Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[Full-Disclosure] Objet :Full-disclosure Digest , Vol 1, Issue 2112 (De retour le mardi 28 décembr e.)
From: "Christophe Savin" <christophe.savin () tdf fr>
Date: Wed, 22 Dec 2004 05:53:29 +0100

 En mon absence,  toute demande concernant les réseaux doit être envoyée au mail : ars_reseaux () tdf fr ou 
(ars_transpac pour tout incident lié à ce réseau)

En cas d'urgence, Vous pouvez contacter :
  La Hot-line Réseaux : 01 49 15 32 53  
  François LEVEQUE au 01 49 15 30 56
  Pascal PAINPARAY au 01 49 15 31 36.
 
  Bonnes fêtes de fin d'année.
  Christophe SAVIN


full-disclosure 12/18/04 21:25 >>>

Send Full-Disclosure mailing list submissions to
        full-disclosure () lists netsys com

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.netsys.com/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
        full-disclosure-request () lists netsys com

You can reach the person managing the list at
        full-disclosure-owner () lists netsys com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."


Today's Topics:

   1. Re: Linux kernel IGMP vulnerabilities (Timothy  Hall)
   2. STG Security Advisory: [SSA-20041215-17]  Vulnerability of
      uploading files with multiple extensions in JSBoard (SSR Team)
   3. Advisory 01/2004: Multiple vulnerabilities in PHP 4/5
      (Stefan Esser)
   4. STG Security Advisory: [SSA-20041215-18]  Vulnerability of
      uploading files with multiple extensions in       phpBB Attachment Mod
      (SSR Team)
   5. Re: RE: Cipher Tool (James Tucker)


----------------------------------------------------------------------

Message: 1
Date: Wed, 15 Dec 2004 16:02:10 -0500
From: "Timothy  Hall" <admin () TELE2WIN NET>
Subject: [Full-disclosure] Re: Linux kernel IGMP vulnerabilities
To: <stephen.butler () gmail com>, <ihaquer () isec pl>
Cc: bugtraq () securityfocus com, vulnwatch () vulnwatch org,
        security () isec pl,    full-disclosure () lists netsys com
Message-ID: <s1c06017.003 () WEBACCESS TELE2WIN NET>
Content-Type: text/plain; charset=ISO-8859-1

Greetings Paul and Stephen and List...

Paul thanks for clearing that up.  SuSE 9.0 Pro (at least the way two
boxes I take care of are set up) have
/proc/net/igmp
/proc/net/mcfilter
but 'mcfilter' is empty.  
No local users other than myself...  At least that I can tell...  :)



TîMöTH¥ Hª££


Paul Starzetz <ihaquer () isec pl> 12/15/04 07:34AM >>>
On Tue, 14 Dec 2004, stephen joseph butler wrote:

/proc/net/igmp
/proc/net/mcfilter

if both exist and are non-empty you are vulnerable!

Just to be clear: if "mcfilter" is empty, then you aren't
vulnerable?
I have both files, and "igmp" contains data, but "mcfilter" is
empty.

You are not vulnerable to the remote attack described under (3),
however 
your kernel may be still buggy. Note that you need a running process
that 
has manipulated its multicast socket filters. If your kernel is buggy
and 
you have local users such an application can always appear, at a time
you 
don't expect it.

-- 
Paul Starzetz
iSEC Security Research
http://isec.pl/ 




------------------------------

Message: 2
Date: Thu, 16 Dec 2004 10:17:41 +0900
From: "SSR Team" <advisory () stgsecurity com>
Subject: [Full-disclosure] STG Security Advisory: [SSA-20041215-17]
        Vulnerability of uploading files with multiple extensions in JSBoard
To: <vuln () secunia com>, <news () securiteam com>,
        <bugs () securitytracker com>,  <full-disclosure () lists netsys com>,
        <staff () packetstormsecurity com>
Message-ID: <GKEOJIPDJOHGOEEOIINIAEPOCAAA.advisory () stgsecurity com>
Content-Type: text/plain;       charset="ks_c_5601-1987"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

STG Security Advisory: [SSA-20041215-17] Vulnerability of uploading files
with multiple extensions in JSBoard

Revision 1.0
Date Published: 2004-12-15 (KST)
Last Update: 2004-12-15
Disclosed by SSR Team (advisory () stgsecurity com)

Summary
========
JSBoard is one of widely used web BBS applications in Korea.  However, an
input validation flaw can cause malicious attackers to run arbitrary
commands with the privilege of the HTTPD process, which is typically run as
the nobody user.

