[USN-479-1] MadWifi vulnerabilities
===========================================================
Ubuntu Security Notice USN-479-1                June 28, 2007
linux-restricted-modules-2.6.15/.17/.20 vulnerabilities
CVE-2006-7177, CVE-2006-7178, CVE-2006-7179, CVE-2006-7180,
CVE-2007-2829, CVE-2007-2830, CVE-2007-2831
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  linux-restricted-modules-2.6.15-28-386            2.6.15.12-28.2
  linux-restricted-modules-2.6.15-28-686            2.6.15.12-28.2
  linux-restricted-modules-2.6.15-28-amd64-generic  2.6.15.12-28.2
  linux-restricted-modules-2.6.15-28-amd64-k8       2.6.15.12-28.2
  linux-restricted-modules-2.6.15-28-amd64-xeon     2.6.15.12-28.2
  linux-restricted-modules-2.6.15-28-k7             2.6.15.12-28.2
  linux-restricted-modules-2.6.15-28-powerpc        2.6.15.12-28.2
  linux-restricted-modules-2.6.15-28-powerpc-smp    2.6.15.12-28.2
  linux-restricted-modules-2.6.15-28-sparc64        2.6.15.12-28.2
  linux-restricted-modules-2.6.15-28-sparc64-smp    2.6.15.12-28.2

Ubuntu 6.10:
  linux-restricted-modules-2.6.17-11-386            2.6.17.8-11.2
  linux-restricted-modules-2.6.17-11-generic        2.6.17.8-11.2
  linux-restricted-modules-2.6.17-11-powerpc        2.6.17.8-11.2
  linux-restricted-modules-2.6.17-11-powerpc-smp    2.6.17.8-11.2
  linux-restricted-modules-2.6.17-11-powerpc64-smp  2.6.17.8-11.2
  linux-restricted-modules-2.6.17-11-sparc64        2.6.17.8-11.2
  linux-restricted-modules-2.6.17-11-sparc64-smp    2.6.17.8-11.2

Ubuntu 7.04:
  linux-restricted-modules-2.6.20-16-386            2.6.20.5-16.29
  linux-restricted-modules-2.6.20-16-generic        2.6.20.5-16.29
  linux-restricted-modules-2.6.20-16-lowlatency     2.6.20.5-16.29
  linux-restricted-modules-2.6.20-16-powerpc        2.6.20.5-16.29
  linux-restricted-modules-2.6.20-16-powerpc-smp    2.6.20.5-16.29
  linux-restricted-modules-2.6.20-16-powerpc64-smp  2.6.20.5-16.29
  linux-restricted-modules-2.6.20-16-sparc64        2.6.20.5-16.29
  linux-restricted-modules-2.6.20-16-sparc64-smp    2.6.20.5-16.29

After a standard system upgrade you need to reboot your computer to effect the necessary changes.

Details follow:

Multiple flaws in the MadWifi driver were discovered that could lead to a system crash. A physically nearby attacker could generate specially crafted wireless network traffic and cause a denial of service. (CVE-2006-7177, CVE-2006-7178, CVE-2006-7179, CVE-2007-2829, CVE-2007-2830)

A flaw was discovered in the MadWifi driver that would allow unencrypted network traffic to be sent prior to finishing WPA authentication. A physically nearby attacker could capture this traffic, leading to a loss of privacy, denial of service, or network spoofing. (CVE-2006-7180)

A flaw was discovered in the MadWifi driver's ioctl handling. A local attacker could read kernel memory or crash the system, leading to a denial of service. (CVE-2007-2831)

Updated packages for Ubuntu 6.06 LTS:
TSLSA-2007-0021 - kerberos5
--
Trustix Secure Linux Security Advisory #2007-0021

Package names:     kerberos5
Summary:           Multiple vulnerabilities
Date:              2007-06-29
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Secure Linux 3.0.5
                   Trustix Operating System - Enterprise Server 2
--

Package description:

kerberos5
(MIT) Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.

Problem description:

kerberos5  TSL 3.0.5  TSL 3.0  TSL 2.2  TSEL 2

- SECURITY Fix: Some vulnerabilities have been reported in Kerberos, which can be exploited by malicious users to compromise a vulnerable system.

  - An error exists within the gssrpc__svcauth_gssapi function in the RPC library, which can cause kadmind and possibly other third-party products to free an uninitialised pointer when receiving an RPC credential with a length of zero.

  - A signedness error exists within the gssrpc__svcauth_unix() function in the RPC library, which is used by kadmind and possibly other third-party products. This can be exploited to cause a stack-based buffer overflow.

  - Fixes a stack-based buffer overflow in kadmind within the rename_principal_2_svc function, which could allow remote authenticated users to execute arbitrary code via a crafted request to rename a principal.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-2442, CVE-2007-2443 and CVE-2007-2798 to these issues.

Action:

We recommend that all systems with this package installed be upgraded. Please note that if you do not need the functionality provided by this package, you may want to remove it from your system.
Location:

All Trustix Secure Linux updates are available from
URI: http://http.trustix.org/pub/trustix/updates/
URI: ftp://ftp.trustix.org/pub/trustix/updates/

About Trustix Secure Linux:

Trustix Secure Linux is a small Linux distribution for servers. With focus on security and stability, the system is painlessly kept safe and up to date from day one using swup, the automated software updater.

Automatic updates:

Users of the SWUP tool can enjoy having updates automatically installed using 'swup --upgrade'.

Questions?

Check out our mailing lists:
URI: http://www.trustix.org/support/

Verification:

This advisory along with all Trustix packages are signed with the TSL sign key. This key is available from:
URI: http://www.trustix.org/TSL-SIGN-KEY

The advisory itself is available from the errata pages at
URI: http://www.trustix.org/errata/trustix-2.2/
URI: http://www.trustix.org/errata/trustix-3.0/
URI: http://www.trustix.org/errata/trustix-3.0.5/
or directly at
URI: http://www.trustix.org/errata/2007/0021/

MD5sums of the packages:

--
Trustix Security Team
[SECURITY] [DSA 1325-1] New evolution packages fix arbitrary code execution
--------------------------------------------------------------------------
Debian Security Advisory DSA 1325-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                        Moritz Muehlenhoff
June 29th, 2007                        http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : evolution
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2007-1002 CVE-2007-3257

Several remote vulnerabilities have been discovered in Evolution, a groupware suite with mail client and organizer. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-1002
    Ulf Harnhammer discovered that a format string vulnerability in the handling of shared calendars may allow the execution of arbitrary code.

CVE-2007-3257
    It was discovered that the IMAP code in the Evolution Data Server performs insufficient sanitising of a value later used as an array index, which can lead to the execution of arbitrary code.

For the oldstable distribution (sarge) these problems have been fixed in version 2.0.4-2sarge2. Packages for hppa, mips and powerpc are not yet available. They will be provided later.

For the stable distribution (etch) these problems have been fixed in version 2.6.3-6etch1. Packages for mips are not yet available. They will be provided later.

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you upgrade your evolution packages.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
SQL Injection In Script VBZooM V1.12
Discovered By: Hasadya Raed
Contact: [EMAIL PROTECTED]
Israel
---
Script: VBZooM V1.12
VBZooM V1.12 reply.php SQL Injection
Dork: POWERED BY VBZooM V1.12
---
B.File: reply.php
---
Exploit:
http://www.victim.com/Path_Script/sub-join.php?UserID=[SQL Injection]
Airscanner Advisory #07062901: FlexiSPY Victim/User Database Exposure (Full world readable access to ALL SMS/Emails/Voice data from victims/users)
http://airscanner.com/security/07062901_flexispy.htm

Airscanner Mobile Security Advisory #07062901: FlexiSPY Victim/User Database Exposure (Full world readable access to ALL SMS/Emails/Voice data from victims/users)

Product: FlexiSpy.com Website
Platform: NA
Requirements: NA
Credits: Seth Fogie, Airscanner Mobile Security, http://www.airscanner.com
Date: June 14, 2007
Risk Level: High - Sensitive information disclosure for all devices on which FlexiSpy is installed

Summary:

FlexiSpy.com's user administration web application contains a critical bug that allows anyone to view anyone else's captured voice, SMS, email, or location data. This can be accessed via a 'Demo' account from the FlexiSpy.com website.

Details:

FlexiSpy is a program sold as 'Spy Software for mobile / cell phones' with which you can 'Catch cheating husbands wives and employees'. The software comes in several versions, the most powerful of which has the following features:

- SMS Logging (incoming/outgoing)
- Email Logging (incoming/outgoing)
- Call History (incoming/outgoing)
- Call Duration (incoming/outgoing)
- Contact Name in Address book linked to each call/sms

When an event occurs, the information related to that event is uploaded to their secure server. The person who purchased the software can then log into the website and review the information. The following figure is a screenshot taken from the 'Demo' page, which gives prospective users a chance to see what kind of data is collected.

[Figure 1: Screenshot of administration screen for 'demo' user]

To view information about an item, a user has to click on the link under the 'Type' column, which then shows the information related to that email, SMS, or call. Various bits of data are collected, such as the caller's phone number, the contents of the SMS message, and copies of the text in captured emails.

[Figure 2: Example of a captured email]

Each item is assigned a specific id, which is contained in the URL:

http://flexispy.com/report.do?act=doGetDetail&id=2471018

The problem with the application is that the ID number can be manually changed (e.g. http://flexispy.com/report.do?act=doGetDetail&id=2471000), thus allowing access to other users' data. The server looks up the record by id alone and never checks that it belongs to the logged-in account. As a result, people who have the FlexiSpy program loaded on their phones are not only being subjected to the spying activities of the person who installed the spyware, but have also potentially been exposed to anyone who found this vulnerability.

Note: Given that the numbers are for the most part sequentially assigned, a malicious hacker could have created an application that downloaded the details for each and every item stored in the database for each and every user/victim of the software.

Workaround:

Uninstall the software from the victim's phone. Delete all existing messages that are stored on FlexiSpy's server.

Copyright (c) 2007 Airscanner Corp. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of Airscanner Corp. If you wish to reprint the whole or any part of this alert in any medium other than electronically, please contact Airscanner Corp. for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use on an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
flac123 0.0.9 - Stack overflow in comment parsing
iSEC Partners Security Advisory - 2007-002-flactools
http://www.isecpartners.com

flac123 0.0.9 - Stack overflow in comment parsing

Vendor URL: http://flac-tools.sourceforge.net/
Severity: High (Allows for arbitrary code execution)
Author: David Thiel, david[at]isecpartners[dot]com
Vendor notified: 2007-06-05
Public release: 2007-06-28
Systems affected: Verified code execution on FreeBSD 6.2 - should affect most systems.
Advisory URL: http://www.isecpartners.com/advisories/2007-002-flactools.txt

Summary:

flac123, also known as flac-tools, is vulnerable to a buffer overflow in Vorbis comment parsing. This allows for the execution of arbitrary code.

Details:

The function local__vcentry_parse_value() in vorbiscomment.c does not correctly handle a long value_length, causing it to overflow the buffer dest during memcpy().

Fix Information:

This is the sole issue corrected in version 0.0.10.

Thanks to:

Dan Johnson for quickly producing the fixed version.

About iSEC Partners:

iSEC Partners is a full-service security consulting firm that provides penetration testing, secure systems development, security education and software design verification. More information on exploiting media players and codecs and tools to do the same will be presented at BlackHat USA 2007.

115 Sansome Street, Suite 1005
San Francisco, CA 94104
Phone: (415) 217-0052
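The defect described above is a length field taken from the file and passed straight to memcpy(). The following bounds-checked Vorbis comment reader is an added example written for this page, not flac123's code: it parses the real block layout (little-endian u32 vendor length, vendor string, u32 entry count, then one length-prefixed "KEY=value" per entry) and refuses any length that exceeds either the bytes present or the destination buffer. VC_MAX_VALUE, the function names and the two sample blocks are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

#define VC_MAX_VALUE 256   /* assumed local cap on one comment string, not flac123's */

/* Read a little-endian u32 length field without running past the block. */
static int read_le32(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out) {
    if (len - *pos < 4) return -1;
    *out = (uint32_t)buf[*pos] | ((uint32_t)buf[*pos + 1] << 8) |
           ((uint32_t)buf[*pos + 2] << 16) | ((uint32_t)buf[*pos + 3] << 24);
    *pos += 4;
    return 0;
}

/* Copy one length-prefixed string into dest. The claimed length is checked against
 * the bytes actually present and against dest_size before memcpy(); the advisory
 * says the vulnerable local__vcentry_parse_value() trusted value_length instead. */
static int vc_read_entry(const uint8_t *buf, size_t len, size_t *pos,
                         char *dest, size_t dest_size) {
    uint32_t n;
    if (read_le32(buf, len, pos, &n) != 0) return -1;
    if (n > len - *pos) return -1;   /* file claims more bytes than it holds */
    if (n >= dest_size) return -1;   /* would not fit with the NUL terminator */
    memcpy(dest, buf + *pos, n);
    dest[n] = '\0';
    *pos += n;
    return 0;
}

/* Parse a Vorbis comment block (vendor string, entry count, entries). Returns the
 * number of entries parsed, or -1 if any length field is inconsistent with the data. */
int vc_parse(const uint8_t *buf, size_t len, char (*out)[VC_MAX_VALUE], size_t max_out) {
    size_t pos = 0;
    uint32_t count;
    char vendor[VC_MAX_VALUE];
    if (vc_read_entry(buf, len, &pos, vendor, sizeof vendor) != 0) return -1;
    if (read_le32(buf, len, &pos, &count) != 0) return -1;
    if (count > max_out) return -1;  /* more entries than we have room for */
    for (uint32_t i = 0; i < count; i++)
        if (vc_read_entry(buf, len, &pos, out[i], VC_MAX_VALUE) != 0) return -1;
    return (int)count;
}

/* Constructed sample blocks (not taken from any real FLAC file). */
static const uint8_t good_block[] = { 4,0,0,0,'t','e','s','t', 1,0,0,0,
                                      9,0,0,0,'A','R','T','I','S','T','=','m','e' };
static const uint8_t bad_block[]  = { 4,0,0,0,'t','e','s','t', 1,0,0,0,
                                      0xff,0xff,0xff,0x7f,'A','=','b' }; /* oversize length */

/* Returns 1 when the well-formed block yields exactly one entry, "ARTIST=me". */
int vc_demo_good(void) {
    char out[4][VC_MAX_VALUE];
    int n = vc_parse(good_block, sizeof good_block, out, 4);
    return (n == 1 && strcmp(out[0], "ARTIST=me") == 0) ? 1 : -2;
}
/* Returns -1: the oversize length is rejected before any copy happens. */
int vc_demo_bad(void) { char out[4][VC_MAX_VALUE]; return vc_parse(bad_block, sizeof bad_block, out, 4); }
```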
Re: eTicket version 1.5.5 XSS Attack Vulnerability
The severity of this bug is inaccurate. Considering this bug is simply XSS, and only available when register_globals is On, I would consider this Very Low. Ultimately eTicket is not designed to work with register_globals On; please turn it off. It is set to off in php.ini by default.