One week ago, on November 4th, 2014, the FreeBSD team published security advisory FreeBSD-SA-14:25.setlogin describing an information disclosure vulnerability in setlogin(2) / getlogin(2), which could allow an unprivileged user to disclose kernel memory contents.
This vulnerability (identified as CVE-2014-8476) affects all supported versions of FreeBSD. This is the problem description, taken from the advisory:
When setlogin(2) is called while setting up a new login session, the login name is copied into an uninitialized stack buffer, which is then copied into a buffer of the same size in the session structure. The getlogin(2) system call returns the entire buffer rather than just the portion occupied by the login name associated with the session.
The code of the vulnerable function (getlogin in FreeBSD 8.4, sys_getlogin in newer versions) is located in /sys/kern/kern_prot.c:
About a week late, but here you have my writeups for Stripe CTF 2.0, levels 0 to 6. There were two more levels, but I wasn’t able to complete them.
Congrats to the Stripe guys for the nice work organizing this web-oriented CTF!
Level 0 (SQL Injection)
This level was a web application written using node.js. It was possible to inject SQL code into a vulnerable query, as seen below:
In this post we’ll see how to install Inguma, Bokken, Pyew and Radare2 on Ubuntu 11.10.
Inguma is a penetration testing and vulnerability research toolkit written in Python.
Bokken is a GUI for the Pyew malware analysis tool and the Radare reverse engineering framework, and it’s part of the Inguma project.
Three months ago Core Security posted an advisory regarding a CSRF vulnerability I found in IBM WebSphere Application Server. While preparing the advisory, I investigated some ways to mitigate this class of vulnerability when, for some reason, there’s no patch available for the affected web application. It turned out that Cross-Site Request Forgery can be mitigated both on the server side and on the client side.
This is a quick post about a vulnerability I found in Oracle GlassFish Server (CVE-2011-1511), which was published two weeks ago (I know, I’m a bit late).
The Administration Console of Oracle GlassFish Server is prone to an authentication bypass vulnerability, which can be exploited by remote attackers by performing TRACE requests.
You can find the advisory with the analysis of the bug and its technical details here: CORE-2010-1118: Oracle GlassFish Server Administration Console Authentication Bypass.
By the way, the timeline of the advisory deserves some attention!
And if you are asking, yes, this bug can be exploited to create an administrative account on the GlassFish Server and then execute arbitrary code on the vulnerable machine!