () canonical com> Subject: [Full-disclosure] [USN-858-1] OpenLDAP vulnerability To: ubuntu-security-announce () lists ubuntu com Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com Message-ID: <1258036161.3657.1.camel () mdlinux technorage com> Content-Type: text/plain; charset="utf-8" =========================================================== Ubuntu Security Notice USN-858-1 November 12, 2009 openldap2.2 vulnerability CVE-2009-3767 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: libldap-2.2-7 2.2.26-5ubuntu2.9 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: It was discovered that OpenLDAP did not correctly handle SSL certificates with zero bytes in the Common Name. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26-5ubuntu2.9.diff.gz Size/MD5: 516098 098a03b4f7d511ce730e9647deca2072 http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26-5ubuntu2.9.dsc Size/MD5: 1028 5a95dae94a1016fbcf41c1c1992ea8e6 http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26.orig.tar.gz Size/MD5: 2626629 afc8700b5738da863b30208e1d3e9de8 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.9_amd64.deb Size/MD5: 130854 1f1b40b12adcb557a810194d0c4f7993 http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.9_amd64.deb Size/MD5: 166444 500528d10502361c075a08578c1586f5 http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.9_amd64.deb Size/MD5: 961974 f56eef919306d6ca7f4a7a090d2ae6ba i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.9_i386.deb Size/MD5: 118638 0558a833fb6eadf4d87bd9fd6e687838 http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.9_i386.deb Size/MD5: 146444 fc85d5259c97622324047bbda153937d http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.9_i386.deb Size/MD5: 873424 358c78f76ee16010c1fb81e89adfe849 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.9_powerpc.deb Size/MD5: 133012 92d9de435a795261e6bf4143f2bf59c7 http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.9_powerpc.deb Size/MD5: 157480 099b1ee5e158f77be109a7972587f596 http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.9_powerpc.deb Size/MD5: 960052 850fb56995224edd6ae329af1b8236ef sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.9_sparc.deb Size/MD5: 120932 4fa0f7accd968ba71dff1f7c5b2ef811 http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.9_sparc.deb Size/MD5: 148546 2d1af209a8b53a8315fbd4bd86573d70 http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.9_sparc.deb Size/MD5: 903928 4aa6b0478821e803c80a020b031aafed -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20091112/9caed4d4/attachment-0001.bin ------------------------------ Message: 7 Date: Thu, 12 Nov 2009 12:40:47 -0300 From: Martin Aberastegue <xyborg () gmail com> Subject: Re: [Full-disclosure] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution To: Milan Berger <m.berger () project-mindstorm net> Cc: full-disclosure () lists grok org uk Message-ID: <252277f40911120740j1534b2fdpb04648cd55da2e06 () mail gmail com> Content-Type: text/plain; charset=ISO-8859-1 LOL I forgot to add this did not work on my box. -- Martin Aberastegue http://www.martinaberastegue.com/ On Thu, Nov 12, 2009 at 10:41 AM, Martin Aberastegue <xyborg () gmail com> wrote:
The same here tested on Wordpress 2.8.5 / Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 - PHP/5.2.6 Regards -- Martin Aberastegue http://www.martinaberastegue.com/ On Thu, Nov 12, 2009 at 9:48 AM, Milan Berger <m.berger () project-mindstorm net> wrote:Hi there,IV. PROOF OF CONCEPT ------------------------- Browser is enough to replicate this issue. Simply log in to your wordpress blog as a low privileged user or admin. Create a new post and use the media file upload feature to upload a file: test-image.php.jpg containing the following code: <?php ? ? ? phpinfo(); ?> After the upload you should receive a positive response saying: test-vuln.php.jpg image/jpeg 2009-11-11 and it should be possible to request the uploaded file via a link: http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpgtried this with lighttpd and wordpress 2.8.5 and PHP 5.2.11-pl0-gentoo with Suhosin-Patch 0.9.7 Shows a broken image no code executed. -- Kind Regards Milan Berger Project-Mindstorm Technical Engineer _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
------------------------------ Message: 8 Date: Thu, 12 Nov 2009 09:42:21 -0600 From: g30rg3_x <g30rg3x () gmail com> Subject: Re: [Full-disclosure] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution To: full-disclosure () lists grok org uk Message-ID: <d5d5430f0911120742o4e34981bv639046454bacd78f () mail gmail com> Content-Type: text/plain; charset=UTF-8 The same thing was discussed on WP-Hackers list[1] and it was found that the problem was introduced by Option +Multiviews[2]... And also someone point that Option +Multiviews is enabled by default on cpanel/whm[3] based servers therefore lots of cheap (and not so cheap) shared hosting providers introduce this behavior that could potentially be harmful not just to wordpress but any software that handles uploads and respect the uploaded file extensions. Regards [1] http://lists.automattic.com/pipermail/wp-hackers/2009-November/thread.html#28450 [2] http://lists.automattic.com/pipermail/wp-hackers/2009-November/028466.html [3] http://lists.automattic.com/pipermail/wp-hackers/2009-November/028482.html _________________________ g30rg3_x ------------------------------ Message: 9 Date: Thu, 12 Nov 2009 10:36:19 -0500 From: "Todd C. Miller" <Todd.Miller () courtesan com> Subject: Re: [Full-disclosure] Microsoft Patents the "sudo" command To: Leandro Malaquias <lm.net.security () gmail com> Cc: full-disclosure () lists grok org uk Message-ID: <200911121536.nACFaJuo032210 () core courtesan com> In message <4AFC1708.7040508 () gmail com> so spake Leandro Malaquias (lm.net.security):
