Security News #0x76
- Every now and then you read a piece that just makes you shake your head and go “Hmmmm”. This is one of them. Take your Linux system, and create an empty file, say with the simple name “-l”. What do you think will happen if you run the command ls *? If you thought that, hey, the file “-l” won't be listed, but you will get a long listing of the files in your directory, then you don't need to read the recent blog post at Dicesoft. They actually have a demo of a working attack that exploits this property of bash. I guess now I have another reason to explain to all my students why it is so important to get in the habit of using absolute path names.
```text
root@kali:~/test# touch -- -l
root@kali:~/test# ls
file1  file2  -l  test
root@kali:~/test# ls -al
total 8
drwxr-xr-x  2 root root 4096 Jun 28 10:24 .
drwxr-xr-x 30 root root 4096 Jun 28 10:24 ..
-rw-r--r--  1 root root    0 Jun 28 10:22 file1
-rw-r--r--  1 root root    0 Jun 28 10:22 file2
-rw-r--r--  1 root root    0 Jun 28 10:24 -l
-rw-r--r--  1 root root    0 Jun 28 10:24 test
root@kali:~/test# ls *
-rw-r--r-- 1 root root 0 Jun 28 10:22 file1
-rw-r--r-- 1 root root 0 Jun 28 10:22 file2
-rw-r--r-- 1 root root 0 Jun 28 10:24 test
root@kali:~/test# ls ./*
./file1  ./file2  ./-l  ./test
```
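An added example, not from the original post or the Dicesoft demo: a POSIX sh script that builds a scratch directory containing a file named "-l", measures how many glob-expanded words a getopt-style parser would take as options, and compares the bare `ls *` with the two safe spellings `ls -- *` and `ls ./*`. The function names and the scratch directory are constructed for this example.

```shell
#!/bin/sh
# Added example (not the post's own code): why a file named "-l" changes
# what "ls *" does, and how "--" or "./*" keeps it from being read as an option.
set -eu

# Scratch directory with an option-looking file name (constructed sample).
# Redirection creates the file directly, so no argument parsing is involved.
make_scratch_dir() {
  dir=$(mktemp -d)
  : > "$dir/file1"
  : > "$dir/file2"
  : > "$dir/-l"
  printf '%s\n' "$dir"
}

# Count how many of the given words a getopt-style parser would treat as options.
count_option_like() {
  n=0
  for word in "$@"; do
    case $word in -*) n=$((n + 1)) ;; esac
  done
  printf '%s\n' "$n"
}

# Expand the glob inside "$2" and report how many words look like options:
# "bare" is the plain "*", "anchored" is "./*" (every name starts with "./").
option_like_count() {
  mode=$1; dir=$2
  ( cd "$dir" && case $mode in
      bare)     count_option_like * ;;
      anchored) count_option_like ./* ;;
    esac )
}

# Run ls each way and return the number of lines it printed. On GNU ls the bare
# glob yields 2 (a long listing of file1 and file2, "-l" consumed as an option);
# "ls -- *" and "ls ./*" yield 3 (the file "-l" listed as a name).
ls_line_count() {
  mode=$1; dir=$2
  ( cd "$dir" && case $mode in
      bare)     ls * ;;
      dashdash) ls -- * ;;
      anchored) ls ./* ;;
    esac ) | wc -l | tr -d ' '
}

scratch=$(make_scratch_dir)
printf 'ls *    : %s option-like word(s), %s output line(s)\n' \
  "$(option_like_count bare "$scratch")" "$(ls_line_count bare "$scratch")"
printf 'ls -- * : %s output line(s)\n' "$(ls_line_count dashdash "$scratch")"
printf 'ls ./*  : %s option-like word(s), %s output line(s)\n' \
  "$(option_like_count anchored "$scratch")" "$(ls_line_count anchored "$scratch")"
rm -rf "$scratch"
```

The `--` form depends on the command honoring the end-of-options convention, which most but not all utilities do; the `./*` form works for any command because no expanded word can begin with a dash.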
- While I am talking about some non-traditional attacks, here is another novel attack. The folks at Ars Technica realized that with companies like Xfinity and AT&T offering public wi-fi hotspots, it would be simple to trick a user into connecting to a malicious hotspot by simply impersonating the (standardized) names used by these services. Do yourself a favor: if you are running Windows, navigate through the Control Panel to Network and Internet to Manage Wireless Networks. Make sure you actually trust the networks you have set for automatic connection, and be sure that their names are unlikely to be spoofed.
- If you have ever used the C99.PHP shell, you probably ought to know that it comes with a backdoor to bypass its authentication routines.
- There is a vulnerability in Python when used as a web server. It turns out that, because of a flaw in how path separators are handled, it is possible to read CGI source code or run other CGI programs.
- Eric Gruber over at the NetSPI blog has published a PowerShell script that will show if a program or .dll was compiled with ASLR, DEP and/or SEH enabled.
- The folks at Spider Labs detail an engagement where they were able to reprogram industrial robots as part of their test.
- There is an overflow in how Android manages the KeyStore service. Roee Hay has a nice piece explaining the problem, including the source code for the vulnerable component.
- It looks like there is a long standing vulnerability in a common core compression algorithm (LZO). This algorithm is so commonly used that it may be running on the Mars Rover. And you thought hacking a television was cool...