POP Peeper UIDL Remote Buffer Overflow
updated: 28-Feb-09
POP Peeper 3.4 is vulnerable to a buffer overflow attack. To trigger this vulnerability, POP Peeper has to connect to an exploitation server acting as a POP3 daemon. POP Peeper then uses the UIDL command to get unique IDs for each email it later plans on retrieving. The exploitation server can send an oversized ID (1040 bytes), overflowing a buffer on the stack, giving the attacker complete control over the process.
PoC exploit has been published. Upgrade to the latest version.
Reference http://www.krakowlabs.com/dev/exp/KL0209EXP-poppeeper_uidl-bof.pl.txt
HP Virtual Rooms Client Remote Execution of Arbitrary Code
updated: 28-Feb-09
A potential security vulnerability has been identified with HP Virtual Rooms 7.0 client running on Windows. The vulnerability could be exploited to allow remote execution of arbitrary code.
Upgrade to HP Virtual Rooms client 7.0.1 or later.
APC PowerChute Network Shutdown's Web Interface XSS
updated: 28-Feb-09
A reflected (linked) cross-site scripting vulnerability was reported in the "referrer" parameter of the /security/applet script of APC PowerChute Network Shutdown's Web Interface. In addition, an HTTP response splitting vulnerability was found in the "page" parameter of the contexthelp script.
Reference http://www.dsecrg.com/pages/vul/show.php?id=82
http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=9539
Cisco Unified MeetingPlace Web Conferencing Stored Cross Site Scripting
updated: 28-Feb-09
Cisco Unified Meeting Place 6.0 and possibly 7.0 contains a stored cross site scripting vulnerability in the "E-mail Address" field of the profile page.
Upgrade to the latest version.
Cisco Unified MeetingPlace Web Conferencing Authentication Bypass
updated: 28-Feb-09
The Cisco Unified MeetingPlace Web Conferencing server 6.0 and 7.0 contain a vulnerability that could allow an unauthenticated user to use a crafted URL to bypass the authentication mechanisms of the server. If successful, the user could gain full administrative access to the Cisco Unified MeetingPlace application.
Install the update from Cisco.
Reference http://www.cisco.com/warp/public/707/cisco-sa-20090225-mtgplace.shtml
ksquirrel-libs Radiance RGBE Buffer Overflows
updated: 28-Feb-09
ksquirrel-libs 0.8.0 contains several buffer overflow vulnerabilities, which can be exploited by malicious people to compromise an application using the library.
The vulnerabilities are caused due to boundary errors within the "mt_codec::getHdrHead()" function in kernel/kls_hdr/fmt_codec_hdr.cpp, which can be exploited to cause stack-based buffer overflows by e.g. tricking a user into opening a specially crafted Radiance RGBE (*.hdr) file.
Do not open untrusted Radiance RGBE images in an application using ksquirrel-libs.
Reference http://secunia.com/secunia_research/2008-63/
Multiple Vulnerabilities in the Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine
updated: 28-Feb-09
The Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine contain multiple vulnerabilities that, if exploited, could result in administrative level access via default user names and passwords, privilege escalation, or a denial of service (DoS) condition.
Install the software updates from Cisco.
Reference http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml
Cisco ACE Application Control Engine Device Manager and Application Networking Manager Vulnerabilities
updated: 28-Feb-09
Multiple vulnerabilities exist in the Cisco Application Networking Manager (ANM) <= 2.0 and Cisco Application Control Engine (ACE) Device Manager <= A3(2.1) applications, namely, ACE Device Manager and ANM invalid directory permissions, ANM default user credentials vulnerability, ANM MySQL default credentials vulnerability, and ANM Java agent privilege escalation.
These vulnerabilities are independent of each other. Successful exploitation of these vulnerabilities may result in unauthorized system or host operating system access.
Install the software updates from Cisco.
Reference http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml
SHOUTcast DNAS Relay Server Buffer Overflow
updated: 28-Feb-09
SHOUTcast 1.9.8 contains a buffer overflow vulnerability, due to a boundary error when receiving data from a relay master server. This can be exploited to overflow a static buffer by tricking a SHOUTcast admin into setting up a server to act as relay for a malicious server.
Successful exploitation allows, for example, overwriting the password of the web administration interface.
Relay only from trusted servers.
