Security Alerts Archive - Apr 2008

Last Update: 30 Apr 2008

SNMPc TRAP Community Name Overflow
updated: 1-May-08
A stack overflow vulnerability was discovered in Castle Rock Computing SNMPc Network Manager < 7.1.1 when an overly long community string is sent in an SNMP TRAP packet. The packet is valid ASN.1, including the encoded length of the community string. An attacker can craft a single UDP packet that leads to the execution of arbitrary code in the context of LocalSystem.

Upgrade to the latest version.

HP-UX running WBEM Services, Remote Code Execution and Gain Extended Privileges
updated: 1-May-08
Security vulnerabilities were identified in HP-UX B.11.11, B.11.23 and B.11.31 running HP WBEM Services vA.02.05.08 or earlier, and in HP-UX B.11.23 and B.11.31 running HP WBEM Services vA.02.07 or earlier.

These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges.

Install the software patches from HP.

SugarCRM Community Edition Local File Disclosure
updated: 1-May-08
SugarCRM Community Edition prior to 4.5.1j and 5.0.0c is vulnerable to local file contents disclosure. This vulnerability can be exploited by a malicious user to disclose potentially sensitive information. The flaw is caused by a lack of input filtering in the SugarCRM RSS module, which can be exploited to disclose the content of local files.

The RSS module allows SugarCRM users to add RSS feeds to their personal RSS list. The application expects a URL value pointing to a valid RSS feed. However, the URL variable value is not properly sanitized and any URI value can be entered instead. In this particular case, it was discovered that it is possible to enter a file path to any file on the local system hosting the SugarCRM application.

As a result, SugarCRM does not display the new RSS feed in the list, since it is not a valid RSS feed URL. However, the application creates a local file named with the MD5 hash of the URL entered, in the directory cache/feeds. If the Apache web server is used, the file is created by the www-data user with read permission.

Upgrade to the latest version.

Reference
http://www.security-assessment.com/files/advisories/2008-04-29_SugarCRM_local_file_disclosure.pdf
GroupWise 7.0 mailto: scheme buffer overflow
updated: 1-May-08
The "mailto:" URI scheme handler of GroupWise 7.0 is vulnerable to a buffer overflow when GroupWise is set as the default mail client. Invoking the scheme with an overly long argument overflows the buffer; as a consequence, EIP can be overwritten and arbitrary code executed.

Proof of Concept was published.

Wordpress Cookie Integrity Protection Vulnerability
updated: 1-May-08
An attacker, who is able to register a specially crafted username on a Wordpress 2.5 installation, is able to generate authentication cookies for other chosen accounts. This vulnerability exists because it is possible to modify authentication cookies without invalidating the cryptographic integrity protection.

If a Wordpress blog is configured to freely permit account creation, a remote attacker can gain Wordpress-administrator access and then elevate this to arbitrary code execution as the web server user.

The vulnerability is fixed in Wordpress 2.5.1.

Reference
http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-integrity.txt
Insufficient Argument Validation of Hooked SSDT Functions on Multiple Antivirus and Firewalls
updated: 1-May-08
Insufficient argument validation of hooked SSDT functions was reported on multiple Antivirus and Firewalls that could lead to a Denial of Service and possibly to code execution attacks.

An attacker exploiting these flaws could locally reboot the whole system, shutting down the firewall or anti-virus protection. In some cases it may be possible to extend the impact of these bugs to the execution of arbitrary code in privileged kernel mode.

Vulnerable Packages include:
- BitDefender Antivirus 2008 Build 11.0.11
- Comodo Firewall Pro 2.4.18.184
- Sophos Antivirus 7.0.5
- Rising Antivirus 19.60.0.0 and 19.66.0.0.

Update these products to the latest version.

Reference
http://www.coresecurity.com/?action=item&id=2249
KDE start_kdeinit: Multiple vulnerabilities
updated: 1-May-08
Multiple vulnerabilities were reported in start_kdeinit of KDE < 4.0 that could possibly allow a local attacker to execute arbitrary code with root privileges.

A local attacker could possibly execute arbitrary code with root privileges, cause a Denial of Service or send Unix signals to other processes, when start_kdeinit is setuid root.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1671
Comix Multiple Vulnerabilities
updated: 1-May-08
Comix < 3.6.4-r1 does not properly sanitize filenames containing shell metacharacters when they are passed to the rar, unrar, or jpegtran programs. Comix also creates directories with predictable names.

A remote attacker could exploit the first vulnerability by enticing a user to use Comix to open a file with a specially crafted filename, resulting in the execution of arbitrary commands. The second vulnerability could be exploited by a local attacker to cause a Denial of Service by creating a file or directory with the same filename as the predictable filename used by Comix.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1796
HP Software Update HPeDiag Disclosure of Information and Execution of Arbitrary Code
updated: 26-Apr-08
A potential vulnerability has been identified in the HPeDiag ActiveX control, which is a component of HP Software Update v4.000.009.002 running under Windows. The vulnerability could be exploited to allow remote disclosure of information and execution of arbitrary code.

Install the update from HP.

SILC Multiple Vulnerabilities
updated: 26-Apr-08
Multiple vulnerabilities were found in SILC Client < 1.1.4, Server < 1.1.2, and Toolkit < 1.1.7, allowing for Denial of Service and execution of arbitrary code.

A remote attacker could exploit these vulnerabilities to cause a Denial of Service or execute arbitrary code with the privileges of the user running the application.

Upgrade to the latest version.


Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1227
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1552
BadBlue uninst.exe DoS
updated: 26-Apr-08
Because no patch has been released for the previously documented directory traversal vulnerability in BadBlue 2.72 (CVE-2007-6378), an attacker may use these two flaws in conjunction to place a malicious executable in the web root and compromise a vulnerable server.

Restrict access to the executables already in the web root (badblue.exe, uninst.exe, and dyndns.exe) and take steps to ensure that users cannot write files to the web root.

JRockit Multiple Vulnerabilities
updated: 26-Apr-08
Multiple vulnerabilities have been identified in BEA JRockit < 1.4.2.16 and < 1.5.0.14.

A remote attacker could entice a user to run a specially crafted applet on a website or start an application in Java Web Start to execute arbitrary code outside of the Java sandbox and of the Java security restrictions with the privileges of the user running Java. The attacker could also obtain sensitive information, create, modify, rename and read local files, execute local applications, establish connections in the local network, bypass the same origin policy, and cause a Denial of Service via multiple vectors.

Upgrade to the latest version.

Reference
http://www.gentoo.org/security/en/glsa/glsa-200804-20.xml
RSA Authentication Agent Login Page Cross Site Scripting
updated: 26-Apr-08
Cross site scripting was reported on the RSA Authentication Agent 5.3.0.258 login page. An attacker may be able to cause execution of malicious scripting code in the browser of a victim user who clicks on a link to an RSA Authentication Agent login page. Such code would run within the context of the target domain.

Upgrade to RSA Authentication Agent 5.3.3.378.

Reference
http://www.procheckup.com/Vulnerability_2007.php
http://www.rsa.com/node.aspx?id=2807
Cross-domain redirect on RSA Authentication Agent
updated: 26-Apr-08
A remote URI redirection vulnerability affects the RSA Authentication Agent < 5.3.0.258. This issue is due to a failure of the application to properly sanitize URI-supplied data assigned to the 'url' parameter.

An attacker may leverage this issue to carry out convincing phishing attacks against unsuspecting users by causing an arbitrary page to be loaded once a specially crafted RSA Authentication Agent URL is visited.

Upgrade to RSA Authentication Agent 5.3.3.378.

Reference
http://www.procheckup.com/Vulnerabilities.php
http://www.rsa.com/node.aspx?id=2807
Realtek HD Audio Codec Drivers (Vista) Local Privilege Escalation
updated: 26-Apr-08
Realtek HD Audio Codec Drivers < 6.0.1.5605 are prone to a local privilege escalation due to insufficient validation of user-mode buffers. Successful exploitation grants SYSTEM privileges to authenticated users; no special privileges are required to exploit the flaw.

A malicious attacker can take advantage of these flaws to elevate privileges by creating, reading or writing arbitrary registry keys, or overwriting arbitrary kernel addresses.

Upgrade the driver to the latest version.

Reference
http://www.wintercore.com/advisories/advisory_W010408.html
Openfire Denial of Service
updated: 26-Apr-08
A design error was reported in Openfire < 3.5.0 that might lead to a Denial of Service. Openfire's connection manager in the file ConnectionManagerImpl.java cannot handle clients that fail to read messages, and has no limit on their session's send buffer.

Remote authenticated attackers could trigger large outgoing queues without reading messages, causing a Denial of Service.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1728
VLC User-assisted Execution of Arbitrary Code
updated: 26-Apr-08
Multiple vulnerabilities were found in VLC < 0.8.6f, allowing for the execution of arbitrary code.

A remote attacker could entice a user to open a specially crafted media file or stream, possibly resulting in the remote execution of arbitrary code.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6681
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0073
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1489
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1768
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1769
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1881
http://www.gentoo.org/security/en/glsa/glsa-200803-13.xml
IAX2 Incomplete 3-Way Handshake
updated: 26-Apr-08
A vulnerability reported in Asterisk's IAX2 support allows remote attackers who can spoof IAX2 packets to cause the product to generate increasing amounts of traffic that is sent to the spoofed source.

Upgrade to Asterisk Open Source version 1.2.28, Asterisk Open Source version 1.4.19.1, Asterisk Business Edition version B.2.5.2, Asterisk Business Edition version C.1.8.1, AsteriskNOW version 1.0.3, or s800i (Asterisk Appliance) version 1.1.0.3.

Reference
https://www.altsci.com/concepts/page.php?s=asteri&p=2
http://downloads.digium.com/pub/security/AST-2008-006.html
Adobe Album Starter Unchecked Local Buffer Overflow
updated: 22-Apr-08
A vulnerability was discovered in Adobe Album Starter 3.2, Adobe After Effects CS3 and Adobe Photoshop CS3 that allows attackers to cause the product to overflow an internal buffer, which in turn can be used to cause it to execute arbitrary code.

This vulnerability is related to the parsing of header images, in that the applications do not verify that the image header is valid before trying to render it. This leaves an opportunity to cause an unchecked buffer overflow and allow for the execution of malicious code.

PoC exploit has been published.

Intel Centrino 2200BG Wireless Driver Probe Overflow
updated: 22-Apr-08
A vulnerability was reported in the Intel Centrino 2200BG / 2915ABG Wireless driver < 10.5 with driver version 9.0.4.16, which allows remote attackers to overflow an internal buffer via a malformed beacon packet, which in turn can be used to execute arbitrary code.

PoC exploit has been published.

Reference
http://www.milw0rm.com/exploits/5461
DBmail Data Disclosure
updated: 22-Apr-08
A vulnerability in DBMail < 2.2.9 authldap module when used in conjunction with an Active Directory server has been reported by vugluskr. When passing a zero length password to the module, it tries to bind anonymously to the LDAP server. If the LDAP server allows anonymous binds, this bind succeeds and results in a successful authentication to DBMail.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6714
CUPS Integer Overflow Vulnerability
updated: 22-Apr-08
A possible integer overflow vulnerability was reported in the PNG image handling in the file filter/image-png.c of CUPS < 1.2.12-r8.

A malicious user might be able to execute arbitrary code with the privileges of the user running CUPS (usually lp), or cause a Denial of Service by sending a specially crafted PNG image to the print server. The vulnerability is exploitable via the network if CUPS is sharing printers remotely.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1722
RedDot CMS SQL Injection Vulnerability
updated: 22-Apr-08
The RedDot CMS 7.5 Build 7.5.0.48 is vulnerable to a pre-authentication SQL injection vulnerability. Normal input for the 'LngId' parameter contains a code such as ENG, DEU, JP, denoting the language type. This parameter is not properly validated and the injection of SQL statements within it allows attackers unrestricted access to enumerate information from the database.

PoC exploit has been published. Install the patch from the developer.

Reference
http://www.irmplc.com/index.php/167-Advisory-026
Joomla Component Jom Comment SQL Injection
updated: 22-Apr-08
The Joomla! component Jom Comment 2.0 build 345 is vulnerable to SQL injection because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability using common SQL injection techniques to compromise data contained in the Joomla! / MySQL database. Data includes the username, password hash, and password salt of every application user including the site administrator.


Deciphering the PHP-Nuke CAPTCHA
updated: 22-Apr-08
The CAPTCHA used in the current version 8.1 of PHP-Nuke can be deciphered with 100% accuracy.

PoC exploit has been published.

Reference
http://www.rooksecurity.com/exploits/php_nuke_captcha.zip
IBM DB2 UDB Arbitrary code execution in ADMIN_SP_C/ADMIN_SP_C2 Procedures
updated: 19-Apr-08
By using the ADMIN_SP_C/ADMIN_SP_C2 procedures, an attacker may be able to execute arbitrary code in all versions of IBM DB2 UDB. The ADMIN_SP_C/ADMIN_SP_C2 procedures are installed by default. ADMIN_SP_C2 is not available on 8.2.

To fix the problem, apply the FP16(v8), FP4a(v9.1) and FP1(v9.5) from IBM.

Reference
http://www-1.ibm.com/support/docview.wss?rs=71&uid=swg21256235
http://www-1.ibm.com/support/docview.wss?rs=71&uid=swg21255572
http://www-1.ibm.com/support/docview.wss?rs=71&uid=swg21287889
IBM DB2 UDB Arbitrary file overwrite in SYSPROC.NNSTAT procedure
updated: 19-Apr-08
NNSTAT procedure retrieves currently available statistics on one or more nicknames. By supplying an existing file as a log file parameter, arbitrary files can be overwritten on all versions of IBM DB2 Database Server. The NNSTAT procedure is installed by default.

To fix the problem, apply the FP16(v8), FP4a(v9.1) and FP1(v9.5) from IBM.

Reference
http://www-1.ibm.com/support/docview.wss?rs=71&uid=swg21256235
http://www-1.ibm.com/support/docview.wss?rs=71&uid=swg21255572
http://www-1.ibm.com/support/docview.wss?rs=71&uid=swg21287889
PowerDNS Recursor DNS Cache Poisoning
updated: 19-Apr-08
Insufficient randomness was used in PowerDNS Recursor < 3.1.5 to calculate the TRXID values and the UDP source port numbers.

A remote attacker could send malicious answers to insert arbitrary DNS data into the cache. These attacks would in turn help an attacker to perform man-in-the-middle and site impersonation attacks.

Upgrade to the latest version.


Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1637
Multiple DoS in JAR Files Manipulation Procedures
updated: 19-Apr-08
All versions of IBM DB2 Database Server on the Windows platform have multiple vulnerabilities which can lead to Denial of Service (DoS) attacks against the instance. When the RECOVERJAR and REMOVE_JAR procedures are called with a specially crafted parameter, the DB2 instance crashes. Any DB2 database user can exploit these vulnerabilities since PUBLIC permissions are granted to both procedures by default. The RECOVERJAR and REMOVE_JAR procedures are installed by default.

To fix the problem apply the FP16(v8), FP4a(v9.1) and FP1(v9.5) from IBM.

Reference
http://www-1.ibm.com/support/docview.wss?rs=71&uid=swg21256235
http://www-1.ibm.com/support/docview.wss?rs=71&uid=swg21255572
http://www-1.ibm.com/support/docview.wss?rs=71&uid=swg21287889
Wikepage Wiki v.2007-2 Cross-Site Scripting
updated: 19-Apr-08
Input passed to "wiki" in "index.php" is not properly sanitized before being used. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when malicious data is viewed.


LightNEasy v.1.2.2 flat Multiple Vulnerabilities
updated: 19-Apr-08
Input passed to "page" in "index.php" and "LightNEasy.php" is not properly sanitized before being used. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when malicious data is viewed.

Input passed to "page" in "index.php" and "LightNEasy.php" is not properly sanitized before being used to include files. This can be exploited to include arbitrary files from local resources.

Input passed to "page" in "index.php" and "LightNEasy.php" is not properly sanitized before being used to create files.

Install the patch from the vendor.

PHP Toolkit Data disclosure and Denial of Service
updated: 19-Apr-08
php-select of PHP Toolkit < 1.0.1 does not quote parameters passed to the "tr" command, which could convert the "-D PHP5" argument in the "APACHE2_OPTS" setting in the file /etc/conf.d/apache2 to lower case.

An attacker could entice a system administrator to run "emerge php" or call "php-select -t apache2 php5" directly in a directory containing a lower case single-character named file, which would prevent Apache from loading mod_php and thereby disclose PHP source code and cause a Denial of Service.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1734
Poppler User-assisted Execution of Arbitrary Code
updated: 19-Apr-08
The CairoFont::create() function in the file CairoFontEngine.cc of Poppler < 0.6.3 does not verify the type of an embedded font object inside a PDF file before dereferencing a function pointer from it.

A remote attacker could entice a user to open a specially crafted PDF file with a Poppler-based PDF viewer such as Gentoo's Xpdf, Epdfview, or Evince, potentially resulting in the execution of arbitrary code with the privileges of the user running the application.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1693
Cisco Network Admission Control Shared Secret Vulnerability
updated: 18-Apr-08
A vulnerability exists in the Cisco Network Admission Control (NAC) Appliance that can allow an attacker to obtain the shared secret that is used between the Cisco Clean Access Server (CAS) and the Cisco Clean Access Manager (CAM).

Cisco NAC Appliance software prior to 3.6.4.4, 4.0.6 and 4.1.2 are affected. Upgrade to the latest version.

Reference
http://www.cisco.com/warp/public/707/cisco-sa-20080416-nac.shtml
Oracle Application Express Privilege Escalation Vulnerability
updated: 18-Apr-08
A design error vulnerability was reported in the Oracle Application Express 3.0.1.00.08 web application development tool that allows attackers to gain elevated privileges.

The vulnerability exists in "run_ddl" function within the "wwv_execute_immediate" package. This package is included in the "flows_030000" schema. This function allows attackers to execute SQL commands as any database user, such as SYS.

Successful exploitation allows the attacker to execute SQL commands as any database user. In order to exploit this vulnerability, an attacker must have access to an account which can execute the "flows_030000.wwv_execute_immediate.run_ddl" function. On a default installation of Oracle Database 11g, the following non-DBA users can execute this function: WMSYS, WKSYS, FLOWS_030000, OUTLN.

If combined with other SQL injection vulnerabilities which give access to above accounts, an attacker with normal database user access can take control of the whole database and possibly the whole computer system.

Install the Critical Patch Update for April 2008.

Reference
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=690
Apple Safari WebKit PCRE Handling Integer Overflow
updated: 18-Apr-08
An integer overflow was reported in the regular expression compiler (JavaScriptCore/pcre/pcre_compile.cpp) in WebKit of Apple Safari. When nesting regular expressions with large repetitions, a heap overflow occurs resulting in a condition allowing the execution of arbitrary code.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Safari. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

Update to the latest version.

Reference
http://www.zerodayinitiative.com/advisories/ZDI-08-022
http://support.apple.com/kb/HT1467
Speex User-Assisted Execution of Arbitrary Code
updated: 18-Apr-08
Speex < 1.2_beta3_p2 library does not properly validate the "mode" value it derives from Speex streams, allowing for array indexing vulnerabilities inside multiple player applications. Within Gentoo, xine-lib, VLC, gst-plugins-speex from the GStreamer Good Plug-ins, vorbis-tools, libfishsound, Sweep, SDL_sound, and speexdec were found to be vulnerable.

A remote attacker could entice a user to open a specially crafted Speex file or network stream with an application listed above. This might lead to the execution of arbitrary code with privileges of the user playing the file.

Upgrade to the latest version.

rsync Execution of Arbitrary Code
updated: 18-Apr-08
An integer overflow was reported in the expand_item_list() function in the file util.c of rsync < 2.6.9-r6 which might lead to a heap-based buffer overflow when extended attribute (xattr) support is enabled.

A remote attacker could send a file containing specially crafted extended attributes to an rsync daemon, or entice a user to sync from an rsync server containing specially crafted files, possibly leading to the execution of arbitrary code.

Please note that extended attributes are only enabled when USE="acl" is enabled, which is the default setting.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1720
ICQ 6 Buffer Overflow Vulnerability
updated: 18-Apr-08
A critical remote buffer overflow vulnerability was reported in the latest ICQ version (ICQ 6.0). In newer versions, ICQ has a 'Personal Status Manager' feature, where a user can specify text messages for his status/mood (online/offline/etc.). The specified message will be visible in the title part of a remote user's ICQ chat window, when a chat session is initiated.

Upgrade to the latest version.

Reference
http://www.infigo.hr/en/in_focus/advisories/INFIGO-2008-04-08
Multiple Vendor OpenOffice QPRO Multiple Heap Overflow Vulnerabilities
updated: 18-Apr-08
Multiple buffer overflow vulnerabilities in OpenOffice version 2.3, as included in various vendors' operating system distributions, allow attackers to execute arbitrary code with the privileges of the logged in user.

The first vulnerability occurs when parsing "Attribute" records from the file. Due to a lack of bounds checking during a loop that reads these records, an attacker can trigger a heap overflow by inserting more than 256 records.

The second vulnerability is nearly identical to the first one, but involves the "Font Description" record instead of the "Attribute" record.

Successful exploitation of these vulnerabilities results in the execution of arbitrary code with the privileges of the user opening the file. In order to exploit this vulnerability, an attacker must persuade a user to open a malicious file.

Upgrade to version 2.4.

Reference
http://www.openoffice.org/security/cves/CVE-2007-5745.html
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=691
Multiple Vendor OpenOffice OLE DocumentSummaryInformation Heap Overflow Vulnerability
updated: 18-Apr-08
A heap based buffer overflow was reported in OpenOffice version 2.3.1, as included in various vendors' operating system distributions, that could allow an attacker to execute arbitrary code with the privileges of the current user.

The vulnerability exists within the importer for files stored using the OLE format. When parsing the "DocumentSummaryInformation" stream, the vulnerable code does not correctly verify the size of a destination buffer before copying data from the file into it. This results in an exploitable heap overflow.

Successful exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user opening the file. To exploit this vulnerability, an attacker must persuade a user to open a malicious file.

Upgrade to version 2.4.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=694
http://www.openoffice.org/security/cves/CVE-2008-0320.html
Multiple Vendor OpenOffice QPRO File Parsing Integer Underflow Vulnerability
updated: 18-Apr-08
An integer underflow vulnerability in OpenOffice 2.3, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the logged in user.

The vulnerability exists within the code responsible for converting the QPRO file into an internal representation used by OpenOffice. A 16-bit integer is read in from the file, and later used as a loop counter that controls how many values are stored into local stack buffers. When verifying the value of this counter, the code decrements the counter without checking to see if this operation will underflow. This results in the loop running for many iterations, which leads to a stack based buffer overflow. This allows for the execution of arbitrary code.

Successful exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user opening the file. In order to exploit this vulnerability, an attacker must persuade a user to open a malicious file.

Upgrade to version 2.4.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=693
http://www.openoffice.org/security/cves/CVE-2007-5745.html
Multiple Vendor OpenOffice EMF EMR_BITBLT Record Integer Overflow Vulnerability
updated: 18-Apr-08
An integer overflow vulnerability was discovered in OpenOffice 2.3, as included in various vendors' operating system distributions, that allows attackers to execute arbitrary code with the privileges of the logged in user.

The vulnerability exists within the code responsible for parsing the EMR_STRETCHBLT record in an EMF file. This code reads in two 32-bit integers from the file, and then uses them in an arithmetic operation that calculates the number of bytes to allocate for a dynamic buffer. This calculation can overflow, resulting in an insufficiently sized buffer being allocated. Subsequently, this buffer is overflowed with data from the file.

Successful exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user opening the file. In order to exploit this vulnerability, an attacker must persuade a user to open a malicious file.

Upgrade to version 2.4.

Reference
http://www.openoffice.org/security/cves/CVE-2007-5746.html
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=692
IBM DB2 Universal Database db2dasStartStopFMDaemon Buffer Overflow Vulnerability
updated: 18-Apr-08
A buffer overflow vulnerability was reported in the db2dasrrm program, as included with IBM DB2 Universal Database 9.1 Fix Pack 4 on Linux.

This vulnerability exists due to insufficient validation of the length of the attacker-supplied "DASPROF" environment variable contents. By setting the variable to a specially crafted string, an attacker can cause a buffer overflow when the string is copied into a static-sized buffer stored on the stack. By overflowing the buffer, the attacker can overwrite execution control structures stored on the stack and execute arbitrary code.

Successful exploitation allows local attackers to gain root privileges. In order to exploit this vulnerability, the attacker must have access to execute the vulnerable set-uid root "db2dasrrm" program.

Install the V9.1 Fix Pack 4a, V8 FixPak 16, and V9.5 Fix Pack 1 from IBM.

Reference
http://www-1.ibm.com/support/docview.wss?uid=swg21256235
http://www-1.ibm.com/support/docview.wss?uid=swg21255572
http://www-1.ibm.com/support/docview.wss?uid=swg21287889
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=689
IBM DB2 Universal Database Administration Server File Creation Vulnerability
updated: 18-Apr-08
A file creation vulnerability was reported in the Administration Server of IBM DB2 Universal Database 9.1 release with Fix Pack 3 installed on Linux.

This vulnerability exists due to unsafe file access from within the db2dasrrm program. When a user starts the DAS, the "db2dasrrm" process is started with root privileges. As part of the initialization, the "dasRecoveryIndex", "dasRecoveryIndex.tmp", ".dasRecoveryIndex.lock", and "dasRecoveryIndex.cor" files are created with root privileges. By removing and re-creating these files as symbolic links, an attacker can create arbitrary files as root.

Successful exploitation allows local attackers to gain root privileges. In order to exploit this vulnerability, an attacker must have access to an account that is allowed to start and stop the DB2 Administration Server. For example, the "dasusr1" account or an account with access to the "db2adm1" group.

Install the V9.1 Fix Pack 4a, V8 FixPak 16, and V9.5 Fix Pack 1 from IBM.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=688
http://www-1.ibm.com/support/docview.wss?uid=swg21256235
http://www-1.ibm.com/support/docview.wss?uid=swg21255572
http://www-1.ibm.com/support/docview.wss?uid=swg21287889
CA DSM gui_cm_ctrls ActiveX Control Vulnerability
updated: 18-Apr-08
CA products that implement the DSM gui_cm_ctrls ActiveX
control contain a vulnerability that can allow a remote attacker to cause a denial of service or execute arbitrary code. The vulnerability, CVE-2008-1786, is due to insufficient verification of function arguments by the gui_cm_ctrls control. An attacker can execute arbitrary code under the context of the user running the web browser.

For BrightStor ARCserve Backup for Laptops & Desktops, only the server installation is affected. Client installations are not affected. For CA Desktop Management Suite, Unicenter Desktop Management Bundle, Unicenter Asset Management, Unicenter Software Delivery and Unicenter Remote Control, only the Managers and DSM Explorers are affected. Scalability Servers and Agents are not affected.

Install the fix from CA.

Reference
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=174256
http://community.ca.com/blogs/casecurityresponseblog/archive/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1786
IBM Informix Pre-Authentication Stack Overflow
updated: 18-Apr-08
The IBM Informix Database service 7.x through 11.x is vulnerable to a stack-based buffer overflow which can be exploited remotely before authentication has been completed.

Install the fix from IBM.

Reference
http://www-1.ibm.com/support/search.wss?rs=0&q=IC55223&apar=only
http://www-1.ibm.com/support/search.wss?rs=0&q=IC55224&apar=only
http://www-1.ibm.com/support/search.wss?rs=0&q=IC55225&apar=only
http://www.mwrinfosecurity.com/publications/mwri_ibm-informix-pre-auth-overflow_2008-04-14.pdf
Asterisk Multiple vulnerabilities
updated: 18-Apr-08
Multiple vulnerabilities have been found in Asterisk < 1.2.27 allowing for SQL injection, session hijacking and unauthorized usage.

Remote authenticated attackers could send specially crafted data to Asterisk to execute arbitrary SQL commands and compromise the administrative database. Remote unauthenticated attackers could bypass authentication using a valid username to hijack other users' sessions, and establish sessions on the SIP channel without authentication.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6170
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1332
libpng Execution of Arbitrary Code
updated: 18-Apr-08
A vulnerability reported in libpng < 1.2.26-r1 may allow execution of arbitrary code in certain applications that handle untrusted images.

A remote attacker could entice a user or automated system to process a specially crafted PNG image in an application using libpng and possibly execute arbitrary code with the privileges of the user running the application. Note that processing of unknown chunks is disabled by default in most PNG applications, but some such as ImageMagick are affected.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1382
Opera Multiple Vulnerabilities
updated: 18-Apr-08
Multiple vulnerabilities have been discovered in Opera < 9.27. A remote attacker could entice a user to visit a specially crafted web site or news feed and possibly execute arbitrary code with the privileges of the user running Opera.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1764
ClamAV libclamav PE WWPack Heap Overflow Vulnerability
updated: 18-Apr-08
A heap overflow vulnerability in ClamAV 0.92.1, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the affected process.

The vulnerability exists within the code responsible for reading in sections within a PE binary packed with the WWPack executable compressor.

Successful exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the process using libclamav. In the case of the clamd program, this will result in code execution with the privileges of the clamav user. Unsuccessful exploitation results in the clamd process crashing.

Upgrade to ClamAV 0.93.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=687
ClamAV libclamav PeSpin Heap Overflow Vulnerability
updated: 18-Apr-08
A heap overflow vulnerability in ClamAV 0.92.1, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the affected process.

The vulnerability exists within the code responsible for decompressing sections within a PE binary packed with the PeSpin executable protector.

Successful exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the process using libclamav. In the case of the clamd program, this will result in code execution with the privileges of the clamav user. Unsuccessful exploitation results in the clamd process crashing.

Upgrade to ClamAV 0.93.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=686
Autonomy Keyview Applix Graphics Parsing Vulnerabilities
updated: 15-Apr-08
Multiple vulnerabilities were reported in Autonomy Keyview 10.4.0.0, which can be exploited by malicious people to compromise a vulnerable system.

1) An unsafe call to "sscanf()" when parsing the "ENCODING" attribute of the "*BEGIN" tag in an Applix document can be exploited to cause a stack-based buffer overflow.

2) A boundary error when parsing overly long tokens from the input file can be exploited to cause a heap-based buffer overflow.

3) A boundary error when parsing the initial "*BEGIN" tag can be exploited to cause a stack-based buffer overflow.

Successful exploitation of the above vulnerabilities allows execution of arbitrary code.

4) A logic error when parsing long tokens can result in an infinite loop. Exploitation will result in maximum CPU usage until an application-configured timeout expires. In some cases memory usage will increase until the OS terminates the process.

Upgrade to Keyview 10.4.0.0 or later.

Reference
http://secunia.com/secunia_research/2007-95/
Lotus Notes EML Reader Buffer Overflows
updated: 15-Apr-08
Multiple vulnerabilities were reported in Lotus Notes 8.0, which can be exploited by malicious people to compromise a user's system.

1) A boundary error in the EML reader (emlsr.dll) when parsing certain headers ("To:", "Cc:", "Bcc:", "From:", "Date:", "Subject:", "Priority:", "Importance:", and "X-MSMail-Priority:") in EML files can be exploited to cause a heap-based buffer overflow via an overly long string.

2) A boundary error in the EML reader (emlsr.dll) when encountering the beginning of RFC2047 encoded-words in headers can be exploited to cause a heap-based buffer overflow via an overly long string.

3) A boundary error in the EML reader (emlsr.dll) when parsing the text string in RFC2047 encoded-words in headers can be exploited to cause a heap-based buffer overflow via an overly long string.

4) A boundary error in the EML reader (emlsr.dll) when creating a filename based on the subject in an EML file can be exploited to cause a heap-based buffer overflow via an overly long string.

Apply the patch available from the vendor.

Reference
http://secunia.com/secunia_research/2007-92/
Symantec Mail Security Applix Graphics Parsing Vulnerabilities
updated: 15-Apr-08
Multiple vulnerabilities were discovered in Symantec Mail Security for SMTP 5.0.1 p187, Symantec Mail Security for Exchange 5.0.7.373, and Symantec Mail Security for Domino 7.5.0.19, which can be exploited by malicious people to compromise a vulnerable system when scanning Applix documents.

1) An unsafe call to "sscanf()" when parsing the "ENCODING" attribute of the "*BEGIN" tag can be exploited to cause a stack-based buffer overflow.

2) A boundary error when parsing overly long tokens from the input file can be exploited to cause a heap-based buffer overflow.

3) A boundary error when parsing the initial "*BEGIN" tag can be exploited to cause a stack-based buffer overflow.

Successful exploitation of the above vulnerabilities allows execution of arbitrary code.

4) A logic error when parsing long tokens can result in an infinite loop. Exploitation will result in maximum CPU usage until an application-configured timeout expires. In some cases memory usage will increase until the OS terminates the process.

Install the patches from Symantec.

Reference
http://secunia.com/secunia_research/2007-98/
Autonomy Keyview EML Reader Buffer Overflows
updated: 15-Apr-08
Multiple vulnerabilities were discovered in Autonomy Keyview 10.3.0.0, which can be exploited by malicious people to compromise a user's system.

1) A boundary error in the EML reader (emlsr.dll) when parsing certain headers ("To:", "Cc:", "Bcc:", "From:", "Date:", "Subject:", "Priority:", "Importance:", and "X-MSMail-Priority:") in EML files can be exploited to cause a heap-based buffer overflow via an overly long string.

2) A boundary error in the EML reader (emlsr.dll) when encountering the beginning of RFC2047 encoded-words in headers can be exploited to cause a heap-based buffer overflow via an overly long string.

3) A boundary error in the EML reader (emlsr.dll) when parsing the text string in RFC2047 encoded-words in headers can be exploited to cause a heap-based buffer overflow via an overly long string.

4) A boundary error in the EML reader (emlsr.dll) when creating a filename based on the subject in an EML file can be exploited to cause a heap-based buffer overflow via an overly long string.

Update to version 10.4.0.0 or later.

Reference
http://secunia.com/secunia_research/2007-91/
Autonomy Keyview Folio Flat File Parsing Buffer Overflows
updated: 15-Apr-08
21 vulnerabilities were reported in Autonomy Keyview 10.3.0.0, which can be exploited by malicious people to compromise a vulnerable system.

Boundary errors within the "Folio Flat File" speed reader (foliosr.dll) when handling attribute values of a number of tags (e.g. DI, FD, FT, JD, JL, LE, OB, OD, OL, PN, PS, PW, RD, QL, or TS) can be exploited to cause stack-based buffer overflows.

Upgrade to Keyview 10.4.0.0 or later.

Reference
http://secunia.com/secunia_research/2007-104/
Lotus Notes Folio Flat File Parsing Buffer Overflows
updated: 15-Apr-08
21 vulnerabilities were found in Lotus Notes 7.0.3 and 8.0, which can be exploited by malicious people to compromise a vulnerable system.

Boundary errors within the "Folio Flat File" speed reader (foliosr.dll) when handling attribute values of a number of tags (e.g. DI, FD, FT, JD, JL, LE, OB, OD, OL, PN, PS, PW, RD, QL, or TS) can be exploited to cause stack-based buffer overflows.

Apply the patch, available by contacting the vendor.

Reference
http://secunia.com/secunia_research/2007-107/
Lotus Notes Applix Graphics Parsing Vulnerabilities
updated: 15-Apr-08
Multiple vulnerabilities were reported in the Autonomy Keyview utilised in Lotus Notes 7.0.3 and 8.0, which can be exploited by malicious people to compromise a vulnerable system when viewing Applix documents.

1) An unsafe call to "sscanf()" when parsing the "ENCODING" attribute of the "*BEGIN" tag can be exploited to cause a stack-based buffer overflow.

2) A boundary error when parsing overly long tokens from the input file can be exploited to cause a heap-based buffer overflow.

3) A boundary error when parsing the initial "*BEGIN" tag can be exploited to cause a stack-based buffer overflow.

Successful exploitation of the above vulnerabilities allows execution of arbitrary code.

4) A logic error when parsing long tokens can result in an infinite loop. Exploitation will result in maximum CPU usage until an application-configured timeout expires. In some cases memory usage will increase until the OS terminates the process.

Install the patch from the vendor.

Reference
http://secunia.com/secunia_research/2007-96/
activePDF DocConverter Applix Graphics Parsing Vulnerabilities
updated: 15-Apr-08
Some vulnerabilities were reported in activePDF DocConverter < 3.8.4.5, which can be exploited by malicious people to compromise a vulnerable system when converting Applix documents.

1) An unsafe call to "sscanf()" when parsing the "ENCODING" attribute of the "*BEGIN" tag can be exploited to cause a stack-based buffer overflow.

2) A boundary error when parsing overly long tokens from the input file can be exploited to cause a heap-based buffer overflow.

3) A boundary error when parsing the initial "*BEGIN" tag can be exploited to cause a stack-based buffer overflow.

Successful exploitation of the above vulnerabilities allows execution of arbitrary code.

4) A logic error when parsing long tokens can result in an infinite loop. Exploitation will result in maximum CPU usage until an application-configured timeout expires. In some cases memory usage will increase until the OS terminates the process.

Upgrade to version 3.8.4.5.

Reference
http://secunia.com/secunia_research/2007-97/
Symantec Mail Security Folio Flat File Parsing Buffer Overflows
updated: 18-Apr-08
21 vulnerabilities were discovered in Symantec Mail Security for SMTP 5.0.1 p187, Symantec Mail Security for Exchange 5.0.7.373, and Symantec Mail Security for Domino 7.5.0.19, which can be exploited by malicious people to compromise a vulnerable system.

Boundary errors within the "Folio Flat File" speed reader (foliosr.dll) when handling attribute values of a number of tags (e.g. DI, FD, FT, JD, JL, LE, OB, OD, OL, PN, PS, PW, RD, QL, or TS) can be exploited to cause stack-based buffer overflows.

Update to version 5.0.1 patch 189.

Reference
http://secunia.com/secunia_research/2007-105/
Lotus Notes htmsr.dll Buffer Overflows
updated: 18-Apr-08
Some vulnerabilities were reported in Lotus Notes 7.0.2 and 7.0.3, which can be exploited by malicious people to compromise a user's system.

1) A boundary error within the HTML speed reader (htmsr.dll) when handling links in e.g. the "background" attribute of tags can be exploited to cause a stack-based buffer overflow.

2) A boundary error within the HTML speed reader (htmsr.dll) when handling e.g. the "src" attribute of tags can be exploited to cause a stack-based buffer overflow.

3) A boundary error within the HTML speed reader (htmsr.dll) when handling large chunks of data inside an HTML document can be exploited to cause a heap-based buffer overflow.

Apply the patch available from the vendor.

Reference
http://secunia.com/secunia_research/2008-3/
Adobe Flash Player "Declare Function (V7)" Heap Overflow
updated: 18-Apr-08
A vulnerability was reported in Adobe Flash Player 9.0.115.0, due to a boundary error in the processing of "Declare Function (V7)" tags. This can be exploited to cause a heap-based buffer overflow via specially crafted argument preload flags.

Successful exploitation may allow execution of arbitrary code.

Update to version 9.0.124.0.

Reference
http://secunia.com/secunia_research/2007-103/
activePDF DocConverter Folio Flat File Parsing Buffer Overflows
updated: 18-Apr-08
21 vulnerabilities were discovered in activePDF DocConverter 3.8.4.0, which can be exploited by malicious people to compromise a vulnerable system.

Boundary errors within the "Folio Flat File" speed reader (foliosr.dll) when handling attribute values of a number of tags (e.g. DI, FD, FT, JD, JL, LE, OB, OD, OL, PN, PS, PW, RD, QL, or TS) can be exploited to cause stack-based buffer overflows.

Upgrade to version 3.8.4.5.

Reference
http://secunia.com/secunia_research/2007-106/
Lotus Notes kvdocve.dll Path Processing Buffer Overflow
updated: 18-Apr-08
A vulnerability was reported in Lotus Notes 7.0.2 and 7.0.3, which can be exploited by malicious people to compromise a user's system.

A boundary error within kvdocve.dll when processing overly long paths can be exploited to cause a buffer overflow via e.g. an overly long link inside the "src" attribute of a tag in an HTML document.

Apply the patch available from the vendor.

Reference
http://secunia.com/secunia_research/2008-12/
Cezanne SW Blind SQL Injection
updated: 15-Apr-08
A blind SQL injection vulnerability was reported in the "FUNID" parameter of Cezanne 7 that allows injecting SQL code in text variables.

Reference
http://www.s21sec.com/es/avisos/s21sec-043-en.txt
Cezanne SW Cross-Site Scripting
updated: 15-Apr-08
Cross site scripting vulnerabilities were reported in the variables LookUPId, CbFun, TitleParms, WidgetsHeights, WidgetsLinks, WidgetsTitles, CFTARGET, PersonOid, DESTLINKOID, PersonOID, FolderTemplateId, FolderTemplateName and SleUserName of Cezanne 6.5.1/Cezanne 7 that allows injecting JavaScript code in text variables.

Reference
http://www.s21sec.com/es/avisos/s21sec-042-en.txt
http://www.s21sec.com/es/avisos/s21sec-041-en.txt
Multiple Vulnerabilities in HP OpenView Network Node Manager
updated: 13-Apr-08
Multiple vulnerabilities (directory traversal in the CGIs, Denial of Service and NULL pointer dereference in ovalarmsrv, and process termination in ovtopmd) were reported in HP OpenView Network Node Manager <= 7.53.

A PoC exploit has been published.

Reference
http://aluigi.org/poc/closedviewx.zip
policyd-weight Insecure Temporary File Creation
updated: 13-Apr-08
policyd-weight < 0.1.14.17 creates and uses the "/tmp/.policyd-weight/" directory in an insecure manner.

A local attacker could exploit this vulnerability to delete arbitrary files or change the ownership to the "polw" user via symlink attacks.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1569
gnome-screensaver Privilege Escalation
updated: 13-Apr-08
gnome-screensaver < 2.20.0-r3 incorrectly handles the results of the getpwuid() function in the file src/setuid.c when using directory servers (like NIS) during a network outage.

A local user can crash gnome-screensaver by preventing network connectivity if the system uses a remote directory service for credentials such as NIS or LDAP, which unlocks the screen.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0887
http://www.gentoo.org/security/en/glsa/glsa-200705-14.xml
EMC DiskXtender MediaStor Format String Vulnerability
updated: 13-Apr-08
A format string vulnerability was reported in EMC DiskXtender 6.20.060 for Windows. When handling requests on the RPC interface with UUID b157b800-aef5-11d3-ae49-00600834c15f, the service does not properly validate the content of a string in requests. Since this string is passed directly to a formatting function, a format string vulnerability occurs.

Successful exploitation results in the execution of arbitrary code with the privileges of the affected service, usually SYSTEM. In order to exploit this vulnerability, authentication is required.

Install the updates from EMC.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=685
EMC DiskXtender File System Manager Stack Buffer Overflow Vulnerability
updated: 13-Apr-08
A buffer overflow vulnerability was reported in EMC DiskXtender 6.20.060 for Windows. The File System Manager is prone to a stack-based buffer overflow vulnerability. When handling requests on the RPC interface with UUID b157b800-aef5-11d3-ae49-00600834c15f, the service does not properly validate the length of a string in the request. By making a specially crafted request, a stack-based buffer overflow occurs.

Successful exploitation results in the execution of arbitrary code with the privileges of the affected service, usually SYSTEM. In order to exploit this vulnerability, authentication is required.

Install the updates from EMC.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=684
EMC DiskXtender Authentication Bypass Vulnerability
updated: 13-Apr-08
An authentication bypass vulnerability was reported in EMC DiskXtender 6.20.060 for Windows. Each of the main components of the DiskXtender suite is vulnerable to an authentication bypass. Specifically, the authentication code contains a hard-coded login and password. By connecting to the RPC interface and logging on with these credentials, it is possible to bypass the normal authentication process.

Successful exploitation results in an unauthenticated attacker gaining administrative access to the DiskXtender server. This allows an attacker to create and delete files on the backup server, and run other DiskXtender commands. This could potentially lead to the execution of arbitrary code with SYSTEM privileges.

Install the updates from EMC.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=683
Borland InterBase 2007 "ibserver.exe" Buffer Overflow Vulnerability
updated: 13-Apr-08
A vulnerability exists in Borland InterBase 2007 'ibserver.exe'. An attacker who successfully exploits this vulnerability can gain control of vulnerable systems. A PoC exploit has been published.

F5 BIG-IP Management Interface Perl Injection
updated: 13-Apr-08
It is possible for a logged-in user with Resource Manager or Administrator privileges to inject arbitrary Perl code, including spawning Unix shell commands, that gets immediately executed with root privileges. (For the Administrator role this does not provide any new privileges because it is already provided with full shell access as root.)

F5 BIG-IP Management Interface version 9.4.3 was affected.

Watchguard Firebox PPTP VPN User Enumeration Vulnerability
updated: 13-Apr-08
The PPTP VPN service offered by Watchguard Firebox < 10 allows valid usernames to be enumerated based upon the error codes returned by the appliance.

The impact of this vulnerability is that password guessing attacks can be performed much more efficiently by conducting them only against those usernames known to be valid. Additionally, these usernames may be valid on other systems and may also aid social engineering attacks.

Upgrade to Watchguard Firebox software version 10.

Reference
https://www.watchguard.com/archive/softwarecenter.asp
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1618
Tomcat Multiple Vulnerabilities
updated: 11-Apr-08
Multiple vulnerabilities in Tomcat < 6.0.16 may lead to local file overwriting, session hijacking or information disclosure.

These vulnerabilities can be exploited by a malicious web application to add or overwrite files with the permissions of the user running Tomcat, or by a remote attacker to conduct session hijacking or disclose sensitive data.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0002
lighttpd Multiple Vulnerabilities
updated: 11-Apr-08
Multiple vulnerabilities in lighttpd < 1.4.19-r2 may lead to information disclosure or a Denial of Service.

A remote attacker could exploit the first vulnerability to read arbitrary files. The second vulnerability can be exploited by a remote attacker to cause a Denial of Service by terminating a victim's SSL connection.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1270
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1531
Buffer Overflow in Python zlib Extension Module
updated: 11-Apr-08
The zlib extension module of Python <= 2.5.2 contains a method for flushing decompression streams that takes an input parameter of how much data to flush. This parameter is a signed integer that is not verified for sanity and is thus potentially negative.

When a negative value is passed, memory is misallocated and the signed integer is then converted to an unsigned integer, resulting in a buffer overflow.

A PoC exploit has been published. Install the patch from the developer.
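
As an added check that is not part of the original alert, the following Python snippet exercises Decompress.flush() the way the advisory describes and reports whether the interpreter's zlib module refuses a negative (or zero) flush length with ValueError, which is the sanity check the fix introduced; the sample payload is constructed here.

```python
import zlib

# Constructed sample payload: compressing it locally keeps the check offline
# and gives flush() a real decompression stream to work on.
SAMPLE = b"Security Alerts Archive - Apr 2008\n" * 200
COMPRESSED = zlib.compress(SAMPLE)


def streaming_decompress(data: bytes, chunk: int = 64, flush_len: int = 4096) -> bytes:
    """Decompress `data` in small chunks, then flush() with a positive buffer size.

    `flush_len` is the parameter the advisory is about: it sizes the output
    buffer that flush() allocates, so it must never be negative.
    """
    d = zlib.decompressobj()
    out = bytearray()
    for i in range(0, len(data), chunk):
        out += d.decompress(data[i:i + chunk])
    out += d.flush(flush_len)
    return bytes(out)


def flush_rejects_length(length: int) -> bool:
    """Return True if this interpreter refuses `length` as a flush() size.

    A patched zlib module raises ValueError for length <= 0, the check that
    was missing from the Python versions named in the advisory. An unpatched
    build would instead reach the misallocation the advisory describes.
    """
    d = zlib.decompressobj()
    d.decompress(COMPRESSED)
    try:
        d.flush(length)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    assert streaming_decompress(COMPRESSED) == SAMPLE
    print("negative flush length rejected:", flush_rejects_length(-1))
    print("zero flush length rejected:", flush_rejects_length(0))
    print("positive flush length accepted:", not flush_rejects_length(1))
```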

Reference
http://bugs.python.org/issue2586
http://svn.python.org/view?rev=62235&view=rev
PECL APC Buffer Overflow
updated: 11-Apr-08
A buffer overflow vulnerability exists in the apc_search_paths() function in the file apc.c of PECL APC < 3.0.16-r1 when processing long filenames.

A remote attacker could exploit this vulnerability to execute arbitrary code in PHP applications that pass user-controlled input to the include() function.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1488
SAP Netweaver Cross-Site-Scripting
updated: 11-Apr-08
SAP Netweaver has a web interface for accessing the portal's file system, in which users can submit "feedback" on files. Input passed to the content of this feedback is not properly sanitized before being returned to the user.

This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

This issue can be mitigated by activating "Secure Editing" in the Portal (System Configuration -> System Configuration -> Knowledge management (in detailed Navigation) -> Utilities -> Editing -> HTML Editing).

Reference
http://www.aitsec.com/vulnerability-SAP-Netweaver-6.40-7.0-Cross-Site-Scripting.php
Microsoft Windows SharePoint Services PictureSource XSS
updated: 11-Apr-08
A stored XSS vulnerability exists in Microsoft Windows SharePoint Services 2.0 where a malicious user can bypass sanitization and inject JavaScript into a web page they are editing. Under normal circumstances, SharePoint does not permit users to include JavaScript in any submitted content.

If JavaScript is enabled in a user's browser, the JavaScript will be executed when the user views the page. As a result, an attacker could potentially steal credentials and take over the browser or machine of any user who views the page.

Unless editing web pages in SharePoint 2.0 is necessary, disable this feature. If the feature is necessary, ensure users must authenticate to a service before giving them the privilege to create or edit pages, and grant that privilege only to users who need to create or edit pages. A PoC exploit has been published.

Reference
http://www.caughq.org/advisories/CAU-2008-0002.txt
Adobe Flash Player DeclareFunction2 Invalid Object Use Vulnerability
updated: 11-Apr-08
Adobe Flash Player contains a security vulnerability when it attempts to access embedded Actionscript objects that have not been properly instantiated.

In order for exploitation to occur, an attacker would have to modify a DeclareFunction2 Actionscript tag within an SWF file. Exploitation of this vulnerability can result in arbitrary code execution under the context of the currently logged in user.

Install the update from Adobe.

Reference
http://www.adobe.com/support/security/bulletins/apsb08-11.html
Vulnerability in Windows Kernel Allows Elevation of Privilege (MS08-025)
updated: 11-Apr-08
An elevation of privilege vulnerability exists due to the Windows kernel improperly validating input passed from user mode to the kernel. The vulnerability could allow an attacker to run code with elevated privileges. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Windows 2000 SP4, 2003 SP2, XP SP2, Vista SP1 and 2008 are affected. Install the update from Microsoft.

Reference
http://www.microsoft.com/technet/security/Bulletin/MS08-025.mspx
Cumulative Security Update for Internet Explorer (MS08-024)
updated: 11-Apr-08
A remote code execution vulnerability exists in Internet Explorer 5.01, 6 and 7 because of the way that it processes data streams.

An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.

Install the update from Microsoft.

Reference
http://www.microsoft.com/technet/security/Bulletin/MS08-024.mspx
Security Update of ActiveX Kill Bits (MS08-023)
updated: 11-Apr-08
A remote code execution vulnerability exists in the ActiveX control hxvz.dll. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.

Windows 2000 SP4, 2003 SP2, XP SP2, Vista SP1 and 2008 are affected. Install the update from Microsoft.

Reference
http://www.microsoft.com/technet/security/Bulletin/MS08-023.mspx
Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (MS08-022)
updated: 11-Apr-08
A remote code execution vulnerability exists in the way that the VBScript and JScript scripting engines decode script in Web pages.

This vulnerability could allow remote code execution if a user opened a specially crafted file or visited a Web site that is running specially crafted script. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

VBScript 5.6 and JScript 5.6 and prior are affected. Install the update from Microsoft.

Reference
http://www.microsoft.com/technet/security/Bulletin/MS08-022.mspx
Vulnerabilities in GDI Allows Code Execution (MS08-021)
updated: 11-Apr-08
A remote code execution vulnerability exists in the way that GDI handles integer calculations. The vulnerability could allow remote code execution if a user opens a specially crafted EMF or WMF image file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.

Windows 2000 SP4, 2003 SP2, XP SP2, Vista SP1 and 2008 are affected. Install the update from Microsoft.

Reference
http://www.microsoft.com/technet/security/Bulletin/MS08-021.mspx
Vulnerability in DNS Client Allows Spoofing (MS08-020)
updated: 11-Apr-08
A spoofing vulnerability exists in Windows DNS clients. The vulnerability could allow an unauthenticated attacker to send malicious responses to DNS requests made by vulnerable clients, thereby spoofing or redirecting Internet traffic from legitimate locations.

Windows 2000 SP4, 2003 SP2, and XP SP2 are affected. Install the update from Microsoft.

Reference
http://www.microsoft.com/technet/security/Bulletin/MS08-020.mspx
Vulnerabilities in Microsoft Visio Allows Code Execution (MS08-019)
updated: 11-Apr-08
A remote code execution vulnerability exists in the way Microsoft Visio validates object header data in specially crafted files. An attacker could exploit the vulnerability by sending a malformed file which could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site.

If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Affected software includes: Microsoft Visio 2002 SP2, Microsoft Visio 2003 SP3, and Microsoft Visio 2007 SP1. Install the update from Microsoft.

Reference
http://www.microsoft.com/technet/security/Bulletin/MS08-019.mspx
Vulnerability in Microsoft Project Allows Code Execution (MS08-018)
updated: 11-Apr-08
A remote code execution vulnerability exists in the way Microsoft Project handles specially crafted Project files. An attacker could exploit the vulnerability by sending a malformed file which could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site.

If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Affected software includes: Microsoft Project 2000 SP1, Microsoft Project 2002 SP1, and Microsoft Office Project 2003 SP2. Install the update from Microsoft.

Reference
http://www.microsoft.com/technet/security/Bulletin/MS08-018.mspx
HP OpenView Network Node Manager Running Shared Trace Service, Remote Arbitrary Code Execution
updated: 11-Apr-08
A potential vulnerability has been identified with HP OpenView Network Node Manager running Shared Trace Service. The vulnerability could be remotely exploited to execute arbitrary code.

Affected software includes: HP OpenView Network Node Manager v6.41, v7.01, v7.50, v7.51 running XPL earlier than 03.10.040 on HP-UX, Solaris, Windows NT, Windows 2000, Windows XP, and Linux.

Install the patch from HP.

HP Storage Essentials Software, Remote Unauthorized Access to Data
updated: 11-Apr-08
A potential security vulnerability has been identified with HP Storage Essentials Software. The vulnerability could be exploited remotely to gain unauthorized access to data.

Install the patch from HP.

HP Integrity Servers iLO-2 Management Processors Denial of Service
updated: 11-Apr-08
Affected products include: HP Integrity Server models rx2660, rx3600, and rx6600 running iLO-2 MP firmware v F.01.58 and earlier, and HP Integrity Blade Server model bl860c running iLO-2 MP firmware v T.01.22 and earlier.

Install the patch from HP.

Wayport Public Access PC Authentication Bypass Weakness
updated: 11-Apr-08
There is an Authentication Bypass weakness on Wayport Public Access PCs. To exploit the weakness, one needs to open an Internet Explorer Window through the 'help' function that is available before the card gets swiped and do the following:

Help --> Tools --> Manage Add-ons --> Disable Blocker Class. This add-on controls the entire charging element of the Solution.

An attacker who successfully exploits this misconfiguration could, besides browsing the web for free, use a public access PC as a launching pad.

Websphere MQ MCAUSER Setting Bypass Vulnerability
updated: 11-Apr-08
A method of bypassing Websphere MQ service authorization control has been discovered, due to an error in the state model responsible for permitting connections to a channel. A connection can be established to the Queue Manager if the "2035 Not Authorised" response is ignored and the connection attempt continues.

The vulnerability could enable an attacker to access sensitive channels that have been restricted with the MCAUSER parameter. This would enable an attacker to gain full read and write access to all queues defined within the channel. Additionally, an attacker could perform remote fingerprinting of the software, alter the Queue Manager configuration and potentially execute Operating System commands through the creation of an appropriate trigger process.

Affected systems include: Websphere MQ 5.1 - 5.3 for Solaris and Websphere MQ 6.0 for Windows. Install the fix pack from IBM.

Reference
http://www.mwrinfosecurity.com/publications/mwri_websphere-mq-mcauser-setting-bypass-advisory_2008-03-26.pdf
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
Websphere MQ Security Exit Authentication Bypass Vulnerability
updated: 11-Apr-08
A method of bypassing the Websphere MQ security exit authentication mechanism has been discovered, due to an error in the process for checking whether a connection has successfully passed the authentication check enforced by a security exit. A connection can be established to the Queue Manager if an authentication packet is not sent before the connection is established.

The vulnerability could enable an attacker to bypass a security exit that has been applied to a channel. This would enable an attacker to gain full access to all queues defined within the queue manager with full read and write access. Additionally, an attacker could perform remote fingerprinting of the software, alter the Queue Manager configuration and potentially execute Operating System commands through the creation of an appropriate trigger process.

Affected systems include: Websphere MQ 5.1 - 5.3 for Solaris and Websphere MQ 6.0 for Windows. Install the fix pack from IBM.

Reference
http://www.mwrinfosecurity.com/publications/mwri_websphere-mq-authentication-bypass-advisory_2008-03-26.pdf
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037#1
HP USB Floppy Drive Key for ProLiant Servers Local Virus Infection
updated: 5-Apr-08
A potential security vulnerability has been identified with two types of optional HP USB Floppy Drive Keys intended for use with certain ProLiant servers. This vulnerability could cause a local 'W32.Fakerecy' or 'W32.SillyFDC' virus infection.

Affected products include: Option Part # 442084-B21 HP 256MB USB 2.0 Floppy Drive Key and Option Part # 442085-B21 HP 1GB USB 2.0 Floppy Drive Key.

Check the HP USB Floppy Drive Key for the potential virus infections and clean it before use.

Computer Associates Alert Notification Service Multiple RPC Buffer Overflow Vulnerabilities
updated: 5-Apr-08
Multiple buffer overflow vulnerabilities were reported in Computer Associates Alert Notification Service. The Alert Service is a component of multiple Computer Associates' products. It is used to provide status updates and notifications regarding various system events. It implements an RPC interface with GUID 3d742890-397c-11cf-9bf1-00805f88cb72.

Multiple buffer overflows exist in the handlers for various opcodes. In each case, unsafe library functions are used to copy attacker supplied data into fixed size stack buffers. By making specially crafted requests, attackers are able to cause an exploitable buffer overflow.

Successful exploitation of these vulnerabilities allows an attacker to execute arbitrary code with SYSTEM privileges. In order to exploit these vulnerabilities, it is necessary for an attacker to have valid domain credentials.

Computer Associates' Threat Manager for the Enterprise version 8.1, and other products that contain the Alert Notification Service are suspected to be vulnerable as well.

Install the updates from Computer Associates.

Reference
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=173103
Orbit Downloader "Download failed" buffer overflow
updated: 5-Apr-08
Orbit Downloader prior to 2.6.5 is vulnerable to a buffer overflow, which can be exploited by remote attackers to execute arbitrary code. The vulnerability is due to Orbit not properly converting a URL ASCII string to Unicode. This can be exploited to execute arbitrary code by downloading a file from a specially crafted URL.

Update to Orbit Downloader 2.6.5.

Reference
http://www.coresecurity.com/?action=item&id=2211
SCO UnixWare pkgadd Directory Traversal Vulnerability
updated: 5-Apr-08
A directory traversal vulnerability within the pkgadd program distributed with SCO UnixWare operating system 7.1.4 allows attackers to gain root privileges.

By setting an environment variable to a value containing directory traversal sequences, such as "../", an attacker can cause the program to create or append to arbitrary files on the system.

Successful exploitation allows attackers to gain root privileges. Access to execute arbitrary shell commands is required to exploit this issue.

Install the patch from SCO.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=676
http://www.sco.com/support/update/download/release.php?rid=324
Symantec Internet Security 2008 ActiveDataInfo.LaunchProcess Design Error Vulnerability
updated: 5-Apr-08
A design error was reported in an ActiveX control installed with Symantec Norton Internet Security 2008:

Progid: SymAData.ActiveDataInfo.1
Clsid: 3451DEDE-631F-421c-8127-FD793AFC6CC8
File: C:\PROGRA~1\COMMON~1\SYMANT~1\SUPPOR~1\SymAData.dll
Version: 2.7.0.1

This control contains functionality designed to allow Symantec to remotely execute programs on the target machine.

Successful exploitation allows attackers to execute arbitrary code with the privileges of the currently logged in user. In order for exploitation to occur, an attacker would have to lure a vulnerable user to a malicious web site.

Install the updates from Symantec.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=678
http://www.symantec.com/avcenter/security/Content/2008.04.02a.html
Symantec Norton Internet Security 2008 ActiveX Control Buffer Overflow Vulnerability
updated: 5-Apr-08
A buffer overflow vulnerability was reported in an ActiveX control installed by Symantec Norton Internet Security 2008:

Clsid: 3451DEDE-631F-421c-8127-FD793AFC6CC8
File: C:\PROGRA~1\COMMON~1\SYMANT~1\SUPPOR~1\SymAData.dll
Version: 2.7.0.1

This control contains an exploitable stack based buffer overflow.

Successful exploitation allows attackers to execute arbitrary code with the privileges of the currently logged in user. In order for exploitation to occur, an attacker would have to lure a vulnerable user to a malicious web site.

Install the updates from Symantec.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=677
http://www.symantec.com/avcenter/security/Content/2008.04.02a.html
Borland CaliberRM StarTeam Multicast Service Buffer Overflow Vulnerability
updated: 5-Apr-08
A buffer overflow vulnerability exists in the Borland CaliberRM enterprise software requirements management system. The vulnerability exists in the StarTeam Multicast Service component (STMulticastService). This service is implemented using the HTTP protocol.

While searching for the standard 0x0a0d sequence that ends HTTP requests, a loop copies attacker-supplied data byte by byte into a fixed-size stack buffer. If a large enough request is sent, the return address, SEH pointers, and other stack data are overwritten.
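The copy-until-CRLF pattern the advisory describes, as an added illustration that is not Borland's code: the unbounded loop beside a bounded version that refuses a request line that does not fit its buffer. The buffer size LINE_MAX, the sample requests and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Assumed buffer size for the example; the real service's size is not given. */
#define LINE_MAX 64

/* Unsafe pattern from the advisory: copy bytes until CRLF with no bound
 * check, so a request longer than the buffer overwrites stack data.
 * Shown for contrast only; it is never called with oversized input here. */
size_t copy_until_crlf_unbounded(const char *req, size_t req_len, char *out)
{
    size_t i = 0;
    while (i + 1 < req_len && !(req[i] == '\r' && req[i + 1] == '\n')) {
        out[i] = req[i];
        i++;
    }
    out[i] = '\0';
    return i;
}

/* Bounded version: returns the number of bytes copied (CRLF excluded), or
 * -1 if the line would not fit in out[out_size] or no CRLF is present. */
long copy_until_crlf_bounded(const char *req, size_t req_len,
                             char *out, size_t out_size)
{
    size_t i = 0;
    if (out_size == 0) return -1;
    while (i + 1 < req_len) {
        if (req[i] == '\r' && req[i + 1] == '\n') {
            out[i] = '\0';
            return (long)i;
        }
        if (i >= out_size - 1) return -1;   /* would overflow: reject */
        out[i] = req[i];
        i++;
    }
    return -1;                              /* no terminator before end */
}

/* Parse one request line into a LINE_MAX stack buffer using the safe copy. */
long parse_request_line(const char *req, size_t req_len)
{
    char line[LINE_MAX];
    return copy_until_crlf_bounded(req, req_len, line, sizeof line);
}

/* Constructed sample inputs: a normal line, an oversized line, a line that
 * exactly fills the buffer, and one with no terminator at all. */
long demo_short(void)  { const char r[] = "GET / HTTP/1.0\r\nHost: x\r\n";
                         return parse_request_line(r, sizeof r - 1); }
long demo_long(void)   { char r[200]; memset(r, 'A', sizeof r);
                         r[198] = '\r'; r[199] = '\n';
                         return parse_request_line(r, sizeof r); }
long demo_fits(void)   { char r[LINE_MAX + 1]; memset(r, 'B', LINE_MAX - 1);
                         r[LINE_MAX - 1] = '\r'; r[LINE_MAX] = '\n';
                         return parse_request_line(r, sizeof r); }
long demo_noterm(void) { const char r[] = "GET / HTTP/1.0";
                         return parse_request_line(r, sizeof r - 1); }
```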

Borland CaliberRM 2006 (file version 9.0.809.000) and StarTeam Multicast Service 6.4 are affected.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=675
Cisco Unified Communications Disaster Recovery Framework Security Bypass and Command Execution
updated: 4-Apr-08
Multiple Cisco Unified Communications products contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions, which may result in a denial of service or the execution of arbitrary code.

This vulnerability exists due to insufficient authentication restrictions on a back up and restore feature of the affected application. An unauthenticated, remote attacker could exploit this vulnerability by connecting directly to an affected application component and issuing arbitrary commands. An exploit could allow the attacker to cause a denial of service condition on the affected system or systems that are managed by it. The attacker could gather sensitive information about other systems, which could include a username and password hash. The attacker could also execute arbitrary system commands on the affected system that could result in a complete system compromise.

Affected products include: Cisco Unified Communications Manager (CUCM) versions 5.1 and prior and 6.1 and prior, Cisco Unified Presence Server 1.3 and prior and 6.1 and prior, Cisco Emergency Responder 2.3 and prior, and Cisco Mobility Manager 1.2(6a) and prior. Install the update from Cisco.

Reference
http://tools.cisco.com/security/center/viewAlert.x?alertId=15568
Apple Updates for Multiple Vulnerabilities
updated: 4-Apr-08
Apple QuickTime prior to 7.4.5 contains multiple vulnerabilities in the way different types of image and media files are handled. An attacker could exploit these vulnerabilities by convincing a user to access a specially crafted image or media file that could be hosted on a web page.

Note that Apple iTunes installs QuickTime, so any system with iTunes may be vulnerable.

Successful exploitation could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial-of-service condition.

Upgrade to QuickTime 7.4.5.

Reference
http://support.apple.com/kb/HT1241
Webwasher Denial of Service Vulnerability
updated: 4-Apr-08
Secure Computing Webwasher 6.6.3 build 3102 and prior contains a denial of service vulnerability. The attack can be initiated by an internal user sending a specially crafted URL to Webwasher. It could also be exploited by an external attacker by redirecting proxy users to the exploit URL.

Upgrade to the latest version.

bzip2 Denial of Service
updated: 4-Apr-08
bzip2 < 1.0.5 does not properly check offsets provided by the bzip2 file, leading to a buffer overread. Remote attackers can entice a user or automated system to open a specially crafted file that triggers a buffer overread, causing a Denial of Service. libbz2 and programs linking against it are also affected.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1372
Apache-SSL Memory Disclosure
updated: 3-Apr-08
A memory disclosure vulnerability was reported in apache_1.3.34+ssl_1.57. Apache-SSL provides environment variables that are filled with (client) certificate data. If the subject of a client certificate contains special characters, parts of these variables can be overwritten or be filled with other parts of memory.

Upgrade to apache_1.3.41+ssl_1.59.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0555
CUPS Multiple Vulnerabilities
updated: 3-Apr-08
Multiple vulnerabilities have been discovered in CUPS < 1.2.12-r7. A local attacker could send specially crafted network packets or print jobs and possibly execute arbitrary code with the privileges of the user running CUPS (usually lp), or cause a Denial of Service. The vulnerabilities are exploitable via the network when CUPS is sharing printers remotely.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0047
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0882
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1373
Macrovision InstallShield InstallScript One-Click Install Untrusted Library Loading Vulnerability
updated: 3-Apr-08
An untrusted library loading vulnerability was reported in Macrovision InstallShield InstallScript One-Click Install ActiveX control 12.0 that allows remote attackers to execute code with the privileges of the currently logged in user.

InstallShield InstallScript "One-Click Install" is implemented in an ActiveX control with the following properties:

File: %WINDIR%\Downloaded Program Files\setup.exe
CLSID: 53D40FAA-4E21-459f-AA87-E4D97FC3245A

This control is marked "safe for scripting".

When a user visits a website from which a web install can be performed, the ActiveX control downloads and loads several DLL files from the remote website. Since no sanity checks are performed on the DLL files, an attacker can substitute specially crafted libraries that will execute arbitrary code when loaded.

Install the hotfix from Macrovision.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=649
http://knowledge.macrovision.com/selfservice/microsites/search.do?cmd=displayKC&externalId=Q113640
SLMail Pro Multiple Denial of Service
updated: 3-Apr-08
Multiple denial of service vulnerabilities have been discovered in SLMail Pro 6.3.1.0 (webcontainer.exe version 1.0.0.336).

PoC exploit has been published.

Reference
http://aluigi.altervista.org/adv/slmaildos-adv.txt
2X ThinClientServer Directory Traversal
updated: 3-Apr-08
A directory traversal vulnerability exists in the TFTP module of 2X ThinClientServer version 5.0_sp1-r3497 (TFTPd.exe version 3.2.0.0) that allows remote attackers to access files that would otherwise be inaccessible.

PoC exploit has been published.

Reference
http://aluigi.altervista.org/adv/thindirtrav-adv.txt
avast! 4.7 aavmker4.sys Kernel Memory Corruption
updated: 3-Apr-08
The kernel driver aavmker4.sys shipped with avast! 4.7 contains a vulnerability in the code that handles IOCTL requests.

Exploitation of this vulnerability can result in local denial of service attacks (system crash due to a kernel panic), or local execution of arbitrary code at the kernel level (complete system compromise).

Update to avast! 4.8 Professional Edition or avast! 4.8 Home Edition.

Reference
http://www.trapkit.de/advisories/TKADV2008-002.txt