[ GLSA 200603-11 ] Freeciv: Denial of Service

2006-03-16 Thread Stefan Cornelius
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200603-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Freeciv: Denial of Service
      Date: March 16, 2006
      Bugs: #125304
        ID: 200603-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A memory allocation bug in Freeciv allows a remote attacker to perform
a Denial of Service attack.

Background
==========

Freeciv is an open source turn-based multiplayer strategy game, similar
to the famous Civilization series.

Affected packages
=================

    -------------------------------------------------------------------
     Package                      /  Vulnerable  /          Unaffected
    -------------------------------------------------------------------
  1  games-strategy/freeciv         < 2.0.8                  >= 2.0.8

Description
===========

Luigi Auriemma discovered that Freeciv could be tricked into the
allocation of enormous chunks of memory when trying to uncompress
malformed data packages, possibly leading to an out of memory condition
which causes Freeciv to crash or freeze.

Impact
======

A remote attacker could exploit this issue to cause a Denial of Service
by sending specially crafted data packages to the Freeciv game server.

Workaround
==========

Play solo games or restrict your multiplayer games to trusted parties.

Resolution
==========

All Freeciv users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=games-strategy/freeciv-2.0.8"

References
==========

  [ 1 ] CVE-2006-0047
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0047
  [ 2 ] Original advisory
http://aluigi.altervista.org/adv/freecivdos-adv.txt

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200603-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0



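The bug class behind this advisory is general: a peer-supplied length, or an unbounded inflate, decides how much memory the receiver commits before anything has been validated. The Python below is an added example and is not Freeciv code; the packet framing (a 4-byte big-endian declared length followed by a zlib stream) and the 64 KiB per-packet ceiling are constructed for the illustration. It places the naive unpacker, whose allocation is chosen by the sender, next to one that bounds both the declared size and the actual decompressed output before returning data.

```python
import struct
import zlib

# Hypothetical packet framing (not Freeciv's): a 4-byte big-endian
# "decompressed length" header followed by a zlib stream.
MAX_DECOMPRESSED = 64 * 1024  # constructed per-packet ceiling


def build_packet(payload, declared_len=None):
    """Constructed packet builder; declared_len lets a test lie about the size."""
    n = len(payload) if declared_len is None else declared_len
    return struct.pack(">I", n) + zlib.compress(payload)


def unpack_naive(packet):
    """Vulnerable pattern: the sender's declared length drives the allocation
    and the inflate itself has no ceiling. Returns (bytes allocated, data)."""
    declared, = struct.unpack(">I", packet[:4])
    buf = bytearray(declared)                     # attacker-chosen size
    return len(buf), zlib.decompress(packet[4:])  # unbounded inflation, too


def unpack_safe(packet, limit=MAX_DECOMPRESSED):
    """Reject oversized or lying packets before any large allocation happens."""
    if len(packet) < 4:
        raise ValueError("short packet")
    declared, = struct.unpack(">I", packet[:4])
    if declared > limit:
        raise ValueError("declared size %d exceeds limit %d" % (declared, limit))
    d = zlib.decompressobj()
    try:
        # max_length caps the output: inflation stops at limit + 1 bytes,
        # so a small stream that expands enormously cannot exhaust memory
        data = d.decompress(packet[4:], limit + 1)
    except zlib.error as exc:
        raise ValueError("corrupt stream: %s" % exc)
    if len(data) > limit or d.unconsumed_tail:
        raise ValueError("decompressed data exceeds limit %d" % limit)
    if not d.eof:
        raise ValueError("truncated or malformed stream")
    if len(data) != declared:
        raise ValueError("declared length %d does not match payload %d"
                         % (declared, len(data)))
    return data


def check_packet(packet):
    """'ok' when the packet is accepted, otherwise the rejection reason."""
    try:
        unpack_safe(packet)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

The order of the checks matters: the declared length is compared against the ceiling before any buffer exists, and the inflate is capped independently so that a header which tells the truth about a small size cannot be paired with a stream that expands far beyond it.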

[ GLSA 200603-12 ] zoo: Buffer overflow

2006-03-16 Thread Stefan Cornelius
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200603-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: zoo: Buffer overflow
      Date: March 16, 2006
      Bugs: #125622
        ID: 200603-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in zoo may be exploited to execute arbitrary code when
creating archives of specially crafted directories and files.

Background
==========

zoo is a file archiving utility for maintaining collections of files,
written by Rahul Dhesi.

Affected packages
=================

    -------------------------------------------------------------------
     Package                      /  Vulnerable  /          Unaffected
    -------------------------------------------------------------------
  1  app-arch/zoo                   < 2.10-r2                >= 2.10-r2

Description
===========

zoo is vulnerable to a new buffer overflow due to insecure use of the
strcpy() function when trying to create an archive from certain
directories or filenames.

Impact
======

An attacker could exploit this issue by enticing a user to create a zoo
archive of specially crafted directories and filenames, possibly
leading to the execution of arbitrary code with the rights of the user
running zoo.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All zoo users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/zoo-2.10-r2"

References
==========

  [ 1 ] RedHat Bug #183426
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183426

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200603-12.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0




[SECURITY] [DSA 1003-1] New xpvm packages fix insecure temporary file

2006-03-16 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1003-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                              Martin Schulze
March 16th, 2006                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : xpvm
Vulnerability  : insecure temporary file
Problem type   : remote
Debian-specific: no
CVE ID         : CAN-2005-2240
Debian Bug     : 318285

Eric Romang discovered that xpvm, a graphical console and monitor for
PVM, creates a temporary file that allows local attackers to create or
overwrite arbitrary files with the privileges of the user running
xpvm.

For the old stable distribution (woody) this problem has been fixed in
version 1.2.5-7.2woody1.

For the stable distribution (sarge) this problem has been fixed in
version 1.2.5-7.3sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 1.2.5-8.

We recommend that you upgrade your xpvm package.


Upgrade Instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

http://security.debian.org/pool/updates/main/x/xpvm/xpvm_1.2.5-7.2woody1.dsc
  Size/MD5 checksum:  578 e23e82b7f0ff80c89f5d398487e9bae0

http://security.debian.org/pool/updates/main/x/xpvm/xpvm_1.2.5-7.2woody1.diff.gz
  Size/MD5 checksum: 6818 9f38fd365ee274cbd6bf4e7a11f2e64f
http://security.debian.org/pool/updates/main/x/xpvm/xpvm_1.2.5.orig.tar.gz
  Size/MD5 checksum:   193901 dfdaa0dc8433ab15d6899312c2355e56

  Alpha architecture:


http://security.debian.org/pool/updates/main/x/xpvm/xpvm_1.2.5-7.2woody1_alpha.deb
  Size/MD5 checksum:   192732 03aa819d7f03740ea88c8c4f62185cbe

  ARM architecture:


http://security.debian.org/pool/updates/main/x/xpvm/xpvm_1.2.5-7.2woody1_arm.deb
  Size/MD5 checksum:   179226 8b369479bb83d81b380e9b9d74def5ec

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/x/xpvm/xpvm_1.2.5-7.2woody1_i386.deb
  Size/MD5 checksum:   170050 2bb210c8f0c22a468bfc0e625db6c784

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/x/xpvm/xpvm_1.2.5-7.2woody1_ia64.deb
  Size/MD5 checksum:   231764 e4bc6ee3f41fc8a401d66b8fb81afeb4

  HP Precision architecture:


http://security.debian.org/pool/updates/main/x/xpvm/xpvm_1.2.5-7.2woody1_hppa.deb
  Size/MD5 checksum:   192568 55fe8f452a97e8ebeb570abb6189762c

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/x/xpvm/xpvm_1.2.5-7.2woody1_m68k.deb
  Size/MD5 checksum:   161240 0acf0fe7d58ec17e7eb2022ab974631e

  Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/x/xpvm/xpvm_1.2.5-7.2woody1_mips.deb
  Size/MD5 checksum:   185354 3b64125f1b9e9d7e0a9cd3e68884bbe4

  Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/x/xpvm/xpvm_1.2.5-7.2woody1_mipsel.deb
  Size/MD5 checksum:   184380 9cd8290f7a8079e5aacfb72992052c51

  PowerPC architecture:


http://security.debian.org/pool/updates/main/x/xpvm/xpvm_1.2.5-7.2woody1_powerpc.deb
  Size/MD5 checksum:   177318 e886c63da2ec9c1709f42581fd099580

  IBM S/390 architecture:


http://security.debian.org/pool/updates/main/x/xpvm/xpvm_1.2.5-7.2woody1_s390.deb
  Size/MD5 checksum:   170366 2d178c7ea0cd7adf104def5ec1ff04e8

  Sun Sparc architecture:


http://security.debian.org/pool/updates/main/x/xpvm/xpvm_1.2.5-7.2woody1_sparc.deb
  Size/MD5 checksum:   174756 c032fe787399c178a923e18c580eabe6


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

http://security.debian.org/pool/updates/main/x/xpvm/xpvm_1.2.5-7.3sarge1.dsc
  Size/MD5 checksum:  583 91a79d771abce0da5a05f39b51db43d6

http://security.debian.org/pool/updates/main/x/xpvm/xpvm_1.2.5-7.3sarge1.diff.gz
  Size/MD5 checksum: 6879 4f34cd8274c09a525854ae010e41725e
http://security.debian.org/pool/updates/main/x/xpvm/xpvm_1.2.5.orig.tar.gz
  Size/MD5 checksum:   193901 dfdaa0dc8433ab15d6899312c2355e56

  Alpha architecture:


http://security.debian.org/pool/updates/main/x/xpvm/xpvm_1.2.5-7.3sarge1_alpha.deb
  Size/MD5 checksum:   192062 dcf8219bac63f15bea7b0b40c0e23f76

  AMD64 architecture:


http://security.debian.org/pool/updates/main/x/xpvm/xpvm_1.2.5-7.3sarge1_amd64.deb
  Size/MD5 checksum:

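The "insecure temporary file" class this DSA fixes has a standard remedy: never reuse a guessable path that already exists, create the file with O_EXCL (and O_NOFOLLOW where available) and owner-only permissions, or let the platform choose an unpredictable name. The Python below is an added example and is not xpvm's code; it sets up a constructed scenario in a throwaway directory (a victim file and a symlink planted at a predictable temp name) and returns what the unsafe and the safe approaches each did, so the difference can be checked rather than described.

```python
import os
import stat
import tempfile


def write_predictable_unsafe(path, data):
    """The pattern the advisory describes: a fixed, guessable name opened
    without O_EXCL, so whatever is already at that name is followed."""
    with open(path, "wb") as fh:
        fh.write(data)


def write_private_file(path, data):
    """Refuse anything already present at `path` (regular file or symlink)
    and create the file with owner-only permissions."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def make_temp_securely(directory, prefix="xpvm-"):
    """Preferred form: the library picks an unpredictable name and uses
    O_EXCL itself. Returns (path, permission bits of the new file)."""
    fd, path = tempfile.mkstemp(prefix=prefix, dir=directory)
    try:
        mode = stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)
    return path, mode


def demo(workdir=None):
    """Constructed scenario: a victim file plus a symlink planted at the
    predictable temp name. Returns what each approach did."""
    with tempfile.TemporaryDirectory(dir=workdir) as d:
        victim = os.path.join(d, "victim.txt")
        with open(victim, "w") as fh:
            fh.write("original\n")
        predictable = os.path.join(d, "xpvm.tmp")   # guessable name
        os.symlink(victim, predictable)               # planted beforehand

        # Unsafe: the write goes through the link and lands on the victim.
        write_predictable_unsafe(predictable, b"clobbered\n")
        with open(victim) as fh:
            victim_after_unsafe = fh.read()

        # Safe: O_EXCL (plus O_NOFOLLOW) refuses the pre-existing link.
        try:
            write_private_file(predictable, b"clobbered again\n")
            safe_refused = False
        except OSError:
            safe_refused = True
        with open(victim) as fh:
            victim_after_safe = fh.read()

        _, mode = make_temp_securely(d)
        return {
            "unsafe_overwrote_victim": victim_after_unsafe == "clobbered\n",
            "safe_refused_symlink": safe_refused,
            "victim_untouched_by_safe": victim_after_safe == "clobbered\n",
            "mkstemp_mode": mode,
        }
```

The O_EXCL refusal is what matters: with it the open fails on an existing link no matter where the link points, so the pre-planted name never turns into a write elsewhere, and mkstemp gives the same guarantee without the caller having to remember the flags.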
[SECURITY] [DSA 1004-1] New vlc packages fix arbitrary code execution

2006-03-16 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1004-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                          Moritz Muehlenhoff
March 16th, 2006                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : vlc
Vulnerability  : buffer overflow
Problem-Type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2005-4048
Debian Bug     : 342208

Simon Kilvington discovered that specially crafted PNG images can trigger
a heap overflow in libavcodec, the multimedia library of ffmpeg, which may
lead to the execution of arbitrary code.
The vlc media player links statically against libavcodec.

The old stable distribution (woody) isn't affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 0.8.1.svn20050314-1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 0.8.4.debian-2.

We recommend that you upgrade your vlc package.


Upgrade Instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:


http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.1.svn20050314-1sarge1.dsc
  Size/MD5 checksum: 1883 b01ca47f88d5b1b3aa67aa9cf8558f79

http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.1.svn20050314-1sarge1.diff.gz
  Size/MD5 checksum:  873 f50e58c336006d091a54374866edc02d

http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.1.svn20050314.orig.tar.gz
  Size/MD5 checksum:  9746520 51ecfbb072315eacf7fcaf250c26f5cb

  Alpha architecture:


http://security.debian.org/pool/updates/main/v/vlc/gnome-vlc_0.8.1.svn20050314-1sarge1_alpha.deb
  Size/MD5 checksum: 1270 d38080ad62c08a7cd260bca1309826f5

http://security.debian.org/pool/updates/main/v/vlc/gvlc_0.8.1.svn20050314-1sarge1_alpha.deb
  Size/MD5 checksum: 1278 8e832e0aa51c192025331640e5039602

http://security.debian.org/pool/updates/main/v/vlc/kvlc_0.8.1.svn20050314-1sarge1_alpha.deb
  Size/MD5 checksum:  980 26f78ab914f614b94cf20ac5e3403ae4

http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.1.svn20050314-1sarge1_alpha.deb
  Size/MD5 checksum:  1092778 36678b430b42c0404b38d78fab6fe0fa

http://security.debian.org/pool/updates/main/v/vlc/mozilla-plugin-vlc_0.8.1.svn20050314-1sarge1_alpha.deb
  Size/MD5 checksum:   730978 ab97ad39cc17192a24355ae337996db7

http://security.debian.org/pool/updates/main/v/vlc/qvlc_0.8.1.svn20050314-1sarge1_alpha.deb
  Size/MD5 checksum:  966 440c2a0b1f27b61cd0854d140627d0d3

http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.1.svn20050314-1sarge1_alpha.deb
  Size/MD5 checksum:  6365392 aeb7805b91ba501d491b29aeb7a21af3

http://security.debian.org/pool/updates/main/v/vlc/vlc-alsa_0.8.1.svn20050314-1sarge1_alpha.deb
  Size/MD5 checksum:  876 249ee46d747ddd2ce87d4c08ee6f4705

http://security.debian.org/pool/updates/main/v/vlc/vlc-esd_0.8.1.svn20050314-1sarge1_alpha.deb
  Size/MD5 checksum:  874 f919dccff01446bc5950f6868d47e9e4

http://security.debian.org/pool/updates/main/v/vlc/vlc-ggi_0.8.1.svn20050314-1sarge1_alpha.deb
  Size/MD5 checksum:  876 8049e253efd274026cac0f31e2f1ef4f

http://security.debian.org/pool/updates/main/v/vlc/vlc-gnome_0.8.1.svn20050314-1sarge1_alpha.deb
  Size/MD5 checksum:  870 0e677f46d898c3798bd393af55791952

http://security.debian.org/pool/updates/main/v/vlc/vlc-gtk_0.8.1.svn20050314-1sarge1_alpha.deb
  Size/MD5 checksum:  866 189cbaf6b6c5e56678e6af172a4f153f

http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-alsa_0.8.1.svn20050314-1sarge1_alpha.deb
  Size/MD5 checksum:11120 accad8c91e2ad6e841f0237efed25d45

http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-arts_0.8.1.svn20050314-1sarge1_alpha.deb
  Size/MD5 checksum: 4414 7fbdc10f3320fb31c4a6919fc4a2b84b

http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-esd_0.8.1.svn20050314-1sarge1_alpha.deb
  Size/MD5 checksum: 4540 bd7ed6fe7992a74f03efe2fc385e485d

http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-ggi_0.8.1.svn20050314-1sarge1_alpha.deb
  Size/MD5 checksum: 7282 598c83b24ba1d91902ec8e84d70aed1b

http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-sdl_0.8.1.svn20050314-1sa

Re: Invision Power Board v2.1.4 - session hijacking

2006-03-16 Thread Peter Conrad
Hi,

On Tue, Mar 14, 2006 at 07:32:16PM +0100, Hans Wolters wrote:
> 
> Once you visit a site where Invision Board is used the first click on  
> the Log In link points the visitor to a link with the session id in it:
> 
> index.php?s=&act=Login&CODE=00
> 
> If you copy this session id, login and start a different browser (not  
> a new instance) then you only need to copy the session id url into  
> the different browser to login without giving the password and login  
> name.

so you're saying that you can hijack a user's session if you have access
to his session id? Well, that's not a vulnerability, that's how HTTP
sessions work.

Bye,
Peter
-- 
Peter Conrad                            Tel: +49 6102 / 80 99 072
tivano Software GmbH                    Fax: +49 6102 / 80 99 071
Bahnhofstr. 18                          http://www.tivano.de/
63263 Neu-Isenburg

Germany


Re: Invision Power Board v2.1.4 - session hijacking

2006-03-16 Thread matt
This report is ridiculous and quite frankly shows that the author does not 
understand how IPB works.

Yes, the author is correct in finding that if you: copy the user's IP address, 
copy the user's user-agent and copy the user's session ID then they can 
"hijack" your session.

That's because, to all intents and purposes you are the same person.

A stateless HTTP application HAS to authenticate against SOMETHING.

This report is bogus. Feel free to relabel it "Stateless HTTP authentication 
potential vulnerability" and remove it from Invision Power Board's category.


Re: [VulnWatch] [xfocus-SD-060314]Microsoft Office Excel Buffer Overflow Vulnerability

2006-03-16 Thread Thierry Zoller
Dear XFOCUS Team,

Is this the same vuln as discovered by class101 ?
http://www.zerodayinitiative.com/advisories/ZDI-06-004.html



-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7



Milkeyway Multiple Vulnerabilities

2006-03-16 Thread ascii
Milkeyway Captive Portal Multiple Vulnerabilities

 Name              Multiple Vulnerabilities in Milkeyway Captive Portal
 Systems Affected  WebCalendar (any version, verified on 0.1 and 0.1.1)
 Severity          Medium Risk
 Vendor            sourceforge.net/projects/milkeyway
 Advisory          http://www.ush.it/team/ascii/hack-milkeway/milkeyway.txt
 Author            Francesco "aScii" Ongaro (ascii at katamail . com)
 Date              20060316

I. BACKGROUND

Milkeyway is a software for the management and administration of
internet access within public structures and frameworks, where
the service supplying must be submitted to a scrupulous inspection.

II. DESCRIPTION

Nearly all SQL queries are vulnerable to SQL injection vulnerabilities.
There are also some XSS vulnerabilities.

III. ANALYSIS

Since there are 28 detected different vulnerabilities only an
abstract will be included in this mail, please refer to the complete
advisory available here:

http://www.ush.it/team/ascii/hack-milkeway/milkeyway.txt

1) LOGIN PAGE authenticate() SQL INJECTION
2) add_userIp() SQL INJECTION
3) updateTimeStamp() SQL INJECTION
4) authuser.php USER DELETE SQL INJECTION
5) delete_user() SQL INJECTION
6) authuser.php MODIFY USER modify_user() SQL INJECTION
7) authuser.php MULTIPLE XSS
8) authuser.php EDIT SQL INJECTION
9) authuser.php RELEASE USER SQL INJECTION
10) releaseUser() SQL INJECTION
11) authuser.php ORDERING SQL INJECTION
12) authgroup.php ADD GROUP SQL INJECTION
13) add_team() SQL INJECTION
14) authgroup.php DELETE GROUP SQL INJECTION
15) delete_team() SQL INJECTION
16) authgroup.php MODIFY TEAM SQL INJECTION
17) modify_team() SQL INJECTION
18) traffic.php MULTIPLE SQL INJECTION
19) userstatistics.php ADD USER SQL INJECTION
20) userstatistics.php DELETE USER SQL INJECTION
21) userstatistics.php MODIFY USER SQL INJECTION
22) userstatistics.php EDIT USER SQL INJECTION
23) userstatistics.php MULTIPLE XSS
24) userstatistics.php $_GET['username'] SQL INJECTION 1
25) userstatistics.php $_GET['username'] SQL INJECTION 2
26) chgpwd.php SQL INJECTION 1
27) chgpwd.php SQL INJECTION 2
28) logout.php SQL INJECTION

IV. DETECTION

Milkeyway 0.1 and 0.1.1 are vulnerable.

V. WORKAROUND

Input validation will fix the vulnerability.
Magic quotes ON will protect you against most of these injections
except chapter 11 (authuser.php ORDERING SQL INJECTION) where the
input has no single or double quotes around, making magic quotes
useless.

11) SQL is injectable by $_GET['filter']

 in authuser.php -
$orderingFilter = $_GET['filter'];
if ($orderingFilter == '') $orderBy ="order by uname ASC" ;
else $orderBy ="order by ".$orderingFilter." ".$direction;
$result = mysql_query("SELECT * FROM authuser ".$orderBy );
--

VI. VENDOR RESPONSE

Vendor has been contacted.

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20060301 Bug discovered
20060316 Vendor contacted
20060316 Advisory released

IX. CREDIT

ascii is credited with the discovery of this vulnerability.

X. LEGAL NOTICES

Copyright (c) 2005 Francesco "aScii" Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

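The ORDER BY case in chapter 11 deserves a worked example because it is the one a quote-escaping layer cannot reach: a sort column is an identifier, not a string literal, so it is neither quoted in the query nor bindable as a parameter. The Python/sqlite3 below is an added example and is not Milkeyway code; the authuser columns other than uname are hypothetical. It mirrors the quoted PHP concatenation, shows that the magic-quotes transformation leaves a quote-free filter untouched, and puts an allow-list builder next to it as the fix the workaround section calls input validation.

```python
import sqlite3

# Hypothetical authuser columns; the advisory only names uname.
ALLOWED_COLUMNS = {"uname", "ip", "last_seen"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def addslashes(value):
    """What magic_quotes_gpc does to request input: escape quotes and backslashes."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"'))


def order_by_vulnerable(filter_value, direction):
    """Mirrors the authuser.php lines quoted in the advisory: the filter is
    concatenated without surrounding quotes, so escaping changes nothing."""
    if filter_value == "":
        return "order by uname ASC"
    return "order by " + filter_value + " " + direction


def order_by_safe(filter_value, direction="ASC"):
    """Identifiers cannot be bound as parameters, so allow-list them instead."""
    column = filter_value or "uname"
    direction = direction.upper()
    if column not in ALLOWED_COLUMNS:
        raise ValueError("unknown sort column: %r" % filter_value)
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError("unknown sort direction: %r" % direction)
    return 'order by "%s" %s' % (column, direction)


def check_order_by(filter_value, direction="ASC"):
    """Clause for an accepted request, None for a rejected one."""
    try:
        return order_by_safe(filter_value, direction)
    except ValueError:
        return None


def demo_db():
    """Constructed stand-in for the authuser table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE authuser (uname TEXT, ip TEXT, last_seen INTEGER)")
    conn.executemany("INSERT INTO authuser VALUES (?, ?, ?)", [
        ("carol", "10.0.0.3", 3), ("alice", "10.0.0.1", 1), ("bob", "10.0.0.2", 2)])
    return conn


def list_users(conn, filter_value="", direction="ASC"):
    """The query from the advisory, rebuilt on top of the allow-listed clause."""
    sql = "SELECT uname FROM authuser " + order_by_safe(filter_value, direction)
    return [row[0] for row in conn.execute(sql)]
```

Binding the user's value as a parameter would not work here (the database would sort by a constant string), which is why the fix is a closed set of accepted column names and directions rather than escaping.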

Re: [Full-disclosure] Re: [VulnWatch] [xfocus-SD-060314]Microsoft Office Excel Buffer Overflow Vulnerability

2006-03-16 Thread eyas
no

> Dear XFOCUS Team,
> 
> Is this the same vuln as discovered by class101 ?
> http://www.zerodayinitiative.com/advisories/ZDI-06-004.html
> 
> 
> 
> -- 
> http://secdev.zoller.lu
> Thierry Zoller
> Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-- 
eyas <[EMAIL PROTECTED]>



Re: [Full-disclosure] Re: [VulnWatch] [xfocus-SD-060314]Microsoft Office Excel Buffer Overflow Vulnerability

2006-03-16 Thread [EMAIL PROTECTED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
no, but our discoveries are all patched with the same patch, look at
the MS advisory closely:

http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx

Microsoft thanks the following for working with us to help protect
customers:

* Ollie Whitehouse of Symantec for reporting the Microsoft Office
  Remote Code Execution Using a Malformed Routing Slip Vulnerability -
  CVE-2006-0009

* FelicioX for working with Microsoft on the Microsoft Office Excel
  Remote Code Execution Using a Malformed Range Vulnerability -
  CVE-2005-4131

* Peter Winter-Smith of NGS Software for reporting similar behavior
  to the Remote Code Execution with Microsoft Office Excel Vulnerability -
  CVE-2005-4131

* TippingPoint and the Zero Day Initiative for reporting the
  Microsoft Office Excel Remote Code Execution Using a Malformed File
  Format Parsing Vulnerability - CVE-2006-0028

* Dejun of the Fortinet Security Response Team for reporting the
  Microsoft Office Excel Remote Code Execution Using a Malformed
  Description Vulnerability - CVE-2006-0029

* Eyas of the XFOCUS Security Team for reporting the Microsoft Office
  Excel Remote Code Execution Using a Malformed Record Vulnerability -
  CVE-2006-0031


only FelicioX and NGSS found the same bug ;)

Thierry Zoller wrote:
> Dear XFOCUS Team,
>
> Is this the same vuln as discovered by class101 ?
> http://www.zerodayinitiative.com/advisories/ZDI-06-004.html
>
>
>

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.1 (MingW32)
 
iD8DBQFEGSZUFJS99fNfR+YRAh9xAJwM9sP9dSlqsn9IsO3czfdj+1sknQCdH/MD
Y01obA6+miFI7VGgcYHeOQ0=
=KczF
-END PGP SIGNATURE-



Re: Linux zero IP ID vulnerability?

2006-03-16 Thread Andrea Purificato - bunker

At 10:33, Tuesday 14 March 2006, Marco Ivaldi wrote:

> I've recently stumbled upon an interesting behaviour of some Linux kernels
> that may be exploited by a remote attacker to abuse the ID field of IP
> packets, effectively bypassing the zero IP ID in DF packets countermeasure
> implemented since 2.4.8 (IIRC).

Hi Marco!

I've just tested this thing on available hardware:


- [PIRELLI HOME ACCESS GATEWAY]

[EMAIL PROTECTED]:~$ sudo nmap -sS -P0 xxx.xxx.xxx.136 -O -v
[cut]PORT STATE SERVICE
1720/tcp open  H.323/Q.931
MAC Address: (Pirelli Broadband Solutions)
Device type: PBX
Running: 3Com embedded
OS details: 3Com NBX PBX
[cut]IPID Sequence Generation: Incremental

(closed port)
[EMAIL PROTECTED]:~$ sudo /usr/sbin/hping -S xxx.xxx.xxx.136 -c 3
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): S set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26002 sport=0 flags=RA seq=0 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26004 sport=0 flags=RA seq=1 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26006 sport=0 flags=RA seq=2 win=0 

[EMAIL PROTECTED]:~$ sudo /usr/sbin/hping -SA xxx.xxx.xxx.136 -c 3
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26008 sport=0 flags=R seq=0 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26010 sport=0 flags=R seq=1 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26012 sport=0 flags=R seq=2 win=0

(opened port)
[EMAIL PROTECTED]:~$ sudo /usr/sbin/hping -S xxx.xxx.xxx.136 -c 3 -p 1720
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): S set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26082 sport=1720 flags=SA seq=0 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26084 sport=1720 flags=SA seq=1 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26086 sport=1720 flags=SA seq=2 win=8192

[EMAIL PROTECTED]:~$ sudo /usr/sbin/hping -SA xxx.xxx.xxx.136 -c 3 -p 1720
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26074 sport=1720 flags=R seq=0 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26076 sport=1720 flags=R seq=1 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26078 sport=1720 flags=R seq=2 win=8192


- [MY BOX WITH 2.6.15.6 #1 i686 pentium4 GNU/Linux (vanilla)]
- (no iptables rules)

[EMAIL PROTECTED]:~$ sudo nmap -sS -P0 -O -v xxx.xxx.xxx.139
[cut]PORT STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
1080/tcp open  socks
6000/tcp open  X11
MAC Address: (Xnet Technology)
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.7 - 2.6.11
[cut]IPID Sequence Generation: All zeros

(closed port + S flag)
[EMAIL PROTECTED]:~$ cat hping.closed
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): S set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4102 sport=18 flags=RA seq=0 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4103 sport=18 flags=RA seq=1 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4104 sport=18 flags=RA seq=2 win=0

(opened port + S flag)
[EMAIL PROTECTED]:~$ cat hping.open
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): S set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=5840
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=1 win=5840
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=2 win=5840

(closed port + SA flag)
[EMAIL PROTECTED]:~$ cat hpingSA.closed
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4111 sport=18 flags=R seq=0 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4112 sport=18 flags=R seq=1 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4113 sport=18 flags=R seq=2 win=0

(opened port + SA flag)
[EMAIL PROTECTED]:~$ cat hpingSA.open
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4108 sport=22 flags=R seq=0 win=0
len=60 ip=xxx.xxx.xxx.139 ttl=64 DF id=4109 sport=22 flags=R seq=0 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4110 sport=22 flags=R seq=1 win=0


The results obtained from 2.6.15.6 with the +S flag seem interesting.
-- 
Andrea "bunker" Purificato
+++[>++>+>
++<<<-]>.>++.>.<--.>-.<+++.

http://rawlab.altervista.org 

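As an added example (not part of Andrea's post), the script below parses the hping reply lines quoted above, groups them by TCP flags, source port and the DF bit, and classifies each group's IP ID sequence the way an OS-fingerprinting IPID test would. `leaks_counter` then lists the reply classes that still carry an incrementing ID despite DF, which is the behaviour Marco raised. The sample lines are copied from the post (the addresses were already masked there).

```python
import re

# Reply lines copied from Andrea's post: the 2.6.15.6 box (DF set on every reply)
LINUX_2_6_REPLIES = """\
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4102 sport=18 flags=RA seq=0 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4103 sport=18 flags=RA seq=1 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4104 sport=18 flags=RA seq=2 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=5840
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=1 win=5840
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=2 win=5840
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4108 sport=22 flags=R seq=0 win=0
len=60 ip=xxx.xxx.xxx.139 ttl=64 DF id=4109 sport=22 flags=R seq=0 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4110 sport=22 flags=R seq=1 win=0
"""

# And the Pirelli gateway (no DF, counter stepping by two)
PIRELLI_REPLIES = """\
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26002 sport=0 flags=RA seq=0 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26004 sport=0 flags=RA seq=1 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26006 sport=0 flags=RA seq=2 win=0
"""

LINE_RE = re.compile(r"id=(?P<id>\d+) sport=(?P<sport>\d+) flags=(?P<flags>\S+)")


def parse_replies(text):
    """Yield (flags, sport, df_set, ip_id) for each hping reply line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        yield m["flags"], int(m["sport"]), " DF " in line, int(m["id"])


def classify_ipid(ids):
    """Label one reply class: all zeros, a constant positive step, or irregular."""
    if all(i == 0 for i in ids):
        return "all zeros"
    deltas = {b - a for a, b in zip(ids, ids[1:])}
    if len(ids) > 1 and len(deltas) == 1:
        step = deltas.pop()
        if step > 0:
            return "incremental (+%d)" % step
    return "irregular"


def ipid_report(text):
    """Group replies by (flags, source port, DF) and classify each group."""
    groups = {}
    for flags, sport, df, ip_id in parse_replies(text):
        groups.setdefault((flags, sport, df), []).append(ip_id)
    return {key: classify_ipid(ids) for key, ids in groups.items()}


def leaks_counter(report):
    """Reply classes that still expose a predictable counter although DF is set."""
    return sorted(key for key, label in report.items()
                  if key[2] and label.startswith("incremental"))
```

On the 2.6.15.6 output this separates the SYN/ACK replies from the open port (ID always zero) from the RST replies, which step by one with DF set; the nmap summary line quoted in the post ("All zeros") reflects only the first of those classes.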

Re: Invision Power Board v2.1.4 - session hijacking

2006-03-16 Thread Hans Wolters

Matt,

On 16-Mar-2006, at 15:55, [EMAIL PROTECTED] wrote:

> This report is ridiculous and quite frankly shows that the author
> does not understand how IPB works.
>
> Yes, the author is correct in finding that if you: copy the user's
> IP address, copy the user's user-agent and copy the user's session
> ID then they can "hijack" your session.
>
> That's because, to all intents and purposes you are the same person.
>
> A stateless HTTP application HAS to authenticate against SOMETHING.
>
> This report is bogus. Feel free to relabel it "Stateless HTTP
> authentication potential vulnerability" and remove it from Invision
> Power Board's category.

You finally answered, that is something. We can continue this
discussion here so you can't close the topic like you did on the
Invision Board site.

I will state again what the problem is:

1. Users behind a proxy that do not initiate the X-FORWARDED-FOR
   header will all have the same IP number.

2. A user using an OS that can close the desktop session without
   killing the applications like the browser will possibly still be
   logged in to the targeted Invision Board site.

Both situations will make it easier to hijack the session once it is
installed on a server with transparent sessions.

You stated that the user agent can be used for additional checks. Let
me state that it is very easy to fake that. Once you can get the
specific user to visit a site where the session id is disclosed you
have both the session id and the user agent. At that moment you will
be able to login as that user _if_ you have the same IP number (behind
a proxy for instance).

Faking the user agent itself can be done with lots of tools or even
at the command line.

As for hiding the session id, in certain situations it will keep
showing up no matter what you do. Popups, javascript, etc. You must
be absolutely sure this will not take place.

One last thing, you might be right when you state that I do not know
how the board works, however, I do not need to know since the session
hijacking itself reveals how it works: you are not checking enough in
certain situations. Since this is not open source I can't check it
(not willing to buy a version if I will not use it).

Matt, as stated in the original posting I tried to contact you twice
before I disclosed the information. You are making yourself
ridiculous (to use the words you like to use) in front of all your
customers. Be a good sport, think about how you want to fix this and
patch the board.

Kind regards,

Hans
 

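The thread above turns on two points: a session id that is visible in a URL before login and is still honoured after login, and an IP/User-Agent comparison as the only extra check, which proves nothing for users sharing a proxy. The Python below is an added example of the server-side fix and is not Invision Power Board code; the in-memory session store, the `session` cookie name and the addresses are constructed. It replays the weak scheme first, then shows the two changes that close the gap whether or not IP and User-Agent match: rotating the id at authentication (so the pre-login id a visitor may have seen is retired) and accepting ids only from the Cookie header, never from the query string.

```python
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """Constructed in-memory session table, not IPB's implementation."""

    def __init__(self):
        self._sessions = {}   # session id -> {"user", "ip", "ua"}

    def start(self, ip, ua):
        """Anonymous session handed to a visitor before login."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "ip": ip, "ua": ua}
        return sid

    def login_in_place(self, sid, user):
        """Weak: authenticate but keep the pre-login id, the one that may
        already have appeared in an 'index.php?s=...' style link."""
        self._sessions[sid]["user"] = user
        return sid

    def login_rotating(self, sid, user):
        """Hardened: issue a fresh id at authentication and retire the old one."""
        old = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = dict(old, user=user)
        return new_sid

    def user_for(self, sid, ip, ua):
        """Resolve a presented id; IP/UA equality is the only extra check,
        which is exactly what fails behind a shared proxy."""
        s = self._sessions.get(sid)
        if s is None or s["ip"] != ip or s["ua"] != ua:
            return None
        return s["user"]


def session_id_from_request(headers, query):
    """Hardened extraction: only the Cookie header is consulted. The query
    string is accepted as an argument purely to make the point that an
    id carried there (as in index.php?s=...) is never read."""
    del query  # deliberately not consulted
    cookie = SimpleCookie()
    cookie.load(headers.get("Cookie", ""))
    return cookie["session"].value if "session" in cookie else None


def scenario():
    proxy_ip = "203.0.113.10"          # both clients sit behind one proxy
    ua = "Mozilla/5.0 (constructed)"   # and present the same user agent

    # 1. Pre-login id kept after login: whoever saw it in a URL and shares
    #    the proxy address and UA is, to the server, "the same person".
    weak = SessionStore()
    sid = weak.start(proxy_ip, ua)
    weak.login_in_place(sid, "alice")
    replayed_weak = weak.user_for(sid, proxy_ip, ua)

    # 2. Rotate at login: the leaked pre-login id no longer maps to anyone.
    strong = SessionStore()
    sid0 = strong.start(proxy_ip, ua)
    sid1 = strong.login_rotating(sid0, "alice")
    replayed_strong = strong.user_for(sid0, proxy_ip, ua)
    legit = strong.user_for(sid1, proxy_ip, ua)

    # 3. Ids arrive only via cookie, never from the query string.
    from_url = session_id_from_request({}, "s=" + sid1 + "&act=Login")
    from_cookie = session_id_from_request({"Cookie": "session=" + sid1}, "")

    return {
        "weak_scheme_hijacked": replayed_weak == "alice",
        "rotated_old_id_rejected": replayed_strong is None,
        "rotated_new_id_works": legit == "alice",
        "query_string_id_ignored": from_url is None,
        "cookie_id_read": from_cookie == sid1,
    }
```

Neither change depends on the IP or User-Agent comparison, which is the right outcome given the thread: the comparison stays as a weak heuristic, but the id that was exposed before authentication is never the id that grants access after it, and an id pasted into a URL is not consulted at all.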

Remote overflow in MSIE script action handlers (mshtml.dll)

2006-03-16 Thread Michal Zalewski
Good morning,

This might not come as a surprise, but there appears to be a *very*
interesting and apparently very much exploitable overflow in Microsoft
Internet Explorer (mshtml.dll).

This vulnerability can be triggered by specifying more than a couple
thousand script action handlers (such as onLoad, onMouseMove, etc) for any
single HTML tag. Due to a programming error, MSIE will then attempt to
write memory array out of bounds, at an offset corresponding to the ID of
the script action handler multiplied by 4 (due to 32-bit address clipping,
the result is a small positive integer).

The list of IDs can be found on the Web, and is as follows (values in
parentheses = resulting offsets):

  onhelp = 0x8001177d (+0x45df4)
  onclick = 0x80011778 (+0x45de0)
  ondblclick = 0x80011779 (+0x45de4)
  onkeyup = 0x80011776 (+0x45dd8)
  onkeydown = 0x80011775 (+0x45dd4)
  onkeypress = 0x80011777 (+0x45ddc)
  onmouseup = 0x80011773 (+0x45dcc)
  onmousedown = 0x80011772 (+0x45dc8)
  onmousemove = 0x80011774 (+0x45dd0)
  onmouseout = 0x80011771 (+0x45dc4)
  onmouseover = 0x80011770 (+0x45dc0)
  onreadystatechange = 0x80011789 (+0x45e24)
  onafterupdate = 0x80011786 (+0x45e18)
  onrowexit = 0x80011782 (+0x45e08)
  onrowenter = 0x80011783 (+0x45e0c)
  ondragstart = 0x80011793 (+0x45e4c)
  onselectstart = 0x80011795 (+0x45e54)

What happens next depends on the structure of the page in which the
malicious tag is embedded, as well as previously visited page and
previously initialized extensions (all these factors can be controlled by
the attacker).

When the offending page contains no additional elements, and the user is
not redirected from elsewhere, the browser will typically crash
immediately, because there is no allocated memory at the resulting offset.
In all other cases, crashes will typically occur later, due to attempted
use of unrelated but corrupted in-memory buffers - for example, when the
user attempts to leave or reload the page. Another good example is coming
from a page that contains Macromedia Flash - this usually causes the Flash
plugin itself to choke on corrupted memory on cleanup.

For non-believers, there's a short but fiery demonstration page available
at http://lcamtuf.coredump.cx/iedie.html (yes, it will probably crash your
browser).

Tested on MSIE 6.0.2900.2180.xpsp2.040806-1825 on Windows XP SP2. As far
as I can tell, other browser makes (Firefox, Opera) are not susceptible to
this attack.

I eagerly await due reprimand from Microsoft for not disclosing this
vulnerability in a manner that benefits them most, not passing start, not
collecting $200 (from iDefense?).

Regards,
/mz
http://lcamtuf.coredump.cx/silence/


Re: Remote overflow in MSIE script action handlers (mshtml.dll)

2006-03-16 Thread Michal Zalewski
On Thu, 16 Mar 2006, Daniel Bonekeeper wrote:

> BTW, tested the POC on MSIE (File Version = 6.00.2900.2180
> (xpsp_sp2_rtm.040803-2158)) with mshtml.dll (6.00.2900.2802
> (xpsp_sp2_gdr.051123-1230)) and it didn't work.

Daniel followed up with me in private and confirmed that the PoC *did*
work for him when he followed certain additional instructions: because the
attack depends on memory layout and usage, to get consistent results, be
sure to close *all* MSIE windows, then go to Start -> Run... and type:

  iexplore http://lcamtuf.coredump.cx/iedie.html

That should crash the browser immediately, because there are no other
buffers nearby to "absorb" the initial fencepost. Still, if no dice, try
hitting 'Reload' a couple of times.

/mz


Re: Remote overflow in MSIE script action handlers (mshtml.dll)

2006-03-16 Thread Daniel Bonekeeper
BTW, tested the POC on MSIE (File Version = 6.00.2900.2180
(xpsp_sp2_rtm.040803-2158))
with mshtml.dll (6.00.2900.2802 (xpsp_sp2_gdr.051123-1230)) and it
didn't work.

--
What this world needs is a good five-dollar plasma weapon.