Reference http://secunia.com/secunia_research/2008-62/
HP OpenView Network Node Manager Remote Unauthorized Access, Denial of Service
updated: 28-Feb-09
Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM) v7.01, v7.51, v7.53 running on HP-UX, Linux, Solaris, and Windows. The vulnerabilities could be exploited remotely to gain unauthorized access or to create a Denial of Service (DoS).
Install the update from HP.
Orbit Downloader Long URL Parsing Buffer Overflow
updated: 28-Feb-09
Orbit Downloader 2.8.2 and 2.8.3 contain a buffer overflow vulnerability, due to a boundary error when generating the "Connecting" log message for HTTP downloads. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into downloading from a malicious HTTP server or opening a specially crafted HTTP URL containing an overly long host name.
Update to version 2.8.5.
Reference http://secunia.com/secunia_research/2009-9/
Adobe Flash Player Invalid Object Reference Vulnerability
updated: 28-Feb-09
An invalid object reference vulnerability reported in Adobe Flash Player 9.0.124.0 could allow an attacker to execute arbitrary code with the privileges of the current user.
During the processing of a Shockwave Flash file, a particular object can be created, along with multiple references that point to the object. The object can be destroyed and its associated references removed. However, a reference can incorrectly remain pointing to the object. The invalid object resides in uninitialized memory, which the attacker may control to gain arbitrary execution control.
Install the patch from Adobe.
Reference http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=773
http://www.adobe.com/support/flashplayer/
KTorrent Multiple vulnerabilities
updated: 28-Feb-09
The web interface plugin of ktorrent < 2.2.8 does not restrict access to the torrent upload functionality and does not sanitize request parameters properly.
A remote attacker could send specially crafted parameters to the web interface that would allow for arbitrary torrent uploads and remote code execution with the privileges of the KTorrent process.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5905
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5906
XSS Attack using SMS to Optus/Huawei E960 HSDPA Router
updated: 28-Feb-09
Huawei E960 HSDPA Router (firmware version 246.11.04.11.110sp04) is vulnerable to an XSS attack using SMS. One of the features of this router is the ability to send and receive SMS through its web interface. The SMS text is presented unescaped/unfiltered in the inbox view, so an attacker can craft malicious short messages to gain control over the victim's router.
Reference http://www.ilmuhacking.com/web-security/xss-attack-using-sms-huawei-e960-hsdpa-router/
NetMRI Login Application Cross-site Scripting
updated: 22-Feb-09
NetMRI 3.0.1 contains a cross-site scripting issue whereby portions of the GET request are echoed back in an error page. This allows scripting tags to be executed by the browser to perform XSS attacks. Such an attack would require convincing a user to click on a specially crafted link.
Install the patch from the vendor.
Reference http://www.netcordia.com/products/netmri-event-analysis.asp
HP OpenView Network Node Manager Remote Execution of Arbitrary Code & Unauthorized Access to Data
updated: 22-Feb-09
Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM) v7.01, v7.51, v7.53 running on HP-UX, Linux, Solaris, and Windows. The vulnerabilities could be exploited remotely to allow execution of arbitrary code or unauthorized access to data.
Install the fix from HP.
HP Printers and Digital Senders Remote Unauthorized Access to Files
updated: 22-Feb-09
A potential security vulnerability has been identified with certain HP LaserJet printers, HP Color LaserJet printers and HP Digital Senders. The vulnerability could be exploited remotely to gain unauthorized access to files.
Affected devices include:
HP LaserJet 2410 with firmware prior to 20080819 SPCL112A
HP LaserJet 2420 with firmware prior to 20080819 SPCL112A
HP LaserJet 2430 with firmware prior to 20080819 SPCL112A
HP LaserJet 4250 with firmware prior to 20080819 SPCL015A
HP LaserJet 4350 with firmware prior to 20080819 SPCL015A
HP LaserJet 9040 with firmware prior to 20080819 SPCL110A
HP LaserJet 9050 with firmware prior to 20080819 SPCL110A
HP LaserJet 4345mfp with firmware prior to 09.120.9
HP Color LaserJet 4730mfp with firmware prior to 46.200.9
HP LaserJet 9040mfp with firmware prior to 08.110.9
HP LaserJet 9050mfp with firmware prior to 08.110.9
HP 9200C Digital Sender with firmware prior to 09.120.9
HP Color LaserJet 9500mfp with firmware prior to 08.110.9
Install the firmware updates from HP.
