

Alerts Archive - Nov 2009

Last Update: 30 Nov 2009

Remote Command Execution in dotDefender Site Management
updated: 2-Jan-10
A remote command execution vulnerability exists in the dotDefender (3.8-5) Site Management.

After passing the Basic Auth login, an authenticated user can create or delete applications. The vulnerability lies in the 'deletesite' implementation and its 'deletesitename' variable: insufficient input validation allows an attacker to inject arbitrary commands.



PEAR Net_Traceroute Command Injection
updated: 2-Jan-10
An input sanitization error exists in PEAR Net_Traceroute < 0.21.2. The $host parameter of the traceroute() function in Traceroute.php is not properly sanitized before being passed to exec().

A remote attacker could exploit this vulnerability when user input is passed directly to PEAR Net_Traceroute in a PHP script, possibly resulting in the remote execution of arbitrary shell commands with the privileges of the user running the affected PHP script.

Upgrade to the latest version.

Cacti Multiple Security Issues
updated: 2-Jan-10
Cacti 0.8.7e and earlier versions are affected by multiple security issues, namely cross-site scripting vulnerabilities and a privilege escalation issue.

Install the patch from the developer.

Reference
http://www.cacti.net/downloads/patches/0.8.7e/cross_site_fix.patch

HP Data Protector Express and HP Data Protector Express Single Server
updated: 2-Jan-10
A potential security vulnerability has been identified with HP Data Protector Express 3.x and 4.x and HP Data Protector Express Single Server Edition (SSE) 3.x and 4.x running on supported Microsoft Windows, Linux, and NetWare versions. The vulnerability could be exploited locally to create a Denial of Service (DoS) or to execute arbitrary code.

HP Data Protector Express 3.x and HP Data Protector Express SSE 3.x prior to build 47065, and HP Data Protector Express 4.x and HP Data Protector Express SSE 4.x prior to build 46537, running on all supported versions of Microsoft Windows, Linux, and Novell NetWare are affected.

Install the patch from HP.

UW IMAP toolkit: Multiple Vulnerabilities
updated: 2-Jan-10
Multiple vulnerabilities have been found in the UW IMAP toolkit and the c-client library < 2007e.

A remote attacker could send an e-mail to a destination mailbox name composed of a username and '+' character followed by a long string, possibly leading to the execution of arbitrary code. A local attacker could gain privileges by specifying a long folder extension argument to the tmail or dmail program. Furthermore, a remote attacker could send a specially crafted mail message to the UW IMAP toolkit or another daemon using the c-client library, leading to a Denial of Service. A remote SMTP server could respond to the QUIT command with a close of the TCP connection instead of the expected 221 response code, possibly leading to a Denial of Service.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5005
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5006
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5514

Wireshark Multiple Vulnerabilities
updated: 2-Jan-10
Multiple vulnerabilities have been discovered in Wireshark, allowing for the remote execution of arbitrary code, or Denial of Service.

A remote attacker could entice a user to open a specially crafted "erf" file using Wireshark, possibly resulting in the execution of arbitrary code with the privileges of the user running the application. A remote attacker could furthermore send specially crafted packets on a network being monitored by Wireshark or entice a user to open a malformed packet trace file using Wireshark, possibly resulting in a Denial of Service.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3243
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3549
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3550
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3551
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3829

Autodesk SoftImage Scene TOC Arbitrary Command Execution
updated: 2-Jan-10
Autodesk Softimage by default saves a .scntoc file along with the scene content tree. The scene TOC (scene table of contents) is an XML-based file that contains scene information.

When opening a scene file, Softimage looks for a corresponding scene TOC file and automatically reads and applies the information it contains. Scene TOC XML files can be modified to execute arbitrary commands without user intervention by design. An attacker can take full control of the machine where SoftImage is installed by sending a specially crafted scene package and enticing the user to open it.

Autodesk Softimage 7.x and Autodesk Softimage XSI 6.x are affected. Disable the default reading of the scene TOC (.scntoc) file.

Reference
http://www.coresecurity.com/content/softimage-arbitrary-command-execution

Autodesk 3DS Max Application Callbacks Arbitrary Command Execution
updated: 2-Jan-10
Autodesk 3D Studio Max provides a built-in scripting language, allowing users to bind custom code to actions performed in the application.

