Multiple Vulnerabilities in ClamAV
updated: 31-Dec-07
ClamAV 0.92 uses its own functions to create temporary files. One such routine is vulnerable to a race condition attack. Moreover, ClamAV fails to properly check for base64-UUEncoded files, allowing the scanner to be bypassed through the use of such files.
In addition, the sigtool utility included in the ClamAV distribution fails to handle the files it creates in a secure way.
Mozilla Firefox & SeaMonkey Multiple Vulnerabilities
updated: 31-Dec-07
The jar protocol handler in Mozilla Firefox < 2.0.0.11 and SeaMonkey < 1.1.7 does not properly check MIME types. The window.location property can be used to generate a fake HTTP Referrer. Multiple memory errors have also been reported.
A remote attacker could possibly exploit these vulnerabilities to execute arbitrary code in the context of the browser and conduct Cross-Site Scripting or Cross-Site Request Forgery attacks.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5960
ClamAV Multiple Vulnerabilities
updated: 31-Dec-07
An integer overflow vulnerability was reported in the cli_scanpe() function of ClamAV < 0.91.2-r1 when parsing Portable Executable (PE) files packed in the MEW format, which could be exploited to cause a heap-based buffer overflow.
An off-by-one error when decompressing MS-ZIP compressed CAB files and an unspecified vulnerability related to the bzip2 decompression algorithm were also discovered.
A remote attacker could entice a user or automated system to scan a specially crafted file, possibly leading to the execution of arbitrary code with the privileges of the user running ClamAV (either a system user or the "clamav" user if clamd is compromised).
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6337
Syslog-ng Denial of Service
updated: 31-Dec-07
A NULL pointer dereference was found in the log_msg_parse() function of Syslog-ng < 2.0.6 when processing timestamps without a terminating whitespace character.
A remote attacker could send a specially crafted event to a vulnerable Syslog-ng server, resulting in a crash.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6437
Multi-Threaded DAAP Daemon Multiple Vulnerabilities
updated: 31-Dec-07
Multiple vulnerabilities were discovered in the XML-RPC handler in the file webserver.c of Multi-Threaded DAAP Daemon (mt-daapd) < 0.2.4.1.
The ws_addarg() function contains a format string vulnerability, as it does not properly sanitize username and password data from the "Authorization: Basic" HTTP header line. The ws_decodepassword() and ws_getheaders() functions do not correctly handle empty Authorization header lines, or header lines without a ':' character, leading to NULL pointer dereferences.
A remote attacker could send specially crafted HTTP requests to the web server in the Multi-Threaded DAAP Daemon, possibly leading to the execution of arbitrary code with the privileges of the user running the web server or a Denial of Service.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5824
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5825
exiftags Multiple Vulnerabilities
updated: 31-Dec-07
Exif metadata is not properly sanitized by exiftags < 1.01 before being processed, resulting in illegal memory access in the postprop() and other functions. Integer overflow vulnerabilities were also discovered in the parsetag() and other functions, and an infinite recursion in the readifds() function is caused by recursive IFD references.
An attacker could entice the user of an application making use of exiftags or an application included in exiftags to load an image file with specially crafted Exif tags, possibly resulting in the execution of arbitrary code with the privileges of the user running the application or a Denial of Service.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6354
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6356
Exiv2 Integer Overflow
updated: 31-Dec-07
An integer overflow vulnerability was found in the JpegThumbnail::setDataArea() method of exiv2 < 0.13-r1 leading to a heap-based buffer overflow.
An attacker could entice the user of an application making use of Exiv2 or an application included in Exiv2 to load an image file with specially crafted Exif tags, possibly resulting in the execution of arbitrary code with the privileges of the user running the application.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6353
Libexif Multiple Vulnerabilities
updated: 31-Dec-07
An integer overflow vulnerability was discovered in the exif_data_load_data_thumbnail() function of libexif < 0.6.16-r1, leading to memory corruption, and an infinite recursion was found in the exif_loader_write() function.
An attacker could entice the user of an application making use of libexif to load an image file with specially crafted Exif tags, possibly resulting in the execution of arbitrary code with the privileges of the user running the application or a Denial of Service.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6352
Buffer-overflow in Extended Module Player
updated: 31-Dec-07
The functions which handle the OXM file format (not active in Windows and Amiga) in Extended Module Player 2.5.1 are vulnerable to a buffer overflow caused by bypassing the "ilen > 263" check, because ilen is signed: setting ilen to a negative value passes the check and allows an attacker to overflow the buf buffer and possibly execute malicious code.
PoC exploit has been published. Upgrade to the latest version.
Reference http://aluigi.org/poc/xmpbof.zip
Zoom Player Unicode Buffer Overflow
updated: 31-Dec-07
Zoom Player 6.00 beta 2 and prior is affected by a Unicode buffer overflow in the function which builds the error messages. The problem can be exploited, for example, through a malformed ZPL file containing an HTTP link to a file with a PLS extension, which forces the program to use wsprintf to build the "Unable to play [%s]" error message.
PoC exploit has been published.
Reference http://aluigi.altervista.org/adv/zoomprayer-adv.txt
VideoLAN VLC Buffer Overflow and Format String
updated: 31-Dec-07
Buffer overflow in subtitle handling: VLC handles subtitles automatically in a very simple way; it just checks for the presence of SSA files with the same name as the loaded video and for a possible subtitles folder. The functions which handle the MicroDVD, SSA and VPlayer subtitle formats are vulnerable to stack-based buffer overflows which can allow an attacker to execute malicious code.
VideoLAN (VLC) version 0.8.6d and prior are affected.
Reference http://aluigi.altervista.org/adv/vlcboffs-adv.txt
Socket Connection Timing Can Reveal Information About Network Configuration
updated: 31-Dec-07
Due to a design flaw in ActionScript 3 socket handling, compiled Flash movies are able to scan for open TCP ports on any host reachable from the host running the SWF, bypassing the Flash Player Security Sandbox Model and without the need to rebind DNS.
PoC exploit has been published. Flash Player versions 9.0.47.0, 9.0.98.0 and 9.0.115.0 are affected. Disable ActionScript socket functionality.
Reference http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4324
Unicode buffer-overflow in Zoom Player
updated: 24-Dec-07
Zoom Player <= v6.00 beta 2 is affected by a Unicode buffer overflow in the function which builds the error messages. The problem can be exploited, for example, through a malformed ZPL file containing an HTTP link to a file with a PLS extension, which forces the program to use wsprintf to build the "Unable to play [%s]" error message.
PoC exploit has been published.
Double Directory Traversal in Ada Image server
updated: 24-Dec-07
A directory traversal vulnerability was reported in Ada Image server <= 0.6.21 and SVN <= 28, which can be exploited through the use of additional characters before the URI. The tests succeeded with any byte except NULL, line feed, '?', ':', slash and backslash (so between 248 and 251 valid characters, depending on the position of the character and whether the hex format was used).
A secondary type of directory traversal is exploitable through the template parameter.
If the root directory of the server is protected by authentication, the attacker must know the right username and password.
Apache Tomcat Insecure Default Security Policy
updated: 24-Dec-07
The JULI logging component of Tomcat 5.5.9 to 5.5.25 and Tomcat 6.0.0 to 6.0.15 allows web applications to provide their own logging configurations. The default security policy does not restrict this configuration and allows an untrusted web application to add files or overwrite existing files where the Tomcat process has the necessary file permissions to do so.
Apply the patch to the catalina.policy file.
Reference http://tomcat.apache.org/security.html
http://svn.apache.org/viewvc?rev=606594&view=rev
CA Products That Embed Ingres Authentication Vulnerability
updated: 24-Dec-07
A potential vulnerability exists in the Ingres software that is embedded in various CA products. This vulnerability exists only on Ingres 2.5 and Ingres 2.6 on Windows, and does not manifest itself on any Unix platform. Ingres r3 and Ingres 2006 are not affected.
The vulnerability causes users who connect after the first user to be assigned the privileges and identity of that first user. In all reported instances, the application (typically an ASP.NET application using the Ingres ODBC driver) was running on the Microsoft IIS web server with the Integrated Windows Authentication (IWA) option enabled. While IWA is not enabled by default, it is a commonly used option. It should be noted that the Ingres .NET data provider is not affected.
Install the fix from vendor.
Reference http://community.ca.com/blogs/casecurityresponseblog/archive/2007/12/19.aspx
Adobe Flash Player ActiveX Control Universal Cross-Site Scripting
updated: 24-Dec-07
A cross-site scripting vulnerability was reported in Adobe Flash Player 9.0.48.0 and earlier that allows remote attackers to run arbitrary JavaScript code in the security context of other domains, resulting in information disclosure and session hijacking. User interaction is required to exploit this vulnerability, in that the target must visit a malicious page or open a malicious file.
The specific flaw exists in the Flash Player ActiveX Control's handling of the navigateToURL API, which takes two arguments, a URL and the name of the frame to be navigated. The SWF movie can pass in a javascript: URI and the name of a frame on some other domain. The code in the URI executes in the security context of the named frame, rather than the security context of the SWF movie or the page that embeds it.
PoC exploit has been published. Install the patch from vendor.
Reference http://www.adobe.com/support/security/bulletins/apsb07-20.html
http://crypto.stanford.edu/advisories/CVE-2007-6244/
Adobe Flash Player JPG Processing Heap Overflow
updated: 24-Dec-07
Adobe Flash Player 9.0.48.0 and earlier contains a heap overflow vulnerability when parsing JPG images embedded in SWF files. The Flash Player trusts the signed X and Y densities specified in the JPG header and makes memory allocations accordingly. A processing loop later treats these values as unsigned, leading to excessive loop iterations and heap corruption while decoding the rest of the image.
Successful exploitation allows remote attackers to execute arbitrary code on systems with vulnerable installations of the Adobe Flash Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
Reference http://www.adobe.com/support/security/bulletins/apsb07-20.html
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6242
http://dvlabs.tippingpoint.com/advisory/TPTI-07-21
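The Extended Module Player "ilen > 263" check and the Flash Player JPG density bug above share one root cause: a bound check on a signed value lets a negative number through, which then becomes a huge unsigned size when used for allocation or copying. The C below is an added example, not code from either project; it assumes a record layout of [int32 little-endian length][bytes] for the demonstration, which is an assumption and not the real OXM or JPEG layout.

```c
/* Added example: signed length check bypass, as in the advisories above.
 * Assumed record layout: 4-byte little-endian int32 length, then payload. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE 264   /* matches the "ilen > 263" bound in the advisory */

/* Decode a little-endian 32-bit field as the parser would read it from disk. */
static int32_t read_le32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Vulnerable pattern: only the upper bound is tested, so any negative
 * ilen is accepted. Returns 1 if the check lets the value through. */
int vulnerable_check(int32_t ilen)
{
    return (ilen > 263) ? 0 : 1;
}

/* Fixed pattern: reject negative values explicitly (equivalently, compare
 * the value as unsigned against the bound). */
int fixed_check(int32_t ilen)
{
    return (ilen < 0 || ilen > 263) ? 0 : 1;
}

/* What the accepted value turns into once handed to memcpy/malloc:
 * the implicit conversion to size_t makes -1 become SIZE_MAX. */
size_t as_memcpy_size(int32_t ilen)
{
    return (size_t)ilen;
}

/* Hardened parser: validates the sign, the buffer bound and that the
 * declared length does not exceed the bytes actually present.
 * Returns bytes copied into out (NUL-terminated), or -1 if rejected. */
int parse_name(const uint8_t *data, size_t datalen, char *out)
{
    if (datalen < 4)
        return -1;
    int32_t ilen = read_le32(data);
    if (ilen < 0 || (size_t)ilen > BUF_SIZE - 1)
        return -1;                      /* negative or larger than buf */
    if ((size_t)ilen > datalen - 4)
        return -1;                      /* field claims more than is present */
    memcpy(out, data + 4, (size_t)ilen);
    out[ilen] = '\0';
    return ilen;
}

/* Constructed sample records (not taken from any real file). */
static const uint8_t rec_ok[]    = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t rec_neg[]   = { 0xff, 0xff, 0xff, 0xff, 'x' };   /* ilen = -1 */
static const uint8_t rec_big[]   = { 0x2c, 0x01, 0, 0 };              /* ilen = 300 */
static const uint8_t rec_short[] = { 10, 0, 0, 0, 'a', 'b', 'c' };    /* claims 10, has 3 */

static char last_name[BUF_SIZE];

/* Parse one of the samples by index (0..3) into a static buffer. */
int parse_sample(int which)
{
    switch (which) {
    case 0: return parse_name(rec_ok, sizeof rec_ok, last_name);
    case 1: return parse_name(rec_neg, sizeof rec_neg, last_name);
    case 2: return parse_name(rec_big, sizeof rec_big, last_name);
    case 3: return parse_name(rec_short, sizeof rec_short, last_name);
    default: return -1;
    }
}

const char *last_parsed_name(void)
{
    return last_name;
}

int main(void)
{
    printf("vulnerable_check(-1) = %d (accepted)\n", vulnerable_check(-1));
    printf("fixed_check(-1)      = %d (rejected)\n", fixed_check(-1));
    printf("as_memcpy_size(-1)   = %zu\n", as_memcpy_size(-1));
    for (int i = 0; i < 4; i++)
        printf("sample %d -> %d\n", i, parse_sample(i));
    return 0;
}
```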
OpenSSL SSLv2 Client Crash
updated: 24-Dec-07
A vulnerability was found in the way OpenSSL < 0.9.7l and < 0.9.8d handle ServerHello packets, allowing a malicious server to crash a client connecting to it.
PoC exploit has been published. Upgrade to the latest version.
Reference http://www.beyondsecurity.com/bestorm_overview.html
SurgeMail Webmail Host Header DoS
updated: 24-Dec-07
SurgeMail Mail Server 38k4 contains a vulnerability in the way it handles the Host header field that allows remote attackers to crash the product. PoC exploit has been released.
Reference http://retrogod.altervista.org/rgod_surgemail_crash.html
Perforce P4Web Denial of Service Through Resource Starvation
updated: 22-Dec-07
A single HTTP request with the Content-Length header set to a value greater than zero but with no body will cause the P4Webs.exe process of Perforce 2006.1 to consume up to 99% of CPU time on the target system.
The attack can be executed remotely. No authentication is required for exploitation.
Upgrade to P4Web 2007.2 or later.
Reference http://www.securityfocus.com/bid/26806
Appian Enterprise Business Suite DoS
updated: 22-Dec-07
Appian Enterprise Business Suite 5.6 SP1 is vulnerable to a remote DoS attack due to the way it handles packets on port 5400. This port handles process execution, as described in the Appian documentation: "Stores all relevant information about a process during its execution stage." The vulnerability can be triggered by sending a specially crafted 609-byte packet to the port. Restarting the application will not work, and an entire system reboot must be performed to restore service.
PoC exploit has been published.
HP-UX Running Java JRE and JDK, Remote Unauthorized Access
updated: 22-Dec-07
Potential security vulnerabilities have been identified in Java Runtime Environment (JRE) and Java Developer Kit (JDK) running on HP-UX. These vulnerabilities may allow remote unauthorized access.
HP-UX B.11.11, B.11.23, and B.11.31 running Java Runtime Environment (JRE) v5.0.10 and earlier, and Java Developer Kit (JDK), v1.4.2.16 and earlier are affected. Install the updates from vendor.
HP Tru64 UNIX running FFM, Local Denial of Service
updated: 22-Dec-07
A potential security vulnerability has been identified with the HP Tru64 UNIX Operating System v5.1B-4 and v5.1B-3 running FFM (File-on-File Mounting File System). The vulnerability could be exploited by a local, authorized user to cause a Denial of Service.
Install the updates from vendor.
HP laptops Software Update Tool Vulnerability
updated: 22-Dec-07
There is another remotely exploitable flaw within software preinstalled on HP notebook machines. A vulnerable ActiveX control, EngineRules.dll of HP Software Update Client 3.0.8.4, contains an insecure method giving a potential attacker arbitrary file write access on the remote system.
It has been assigned CLSID 7CB9D4F5-C492-42A4-93B1-3F7D6946470D and is by default included among the "Safe for Scripting" OLE components, which allows full scripting access to the control's methods from within the browser.
PoC exploit has been released. Update to the latest version.
Reference http://www.anspi.pl/~porkythepig/hp-issue/wyfukanyszynszyl.txt
Application Inspection Vulnerability in Cisco Firewall Services Module
updated: 22-Dec-07
A vulnerability exists in the processing of data in the control-plane path with Layer 7 Application Inspections, that may result in a reload of the Cisco Firewall Services Module FWSM. The vulnerability can be triggered with standard network traffic, which is passed through the Application Layer Protocol Inspection process.
The only FWSM release affected by this vulnerability is FWSM System Software version 3.2(3). Install the fix from vendor.
Reference http://www.cisco.com/warp/public/707/cisco-sa-20071219-fwsm.shtml
ClamAV libclamav MEW PE File Integer Overflow Vulnerability
updated: 19-Dec-07
An integer overflow vulnerability was reported within the code responsible for parsing PE files packed with the MEW packer in ClamAV 0.91.2.
During unpacking, two untrusted values are taken directly from the file without being validated. These values are later used in an arithmetic operation to calculate the size used to allocate a heap buffer. This calculation can overflow, resulting in a buffer of insufficient size being allocated. This later leads to arbitrary areas of memory being overwritten with attacker supplied data.
Disable the scanning of PE files or update to the latest version.
Reference http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=634
Apple Mac OS X mount_smbfs Stack Based Buffer Overflow Vulnerability
updated: 19-Dec-07
A stack based buffer overflow vulnerability was reported in Apple Mac OS X 10.4.10 mount_smbfs utility. The vulnerability exists in a portion of code responsible for parsing command line arguments. When processing the -W option, which is used to specify a workgroup name, the option's argument is copied into a fixed sized stack buffer without any checks on its length. This leads to a trivially exploitable stack based buffer overflow.
Successful exploitation of this vulnerability results in the execution of arbitrary code with root privileges. In order to exploit this vulnerability, an attacker must have execute permission for the set-uid root mount_smbfs binary.
Reference http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=633
http://docs.info.apple.com/article.html?artnum=307179
CUPS Multiple Vulnerabilities
updated: 19-Dec-07
An integer underflow was found in the asn1_get_string() function of the SNMP backend of CUPS < 1.3.5, leading to a stack-based buffer overflow when handling SNMP responses. It was also discovered that the alternate pdftops filter creates temporary files with predictable file names when reading from standard input. Furthermore, the resolution of a Denial of Service vulnerability introduced another Denial of Service vulnerability within SSL handling.
A remote attacker on the local network could exploit the first vulnerability to execute arbitrary code with elevated privileges by sending specially crafted SNMP messages as a response to an SNMP broadcast request. A local attacker could exploit the second vulnerability to overwrite arbitrary files with the privileges of the user running the CUPS spooler (usually lp) by using symlink attacks. A remote attacker could cause a Denial of Service condition via the third vulnerability when SSL is enabled in CUPS.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4045
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5849
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6358
http://www.gentoo.org/security/en/glsa/glsa-200703-28.xml
E2fsprogs Multiple Buffer Overflows
updated: 19-Dec-07
Multiple integer overflows were discovered in libext2fs of E2fsprogs < 1.40.3, that are triggered when processing information from within the file system, resulting in heap-based buffer overflows.
An attacker could entice a user to process a specially-crafted ext2 or ext3 file system image (with tools linking against libext2fs, e.g. fsck, forensic tools or Xen's pygrub), possibly resulting in the execution of arbitrary code with the privileges of the user running the application.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5497
Asterisk Database Matching Order Authentication Bypass
updated: 19-Dec-07
Due to the way database-based registrations ("realtime") are processed, IP addresses are not checked when the username is correct and there is no password. An attacker may impersonate any user using host-based authentication without a secret, simply by guessing the username of that user. This is limited in scope to administrators who have set up the registration database ("realtime") for authentication and are using only host-based authentication, not passwords. However, both the SIP and IAX protocols are affected.
Asterisk versions prior to 1.2.26, 1.4.16, B.2.3.6 and C.1.0-beta8 are affected. Upgrade to the latest version.
Reference http://downloads.digium.com/pub/security/AST-2007-027.html
Google Toolbar Dialog Spoofing Vulnerability
updated: 19-Dec-07
Google Toolbar allows spoofing of the information presented in the dialog displayed when adding a new Google Toolbar button. This can allow an attacker to convince users that the button comes from a trusted domain. The button can then be used to download malicious files or conduct phishing attacks (e.g. show a login form of a bank).
Google Toolbar 5 beta and 4 for Internet Explorer, and Google Toolbar 4 for Firefox are affected.
Reference http://aviv.raffon.net/2007/12/18/GoogleToolbarDialogSpoofingVulnerability.aspx
Trend Micro ServerProtect StRpcSrv.dll Insecure Method Exposure Vulnerability
updated: 19-Dec-07
Trend Micro ServerProtect v5.58 contains an insecure method exposure vulnerability in the SpntSvc.exe daemon, which is bound by default to TCP port 5168 and exposes a DCE/RPC interface through TmRpcSrv.dll. Various sub-functions from StRpcSrv.dll are exposed in this interface and allow full file system access, which can be trivially leveraged to execute arbitrary code.
Install the update from vendor.
Reference http://www.zerodayinitiative.com/advisories/ZDI-07-077.html
http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt
Hewlett-Packard HP-UX swagentd Buffer Overflow Vulnerability
updated: 19-Dec-07
A vulnerability was reported in HP-UX 11.11 within the function sw_rpc_agent_init (opcode 0x04) defined in swagentd. Specific malformed arguments can cause function pointers to be overwritten and thereby result in arbitrary code execution.
Successful exploitation allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard HP-UX operating system. Authentication is not required to exploit this vulnerability.
Install the update from vendor.
Reference http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6195
http://www.zerodayinitiative.com/advisories/ZDI-07-079.html
Net::DNS Malformed Packet DoS
updated: 19-Dec-07
A denial of service vulnerability was found in Net::DNS 0.60 build 654 that allows a malicious server to crash the Net::DNS package by sending it a malformed DNS response; this in turn causes any product using the package to crash with it.
PoC exploit was released.
Reference https://rt.cpan.org/Public/Bug/Display.html?id=30316
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6341
IRC Services Denial of Service
updated: 19-Dec-07
A Denial of Service vulnerability has been reported in IRC Services < 5.0.63, since the "default_encrypt()" function in file encrypt.c does not properly handle overly long passwords.
A remote attacker could provide an overly long password to the vulnerable server, resulting in a Denial of Service.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6122
Portage Information Disclosure
updated: 19-Dec-07
It was reported that the "etc-update" utility of Portage < 2.1.3.11 uses temporary files with the standard umask, which results in the files being world-readable when merging configuration files in a default setup.
A local attacker could access sensitive information when configuration files are being merged.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6249
MS Office 2007: Digital Signature does not protect Meta-Data
updated: 19-Dec-07
Microsoft Office (12.0.6017.5000) documents carry metadata according to the DublinCore metadata scheme in the file docProps/core.xml. Among these metadata fields are "LastModifiedBy" and "creator", together with several others that can be displayed or changed through the menu "Office Button -> Prepare -> Properties".
These entries can be changed without invalidating the signature. At least under Windows operating systems, this information is also shown in the file properties of the Windows file system.
The meta data of signed Microsoft Office documents can be changed. An attacker can change the values to spoof the origin of signed documents, hoping to induce trust or otherwise deceive the user.
TrendMicro AntiVirus ZIP Processing Vulnerability
updated: 19-Dec-07
While decoding a .uue file, TrendMicro AntiVirus prior to PccScan.dll build 1451 creates a .zip file; by manipulating the .uue file, an attacker can make the TrendMicro AV generate a .zip file which contains a long file name.
Due to the incorrect usage of the wcsncpy_s() API while PccScan.dll is trying to copy this long file name into a static buffer, SfCtlCom.exe will crash.
Because SfCtlCom.exe runs with SYSTEM privileges, local privilege escalation is possible in some cases, e.g. when a just-in-time debugger is present.
The vulnerability can be exploited remotely, by sending an e-mail or convincing the victim to visit an attacker-controlled website, or locally to gain SYSTEM privileges.
Install the patch from vendor.
Reference http://esupport.trendmicro.com/support/viewxml.do?ContentID=1036464
MS07-063 – Vulnerability in SMBv2 Could Allow Remote Code Execution
updated: 12-Dec-07
A remote code execution vulnerability exists in the SMBv2 protocol that could allow a remote anonymous attacker to run code with the privileges of the logged-on user.
Windows Vista is affected. Install the update from vendor.
Reference http://www.microsoft.com/technet/security/bulletin/ms07-063.mspx
MS07-064 – Vulnerabilities in DirectX Could Allow Remote Code Execution
updated: 12-Dec-07
A remote code execution vulnerability exists in the way DirectX handles SAMI, WAV and AVI format files. This vulnerability could allow code execution if a user opened a specially crafted file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
DirectX 7.0, 8.1, 9.0c and 10.0 are affected. Install the fix from vendor.
Reference http://www.microsoft.com/technet/security/bulletin/ms07-064.mspx
MS07-065 – Vulnerability in Message Queuing Could Allow Remote Code Execution
updated: 12-Dec-07
A remote code execution vulnerability exists in the Message Queuing Service when it incorrectly validates input strings before passing the strings to a buffer. An attacker could exploit the vulnerability by constructing a specially crafted MSMQ message that could allow remote code execution in a remote attack scenario on Microsoft Windows 2000 Server and a local elevation of privilege in a local scenario on Microsoft Windows 2000 Professional and Windows XP. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Windows 2000 SP4 and XP SP2 are affected. Install the update from vendor.
Reference http://www.microsoft.com/technet/security/bulletin/ms07-065.mspx
MS07-066 – Vulnerability in Windows Kernel Could Allow Elevation of Privilege
updated: 12-Dec-07
An elevation of privilege vulnerability exists in the way that the Windows kernel processes certain access requests. This vulnerability could allow an attacker to run code and to take complete control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Windows Vista is affected. Install the update from vendor.
Reference http://www.microsoft.com/technet/security/bulletin/ms07-066.mspx
MS07-067 – Vulnerability in Macrovision Driver Could Allow Local Elevation of Privilege
updated: 12-Dec-07
A local elevation of privilege vulnerability exists in the way that the Macrovision driver incorrectly handles configuration parameters. An attacker who successfully exploited this vulnerability could execute arbitrary code in the context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Windows XP SP2 and 2003 SP2 are affected. Install the fix from vendor.
Reference http://www.microsoft.com/technet/security/bulletin/ms07-067.mspx
MS07-068 - Vulnerability in Windows Media File Format Could Allow Remote Code Execution
updated: 12-Dec-07
A remote code execution vulnerability exists in Windows Media Format Runtime due to the way it handles Advanced Systems Format (ASF) files. In client applications, such as Windows Media Player, an attacker could exploit the vulnerability by constructing specially crafted Windows Media Format Runtime content that could potentially allow remote code execution if a user visits a specially crafted Web site or opens an e-mail message with specially crafted content. In server applications, such as Windows Media Services, an attacker could exploit the vulnerability by constructing specially crafted Windows Media Format Runtime content that could potentially allow remote code execution if the server processes the specially crafted content. In client and server applications, an attacker who successfully exploited this vulnerability could take complete control of an affected system.
Windows Media Format Runtime 7.1, 9, 9.5, 11 and Windows Media Services 9.1 are affected. Install the update from vendor.
Reference http://www.microsoft.com/technet/security/bulletin/ms07-068.mspx
MS07-069 - Cumulative Security Update for Internet Explorer
updated: 12-Dec-07
A remote code execution vulnerability exists in the way Internet Explorer accesses an object that has not been correctly initialized, that has been deleted, or that contains certain unexpected method calls to HTML objects. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
Internet Explorer 5, 6 and 7 are affected. Install the patch from vendor.
Reference http://www.microsoft.com/technet/security/bulletin/ms07-069.mspx
Novell NetMail AntiVirus Agent Multiple Heap Overflow Vulnerabilities
updated: 11-Dec-07
Multiple heap overflow vulnerabilities were reported in Novell NetMail AntiVirus Agent, which listens on a random high TCP port. The avirus.exe service protocol reads a user-supplied ASCII integer value as an argument to a memory allocation routine. The specified size is added to without any integer overflow checks and can therefore result in an under-allocation. A subsequent memory copy operation can then corrupt the heap and eventually result in arbitrary code execution.
Install the update from vendor.
Reference https://secure-support.novell.com/KanisaPlatform/Publishing/990/3639135_f.SAL_Public.html
Websense Reporting Tools Portal Page Cross-Site Scripting
updated: 11-Dec-07
Websense Enterprise and Websense Web Security Suite 6.3 contain a vulnerability in the login page that makes it susceptible to a cross-site scripting attack. Input passed to the "username" field of the login page is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Install the hotfix from vendor.
Reference http://www.websense.com/SupportPortal/SupportKbs/1840.aspx
http://www.liquidmatrix.org/blog/2007/12/10/advisory-websense-xss-vulnerability/
Samba "send_mailslot()" Buffer Overflow Vulnerability
updated: 11-Dec-07
A buffer overflow vulnerability was reported in Samba 3.0.27a, due to a boundary error within the "send_mailslot()" function.
This can be exploited to cause a stack-based buffer overflow with zero bytes via a specially crafted "SAMLOGON" domain logon
packet containing a username string placed at an odd offset followed by an overly long GETDC string.
Successful exploitation allows execution of arbitrary code, but requires that the "domain logons" option is enabled. Update
to the latest version.
Reference http://secunia.com/secunia_research/2007-99/
WordPress Charset SQL Injection Vulnerability
updated: 11-Dec-07
The search function provided within WordPress 2.3.1 and prior fails to sanitize input based on different character sets. So
if WordPress queries the MySQL database using certain specific character sets, the WordPress search function is exploitable
using charset-based SQL injection.
Currently known exploitable character sets include Big5 and GBK; both can use a backslash byte as part of a multibyte
character. WordPress installations whose MySQL database was created with any other character set having this property may
also be exploitable.
Executing this attack alone results in exposure of all database content through the web interface without any need for authentication.
However, if combined with other exploits (such as the cookie authentication vulnerability), any remote user can obtain
WordPress admin privileges, resulting in server compromise.
A proof-of-concept exploit has been published.
Convert the WordPress database to use a character set not vulnerable to this SQL injection. One such charset is UTF-8, which
does not use a backslash as part of any character and supports various languages. Alternatively, edit the WordPress theme to
remove the search capability.
Reference http://www.abelcheung.org/advisory/20071210-wordpress-charset.txt
BarracudaDrive Multiple Vulnerabilities
updated: 11-Dec-07
Multiple web application vulnerabilities were discovered in BarracudaDrive 3.7.2 and prior, namely directory traversal,
disclosure of script source, arbitrary file deletion by users, a NULL pointer crash in chat.ehintf triggerable by users, and
HTML injection in the trace viewer.
Reference http://aluigi.altervista.org/adv/barradrive-adv.txt
Lookup Insecure Temporary File Creation
updated: 10-Dec-07
The ndeb-binary function of Lookup < 1.4.1 does not handle temporary files correctly. A local attacker could use a symlink
attack to overwrite files with the privileges of the user running Lookup.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0237
AMD64 x86 Emulation Qt Library Multiple vulnerabilities
updated: 10-Dec-07
Qt < 20071114-r2, as used by the AMD64 x86 emulation Qt libraries, was vulnerable to several flaws. An attacker could trigger
one of the vulnerabilities by causing a Qt application to parse specially crafted text or Unicode strings, which may lead to
the execution of arbitrary code with the privileges of the user running the application.
Upgrade to the latest version.
Reference http://www.gentoo.org/security/en/glsa/glsa-200708-16.xml
http://www.gentoo.org/security/en/glsa/glsa-200710-28.xml
PEAR::MDB2 Information Disclosure
updated: 10-Dec-07
The request to store a URL string as a LOB in PEAR::MDB2 < 2.5.0_alpha1 is treated as a request to retrieve and store the
contents of the URL.
If an application using PEAR::MDB2 allows input of LOB values via a web form, remote attackers could use the application as an indirect proxy or obtain sensitive information, including "file://" URLs local to the web server.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5934
Cairo User-assisted Execution of Arbitrary Code
updated: 10-Dec-07
Multiple integer overflows were reported in Cairo < 1.4.12, one of which was found to lead to a heap-based buffer overflow
in the cairo_image_surface_create_from_png() function that processes PNG images.
A remote attacker could entice a user to view or process a specially crafted PNG image file in an application linked against
Cairo, possibly leading to the execution of arbitrary code with the privileges of the user running the application.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5503
Firebird Multiple Buffer Overflows
updated: 10-Dec-07
Multiple stack-based buffer overflows were discovered in Firebird < 2.0.3.12981.0-r2, as functions
isc_attach_database() and isc_create_database() do not perform proper boundary checking when processing their input.
A remote attacker could send specially crafted requests to the Firebird server on TCP port 3050, possibly resulting in the
execution of arbitrary code with the privileges of the user running Firebird (usually firebird).
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4992
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5246
GNU Emacs Multiple Vulnerabilities
updated: 10-Dec-07
Two vulnerabilities were found in GNU Emacs < 22.1-r3. The hack-local-variables() function in GNU Emacs 22 does not
properly match assignments of local variables in a file against a list of unsafe or risky variables, allowing them to be
overridden. Besides, there was a stack-based buffer overflow in the format function when handling values with high precision.
Remote attackers could entice a user to open a specially crafted file in GNU Emacs, possibly leading to the execution of
arbitrary Emacs Lisp code or arbitrary code with the privileges of the user running GNU Emacs.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5795
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6109
Skype skype4com URI Handler Remote Heap Corruption
updated: 10-Dec-07
Skype prior to 3.6 GOLD contains a heap corruption flaw within the 'skype4com' URI handler created by Skype during
installation. When processing short string values through this handler an exploitable memory corruption may occur which can
result in arbitrary code execution under the context of the current user.
Upgrade to a safer version.
Reference http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5989
http://www.zerodayinitiative.com/advisories/ZDI-07-070.html
Two vulnerabilities in SquirrelMail GPG plugin
updated: 09-Dec-07
In SquirrelMail GPG plugin 2.0, 2.0.1 and 2.1, end users can delete stored user preferences and address books without any
complex hacks. Moreover, the software does not sanitize imported public key information. This allows an attacker to inject
custom HTML tags into the SquirrelMail message display.
A PoC exploit has been released.
Reference http://www.topolis.lt/bugtraq/gpg-unsanitized-js-poc.eml.gz
Ruby-GNOME2 Format String Error
updated: 09-Dec-07
A format string error has been discovered in Ruby-GNOME2 < 0.16.0-r2, because the "Gtk::MessageDialog.new()" method in the
file gtk/src/rbgtkmessagedialog.c does not properly sanitize the "message" parameter before passing it to the
gtk_message_dialog_new() function.
A remote attacker could send a specially crafted string to an application using Ruby-GNOME2, possibly leading to the
execution of arbitrary code with the privileges of the user running the application.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6183
HP OpenView Network Node Manager Multiple CGI Buffer Overflows
updated: 7-Dec-07
A potential vulnerability has been identified with HP OpenView Network Node Manager (OV NNM).
The specific flaw exists within the CGI applications that handle the management of the NNM server. Due to a lack of bounds checking during a call to sprintf(), sending overly long arguments to the various CGI variables results in a classic stack overflow leading to compromise of the remote server. Exploitation leads to code execution running under the credentials of the web server. Further techniques can be leveraged to gain full SYSTEM access.
This vulnerability could be exploited remotely by an unauthorized user to execute arbitrary code with the permissions of the NNM server.
HP OpenView Network Node Manager (OV NNM) 6.41, 7.01, 7.51 running on HP-UX B.11.00, B.11.11, and B.11.23, Solaris, Windows NT, Windows 2000, Windows XP, and Linux are affected.
Install the patch from vendor.
Reference http://www.zerodayinitiative.com/advisories/ZDI-07-071.html
Denial of Service in Squid Cache Updates
updated: 7-Dec-07
Due to incorrect bounds checking, Squid < 2.6.STABLE17 is vulnerable to a denial of service during some cache update reply processing.
Install the patch from developer or update to the latest version.
Reference http://www.squid-cache.org/Advisories/SQUID-2007_2.txt
CA BrightStor ARCServe BackUp Message Engine Remote Stack Overflow
updated: 7-Dec-07
A remote stack overflow vulnerability exists in the RPC interface of CA BrightStor ARCServe BackUp R11.5, due to incorrect handling of RPC requests on TCP port 6504.
The interface is identified by 506b1890-14c8-11d1-bbc3-00805fa6962e v1.0. An anonymous remote attacker can execute arbitrary code on the affected system by exploiting this vulnerability.
Install the fix from vendor.
Reference http://supportconnectw.ca.com/public/storage/infodocs/basb-secnotice.asp
http://www.fortiguardcenter.com/advisory/FGA-2007-14.html
Avast! AntiVirus TAR Processing Remote Heap Corruption
updated: 7-Dec-07
There is a vulnerability in Avast! Antivirus Home/Professional < 4.7.1098 and Avast! Professional 4.7.1043. While parsing a .TAR file, the Avast! Antivirus library does not properly check the value of a certain field, resulting in remote heap corruption.
The vulnerability can be exploited remotely, by sending an email or convincing the victim to visit an attacker-controlled website, which allows an attacker to execute arbitrary code.
Upgrade to the latest version.
Reference http://secway.org/advisory/AD20071206.txt
OpenNewsletter Multiple XSS Attacks
updated: 7-Dec-07
Multiple cross site scripting vulnerabilities were found in OpenNewsletter v2.5, due to insufficient data sanitization when parsing the PHP value 'type' on 'compose.php'.
Samba Arbitrary Code Execution
updated: 7-Dec-07
Samba < 3.0.27a contains two buffer overflow vulnerabilities potentially resulting in the execution of arbitrary code.
Upgrade to the latest version.
Reference http://security.gentoo.org/glsa/glsa-200711-29.xml
Hugin Insecure Temporary File Creation
updated: 7-Dec-07
Hugin < 0.7_beta4-r1 creates the "hugin_debug_optim_results.txt" temporary file in an insecure manner.
A local attacker could exploit this vulnerability with a symlink attack, potentially overwriting an arbitrary file with the privileges of the user running the application.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5200
Cacti SQL Injection
updated: 7-Dec-07
An SQL injection vulnerability has been discovered in Cacti < 0.8.7a, because the "local_graph_id" variable used in the file graph.php is not properly sanitized before being processed in an SQL statement.
A remote attacker could send a specially crafted request to the vulnerable host, possibly resulting in the execution of arbitrary SQL code.
Upgrade to the latest version.
Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6035
Cisco Security Agent for Windows System Driver Remote Buffer Overflow
updated: 7-Dec-07
A buffer overflow vulnerability exists in a system driver used by all versions of Cisco Security Agent for Microsoft Windows, during processing of a crafted TCP segment destined to TCP port 139 or 445. These ports are used by the Microsoft Server Message Block (SMB) protocol.
This buffer overflow can be exploited remotely and causes corruption of kernel memory, which leads to a Windows stop error (blue screen) or to arbitrary code execution.
Install the fix from vendor.
Reference http://www.cisco.com/warp/public/707/cisco-sa-20071205-csa.shtml
Cross Site Scripting in CiscoWorks
updated: 7-Dec-07
The initial CiscoWorks login page is susceptible to XSS attack, since input is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session.
Install the patch from vendor.
Reference http://www.liquidmatrix.org/blog/
Cygwin Buffer Overflow in Filename Length Check
updated: 7-Dec-07
A vulnerability was reported in the filename length checking mechanism of cygwin1.dll < 1.5.24. Successful exploitation allows local attackers to overflow an internal buffer and cause the execution of arbitrary code.
Upgrade to a safer version.
HP Select Identity Remote Unauthorized Access
updated: 5-Dec-07
A potential security vulnerability has been identified with HP Select Identity v4.01 prior to v4.01.012 and v4.1x prior to v4.13.003 running on Windows 2003 Server, Red Hat Linux AS3, Solaris, and HP-UX. The vulnerability could be exploited remotely to gain unauthorized access.
Install the patch from vendor.
VLC Activex Bad Pointer Initialization Vulnerability
updated: 5-Dec-07
A vulnerability has been found in the ActiveX control DLL (axvlc.dll) used by VLC player 0.86, 0.86a, 0.86b and 0.86c. This library contains three methods whose parameters are not correctly checked, and may produce a badly initialized pointer. By providing these functions specially crafted parameters, an attacker can overwrite memory zones and execute arbitrary code.
A PoC exploit has been published. Upgrade to VLC media player 0.8.6d.
Reference http://www.coresecurity.com/?action=item&id=2035
http://www.coresecurity.com/files/attachments/CORE-2007-1004-VLC-tutorial.pdf
SonicWALL Global VPN Client Format String Vulnerability
updated: 5-Dec-07
SonicWALL Global VPN Client < 4.0.0.830 suffers from a format string vulnerability that can be triggered by supplying a format string in the "name" attribute of the "Connection" tag and the content of the "Hostname" Tags in the configuration file.
This vulnerability allows an attacker to execute arbitrary code in the context of the vulnerable client. For a successful attack, the attacker would have to entice the victim into importing the special configuration file.
Upgrade to SonicWall VPN client 4.0.0.830.
Reference http://www.sec-consult.com/305.html
Citrix NetScaler Web Management Cookie Weakness
updated: 5-Dec-07
A cookie weakness was reported in Citrix's NetScaler version 8.0, build 47.8.
The web management interface of Citrix NetScaler stores the user's credentials in an encrypted form in the cookie, namely values ns1 and ns2. In addition the cookie contains other encrypted information in values ns3, ns4, and ns5. Since the encryption is a simple XOR with a fixed key stream, it is possible to determine parts of the key stream by XOR'ing a known plaintext with its corresponding ciphertext.
This in turn allows the attacker to recover the plaintext form of the user's credentials by applying the key stream to cookie values ns1 and ns2. Furthermore, the cipher does not in any way pad the plaintext before it gets encrypted so the length of the ciphertext is equal to the length of the plaintext, which also provides a clue about the plaintext.
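An added illustration (not from the advisory and not Citrix's code) of the weakness described above: a fixed XOR key stream is recovered from a single known plaintext/ciphertext pair, the ciphertext leaks the plaintext length, and a key stream that is never reused gives a known pair nothing. The key stream and cookie values are constructed toy data, not NetScaler's.

```python
import secrets

# Constructed toy key stream standing in for the fixed key stream the advisory
# describes; it is not NetScaler's real key stream.
FIXED_KEY_STREAM = bytes.fromhex(
    "3a7f1c9e5b02d4a6c8e1f0b37d5a92c4e6f8a1b3d5c7e9f1a2b4c6d8e0f2a4b6"
)


def xor_bytes(data: bytes, key_stream: bytes) -> bytes:
    """XOR data against the leading bytes of key_stream (no padding, no IV)."""
    if len(data) > len(key_stream):
        raise ValueError("data longer than key stream")
    return bytes(d ^ k for d, k in zip(data, key_stream))


def weak_encrypt(plaintext: bytes, key_stream: bytes = FIXED_KEY_STREAM) -> bytes:
    """The weak scheme: every cookie value is XORed with the same key stream."""
    return xor_bytes(plaintext, key_stream)


def recover_key_stream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known plaintext XOR its ciphertext yields that prefix of the key stream."""
    return xor_bytes(known_plaintext, ciphertext)


def decrypt_prefix(ciphertext: bytes, partial_key_stream: bytes) -> bytes:
    """Only the part of a value covered by the recovered bytes is readable."""
    n = min(len(ciphertext), len(partial_key_stream))
    return xor_bytes(ciphertext[:n], partial_key_stream[:n])


def fixed_key_stream_is_broken() -> bytes:
    # One known pair (constructed: a test account whose cookie value is known)
    # recovers as many key-stream bytes as that pair is long, and those bytes
    # apply to every other value encrypted under the same fixed key stream.
    known_pt = b"auditor:Passw0rd!"
    ks = recover_key_stream(known_pt, weak_encrypt(known_pt))
    other_cookie = weak_encrypt(b"admin:s3cret")  # another user's value
    return decrypt_prefix(other_cookie, ks)  # returns b"admin:s3cret"


def ciphertext_leaks_length() -> bool:
    # No padding: ciphertext length equals plaintext length, as the advisory notes.
    pt = b"someuser:pw"
    return len(weak_encrypt(pt)) == len(pt)


def fresh_key_stream_per_value() -> bytes:
    # Mitigation illustration: a key stream never reused across values leaves a
    # known pair with nothing that applies to any other value. (A real fix
    # would also use an authenticated cipher rather than raw XOR.)
    known_pt = b"auditor:Passw0rd!"
    ks_a, ks_b = secrets.token_bytes(32), secrets.token_bytes(32)
    recovered = recover_key_stream(known_pt, weak_encrypt(known_pt, ks_a))
    return decrypt_prefix(weak_encrypt(b"admin:s3cret", ks_b), recovered)
```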
Apache HTTP Server 413 Error Page XSS
updated: 5-Dec-07
A vulnerability in the way Apache 2.2.4 and prior handles malformed requests, specifically when it answers with an error code of 413, allows remote attackers to inject arbitrary HTML and/or JavaScript into the response received from the server.
Header injection has been demonstrated to be possible using Flash, but might be dependent on vulnerable Flash plugins. A relevant example published in the past is exploiting the Apache 'Expect' XSS using Flash. However, in this case the HTTP method must be spoofed to a specially crafted value.
Reference http://www.procheckup.com/Vulnerability_2007.php