OpenSSL Certificate Validation Error
updated: 22-Feb-09
Several functions in OpenSSL < 0.9.8j incorrectly check the result after calling the EVP_VerifyFinal() function, allowing a malformed signature to be treated as a good signature rather than as an error. This issue affects the signature checks on DSA and ECDSA keys used with SSL/TLS.
A remote attacker could exploit this vulnerability and spoof arbitrary names to conduct Man-In-The-Middle attacks and intercept sensitive information.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
pam-krb5 Local Privilege Escalation, Local File Overwrite
updated: 22-Feb-09
A security vulnerability was reported in pam-krb5 <= 3.13 allowing overwrite and chown of arbitrary files via Solaris su. Subsequent code auditing for behavior in setuid applications uncovered another, more general and more serious bug that could result in privilege escalation.
Upgrade to 3.13 or later.
HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges
updated: 22-Feb-09
Potential security vulnerabilities have been identified with HP-UX B.11.11, B.11.23, B.11.31 running HP WBEM Services vA.02.07.01 or earlier. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges.
Install the fix from HP.
MS09-002 Cumulative Security Update for Internet Explorer
updated: 11-Feb-09
A remote code execution vulnerability exists in the way Internet Explorer 7 accesses an object that has been deleted or handles Cascading Style Sheets (CSS).
An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
Install the update from Microsoft.
Reference http://www.microsoft.com/technet/security/Bulletin/MS09-002.mspx
MS09-003 Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution
updated: 11-Feb-09
Two vulnerabilities were reported in Microsoft Exchange 2000 Server SP3 with Update Rollup of Aug 2004, Exchange Server 2003 SP2, and Exchange Server 2007 SP1.
The first vulnerability could allow remote code execution if a specially crafted TNEF message is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could take complete control of the affected system with Exchange Server service account privileges. The second vulnerability could allow denial of service if a specially crafted MAPI command is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding.
Install the update from Microsoft.
Reference http://www.microsoft.com/technet/security/Bulletin/MS09-003.mspx
MS09-004 Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution
updated: 11-Feb-09
A remote code execution vulnerability exists in the way that SQL Server checks parameters in the "sp_replwritetovarbin" extended stored procedure.
The vulnerability could allow remote code execution if untrusted users have access to an affected system or if a SQL injection vulnerability exists on an affected system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.
SQL Server 2000 SP4, SQL Server 2005 SP2, MSDE 2000 SP4, SQL Server 2005 Express Edition SP2, and SQL Server 2005 Express Edition with Advanced Services SP2 are affected.
Install the update from Microsoft.
Reference http://www.microsoft.com/technet/security/Bulletin/MS09-004.mspx
MS09-005 Vulnerabilities in Microsoft Office Visio Could Allow Remote Code Execution
updated: 11-Feb-09
Three vulnerabilities were reported in Microsoft Office Visio 2002 SP2, 2003 SP3 and 2007 SP1 that could allow remote code execution if a user opens a specially crafted Visio file.
An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Install the update from Microsoft.
Reference http://www.microsoft.com/technet/security/Bulletin/MS09-005.mspx
3Com OfficeConnect Wireless Cable/DSL Router Authentication Bypass
updated: 11-Feb-09
3Com OfficeConnect Wireless Cable/DSL Router (Hardware version: 3COM_AP51_v01, Software version: 1.2.0 - Nov 14,2006) is prone to an authentication bypass vulnerability which permits retrieval of the complete system configuration as well as the service credentials (e.g. web console, Wi-Fi network).
Disable the "Remote Administration" option. However, a firmware update is required in order to resolve this issue.
Reference http://www.ikkisoft.com
Trend Micro IWSVA/IWSS Authorization Module Password Leakage
updated: 11-Feb-09
It is possible to obtain the username and password from the "Proxy-Authorization" header of Trend Micro IWSVA/IWSS, which is not correctly removed when the authorization header is sent to WMP.
XML injection in PyBlosxom
updated: 11-Feb-09
PyBlosxom 1.4.3 suffers from an XML injection issue in the Atom flavor. Its head.atom template uses the $(url) and $url variables in many places without proper escaping.
Injection is possible by forcing PyBlosxom to use the Atom flavor via a URL such as http://host/path/%3Ccool%3E?flav=atom, where a tag is injected through the URL.
Disable the Atom flavor by deleting the atom.flav directory.
OpenCORE Insufficient Bounds Checking during MP3 Decoding
updated: 11-Feb-09
OpenCORE 2.0 suffers from an integer underflow during Huffman decoding resulting in improper bounds checking when writing to a heap allocated buffer. Decoding a specially crafted mp3 file will result in unexpected process termination or, potentially, arbitrary code execution due to heap corruption.
