Displaying 20 results from an estimated 38 matches for "lcamtuf".
1998 Feb 05
0
vixie cron 3.0.1 continued
...cron is wider (and funnier) than I expected.
Here's my proggy which allows hiding files of any kind and size in
crontab entries (remember, quota is ignored ;-):
-- cron_put --
#!/bin/bash
echo "Vixie cron 3.0.1 file storage - put utility"
echo "by Michal Zalewski <lcamtuf@staszic.waw.pl>"
echo
if [ "$1" = "" ]; then
echo "usage: $0 file_to_hide"
echo
exit 0
fi
if [ ! "`ulimit`" = "unlimited" ]; then
echo Warning, filesize limit is set to `ulimit`.
echo
fi
echo Installing fake crontab...
echo
echo "* * *...
2000 Oct 02
0
(from BugTraq) openssh2.2.p1 - Re: scp file transfer hole
...t directory. Also, file modes
> are not verified, so suid files can be placed on the remote system (but that's
> not the point; even without it, a remote attack, e.g. on .ssh/authorized_keys,
> is possible).
>
> _______________________________________________________
> Michal Zalewski [lcamtuf at tpi.pl] [tp.internet/security]
> [http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
> =-----=> God is real, unless declared integer. <=-----=
>
>
--------------------------------------------------------------------------------
Marti...
1998 Mar 14
1
Vulnerable shell scripts
...hing >$TMPFILE
is not sufficient and may be extremely harmful!!! You should at least use
mktemp to create temporary files, and/or avoid creating anything
in /tmp directly.
_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
To iterate is human, to recurse divine [P. Deutsch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
2003 Sep 17
0
Fwd: [Full-Disclosure] Sendmail 8.12.9 prescan bug (a new one) [CAN-2003-0694]
More patch-o-rama :-(
---Mike
>From: Michal Zalewski <lcamtuf@dione.ids.pl>
>To: bugtraq@securityfocus.com, <vulnwatch@securityfocus.com>,
> <full-disclosure@netsys.com>
>X-Nmymbofr: Nir Orb Buk
>Subject: [Full-Disclosure] Sendmail 8.12.9 prescan bug (a new one)
>[CAN-2003-0694]
>Sender: full-disclosure-admin@lists.netsys....
1999 Nov 10
0
Re: undocumented bugs - nfsd
On Tue, Nov 09, 1999 at 11:39:39AM +0100, Mariusz Marcinkiewicz wrote:
> After reading lcamtuf's posts I decided to write this one. A few months ago one
> of my friends - digit - found a bug in the Linux nfsd daemon. I made an example
> sploit about IV 1999. Now there is a new nfsd in distributions and nowhere was there
> any information about the security weakness of the old version!
Well, one gets used to people pos...
2018 Sep 20
4
Bias in R's random integers?
...d
> be fixed.
I find this discussion fascinating. I normally test random numbers in
different languages every now and again using various methods. One simple
check that I do is to use Michal Zalewski's method when he studied Strange
Attractors and Initial TCP/IP Sequence Numbers:
http://lcamtuf.coredump.cx/newtcp/
https://pdfs.semanticscholar.org/adb7/069984e3fa48505cd5081ec118ccb95529a3.pdf
The technique works by mapping the dynamics of the generated numbers into a
three-dimensional phase space. This is then plotted in a graph so that you
can visually see if something odd is going on...
2014 Oct 30
4
Re: [libhivex] Undefined behavior when accessing invalid (too small) registry hives
On Oct 29, 2014, at 3:39 PM, Richard W.M. Jones <rjones@redhat.com> wrote:
>
>> Or is it expected that certain sanity checks would be performed prior to
>> passing along any files to libhivex? What would those checks be?
>
> No, hivex should definitely have those checks.
>
> I'll have a proper look at this in the morning.
>
> Thanks,
>
> Rich.
1999 Feb 22
0
Forw: RedHat sysklogd vulnerability
...ject: RedHat sysklogd vulnerability
To: BUGTRAQ@NETSPACE.ORG
Reply-to: Cory Visi <visi@CMU.EDU>
I'd like to apologize for being so late with this e-mail as I have known
about this problem for months. The vulnerability was discussed in a Thu, 10
Sep 1998 BugTraq e-mail by Michal Zalewski (lcamtuf@IDS.PL). I replied to it
with a quick patch. Here are some lines from my e-mail:
> I'm not completely happy with this, as it modifies the reference parameter,
> ptr, but it will solve the problem. However, later on:
>
> ExpandKadds(line, eline)
>
> Where eline is the same siz...
2014 Sep 26
1
Is dovecot vulnerable to the shellshock/CVE-2014-6271 exploit?
I'm right now handling this beach-ball sized grenade, and trying to
figure out which of our services need to be locked down right away.
Since dovecot passes values via environment variables based on
user input (e.g. username, password, mailbox?) to auxiliary
executables (including possibly bash shell scripts), is dovecot
vulnerable to this exploit?