Execution of scripting code does not require explicit permission from the user. This mechanism can be exploited by an attacker to execute arbitrary code by enticing a victim to open a .max file with MaxScript application callbacks embedded.

Autodesk 3DSMax 2010 and prior are affected. Disable the automatic loading of embedded MaxScript.

Reference
http://www.coresecurity.com/content/3dsmax-arbitrary-command-execution

Autodesk Maya Script Nodes Arbitrary Command Execution
updated: 2-Jan-10
Autodesk Maya offers so-called "Script Nodes" as a way to program animation behavior using MEL (Maya Embedded Language) and the Python programming language. The Autodesk Maya file formats support embedding scripting code as part of a scene package. Programs embedded in Maya files as scripting code are automatically executed when the file is opened.

An attacker can take control of a system where Maya is installed by sending a specially crafted scene package and enticing the user to open it. The scripting code will run with the privileges of the user running the Maya application.

Autodesk Maya 2010 and prior, and Alias Wavefront Maya 7.0 and prior are affected. Prevent script nodes from executing when opening a file.

Reference
http://www.coresecurity.com/content/maya-arbitrary-command-execution

VMware vCenter and ESX Update Release and vMA Patch Release Address Multiple Security Issues
updated: 2-Jan-10
Updated Java JRE packages and Tomcat packages address several security issues. Updates for the ESX Service Console and vMA include the kernel, ntp, Python, bind, libxml, libxml2, curl and gnutls packages. ntp is also updated for ESXi userworlds.

HP Operations Manager Server Backdoor Account Code Execution
updated: 2-Jan-10
Hewlett-Packard OpenView Operations Manager for Windows contains a flaw due to a hidden account present in the Tomcat users XML file. Using this account, a malicious user can access the org.apache.catalina.manager.HTMLManagerServlet class, which is defined in the catalina-manager.jar file installed with the product.

This servlet allows a remote user to upload a file via a POST request to /manager/html/upload. If an attacker uploads malicious content, it can then be accessed and executed on the server, leading to arbitrary code execution in the context of the SYSTEM user.

Install the update from HP.

Reference
http://www.zerodayinitiative.com/advisories/ZDI-09-085
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01931960

HP Operations Manager for Windows, Remote Unauthorized Access
updated: 2-Jan-10
A potential security vulnerability has been identified with HP Operations Manager for Windows v8.10. The vulnerability could be exploited remotely to gain unauthorized access.

Install the patch from HP.


IBM SolidDB invalid error code vulnerability
updated: 2-Jan-10
A remotely exploitable vulnerability was found in the core component of IBM SolidDB Server 6.30.0.33. Exploitation of this bug does not require authentication and leads to a remotely triggered denial of service of the database service.

Install IBM SolidDB Universal Cache 6.3 Fix Pack 3. Blocking or restricting network access to port 2315/tcp will prevent exploitation of the bug, but it may have a negative impact on the operation of any application embedding or using the SolidDB engine.

Reference
http://www-01.ibm.com/support/docview.wss?rs=0&q1=solidb&uid=swg24024510
http://www.coresecurity.com/content/ibm-soliddb-errorcode-dos

Gimp PSD Image Parsing Integer Overflow Vulnerability
updated: 2-Jan-10
A vulnerability was reported in Gimp 2.6.7, caused by an integer overflow error within the "read_channel_data()" function in plug-ins/file-psd/psd-load.c. This can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into opening a specially crafted PSD file.

Install the fix from the developer.

Reference
http://secunia.com/secunia_research/2009-43/

HP Openview NNM 7.53 Invalid DB Error Code vulnerability
updated: 2-Jan-10
A remotely exploitable vulnerability was found in the database server core component used by HP Openview NNM 7.53. Exploitation of the bug does not require authentication and leads to a remotely triggered denial of service of the internal database service.

Install the security fix from HP. The database service of HP Openview Network Node Manager is remotely accessible on port 2690/tcp. Restricting or blocking access to that port will prevent exploitation but may prevent normal operation of Openview NNM.

Reference
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01926980
http://www.coresecurity.com/content/openview_nnm_internaldb_dos

Cisco Catalyst Blade Switch 3020/3120, Remote Denial of Service
updated: 2-Jan-10
A potential vulnerability has been identified with the Cisco Catalyst Blade Switch 3020/3021. The vulnerability could be exploited remotely to create a Denial of Service.

