[ andreas dot strodl dot org ]

Research Papers
Misc
  • Linux/Apache Sandbox implements a virtual filesystem module, a character device and an Apache module to improve security for virtual hosting environments
  • RTSP server implements a tiny streaming server (using dvblast) with token authentication
  • OpenMCT is a custom firmware for MCT (Magic Control Technology) based NAS (Network Attached Storage) or SA (Server Appliance)
GSM Security
  • GSM A51 Cracker parses encrypted GSM frames, applies the specified plaintext and tries to crack them via kraken
  • TMSI MSISDN mapper identifies MSISDN using paging requests to TMSI
  • IMSI detach adds IMSI detach feature to OsmocomBB
  • KC reader reads last KC from SIM (smartcard interface)
Tools
  • inetdfun ICMP based backdoor for inetd
  • openbsdacl adds acl network support for OpenBSD 3.1 to control bind or connect (incl. IP addresses)
  • openbsdpriv a set of patches for some OpenBSD 2.8 base tools to increase privacy
  • linksys_mod converts binary linksys configuration to plaintext files (and vice versa)
  • zebrahead a tiny dns server to generate custom crafted dns replies
  • Squid Tunnel Kit a proxy forwarder with authentication
Patches
Advisories
  • VSA0402_openftpd.txt OpenFTP is a free open-source FTP daemon that offers a lot of features (ratio, bandwidth limits, IP address restrictions). The daemon has a format string bug in its internal message system
  • VSA0309_solarisldap.txt Solaris uses a LDAP Library for NSS requests. The library contains a buffer overflow in the hostname resolving routine
  • VSA0306_yabbse.txt YaBB SE SQL Injection Bugs
Exploits
  • remote exim <= 4.69 The string_vformat() function in string.c in exim <= 4.69 allows remote attackers to cause a denial of service or execute arbitrary code via a crafted header.
  • remote squid <= 3.0.STABLE25, <= 3.1.7, <= 3.2.0.1 The string-comparison functions in String.cci in Squid 3.x before 3.1.8 and 3.2.x before 3.2.0.2 allow remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request.
  • remote tomcat <= 7.0.0, <= 6.0.27, <= 5.5.29 Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with "recycling of a buffer".
  • remote samba root <= 3.3.12, <= 3.2.15, <= 3.0.37 Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet.
  • remote openssl (0.9.8m, 0.9.8f - 0.9.8n) The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f through 0.9.8m allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection that triggers a NULL pointer dereference, related to the minor version number.
  • local linux kernel root exploit (udp_sendmsg) The udp_sendmsg function in the UDP implementation in (1) net/ipv4/udp.c and (2) net/ipv6/udp.c in the Linux kernel before 2.6.19 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving the MSG_MORE flag and a UDP socket.
  • remote/local nginx exploit (< 0.5.37, < 0.6.39, < 0.7.62, < 0.8.15) Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0.5.37, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.15 allows remote attackers to execute arbitrary code via crafted HTTP requests.
  • remote apache2 (<2.2.12) mod_proxy_http dos The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value.
  • remote snoop buffer overflow root exploit Multiple stack-based buffer overflows in snoop on Sun Solaris 8 through 10 and OpenSolaris before snv_96, when the -o option is omitted, allow remote attackers to execute arbitrary code via a crafted SMB packet.
  • local solaris root < 5.10 138888-01 tun in IP Tunnel in Solaris 10 and OpenSolaris snv_01 through snv_76 allows local users to cause a denial of service (panic) and possibly execute arbitrary code via a crafted SIOCGTUNPARAM IOCTL request, which triggers a NULL pointer dereference
  • remote lighttpd <= 1.4.17 header overflow exploit Buffer overflow in the fcgi_env_add function in mod_proxy_backend_fastcgi.c in the mod_fastcgi extension in lighttpd before 1.4.18 allows remote attackers to overwrite arbitrary CGI variables and execute arbitrary code via an HTTP request with a long exploits length, as demonstrated by overwriting the SCRIPT_FILENAME variable, aka a "header overflow."
  • local php <= 5.1.4, 4.4.3 exploit scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read.
  • remote openftpd <= 0.30.2 format string exploit Format string vulnerability in the msg command (cat_message function in msg.c) in OpenFTPD 0.30.2 and earlier allows remote authenticated users to execute arbitrary code via format string specifiers in the message argument.
  • local solaris ldap library buffer overflow root exploit Buffer overflow in the nss_ldap.so.1 library for Sun Solaris 8 and 9 may allow local users to gain root access via a long hostname in an LDAP lookup.
  • remote mysql <= 3.23.53a privilege escalation exploit The COM_CHANGE_USER command in MySQL 3.x before 3.23.54, and 4.x before 4.0.6, allows remote attackers to gain privileges via a brute force attack using a one-character password, which causes MySQL to only compare the provided password against the first character of the real password.
  • remote cups <= 1.1.17 integer overflow exploit Multiple integer overflows in Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allow remote attackers to execute arbitrary code via (1) the CUPSd HTTP interface, as demonstrated by vanilla-coke, and (2) the image handling code in CUPS filters, as demonstrated by mksun.
  • remote heartbeat <= 0.4.9.1 buffer overflow exploit Multiple format string vulnerabilities in heartbeat 0.4.9 and earlier (claimed as buffer overflows in some sources) allow remote attackers to execute arbitrary code via certain packets to UDP port 694 (incorrectly claimed as TCP in some sources).
  • remote isc dhcpd 3.0 format string exploit Format string vulnerabilities in the logging routines for dynamic DNS code (print.c) of ISC DHCP daemon (DHCPD) 3 to 3.0.1rc8, with the NSUPDATE option enabled, allow remote malicious DNS servers to execute arbitrary code via format strings in a DNS server response.
  • local scotty/ntping <= 2.1.10 root exploit Buffer overflow in ntping in scotty 2.1.0 allows local users to execute arbitrary code via a long hostname as a command line argument.
  • local restore <= 0.4b17 root exploit 
  • local kdesud 0.97 buffer overflow root exploit Buffer overflow in KDE kdesud on Linux allows local users to gain privileges via a long DISPLAY environment variable.