(This is not a fault of dovecot, but
2014 Nov 11
0
Re: [libhivex] Undefined behavior when accessing invalid (too small) registry hives
> On Nov 11, 2014, at 1:57 AM, Richard W.M. Jones <rjones@redhat.com> wrote:
>
> Yes I was also meaning to do that after reading lcamtuf's postings.
Yup. That's the one.
> I just started a run now .. Will let it run for a few days and report
> any issues on the list.
Thank you. Do you mind running it under valgrind to catch out-of-bound reads?
Mahmoud
2015 Mar 17
0
[ANNOUNCE] X.Org Security Advisory: More BDF file parsing issues in libXfont
...smith of Oracle, and
William Robinet of Conostix for reporting these issues to our security team
and helping evaluate and test the fixes; and thanks Michal Zalewski and the
American Fuzzy Lop community for providing their fuzz testing tool as an open
source project we can all benefit from at http://lcamtuf.coredump.cx/afl/ .
--
-Alan Coopersmith- alan.coopersmith at oracle.com
X.Org Security Response Team - xorg-security at lists.x.org
2017 Mar 17
2
[Bug 1131] New: iptables-restore crashes on some fuzzed input
...ion fault (core dumped)
$ cat << EOF > crash2
*filter
-A INPUT -ftf -j ACCEPT
COMMIT
EOF
$ ./xtables-multi iptables-restore -t < crash2
*** Error in `./xtables-multi': free(): invalid pointer: 0x00000000006ab673 ***
Aborted (core dumped)
Issue has been discovered with AFL (http://lcamtuf.coredump.cx/afl/).
2014 Dec 11
2
Two new CVEs against FLAC
...g.
Janne Hyvärinen reported a problem with seeking as a result of the
fix for CVE-2014-9028. This is a different solution to the issue
that should not adversely affect seeking.
This version of the fix for the above CVE has been extensively fuzz
tested using afl (http://lcamtuf.coredump.cx/afl/).
Cheers,
Erik
--
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/
1998 Feb 20
0
"not-so-dangerous symlink bugs" - a better look
...k bug'. Almost
any symlink-vulnerable program which stores any data (even PIDs)
in its temporary files may be exploited in that way (e.g. the not
so easy to fix gzexe problem).
_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
To iterate is human, to recurse divine [P. Deutsch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
2018 Sep 21
0
Bias in R's random integers?
...nd this discussion fascinating. I normally test random numbers in
> different languages every now and again using various methods. One simple
> check that I do is to use Michal Zalewski's method when he studied Strange
> Attractors and Initial TCP/IP Sequence Numbers:
>
> http://lcamtuf.coredump.cx/newtcp/
> https://pdfs.semanticscholar.org/adb7/069984e3fa48505cd5081ec118ccb95529a3.pdf
>
> The technique works by mapping the dynamics of the generated numbers into a
> three-dimensional phase space. This is then plotted in a graph so that you
> can visually see...
2001 Jul 10
0
FreeBSD Ports Security Advisory FreeBSD-SA-01:45.samba
...=============
FreeBSD-SA-01:45 Security Advisory
FreeBSD, Inc.
Topic: samba
Category: ports
Module: samba
Announced: 2001-07-10
Credits: Michal Zalewski <lcamtuf@bos.bindview.com>
Affects: Ports collection prior to the correction date.
Corrected: 2001-06-23
Vendor status: Updated version released
FreeBSD only: NO
I. Background
Samba is an implementation of the Server Message Block (SMB)
protocol.
II. Problem Description
The samba po...
2014 Dec 09
5
Two new CVEs against FLAC
On 25.11.2014 12:14, Miroslav Lichvar wrote:
> I think the case with non-zero partition order may need to be fixed
> too. For example, with partition order of 1, predictor order of 16 and
> blocksize of 4, the function would return true and blocksize-order in
> the caller would still underflow.
>
> --- a/src/libFLAC/stream_decoder.c
> +++ b/src/libFLAC/stream_decoder.c
> @@
2003 Sep 17
0
FreeBSD Security Advisory FreeBSD-SA-03:13.sendmail
...Security Advisory
The FreeBSD Project
Topic: a third sendmail header parsing buffer overflow
Category: contrib
Module: contrib_sendmail
Announced: 2003-09-17
Credits: Michal Zalewski <lcamtuf@dione.ids.pl>
Todd C. Miller <Todd.Miller@courtesan.com>
Affects: All releases of FreeBSD
FreeBSD 4-STABLE prior to the correction date
Corrected: 2003-09-17 15:18:20 UTC (RELENG_4, 4.9-PRERELEASE)
2003-09-17 20:19:00 UTC (RELENG_...
2001 Oct 13
2
Samba 2.2.2 released
...-----------------------------------------
The release notes for 2.2.0a follow :
SECURITY FIX
============
This is a security bugfix release for Samba 2.2.0. This release provides the
following two changes *ONLY* from the 2.2.0 release.
1). Fix for the security hole discovered by Michal Zalewski (lcamtuf@bos.bindview.com)
and described in the security advisory below.
2). Fix for the hosts allow/hosts deny parameters not being honoured.
No other changes are being made for this release to ensure a security fix only.
For new functionality (including these security fixes) download Samba 2.2.1
when...