Install the patches from the developer.
Reference http://www.ocert.org/advisories/ocert-2009-002.html
sudo Privilege Escalation
updated: 11-Feb-09
sudo < 1.7.0 incorrectly handles group specifications in Runas_Alias (and related) entries when a group is specified in the list (using %group syntax, to allow a user to run commands as any member of that group) and the user is already a member of that group.
A local attacker could possibly run commands as an arbitrary system user (including root).
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0034
VNC Multiple Integer Overflows
updated: 11-Feb-09
Multiple integer overflow vulnerabilities have been discovered in UltraVNC < 1.0.5.4 and TightVNC < 1.3.10, two remote control applications derived from the popular VNC software.
The vulnerabilities cause a miscalculation of a buffer size on the heap, allowing an attacker to corrupt the VNC client's heap, which can probably lead to code execution (exploitation is very likely).
Upgrade to the latest version.
Reference http://www.coresecurity.com/content/vnc-integer-overflows
HP Network Node Manager Multiple Information Disclosure Vulnerabilities
updated: 9-Feb-09
Two information disclosure vulnerabilities were reported within the CGI applications in HP Network Node Manager 7.53 for Linux and Windows.
The first vulnerability exists in the nnmRptConfig.exe CGI application. When responding to specifically crafted requests, the CGI will disclose the location of log directories.
The second vulnerability exists within the ovlaunch.exe CGI. If a parameter is incorrectly set in a specific request, the application will return various configuration details.
Successful exploitation of these vulnerabilities results in the disclosure of sensitive information. While the direct effects of these vulnerabilities are minimal, they may be useful to an attacker attempting to exploit other vulnerabilities.
Install the patch from HP.
Reference http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01661610
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=771
HP Network Node Manager Multiple Command Injection Vulnerabilities
updated: 9-Feb-09
Multiple command injection vulnerabilities were reported in NNM CGI applications of HP Network Node Manager 7.53 for Linux and Windows.
The vulnerabilities are very similar and occur in the webappmon.exe and OpenView5.exe programs. Part of the functionality of these applications is to start other programs and collect their output. To do this, each executes external programs along with attacker-controllable arguments, which are not filtered before being passed to the external program. Because the arguments may contain shell meta-characters, an attacker can run arbitrary shell commands, resulting in attacker-supplied commands being executed on the host.
Successful exploitation of these vulnerabilities results in the execution of arbitrary code with the privileges of the affected service. On RedHat Enterprise 4, the application is started as the user 'bin'. All that is required for exploitation is the ability to create a TCP connection to port 80 on the targeted host.
Install the patch from HP.
Reference http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01661610
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=770
HP-UX Running NFS Local Denial of Service
updated: 9-Feb-09
A potential security vulnerability has been identified with HP-UX B.11.31 only, running ONCplus B.11.31.05 and earlier. This vulnerability could be exploited locally, resulting in a Denial of Service.
Install the patch from HP.
RealNetworks RealPlayer IVR File Processing Multiple Code Execution Vulnerabilities
updated: 9-Feb-09
Two code execution vulnerabilities exist in RealNetworks RealPlayer 11, triggered through malformed IVR files.
The first is a heap corruption vulnerability that occurs when a field determining the length of a structure is altered. The second allows an attacker to write one null byte to an arbitrary memory address by using an overly long file name length value.
A successful attack could take place by merely previewing the IVR file through Windows Explorer.
Reference http://www.fortiguardcenter.com/advisory/FGA-2009-04.html
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0375
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0376
Certain HP LaserJet Printers, HP Color LaserJet Printers, and HP Digital Senders, Remote Unauthorized Access to Files
updated: 9-Feb-09
A potential security vulnerability has been identified with certain HP LaserJet printers, HP Color LaserJet printers and HP Digital Senders. The vulnerability could be exploited remotely to gain unauthorized access to files.