Website: http://gizmodo.com/5402796/microsoft-patents-the-sudo-command Patent: http://patft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1 &u=/netahtml/PTO/srchnum.htm&r=1&f=G&l=50&s1=7,617,530.PN.&OS=PN/7,617,530&RS =PN/7,617,530
This doesn't sound like it would cover sudo to me, or even a GUI-wrapper for sudo. While I am not a patent attorney, I have been hacking on sudo for the past 15+ years. My reading of the patent indicates that it is geared towards GUI-based environments where the user may need to perform some action (such as setting the clock in a control panel) that requires increased privileges. The actual "invention" appears to be that the user is able to perform an action as a different user without having to type in the name of that other user when authenticating. One example given in that patent is the ability to click on a name in a list of privileged users as opposed to having to type in a user name. Sudo simply doesn't work this way. - todd ------------------------------ Message: 10 Date: Thu, 12 Nov 2009 14:18:51 +0100 From: Secunia Research <remove-vuln () secunia com> Subject: [Full-disclosure] Secunia Research: Gimp BMP Image Parsing Integer Overflow Vulnerability To: full-disclosure () lists grok org uk Message-ID: <200911121318.nACDIppW031610@CA-IX-1.intnet> ====================================================================== Secunia Research 12/11/2009 - Gimp BMP Image Parsing Integer Overflow Vulnerability - ====================================================================== Table of Contents Affected Software....................................................1 Severity.............................................................2 Vendor's Description of Software.....................................3 Description of Vulnerability.........................................4 Solution.............................................................5 Time Table...........................................................6 Credits..............................................................7 References...........................................................8 About Secunia........................................................9 Verification........................................................10 ====================================================================== 1) Affected Software * Gimp 2.6.7 NOTE: Other versions may also be affected. ====================================================================== 2) Severity Rating: Moderately Critical Impact: System Access Where: Remote ====================================================================== 3) Vendor's Description of Software "GIMP is the GNU Image Manipulation Program. It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.". Product Link: http://www.gimp.org/ ====================================================================== 4) Description of Vulnerability Secunia Research has discovered a vulnerability in Gimp, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused by an integer overflow error within the "ReadImage()" function in plug-ins/file-bmp/bmp-read.c. This can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into opening a specially crafted BMP file. ====================================================================== 5) Solution Fixed in the GIT repository. ====================================================================== 6) Time Table 02/11/2009 - Vendor notified. 02/11/2009 - Vendor response. 09/11-2009 - Fixed in the GIT repository. 12/11/2009 - Public disclosure. ====================================================================== 7) Credits Discovered by Stefan Cornelius, Secunia Research. ====================================================================== 8) References The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2009-1570 for the vulnerability. ====================================================================== 9) About Secunia Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration: http://secunia.com/advisories/business_solutions/ Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security. http://secunia.com/advisories/ Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general: http://secunia.com/secunia_research/ Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions: http://secunia.com/corporate/jobs/ Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/advisories/mailing_lists/ ====================================================================== 10) Verification Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2009-42/ Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/ ====================================================================== ------------------------------ Message: 11 Date: Thu, 12 Nov 2009 18:22:39 +0100 From: Vincent Guasconi <tyoptyop () gmail com> Subject: Re: [Full-disclosure] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution To: Milan Berger <m.berger () project-mindstorm net> Cc: full-disclosure () lists grok org uk Message-ID: <985b1a3d0911120922l6f4da046rcd35ba74dd900646 () mail gmail com> Content-Type: text/plain; charset=ISO-8859-1 On Thu, Nov 12, 2009 at 1:48 PM, Milan Berger <m.berger () project-mindstorm net> wrote:
and it should be possible to request the uploaded file via a link: http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpgtried this with lighttpd and wordpress 2.8.5 and PHP 5.2.11-pl0-gentoo with Suhosin-Patch 0.9.7 Shows a broken image no code executed.
