Serious security flaw in SuSE rctab

2001-01-15 Thread Paul Starzetz
Hi @ll, it seems that the problem described below has not been discussed on Bugtraq. Problem description --- Due to various race conditions in the init level editing script /sbin/rctab it is possible for any local user to overwrite any system file with arbitrary data. This

Buffer overflow in bing

2001-01-22 Thread Paul Starzetz
exit (status=0) at exit.c:55 3. Impact: -- On systems with suid /usr/bin/ping it may be possible under certain circumstances to gain root privileges. 4. Solution: ---- chmod 700 /usr/bin/bing -- Paul Starzetz

ntop -i local exploit

2001-01-29 Thread Paul Starzetz
1. Abstract --- There are various format string bugs in the ntop package as mentioned in former Bugtraq articles. This is _not_ a new problem. However, in contrast to the '-w' option bug, an exploit for the existing '-i' option format string bug has never been posted/released. 2.

Local man exploit

2001-02-09 Thread Paul Starzetz
Hi @ll the attached script will create suid man shell on vulnerable systems (man -l bug). ihq. manexpl.sh

Format string bug in startinnfeed

2001-02-12 Thread Paul Starzetz
1. Description -- The 'startinnfeed' binary contains various format string bugs. Most of the command line options pass user-given arguments to 'syslog()' as the format string. For example: paul@ps:/usr/home/paul /usr/lib/news/bin/startinnfeed -a "%x%x%n%n%n%n%n%n%n" segmentation

Quick Analysis of the recent crc32 ssh(d) bug

2001-02-20 Thread Paul Starzetz
1. Abstract --- This article discusses the recently discovered security hole in the crc32 attack detector as found in common ssh packages like OpenSSH and derivatives using the ssh-1 protocol. There is a possible overflow during assignment from a 32-bit integer to a 16-bit wide one leading to
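The narrowing the post describes, reduced to its essentials as an added example. This is constructed illustration code, not the deattack.c from ssh or OpenSSH; the entry size, the table limit and the function names are assumptions. The point it shows is that a byte length that arrives as a 32-bit value, once stored in a uint16_t, can wrap to a tiny (even zero-sized) table while the code that walks the packet still uses the full count, so the table is indexed far beyond its allocation. The checked variant computes in 32 bits and rejects rather than wraps.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed table geometry for the illustration (not sshd's real constants). */
#define ENTRYSIZE   8u
#define MAX_ENTRIES 65535u   /* what a uint16_t can hold */

/* Vulnerable sizing: the packet length is a 32-bit count of bytes, but the
 * table size is kept in a uint16_t. Anything at or above 65536*ENTRYSIZE
 * bytes silently wraps to a small, possibly zero, table. */
uint16_t entries_narrowed(uint32_t len) {
    uint16_t n = len / ENTRYSIZE;   /* implicit truncation: high bits dropped */
    return n;
}

/* The count the detector will actually iterate over when it walks the packet. */
uint32_t entries_needed(uint32_t len) {
    return len / ENTRYSIZE;
}

/* 1 if the narrowed allocation is smaller than the number of blocks that will
 * be hashed into it, i.e. the table would be indexed out of bounds. */
int narrowing_overflows(uint32_t len) {
    return entries_needed(len) > entries_narrowed(len);
}

/* Hardened sizing: compute in 32 bits and reject instead of wrapping.
 * Returns the entry count, or -1 if it would not fit the table type. */
int64_t entries_checked(uint32_t len) {
    uint32_t n = len / ENTRYSIZE;
    if (n > MAX_ENTRIES) return -1;
    return (int64_t)n;
}

int main(void) {
    /* Constructed lengths: a normal packet, one just past the 16-bit edge,
     * and one that lands exactly on the last representable count. */
    uint32_t lens[] = { 1024u, 0x80008u, 0x7FFF8u };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("len=%u needed=%u narrowed=%u overflow=%d checked=%lld\n",
               lens[i], entries_needed(lens[i]), entries_narrowed(lens[i]),
               narrowing_overflows(lens[i]), (long long)entries_checked(lens[i]));
    }
    return 0;
}
```

The second length (0x80008 bytes, 65537 blocks) is the instructive one: the narrowed table holds one entry while 65537 blocks are hashed into it. Any fix has to keep the count in a type as wide as the length it is derived from, or refuse lengths that do not fit.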

Remote buffer overflow, remote DoS and format string bug in current IRCd's tkserv

2001-03-05 Thread Paul Starzetz
1. Abstract --- There are 3 major bugs in the current IRCd distribution (as used on the IRCnet for example). The included service daemon 'tkserv' (tkserv.c v1.3.0 and all previous versions) suffers from: a) a remotely exploitable buffer overflow while querying tklines b) a memory leak due to

Remote buffer overflow, remote DoS and format string bug in current IRCd's tkserv - correction

2001-03-05 Thread Paul Starzetz
Small correction: One needs at least one _non_ OPERED line in tkserv.access in order to be vulnerable to the mentioned buffer overflow attack. I've read the code too fast :-) ihq.

Re: ptrace/execve race condition exploit (non brute-force)

2001-03-30 Thread Paul Starzetz
Mariusz Woloszyn wrote: On Tue, 27 Mar 2001, Wojciech Purczynski wrote: Hi, Here is exploit for ptrace/execve race condition bug in Linux kernels up to 2.2.18. Hi! I've seen a tool that works better than this, using a different approach to the same bug; it exploits it on all

Re: ptrace/execve race condition exploit (brute force)

2001-03-31 Thread Paul Starzetz
Wojciech Purczynski wrote: Hi, Here is exploit for ptrace/execve race condition bug in Linux kernels up to 2.2.18. As far as I understand it, the race condition exists between preparing the bprm structure inside the kernel (which will carry the suid/sgid credentials) and setting the

VMware symlink problems

2001-04-19 Thread Paul Starzetz
1. Problem description -- There is a symlink vulnerability in the vmware-mount.pl script which comes with the latest VMware. 2. Details -- While mounting virtual disk drives using the vmware-mount.pl script, a temporary file named vmware-mount.pl.PID where PID is the

Insecure directory handling in KFM file manager

2001-04-19 Thread Paul Starzetz
Hi, there is a symlink/owner problem in the KDE file manager kfm. I found it on my SuSE 7.0 but I'm not sure if it is an original SuSE package or not, rpm doesn't know about it: paul@ps:/tmp rpm -qfi /usr/opt/kde/bin/kfm die Datei /usr/opt/kde/bin/kfm gehört zu keinem Paket, which means that

Re: Announcing RSX - non exec stack/heap module

2001-06-07 Thread Paul Starzetz
few but endangered applications (like sshd, rshd, rpc) improves the system security. sincerely, Paul Starzetz

Re: Announcing RSX - non exec stack/heap module

2001-06-07 Thread Paul Starzetz
doesn't protect against function-pointer overflows but on the other hand eliminates again 90% of the potential vulnerabilities. But can there be a 100% protection at all? sincerely, Paul Starzetz

Re: Announcing RSX - non exec stack/heap module

2001-06-12 Thread Paul Starzetz
Crispin Cowan wrote: It is not very hard to mmap the libc code as a non-executable area into main memory. After the regular program code jumps into some libc function, we can check in the gp() handler if the gp fault resulted from jumping into the libc area by a ret (the target address

Re: Announcing RSX - non exec stack/heap module

2001-06-13 Thread Paul Starzetz
of randomization in the libc location and the plt linking code would provide a simple (but not complete) defense against simple jump-into-system()-plt and similar attack. Paul Starzetz.

Symlinks symlinks...this time KTVision

2001-06-22 Thread Paul Starzetz
Hi ppl, the subject already states the problem: there is a symlink-following problem in the (in many distributions suid root) ktvision binary = 0.1.1-271. It is discouraging that nowadays such trivial symlink attacks are still possible. No comment anymore. In order to be complete: a bash script

Re: Tripwire temporary files

2001-07-10 Thread Paul Starzetz
Jarno Huuskonen wrote: I found out about the problem when I noticed a temporary file /tmp/twtempa19212 left in /tmp. Out of curiosity I ran the tripwire binary with strace and noticed that temporary files in /tmp are opened without the O_EXCL flag. Here a strace from tripwire 1.2
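The pattern behind the Tripwire temp-file post, and behind the VMware, KFM and KTVision symlink posts above, as an added example that is not code from any of those projects or from the thread. It contrasts an open() without O_EXCL (what the strace in the post shows) with one that has O_EXCL and O_NOFOLLOW, then stages a constructed attack: a private scratch directory, a "victim" file, and a symlink planted at the predictable temp name. The directory name, file names and function names are assumptions; the predictable name stands in for /tmp/twtempa19212 from the post.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern: O_CREAT without O_EXCL. If someone has planted a symlink
 * at the predictable name, open() follows it and the program truncates and
 * writes the link's target. Returns 1 if the open went through, else 0. */
int open_temp_unsafe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return 0;
    close(fd);
    return 1;
}

/* Hardened pattern: O_EXCL makes open() fail with EEXIST when anything, a
 * symlink included, already sits at the path; O_NOFOLLOW is a second guard.
 * Returns 1 only if a brand-new file was created. */
int open_temp_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return 0;
    close(fd);
    return 1;
}

/* Constructed scenario (assumed names). Returns 1 if the unsafe open followed
 * the planted link (victim truncated) while the safe open refused, 0 if either
 * did not behave that way, -1 on setup failure. */
int demo_symlink_attack(void) {
    char dir[] = "/tmp/twdemo.XXXXXX";
    char victim[300], tmpname[300];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmpname, sizeof tmpname, "%s/twtemp", dir);

    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    if (write(fd, "keep me\n", 8) != 8) { close(fd); return -1; }
    close(fd);
    if (symlink(victim, tmpname) != 0) return -1;   /* the attacker's link */

    int unsafe_ok = open_temp_unsafe(tmpname);       /* follows the link */
    int truncated = (stat(victim, &st) == 0 && st.st_size == 0);
    int safe_ok = open_temp_safe(tmpname);           /* refused with EEXIST */

    unlink(tmpname); unlink(victim); rmdir(dir);
    return (unsafe_ok && truncated && !safe_ok) ? 1 : 0;
}

int main(void) {
    printf("unsafe open followed the link and safe open refused: %d\n",
           demo_symlink_attack());
    return 0;
}
```

The O_EXCL check is what closes the race: the kernel atomically creates the file or fails, so a name that already exists (however it got there) is never reused. Unpredictable names (mkstemp and friends) reduce the attacker's odds but do not replace the exclusive create.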

Inn (Inter Net News) security problems

2002-04-11 Thread Paul Starzetz
Hi, I found several problems inside the inn (=2.2.3) package as shipped with various Linux distributions. There are several format string coding bugs as well as insecure open() calls. In particular the inews and the rnews binaries are affected. This may lead to serious security problems if those
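The format string class that recurs in the startinnfeed, ntop '-i', tkserv and inn posts above, as an added example; it is constructed here and is not code from any of those packages. It shows the vulnerable shape (the untrusted argument passed to syslog() as the format), the one-token fix, and a small scanner that counts conversions and %n directives in an argument such as the "%x%x%n%n%n%n%n%n%n" from the startinnfeed post, which is the kind of check a fuzzer or input filter would apply. Function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Counts printf-style conversions in an untrusted string; "%%" is a literal
 * percent and is skipped. If nwrites is non-NULL it receives the number of
 * %n conversions, the ones that write to memory. */
int count_directives(const char *s, int *nwrites) {
    int count = 0, writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }            /* escaped percent */
        count++;
        const char *q = p + 1;                         /* skip flags/width/precision/length */
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q)) q++;
        if (*q == 'n') writes++;
        if (*q == '\0') break;                         /* dangling '%' at end of string */
        p = q;
    }
    if (nwrites) *nwrites = writes;
    return count;
}

int count_nwrites(const char *s) { int w; count_directives(s, &w); return w; }

#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
/* VULNERABLE: the untrusted string *is* the format. "%x%x%n%n..." reads the
 * stack and writes through whatever pointers it finds there; that is the
 * segmentation fault shown in the startinnfeed post. Kept only for contrast,
 * never called on untrusted input here. */
void log_vulnerable(const char *user) {
    syslog(LOG_INFO, user);
}
#pragma GCC diagnostic pop

/* FIXED: constant format, the user string is passed as data. */
void log_fixed(const char *user) {
    syslog(LOG_INFO, "%s", user);
}

/* Renders the fixed form into a buffer (what syslogd would receive): every
 * directive survives as literal text. Returns 1 if output equals input
 * (inputs longer than the buffer are reported as 0). */
int fixed_preserves_literal(const char *user) {
    char buf[256];
    snprintf(buf, sizeof buf, "%s", user);
    return strcmp(buf, user) == 0;
}

int main(void) {
    const char *arg = "%x%x%n%n%n%n%n%n%n";   /* the -a argument from the post */
    int w;
    int n = count_directives(arg, &w);
    printf("%d directives, %d of them %%n writes; fixed form kept literal: %d\n",
           n, w, fixed_preserves_literal(arg));
    log_fixed(arg);
    return 0;
}
```

Building with -Wformat-security (or -Wformat=2) flags every call where a non-literal format reaches a printf-family or syslog function, which is the cheapest way to find this class across a code base of the size of inn.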

Re: An alternative method to check LKM backdoor/rootkit

2002-04-17 Thread Paul Starzetz
Wang Jian wrote: THE ALTERNATIVE METHOD Our alternative method uses the first style: to find the differences between the fake view and the real view. We read the raw disk and traverse the filesystem on disk, bypass the live filesystem, and create a real view of files on disk; then traverse the

Re: trusting user-supplied data (was Re: FreeBSD Security AdvisoryFreeBSD-SA-02:23.stdio)

2002-05-03 Thread Paul Starzetz
Steven M. Bellovin wrote: The list includes, but is not limited to: command-line array environment array open files I don't think there was enough research on open file descriptor problems. For example, I found this small bug while playing around with crontab on Linux: gcc

GNU rm fileutils race condition problems on SuSE

2002-05-16 Thread Paul Starzetz
Hi, the following issue has been reported to SuSE about 2 months ago: 1. Problem description -- There is an exploitable call to the vulnerable rm -rf command in /etc/cron.daily/aaa_base_clean_core as follows: # # paranoia settings # umask 022

Linux kernels DoSable by file-max limit

2002-07-08 Thread Paul Starzetz
Hi, the recently mentioned problem in BSD kernels concerning the global limit of open files seems to be present in the Linux-kernel too. However as mentioned in the advisory about the BSD specific problem the Linux kernel keeps some additional file slots reserved for the root user. This code

Re: Interface promiscuity obscurity in Linux

2002-07-25 Thread Paul Starzetz
Ricardo Branco wrote: This affects Linux 2.2 and 2.4 Using libpcap to put the interface in promiscuous mode, will cause that ifconfig(8) doesn't show it! This is an old issue (noticed this nearly 2 years ago...) but can be attributed to 'bad' userspace tools. libpcap uses setsockopt(...,

Re: White paper: Exploiting the Win32 API.

2002-08-27 Thread Paul Starzetz
Andrey Kolishak wrote: There is also article of Symeon Xenitellis A New Avenue of Attack: Event-driven system vulnerabilities http://www.isg.rhul.ac.uk/~simos/event_demo/ In fact, the problem is similar to U*ix signals, except that there is no jump-to-address argument for usual. Remember

Ambiguities in TCP/IP - firewall bypassing

2002-10-18 Thread Paul Starzetz
1. Abstract --- There are ambiguities in implementations of the TCP/IP suite for various operating systems. Even if this fact has been used for a long time in different software for OS fingerprinting, no real attempt has been made to identify the security impact of the differences in

TracerouteNG - never ending story

2002-11-28 Thread Paul Starzetz
Hi everyone, I want to provide some additional information about the recently discovered traceroute-ng flaw. I decided to disclose the details right now because I do not believe that the flaw is easily exploitable. 1) The vulnerability. The patch provided by vendors like SuSE is not

Eggdrop arbitrary connection vulnerability

2003-02-10 Thread Paul Starzetz
Hi, there is a serious security problem in the popular eggdrop IRCbot. The hole allows a regular user with enough 'power' (at least power to add new bot records) to use any linked instance of the bot on the botnet as an instant 'proxy'. The following session demonstrates the problem with an

Linux /proc sensitive information disclosure

2003-06-21 Thread Paul Starzetz
Hello, attached a simple proof of concept for the /proc filesystem disclosing sensitive information. I noticed that opening an entry from /proc/self/ and keeping the file open while executing a setuid binary prevents the opened proc entry from changing the ownership from the initial user to

Linux 2.4.x execve() file read race vulnerability

2003-06-26 Thread Paul Starzetz
Hi people, again it is time to discover a funny bug inside the Linux execve() system call. Details: - While looking at the execve() code I've found the following piece of code (from fs/binfmt_elf.c): static int load_elf_binary(struct linux_binprm * bprm, struct pt_regs * regs) {

Re: rPSA-2006-0122-1 kernel

2006-07-10 Thread Paul Starzetz
kernel code? *just guessing* Anyway CVE-2006-2451 is trivially exploitable so I don't attach any exploit code since it is obvious... Paul Starzetz

Re: [ MDKSA-2006:116 ] - Updated kernel packages fixes multiple vulnerabilities

2006-07-10 Thread Paul Starzetz
to an IMMEDIATE root compromise of vulnerable machines. But I'm not going to provide a PoC :-] with best regards Paul Starzetz