‘Format string bugs are a method of abusing incorrect usage of the format functions like printf, sprintf, snprintf, fprintf, vfprintf and the likes. When these functions are called they require that a version specifier is used to display the data stored in one or more directives.
‘kmalloc – ‘Linux Kernel memory allocation routine, kmalloc() ensures physical address contiguity’.
‘Exploiting well known flaws in DNS services and the way in which host names are resolved to IP addresses, Phishers have upped the ante in the cyber war for control of a customer’s online identity for financial gain.
A grouping of attack vectors now referred to as ‘Pharming’, affects the fundamental way in which a customer’s computer locates and connects to an organisation’s online offering. Enabling the Pharmer to reach wider audiences with less probability of detection than their Phishing counterparts, pharming attacks are capable of defeating many of the latest defensive strategies used by customer and online retailer alike.
‘In ‘Meanwhile on the other side of the webserver’ Amit surveyed some possible attacks against a scenario wherein a proxy server is positioned in front of a web server, and that proxy server shares a single TCP connection to the server among several clients. In that write-up, Amit mentioned several problems related to HTTP Request Smuggling (http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf) and HTTP Response Splitting (http://www.sanctuminc.com/pdf/WhitePaper_HTTPResponse.pdf).
Well, wrong. There is a kind of XSS that does not match this description, at least not in some of its fundamental properties. The XSS attacks described above are either non-persistent / reflected (i.e. the malicious data is embedded in the page that is returned to the browser immediately following the request) or persistent / stored (in which case the malicious data is returned at some later time).
But there’s also a third kind of XSS attacks – the ones that do not rely on sending the malicious data to the server in the first place! While this seems almost contradictory to the definition or to common sense, there are, in fact, two well described examples for such attacks.
‘A rootkit is a program designed to control the behavior of a given machine. This is often used to hide the illegitimate presence of a backdoor and other such tools. It acts by denying the listing of certain elements when requested by the user, affecting thereby the confidence that the machine has not been compromised.
Specifically, the problem arises when one program, ‘PARENT,’ invokes another program, ‘CHILD,’ in which:
– The CHILD has a ‘standalone’ design, i.e. its normal mode of operation is to be run by an interactive user, or a script on behalf of the user
– The CHILD does not run with more privileges than the user that invokes it, e.g. it is not setuid
– The CHILD program assumes that the user calling the program has control over all files that are specified as arguments, i.e. the specified filenames are trusted
– The CHILD program follows symlinks
– The PARENT uses filenames that are passed as arguments to the CHILD
– The filenames as used by the PARENT are:
    – Controllable, or predictable, by the attacker, and
    – In a directory that’s writable by the attacker;
The attacker could then use a symlink attack on the filename arguments that the PARENT passes to the CHILD.
This variant might be referred to as a ‘Second Order Symlink Vulnerability’.’
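The conditions listed above describe what the PARENT and the CHILD each get wrong. The following Python script, added here as an illustration and not taken from the quoted advisory, shows the two defensive counterparts: the PARENT creating its files in a private, unpredictable directory (so the names are neither guessable nor in an attacker-writable location), and the CHILD refusing to follow a symbolic link when it opens a caller-supplied path and checking the containing directory's permissions. The function names `make_private_workdir`, `open_nofollow` and `is_safe_argument`, and the scenario built by `demo()`, are this example's own constructions.

```python
"""Defensive checks for the 'second order symlink' scenario (added example).

PARENT side: never hand a CHILD a predictable file name in a directory other
users can write to. CHILD side: when a path argument must be accepted, refuse
to follow a symlink at the final component and distrust world-writable
directories that lack the sticky bit.
"""
import os
import stat
import tempfile


def make_private_workdir() -> str:
    """PARENT side: create a fresh directory (mode 0700) under the system
    temp location. Names placed here are not predictable in advance and the
    directory is not writable by other users, so the last two conditions of
    the list above cannot be met by an attacker."""
    return tempfile.mkdtemp(prefix="parent-")


def open_nofollow(path: str, flags: int = os.O_RDONLY) -> int:
    """CHILD side: open `path` but refuse to follow a symbolic link at the
    final path component. Returns a raw file descriptor; raises OSError
    (ELOOP on Linux) if `path` is itself a symlink."""
    return os.open(path, flags | os.O_NOFOLLOW)


def is_safe_argument(path: str) -> bool:
    """CHILD side: heuristic applied before trusting a file-name argument.
    The target must not be a symlink (checked with lstat, which does not
    follow links), and its directory must not be world-writable unless the
    sticky bit is set, as /tmp normally has. Only the final component is
    examined; intermediate directories are assumed to be system-owned."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return False
    parent = os.path.dirname(os.path.abspath(path)) or "/"
    pst = os.stat(parent)
    world_writable = bool(pst.st_mode & stat.S_IWOTH)
    sticky = bool(pst.st_mode & stat.S_ISVTX)
    return not (world_writable and not sticky)


def demo() -> dict:
    """Build a constructed scenario (a regular file plus a symlink to it in a
    private work directory) and report how each check treats them."""
    work = make_private_workdir()
    try:
        real = os.path.join(work, "data.txt")
        with open(real, "w") as f:
            f.write("parent output\n")  # constructed sample content
        link = os.path.join(work, "link.txt")
        os.symlink(real, link)

        results = {
            "regular_file_safe": is_safe_argument(real),
            "symlink_safe": is_safe_argument(link),
        }
        fd = open_nofollow(real)
        os.close(fd)
        results["regular_open_ok"] = True
        try:
            open_nofollow(link)
            results["symlink_refused"] = False
        except OSError:
            results["symlink_refused"] = True
        return results
    finally:
        for name in ("link.txt", "data.txt"):
            p = os.path.join(work, name)
            if os.path.lexists(p):
                os.unlink(p)
        os.rmdir(work)


if __name__ == "__main__":
    print(demo())
```

Running the script prints a dictionary in which the regular file passes both checks while the symlink is rejected by `is_safe_argument` and refused by `open_nofollow`. The `O_NOFOLLOW` flag only protects the last component of the path; a CHILD that must be robust against symlinks in intermediate directories should also open the directory first and use `os.open` with `dir_fd` relative to it.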