http://httpd.apache.org/docs/1.3/mod/mod_mime.html#multipleext -- Guasconi Vincent ------------------------------ Message: 12 Date: Thu, 12 Nov 2009 18:51:24 +0100 From: Moritz Naumann <security () moritz-naumann com> Subject: Re: [Full-disclosure] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution To: full-disclosure () lists grok org uk Message-ID: <4AFC4B1C.6070803 () moritz-naumann com> Content-Type: text/plain; charset=us-ascii -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Milan Berger wrote:
Hi there,IV. PROOF OF CONCEPT ------------------------- Browser is enough to replicate this issue. Simply log in to your wordpress blog as a low privileged user or admin. Create a new post and use the media file upload feature to upload a file: test-image.php.jpg containing the following code: <?php phpinfo(); ?> After the upload you should receive a positive response saying: test-vuln.php.jpg image/jpeg 2009-11-11 and it should be possible to request the uploaded file via a link: http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpgtried this with lighttpd and wordpress 2.8.5 and PHP 5.2.11-pl0-gentoo with Suhosin-Patch 0.9.7 Shows a broken image no code executed.
This is specific to Apaches' Add* directives, when combined with the PHP SAPI / Apache module: http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext http://isc.sans.org/diary.html?storyid=6139 It's been like that for years, but many Linux distros still ship with default configurations which bear this issue. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEAREKAAYFAkr8SxwACgkQn6GkvSd/BgyWFACcDDGWwp92WxOunIr26u3juxL5 FvYAn1ynPl1pBolZKyV/mLQrb+i/AROY =sM0Q -----END PGP SIGNATURE----- ------------------------------ Message: 13 Date: Thu, 12 Nov 2009 12:59:11 -0500 From: Valdis.Kletnieks () vt edu Subject: Re: [Full-disclosure] Microsoft Patents the "sudo" command To: "Todd C. Miller" <Todd.Miller () courtesan com> Cc: full-disclosure () lists grok org uk Message-ID: <7897.1258048751 () turing-police cc vt edu> Content-Type: text/plain; charset="us-ascii" On Thu, 12 Nov 2009 10:36:19 EST, "Todd C. Miller" said:
privileges. The actual "invention" appears to be that the user is able to perform an action as a different user without having to type in the name of that other user when authenticating.
Umm... my check of my 'sudo' manpage says that the '-u username' is optional, and I don't remember having to use '-u root', so it's supported doing it without having to type the target username for years... Unless I'm misunderstanding your interpretation of the invention and how it compares to traditional sudo usage? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20091112/f4f9539a/attachment-0001.bin ------------------------------ Message: 14 Date: Thu, 12 Nov 2009 18:07:40 +0000 From: "Gary McKinnon [SOLO]" <jdl () mac hush com> Subject: [Full-disclosure] Cryptome posts Microsoft COFEE forensic toolkit To: full-disclosure () lists grok org uk Message-ID: <20091112180741.0D18C11803D () smtp hushmail com> Content-Type: text/plain; charset="UTF-8" Note: This is a toolkit by Microsoft meant to be used on a thumb drive. There are many open source tools already available, this is just an all-in-one set. For the curious tinkerer. Microsoft COFEE forensic toolkit: http://cryptome.org/cofee.zip User guide: http://cryptome.org/cofee-guide.zip Gary McKinnon / SOLO "People faking autism after charges should receive total immunity from prosecution" ------------------------------ Message: 15 Date: Thu, 12 Nov 2009 13:47:36 -0500 From: "Todd C. Miller" <Todd.Miller () courtesan com> Subject: Re: [Full-disclosure] Microsoft Patents the "sudo" command To: Valdis.Kletnieks () vt edu Cc: full-disclosure () lists grok org uk Message-ID: <200911121847.nACIlbOf002116 () core courtesan com> In message <7897.1258048751 () turing-police cc vt edu> so spake (Valdis.Kletnieks):
Umm... my check of my 'sudo' manpage says that the '-u username' is optional, and I don't remember having to use '-u root', so it's supported doing it without having to type the target username for years...
