The project includes virtual tours of the theater, backstage and museum, along with 240,000 archival photos and 16,000 documents, more than 40 digital exhibits and close-up views of costumes worn by stars such as Maria Callas. Performances of operas are available on another platform through Italy’s RAI state television

New 90-day limits on work visas for Chinese journalists followed Beijing’s expulsion of American journalists and raised the threat of further retaliation by the Chinese government.

This is the 17th installment of The Rationalist, my column for the Times of India.

One of my favourite English words comes from chess. If it is your turn to move, but any move you make makes your position worse, you are in ‘Zugzwang’. Narendra Modi was in zugzwang after the Pulwama attacks a few days ago—as any Indian prime minister in his place would have been.

An Indian PM, after an attack for which Pakistan is held responsible, has only unsavoury choices in front of him. He is pulled in two opposite directions. One, strategy dictates that he must not escalate. Two, politics dictates that he must.

Let’s unpack that. First, consider the strategic imperatives. Ever since both India and Pakistan became nuclear powers, a conventional war has become next to impossible because of the threat of a nuclear war. If India escalates beyond a point, Pakistan might bring their nuclear weapons into play. Even a limited nuclear war could cause millions of casualties and devastate our economy. Thus, no matter what the provocation, India needs to calibrate its response so that the Pakistan doesn’t take it all the way.

It’s impossible to predict what actions Pakistan might view as sufficient provocation, so India has tended to play it safe. Don’t capture territory, don’t attack military assets, don’t kill civilians. In other words, surgical strikes on alleged terrorist camps is the most we can do.

Given that Pakistan knows that it is irrational for India to react, and our leaders tend to be rational, they can ‘bleed us with a thousand cuts’, as their doctrine states, with impunity. Both in 2001, when our parliament was attacked and the BJP’s Atal Bihari Vajpayee was PM, and in 2008, when Mumbai was attacked and the Congress’s Manmohan Singh was PM, our leaders considered all the options on the table—but were forced to do nothing.

But is doing nothing an option in an election year?

Leave strategy aside and turn to politics. India has been attacked. Forty soldiers have been killed, and the nation is traumatised and baying for blood. It is now politically impossible to not retaliate—especially for a PM who has criticized his predecessor for being weak, and portrayed himself as a 56-inch-chested man of action.

I have no doubt that Modi is a rational man, and knows the possible consequences of escalation. But he also knows the possible consequences of not escalating—he could dilute his brand and lose the elections. Thus, he is forced to act. And after he acts, his Pakistan counterpart will face the same domestic pressure to retaliate, and will have to attack back. And so on till my home in Versova is swallowed up by a nuclear crater, right?

Well, not exactly. There is a way to resolve this paradox. India and Pakistan can both escalate, not via military actions, but via optics.

Modi and Imran Khan, who you’d expect to feel like the loneliest men on earth right now, can find sweet company in each other. Their incentives are aligned. Neither man wants this to turn into a full-fledged war. Both men want to appear macho in front of their domestic constituencies. Both men are masters at building narratives, and have a pliant media that will help them.

Thus, India can carry out a surgical strike and claim it destroyed a camp, killed terrorists, and forced Pakistan to return a braveheart prisoner of war. Pakistan can say India merely destroyed two trees plus a rock, and claim the high moral ground by returning the prisoner after giving him good masala tea. A benign military equilibrium is maintained, and both men come out looking like strong leaders: a win-win game for the PMs that avoids a lose-lose game for their nations. They can give themselves a high-five in private when they meet next, and Imran can whisper to Modi, “You’re a good spinner, bro.”

There is one problem here, though: what if the optics don’t work?

If Modi feels that his public is too sceptical and he needs to do more, he might feel forced to resort to actual military escalation. The fog of politics might obscure the possible consequences. If the resultant Indian military action causes serious damage, Pakistan will have to respond in kind. In the chain of events that then begins, with body bags piling up, neither man may be able to back down. They could end up as prisoners of circumstance—and so could we.

***

Also check out:

Why Modi Must Learn to Play the Game of Chicken With Pakistan—Amit Varma
The Two Pakistans—Episode 79 of The Seen and the Unseen
India in the Nuclear Age—Episode 80 of The Seen and the Unseen

© 2007 IndiaUncut.com. All rights reserved.
India Uncut * The IU Blog * Rave Out * Extrowords * Workoutable * Linkastic

This is the 17th installment of The Rationalist, my column for the Times of India.

One of my favourite English words comes from chess. If it is your turn to move, but any move you make makes your position worse, you are in ‘Zugzwang’. Narendra Modi was in zugzwang after the Pulwama attacks a few days ago—as any Indian prime minister in his place would have been.

