xfs security issues (fwd)

2000-04-19 Thread Chris Evans
-- Date: Mon, 31 May 1999 18:09:47 +0100 (GMT) From: Chris Evans [EMAIL PROTECTED] To: removed Subject: xfs security issues Hi, I can't remember if I ever sent you these. Fixing "xfs" security has been on my TODO list for a while but I just haven't had the time :-( Hopefully if

Linux knfsd DoS issue

2000-05-02 Thread Chris Evans
uth.c.oldTue Apr 18 05:13:47 2000 +++ net/sunrpc/svcauth.cTue Apr 18 06:36:20 2000 @@ -4,6 +4,9 @@ * The generic interface for RPC authentication on the server side. * * Copyright (C) 1995, 1996 Olaf Kirch [EMAIL PROTECTED] + * + * CHANGES + * 19-Apr-2000 Chris Evans - Security

Linux kernel sysctl() vulnerability

2001-02-09 Thread Chris Evans
Hi, OVERVIEW There exists a Linux system call sysctl() which is used to query and modify runtime system settings. Unprivileged users are permitted to query the value of many of these settings. The unprivileged user passes in a buffer location and the length of this buffer. Unfortunately, by

Re: [COVERT-2001-02] Globbing Vulnerabilities in Multiple FTP Daemons

2001-04-13 Thread Chris Evans
On Tue, 10 Apr 2001, Mike Gleason wrote: NcFTPd Server for UNIX from NcFTP Software is not vulnerable to the pathname globbing buffer overflow described by NAI COVERT Labs advisory (COVERT-2001-02) (which is also documented in CERT Advisory CA-2001-07). Additionally, NcFTPd Server is not

Re: OpenBSD 2.8 ftpd/glob exploit (breaks chroot)

2001-04-19 Thread Chris Evans
On Wed, 18 Apr 2001, Bill Sommerfeld wrote: seteuid(0); a = open("..", O_RDONLY); mkdir("adfa", 555); chroot("adfa"); fchdir(a); for(cnt = 100; cnt; cnt--) chdir(".."); chroot(".."); execve("/bin//sh", ..); For the record, I blocked this way of breaking out of chroot in NetBSD

Firefox cross-domain image theft (CESA-2008-009)

2008-11-19 Thread Chris Evans
Hi, Firefox 2.0.0.18 fixes a cross-domain theft of image data. Firefox 3 unaffected. It's another interesting case where a redirector confuses the browser about the true origin of a piece of content. If evil.org hosts a redirector, e.g. evil.org/redir, and an image is loaded via this redirector,

Firefox cross-domain text theft (CESA-2008-011)

2008-12-18 Thread Chris Evans
Hi, Firefoxes 2.0.0.19 and 3.0.5 fix a cross-domain theft of textual data. The theft is via cross-domain information leaks in JavaScript error messages for scripts executed via script src=remote_domain.org. The JavaScript error messages are made available to the window.onerror handler. In some

Problems with syscall filtering technologies on Linux

2009-01-26 Thread Chris Evans
Hi, There's a trick which may permit the bypassing of policies in technologies which do syscall filtering on the Linux x86_64 kernel. The trick is made possible by the fact that the 32-bit and 64-bit kernel tables are different, combined with the fact that a 64-bit process can make a 32-bit

Ghostscript buffer overflow

2008-02-29 Thread Chris Evans
Hi, Buffer overflow in Ghostscript. A useful attack vector because a lot of UNIX workstations will put PS files on the web through Ghostscript. The problem is a stack-based buffer overflow in the zseticcspace() function in zicc.c. The issue is over-trust of the length of a postscript array which

Sun JDK image parsing vulnerabilities

2008-03-06 Thread Chris Evans
Hi, A couple more JPEG ICC parsing bugs were fixed in the latest JDK updates. Full technical details: http://scary.beasts.org/security/CESA-2007-005.html The most interesting part is the faulty code: Limit = SpGetUInt32 (Buf); ... UInt16Ptr = (KpUInt16_t *)SpMalloc (Limit *

Sun JRE / JDK bug introduces XXE possibilities

2008-02-02 Thread Chris Evans
Hi, Now that Sun has fixed this in JDK6u4, I thought this might be of interest to people: http://scarybeastsecurity.blogspot.com/ Essentially, one common XXE protection method was broken in the default XML parser, in JDK6. In particular, I'm worried about web services (and other server-side

LittleCMS vulnerabilities (OpenJDK, Firefox, GIMP, etc. impacted)

2009-03-20 Thread Chris Evans
Hi, LittleCMS (or lcms) prior to v1.18beta2 contains various integer overflow, buffer overflow and memory leak errors. At least one of these bugs is a stack-based buffer overflow which is good for arbitrary code execution. I have an exploit that works on my Ubuntu-8.10 laptop but am holding off

Apple Safari local file theft vulnerability

2009-06-09 Thread Chris Evans
Hi, Safari prior to version 4 may permit an evil web page to steal files from the local system. This is accomplished by mounting an XXE attack against the parsing of the XSL XML. This is best explained with a sample evil XSL file which includes a DTD that attempts the XXE attack: !DOCTYPE doc [

Apple Safari cross-domain XML theft vulnerability

2009-06-10 Thread Chris Evans
Hi, Safari prior to version 4 may permit an evil web page to steal arbitrary XML data cross-domain. This is accomplished by abusing a relatively obscure cross-domain access point which was completely missing a cross-domain access check. The access point in question is the document() function in