Security Alerts Archive - Mar 2008

Last Update: 31 Mar 2008

CA Multiple Products DSM ListCtrl ActiveX Control Buffer Overflow
updated: 29-Mar-08
CA products that implement the DSM ListCtrl ActiveX control are vulnerable to a buffer overflow condition that can allow a remote attacker to cause a denial of service or execute arbitrary code with the privileges of the user running the web browser. The vulnerability, CVE-2008-1472, is due to insufficient bounds checking on the ListCtrl AddColumn function.

Affected products include:
BrightStor ARCServe Backup for Laptops and Desktops r11.5
CA Desktop Management Suite r11.2 C1, r11.2a, r11.2, r11.1 (GA, a, C1)
Unicenter Desktop Management Bundle r11.2 C1, r11.2a, r11.2, r11.1 (GA, a, C1)
Unicenter Asset Management r11.2 C1, r11.2a, r11.2, r11.1 (GA, a, C1)
Unicenter Software Delivery r11.2 C1, r11.2a, r11.2, r11.1 (GA, a, C1)
Unicenter Remote Control r11.2 C1, r11.2a, r11.2, r11.1 (GA, a, C1)

Install the updates from CA.

Reference
http://community.ca.com/blogs/casecurityresponseblog/archive/2008/3/28.aspx
HP Compaq Notebook PC BIOS Local Unauthorized Access
updated: 29-Mar-08
A potential security vulnerability has been identified with HP Compaq Notebook PC BIOS. The vulnerability could be exploited to allow local unauthorized users access to the system.

Compaq Presario C700 Notebook, HP G7000 Notebook and Compaq Presario A900 Notebook using BIOS versions F.26 and earlier are affected. Install HP BIOS F.31 or later.

HP Compaq Business Notebook PC BIOS Local Denial of Service
updated: 29-Mar-08
A potential security vulnerability has been identified with HP Compaq Business Notebook PC BIOS. The vulnerability could be exploited to create a Denial of Service.

Upgrade the BIOS to the latest version.

HP OpenVMS SSH Using TCP/IP Services for OpenVMS Remote Unauthorized Access
updated: 29-Mar-08
A potential vulnerability has been identified with the SSH server in HP OpenVMS TCP/IP Services running on HP Integrity and HP Alpha. The vulnerability could be exploited to allow remote unauthorized access.

HP OpenVMS on HP Alpha running TCP/IP Services for OpenVMS v5.4 prior to ECO 7, HP OpenVMS on HP Integrity and HP Alpha running TCP/IP Services for OpenVMS v5.5 prior to ECO 3, HP OpenVMS on HP Integrity and HP Alpha running TCP/IP Services for OpenVMS v5.6 prior to ECO 2 are affected.

Install the TCP/IP Services ECO kits for OpenVMS Update kit to fix the problem.

Cisco IOS Virtual Private Dial-up Network Denial of Service Vulnerability
updated: 28-Mar-08
Two vulnerabilities exist in the virtual private dial-up network (VPDN) solution when Point-to-Point Tunneling Protocol (PPTP) is used in certain Cisco IOS releases prior to 12.3. PPTP is only one of the supported tunneling protocols used to tunnel PPP frames within the VPDN solution.

The first vulnerability is a memory leak that occurs as a result of PPTP session termination. The second vulnerability may consume all interface descriptor blocks on the affected device because those devices will not reuse virtual access interfaces. If these vulnerabilities are repeatedly exploited, the memory and/or interface resources of the attacked device may be depleted.

Install the update from Cisco.

Reference
http://www.cisco.com/warp/public/707/cisco-sa-20080326-pptp.shtml
Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak
updated: 28-Mar-08
A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) can allow a malicious user, by sending specially crafted messages, to create extra multicast states on the core routers or to receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN).

Devices that run Cisco IOS and are configured for MVPN are affected. Install the update from Cisco.

Reference
http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml
Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6 Dual-stack Routers
updated: 28-Mar-08
A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service (DoS) attack.

For the device to be affected by this vulnerability the device also has to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled.

To exploit this vulnerability an offending IPv6 packet must be targeted to the device. Packets that are routed through the router cannot trigger this vulnerability. Successful exploitation will prevent the interface from receiving any additional traffic. The only exception is the Resource Reservation Protocol (RSVP) service, which if exploited, will cause the device to crash. Only the interface on which the vulnerability was exploited will be affected.

Install the update from Cisco.

Reference
http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml
Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor 32, Supervisor 720, or Route Switch Processor 720
updated: 28-Mar-08
Certain Cisco Catalyst 6500 Series and Cisco 7600 Router devices that run branches of Cisco IOS based on 12.2 can be vulnerable to a denial of service vulnerability that can prevent any traffic from entering an affected interface. For a device to be vulnerable, it must be configured for Open Shortest Path First (OSPF) Sham-Link and Multi Protocol Label Switching (MPLS) Virtual Private Networking (VPN).

This vulnerability only affects Cisco Catalyst 6500 Series or Catalyst 7600 Series devices with the Supervisor Engine 32 (Sup32), Supervisor Engine 720 (Sup720) or Route Switch Processor 720 (RSP720) modules. The Supervisor 32, Supervisor 720, Supervisor 720-3B, Supervisor 720-3BXL, Route Switch Processor 720, Route Switch Processor 720-3C, and Route Switch Processor 720-3CXL are all potentially vulnerable.

Install the update from Cisco.

Reference
http://www.cisco.com/warp/public/707/cisco-sa-20080326-queue.shtml
Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS
updated: 28-Mar-08
Cisco IOS contains multiple vulnerabilities in the Data-link Switching (DLSw) feature that may result in a reload or memory leaks when processing specially crafted UDP or IP Protocol 91 packets.

Install the update from Cisco.

Reference
http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml
Novell eDirectory for Linux Stack Overflow
updated: 28-Mar-08
A stack overflow vulnerability was reported in the libnldap library of Novell eDirectory. When a large LDAP delRequest message is sent, a stack overflow occurs that overwrites a function pointer. This allows the execution of arbitrary code.

Install the update from Novell.

Reference
http://www.zerodayinitiative.com/advisories/ZDI-08-013

http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=3382120&sliceId=SAL_Public&dialogID=59352034&stateId=0%200%2059350122
Multiple vulnerabilities in solidDB
updated: 28-Mar-08
Multiple vulnerabilities were reported in IBM solidDB <= 06.00.1018, including a format string bug in the logging function, a crash caused by an arbitrary array index, a NULL pointer dereference, and server termination through an allocation error.

PoC exploit has been published.

Reference
http://aluigi.org/poc/soliduro.zip
SILC pkcs_decode buffer overflow
updated: 28-Mar-08
A remote buffer overflow vulnerability was found in a library used by both the SILC server 1.1.1 and client 1.1.3 to process packets containing cryptographic material. It may allow an unauthenticated client to execute arbitrary code on the server with the privileges of the user account running the server, or a malicious SILC server to compromise client systems and execute arbitrary code with the privileges of the user account running the SILC client program.

Upgrade to a fixed version.

Reference
http://www.coresecurity.com/?action=item&id=2206
Multiple Heap Overflows in Xine-Lib
updated: 21-Mar-08
xine-lib <= 1.1.11 is affected by various heap overflow vulnerabilities caused by incorrect 32-bit calculation of the amount of memory to allocate for some destination buffers and arrays.

These bugs allow an attacker to control some registers or directly the code flow (as with demux_qt), which could lead to the execution of malicious code.

The original advisory shows the source code instructions that perform these bad allocations.

PoC exploit has been published.

Reference
http://aluigi.org/poc/xinehof.zip
ViewVC Multiple Vulnerabilities
updated: 21-Mar-08
Multiple security issues have been reported in ViewVC < 1.05. A remote attacker could send a specially crafted URL to the server to list CVS or SVN commits on "all-forbidden" files, access hidden CVSROOT folders, and view restricted content via the revision view, the log history, or the diff view.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1290
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1291
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1292
ssl-cert eclass Certificate Disclosure
updated: 21-Mar-08
The docert() function provided by ssl-cert.eclass can be called by source building stages of an ebuild, such as src_compile() or src_install(), which will result in the generated SSL keys being included inside binary packages (binpkgs).

A local attacker could recover the SSL keys from publicly readable binary packages when "emerge" is called with the "--buildpkg (-b)" or "--buildpkgonly (-B)" option. Remote attackers can recover these keys if the packages are served to a network. Binary packages built using "quickpkg" are not affected.

Conserver < 8.1.16, postfix < 2.4.6-r2, netkit-ftpd < 0.17-r7, ejabberd < 1.1.3, unrealircd < 3.2.7-r2, cyrus-imapd < 2.3.9-r1, dovecot < 1.0.10, stunnel < 4.21-r1, and inn < 2.4.3-r1 are affected.

Upgrading to newer versions of the above packages will remove neither possibly compromised SSL certificates nor old binary packages. Remove the certificates installed by Portage, and then emerge an upgrade to the package.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1383
OpenLDAP Denial of Service Vulnerabilities
updated: 21-Mar-08
Multiple Denial of Service vulnerabilities have been reported in OpenLDAP < 2.3.41.

A remote attacker can cause a Denial of Service by sending a malformed "objectClasses" attribute, via unknown vectors that prevent the "new_attrs" array from being NULL terminated, and via a modrdn operation with a NOOP (LDAP_X_NO_OPERATION) control.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5707
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5708
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0658
Sun Solaris rpc.ypupdated Arbitrary Command Execution
updated: 21-Mar-08
Insufficient filtering done on user provided input by the rpc.ypupdated RPC process under the Sun Solaris operating system 10 allows remote attackers to cause the process to execute arbitrary commands.

PoC exploit has been published.

Reference
http://www.milw0rm.com/exploits/5282
IBM Rational ClearQuest Web Multiple XSS
updated: 20-Mar-08
Multiple cross site scripting vulnerabilities exist in the variables contextid, schema, userNameVal, and username of IBM's Rational ClearQuest Web interface.

Install the patches (2003.06.16 Patch 2008A, 7.0.0.2_iFix01, or 7.0.1.1_iFix01, depending on the installed release) from IBM.

HP StorageWorks Library and Tape Tools Local Unauthorized Access
updated: 20-Mar-08
A potential security vulnerability has been identified with HP StorageWorks Library and Tape Tools (LTT) running on HP-UX B.11.11, B.11.23. The vulnerability could be exploited by a local authorized user to gain unauthorized access.

Install the software update from HP.

MoinMoin Multiple Vulnerabilities
updated: 20-Mar-08
Several vulnerabilities have been reported in MoinMoin Wiki Engine < 1.6.1. These vulnerabilities can be exploited to allow remote attackers to inject arbitrary web script or HTML, overwrite arbitrary files, or read protected pages.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0781
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1099
Firefox Information Leak Vulnerability
updated: 19-Mar-08
An information leakage vulnerability reported in Firefox 2.0.0.12 allows remote attackers to enumerate all the configuration settings of the browser without requiring user authorization or interaction.

PoC exploit was published.

Reference
http://www.0x000000.com/
Asterisk Multiple RTP Buffer Overflows
updated: 19-Mar-08
Two security issues were discovered in the SDP parser in Asterisk 1.4.18. One is an invalid write to an attacker-controllable, almost arbitrary memory location and the other is a stack buffer overflow with limited attacker-controllable values.

Upgrade to Asterisk 1.4.18.1.

Reference
http://labs.musecurity.com/advisories/MU-200803-01.txt
RTP Codec Payload Handling Two Buffer Overflows
updated: 19-Mar-08
Two buffer overflows exist in the RTP payload handling code of Asterisk < 1.4.18.1 or < 1.4.19-rc3. Both overflows can be caused by an INVITE or any other SIP packet with SDP. The request may need to be authenticated depending on configuration of the Asterisk installation.

Upgrade to the latest version.

Reference
http://downloads.digium.com/pub/security/AST-2008-002.html
Asterisk Logger and Manager Format String Vulnerability
updated: 19-Mar-08
Logging messages displayed using the Asterisk < 1.6.0-beta6 ast_verbose logging API call are not displayed as a character string, they are displayed as a format string. Output as a result of the Manager command "command" is not appended to the resulting response message as a character string, it is appended as a format string. It is possible in both instances for an attacker to provide a formatted string as a value for input which can cause a crash.

Upgrade to the latest version.

Reference
http://downloads.digium.com/pub/security/AST-2008-004.html
Asterisk SIP Channel Driver Unauthenticated Calls
updated: 19-Mar-08
Unauthenticated calls can be made via the Asterisk SIP channel driver using an invalid From header. This acts similarly to the SIP configuration option 'allowguest=yes', in that calls with a specially crafted From header would be sent to the PBX in the context specified in the general section of sip.conf.

Asterisk Open Source < 1.4.19-rc3, Asterisk Business Edition version < C.1.6.2, AsteriskNOW < 1.0.2, Asterisk Appliance Developer Kit < 1.4 revision 109393, and s800i (Asterisk Appliance) < 1.1.0.2 are affected. Upgrade to the latest version.

Reference
http://downloads.digium.com/pub/security/AST-2008-003.html
Leopard Wiki Server Path Traversal
updated: 19-Mar-08
The Leopard bundled Wiki Server is vulnerable to a path traversal attack, which can be exploited by non-privileged system users via a forged file upload to write arbitrary files on locations in the server filesystem, restricted only by privileges of the Wiki Server application.

Mac OS X Server 10.5.2 (Leopard Server) and Mac OS X version 10.5 (Leopard) are affected. Install the updates from Apple.

Reference
http://docs.info.apple.com/article.html?artnum=106704
Novell GroupWise Windows Client API Security Vulnerability
updated: 19-Mar-08
A security vulnerability exists in the Novell GroupWise Windows client API that can allow programmatic access to non-authorized email under certain conditions. The attacker must first authenticate to GroupWise and be a recipient of a shared folder from another user. The attacker could then exploit the vulnerability to gain unauthorized access to non-shared email in the mailbox of the sharer.

Novell GroupWise 7 and 6.5 are affected. Install the updates from Novell.

Reference
https://secure-support.novell.com/KanisaPlatform/Publishing/732/3263374_f.SAL_Public.html
Argon Client Management Services Directory Traversal
updated: 19-Mar-08
The Argon Client Management Services TFTP Boot Server 2.5.3.1 is affected by a classical directory traversal vulnerability which allows an attacker to download (upload is not allowed) any file on the disk where the tftp folder is located.

PoC exploit has been published.

Reference
http://aluigi.altervista.org/adv/argonauti-adv.txt
http://aluigi.org/testz/tftpx.zip
Multiple Vendor CUPS CGI Heap Overflow Vulnerability
updated: 19-Mar-08
A heap based buffer overflow vulnerability was reported in CUPS 1.3.5, as included in various vendors' operating system distributions. By passing a specially crafted request, an attacker can trigger a heap based buffer overflow.

Successful exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the affected service. Depending on the underlying operating system and distribution, CUPS may run as the lp, daemon, or a different user.

Disabling printer sharing will prevent this vulnerability from being exploited remotely. However, local users will still be able to obtain the privileges of the CUPS service user.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=674
Array overrun in RPC library used by kadmin
updated: 19-Mar-08
Two bugs were reported in the RPC library server code, used in the kadmin server, that cause an array overrun if too many file descriptors are opened. Memory corruption can result.

An unauthenticated remote attacker can cause memory corruption in the kadmind process, which is likely to cause kadmind to crash, resulting in a denial of service. It is at least theoretically possible for such corruption to result in database corruption or arbitrary code execution, though we have no such exploit and are not aware of any such exploits in use in the wild.

Apply the patch from the developer.

Reference
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-002.txt
Double-free, uninitialized data vulnerabilities in krb5kdc
updated: 19-Mar-08
When Kerberos 4 support is enabled in the MIT Kerberos 5 KDC, malformed messages may trigger two bugs:

CVE-2008-0062: A global variable holding a pointer to the message to be sent back to the client is only set for two recognized krb4 message types, but may be used (and freed) in additional cases, resulting in use of a null or dangling pointer.

CVE-2008-0063: The incoming krb4 message is copied into a fixed-size buffer on the stack, but the remainder of the buffer is left untouched, and the bounds checks use the size of the buffer, not the size of the data copied into it.

By default, Kerberos 4 support is compiled in but not enabled in recent versions, and these bugs are not exposed unless Kerberos 4 support is enabled.

CVE-2008-0062: An unauthenticated remote attacker may cause a krb4-enabled KDC to crash, expose information, or execute arbitrary code. Successful exploitation of this vulnerability could compromise the Kerberos key database and host security on the KDC host.

CVE-2008-0063: An unauthenticated remote attacker may cause a krb4-enabled KDC to expose information. It is theoretically possible for the exposed information to include secret key data on some platforms.

The MIT Kerberos 5 KDC in releases <= 1.6.3 is affected. Apply the patch from the developer.

Reference
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-001.txt
PCRE Buffer Overflow
updated: 19-Mar-08
PCRE contains a buffer overflow vulnerability when processing a character class containing a very large number of characters with codepoints greater than 255.

A remote attacker could exploit this vulnerability by sending a specially crafted regular expression to an application making use of the PCRE library, which could possibly lead to the execution of arbitrary code or a Denial of Service.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0674
Dovecot Multiple Vulnerabilities
updated: 19-Mar-08
Dovecot < 1.0.13-r1 uses the group configured via the "mail_extra_groups" setting, which should be used to create lockfiles in the /var/mail directory, when accessing arbitrary files. Besides, dovecot does not escape TAB characters in passwords when saving them, which might allow for argument injection in blocking passdbs such as MySQL, PAM or shadow.

Remote attackers can exploit the first vulnerability to disclose sensitive data, such as the mail of other users, or modify files or directories that are writable by group via a symlink attack. Please note that the "mail_extra_groups" setting is set to the "mail" group by default when the "mbox" USE flag is enabled.

The second vulnerability can be abused to inject arguments for internal fields.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1218
VMWare Updates for Critical Security Issues
updated: 19-Mar-08
Several critical security vulnerabilities have been addressed in the newest releases of VMware's hosted product line.

VMware Workstation <= 6.0.2, VMware Player <= 2.0.2, VMware ACE <= 2.0.2, VMware Server <= 1.0.4 and VMware Fusion <= 1.1 are affected. Upgrade to the latest version.

Website META Language Insecure Temporary File Usage
updated: 19-Mar-08
Temporary files are handled insecurely in the files wml_backend/p1_ipp/ipp.src, wml_contrib/wmg.cgi, and wml_backend/p3_eperl/eperl_sys.c, allowing users to overwrite or delete arbitrary files with the privileges of the user running the program.

Local users can exploit the insecure temporary file vulnerabilities via symlink attacks to perform certain actions with escalated privileges.

All Website META Language users should upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0665
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0666
IBM Informix Dynamic Server Authentication Password Stack Overflow
updated: 17-Mar-08
A vulnerability was reported in the oninit.exe process of IBM Informix Dynamic Server, which listens by default on TCP port 1526. During authentication, the process does not validate the length of the supplied user password. An attacker can provide an overly long password and overflow a stack based buffer, resulting in arbitrary code execution.

Install the update from IBM.

Reference
http://www-1.ibm.com/support/docview.wss?uid=swg1IC55210
http://www-1.ibm.com/support/docview.wss?uid=swg1IC55209
http://www.zerodayinitiative.com/advisories/ZDI-08-012
Airspan WiMAX ProST Authentication Bypass Vulnerability
updated: 17-Mar-08
An authentication bypass vulnerability was reported in Airspan ProST Modem management with firmware version prior to 6.5.40.0 with Hardware rev prior to 4.1.

This issue is due to a failure of the application to properly handle access validation functionality. The access gained through this issue grants admin privileges.

MG-SOFT Net Inspector Multiple Vulnerabilities
updated: 17-Mar-08
Multiple vulnerabilities have been discovered in MG-SOFT Net Inspector 6.5.0.828, namely a format string bug in mghttpd, directory traversal in mghttpd, a crash in MgWTrap3, and Denial of Service in niengine. These vulnerabilities allow attackers to crash the system and potentially to execute arbitrary code.

Reference
http://aluigi.altervista.org/adv/netinsp-adv.txt
Sun Cluster rpc.metad Denial of Service
updated: 17-Mar-08
A vulnerability was reported in Sun OS 5.1 Clustering service rpc.metad that allows remote attackers to cause it to crash by sending it malformed data.

PoC exploit has been published.

Reference
http://www.milw0rm.com/exploits/5258
NetWin Surgemail LIST Universal
updated: 17-Mar-08
A vulnerability was found in the NetWin 3.8k4-4 IMAP server which allows authenticated users to overflow an internal buffer, which in turn can be used to cause the product to execute arbitrary code.

PoC exploit has been published.

Reference
http://www.milw0rm.com/exploits/5259
Ruby WEBrick Directory Traversal
updated: 17-Mar-08
The Ruby WEBrick HTTPd server was found containing a directory traversal security vulnerability.

Ruby < 1.8.5-p115 or < 1.9.0-2 are affected. Install the patches from the developer.

Reference
http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/
Raidsonic NAS-4220 Crypt Disk Key Leak
updated: 17-Mar-08
The NAS-4220-B can hold two SATA disks. Disks are encrypted through a loop back device using AES128. The problem came to attention when one could access the NAS after reboot without supplying the hard disk key.

The key is stored in /system/.crypt; "/system" is a small configuration partition on the same disk that holds the encrypted partition. The system partition is created by the system software running on the NAS-4220. The configuration partition of the second hard disk is not mounted by default but also contains the .crypt file holding the key for the encrypted partition on the same disk.

Reference
http://www.mulliner.org/security/advisories/raidsonic_nas4220_crypt_disk_key_leak_09Mar2008.txt
Sun JDK Image Parsing Library Vulnerabilities
updated: 17-Mar-08
A vulnerability in Sun JDK < 1.6.0u5 image parsing library allows attackers that can supply the JDK with a malformed JPEG file to trigger a buffer overflow which in turn can be used at the very least to crash the Java environment, but in more problematic cases to execute arbitrary code.

Upgrade Sun JDK to the latest version.

Reference
http://scary.beasts.org/security/CESA-2007-005.html
Timbuktu Pro Path Traversal and Log Injection
updated: 17-Mar-08
The following vulnerabilities have been identified in Timbuktu Pro 8.6.5:

1) File transfer directory traversal (CVE-2008-1117): The '\' and '/' are not properly sanitized when checking the destination filename. The problem resides in the Notes feature implemented by tb2ftp.dll loaded by the tb2pro.exe. This is the main issue.

2) Log input manipulation (CVE-2008-1118): Several fields of the packet containing peer information (computer name, user name and IP address) are taken from the packet sent to the target and used to display this information on the screen of the target.

The vulnerabilities discovered in Timbuktu Pro allow a remote attacker to upload a file to an arbitrary location on the victim's machine and forge peer information on the log lines of the victim's application.
Reference
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1117
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1118
Zabbix (zabbix_agentd) Denial of Service
updated: 17-Mar-08
There are some Denial of Service issues with Zabbix which can be exploited by a malicious user from an authorized host.

This can be triggered by sending the agent a file checksum request (vfs.file.cksum[file]) with the file argument being some "special" device node like /dev/zero or /dev/urandom (the latter raises kernel CPU usage even more).

If the malicious user sends requests, then the zabbix_agentd service will not be able to serve any requests until it's restarted.

CiscoWorks Internetwork Performance Monitor Remote Command Execution Vulnerability
updated: 17-Mar-08
CiscoWorks Internetwork Performance Monitor (IPM) version 2.6 for Sun Solaris and Microsoft Windows operating systems contains a process that causes a command shell to automatically be bound to a randomly selected TCP port. Remote, unauthenticated users are able to connect to the open port and execute arbitrary commands with casuser privileges on Solaris systems and with SYSTEM privileges on Windows systems.

Install the update from Cisco.

Reference
http://www.cisco.com/warp/public/707/cisco-sa-20080313-ipm.shtml
LIVE555 Media Server Denial of Service
updated: 17-Mar-08
A Denial of Service vulnerability has been reported in LIVE555 Media Server < 2008.02.08, due to a signedness error in the parseRTSPRequestString() function when processing short RTSP queries.

A remote attacker could send a specially crafted RTSP query to the vulnerable server, resulting in a crash.

Upgrade LIVE555 Media Server to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6036
Cisco Secure ACS for Windows User-Changeable Password Vulnerabilities
updated: 13-Mar-08
Two sets of vulnerabilities were discovered in the Cisco Secure Access Control Server (ACS) for Windows User-Changeable Password (UCP) application.

The first set of vulnerabilities address several buffer overflow conditions in the UCP application that could result in remote execution of arbitrary code on the host system where UCP is installed.

The second set of vulnerabilities address cross-site scripting in the UCP application pages.

Both sets of vulnerabilities could be remotely exploited, and do not require valid user credentials.

Install the update from Cisco.

Reference
http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml
Format String in McAfee Framework and ePolicy Orchestrator
updated: 13-Mar-08
The logDetail function of applib.dll (which is just a link to naimcomn_LogDetailW -> _naimcomn_Log in nailog2.dll) is used for adding new log entries and is affected by a format string vulnerability caused by calling vsnwprintf without the needed format argument.

In McAfee ePolicy Orchestrator this vulnerability can be exploited through the sending of a simple UDP packet with a malformed sender, package or computer field. The output log file Agent_HOSTNAME.log is located in the Db folder.

PoC exploit has been published. McAfee Framework <= 3.6.0.569 implemented in McAfee ePolicy Orchestrator 4.0 is affected.

Reference
http://aluigi.org/poc/meccaffi.zip
Solaris fifofs I_PEEK Kernel Memory Leak
updated: 13-Mar-08
An integer signedness error in FIFO filesystems (named pipes) on Sun Solaris 8 through 10 allows local users to read the contents of unspecified memory locations via a negative value to the I_PEEK ioctl.

Solaris 8, 9 and 10 are affected. PoC exploit has been published.

Reference
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5225
http://www.milw0rm.com/exploits/5227
Java Web Start tempbuff Stack Buffer Overflow
updated: 13-Mar-08
A stack buffer overflow flaw was reported in the useEncodingDecl() function of Sun Microsystems Java Runtime used while checking xml based JNLP files for UTF8 characters.

When a user downloads a malicious JNLP file, the data immediately preceding the opening of the xml tag is read into a static buffer. If an overly long key name in the xml header is included, a stack based buffer overflow occurs, resulting in an exploitable condition.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Sun Java Web Start. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

Install the update from Sun Microsystems.

Reference
http://www.zerodayinitiative.com/advisories/ZDI-08-009
http://sunsolve.sun.com/search/document.do?assetkey=1-66-233323-1
Java Web Start encoding Stack Buffer Overflow
updated: 13-Mar-08
A stack buffer overflow was discovered in the useEncodingDecl() function of Sun Microsystems Java Runtime used while parsing the xml header character encoding attribute. When a user downloads a malicious JNLP file, the charset value is read into a static buffer. If an overly long charset name is included in the xml header, a stack based buffer overflow occurs, resulting in an exploitable condition.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Sun Java Web Start. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.


Install the update from Sun Microsystems.

Reference
http://www.zerodayinitiative.com/advisories/ZDI-08-010
http://sunsolve.sun.com/search/document.do?assetkey=1-66-233323-1
Sarg Arbitrary Code Execution
updated: 13-Mar-08
Sarg (Squid Analysis Report Generator) < 2.2.5 doesn't properly check its input for abnormal content when processing Squid log files.

A remote attacker using a vulnerable Squid as a proxy server or a reverse-proxy server can inject arbitrary content into the "User-Agent" HTTP client header, that will be processed by sarg, which will lead to the execution of arbitrary code, or JavaScript injection, allowing Cross-Site Scripting attacks and the theft of credentials.

Upgrade Sarg to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1167
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1168
Mapbender SQL Injections
updated: 13-Mar-08
SQL injection vulnerabilities were reported in Mapbender 2.4.4, due to the lack of input validation on the user input $_REQUEST["gaz"], which is then placed unquoted and unescaped into an SQL statement. As no prepared statements are used here, an attacker can execute arbitrary SQL commands.

PoC exploit has been published. Upgrade Mapbender to release 2.4.5 rc1.

Reference
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0301
Mapbender Command Execution
updated: 13-Mar-08
A remote command execution vulnerability was discovered in Mapbender due to the lack of input filtering on the "factor" input field. The contents of this field, including any PHP code it carries, are written into a newly generated file in the Mapbender web folder. Therefore, it is possible to remotely execute the code by requesting the new file.

PoC exploit has been published. Upgrade Mapbender to release 2.4.5 rc1.

Reference
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0300
http://www.redteam-pentesting.de/advisories/rt-sa-2008-001.php
MS08-014 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
updated: 12-Mar-08
Multiple vulnerabilities were reported in Excel 2000, 2002, 2003 and 2007, Excel Viewer 2007, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Office 2004 for Mac and Office 2008 for Mac:

- Excel Data Validation Record Vulnerability - CVE-2008-0111
- Excel File Import Vulnerability - CVE-2008-0112
- Excel Style Record Vulnerability - CVE-2008-0114
- Excel Formula Parsing Vulnerability - CVE-2008-0115
- Excel Rich Text Validation Vulnerability - CVE-2008-0116
- Excel Conditional Formatting Vulnerability - CVE-2008-0117
- Macro Validation Vulnerability - CVE-2008-0081

Install the updates from Microsoft.

Reference
http://www.microsoft.com/technet/security/bulletin/MS08-014.mspx
MS08-015 Vulnerability in Microsoft Outlook Could Allow Remote Code Execution
updated: 12-Mar-08
A remote code execution vulnerability exists in Outlook. The vulnerability could allow remote code execution if Outlook is passed a specially crafted mailto URI. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Outlook 2000 SP3, 2002 SP2, 2003 SP2, 2003 SP3, and 2007 are affected. Install the updates from Microsoft.

Reference
http://www.microsoft.com/technet/security/bulletin/MS08-015.mspx
MS08-016 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
updated: 12-Mar-08

A remote code execution vulnerability exists in the way Microsoft Office handles specially crafted Excel files and processes malformed Office files. An attacker could exploit the vulnerability by creating a malformed file which could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site.

Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP2, Excel Viewer 2003, Excel Viewer 2003 SP3 and Office 2004 for Mac are affected. Install the updates from Microsoft.

Reference
http://www.microsoft.com/technet/security/bulletin/MS08-016.mspx
MS08-017 Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution
updated: 12-Mar-08
A remote code execution vulnerability exists in the way Microsoft Office Web Components manages memory resources when parsing specially crafted URLs. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Office 2000 SP3, Office XP SP3, Visual Studio .NET 2002 SP1, Visual Studio .NET 2003 SP1, BizTalk Server 2000, BizTalk Server 2002, and Commerce Server 2000 are affected. Install the updates from Microsoft.

Reference
http://www.microsoft.com/technet/security/bulletin/MS08-017.mspx
International Components for Unicode Multiple Vulnerabilities
updated: 12-Mar-08
Two vulnerabilities have been discovered in the International Components for Unicode (ICU) < 3.8.1-r1, possibly resulting in the remote execution of arbitrary code or a Denial of Service.

A remote attacker could submit specially crafted regular expressions to an application using the library, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application or a Denial of Service.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4770
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4771
Apache Multiple Vulnerabilities
updated: 12-Mar-08
Multiple vulnerabilities have been discovered in Apache < 2.2.8.

A remote attacker could entice a user to visit a malicious URL or send specially crafted HTTP requests (e.g. using Adobe Flash) to perform Cross-Site Scripting and HTTP response splitting attacks, or conduct a Denial of Service attack on the vulnerable web server.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6203
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0005
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0455
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0456
Adobe LiveCycle Workflow XSS Vulnerability
updated: 12-Mar-08
Adobe LiveCycle Workflow 6.2 Management Web Interface contains a vulnerability which is susceptible to a cross site scripting (XSS) attack. Input passed to the URL of the web management login page is not properly sanitized before being returned to the user.

A remote attacker could execute an XSS attack that could pass arbitrary HTML to the user and capture usernames/passwords.

Install the patch from Adobe.

Reference
http://www.liquidmatrix.org/blog/2008/03/11/advisory-adobe-livecycle-workflow-xss-vulnerability/
http://www.adobe.com/support/security/bulletins/apsb08-10.html
Timbuktu Pro Remote Path Traversal and Log Injection
updated: 12-Mar-08
Two vulnerabilities were identified in Timbuktu Pro 8.6.5 for Windows and Timbuktu Pro 8.7 for Mac OS X.

1. File transfer directory traversal (CVE-2008-1117): The '\' and '/' characters are not properly sanitized when checking the destination filename. The problem resides in the Notes feature implemented by tb2ftp.dll, which is loaded by tb2pro.exe. This is the main issue.

2. Log input manipulation (CVE-2008-1118): Several fields of the packet containing peer information (computer name, user name and IP address) are taken from the packet sent to the target and used to display this information on the screen of the target.

These vulnerabilities allow a remote attacker to upload a file to an arbitrary location on the victim's machine and forge peer information on the log lines of the victim's application.

Install the fix from the vendor.

Reference
http://www.coresecurity.com/?action=item&id=2166
Session Fixation Vulnerability in WebLogic Administration Console
updated: 12-Mar-08
A session fixation vulnerability was reported in the BEA WebLogic 10.0 Administration Console that allows the attacker to assume the administrator's identity and thus gain administrative access to the console.

The session management used for setting up and maintaining administrative sessions allows the attacker to fix the administrative session cookie(s) in the administrator's web browser and use this cookie to access the administration console after the administrator has logged into it. The vulnerability is exploitable even if the Administration Console is only accessed/accessible via HTTPS and even if the Administrative Port is enabled.

Install the update from BEA.

Reference
http://www.acrossecurity.com/aspr/ASPR-2008-03-11-2-PUB.txt
http://dev2dev.bea.com/pub/advisory/270
HTML Injection in BEA WebLogic Server Console
updated: 12-Mar-08
An HTML Injection vulnerability was reported in WebLogic Server 10 Administration Console that allows the attacker to gain administrative access to the server.

It was possible to craft a URL that, when requested from the server, returns a document with arbitrarily chosen HTML injected. An obvious use for this type of vulnerability is cross-site scripting, which can be used, among other things, for obtaining session cookies from WebLogic administrators. These cookies, when stolen, provide the attacker with administrative access to the WebLogic Administration Console, compromising the security of the entire web server.

This vulnerability is exploitable even if the Administration Console is only being accessed via HTTPS, and even if the Administrative Port is enabled.

Install the update from BEA.

Reference
http://www.acrossecurity.com/aspr/ASPR-2008-03-11-1-PUB.txt
http://dev2dev.bea.com/pub/advisory/269
SQL Injection Vulnerabilities in Mapbender
updated: 12-Mar-08
Due to the lack of input validation, an attacker is able to inject SQL commands in many PHP scripts of Mapbender < 2.4.5 rc1. This vulnerability can be exploited regardless of PHP magic quotes. For demonstration purposes, the injection into the "gaz" variable of the file http/php/mod_gazetteer_edit.php is shown.

Upgrade to a safer version.

Reference
http://www.redteam-pentesting.de/advisories/rt-sa-2008-002.php
phpMyAdmin SQL Injection Vulnerability
updated: 12-Mar-08
phpMyAdmin < 2.11.5 uses the $_REQUEST variable, rather than $_GET and $_POST, as the source for its parameters, so values supplied through cookies are accepted as well.

An attacker could entice a user to visit a malicious web application that sets an "sql_query" cookie and is hosted on the same domain as phpMyAdmin, and thereby conduct SQL injection attacks with the privileges of the user authenticating in phpMyAdmin afterwards.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1149
Ghostscript Buffer Overflow
updated: 12-Mar-08
A stack-based buffer overflow has been discovered in the zseticcspace() function in the file zicc.c of Ghostscript when processing a PostScript file containing a long "Range" array in a .seticcspace operator.

A remote attacker could exploit this vulnerability by enticing a user to open a specially crafted PostScript file, which could possibly lead to the execution of arbitrary code or a Denial of Service.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0411
F5 BIG-IP Web Management Console XSS
updated: 12-Mar-08
The F5 BIG-IP web management interface contains a potentially persistent cross-site scripting vulnerability in the "Console" feature. Output from executed console commands is wrapped in a textarea element so that the content is displayed verbatim, but there is no protection against forced premature termination of the textarea block with an injected closing textarea tag.

One possible persistent exploitation is for an attacker to create a log entry with an embedded script that gets executed any time the corresponding log file is later reviewed in the Console by an administrator. It is possible to craft URL links that would generate a suitable log entry with a simple HTTP GET request. This allows the attack to be carried out remotely. The vulnerability has been identified in F5 BIG-IP 9.4.3.

Panda Internet Security/Antivirus+Firewall 2008 cpoint.sys Kernel Driver Memory Corruption
updated: 11-Mar-08
The kernel driver cpoint.sys shipped with Panda Internet Security and Antivirus+Firewall 2008 contains a vulnerability in the code that handles IOCTL requests.

Exploitation of this vulnerability can result in local denial of service attacks (system crash due to a kernel panic), or local execution of arbitrary code at the kernel level (complete system compromise).

The issue can be triggered by sending a specially crafted IOCTL request. No special user rights are necessary to exploit the vulnerability.

Install the hotfix for Panda Internet Security 2008 or the hotfix for Panda Antivirus+Firewall 2008.

Reference
http://www.trapkit.de/advisories/TKADV2008-001.txt
http://www.pandasecurity.com/homeusers/support/card?id=41337&idIdioma=2&ref=ProdExp
Cacti Multiple Vulnerabilities
updated: 11-Mar-08
Inputs are not properly sanitized before being processed in Cacti < 0.8.7b, namely "view_type" parameter in the file graph.php, "filter" parameter in the file graph_view.php, "action" and "login_username" parameters in the file index.php, "local_graph_id" parameter in the file graph.php, "graph_list" parameter in the file graph_view.php, "leaf_id" and "id" parameters in the file tree.php, and "local_graph_id" in the file graph_xport.php.

Furthermore, CRLF injection attacks are possible via unspecified vectors.

A remote attacker could exploit these vulnerabilities, leading to path disclosure, Cross-Site Scripting attacks, SQL injection, and HTTP response splitting.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0784
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0785
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0786
SAP MaxDB sdbstarter Privilege Escalation Vulnerability
updated: 11-Mar-08
A privilege escalation vulnerability was reported in the "sdbstarter" program of SAP MaxDB 7.6.0.37, due to a design error in the handling of certain environment variables. These variables are used to specify the configuration settings to be used by various MaxDB components.

Successful exploitation allows an attacker to execute arbitrary code with root privileges. To exploit this vulnerability, an attacker must be able to execute the "sdbstarter" program. In a default installation, this requires that the attacker be a member of the "sdba" group.

Upgrade to the latest version.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=670
Vulnerabilities in Timbuktu Pro
updated: 11-Mar-08
Denial of service and limited upload directory traversal vulnerabilities were reported in Timbuktu Pro 8.6.5.

PoC exploit has been released.

Reference
http://aluigi.org/poc/timbuto.zip
SAP MaxDB Signedness Error Heap Corruption Vulnerability
updated: 11-Mar-08
A signedness error was reported in the "vserver" component of SAP MaxDB 7.6.0.37. After accepting a connection, the "vserver" process forks and reads parameters from the client into various structures. When doing so, it trusts values sent from the client to be valid. By sending a specially crafted request, an attacker can cause heap corruption. This leads to a potentially exploitable memory corruption condition.

Successful exploitation allows an attacker to execute arbitrary code in the context of the running service. In order to exploit this vulnerability, an attacker must be able to establish a TCP session on port 7210 with the target host. Additionally, the attacker must know the name of an active database on the server.

Since this service uses the fork() system call once a connection has been accepted, an attacker can repeatedly attempt to exploit this vulnerability. Some exploitation attempts may result in the database process ceasing to run, in which case further exploitation attempts will not be possible.

Upgrade to the latest version.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=669
NULL pointer in Remotely Anywhere 8.0.668
updated: 11-Mar-08
The RemotelyAnywhere.exe process (port 2000) can be easily crashed through an HTTP request with an invalid Accept-Charset parameter, which leads to a NULL pointer dereference.

The process is restarted automatically within less than one minute by the management service, so an attacker needs to send the malformed request at regular intervals to keep the server down for as long as desired.

PoC exploit has been released.

Reference
http://aluigi.org/poc/remotelynowhere.txt
PDFlib Multiple Buffer Overflows
updated: 11-Mar-08
Multiple boundary errors were reported in the pdc_fsearch_fopen() function of PDFlib < 7.0.2_p8 when processing overly long filenames.

A remote attacker could send specially crafted content to a vulnerable application using PDFlib, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6561
Denial of Service in PacketTrap TFTP server 2.0.3901.0
updated: 11-Mar-08
The TFTP server implemented in the pt360 suite can be easily interrupted by uploading files with invalid names: this raises an exception that blocks the TFTP component and forces the user to restart the whole application to get it running again.

PoC exploit has been released.

Reference
http://aluigi.org/testz/tftpx.zip
MPlayer Multiple Buffer Overflows
updated: 11-Mar-08
Multiple vulnerabilities have been discovered in MPlayer < 1.0_rc2_p25993, possibly allowing for the remote execution of arbitrary code.

A remote attacker could entice a user to open a specially crafted file, possibly resulting in the execution of arbitrary code with the privileges of the user running MPlayer.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0486
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0629
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0630
NULL pointer in Acronis True Image Windows Agent
updated: 11-Mar-08
A NULL pointer vulnerability was reported in Acronis True Image Windows Agent 1.0.0.54 and Acronis True Image Enterprise Server 9.5.0.8072, which can be exploited through the sending of a malformed packet to the server causing its immediate termination.

Reference
http://aluigi.altervista.org/adv/acroagent-adv.txt
Acronis True Image Group Server Invalid Memory Access
updated: 11-Mar-08
A vulnerability was reported in Acronis True Image Group Server version 1.5.19.191 and Acronis True Image Enterprise Server version 9.5.0.8072.

The packets used by this server contain some 16 bit fields which specify the length of the subsequent data. The problem is that each received packet occupies a buffer of about 2048 bytes, yet the server allocates the amount of memory specified by the length field and then copies that many bytes from the packet into the new buffer, so a length larger than the packet itself causes an invalid read access and the crash of the service.

Reference
http://aluigi.altervista.org/adv/acrogroup-adv.txt
MailEnable Professional/Enterprise Multiple Vulnerabilities
updated: 11-Mar-08
Multiple vulnerabilities have been discovered in the MailEnable product; they allow an attacker to trigger buffer overflows as well as NULL pointer dereferences.

The IMAP service (MEIMAPS.exe) of MailEnable is affected by several buffer overflow vulnerabilities caused by overly long parameters passed to the FETCH, EXAMINE and UNSUBSCRIBE commands, allowing an attacker to execute malicious code.

The IMAP service is also affected by two NULL pointer dereference vulnerabilities, triggered by omitting the required arguments of the SEARCH and APPEND commands; the first can be triggered by unauthenticated attackers too.

PoC exploit has been published.

Reference
http://aluigi.altervista.org/adv/maildisable-adv.txt
http://aluigi.org/poc/maildisable.zip
PacketTrap TFTP Server Denial of Service
updated: 11-Mar-08
A vulnerability was reported in the way the pt360 (PacketTrap) TFTP server 2.0.3901.0 works that allows remote attackers to cause it to become stuck by uploading files with invalid filenames.

The TFTP server implemented in the pt360 suite can be easily crashed through the uploading of files with invalid names. When this occurs an exception is raised which blocks the TFTP component and forces the user to restart the whole application for re-running it.

PoC exploit has been published.

Reference
http://aluigi.altervista.org/adv/packettrash-adv.txt
http://aluigi.org/testz/tftpx.zip
MicroWorld eScan Server Directory Traversal
updated: 11-Mar-08
A vulnerability was discovered in the way the MicroWorld eScan server 9.0.742.98 works that allows remote attackers to make the product provide access to files that would otherwise be inaccessible.

Although the server tries to prevent directory traversal attacks, for example by rejecting dotdot patterns, it is still possible for an attacker to download any file from the disk of the remote system simply by placing a slash or a backslash at the beginning of the filename, which selects the root path of the disk: for example /boot.ini, \windows\win.ini and so on.

Only downloading files is allowed by the server, so deleting or uploading custom files is not possible.
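As an added example (not eScan's own code), the C check below closes the bypass described above: before any file is opened it rejects a leading slash or backslash and drive-letter forms, in addition to the dotdot components the server already rejected, treating both separators alike as Windows does. The base directory and the sample names are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns true when `name` is a safe relative path made only of plain
 * components: no leading separator, no drive letter, and no empty, "."
 * or ".." component. Both '/' and '\\' count as separators. */
bool is_safe_relative_name(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    /* Root of the disk, the bypass from the advisory: "/boot.ini", "\windows\win.ini". */
    if (name[0] == '/' || name[0] == '\\')
        return false;
    /* Drive-letter forms such as "C:\x" or "C:x". */
    if (((name[0] >= 'A' && name[0] <= 'Z') || (name[0] >= 'a' && name[0] <= 'z'))
        && name[1] == ':')
        return false;
    const char *p = name;
    while (*p != '\0') {
        const char *start = p;
        while (*p != '\0' && *p != '/' && *p != '\\')
            p++;
        size_t clen = (size_t)(p - start);
        /* Empty component ("a//b", trailing separator), "." or "..". */
        if (clen == 0 || (clen == 1 && start[0] == '.') ||
            (clen == 2 && start[0] == '.' && start[1] == '.'))
            return false;
        if (*p != '\0')
            p++;                /* skip the separator */
    }
    return true;
}

/* Builds base + "/" + name into out (backslashes normalised to '/'),
 * but only when the name passes the check above.
 * Returns 0 on success, -1 when the name is rejected or the result would not fit. */
int build_download_path(const char *base, const char *name, char *out, size_t out_len)
{
    if (!is_safe_relative_name(name))
        return -1;
    int n = snprintf(out, out_len, "%s/%s", base, name);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    for (char *q = out; *q != '\0'; q++)
        if (*q == '\\')
            *q = '/';
    return 0;
}

int main(void)
{
    /* Constructed request names, including the forms quoted in the advisory. */
    const char *samples[] = { "report.txt", "logs\\today.log", "/boot.ini",
                              "\\windows\\win.ini", "..\\secret", "C:\\x" };
    char path[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_download_path("/srv/escan/share", samples[i], path, sizeof path);
        printf("%-20s %s\n", samples[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```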

Reference
http://aluigi.altervista.org/adv/escaz-adv.txt
Multiple Vulnerabilities in ASG-Sentry
updated: 11-Mar-08
Multiple vulnerabilities were reported in ASG-Sentry 7.0.0. These vulnerabilities include arbitrary file deletion, a heap overflow in FxAgent, termination of FxIAList, and a buffer overflow in FxIAList.

PoC exploit has been published.

Reference
http://aluigi.org/poc/asgulo.zip
Directory traversal and NULL pointer in Acronis PXE Server
updated: 11-Mar-08
Directory traversal and NULL pointer vulnerabilities were reported in Acronis PXE Server 2.0.0.1076.

The PXE Server (pxesrv.exe) implements a TFTP server for downloading the bootstrap files (uploading is not allowed). This service is vulnerable to classical directory traversal and arbitrary path attacks, which allow an attacker to download any file from the local disks or the network shares.

In addition, an incomplete TFTP request (anything from the simple absence of the option field to a packet consisting only of the 2-byte opcode) crashes the PXE Server through a NULL pointer access.

PoC exploit has been published.

Reference
http://aluigi.org/testz/tftpx.zip
VLC Multiple Vulnerabilities
updated: 11-Mar-08
Multiple vulnerabilities were found in VLC < 0.8.6e, allowing for the execution of arbitrary code and Denial of Service.

A remote attacker could send a long subtitle in a file that a user is enticed to open, a specially crafted MP4 input file, long SDP data, or a specially crafted HTTP request with a "Connection" header value containing format specifiers, possibly resulting in the remote execution of arbitrary code. Also, a Denial of Service could be caused and arbitrary files could be overwritten via the "demuxdump-file" option in a filename in a playlist or via an EXTVLCOPT statement in an MP3 file.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6681
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6682
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6683
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6684
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0296
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0984
Canon MFD FTP Bounce Attack
updated: 11-Mar-08
Certain Canon Multi Function Devices (see Products affected below) allow remote attackers to redirect traffic to other sites (aka FTP bounce) via the PORT command.

Disable FTP printing and protect FTP printing with username/password credentials.

Reference
https://itso.iu.edu/20080229_Canon_MFD_FTP_bounce_attack
Vobcopy Insecure Temporary File Creation
updated: 11-Mar-08
Vobcopy < 1.1.0 appends data to the file "/tmp/vobcopy.bla" in an insecure manner.

A local attacker could exploit this vulnerability to conduct symlink attacks and append data to arbitrary files with the privileges of the user running Vobcopy.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5718
lighttpd Multiple Vulnerabilities
updated: 11-Mar-08
Lighttpd < 1.4.18-r2 contains a calculation error when allocating the global file descriptor array. Furthermore, it sends the source of a CGI script instead of returning a 500 error (Internal Server Error) when the fork() system call fails.

A remote attacker could exploit these vulnerabilities to cause a Denial of Service or gain the source of a CGI script.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0983
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1111
Multiple vulnerabilities in Google's Android SDK
updated: 11-Mar-08
Several vulnerabilities have been found in Android SDK m3-rc37a and earlier in the processing of graphic content in some of the most used image formats (PNG, GIF and BMP). While some of these vulnerabilities stem from the use of outdated and vulnerable open source image processing libraries, others were introduced by native Android code that uses them or implements new functionality.

Exploitation of these vulnerabilities to gain complete control of a phone running the Android platform has been proved possible using the emulator included in the SDK, which emulates a phone running the Android platform on an ARM microprocessor.

Upgrade to a safer version.

Reference
http://www.coresecurity.com/files/attachments/core_security_advisories.asc
Sun Updates for Multiple Vulnerabilities in Java
updated: 7-Mar-08
Sun Java Runtime Environment 6 Update 4 and earlier contains multiple vulnerabilities. The most severe of these vulnerabilities could allow a remote attacker to execute arbitrary code.

Apply an update from Sun.

Checkpoint VPN-1 UTM Edge Cross Site Scripting
updated: 6-Mar-08
Insufficient input validation and output encoding on the login page of Checkpoint VPN-1 Edge W Embedded NGX version 7.5.48 allows an attacker to perform HTML injection by posting a suitable string to the login form handler. The injection leads to reflected pre-authentication cross site scripting.

PoC exploit has been published. Update to version 7.5.48.

Reference
http://www.louhi.fi/advisory/checkpoint_080306.txt
Evolution Format String Vulnerability
updated: 6-Mar-08
A format string error has been discovered in the emf_multipart_encrypted() function in the file mail/em-format.c of Evolution < 2.12.3-r1 when reading certain data (e.g. the "Version:" field) from an encrypted e-mail.

A remote attacker could entice a user to open a specially crafted encrypted e-mail, potentially resulting in the execution of arbitrary code with the privileges of the user running Evolution.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0072
Borland StarTeam Server Multiple Integer Overflows
updated: 6-Mar-08
Multiple integer overflows have been found in Borland's StarTeam server 2008 version 10.0.0.57 caused by the calculation of the amount of memory it needs to allocate for some arrays received from the clients.

Successful exploitation allows an attacker to control some registers, and execution of malicious code may be possible.

PoC exploit has been published. Upgrade to the latest version.

Reference
http://aluigi.altervista.org/adv/starteammpx-adv.txt
http://aluigi.altervista.org/poc/starteammpx.zip
Versant Object Database Arbitrary Commands Execution
updated: 6-Mar-08
Versant Object Database version 7.0.1.3 was found containing a vulnerability that allows remote attackers to cause the product to execute arbitrary commands.

PoC exploit has been published. Upgrade to a safer version.

Reference
http://aluigi.altervista.org/adv/versantcmd-adv.txt
http://aluigi.org/poc/versantcmd.zip
Borland VisiBroker Smart Agent Heap Overflow
updated: 6-Mar-08
A remotely exploitable heap overflow was found in the Borland VisiBroker Smart Agent 08.00.00.C1.03.

Smart Agent binds UDP port 14000 plus one UDP and one TCP port that change at every launch (the first free ports the program finds). The protocol used on these three ports (so all three are exploitable) includes the handling of strings composed of a 32 bit number giving the length of the string followed by a second 32 bit number giving the size occupied in the packet, padded to a multiple of 8.

Setting 0xffffffff as the first number is enough to cause the allocation of 0 bytes of memory (0xffffffff + 1 wraps to 0), followed by a strncpy(allocated_memory, our_string, our_padded_size) with the client-supplied padded size, which can allow an attacker to crash the service or possibly execute malicious code.

A secondary, minor vulnerability also exists: the server terminates itself if the amount of memory specified by the client cannot be allocated.
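As an added example (not VisiBroker's, Acronis's or the advisory author's code), the C code below parses the length-prefixed string field described above and shows the trusting pattern beside a hardened parser; the same bounding against the received packet size also addresses the oversized 16 bit length fields noted for the Acronis True Image Group Server. The little-endian layout, the padding rule (size rounded up to a multiple of 8), the `max_str` cap and the sample packets are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Wire layout assumed here: [u32 len][u32 padded_size][padded_size bytes]. */

enum parse_result { PARSE_OK = 0, PARSE_TRUNCATED, PARSE_BAD_LENGTH, PARSE_OOM };

struct wire_string {
    char *data;     /* NUL-terminated copy, owned by the caller */
    uint32_t len;
};

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The flawed pattern from the advisory, kept only for comparison and never
 * called below: len = 0xffffffff makes len + 1 wrap to 0, so malloc(0)
 * hands back a minimal block, and strncpy then writes the client-chosen
 * padded size into it. */
char *parse_string_trusting(const unsigned char *buf)
{
    uint32_t len = rd32(buf);
    uint32_t padded = rd32(buf + 4);
    char *s = malloc(len + 1);                   /* wraps to 0 for 0xffffffff */
    strncpy(s, (const char *)buf + 8, padded);   /* copies attacker-chosen size */
    return s;
}

/* Hardened parser: every number taken from the wire is bounded before it
 * is used in arithmetic, as an allocation size or as a copy length.
 * max_str must be well below UINT32_MAX so len + 7 cannot wrap. */
enum parse_result parse_string_field(const unsigned char *buf, size_t buf_len,
                                     uint32_t max_str, struct wire_string *out,
                                     size_t *consumed)
{
    if (buf_len < 8)
        return PARSE_TRUNCATED;
    uint32_t len = rd32(buf);
    uint32_t padded = rd32(buf + 4);

    /* Cap first, so the additions below can never wrap. */
    if (len > max_str)
        return PARSE_BAD_LENGTH;
    /* The padded size is derived from len, never taken as an independent copy length. */
    if (padded != ((len + 7u) & ~7u))
        return PARSE_BAD_LENGTH;
    /* The payload must actually be present in the received packet. */
    if ((size_t)padded > buf_len - 8)
        return PARSE_TRUNCATED;

    char *s = malloc((size_t)len + 1);
    if (s == NULL)
        return PARSE_OOM;       /* report the failure instead of terminating the service */
    memcpy(s, buf + 8, len);
    s[len] = '\0';
    out->data = s;
    out->len = len;
    *consumed = 8 + (size_t)padded;
    return PARSE_OK;
}

/* Constructed sample packets. */
static const unsigned char pkt_good[] = {
    5, 0, 0, 0,   8, 0, 0, 0,   'h', 'e', 'l', 'l', 'o', 0, 0, 0 };
static const unsigned char pkt_wrap[] = {          /* len = 0xffffffff */
    0xff, 0xff, 0xff, 0xff,   8, 0, 0, 0,   'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A' };
static const unsigned char pkt_short[] = {         /* claims 8 payload bytes, carries 4 */
    5, 0, 0, 0,   8, 0, 0, 0,   'h', 'e', 'l', 'l' };

/* Runs the hardened parser over the samples and returns how many were
 * handled as expected (3 when everything is right). */
int check_samples(void)
{
    struct wire_string ws;
    size_t used = 0;
    int ok = 0;
    if (parse_string_field(pkt_good, sizeof pkt_good, 1024, &ws, &used) == PARSE_OK &&
        ws.len == 5 && strcmp(ws.data, "hello") == 0 && used == 16) {
        ok++;
        free(ws.data);
    }
    if (parse_string_field(pkt_wrap, sizeof pkt_wrap, 1024, &ws, &used) == PARSE_BAD_LENGTH)
        ok++;
    if (parse_string_field(pkt_short, sizeof pkt_short, 1024, &ws, &used) == PARSE_TRUNCATED)
        ok++;
    return ok;
}

int main(void)
{
    printf("%d of 3 sample packets handled as expected\n", check_samples());
    return 0;
}
```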

PoC exploit has been published.

Reference
http://aluigi.altervista.org/poc/visibroken.zip
http://aluigi.altervista.org/adv/visibroken-adv.txt
Perforce Server Multiple Vulnerabilities
updated: 6-Mar-08
Multiple vulnerabilities have been discovered in the Perforce Server 2007.3/143793.

The first type of vulnerability consists of NULL pointer dereferences caused by the absence of some parameters in the client's request and the lack of checks on the pointers returned by the functions that read these values from the packets.

A second type of vulnerability is exploitable through the server-DiffFile and server-ReleaseFile commands; in this case the problem is caused by a 32 bit number provided by the client that is used as the number of elements when initializing an array.

A further problem is exploitable through a malformed server-DiffFile command and forces the server into an endless loop, which causes its termination after it has consumed all the memory and resources of the system.

PoC exploit has been published.

Reference
http://aluigi.org/poc/perforces.zip
http://aluigi.altervista.org/adv/perforces-adv.txt
Eye-Fi Multiple Vulnerabilities
updated: 4-Mar-08
Eye-Fi 1.1.2 has numerous vulnerabilities that can allow unauthorized image uploads to a PC, remote alteration of the destination folder, and remote crashing of the Eye-Fi service.

Install the update from the vendor.


Reference
http://www.informit.com/articles/article.aspx?p=1174944
http://www.informit.com/articles/article.aspx?p=1177111

Mantis Cross Site Scripting
updated: 4-Mar-08
The filename of an uploaded file in bug_report.php of Mantis < 1.0.8-r1 was not properly sanitized before being stored.

A remote attacker could attach a file with a specially crafted filename to a bug report, resulting in the execution of arbitrary HTML and script code in the browser of any user viewing the report. Note that this vulnerability is only exploitable by authenticated users.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6611

Paramiko Information Disclosure
updated: 4-Mar-08
The file "common.py" of Paramiko < 1.7.2 does not properly use RandomPool when threads or forked processes are in use, so the state of the pool can be shared between sessions.

A remote attacker could predict the values generated by applications using Paramiko for encryption purposes, potentially gaining access to sensitive information.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0299

SWORD Shell Command Injection
updated: 4-Mar-08
The diatheke.pl script shipped with SWORD < 1.5.8-r2 does not properly sanitize shell meta-characters in the "range" parameter before passing it to a shell.

A remote attacker could supply specially crafted input to a vulnerable installation, resulting in the execution of arbitrary shell commands with the privileges of the user running diatheke.pl (generally the web server account).

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0932

SplitVT Privilege Escalation
updated: 4-Mar-08
SplitVT < 1.6.6-r1 does not drop group privileges before executing the xprop utility.

A local attacker could exploit this vulnerability to gain the privileges of the "utmp" group.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0162

Cross Site Scripting and CSRF in TorrentTrader Classic
updated: 4-Mar-08
TorrentTrader Classic v1.08 is vulnerable to cross site scripting and CSRF. Input passed to the "msg" parameter of account-inbox.php is not properly sanitized before being displayed to the user.

A malicious authenticated user can execute arbitrary HTML and script code in another user's browser session in the context of the affected web site.

The application also allows users to perform certain actions via HTTP requests without any check that the request was intentionally issued by the logged-in user, so a malicious person can perform a CSRF attack.

Reference
http://www.securitylab.ru/vulnerability/347887.php

PacketTrap PT360 Tool Suite TFTP Denial of Service
updated: 3-Mar-08
The TFTP server component in the default installation of PacketTrap PT360 Tool Suite version 1.1.33.1.0 is susceptible to a denial of service condition. A remote or local attacker can exploit this flaw by sending a specially crafted packet to the TFTP server, which causes the TFTP server process to crash. The TFTP server must be restarted to resume normal operation.

Install the patch from PacketTrap Networks.



PacketTrap PT360 Tool Suite TFTP Arbitrary File Access
updated: 3-Mar-08
A flaw was reported in the PacketTrap PT360 suite 1.1.33.1.0. The TFTP server component is susceptible to a directory traversal attack.

A remote or local attacker can exploit this flaw to retrieve arbitrary files outside the TFTP server's root directory. It also allows a remote attacker to overwrite or modify system files, which could lead to a full system compromise.
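
The following is an added example, not PacketTrap's code, showing the check a TFTP server needs before it opens a client-supplied filename for either a read or a write request: the name is accepted only as a relative path made of plain segments, so "..", backslash-separated Windows paths, absolute paths and drive letters are all refused before the name is joined to the served directory. The root directory, function name and request strings are constructed for illustration.

```c
/* Added example: confine a TFTP request filename to the served directory. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 0 and writes root + "/" + name into out when 'name' is a relative
 * path whose every segment is a plain name (no "." or "..", no empty segment),
 * contains no backslash and no ':' (drive letter), and fits in out; -1 otherwise.
 * Checking segments rather than searching for the substring ".." avoids both
 * false rejections ("a..b") and bypasses ("..\\" on servers that split on '/'). */
int tftp_safe_path(const char *root, const char *name, char *out, size_t outlen)
{
    if (name == NULL || *name == '\0' || *name == '/')
        return -1;                                /* empty or absolute */
    if (strchr(name, '\\') != NULL || strchr(name, ':') != NULL)
        return -1;                                /* Windows separators / drive */
    const char *seg = name;
    for (;;) {
        const char *end = strchr(seg, '/');
        size_t n = end ? (size_t)(end - seg) : strlen(seg);
        if (n == 0)
            return -1;                            /* "a//b" or trailing '/' */
        if ((n == 1 && seg[0] == '.') ||
            (n == 2 && seg[0] == '.' && seg[1] == '.'))
            return -1;                            /* "." or ".." segment */
        if (end == NULL)
            break;
        seg = end + 1;
    }
    int w = snprintf(out, outlen, "%s/%s", root, name);
    if (w < 0 || (size_t)w >= outlen)
        return -1;                                /* would truncate: refuse */
    return 0;
}

int main(void)
{
    /* Constructed requests: one legitimate, the rest traversal attempts. */
    const char *reqs[] = {"firmware/image.bin", "../../etc/passwd",
                          "..\\..\\windows\\win.ini", "C:\\boot.ini", "/etc/passwd"};
    char path[256];
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        int rc = tftp_safe_path("/srv/tftp", reqs[i], path, sizeof path);
        printf("%-28s -> %s\n", reqs[i], rc == 0 ? path : "REJECTED");
    }
    return 0;
}
```

This check is string-level only; a server that also follows symbolic links inside its root needs the file opened without following links (or the resolved path re-checked against the root) before a write request is honoured.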

Install the patch from PacketTrap Networks.



Squid Analysis Report Generator Buffer Overflow
updated: 3-Mar-08
Arbitrary code execution in Squid Analysis Report Generator (sarg) < 2.2.4 is possible when sarg processes specially crafted squid log files (access and useragent logs).

Upgrade to version 2.2.4 or later.



Audacity Insecure Temporary File Creation
updated: 2-Mar-08
The "AudacityApp::OnInit()" method in file src/AudacityApp.cpp of Audacity < 1.3.4-r1 creates and removes its temporary directory insecurely.

A local attacker could exploit this vulnerability through a symlink attack to delete arbitrary files and directories with the privileges of the user running Audacity.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6061

SMSGate Denial of Service
updated: 2-Mar-08
A vulnerability in the way SMSGate 1.n handles incoming HTTP requests allows remote attackers to render the server unavailable.

When an excessively large HTTP Content-Length value is received, the server tries to allocate the specified amount of memory; when the allocation fails it shows a debug message box in which the administrator must choose whether to abort the application, debug it, or ignore the problem (in which case the server continues to work correctly).

The entire server is unreachable for as long as the Ignore button has not been pressed, so nobody can send SMS messages and the remote administrator cannot manage the server.

Another problem exists when the Content-Length value is malformed or absent: the server tries to write the NUL delimiter through an uninitialized pointer (0xcccccccc, the fill pattern MSVC debug builds use for uninitialized stack memory). This only produces an error message box, and the server continues to work correctly.

Note that the restriction to local IP addresses described in the original advisory does not affect exploitation of the vulnerability: an attacker from any IP address can block the server.
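
The following is an added example, not SMSGate's code. It parses Content-Length the way both SMSGate failures above call for: a missing or malformed header yields a specific error return rather than an uninitialized pointer, and a value above a server-chosen cap is refused before any allocation is attempted. The header text, result codes and function names are constructed for illustration.

```c
/* Added example: Content-Length parsing that fails closed on missing, malformed and oversized values. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

enum cl_result { CL_OK = 0, CL_MISSING = 1, CL_MALFORMED = 2, CL_TOO_LARGE = 3 };

/* Find a header by name (case-insensitive) at the start of a line in a
 * CRLF-delimited header block; return a pointer to its value or NULL. */
static const char *find_header(const char *hdrs, const char *name)
{
    size_t nlen = strlen(name);
    for (const char *p = hdrs; p != NULL && *p != '\0';) {
        if (strncasecmp(p, name, nlen) == 0 && p[nlen] == ':') {
            p += nlen + 1;
            while (*p == ' ' || *p == '\t')
                p++;
            return p;
        }
        p = strstr(p, "\r\n");
        if (p != NULL)
            p += 2;
    }
    return NULL;
}

/* Returns CL_OK and stores the length in *len, or the reason it was refused.
 * Digits are accumulated with an explicit wrap check, and anything other than
 * end-of-line after the digits is treated as malformed. */
enum cl_result parse_content_length(const char *hdrs, size_t max_body, size_t *len)
{
    *len = 0;
    const char *v = find_header(hdrs, "Content-Length");
    if (v == NULL)
        return CL_MISSING;                        /* absent: never touch a body pointer */
    uint64_t n = 0;
    const char *p = v;
    for (; *p >= '0' && *p <= '9'; p++) {
        if (n > (UINT64_MAX - 9) / 10)
            return CL_TOO_LARGE;                  /* n * 10 + digit would wrap */
        n = n * 10 + (uint64_t)(*p - '0');
    }
    if (p == v || (*p != '\r' && *p != '\0'))
        return CL_MALFORMED;                      /* no digits, or trailing junk */
    if (n > max_body)
        return CL_TOO_LARGE;                      /* refuse before malloc can fail */
    *len = (size_t)n;
    return CL_OK;
}

/* Allocate the body buffer only once the length has passed every check. */
void *alloc_body(const char *hdrs, size_t max_body, size_t *len)
{
    if (parse_content_length(hdrs, max_body, len) != CL_OK)
        return NULL;
    return malloc(*len > 0 ? *len : 1);
}

/* Constructed request headers used by the checks below. */
static const char hdr_ok[] = "POST /sms HTTP/1.1\r\nHost: gw\r\nContent-Length: 42\r\n\r\n";
static const char hdr_none[] = "POST /sms HTTP/1.1\r\nHost: gw\r\n\r\n";
static const char hdr_bad[] = "POST /sms HTTP/1.1\r\nContent-Length: abc\r\n\r\n";
static const char hdr_huge[] = "POST /sms HTTP/1.1\r\nContent-Length: 4294967295\r\n\r\n";
```

The cap (max_body) turns the allocation-failure case into an ordinary protocol error answered with a normal HTTP response; the debug message box in SMSGate is what happens when that decision is left to the allocator.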

Reference
http://aluigi.altervista.org/adv/smsgheit-adv.txt


Ghostscript Buffer Overflow
updated: 2-Mar-08
Ghostscript version 8.61 and prior is vulnerable to a stack-based buffer overflow in the zseticcspace() function in zicc.c. The issue is over-trust of the length of a PostScript array, which an attacker can set to an arbitrary value. One slight amusement is that the overflowed buffer is an array of floats, so attacker-controlled data, machine code included, has to be expressed as float values.

PoC exploit code has been published.

Reference
http://scary.beasts.org/security/CESA-2008-001.html

Livebox Router Buffer Overflow
updated: 2-Mar-08
The ADI Convergence Galaxy FTP server v0.1 in the Livebox router is vulnerable to a buffer overflow and a denial of service attack against its FTP service.