Phrack Security Advisory 2014-001 - Paper leak on release timeout

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Subject: Phrack Security Advisory 2014-001 - Paper leak on release timeout
From: Phrack Staff <staff@xxxxxxxxxx>
Date: Fri, 4 Apr 2014 16:58:25 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                 Phrack Security Advisory 2014-001
                 =================================

Topic:          Paper leak on release timeout

Version:        Phrack-current:        affected from 2014-04-04 onwards
                Phrack 1985-2014:      not affected

Severity:       Remote unprivileged information leak

Fix:            Not currently fixed


Abstract
========

We have discovered a remote unprivileged information leak of papers
affecting Phrack. The vulnerable condition is triggered by a release
timeout bug and manifests via the paper feed subsystem.


(Not so) technical details
==========================

Given that the world seems to turn faster than a couple of years ago,
the Phrack magazine has experienced a release timeout bug. This has in
turn triggered a paper leak condition that can be exploited remotely
by unprivileged users.

Be warned, your work can be leaked too. However, it first needs to pass
the Phrack reviewing watchdogs before it gets exposed to the paper feed
leak subsystem.


Proposed fix
============

Shorten the release cycle. This is currently an ongoing collective
effort. Feel free to contribute.


Thanks to
=========

All the authors that have submitted so far.


Revision History
================

        2014-04-04      Initial release


More information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory can be found at:

http://phrack.org/


Public key
==========

Email for contact staff(at)phrack[DOT]org. Please use the PGP key below.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PHRACK

