[Full-disclosure] IRM025: TIBCO Rendezvous RVD Daemon Remote Memory Leak DoS
IRM Security Advisory 025

TIBCO Rendezvous RVD Daemon Remote Memory Leak DoS

Vulnerability Type / Importance: Remote DoS / High
Problem Discovered: 16 April 2007
Vendor Contacted: 16 April 2007
Advisory Published: 29 November 2007

http://www.irmplc.com/index.php/160-Advisory-025

Abstract:

The TIBCO Rendezvous RVD daemon is vulnerable to a memory leak which, when remotely triggered, prevents any further RV communication until the daemon is manually restarted.

Description:

The RV daemon (RVD) within TIBCO's Rendezvous messaging product is responsible for the communication of messages between RV-enabled applications. The vulnerability exists as the result of an error in the code that parses information within one of the headers of a TIBCO proprietary network protocol packet.

Technical Details:

Within a Rendezvous wire format TCP packet, the first four bytes represent the number of bytes of data to expect within the packet, for example:

    \x00\x00\x00\x7c            // total length of data in packet
    \x99\x55\xee\xaa            // magic number
    \x06                        // number of following bytes including null
    \x6d\x74\x79\x70\x65\x00    // the text "mtype"
    ...etc

In the above example the number of data bytes in the packet is 0x7c, or 124 bytes. If this value is set to zero in a packet sent to the RVD daemon, the daemon stops responding to all subsequent communication. This appears to result from a memory leak: the daemon continues to attempt to allocate memory. Eventually, operating system alert messages start to appear, warning that virtual memory in the underlying operating system is running low.

Vendor Patch Information:

TIBCO have fixed this issue in Rendezvous 8.0. The issue is documented as being fixed in the release notes as follows:

    1-84MR37 - Fixed a daemon memory growth defect associated with messages of length zero

Workaround:

There are no known workarounds for this vulnerability.

Tested/Affected Versions:

IRM confirmed the presence of this vulnerability in Rendezvous versions 7.5.2, 7.5.3 and 7.5.4.

Credits:

Research Advisory: Varun Uppal and Andy Davis

About IRM:

Information Risk Management Plc (IRM) is a vendor independent information risk consultancy, founded in 1998. IRM has become a leader in client side risk assessment, technical level auditing and in the research and development of security vulnerabilities and tools. IRM is headquartered in London with Technical Centres in Europe and Asia as well as Regional Offices in the Far East and North America. Please visit our website at www.irmplc.com for further information.

Disclaimer:

All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
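The defensive counterpart to the frame described in the advisory, as an added example (not IRM's or TIBCO's code): a parser for the header layout shown above that refuses a length word below the minimum a real frame needs, so the zero-length case is dropped before any buffer is allocated for it. It assumes the 4-byte big-endian count covers the bytes following the length word, and the upper bound MAX_FRAME_LEN is an arbitrary defensive limit, not a TIBCO constant.

```python
import struct

RV_MAGIC = b"\x99\x55\xee\xaa"   # magic number from the advisory's byte dump
MAX_FRAME_LEN = 64 * 1024        # defensive upper bound (assumed, not from TIBCO)


class RvFrameError(ValueError):
    """Raised for a frame that must be dropped rather than buffered."""


def read_length(frame: bytes) -> int:
    """Return the declared data length, rejecting the zero-length case.

    Assumption: the count covers the bytes after the length word. A real
    frame must at least carry the magic number, so anything below that
    (including the zero the advisory describes) is refused up front."""
    if len(frame) < 4:
        raise RvFrameError("short read: no length word")
    (declared,) = struct.unpack(">I", frame[:4])
    if declared < len(RV_MAGIC):
        raise RvFrameError(f"declared length {declared} is below the minimum")
    if declared > MAX_FRAME_LEN:
        raise RvFrameError(f"declared length {declared} exceeds {MAX_FRAME_LEN}")
    return declared


def parse_frame(frame: bytes) -> dict:
    """Validate one frame and return its declared length and mtype string."""
    declared = read_length(frame)
    body = frame[4:4 + declared]
    if len(body) < declared:
        raise RvFrameError("truncated frame: fewer bytes than declared")
    if body[:4] != RV_MAGIC:
        raise RvFrameError("bad magic number")
    if len(body) < 6:                      # magic + count byte + NUL at least
        raise RvFrameError("no room for the mtype field")
    count = body[4]                        # length prefix, includes the NUL
    text = body[5:5 + count]
    if count == 0 or len(text) != count or text[-1] != 0:
        raise RvFrameError("malformed mtype field")
    return {"length": declared, "mtype": text[:-1].decode("ascii")}


def frame_is_valid(frame: bytes) -> bool:
    """Boolean wrapper for use in a filtering proxy or a test harness."""
    try:
        parse_frame(frame)
        return True
    except (RvFrameError, UnicodeDecodeError):
        return False


# Constructed samples. GOOD_FRAME follows the advisory's dump (0x7c = 124
# data bytes, magic, "\x06mtype\x00"); the rest of the data is zero padding
# so the frame really is as long as it claims. ZERO_LENGTH_FRAME is the
# same payload with the length word set to zero, the case reported.
_prefix = RV_MAGIC + b"\x06mtype\x00"
GOOD_FRAME = b"\x00\x00\x00\x7c" + _prefix + b"\x00" * (0x7c - len(_prefix))
ZERO_LENGTH_FRAME = b"\x00\x00\x00\x00" + _prefix
```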
Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability
Tonnerre Lombard wrote:
>> Isn't the FTP client compiled with stack overflow protection?
> If so, how is that supposed to help?

By terminating the program before the payload is executed.

> May I suggest that this protection is not perfect? I was hoping that
> people on this mailing list consider this to be an established fact.

You can suggest it. However, ftp.exe is also linked with the secure
exception handlers option. How do you divert execution when ftp.exe is
running on a platform with encrypted global pointers? ftp.exe is no
Internet Explorer, either; you cannot arbitrarily load third party DLLs
in it. Why, it doesn't even link shell32.dll or ole32.dll. And I remind
you these are buffer overflows in a text field of a user interface.

Rajesh and others like him have been peddling this vulnerability for
months if not years. Some security professionals should stop fooling
themselves and have the basic honesty to admit their behavior is rather
more fitting of a small-time loan shark or mafia picciotto, if not the
honesty to submit straight away to the vendor what is clearly just a bug
with no strategical security implications.
[Full-disclosure] [SECURITY] [DSA 1409-3] New samba packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1409-3                     [EMAIL PROTECTED]
http://www.debian.org/security/                               Steve Kemp
November 29, 2007                      http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : samba
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2007-4572, CVE-2007-5398

This update fixes all currently known regressions introduced with the
previous two revisions of DSA-1409.

Several local/remote vulnerabilities have been discovered in samba, a
LanManager-like file and printer server for Unix. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-5398

    Alin Rad Pop of Secunia Research discovered that nmbd did not
    properly check the length of netbios packets. When samba is
    configured as a WINS server, a remote attacker could send multiple
    crafted requests resulting in the execution of arbitrary code with
    root privileges.

CVE-2007-4572

    Samba developers discovered that nmbd could be made to overrun a
    buffer during the processing of GETDC logon server requests. When
    samba is configured as a Primary or Backup Domain Controller, a
    remote attacker could send malicious logon requests and possibly
    cause a denial of service.

For the stable distribution (etch), these problems have been fixed in
version 3.0.24-6etch8.

For the old stable distribution (sarge), these problems have been fixed
in version 3.0.14a-3sarge10.

For the unstable distribution (sid), these problems have been fixed in
version 3.0.27-1.

We recommend that you upgrade your samba packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Re: [Full-disclosure] n3td3v denounces the actions of www.derangedsecurity.com
> fellow scots stick up for each other, so remember that the next time you
> talk to a scotsman, because we're tough and bold and we'll kick you in
> the teeth you swedish fuck.

You know why Scots wear kilts, right? Sheep can hear zippers.
Re: [Full-disclosure] Microsoft FTP Client Multiple
On Wed, 28 Nov 2007 21:44:40 PST, Daniel H. Renner said:
> From what I've noticed, users of MS' FTP client aren't the usual Windows
> GUI user. So that would be one good social engineering trick...

I wouldn't be surprised if a large percentage of those FTP client users
aren't suffering from the same smug "I'm too klewed to fall for it"
attitude that many Mac users have.
Re: [Full-disclosure] Security Contact @ Avast!
> Could anyone send me the security contact of avast! ?
> [EMAIL PROTECTED] does not respond.

security@
vlk@

-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
Re: [Full-disclosure] Microsoft FTP Client Multiple
On Nov 29, 2007 12:11 PM, [EMAIL PROTECTED] wrote:
> On Wed, 28 Nov 2007 21:44:40 PST, Daniel H. Renner said:
>> From what I've noticed, users of MS' FTP client aren't the usual
>> Windows GUI user. So that would be one good social engineering trick...
>
> I wouldn't be surprised if a large percentage of those FTP client users
> aren't suffering from the same smug "I'm too klewed to fall for it"
> attitude that many Mac users have.

Or if there is a way to use this to take advantage of IE's ftp client
view functionality...

-JP
[Full-disclosure] ERRATA: [ GLSA 200711-20 ] Pioneers: Multiple Denials of Service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            Gentoo Linux Security Advisory
                                            [ERRATA UPDATE] GLSA 200711-20:04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                               http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Pioneers: Multiple Denials of Service
      Date: November 14, 2007
   Updated: November 29, 2007
      Bugs: #198807
        ID: 200711-20:04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Errata
======

The fixed ebuild proposed in the original version of this Security
Advisory did not address all the vulnerabilities of the Pioneers
package. All users of the Pioneers package should upgrade to
games-board/pioneers-0.11.3-r1. The corrected sections appear below.

Synopsis
========

Two Denial of Service vulnerabilities were discovered in Pioneers.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  games-board/pioneers     < 0.11.3-r1                  >= 0.11.3-r1

Description
===========

Roland Clobus discovered that the Pioneers server may free session
objects while they are still in use, resulting in access to invalid
memory zones (CVE-2007-5933). Bas Wijnen discovered an error when
closing connections which can lead to a failed assertion
(CVE-2007-6010).

Resolution
==========

All Pioneers users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=games-board/pioneers-0.11.3-r1"

References
==========

  [ 1 ] CVE-2007-5933
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5933
  [ 2 ] CVE-2007-6010
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6010

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-20.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
Re: [Full-disclosure] Microsoft FTP Client Multiple
Dude VanWinkle wrote:
> On Nov 29, 2007 12:11 PM, [EMAIL PROTECTED] wrote:
>> On Wed, 28 Nov 2007 21:44:40 PST, Daniel H. Renner said:
>>> From what I've noticed, users of MS' FTP client aren't the usual
>>> Windows GUI user. So that would be one good social engineering
>>> trick...
>>
>> I wouldn't be surprised if a large percentage of those FTP client
>> users aren't suffering from the same smug "I'm too klewed to fall for
>> it" attitude that many Mac users have.
>
> Or if there is a way to use this to take advantage of IE's ftp client
> view functionality...
>
> -JP

That would seem to be more realistically attainable.

Sincerely,

Daniel H. Renner
President
Los Angeles Computerhelp
A division of Computerhelp, Inc.
818-352-8700
http://losangelescomputerhelp.com
[Full-disclosure] AST-2007-025 - SQL Injection issue in res_config_pgsql
Asterisk Project Security Advisory - AST-2007-025

+----------------------+-------------------------------------------------+
| Product              | Asterisk                                        |
|----------------------+-------------------------------------------------|
| Summary              | SQL Injection issue in res_config_pgsql         |
|----------------------+-------------------------------------------------|
| Nature of Advisory   | SQL Injection                                   |
|----------------------+-------------------------------------------------|
| Susceptibility       | Remote Unauthenticated Sessions                 |
|----------------------+-------------------------------------------------|
| Severity             | Moderate                                        |
|----------------------+-------------------------------------------------|
| Exploits Known       | No                                              |
|----------------------+-------------------------------------------------|
| Reported On          | November 29, 2007                               |
|----------------------+-------------------------------------------------|
| Reported By          | P. Chisteas p_christ AT hol DOT gr              |
|----------------------+-------------------------------------------------|
| Posted On            | November 29, 2007                               |
|----------------------+-------------------------------------------------|
| Last Updated On      | November 29, 2007                               |
|----------------------+-------------------------------------------------|
| Advisory Contact     | Tilghman Lesher tlesher AT digium DOT com       |
|----------------------+-------------------------------------------------|
| CVE Name             | CVE-2007-6171                                   |
+----------------------+-------------------------------------------------+

+-------------+----------------------------------------------------------+
| Description | Input buffers were not properly escaped when providing   |
|             | lookup data to the Postgres Realtime Engine. An attacker |
|             | could potentially compromise the administrative database |
|             | containing users' usernames and passwords used for SIP   |
|             | authentication, among other things.                      |
|             |                                                          |
|             | This module is not active by default and must be         |
|             | configured for use by the administrator. Default         |
|             | installations of Asterisk are not affected.              |
+-------------+----------------------------------------------------------+

+-------------+----------------------------------------------------------+
| Workaround  | Convert your installation to use res_config_odbc with    |
|             | the PgsqlODBC driver. This module provides similar       |
|             | functionality but is not vulnerable.                     |
+-------------+----------------------------------------------------------+

+-------------+----------------------------------------------------------+
| Resolution  | Upgrade to Asterisk release 1.4.15 or higher.            |
+-------------+----------------------------------------------------------+

+----------------------------+----------------+--------------------------+
| Affected Versions                                                      |
|----------------------------+----------------+--------------------------|
| Product                    | Release Series |                          |
|----------------------------+----------------+--------------------------|
| Asterisk Open Source       | 1.0.x          | None                     |
|----------------------------+----------------+--------------------------|
| Asterisk Open Source       | 1.2.x          | None                     |
|----------------------------+----------------+--------------------------|
| Asterisk Open Source       | 1.4.x          | 1.4.14 and previous      |
|                            |                | versions                 |
|----------------------------+----------------+--------------------------|
| Asterisk Business Edition  | A.x.x          | None                     |
|----------------------------+----------------+--------------------------|
| Asterisk Business Edition  | B.x.x          | None                     |
|----------------------------+----------------+--------------------------|
| Asterisk Business Edition  | C.x.x          | C.1.0-beta5 and previous |
|                            |                | versions                 |
[Full-disclosure] AST-2007-026 - SQL Injection issue in cdr_pgsql
Asterisk Project Security Advisory - AST-2007-026

+----------------------+-------------------------------------------------+
| Product              | Asterisk                                        |
|----------------------+-------------------------------------------------|
| Summary              | SQL Injection issue in cdr_pgsql                |
|----------------------+-------------------------------------------------|
| Nature of Advisory   | SQL Injection                                   |
|----------------------+-------------------------------------------------|
| Susceptibility       | Remote Authenticated Sessions                   |
|----------------------+-------------------------------------------------|
| Severity             | Moderate                                        |
|----------------------+-------------------------------------------------|
| Exploits Known       | No                                              |
|----------------------+-------------------------------------------------|
| Reported On          | November 29, 2007                               |
|----------------------+-------------------------------------------------|
| Reported By          | Tilghman Lesher tlesher AT digium DOT com       |
|----------------------+-------------------------------------------------|
| Posted On            | November 29, 2007                               |
|----------------------+-------------------------------------------------|
| Last Updated On      | November 29, 2007                               |
|----------------------+-------------------------------------------------|
| Advisory Contact     | Tilghman Lesher tlesher AT digium DOT com       |
|----------------------+-------------------------------------------------|
| CVE Name             | CVE-2007-6170                                   |
+----------------------+-------------------------------------------------+

+-------------+----------------------------------------------------------+
| Description | Input buffers were not properly escaped when providing   |
|             | the ANI and DNIS strings to the Call Detail Record       |
|             | Postgres logging engine. An attacker could potentially   |
|             | compromise the administrative database containing users' |
|             | usernames and passwords used for SIP authentication,     |
|             | among other things.                                      |
|             |                                                          |
|             | This module is not active by default and must be         |
|             | configured for use by the administrator. Default         |
|             | installations of Asterisk are not affected.              |
+-------------+----------------------------------------------------------+

+-------------+----------------------------------------------------------+
| Workaround  | Convert your installation to use cdr_odbc with the       |
|             | PgsqlODBC driver. This module provides similar           |
|             | functionality but is not vulnerable.                     |
+-------------+----------------------------------------------------------+

+-------------+----------------------------------------------------------+
| Resolution  | Upgrade to Asterisk release 1.4.15 or higher.            |
+-------------+----------------------------------------------------------+

+----------------------------+----------------+--------------------------+
| Affected Versions                                                      |
|----------------------------+----------------+--------------------------|
| Product                    | Release Series |                          |
|----------------------------+----------------+--------------------------|
| Asterisk Open Source       | 1.0.x          | All versions             |
|----------------------------+----------------+--------------------------|
| Asterisk Open Source       | 1.2.x          | 1.2.24 and previous      |
|----------------------------+----------------+--------------------------|
| Asterisk Open Source       | 1.4.x          | 1.4.14 and previous      |
|----------------------------+----------------+--------------------------|
| Asterisk Business Edition  | A.x.x          | All versions             |
|----------------------------+----------------+--------------------------|
| Asterisk Business Edition  | B.x.x          | B.2.3.3 and previous     |
|----------------------------+----------------+--------------------------|
| Asterisk Business Edition  | C.x.x          | C.1.0-beta5 and previous |
|----------------------------+----------------+--------------------------|
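AST-2007-025 and AST-2007-026 describe the same defect class in two code paths: a realtime lookup (res_config_pgsql) and a CDR insert (cdr_pgsql) that splice caller-influenced strings into SQL without escaping. As an added example (not Asterisk's own code), the following Python models both query builders in their unescaped form beside a version that renders the value as a properly escaped PostgreSQL literal and whitelists identifiers; the table and column names (sippeers, name, cdr, src, dst) and the identifier pattern are assumptions.

```python
import re

# Table and column names come from the administrator's configuration,
# not from the wire, but a strict whitelist keeps a stray character in
# the config from becoming SQL. The pattern is an assumption here.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def pg_escape_literal(value: str) -> str:
    """Render value as a PostgreSQL string literal.

    Single quotes are doubled, backslashes are doubled, and the E'...'
    form is used so the server reads backslashes the same way whether
    or not standard_conforming_strings is enabled (it was off by default
    on the PostgreSQL releases current in 2007)."""
    escaped = value.replace("\\", "\\\\").replace("'", "''")
    return "E'" + escaped + "'"


def check_ident(name: str) -> str:
    """Accept a bare SQL identifier or refuse it outright."""
    if not IDENT.fullmatch(name):
        raise ValueError(f"refusing SQL identifier {name!r}")
    return name


def realtime_lookup_unsafe(table: str, field: str, value: str) -> str:
    """The pattern AST-2007-025 describes: lookup data spliced into SQL."""
    return f"SELECT * FROM {table} WHERE {field} = '{value}'"


def realtime_lookup_safe(table: str, field: str, value: str) -> str:
    """Same lookup with the value escaped and identifiers validated."""
    return (f"SELECT * FROM {check_ident(table)} "
            f"WHERE {check_ident(field)} = {pg_escape_literal(value)}")


def cdr_insert_unsafe(ani: str, dnis: str) -> str:
    """The pattern AST-2007-026 describes: ANI/DNIS written unescaped."""
    return f"INSERT INTO cdr (src, dst) VALUES ('{ani}', '{dnis}')"


def cdr_insert_safe(ani: str, dnis: str) -> str:
    """Same insert with both caller-controlled strings escaped."""
    return ("INSERT INTO cdr (src, dst) VALUES "
            f"({pg_escape_literal(ani)}, {pg_escape_literal(dnis)})")


if __name__ == "__main__":
    # Constructed peer name containing a quote: unescaped, the quote ends
    # the literal early; escaped, the whole value stays inside it.
    peer = "1001' OR '1'='1"
    print(realtime_lookup_unsafe("sippeers", "name", peer))
    print(realtime_lookup_safe("sippeers", "name", peer))
    print(cdr_insert_safe("2125551212", "O'Brien"))
```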
Re: [Full-disclosure] Microsoft FTP Client Multiple
On Thursday 29 November 2007 07:11:58 [EMAIL PROTECTED] wrote:
> I wouldn't be surprised if a large percentage of those FTP client users
> aren't suffering from the same smug "I'm too klewed to fall for it"
> attitude that many Mac users have.

One would hope they would be klewed enough to use a better FTP program. ;)

-- 
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky