An off-by-two heap overflow exists in ProFTPD 1.2.7 to 1.2.9rc1 and 1.2.7p to 1.2.9rc1p. The bug can only be exploited if there is a writable directory on the FTP server. This module uses two different techniques to exploit the bug, depending on the glibc version (newer glibc versions use a modified malloc implementation). Once the bug has been exploited, the process regains full root capabilities (chroot can therefore be broken with the appropriate module).
ProFTPD is prone to a remote buffer-overflow vulnerability. This issue is due to an off-by-one error, allowing attackers to corrupt memory. Exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the server application, facilitating the compromise of affected computers. ProFTPD versions prior to 1.3.0a are vulnerable to this issue. The FTP server will remain active after a successful exploitation. Exploitation requires a valid user or anonymous account with a writable directory. If an anonymous account is used, the agent will be in a chrooted environment and a shell can't be executed in this state. The "DisplayFirstChdir .message" option must be present for the user account in the proftpd.conf file (this is the default). After successful exploitation an agent will be deployed. This agent will inherit the user identity and capabilities of the abused service, usually those of the FTP server. However, the euid (as opposed to the uid) of the agent may not be that of the superuser (it is usually "nobody"). By using the setuid module (see the setuid module documentation), the user id can be changed to zero (root), making the upgrade possible.
The DBA Management Server component of EnterpriseDB Postgres Plus Advanced Server does not restrict access to the underlying JBoss JMX Console. This can be abused by remote, unauthenticated attackers to execute arbitrary code on the vulnerable server. This module uploads an arbitrary .WAR application to the target in order to deploy an agent on it. On Windows targets, the deployed agent will run with SYSTEM privileges.
PoPToP PPTP server before 1.1.4-b3 allows remote attackers to execute code via a length field of 0 or 1, which causes a negative value to be fed into a read operation, leading to a buffer overflow.
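The "negative value fed into a read operation" pattern is worth seeing in code. The following is an added illustration, not PoPToP's own source: it is a hypothetical reconstruction of the bug class in which the 2-byte PPTP Length field has already been consumed and the remaining byte count is computed as length - 2 in a signed integer, so Length values of 0 and 1 are exactly the ones that go negative, and read(2) receives that negative value as a huge size_t. The PPTP control-message header layout (16-bit Length, 16-bit Message Type, 32-bit Magic Cookie 0x1A2B3C4D, 16-bit Control Type, 16-bit Reserved) and the 156-byte Start-Control-Connection-Request length come from RFC 2637; the buffer size, function names and sample headers are constructed for the example. The hardened variant bounds the Length field against both the header size and the receive buffer before any arithmetic reaches read().

```c
/* Added example: the negative-length-to-read() pattern beside a bounded check.
 * Hypothetical reconstruction of the bug class described above, not PoPToP code.
 * Header layout and PPTP_MAGIC are from RFC 2637; everything else is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PPTP_MAGIC       0x1A2B3C4Du
#define PPTP_HEADER_LEN  12    /* Length + Type + Magic + CtrlType + Reserved0 (RFC 2637) */
#define CTRL_BUF_SIZE    256   /* hypothetical receive buffer for the control message */

/* Read a big-endian 16-bit field. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable pattern: the 2-byte Length field is already consumed and the
 * "bytes still to read" is computed in a signed int. Length 0 -> -2,
 * Length 1 -> -1; any other value is non-negative. */
int vulnerable_remaining(uint16_t length)
{
    int remaining = (int)length - 2;
    return remaining;
}

/* What read(2) actually receives: the negative int converted to size_t,
 * so -1 becomes SIZE_MAX and the destination buffer is overrun. */
size_t as_read_count(int remaining)
{
    return (size_t)remaining;
}

/* Hardened pattern: reject a Length shorter than a full header or longer than
 * the receive buffer before any arithmetic. Returns bytes to read, or -1. */
int hardened_remaining(uint16_t length, size_t buf_size)
{
    if (length < PPTP_HEADER_LEN || length > buf_size)
        return -1;
    return (int)(length - 2);
}

/* Validate a constructed header: magic cookie plus bounded Length.
 * Returns 1 if the body may be read, 0 if the message is rejected. */
int accept_header(const uint8_t *hdr, size_t buf_size)
{
    uint16_t length = be16(hdr);
    uint32_t magic = ((uint32_t)hdr[4] << 24) | ((uint32_t)hdr[5] << 16) |
                     ((uint32_t)hdr[6] << 8) | (uint32_t)hdr[7];
    if (magic != PPTP_MAGIC)
        return 0;
    return hardened_remaining(length, buf_size) >= 0;
}

/* Build a constructed header with the given Length and a valid magic cookie,
 * then run it through accept_header() with the example buffer size. */
int check_constructed(uint16_t length)
{
    uint8_t hdr[PPTP_HEADER_LEN] = {
        (uint8_t)(length >> 8), (uint8_t)length,   /* Length (big-endian) */
        0x00, 0x01,                                /* Message Type: control */
        0x1A, 0x2B, 0x3C, 0x4D,                    /* Magic Cookie */
        0x00, 0x01,                                /* Control Type: SCCRQ */
        0x00, 0x00                                 /* Reserved0 */
    };
    return accept_header(hdr, CTRL_BUF_SIZE);
}

int main(void)
{
    /* Constructed inputs: the two trigger values and a sane 156-byte SCCRQ. */
    const uint16_t samples[] = { 0, 1, 156 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int vr = vulnerable_remaining(samples[i]);
        printf("Length=%u: vulnerable remaining=%d (read count %zu), hardened %s\n",
               samples[i], vr, as_read_count(vr),
               check_constructed(samples[i]) ? "accepts" : "rejects");
    }
    return 0;
}
```

Note that the hardened check also rejects oversized Length values; a check that only fixes the 0/1 case would leave the upper bound to the receive buffer's goodwill.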
This module exploits a remote command execution vulnerability in the Zope web application server used by Plone, by sending a specially crafted HTTP request to the affected web site. The vulnerability exists because it is possible to remotely invoke the popen2 function from Python's os module with arbitrary arguments in the context of the affected server. This can be exploited by remote unauthenticated attackers to execute arbitrary code on the target machine.
This module exploits the following vulnerability, as described by the CVE database: "The memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, under certain conditions such as when register_globals is enabled, allows remote attackers to execute arbitrary code by triggering a memory_limit abort during execution of the zend_hash_init function and overwriting a HashTable destructor pointer before the initialization of key data structures is complete." However, this exploit does not use the zend_hash_init technique used by other proof-of-concept codes and research papers, and therefore does not depend on a specific PHP configuration. Notably, it does not require register_globals to be turned on (it is off by default) and will work against any Linux machine running Apache (1 or 2) and PHP (from 4.1.0 to 4.3.7). Successful exploitation of this vulnerability is highly dependent on the Apache and PHP versions, configurations, and memory usage. This module will successively run 5 different phases: the first 4 phases determine the parameters needed to trigger the memory_limit in an exploitable manner; the 5th and last phase brute-forces the 3 remaining parameters and finally installs an agent.