Affected devices and firmware versions are:
HP LaserJet 2410 with firmware prior to 20080819 SPCL112A
HP LaserJet 2420 with firmware prior to 20080819 SPCL112A
HP LaserJet 2430 with firmware prior to 20080819 SPCL112A
HP LaserJet 4250 with firmware prior to 20080819 SPCL015A
HP LaserJet 4350 with firmware prior to 20080819 SPCL015A
HP LaserJet 9040 with firmware prior to 20080819 SPCL110A
HP LaserJet 9050 with firmware prior to 20080819 SPCL110A
HP LaserJet 4345mfp with firmware prior to 09.120.9
HP Color LaserJet 4730mfp with firmware prior to 46.200.9
HP LaserJet 9040mfp with firmware prior to 08.110.9
HP LaserJet 9050mfp with firmware prior to 08.110.9
HP 9200C Digital Sender with firmware prior to 09.120.9
HP Color LaserJet 9500mfp with firmware prior to 08.110.9
Install the updated firmware from HP.
Multiple Vulnerabilities in Cisco Wireless LAN Controllers
updated: 9-Feb-09
Three denial of service vulnerabilities and one privilege escalation vulnerability were reported in the Cisco Wireless LAN Controllers (WLCs), Cisco Catalyst 6500 Wireless Services Modules (WiSMs), and Cisco Catalyst 3750 Integrated Wireless LAN Controllers.
Install the update from Cisco.
Reference http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml
QIP 2005 Denial of Service Vulnerability
updated: 9-Feb-09
A denial-of-service vulnerability exists in the QIP 2005 instant messenger software. An attacker could exploit the vulnerability by sending a specially crafted message in RTF format to a remote QIP client. The message could cause the vulnerable application to "freeze" and consume 100% CPU.
Squid Proxy Cache Denial of Service in Request Handling
updated: 9-Feb-09
Due to an internal error, Squid is vulnerable to a denial of service attack when processing specially crafted requests.
Squid prior to 2.7.STABLE6, 3.0.STABLE13, and 3.1.0.5 are affected. Upgrade to the latest version.
Reference http://www.squid-cache.org/Advisories/SQUID-2009_1.txt
Novell NetWare GroupWise GWIA RCPT Command Buffer Overflow
updated: 3-Feb-09
A buffer overflow vulnerability was reported in Novell NetWare GroupWise, during the parsing of malformed RCPT verb arguments to the SMTP daemon.
When an overly long e-mail address is received an off-by-one condition is triggered which minimally will cause a denial of service and can result in arbitrary code execution.
Install the updates from Novell.
Reference http://www.zerodayinitiative.com/advisories/ZDI-09-010
http://download.novell.com/Download?buildid=GjZRRdqCFW0
http://download.novell.com/Download?buildid=HpEEW7aXWEY
Kaspersky Products Klim5.sys Local Privilege Escalation
updated: 3-Feb-09
The Klim5.sys driver of Kaspersky AV 2008 and Kaspersky AV for WorkStations 6.0 is prone to a local privilege escalation due to invalid checking of user-supplied buffers. A local attacker can take advantage of this vulnerability to elevate privileges from the Guest account to SYSTEM.
PoC exploit has been published. Install the updates from the vendor.
Reference http://www.wintercore.com/advisories/advisory_W020209.html
http://kartoffel.reversemode.com/downloads.php
Free Download Manager Remote Control Server Buffer Overflow
updated: 3-Feb-09
A vulnerability was reported in Free Download Manager 2.5 Build 758 and 3.0 Build 844, due to a boundary error in the Remote Control Server when processing "Authorization" headers in HTTP requests.
This can be exploited to cause a stack-based buffer overflow via an HTTP request containing an overly long "Authorization" header. Successful exploitation allows execution of arbitrary code.
Update to version 3.0 build 848.
Reference http://secunia.com/secunia_research/2009-3/
Free Download Manager Torrent Parsing Buffer Overflows
updated: 3-Feb-09
Some vulnerabilities were reported in Free Download Manager 2.5 Build 758 and 3.0 Build 844, which can be exploited by malicious people to compromise a user's system.
1) A boundary error in the parsing of file names inside torrent files can be exploited to cause a heap-based buffer overflow via an overly long file name.
2) Two boundary errors when parsing names from torrent files can be exploited to cause stack-based buffer overflows via overly long file names.
3) A boundary error when parsing tracker URLs from torrent files can be exploited to cause a stack-based buffer overflow via an overly long tracker URL.
4) A boundary error when parsing comments from torrent files can be exploited to cause a stack-based buffer overflow via an overly long comment.
Successful exploitation of the vulnerabilities allows execution of arbitrary code by e.g. tricking a user into opening a specially crafted torrent file.
Update to version 3.0 build 848.
Reference http://secunia.com/secunia_research/2009-5/