Some famous security vulnurabilities

1. RSA signature forgery by unprivileged users.

RSA signatures are used to authenticate the source of a message. To prevent RSA signatures from being forged, messages are padded with data to ensure message hashes are adequately sized. One such padding scheme is specified in the Public-Key Cryptography Standard #1 (PKCS-1), which is defined in RFC 3447. Many RSA implementations may fail to properly verify signatures. Specifically, the verifier may incorrectly parse PKCS-1 padded signatures, ignoring data at the end of a signature. If this data is ignored and a RSA key with a public exponent of three is used, it may be possible to forge the signing key’s signature.

Note that any application that uses RSA signatures may be affected by this vulnerability. This includes, but is not limited to, SSH, SSL, PGP, and X.509 applications.

http://en.securitylab.ru/notification/276087.php

http://www.mail-archive.com/cryptography@metzdowd.com/msg06732.html

http://www.mail-archive.com/cryptography@metzdowd.com/msg06537.htm

http://en.securitylab.ru/notification/276087.php

2. Telnet login vulnerability gives root access to unauthorized users.

/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c
3198
3199     } else /* default, no auth. info available, login does it all */ {
3200                   (void) execl(LOGIN_PROGRAM, “login”,
3201                                   “-p”, “-h”, host, “-d”, slavename,
3202                                   getenv(“USER”), 0);
3203     }

/usr/src/cmd/login/login.c
1397                            break;
1398
1399                  case ‘f’:
1400                            /*
1401                             * Must be root to bypass authentication
1402                             * otherwise we exit() as punishment for trying.
1403                             */
1404 if (getuid() != 0 || geteuid() != 0) {
1405           audit_error = ADT_FAIL_VALUE_AUTH_BYPASS;
1406
1407           login_exit(1);     /* sigh */
1408           /*NOTREACHED*/
1409 }
1410 /* save fflag user name for future use */
SCPYL(user_name, optarg);
1411
1412 fflag = B_TRUE;

So if we supply a USER environment variable of “-f<username>” we can get in without a
password.

3. DNS server cache poisoning by unprivileged users

http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

http://www.infobyte.com.ar/demo/evilgrade.htm

4.Cross‐site scripting attacks, which allow attackers to execute scripts within the context of a user’s browser.

https://www.governmentsecurity.org/SecurityHackingNews/Sun_Alert_247046_Cross_Site_Scripting_XSS_Vulnerability_in_Sun_Management_Center_SunMC_Performance_Reporting_Module

5.Injection flaws, such as SQL injection attacks in which SQL commands are sent as
part of input data.

6. Poorly managed authentication in distributed applications that allow, for example, a
victim’s username and passwords to be stolen

7. Insecure communications, in which private and confidential information is sent in
unencrypted or easily decrypted form

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s