Security Alerts Archive

Last Update: 31 Jan 2008

PeerCast Buffer Overflow
updated: 31-Jan-08
A heap-based buffer overflow was reported within the "handshakeHTTP()" function of PeerCast < 0.1218 when processing HTTP requests.

A remote attacker could send a specially crafted request to the vulnerable server, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the PeerCast server, usually "nobody".

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6454
Xdg-Utils Arbitrary Command Execution
updated: 31-Jan-08
The "xdg-open" and "xdg-email" shell scripts of Xdg-Utils < 1.0.2-r1 did not properly sanitize their input before processing it.

A remote attacker could entice a user to open a specially crafted link with a vulnerable application using Xdg-Utils (e.g. an email client), resulting in the execution of arbitrary code with the privileges of the user running the application.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0386
Winamp Ultravox Streaming Metadata Parsing Buffer Overflows
updated: 31-Jan-08
Two vulnerabilities were reported in Winamp < 5.52, due to boundary errors in in_mp3.dll within the construction of stream titles when parsing Ultravox streaming metadata. This can be exploited to cause stack-based buffer overflows via overly long "" and "" tag values in the section.

Successful exploitation allows execution of arbitrary code.

Reference
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0065
http://secunia.com/secunia_research/2008-2/advisory/
Kazehakase Multiple Vulnerabilities
updated: 31-Jan-08
Kazehakase < 0.5.0 includes a copy of PCRE which is vulnerable to multiple buffer overflow and memory corruption vulnerabilities.

A remote attacker could entice a user to open specially crafted input (e.g. bookmarks) with Kazehakase, which could possibly lead to the execution of arbitrary code, a Denial of Service or the disclosure of sensitive information.

Upgrade to the latest version.

Reference
http://www.gentoo.org/security/en/glsa/glsa-200711-30.xml
GOffice Multiple Vulnerabilities
updated: 31-Jan-08
GOffice < 0.6.1 includes a copy of PCRE which is vulnerable to multiple buffer overflow and memory corruption vulnerabilities.

An attacker could entice a user to open specially crafted documents with GOffice, which could possibly lead to the execution of arbitrary code, a Denial of Service or the disclosure of sensitive information.

Upgrade to the latest version.

Reference
http://www.gentoo.org/security/en/glsa/glsa-200711-30.xml
libxml2 Denial of Service
updated: 31-Jan-08
The xmlCurrentChar() function of libxml2 < 2.6.30-r1 does not properly handle some UTF-8 multibyte encodings.

A remote attacker could entice a user to open a specially crafted XML document with an application using libxml2, possibly resulting in a high CPU consumption. Note that this vulnerability could also be triggered without user interaction by an automated system processing XML content.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6284
Netkit FTP Server Denial of Service
updated: 31-Jan-08
An FTP client connected to a vulnerable Netkit FTP server < 0.17-r7 with passive mode and SSL support can trigger an fclose() function call on an uninitialized stream in ftpd.c.

A remote attacker can send specially crafted FTP data to a server with passive mode and SSL support, causing the ftpd daemon to crash.

Disable passive mode or SSL, or upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6263
MaraDNS CNAME Denial of Service
updated: 31-Jan-08
MaraDNS < 1.2.12.08 is prone to a Denial of Service vulnerability affecting CNAME resolution. A specially crafted DNS packet could prevent an authoritative canonical name (CNAME) record from being resolved because of an "improper rotation of resource records".

A remote attacker could send specially crafted DNS packets to a vulnerable server, making it unable to resolve CNAME records.

Add "max_ar_chain = 2" to the "mararc" configuration file, or upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0061
Insecure Use of RC4 in LSrunasE and Supercrypt
updated: 31-Jan-08
LSrunasE and Supercrypt are utilities used to run commands under a different user account within Windows batch scripts. Passwords are encrypted using strong cryptography. Due to insecure use of the RC4 algorithm, the encryption can be trivially broken.

LSrunasE 1.0 and Supercrypt 1.0 are vulnerable. Upgrade to the latest version.

Reference
http://www.csnc.ch/en/downloads/advisories.html
Tripwire Enterprise/Server XSS
updated: 31-Jan-08
The login page of the Tripwire Enterprise/Server Management Web Interface (Systems 7) is susceptible to a cross-site scripting attack.

Input passed to the URL of the web management login page is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Install the patch from the vendor.

PostgreSQL Multiple Vulnerabilities
updated: 31-Jan-08
PostgreSQL < 8.0.15 contains multiple vulnerabilities that could result in privilege escalation or a Denial of Service.

If using the "expression indexes" feature, PostgreSQL executes index functions as the superuser during VACUUM and ANALYZE instead of the table owner, and allows SET ROLE and SET SESSION AUTHORIZATION in the index functions.

Additionally, several errors involving regular expressions were found. Finally, a privilege escalation vulnerability via unspecified vectors in the DBLink module was reported. This vulnerability is exploitable when local trust or ident authentication is used, and is due to an incomplete fix.

A remote authenticated attacker could send specially crafted queries containing complex regular expressions to the server, resulting in a Denial of Service through a server crash, an infinite loop or memory exhaustion. The two other vulnerabilities can be exploited to gain additional privileges.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3278
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4769
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4772
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6067
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6600
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6601
Firebird DB Server Memory Corruption
updated: 31-Jan-08
The Firebird database manager contains an integer overflow in the processing of certain tags of the XDR protocol used for communication with the server. This leads the server to corrupt process memory and crash.
Repeated attempts also crash the process in charge of restarting the database server. This may additionally grant attackers remote execution of arbitrary code on servers running Firebird.

Vulnerable Systems include Firebird SQL <= 1.0.3, <= 1.5.5, <= 2.0.3, <= 2.1.0 Beta 2.

PoC exploit has been published.

Reference
http://www.coresecurity.com/?action=item&id=2095
xine-lib User-assisted Execution of Arbitrary Code
updated: 31-Jan-08
xine-lib < 1.1.9.1 does not properly check boundaries when processing SDP attributes of RTSP streams, leading to heap-based buffer overflows.

An attacker could entice a user to play specially crafted RTSP video streams with a player using xine-lib, potentially resulting in the execution of arbitrary code with the privileges of the user running the player.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0225
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0238
ngIRCd Denial of Service
updated: 31-Jan-08
The IRC_PART() function in the file irc-channel.c of ngIRCd < 0.10.4 does not properly check the number of parameters, referencing an invalid pointer if no channel is supplied.

A remote attacker can exploit this vulnerability to crash the ngIRCd daemon.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0285
CherryPy Directory Traversal Vulnerability
updated: 31-Jan-08
CherryPy < 3.0.2-r1 does not sanitize the session id, provided as a cookie value, in the FileSession._get_file_path() function before using it as part of the file name.

A remote attacker could exploit this vulnerability to read and possibly write arbitrary files on the web server, or to hijack valid sessions, by providing a specially crafted session id. This only affects applications using file-based sessions.

Upgrade to the latest version.

Blam User-assisted Arbitrary Code Execution
updated: 31-Jan-08
Blam < 1.8.4 doesn't properly handle environment variables, potentially allowing a local attacker to execute arbitrary code.

The "/usr/bin/blam" script sets the "LD_LIBRARY_PATH" environment variable incorrectly, which might result in the current working directory (.) being included when searching for dynamically linked libraries of the Mono Runtime application.

A local attacker could entice a user to run Blam in a directory containing a specially crafted library file which could result in the execution of arbitrary code with the privileges of the user running Blam.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4790
F5 BIG-IP Web Management ASM Security Report XSS
updated: 27-Jan-08
F5 BIG-IP Application Security Manager Web management interface contains a cross-site scripting vulnerability in the Security Report function. Parameter report_type in page /dms/policy/rep_request.php is not sanitized before it gets embedded in the HTML output as a hidden form value.

The vulnerability has been identified in version 9.4.3. However, other versions may also be affected.

Administrators should not browse untrusted sites while logged into the BIG-IP web management interface. It is not possible to log out of the interface so it is important to shut down the browser after the interface is no longer needed. Closing the interface browser window or removing the BIG-IP cookie is not sufficient.

PatchLink Update Unix Client File Clobbering Vulnerability
updated: 27-Jan-08
The log rotation utility "logtrimmer" of PatchLink Update Unix Client uses space in /tmp improperly and is subject to a symlink attack. By creating a targeted symlink, a non-root user can clobber root-owned files, causing a DoS.

Exploit:

nobody:/tmp> ln -s /etc/shadow patchlink.tmp

After logs are rotated /etc/shadow will be size 0, since patchlink.tmp is removed by logtrimmer after the log rotation process has finished.

Create a subdirectory under /tmp or /var/tmp to work from. For example:

mkdir /var/tmp/plink
chmod 700 /var/tmp/plink

Besides, the script rebootTask contains the following lines for HP-UX shutdown and reboot:

echo "shutdown -r -y 120" > /tmp/plshutdown
chmod 500 /tmp/plshutdown
at now < /tmp/plshutdown

A race condition exists where a local user could symlink /tmp/plshutdown to a file in their home directory and inject malicious code. This could be done by continuously writing to the file while waiting for the at command to run:

$ ln -s /tmp/plshutdown /var/tmp/runme

#!/bin/perl
while(1){ `echo "chmod 777 /etc/shadow" > /var/tmp/runme`; }

This could be fixed by creating a subdirectory to work from under /var/tmp or /tmp.
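As an added example (not PatchLink's code, and not part of the original advisory), this is the file-creation discipline that closes both the logtrimmer and the rebootTask symlink windows when written in C: a private 0700 work directory from mkdtemp(), and open() with O_CREAT|O_EXCL|O_NOFOLLOW so a pre-planted link at the expected name is refused rather than followed. Directory and file names are hypothetical; the scenario functions build their own sandbox under $TMPDIR.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Open a brand-new file at `path` for writing.  O_EXCL makes the call
 * fail if anything already exists at that name (a planted symlink
 * included), and O_NOFOLLOW refuses to traverse a symlink as the final
 * component.  Returns the descriptor, or -1 with errno set. */
int create_private_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Create a private work directory under `base` with a random name.
 * mkdtemp() creates it mode 0700, so other local users cannot plant
 * anything inside it.  Writes the path into `out`; returns 0 on
 * success, -1 on failure. */
int make_private_workdir(const char *base, char *out, size_t outlen)
{
    if (snprintf(out, outlen, "%s/plink.XXXXXX", base) >= (int)outlen)
        return -1;
    return mkdtemp(out) != NULL ? 0 : -1;
}

static const char *tmp_base(void)
{
    const char *t = getenv("TMPDIR");
    return (t && *t) ? t : "/tmp";
}

/* Constructed scenario: an attacker has already planted a symlink at the
 * predictable name "plshutdown" pointing at a file they want clobbered.
 * Returns 1 if the hardened open refuses the link and the target keeps
 * its contents, 0 otherwise.  Everything lives in a fresh private
 * directory and is removed afterwards. */
int demo_refuses_planted_symlink(void)
{
    char dir[PATH_MAX], target[PATH_MAX], link[PATH_MAX], buf[16];
    int ok = 0, fd;

    if (make_private_workdir(tmp_base(), dir, sizeof dir) != 0)
        return 0;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/plshutdown", dir);

    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && write(fd, "keep me\n", 8) == 8 && close(fd) == 0
        && symlink(target, link) == 0) {
        fd = create_private_file(link);          /* must fail */
        if (fd < 0 && (errno == EEXIST || errno == ELOOP)) {
            /* confirm the real file was not truncated through the link */
            int rfd = open(target, O_RDONLY);
            if (rfd >= 0) {
                ok = read(rfd, buf, sizeof buf) == 8;
                close(rfd);
            }
        } else if (fd >= 0) {
            close(fd);                           /* unsafe: link was followed */
        }
    }
    unlink(link); unlink(target); rmdir(dir);
    return ok;
}

/* The normal path: a fresh file inside a private directory is created
 * without trouble.  Returns 1 on success, 0 otherwise. */
int demo_creates_fresh_file(void)
{
    char dir[PATH_MAX], path[PATH_MAX];
    int ok = 0, fd;

    if (make_private_workdir(tmp_base(), dir, sizeof dir) != 0)
        return 0;
    snprintf(path, sizeof path, "%s/plshutdown", dir);
    fd = create_private_file(path);
    if (fd >= 0) {
        ok = write(fd, "shutdown -r -y 120\n", 19) == 19;
        close(fd);
    }
    unlink(path); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("planted symlink refused: %s\n",
           demo_refuses_planted_symlink() ? "yes" : "NO");
    printf("fresh private file created: %s\n",
           demo_creates_fresh_file() ? "yes" : "NO");
    return 0;
}
```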

Reference
http://vapid.dhs.org
GE Fanuc Proficy Information Portal 2.6 Authentication Vulnerability
updated: 27-Jan-08
The login process of GE-Fanuc's Proficy Information Portal 2.6 sends the username in cleartext and the password in Base64-encoded form. This transmission can be intercepted and decoded by an attacker with access to the data traffic.

An attacker can harvest user credentials by intercepting the traffic between the browser and the Proficy server.

The vendor issued a KB article on how to resolve this vulnerability at the GE-Fanuc website.

GE Fanuc Proficy Information Portal 2.6 Arbitrary File Upload and Execution
updated: 27-Jan-08
Any authenticated user can use the "Add WebSource" option to upload any file (including asp) to the server of GE-Fanuc's Proficy Information Portal 2.6, to the main virtual directory where it can be launched by simply requesting it with a web browser.

This vulnerability exists due to a faulty Java RMI call associated with "Add WebSource": one parameter lets the user set the name and path where the file should be placed, and another carries the base64-encoded content of the file itself.

An authenticated attacker can compromise the server running Proficy Information Portal and from there move into the control/process network.

A possible workaround is to remove the write permission of the IIS user from the Proficy directory.

GE Fanuc Cimplicity 6.1 Heap Overflow
updated: 27-Jan-08
A heap overflow exists in a mandatory component of Cimplicity HMI <= 6.1 SP6, which can be triggered remotely without authentication. Successful exploitation allows attackers to execute arbitrary code.

Install the hotfix from the vendor.

SSH service at Dell DRAC4 Denial of Service
updated: 27-Jan-08
A denial of service vulnerability was reported in the SSH server on the Dell Remote Access Controller 4/P (DRAC 4/P) with Firmware Version 1.50 (Build 02.16); it is triggered by a scan with nmap-4.03-3 from Debian unstable, which is also included in Ubuntu Dapper.

Because of a separate issue when DRAC4 virtual drives are enabled, a second reboot must be performed manually; otherwise SuSE Linux Enterprise Server 10 (SLES 10), with or without Service Pack 1 (SP1), will not boot correctly and will fail with numerous segmentation faults, I/O errors and the like. Note that the remote Denial of Service does not depend on the operating system running on the server.

Upgrade to Firmware Version 1.60 (Build 10.04) for Dell Remote Access Controller 4 (DRAC 4/I and DRAC 4/P).

Reference
ftp://ftp.us.dell.com/sysman/readme_160_A00.txt
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4360
Default Passwords in the Cisco Application Velocity System
updated: 25-Jan-08
Versions of the Cisco Application Velocity System (AVS) 3110, 3120, 3180, and 3180A Management Station appliances that are running software versions prior to AVS 5.1.0 do not prompt users to modify system account passwords during the initial configuration process. Because there is no requirement to change these credentials during the initial configuration process, an attacker may be able to leverage the accounts that have default credentials, some of which have root privileges, to take full administrative control of the AVS system.

After upgrading to software version AVS 5.1.0, users will be prompted to modify these credentials.

Reference
http://www.cisco.com/warp/public/707/cisco-sa-20080123-avs.shtml
Cisco PIX and ASA Time-to-Live Vulnerability
updated: 25-Jan-08
A crafted IP packet vulnerability exists in the Cisco PIX 500 Series Security Appliance (PIX) and the Cisco 5500 Series Adaptive Security Appliance (ASA) running software versions prior to 7.2(3)006 or 8.0(3) that may result in a reload of the device. This vulnerability is triggered during processing of a crafted IP packet when the Time-to-Live (TTL) decrement feature is enabled.

Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available.

Reference
http://www.cisco.com/warp/public/707/cisco-sa-20080123-asa.shtml
Apache mod_negotiation XSS and HTTP Response Splitting
updated: 25-Jan-08
mod_negotiation does not sanitize filenames in the '406 Not Acceptable' and '300 Multiple Choices' response bodies. This could lead to cross-site scripting if the name of the file is controlled by an attacker (e.g. by previously uploading it).

Moreover, as the list of filenames is also sent, unsanitized, in the response header, it could result in an HTTP response splitting issue if the name of the file contains '\n' (Line Feed).

Apache <= 1.3.39, <= 2.0.61 and <= 2.2.6 are affected.

Reference
http://www.mindedsecurity.com/MSA01150108.html
IBM AIX pioout BSS Buffer Overflow Vulnerability
updated: 24-Jan-08
A buffer overflow vulnerability was reported in IBM AIX 5.2 and 5.3 'pioout' program, due to insufficient input validation when copying user-supplied data to a fixed-size buffer. By passing a long string as a command line option, an attacker can cause an exploitable buffer overflow.

Successful exploitation of this vulnerability results in the execution of arbitrary code with root privileges. In order to exploit this vulnerability, an attacker must have access to execute the set-uid root 'pioout' program.

Removing the set-uid bit from the binary will prevent exploitation but will also make the program unusable by non-root users; alternatively, install the interim fixes from the vendor.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=648
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1
IBM Tivoli PMfOSD HTTP Request Method Buffer Overflow
updated: 23-Jan-08
A buffer overflow vulnerability was reported in the web server component of IBM Tivoli Provisioning Manager for OS Deployment 5.1.0.3. This vulnerability specifically exists within the logging functionality of the web server component. By making requests with a large HTTP request method, an attacker can cause a static-sized buffer to be overrun with data they supplied.

Successful exploitation allows an attacker to cause a denial of service condition or potentially execute arbitrary code with SYSTEM privileges.

Install the Interim Fix 3 for version 5.1.0.3 from the vendor.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=647
Citrix Presentation Server IMA Service Heap Overflow
updated: 25-Jan-08
A vulnerability was discovered on Citrix Metaframe Presentation Server version 3.0, Presentation Server version 4.0, version 4.5, Access Essentials version 1.0, version 1.5, version 2.0, and Desktop Server version 1.0.

The specific flaw resides in the Independent Management Architecture service, ImaSrv.exe, which listens by default on TCP port 2512 or 2513. The process trusts a user-supplied value as a parameter to a memory allocation. By supplying a specific value, an undersized heap buffer may be allocated.

Subsequently, an attacker can then overflow that heap buffer by sending an overly large packet leading to arbitrary code execution in the context of the SYSTEM user.

Install the update from Citrix.

Reference
http://support.citrix.com/article/CTX114487
SocksCap Hostname Resolution Stack Overflow
updated: 25-Jan-08
A vulnerability was found in SocksCap 2.40-051231 and prior. Because no length check is performed during hostname resolution whenever SocksCap tries to resolve a remote resource, a buffer used by the product can be overflowed. The overflow is triggered whenever the hostname is longer than 692 bytes.

CORE FORCE Kernel Buffer Overflow
updated: 25-Jan-08
A kernel buffer overflow and improperly validated input arguments have been found in the Firewall and Registry modules of CORE FORCE 0.95.67. The vulnerabilities allow unprivileged logged-on users to crash the system (denial of service), and may also lead to privilege escalation or even a local root exploit.

Upgrade to CORE FORCE 0.95.172.

Reference
http://www.coresecurity.com/?action=item&id=2025
BitDefender Update Server - Unauthorized Remote File Access Vulnerability
updated: 25-Jan-08
BitDefender Update Server, which is part of several of BitDefender's Enterprise products, runs an HTTP daemon. The http.exe process runs with LocalSystem privileges and is vulnerable to a plain directory traversal. It is therefore possible to access files outside of the application's root directory with those privileges.

Reference
http://oliver.greyhat.de/2008/01/19/bitdefender-unauthorized-remote-file-access-vulnerability/
Multiple Vendor X Server XFree86-Misc Extension Invalid Array Index Vulnerability
updated: 19-Jan-08
An invalid array index vulnerability was discovered in the X.Org X server R7.3, as included in various vendors' operating system distributions.

The vulnerability exists within the XFree86-Misc extension. When processing a request, a 32-bit value from the client's request is used as an index into an array of structures. This structure contains an array of function pointers, one of which is used later in the request handling. By supplying a large array index, an arbitrary function pointer can be dereferenced. This results in the execution of arbitrary code.

Successful exploitation allows an attacker to execute arbitrary code with root privileges.

Upgrade to Xserver version 1.4.1.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=646
Multiple Vendor X Server TOG-CUP Extension Information Disclosure Vulnerability
updated: 19-Jan-08
An information disclosure vulnerability was found in the X.Org X server R7.3, as included in various vendors' operating system distributions.

The vulnerable code exists within the TOG-CUP extension. A 32-bit client supplied value is taken directly from the request, and then used as an index into an array. The value located at this index is then stored into a buffer which is later sent to the client. This allows a client to read memory from arbitrary locations in server memory.

Successful exploitation allows an attacker to read arbitrary memory within the X Server's address space.

Upgrade to Xserver version 1.4.1.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=644
Multiple Vendor X Server XInput Extension Multiple Memory Corruption
updated: 19-Jan-08
Multiple memory corruption vulnerabilities were found in the X.Org X server R7.3, as included in various vendors' operating system distributions.

Vulnerable code exists within multiple functions in the XInput extension. By sending specially crafted X11 requests, an attacker is able to corrupt heap memory located after their request data. This results in a potentially exploitable condition.

Successful exploitation allows an attacker to execute arbitrary code with root privileges.

Upgrade to Xserver version 1.4.1.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=643
Multiple Vendor X Server EVI and MIT-SHM Extensions Integer Overflows
updated: 19-Jan-08
Multiple integer overflow vulnerabilities were found in the X.Org X server R7.3, as included in various vendors' operating system distributions.

One vulnerability exists within the EVI extension. When processing a request, the server uses a 32-bit value provided by the client in an arithmetic operation that calculates the number of bytes to allocate for a dynamic buffer. This operation can overflow, which later leads to a potentially exploitable heap overflow.

Another vulnerability exists within the MIT-SHM extension. When allocating a pixmap, the server uses values from the request to verify that the requested size is not greater than the amount of allocated shared memory. The calculation can overflow, which leads to the overwriting of arbitrary addresses in memory that aren't part of the shared memory segment.
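As an added example (not X.Org or iDefense code), the three checks the X server advisories above imply, in C: bounding a client-supplied 32-bit index before it selects a function pointer (the XFree86-Misc flaw), computing an allocation size with wrap-around detection (the EVI flaw), and bounding a pixmap against its shared segment with no step that can overflow (the MIT-SHM flaw). The table, entry type and function names are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the per-entry structure the XFree86-Misc
 * request indexes: each entry carries a function pointer. */
typedef struct {
    const char *name;
    int (*handler)(void);
} ext_entry_t;

static int handler_alpha(void) { return 1; }
static int handler_beta(void)  { return 2; }

/* Constructed table standing in for the server's array of entries. */
static const ext_entry_t table[] = {
    { "alpha", handler_alpha },
    { "beta",  handler_beta  },
};
#define TABLE_LEN (sizeof(table) / sizeof(table[0]))

/* Dispatch through the table only when the 32-bit client index is in
 * range.  Returns the handler's result, or -1 for an out-of-range index
 * (the unchecked version reads a function pointer from wherever
 * table[client_index] happens to land). */
int dispatch_checked(uint32_t client_index)
{
    if (client_index >= TABLE_LEN)
        return -1;                       /* reject the request */
    return table[client_index].handler();
}

/* count * elem_size with wrap-around detection.  This is the check the
 * EVI byte-count arithmetic needs: a wrapped product silently yields an
 * undersized heap buffer.  Returns false on overflow. */
bool checked_mul_size(uint32_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return false;
    *out = (size_t)count * elem_size;
    return true;
}

/* Allocate room for `count` elements of `elem_size` bytes, or return
 * NULL if the size computation would overflow or malloc fails. */
void *alloc_elems(uint32_t count, size_t elem_size)
{
    size_t nbytes;
    if (!checked_mul_size(count, elem_size, &nbytes))
        return NULL;
    return malloc(nbytes);
}

/* MIT-SHM style bound: a pixmap of width * height * bytes_per_pixel
 * bytes starting at `offset` must lie entirely within a shared segment
 * of `seg_size` bytes.  Every intermediate product is overflow-checked
 * and the offset is compared before subtracting, so nothing can wrap. */
bool pixmap_fits_segment(uint32_t width, uint32_t height,
                         uint32_t bytes_per_pixel,
                         size_t offset, size_t seg_size)
{
    size_t row_bytes, total;
    if (!checked_mul_size(width, bytes_per_pixel, &row_bytes))
        return false;
    if (!checked_mul_size(height, row_bytes, &total))
        return false;
    if (offset > seg_size)
        return false;
    return total <= seg_size - offset;
}

int main(void)
{
    printf("index 1 -> %d\n", dispatch_checked(1));                    /* 2  */
    printf("index 0xFFFFFFFF -> %d\n", dispatch_checked(0xFFFFFFFFu)); /* -1 */
    printf("640x480x4 in a 4 MiB segment: %s\n",
           pixmap_fits_segment(640, 480, 4, 0, 4u << 20) ? "ok" : "rejected");
    printf("0xFFFFFFFF x 0xFFFFFFFF x 4: %s\n",
           pixmap_fits_segment(0xFFFFFFFFu, 0xFFFFFFFFu, 4, 0, 4u << 20)
               ? "ok" : "rejected");
    void *p = alloc_elems(0xFFFFFFFFu, SIZE_MAX);
    printf("overflowing allocation -> %s\n", p ? "allocated" : "NULL");
    free(p);
    return 0;
}
```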

Successful exploitation allows an attacker to execute arbitrary code with root privileges.

Upgrade to Xserver version 1.4.1.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=645
Cisco Unified Communications Manager CTL Provider Heap Overflow
updated: 17-Jan-08
Cisco Call Manager 4.1(3) contains a heap overflow vulnerability within the CTL Provider Service, CTLProvider.exe, which binds to TCP port 2444. The service operates over an SSL-encrypted transport. Due to a logic flaw in the way data is received in a loop, a heap allocation can be arbitrarily overflowed, resulting in control of subsequent heap chunks. Successful exploitation of this vulnerability may result in a DoS condition or the execution of arbitrary code.

Install the fix from the vendor.

Reference
http://www.cisco.com/warp/public/707/cisco-sa-20080116-cucmctl.shtml
http://dvlabs.tippingpoint.com/advisory/TPTI-08-02
Apple Quicktime Image File IDSC Atom Memory Corruption Vulnerability
updated: 17-Jan-08
QuickTime Player 7.3 and QuickTime PictureViewer 7.3 contain a memory corruption vulnerability within the parsing of malformed Image Descriptor (IDSC) atoms. Specifying a malicious atom size can result in an under-allocated heap chunk and subsequently an exploitable heap corruption.

Successful exploitation allows attackers to execute arbitrary code on vulnerable installations of Apple Quicktime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

Upgrade to the latest version.

Reference
http://docs.info.apple.com/article.html?artnum=307301
http://www.zerodayinitiative.com/advisories/TPTI-08-01.html
TIBCO SmartSockets RTServer Multiple Untrusted Loop Bounds Vulnerabilities
updated: 17-Jan-08
Multiple untrusted loop bounds vulnerabilities were reported in TIBCO SmartSockets RTserver 6.8.0.

When processing requests, SmartSockets uses values from the requests to control the number of iterations of several loops. Inside these loops, various memory operations are performed. Since attackers can control these values, potentially exploitable conditions arise.

Successful exploitation allows an attacker to execute arbitrary code with SYSTEM privileges. Unsuccessful attempts will likely crash the RTserver. The service does not restart, which makes repeated exploitation attempts more difficult.

Upgrade to the latest version.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=641
http://www.tibco.com/mk/advisory.jsp
TIBCO SmartSockets RTserver Multiple Untrusted Pointer Offset Vulnerabilities
updated: 17-Jan-08
Multiple untrusted pointer offset vulnerabilities were found in TIBCO SmartSockets RTserver 6.8.0.

When processing requests, SmartSockets uses values from the requests as offsets added to valid pointers. The resulting pointer values are then used in various memory operations. Since attackers can control these offset values, potentially exploitable conditions arise.

Successful exploitation allows an attacker to execute arbitrary code with SYSTEM privileges. Unsuccessful attempts will likely crash the RTserver. The service does not restart, which makes repeated exploitation attempts more difficult.

The RTserver is the core component of the SmartSockets framework. Without it, applications will be unable to pass messages. The severity of these issues will likely vary depending on the application using the SmartSockets framework.

Upgrade to the latest version.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=640
http://www.tibco.com/mk/advisory.jsp
TIBCO SmartSockets RTServer Multiple Untrusted Pointer Vulnerabilities
updated: 17-Jan-08
Multiple untrusted pointer vulnerabilities were found in TIBCO SmartSockets RTserver 6.8.0.

When processing requests, SmartSockets uses values from the requests as pointers. These pointer values are then used in various memory operations. Since attackers can control these values, potentially exploitable conditions arise.

Successful exploitation allows an attacker to execute arbitrary code with SYSTEM privileges. Unsuccessful attempts will likely crash the RTserver. The service does not restart, which makes repeated exploitation attempts more difficult.

Upgrade to the latest version.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=639
http://www.tibco.com/mk/advisory.jsp
FreeBSD pty snooping
updated: 17-Jan-08
Two issues exist in the FreeBSD 6.0 pty handling.

If openpty is called as a non-root user, the newly created pseudo-terminal is world readable and writable. While this is documented to be the case, script still uses openpty, and script may be used by non-root users.

The ptsname function incorrectly extracts two characters from the name of a device node in /dev without verifying that it's actually operating on a valid pty which the calling user owns. pt_chown uses the bad result from ptsname to change ownership of a pty to the user calling pt_chown.

If an unprivileged user is running script, or another program which uses openpty, an attacker may snoop text which is printed to the user's terminal.

If a malicious user has read access to a device node whose name contains characters matching the name of a pty, then the malicious user can read the content of another user's pty. The malicious user can open many ttys, resulting in a high probability that a new user obtains the pty name of a "vulnerable" pty.

Do not run script as a non-root user.

Reference
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:01.pty.asc
HP-UX Running X Font Server Remote Code Execution
updated: 17-Jan-08
A potential security vulnerability has been identified with HP-UX B.11.11, B.11.23 and B.11.31 running the X Font Server (xfs). The vulnerability could be exploited remotely to execute arbitrary code.

Install the software patches from the vendor.

Linux Kernel IPv6 Jumbo Bug
updated: 17-Jan-08
When the Linux kernel receives a malformed IPv6 jumbo packet, it drops the packet and attempts to update some statistics. In the affected kernel versions, the structure providing that information is not guaranteed to be correctly initialized, resulting in a kernel crash.

PoC exploit has been published.

Reference
http://blog.s21sec.com/2008/01/ipv6-bug-in-linux-kernel.html
IBM Tivoli Storage Manager Express Backup Server Heap Overflow
updated: 17-Jan-08
A heap overflow vulnerability was reported in IBM Tivoli Storage Manager Express 5.3. The specific flaw resides in the TSM Express Backup Server service, dsmsvc.exe, which listens by default on TCP port 1500. The process trusts a user-supplied length value. By supplying a large number, an attacker can overflow a static heap buffer, leading to arbitrary code execution in the context of the SYSTEM user.

Upgrade to the latest version.

Reference
http://www-1.ibm.com/support/docview.wss?uid=swg21291536
http://www.zerodayinitiative.com/advisories/ZDI-08-001.html
Apache mod_proxy_ftp Undefined Charset UTF-7 XSS Vulnerability
updated: 17-Jan-08
A cross-site scripting vulnerability exists in Apache 2.2.x, 2.0.x and 1.3.x with mod_proxy_ftp: mod_proxy_ftp.c does not define a charset for its responses, so an attacker can inject script through the ";" character in the URL and have the browser interpret the response as UTF-7.

Upgrade to the latest version.

Reference
http://securityreason.com/achievement_securityalert/46
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0005
Apache2 mod_proxy_balancer CSRF, XSS, Memory Corruption and DoS
updated: 17-Jan-08
Multiple vulnerabilities have been discovered in the Apache 2.2.x mod_proxy_balancer management interface.

1. Apache2 Cross-Site Request Forgery (CSRF)

Because all actions are performed via the GET method, the interface is subject to CSRF. The balancer-manager should use POST for requests that have side effects, which would significantly mitigate the CSRF issue.

2. Apache2 HTML Injection (XSS) Vulnerability

The HTML injection (XSS) vulnerability exists in "mod_proxy_balancer.c" and can be triggered once Balancer Manager support is enabled.

Input passed to the "ss" (StickySession Identifier), "wr" (Route) and "rr" (Route Redirect) parameters of balancer-manager is not properly sanitized, allowing arbitrary HTML and script code to be executed in a victim's browser.

Besides, input passed in the URL to "balancer-manager" is not properly sanitized, likewise allowing arbitrary HTML and script code to be executed in a victim's browser.

3. Apache2 Denial of Service

The Denial of Service is caused by an error in the "balancer_handler()" function, which manages the load factors and member status. An attacker who supplies an invalid "bb" variable while editing worker settings triggers the Denial of Service.

4. Apache2 Memory Corruption

The memory corruption is caused by an error in "mod_proxy_balancer" when an attacker supplies 7390, 7506 or 7622 "A" characters in the URL.

Upgrade to the latest version.

Reference
http://securityreason.com/achievement_securityalert/48
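Items 1 and 2 above describe two defences a management interface like balancer-manager needs: state-changing actions must not be reachable by a plain GET, and parameter values echoed into the page must be HTML-escaped. The following is an added example, not Apache's mod_proxy_balancer code; it assumes a per-session CSRF token carried as a hidden form field and checks it in constant time alongside the request method, and escapes the reflected "ss", "wr" and "rr" values.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not Apache's mod_proxy_balancer code. A per-session
 * token submitted as a hidden form field is an assumed CSRF defence. */

/* Constant-time string comparison so token checks do not leak timing. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    size_t n = la < lb ? la : lb;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* A state-changing manager action is allowed only when it arrives via
 * POST (a cross-site <img> or link can only issue GET) and carries the
 * session's CSRF token. Returns 1 if allowed, 0 otherwise. */
int csrf_request_allowed(const char *method, const char *form_token,
                         const char *session_token)
{
    if (method == NULL || form_token == NULL || session_token == NULL)
        return 0;
    if (strcmp(method, "POST") != 0)
        return 0;
    return ct_equal(form_token, session_token);
}

/* HTML-escape a value before echoing it into the manager page, so an
 * attacker-controlled "ss", "wr" or "rr" value renders as text rather
 * than markup. Returns bytes written, or -1 if out is too small. */
int html_escape(const char *in, char *out, size_t out_size)
{
    size_t o = 0;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (o + rl + 1 > out_size)
            return -1;
        memcpy(out + o, rep, rl);
        o += rl;
    }
    out[o] = '\0';
    return (int)o;
}

/* Convenience wrapper over a static buffer for quick checks. */
const char *escaped(const char *in)
{
    static char buf[512];
    if (html_escape(in, buf, sizeof buf) < 0)
        return NULL;
    return buf;
}
```

Requiring POST alone is the mitigation the advisory suggests; the token check is what closes the gap for an attacker who can get the victim's browser to submit a cross-site form.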
Quicktime Player HTTP Error Message Buffer Overflow
updated: 17-Jan-08
A buffer overflow vulnerability in the way QuickTime 7.3.1.70 displays error messages allows remote attackers to crash it and execute arbitrary code. The vulnerability is triggered by a malformed HTTP response whenever QuickTime is asked to connect to an RTSP server whose TCP ports 554 and 7070 are closed but not filtered.

PoC exploit has been published.

Reference
http://aluigi.altervista.org/poc/quicktimebof.zip
Safari 2 Denial of Service
updated: 17-Jan-08
A crafted HTML page can make Safari 2 crash when trying to parse the page, due to improper validation in the KHTML/WebKit engine.

PoC exploit has been published. Upgrade to Safari 3.

Reference
http://www.s21sec.com/avisos/s21sec-039-en.txt
Cross site scripting in Moodle
updated: 17-Jan-08
Moodle 1.8.3 is vulnerable to cross-site scripting, allowing injection of JavaScript and theft of cookies. The XSS can only be triggered against a Moodle instance that has not yet been installed, so the impact can be considered low. An attack is still possible if the attacker knows that another person is installing Moodle.

Update to version 1.8.4.

Reference
http://int21.de/cve/CVE-2008-0123-moodle.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0123
Quicktime Player Buffer Overflow (LCD, RTSP)
updated: 17-Jan-08
QuickTime 7.3.1.70 and prior appears to have a buffer overflow that occurs while filling the LCD-like screen containing information about the status of the connection.

Exploiting this vulnerability only requires that a user follows an rtsp:// link. If port 554 of the server is closed, QuickTime automatically changes the transport and tries the HTTP protocol on port 80; the server's 404 error message (other error codes work too) is then displayed in the LCD-like screen.

PoC exploit has been published.

Reference
http://aluigi.altervista.org/adv/quicktimebof-adv.txt
http://aluigi.org/poc/quicktimebof.txt
Xfce Multiple vulnerabilities
updated: 17-Jan-08
Xfce4 panel < 4.4.2 does not correctly calculate memory boundaries, leading to a stack-based buffer overflow in the launcher_update_panel_entry() function. Moreover, libxfcegui4 < 4.4.2 did not copy provided values when creating "SessionClient" structs, possibly leading to access of freed memory areas.

A remote attacker could entice a user to install a specially crafted "rc" file to execute arbitrary code via long strings in the "Name" and "Comment" fields or via unspecified vectors involving the second vulnerability.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6531
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6532
Several XSS, Cross-domain Redirection and Frame Injection on Sun Java System Identity Manager
updated: 17-Jan-08
The following issues have been found in Sun Java System Identity Manager 6.0, Sun Java System Identity Manager 7.0, Sun Java System Identity Manager 7.1:

- HTML injection via the "cntry" parameter
- XSS via the "lang" parameter
- XSS via the "resultsForm" parameter
- XSS via the "activeControl" parameter
- frame injection via the "helpUrl" parameter
- cross-domain redirects within the "nextPage" parameter

Cross-site Scripting vulnerabilities may allow local or remote unprivileged users the ability to execute unauthorized scripting code in a user's browser when that user clicks a link to Sun Java System Identity Manager.

In addition, a further vulnerability may allow a local or remote unprivileged user to inject unauthorized HTML code into a user's browser when that user clicks a link to Sun Java System Identity Manager.

Additional vulnerabilities may allow a local or remote unprivileged user to redirect the browser to unintended remote sites or to inject frames containing data from unintended sites.

PoC exploits have been published.

Reference
http://www.procheckup.com/Vulnerability_PR07-06.php
http://www.procheckup.com/Vulnerability_PR07-07.php
http://www.procheckup.com/Vulnerability_PR07-08.php
http://www.procheckup.com/Vulnerability_PR07-09.php
http://www.procheckup.com/Vulnerability_PR07-10.php
http://www.procheckup.com/Vulnerability_PR07-12.php

http://sunsolve.sun.com/search/document.do?assetkey=1-26-103180-1
Novell NetWare Client nicm.sys Local Privilege Escalation
updated: 10-Jan-08
An input validation vulnerability was reported in nicm.sys, file version 3.0.0.4, as included with Novell's NetWare Client 4.91 SP4.

When the Novell NetWare Client is installed on a Windows-based operating system, the driver nicm.sys will be loaded at system startup. This driver allows any user to open the device "\\.\nicm" and issue IOCTLs with a buffering mode of METHOD_NEITHER.

Due to insufficient input validation, user mode software can pass kernel addresses as arguments to the driver. By using specially constructed input, a malicious user can use functionality within the driver to patch kernel addresses and execute arbitrary code in kernel mode.

Install the patch from vendor.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=637
OpenAFS Denial of Service
updated: 10-Jan-08
A Denial of Service vulnerability has been discovered in OpenAFS < 1.4.6, due to improper handling of the client callback lists.

A remote attacker could construct cases that trigger a race condition, resulting in a server crash.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6599
Squid Denial of Service
updated: 10-Jan-08
A Denial of Service vulnerability has been reported in Squid < 2.6.17 when performing cache updates.

A remote attacker could perform numerous specially crafted requests to the vulnerable server, resulting in a Denial of Service.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6239
Claws Mail Insecure Temporary File Creation
updated: 10-Jan-08
The sylprint.pl script that is part of Claws Mail < 3.0.2-r1 creates temporary files in an insecure manner.

A local attacker could exploit this vulnerability to conduct symlink attacks to overwrite files with the privileges of the user running Claws Mail.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6208
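The symlink attack above works whenever a program opens a predictable temporary path that an attacker can pre-create. The following is an added example, not Claws Mail's sylprint.pl: it shows the safe pattern in C, creating the file atomically with an unpredictable name and mode 0600 via mkstemp(), then verifying the open descriptor with fstat() before writing. The directory (TMPDIR or /tmp) and the "sylprint.XXXXXX" template are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not Claws Mail's sylprint.pl. It shows the pattern the
 * script lacked: create the file atomically with an unpredictable name
 * and mode 0600, so a pre-placed symlink cannot redirect the write. */

/* Creates a private temporary file under TMPDIR (or /tmp). On success
 * returns an open descriptor and writes the path into path_out; on
 * failure returns -1. */
int create_private_tempfile(char *path_out, size_t path_size)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    int n = snprintf(path_out, path_size, "%s/sylprint.XXXXXX", dir);
    if (n < 0 || (size_t)n >= path_size)
        return -1;
    /* mkstemp() opens with O_CREAT|O_EXCL, so an existing file or symlink
     * at the chosen name makes it fail rather than being followed. The
     * umask keeps the file private even on libcs that create it wider. */
    mode_t old = umask(077);
    int fd = mkstemp(path_out);
    umask(old);
    return fd;
}

/* Round trip: create, verify through the descriptor (not the path) that
 * we hold a regular file we own with mode 0600, write, and clean up.
 * Returns 0 on success, a negative code identifying the failed check. */
int demo_tempfile_roundtrip(void)
{
    char path[4096];
    int fd = create_private_tempfile(path, sizeof path);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd); unlink(path); return -2;
    }
    if ((st.st_mode & 0777) != 0600 || st.st_uid != getuid()) {
        close(fd); unlink(path); return -3;
    }

    const char msg[] = "constructed print job\n";   /* constructed sample data */
    ssize_t w = write(fd, msg, sizeof msg - 1);
    close(fd);
    unlink(path);
    return (w == (ssize_t)(sizeof msg - 1)) ? 0 : -4;
}
```

The checks run on the descriptor returned by mkstemp(), never on the path: a check by path would reintroduce the race between lookup and use that the symlink attack exploits.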
R Multiple Vulnerabilities
updated: 10-Jan-08
R < 2.2.1-r1 includes a copy of PCRE which is vulnerable to multiple buffer overflow and memory corruption vulnerabilities.

An attacker could entice a user to process specially crafted regular expressions with R, which could possibly lead to the execution of arbitrary code, a Denial of Service or the disclosure of sensitive information.

Upgrade to the latest version.

Reference
http://www.gentoo.org/security/en/glsa/glsa-200711-30.xml
McAfee E-Business Server Remote Preauth Code Execution / DoS
updated: 10-Jan-08
A vulnerability was discovered in the administration interface (TCP port 1718) of McAfee E-Business Server 8.5.2. When a malformed (oversized) initial authentication packet is sent to E-Business Server, the server will crash, and will have to be manually restarted.

A malformed authentication packet is:
"\x01\x3f\x2f\x05\x25\x2a" + "A" * 69953

Further research showed that the vulnerability also allows an attacker to remotely execute code.

PoC exploit has been published. Install the patch from vendor.

Reference
http://www.infigo.hr/en/in_focus/advisories/INFIGO-2008-01-06
https://knowledge.mcafee.com/SupportSite/dynamickc.do?externalId=614472&sliceId=SAL_Public&command=show&forward=nonthreadedKC&kcId=614472
http://www.infigo.hr/files/mcafee2.pl
Pre-auth remote commands execution in SAP MaxDB
updated: 10-Jan-08
SAP MaxDB 7.6.03.07 server executes "cons.exe DATABASE COMMAND" through system() when certain special commands are called by the user.

Some of these special commands are "show" and "exec_sdbinfo"; the latter is one of the small number of commands that unauthenticated users can execute before logging in.

The use of system() to execute the cons program allows an external unauthenticated attacker to execute arbitrary commands on the target SAP MaxDB server, simply by passing "&&" or another shell pattern for executing multiple commands.

The following SAP command is thus enough to list the contents of C: on Windows (the bug is naturally exploitable on any other platform supported by the server):

exec_sdbinfo && echo dir c:\ | cmd.exe

PoC exploit has been released.

Reference
http://aluigi.org/poc/sapone.zip
unp Arbitrary Command Execution
updated: 10-Jan-08
unp >= 1.0.14 does not escape file names properly before passing them to the shell.

A remote attacker could entice a user or automated system to unpack a compressed archive with a specially crafted file name, leading to the execution of shell commands from within the filename. That code will be executed with the privileges of the user running unp.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6610
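The SAP MaxDB and unp entries above are the same bug class: untrusted text (a command word, a file name) is interpolated into a shell command line. The following is an added example, not SAP's or unp's code, in C: where the untrusted value is a command name it is allow-listed, and in every case the helper program is started with execvp() and an argv array, so no shell ever parses the value. The `run_tool` and `command_word_ok` names and the single-argument shape are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not SAP MaxDB's or unp's code. Two defences the
 * advisories imply: never hand untrusted text to a shell, and where the
 * untrusted value is a command word, allow-list it. */

/* Allow-list for a command word forwarded to a helper program: letters,
 * digits and underscore only, at most 64 characters. "exec_sdbinfo"
 * passes; "exec_sdbinfo && ..." does not. Returns 1 if acceptable. */
int command_word_ok(const char *cmd)
{
    if (cmd == NULL || *cmd == '\0' || strlen(cmd) > 64)
        return 0;
    for (const char *p = cmd; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '_')
            return 0;
    return 1;
}

/* Run prog with a single argument without involving a shell. The
 * argument (for unp, an archive file name) reaches the program as one
 * literal argv element, so shell metacharacters in it are inert.
 * Returns the child's exit status, or -1 if it could not be spawned or
 * did not exit normally. */
int run_tool(const char *prog, const char *arg)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)prog, (char *)arg, NULL };
        execvp(prog, argv);
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Note that the unp case cannot be solved by validation alone, since an archive name containing "&&" or ";" is legitimate input; the fix is to stop using a shell, which is what the argv form does.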
libcdio User-Assisted Execution of Arbitrary Code
updated: 27-Jan-08
A boundary error was reported in the "print_iso9660_recurse()" function in files cd-info.c and iso-info.c of libcdio < 0.78.2-r4 when processing long filenames within Joliet images.

A remote attacker could entice a user to open a specially crafted ISO image in the cd-info and iso-info applications, resulting in the execution of arbitrary code with the privileges of the user running the application. Applications linking against shared libraries of libcdio are not affected.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6613
MS08-001 Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution
updated: 10-Jan-08
A remote code execution vulnerability exists in the Windows kernel due to the way that the Windows kernel handles TCP/IP structures storing the state of IGMPv3 and MLDv2 queries. Supported editions of Microsoft Windows XP, Windows Server 2003, and Windows Vista all support IGMPv3.

In addition to IGMPv3, Windows Vista supports MLDv2, which adds multicast support for IPv6 networks. An anonymous attacker could exploit the vulnerability by sending specially crafted IGMPv3 and MLDv2 packets to a computer over the network.

An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In addition, a denial of service vulnerability exists in TCP/IP due to the way that the Windows kernel processes fragmented router advertisement ICMP queries. ICMP Router Discovery Protocol (RDP) is not enabled by default and is required in order to exploit this vulnerability.

However, on Windows 2003 Server and on Windows XP, RDP can be turned on by a setting in DHCP or by a setting in the registry. On Windows 2000, RDP can be turned on by a setting in the registry.

An anonymous attacker could exploit the vulnerability by sending specially crafted ICMP packets to a computer over the network. An attacker who successfully exploited this vulnerability could cause the computer to stop responding and automatically restart.

Windows 2000 SP4, Windows XP SP2, Windows 2003 Server SP2 and Windows Vista are affected. Install the update from vendor.

Reference
http://www.microsoft.com/technet/security/bulletin/ms08-001.mspx
MS08-002 Vulnerability in LSASS Could Allow Local Elevation of Privilege
updated: 10-Jan-08
An elevation of privilege vulnerability exists in the Microsoft Windows Local Security Authority Subsystem Service (LSASS) due to its improper handling of local procedure call (LPC) requests. The vulnerability could allow an attacker to run code with elevated privileges. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Windows 2000 SP4, Windows XP SP2 and Windows 2003 Server SP2 are affected. Install the update from vendor.

Reference
http://www.microsoft.com/technet/security/bulletin/ms08-002.mspx
Motorola netOctopus Agent MSR Write Privilege Escalation
updated: 8-Jan-08
A privilege escalation vulnerability was reported in Motorola netOctopus 5.1.2 build 1011. The netOctopus Agent software is supposed to be installed on all client machines. It includes a driver nantsys.sys 5.0.0.115 loaded at system boot time. This driver exposes a device interface \\.\NantSys writable by all users.

This driver includes functionality for reading and writing arbitrary CPU Model Specific Registers (MSRs). Changing MSR values allows tuning of various low-level CPU operations. By modifying SYSENTER_EIP_MSR, it is possible to execute arbitrary attacker-supplied code in kernel context by executing a sysenter instruction.

Use the script from vendor to remove write permissions for the Everyone group for the \\.\NantSys device.

Reference
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=636
http://www.netopia.com/support/software/technotes/netoctopus/Removing_the_nantsys_Driver.pdf
SynCE Remote Command Injection
updated: 8-Jan-08
The vdccm daemon of SynCE 0.92 is vulnerable to a remote command injection, due to the vdccm daemon not properly sanitizing certain input before using it to invoke external scripts. This can be exploited to execute arbitrary commands with the privileges of the vdccm daemon by sending specially crafted requests.

Upgrade to the latest version.

Reference
http://www.coresecurity.com/?action=item&id=2070
PostgreSQL Cumulative Security Release
updated: 8-Jan-08
PostgreSQL Global Development Group released updated versions of PostgreSQL which patch 5 security vulnerabilities. These releases update all current PostgreSQL versions, including 8.2, 8.1, 8.0, 7.4 and 7.3.

They are considered CRITICAL and PostgreSQL DBAs and sysadmins should install the update as soon as they reasonably can.

Reference
http://www.postgresql.org/support/security
Linksys WRT54 GL Session riding (CSRF)
updated: 8-Jan-08
Linksys WRT54GL is prone to an authentication-bypass vulnerability. The problem presents itself when a victim user visits a specially crafted web page on an attacker-controlled site. An attacker can exploit this vulnerability to bypass authentication and modify the configuration settings of the device. PoC exploit has been released.

Reference
http://en.wikipedia.org/wiki/Cross-site_request_forgery
HP Software Update Remote Code Execution
updated: 4-Jan-08
A potential security vulnerability has been identified with HP Software Update v4.000.005.007 or earlier running on Windows. The vulnerability could be exploited remotely to execute arbitrary code or gain privileged access.

Install the update from vendor.

XSS Vulnerabilities in Common Shockwave Flash Files
updated: 4-Jan-08
Critical vulnerabilities exist in a large number of widely used web authoring tools that automatically generate Shockwave Flash (SWF) files, such as Adobe Dreamweaver, Adobe Acrobat Connect, InfoSoft FusionCharts, and Techsmith Camtasia. The flaws render websites that host these generated SWF files vulnerable to Cross-Site Scripting (XSS).

This problem is not limited to authoring tools. Autodemo, a popular service provider, used a vulnerable controller SWF in many of their projects.

Simple Google hacking queries reveal that hundreds of thousands of SWFs are vulnerable on the Internet, and a considerable percentage of major Internet sites are affected. We are only reporting XSS vulnerabilities that have been fixed by the vendors.

Reference
http://docs.google.com/Doc?docid=ajfxntc4dmsq_14dt57ssdw
Georgia SoftWorks SSH2 Server Multiple Vulnerabilities
updated: 4-Jan-08
Format string and buffer overflow vulnerabilities have been discovered in GSW_SSHD 7.01.0003 and prior; these vulnerabilities allow remote attackers to overflow internal buffers in the product as well as to mount a format string attack against it.

PoC exploit has been published.
Reference
http://aluigi.altervista.org/adv/gswsshit-adv.txt
SIP Channel Driver BYE Vulnerability
updated: 4-Jan-08
The handling of the BYE with Also transfer method was broken during the development of Asterisk 1.4. If a transfer attempt is made using this method the system will immediately crash upon handling the BYE message due to trying to copy data into a NULL pointer. It is important to note that a dialog must have already been established and up in order for this to happen.

Install the fix from developer.

Reference
http://downloads.digium.com/pub/security/AST-2008-001.html
Opera Multiple Vulnerabilities
updated: 4-Jan-08
Two vulnerabilities were reported in Opera < 9.25, where plug-ins and rich text editing could be used to allow cross-domain scripting. An issue with TLS certificates and an issue where bitmaps might reveal random data from memory were also discovered.

A remote attacker could exploit these vulnerabilities, possibly leading to the execution of arbitrary code and cross domain scripting.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6520
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6524
OpenOffice.org User-assisted Arbitrary Code Execution
updated: 4-Jan-08
The HSQLDB engine, as used in OpenOffice.org < 2.3.1, does not properly enforce restrictions on SQL statements.

A remote attacker could entice a user to open a specially crafted document, possibly resulting in the remote execution of arbitrary Java code with the privileges of the user running OpenOffice.org.

Upgrade to the latest version.

Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4575
Wireshark Multiple Vulnerabilities
updated: 4-Jan-08
Multiple vulnerabilities have been discovered in Wireshark < 0.99.7, allowing for the remote execution of arbitrary code and a Denial of Service.

A remote attacker could send specially crafted packets on a network being monitored with Wireshark or entice a user to open a specially crafted file, possibly resulting in the execution of arbitrary code with the privileges of the user running Wireshark (which might be the root user), or a Denial of Service.

Upgrade to the latest version.

AMD64 x86 emulation GTK+ Library User-assisted Arbitrary Code Execution
updated: 4-Jan-08
The Cairo versions used by the AMD64 x86 emulation GTK+ libraries < 20071214 were vulnerable to integer overflow vulnerabilities.

A remote attacker could entice a user to view or process a specially crafted PNG image file in an application linked against Cairo, possibly leading to the execution of arbitrary code with the privileges of the user running the application.

Upgrade to the latest version.

Reference
http://www.gentoo.org/security/en/glsa/glsa-200712-04.xml