mQINBFM+oeYBEADMTNkOinB/20s5T9Oo3eG39RaE6BQjgegag6x3DxIPQktLdT9L
vsC8OH0ut4KKx8iva62BxNMr8Y24cpMIG0mBgGxDn9U6TaexmhgeTKGZWaS/61Ew
EfgG4QSzQTj2soX9g6uo5HTRnl7cYPUsVRO7NIbNj15F9O6Q1xmnhSs79pyiqQ7/
uNgZJrNXY2ksd1jbfxUsHzV9KY7YjqVmUJEEHA6IHfmjwJ6E5accmHK+Q1RrPJL3
SafFFOlnvtZLW62ZMsEc5H8TsKl73E3fv2jHLkNIGO9mrmfLgBwM/KkuRy4WQVzL
TsgiRGLYKIbgPAFskbYdmH7elWBoUWA7YDw6yXZnysqL0St/g2/vYhVOVcGT9gKV
oTBNGSKDhvfMGSj8lphDOUIshuFkCWGX7XyI5KWPfgDdCTm6I+JPhrTfmrLfDi6V
GSLgX6r8Yulz0clChZlFBgKCmveI+KnCPj3k96pXcyenA9dR2GDQuCUjHSg4lYlp
OTDS7bPXE4KbPNKDFgwHFRJ7oATbzS7hMkLkDnRNEMxAPcZ0EXkEQQmHUHG4tLty
aAuE8vqC4eamd6Jz5GsSz8BK5FzsY0Wr0bK5L9TfkSyaIsAkRuFlI6OEYRfLxIwl
qkgxz0opRCr19V0bZ9UQWcnnQ/JwFc8Iq1Eazj4bWpDAQbvtx5uf+43CEwARAQAB
tB9QaHJhY2sgU3RhZmYgPHN0YWZmQHBocmFjay5vcmc+iQI9BBMBCAAnBQJTPqHm
AhsDBQkJZgGABQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEPuBHb1p2hqMRHsP
/iozBA8LTwIPHhfsGURzUP0eCyUmOTkXrKq8rmotwGL2TrDz97J4RYhEOLSQ6o25
7HhKwukNcuYx55HduZDiQ/BtOV2dTqatHo3exiAaFTcGZXtFguJKDpDybyi8z2mS
usIoGwyW6yiNmmjTVm9mV5BDKyHNagKra0ReKMPCTgQP3l+0GUTimNvlZdKkrmxw
yEi7i2xTpDGk3UklWDHuo4kcogRoJ+N+T1w8wv1JbPCXTxp1GoM6z42iG/kWBhpo
1ZG9NCVHGRaAN2en+MzLMf2lj/txuhwSImKvkLR+2XXfu7v0Z+ztBW3V0qez+R2h
0URBFqA8wwF5juc8Ik1M3fsEBbA4mnNIisgToeSsJNkGUw8hJKXsNs3xKppLiOpL
1j05xm5tCQMCUv+RiVW6esjj/jTNijaZLUqxYDhTDZwcNpKYsvE9o7ylkEOtxqHE
2GJCyHwkq1powSZaiLzK5RotOxuElyHdtYE60pacPcijolo7vM2gWJiSFaOz/BmP
CJiAxCeNu5H7xdZ94vLTAsVFaRvRTMlb+iUSHCJF9JQTYBgZ2OtpQ2yyEEL1a1Bi
wqxFxIQzVKzAV74z1SHDJRJR21HeAE85PEDlbGtswtdmqEiJ7jwqzZrk8Pe+onrF
RT31DRBJt45+viOP4bhow1WcBfr3OJ89oPp41+Yk/4BsuQINBFM+oeYBEAC1ciFl
0fCB5p1LDlIy/emTYiUccoRXA5cqbULshyFyBEJSpfI16yK/AkVmUe40L7Y44qwF
HMereGmiMH10CpzE28YiJx+bYsrg32tHErczEs2xtsO4gnGTgJf+1VVtICaoAobr
g0xUAcsevW+10lJtlo2BRDL9mldO4efeAvC9AlX76SgiTCT6LTXUMrNgtnW2HKbI
IZuOHdZAFKmh6NNmUb0ITK47Y4ZZ3wwCYJDiQ+KOjnWEuIwkG+YowflIbZYjB/7b
EZNs26SpWwNHw0XbP9JhyG1JKFauN72YI9/NSUAZmu6pAMy/JNCDfw2rChk+63Q1
mtTNXa13lpb8zRi0cBHEPSibIryyqhabe5dzrucD79ekKfp6m4Ts9B3nL313RHAe
z0ByRSuC/iDjyC5tYc3LH/aR+zFkmz50nV6Cwk0Of1TJ9UBi7kMSSvnZ+gCRabtU
D7cjq3TtraAicUs2yr0YdCiGHU71KGAMwhQIKZ7IxqUcVwDNTxd3wSVeC6GdRph4
5htgIWY3GTw7sjMdkFtZK8QsnmfCuIm+GYGiDqT63lpsBwle0KG3GgvU29OZD91G
323jsXHK+tw4Dvx2lpGfZ+1lNxFZWhLvSjllkNRtkBHOA5BKYOC9EaPktKdq25Ou
POuw3j++iFd3fNqlebQKC4luCp9AG/BfvjM2EwARAQABiQIlBBgBCAAPBQJTPqHm
AhsMBQkJZgGAAAoJEPuBHb1p2hqMke8P/0+O0WYVhBOuzi4V1KBuVZW1CeWNngM/
dEugOZn4GX+MdMPiVuM34LAxcZUWfdhLs1ebsGOKcUSn+aa6xYfotnhWGxxWUoRs
vgtRa7oDKXAEp2/b6QbXUPlK1htrK7kQtdvzqAVktKzWUp8XJxLSMOaN0B6ocS2p
vL2cFs5TPApHvaK0GvmtaC/REcRTgctey0EPzFaCsMAZ3Pxc9b+2rhMYozSkhs0O
gga/EfvhF5+LmB9mtFKGjomrUX7IPwUJ3RPuPZ63MTLqkZLtX833xx1aN4r/u5mD
3KI3rSgrtvDx7zBk0AnN9t9pI5WtEmK7vs1PhDJ+3TIG4Y8cL1u7U91/BE2CdoRB
yHGmJZ5vcmhCbQVWHIqXFw5V9FVjN3ZehmwtQTGkBThgvA4WKOD03Q9DtJKMoPgz
tiukTPBE4ez8zj5vR5SoR3fCWCUBJD+jBKyB+N+KAWUVsnwFKe07dsEAb2Gm6/aF
APChjN9MGeDV0JQR85w7wdGGtDVCNk/Rpg7JMbTgrKB3R1LERbjsOQG3+UeWwUWS
PGccf30uvPcpEVj6SFl78/OjL/xsZYn2+gOGvwChg2UzYJ53r04aPVFyAU4bt8QO
uH6Xyl34RAPjnQdQwMWmwTIv97lJaGU/KCW+RAxXX4iPLXN7GaVZRxQIwYAS4NSP
2tTJXfcKIpxZ
=SOfW
-----END PGP PUBLIC KEY BLOCK-----


