[ MDKSA-2007:200 ] - Updated tk packages fix vulnerabilities

2007-10-18 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:200
 http://www.mandriva.com/security/
 ___
 
 Package : tk
 Date: October 18, 2007
 Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0
 ___
 
 Problem Description:
 
 A vulnerability in Tk was found that could be used to overrun a buffer
 when loading certain GIF images.  If a user were tricked into opening
 a specially crafted GIF file, it could lead to a denial of service
 condition or possibly the execution of arbitrary code with the user's
 privileges.
 
 Updated packages have been patched to prevent this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5137
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5378
 ___
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 60f740fa8977a3d6ab49a40b750a3d1b  2007.0/i586/libtk8.4-8.4.13-1.1mdv2007.0.i586.rpm
 05990645a727a885dd8fe6608f5dc8b8  2007.0/i586/libtk8.4-devel-8.4.13-1.1mdv2007.0.i586.rpm
 6a5bcabc72b1395745a3d43c3b915465  2007.0/i586/tk-8.4.13-1.1mdv2007.0.i586.rpm
 db9748c866c5e06eff04bc21dd6bf459  2007.0/SRPMS/tk-8.4.13-1.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 2df6cd7b62339579d5ae094cb8599b06  2007.0/x86_64/lib64tk8.4-8.4.13-1.1mdv2007.0.x86_64.rpm
 fab4f39016d8ee9222547cc720c5769e  2007.0/x86_64/lib64tk8.4-devel-8.4.13-1.1mdv2007.0.x86_64.rpm
 7b0c87404cffe6cb73fd731c312e9369  2007.0/x86_64/tk-8.4.13-1.1mdv2007.0.x86_64.rpm
 db9748c866c5e06eff04bc21dd6bf459  2007.0/SRPMS/tk-8.4.13-1.1mdv2007.0.src.rpm

 Mandriva Linux 2007.1:
 e33895b367c8d1982f3269a5c73dc801  2007.1/i586/libtk8.4-8.4.14-1.1mdv2007.1.i586.rpm
 7dc650450f7d3d307411935bea210cf8  2007.1/i586/libtk8.4-devel-8.4.14-1.1mdv2007.1.i586.rpm
 7b97b6cf3fd8032fd3ee3ce4ad7c255f  2007.1/i586/tk-8.4.14-1.1mdv2007.1.i586.rpm
 c4e8e865f6c1d3e36bb201e2ee2f9ab1  2007.1/SRPMS/tk-8.4.14-1.1mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 11e5c61b9e2703782c8ce440270a3eaf  2007.1/x86_64/lib64tk8.4-8.4.14-1.1mdv2007.1.x86_64.rpm
 27430c69edd74459d4b8be1edb2f4613  2007.1/x86_64/lib64tk8.4-devel-8.4.14-1.1mdv2007.1.x86_64.rpm
 118d089330e5a08125f5a2b15a7c2f8a  2007.1/x86_64/tk-8.4.14-1.1mdv2007.1.x86_64.rpm
 c4e8e865f6c1d3e36bb201e2ee2f9ab1  2007.1/SRPMS/tk-8.4.14-1.1mdv2007.1.src.rpm

 Mandriva Linux 2008.0:
 46626982fee7008f9c33437c36de3ce3  2008.0/i586/libtk-devel-8.5a6-8.1mdv2008.0.i586.rpm
 f9ee0b9ae377c06319de116ef3b5cd34  2008.0/i586/libtk8.5-8.5a6-8.1mdv2008.0.i586.rpm
 c52bd1e8b18c214715e5a83a05d5ce77  2008.0/i586/tk-8.5a6-8.1mdv2008.0.i586.rpm
 988dbc066b5e5ced3b97edcefd171a8a  2008.0/SRPMS/tk-8.5a6-8.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 02c6ef1b37706392f4fabf98a570c50f  2008.0/x86_64/lib64tk-devel-8.5a6-8.1mdv2008.0.x86_64.rpm
 f47bbdadd81cc964898046fde9e3d9f4  2008.0/x86_64/lib64tk8.5-8.5a6-8.1mdv2008.0.x86_64.rpm
 d247ad4d59c410442db053159220e16b  2008.0/x86_64/tk-8.5a6-8.1mdv2008.0.x86_64.rpm
 988dbc066b5e5ced3b97edcefd171a8a  2008.0/SRPMS/tk-8.5a6-8.1mdv2008.0.src.rpm

 Corporate 3.0:
 66a845d440a9e2349213fae27271c780  corporate/3.0/i586/expect-8.4.5-3.1.C30mdk.i586.rpm
 27bedea45e60fc2da882019c8b31d3a7  corporate/3.0/i586/itcl-8.4.5-3.1.C30mdk.i586.rpm
 de54d041b4c3e2543cc3da2f0c657a81  corporate/3.0/i586/tcl-8.4.5-3.1.C30mdk.i586.rpm
 36be5f9bac328bf45baeac3cdbdd47ff  corporate/3.0/i586/tcllib-8.4.5-3.1.C30mdk.i586.rpm
 406b9d9ddaaf92b60c7baf154ffcf410  corporate/3.0/i586/tclx-8.4.5-3.1.C30mdk.i586.rpm
 477a109cb62b37fd8bf41ca1df368aa1  corporate/3.0/i586/tix-8.4.5-3.1.C30mdk.i586.rpm
 d893211a561731ad81935ac16210fd73  corporate/3.0/i586/tk-8.4.5-3.1.C30mdk.i586.rpm
 b60191000be9b0abd1c8c9a199aff8c4  corporate/3.0/SRPMS/tcltk-8.4.5-3.1.C30mdk.src.rpm

 Corporate 4.0:
 d501589065ada8f8443f118b3e50a86b  corporate/4.0/i586/expect-8.4.11-1.1.20060mlcs4.i586.rpm
 3b3dd07ea762151dea7a858ffb40a950  corporate/4.0/i586/itcl-8.4.11-1.1.20060mlcs4.i586.rpm
 ce8a6ba003a58318d88d9cf85701d108  corporate/4.0/i586/iwidgets-8.4.11-1.1.20060mlcs4.i586.rpm
 fc38d955a50378b5e60a13e56fb72d92  corporate/4.0/i586/libtcl8.4-8.4.11-1.1.20060mlcs4.i586.rpm
 5f811fc02c05775092056dcbcce5cdfa  corporate/4.0/i586/libtk8.4-8.4.11-1.1.20060mlcs4.i586.rpm
 d556c96e07f5874434cb6de855ad3397  corporate/4.0/i586/tcl-8.4.11-1.1.20060mlcs4.i586.rpm
 ec615811cd2d9a30d70e19efcbc3e5d1  corporate/4.0/i586/tcllib-8.4.11-1.1.20060mlcs4.i586.rpm
 5fa89f9eedf7bf7c9bfa6b4532c3f745  corporate/4.0/i586/tclx-8.4.11-1.1.20060mlcs4.i586.rpm
 50c4cf284aae086ee97c5c88264e380b  corporate/4.0/i586/tix-8.4.11-1.1.20060mlcs4.i586.rpm
 9c10c63d3114b15276006bc13ac22135  cor

S21SEC-038-en: Alcatel Omnivista 4760 Cross-Site Scripting

2007-10-18 Thread S21sec Labs

##
 - S21Sec Advisory -
##

Title:   Alcatel Omnivista 4760 Cross-Site Scripting
   ID:   S21SEC-038-en
 Severity:   Medium -
  History:   10.Jun.2007 Vulnerability discovered
   20.Jun.2007 Vendor contacted
   19.Oct.2007 Advisory released
 Authors:   Juan de la Fuente Costa ([EMAIL PROTECTED])
   Pablo Seijo Cajaraville ([EMAIL PROTECTED])
   URL:   http://www.s21sec.com/avisos/s21sec-038-en.txt
Release:   Public

[ SUMMARY ]

Alcatel-Lucent OmniVista 4760 is an innovative, modular platform that  
provides a suite of network management applications.
This powerful Java-based tool, accessed through a Web browser,  
provides centralized management for the OmniPCX Enterprise.


The platform's open architecture enables today's IT managers and  
administrators to effectively monitor and maintain the
network, while lowering the company's total cost of ownership. This  
suite of network management applications includes:


* LDAP Directory
* Configuration
* Accounting/Performance Management
* Alarm Notification
* Network Topology


[ AFFECTED VERSIONS ]

This vulnerability has been tested in Alcatel Omnivista 4760.


[ DESCRIPTION ]

S21sec has discovered a vulnerability in Alcatel Omnivista 4760 that  
allows injecting JavaScript code in text variables.

This issue allows javascript code execution in the user browser.

The identified parameters are: "action" and "Langue"

Parameter: action

URL: http://www.somesite.com/php-bin/Webclient.php?action=alert("xss")


Parameter: Langue

URL: http://www.somesite.com/?Langue=";>alert("xss")<";


[ WORKAROUND ]

Alcatel-Lucent has released a patch to address this vulnerability.  
More info at:

http://www1.alcatel-lucent.com/psirt/statements/2007003/4760xss.htm

[ ACKNOWLEDGMENTS ]

This vulnerability has been discovered and researched by:

- Juan de la Fuente Costa <[EMAIL PROTECTED]> S21Sec
- Pablo Seijo Cajaraville <[EMAIL PROTECTED]> S21Sec

With special thanks to:

- Miguel Angel Aguilar Bermejo


[ REFERENCES ]

* S21Sec
  http://www.s21sec.com
  http://blog.s21sec.com



[ GLSA 200710-19 ] The Sleuth Kit: Integer underflow

2007-10-18 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200710-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: The Sleuth Kit: Integer underflow
  Date: October 18, 2007
  Bugs: #181977
ID: 200710-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


An integer underflow vulnerability has been reported in The Sleuth Kit
allowing for the user-assisted execution of arbitrary code.

Background
==

The Sleuth Kit is a collection of file system and media management
forensic analysis tools.

Affected packages
=

---
 Package  /  Vulnerable  /  Unaffected
---
  1  app-forensics/sleuthkit       < 2.0.9                  >= 2.0.9

Description
===

Jean-Sebastien Guay-Leroux reported an integer underflow in the
file_printf() function of the "file" utility which is bundled with The
Sleuth Kit (CVE-2007-1536, GLSA 200703-26). Note that Gentoo is not
affected by the improper fix for this vulnerability (identified as
CVE-2007-2799, see GLSA 200705-25) since version 4.20 of "file" was
never shipped with The Sleuth Kit ebuilds.

Impact
==

A remote attacker could entice a user to run The Sleuth Kit on a file
system containing a specially crafted file that would trigger a
heap-based buffer overflow possibly leading to the execution of
arbitrary code with the rights of the user running The Sleuth Kit.

Workaround
==

There is no known workaround at this time.

Resolution
==

All The Sleuth Kit users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-forensics/sleuthkit-2.0.9"

References
==

  [ 1 ] CVE-2007-1536
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536
  [ 2 ] CVE-2007-2799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2799
  [ 3 ] GLSA 200703-26
http://www.gentoo.org/security/en/glsa/glsa-200703-26.xml
  [ 4 ] GLSA 200705-25
http://www.gentoo.org/security/en/glsa/glsa-200705-25.xml

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200710-19.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




Official Windows binaries of "curl" contain vulnerable zlib 1.2.2 (CAN-2005-2096)

2007-10-18 Thread Stefan Kanthak
The Windows binaries of "curl", built by the author and maintainer of
curl and available for download at 
are linked with zlib 1.2.2 , which is
vulnerable to CAN-2005-2096:

| x:\>curl -V
| curl 7.17.0 (i586-pc-mingw32msvc) libcurl/7.17.0 zlib/1.2.2
| Protocols: tftp ftp telnet dict ldap http file
| Features: Largefile NTLM SSPI libz

A scan with ClamAV against the patterns published by Florian Weimer
at  verifies the
presence of the patterns of the vulnerable code:

| x:\>clamscan --database CAN-2005-2096.db
| CURL.EXE: CAN-2005-2096.zlib-1.2.2 FOUND
|
| --- SCAN SUMMARY ---
| Known viruses: 16
| Engine version: 0.91.2
| Scanned directories: 1
| Scanned files: 1

Stefan Kanthak



[ GLSA 200710-18 ] util-linux: Local privilege escalation

2007-10-18 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200710-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: util-linux: Local privilege escalation
  Date: October 18, 2007
  Bugs: #195390
ID: 200710-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


The mount and umount programs might allow local attackers to gain root
privileges.

Background
==

util-linux is a suite of Linux programs including mount and umount,
programs used to mount and unmount filesystems.

Affected packages
=

---
 Package  /  Vulnerable  /  Unaffected
---
  1  sys-apps/util-linux           < 2.12r-r8               >= 2.12r-r8

Description
===

Ludwig Nussel discovered that the check_special_mountprog() and
check_special_umountprog() functions call setuid() and setgid() in the
wrong order and do not check the return values, which can lead to
privileges being dropped improperly.

Impact
==

A local attacker may be able to exploit this vulnerability by using
mount helpers such as the mount.nfs program to gain root privileges and
run arbitrary commands.

Workaround
==

There is no known workaround at this time.

Resolution
==

All util-linux users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/util-linux-2.12r-r8"

References
==

  [ 1 ] CVE-2007-5191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5191

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200710-18.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
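The ordering and return-value problem GLSA 200710-18 describes, shown as an added example that is neither Gentoo's nor util-linux's code: `drop_privileges()` does the real drop in the order the fix requires (group first, then user, then verify), and `ModelProcess` is a deliberately simplified model of the POSIX rule the bug runs into, so the failure of the uid-first pattern can be shown without running as root. It assumes Linux (`os.setresuid`/`os.setresgid`); the uid/gid values 1000 are constructed.

```python
"""Dropping privileges the way the util-linux fix has to: group first,
user second, every call checked, and the outcome verified.  Assumes
Linux (os.setresuid / os.setresgid)."""
import os
from typing import Tuple


def privileges_dropped(uid: int, gid: int) -> bool:
    """True only if real, effective and saved ids all equal the target,
    so a half-done drop (saved uid still 0, say) is reported as failure."""
    return os.getresuid() == (uid, uid, uid) and os.getresgid() == (gid, gid, gid)


def drop_privileges(uid: int, gid: int) -> None:
    """Permanently drop to uid/gid.

    Order matters: once the effective uid is no longer 0 the kernel refuses
    setgid() to any group the process does not already hold, so a uid-first
    drop leaves the process in its original (root) group.  Python raises
    OSError where C returns -1, so a failed call cannot go unnoticed here,
    but the final check still guards against a drop that did not take.
    A real daemon would also call os.setgroups([]) while still root to
    clear supplementary groups; omitted so the example runs unprivileged.
    """
    os.setresgid(gid, gid, gid)  # real, effective and saved gid first ...
    os.setresuid(uid, uid, uid)  # ... then real, effective and saved uid
    if not privileges_dropped(uid, gid):
        raise RuntimeError("privilege drop did not take effect")


def drop_to_self() -> bool:
    """Runnable without root: a drop to the ids we already hold."""
    drop_privileges(os.getuid(), os.getgid())
    return privileges_dropped(os.getuid(), os.getgid())


class ModelProcess:
    """Deliberately simplified model of the POSIX rule behind the bug: a
    process whose uid is not 0 may only set a uid or gid it already holds.
    (Real kernels also honour the saved ids; that does not change the
    ordering lesson.)  Return codes mimic the C API, 0 on success and -1
    on failure, so the 'unchecked' caller can ignore them as the
    vulnerable code did."""

    def __init__(self, uid: int = 0, gid: int = 0) -> None:
        self.uid, self.gid = uid, gid

    def setuid(self, uid: int) -> int:
        if self.uid != 0 and uid != self.uid:
            return -1
        self.uid = uid
        return 0

    def setgid(self, gid: int) -> int:
        if self.uid != 0 and gid != self.gid:
            return -1
        self.gid = gid
        return 0


def unchecked_uid_first(p: ModelProcess, uid: int, gid: int) -> Tuple[int, int]:
    """The pre-fix pattern: setuid() before setgid(), return values ignored.
    Starting from root this ends with the uid dropped but the gid still 0."""
    p.setuid(uid)
    p.setgid(gid)   # returns -1 now that uid != 0, and nobody looks
    return p.uid, p.gid


def checked_gid_first(p: ModelProcess, uid: int, gid: int) -> Tuple[int, int]:
    """The fixed pattern: setgid() first, each return value checked."""
    if p.setgid(gid) != 0:
        raise OSError("setgid failed")
    if p.setuid(uid) != 0:
        raise OSError("setuid failed")
    return p.uid, p.gid


if __name__ == "__main__":
    print("wrong order:", unchecked_uid_first(ModelProcess(0, 0), 1000, 1000))
    print("fixed order:", checked_gid_first(ModelProcess(0, 0), 1000, 1000))
    print("real drop verified:", drop_to_self())
```

The model is where the lesson is visible: from root, `unchecked_uid_first` ends at `(1000, 0)`, exactly the "privileges dropped improperly" state the advisory names, while `checked_gid_first` reaches `(1000, 1000)` or raises.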




Serious holes affecting SiteBar 3.3.8

2007-10-18 Thread Tim Brown
All,

As a result of a short security audit of SiteBar, a number of security holes 
were found.  The holes included code execution, a malicious redirect and 
multiple cases of Javascript injection.

After liaising with the developers, the holes have been patched.  Attached are 
the advisory and patch relating to these flaws.

CVEs open already relating to this audit:

* CVE-2006-3320 (Javascript injection) - previously reported by other parties 
but not resolved and so included for completeness

* CVE-2007-5492 (code execution) - first reported in my attached advisory to 
the vendor, independently rediscovered by Robert Buchholz of Gentoo whilst 
auditing the differences between the patched and unpatched versions (3.3.8 vs 
3.3.9)

* CVE-2007-5491 (file permissions issue) - apparently patched by the vendor at 
the same time as my issues were resolved and discovered by Robert Buchholz of 
Gentoo whilst auditing the differences between the patched and unpatched 
versions (3.3.8 vs 3.3.9)

It is intended that CVE-2007-5492 will be updated to reference both code 
execution flaws I reported.  All other issues in the advisory have been 
patched but no CVEs have yet been requested or assigned to the best of my 
knowledge.

Tim
-- 
Tim Brown


Index: command.php
===
--- command.php	(revision 412)
+++ command.php	(working copy)
@@ -94,8 +94,15 @@
 {
 if (!$this->um->isAuthorized($this->command,
 in_array($this->command, array('Log In', 'Log Out', 'Sign Up')),
-SB_reqVal('command_gid'), SB_reqVal('nid_acl'), SB_reqVal('lid_acl')))
+SB_reqValInt('command_gid'), SB_reqValInt('nid_acl'), SB_reqValInt('lid_acl')))
 {
+$bld = 'build' . $this->shortName();
+$cmd = 'command' . $this->shortName();
+
+if (!method_exists($this,$bld) && !method_exists($this,$cmd))
+{
+$this->command = 'Unknown command!';
+}
 $this->um->accessDenied();
 return;
 }
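Review bot: `SB_reqValInt()` is the load-bearing change in this hunk (it is what keeps `command_gid`, `nid_acl` and `lid_acl` from reaching `isAuthorized()` as raw strings), yet its definition is not part of this patch; confirm it lives in an include every caller loads and that it returns one well-defined integer value when the parameter is absent, since the replaced `SB_reqVal()` calls tolerated missing values. The `method_exists()` guard that rewrites `$this->command` to `'Unknown command!'` before `accessDenied()` is a sound way to keep an attacker-chosen command name out of the error page, but it only runs in the unauthorized branch; any other path that echoes `$this->command` needs the same treatment.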
@@ -849,6 +856,7 @@
 // be otherwise lost. Needed to go back.
 if ($disabled && $params['type'] == 'text')
 {
+$params['value'] = str_replace('"',"'",$params['value']);
 ?>
 
 
 
 um->isAuthorized($name,false,null,SB_reqVal('nid_acl'),SB_reqVal('lid_acl'))) continue;
+if (!$this->um->isAuthorized($name,false,null,SB_reqValInt('nid_acl'),SB_reqValInt('lid_acl'))) continue;
 
 if ($params['type'] == 'button')
 {
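Review bot: `$params['value'] = str_replace('"',"'",$params['value']);` in this hunk is not an escaping step: it swaps one quote character for another and leaves `<`, `>`, `&` and the single quote it introduces untouched, so its safety depends entirely on how the value is quoted in the attribute emitted just below. Prefer `htmlspecialchars($params['value'], ENT_QUOTES)` at the point of output, which encodes both quote types and the angle brackets, and drop the replace.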
@@ -1664,7 +1673,7 @@
 
 function buildDeleteTree()
 {
-$node = $this->tree->getNode(SB_reqVal('nid_acl',true));
+$node = $this->tree->getNode(SB_reqValInt('nid_acl',true));
 if (!$node) return null;
 
 $fields['Folder Name'] = array('name'=>'name','value'=>$node->name, 'disabled'=>null);
@@ -1677,10 +1686,10 @@
 
 function commandDeleteTree()
 {
-$this->tree->removeNode(SB_reqVal('nid_acl'), false);
+$this->tree->removeNode(SB_reqValInt('nid_acl'), false);
 if ($this->um->getParam('user','use_trash'))
 {
-$this->tree->purgeNode(SB_reqVal('nid_acl'));
+$this->tree->purgeNode(SB_reqValInt('nid_acl'));
 }
 SB_unsetVal('nid_acl');
 $this->forwardCommand('Maintain Trees');
@@ -1834,7 +1843,8 @@
 return;
 }
 
-if (SB_reqChk('forward'))
+// This should handle login from translator.php, we should avoid external redirect
+if (SB_reqChk('forward') && strpos(SB_reqVal('forward'),'/') === false)
 {
 header('Location: '.SB_reqVal('forward'));
 exit;
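Review bot: `strpos(SB_reqVal('forward'),'/') === false` is a deny-list on a single character, while the new comment says the intent is to allow only the local login-from-translator.php case; express that intent directly, with an allow-list of the internal targets `forward` may name or by prefixing a fixed local path to the value, rather than relying on no other redirect form surviving the check. As written, the surviving branch still passes an attacker-influenced string straight to `header('Location: '.SB_reqVal('forward'));`, so the allow-list is what turns this from a filter into an open-redirect fix.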
@@ -2681,14 +2691,14 @@
 return null;
 }
 
-if (SB_reqVal('uid') == SB_ADMIN)
+$uid = intval(SB_reqVal('uid'));
+
+if ($uid == SB_ADMIN)
 {
 $this->error('Cannot modify administrator!');
 return null;
 }
 
-$uid = SB_reqVal('uid');
-
 $fields = array();
 $user = $this->um->getUser($uid);
 $fields['Username'] = array('name'=>'email', 'value'=>$user['username'], 'disabled' => null);
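Review bot: casting once with `intval()` and reusing `$uid` for both the `SB_ADMIN` comparison and `getUser($uid)` is cleaner than the old code, which compared the raw value and re-read it afterwards. For consistency with the rest of this patch it should read `$uid = SB_reqValInt('uid');` rather than `intval(SB_reqVal('uid'))`, so there is one place that defines how a numeric request parameter is read.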
@@ -3960,7 +3970,7 @@
 function buildAddFolder()
 {
 $fields = array();
-$node = $this->tree->getNode(SB_reqVal('nid_acl',true));
+$node = $this->tree->getNode(SB_reqValInt('nid_acl',true));
 if (!$node) return null;
 
 if ($this->command == 'Add Folder')
@@ -4020,7 +4030,7 @@
 
 function commandAddFolder()
 {
-$nid = $this->tree->addNode(SB_reqVal('nid_acl'),SB_reqVal('name'),
+$nid = $this->tree->addNode(SB_reqValInt('nid_acl'),SB_reqVal('name'),
 SB_reqVal('comment'), SB_reqVal('sort_mode'));
 
 if ($this->um->pmode && !$this->hasErrors())
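Review bot: only `nid_acl` is converted to an integer in this hunk; `name`, `comment` and `sort_mode` still flow from `SB_reqVal()` straight into `addNode()`. That is fine on the SQL side only if `addNode()` (not shown) parameterises or escapes them, and on the XSS side only if folder names are encoded wherever they are rendered; both are worth confirming, since the accompanying mail reports JavaScript injection as well as the integer-parameter issues.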
@@ -4037,7 +4047,7 @@
 $thi

Softwin's anti-virus BitDefender contains vulnerable zlib (CA-2007-07)

2007-10-18 Thread Stefan Kanthak
At least the freeware version of Softwin's anti-virus solution
BitDefender Free Edition


ships with a completely outdated zlib 1.1.3 
that is vulnerable to CA-2007-07 .

The zlib.dll included in the versions 7.2, 8.0 and the current 10.0
of their products is dated 1998-07-12 and shows the version 1.1.3.

Stefan Kanthak



Windows binary of "GSview 4.8" contain vulnerable zlib (CAN-2005-2096)

2007-10-18 Thread Stefan Kanthak
The Windows binary GSV48W32.EXE of "gsview"


ships with a zlib32.dll (originally named zlib.dll) v1.2.2
 which is vulnerable to CAN-2005-2096.

The zlib32.dll is dated 2005-03-06 (GSview 4.8 was released 2005-03-26),
i.e. before CAN-2005-2096 was published, so it's very likely that all
the binaries provided by the author will show a vulnerable zlib if they
contain one.

A scan with ClamAV against the patterns published by Florian Weimer
at  verifies the
presence of the patterns of the vulnerable code:

| x:\>clamscan --database CAN-2005-2096.db
| ZLIB32.DLL: CAN-2005-2096.zlib-1.2.2 FOUND
|
| --- SCAN SUMMARY ---
| Known viruses: 16
| Engine version: 0.91.2
| Scanned directories: 1
| Scanned files: 1

Stefan Kanthak
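A defender-side check for the three posts above (curl, BitDefender and GSview), as an added example that is neither Stefan Kanthak's ClamAV run nor Florian Weimer's signature database: zlib builds embed a copyright string of the form `" inflate 1.2.2 Copyright 1995-2004 Mark Adler "`, so a binary can be inventoried for the library version it carries without running it. The example assumes 1.2.3 is the first zlib release carrying the CAN-2005-2096 fix and flags anything older as lacking it (1.1.3 is an older line with its own history, which the page's BitDefender post covers separately). The sample blobs are constructed stand-ins, not the real binaries.

```python
"""Inventory the zlib version string embedded in a binary and compare it
with the first release assumed to carry the CAN-2005-2096 fix."""
import re
from pathlib import Path
from typing import Dict, List, Tuple

# zlib's inflate.c and deflate.c each embed a copyright string such as
#   " inflate 1.2.2 Copyright 1995-2004 Mark Adler "
# which survives in any binary that links the library, statically or not.
ZLIB_MARKER = re.compile(rb"(inflate|deflate) (\d+\.\d+(?:\.\d+)?) Copyright")

# Assumption: zlib 1.2.3 is the first release not affected by CAN-2005-2096.
FIXED_IN: Tuple[int, ...] = (1, 2, 3)


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.2.11' -> (1, 2, 11); tuples compare numerically, strings do not."""
    return tuple(int(part) for part in text.split("."))


def find_zlib_versions(blob: bytes) -> List[str]:
    """Every distinct zlib version string found in the bytes, sorted."""
    return sorted({m.group(2).decode("ascii") for m in ZLIB_MARKER.finditer(blob)})


def assess(blob: bytes) -> Dict[str, str]:
    """Map each embedded zlib version to a verdict against FIXED_IN."""
    return {
        version: ("predates fix" if parse_version(version) < FIXED_IN else "has fix")
        for version in find_zlib_versions(blob)
    }


def assess_file(path: str) -> Dict[str, str]:
    """Same verdict for a file on disk (an .exe or .dll, for instance)."""
    return assess(Path(path).read_bytes())


# Constructed stand-ins for the binaries named in the posts; not real files.
SAMPLES: Dict[str, bytes] = {
    "curl.exe":   b"MZ\x90\x00" + b"\x00" * 16
                  + b" inflate 1.2.2 Copyright 1995-2004 Mark Adler \x00",
    "zlib.dll":   b"MZ\x90\x00"
                  + b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00",
    "fixed.dll":  b"MZ\x90\x00"
                  + b" inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00",
    "nozlib.exe": b"MZ\x90\x00no compression library here",
}


def report() -> Dict[str, Dict[str, str]]:
    """Verdicts for all constructed samples, keyed by file name."""
    return {name: assess(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:12s} {verdict or 'no zlib marker found'}")
```

Absence of a marker (the `nozlib.exe` case) is not proof of absence: a stripped or repacked build may lack the string, which is why a byte-pattern signature such as the ClamAV database in the posts is the stronger check. The version string is the cheap first pass that works across a whole directory of vendor binaries.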



[SECURITY] [DSA 1389-1] New zoph packages fix SQL injection

2007-10-18 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1389-1[EMAIL PROTECTED]
http://www.debian.org/security/Thijs Kinkhorst
October 18th, 2007  http://www.debian.org/security/faq
- --

Package: zoph
Vulnerability  : missing input sanitising
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2007-3905
Debian Bug : 435711

It was discovered that zoph, a web based photo management system, 
performs insufficient input sanitising, which allows SQL injection.

For the oldstable distribution (sarge) this problem has been fixed in
version 0.3.3-12sarge2.

For the stable distribution (etch) this problem has been fixed in
version 0.6-2.1etch1.

For the unstable distribution (sid) this problem has been fixed in
version 0.7.0.2-1.

We recommend that you upgrade your zoph package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- 

  Source archives:

http://security.debian.org/pool/updates/main/z/zoph/zoph_0.3.3-12sarge1.dsc
  Size/MD5 checksum:  570 ce9957fa5af8115a5aec530aabe6847f

http://security.debian.org/pool/updates/main/z/zoph/zoph_0.3.3-12sarge1.diff.gz
  Size/MD5 checksum:53959 7c37d28798981a054c634cca92122199
http://security.debian.org/pool/updates/main/z/zoph/zoph_0.3.3.orig.tar.gz
  Size/MD5 checksum:   153902 5ff9d8e182e16d53e0511b6d51da8521

  Architecture independent components:


http://security.debian.org/pool/updates/main/z/zoph/zoph_0.3.3-12sarge1_all.deb
  Size/MD5 checksum:   172190 a185b3cba99ea4bc0f46c73b68bb5a46

Debian GNU/Linux 4.0 alias etch
- ---

  Source archives:

http://security.debian.org/pool/updates/main/z/zoph/zoph_0.6-2.1etch1.dsc
  Size/MD5 checksum:  850 a7bf5364534ae9fb38ba70dcc371e8c6

http://security.debian.org/pool/updates/main/z/zoph/zoph_0.6-2.1etch1.diff.gz
  Size/MD5 checksum:25826 c716e920cb6c9b19941af6359ecc697d
http://security.debian.org/pool/updates/main/z/zoph/zoph_0.6.orig.tar.gz
  Size/MD5 checksum:   382577 7e139b32bd477cccf43454cb4c07c16d

  Architecture independent components:


http://security.debian.org/pool/updates/main/z/zoph/zoph_0.6-2.1etch1_all.deb
  Size/MD5 checksum:   394268 147f75305b9b891fb2ab502a94be3e9e


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show ' and http://packages.debian.org/
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHF8RmXm3vHE4uyloRAg2WAKDcWvMUaZf1ahtha4yGGnBLN2bSFwCcCKcw
Z8I79ybTvjkGwBp2wveTmlA=
=Cikh
-END PGP SIGNATURE-



rPSA-2007-0219-1 libpng

2007-10-18 Thread rPath Update Announcements
rPath Security Advisory: 2007-0219-1
Published: 2007-10-18
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
Indirect User Deterministic Denial of Service
Updated Versions:
[EMAIL PROTECTED]:1/1.2.22-1-0.1

rPath Issue Tracking System:
https://issues.rpath.com/browse/RPL-1814

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5266
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5267
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5268
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5269

Description:
Previous versions of the libpng package can cause applications to
crash when loading malformed PNG files.  It is not currently known
that this vulnerability can be exploited to execute malicious code.

http://wiki.rpath.com/Advisories:rPSA-2007-0219

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html


Re[2]: [Full-disclosure] The Death of Defence in Depth ? - An invitation to Hack.lu

2007-10-18 Thread Thierry Zoller
Dear Felix,
While I love your comment and really welcome constructive criticism,
I actually think you should keep the focus on the Fox News style
question marks. Nowhere is it said that this is the end of
Defence in Depth (as a paradigm); we ask the question.

Then again you seem to be judging about something you haven't seen
nor read. Is this because I ask the Fox News style questions and you
give Fox News style comments ?

FFL> the title is misleading at best.
While I have the utmost respect for your person, in this particular
case, I am sorry dude, but how can you tell ? Have you seen the
presentation? Have you heard the conclusion? I don't think so?
Though you are more than welcome to see it :)

FFL> Defense in Depth has nothing to do
FFL> with security software.
In a certain sense it has. Defence in depth is a Paradigm as not only
applied to how you design software but also how you implement solutions.
The talk is about reality, not an RFC or CISSP Definition.

FYI, while certainly not a reference, here is what Wikipedia has to say:
"Defense in Depth is an Information Assurance (IA) strategy where
multiple layers of defense are placed throughout an Information
Technology (IT) system and addresses personnel, technology and
operations for the duration of the system's lifecycle."
http://en.wikipedia.org/wiki/Defense_in_Depth_(computing)

FFL> To the contrary. The paradigm describes an
FFL> approach where you assume that invidual (even multiple) elements of your
FFL> defense fall, in the worst possible way (which could be code
FFL> execution).
Thank you for the definition, though I must let you know I am fully
aware of it. (I miss a mandatory RFC link) The presentation will
talk of exactly that "...assume.. multiple elements of your defense fall"

What currently is being done in the industry is to ADD more layers of
defence to protect against one failing; this is being done by adding
one parsing engine after the other. Again nobody said Defence in Depth
is wrong in itself, it's just the way the Software Industry has led
companies to implement it. _This_ is the point.

Don't get me wrong, defence in depth as general Paradigm is perfectly
fine :) But you would have had to listen to the talk to draw that
conclusion; this is what I find most irritating about your comment. And
it raises a big question mark as to your motivation for this public
comment.

FFL> What you are describing is people adding security software
FFL> _instead_ of applying a thorough defense in depth design.
I am describing nothing Felix, you are judging about a Presentation
_you have not even seen_. How dare you !!! ==

FFL> Your presentation title suggests that one of the very few paradigms
FFL> that actually promises long term security benefits does not work.
Felix, I am suggesting nothing; you are taking a friendly invitation
as reason to bitch about how you THINK the talk will be given, though
you have no clue.

FFL> Wrong. I suggest you find a better title.
As you command! =)

The title fits the presentation perfectly, I find it rather arrogant
and bloated to comment in this way and fashion on a public mailing
list. I welcome any other comment to my personal Inbox, Phone, Fax
whatever, I will ignore any other comment by public means before
the actual talk has been given and there is actual substance to start
a discussion. I would have loved to receive a question before you
shoot.

-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7



Re: Multiple CSRF in SimplePHPBlog

2007-10-18 Thread Hanno Böck
On Wednesday 17 October 2007, [EMAIL PROTECTED] wrote:
> SimplePHPBlog
> Cross Site Request Forgeries
> Tested on v0.4.9

What's the purpose of reporting issues on old versions?
I don't know simplephpblog, but a quick look at their page tells me that 
they've released a bunch of security related updates since 0.4.9. Their 
current one is 0.5.1.

-- 
Hanno Böck  Blog:   http://www.hboeck.de/
GPG: 3DBD3B20   Jabber: [EMAIL PROTECTED]




Re: SSH attacks - anyone else seen these?

2007-10-18 Thread Tim
On Tuesday 16 October 2007, James Lay wrote:
> Nothing in my logs..just out of curiosity, are you running sshd with
> protocol version 1, 2, or both?

I'm running SSH with protocol version 2 only. But as someone else mentioned, 
this is obviously not an attack against SSH anyways. It just arrived on my 
(non-standard) ssh port and I was interested in what it was aimed at.

Thanks for all the replies, btw!

-- 
Tim


CFP C H A S E - 2 0 0 7 Lahore Pakistan

2007-10-18 Thread chase

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1






  C  H  A  S  E  -  2  0  0  7 
Lahore
  December 07-08 2007

http://www.chase.org.pk/



CHASE-2007 is a unique information and network security  
event of its kind being organized in Pakistan. It was 
first organized last year, in 2006, and proved to be 
successful with the participation of the community.

In addition to presentations and talks, CHASE-2007 
introduces trainings, CTF and other contests. For details, 
please visit the website at:

http://www.chase.org.pk/


** CALL FOR PAPERS ** 

If you are a hacker or a computer and internet security 
professional and have something to talk about, then you have 
an opportunity to do so at CHASE 2007. Please download and 
fill out submission form and send your presentation as early 
as possible to: 

cfp AT chase DOT org DOT pk 

Last date for filing submissions is Friday November 02, 2007. 

All those individuals who would like to present are urged to 
at least send their abstracts as early as possible to the 
mail above. To see guidelines for submission, please visit 
the following page:

http://www.chase.org.pk/en/index.html


** TRAININGS **

This event would offer trainings in two tracks. To see 
details of the training and to get registered, please visit
the link below:

http://www.chase.org.pk/en/training.html


** Call For Participation **

Those who just want to participate may please register as 
early as possible. Just visit the website or send an email 
to: 

register AT chase DOT org DOT pk.

The event comprises two days. The first day is for talks and 
the second day is for trainings. You need to register 
separately for both days. To see details and to see how you 
can register, please visit the following page:

http://chase.org.pk/en/register.html

** Call For Participation in Contests **

CHASE-2007 introduces various contests: CTF, Quiz and 
Gaming. To participate and to see details, please visit the 
following page:

http://www.chase.org.pk/en/contests.html


Hoping to see you all at CHASE-2007 Lahore.


- - --
CHASE Team
[EMAIL PROTECTED]

Tuesday October 09, 2007.




-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.7 (GNU/Linux)

iD8DBQFHC0ljaVLjC8ViUeIRAjkvAKCsfvWrSUH1WtLQS5f23c25C47PJQCgmfA3
CMPo/UWWYNl2onux8lxUfVY=
=xGvp
-END PGP SIGNATURE-



[CORRECTED] Microsoft Windows XP SP2/2003 - Macrovision SecDrv.sys privilege escalation (0day)

2007-10-18 Thread Reversemode


Hi,

Symantec researcher Elia Florio has warned, at the company's weblog, of a
0day attack in Windows XP and 2003 that allows unprivileged users to
gain SYSTEM privileges via a buggy driver installed by default.

In his/her post, Elia brings us an important clue: "At the moment, it’s
still not clear how the driver is used by Windows because this file does
not have the typical Microsoft file properties present in other Windows
system files". Such a file is not common so looking for this sort of
.sys we come across a couple of them. One of those drivers is
secdrv.sys, which is developed by Macrovision as part of SafeDisc.
Mario Ballano (48bits.com) and I have been taking a look at the
driver and quickly found this interesting piece of code.

.text:00015E2C cmp [ebp+var_10], 0CA002813h
.text:00015E33 jz  short loc_15E69

As you can see the IOCTL is METHOD_NEITHER which is a potential
vulnerability by itself (few drivers are correctly handling this
method). Let's see whether this time is different...

.text:00015ED9 call    dword ptr [eax+10h] ; Internal Dispatcher
.text:00015EDC mov     [ebp+var_1C], eax
.text:00015EDF cmp     [ebp+var_1C], 0Ah
.text:00015EE3 jz      short loc_15EFC
.text:00015EE5 mov     eax, [ebp+arg_4]
.text:00015EE8 mov     dword ptr [eax], 0C001h
.text:00015EEE mov     eax, [ebp+arg_4]
.text:00015EF1 and     dword ptr [eax+4], 0
.text:00015EF5 mov     eax, 0C001h
.text:00015EFA jmp     short loc_15F21
.text:00015EFC ; ---------------------------------------------------------------------------
.text:00015EFC
.text:00015EFC loc_15EFC:                              ; CODE XREF: sub_15E12+D1j
.text:00015EFC mov     ecx, [ebp+var_4]
.text:00015EFF mov     esi, [ebp+var_C]
.text:00015F02 mov     eax, [ebp+arg_0]
.text:00015F05 mov     edi, [eax+3Ch]      ; Output Buffer (Irp->UserBuffer)
.text:00015F08 mov     eax, ecx            ; Inline memcpy
.text:00015F0A shr     ecx, 2
.text:00015F0D rep movsd
.text:00015F0F mov     ecx, eax
.text:00015F11 and     ecx, 3
.text:00015F14 rep movsb

No luck. As you can see the buffer supplied by the user is not properly
checked so you can overwrite any address you wish, even kernel
addresses. The first 4 DWORDs of the input buffer are copied into the
output buffer without any further validation. However, there is a
restriction: InputBuffer[1] should be a fixed value in order to reach
this piece of code. No problem. Take a look at the exploit code.

The driver copies bytes into the output buffer but also into the input
buffer so both need to be sanitized. I've released a K-plugin for
kartoffel that exploits this flaw on Windows XP SP2 and 2003 (32-bit).

Download at http://kartoffel.reversemode.com/downloads.php.
This K-plugin can only be used for personal study and research purposes.
Do not email me requesting shellcodes, customized exploit or something
like that.

Although there is no patch available at the moment, we are disclosing
this information since an exploit has been caught in the wild, so we see
no reason to hide information that can be useful for administrators and
researchers.

References:

[1]http://www.symantec.com/enterprise/security_response/weblog/2007/10/privilege_escalation_exploit_i.html
[2]http://www.macrovision.com
[3]http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&task=show&action=view&id=43&Itemid=15
[4]http://blog.48bits.com/?p=172

Regards,
Rubén.



[security bulletin] HPSBMA02274 SSRT071445 rev.2 - HP System Management Homepage (SMH) for HP-UX, Remote Cross Site Scripting (XSS)

2007-10-18 Thread security-alert

SUPPORT COMMUNICATION - SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01183265
Version: 2

HPSBMA02274 SSRT071445 rev.2 - HP System Management Homepage (SMH) for HP-UX, 
Remote Cross Site Scripting (XSS)

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2007-10-03
Last Updated: 2007-10-17

Potential Security Impact: Remote cross site scripting (XSS) 

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP System 
Management Homepage (SMH) for HP-UX. These vulnerabilities could be exploited 
remotely to allow cross site scripting (XSS).

References: none

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
->HP System Management Homepage (SMH) revision A.2.2.6.2 or earlier running 
on HP-UX B.11.11, B.11.23, and B.11.31.

BACKGROUND

The Hewlett-Packard Company thanks Thijs Bosschert (Fox-IT) for reporting this 
vulnerability to [EMAIL PROTECTED] 

To determine if a system has an affected version, search the output of "swlist 
-a revision -l fileset" for an affected fileset. For affected systems, verify 
that the recommended action has been taken. 

AFFECTED VERSIONS

HP-UX B.11.11 
= 
SysMgmtHomepage.SMH-RUN 
->action: install revision A.2.2.6.2 or subsequent and 
->install PHSS_36869 or subsequent 

HP-UX B.11.23 
= 
SysMgmtHomepage.SMH-RUN 
->action: install revision A.2.2.6.2 or subsequent and 
->install PHSS_36870 or subsequent 

HP-UX B.11.31 
= 
SysMgmtHomepage.SMH-RUN 
->action: install revision A.2.2.6.2 or subsequent and 
->install PHSS_36871 or subsequent 

END AFFECTED VERSIONS

RESOLUTION
HP has provided the following patches to resolve these vulnerabilities. The 
patches are available from http://itrc.hp.com 

HP-UX B.11.11
 PHSS_36869 or subsequent
 
HP-UX B.11.23
 PHSS_36870 or subsequent
 
HP-UX B.11.31
 PHSS_36871 or subsequent
 


-> Note: The patches listed above are for SMH vA.2.2.6.2 only. Systems 
running SMH prior to v.A.2.2.6.2 must be updated to SMH vA.2.2.6.2 and then the 
appropriate patch must be installed. SMH versions after vA.2.2.6.2, when 
available, will resolve the vulnerability and will not require the 
patches listed above. 

->SMH vA.2.2.6.2 or subsequent is available from: 
http://www.hp.com/go/softwaredepot/ 

MANUAL ACTIONS: Yes - Update 
->Update to SMH vA.2.2.6.2 or subsequent. Install patches on SMH v.A.2.2.6.2. 

PRODUCT SPECIFIC INFORMATION 

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application 
that replaces HP-UX Security Patch Check. It analyzes all HP-issued Security 
Bulletins and lists recommended actions that may apply to a specific HP-UX 
system. It can also download patches and create a depot automatically. For more 
information see: https://www.hp.com/go/swa 

HISTORY: 
Version:1 (rev.1) - 3 October 2007 Initial Release 
Version:2 (rev.2) - 17 October 2007 Patches require update to SMH vA.2.2.6.2 

Third Party Security Patches: Third party security patches which are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: [EMAIL PROTECTED] 
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED] 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
-verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.


To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product Category that this Security Bulletin relates to is 
represented by the 5th and 6th characters of the Bulletin number in the title: 

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Stora

[security bulletin] HPSBUX02273 SSRT071476 rev.2 - HP-UX Running Apache, Remote Unauthorized Denial of Service (DoS)

2007-10-18 Thread security-alert

SUPPORT COMMUNICATION - SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01182588
Version: 2

HPSBUX02273 SSRT071476 rev.2 - HP-UX Running Apache, Remote Unauthorized Denial 
of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2007-10-10
Last Updated: 2007-10-16

Potential Security Impact: Remote unauthorized Denial of Service (DoS) 

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX Apache 
v2.0.59.00. The vulnerability could be exploited remotely to create an 
unauthorized Denial of Service (DoS).

References: CVE-2007-3847, CVE-2007-3304

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, B.11.31 running Apache v2.0.59.00

BACKGROUND

To determine if a system has an affected version, search the output of "swlist 
-a revision -l fileset" for an affected fileset. Then determine if the 
recommended action has been taken. 

AFFECTED VERSIONS 

For IPv4: 
HP-UX B.11.11 
= 
hpuxwsAPACHE 
- ->action: install revision A.2.0.59.00.0 or subsequent 
restart Apache 
URL: ftp://ssrt1476:[EMAIL PROTECTED] 

For IPv6: 
HP-UX B.11.11 
HP-UX B.11.23 
HP-UX B.11.31 
= 
hpuxwsAPACHE,revision=B.1.0.00.01 
hpuxwsAPACHE,revision=B.1.0.07.01 
hpuxwsAPACHE,revision=B.1.0.08.01 
hpuxwsAPACHE,revision=B.1.0.09.01 
hpuxwsAPACHE,revision=B.1.0.10.01 
hpuxwsAPACHE,revision=B.2.0.48.00 
hpuxwsAPACHE,revision=B.2.0.49.00 
hpuxwsAPACHE,revision=B.2.0.50.00 
hpuxwsAPACHE,revision=B.2.0.51.00 
hpuxwsAPACHE,revision=B.2.0.52.00 
hpuxwsAPACHE,revision=B.2.0.53.00 
hpuxwsAPACHE,revision=B.2.0.54.00 
hpuxwsAPACHE,revision=B.2.0.55.00 
hpuxwsAPACHE,revision=B.2.0.56.00 
hpuxwsAPACHE,revision=B.2.0.58.00 
hpuxwsAPACHE,revision=B.2.0.58.01 
hpuxwsAPACHE,revision=B.2.0.59.00 

action: install revision B.2.0.59.00.0 or subsequent 
restart Apache 
URL: ftp://ssrt1476:[EMAIL PROTECTED] 

END AFFECTED VERSIONS 


RESOLUTION
HP has made the following available to resolve the vulnerability. 

OS Release       Depot name                      MD5 Sum
B.11.11 (IPv4)   HPUXWSA-B218-01-ipv4.depot      eb3bb933baac0f05e1e0809ef1e84eb2
B.11.11 (IPv6)   HPUXWSA-B218-01-ipv6.depot      540a56b155699336bcbfac0eaf87e3ce
B.11.23 PA-32    HPUXWSA-B218-01-1123-32.depot   2900a0cbea01b6905dc768680fbd5381
B.11.23 IA-64    HPUXWSA-B218-01-1123-64.depot   3be084d96e8a509692e37c71c0184014
B.11.31 PA-32    HPUXWSA-B218-01-1131-32.depot   861122eef70f1b53d68c5adafc64cdb5
B.11.31 IA-64    HPUXWSA-B218-01-1131-64.depot   8dc5757fe27fb5994da16e91f9a4


The updates can be obtained from: 
ftp://ssrt1476:[EMAIL PROTECTED]/ 
ftp://ssrt1476:[EMAIL PROTECTED]/ 

MANUAL ACTIONS: Yes - Update 
Install Apache v2.0.59.00.0 or subsequent. 

PRODUCT SPECIFIC INFORMATION 
HP-UX Software Assistant: 
HP-UX Software Assistant is an enhanced application that replaces HP-UX 
Security Patch Check. It analyzes all HP-issued Security Bulletins and lists 
recommended actions that may apply to a specific HP-UX system. It can also 
download patches and create a depot automatically. 
For more information see: https://www.hp.com/go/swa 

HISTORY 
Revision: 1 (rev.1) - 10 October 2007 Initial release 
Revision: 2 (rev.2) - 16 October 2007 Corrected B.11.11 IPv4 version typo. 

Third Party Security Patches: 
Third party security patches which are to be installed on systems running HP 
software products should be applied in accordance with the customer's patch 
management policy. 


Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: [EMAIL PROTECTED] 
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED] 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
-verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.


To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product C

[SECURITY] [DSA 1388-1] New dhcp packages fix arbitrary code execution

2007-10-18 Thread Steve Kemp

--------------------------------------------------------------------------
Debian Security Advisory DSA 1388-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                             Steve Kemp
October 18th, 2007                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: dhcp
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-5365
Debian Bug : 446354

It was discovered that dhcp, a DHCP server for automatic IP address assignment,
didn't correctly allocate space for network replies.  This could potentially
allow a malicious DHCP client to execute arbitrary code upon the DHCP server.

For the old stable distribution (sarge), this problem has been fixed in
version 2.0pl5-19.1sarge3.

For the stable distribution (etch), this problem has been fixed in
version 2.0pl5-19.5etch1.

For the unstable distribution (sid), this problem will be fixed shortly.

We recommend that you upgrade your dhcp package.


Upgrade instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.



Nortel Telephony Server Denial of Service

2007-10-18 Thread daniel . stirnimann
##############################################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#
##############################################################################
#
# Product: Telephony Server
# Vendor:  Nortel
# Subject: Telephony Server Denial of Service
# Risk:    High
# Effect:  Currently exploitable
# Author:  Cyrill Brunschwiler (cyrill.brunschwiler (at) csnc (dot) ch)
# Date:    October 18th, 2007
#
##############################################################################


Introduction:

-

A malicious user who can send a flood of packets to specific E-LAN ports on the 
Telephony Server is able to crash the telephony application. The server needs 
to be rebooted to resume normal operation.


Nortel has noted this as:

Title:  Potential CS1000 DoS Vulnerability

Number: 2007008384

http://support.nortel.com/go/main.jsp?cscat=SECUREADVISORY



Vulnerable:

---

Communication Server 1000

and others.


See associated products on the Nortel advisory.


Vulnerability Management:

-

June 2007:Vulnerability found

June 2007:Nortel Security notified

October 2007: Nortel Advisory available

October 2007: Compass Security Information


Remediation:



Follow the recommended actions for the affected systems, as identified in the 
Nortel Advisory.


Reference:

http://www.csnc.ch/static/advisory/secadvisorylist.html


Latest web hacking incidents

2007-10-18 Thread Ofer Shezaf

Following are the latest addition to the Web Hacking Incidents Database
(WHID), a Web Application Security Consortium project. For further
information about the incidents including reference to further
information about each incident, refer to WHID's site at
http://www.webappsec.org/projects/whid/


WHID 2007-48: MSU investigating hacking incident
Reported: 17 October 2007
Occurred: 09 October 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown 

Information including birth date and social security number of 1400
students who enrolled online to the Montana State University has been
stolen by hackers. While no technical explanation is provided, the fact
that only students who enrolled online were affected points to a web
site breach.


WHID 2007-47: Commerce Bank, a US regional bank, hacked
Reported: 12 October 2007
Occurred: 10 October 2007
Incident Type: Security Breach
WASC Threat Classification: SQL Injection 

3,000 records were exposed and 20 actually stolen at Commerce Bank, a
small bank in Central USA. While the vulnerability exploited is not
clear, SQL injection was mentioned. Therefore the record is uncertain
and based on further information, it might be withdrawn.


WHID 2007-46: School Web site breached? Personal info of Pembroke
workers, volunteers accessible for months
Reported: 11 October 2007
Occurred: 02 October 2007
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization 

Personal information on anyone who worked or volunteered for the
Pembroke schools in the last four years was accessible via the Internet
because of a weakness in the district's computer system. The
information, including names, birth dates and Social Security numbers,
was available from May until Oct. 2, when school officials learned of
the problem.


WHID 2007-45: XSS flaw makes PM say: "I want to suck your blood"
Reported: 10 October 2007
Occurred: 09 October 2007
Incident Type: Security Breach
WASC Threat Classification: Cross-site Scripting 

Using XSS on the sites of both Australian major political parties a
security researcher nicknamed Bsoric caused the Liberal Party's Web site
to read: "John Howard says: I want to suck your blood", while another
script caused a window to pop up on the Labor Party's Web site, urging
viewers to "Vote Liberal!"

WHID 2007-44: Hacker Breaks Into eBay Server, Locks Users Out
Reported: 10 October 2007
Occurred: 06 October 2007
Incident Type: Security Breach
WASC Threat Classification: Other 

A hacker exploited a leftover admin function on eBay to block users and
close sales.


---
About WHID: The web hacking incident database (WHID) is a Web
Application Security Consortium project dedicated to maintaining a list
of web application related security incidents. 

The database is unique in tracking only media reported security
incidents that can be associated with a web application security
vulnerability. We also try to limit the database to targeted attacks
only. Please refer to the FAQ for further information on what you will
find and what you will not find in WHID.

WHID's goal is to serve as a tool for raising awareness of the web
application security problem and to provide information for statistical
analysis of web application security incidents. WHID has been featured
in Information Week and Slashdot.


Ofer Shezaf
[EMAIL PROTECTED], Phone:+972-9-9560036 #212, Cell: +972-54-4431119

CTO, Breach Security; 
Chair, OWASP Israel; 
Leader, ModSecurity Core Rule Set Project; 
Leader, WASC Web Hacking Incidents Database Project





Nortel IP Phone forced re-authentication

2007-10-18 Thread daniel . stirnimann
##############################################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#
##############################################################################
#
# Product: IP Phone
# Vendor:  Nortel
# Subject: IP Phone forced re-authentication
# Risk:    High
# Effect:  Currently exploitable
# Author:  Daniel Stirnimann (daniel.stirnimann (at) csnc (dot) ch)
# Date:    October 18th, 2007
#
##############################################################################


Introduction:

-

The UNIStim signaling protocol is vulnerable to spoofed 
re-authentication messages. A malicious user can send spoofed registration 
messages to the server to which a UNIStim IP phone is connected. This can force 
the legitimate IP phone into a situation where it must re-register with the 
server to maintain service. A continuous stream of these messages prevents 
the IP phone from properly registering.


Nortel has noted this as:

Title:  DoS Potential Vulnerability - UNIStim IP Phone Forced to Re-register

Number: 2007008385

http://support.nortel.com/go/main.jsp?cscat=SECUREADVISORY


Vulnerable:

---

Nortel IP Phone 1140E

IP Softphone 2050

and others.


See associated products on the Nortel advisory.


Vulnerability Management:

-

June 2007:Vulnerability found

June 2007:Nortel Security notified

October 2007: Nortel Advisory & Patches available

October 2007: Compass Security Information


Remediation:



Follow the recommended actions for the affected systems, as identified in the 
Nortel Advisory.


Technical Description:

--

A malicious user can send a resume message to the signaling server to which an 
IP phone is connected. The resume message is a UNIStim UDP datagram. In order 
for the signaling server to detect which IP phone wants to resume the 
connection it reads the source IP address from the UDP datagram to identify the 
client. That means we can send a spoofed resume UNIStim UDP datagram.


The server sends the new sequence number back to the IP phone. However, because 
we spoofed the above message, we don't see the response. The effect is that 
the IP phone is out of sync with the server. During this time, the IP phone 
cannot take or make any calls. As soon as the IP phone realizes that it is out 
of sync (watchdog timeout expired) it will re-authenticate against the 
signaling server. Note that if the malicious user continues to send spoofed 
resume messages, the hard phone will not be able to go online.


Reference:

http://www.csnc.ch/static/advisory/secadvisorylist.html


Nortel IP Phone Flooding Denial of Service

2007-10-18 Thread daniel . stirniman
##############################################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#
##############################################################################
#
# Product: IP Phone
# Vendor:  Nortel
# Subject: IP Phone Flooding Denial of Service
# Risk:    High
# Effect:  Currently exploitable
# Author:  Daniel Stirnimann (daniel.stirnimann (at) csnc (dot) ch)
# Date:    October 18th, 2007
#
##############################################################################


Introduction:

-

A malicious user who can send spoofed packets to an IP phone is able to freeze 
it. A potential victim does not recognize that his IP phone is offline until he 
tries to use it. Signs which make it obvious to the victim that his IP phone 
is not working are that he does not hear a line beep sound when trying to make 
a call or that the LCD display is not updated.


The attack uses valid UNIStim "Mute / UnMute" messages which are sent to the IP 
phone with a spoofed server source address.


Nortel has noted this as:

Title:  Potential DoS Vulnerability - IP Phone Freeze to Offline State

Number: 2007008386

http://support.nortel.com/go/main.jsp?cscat=SECUREADVISORY


Vulnerable:

---

Nortel IP Phone 1140E

IP Softphone 2050

and others.


See associated products on the Nortel advisory.


Vulnerability Management:

-

June 2007:Vulnerability found

June 2007:Nortel Security notified

October 2007: Nortel Advisory available

October 2007: Compass Security Information


Remediation:



Follow the recommended actions for the affected systems, as identified in the 
Nortel Advisory.


Technical Description:

--

Flooding an IP phone with valid UNIStim messages freezes the IP phone. The IP 
phone needs to be rebooted by pulling the power cord in order to work again.


The proof-of-concept code uses "Mute / UnMute" UNIStim messages. The ID number 
is increased sequentially from 1 to 65535. After the packets have been sent, 
the phone is frozen and cannot be used. The phone does not ring if its number 
is called and the LCD display is not updated.


Reference:

http://www.csnc.ch/static/advisory/secadvisorylist.html


Nortel IP Phone Surveillance Mode

2007-10-18 Thread daniel . stirnimann
##############################################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#
##############################################################################
#
# Product: IP Phone
# Vendor:  Nortel
# Subject: IP Phone Surveillance Mode
# Risk:    High
# Effect:  Currently exploitable
# Author:  Daniel Stirnimann (daniel.stirnimann (at) csnc (dot) ch)
# Date:    October 18th, 2007
#
##############################################################################


Introduction:

-

An IP phone can be put into surveillance mode if the correct UNIStim message is 
sent to the IP phone. The UNIStim message ID must match the expected ID between 
the signaling server and the IP phone. The protocol uses only 16 bits for the ID 
number. If a malicious user sends 65536 spoofed UNIStim messages with all 
possible ID numbers he is able to successfully launch this attack.


Nortel has noted this as:

Title:  UNIStim IP Phone Remote Eavesdrop Potential Vulnerability

Number: 2007008383

http://support.nortel.com/go/main.jsp?cscat=SECUREADVISORY


Vulnerable:

---

Nortel IP Phone 1140E

IP Softphone 2050

and others.


See associated products on the Nortel advisory.


Vulnerability Management:

-

June 2007:Vulnerability found

June 2007:Nortel Security notified

October 2007: Nortel Advisory & Patches available

October 2007: Compass Security Information


Remediation:



Follow the recommended actions for the affected systems, as identified in the 
Nortel Advisory.


Technical Description:

--

A malicious user sends n spoofed "Open Audio Stream" messages to an IP phone 
which he intends to put into surveillance mode. If the ID of the message 
matches the ID number between the signaling server and the IP phone, the 
message is accepted and the audio stream is opened to the host given in the 
"Open Audio Stream" message.


To increase the probability of exploiting this vulnerability the number of 
spoofed messages needs to be as close as possible to the maximum. The RUDP 
datagram uses a 32-bit field for the ID number. However, Nortel's implementation 
makes use of only 16 bits. That means if we send 65536 messages with 
different IDs we will hit the correct ID with 100% certainty. However, there is 
a small catch: if the number of spoofed messages is too high, the IP phone will 
crash and a manual reboot is required to bring it back online.


Reference:

http://www.csnc.ch/static/advisory/secadvisorylist.html


Nortel UNIStim IP Softphone Buffer-Overflow

2007-10-18 Thread daniel . stirnimann
##############################################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#
##############################################################################
#
# Product: IP Softphone
# Vendor:  Nortel
# Subject: UNIStim IP Softphone Buffer-Overflow
# Risk:    High
# Effect:  Currently not exploitable
# Author:  Cyrill Brunschwiler (cyrill.brunschwiler (at) csnc (dot) ch)
# Date:    October 18th, 2007
#
##############################################################################


Introduction:

-

Flooding a UNIStim IP Softphone on the RTCP port with garbage immediately 
results in a Microsoft Windows error message which is mostly caused by 
memory corruption (buffer overflow).

This vulnerability may be exploitable to gain user privileges on the client 
workstation and execute malicious commands or code.


Nortel has noted this as:

Title:  UNIStim IP Softphone - Potential Vulnerability Due to Buffer Overflow

Number: 2007008382

http://support.nortel.com/go/main.jsp?cscat=SECUREADVISORY


Vulnerable:

---

IP Softphone 2050


Vulnerability Management:

-

June 2007:Vulnerability found

June 2007:Nortel Security notified

October 2007: Nortel Advisory available

October 2007: Compass Security Information


Remediation:



According to Nortel the vulnerability is still under investigation.

The Nortel advisory will be reissued if the investigation results in new 
prevention information.


Reference:

http://www.csnc.ch/static/advisory/secadvisorylist.html


Microsoft Windows XP/2003 Macrovision SecDrv.sys privilege escalation (0day)

2007-10-18 Thread Reversemode

Hi,

Symantec researcher Elia Florio has warned, at the company's weblog
[1], of a 0day attack in Windows XP and 2003 that allows unprivileged
users to gain SYSTEM privileges via a buggy driver installed by default.

In his/her post, Elia brings us an important clue: "At the moment, it's
still not clear how the driver is used by Windows because this file does
not have the typical Microsoft file properties present in other Windows
system files". Such a file is not common, so looking for this sort of
.sys we come across a couple of them. One of those drivers is
*secdrv.sys*, which is developed by Macrovision as part of SafeDisc.
Mario Ballano (48bits.com) and I have been taking a look at the
driver and quickly found this interesting piece of code.

.text:00015E2C cmp [ebp+var_10], 0CA002813h
.text:00015E33 jz  short loc_15E69

As you can see the IOCTL is METHOD_NEITHER which is a potential
vulnerability by itself (few drivers are correctly handling this
method). Let's see whether this time is different...

.text:00015ED9 call    dword ptr [eax+10h]     ; Internal Dispatcher
.text:00015EDC mov     [ebp+var_1C], eax
.text:00015EDF cmp     [ebp+var_1C], 0Ah
.text:00015EE3 jz      short loc_15EFC
.text:00015EE5 mov     eax, [ebp+arg_4]
.text:00015EE8 mov     dword ptr [eax], 0C001h
.text:00015EEE mov     eax, [ebp+arg_4]
.text:00015EF1 and     dword ptr [eax+4], 0
.text:00015EF5 mov     eax, 0C001h
.text:00015EFA jmp     short loc_15F21
.text:00015EFC ; ---------------------------------------------------------------------------
.text:00015EFC
.text:00015EFC loc_15EFC:                              ; CODE XREF: sub_15E12+D1j
.text:00015EFC mov     ecx, [ebp+var_4]
.text:00015EFF mov     esi, [ebp+var_C]
.text:00015F02 mov     eax, [ebp+arg_0]
.text:00015F05 mov     edi, [eax+3Ch]          ; Input Buffer
.text:00015F08 mov     eax, ecx                ; Inline memcpy
.text:00015F0A shr     ecx, 2
.text:00015F0D rep movsd
.text:00015F0F mov     ecx, eax
.text:00015F11 and     ecx, 3
.text:00015F14 rep movsb

No luck. As you can see the buffer supplied by the user is not properly
checked so you can overwrite any address you wish, even kernel
addresses. Anyway, this piece of code is not very comfortable for
developing the exploit since it is overwriting the same buffer that is
used as input vector. The ideal situation would be bytes being copied
from the input buffer into the output buffer. Surprise, surprise...

.text:00015EFC ; ---------------------------------------------------------------------------
.text:00015EFC
.text:00015EFC loc_15EFC:                              ; CODE XREF: sub_15E12+D1j
.text:00015EFC mov     ecx, [ebp+var_4]
.text:00015EFF mov     esi, [ebp+var_C]        ; Input Buffer
.text:00015F02 mov     eax, [ebp+arg_0]
.text:00015F05 mov     edi, [eax+3Ch]          ; Output Buffer (Irp->UserBuffer)
.text:00015F08 mov     eax, ecx                ; Inline memcpy
.text:00015F0A shr     ecx, 2
.text:00015F0D rep movsd
.text:00015F0F mov     ecx, eax
.text:00015F11 and     ecx, 3
.text:00015F14 rep movsb

The first 4 DWORDs of the input buffer are copied into the output buffer
without any further validation. However, there is a restriction:
InputBuffer[1] should be a fixed value in order to reach this piece of
code. No problem. Take a look at the exploit code.

I've released a K-plugin for kartoffel that exploits this flaw on
Windows XP SP2 and 2003 (32-bit).

Download at http://kartoffel.reversemode.com/downloads.php.
*This K-plugin can only be used for personal study and research
purposes. Do not email me requesting shellcodes, customized exploit or
something like that*

References:

[1]http://www.symantec.com/enterprise/security_response/weblog/2007/10/privilege_escalation_exploit_i.html
[2]http://www.macrovision.com
[3]http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&task=show&action=view&id=43&Itemid=15
[4]http://blog.48bits.com/?p=172 (castilian)

Although there is no patch available at the moment, we are disclosing
this information since an exploit has been caught in the wild, so we see
no reason to hide information that can be useful for administrators and
researchers.

Regards,
Rubén.
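A user-mode model of the validation the listing lacks, added here as an illustration for both copies of this post and not code from secdrv.sys, kartoffel or the poster. dispatch_unchecked does what the listing does (check InputBuffer[1], then trust Irp->UserBuffer and copy the first 4 DWORDs of the input into it); dispatch_hardened adds what a METHOD_NEITHER handler owes its callers: length checks, a ProbeForRead/ProbeForWrite-style range check on both raw pointers, and a single fetch of the input. The status codes, the two arrays standing in for user and kernel memory, EXPECTED_IN1 and all sample values are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the NTSTATUS codes a dispatch routine returns. */
#define MODEL_SUCCESS           0x00000000u
#define MODEL_INVALID_PARAMETER 0xC000000Du
#define MODEL_BUFFER_TOO_SMALL  0xC0000023u
#define MODEL_ACCESS_VIOLATION  0xC0000005u

#define COPY_BYTES   16u      /* the "first 4 DWORDs" the listing copies */
#define EXPECTED_IN1 0x1234u  /* hypothetical: the post says InputBuffer[1] must be
                                 a fixed value but does not give it */
#define FILL_WORD    0xEEEEEEEEu

/* Model address space (constructed). The real ProbeForWrite compares the range
 * against MmUserProbeAddress; here the only user memory is g_user_region, and
 * g_kernel_region stands in for a kernel object an unchecked copy would clobber. */
static uint32_t g_user_region[64];    /* 256 bytes of "user" memory */
static uint32_t g_kernel_region[16];  /* 64 bytes of "kernel" memory */

/* A METHOD_NEITHER request: both pointers arrive raw from the caller, which is
 * exactly why the driver has to probe them itself. */
typedef struct {
    const void *type3_input_buffer;   /* Parameters.DeviceIoControl.Type3InputBuffer */
    uint32_t    input_length;         /* InputBufferLength */
    void       *user_buffer;          /* Irp->UserBuffer, offset 3Ch in the listing */
    uint32_t    output_length;        /* OutputBufferLength */
} ioctl_request_t;

void reset_model(void)
{
    for (size_t i = 0; i < 64; i++) g_user_region[i] = FILL_WORD;
    for (size_t i = 0; i < 16; i++) g_kernel_region[i] = FILL_WORD;
}

/* 1 if the first COPY_BYTES of the model kernel region were overwritten. */
int kernel_region_clobbered(void)
{
    for (size_t i = 0; i < COPY_BYTES / 4; i++)
        if (g_kernel_region[i] != FILL_WORD) return 1;
    return 0;
}

/* What the listing does: check InputBuffer[1], then trust Irp->UserBuffer. */
uint32_t dispatch_unchecked(const ioctl_request_t *req)
{
    const uint32_t *in = (const uint32_t *)req->type3_input_buffer;
    if (in[1] != EXPECTED_IN1)
        return MODEL_INVALID_PARAMETER;        /* the only check present */
    memcpy(req->user_buffer, in, COPY_BYTES);  /* destination never validated */
    return MODEL_SUCCESS;
}

/* Model of ProbeForRead/ProbeForWrite: the whole range must lie inside user
 * memory and the end address must not wrap. A real driver calls the probes
 * inside __try/__except, because they raise instead of returning. */
int probe_user_range(const void *p, size_t len)
{
    uintptr_t a  = (uintptr_t)p;
    uintptr_t lo = (uintptr_t)g_user_region;
    uintptr_t hi = lo + sizeof g_user_region;
    if (a + len < a) return 0;                 /* address arithmetic wrapped */
    return a >= lo && a + len <= hi;
}

/* Hardened dispatcher: check lengths, probe both buffers, and fetch the input
 * once so the value that is checked is the value that is used. */
uint32_t dispatch_hardened(const ioctl_request_t *req)
{
    uint32_t in[COPY_BYTES / 4];

    if (req->input_length < COPY_BYTES)
        return MODEL_INVALID_PARAMETER;
    if (!probe_user_range(req->type3_input_buffer, COPY_BYTES))
        return MODEL_ACCESS_VIOLATION;
    memcpy(in, req->type3_input_buffer, COPY_BYTES);   /* single fetch */
    if (in[1] != EXPECTED_IN1)
        return MODEL_INVALID_PARAMETER;

    if (req->output_length < COPY_BYTES)
        return MODEL_BUFFER_TOO_SMALL;
    if (!probe_user_range(req->user_buffer, COPY_BYTES))
        return MODEL_ACCESS_VIOLATION;                  /* kernel address refused */
    memcpy(req->user_buffer, in, COPY_BYTES);
    return MODEL_SUCCESS;
}

/* Build a request whose input sits at the start of user memory and whose
 * output pointer is whatever the caller chose (constructed sample values). */
ioctl_request_t make_request(void *output, uint32_t output_length)
{
    g_user_region[0] = 0xAAAAAAAAu;
    g_user_region[1] = EXPECTED_IN1;
    g_user_region[2] = 0xCCCCCCCCu;
    g_user_region[3] = 0xDDDDDDDDu;
    ioctl_request_t req = { g_user_region, COPY_BYTES, output, output_length };
    return req;
}
```

Pointing the output at g_kernel_region gets the copy through dispatch_unchecked and is refused by dispatch_hardened; an output that runs past the end of user memory, or a declared output length shorter than 16 bytes, is refused as well.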