Sudo has always defaulted to running commands as root.
Unless I'm misunderstanding your interpretation of the invention and how it compares to traditional sudo usage?
It's very possible that I am not doing a good job of explaining my interpretation. As I see it, the invention is about providing the user with a list of privileged users with the appropriate rights to perform the action in a GUI when the user tries to perform an action that they don't have sufficient rights to do. If you read the patent in question, in all its TIFF glory (what do they have against text?) they list a number of possible scenarios. Sudo doesn't contain any logic to try and figure out what user a command should be run as in order for it to succeed (and no, root isn't always the right answer, especially when NFS is in the picture). - todd ------------------------------ Message: 16 Date: Fri, 13 Nov 2009 02:53:36 +0000 From: "Jacob Appelbaum [ioerror]" <jdl () mac hush com> Subject: [Full-disclosure] JTTF/FBI informant "snitching" on security professionals in Bay Area To: full-disclosure () lists grok org uk Message-ID: <20091113025336.6EAEFB00B5 () smtp hushmail com> Content-Type: text/plain; charset="UTF-8" Greetings Full Disclosure, For the past few weeks I've been facing a professional dilemma. Should I out someone who at one time fellated me? Should I trouble my colleagues with drama only 5% will care about. I'll take the gamble, as there are odds 100% may reap entertainment from such undertakings. It has come to my attention that one "Hepkitten" is an informant of the United States Government. Relevant Link: http://encyclopediadramatica.com/Hepkitten Photograph: http://i38.tinypic.com/1037hxy.jpg She has attended Defcon a few times. You may recognize her face. You may have had her face on your genitals (Yes, this is the one). She resides in San Francisco, California. Lives with her kids. She is on the FBI payroll and has been for at least 2 years. At the behest SF FBI and JTTF -- no less - she has spent the past few years successfully infiltrating security/activist groups. She has also acted as anarchist provacateur. She has guaranteed immunity from prosecution. I would like her docs submitted to my desk immediately. Salt the Earth, ioerror Jacob Appelbaum, Hacktivist. http://ioerror.livejournal.com ------------------------------ Message: 17 Date: Thu, 12 Nov 2009 17:49:51 -0500 From: rPath Update Announcements <announce-noreply () rpath com> Subject: [Full-disclosure] rPSA-2009-0142-1 httpd mod_ssl To: security-announce () lists rpath com, update-announce () lists rpath com, product-announce () lists rpath com Cc: lwn () lwn net, full-disclosure () lists grok org uk, vulnwatch () vulnwatch org, bugtraq () securityfocus com Message-ID: <4afc910f.4o79OjHk+Vk+vc9P%announce-noreply () rpath com> Content-Type: text/plain; charset=us-ascii rPath Security Advisory: 2009-0142-1 Published: 2009-11-12 Products: rPath Appliance Platform Linux Service 2 rPath Linux 2 Rating: Major Exposure Level Classification: Local System User Deterministic Privilege Escalation Updated Versions: httpd=conary.rpath.com@rpl:2/2.2.9-4.2-1 mod_ssl=conary.rpath.com@rpl:2/2.2.9-4.2-1 rPath Issue Tracking System: https://issues.rpath.com/browse/RPL-3061 https://issues.rpath.com/browse/RPL-3079 References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890 Description: Previous versions of httpd do not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges via a specially crafted .htaccess file combined with an exec element in a .shtml file. Additionally, when a reverse proxy is configured, a vulnerability in mod_proxy could allow a remote attacker to cause a denial of service (CPU consumption) via crafted requests. Both of these issues have been addressed in this release. http://wiki.rpath.com/Advisories:rPSA-2009-0142 Copyright 2009 rPath, Inc. This file is distributed under the terms of the MIT License. A copy is available at http://www.rpath.com/permanent/mit-license.html ------------------------------ Message: 18 Date: Thu, 12 Nov 2009 17:51:45 -0500 From: rPath Update Announcements <announce-noreply () rpath com> Subject: [Full-disclosure] rPSA-2009-0143-1 util-linux util-linux-extras To: security-announce () lists rpath com, update-announce () lists rpath com, product-announce () lists rpath com Cc: lwn () lwn net, full-disclosure () lists grok org uk, vulnwatch () vulnwatch org, bugtraq () securityfocus com Message-ID: <4afc9181.2pDUvWevLacA1/Ax%announce-noreply () rpath com> Content-Type: text/plain; charset=us-ascii rPath Security Advisory: 2009-0143-1 Published: 2009-11-12 Products: rPath Appliance Platform Linux Service 2 rPath Linux 2 Rating: Informational Exposure Level Classification: Remote User Deterministic Weakness Updated Versions: util-linux=conary.rpath.com@rpl:2/2.13_pre7-14.2-1 util-linux-extras=conary.rpath.com@rpl:2/2.13_pre7-14.2-1 rPath Issue Tracking System: https://issues.rpath.com/browse/RPL-3062 References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1926 Description: Previous versions of util-linux have an argument injection vulnerability, which allows remote attackers to hide activity by modifying portions of audit log events. This is only relevant on systems where the auditd service is used. http://wiki.rpath.com/Advisories:rPSA-2009-0143 Copyright 2009 rPath, Inc. This file is distributed under the terms of the MIT License. A copy is available at http://www.rpath.com/permanent/mit-license.html ------------------------------ Message: 19 Date: Thu, 12 Nov 2009 17:54:02 -0500 From: rPath Update Announcements <announce-noreply () rpath com> Subject: [Full-disclosure] rPSA-2009-0144-1 apr-util To: security-announce () lists rpath com, update-announce () lists rpath com, security-announce () lists rpath com, update-announce () lists rpath com, product-announce () lists rpath com, product-announce () lists rpath com Cc: lwn () lwn net, full-disclosure () lists grok org uk, vulnwatch () vulnwatch org, bugtraq () securityfocus com Message-ID: <4afc920a.7Z5N8KKXHjiE6q+N%announce-noreply () rpath com> Content-Type: text/plain; charset=us-ascii rPath Security Advisory: 2009-0144-1 Published: 2009-11-12 Products: rPath Appliance Platform Linux Service 1 rPath Appliance Platform Linux Service 2 rPath Linux 1 rPath Linux 2 Rating: Major Exposure Level Classification: Remote User Deterministic Denial of Service Updated Versions: apr-util=conary.rpath.com@rpl:1/0.9.7-1.4-1 apr-util=conary.rpath.com@rpl:2/1.2.12-2.4-1 rPath Issue Tracking System: https://issues.rpath.com/browse/RPL-3058 References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0023 Description: Previous versions of apr-util contain a vulnerability which can allow remote attackers to crash an Apache HTTP Server by triggering a heap-based buffer underflow. This vulnerability only exists when .htaccess files are used, or when a module linked to libaprutil is used. http://wiki.rpath.com/Advisories:rPSA-2009-0144 Copyright 2009 rPath, Inc. This file is distributed under the terms of the MIT License. A copy is available at http://www.rpath.com/permanent/mit-license.html ------------------------------ Message: 20 Date: Thu, 12 Nov 2009 17:55:48 -0500 From: rPath Update Announcements <announce-noreply () rpath com> Subject: [Full-disclosure] rPSA-2009-0145-1 samba samba-client samba-server samba-swat To: security-announce () lists rpath com, update-announce () lists rpath com, security-announce () lists rpath com, update-announce () lists rpath com, product-announce () lists rpath com, product-announce () lists rpath com Cc: lwn () lwn net, full-disclosure () lists grok org uk, vulnwatch () vulnwatch org, bugtraq () securityfocus com Message-ID: <4afc9274.jRz2hhU5YGwl+dWJ%announce-noreply () rpath com> Content-Type: text/plain; charset=us-ascii rPath Security Advisory: 2009-0145-1 Published: 2009-11-12 Products: rPath Appliance Platform Linux Service 1 rPath Appliance Platform Linux Service 2 rPath Linux 1 rPath Linux 2 Rating: Severe Exposure Level Classification: Local User Deterministic Unauthorized Access Updated Versions: samba=conary.rpath.com@rpl:1/3.0.33-0.2-1 samba=conary.rpath.com@rpl:2/3.0.33-1.2-1 samba-client=conary.rpath.com@rpl:1/3.0.33-0.2-1 samba-client=conary.rpath.com@rpl:2/3.0.33-1.2-1 samba-server=conary.rpath.com@rpl:1/3.0.33-0.2-1 samba-server=conary.rpath.com@rpl:2/3.0.33-1.2-1 samba-swat=conary.rpath.com@rpl:1/3.0.33-0.2-1 samba-swat=conary.rpath.com@rpl:2/3.0.33-1.2-1 rPath Issue Tracking System: https://issues.rpath.com/browse/RPL-3068 References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1888 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2813 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2906 Description: Previous versions of samba contain multiple vulnerabilities, the most serious of which could allow remote authenticated users without home directories to bypass intended sharing restrictions. http://wiki.rpath.com/Advisories:rPSA-2009-0145 