Seclists reply parse

Example: http://seclists.org/fulldisclosure/2017/Jan/0

With each reply, we'll attempt to parse out the following:

  • raw reply text, without html tags
    • the reply text with any signatures stripped out
  • an analysis of what html tags are in the message
  • a listing of which domains are referenced in links in the message

In [1]:
import re
import requests

from bs4 import BeautifulSoup

We'll gather the contents of a single message. 2017_Jan_0 is one that includes a personal signature, as well as the standard Full Disclosure footer.

2017_Jan_45 is a message that includes a PGP signature.


In [30]:
year = '2005'
month = 'Jan'
id = '0'
url = 'http://seclists.org/fulldisclosure/' + year + '/' + month + '/' + id

r = requests.get(url)
content = r.text
from IPython.display import Pretty
Pretty(content)


Out[30]:
<!-- MHonArc v2.6.19 -->
<!--X-Head-End-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
                      "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<link rel="alternate" type="application/rss+xml" title="RSS" href="http://seclists.org/rss/fulldisclosure.rss">
<title>Full Disclosure: Re: /bin/rm file access vulnerability</title>
<meta property="og:image" content="http://seclists.org/images/fulldisclosure-img.png" />
<link rel="image_src" href="http://seclists.org/images/fulldisclosure-img.png" />
<meta name="Subject" content="Re: /bin/rm file access vulnerability"/>
<meta name="Author" content="bkfsec"/>
<link REL="SHORTCUT ICON" HREF="/shared/images/tiny-eyeicon.png" TYPE="image/png">
<META NAME="ROBOTS" CONTENT="NOARCHIVE">
<meta name="theme-color" content="#2A0D45">
<link rel="stylesheet" href="/shared/css/insecdb.css" type="text/css">
<!--Google Analytics Code-->
<script type="text/javascript">
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','//www.google-analytics.com/analytics.js','ga');

  ga('create', 'UA-11009417-1', 'auto');
  ga('send', 'pageview');

</script>
<!--END Google Analytics Code-->

<!--Google Custom Site Search boilerplate Javascript-->
<script type="text/javascript">
  (function() {
    var cx = 'partner-pub-0078565546631069:bx60rb-fytx';
    var gcse = document.createElement('script'); gcse.type = 'text/javascript'; gcse.async = true;
    gcse.src = (document.location.protocol == 'https:' ? 'https:' : 'http:') +
        '//www.google.com/cse/cse.js?cx=' + cx;
    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(gcse, s);
  })();
</script>
<!--End Google Custom Site Search boilerplate Javascript-->

</HEAD>
<BODY BGCOLOR="#2A0D45" TEXT="#000000">

<TABLE CELLPADDING="0" WIDTH="100%" CELLSPACING="0">
<TR><TD ALIGN="left"><A HREF="/"><IMG BORDER=0 ALT="Home page logo"
SRC="/images/sitelogo.png" HEIGHT=90 WIDTH=168></A></TD>
<TD VALIGN="bottom" ALIGN="right">
<!-- Begin TopBanner Code -->
<!-- AdSpeed.com Serving Code 7.9.6 for [Zone] TopBanner [Any Dimension] -->
<script type="text/javascript" src="//g.adspeed.net/ad.php?do=js&amp;zid=14678&amp;wd=-1&amp;ht=-1&amp;target=_blank"></script>
<!-- AdSpeed.com End -->
<!-- End Banner Code -->

</TD></TR></TABLE>
<TABLE WIDTH="100%" CELLPADDING="0" CELLSPACING="0"><TR>
<TD ALIGN="left" WIDTH="130" VALIGN="top" class="sidebar">

<!-- SECWIKI PORTAL INSERT -->

<ul>
<li><a href="//nmap.org/">Nmap Security Scanner</a>
<ul>
<li><a href="//nmap.org/">Intro</a></li>
<li><a href="//nmap.org/book/man.html">Ref Guide</a></li>
<li><a href="//nmap.org/book/install.html">Install Guide</a></li>
<li><a href="https://nmap.org/download.html">Download</a></li>
<li><a href="//nmap.org/changelog.html">Changelog</a></li>
<li><a href="//nmap.org/book/">Book</a></li>
<li><a href="//nmap.org/docs.html">Docs</a></li>
</ul>
<li><a href="http://seclists.org/">Security Lists</a>
<ul>
<li><a href="http://seclists.org/nmap-announce/">Nmap Announce</a></li>
<li><a href="http://seclists.org/nmap-dev/">Nmap Dev</a></li>
<li><a href="http://seclists.org/bugtraq/">Bugtraq</a></li>
<li><a href="http://seclists.org/fulldisclosure/">Full Disclosure</a></li>
<li><a href="http://seclists.org/pen-test/">Pen Test</a></li>
<li><a href="http://seclists.org/basics/">Basics</a></li>
<li><a href="http://seclists.org/">More</a></li>
</ul>
<li><a href="http://sectools.org">Security Tools</a>
<ul>
<li><a href="http://sectools.org/tag/pass-audit/">Password audit</a></li>
<li><a href="http://sectools.org/tag/sniffers/">Sniffers</a></li>
<li><a href="http://sectools.org/tag/vuln-scanners/">Vuln scanners</a></li>
<li><a href="http://sectools.org/tag/web-scanners/">Web scanners</a></li>
<li><a href="http://sectools.org/tag/wireless/">Wireless</a></li>
<li><a href="http://sectools.org/tag/sploits/">Exploitation</a></li>
<li><a href="http://sectools.org/tag/packet-crafters/">Packet crafters</a></li>
<li><a href="http://sectools.org/">More</a></li>
</ul>
<li><a href="http://insecure.org/">Site News</a></li>
<li><a href="http://insecure.org/advertising.html">Advertising</a></li>
<li><a href="http://insecure.org/fyodor/">About/Contact</a></li>
<li>
<!-- SiteSearch Google -->
<form action="https://nmap.org/search.html" id="cse-search-box-sidebar">
  <div>
    <input type="hidden" name="cx" value="partner-pub-0078565546631069:bx60rb-fytx">
    <input type="hidden" name="cof" value="FORID:9">
    <input type="hidden" name="ie" value="ISO-8859-1">
    <input type="text" name="q" size="16">
    <input type="submit" name="sa" value="Site Search">
  </div>
</form>
<!-- End SiteSearch Google -->
</li>
<!-- These can come back if I ever update them ...
<li><a href="http://insecure.org/links.html">Exceptional Links</a></li>
<li><a href="http://insecure.org/reading.html">Good Reading</a></li>
<li><a href="http://insecure.org/sploits.html">Exploit World</a></li>
-->
<li><a href="http://insecure.org/advertising.html">Sponsors:</a>
  <br><br>
  
<!-- Begin Sidebar Banner Code -->
<A HREF="http://www.acunetix.com/web-vulnerability-manager/?utm_source=insecure&utm_medium=box&utm_term=chess&utm_campaign=insecure "><IMG SRC="/shared/images/Acunetix/acx_Chess-WB.gif" BORDER=0 ALT="Acunetix"></A>
<!-- End Sidebar Banner Code -->

<BR><BR>

<!-- Begin Bottom (Google) Sidebar Banner Code -->
<script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
<!-- SidebarSkyScraper -->
<ins class="adsbygoogle"
     style="display:inline-block;width:120px;height:600px"
     data-ad-client="ca-pub-0078565546631069"
     data-ad-slot="9829251079"></ins>
<script>
(adsbygoogle = window.adsbygoogle || []).push({});
</script>
<!-- End Bottom (Google) Sidebar Banner Code -->

</li>
</ul>

</TD>
<TD BGCOLOR="#FFFFFF" VALIGN="top" ALIGN="left"><IMG
SRC="/shared/images/topleftcurve.gif" alt="/"><TABLE CELLPADDING="4" WIDTH="100%" style="table-layout: fixed;"><TR><TD BGCOLOR="#FFFFFF">

<!--X-Body-Begin-->
<!--X-User-Header-->
<p>
<A HREF="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" border="0" width="80" style="vertical-align: middle" alt="fulldisclosure logo"></A>
<FONT SIZE="+1"><a href="http://seclists.org/fulldisclosure/">Full Disclosure</a>
mailing list archives</FONT><br>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<!-- Google Custom SiteSearch -->
<form action="http://insecure.org/search.html" id="top-search-box">
<a href=""><img src="/images/left-icon-16x16.png" border=0 width=16 height=16></a>&nbsp;&nbsp;<a href="date.html#0">By Date</a>&nbsp;&nbsp;<a href="1"><img src="/images/right-icon-16x16.png" border=0 width=16 height=16></a>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<a href=""><img src="/images/left-icon-16x16.png" border=0 width=16 height=16></a>&nbsp;&nbsp;<a href="index.html#0">By Thread</a>&nbsp;&nbsp;<a href="195"><img src="/images/right-icon-16x16.png" border=0 width=16 height=16></a>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <input type="hidden" name="cx" value="partner-pub-0078565546631069:bx60rb-fytx" />
    <input type="hidden" name="cof" value="FORID:9" />
    <input type="hidden" name="ie" value="ISO-8859-1" />
    <input type="text" name="q" size="24" />
    <input type="submit" name="sa" value="Search" />
</form>
<script type="text/javascript" src="http://www.google.com/coop/cse/brand?form=top-search-box&amp;lang=en"></script>
<!-- End Google Custom SiteSearch -->
</p>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<font size="+2"><b>Re: /bin/rm file access vulnerability</b></font>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: bkfsec &lt;bkfsec () sdf lonestar org&gt;<br>

<em>Date</em>: Thu, 30 Dec 2004 16:17:29 -0500<br>

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">
Yeah, I think that someone mistook the new year for April 1st.

</pre><tt>Seriously, we seem to be getting more crap like this.  Are people just 
</tt><tt>bored? 
</tt><tt>
</tt><pre style="margin: 0em;">
            -Barry



Jörg Eschke wrote:

</pre><blockquote style="border-left: #5555EE solid 0.2em; margin: 0em; padding-left: 0.85em"><pre style="margin: 0em;">
Sure, a user with admin rights is able to access/delete every local
file, regardless of the specific filepermissions.
Your &apos;exploit&apos; will work with e.g. /bin/cat as well.
But i can&apos;t see a vulnerability anyway.

Am i missunderstanding something ?

Am Do, den 30.12.2004 schrieb Lennart Hansen um 2:18:
</pre><tt> 
</tt><tt>
</tt><blockquote style="border-left: #5555EE solid 0.2em; margin: 0em; padding-left: 0.85em"><pre style="margin: 0em;">
/bin/rm file access vulnerability

Affected Products:
        /bin/rm (all versions, tested on FreeBSD and linux)
        (<a  rel="nofollow" href="http://www.freebsd.org">http://www.freebsd.org</a>    <a  rel="nofollow" href="http://www.kernel.org">http://www.kernel.org</a>)

Author:
        Xenzeo (Ablazed, Ultralaser, Lennart A. Hansen)
        xenzeo at blackhat dot dk


/bin/rm is a program that removes the named file arguments on unix systems.
When /bin/rm is called it checks the file&apos;s permissions and the id of the user
trying to remove the file. If the user does not have the required permissions
to delete the file, /bin/rm will simply reject and exit.

</pre><tt>However, it is possible for a person with admin rights (root) to 
</tt><tt>delete _any_ file
</tt><pre style="margin: 0em;">
on the system regardless of who has created it and what it&apos;s permissions are.

Proof of concepts:
$ touch /home/xenzeo/file
$ ls -l /home/xenzeo/file
-rw-r--r--  1 xenzeo none 0 Dec 30  2004 /home/xenzeo/file
$ id
uid=1000(xenzeo) gid=513(none) groups=513(none),545(users)
$ su -c &apos;rm -f /home/xenzeo/file&apos;
$ ls -l /home/xenzeo/file
ls: file: No such file or directory

#!/usr/bin/perl
if ($#ARGV != 0) {
        die &quot;usage: rm-exploit.pl file\r\n&quot;;
} else {
   $file = $ARGV[0];
   print &quot;*** CMD: [ /bin/rm -f $file ]\r\n&quot;;
   print &quot;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n&quot;;
   if ($&gt; == 0) {
      print &quot;[-] EXECUTING CMD\r\n&quot;;
      system(&quot;/bin/rm -f $file&quot;);
      print &quot;[-] DONE\r\n&quot;;
      print &quot;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n&quot;;
      exit();
   } else {
      print &quot;[-] EXPLOIT FAILED\r\n&quot;;
      print &quot;[-] YOU ARE NOT ROOT\r\n&quot;;
      print &quot;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n&quot;;
   }
}

Vender status:
        Neither FreeBSD nor Linux developers have been contacted yet!

-Xenzeo
</pre><tt>   
</tt><tt>
</tt></blockquote><pre style="margin: 0em;">

_______________________________________________
Full-Disclosure - We believe in it.
Charter: <a  rel="nofollow" href="http://lists.netsys.com/full-disclosure-charter.html">http://lists.netsys.com/full-disclosure-charter.html</a>


</pre><tt> 
</tt><tt>
</tt></blockquote><pre style="margin: 0em;">

_______________________________________________
Full-Disclosure - We believe in it.
Charter: <a  rel="nofollow" href="http://lists.netsys.com/full-disclosure-charter.html">http://lists.netsys.com/full-disclosure-charter.html</a>

</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<p>
<a href=""><img src="/images/left-icon-16x16.png" border=0 width=16 height=16></a>&nbsp;&nbsp;<a href="date.html#0">By Date</a>&nbsp;&nbsp;<a href="1"><img src="/images/right-icon-16x16.png" border=0 width=16 height=16></a>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<a href=""><img src="/images/left-icon-16x16.png" border=0 width=16 height=16></a>&nbsp;&nbsp;<a href="index.html#0">By Thread</a>&nbsp;&nbsp;<a href="195"><img src="/images/right-icon-16x16.png" border=0 width=16 height=16></a>
</p>
<font size="+1"><b>Current thread:</b></font>
<ul style="margin-top: 0em">
<li><strong>Re: /bin/rm file access vulnerability</strong> <em>bkfsec (Dec 31)</em>
<ul>
<li><a name="195" href="195">Re: /bin/rm file access vulnerability</a> <em>J.A. Terranson (Jan 06)</em>
<ul>
<li><a name="150" href="150">Re: /bin/rm file access vulnerability</a> <em>bkfsec (Jan 06)</em>
</li>
</ul>
</li>
</ul>
<ul>
<li>&lt;Possible follow-ups&gt;</li>
<li><a name="5" href="5">Re: /bin/rm file access vulnerability</a> <em>Sean Harlow (Dec 31)</em>
<ul>
<li><a name="206" href="206">Re: /bin/rm file access vulnerability</a> <em>vh (Jan 06)</em>
<ul>
<li><a name="2" href="2">Re: /bin/rm file access vulnerability</a> <em>Jeffrey Denton (Dec 31)</em>
<li><a name="35" href="35">Re: /bin/rm file access vulnerability</a> <em>Frank Knobbe (Jan 02)</em>
</li>
</li>
</ul>
</li>
</ul>
</li>
<li><a name="50" href="50">Re: /bin/rm file access vulnerability</a> <em>Jerry (Jan 03)</em>
<ul>
<li><a name="14" href="14">Re: /bin/rm file access vulnerability</a> <em>James Longstreet (Jan 01)</em>
</li>
<li><a name="83" href="83">Re: /bin/rm file access vulnerability</a> <em>Valdis . Kletnieks (Jan 04)</em>
</li>
</ul>
</li>
<li><a name="54" href="54">Re: /bin/rm file access vulnerability</a> <em>Alex V. Lukyanenko (Jan 03)</em>
</li>
 </ul>
</li>
</ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
</TD></TR>
</TABLE>
</TD></TR>
<TR><TD></TD><TD ALIGN="center">
<FONT COLOR="#FFFFFF">
[ <A HREF="//nmap.org"><FONT COLOR="#FFFFFF">Nmap</FONT></A> |
  <A HREF="http://sectools.org"><FONT COLOR="#FFFFFF">Sec Tools</FONT></A> |
  <A HREF="http://seclists.org/"><FONT COLOR="#FFFFFF">Mailing Lists</FONT></A> |
  <A HREF="http://insecure.org/"><FONT COLOR="#FFFFFF">Site News</FONT></A> |
  <A HREF="http://insecure.org/fyodor/"><FONT COLOR="#FFFFFF">About/Contact</FONT></A> |
  <A HREF="http://insecure.org/advertising.html"><FONT COLOR="#FFFFFF">Advertising</FONT></A> |
  <A HREF="http://insecure.org/privacy.html"><FONT COLOR="#FFFFFF">Privacy</FONT></A> ]<BR>
</FONT>

<!-- SiteSearch Google -->
<div class="gcse-searchbox-only" data-resultsUrl="https://nmap.org/search.html"></div>
<!-- End SiteSearch Google -->

<!-- Bottom Banner -->
<!-- Adsense -->
<script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
<!-- PageBottom728x90 -->
<ins class="adsbygoogle"
     style="display:inline-block;width:728px;height:90px"
     data-ad-client="ca-pub-0078565546631069"
     data-ad-slot="2743510915"></ins>
<script>
(adsbygoogle = window.adsbygoogle || []).push({});
</script>
<!-- End Bottom Banner -->
</TD></TR>
</TABLE>
</BODY>
</HTML>


Each message in the FD list is wrapped in seclists.org code, including navigation, ads, and trackers, all irrelevant to us. The body of the reply is contained between two comments, <!--X-Body-of-Message--> and <!--X-Body-of-Message-End-->.

BeautifulSoup isn't great at handling comments, so we first use simple string indexing to extract the relevant characters. We then pass that fragment through BeautifulSoup so we can use its .text property to strip out the HTML tags. The html5lib parser wraps the fragment in <html>, <head> and <body> tags to make it a valid document, so remember to select the generated <body> tag before reading the text.

What we end up with is a plaintext version of the message's body.
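As an added example, not a cell from the original notebook, here is a standard-library alternative to the string indexing above that also covers two of the goals listed at the top, the inventory of HTML tags and the domains referenced in links. It uses html.parser instead of BeautifulSoup, switching collection on and off at the two MHonArc comment markers, so the generated <body> wrapper never enters the picture; entities such as &apos; are decoded by the parser. The page fragment it parses is constructed here in the seclists.org layout and is not a real message.

```python
import collections
import html.parser
import urllib.parse

# MHonArc marks the message body with these two comments (seen in the raw page above)
BODY_START = 'X-Body-of-Message'
BODY_END = 'X-Body-of-Message-End'


class MessageBodyParser(html.parser.HTMLParser):
    """Collect body text, a tag inventory and link hosts between the two markers."""

    def __init__(self):
        # convert_charrefs decodes entities such as &apos; and &quot; for us
        super().__init__(convert_charrefs=True)
        self.in_body = False
        self.text_parts = []
        self.tag_counts = collections.Counter()
        self.link_hosts = collections.Counter()

    def handle_comment(self, data):
        marker = data.strip()
        if marker == BODY_START:
            self.in_body = True
        elif marker == BODY_END:
            self.in_body = False

    def handle_starttag(self, tag, attrs):
        if not self.in_body:
            return
        self.tag_counts[tag] += 1
        if tag == 'a':
            href = dict(attrs).get('href')
            # relative links ("195", "date.html#0") have no host and are skipped
            host = urllib.parse.urlsplit(href).hostname if href else None
            if host:
                self.link_hosts[host] += 1

    def handle_data(self, data):
        if self.in_body:
            self.text_parts.append(data)


def parse_message(page_html):
    """Return the plain body text plus tag and link-host counts for one archive page."""
    parser = MessageBodyParser()
    parser.feed(page_html)
    parser.close()
    return {
        'text': ''.join(parser.text_parts),
        'tags': dict(parser.tag_counts),
        'hosts': dict(parser.link_hosts),
    }


# Constructed page fragment in the MHonArc layout; not a real seclists.org message.
SAMPLE_PAGE = """<html><head><title>Full Disclosure: Re: test</title></head>
<body><p><a href="http://seclists.org/fulldisclosure/">Full Disclosure</a> archives</p>
<!--X-Body-of-Message-->
<pre style="margin: 0em;">
Your &apos;exploit&apos; works with /bin/cat as well.
</pre><tt>bored? 
</tt><blockquote style="margin: 0em"><pre style="margin: 0em;">
See <a rel="nofollow" href="http://www.freebsd.org">http://www.freebsd.org</a> and
<a href="https://www.kernel.org/doc/">kernel docs</a> or <a href="195">the next reply</a>
</pre></blockquote>
<!--X-Body-of-Message-End-->
<p><a href="http://nmap.org/">Nmap</a></p></body></html>"""

if __name__ == '__main__':
    result = parse_message(SAMPLE_PAGE)
    print(result['text'])
    print(result['tags'], result['hosts'])
```

The navigation link to nmap.org outside the markers is not counted, and the relative href "195" adds to the tag count but contributes no host, which is the distinction the domain listing needs.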


In [45]:
start = content.index('<!--X-Body-of-Message-->') + 24
end = content.index('<!--X-Body-of-Message-End-->')
body = content[start:end]

soup = BeautifulSoup(body, 'html5lib')
bodyhtml = soup.find('body')
raw = bodyhtml.text
Pretty(raw)


Out[45]:
Yeah, I think that someone mistook the new year for April 1st.

Seriously, we seem to be getting more crap like this.  Are people just 
bored? 

            -Barry



Jörg Eschke wrote:

Sure, a user with admin rights is able to access/delete every local
file, regardless of the specific filepermissions.
Your 'exploit' will work with e.g. /bin/cat as well.
But i can't see a vulnerability anyway.

Am i missunderstanding something ?

Am Do, den 30.12.2004 schrieb Lennart Hansen um 2:18:
 

/bin/rm file access vulnerability

Affected Products:
        /bin/rm (all versions, tested on FreeBSD and linux)
        (http://www.freebsd.org    http://www.kernel.org)

Author:
        Xenzeo (Ablazed, Ultralaser, Lennart A. Hansen)
        xenzeo at blackhat dot dk


/bin/rm is a program that removes the named file arguments on unix systems.
When /bin/rm is called it checks the file's permissions and the id of the user
trying to remove the file. If the user does not have the required permissions
to delete the file, /bin/rm will simply reject and exit.

However, it is possible for a person with admin rights (root) to 
delete _any_ file
on the system regardless of who has created it and what it's permissions are.

Proof of concepts:
$ touch /home/xenzeo/file
$ ls -l /home/xenzeo/file
-rw-r--r--  1 xenzeo none 0 Dec 30  2004 /home/xenzeo/file
$ id
uid=1000(xenzeo) gid=513(none) groups=513(none),545(users)
$ su -c 'rm -f /home/xenzeo/file'
$ ls -l /home/xenzeo/file
ls: file: No such file or directory

#!/usr/bin/perl
if ($#ARGV != 0) {
        die "usage: rm-exploit.pl file\r\n";
} else {
   $file = $ARGV[0];
   print "*** CMD: [ /bin/rm -f $file ]\r\n";
   print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
   if ($> == 0) {
      print "[-] EXECUTING CMD\r\n";
      system("/bin/rm -f $file");
      print "[-] DONE\r\n";
      print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
      exit();
   } else {
      print "[-] EXPLOIT FAILED\r\n";
      print "[-] YOU ARE NOT ROOT\r\n";
      print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
   }
}

Vender status:
        Neither FreeBSD nor Linux developers have been contacted yet!

-Xenzeo
   


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Signature extraction

Messages to the FD list usually end with a common footer:

2002-2005:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

2005-2014:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

2014-onward:

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

We'll look for the first line (47 underscores), then test the lines below to make sure it's a match. If so, we'll strip out that footer from our content.
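As an added example (not a cell from the original notebook), the same footer removal can be done with one regular expression that recognises all three variants by their text rather than by fixed character offsets, so a footer with trailing blanks or an http/https difference in the list-info URL is still caught. The reply it runs on is constructed here, with one footer per quoting level as happens in a nested thread.

```python
import re

# The three footer variants quoted above. Trailing blanks on a line are tolerated
# because the HTML-to-text step leaves some behind.
FOOTER_VARIANTS = [
    # 2002-2005
    r"Full-Disclosure - We believe in it\.[ \t]*\n"
    r"Charter: http://lists\.netsys\.com/full-disclosure-charter\.html",
    # 2005-2014
    r"Full-Disclosure - We believe in it\.[ \t]*\n"
    r"Charter: http://lists\.grok\.org\.uk/full-disclosure-charter\.html[ \t]*\n"
    r"Hosted and sponsored by Secunia - http://secunia\.com/",
    # 2014-onward (accept the list-info URL with either scheme)
    r"Sent through the Full Disclosure mailing list[ \t]*\n"
    r"https?://nmap\.org/mailman/listinfo/fulldisclosure[ \t]*\n"
    r"Web Archives & RSS: http://seclists\.org/fulldisclosure/",
]

# exactly 47 underscores on their own line, then one of the known variants
FOOTER_RE = re.compile(
    r"[ \t]*(?<!_)_{47}(?!_)[ \t]*\n(?:" + "|".join(FOOTER_VARIANTS) + r")[ \t]*(?:\n|$)"
)


def strip_fd_footers(text):
    """Remove every recognised list footer; returns (cleaned_text, footers_removed)."""
    return FOOTER_RE.subn("", text)


UNDERLINE = "_" * 47

# Constructed reply: one footer per quoting level, as happens in a nested thread.
SAMPLE_REPLY = (
    "Seriously, we seem to be getting more of this.\n\n"
    "Someone wrote:\n\n"
    "> Nothing to see here.\n\n"
    + UNDERLINE + "\n"
    "Full-Disclosure - We believe in it.\n"
    "Charter: http://lists.netsys.com/full-disclosure-charter.html\n\n"
    + UNDERLINE + "\n"
    "Full-Disclosure - We believe in it.\n"
    "Charter: http://lists.grok.org.uk/full-disclosure-charter.html\n"
    "Hosted and sponsored by Secunia - http://secunia.com/\n\n"
    + UNDERLINE + "\n"
    "Sent through the Full Disclosure mailing list\n"
    "https://nmap.org/mailman/listinfo/fulldisclosure\n"
    "Web Archives & RSS: http://seclists.org/fulldisclosure/\n"
)

if __name__ == '__main__':
    cleaned, n = strip_fd_footers(SAMPLE_REPLY)
    print(n, 'footers removed')
    print(cleaned)
```

Because the alternation requires the full second (and third) line of each variant, a longer run of underscores such as the separator in a SUSE advisory is not mistaken for a footer, and the 78-underscore lines of that advisory survive intact.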


In [60]:
workcopy = raw
# every FD footer starts with a line of 47 underscores; walk the matches from the
# last one backwards so that removing a footer does not shift the offsets still to visit
footers = [m.start() for m in re.finditer('_{47}', workcopy)]
for f in reversed(footers):
    possible = workcopy[f:f+190]
    lines = possible.splitlines()
    # 2005-2014 footer (four lines, Secunia sponsorship)
    if (len(lines) == 4
        and lines[1][0:15] == 'Full-Disclosure'
        and lines[2][0:8] == 'Charter:'
        and lines[3][0:20] == 'Hosted and sponsored'):
        workcopy = workcopy[:f] + workcopy[f+213:]
        continue

    # 2014-onward footer (four lines, nmap.org list info)
    if (len(lines) == 4
        and lines[1][0:16] == 'Sent through the'
        and lines[2][0:17] == 'https://nmap.org/'
        and lines[3][0:14] == 'Web Archives &'):
        workcopy = workcopy[:f] + workcopy[f+211:]
        continue

    # 2002-2005 footer (three lines, 146 characters including newlines)
    possible = workcopy[f:f+146]
    lines = possible.splitlines()
    if (len(lines) == 3
        and lines[1][0:15] == 'Full-Disclosure'
        and lines[2][0:8] == 'Charter:'):
        workcopy = workcopy[:f] + workcopy[f+146:]
        continue

print(workcopy)


Yeah, I think that someone mistook the new year for April 1st.

Seriously, we seem to be getting more crap like this.  Are people just 
bored? 

            -Barry



Jörg Eschke wrote:

Sure, a user with admin rights is able to access/delete every local
file, regardless of the specific filepermissions.
Your 'exploit' will work with e.g. /bin/cat as well.
But i can't see a vulnerability anyway.

Am i missunderstanding something ?

Am Do, den 30.12.2004 schrieb Lennart Hansen um 2:18:
 

/bin/rm file access vulnerability

Affected Products:
        /bin/rm (all versions, tested on FreeBSD and linux)
        (http://www.freebsd.org    http://www.kernel.org)

Author:
        Xenzeo (Ablazed, Ultralaser, Lennart A. Hansen)
        xenzeo at blackhat dot dk


/bin/rm is a program that removes the named file arguments on unix systems.
When /bin/rm is called it checks the file's permissions and the id of the user
trying to remove the file. If the user does not have the required permissions
to delete the file, /bin/rm will simply reject and exit.

However, it is possible for a person with admin rights (root) to 
delete _any_ file
on the system regardless of who has created it and what it's permissions are.

Proof of concepts:
$ touch /home/xenzeo/file
$ ls -l /home/xenzeo/file
-rw-r--r--  1 xenzeo none 0 Dec 30  2004 /home/xenzeo/file
$ id
uid=1000(xenzeo) gid=513(none) groups=513(none),545(users)
$ su -c 'rm -f /home/xenzeo/file'
$ ls -l /home/xenzeo/file
ls: file: No such file or directory

#!/usr/bin/perl
if ($#ARGV != 0) {
        die "usage: rm-exploit.pl file\r\n";
} else {
   $file = $ARGV[0];
   print "*** CMD: [ /bin/rm -f $file ]\r\n";
   print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
   if ($> == 0) {
      print "[-] EXECUTING CMD\r\n";
      system("/bin/rm -f $file");
      print "[-] DONE\r\n";
      print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
      exit();
   } else {
      print "[-] EXPLOIT FAILED\r\n";
      print "[-] YOU ARE NOT ROOT\r\n";
      print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
   }
}

Vender status:
        Neither FreeBSD nor Linux developers have been contacted yet!

-Xenzeo
   




 





PGP messages

As might be expected, many messages carry a PGP signature. It isn't useful for our processing, so we'll take it out. First, we define get_raw_message with the code we've used previously. We then create strip_pgp, which looks for the PGP armor markers. Simple text searches are enough again, except for the Hash: line, whose algorithm name can vary, so we match it with a regular expression.

http://seclists.org/fulldisclosure/2017/Oct/11 is a message that includes a PGP signature, so we'll use that to test.
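As an added example, not a cell from the original notebook, the clearsign armor can also be taken apart with a single regular expression that captures the Hash: algorithm and the signature block instead of discarding them, and that undoes the dash-escaping RFC 4880 applies to signed lines beginning with "-" (the lone "- " left in the output below is that escaping showing through). The clearsigned advisory it runs on is constructed here; its signature bytes are a placeholder, not a real signature.

```python
import re

# Clearsign armor per RFC 4880 section 7: header line, optional "Hash:" armor
# header, blank line, the signed text, then the signature block.
CLEARSIGN_RE = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\n"
    r"(?:Hash: (?P<hash>[^\n]+)\n)?"
    r"\n?"
    r"(?P<body>.*?)\n?"
    r"(?P<sig>-----BEGIN PGP SIGNATURE-----\n.*?-----END PGP SIGNATURE-----)",
    re.DOTALL,
)


def split_clearsigned(text):
    """Return (message_text, hash_name, signature_block) for a clearsigned message.

    Text without clearsign armor comes back unchanged, with None for the other two.
    The signature block is returned rather than discarded so it can still be
    verified against the original message before the stripped text is trusted.
    """
    m = CLEARSIGN_RE.search(text)
    if m is None:
        return text, None, None
    body = m.group('body')
    # RFC 4880 7.1: signed-text lines that begin with '-' are sent as "- ...";
    # undo that so the plain text reads as the author wrote it
    body = re.sub(r'^- ', '', body, flags=re.MULTILINE)
    cleaned = text[:m.start()] + body + text[m.end():]
    return cleaned, m.group('hash'), m.group('sig')


# Constructed clearsigned advisory; the signature bytes are a placeholder, not a real signature.
SAMPLE_CLEARSIGNED = (
    "From: advisory-bot (constructed example)\n\n"
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA1\n"
    "\n"
    "Package:   example-player\n"
    "- -- signed text may dash-escape lines that start with a dash\n"
    "Severity:  8\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "Version: GnuPG v1.2.4 (placeholder)\n"
    "\n"
    "iD8DBQFBNotARealSignatureJustAPlaceholderForTheExample=\n"
    "=AbCd\n"
    "-----END PGP SIGNATURE-----\n"
    "\nThanks.\n"
)

if __name__ == '__main__':
    cleaned, algo, sig = split_clearsigned(SAMPLE_CLEARSIGNED)
    print('hash:', algo)
    print(cleaned)
```

Because the stripped text and the signature are returned separately, the verification step can run on the untouched message while the text analysis runs on the cleaned copy.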


In [13]:
def get_raw_message(url):
    r = requests.get(url)
    content = r.text
    start = content.index('<!--X-Body-of-Message-->') + 24
    end = content.index('<!--X-Body-of-Message-End-->')
    body = content[start:end]

    soup = BeautifulSoup(body, 'html5lib')
    bodyhtml = soup.find('body')
    return bodyhtml.text

#rawmsg = get_raw_message('http://seclists.org/fulldisclosure/2017/Oct/11')
rawmsg = get_raw_message('http://seclists.org/fulldisclosure/2005/Jan/719')

def strip_pgp(raw):
    # no signature block: nothing to strip, return the text unchanged
    try:
        pgp_sig_start = raw.index('-----BEGIN PGP SIGNATURE-----')
        pgp_sig_end = raw.index('-----END PGP SIGNATURE-----') + 27
    except ValueError:
        return raw
    cleaned = raw[:pgp_sig_start] + raw[pgp_sig_end:]

    # if we find a public key block, then strip that out; the offsets must be taken
    # from the working copy, since the cut above shifts everything that follows it
    try:
        pgp_pk_start = cleaned.index('-----BEGIN PGP PUBLIC KEY BLOCK-----')
        pgp_pk_end = cleaned.index('-----END PGP PUBLIC KEY BLOCK-----') + 35
        cleaned = cleaned[:pgp_pk_start] + cleaned[pgp_pk_end:]
    except ValueError:
        pass

    # finally, try to remove the signed message header
    try:
        pgp_msg = cleaned.index('-----BEGIN PGP SIGNED MESSAGE-----')
    except ValueError:
        return cleaned
    pgp_hash = re.search(r'Hash:(.)+\n', cleaned)

    if pgp_hash is not None and pgp_hash.start() == pgp_msg + 35:
        # if we found a hash designation immediately after the header, strip that too
        cleaned = cleaned[:pgp_msg] + cleaned[pgp_hash.end():]
    else:
        # just strip the header
        cleaned = cleaned[:pgp_msg] + cleaned[pgp_msg + 34:]

    return cleaned

unpgp = strip_pgp(rawmsg)
Pretty(unpgp)
#Pretty(strip_pgp(raw))


Out[13]:


______________________________________________________________________________

                        SUSE Security Announcement

        Package:                realplayer 8
        Announcement-ID:        SUSE-SA:2005:004
        Date:                   Monday, Jan 24th 2005 16:00 MET
        Affected products:      8.1, 8.2, 9.0, 9.1
                                SUSE Linux Desktop 1.0
        Vulnerability Type:     remote code execution
        Severity (1-10):        8
        SUSE default package:   yes
        Cross References:       none

    Content of this advisory:
        1) security vulnerability discussed:
               - integer overflow
           problem description
        2) solution/workaround
        3) standard appendix (further information)

______________________________________________________________________________

1) problem description, brief discussion


   RealPlayer is a combined audio and video player for RealMedia formatted
   streaming data. These formats are very common throughout the Internet.

   eEye Security in October 2004 discovered a flaw in the .rm RealMovie
   stream handling routines which allows a remote attacker to exploit an
   integer overflow vulnerability using a special .rm file. This might
   allow a remote attacker to execute code as the user running RealPlayer.

   Reference URLs for this problems are the Real security advisory:
           http://service.real.com/help/faq/security/040928_player/EN/

   and the eEye security advisory:
           http://www.eeye.com/html/research/advisories/AD20041001.html


   SUSE Linux includes RealPlayer as both standalone player and as a
   plugin for web browsers like Mozilla and Konqueror.
   This might allow the attacker to just provide a web page or E-Mail
   linking to the special exploit .rm file.

   We cannot fully evaluate the impact of this problem due to lack of
   information and lack of source code to review.


   SUSE Linux versions up to 9.1 and the SUSE Linux Desktop 1.0
   include RealPlayer version 8 and are affected by this problem.

   SUSE Linux 9.2 and the Novell Linux Desktop 9 include RealPlayer
   version 10 and are NOT affected by this problem.


   Real does not offer a fixed version 8 RealPlayer, but suggests
   upgrading RealPlayer to version 10.

   However, upgrading Realplayer is not possible for older SUSE Linux
   products since Realplayer 10 requires newer dynamic library
   versions than the ones to be found in those products.  Also some old
   Real content is not compatible with the RealPlayer version 10.

   For these reasons we cannot offer fixed packages for older SUSE Linux
   based products.

2) solution/workaround

   We suggest one of the following workarounds:

   a) De-install RealPlayer

      Either use YaST to deinstall RealPlayer, or as root do:

      # rpm -e RealPlayer

      You will lose the ability to view Real content.



   b) Remove the RealPlayer plug in

      As root, execute the following commands:

      # rm /usr/lib/browser-plugins/raclass.zip
      # rm /usr/lib/browser-plugins/rpnp.so


      Content can still be viewed by starting "realplay" and opening
      URLs, but automatic exploits via web pages or E-Mails are no longer
      possible.

______________________________________________________________________________

3)  standard appendix: authenticity verification, additional information

  - Package authenticity verification:

    SUSE update packages are available on many mirror ftp servers all over
    the world. While this service is being considered valuable and important
    to the free and open source software community, many users wish to be
    sure about the origin of the package and its content before installing
    the package. There are two verification methods that can be used
    independently from each other to prove the authenticity of a downloaded
    file or rpm package:
    1) md5sums as provided in the (cryptographically signed) announcement.
    2) using the internal gpg signatures of the rpm package.

    1) execute the command
        md5sum <name-of-the-file.rpm>
       after you downloaded the file from a SUSE ftp server or its mirrors.
       Then, compare the resulting md5sum with the one that is listed in the
       announcement. Since the announcement containing the checksums is
       cryptographically signed (usually using the key security () suse de),
       the checksums show proof of the authenticity of the package.
       We recommend against subscribing to security lists that cause the
       e-mail message containing the announcement to be modified
       so that the signature does not match after transport through the mailing
       list software.
       Downsides: You must be able to verify the authenticity of the
       announcement in the first place. If RPM packages are being rebuilt
       and a new version of a package is published on the ftp server, all
       md5 sums for the files are useless.

    2) rpm package signatures provide an easy way to verify the authenticity
       of an rpm package. Use the command
        rpm -v --checksig <file.rpm>
       to verify the signature of the package, where <file.rpm> is the
       file name of the rpm package that you have downloaded. Of course,
       package authenticity verification can only target an uninstalled rpm
       package file.
       Prerequisites:
        a) gpg is installed
        b) The package is signed using a certain key. The public part of this
           key must be installed by the gpg program in the directory
           ~/.gnupg/ under the user's home directory who performs the
           signature verification (usually root). You can import the key
           that is used by SUSE in rpm packages for SUSE Linux by saving
           this announcement to a file ("announcement.txt") and
           running the command (do "su -" to be root):
            gpg --batch; gpg < announcement.txt | gpg --import
           SUSE Linux distributions version 7.1 and thereafter install the
           key "build () suse de" upon installation or upgrade, provided that
           the package gpg is installed. The file containing the public key
           is placed at the top-level directory of the first CD (pubring.gpg)
           and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .


  - SUSE runs two security mailing lists to which any interested party may
    subscribe:

    suse-security () suse com
        -   general/linux/SUSE security discussion.
            All SUSE security announcements are sent to this list.
            To subscribe, send an email to
                <suse-security-subscribe () suse com>.

    suse-security-announce () suse com
        -   SUSE's announce-only mailing list.
            Only SUSE's security announcements are sent to this list.
            To subscribe, send an email to
                <suse-security-announce-subscribe () suse com>.

    For general information or the frequently asked questions (FAQ)
    send mail to:
        <suse-security-info () suse com> or
        <suse-security-faq () suse com> respectively.

    =====================================================================
    SUSE's security contact is <security () suse com> or <security () suse de>.
    The <security () suse de> public key is listed below.
    =====================================================================
______________________________________________________________________________

    The information in this advisory may be distributed or reproduced,
    provided that the advisory is not modified in any way. In particular,
    it is desired that the clear-text signature shows proof of the
    authenticity of the text.
    SUSE Linux AG makes no warranties of any kind whatsoever with respect
    to the information contained in this security advisory.

Type Bits/KeyID    Date       User ID
pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team <security () suse de>
pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build () suse de>

- 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Talon processing

Next, we'll attempt to use talon to strip out the signature from the message. Talon provides two different ways to find the signature, "brute force" and "machine learning".

We'll try the brute force method first.


In [28]:
import talon
from talon.signature.bruteforce import extract_signature
from IPython.display import Pretty, display

reply, signature = extract_signature(raw)
if signature is not None:
    # Pretty() only renders by itself as the last expression of a cell;
    # inside an if-block it has to be passed to display() explicitly.
    display(Pretty(signature))

In [29]:
Pretty(reply)


Out[29]:
Zend Framework < 2.4.11    Remote Code Execution (CVE-2016-10034)
zend-mail < 2.7.2

Discovered by Dawid Golunski (@dawid_golunski)
https://legalhackers.com

Desc:
An independent research uncovered a critical vulnerability in zend-mail, a
Zend Framework's component that could potentially be used by (unauthenticated)
remote attackers to achieve remote arbitrary code execution in the context
of the web server user and remotely compromise the target web application.

To exploit the vulnerability an attacker could target common website
components such as contact/feedback forms, registration forms, password
email resets and others that send out emails with the help of a vulnerable
version of the zend-mail class.

Full advisory / PoC exploit at:

http://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html

Video / PoC:

https://legalhackers.com/videos/ZendFramework-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10034-PoC.html

For updates, follow:

https://twitter.com/dawid_golunski

For 2017_Jan_0 the brute force method is effective: both the personal signature and the Full Disclosure footer are gone from the reply. For 2017_Jan_45, the PGP-signed message, it was not successful at all. Now we'll try the machine learning method, to compare.


In [8]:
talon.init()  # loads the classifier bundled with talon; required before signature.extract()
from talon import signature
reply_ml, sig_ml = signature.extract(raw, sender="dawid@legalhackers.com")
print(sig_ml)
#reply_ml


None

This doesn't seem to output anything. I'm unclear whether or not this library is already trained; documentation states that it was trained on the authors' personal email and an ENRON set. There is an open issue on github https://github.com/mailgun/talon/issues/143 from July asking about the same thing. We will stick with the "brute force" method for now, and continue to look for more libraries.
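Since neither talon mode handled the PGP-signed message, here is an added, stdlib-only example (not talon's code and not part of the original notebook) of the three layers a reply from this list can carry and the order in which a parser has to peel them: the PGP clearsign armor (RFC 4880, including undoing the "- " dash-escaping the signer applies to lines that start with a dash), the Full-Disclosure footer appended by the list software, and finally the personal signature, found first via the RFC 3676 "-- " delimiter and otherwise via a closing-phrase heuristic over the last few lines. The sample message is constructed for the example, and the function names are mine.

```python
import re
from typing import Optional, Tuple

# Constructed sample (not a real post): clearsigned body with a dash-escaped
# line, a personal signature, the detached signature block, and the list footer.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Some product < 1.2.3  Local Privilege Escalation

Desc:
A constructed example body.

- -- this line was dash-escaped by the signer and must be unescaped

Regards,
A. Researcher
https://example.invalid
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE0000000000000000000000000000000000000000FAmAAAAAACgkQ
=AbCd
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
"""

FOOTER_RE = re.compile(r'^_{20,}\nFull-Disclosure - We believe in it\.', re.M)
SIG_DELIM_RE = re.compile(r'^-- ?$')          # RFC 3676 "-- "; clients often trim the space
CLOSING_RE = re.compile(
    r'^(thanks|thank you|regards|best regards|kind regards|cheers|sincerely)[,.!]?$', re.I)


def strip_pgp_clearsign(text: str) -> str:
    """Remove clearsign armor and the signature block; undo dash-escaping in the signed part."""
    out, state = [], 'plain'   # plain -> header -> signed -> sig -> plain
    for line in text.splitlines():
        if state == 'plain' and line == '-----BEGIN PGP SIGNED MESSAGE-----':
            state = 'header'   # armor headers such as "Hash: SHA256" follow
            continue
        if state == 'header':
            if line.strip() == '':
                state = 'signed'   # a blank line ends the armor headers
            continue
        if state == 'signed' and line == '-----BEGIN PGP SIGNATURE-----':
            state = 'sig'
            continue
        if state == 'sig':
            if line == '-----END PGP SIGNATURE-----':
                state = 'plain'
            continue
        if state == 'signed' and line.startswith('- '):
            line = line[2:]    # RFC 4880 7.1: the signer prefixed dash-led lines with "- "
        out.append(line)
    return '\n'.join(out)


def strip_list_footer(text: str) -> str:
    """Drop the Full-Disclosure footer (underscore rule + banner) and everything after it."""
    m = FOOTER_RE.search(text)
    return text[:m.start()].rstrip('\n') if m else text


def split_signature(text: str, max_sig_lines: int = 8) -> Tuple[str, Optional[str]]:
    """Return (reply, signature); signature is None when nothing looks like one."""
    lines = text.rstrip('\n').split('\n')
    # 1. An explicit "-- " delimiter wins; the last one is taken, so quoted
    #    signatures earlier in the message do not swallow the reply.
    for i in range(len(lines) - 1, -1, -1):
        if SIG_DELIM_RE.match(lines[i]):
            return '\n'.join(lines[:i]).rstrip('\n'), '\n'.join(lines[i + 1:]).strip('\n')
    # 2. Heuristic: a closing phrase within the last max_sig_lines lines starts the signature.
    for i in range(max(0, len(lines) - max_sig_lines), len(lines)):
        if CLOSING_RE.match(lines[i].strip()):
            return '\n'.join(lines[:i]).rstrip('\n'), '\n'.join(lines[i:]).strip('\n')
    return text.rstrip('\n'), None


def clean_reply(text: str) -> Tuple[str, Optional[str]]:
    """Armor first, then the list footer, then the personal signature."""
    return split_signature(strip_list_footer(strip_pgp_clearsign(text)))


if __name__ == '__main__':
    body, sig = clean_reply(SAMPLE)
    print(body)
    print('--- signature ---')
    print(sig)
```

The order matters: the armor and the footer are removed before any signature heuristic runs, because the signature block and the footer sit between the closing lines of the reply and the end of the message, which is exactly where an end-of-message heuristic looks.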

Extract HTML tags

We'll use a fairly simple regex to extract the tags from the HTML of the message body (bodyhtml), not from the stripped reply text.

<([^\s>]+)(\s|/>)+

  • [^\s>]+ one or more characters that are neither whitespace nor >, i.e. the tag name (a leading / marks a closing tag), followed by:
  • (\s|/>)+ one or more of: a whitespace character (the tag has attributes), or /> for self-closing tags.

Note that a tag is only matched when something other than > follows its name: a bare tag with no attributes, such as <pre>, is not matched, because > satisfies neither alternative. Closing tags are filtered out by the startswith('/') check below.

We then use a dictionary to count the instances of each unique tag.


In [9]:
rx = re.compile(r'<([^\s>]+)(\s|/>)+')  # raw string: a bare '\s' is an invalid escape in newer Pythons
tags = {}
for tag in rx.findall(str(bodyhtml)):
    tagtype = tag[0]
    if not tagtype.startswith('/'):  # skip closing tags
        tags[tagtype] = tags.get(tagtype, 0) + 1
print(tags)


{'a': 7, 'pre': 1}

We'll record which domains each message links to. We use BeautifulSoup to pull out all <a> tags, then urlparse to take the network location (host, plus port if any) from each href.


In [10]:
from urllib.parse import urlparse

sites = {}

atags = bodyhtml.find_all('a')
hrefs = [link.get('href') for link in atags]

for link in hrefs:
    if not link:
        continue  # an <a> without href (e.g. a named anchor) would otherwise reach urlparse as None
    site = urlparse(link).netloc.lower()  # relative links give ''; lowercase so Host and host count once
    sites[site] = sites.get(site, 0) + 1

sites


Out[10]:
{'legalhackers.com': 4, 'nmap.org': 1, 'seclists.org': 1, 'twitter.com': 1}
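As an added example (not the notebook's code), the two steps above, tag counting and link-domain extraction, done with the standard library's HTML parser rather than a regex plus BeautifulSoup. It shows the cases the regex and the href loop miss: a bare <pre> with no attributes, a self-closing <br/>, an <a> with no href, relative and scheme-relative links, a mailto: link, and hosts that differ only by case or an explicit port. The HTML fragment is constructed for the example and the class and function names are mine; the notebook's own regex is kept in regex_tag_counts so the two tag counts can be compared on the same input.

```python
import re
from collections import Counter
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed seclists-like fragment (not a real page).
SAMPLE_HTML = """<pre>Advisory text
<a href="https://legalhackers.com/advisories/x.html">advisory</a>
<a href="HTTPS://LegalHackers.com:443/videos/y.html">video</a>
<a href="https://twitter.com/dawid_golunski">twitter</a>
<a href="/fulldisclosure/2017/Jan/1">next</a>
<a href="//nmap.org/">scheme-relative</a>
<a href="mailto:fulldisclosure@seclists.org">list</a>
<a name="anchor">no href</a><br/>
</pre>"""

# The notebook's regex, kept for comparison: a tag name must be followed by whitespace or "/>".
NOTEBOOK_TAG_RE = re.compile(r'<([^\s>]+)(\s|/>)+')


class TagAndLinkCollector(HTMLParser):
    """Count every start tag and collect the href of every <a> that has one."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: Counter = Counter()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags[tag] += 1
        if tag == 'a':
            href = dict(attrs).get('href')
            if href:  # <a name="..."> has no href; the notebook loop would feed None to urlparse
                self.hrefs.append(href)

    def handle_startendtag(self, tag: str, attrs) -> None:
        self.handle_starttag(tag, attrs)  # <br/> is one br tag, not a start plus an end


def link_domain(href: str) -> Optional[str]:
    """Normalised host of an http(s) or scheme-relative link; None for relative, mailto:, etc."""
    p = urlparse(href.strip())
    if p.scheme not in ('http', 'https', ''):   # urlparse lowercases the scheme
        return None
    if not p.netloc:                             # relative link: stays on the archive host
        return None
    return p.hostname.lower() if p.hostname else None   # hostname drops the port and user info


def regex_tag_counts(html: str) -> Dict[str, int]:
    """Tag counts the way the notebook regex sees them (misses attribute-less tags such as <pre>)."""
    return dict(Counter(m.group(1) for m in NOTEBOOK_TAG_RE.finditer(html)
                        if not m.group(1).startswith('/')))


def analyse(html: str) -> Tuple[Dict[str, int], Dict[str, int], List[str]]:
    """Return (tag counts, link-domain counts, raw hrefs) for one message body."""
    collector = TagAndLinkCollector()
    collector.feed(html)
    collector.close()
    domains = Counter(d for d in map(link_domain, collector.hrefs) if d)
    return dict(collector.tags), dict(domains), collector.hrefs


if __name__ == '__main__':
    tags, domains, hrefs = analyse(SAMPLE_HTML)
    print('parser tags :', tags)
    print('regex tags  :', regex_tag_counts(SAMPLE_HTML))
    print('domains     :', domains)
```

On this input the parser reports the <pre> and the <br/> that the regex respectively misses and counts, folds the mixed-case, port-qualified legalhackers.com link into the same domain as the plain one, and leaves relative and mailto: links out of the domain tally rather than counting an empty string.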