[SECURITY] [DSA 1362-1] New lighttpd packages fix several vulnerabilities

2007-08-29 Thread Steve Kemp

--------------------------------------------------------------------------
Debian Security Advisory DSA-1362                       [EMAIL PROTECTED]
http://www.debian.org/security/                               Steve Kemp
August 29th, 2007                     http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: lighttpd
Vulnerability  : various
Problem type   : local/remote
Debian-specific: no
CVE Id(s)  : CVE-2007-3946
Debian Bug : 434888

Several vulnerabilities were discovered in lighttpd, a fast webserver with
minimal memory footprint.  The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2007-3946

The use of mod_auth could lead to a denial of service attack, crashing
the webserver.

CVE-2007-3947

The improper handling of repeated HTTP headers could cause a denial
of service attack, crashing the webserver.

CVE-2007-3949

A bug in mod_access potentially allows remote users to bypass
access restrictions via trailing slash characters.

CVE-2007-3950

On 32-bit platforms users may be able to create denial of service
attacks, crashing the webserver, via mod_webdav, mod_fastcgi, or
mod_scgi.


For the stable distribution (etch), these problems have been fixed in version
1.4.13-4etch3.

For the unstable distribution (sid), these problems have been fixed in
version 1.4.16-1.

We recommend that you upgrade your lighttpd package.

Upgrade instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------


The Long Run

2007-08-29 Thread Dave Aitel

As of today, one of the best hacker books ever, long out of print and
unavailable except from eBay and crusty used book stores in the East
Village, is now available for free download here:
http://www.immunityinc.com/downloads/TheLongRun.pdf


Dave Aitel
Content Management Director
Immunity, Inc.



[SECURITY] [DSA 1361-1] New postfix-policyd packages fix arbitrary code execution

2007-08-29 Thread Steve Kemp

--------------------------------------------------------------------------
Debian Security Advisory DSA-1361                       [EMAIL PROTECTED]
http://www.debian.org/security/                               Steve Kemp
August 29th, 2007                     http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: postfix-policyd
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-3791
Debian Bug : 435735


It was discovered that postfix-policyd, an anti-spam plugin for postfix,
didn't correctly bounds-test incoming SMTP commands, potentially allowing
the remote exploitation of arbitrary code.

For the stable distribution (etch), this problem has been fixed in version
1.80-2.1etch1.

For the old stable distribution (sarge), this package was not present.

For the unstable distribution (sid), this problem was fixed in version
1.80-2.2.

We recommend that you upgrade your postfix-policyd package.


Upgrade instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

--------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show ' and http://packages.debian.org/



Multiple vulnerabilities in Doomsday 1.9.0-beta5.1

2007-08-29 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Doomsday
  http://www.doomsdayhq.com
  http://www.dengine.net
  http://sourceforge.net/projects/deng/
Versions: <= 1.9.0-beta5.1 and current SVN
Platforms:Windows, Linux and Mac
Bugs: A] D_NetPlayerEvent global buffer-overflow using PKT_CHAT
  B] Msg_Write global buffer-overflow through PKT_CHAT
  C] undelimited strcpy in PKT_CHAT
  D] integer overflow in PKT_CHAT
  E] static buffer-overflow in NetSv_ReadCommands
  F] client format string through PSV_CONSOLE_TEXT
Exploitation: remote, versus servers or clients depending on the bug
Date: 29 Aug 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Doomsday (aka deng) is an open source port of the original Doom code
with tons of enhancements and addons which make it the most advanced
port at the moment.


###

===
2) Bugs
===

-
A] D_NetPlayerEvent global buffer-overflow using PKT_CHAT
-

When a chat message is received, the server takes the incoming packet
and reads who sent it, its destination and naturally the entire message,
which is copied into a heap buffer using the remaining size of the packet
to calculate the amount of data to allocate.
Then a strcpy() is performed to copy the message from the packet to
the newly allocated buffer called msg.
If the message is directed to the server it's displayed in the console
using the D_NetPlayerEvent function.
Subsequently the message is copied from msg into a global buffer called
netBuffer for sending the message to all the other clients using the
function Msg_Write.

This explanation is valid for the other three bugs below too, since they
are all exploited through this same set of instructions, which are
shown here:

from sv_main.c:

void Sv_HandlePacket(void)
...
    case PKT_CHAT:
        // The first byte contains the sender.
        msgfrom = Msg_ReadByte();
        // Is the message for us?
        mask = Msg_ReadShort();
        // Copy the message into a buffer.
        msg = M_Malloc(netBuffer.length - 3);
        strcpy(msg, (char *) netBuffer.cursor);
        // Message for us? Show it locally.
        if(mask & 1)
        {
            Net_ShowChatMessage();
            gx.NetPlayerEvent(msgfrom, DDPE_CHAT_MESSAGE, msg);
        }
        // Servers relay chat messages to all the recipients.
        Msg_Begin(PKT_CHAT);
        Msg_WriteByte(msgfrom);
        Msg_WriteShort(mask);
        Msg_Write(msg, strlen(msg) + 1);
        for(i = 1; i < MAXPLAYERS; i++)
            if(players[i].ingame && mask & (1 << i) && i != from)
            {
                Net_SendBuffer(i, SPF_ORDERED);
            }
        M_Free(msg);
        break;

In the case of D_NetPlayerEvent we have the following global buffer
overflow of msgBuff, caused by a sprintf or strcpy depending on the
number of players in the server.

Important note: although this is a global buffer-overflow, on the
Windows game server (not the dedicated one) it is possible to control the
code flow since EIP takes the value sent by the attacker, and so it could
be possible to execute malicious code.
This bug can then be exploited not only versus the servers but also
versus all the clients connected, since the big data is forwarded to
them by the same server.

from d_net.c:

char    msgBuff[256];
float   netJumpPower = 9;
...
long int D_NetPlayerEvent(int plrNumber, int peType, void *data)
...
    // DDPE_CHAT_MESSAGE occurs when a PKT_CHAT is received.
    // Here we will only display the message (if not a local message).
    else if(peType == DDPE_CHAT_MESSAGE && plrNumber != consoleplayer)
    ...
        // If there are more than two players, include the name of
        // the player who sent this.
        if(num > 2)
            sprintf(msgBuff, "%s: %s", Net_GetPlayerName(plrNumber),
                    (const char *) data);
        else
            strcpy(msgBuff, data);



-
B] Msg_Write global buffer-overflow through PKT_CHAT
-

The Msg_Write function, used for filling the "send" buffer, suffers from a
global buffer-overflow too; in this case the target buffer is netBuffer,
which is 32768 bytes long.

from net_msg.c:

void Msg_Write(const void *src, int len)
{
    memcpy(netBuffer.cursor, src, len);
    netBuffer.cursor
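
An added example, not part of Auriemma's advisory or of the Doomsday source: a C sketch of how the PKT_CHAT path and Msg_Write shown above could be bounds-checked, using the sizes the advisory quotes (a 256-byte msgBuff and a 32768-byte netBuffer). The net_buffer_t layout, the function names and the sample packets are assumptions constructed for this demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes quoted in the advisory: msgBuff is 256 bytes, netBuffer is 32768. */
#define MSGBUFF_SIZE   256
#define NETBUFFER_SIZE 32768
#define PKT_CHAT_HDR   3   /* sender byte + 16-bit recipient mask */
/* Stand-in for Doomsday's netBuffer (assumed layout, not the engine's own). */
typedef struct {
    uint8_t  msg[NETBUFFER_SIZE];
    size_t   length;
    uint8_t *cursor;
} net_buffer_t;
static char         msgBuff[MSGBUFF_SIZE];   /* same role as in d_net.c */
static net_buffer_t relay;                   /* outgoing "send" buffer */

/* Hardened Msg_Write: refuse a write that would run past the backing array
 * instead of memcpy'ing blindly (bug B). Returns 0 on success, -1 if dropped. */
int msg_write_checked(net_buffer_t *nb, const void *src, size_t len)
{
    size_t used = (size_t)(nb->cursor - nb->msg);
    if (used > NETBUFFER_SIZE || len > NETBUFFER_SIZE - used)
        return -1;
    memcpy(nb->cursor, src, len);
    nb->cursor += len;
    nb->length  = used + len;
    return 0;
}

/* Length of the chat text after the 3-byte PKT_CHAT header, or -1 when the
 * text has no NUL inside the packet (bug C) or would not fit in msgBuff once
 * the "<name>: " prefix is added (bug A). */
int chat_payload_length(const uint8_t *pkt, size_t pkt_len, size_t name_len)
{
    if (pkt_len < PKT_CHAT_HDR + 1)          /* header plus at least a NUL */
        return -1;
    const char *text  = (const char *)pkt + PKT_CHAT_HDR;
    size_t      avail = pkt_len - PKT_CHAT_HDR;
    const char *nul   = memchr(text, '\0', avail);
    if (nul == NULL)
        return -1;
    size_t n = (size_t)(nul - text);
    if (name_len + 2 + n + 1 > MSGBUFF_SIZE)
        return -1;
    return (int)n;
}

/* Hardened server-side PKT_CHAT handling: validate, display through a
 * bounded snprintf, then rebuild the relay packet with checked writes.
 * Returns 0 if the message was accepted and relayed, -1 if dropped. */
int handle_chat_checked(const uint8_t *pkt, size_t pkt_len,
                        const char *sender_name, int num_players)
{
    int n = chat_payload_length(pkt, pkt_len, strlen(sender_name));
    if (n < 0)
        return -1;
    const char *text    = (const char *)pkt + PKT_CHAT_HDR;
    uint8_t     msgfrom = pkt[0];
    uint16_t    mask    = (uint16_t)(pkt[1] | (pkt[2] << 8));
    if (mask & 1) {                          /* addressed to the server */
        if (num_players > 2)
            snprintf(msgBuff, sizeof msgBuff, "%s: %s", sender_name, text);
        else
            snprintf(msgBuff, sizeof msgBuff, "%s", text);
    }
    relay.cursor = relay.msg;                /* Msg_Begin equivalent */
    relay.length = 0;
    if (msg_write_checked(&relay, &msgfrom, 1) < 0 ||
        msg_write_checked(&relay, &mask, 2) < 0 ||   /* host order; demo only */
        msg_write_checked(&relay, text, (size_t)n + 1) < 0)
        return -1;
    return 0;
}

/* Constructed sample packets (not captured traffic), returning the verdict. */
int demo_short_message(void)
{
    const uint8_t pkt[] = { 1, 0x01, 0x00, 'h', 'i', '\0' };
    return handle_chat_checked(pkt, sizeof pkt, "alice", 3);
}
int demo_unterminated(void)
{
    const uint8_t pkt[] = { 1, 0x01, 0x00, 'h', 'i' };     /* no NUL */
    return handle_chat_checked(pkt, sizeof pkt, "alice", 3);
}
int demo_oversize(void)
{
    uint8_t pkt[PKT_CHAT_HDR + 300];                       /* > msgBuff */
    memset(pkt, 'A', sizeof pkt);
    pkt[0] = 1; pkt[1] = 0x01; pkt[2] = 0x00; pkt[sizeof pkt - 1] = '\0';
    return handle_chat_checked(pkt, sizeof pkt, "alice", 2);
}

int main(void)
{
    int rc = demo_short_message();
    printf("short: %d (%s, %zu relay bytes)\n", rc, msgBuff, relay.length);
    printf("unterminated: %d, oversize: %d\n", demo_unterminated(), demo_oversize());
    return 0;
}
```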

Re: InterWorx-CP Multiple HTML Injections Vulnerabilitie

2007-08-29 Thread info
InterWorx 3.0.3 has been released that addresses this problem.

http://interworx.com/forums/showthread.php?t=2501


Re[2]: Unexploitable buffer-overflow in the logging function of the Unreal engine

2007-08-29 Thread 3APA3A
Dear [EMAIL PROTECTED],

Thanks, it's really useful. Only small correction:

sc config beep start= disabled

--Wednesday, August 29, 2007, 6:48:35 PM, you wrote to 
bugtraq@securityfocus.com:

rgc> perhaps disabling the BEEP driver with "NET STOP BEEP" and or
rgc> "SC DISABLE BEEP" will mitigate the freezeups due to ASCII 0x07
rgc> printing.


-- 
~/ZARAZA http://securityvulns.com/




HPSBMA02236 SSRT061260 rev.1 - HP OpenView Performance Manager (OVPM) Running Shared Trace Service on HP-UX, Solaris, and Windows, Remote Arbitrary Code Execution

2007-08-29 Thread security-alert

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01109171
Version: 1

HPSBMA02236 SSRT061260 rev.1 - HP OpenView Performance Manager (OVPM) Running 
Shared Trace Service on HP-UX, Solaris, and Windows, Remote Arbitrary Code 
Execution

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2007-08-07
Last Updated: 2007-08-07

Potential Security Impact: Remote arbitrary code execution 

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP OpenView 
Performance Manager (OVPM) running Shared Trace Service on HP-UX, Solaris, and 
Windows. The vulnerability could be remotely exploited to execute arbitrary 
code.

References: None 

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Performance Manager (OVPM) 5.x and 6.x running on 
HP-UX PA-RISC and IPF (B.11.11,B.11.23), 
Solaris (5.7, 5.8, 5.9), 
Windows (2000, 2003 and Windows XP). 

BACKGROUND

The Hewlett-Packard Company thanks Cody Pierce of TippingPoint DV Labs 
(dvlabs.tippingpoint.com) for reporting this vulnerability to [EMAIL PROTECTED]

The Hewlett-Packard Company thanks an anonymous researcher working with the 
iDefense VCP for reporting this vulnerability to [EMAIL PROTECTED]

To determine if a system has an affected version, search the output of "swlist 
-a revision -l fileset" for an affected fileset. Then determine if the 
recommended patch or update is installed. 

AFFECTED VERSIONS 

HP-UX B.11.23 (IA) 
= 
HPOvLcore.HPOVXPL 
action: install revision 3.10.040 or subsequent 
URL: http://openview.hp.com/ecare/getsupportdoc?docid=QXCR1000390205 

HP-UX B.11.23 (PA) 
HP-UX B.11.11 
HP-UX B.11.00 
= 
HPOvLcore.HPOVXPL 
action: install revision 3.10.040 or subsequent 
URL: http://openview.hp.com/ecare/getsupportdoc?docid=QXCR1000390205 

END AFFECTED VERSIONS 

RESOLUTION
HP has provided a hotfix to resolve this vulnerability. Please contact HP 
Support and request the hotfix for QXCR1000390205: 
http://openview.hp.com/ecare/getsupportdoc?docid=QXCR1000390205 

MANUAL ACTIONS: Yes - NonUpdate 
Install the hotfix 

PRODUCT SPECIFIC INFORMATION 

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application 
that replaces HP-UX Security Patch Check. It analyzes all HP-issued Security 
Bulletins and lists recommended actions that may apply to a specific HP-UX 
system. It can also download patches and create a depot automatically. For more 
information see: https://www.hp.com/go/swa 

HISTORY 
Version: 1 (rev.1) - 7 August 2007 Initial release 

Third Party Security Patches: Third party security patches which are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: [EMAIL PROTECTED] 
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED] 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
  - verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.


To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product Category that this Security Bulletin relates to is 
represented by the 5th and 6th characters of the Bulletin number in the title: 

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault


System management and security procedures must be reviewed frequently to 
maintain system integrity. HP is continually reviewing and enhancing the 
security features of software products to provide customers with current secure 
solutions.


"HP is broadly distributing this Security Bulletin in order to bring to the 
attention o

Cisco Security Advisory: XSS and SQL Injection in Cisco CallManager/Unified Communications Manager Logon Page

2007-08-29 Thread Cisco Systems Product Security Incident Response Team

Cisco Security Advisory: XSS and SQL Injection in Cisco
CallManager/Unified Communications Manager Logon Page

Advisory ID: cisco-sa-20070829-ccm

http://www.cisco.com/warp/public/707/cisco-sa-20070829-ccm.shtml

Revision 1.0

For Public Release 2007 August 29 1600 UTC (GMT)

+

Summary
===

Cisco CallManager and Unified Communications Manager are vulnerable
to Cross-Site Scripting (XSS) and SQL Injection attacks in the lang
variable of the admin and user logon pages. A successful attack may
allow an attacker to run JavaScript on computer systems connecting to
CallManager or Unified Communications Manager servers, and has the
potential to disclose information within the database.

Cisco has made free software available to address these vulnerabilities
for affected customers.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20070829-ccm.shtml.

Affected Products
=

Vulnerable Products
+--

Cisco CallManager and Unified Communications Manager versions prior to
the following are affected by these vulnerabilities:

  * 3.3(5)sr2b
  * 4.1(3)sr5
  * 4.2(3)sr2
  * 4.3(1)sr1

The software version of a CallManager or Unified Communications Manager
system can be determined by navigating to "Show > Software" via the
administration interface.

For Unified Communications Manager version 5.0, the software version can
also be determined by running the command "show version active" in the
Command Line Interface (CLI).

For CallManager and Unified Communications Manager version 3.x and 4.x
systems, the software version can be determined by navigating to
"Help > About Cisco Unified CallManager" and selecting the "Details"
button via the administration interface.

Note: Cisco Unified CallManager versions 4.3, 5.1 and 6.0 have been
renamed to Cisco Unified Communications Manager. Software versions 3.3,
4.0, 4.1, 4.2 and 5.0 retain the Cisco Unified CallManager name.

Products Confirmed Not Vulnerable
+

No other Cisco products are known to be affected by this vulnerability.

No other versions of CallManager or Unified Communications Manager are
vulnerable.

Details
===

Cisco Unified CallManager/Communications Manager (CUCM) is the call
processing component of the Cisco IP telephony solution which extends
enterprise telephony features and functions to packet telephony network
devices such as IP phones, media processing devices, voice-over-IP
(VoIP) gateways, and multimedia applications.

The cross-site scripting vulnerability and the SQL injection
vulnerability are triggered when a specially crafted value is entered
in the lang variable of either the admin or user logon pages. Attacks
against these vulnerabilities are conducted through the web interface
and use the http or https protocol. In the case of the cross-site
scripting vulnerability, the malicious value includes scripting code
enclosed by the  and  tags. In the case of the SQL
injection vulnerability, the value terminates the SQL call and completes
a call to the back-end database.

An attacker must be able to convince a user into following a specially
crafted URL in order to successfully exploit the cross-site scripting
vulnerability.

The cross-site scripting vulnerability is documented as bug ID
CSCsi10728.

The SQL injection vulnerability is documented as bug ID CSCsi64265.

Vulnerability Scoring Details
+

Cisco is providing scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.

Cisco will provide a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.

Cisco PSIRT will set the bias in all cases to normal. Customers
are encouraged to apply the bias parameter when determining the
environmental impact of a particular vulnerability.

CVSS is a standards based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided an FAQ to answer additional questions regarding CVSS
at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss


XSS in Cisco CallManager User Logon and Admin Page (CSCsi10728)

CVSS Base Score - 4.3
Access Vector -Network
Access Complexity -Medium
Authentication -   None
Confidentiality Impact -   Partial
Integrity Impact - None
Availability Impact -  None

CVSS Temporal Score - 3.6
Exploitability -   Function

EnterpriseDB Advanced Server 8.2 Uninitialized Pointer

2007-08-29 Thread Joxean Koret
EnterpriseDB Advanced Server 8.2 Uninitialized Pointer


Product Description:

EnterpriseDB is a (commercial) relational database management system
based on PostgreSQL.

Vulnerable Versions:

EnterpriseDB Advanced Server 8.2 on all supported operating systems.

Tested Operating Systems:

Microsoft Windows 2003 SP2 x86
Red Hat Enterprise Linux 4 x86

Vulnerability Details:

A problem was found in the product EnterpriseDB which may lead to remote
code execution, although that point wasn't demonstrated. At least, it is a
denial of service.

The issue exists in almost all the debugging functions (so it is a
post-authentication vulnerability), i.e., pldbg_get_stack. The function
"pldbg_create_listener" is responsible for starting the debug process
and must be the first function called before the client sends any
debugging command.

The problem is that, when you call *any* debugging related function
before the call to the main "pldbg_create_listener", an uninitialized
pointer is used, causing a DoS (denial of service) that leads to remote
code execution.

Proof of concept:

1) Connect to a vulnerable EnterpriseDB as a low level user (the
execution privilege over the pldbg_* functions is granted by default).
2) Execute the following query:

edb=> select pldbg_abort_target(1094861636); -- 0x41424344 in decimal

(gdb) where
#0  0x00ba81db in sendBytes ()
from /opt/EnterpriseDB/8.2/dbserver/lib/pldbgapi.so
#1  0x00ba82a1 in sendUInt32 ()
from /opt/EnterpriseDB/8.2/dbserver/lib/pldbgapi.so
#2  0x00ba82e3 in sendString ()
from /opt/EnterpriseDB/8.2/dbserver/lib/pldbgapi.so
#3  0x00ba8880 in pldbg_abort_target ()
from /opt/EnterpriseDB/8.2/dbserver/lib/pldbgapi.so
#4  0x0816669d in ExecMakeFunctionResult ()
#5  0x08168d51 in ExecProject ()
#6  0x0817544d in ExecResult ()
#7  0x08162f65 in ExecProcNode ()
#8  0x08161931 in ExecutorRun ()
#9  0x081fa2e3 in PortalRunSelect ()
#10 0x081fb12a in PortalRun ()
#11 0x081f5a8b in exec_simple_query ()
#12 0x081f76ec in PostgresMain ()
#13 0x081ca356 in ServerLoop ()
#14 0x081cb2b7 in PostmasterMain ()
#15 0x081865d7 in main ()
(gdb) x /i $pc
0xba81db :      mov    (%eax),%eax
(gdb) i r
eax            0x41424344       1094861636
ecx            0x4              4
edx            0xbff46c04       -1074500604
ebx            0xbacbd8         12241880
esp            0xbff46bc0       0xbff46bc0
ebp            0xbff46be8       0xbff46be8
esi            0x4              4
edi            0xbab597         12236183
eip            0xba81db         0xba81db
eflags         0x10286          66182
cs             0x73             115
ss             0x7b             123
ds             0x7b             123
es             0x7b             123
fs             0x0              0

The complete database server crashes (dropping all active connections).

Patch information:

The issue was fixed by no longer exposing a direct pointer to the client
application; instead, the server sends an opaque handle to the client
and then validates each handle when it comes back to the debugger. If
the debugger detects an invalid handle, it throws an error.

The patch is available for customers in the EnterpriseDB website.

Thanks:

Thanks to Shahzad Khokhar, Vice President of Customer Support at
EnterpriseDB Corporation. He was very kind and professional.

Disclaimer:

The information in this advisory and any of its demonstrations is
provided "as is" without any warranty of any kind. 

I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory.

Contact:

Joxean Koret - joxeankoret[at]yahoo[dot]es
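
An added example of the fix pattern the advisory describes (an opaque, validated handle instead of a raw pointer sent to the client); this is not EnterpriseDB's code. The listener_t type, the table layout and the abort_target_checked entry point are assumptions made for this demo; the 0x41424344 value is the one from the proof of concept above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical debugger-side object that the server used to hand to the
 * client as a raw pointer (the type and its field are assumptions). */
typedef struct {
    int session_id;
} listener_t;

#define MAX_HANDLES 8

/* Handle table: the client only ever sees an opaque 32-bit value packed as
 * (generation << 16 | slot); the pointer itself never leaves the server.
 * The generation is bumped on release so a stale handle stops matching. */
static struct {
    listener_t *obj;
    uint16_t    generation;
} table[MAX_HANDLES];

/* Register an object and return its handle, or 0 if the table is full. */
uint32_t handle_create(listener_t *obj)
{
    for (uint32_t slot = 0; slot < MAX_HANDLES; slot++) {
        if (table[slot].obj == NULL) {
            if (table[slot].generation == 0)
                table[slot].generation = 1;      /* handle value is never 0 */
            table[slot].obj = obj;
            return ((uint32_t)table[slot].generation << 16) | slot;
        }
    }
    return 0;
}

/* Validate a handle that came back from the client. Returns the object, or
 * NULL for anything the server did not issue: out-of-range slot, empty
 * slot, or a generation that no longer matches (stale handle). */
listener_t *handle_lookup(uint32_t h)
{
    uint32_t slot = h & 0xFFFFu;
    uint16_t gen  = (uint16_t)(h >> 16);
    if (slot >= MAX_HANDLES || table[slot].obj == NULL)
        return NULL;
    if (gen != table[slot].generation)
        return NULL;
    return table[slot].obj;
}

/* Release a handle; every copy the client still holds becomes invalid. */
int handle_release(uint32_t h)
{
    if (handle_lookup(h) == NULL)
        return -1;
    uint32_t slot = h & 0xFFFFu;
    table[slot].obj = NULL;
    if (++table[slot].generation == 0)
        table[slot].generation = 1;
    return 0;
}

/* Guarded entry point in the spirit of pldbg_abort_target(handle): an
 * unknown handle is reported as an error instead of being dereferenced.
 * Returns the target's session id, or -1 for an invalid handle. */
int abort_target_checked(uint32_t h)
{
    listener_t *l = handle_lookup(h);
    if (l == NULL)
        return -1;
    return l->session_id;
}

static listener_t demo_listener = { 42 };    /* constructed sample object */

/* Lifecycle walk-through: issue, use, release, then the stale handle and a
 * reissued handle for the same slot behave as expected. Returns 1 if so. */
int demo_roundtrip(void)
{
    uint32_t h = handle_create(&demo_listener);
    if (h == 0 || abort_target_checked(h) != 42) return 0;
    if (handle_release(h) != 0) return 0;
    if (abort_target_checked(h) != -1) return 0;   /* stale handle rejected */
    uint32_t h2 = handle_create(&demo_listener);   /* same slot, new generation */
    if (h2 == h || abort_target_checked(h2) != 42) return 0;
    return handle_release(h2) == 0;
}

int main(void)
{
    printf("roundtrip ok: %d\n", demo_roundtrip());
    /* The advisory's argument 0x41424344 maps to slot 0x4344, which the
     * table does not have, so it is refused rather than dereferenced. */
    printf("0x41424344 -> %d\n", abort_target_checked(0x41424344u));
    return 0;
}
```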





[USN-469-2] Enigmail regression

2007-08-29 Thread Kees Cook
===========================================================
Ubuntu Security Notice USN-469-2                 August 29, 2007
enigmail regression
https://launchpad.net/bugs/119038
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  mozilla-thunderbird-enigmail    2:0.94-0ubuntu4.5

Ubuntu 6.10:
  mozilla-thunderbird-enigmail    2:0.94-0ubuntu5.3

Ubuntu 7.04:
  mozilla-thunderbird-enigmail    2:0.94.2-0ubuntu3

After a standard system upgrade you need to restart Thunderbird to effect
the necessary changes.

Details follow:

USN-469-1 fixed vulnerabilities in the Mozilla Thunderbird email client.
The updated Thunderbird version broke compatibility with the Enigmail
plugin.  This update corrects the problem.  We apologize for the
inconvenience.



Re: Unexploitable buffer-overflow in the logging function of the Unreal engine

2007-08-29 Thread rickmccl
perhaps disabling the BEEP driver with "NET STOP BEEP" and or "SC DISABLE BEEP" 
will mitigate the freezeups due to ASCII 0x07 printing.


[HISPASEC] Blizzard StarCraft Brood War 1.15.1 Remote DoS

2007-08-29 Thread Gynvael Coldwind
HISPASEC
Security Advisory
http://blog.hispasec.com/lab/

Name : Blizzard StarCraft Brood War Remote DoS
Class: Remote/Local DoS
Threat level : MED
Discovered   : 2007-08-08
Published: 2007-08-29
Credit   : Gynvael Coldwind
Vulnerable   : StarCraft Brood War 1.15.1 and prior
   StarCraft 1.15.1 and prior may also be affected


== Abstract ==

StarCraft is a real-time strategy game by Blizzard Entertainment.

StarCraft fails to handle exceptional conditions when generating a
minimap preview of a malformed map. Additionally, since StarCraft
includes a map distribution mechanism (allowing players that do not
own a map to download it when entering a game) it is possible to send
a malformed map to a player that enters the game, and so, remotely DoS
his application.


== Details ==

When a player enters a StarCraft Brood War game (local, LAN game or an
Internet Battle.net game) a preview of the map is generated. If the
map was malformed StarCraft tries to read an area which is not
allocated. This leads to a Denial of Service condition, since
StarCraft generates an Access Violation (READ) exception which is not
handled.
Additionally, if a player enters a multiplayer game, and he does not
own a map that the game is taking place on, StarCraft downloads the map
from other players (not just the creator of the game). If StarCraft
downloads a malformed map from a remote player, it will try to generate
a minimap and enter the DoS condition (this has been confirmed in
testing).

Since StarCraft is a full screen DirectX application a DoS may cause a
need to reboot the whole system on older Windows systems.

Proof of Concept map:
http://blog.hispasec.com/lab/files/SC_PoC_DoS.scm

Memory patcher disabling minimap preview generation:
http://blog.hispasec.com/lab/files/SC_Patch.c
http://blog.hispasec.com/lab/files/SC_Patch.exe (compiled binary)


== Vendor status and solution ==

The vendor has been informed but has not yet released a proper patch
(a fix for this issue was not included in the 1.15.1 patch).

The solution is to be careful when joining games on unknown maps.
See SC_Patch.c and SC_Patch.exe (links in the Details section) for a
memory patcher that disables minimap preview generation in the running
StarCraft application.


== Disclaimer ==
This document and all the information it contains is provided "as is",
without any warranty. Hispasec Sistemas is not responsible for the
misuse of the information provided in this advisory. The advisory is
provided for educational purposes only.

Permission is hereby granted to redistribute this advisory, providing
that no changes are made and that the copyright notices and
disclaimers remain intact.

Copyright (C) 2007 Hispasec Sistemas.

--
Gynvael Coldwind
mailto: [EMAIL PROTECTED]
mailto: [EMAIL PROTECTED]