Copyright 2009 rPath, Inc. This file is distributed under the terms of the MIT License. A copy is available at http://www.rpath.com/permanent/mit-license.html ------------------------------ Message: 21 Date: Thu, 12 Nov 2009 20:02:00 -0500 From: rPath Update Announcements <announce-noreply () rpath com> Subject: [Full-disclosure] rPSA-2009-0142-2 httpd mod_ssl To: security-announce () lists rpath com, update-announce () lists rpath com, product-announce () lists rpath com Cc: lwn () lwn net, full-disclosure () lists grok org uk, vulnwatch () vulnwatch org, bugtraq () securityfocus com Message-ID: <4afcb008.Vsubqjl8o4M6qcpC%announce-noreply () rpath com> Content-Type: text/plain; charset=us-ascii rPath Security Advisory: 2009-0142-2 Published: 2009-11-12 Updated: 2009-11-12 updated to reference CVE-2009-1891 Products: rPath Appliance Platform Linux Service 2 rPath Linux 2 Rating: Major Exposure Level Classification: Local System User Deterministic Privilege Escalation Updated Versions: httpd=conary.rpath.com@rpl:2/2.2.9-4.2-1 mod_ssl=conary.rpath.com@rpl:2/2.2.9-4.2-1 rPath Issue Tracking System: https://issues.rpath.com/browse/RPL-3061 https://issues.rpath.com/browse/RPL-3079 https://issues.rpath.com/browse/RPL-3107 References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891 Description: Previous versions of httpd do not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges via a specially crafted .htaccess file combined with an exec element in a .shtml file. Additionally, two similar vulnerabilities exist -- one in mod_proxy, and one in mod_deflate -- which could allow a remote attacker to cause a denial of service (CPU consumption) via crafted requests. These three issues have been addressed in this release. http://wiki.rpath.com/Advisories:rPSA-2009-0142 Copyright 2009 rPath, Inc. This file is distributed under the terms of the MIT License. A copy is available at http://www.rpath.com/permanent/mit-license.html ------------------------------ Message: 22 Date: Thu, 12 Nov 2009 11:27:30 -0500 From: "McGhee, Eddie" <Eddie.McGhee () ncr com> Subject: Re: [Full-disclosure] Microsoft Patents the "sudo" command To: "Todd C. Miller" <Todd.Miller () courtesan com>, Leandro Malaquias <lm.net.security () gmail com> Cc: "full-disclosure () lists grok org uk" <full-disclosure () lists grok org uk> Message-ID: <DEF48B74C2B9A041B12DF257E0E136DD022B9B5A8B () susday212 corp ncr com> Content-Type: text/plain; charset="us-ascii" Total propaganda, if you read it properly you will see.. Ms will not ever own or patent the sudo command. They offer a list of accounts which will be needed when elevated privileges are required.. Sudo doesn't do anything like this at all.. Long live Unix commands, down with the cmd. -----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Todd C. Miller Sent: 12 November 2009 15:36 To: Leandro Malaquias Cc: full-disclosure () lists grok org uk Subject: Re: [Full-disclosure] Microsoft Patents the "sudo" command In message <4AFC1708.7040508 () gmail com> so spake Leandro Malaquias (lm.net.security):
Website: http://gizmodo.com/5402796/microsoft-patents-the-sudo-command Patent: http://patft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=P ALL&p=1 &u=/netahtml/PTO/srchnum.htm&r=1&f=G&l=50&s1=7,617,530.PN.&OS=PN/7,617 ,530&RS =PN/7,617,530
This doesn't sound like it would cover sudo to me, or even a GUI-wrapper for sudo. While I am not a patent attorney, I have been hacking on sudo for the past 15+ years. My reading of the patent indicates that it is geared towards GUI-based environments where the user may need to perform some action (such as setting the clock in a control panel) that requires increased privileges. The actual "invention" appears to be that the user is able to perform an action as a different user without having to type in the name of that other user when authenticating. One example given in that patent is the ability to click on a name in a list of privileged users as opposed to having to type in a user name. Sudo simply doesn't work this way. - todd _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ------------------------------ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ End of Full-Disclosure Digest, Vol 57, Issue 17 *********************************************** _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Full-Disclosure Digest, Vol 57, Issue 17 RandallM (Nov 13)
- <Possible follow-ups>
- Re: Full-Disclosure Digest, Vol 57, Issue 17 hmarti2 (Nov 15)