Vulnerability Class
===================
Implementation Error: Input validation flaw

Impact
======
High : arbitrary command execution.

Affected Products
================
JSBoard 2.0.8 and prior.
JSBoard 1.3.11 and prior.

Vendor Status: FIXED
====================
2004-12-08 Vulnerability found.
2004-12-08 JSBoard developer notified.
2004-12-09 Update version released.
2004-12-15 Official release.

Details
=======
JSBoard doesn't implemented in "include/parse.php" to check multiple
extensions of uploaded files, e.g. attack.php.hwp, so malicious attackers
can upload arbitrary script files (php, pl, cgi, etc) to a web server. This
is originated from a feature of Apache MIME module (mod_mime), which regards
attack.php.hwp as a normal PHP file and execute the file through mod_php
module with the privilege of the HTTPD process.

cf. http://httpd.apache.org/docs/mod/mod_mime.html - "Files with Multiple
Extensions" : it's a feature, not a bug.

Solution
=========
JSBoard 2.x branch : Update to 2.0.9
http://kldp.net/frs/download.php/1670/jsboard-2.0.9.tar.gz

JSBoard 1.x branch : Update to 1.3.13
http://kldp.net/frs/download.php/1668/jsboard-1.3.13.tar.gz

Vendor URL
==========
http://kldp.net/projects/jsboard/

Credits
======
Jeremy Bae at STG Security

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBQcDiAD9dVHd/hpsuEQKY8gCg2vJZ2akGDGEA//Hwi3rOheZaVwkAn31V
tYi5XHLsUOHHdENvCrsUZyPi
=3VGj
-----END PGP SIGNATURE-----



------------------------------

Message: 3
Date: Wed, 15 Dec 2004 19:46:20 +0100
From: Stefan Esser <sesser () php net>
Subject: [Full-disclosure] Advisory 01/2004: Multiple vulnerabilities
        in PHP  4/5
To: bugtraq () securityfocus com, full-disclosure () lists netsys com
Message-ID: <20041215184620.GA20448 () e-matters de>
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-



     Advisory: Multiple vulnerabilities within PHP 4/5
 Release Date: 2004/12/15
Last Modified: 2004/12/15
       Author: Stefan Esser [sesser () php net]

  Application: PHP4 <= 4.3.9
               PHP5 <= 5.0.2
     Severity: Several vulnerabilities within PHP allow 
               local and remote execution of arbitrary code
         Risk: Critical
Vendor Status: Vendor has released bugfixed versions.
   References: http://www.hardened-php.net/advisories/012004.txt


Overview:

   PHP is a widely-used general-purpose scripting language that is 
   especially suited for Web development and can be embedded into HTML.

   During the development of Hardened-PHP which adds security hardening
   features to the PHP codebase, several vulnerabilities within PHP 
   were discovered that reach from bufferoverflows, over information 
   leak vulnerabilities and path truncation vulnerabilities to
   safe_mode restriction bypass vulnerabilities.
   

Details:

   [01 - pack() - integer overflow leading to heap bufferoverflow ]
   
   Insufficient validation of the parameters passed to pack() can
   lead to a heap overflow which can be used to execute arbitrary
   code from within a PHP script. This enables an attacker to
   bypass safe_mode restrictions and execute arbitrary code with
   the permissions of the webserver. Due to the nature of this
   function it is unlikely that a script accidently exposes it to
   remote attackers.
   
   [02 - unpack() - integer overflow leading to heap info leak ]

   Insufficient validation of the parameters passed to unpack() can
   lead to a heap information leak which can be used to retrieve
   secret data from the apache process. Additionally a skilled
   local attacker could use this vulnerability in combination with
   01 to bypass heap canary protection systems. Similiar to 01 this
   function is usually not used on user supplied data within
   webapplications.