An Indian PM, after an attack for which Pakistan is held responsible, has only unsavoury choices in front of him. He is pulled in two opposite directions. One, strategy dictates that he must not escalate. Two, politics dictates that he must.

Let’s unpack that. First, consider the strategic imperatives. Ever since both India and Pakistan became nuclear powers, a conventional war has become next to impossible because of the threat of a nuclear war. If India escalates beyond a point, Pakistan might bring their nuclear weapons into play. Even a limited nuclear war could cause millions of casualties and devastate our economy. Thus, no matter what the provocation, India needs to calibrate its response so that the Pakistan doesn’t take it all the way.

It’s impossible to predict what actions Pakistan might view as sufficient provocation, so India has tended to play it safe. Don’t capture territory, don’t attack military assets, don’t kill civilians. In other words, surgical strikes on alleged terrorist camps is the most we can do.

Given that Pakistan knows that it is irrational for India to react, and our leaders tend to be rational, they can ‘bleed us with a thousand cuts’, as their doctrine states, with impunity. Both in 2001, when our parliament was attacked and the BJP’s Atal Bihari Vajpayee was PM, and in 2008, when Mumbai was attacked and the Congress’s Manmohan Singh was PM, our leaders considered all the options on the table—but were forced to do nothing.

But is doing nothing an option in an election year?

Leave strategy aside and turn to politics. India has been attacked. Forty soldiers have been killed, and the nation is traumatised and baying for blood. It is now politically impossible to not retaliate—especially for a PM who has criticized his predecessor for being weak, and portrayed himself as a 56-inch-chested man of action.

I have no doubt that Modi is a rational man, and knows the possible consequences of escalation. But he also knows the possible consequences of not escalating—he could dilute his brand and lose the elections. Thus, he is forced to act. And after he acts, his Pakistan counterpart will face the same domestic pressure to retaliate, and will have to attack back. And so on till my home in Versova is swallowed up by a nuclear crater, right?

Well, not exactly. There is a way to resolve this paradox. India and Pakistan can both escalate, not via military actions, but via optics.

Modi and Imran Khan, who you’d expect to feel like the loneliest men on earth right now, can find sweet company in each other. Their incentives are aligned. Neither man wants this to turn into a full-fledged war. Both men want to appear macho in front of their domestic constituencies. Both men are masters at building narratives, and have a pliant media that will help them.

Thus, India can carry out a surgical strike and claim it destroyed a camp, killed terrorists, and forced Pakistan to return a braveheart prisoner of war. Pakistan can say India merely destroyed two trees plus a rock, and claim the high moral ground by returning the prisoner after giving him good masala tea. A benign military equilibrium is maintained, and both men come out looking like strong leaders: a win-win game for the PMs that avoids a lose-lose game for their nations. They can give themselves a high-five in private when they meet next, and Imran can whisper to Modi, “You’re a good spinner, bro.”

There is one problem here, though: what if the optics don’t work?

If Modi feels that his public is too sceptical and he needs to do more, he might feel forced to resort to actual military escalation. The fog of politics might obscure the possible consequences. If the resultant Indian military action causes serious damage, Pakistan will have to respond in kind. In the chain of events that then begins, with body bags piling up, neither man may be able to back down. They could end up as prisoners of circumstance—and so could we.

***

Also check out:

Why Modi Must Learn to Play the Game of Chicken With Pakistan—Amit Varma
The Two Pakistans—Episode 79 of The Seen and the Unseen
India in the Nuclear Age—Episode 80 of The Seen and the Unseen

The India Uncut Blog © 2010 Amit Varma. All rights reserved.
Follow me on Twitter.

An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.

The Linux kernel failed to properly initialize some entries the proto_ops struct for several protocols, leading to NULL being derefenced and used as a function pointer. By using mmap(2) to map page 0, an attacker can execute arbitrary code in the context of the kernel. Several public exploits exist for this vulnerability, including spender's wunderbar_emporium and rcvalle's ppc port, sock_sendpage.c. All Linux 2.4/2.6 versions since May 2001 are believed to be affected: 2.4.4 up to and including 2.4.37.4; 2.6.0 up to and including 2.6.30.4

Chkrootkit before 0.50 will run any executable file named /tmp/update as root, allowing a trivial privsec. WfsDelay is set to 24h, since this is how often a chkrootkit scan is scheduled by default.

This Metasploit module exploits a vulnerability in the FreeBSD kernel, when running on 64-bit Intel processors. By design, 64-bit processors following the X86-64 specification will trigger a general protection fault (GPF) when executing a SYSRET instruction with a non-canonical address in the RCX register. However, Intel processors check for a non-canonical address prior to dropping privileges, causing a GPF in privileged mode. As a result, the current userland RSP stack pointer is restored and executed, resulting in privileged code execution.