$Phrack: Phrack-SA2014-001.txt,v 1.1 2014/04/04 18:59:59 phrack_staff Exp $

-----BEGIN PGP SIGNATURE-----
Version: PHRACK

QlpoOTFBWSZTWRVLHZoAAyf9AH////373wMYQABAAGALu6EdPppZ5oxADW5Twt56
pmuBZyUFj3tsRMEAE0aCACmJNNMhhqegJok09RT9JMmIAAADTBJUQBoAAAAGQSnp
CjUhTCNAGgAAAYyGQ0Gg0aANAA0MEpkhMmimMkyp6nqB6IaDQHX2fw9YRIRL7GPm
kLUHaVB+XRDobo2ohMjkqXUEjOoXRpCExXqxxdzVW2lOSPQKNLBeskRwCzBoVEg1
yXDgZBTdxhvGLU5uuIgpUoHVjY26RlhCNEKEGrEDTosFogu1JKIIxAkg6sQRh2qV
5QQqs3VhESjzQwji1ZYR1lypFRBQlSMBbuCpd2XQXGQpJBGRIC0xQWa1YjYhBlQy
EuCIlsavprMmRkhEYSEEFSEIf6z+0/YWyFGWlutGK2Zqer0t4WFnnAdjZJI99wMS
IuSoY1LmD5CZ31t5SdLH+Wbh16d7+j0nhz0b4czZrDlnS0xgqRYCUNjhMcQxqE2x
qGxCG2xwNg4SSoQkkAUBBpBVpxoiKq0iK00qtK0lyiUotCjVVRS1RVhazbT3JVFx
fNKFLtExAhVS8NaTd0TCQyWIyESumsQLbkFqPGic6sKLxgvHtN7u+3w8T2JvUrkl
RqJ4avLzHxl0GOta2AEs2XcOqkKqWNMMs+butFMSgdomi5sJCM2dKMDGHFEFFmw8
2cZRVaJqNFEEq6hoAygi6MqIqipWHeM064o+J74qbLX606/XOm32hWBzvF92rSv4
fAVmGcQ2iYHmP0kDKoYjZZ+xJol7e3rDrVnWFBEQ7X6SBtBq5iQyns31u/iSwSMP
ByPIjfDOjrCzmmYCjb2GOEnXgi2kqeyBDw6a22GpjsmnQwLR3KdNfQyiAjVdTuIG
LJixRiW53zECTOBAj8DlIbqYQaptXEft14fDeMdVxlub5vfyIH7RmeS+xp3e2Py1
BpteSYeR8gHc6aUxM7c3ah9T5IIdLT/UskBJd5omhaTRV7qbZr9N+faszHrLUHU3
rJTo0yZKR52CCtdH/Kp0XNtk8UumiXNnSOqIg4R4oMfXmYIJ4yi0sSljTaGhJpUR
1mavfd6bfHtc+PXP36fvrlWDKYX3ucsj2boIKy8CeNVCZuAQm1VTQy4F9Az7QlsI
OKED42aeYh3Obr1zEJpuRmSu1fGA1XET8uUDLXzX8PQHFAniJAhj8IDLZW48Z0i+
UC5j8TnJ66fe0nJqDX3p1yzfLOGtECBDT8y+Xb+rUrof9u8AADk6gigEAgLK9iE2
EqeU/T1PSQ6oHT0LjD0+nHGd5wu8p8sxa95YrwpTHxQxRnTPTR/31zgUX2SwTbGL
0bhyBeVGvRDCJNMJRwbF6bR1p0iBWlBq8vVeK/LMoHzEAWxV8jVEGppTRotiGKrq
sFxnD4j7BfifOqncYzpoIREKizjczaBWlHkS40H9eCx++eDeJv4361uPOZ+U2i0N
ndaugW/Lr5Qhza9YXoD9DN0ylbRpoTeY2fWdgd9RbChq6Wvl+nZ3XBYof52raLbn
j0nQ4E8NRCEyQ65Ujkwbxzs3SFrJwBiKmpg4WXSph5l0ywrctN0PvDLmTak61qpd
QhlUgd788mhc8OCIgJ7Ot9zvT52xmgASsPGE7XtWjtrt67lHWwidOtWloSdLdAvU
nu3yvNgRoyPVilpV+OTeaRrXGt7uXmstG12Xwg1q7qTViaYPF0pIiID0owAkRmr0
5u8VBaHOrU1PPGVre3uXtl11sGTsa711vJFtzN3raKqqO/Gd847CGXfbzdO+Dk6R
d1RIKrONudEb6Zymnm8jfn4JdV1cGo1CmoLa5C8MV0jRCNFOI5TC5W3poaDG7s3U
xqWTYbEkM1DcOxojXOg8usdWwcQSEnQrLr5K8iKY319zYRt4+3C9sUedN51jH0W/