   [03 - safe_mode_exec_dir bypass in multithreaded PHP ]
   
   When safe_mode is activated within PHP, it is only allowed to
   execute commands within the configured safe_mode_exec_dir. 
   Unfourtunately PHP does prepend a "cd [currentdir] ;" to any
   executed command when a PHP is running on a multithreaded unix
   webserver (f.e. some installations of Apache2). Because the name
   of the current directory is prepended directly a local attacker
   may bypass safe_mode_exec_dir restrictions by injecting shell-
   commands into the current directory name.
   
   [04 - safe_mode bypass through path truncation ]
   
   The safe_mode checks silently truncated the file path at MAXPATHLEN
   bytes before passing it to realpath(). In combination with certain
   malfunctional implementations of realpath() f.e. within glibc this
   allows crafting a filepath that pass the safe_mode check although
   it points to a file that should fail the safe_mode check.
   
   [05 - path truncation in realpath() ]
   
   PHP uses realpath() within several places to get the real path
   of files. Unfourtunately some implementations of realpath() silently
   truncate overlong filenames (f.e. OpenBSD, and older NetBSD/FreeBSD)
   This can lead to arbitrary file include vulnerabilities if something
   like "include "modules/$userinput/config.inc.php"; is used on such
   systems.
   
   [06 - unserialize() - wrong handling of negative references ]
   
   The variable unserializer could be fooled with negative references
   to add false zvalues to hashtables. When those hashtables get
   destroyed this can lead to efree()s of arbitrary memory addresses
   which can result in arbitrary code execution. (Unless Hardened-PHP's
   memory manager canaries are activated)
   
   [07 - unserialize() - wrong handling of references to freed data ]
   
   Additionally to bug 07 the previous version of the variable 
   unserializer allowed setting references to already freed entries in
   the variable hash. A skilled attacker can exploit this to create 
   an universal string that will pass execution to an arbitrary 
   memory address when it is passed to unserialize(). For AMD64 systems
   a string was developed that directly passes execution to code 
   contained in the string itself.
   
   It is necessary to understand that these strings can exploit a 
   bunch of popular PHP applications remotely because they pass f.e.
   cookie content to unserialize().
   
   Examples of vulnerable scripts:
   
      - phpBB2
      - Invision Board
      - vBulletin
      - Woltlab Burning Board 2.x
      - Serendipity Weblog
      - phpAds(New)
      - ...


Proof of Concept:

   The Hardened-PHP project is not going to release exploits for any 
   of these vulnerabilities to the public.


CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CAN-2004-1018 to issues 01, 02, the name 
   CAN-2004-1019 to issues 06, 07, the name CAN-2004-1063 to issue 03
   and the name CAN-2004-1064 to issues 04, 05.


Recommendation:

   It is strongly recommended to upgrade to the new PHP-Releases as
   soon as possible, because a lot of PHP applications expose the
   easy to exploit unserialize() vulnerability to remote attackers.
   Additionally we always recommend to run PHP with the Hardened-PHP
   patch applied.
   

GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2004 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFBwDo7RDkUzAqGSqERAgVxAKC0LnTE49y5HFjeXpwXrZmAjuCL8gCgpQUl
rtmmBfJ3iv9Ksb/xtnyflD0=
=lzXX
-----END PGP SIGNATURE-----



------------------------------

Message: 4
Date: Thu, 16 Dec 2004 10:25:21 +0900
From: "SSR Team" <advisory () stgsecurity com>
Subject: [Full-disclosure] STG Security Advisory: [SSA-20041215-18]
        Vulnerability of uploading files with multiple extensions in    phpBB
        Attachment Mod
To: <vuln () secunia com>, <news () securiteam com>,
        <bugs () securitytracker com>,  <full-disclosure () lists netsys com>,
        <staff () packetstormsecurity com>
Message-ID: <GKEOJIPDJOHGOEEOIINIOEPOCAAA.advisory () stgsecurity com>
Content-Type: text/plain;       charset="Windows-1252"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

STG Security Advisory: [SSA-20041215-18] Vulnerability of uploading files
with multiple extensions in phpBB Attachment Mod

Revision 1.0
Date Published: 2004-12-15 (KST)
Last Update: 2004-12-15
Disclosed by SSR Team (advisory () stgsecurity com)

Summary
========
phpBB Attachment Mod is file upload module for phpBB. However, an input
validation flaw can cause malicious attackers to run arbitrary commands with
the privilege of the HTTPD process, which is typically run as the nobody
user.