This Metasploit module exploits a vulnerability in the FreeBSD run-time link-editor (rtld). The rtld unsetenv() function fails to remove LD_* environment variables if __findenv() fails. This can be abused to load arbitrary shared objects using LD_PRELOAD, resulting in privileged code execution.

Qualys has discovered that OpenBSD suffers from multiple authentication bypass and local privilege escalation vulnerabilities.

Qualys discovered a local privilege escalation in OpenBSD's dynamic loader (ld.so). This vulnerability is exploitable in the default installation (via the set-user-ID executable chpass or passwd) and yields full root privileges. They developed a simple proof of concept and successfully tested it against OpenBSD 6.6 (the current release), 6.5, 6.2, and 6.1, on both amd64 and i386; other releases and architectures are probably also exploitable.

This Metasploit module exploits a vulnerability in the OpenBSD ld.so dynamic loader (CVE-2019-19726). The _dl_getenv() function fails to reset the LD_LIBRARY_PATH environment variable when set with approximately ARG_MAX colons. This can be abused to load libutil.so from an untrusted path, using LD_LIBRARY_PATH in combination with the chpass set-uid executable, resulting in privileged code execution. This module has been tested successfully on OpenBSD 6.1 (amd64) and OpenBSD 6.6 (amd64).

Qualys discovered a vulnerability in OpenSMTPD, OpenBSD's mail server. This vulnerability is exploitable since May 2018 (commit a8e222352f, "switch smtpd to new grammar") and allows an attacker to execute arbitrary shell commands, as root.

Microsoft Windows WizardOpium local privilege escalation exploit.

Microsoft Windows 10 SMB version 3.1.1 SMBGhost local privilege escalation exploit.

Microsoft Windows suffers from an NtFilterToken ParentTokenId incorrect setting that allows for elevation of privileges.

In Microsoft Windows, by using the poorly documented SE_SERVER_SECURITY Control flag it is possible to set an owner different to the caller, bypassing security checks.

This Metasploit module exploits a logic flaw due to how the lpApplicationName parameter is handled. When the lpApplicationName contains a space, the file name is ambiguous. Take this file path as example: C:program fileshello.exe; The Windows API will try to interpret this as two possible paths: C:program.exe, and C:program fileshello.exe, and then execute all of them. To some software developers, this is an unexpected behavior, which becomes a security problem if an attacker is able to place a malicious executable in one of these unexpected paths, sometimes escalate privileges if run as SYSTEM. Some software such as OpenVPN 2.1.1, OpenSSH Server 5, and others have the same problem.

Ubiquiti Networks UniFi Cloud Key with firmware versions 0.5.9 and 0.6.0 suffer from weak crypto, privilege escalation, and command injection vulnerabilities.

Microsoft Windows 7 Build 7601 (x86) local privilege escalation exploit.

The Plantronics Hub client application for Windows makes use of an automatic update service SpokesUpdateService.exe which automatically executes a file specified in the MajorUpgrade.config configuration file as SYSTEM. The configuration file is writable by all users by default. This module has been tested successfully on Plantronics Hub version 3.13.2 on Windows 7 SP1 (x64). This Metasploit module has been tested successfully on Plantronics Hub version 3.13.2 on Windows 7 SP1 (x64).

The Windscribe VPN client application for Windows makes use of a Windows service WindscribeService.exe which exposes a named pipe \.pipeWindscribeService allowing execution of programs with elevated privileges. Windscribe versions prior to 1.82 do not validate user-supplied program names, allowing execution of arbitrary commands as SYSTEM. This Metasploit module has been tested successfully on Windscribe versions 1.80 and 1.81 on Windows 7 SP1 (x64).

This Metasploit module leverages a trusted file overwrite with a dll hijacking vulnerability to gain SYSTEM-level access on vulnerable Windows 10 x64 targets.

This Metasploit module exploits a NULL pointer dereference vulnerability in MNGetpItemFromIndex(), which is reachable via a NtUserMNDragOver() system call. The NULL pointer dereference occurs because the xxxMNFindWindowFromPoint() function does not effectively check the validity of the tagPOPUPMENU objects it processes before passing them on to MNGetpItemFromIndex(), where the NULL pointer dereference will occur. This module has been tested against Windows 7 x86 SP0 and SP1. Offsets within the solution may need to be adjusted to work with other versions of Windows, such as Windows Server 2008.

Local root exploit for the FreeBSD mqueuefs vulnerability as disclosed in FreeBSD-SA-19:15.mqueuefs.

Local root exploit for the FreeBSD fd vulnerability as disclosed in FreeBSD-SA-19:02.fd.

