Buffer-overflow in the passwords handling of Trend Micro OfficeScan
updated: 28-Feb-08
A buffer overflow in the password decryption function and an endless dead-processes vulnerability were reported in Trend Micro OfficeScan Corporate Edition <= v8.0 Patch 2 (build 1189) and <= v7.3 Patch 3 (build 1314).
PoC exploit has been released.
Reference http://aluigi.org/poc/officescaz.zip
Symantec Scan Engine RAR File Buffer Overflow Vulnerability
updated: 28-Feb-08
A stack based buffer overflow vulnerability was reported in Symantec Scan Engine version 5.1.2. Symantec Scan Engine listens on TCP port 1344 to accept files for scanning using the Internet Content Adaptation Protocol (ICAP). If the service is sent a specially malformed RAR file, a stack-based buffer overflow will occur.
Successful exploitation allows remote unauthenticated attackers to execute arbitrary code with the privileges of the scan engine process. The scan engine can be configured to run either as a normal user or as root. In order to exploit this vulnerability, an attacker must be able to cause a malicious RAR file to be scanned by the Symantec Scan Engine. Normally, no authentication is required to reach the vulnerable code.
Install the updates from Symantec.
Reference http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=667
http://www.symantec.com/avcenter/security/Content/2008.02.27.html
Symantec Scan Engine RAR File Denial of Service Vulnerability
updated: 28-Feb-08
A Denial of Service vulnerability was reported in Symantec Scan Engine version 5.1.2. Symantec Scan Engine listens on TCP port 1344 to accept files for scanning using the Internet Content Adaptation Protocol (ICAP). If the service is sent a malformed RAR file, the service will consume massive amounts of memory. This can result in a denial of service condition for the application and operating system.
Successful exploitation allows remote unauthenticated attackers to cause the process to consume excessive amounts of memory. In order to exploit this vulnerability, an attacker must be able to cause a malicious RAR file to be scanned by the Symantec Scan Engine. Normally, no authentication is required to reach the vulnerable code.
Install the update from Symantec.
Reference http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=666
Mozilla Thunderbird MIME External-Body Heap Overflow Vulnerability
updated: 28-Feb-08
A heap based buffer overflow vulnerability was reported in Mozilla Thunderbird < 2.0.0.12 when parsing the external-body MIME type in an electronic mail.
When calculating the number of bytes to allocate for a heap buffer, sufficient space is not reserved for all of the data being copied into the buffer. This results in up to 3 bytes of the buffer being overflowed, potentially allowing for the execution of arbitrary code.
Successful exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user running Thunderbird. Exploitation requires that an attacker social-engineer a user into viewing a malicious message in Thunderbird. If the 'View->Message Pane' option is turned on (the "Preview" pane), which is the default, then all a targeted user has to do is select the message in the browsing pane. Once the message is previewed, the vulnerability is triggered.
Upgrade to 2.0.0.12 of Thunderbird.
Reference http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=668
http://www.mozilla.org/security/announce/2008/mfsa2008-12.html
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0304
Asterisk Multiple Vulnerabilities
updated: 28-Feb-08
Multiple vulnerabilities have been found in Asterisk < 1.2.21.1-r1.
The issues are: a stack buffer overflow in the IAX2 channel driver (chan_iax2) when bridging calls between chan_iax2 and any channel driver that uses RTP for media; a NULL pointer dereference in the IAX2 channel driver (chan_iax2); a vulnerability in the Skinny channel driver (chan_skinny) resulting in an overly large memcpy; and a vulnerability in the IAX2 channel driver (chan_iax2) that does not correctly handle unauthenticated transactions using a 3-way handshake.
By sending a long voice or video RTP frame, a remote attacker could possibly execute arbitrary code on the target machine. Sending specially crafted LAGRQ or LAGRP frames containing information elements of IAX frames, or a certain data length value in a crafted packet, or performing a flood of calls not completing a 3-way handshake, could result in a Denial of Service.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3763
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3764
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4103
xine-lib User-assisted Execution of Arbitrary Code
updated: 28-Feb-08
xine-lib < 1.1.10.1 is vulnerable to a buffer overflow within the open_flac_file() function in the file demux_flac.c when parsing tags within a FLAC file. A buffer overflow when parsing ASF headers has also been discovered.
A remote attacker could entice a user to play specially crafted FLAC or ASF video streams with a player using xine-lib, potentially resulting in the execution of arbitrary code with the privileges of the user running the player.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1664
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0486
VLC media player chunk context validation error
updated: 28-Feb-08
The VideoLAN (VLC) media player < 0.8.6e is vulnerable to an arbitrary memory corruption vulnerability, which can be exploited by remote attackers to compromise a user's system. The vulnerability is caused by the VLC MP4 demuxer ('demux/mp4/mp4.c') not properly sanitizing certain tags in a MOV file before using them to index an array on the heap. This can be exploited to achieve arbitrary code execution by opening a specially crafted file.
PoC exploit has been published. Upgrade to the latest version.
Reference http://www.coresecurity.com/?action=item&id=2147
Sybase MobiLink Heap Overflow
updated: 28-Feb-08
A heap overflow was discovered in Sybase MobiLink 10.0.1.3629 in the handling of certain pre-authentication strings (username, version and remote ID) when they are longer than 128 bytes.
Successful exploitation allows attackers to cause the product to crash by supplying it with malformed data.
PoC exploit has been published.
Reference http://aluigi.org/poc/mobilinkhof.zip
http://aluigi.altervista.org/adv/mobilinkhof-adv.txt
Format string and buffer-overflow in SurgeMail
updated: 28-Feb-08
Two vulnerabilities were reported in SurgeMail <= 38k4 and beta 39a: a format string bug in webmail.exe's page command and a buffer overflow in the building of environment strings.
PoC exploit has been published.
Reference http://aluigi.org/poc/surgemailz.zip
Double-Take Multiple Vulnerabilities
updated: 28-Feb-08
Multiple vulnerabilities have been discovered in Double-Take version 5.0.0.2865: NULL pointer crash, termination through memory allocation, information disclosure, and other exceptions.
PoC exploit has been published.
Reference http://aluigi.org/poc/doubletakedown.zip
BEA WebLogic Server Infinite Invalid Authentication Attempts
updated: 26-Feb-08
It is possible to launch a credential brute-force attack against known users through an internal servlet of BEA WebLogic Server that permits bypassing the account lockout mechanism.
To prevent credential brute-force attacks, WebLogic Server has a lockout mechanism that locks an account after a number of invalid login attempts. By default the lock triggers after 5 invalid login attempts and lasts 30 minutes.
An internal servlet was found that allows credentials to be tested even while the targeted account is locked. This allows unlimited invalid authentication attempts against an account.
Once the correct credentials are guessed, it is only necessary to wait for the account to unlock and then log on to the server.
The affected servlets are /wl_management_internal1/LogfileSearch (versions 7 and 8) and /bea_wls_diagnostics/accessor (version 9).
BEA WebLogic Server 7.0sp6, 8.1sp4 and 9.0sp2 are affected. Install the updates from BEA website.
Reference http://dev2dev.bea.com/pub/advisory/271
http://www.s21sec.com/avisos/s21sec-040-en.txt
Path Traversal Vulnerability in VMware Shared Folders
updated: 26-Feb-08
A vulnerability was found in VMware's shared folders mechanism that grants users of a Guest system read and write access to any portion of the Host's file system including the system folder and other security-sensitive files. Exploitation of this vulnerability allows attackers to break out of an isolated Guest system to compromise the underlying Host system that controls it.
Successful exploitation requires that the Shared Folders feature be enabled (the default on VMware products that have the feature) AND that at least one folder of the Host system be configured for sharing.
Disable VMware shared folders.
Reference http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=2129
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004034
NULL pointer in SurgeFTP
updated: 26-Feb-08
When a Content-Length parameter is received from the client, SurgeFTP <= 2.3a2 tries to allocate the amount of memory specified in this field (up to 2147483647 bytes) and then copies the data into the newly allocated buffer. The problem is the lack of a check on the result of the allocation: if that amount of memory cannot be allocated, the copy writes to a NULL pointer and the entire server crashes.
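The defensive pattern the SurgeFTP bug calls for is shown below as an added example; it is not SurgeFTP code. It parses a client-supplied Content-Length strictly, refuses values above a server-chosen cap (MAX_BODY_BYTES is a constructed value here) instead of attempting a multi-gigabyte allocation, and checks the malloc result before copying:

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed upper bound for a request body. The advisory's server accepted
   anything up to 2147483647 bytes; a real server picks a cap from its needs. */
#define MAX_BODY_BYTES (16u * 1024u * 1024u)

/* Parse a Content-Length value as a plain non-negative decimal number.
   Returns 0 and stores the length on success, -1 on a syntax error or on a
   value above MAX_BODY_BYTES. */
int parse_content_length(const char *value, size_t *out)
{
    char *end;
    unsigned long long n;

    /* Reject empty input, signs and leading whitespace that strtoull would skip. */
    if (value == NULL || !isdigit((unsigned char)value[0]))
        return -1;
    errno = 0;
    n = strtoull(value, &end, 10);
    if (errno != 0 || *end != '\0')
        return -1;
    if (n > MAX_BODY_BYTES)
        return -1;   /* refuse, rather than trying to allocate it */
    *out = (size_t)n;
    return 0;
}

/* Allocate a buffer for the declared body length and copy the received
   data into it. Returns a NUL-terminated heap buffer the caller frees, or
   NULL when the header is rejected, the received length does not match the
   declared one, or the allocation fails (the check the advisory says was
   missing). */
char *receive_body(const char *content_length, const unsigned char *data, size_t data_len)
{
    size_t want;
    char *buf;

    if (parse_content_length(content_length, &want) != 0)
        return NULL;
    if (data_len != want)
        return NULL;
    buf = malloc(want + 1);          /* +1 for the terminating NUL */
    if (buf == NULL)                 /* never copy into a failed allocation */
        return NULL;
    memcpy(buf, data, want);
    buf[want] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed sample request: header value plus the bytes received. */
    char *body = receive_body("5", (const unsigned char *)"hello", 5);
    printf("accepted: %s\n", body ? body : "(rejected)");
    free(body);
    printf("oversized header -> %s\n",
           receive_body("2147483647", (const unsigned char *)"x", 1) ? "accepted" : "rejected");
    return 0;
}
```

Capping the declared length before allocating is what keeps the check from being only a crash fix: a server that honours arbitrary Content-Length values still lets a single client reserve gigabytes of memory even when malloc succeeds.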
PoC exploit has been published.
Reference http://aluigi.org/poc/surgeftpizza.txt
Python PCRE Integer Overflow
updated: 26-Feb-08
Python < 2.3.6-r4 includes a copy of PCRE which is vulnerable to an integer overflow vulnerability, leading to a buffer overflow.
An attacker could exploit the vulnerability by tricking a vulnerable Python application into compiling a specially crafted regular expression, which could possibly lead to the execution of arbitrary code, a Denial of Service or the disclosure of sensitive information.
Upgrade Python to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7228
HP Notebook PC Quick Launch Button Software Vulnerabilities
updated: 26-Feb-08
A potential security vulnerability has been identified with certain versions of the HP Notebook PC Quick Launch Button (QLB) software 6.3 or prior running on Windows. The vulnerability could be exploited remotely to execute arbitrary code or to gain privileged access.
Install the update from vendor.
ClamAV Multiple Vulnerabilities
updated: 26-Feb-08
Multiple vulnerabilities were reported in ClamAV < 0.92.1. An integer overflow has been reported in the "cli_scanpe()" function in file libclamav/pe.c. Another unspecified vulnerability has been reported in file libclamav/mew.c.
A remote attacker could entice a user or automated system to scan a specially crafted file, possibly leading to the execution of arbitrary code with the privileges of the user running ClamAV (either a system user or the "clamav" user if clamd is compromised).
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0318
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0728
Access Violation & Limited Information Disclosure in WebcamXP
updated: 26-Feb-08
The pocketpc and show_gallery_pic URIs are used by external users to view images from the current webcams. The problem is that no check is performed on the webcam number supplied by the client, allowing an attacker to index outside the array that holds the data for each webcam.
The main effect of this bug is a silent interruption of the service due to the access violation caused by reading unallocated memory, visible in the browser of the client who performed the malicious request. For example, /pocketpc allows access to the memory above and below offset 007196f0 (the location of the array in version 3.72.440.0) in steps of 6360 bytes per webcam number.
The secondary effect is the possibility of reading 8 bytes of the process's memory in a partially arbitrary way (the array's offset is fixed, and it is only possible to jump 6360 bytes at a time), since /pocketpc displays these two 32-bit numbers in the "width" and "height" parameters of the returned HTML page, as visible in the assembly code starting at offset 006BD46F.
WebcamXP 3.72.440.0 is affected.
Two heap overflows in Foxit WAC Server
updated: 26-Feb-08
WAC Server 2.0 Build 3503 contains 2 heap overflow flaws.
1. Telnet option heap overflow
The WAC server is vulnerable to a heap overflow exploitable through the usage of options longer than 260 bytes.
2. SSH packet heap overflow
The server is also affected by another heap overflow exploitable through large SSH packets; no deeper research has been performed on this vulnerability.
PoC exploit has been published.
Reference http://aluigi.org/poc/wachof.zip
XSS on BEA Plumtree Foundation and AquaLogic Interaction portals
updated: 26-Feb-08
BEA Plumtree Foundation portal 6.0 and BEA AquaLogic Interaction 6.1 are vulnerable to XSS in the 'name' parameter submitted to the '/portal/server.pt' server-side script.
PoC exploit has been published. Upgrade to 6.5 release of AquaLogic Interaction.
NULL Pointer Crash in FreeSSHd
updated: 26-Feb-08
FreeSSHd 1.20 can be crashed through a NULL pointer access by simply sending an SSH2_MSG_NEWKEYS packet as the first command.
PoC exploit has been published.
Reference http://aluigi.org/poc/freesshdnull.zip
Multiple Buffer-Overflow in NowSMS
updated: 26-Feb-08
NowSMS 2007.06.27 contains 2 buffer overflow problems.
1. Web authorization buffer-overflow
The web interface of NowSMS, which listens on port 8800, allows users to use the gateway for sending various types of messages (EMS, binary, WAP, MMS and so on).
The function which handles the base64 password in the HTTP Authorization header is affected by a stack-based buffer overflow triggered by a password longer than 256 bytes.
The server can be exploited whether or not it requires authentication.
2. SMPP buffer-overflow
NowSMS uses a 4-kilobyte stack buffer to hold incoming SMPP packets. The lack of checks on the real size of these packets (up to 0xffffffff bytes) leads to a buffer overflow which can be exploited by an attacker to execute malicious code remotely.
The SMPP server is not enabled by default and doesn't have a default listening port (the admin must decide it).
PoC exploit has been published.
Reference http://aluigi.org/poc/nowsmsz.zip
Symantec Veritas Storage Foundation Scheduler Service DoS
updated: 26-Feb-08
A denial of service vulnerability was reported in Symantec Veritas Storage Foundation scheduler service for Windows version 5.0 (with VxSchedService.exe version 5.0.9.298).
When the Veritas Scheduler service (VxSchedService.exe) encounters certain packets, an invalid memory access occurs causing the service to crash.
Successful exploitation of this vulnerability allows remote attackers to cause the affected service to terminate. In order to exploit this vulnerability, an attacker must be able to establish a TCP session with the service on port 4888. No authentication is required to reach the vulnerable code.
Install the update from Symantec.
Reference http://labs.idefense.com/intelligence/vulnerabilities/
http://www.symantec.com/avcenter/security/Content/2008.02.20.html
ZyXEL Gateways Multiple Vulnerabilities
updated: 26-Feb-08
Multiple vulnerabilities were discovered on ZyXEL Prestige devices, including:
- privilege escalation: it allows retrieving administrative settings (i.e.: WEP key, ISP and dynamic DNS credentials) and also altering such settings
- SNMP read and SNMP *write* access enabled by default: not only do we demonstrate how to change settings, but we also show how to obtain the credentials for the Dynamic DNS service in cleartext
- poor session management allows hijacking of admin sessions
- authentication vulnerable to replay and password cracking attacks
- disclosure of credentials: several types of credentials travel in the clear when being submitted by the user, and also when being returned from the web interface back to the browser.
Reference http://www.procheckup.com/Hacking_ZyXEL_Gateways.pdf
EMC RepliStor Multiple Heap Overflow Vulnerabilities
updated: 26-Feb-08
Multiple heap overflow vulnerabilities were reported in EMC RepliStor 6.2 SP2 or prior, within the code responsible for compression. In each case, data is decompressed without consideration for the size of the destination buffer. This results in an exploitable heap overflow.
Successful exploitation of these vulnerabilities results in the execution of arbitrary code with the privileges of the RepliStor Server or Control Server, usually SYSTEM. In order to exploit these vulnerabilities, an attacker needs to be able to connect to the targeted server on TCP port 7144 or 7145. No authentication is required to reach the vulnerable code paths.
Install the updates from EMC.
Reference http://labs.idefense.com/intelligence/vulnerabilities/
WoltLab Burning Board SQL Injection Vulnerability
updated: 26-Feb-08
SQL injection vulnerability was reported in WoltLab Burning Board 3.0.3 PLX or prior. PoC exploit has been published.
Symantec VERITAS Storage Foundation Administrator Service Heap Overflow
updated: 26-Feb-08
Symantec Veritas Storage Foundation 5.0 contains a flaw in the Administrator service, vxsvc.exe, which listens by default on UDP port 3207. The process trusts a user-supplied size value, receiving the specified amount of data into a static heap buffer. By sending a specially crafted packet, an attacker can overflow that buffer, leading to arbitrary code execution in the context of the SYSTEM user.
Install the update from Symantec.
Reference http://www.zerodayinitiative.com/advisories/ZDI-08-007.html
http://www.symantec.com/avcenter/security/Content/2008.02.20a.html
PunBB Blind Password Recovery Vulnerability
updated: 26-Feb-08
The PunBB <= 1.2.16 password reset functionality internally uses mt_rand() to generate a new password and a new activation link, both of which are sent to the user by email. Unfortunately PunBB initialises the Mersenne Twister random number generator on every request with a number between 0 and 1,000,000, depending on the current microsecond. This means there are only one million possible new passwords and new activation links. It would be possible to brute-force this limited space, but the amount of time and traffic required would be huge.
Upgrade to PunBB 1.2.17.
Reference http://www.sektioneins.de/advisories/SE-2008-01.txt
IBM Lotus QuickPlace Cross Site Scripting
updated: 26-Feb-08
A vulnerability in the way IBM Lotus QuickPlace 7.0 handles incoming searches allows attackers to cause it to insert arbitrary HTML and/or JavaScript.
ProjectPier Cross Site Scripting and Request Forgery
updated: 26-Feb-08
ProjectPier <= 0.80 contains a Cross Site Scripting and Request Forgery vulnerability. PoC exploit has been published. Update to version 0.8.0.1 or above.
Lst Network Print Server Format String and Buffer Overflow
updated: 26-Feb-08
Two security vulnerabilities have been discovered in Larson Software Technology Network Print Server 9.4.2 build 105.
The server is affected by a format string vulnerability located in the logging functions (enabled by default and set to "Information"), which pass the log message directly to vsnprintf as the format argument.
The LICENSE command handled by the server leads to a buffer overflow when a license string longer than 128 bytes is copied into a stack buffer with an incorrectly bounded strncpy call.
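As an added example (not the Larson Software code), the following shows how the LICENSE string copy should be bounded. The usual mistake behind "strncpy in the wrong way" is bounding the copy by the source length, which protects nothing; the bound has to be the destination size, and overlong input is better rejected than silently truncated. LICENSE_MAX and the command syntax assumed here come from the advisory's 128-byte buffer and command name, not from the product's actual parser:

```c
#include <stdio.h>
#include <string.h>

#define LICENSE_MAX 128   /* size of the fixed stack buffer in the advisory */

/* Copy a license string into a LICENSE_MAX-byte buffer.
   The defective pattern would be strncpy(dst, src, strlen(src)): the
   "bound" is the attacker-controlled source length, so a 200-byte string
   still writes 200 bytes into a 128-byte buffer. Here the bound is the
   destination size and an overlong string is refused, so a caller cannot
   mistake a cut-off license for a valid one.
   Returns 0 on success, -1 when src does not fit with its terminator. */
int copy_license(char dst[LICENSE_MAX], const char *src)
{
    /* Look for the terminator only within the first LICENSE_MAX bytes. */
    const char *nul = memchr(src, '\0', LICENSE_MAX);
    size_t len;

    if (nul == NULL)              /* no NUL inside the window: too long */
        return -1;
    len = (size_t)(nul - src);    /* at most LICENSE_MAX - 1 */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Handle one "LICENSE <string>" command line (constructed syntax).
   Returns 1 when the license was stored in out, 0 when the line is not a
   LICENSE command or the string is too long for the buffer. */
int handle_license_command(const char *line, char out[LICENSE_MAX])
{
    static const char prefix[] = "LICENSE ";
    size_t plen = sizeof prefix - 1;

    if (strncmp(line, prefix, plen) != 0)
        return 0;
    return copy_license(out, line + plen) == 0;
}

int main(void)
{
    char buf[LICENSE_MAX];
    char longline[8 + 300 + 1];   /* constructed overlong command */

    memcpy(longline, "LICENSE ", 8);
    memset(longline + 8, 'A', 300);
    longline[sizeof longline - 1] = '\0';

    printf("short license -> %d\n", handle_license_command("LICENSE ABC-123", buf));
    printf("300-byte license -> %d\n", handle_license_command(longline, buf));
    return 0;
}
```

Using memchr over a fixed window rather than strlen on the whole input also avoids reading past the end of a client-supplied string that may not be NUL-terminated at all.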
PoC exploit has been published.
Reference http://aluigi.altervista.org/adv/lstnpsx-adv.txt
SCI Chat Directory Traversal
updated: 26-Feb-08
A directory traversal vulnerability in SCI Photo Chat Server 3.4.9 allows remote attackers to access files that reside outside the HTML root directory.
Reference http://aluigi.altervista.org/adv/scichatdt-adv.txt
Multiple Security Vulnerabilities in Dokeos
updated: 26-Feb-08
Multiple SQL Injection, Blind SQL Injection, and Cross Site Scripting vulnerabilities were reported in Dokeos 1.8.4. Install the fix from the developer.
Reference http://www.dokeos.com/wiki/index.php/Security#Dokeos_1.8.4_SP2_download
Multiple Vulnerabilities in Python Server Pages
updated: 26-Feb-08
Several cross-site scripting issues, a cross-domain redirect and a webroot disclosure were reported in Spyce (Python Server Pages) 2.1.3.
All Spyce sample scripts that return client-supplied input back to the browser are vulnerable to XSS. It is also possible to redirect users to third-party sites and obtain the webroot path by not submitting required parameters to certain scripts.
An attacker may be able to cause execution of malicious scripting code in the browser of a user who clicks on a link to a Spyce-based site. Such code would run within the security context of the target domain. This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e.: session IDs) to unauthorized third parties.
Attackers can redirect victim users to third-party sites. Such behavior can help attackers perform phishing attacks by redirecting the victim to a spoof login page.
Remove sample scripts from live environments.
Reference http://www.procheckup.com/Vulnerabilities.php
Firefox and Opera Memory Information Leak
updated: 26-Feb-08
Opera < 9.24 and Firefox < 2.0.0.12 contain vulnerable code for handling BMP files with a partial palette. The code allows attackers to craft a BMP file that leaks information from the heap. This information can be sent to a remote server using the canvas tag (HTML 5) and JavaScript.
Other browsers (for example Apple Safari) also contain vulnerable BMP handling code, but since there is no way of acquiring the image data (not all canvas methods are implemented), it does not pose a serious threat. As a matter of fact Apple Safari has a similar problem with certain GIF files.
Upgrade to the latest version.
Reference http://gynvael.coldwind/vx
Sophos Email Security Appliance Cross Site Scripting
updated: 26-Feb-08
A Cross Site Scripting vulnerability was discovered in the web administration interface of Sophos ES1000 or ES4000 < 2.1.1.0. The administration web interface is available on the public network interface, over HTTPS on port 18080.
Lack of input validation for the 'error' and 'go' parameters of the 'Login' script allows malicious JavaScript code injection. This can be exploited by a malicious user to steal Sophos ES1000 Email Security Appliance administrator credentials and shut down the appliance or change its configuration.
Upgrade to Sophos Email Appliance version 2.1.1.0 and above.
Reference http://www.sophos.com/support/knowledgebase/article/34733.html
http://www.infigo.hr/en/in_focus/advisories/INFIGO-2008-02-13
OpenCA Cross Site Request Forgery (XSRF)
updated: 26-Feb-08
OpenCA 0.9.2.5 suffers from a typical cross-site request forgery (XSRF) problem. This means that an authenticated user (a registration officer, for example) can be manipulated into executing certain activities on the CA without his knowledge and consent. In a CA, this is especially problematic as this means an attacker can issue arbitrary certificates this way.
As the user is authenticated using a session cookie and the forms used to execute certain activities on the CA are not protected by any kind of token, one can easily embed such activities, for example, in a tag on another website. If a user has an active session on the CA, these activities are executed.
Apply the patch from developer.
Reference https://www.cynops.de/advisories/CVE-2008-0556.txt
JSPWiki Multiple Vulnerabilities
updated: 26-Feb-08
Two vulnerabilities were reported in JSPWiki v2.5.139 or prior.
1. Local .jsp File Inclusion Vulnerability: An input validation problem exists within JSPWiki which allows arbitrary local .jsp files to be executed (included). An attacker may leverage this issue to execute arbitrary server-side script code on a vulnerable server with the privileges of the web server process.
2. JSPWiki Cross-Site Scripting Vulnerability: An attacker may leverage cross-site scripting vulnerability to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
Reference http://www.bugsec.com/articles.php?Security=48&Web-Application-Firewall=0
Pulseaudio Privilege Escalation
updated: 26-Feb-08
The pa_drop_root() function of pulseaudio < 0.9.9 does not properly check the return value of the system calls setuid(), seteuid(), setresuid() and setreuid() when dropping its privileges.
A local attacker could cause a resource exhaustion to make the system calls fail, which would cause Pulseaudio to run as root. The attacker could then perform actions with root privileges.
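The fix the Pulseaudio advisory implies is a privilege drop that treats every setuid-family return value as meaningful and verifies the result. The routine below is an added example, not Pulseaudio's pa_drop_root(); it uses setgid()/setuid() for portability where the advisory also names seteuid(), setresuid() and setreuid(), and the verification logic is the point:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid. setuid() and friends can fail, for example
   with EAGAIN when the target uid is at its RLIMIT_NPROC limit, and a daemon
   that ignores the failure simply keeps running as root. Every call is
   therefore checked, and the outcome is read back rather than assumed.
   Returns 0 on success, -1 with errno set on failure. */
int drop_root(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be changed while still privileged. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;

    /* Group first: once the uid has changed, setgid() would no longer be allowed. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify the real and effective ids actually changed. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }

    /* A successful drop must be irreversible: regaining root has to fail. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Dropping to the ids we already hold always succeeds, privileged or not,
       so this runs as an ordinary user; a daemon would pass its service account. */
    if (drop_root(getuid(), getgid()) != 0) {
        fprintf(stderr, "drop_root: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid %u gid %u\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

The read-back and the attempt to regain root are what distinguish this from merely checking return codes: a `-1` tells you the call failed, but only the verification catches a drop that "succeeded" while leaving a saved root uid behind.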
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0008
Apache Web Server htpasswd Predictable Salt Weakness
updated: 26-Feb-08
Apache 2.2's htpasswd utility uses a predictable salt, which considerably weakens the protection provided for Apache's stored passwords and can in turn be used to recover the passwords in clear text form.
Install the patch from developer.
Reference http://www.tux.org/~peterw/
http://issues.apache.org/bugzilla/show_bug.cgi?id=31440
ELFdump Crash when Analyzing Crafted ELF File
updated: 26-Feb-08
Because FreeBSD does not validate the data returned by the le32dec and be32dec functions and uses it without any restrictions, it is possible to crash ELFdump by providing it with a malformed ELF file.
FreeBSD 5.5, 6.2 and 6.3 are affected. PoC exploit has been published.
Reference http://www.fr33project.org/vulnsexpl/Advisories/ELFdump_bin_120562/advisory.txt
Mplayer Multiple Arbitrary Execution Vulnerabilities
updated: 26-Feb-08
Two vulnerabilities were discovered in MPlayer 1.0rc2 and SVN before r25824.
URL IPv6 Address Parsing Remote Heap Overflow: A heap overflow condition exists in the parsing of IPv6 addresses, allowing for arbitrary code execution.
CDDB Remote Stack Overflow: A remote attacker may execute arbitrary code on a client machine by causing a specially crafted CDDB response to be sent to the client.
Successful exploitation allows attackers to crash MPlayer by tricking it into accessing a malformed IPv6 address or by responding to it with an arbitrarily long CDDB entry.
Upgrade to the latest version.
Reference http://labs.musecurity.com/advisories/MU-200802-01.txt
Philips VOIP841 Multiple Vulnerabilities
updated: 26-Feb-08
Multiple vulnerabilities (Hidden Administration Account, Directory Traversal and Insecure Credential Storage) were discovered in Philips' VOIP841 wireless phone versions 1.0.4.50 and 1.0.4.80 that allow access to sensitive files as well as administrative access to the phone.
PoC exploit has been published.
Reference http://www.milw0rm.com/exploits/5113
Boost Denial of Service
updated: 26-Feb-08
Two vulnerabilities have been reported in Boost < 1.34.1-r2. A failed assertion was found in file regex/v4/perl_matcher_non_recursive.hpp and a NULL pointer dereference was found in the get_repeat_type() function in file basic_regex_creator.hpp when processing regular expressions.
A remote attacker could provide specially crafted regular expressions to an application using Boost, resulting in a crash.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0171
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0172
SQL injection in Cisco Unified Communications Manager
updated: 14-Feb-08
Cisco Unified Communications Manager < 5.1(3a) and < 6.1(1a) is vulnerable to SQL injection in the key parameter of the admin and user interface pages.
An attacker can trigger this SQL injection vulnerability by entering a specially crafted value in the key parameter of either the admin or user interface page. Attacks against this vulnerability are conducted through the web interface over HTTP or HTTPS. A successful attack could terminate a SQL call and force a connection to the back-end database, resulting in the disclosure of potentially sensitive information such as usernames and password hashes.
Install the update from vendor.
Reference http://www.cisco.com/warp/public/707/cisco-sa-20080213-cucmsql.shtml
Cisco Unified IP Phone Overflow and Denial of Service
updated: 14-Feb-08
Cisco Unified IP Phone models contain multiple overflow and denial of service vulnerabilities. There are workarounds for several of these vulnerabilities. Cisco has made free software available to address this issue for affected customers.
Install the update from vendor.
Reference http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml
HP System Management Homepage Cross Site Scripting
updated: 14-Feb-08
Potential security vulnerabilities have been identified with HP System Management Homepage (SMH) for HP-UX. These vulnerabilities could be exploited remotely to allow cross site scripting.
HP SMH A.2.2.6.2 or earlier running on HP-UX B.11.11, B.11.23, and B.11.31 are affected. Install the patch from vendor.
HP-UX Running the Ignite-UX or the DynRootDisk get_system_info Command Local Unqualified Configuration Change
updated: 14-Feb-08
A potential security vulnerability has been identified in HP-UX running the Ignite-UX or the DynRootDisk (DRD) get_system_info command. This command can change system networking parameters without notification (unqualified configuration change).
HP-UX B.11.11, B.11.23, B.11.31 running the Ignite-UX vC.7.0.212, vC.7.1.93, vC.7.2.94, vC.7.3.144 or the DynRootDisk (DRD) vA.1.0.16.417, vA.1.0.18.245, vA.1.1.0.344, vA.2.0.0.592 get_system_info command are affected.
Install the updates from vendor.
Fortinet FortiClient Local Privilege Escalation
updated: 14-Feb-08
Fortinet Endpoint Solution For Enterprise, FortiClient 3.0 MR5 Patch 3 and lower, is prone to a local privilege escalation due to improper device filtering carried out by its filter driver, fortimon.sys.
The affected driver filters certain devices, enabling pass-through filtering. However, its own device's DeviceExtension is not correctly initialized, so any logged-on user could force the kernel to operate on user-mode controlled memory simply by directly issuing a special request to the driver's device.
This leads to local arbitrary code execution in the context of the kernel. Even Guest users can elevate privileges to SYSTEM.
Upgrade to FortiClient 3.0 MR5 Patch 4 or MR6.
Reference http://docs.forticare.com/firmware.xml
Adobe Flash Media Server 2 Memory Corruption Vulnerability
updated: 14-Feb-08
A memory corruption vulnerability was reported in a component of Adobe Flash Media Server 2.0.4 on Windows called the Edge server. This vulnerability exists within the code responsible for parsing RTMP messages. A certain sequence of requests can lead to an area of memory being used after it has been released. This leads to the execution of arbitrary code.
Successful exploitation of this vulnerability results in the execution of arbitrary code with SYSTEM level privileges. In order to exploit this vulnerability, an attacker only needs the ability to connect to the target server on TCP port 1935 or 19350.
Unsuccessful attempts at exploitation will likely result in the Edge server crashing. After crashing, the Edge server will be restarted automatically. This gives an attacker an unlimited number of attempts at exploitation.
Upgrade to Flash Media Server 2.0.5.
Reference http://www.adobe.com/support/security/bulletins/apsb08-03.html
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=663
Adobe Flash Media Server 2 Multiple Integer Overflow Vulnerabilities
updated: 14-Feb-08
Multiple integer overflow vulnerabilities were reported in Adobe Flash Media Server 2.0.4. These vulnerabilities exist within the code responsible for parsing RTMP messages. In each case, a 32-bit value taken directly from the packet is used in an arithmetic operation to calculate the number of bytes to allocate for a dynamic buffer. This operation can overflow, which later leads to a heap overflow.
Successful exploitation of these vulnerabilities results in the execution of arbitrary code with SYSTEM level privileges. In order to exploit these vulnerabilities, an attacker only needs the ability to connect to the target server on TCP port 1935 or 19350.
Unsuccessful attempts at exploitation will likely result in the Edge server crashing. After crashing, the Edge server will be restarted automatically. This gives an attacker an unlimited number of attempts at exploitation.
Upgrade to Flash Media Server 2.0.5.
Reference http://www.adobe.com/support/security/bulletins/apsb08-03.html
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=662
MS08-003 Vulnerability in Active Directory Could Allow Denial of Service
updated: 13-Feb-08
A denial of service vulnerability exists in implementations of Active Directory on Microsoft Windows 2000 and Windows Server 2003. The vulnerability also exists in implementations of Active Directory Application Mode (ADAM) when installed on Windows XP and Windows Server 2003. The vulnerability is due to improper validation of specially crafted LDAP requests.
An attacker who successfully exploited this vulnerability could cause the computer to stop responding and automatically restart.
Windows XP SP2, 2003 SP2 and 2000 SP4 are affected. Install the patch from vendor.
Reference http://www.microsoft.com/technet/security/bulletin/ms08-003.mspx
MS08-004 Vulnerability in Windows TCP/IP Could Allow Denial of Service
updated: 13-Feb-08
A denial of service vulnerability exists in TCP/IP processing in Windows Vista. An attacker could exploit the vulnerability by creating a specially crafted DHCP server that returns a specially crafted packet to a host, corrupting TCP/IP structures and causing the affected system to stop responding and automatically restart.
Windows Vista is affected. Install the patch from vendor.
Reference http://www.microsoft.com/technet/security/Bulletin/MS08-004.mspx
MS08-005 Vulnerability in Internet Information Services Could Allow Elevation of Privilege
updated: 13-Feb-08
A local elevation of privilege vulnerability exists in the way that Internet Information Services handles file change notifications in the FTPRoot, NNTPFile\Root, and WWWRoot folders.
An attacker who successfully exploited this vulnerability could execute arbitrary code in the context of local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
Windows XP SP2, 2003 SP2, 2000 SP4 and Vista are affected. Install the patch from vendor.
Reference http://www.microsoft.com/technet/security/bulletin/ms08-005.mspx
MS08-006 Vulnerability in Internet Information Services Could Allow Remote Code Execution
updated: 13-Feb-08
A remote code execution vulnerability exists in the way that Internet Information Services handles input to ASP Web pages. An attacker could exploit the vulnerability by passing malicious input to a Web site's ASP page.
An attacker who successfully exploited this vulnerability could then perform any actions on the IIS Server with the same rights as the Worker Process Identity (WPI), which by default is configured with Network Service account privileges.
Windows XP SP2 and 2003 SP2 are affected. Install the patch from vendor.
Reference http://www.microsoft.com/technet/security/bulletin/ms08-006.mspx
MS08-007 Vulnerability in WebDAV Mini-Redirector Could Allow Remote Code Execution
updated: 13-Feb-08
A remote code execution vulnerability exists in the way that the WebDAV Mini-Redirector handles responses. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.
Windows XP SP2, 2003 SP2, and Vista are affected. Install the patch from vendor.
Reference http://www.microsoft.com/technet/security/bulletin/ms08-007.mspx
MS08-008 Vulnerability in OLE Automation Could Allow Remote Code Execution
updated: 13-Feb-08
A remote code execution vulnerability exists in Object Linking and Embedding (OLE) Automation that could allow an attacker who successfully exploited this vulnerability to make changes to the system with the permissions of the logged-on user.
If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Windows XP SP2, 2003 SP2, 2000 SP4, Vista, Office 2004 for Mac, and Visual Basic 6.0 Service Pack 6 are affected. Install the patch from the vendor.
Reference http://www.microsoft.com/technet/security/bulletin/ms08-008.mspx
MS08-009 Vulnerability in Microsoft Word Could Allow Remote Code Execution
updated: 13-Feb-08
A remote code execution vulnerability exists in the way that Word handles specially crafted Word files. The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed value. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Microsoft Office 2000 SP3, XP SP3 and 2003 SP2 are affected. Install the fix from vendor.
Reference http://www.microsoft.com/technet/security/Bulletin/MS08-009.mspx
MS08-010 Cumulative Security Update for Internet Explorer
updated: 13-Feb-08
Remote code execution vulnerabilities exist in the way Internet Explorer handles a property method and in its argument validation during image processing.
An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.
In addition, a remote code execution vulnerability exists in a Microsoft FoxPro component. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
Internet Explorer 5.01, 6 SP1 and 7 are affected. Install the fix from vendor.
Reference http://www.microsoft.com/technet/security/bulletin/ms08-010.mspx
MS08-011 Vulnerabilities in Microsoft Works File Converter Could Allow Remote Code Execution
updated: 13-Feb-08
A remote code execution vulnerability exists in the Microsoft Works File Converter because it improperly validates section length headers, header index table information, and various field length values in the .wps format.
An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.
Microsoft Office 2003 SP3, Works 8.0 and Works Suite 2005 are affected. Install the patch from vendor.
Reference http://www.microsoft.com/technet/security/Bulletin/MS08-011.mspx
MS08-012 Vulnerabilities in Microsoft Office Publisher Could Allow Remote Code Execution
updated: 13-Feb-08
A remote code execution vulnerability exists in the way Microsoft Office Publisher validates application data and memory index values when loading Publisher files into memory.
An attacker could exploit the vulnerability by constructing a specially crafted Publisher (.pub) file. When a user views the .pub file, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Microsoft Office 2000 SP3, Office XP SP3 and Office 2003 SP2 are affected. Install the patch from vendor.
Reference http://www.microsoft.com/technet/security/Bulletin/MS08-012.mspx
MS08-013 Vulnerability in Microsoft Office Could Allow Remote Code Execution
updated: 13-Feb-08
The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office document with a malformed object inserted into the document. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP2 and Office 2004 for Mac are affected. Install the patch from vendor.
Reference http://www.microsoft.com/technet/security/Bulletin/MS08-013.mspx
ClamAV libclamav PE File Integer Overflow Vulnerability
updated: 13-Feb-08
An integer overflow vulnerability was reported in the code responsible for parsing and scanning PE files of ClamAV <= 0.92. While iterating through all sections contained in the PE file, several attacker controlled values are extracted from the file. On each iteration, arithmetic operations are performed without taking into consideration 32-bit integer wrap.
Since insufficient integer overflow checks are present, an attacker can cause a heap overflow by causing a specially crafted Petite packed PE binary to be scanned. This results in an exploitable memory corruption condition.
Successful exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the process using libclamav. In the case of the clamd program, this will result in code execution with the privileges of the clamav user. Unsuccessful exploitation results in the clamd process crashing.
Address Space Layout Randomization (ASLR) and non-executable memory protection technologies (such as DEP, NX, XD, PaX, etc) can help mitigate exploitation of this type of vulnerability.
Upgrade to version 0.92.1.
Reference http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=658
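Both the Flash Media Server RTMP entry above and this ClamAV PE entry describe the same bug class: a 32-bit length taken straight from the input is used in arithmetic that sizes a heap buffer, and the arithmetic wraps. The following is an added example, not ClamAV or Adobe code; the header size, field names and sample section tables are assumptions made for the demonstration. It shows the wrapping computation beside a checked one, and a per-iteration check for the accumulating loop the ClamAV text describes.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical fixed header size added to every parsed record. */
#define HEADER_LEN 16u

/* Vulnerable pattern: the 32-bit length field comes straight from the RTMP
 * packet or PE section header. Adding HEADER_LEN wraps past 2^32, so a
 * field of 0xFFFFFFF8 yields an 8-byte allocation while the later copy
 * still trusts the original length: a heap overflow. */
uint32_t vuln_alloc_size(uint32_t size_field) {
    return size_field + HEADER_LEN;
}

/* Hardened pattern: reject values the format cannot legitimately carry and
 * prove the addition cannot wrap before performing it. Returns 0 on
 * rejection, which is never a valid size here because HEADER_LEN > 0. */
size_t safe_alloc_size(uint32_t size_field, uint32_t max_payload) {
    if (size_field > max_payload)
        return 0;
    if (size_field > UINT32_MAX - HEADER_LEN)
        return 0;
    return (size_t)size_field + HEADER_LEN;
}

/* Accumulating per-section sizes, as in a loop over PE sections. The
 * running total is checked on every iteration; returns -1 if any step
 * would wrap, otherwise the total. */
long long sum_sections(const uint32_t *sizes, size_t n) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (sizes[i] > UINT32_MAX - total)
            return -1;
        total += sizes[i];
    }
    return (long long)total;
}

/* Constructed sample section tables (not taken from any real binary). */
const uint32_t sections_ok[]   = { 0x1000u, 0x2000u, 0x3000u };
const uint32_t sections_wrap[] = { 0x80000000u, 0x80000000u };

int main(void) {
    printf("unchecked: 0x%08x + %u -> %u bytes allocated\n",
           0xFFFFFFF8u, HEADER_LEN, vuln_alloc_size(0xFFFFFFF8u));
    printf("checked:   0x%08x -> %zu (0 = rejected)\n",
           0xFFFFFFF8u, safe_alloc_size(0xFFFFFFF8u, 0x10000000u));
    printf("checked:   %u -> %zu bytes\n", 100u, safe_alloc_size(100u, 0x10000000u));
    printf("sections ok:   %lld\n", sum_sections(sections_ok, 3));
    printf("sections wrap: %lld\n", sum_sections(sections_wrap, 2));
    return 0;
}
```

The max_payload cap matters as much as the wrap check: a value that does not wrap can still be far larger than the format allows and exhaust memory, which is the denial-of-service variant of the same input.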
Novell Client NWSPOOL.DLL EnumPrinters Stack Overflow Vulnerability
updated: 13-Feb-08
A stack overflow vulnerability was reported in the Novell NetWare Client nwspool.dll, which is responsible for handling RPC requests through the spoolss named pipe. The EnumPrinters function exposed by this DLL contains a logic flaw that allows an attacker to bypass a patch introduced to prevent the vulnerability.
Exploitation of this vulnerability leads to arbitrary code execution in the context of the SYSTEM user.
Install the update from vendor.
Reference http://www.zerodayinitiative.com/advisories/ZDI-08-005.html
http://download.novell.com/Download?buildid=SszG22IIugM~
F5 BIG-IP Web Management Console CSRF
updated: 13-Feb-08
By design the F5 BIG-IP web management interface allows a logged-in user with Resource Manager or Administrator privileges to execute an arbitrary bigpipe shell command through the web "Console" feature.
It is possible to craft URL links that would execute the command with a simple HTTP GET request. Cross-site attacks may leverage this functionality to reconfigure the BIG-IP appliance, including creating new administrators.
The vulnerability has been identified in version 9.4.3. However, other versions may be also affected.
Administrators should not browse untrusted sites while logged into the BIG-IP web management interface. It is not possible to log out of the interface so it is important to shut down the browser after the interface is no longer needed. Closing the interface browser window or removing the BIG-IP cookie is not sufficient.
Adobe Acrobat Javascript for PDF Integer Overflow Vulnerability
updated: 13-Feb-08
An integer overflow vulnerability was reported in Acrobat and Acrobat Reader <= 8.1.1 when parsing JavaScript code embedded in PDF documents. When the function printSepsWithParams() is called with certain malicious parameter values, an integer overflow can occur, resulting in memory corruption. This may subsequently be leveraged to execute arbitrary code with the privileges of the current user.
Install the update from vendor.
Reference http://www.zerodayinitiative.com/advisories/ZDI-08-004.html
http://www.adobe.com/support/security/advisories/apsa08-01.html
Multiple Remote SiteScope Vulnerabilities
updated: 13-Feb-08
IOActive has discovered multiple critical vulnerabilities within the Mercury SiteScope server monitoring software, some of which allow for complete remote compromise of the entire monitored network, as well as arbitrary code execution on all servers managed by the SiteScope software.
Gallery Multiple Vulnerabilities
updated: 13-Feb-08
Multiple vulnerabilities were discovered in Gallery < 2.2.4. A remote attacker could exploit these vulnerabilities to execute arbitrary code, conduct Cross-Site Scripting and Cross-Site Request Forgery attacks, or disclose sensitive information.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6685 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6686 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6687 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6688 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6689 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6690 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6691 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6692 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6693
Multiple Buffer Overflows in Legacy mod_jk2
updated: 13-Feb-08
mod_jk2 <= 2.0.4 is vulnerable to multiple stack overflows. Several code locations can be reached via the Host request header of any given request. All of these overflows result in remote code execution as the user running the Apache process.
Although a legacy module which is end of life, F5 BIG-IP <= 9.2.3.30 may use this module in their products rendering them vulnerable to remote exploitation.
Upgrade to the latest version.
Horde IMP Security Bypass
updated: 13-Feb-08
Horde IMP < 4.1.6 does not properly filter out the "frame" and "frameset" HTML tags. In addition, certain HTTP requests are executed without being checked.
A remote attacker could entice a user to open a specially crafted HTML e-mail, possibly resulting in the deletion of arbitrary e-mail messages.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6018
Linux kernel vmsplice unchecked user-pointer dereference
updated: 13-Feb-08
The vmsplice() system call was introduced in the 2.6.17 release of the Linux kernel. In the 2.6.23 kernel its functionality was extended further, resulting in two new critical vulnerabilities.
Specifically, the vmsplice_to_user() kernel function (fs/splice.c, code beginning at line 1378) dereferences user-supplied memory pointers without validating them.
In addition, the copy_from_user_mmap_sem() function copies data from user-process memory using __copy_from_user_inatomic() without validating the user-supplied pointer with access_ok().
Gnumeric User-assisted Execution of Arbitrary Code
updated: 13-Feb-08
Multiple integer overflow and signedness errors have been reported in the excel_read_HLINK() function in file plugins/excel/ms-excel-read.c of Gnumeric < 1.8.1 when processing XLS HLINK opcodes.
A remote attacker could entice a user to open a specially crafted XLS file, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0668
scponly Multiple Vulnerabilities
updated: 13-Feb-08
scponly < 4.8 does not filter the -o and -F options to the scp executable. Its Subversion and rsync support invokes subcommands in an insecure manner.
A local attacker could exploit these vulnerabilities to elevate privileges and execute arbitrary commands on the vulnerable host.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6350 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6415
Cacti Multiple Vulnerabilities
updated: 13-Feb-08
Multiple vulnerabilities exist in Cacti <= 0.8.7a (XSS, SQL Injection, Path Disclosure, HTTP Response Splitting).
Upgrade to 0.8.7b or 0.8.6k.
WinIPDS Directory Traversal and DoS
updated: 26-Feb-08
Two vulnerabilities have been discovered in Intermate WinIPDS 3.3 Revision G52-33-021.
1. Directory traversal in web administration: WinIPDS includes a web server for remote administration of the service. This web interface is vulnerable to a classical directory traversal attack, exploitable with both the plain slash and the backslash delimiter, allowing an attacker to download any file from the disk on which the program is installed.
2. Denial of service against the IPDS port: port 5001 is used by the IPDS service for remote printing of files. Packets smaller than the size they declare drive the CPU to 100% and leave the service unable to handle users' printing commands. The packet types that cause this effect are 3, 5, 7, 13, 14 and 15.
Reference http://aluigi.altervista.org/adv/winipds-adv.txt
OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability
updated: 26-Feb-08
A serious weakness has been discovered in OpenBSD's PRNG, which allows an attacker to predict the next transaction ID (typically up to 8-10 guesses) given a series of consecutive 12-15 transaction IDs.
Reference http://www.trusteer.com/docs/dnsopenbsd.html
Apache mod_negotiation XSS and Http Response Splitting
updated: 26-Feb-08
mod_negotiation does not sanitize filenames in the '406 Not Acceptable' and '300 Multiple Choices' response bodies. This could lead to Cross Site Scripting if the name of the file is controlled by an attacker (e.g. by previously uploading it).
Moreover, as the list of filenames is also sent unsanitized in the response headers, it could result in an HTTP response splitting issue if the name of the file contains '\n' (Line Feed).
Apache <= 1.3.39, <= 2.0.61 and <= 2.2.6 are affected.
Reference http://www.mindedsecurity.com/MSA01150108.html
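The two checks the advisory implies, as an added example in C that is not Apache or mod_negotiation code: a filename is allowed into a response header only if it contains no CR, LF or other control byte, and it is HTML-escaped before being echoed into the 300/406 body. The function names, the static buffer and the sample filenames are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* A filename may go into a response header only if it carries no CR, LF
 * or other control byte: a '\n' inside the name would end the header line
 * and let the attacker append headers or a second body. Returns 1 if safe. */
int header_value_is_safe(const char *s) {
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

/* HTML-escape a filename before echoing it into a "300 Multiple Choices"
 * or "406 Not Acceptable" variant list. Returns the escaped length, or 0
 * if out is too small; the caller must then refuse, not truncate. */
size_t html_escape(const char *in, char *out, size_t outlen) {
    size_t n = 0;
    if (outlen == 0)
        return 0;
    for (; *in; in++) {
        char one[2] = { *in, 0 };
        const char *rep;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t l = strlen(rep);
        if (n + l + 1 > outlen)
            return 0;
        memcpy(out + n, rep, l);
        n += l;
    }
    out[n] = 0;
    return n;
}

/* Convenience wrapper for demos: escaped copy in a static buffer, or NULL
 * when the escaped name does not fit. */
const char *html_escape_static(const char *in) {
    static char buf[1024];
    if (html_escape(in, buf, sizeof buf) == 0 && *in)
        return NULL;
    return buf;
}

int main(void) {
    /* Constructed filenames an attacker could upload into a negotiated directory. */
    const char *names[] = {
        "index.html.en",
        "<script>alert(1)</script>.html",
        "evil.html\nSet-Cookie: session=attacker",
    };
    for (size_t i = 0; i < 3; i++) {
        if (!header_value_is_safe(names[i])) {
            printf("reject (header injection): entry %zu\n", i);
            continue;
        }
        printf("header ok, body text: %s\n", html_escape_static(names[i]));
    }
    return 0;
}
```

Rejecting rather than stripping the control bytes is deliberate: silently removing a '\n' can merge two attacker-chosen fragments into one header that still parses the way the attacker intended.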
Anon Proxy Server Buffer Overflow
updated: 26-Feb-08
A vulnerability in Anon Proxy Server < 0.103 allows remote attackers to crash it by overflowing an internal buffer; this can also be leveraged to make the product execute arbitrary code.
When user authentication is enabled, the server can be exploited by passing a long username containing quotes. The username is checked for length, but the function strquotecpy() in the file access.c escapes quote characters by prepending a backslash, enlarging the string without checking the resulting length.
Upgrade to the latest version.
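The length-check-then-expand mistake described above, as an added example in C that is modelled on the advisory's description and is not the real access.c: the unchecked copy doubles every quote, so a username shorter than the destination buffer still overruns it once escaped, while the bounded version measures the escaped length first. The buffer size, function names and the constructed attacker username are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the username buffer the server copies into. */
#define USER_MAX 64

/* Unchecked quote-escaping copy, modelled on the advisory's description
 * (not the real access.c). Every quote becomes two bytes, so a username
 * that passed a raw strlen() check can still overrun dst once escaped. */
void strquotecpy_unchecked(char *dst, const char *src) {
    while (*src) {
        if (*src == '"' || *src == '\'')
            *dst++ = '\\';
        *dst++ = *src++;
    }
    *dst = 0;
}

/* Bytes the escaped form of src occupies, excluding the terminator. */
size_t escaped_len(const char *src) {
    size_t need = 0;
    for (; *src; src++)
        need += (*src == '"' || *src == '\'') ? 2 : 1;
    return need;
}

/* Bounded version: measure the escaped length first and refuse if it does
 * not fit together with its terminator. Returns the escaped length or -1. */
long strquotecpy_bounded(char *dst, size_t dstlen, const char *src) {
    size_t need = escaped_len(src);
    if (need + 1 > dstlen)
        return -1;
    strquotecpy_unchecked(dst, src);   /* now provably within dst */
    return (long)need;
}

/* Constructed attacker username: 40 quotes. It is shorter than USER_MAX,
 * so a pre-copy strlen() check passes, yet it escapes to 80 bytes. */
const char *constructed_attack_user(void) {
    static char u[41];
    memset(u, '"', 40);
    u[40] = 0;
    return u;
}

char demo_buf[USER_MAX];

int main(void) {
    const char *attacker = constructed_attack_user();
    printf("raw length %zu (< %d, passes naive check), escaped length %zu\n",
           strlen(attacker), USER_MAX, escaped_len(attacker));
    printf("bounded copy of attacker name: %ld (-1 = refused)\n",
           strquotecpy_bounded(demo_buf, sizeof demo_buf, attacker));
    long n = strquotecpy_bounded(demo_buf, sizeof demo_buf, "o'brien");
    printf("bounded copy of o'brien: %ld -> %s\n", n, demo_buf);
    return 0;
}
```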
Directory traversal in SafeNet Sentinel Protection and Key Server
updated: 26-Feb-08
SafeNet Sentinel Protection Server and SafeNet Sentinel Keys Server <= 7.4.1.0 are affected by a directory traversal vulnerability exploitable using the backslash delimiter (the servers do not support hex-encoded characters), allowing an attacker to download any file on the disk on which the services are installed.
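Both the WinIPDS entry above and this SafeNet entry are traversals that work because the server checks only one separator (or none). The following added example, which is not code from either vendor, resolves a client-supplied path under a document root while treating '/' and '\' alike, percent-decodes before checking so that "%2e%2e" does not bypass a literal ".." test, and rejects drive letters. The root directory, function names and sample requests are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX in place before any path check, so "%2e%2e" cannot slip past
 * a check that only looks for "..". Returns -1 on a malformed escape or an
 * encoded NUL. */
int percent_decode(char *s) {
    char *w = s;
    for (; *s; s++) {
        if (*s == '%') {
            int h = hexval((unsigned char)s[1]);
            int l = h < 0 ? -1 : hexval((unsigned char)s[2]);
            if (h < 0 || l < 0 || (h == 0 && l == 0))
                return -1;
            *w++ = (char)(h * 16 + l);
            s += 2;
        } else {
            *w++ = *s;
        }
    }
    *w = 0;
    return 0;
}

/* Map a client-supplied path onto a file under root, treating '/' and
 * '\\' alike as separators. Rejects any ".." component, drive letters or
 * stream names (':'), and an empty result. Writes root/clean into out and
 * returns 0, or -1 on rejection. */
int resolve_under_root(const char *root, const char *req,
                       char *out, size_t outlen) {
    char tmp[512], clean[512];
    size_t n = 0;
    if (strlen(req) >= sizeof tmp)
        return -1;
    strcpy(tmp, req);
    if (percent_decode(tmp) < 0)
        return -1;
    char *p = tmp;
    while (*p) {
        while (*p == '/' || *p == '\\')   /* skip runs of either separator */
            p++;
        if (!*p)
            break;
        char *tok = p;
        while (*p && *p != '/' && *p != '\\')
            p++;
        size_t l = (size_t)(p - tok);
        if (l == 2 && tok[0] == '.' && tok[1] == '.')
            return -1;                    /* parent reference: refuse outright */
        if (l == 1 && tok[0] == '.')
            continue;                     /* current dir: drop */
        if (memchr(tok, ':', l))
            return -1;                    /* "C:" or NTFS alternate stream */
        if (n + l + 2 > sizeof clean)
            return -1;
        if (n)
            clean[n++] = '/';
        memcpy(clean + n, tok, l);
        n += l;
    }
    clean[n] = 0;
    if (n == 0)
        return -1;
    if (snprintf(out, outlen, "%s/%s", root, clean) >= (int)outlen)
        return -1;
    return 0;
}

char resolved[600];

int main(void) {
    /* Constructed requests, including both delimiter variants. */
    const char *reqs[] = {
        "index.html", "../../etc/passwd", "..\\..\\windows\\win.ini",
        "%2e%2e/%2e%2e/etc/passwd", "docs\\manual/./page.html", "C:\\boot.ini",
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        if (resolve_under_root("/srv/www", reqs[i], resolved, sizeof resolved) == 0)
            printf("allow  %-28s -> %s\n", reqs[i], resolved);
        else
            printf("reject %s\n", reqs[i]);
    }
    return 0;
}
```

Rebuilding the path from accepted components, rather than searching the raw string for "..", is what makes the check independent of which delimiter or encoding the client used.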
Format String and DoS in Opium OPI and cyanPrintIP Servers
updated: 26-Feb-08
Two vulnerabilities were found in Opium OPI <= 4.10.1028 and cyanPrintIP <= 4.10.1030.
1. Format string in ReportSysLogEvent
The LPD servers are affected by a format string vulnerability in the ReportSysLogEvent function used for logging. The easiest way to exploit it is through a malformed queue name, which is used to build a "Print queue" error message that is then passed directly to vsprintf as the format string rather than as an argument.
After exploitation a dump is created and the server is restarted automatically by the Restart process.
2. Service crash through "Send queue state" commands
The servers cannot handle the two "Send queue state" LPD commands (3 and 4) when they are received at the beginning of a connection, i.e. when the server does not expect them.
The result is the immediate crash/termination of the server, which is not restarted automatically.
PoC exploit has been published.
Reference http://aluigi.org/poc/cyanuro.zip
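The ReportSysLogEvent flaw above is the classic "message used as format" bug. As an added example in C, modelled on the advisory's description and not the Opium OPI or cyanPrintIP source, the unsafe logger is shown for contrast next to a hardened one in which the format is always a caller-supplied literal, the queue name travels only through %s, and the output is bounded. Function names, the buffer size and the hostile queue name are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern, modelled on the advisory (not the real server code):
 * the message already contains the client's queue name and is handed to
 * vsprintf as the format. A queue name like "%x%x%n" then drives the
 * format parser. Kept for contrast only; never call it with untrusted
 * input, and note it is also unbounded. */
void report_syslog_event_unsafe(char *out, const char *msg, ...) {
    va_list ap;
    va_start(ap, msg);
    vsprintf(out, msg, ap);          /* msg is attacker-influenced */
    va_end(ap);
}

/* Hardened logger: the format is always a literal supplied by the caller,
 * untrusted text arrives only through a %s argument, and the output is
 * bounded. Returns the length written, or -1 if it would not fit. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))   /* compiler flags non-literal formats */
#endif
int report_syslog_event(char *out, size_t outlen, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Build the "Print queue" error the way the fixed code should: the queue
 * name is an argument, never part of the format. */
int log_bad_queue(char *out, size_t outlen, const char *queue) {
    return report_syslog_event(out, outlen, "Print queue '%s' not found", queue);
}

char logline[256];

int main(void) {
    /* Constructed hostile queue name as it would arrive in an LPD command. */
    const char *queue = "%x%x%x%x%n";
    int n = log_bad_queue(logline, sizeof logline, queue);
    printf("%d bytes: %s\n", n, logline);
    /* The unsafe path would instead do:
     *   snprintf(msg, sizeof msg, "Print queue '%s' not found", queue);
     *   report_syslog_event_unsafe(out, msg);
     * and vsprintf would read stack words for each %x and write through %n. */
    return 0;
}
```

With the format attribute in place, any call that passes a variable as fmt is reported at compile time with -Wformat, which is the cheapest way to find the remaining instances of this pattern in a code base.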
Apache Tomcat Information Disclosure Vulnerability
updated: 9-Feb-08
An information disclosure vulnerability was discovered in Apache Tomcat 6.0.5 to 6.0.15. If an exception occurs during the processing of parameters (e.g. if the client disconnects), the parameters submitted for that request may be incorrectly processed as part of a following request.
Upgrade to 6.0.16 or later.
Reference http://tomcat.apache.org/security.html http://tomcat.apache.org/security-6.html
Adobe Reader/Acrobat Remote PDF Print Silently Vulnerability
updated: 9-Feb-08
A design error vulnerability exists in Adobe Reader and Adobe Acrobat Professional 8.1.1 and prior. A remote attacker who successfully exploits this vulnerability can control the printer without the user's permission.
Install the patch from vendor.
Reference http://www.adobe.com/support/security/advisories/apsa08-01.html
Level Platforms, Inc. Service Center Install Data HTTP Vulnerability
updated: 9-Feb-08
LPI's Managed Workplace Service Center 4.x, 5.x and 6.x contains at least one vulnerability that allows a remote attacker to obtain a wide variety of potentially useful information via an HTTP URL.
Until the vulnerability is resolved by LPI, prevent or restrict IP-level access to the Service Center website by limiting access to trusted IP ranges or requiring a VPN; review the security settings of each web page within Service Center; and disallow indexing of the Service Center site by search engines using IP restrictions, robots.txt files or other measures.
Reference http://www.tech-serve.com/research/advisories/2008/
HP Select Identity Software Remote Unauthorized Access
updated: 9-Feb-08
Potential security vulnerabilities have been identified with HP Select Identity software. The vulnerabilities could be exploited remotely to gain unauthorized access. The vulnerabilities can only be exploited by authenticated users.
Affected software includes: HP Select Identity software v4.00, v4.01, v4.11, v4.12, v4.13, v4.20 running on HP-UX, Windows 2003 Server, Red Hat Linux AS3 and AS4, and Solaris.
Install the patches from vendor.
Reference http://support.openview.hp.com/selfsolve/patches
IBM DB2 Universal Database db2pd Arbitrary Library Loading Vulnerability
updated: 8-Feb-08
A library loading vulnerability was discovered in IBM DB2 Universal Database 9.1 with FixPack 2 installed on a Linux system, due to the way the db2pd binary loads a library. The program constructs the path of the library to load by concatenating the instance directory with the static string "/sqllib/lib/libdb2fmtdmp.so". When an attacker sets the DB2INSTANCE environment variable to their own user name, the binary loads the library from the attacker's home directory.
Successful exploitation allows local attackers to gain root privileges. In order to exploit this vulnerability, an attacker must be able to execute the set-uid root db2pd binary.
Install V9 Fix Pack 4 or V8 FixPak 16 from the vendor.
Reference http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=653
IBM DB2 Universal Database Administration Server Memory Corruption
updated: 8-Feb-08
A memory corruption vulnerability was reported in IBM DB2 Universal Database Administration Server (DAS) DB2 9.1 with Fix Pack 2 for both Linux and Windows platforms. When handling certain remote administration requests, the Administration Server uses a 32-bit pointer value supplied by the remote client. By supplying carefully chosen address values, an attacker can cause memory corruption or force the program to access invalid memory locations.
Successful exploitation allows attackers to crash the service or execute arbitrary code within the context of the affected service. No authentication credentials are required. The attacker only needs the ability to establish a TCP session with the DAS on TCP port 523.
Install V9 Fix Pack 4 or V8 FixPak 16 from the vendor.
Reference http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=654
Multiple Vulnerabilities in IPSwitch Instant Messaging
updated: 8-Feb-08
Multiple vulnerabilities were reported in IPSwitch Instant Messaging <= 2.0.8.1, including a pre-authentication NULL pointer dereference crash in a decryption function, a format string bug in logging, and arbitrary creation of empty files.
PoC exploit has been published.
Reference http://aluigi.org/poc/ipsimene.zip
Checkpoint SecuRemote/Secure Client NGX Auto Local Logon Vulnerability
updated: 8-Feb-08
A vulnerability was reported in VPN-1 SecuRemote / SecureClient NGX R60 for Windows and VPN-1 SecuRemote / SecureClient NGAI R56 for Windows relating to credential storage in the registry: anyone with read access to the registry can use the stored credentials to log in and impersonate the user who stored them.
Download and install SecuRemote / SecureClient NGX R60 HFA_02 Supplement 2.
Reference https://usercenter.checkpoint.com/usercenter/portal/user/anon/page/supportCenter.psml
SDL_image Buffer Overflow Vulnerabilities
updated: 8-Feb-08
Two boundary errors have been identified in SDL_image < 1.2.6-r1: the LWZReadByte() function in file IMG_gif.c can be made to overflow a static buffer, and the IMG_LoadLBM_RW() function in file IMG_lbm.c can be made to overflow a heap-based buffer.
A remote attacker can cause an application using the SDL_image library to process a specially crafted GIF or IFF ILBM file that triggers one of these overflows, resulting in the execution of arbitrary code with the permissions of the application or in a crash.
Upgrade to the latest version.
Reference http://secunia.com/advisories/28640/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6697 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0544
Symantec Backup Exec Remote File Upload Vulnerability
updated: 8-Feb-08
Symantec Backup Exec System Recovery Manager 7.0 and 7.0.1 contain remote file upload vulnerability in the FileUpload class running on the Symantec LiveState Apache Tomcat server. The server is found on TCP port 8080. A malicious HTTP POST request can upload a JSP script to the publicly accessible web directories allowing for arbitrary code execution.
Install the update from vendor.
Reference http://www.zerodayinitiative.com/advisories/ZDI-08-003.html
http://www.symantec.com/avcenter/security/Content/2008.02.04.html
Logs Visualization in WS_FTP Server Manager
updated: 8-Feb-08
Two vulnerabilities were found in WS_FTP Server Manager <= 6.1.0.0, namely an authorization bypass in log viewing and disclosure of ASP source code.
HP Virtual Rooms Remote Code Execution
updated: 8-Feb-08
A potential security vulnerability has been identified with HP Virtual Rooms v6 running on Microsoft Windows. The vulnerability could be exploited to allow remote execution of arbitrary code.
Upgrade to HP Virtual Rooms v7.
HP Storage Essentials SRM Remote Unauthorized Access
updated: 8-Feb-08
Potential vulnerabilities have been identified with the HP Storage Essentials, Storage Resource Management < 6.0.0. These vulnerabilities could be exploited remotely to allow unauthorized access to a managed device.
Upgrade to 6.0.0 of the HP Storage Essentials, Storage Resource Management software.
Apple iPhone Denial of Service
updated: 6-Feb-08
A denial of service vulnerability was reported in Apple iPhone 1.1.2 and 1.1.3. After further research it also appears that this was a known issue with Firefox version 1.5.04 and affected multiple platforms.
PoC exploit has been published.
Documentum Administrator / Webtop Arbitrary File Overwrite
updated: 6-Feb-08
Documentum Administrator 5.3.0.313 and Documentum Webtop 5.3.0.317 were found to be vulnerable to arbitrary file overwrite by specifying an arbitrary filename attribute to the "dmclTrace.jsp" page. It is also possible to control the contents of the overwritten file.
Successful exploitation of this vulnerability would allow an attacker to overwrite arbitrary files on the server filesystem. This could be used to upload and execute arbitrary code in the context of the user running the application server.
Install SP4 or later from the vendor.
Reference http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_Documentum_dmclTrace_Arbitrary_file_overwrite.pdf
HP OpenView Network Node Manager Remote Denial of Service
updated: 6-Feb-08
A potential security vulnerability has been identified with HP OpenView Network Node Manager (OV NNM) 6.41, 7.01, 7.51 running on HP-UX B.11.00, B.11.11, and B.11.23, Solaris, Windows, and Linux. The vulnerability could be exploited remotely to create a Denial of Service.
Install the fix from vendor.
WinCom LPD Total Multiple Vulnerabilities
updated: 6-Feb-08
Multiple vulnerabilities have been discovered in WinCom LPD Total <= 3.0.2.623. They allow a remote attacker to overflow a buffer via the control filename, bypass the administration mechanism, trigger a crash through an integer error in a memcpy call, and overflow a buffer in the remote administration mechanism.
PoC exploit has been published.
Reference http://aluigi.altervista.org/adv/wincomalpd-adv.txt
SAPlpd Multiple Vulnerabilities
updated: 6-Feb-08
Multiple vulnerabilities have been discovered in SAPlpd version 6.28 and prior (included in SAP GUI 7.10) that allow remote attackers to cause the server to overflow several internal buffers and to terminate without any authentication requirement.
PoC exploit has been published.
Reference http://aluigi.altervista.org/adv/saplpdz-adv.txt
FTP Log Server Socket Termination
updated: 6-Feb-08
By sending FTP Log Server <= 7.9.14.0 a few packets containing malformed data, an attacker can cause the daemon to crash.
PoC exploit has been published.
Reference http://aluigi.altervista.org/adv/ftplogsrvz-adv.txt
IBM Informix Dynamic Server onedcu File Creation Vulnerability
updated: 6-Feb-08
A file creation vulnerability was reported in IBM Informix Dynamic Server 10.00 UC6TL installed on a Linux system.
The set-uid root "onedcu" command requires six parameters to be specified when it is executed. The second parameter is a "Trace" file that this program will open and write to with elevated privileges.
Successful exploitation allows local attackers to gain root privileges.
Removing the set-uid bit from the "onedcu" program included with Informix will prevent exploitation, although this could disable some functionality for non-root users. Alternatively, upgrade to Informix Dynamic Server 10.00.xC8.
Reference http://www-1.ibm.com/support/docview.wss?uid=swg27011556
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0368
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=651
IBM Informix Dynamic Server SQLIDEBUG File Creation Vulnerability
updated: 6-Feb-08
A file creation vulnerability was reported in IBM Informix Dynamic Server 10.00 UC6TL installed on a Linux system.
When the SQLIDEBUG environment variable is set, several set-uid binaries will log debugging information to the specified file.
Successful exploitation allows local attackers to gain root privileges.
Removing the set-uid bit from all programs included with Informix will prevent exploitation, although this could disable some functionality for non-root users. Alternatively, upgrade to Informix Dynamic Server 10.00.xC8.
Reference http://www-1.ibm.com/support/docview.wss?uid=swg27011556
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0369
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=650
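The workaround given for both Informix advisories above is to remove the set-uid bit from the affected binaries. The following POSIX shell helper is an added example, not part of the advisories or of IBM's tooling: it lists the set-uid regular files under an install directory, counts them, and strips the bit on request. The directory to audit is assumed to be passed in; the sandbox it builds (with a file named after "onedcu" from the advisory and a constructed "sample_tool") exists only so the example runs offline.

```shell
#!/bin/sh
# Added example: audit and strip set-uid bits under a directory tree.
# Not the vendor's tooling; the install directory is an assumption passed by the caller.

# list_setuid DIR -> prints every set-uid regular file under DIR, one per line, sorted
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# count_setuid DIR -> number of set-uid regular files under DIR
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# strip_setuid DIR -> clears the set-uid bit on each file list_setuid reports
strip_setuid() {
    list_setuid "$1" | while IFS= read -r f; do
        chmod u-s "$f"
    done
}

# make_sandbox -> builds a constructed directory with two set-uid files and one
# ordinary file, then prints its path (sample data only, not a real install)
make_sandbox() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    : > "$d/bin/onedcu";      chmod 4755 "$d/bin/onedcu"      # name from the advisory
    : > "$d/bin/sample_tool"; chmod 4755 "$d/bin/sample_tool" # constructed name
    : > "$d/bin/plain_tool";  chmod 755  "$d/bin/plain_tool"  # constructed, no set-uid
    printf '%s\n' "$d"
}

# Stand-alone run: audit the sandbox, strip, and audit again.
if [ "${1:-}" = "demo" ]; then
    sb=$(make_sandbox)
    echo "before: $(count_setuid "$sb") set-uid file(s)"
    list_setuid "$sb"
    strip_setuid "$sb"
    echo "after:  $(count_setuid "$sb") set-uid file(s)"
    rm -rf "$sb"
fi
```

Run `sh audit_setuid.sh demo` to see the before/after counts on the constructed tree; on a real install, call `list_setuid` first and review the output, since, as the advisories note, clearing the bit can break functionality that non-root users rely on.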
Print Manager Plus Buffer Overflow
updated: 6-Feb-08
A vulnerability discovered in Print Manager Plus 7.0.127.16 allows remote attackers to overflow an internal buffer in the product, causing it to crash and possibly execute arbitrary code.
PoC exploit has been published.
Reference http://aluigi.altervista.org/adv/pqcorez-adv.txt
MPlayer Buffer Overflow Vulnerability
updated: 6-Feb-08
The MPlayer package 1.0rc2 and SVN before r25917 is vulnerable to a buffer overflow, which can be exploited by malicious remote attackers. The vulnerability is due to MPlayer not properly sanitizing certain tags in a FLAC file before using them to index an array on the stack. This can be exploited to execute arbitrary commands by opening a specially crafted file.
The Xine package 1.1.10, and probably other packages based on MPlayer, are vulnerable to this attack too.
Upgrade to the latest version.
Reference http://www.coresecurity.com/?action=item&id=2103
MPlayer Arbitrary Pointer Dereference
updated: 6-Feb-08
The MPlayer package 1.0 rc2 is vulnerable to an arbitrary pointer dereference vulnerability, which can be exploited by malicious remote attackers to compromise a user's system.
The vulnerability is caused by the MPlayer libmpdemux ('demux_mov.c') library not properly sanitizing certain tags in a MOV file before using them to index an array on the heap. This can be exploited to execute arbitrary commands by opening a specially crafted file.
Upgrade to the latest version.
Reference http://www.coresecurity.com/?action=item&id=2102
Cisco Wireless Control System Tomcat mod_jk.so Vulnerability
updated: 02-Feb-08
Apache Tomcat is the servlet container for Java Servlet and JavaServer Pages web applications within the Cisco Wireless Control System (WCS). A vulnerability exists in the mod_jk.so URI handler within Apache Tomcat which, if exploited, may result in remote code execution.
Cisco WCS devices running software 3.x and 4.0.x prior to 4.0.100.0 are affected by this vulnerability. Cisco WCS devices running software 4.1.x and 4.2.x prior to version 4.2.62.0 are also vulnerable.
Install the fix from the vendor.
Reference http://www.cisco.com/warp/public/707/cisco-sa-20080130-wcs.shtml#@ID