clamav: denial of service through "better zip bomb"
https://www.openwall.com/lists/oss-security/2019/08/06/3 [www.openwall.com]
2019-08-06 16:43
tags:
bugfix
compression
security
Recently, David Fifield presented a new variant of a ZIP bomb where, by using overlapping segments, he was able to achieve very high compression ratios (42kb->5GB, 10MB->281TB).
However, David Fifield commented in the bug report [4] that the fix is incomplete; by using some slight variations of his methods he could bypass the fix.
This shouldn’t be anything new, but... oops. Plus some commentary about age browsing, etc.
source: L
Linux and FreeBSD Kernel: Multiple TCP-based remote denial of service issues
https://www.openwall.com/lists/oss-security/2019/06/17/5 [www.openwall.com]
2019-06-17 17:45
tags:
freebsd
linux
networking
security
Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels. The vulnerabilities specifically relate to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed “SACK Panic,” allows a remotely-triggered kernel panic on recent Linux kernels.
Also: https://access.redhat.com/security/vulnerabilities/tcpsack
The Return of the WIZard: RCE in Exim (CVE-2019-10149)
https://www.openwall.com/lists/oss-security/2019/06/06/1 [www.openwall.com]
2019-06-07 00:42
tags:
auth
email
exploit
security
In this particular case, RCE means Remote *Command* Execution, not Remote Code Execution: an attacker can execute arbitrary commands with execv(), as root; no memory corruption or ROP (Return-Oriented Programming) is involved.
This vulnerability is exploitable instantly by a local attacker (and by a remote attacker in certain non-default configurations). To remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes). However, because of the extreme complexity of Exim’s code, we cannot guarantee that this exploitation method is unique; faster methods may exist.
source: solar
John the Ripper 1.9.0-jumbo-1
https://www.openwall.com/lists/announce/2019/05/14/1 [www.openwall.com]
2019-05-15 22:47
tags:
auth
hash
release
swtools
It’s been 4.5 years and 6000+ jumbo tree commits (not counting JtR core tree commits, nor merge commits) since we released 1.8.0-jumbo-1:
source: solar
yescrypt 1.0.0 - modern KDF and password
http://www.openwall.com/lists/announce/2018/03/09/1 [www.openwall.com]
2018-03-25 16:21
tags:
auth
crypto
hash
release
security
swtools
This is to announce the release of yescrypt 1.0.0.
yescrypt is a password-based key derivation function (KDF) and password hashing scheme. It builds upon Colin Percival’s scrypt and includes classic scrypt, a minor extension of scrypt known as YESCRYPT_WORM (named that for “write once, read [potentially] many [times]”, which is how scrypt works), and the full native yescrypt also known as YESCRYPT_RW (for “read-write”).
http://www.openwall.com/yescrypt/
source: solar
LKRG - Linux Kernel Runtime Guard
http://www.openwall.com/lkrg/ [www.openwall.com]
2018-02-02 04:47
tags:
beta
defense
linux
release
security
systems
Linux Kernel Runtime Guard (LKRG) is a loadable kernel module that performs runtime integrity checking of the Linux kernel and detection of security vulnerability exploits against the kernel. As controversial as this concept is, LKRG attempts to post-detect and hopefully promptly respond to unauthorized modifications to the running Linux kernel (integrity checking) or to credentials (such as user IDs) of the running processes (exploit detection). For process credentials, LKRG attempts to detect the exploit and take action before the kernel would grant the process access (such as open a file) based on the unauthorized credentials.
source: solar
On the effectiveness of kernel integrity checks
http://www.openwall.com/lists/kernel-hardening/2017/09/30/1 [www.openwall.com]
2017-10-01 21:40
tags:
defense
linux
security
Much of the value could be in diversity - if most systems do not have this sort of runtime check, then canned exploits and even some capable human attackers would not care or know to try and bypass the checks. However, if this functionality becomes standard, so will the bypasses.