Cisco Catalyst Blade Switch 3020 for c-Class BladeSystem running firmware earlier than v12.2(50), Cisco Catalyst Blade Switch 3120G and Cisco Catalyst Blade Switch 3120X for HP running firmware earlier than v12.2(50) are affected.

Install the firmware updates from the vendor.

RhinoSoft Serv-U TEA Decoding Buffer Overflow
updated: 2-Jan-10
RhinoSoft Serv-U 9.0.0.5 contains a buffer overflow vulnerability caused by a boundary error in a function that processes the hexadecimal representation of a string using the TEA decoding algorithm. This can be exploited to cause a stack-based buffer overflow by passing an overly long string.

Successful exploitation may allow execution of arbitrary code. Update to version 9.1.0.0.

Reference
http://secunia.com/secunia_research/2009-46/

Novell eDirectory HTTPSTK Login Stack Overflow Vulnerability
updated: 2-Jan-10
A stack overflow vulnerability was reported in Novell eDirectory 8.8 SP5. The specific flaw exists in the handling of URL parameters when posting to the login form of the HTTPSTK web server.

Successful exploitation can lead to complete system compromise under SYSTEM credentials. A PoC exploit has been published.

Reference
http://tcc.hellcode.net/advisories/hellcode-adv005.txt

Alteon OS BBI Multiple Vulnerabilities
updated: 2-Jan-10
Various XSS and XSRF vulnerabilities were identified in the Alteon OS Browser-Based Interface (BBI) <=25.1.0.0.

An attacker may exploit the XSRF issue to perform certain administrative actions (e.g. configuration changes) via predictable URL requests once the user has authenticated and obtained a valid session with the switch.

For XSS, an attacker may inject 36 bytes of JavaScript code into the log via the SSH login parameter, which is written into the log as is. BBI and telnet login parameters are not written into the log; only the SSH login parameter is. When the log page is generated, all input from the SSH login parameter is displayed as is.

Both vulnerabilities give an attacker the chance to change the switch configuration file or to attack the administrator's workstation. The ability to embed code into the log without authentication increases the attacker's chance of success.

Turn off BBI, change the default SSHd port, and allow access to SSH and BBI only from trusted machines and networks.

Reference
http://dsecrg.com/pages/vul/show.php?id=161

Home FTP Server 'SITE INDEX' Command Remote Denial of Service
updated: 2-Jan-10
Home FTP Server 1.10.1.139 contains a denial of service vulnerability: the application stops serving requests when multiple irregular "SITE INDEX" commands are sent to the server.

A PoC exploit has been published.

Avast aswRdr.sys Kernel Pool Corruption and Local Privilege Escalation
updated: 2-Jan-10
Avast's aswRdr.sys driver does not sanitize user-supplied IOCTL input, which leads to a kernel heap overflow that crashes the system with a BSOD and carries a potential risk of privilege escalation.

Avast antivirus 4.8.1356.0 is vulnerable. A PoC exploit has been published.

Reference
http://www.efblog.net/2009/11/avast-aswrdrsys-kernel-pool-corruption.html

Gimp BMP Image Parsing Integer Overflow Vulnerability
updated: 2-Jan-10
Gimp 2.6.7 has a vulnerability caused by an integer overflow error within the "ReadImage()" function in plug-ins/file-bmp/bmp-read.c. This can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into opening a specially crafted BMP file.

Upgrade to a fixed version.

Reference
http://secunia.com/secunia_research/2009-42/

McAfee Network Security Manager Authentication Bypass and Session Hijacking
updated: 2-Jan-10
McAfee Network Security Manager is vulnerable to authentication bypass via HTTP session cookie hijacking. A remote attacker could exploit this vulnerability to hijack an existing session to the Network Security Manager.

McAfee Network Security Manager (NSM), version 5.1.7.7 (default configuration) is affected.

Upgrade NSM software to NSM 5.1.11.8.1 or above.

Reference
http://www.secureworks.com/ctu/advisories/SWRX-2009-002

McAfee Network Security Manager Cross-Site Scripting
updated: 2-Jan-10
McAfee Network Security Manager is vulnerable to cross-site scripting (XSS) caused by improper validation of user-supplied input.

