This Metasploit module steals the user password of an administrative user on a desktop Linux system when it is entered for unlocking the screen or for doing administrative actions using policykit. Then it escalates to root privileges using sudo and the stolen user password. It exploits the design weakness that there is no trusted channel for transferring the password from the keyboard to the actual password verification against the shadow file (which is running as root since /etc/shadow is only readable to the root user). Both screensavers (xscreensaver/gnome-screensaver) and policykit use a component running under the current user account to query for the password and then pass it to a setuid-root binary to do the password verification. Therefore it is possible to inject a password stealer after compromising the user account. Since sudo requires only the user password (and not the root password of the system), stealing the user password of an administrative user directly allows escalating to root privileges. Please note that you have to start a handler as a background job before running this exploit since the exploit will only create a shell when the user actually enters the password (which may be hours after launching the exploit). Using exploit/multi/handler with the option ExitOnSession set to false should do the job.
0a9cac7ba17812d5abc36544dbde12e861f70ee5697f577efc23726fdff20564
The most popular full disk encryption solution for Linux is LUKS (Linux Unified Key Setup), which provides an easy-to-use encryption layer for block devices. By default, newly generated LUKS devices are set up with 256-bit AES in CBC mode. Since there is no integrity protection/checksum, it is obviously possible to destroy parts of plaintext files by changing the corresponding ciphertext blocks. Nevertheless, many users expect the encryption to make sure that an attacker can only change the plaintext to an unpredictable random value. The CBC mode used by default in LUKS, however, allows some more targeted manipulation of the plaintext file given that the attacker knows the original plaintext. This article demonstrates how this can be used to inject a full remote code execution backdoor into an encrypted installation of Ubuntu 12.04 created by the alternate installer (the default installer of Ubuntu 12.04 doesn't allow setting up full disk encryption).
83e0e48a068a6889d9cec9e057406641dd9d38932ce22381b3c16a767ef73656
Simple Machines Forum suffers from username impersonation and clickjacking issues. These issues are present in SMF1 up to version 1.1.18 and SMF2 up to version 2.0.5.
ec054b0bcc023ef1325986cda6d0998e1dc4e6a4098ffcf06f2400521afdec66
This write-up goes into detail about how real-world cross-site request forgery attacks can be used to hijack DNS on TP-Link routers.
97ebb3cb84a6a9a66f84afff891ff378fa74b1e2ed747d6a5cd984a436456d72
TCP uses 32-bit Seq/Ack numbers in order to make sure that both sides of a connection can actually receive packets from each other. Additionally, these numbers make it relatively hard to spoof the source address because successful spoofing requires guessing the correct initial sequence number (ISN), which is generated by the server in a non-guessable way. It is commonly known that a 32-bit number can be brute-forced in a couple of hours given a fast (gigabit) network connection. This article shows that the effort required for guessing a valid ISN can be reduced from hours to minutes if the server uses TCP SYN cookies (a widely used defense mechanism against SYN-flooding DoS attacks), which are enabled by default for various Linux distributions including Ubuntu and Debian.
b8f8a5a1565210c001b8928ecc2c9c00ee0638f668d5a0c9e076bda0c08391c5
Having a preconfigured, randomly generated WPA2-PSK passphrase for wireless routers is basically a good idea, since a vendor-generated passphrase can be much more secure than most user-generated passwords. However, in the case of Belkin, the default password is calculated solely based on the MAC address of the device. Since the MAC address is broadcast in the beacon frames sent out by the device, a wireless attacker can calculate the default passphrase and then connect to the wireless network. Vulnerable versions include, but are not limited to, Belkin Surf N150 Model F7D1301v1, Belkin N900 Model F9K1104v1, Belkin N450 Model F9K1105V2, and possibly Belkin N300 Model F7D2301v1.
684453e25779c4ae90104f2addefb07264bc19185c67e2fec33fdde7ceba7c7c
GNU Tar and GNU Cpio suffer from a heap-based buffer overflow vulnerability. Tar versions prior to 1.23 and Cpio versions prior to 2.11 are affected.
d24150b634cab2351df08efe4449b09dfe98932abdb966b3ab00c97293fcd9c2