iPhoneDbg Toolkit

2008-06-17 Thread Nicolas A. Economou

Hello!

We are proud to announce the release of the iPhoneDbg Toolkit, an effort
towards iPhone exploit development.

You can find it here:
http://oss.coresecurity.com/projects/iphonedbg.html.

- What is the iPhoneDbg Toolkit?

This set of tools will enable you to delve into iPhone Binary Reversing.

* The iPhone Debugger allows you to debug running or newly-created
native processes inside iPhone (iphonedbg).
* The Library Loader Patcher will allow to debug iPhone libraries
(dyld_patcher).
* You can also build a tunnel from your PC to your iPhone through
USB (iphone_tunnel.exe).

Thanks!
Nicolas (*)

Open Source Software
Core Security Technologies

-
(*) I am a semi-senior exploit writer at Core Security Technologies.
I've been working in computer security for 3 years and I am specialized
in Windows exploits, mostly, and the development of exploit writing
tools. I also developed some exploits for Linux and MacOS X.





fetchmail security announcement fetchmail-SA-2007-02 (CVE-2007-4565)

2008-06-17 Thread ma+bt
fetchmail-SA-2007-02: Crash when a local warning message is rejected

Topics: Crash when a fetchmail-generated warning message is rejected

Author:         Matthias Andree
Version:        1.1
Announced:      2007-08-28
Type:           NULL pointer dereference triggered by outside circumstances
Impact:         denial of service possible
Danger:         low
CVSS V2 vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:?/RL:O/RC:C)

Credits:        Earl Chew
CVE Name:       CVE-2007-4565
URL:            http://www.fetchmail.info/fetchmail-SA-2007-02.txt
Project URL:    http://www.fetchmail.info/

Affects:        fetchmail release < 6.3.9 exclusively

Not affected:   fetchmail release 6.3.9 and newer
                fetchmail releases < 4.6.8 exclusively

Corrected:      2007-07-29 fetchmail SVN (rev 5119)


0. Release history
==================

2007-07-29 1.0  first draft for MITRE/CVE (visible in SVN)
2007-08-28 1.1  reworked, added fix, official release


1. Background
=============

fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents.

fetchmail ships with a graphical, Python/Tkinter based configuration
utility named "fetchmailconf" to help the user create configuration (run
control) files for fetchmail.


2. Problem description and Impact
=================================

fetchmail will generate warning messages in certain circumstances and 
send them to the local postmaster or the user starting it. Such warning 
messages can be generated, for instance, if logging into an upstream 
server fails repeatedly or if messages beyond the size limit (if 
configured, default: no limit) are left on the server.

If this warning message is then refused by the SMTP listener that 
fetchmail is forwarding the message to, fetchmail attempts to 
dereference a NULL pointer when trying to find out if it should allow a 
bounce message to be sent.

This causes fetchmail to crash and not collect further messages until it 
is restarted.

Risk assessment: low. In default configuration, fetchmail will talk 
through the loopback interface, that means to the SMTP server on the same 
computer as it is running on. Otherwise, it will commonly be configured 
to talk to trusted SMTP servers, so a compromise or misconfiguration of 
a trusted or the same computer is required to exploit this problem - 
which usually opens up much easier ways of denying service, or worse.


3. Solution
===========

There are two alternatives, either of them by itself is sufficient:

a. Apply the patch found in section B of this announcement to fetchmail 6.3.8,
   recompile and reinstall it.

b. Install fetchmail 6.3.9 or newer when it becomes available.  The 
   fetchmail source code is available from 
   .

Note there are no workarounds presented here since all known workarounds 
are more intrusive than the actual solution.


A. Copyright, License and Warranty
==================================

(C) Copyright 2007 by Matthias Andree, <[EMAIL PROTECTED]>.
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs German License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
or send a letter to Creative Commons; 559 Nathan Abbott Way;
Stanford, California 94305; USA.

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.



B. Patch to remedy the problem
==============================

Index: sink.c
===
--- sink.c  (revision 5118)
+++ sink.c  (revision 5119)
@@ -262,7 +262,7 @@
 const char *md1 = "MAILER-DAEMON", *md2 = "MAILER-DAEMON@";
 
 /* don't bounce in reply to undeliverable bounces */
-if (!msg->return_path[0] ||
+if (!msg || !msg->return_path[0] ||
strcmp(msg->return_path, "<>") == 0 ||
strcasecmp(msg->return_path, md1) == 0 ||
strncasecmp(msg->return_path, md2, strlen(md2)) == 0)
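Review bot: the added `!msg ||` test stops the dereference, but the comment `/* don't bounce in reply to undeliverable bounces */` above it still only describes the return-path cases, so a later reader may take the NULL test for a defensive no-op and drop it. Extend the comment to say that `msg` is NULL when the rejected message is a fetchmail-generated warning rather than a fetched message (the case this advisory is about) and that such warnings are never bounced, e.g. `/* msg is NULL for locally generated warnings: never bounce those */`. Also confirm that nothing earlier in the function touches `msg` before this condition short-circuits, since the hunk shows only this one use.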

END OF fetchmail-SA-2007-02.txt


[ GLSA 200806-05 ] cbrPager: User-assisted execution of arbitrary code

2008-06-17 Thread Pierre-Yves Rofes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200806-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: cbrPager: User-assisted execution of arbitrary code
      Date: June 16, 2008
      Bugs: #223657
        ID: 200806-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Insecure filename usage in cbrPager may allow for the remote execution
of arbitrary code.

Background
==========

cbrPager is a comic book pager.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /  Vulnerable  /               Unaffected
    -------------------------------------------------------------------
  1  app-misc/cbrpager              < 0.9.17                  >= 0.9.17

Description
===========

Mamoru Tasaka discovered that filenames of the image archives are not
properly sanitized before being passed to decompression utilities like
unrar and unzip, which use the system() libc library call.

Impact
======

A remote attacker could entice a user to open an archive with a
specially crafted filename, resulting in arbitrary code execution with
the privileges of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All cbrPager users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-misc/cbrpager-0.9.17"

References
==========

  [ 1 ] CVE-2008-2575
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2575

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200806-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
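The bug class in the Description above, as an added example that is not cbrPager's code: a command line built with snprintf() for system() lets a crafted archive name break out of its quoting, whereas passing the name as one argv element through fork()/execvp() reaches the child unparsed. The helper names build_cmd_unsafe(), has_unquoted_semicolon(), run_argv() and argc_seen_by_child() and the constructed CRAFTED_NAME are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* A constructed archive name of the kind the advisory describes: the
 * embedded quote closes the "%s" quoting and the rest is read as shell
 * syntax. Nothing in this file executes it through a shell. */
static const char CRAFTED_NAME[] = "issue1\" ; echo injected ; \"x.cbr";

/* The vulnerable pattern: the name is spliced into a shell command string.
 * Returns 1 when the string fit, 0 on truncation. Shown for contrast only. */
int build_cmd_unsafe(char *out, size_t outsz, const char *archive)
{
    int n = snprintf(out, outsz, "unrar x \"%s\" /tmp/pages", archive);
    return n >= 0 && (size_t)n < outsz;
}

/* Does the built command contain a ';' outside double quotes, i.e. did the
 * name turn one command into several? (Simple scanner, no escape handling,
 * which is enough to show the breakout on the constructed input.) */
int has_unquoted_semicolon(const char *cmd)
{
    int quoted = 0;
    for (; *cmd; cmd++) {
        if (*cmd == '"')
            quoted = !quoted;
        else if (*cmd == ';' && !quoted)
            return 1;
    }
    return 0;
}

/* The hardened pattern: fork + execvp with an argument vector. No shell is
 * involved, so the archive name is one argv element whatever it contains.
 * Returns the child's exit status, or -1 if fork/wait/exec failed. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                  /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hands `archive` to a child exactly as a decompressor would receive it and
 * reports how many positional arguments the child saw; through execvp the
 * answer is 1 even for CRAFTED_NAME. (sh serves only as the counter here;
 * the name is an argument to it, never part of the -c script.) */
int argc_seen_by_child(const char *archive)
{
    char *argv[] = { "sh", "-c", "exit $#", "sh", (char *)archive, NULL };
    return run_argv(argv);
}
```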


fetchmail security announcement fetchmail-SA-2008-01 (CVE-2008-2711)

2008-06-17 Thread ma+bt
fetchmail-SA-2008-01: Crash on large log messages in verbose mode

Topics: Crash in large log messages in verbose mode.

Author:         Matthias Andree
Version:        1.0
Announced:      2008-06-17
Type:           Dereferencing garbage pointer triggered by outside circumstances
Impact:         denial of service possible
Danger:         low
CVSS V2 vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C)

Credits:        Petr Uzel (fix), Petr Cerny (analysis), Gunter Nau (bug report)
CVE Name:       CVE-2008-2711
URL:            http://www.fetchmail.info/fetchmail-SA-2008-01.txt
Project URL:    http://www.fetchmail.info/

Affects:        fetchmail release < 6.3.9 exclusively

Not affected:   fetchmail release 6.3.9 and newer
                systems without varargs (stdargs.h) support.

Corrected:      2008-06-13 fetchmail SVN (rev 5193)

References: 




0. Release history
==================

2008-06-13 1.0  first draft for MITRE/CVE (visible in SVN,
                posted to oss-security)
2008-06-17 1.0  published on http://www.fetchmail.info/


1. Background
=============

fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents.

fetchmail ships with a graphical, Python/Tkinter based configuration
utility named "fetchmailconf" to help the user create configuration (run
control) files for fetchmail.


2. Problem description and Impact
=================================

Gunter Nau reported fetchmail crashing on some messages; further
debugging by Petr Uzel and Petr Cerny at Novell/SUSE Czech Republic
dug up that this happened when fetchmail was trying to print, in -v -v
verbose level, headers exceeding 2048 bytes. In this situation,
fetchmail would resize the buffer and fill in further parts of the
message, but forget to reinitialize its va_list typed source pointer,
thus reading data from a garbage address found on the stack at
addresses above the function arguments the caller passed in; usually
that would be the caller's stack frame.

It is unknown whether code can be injected remotely, but given that
the segmentation fault is caused by read accesses, the relevant data
is not under the remote attacker's control and no buffer overrun
situation is present that would allow altering program /flow/, it is
deemed rather unlikely that code can be injected.

Note that the required -vv configuration at hand is both non-default
and also not common in automated (cron job) setups, but usually used
in manual debugging, so not many systems would be affected by the
problem. Nonetheless, in vulnerable configurations, it is remotely
exploitable to effect a denial of service attack.



3. Solution
===========

There are two alternatives, either of them by itself is sufficient:

a. Apply the patch found in section B of this announcement to
   fetchmail 6.3.8, recompile and reinstall it.

b. Install fetchmail 6.3.9 or newer once it becomes available.
   The fetchmail source code is always available from
   .


4. Workaround
=============

Run fetchmail at low verbosity, avoid using two or three -v arguments;
internal messages are short and do not contain external message
sources so they do not cause buffer resizing. It is recommended to
replace the vulnerable code by a fixed version (see previous
section 3. Solution) as soon as reasonably possible.


A. Copyright, License and Warranty
==================================

(C) Copyright 2008 by Matthias Andree, <[EMAIL PROTECTED]>.
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs German License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
or send a letter to Creative Commons; 559 Nathan Abbott Way;
Stanford, California 94305; USA.

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.



B. Patch to remedy the problem
==============================

diff --git a/report.c b/report.c
index 31d4e48..2a731ac 100644
--- a/report.c
+++ b/report.c
@@ -238,11 +238,17 @@ report_build (FILE *errfp, message, va_alist)
 rep_ensuresize();
 
 #if defined(VA_START)
-VA_START (args, message);
 for ( ; ; )
 {
+   /*
+* args has to be initialized before every call of vsnprintf(), 
+* because vsnprintf() invokes va_arg macro and thus args is 
+* undefined after the call.
+*/
+   VA_START(args, message);
n = vsnprintf (partial_message + partial_message_size_used, 
partial_message_size - partial_message_size_used,
   message, args);
+   va_end (args);
 
if (n >= 0
&& (unsigned)n < partial_message_
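Review bot: re-running `VA_START(args, message)` at the top of every iteration and closing it with `va_end (args)` right after `vsnprintf()` is the right repair, because vsnprintf() leaves the va_list it consumed in an indeterminate state, which is exactly what the advisory describes after a buffer resize. Two follow-ups on this hunk: the pre-loop `VA_START` was removed, so make sure its original matching `va_end` further down (outside the visible lines) was removed as well, otherwise the function now ends a list that was already ended; and the hunk is cut off after `partial_message_`, so the retry condition that decides whether the loop goes round again cannot be reviewed here.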

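The defect class described in section 2 of the advisory above, as an added example that is not fetchmail's code: a growing-buffer formatter (hypothetical helpers fmt_grow_v(), fmt_grow() and sample_header()) that takes a fresh copy of its va_list before every vsnprintf() call, so the resize-and-retry path never walks a consumed list the way the pre-5193 report_build() did.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format into a heap buffer that starts at `initial` bytes (deliberately
 * small in the tests so the resize path is exercised) and grows until the
 * whole output fits. Returns a malloc'ed string, or NULL on failure. */
static char *fmt_grow_v(size_t initial, const char *fmt, va_list ap)
{
    size_t size = initial ? initial : 1;
    char *buf = malloc(size);
    if (!buf)
        return NULL;

    for (;;) {
        va_list ap_copy;
        /* vsnprintf() consumes the va_list it is handed; afterwards its
         * value is indeterminate. Taking a fresh copy each iteration is the
         * fix. The fetchmail bug was the opposite: one va_start before the
         * loop, then the same list reused after a resize, which walked off
         * the real arguments into whatever lay above them on the stack. */
        va_copy(ap_copy, ap);
        int n = vsnprintf(buf, size, fmt, ap_copy);
        va_end(ap_copy);

        if (n < 0) {               /* encoding or format error */
            free(buf);
            return NULL;
        }
        if ((size_t)n < size)      /* fit, including the terminating NUL */
            return buf;

        size = (size_t)n + 1;      /* grow to exactly what is needed, retry */
        char *tmp = realloc(buf, size);
        if (!tmp) {
            free(buf);
            return NULL;
        }
        buf = tmp;
    }
}

char *fmt_grow(size_t initial, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    char *out = fmt_grow_v(initial, fmt, ap);
    va_end(ap);
    return out;
}

/* A constructed header line well past a small initial buffer, standing in
 * for the >2048-byte headers that triggered the crash at -v -v. */
const char *sample_header(void)
{
    return "Received: from mx.example.invalid (constructed sample) by "
           "localhost with ESMTP; Tue, 17 Jun 2008 12:00:00 +0000";
}
```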
S21SEC-044-en:OpenDocMan Cross Site Scripting (XSS)

2008-06-17 Thread S21sec labs
##

 - S21Sec Advisory -

##

      Title:  OpenDocMan Cross Site Scripting (XSS)
         ID:  S21sec-044-en
   Severity:  Low
    History:  15.Apr.2008 Vulnerability discovered
              16.Apr.2008 Vendor contacted
              27.May.2008 Patch available
      Scope:  Cross Site Scripting XSS
  Platforms:  Any
     Author:  Sergi Roselló ([EMAIL PROTECTED])
        URL:  http://www.s21sec.com/avisos/s21sec-044-en.txt
    Release:  Public


[ SUMMARY ]

OpenDocMan is a free document management system (DMS) designed to
comply with ISO 17025 and OIE standard for document management. It
features web based access, fine grained control of access to files,
and automated install and upgrades.


[ AFFECTED VERSIONS ]

This vulnerability has been tested in version v1.2.5 (March, 2nd 2007).


[ DESCRIPTION ]

Insufficient input validation allows code injection through the
parameter 'last_message'. Example:
http://server/opendocman-1.2.5/out.php?last_message=%3Cscript%3Ealert(document.cookie)%3C/script%3E


[ WORKAROUND ]

There is a patch available at the following URL:
https://sourceforge.net/tracker/index.php?func=detail&aid=1975163&group_id=69505&atid=524753


[ ACKNOWLEDGMENTS ]

This vulnerability has been found and researched by:

- Sergi Roselló <[EMAIL PROTECTED]> S21sec


[ REFERENCES ]

* OpenDocman
  http://opendocman.com/

* S21sec
   http://www.s21sec.com

* S21sec Blog
   http://blog.s21sec.com



Server freezed in Skulltag 0.97d2-RC2

2008-06-17 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Skulltag
              http://www.skulltag.com
Versions:     <= 0.97d2-RC2
Platforms:    Windows, Linux and FreeBSD
Bug:          loop during the parsing of the packets
Exploitation: remote, versus server
Date:         16 Jun 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===============
1) Introduction
===============


Skulltag is a port of the original Doom mainly focused on multiplayer
gaming.


###

======
2) Bug
======


Skulltag is affected by a problem in the parsing of some packets with
the result of freezing the entire server for some seconds through the
sending of a single big malformed packet which is parsed multiple
times.
This Denial of Service can be made endless using multiple malformed
packets at regular intervals.


###

===========
3) The Code
===========


http://aluigi.org/poc/skulltagloop.zip


###

======
4) Fix
======


Version 0.97d2-RC3


###


--- 
Luigi Auriemma
http://aluigi.org


[ GLSA 200806-06 ] Evolution: User-assisted execution of arbitrary code

2008-06-17 Thread Pierre-Yves Rofes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200806-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Evolution: User-assisted execution of arbitrary code
      Date: June 16, 2008
      Bugs: #223963
        ID: 200806-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in Evolution may allow for user-assisted
execution of arbitrary code.

Background
==========

Evolution is the mail client of the GNOME desktop environment.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /  Vulnerable  /               Unaffected
    -------------------------------------------------------------------
  1  mail-client/evolution      < 2.12.3-r2               >= 2.12.3-r2

Description
===========

Alin Rad Pop (Secunia Research) reported two vulnerabilities in
Evolution:

* A boundary error exists when parsing overly long timezone strings
  contained within iCalendar attachments and when the ITip formatter is
  disabled (CVE-2008-1108).

* A boundary error exists when replying to an iCalendar request with
  an overly long "DESCRIPTION" property while in calendar view
  (CVE-2008-1109).

Impact
======

A remote attacker could entice a user to open a specially crafted
iCalendar attachment, resulting in the execution of arbitrary code with
the privileges of the user running Evolution.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Evolution users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=mail-client/evolution-2.12.3-r2"

References
==========

  [ 1 ] CVE-2008-1108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1108
  [ 2 ] CVE-2008-1109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1109

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200806-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


Hacking Coffee Makers.

2008-06-17 Thread Craig Wright

Hi All,
I have a Jura F90 Coffee maker with the Jura Internet Connection Kit. The idea 
is to:

"Enable the Jura Impressa F90 to communicate with the Internet, via a PC.
Download parameters to configure your espresso machine to your own personal 
taste.
If there's a problem, the engineers can run diagnostic tests and advise on the 
solution without your machine ever leaving the kitchen."

Guess what - it can not be patched as far as I can tell ;) It also has a few 
software vulnerabilities.

Fun things you can do with a Jura coffee maker:
1. Change the preset coffee settings (make weak or strong coffee)
2. Change the amount of water per cup (say 300ml for a short black) and make a 
puddle
3. Break it by engineering settings that are not compatible (and making it 
require a service)

The connectivity kit uses the connectivity of the PC it is running on to 
connect the coffee machine to the internet. This allows a remote coffee machine 
"engineer" to diagnose any problems and to remotely do a preliminary service.

Best yet, the software allows a remote attacker to gain access to the Windows 
XP system it is running on at the level of the user.

Compromise by Coffee.

Regards,
Craig Wright GSE-Compliance

Craig Wright
Manager, Risk Advisory Services

Direct : +61 2 9286 5497
[EMAIL PROTECTED]
+61 417 683 914

BDO Kendalls (NSW-VIC) Pty. Ltd.
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
http://www.bdo.com.au/





NULL pointer in the HTTP/XML-RPC service of Crysis 1.21

2008-06-17 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Crysis
              http://www.ea.com/crysis/home.jsp
Versions:     <= 1.21 (1.1.1.6156 showed as gamever)
Platforms:    Windows
Bug:          NULL pointer in the HTTP/XML-RPC service
Exploitation: remote, versus server
Date:         16 Jun 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===============
1) Introduction
===============


Crysis is a recent FPS game developed by Crytek (http://www.crytek.com)
and released in November 2007.
This game is well known for being a "computer killer" due to its high
hardware requirements but also for having various problems with
cheaters.


###

======
2) Bug
======


Crysis has a small internal HTTP/XML-RPC server which must be activated
with the http_startserver command (manually or through server.cfg) and
allows to receive rcon commands.

This service works on port 80 if no port is specified but usually the
admins choose a custom port or just the same of the game (64087, the
service is easily distinguishable due to the "Bad Request" title
visible with a web browser).

If an attacker uses an HTTP request with a total length greater than
4096 bytes, the server will crash due to a NULL pointer.


###

===========
3) The Code
===========


http://aluigi.org/poc/dontcrysis.txt

  nc SERVER HTTPPORT -v -v < dontcrysis.txt


###

======
4) Fix
======


No fix


###


--- 
Luigi Auriemma
http://aluigi.org