Vulnerability Class
===================
Implementation Error: Input validation flaw

Impact
======
High : arbitrary command execution.

Affected Products
================
Attachment Mod 2.3.10 and prior.

Vendor Status: FIXED
====================
2004-12-08 Vulnerability found.
2004-12-08 Attachment Mod developer notified.
2004-12-13 Update version released.
2004-12-15 Official release.

Details
=======
Apache Mod doesn't implemented to check multiple extensions of uploaded
files, e.g. attack.php.rar, so malicious attackers can upload arbitrary
script files (php, pl, cgi, etc) to a web server. This is originated from a
feature of Apache MIME module (mod_mime), which regards attack.php.rar as a
normal PHP file and execute the file through mod_php module with the
privilege of the HTTPD process.
cf. http://httpd.apache.org/docs/mod/mod_mime.html - "Files with Multiple
Extensions" : it's a feature, not a bug.

Solution
=========
Update to 2.3.11
http://www.opentools.de/board/viewtopic.php?t=3590

Vendor URL
==========
http://www.opentools.de/

Credits
======
Jeremy Bae at STG Security

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBQcDjxD9dVHd/hpsuEQIIBACfYcy/IRJei/mfkfy+KdhQuCjhUbkAnjig
p3OSX1m+9IWd+MoM8lb5IDHS
=DQt1
-----END PGP SIGNATURE-----



------------------------------

Message: 5
Date: Thu, 16 Dec 2004 04:37:34 +0000
From: James Tucker <jftucker () gmail com>
Subject: Re: [Full-disclosure] RE: Cipher Tool
To: richard capistrano <mikoc02 () yahoo com>
Cc: full-disclosure () lists netsys com
Message-ID: <e92364c3041215203723ff0f55 () mail gmail com>
Content-Type: text/plain; charset=US-ASCII

Have you considered using secured network protocols on dedicated
encryption hardware? or is that beyond the price point?

Any cipher algorithm would be theoretically implementable (providing
the length of data is suitable). If you are looking for _real_
performance though then ciphering may not be what you want as there
isn't any good cipher that is really overly fast fast (deliberate
double).

There are other core pieces of the puzzle to be considered though,
like are you going to be talking in a client less manner (i.e. is the
client pre-configured or has the client never received secure comms
before?) Is there a socket/tunnel already running? What is the rough
length of the data set (impact readability and suitability for
encryption algorithms)? What is the performance restriction (i.e.
where is the bottleneck)? How secure do you need it, anti-fool,
seconds, hours, years or millennial(might actually require more data
storage than money can buy)?

I raised an eyebrow at the last portion of your mail, "Is there a
freeware or software or information, I can check out?". This would
suggest that you are looking to put another program somewhere mid-flow
in a data pipe; thats not always a good option.

If you're really looking for speed and ease of implementation then
something like a simple rotation cipher might work out for you, but
this is going to be so poor a encryption that some cipher pro's could
read it in its encrypted form. This is obviously no good if you're
worried about credit card info, but is OK if it's just your girlfriend
being a nosy ....... .


On Tue, 14 Dec 2004 00:23:41 -0800 (PST), richard capistrano
<mikoc02 () yahoo com> wrote:
 
 

Hello, 

  

  

We are looking for a tool that can actually cipher or hash a particular
portion of a file so that it will not display the particular field of a
file. This will be applied to the file so that when it travels the network,
the confidential field in the file is not displayed in clear text. Due to
performance issues, we can not simply hash the whole file. 

  

Is there a freeware or software or information, I can check out? Thanks in
advance.

 ________________________________
Do you Yahoo!?
 Read only the mail you want - Yahoo! Mail SpamGuard. 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html





------------------------------

_______________________________________________
Full-Disclosure mailing list
Full-Disclosure () lists netsys com
https://lists.netsys.com/mailman/listinfo/full-disclosure


End of Full-Disclosure Digest, Vol 1, Issue 2112
************************************************


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • [Full-Disclosure] Objet :Full-disclosure Digest , Vol 1, Issue 2112 (De retour le mardi 28 décembr e.) Christophe Savin (Dec 22)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]