A remote attacker could exploit this vulnerability using vulnerable parameters in a specially-crafted URL to execute script in a victim's web browser within the security context of the Network Security Manager site.

McAfee Network Security Manager (NSM), version 5.1.7.7 (default configuration) is affected.

Upgrade to McAfee NSM 5.1.11.6 or above.

Reference
http://www.secureworks.com/ctu/advisories/SWRX-2009-001

Transport Layer Security Renegotiation Vulnerability
updated: 2-Jan-10
An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.

Cisco AnyConnect VPN Client is affected. Install the fix from the vendor.

Reference
http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml

Horde Multiple Vulnerabilities
updated: 2-Jan-10
Multiple vulnerabilities in the Horde Application Framework can allow arbitrary files to be overwritten and enable cross-site scripting attacks.

A remote authenticated attacker could exploit these vulnerabilities to overwrite arbitrary files on the server, provided that the user has write permissions, and could conduct cross-site scripting attacks.

Horde < 3.3.5, horde-webmail < 1.2.4, and horde-groupware < 1.2.4 are affected. All Horde users should upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3236
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3237

Sun Java Web Start Arbitrary Command Execution Vulnerability
updated: 2-Jan-10
Sun Microsystems Java Runtime contains a flaw in the implementation of security model permissions during the removal of installer extensions.

By modifying an existing installer extension JNLP file, an attacker can create a condition in which code supplied by a URL different from the original installer extension URL runs as a secure applet. This condition can result in arbitrary command injection with the privileges of the currently logged-in user.

Install the update from Sun Microsystems.

Reference
http://www.zerodayinitiative.com/advisories/ZDI-09-077
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269870-1

IBM Tivoli Storage Manager CAD Service Buffer Overflow
updated: 2-Jan-10
IBM Tivoli Storage Manager Express Client 5.3.6.2 contains a vulnerability caused by an input validation error in the CAD service. This can be exploited to cause a stack-based buffer overflow by sending a specially crafted packet via TCP.

Successful exploitation allows execution of arbitrary code. Update to a fixed version.

Reference
http://secunia.com/secunia_research/2008-51/

HTML Injection in Oracle WebLogic Server Console
updated: 2-Jan-10
There is an HTML Injection vulnerability in the WebLogic Server 10.3 Administration Console that allows an attacker to gain administrative access to the server. It is possible to craft a URL that, when requested from the server, returns a document with arbitrarily chosen HTML injected. An obvious use for this type of vulnerability is cross-site scripting, which can be used, among other things, to obtain session cookies from WebLogic administrators. These cookies, once stolen, provide the attacker with administrative access to the WebLogic Administration Console, compromising the security of the entire web server.

This vulnerability is exploitable even if the Administration Console is only being accessed via HTTPS, and even if the Administrative Port is enabled.

Install the patch from Oracle.

Reference
http://www.acrossecurity.com/aspr/ASPR-2009-10-30-1-PUB.txt

Symantec ConsoleUtilities ActiveX Control Buffer Overflow
updated: 2-Jan-10
During the first access of the Management Website, an ActiveX control (AeXNSConsoleUtilities.dll) is installed, whose function "BrowseAndSaveFile" is vulnerable to a stack-based buffer overflow.

Symantec Altiris Notification Server 6.x, Symantec Management Platform 7.0.x and Symantec Altiris Deployment Solution 6.9.x are affected.

Install the fix from Symantec.

Reference
http://sotiriu.de/adv/NSOADV-2009-001.txt

Novell eDirectory LDAP Null Base DN Denial of Service Vulnerability
updated: 2-Jan-10
A denial of service vulnerability was reported in the LDAP implementation of Novell eDirectory Server. Novell eDirectory's NDSD process binds to port 389/TCP to handle LDAP requests. When the service processes a search request with an undefined BaseDN, it becomes unresponsive, making it impossible to query or authenticate to that server.

This vulnerability allows attackers to deny services on vulnerable installations of Novell eDirectory. Authentication is not required in order to exploit this vulnerability.

Install the update from Novell.

Reference
http://www.novell.com/support/viewContent.do?externalId=7004721
http://www.zerodayinitiative.com/advisories/ZDI-09-075