source: solar
Linux PIE/stack corruption (CVE-2017-1000253)
http://www.openwall.com/lists/oss-security/2017/09/26/16 [www.openwall.com]
2017-09-26 18:40
tags:
bugfix
exploit
linux
malloc
security
systems
Unfortunately, load_elf_binary() does not take account of the need to allocate sufficient space for the entire binary, which means that, while the first PT_LOAD segment is mapped below mm->mmap_base, the subsequent PT_LOAD segment(s) end up being mapped above mm->mmap_base into the area that is supposed to be the “gap” between the stack and the binary.
source: L
php_mt_seed - PHP mt_rand() seed cracker
http://www.openwall.com/php_mt_seed/ [www.openwall.com]
2017-08-26 00:26
tags:
links
php
random
security
Plus a great collection of links and references.
source: solar
GCC generates incorrect code for RDRAND/RDSEED intrinsics
http://www.openwall.com/lists/oss-security/2017/07/27/2 [www.openwall.com]
2017-07-27 22:06
tags:
bugfix
compiler
cpu
random
security
turtles
Actual impact is pretty minimal, but... sigh.
source: green
regarding the maximum embargo duration
http://www.openwall.com/lists/oss-security/2017/06/19/8 [www.openwall.com]
2017-06-19 22:14
tags:
development
security
Some behind the scenes looks at vuln disclosure and coordination.
source: solar
Vixie/ISC Cron group crontab to root escalation
http://www.openwall.com/lists/oss-security/2017/06/08/3 [www.openwall.com]
2017-06-09 00:38
tags:
auth
bugfix
linux
openbsd
security
Sorry for the lengthy message.
source: solar
TIOCSTI not going away
http://www.openwall.com/lists/oss-security/2017/06/03/9 [www.openwall.com]
2017-06-05 15:37
tags:
auth
linux
programming
security
tty
unix
I am posting this message primarily to let maintainers of userspace su-like programs know that they should in fact proceed to implement allocation of a separate pty, if they don’t do that already. Do not wait for the kernel to do some magic thing because it’s been NAK’ed, it wouldn’t fully address the issue, and it wouldn’t be enabled by default.
source: solar
CVE-2017-1000367 in sudo's get_process_ttyname() for Linux
http://www.openwall.com/lists/oss-security/2017/05/30/16 [www.openwall.com]
2017-05-30 18:54
tags:
auth
exploit
linux
security
generic kde LPE
http://www.openwall.com/lists/oss-security/2017/05/10/3 [www.openwall.com]
2017-05-12 01:53
tags:
auth
exploit
linux
security
The exploit is achieved by abusing a logic flaw within the KAuth framework which is present in kde4 (org.kde.auth) and kde5 (org.kde.kf5auth). It is possible to spoof what KAuth calls callerID’s which are indeed DBUS unique names of the sender of a DBUS message.
source: R
terminal emulators' processing of escape sequences
http://www.openwall.com/lists/oss-security/2017/05/01/13 [www.openwall.com]
2017-05-01 20:05
tags:
fuzzing
security
tty
It is a well-known feature, previously discussed here, that data printed to a terminal (emulator) may control that terminal, including making it effectively unusable until reset, and in some cases even pasting characters as if they were typed by the user.
source: solar
Headsup: systemd v228 local root exploit
http://www.openwall.com/lists/oss-security/2017/01/24/4 [www.openwall.com]
2017-01-24 20:07
tags:
admin
bugfix
c
linux
security
Firejail local root exploit
http://www.openwall.com/lists/oss-security/2017/01/04/1 [www.openwall.com]
2017-01-07 20:58
tags:
exploit
linux
security
musl 1.1.16 release
http://www.openwall.com/lists/musl/2017/01/03/1 [www.openwall.com]
2017-01-03 20:13
tags:
bugfix
library
linux
release
security
The SipHash Patchset (and more)
http://www.openwall.com/lists/kernel-hardening/2016/12/16/6 [www.openwall.com]
2016-12-16 16:35
tags:
crypto
hash
linux
perf
security