Hi @ll,Mozilla's (executable) full setup packages for Windows allow arbitrarycode execution resp. escalation of privilege: their SETUP.EXE loadsSHFOLDER.DLL ['] from a temporary (sub)directory "%TEMP%\7zS<hex>.tmp\"created during self-extraction of the full setup packages.This vulnerability is well-known, every developer past absolute beginnershould know about it: <https://capec.mitre.org/data/definitions/471.html>See <https://bugzilla.mozilla.org/show_bug.cgi?id=792106> for all thetrouble Mozilla's developers went through to fix this vulnerability inthe 7zip self-extractor.See <https://bugzilla.mozilla.org/show_bug.cgi?id=961676> for thisvulnerability in their maintenance_installer.exe.Proof of concept:~~~~~~~~~~~~~~~~~1. fetch any Mozilla full setup package (these are self-extracting archives built with 7zip), for example "Firefox Setup 38.3.0esr.exe" from <https://www.mozilla.org/en-US/firefox/organizations/all/>2. extract this full setup package into an arbitrary directory, for example "%TEMP%\7zSxyz.tmp", using (again for example) 7za.exe x -o"%TEMP%\7zSxyz.tmp" "Firefox Setup 38.3.0esr.exe"3. fetch <http://home.arcor.de/skanthak/download/SENTINEL.DLL> (see <http://home.arcor.de/skanthak/sentinel.html>) and save it as "%TEMP%\7zSxyz.tmp\shfolder.
dll"4. start "%TEMP%\7zSxyz.tmp\setup.exe" per double-click: the installer detection of Windows user account control (see <https://technet.microsoft.com/en-us/library/dd835540.aspx#BKMK_InstDet>) will chime in and prompt for consent resp. for an administrator password, then "%TEMP%\7zSxyz.tmp\setup.exe" loads "%TEMP%\7zSxyz.tmp\shfolder.dll" which displays a message box
- ------------------------------------------------------------
-------------Debian Security Advisory DSA-3382-1 security@debian.orghttps://www.debian.org/security/ Thijs KinkhorstOctober 28, 2015 https://www.debian.org/security/faq- -------------------------------------------------------------------------Package : phpmyadminCVE ID : CVE-2014-8958 CVE-2014-9218 CVE-2015-2206 CVE-2015-3902 CVE-2015-3903 CVE-2015-6830 CVE-2015-7873Debian Bug : 774194Several issues have been fixed in phpMyAdmin, the web administrationtool for MySQL.CVE-2014-8958 (Wheezy only) Multiple cross-site scripting (XSS) vulnerabilities.CVE-2014-9218 (Wheezy only) Denial of service (resource consumption) via a long password.CVE-2015-2206 Risk of BREACH attack due to reflected parameter.CVE-2015-3902 XSRF/CSRF vulnerability in phpMyAdmin setup.CVE-2015-3903 (Jessie only) Vulnerability allowing man-in-the-middle attack on API call to GitHub.CVE-2015-6830 (Jessie only) Vulnerability that allows bypassing the reCaptcha test.CVE-2015-7873 (Jessie only) Content spoofing vulnerability when redirecting user to an external site.For the oldstable distribution (wheezy), these problems have been fixedin version 4:3.4.11.1-2+deb7u2.For the stable distribution (jessie), these problems have been fixed inversion 4:4.2.12-2+deb8u1.For the unstable distribution (sid), these problems have been fixed inversion 4:4.5.1-1.We recommend that you upgrade your phpmyadmin packages.Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/
Vulnerability title: Privilege Escalation Via Symlink Attacks On POSIX Shared Memory With Insecure Permissions In AMD fglrx-driverCVE: CVE-2015-7724Vendor: AMDProduct: fglrx-driverAffected version: 15.7Fixed version: 15.9Reported by: Tim BrownDetails:In the process of validating the fix for CVE-2015-7723, it has been identified that the userland portion of the fglrx-driver utilised by Xorg still allows privilege escalation via symlink attacks on POSIX shared memory with insecure permissions.As with the original vulnerability, with a Linux kernel where fs.protected_symlinks is not set to 1, or where this feature is not available, the following code (present in shared libraries distributed as part of fglrx-driver) calls shm_open() with insecure flags specified which allows the Linux kernel to follow an existent symlink under /dev/shm:mov $0x1b6,%edx ; $edx (mode) = 0666mov $0x42,%esi ; $esi (oflag) = O_CREAT | O_RDWR - missing O_EXCLmov %r13,%rdicallq 208b68 <shm_open@plt>The same call to shm_open() requests that the permissions of newly created file are 0666 and as a result, an arbitrary file, owned by root, with permissions of 0666 can be created anywhere on the filesystemFurthermore, the code then proceeds to force the permissions on the resultant file to 0666 using fchmod(). This can be useful if the symlink target already exists:mov $0x1b6,%esi ; $esi (mode) = 0666mov %eax,%edicallq 209058 <fchmod@plt>Further details at:https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-7724/Copyright:Copyright (c) Portcullis Computer Security Limited 2015, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.Disclaimer:The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.############################################################
###This email originates from the systems of PortcullisComputer Security Limited, a Private limited company,registered in England in accordance with the CompaniesAct under number 02763799. The registered officeaddress of Portcullis Computer Security Limited is:Portcullis House, 2 Century Court, Tolpits Lane, Watford,United Kingdom, WD18 9RS.The information in this email is confidential and may belegally privileged. It is intended solely for the addressee.Any opinions expressed are those of the individual anddo not represent the opinion of the organisation. Accessto this email by persons other than the intended recipientis strictly prohibited.If you are not the intended recipient, any disclosure,copying, distribution or other action taken or omitted to betaken in reliance on it, is prohibited and may be unlawful.When addressed to our clients any opinions or advicecontained in this email is subject to the terms andconditions expressed in the applicable Portcullis ComputerSecurity Limited terms of business.####################################################################################################################################################This e-mail message has been scanned for Viruses and Content and clearedby MailMarshal.#####################################################################################