CentOS Control Web Panel version 0.9.8.836 suffers from a privilege escalation vulnerability.

This Metasploit module attempts to gain root privileges by blindly injecting into the session user's running shell processes and executing commands by calling system(), in the hope that the process has valid cached sudo tokens with root privileges. The system must have gdb installed and permit ptrace. This module has been tested successfully on Debian 9.8 (x64) and CentOS 7.4.1708 (x64).

This Metasploit module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 up to 1.20.3. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This module has been tested with CentOS 7 (1708). CentOS default install will require console auth for the users session. Xorg must have SUID permissions and may not start if running. On successful exploitation artifacts will be created consistent with starting Xorg.

This Metasploit module is an exploit that takes advantage of xglance-bin, part of HP's Glance (or Performance Monitoring) version 11 and subsequent, which was compiled with an insecure RPATH option. The RPATH includes a relative path to -L/lib64/ which can be controlled by a user. Creating libraries in this location will result in an escalation of privileges to root.

This Metasploit module exploits a vulnerability in the rds_page_copy_user function in net/rds/page.c (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8 to execute code as root (CVE-2010-3904). This module has been tested successfully on Fedora 13 (i686) kernel version 2.6.33.3-85.fc13.i686.PAE and Ubuntu 10.04 (x86_64) with kernel version 2.6.32-21-generic.

Certain Secure Access SA Series SSL VPN products (originally developed by Juniper Networks but now sold and supported by Pulse Secure, LLC) allow privilege escalation, as demonstrated by Secure Access SSL VPN SA-4000 5.1R5 (build 9627) 4.2 Release (build 7631). This occurs because appropriate controls are not performed.

Whitepaper called Blind CreateRemoteThread Privilege Escalation.

Druva inSync Windows Client version 6.5.2 suffers from a local privilege escalation vulnerability.

Microsoft Windows suffers from a Desktop Bridge Virtual Registry arbitrary file read / write privilege escalation vulnerability.

Microsoft Windows suffers from a Desktop Bridge Virtual Registry NtLoadKey arbitrary file read / write privilege escalation vulnerability.

The VMX process (vmware-vmx.exe) process configures and hosts an instance of VM. As is common with desktop virtualization platforms the VM host usually has privileged access into the OS such as mapping physical memory which represents a security risk. To mitigate this the VMX process is created with an elevated integrity level by the authentication daemon (vmware-authd.exe) which runs at SYSTEM. This prevents a non-administrator user opening the process and abusing its elevated access. Unfortunately the process is created as the desktop user which results in the elevated process sharing resources such as COM registrations with the normal user who can modify the registry to force an arbitrary DLL to be loaded into the VMX process. Affects VMware Workstation Windows version 14.1.5 (on Windows 10). Also tested on VMware Player version 15.

This Metasploit module will bypass Windows UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when Windows backup and restore is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registry key, but cleans up the key once the payload has been invoked.

This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Tracing functionality used by the Routing and Remote Access service. The issue results from the lack of proper permissions on registry keys that control this functionality. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of SYSTEM.

This Metasploit module attempts to exploit a race condition in mail.local with the SUID bit set on: NetBSD 7.0 - 7.0.1 (verified on 7.0.1), NetBSD 6.1 - 6.1.5, and NetBSD 6.0 - 6.0.6. Successful exploitation relies on a crontab job with root privilege, which may take up to 10min to execute.

Cisco Unified Contact Center Express suffers from a privilege escalation vulnerability.

Cisco AnyConnect Secure Mobility Client for Windows version 4.8.01090 suffer from a privilege escalation vulnerability due to insecure handling of path names.

IBM AIX High Availability Cluster Multiprocessing (HACMP) suffers from a local privilege escalation vulnerability that results in root privileges.

IBM AIX versions 6.1, 7.1, and 7.2 suffer from a Bellmail privilege escalation vulnerability.

CA Technologies support is alerting customers about a medium risk vulnerability that may allow a local attacker to gain additional privileges with products using CA Common Services running on the AIX, HP-UX, Linux, and Solaris platforms. The vulnerability, CVE-2016-9795, occurs due to insufficient validation by the casrvc program. A local unprivileged user can exploit the vulnerability to modify arbitrary files, which can potentially allow a local attacker to gain root level access.

Xorg X11 server on AIX local privilege escalation exploit.

This Metasploit module has been tested with AIX 7.1 and 7.2, and should also work with 6.1. Due to permission restrictions of the crontab in AIX, this module does not use cron, and instead overwrites /etc/passwd in order to create a new user with root privileges. All currently logged in users need to be included when /etc/passwd is overwritten, else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user. The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX, and is replaced by '-config', in conjuction with ANSI-C quotes to inject newlines when overwriting /etc/passwd.