
Security News #0x76

  • Every now and then you read a piece that just makes you shake your head and go “Hmmmm”. This is one of them. Take your Linux system and create an empty file with the simple name “-l”. What do you think will happen if you run the command ls *? If you answered that the file “-l” won’t be listed, but you will get a long listing of the other files in your directory, then you don’t need to read the recent blog post at Dicesoft. (It is the shell, not ls, that expands the wildcard, so ls is handed the bare argument -l and parses it as an option like any other.) They actually have a demo of a working attack that exploits this property of shell wildcard expansion. I guess now I have another reason to explain to all my students why it is so important to get in the habit of using absolute path names.
    root@kali:~/test# touch -- -l
    root@kali:~/test# ls 
    file1  file2  -l  test
    root@kali:~/test# ls -al
    total 8
    drwxr-xr-x  2 root root 4096 Jun 28 10:24 .
    drwxr-xr-x 30 root root 4096 Jun 28 10:24 ..
    -rw-r--r--  1 root root    0 Jun 28 10:22 file1
    -rw-r--r--  1 root root    0 Jun 28 10:22 file2
    -rw-r--r--  1 root root    0 Jun 28 10:24 -l
    -rw-r--r--  1 root root    0 Jun 28 10:24 test
    root@kali:~/test# ls *
    -rw-r--r-- 1 root root 0 Jun 28 10:22 file1
    -rw-r--r-- 1 root root 0 Jun 28 10:22 file2
    -rw-r--r-- 1 root root 0 Jun 28 10:24 test
    root@kali:~/test# ls ./*
    ./file1  ./file2  ./-l  ./test

    Mind you, this is not an absolute solution to this problem, only a good habit. It works because every name the shell expands now begins with ./, so no argument can start with a dash; for commands that honor the POSIX end-of-options marker, ls -- * closes the same hole, but not every program understands --. The corresponding Reddit page is well worth a look, as is a piece by Leon Juranic.

  • While I am talking about some non-traditional attacks, here is another novel one. The folks at Ars Technica realized that with companies like Xfinity and AT&T offering public Wi-Fi hotspots, it would be simple to trick a user into connecting to a malicious hotspot by broadcasting the same well-known network names those services use: an open hotspot has nothing to authenticate it beyond its name, so a client set to connect automatically will join whoever broadcasts that name. Do yourself a favor: if you are running Windows, navigate through the Control Panel to Network and Internet to Manage Wireless Networks. Make sure you actually trust the networks you have set for automatic connection, and remember that for an open network the name is the only thing your machine checks before joining.
  • If you have ever used the C99.PHP shell, you probably ought to know that it comes with a backdoor that bypasses its own authentication routines.
  • There is a vulnerability in Python’s standard-library CGI HTTP server. Because of a flaw in how it handles path separators, a remote client can read the source code of CGI scripts or run CGI programs that should not be reachable.
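The wildcard item at the top of this post, as an added example that is not from the post or from the Dicesoft demo: a POSIX sh script that builds a scratch directory containing the same constructed file names as the transcript (file1, file2, test and a file literally named -l), runs the unsafe ls * against it, and then runs three listings that a dash-prefixed file name cannot hijack. The helper names (make_demo_dir, list_unsafe, list_dashdash, list_dotslash, list_find, mentions_dash_l, count_entries) are this example’s own.

```shell
#!/bin/sh
# Added example, not part of the original post or the Dicesoft demo.
# Reproduces the "-l" wildcard trick and shows three listings that cannot
# be hijacked by a file whose name starts with "-".
# Needs only POSIX sh plus ls, touch, find, grep, wc, tr and mktemp.

# Create a scratch directory holding the constructed sample files from the
# transcript: file1, file2, test and a file whose name is literally "-l".
# Prints the directory path.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    # "--" ends option parsing for touch; without it touch would treat
    # "-l" as a flag, which is exactly the problem under discussion.
    touch -- "$d/file1" "$d/file2" "$d/test" "$d/-l"
    printf '%s\n' "$d"
}

# Unsafe: the shell expands * to the bare names, so ls is invoked as
#   ls -l file1 file2 test   (ordering depends on locale collation)
# and "-l" is consumed as the long-listing option instead of being listed.
list_unsafe() {
    ls *
}

# Safe 1: "--" tells ls that every following argument is an operand.
# Works for any command that honours the POSIX end-of-options marker.
list_dashdash() {
    ls -- *
}

# Safe 2: anchoring the glob with ./ makes every expansion begin with "./",
# so no argument can look like an option, even to commands without "--".
list_dotslash() {
    ls ./*
}

# Safe 3: let find enumerate the directory, bypassing shell wildcard
# expansion entirely. "! -name . -prune" keeps find from descending, so
# this shows exactly one level, like ls would.
list_find() {
    find . ! -name . -prune
}

# Run one of the listing functions inside the given directory. The subshell
# keeps the caller's working directory untouched.
run_in() {
    ( cd "$2" && "$1" )
}

# Does a listing show an entry for the "-l" file? Prints "yes" when some
# output line is exactly "-l" or "./-l", otherwise "no".
mentions_dash_l() {
    if run_in "$1" "$2" | grep -qxF -e '-l' -e './-l'; then
        echo yes
    else
        echo no
    fi
}

# Count the lines a listing produced. With "-l" swallowed as an option the
# unsafe listing reports three files; each safe listing reports four.
count_entries() {
    run_in "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone demonstration: build the directory, show all four listings
# with their entry counts, then remove the directory.
demo() {
    dir=$(make_demo_dir)
    for fn in list_unsafe list_dashdash list_dotslash list_find; do
        printf '== %s (%s entries, shows -l: %s) ==\n' "$fn" \
            "$(count_entries "$fn" "$dir")" "$(mentions_dash_l "$fn" "$dir")"
        run_in "$fn" "$dir"
    done
    # The same habit applies to the cleanup: never let a glob or variable
    # reach rm without "--" in front of it.
    rm -rf -- "$dir"
}

demo
```

Run it with sh and compare the unsafe block against the three safe ones: only the first prints long-format lines and only three of them, because the fourth operand became the option. Of the three fixes, ./* is the most portable since it needs no cooperation from the command; -- is cleaner when the command is known to support it, and find is the right tool when the file set should never pass through the shell at all.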
Learning More
  • Eric Gruber over at the NetSPI blog has published a PowerShell script that reports whether a program or .dll was compiled with ASLR, DEP and/or SafeSEH (the first two are DllCharacteristics flags in the PE optional header; SafeSEH is recorded in the load configuration directory), which is a quick way to triage a vendor binary before you spend time on it.
  • The folks at SpiderLabs detail an engagement in which they were able to reprogram industrial robots as part of their test.
Industry News
  • There is a stack buffer overflow in Android’s KeyStore service. Roee Hay has a nice piece explaining the problem, including the source code for the vulnerable component.
General Silliness