Date: Mon, 31 May 1999 18:09:47 +0100 (GMT)
From: Chris Evans
Subject: xfs security issues
I can't remember if I ever sent you these. Fixing "xfs" security has been
on my TODO list for a while but I just haven't had the time :-( Hopefully
uth.c.oldTue Apr 18 05:13:47 2000
+++ net/sunrpc/svcauth.cTue Apr 18 06:36:20 2000
@@ -4,6 +4,9 @@
* The generic interface for RPC authentication on the server side.
* Copyright (C) 1995, 1996 Olaf Kirch [EMAIL PROTECTED]
+ * CHANGES
+ * 19-Apr-2000 Chris Evans - Security
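Review bot: the added CHANGES entry in the file header records only a date, an author and the word "Security", which says nothing about what was changed or why. A one-line description of the actual fix (which check was added or which behaviour was tightened) and a pointer to the report it addresses would make the header useful to someone reading the history without the rest of this diff.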
There exists a Linux system call sysctl() which is used to query and
modify runtime system settings. Unprivileged users are permitted to query
the value of many of these settings.
The unprivileged user passes in a buffer location and the length of this
buffer. Unfortunately, by
On Tue, 10 Apr 2001, Mike Gleason wrote:
NcFTPd Server for UNIX from NcFTP Software is not vulnerable to the
pathname globbing buffer overflow described by NAI COVERT Labs advisory
(COVERT-2001-02) (which is also documented in CERT Advisory CA-2001-07).
Additionally, NcFTPd Server is not
On Wed, 18 Apr 2001, Bill Sommerfeld wrote:
seteuid(0); a = open("..", O_RDONLY); mkdir("adfa", 555);
chroot("adfa"); fchdir(a); for(cnt = 100; cnt; cnt--)
chroot(".."); execve("/bin//sh", ..);
For the record, I blocked this way of breaking out of chroot in NetBSD
Firefox 126.96.36.199 fixes a cross-domain theft of image data. Firefox 3
unaffected. It's another interesting case where a redirector confuses
the browser about the true origin of a piece of content. If evil.org
hosts a redirector, e.g. evil.org/redir, and an image is loaded via
Firefoxes 188.8.131.52 and 3.0.5 fix a cross-domain theft of textual data.
messages for scripts executed via <script src=remote_domain.org>.
handler. In some
There's a trick which may permit the bypassing of policies in
technologies which do syscall filtering on the Linux x86_64 kernel.
The trick is made possible by the fact that the 32-bit and 64-bit
kernel tables are different, combined with the fact that a 64-bit
process can make a 32-bit
Buffer overflow in Ghostscript. A useful attack vector because a lot
of UNIX workstations will put PS files on the web through Ghostscript.
The problem is a stack-based buffer overflow in the zseticcspace()
function in zicc.c. The issue is over-trust of the length of a
postscript array which
A couple more JPEG ICC parsing bugs were fixed in the latest JDK updates.
Full technical details:
The most interesting part is the faulty code:
Limit = SpGetUInt32 (Buf);
UInt16Ptr = (KpUInt16_t *)SpMalloc (Limit *
Now that Sun has fixed this in JDK6u4, I thought this might be of
interest to people:
Essentially, one common XXE protection method was broken in the
default XML parser, in JDK6.
In particular, I'm worried about web services (and other server-side
LittleCMS (or lcms) prior to v1.18beta2 contains various integer
overflow, buffer overflow and memory leak errors. At least one of
these bugs is a stack-based buffer overflow which is good for
arbitrary code execution. I have an exploit that works on my
Ubuntu-8.10 laptop but am holding off
Safari prior to version 4 may permit an evil web page to steal files
from the local system.
This is accomplished by mounting an XXE attack against the parsing of
the XSL XML. This is best explained with a sample evil XSL file which
includes a DTD that attempts the XXE attack:
<!DOCTYPE doc [
Safari prior to version 4 may permit an evil web page to steal
arbitrary XML data cross-domain.
This is accomplished by abusing a relatively obscure cross-domain
access point which was completely missing a cross-domain access check.
The access point in question is the document() function in