OGOpyTnL4TdJcJllHSRpIaFyyHo40jDQsYd0elnVBb2zTDLdIWUCA4M7a01r9KkV
iB6UQKRJyWJ5oORBOhELXKqbKwu7pc3AJAOGKmFzdwFd0WYEC1qlgEBjGFfWYZIs
DoSCOUWVNw1MwEPfI1f4+S+2cc/Rqms+6C5Hh0VbaGhOWZkZPF2UYJICrso7KngS
pVs+zYWUikglAKfFtGrJ4HFt61eDGMsINqQ0KSlGwy4V84urQLWsU8/d6mGayJVM
uyI2HJdd4dy5WI8nho2YG3C4otBDEetL525+PJPpXT2TptE7i5lHSU0IXzWin5IX
E68wBEcWeKsAgmSbvxUjKjSr7em+KRgW6914o6tndBfLoiqTaFGogBZEC38mGYhs
IDupHplg6AGIF/6ZJg8nC4K50llWz+DXhKcz1tTxxO215v2o6S1RwBEboiCC9GY7
ZXrSrY6SOMfZZl4298976dAUFd+CPOZMC/KSvVkUVWt5d9XnezZLhaWyyLfGYxxg
kSK2wSSETyvt3TW30nLzSTxftvPblrXeJI1BC0bJPElxZI5BC27ttsLhBW7xjee6
63d3GC3Ll+fvq/l37O+7diycfYMbsUmXt3HPGpt+fr+b4+96PdmEapPM5+zvMR8P
2mO+zg8aZn5U18vpwzjUIHztzaCXwbD5KtWvjSjhJnrzW1sf9soV89oIOXNJt3a7
yW4W21Brg4M721jFvBSPUt/HMwjyclAvAgcLAi/BKl9RQt+FFz5ppVXG7Pz3hmrZ
G6vgqC87DPKXVnRpkao51Oe/2483CYz5Oni1uZjZQtu9mimum560KHVcLixWQ4br
3EtVjERj33nu1j51OcSYESKNSO3Z6AnbF1wssZw/w7UcUOqBzfw9dxHIQcy+5vJg
EW86AaOIHiXo4uJ7sTOJTliKpJQXKRxdWPGaLtka65qOr40yU2cBVHZdBU1e9XRJ
f2kF8V4+n7DKMqoh65pSxXXJBOtW6JFvoT1J+BJ/ucEe0pSaobDbYagXTgMSwIMY
Hdt/eLUzhAxCcM21U6lH6zN35W04NcJGBU7Q9IGr787R269OY2kV66qoCIAwBYYC
MexhnvihONSGRAE+j1QRCpEM8DdSWLRunrrFq0nNoNN8dVm1lh1iWB1e9h6Jiejk
4EoZAsLKQNtIoi7sqVpMo6h+x3d6qW5ub6B/0uM+e8hZGNXqiiIhqV9yDif9mOVG
UGl+etIPRRooOEWQJQUS8sgyrKMKqJ+jKcvVB786eaQFUZo4PCDojbX/FPbRhBFd
+kr1eOyaSKBI3WGNQnUUJnHsAhrxEibHtUaXtiDH1ZhxiCa2nMq9IdpjbRHpFC81
pBBFsUF3ZN8SO7etZDWW6uHIqymhWYICj3jXhK4rACeTl7YQVy6FvMrRKkGVH/xd
yRThQkBVLHZo
-----END PGP SIGNATURE-----

Prev by Date: [security bulletin] HPSBGN02986 rev.1 - HP IceWall Identity Manager and HP IceWall SSO Password Reset Option Running Apache Commons FileUpload, Remote Denial of Service (DoS)
Next by Date: [SECURITY] [DSA 2891-3] mediawiki regression update
Previous by thread: [security bulletin] HPSBGN02986 rev.1 - HP IceWall Identity Manager and HP IceWall SSO Password Reset Option Running Apache Commons FileUpload, Remote Denial of Service (DoS)
Next by thread: [SECURITY] [DSA 2891-3] mediawiki regression update
Index(es):
- Date
- Thread

[Index of Archives] [Linux Security] [Netfilter] [PHP] [Yosemite News] [Linux Kernel]

Powered by Linux