Bugtraq

[CORE-2010-0121] Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers

Tue, 09 Feb 2010 00:33:30 GMT

Posted by CORE Security Technologies Advisories on Feb 08

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/

Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers

1. *Advisory Information*

Title: Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers
Advisory Id: CORE-2010-0121
Advisory URL:
http://www.coresecurity.com/content/filename-pseudonyms-vulnerabilities
Date published: 2010-02-05
Date of last update: 2010-02-05...

[Hacking Event] Night Da Hack 2010 : Call For Proposals

Tue, 09 Feb 2010 00:29:11 GMT

Posted by m . mahdjoub on Feb 08

- Night Da Hack 2010

Date: June 19-20 2010
Time: 4 PM - 7 AM
Location: Paris, France

What is Night da Hack?
“Night da Hack” comes from a rough translation from French “Nuit du Hack”. Started in 2003 by Hackerz Voice team, and
inspired by world famous DEF CON, “Nuit du Hack” is one of the oldest French underground hacking conference.

Around computer security related talks, workshops and contests, Night da Hack aims at bringing...

JDownloader Remote Code Execution

Tue, 09 Feb 2010 00:24:00 GMT

Posted by Matthias -apoc- Hecker on Feb 08

-- Product

JDownloader[1] is an open source download manager for One-Click-
Filehoster like Rapidshare or Megaupload. The Click'n'Load[2] interface
allows external applications and websites to send URLs to the local
running JDownloader. With Click'n'Load2 [3] it is possible to sent
AES-CBC encrypted URLs (for some kind of link 'obfuscation').
The encrypted payload _and_ key are sent with an HTTP-POST submit on
localhost port 9666 (default port,...

Re: Samba Remote Zero-Day Exploit

Tue, 09 Feb 2010 00:10:10 GMT

Posted by Stefan Kanthak on Feb 08

Dan Kaminsky wrote on February 06, 2010 6:43 PM:

OUCH!
No, creating junctions (as well as the Vista introduced symlinks)
DOESN'T need admin rights!

[snip]

Stefan

Re: Samba Remote Zero-Day Exploit

Mon, 08 Feb 2010 23:29:35 GMT

Posted by Dan Kaminsky on Feb 08

You need admin rights to create junctions. At that point, path
constraints aren't relevant, just psexec and get not only arbitrary
path but arbitrary code.

The fix is to do what everybody with a directory traversal bug has to
do, block out of path relative directories. In this specific case,
prevent the creation of symlinks where the target is out of the SMB
share's range. (Still allow navigation to such symlinks if one exists,...

Re: Samba Remote Zero-Day Exploit

Mon, 08 Feb 2010 22:55:21 GMT

Posted by Kingcope on Feb 08

Hello Paul,

First and foremost I did not know about the configuration setting which
closes the bug when i posted the advisory. So this was my mistake.
But for the most servers which are not entirely hardened (and my
assumption is that this applies to many servers in internal networks)
the traversal can be a serious issue, because a samba user (even nobody)
can create the symlinks. It would in my point of view be more secure to
only allow...

RE: Samba Remote Zero-Day Exploit

Mon, 08 Feb 2010 22:07:45 GMT

Posted by Michael Wojcik on Feb 08

symlinks

And at least since Vista, it also supports symlinks, which are designed
to mimic Unix symlinks, and can point to files or directories. Junctions
and symlinks can cross volumes; symlinks can also refer to files or
directories on network filesystems.

Junctions (which Microsoft also sometimes refers to as "soft links") and
symlinks are implemented with NTFS reparse points, just like mounts. You
can see some of the differences...

Re: Samba Remote Zero-Day Exploit

Mon, 08 Feb 2010 21:35:47 GMT

Posted by paul . szabo on Feb 08

Dear Kingcope,

The samba server follows symlinks by default. There are options
("follow symlinks", "wide links") for turning it off:

http://www.samba.org/samba/docs/using_samba/ch08.html#samba2-CHP-8-SECT-1.2
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#FOLLOWSYMLINKS
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#WIDELINKS

The "problem" at your installation seems a...

[security bulletin] HPSBUX02503 SSRT100019 rev.1 - HP-UX Running Java, Remote Increase in Privilege, Denial of Service and Other

Mon, 08 Feb 2010 21:00:50 GMT

Posted by security-alert on Feb 08

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01997760
Version: 1

HPSBUX02503 SSRT100019 rev.1 - HP-UX Running Java, Remote Increase in Privilege, Denial of Service and Other

Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2010-02-08
Last Updated: 2010-02-08

Potential Security Impact: Remote Increase in privilege, Denial of Service and other vulnerabilities...

[security bulletin] HPSBMA02487 SSRT100024 rev.1 - HP Operations Agent Running on Solaris 10, Remote Unauthorized Access

Mon, 08 Feb 2010 20:53:22 GMT

Posted by security-alert on Feb 08

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02002298
Version: 1

HPSBMA02487 SSRT100024 rev.1 - HP Operations Agent Running on Solaris 10, Remote Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2010-02-08
Last Updated: 2010-02-08

Potential Security Impact: Remote unauthorized access

Source: Hewlett-Packard Company, HP Software Security Response Team...

[ MDVSA-2010:034 ] kernel

Mon, 08 Feb 2010 20:42:42 GMT

Posted by security on Feb 08

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2010:034
http://www.mandriva.com/security/
_______________________________________________________________________

Package : kernel
Date : February 8, 2010
Affected: 2009.0, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Some...

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

Mon, 08 Feb 2010 20:31:45 GMT

Posted by Thierry Zoller on Feb 08

http://blog.metasploit.com/2010/02/exploiting-samba-symlink-traversal.html

Re: [Full-disclosure] Samba Remote Zero-Day Exploit

Mon, 08 Feb 2010 20:21:42 GMT

Posted by Thierry Zoller on Feb 08

Hi Paul,

Facts :
- Several distributions run with vulnerable settings per default
if there is a "misconfiguration" it is part of the vendor.
- Your not supposed to be able to traverse dirs.

Consequence it is a vulnerability, whether you can mitigate it is
a different piece of cake.

Next time somebody creates an IE8 0day that relies on javascript,
will you scream "misconfiguration!" ? Of course you could disable...

Re: Samba Remote Zero-Day Exploit

Mon, 08 Feb 2010 20:10:34 GMT

Posted by Dan Kaminsky on Feb 08

On Feb 6, 2010, at 5:26 PM, "Stefan Kanthak" <stefan.kanthak () nexgo de>
wrote:

Really? Try. Especially remotely over SMB w/o remote interactive.

Re: Samba Remote Zero-Day Exploit

Mon, 08 Feb 2010 19:39:22 GMT

Posted by paul . szabo on Feb 08

Dear Kingcope,

Correct.

Maybe what you want is for Samba to add and support an option like
"allow create symlink" (with default "no"). I myself do not think it
would be useful... would surely be a few lines of code only, so if you
want to submit a patch to the Samba team... or just patch your own
servers (as I do, see http://www.maths.usyd.edu.au/u/psz/samba/).

Cheers, Paul

Paul Szabo psz () maths usyd edu au...