CA20101209-01: Security Notice for CA XOsoft
Issued: December 9, 2010

CA Technologies support is alerting customers to a security risk with CA XOsoft. A vulnerability exists that can allow a remote attacker to execute arbitrary code. CA has issued a patch to address the vulnerability for each affected release.

The vulnerability, CVE-2010-3984, is due to insufficient bounds checking with a SOAP request. A remote attacker can make a SOAP request to cause a buffer overflow and potentially compromise the system.

Risk Rating: High
Platform: Windows

Affected Products:
  CA XOsoft Replication r12.0 sp1
  CA XOsoft High Availability r12.0 sp1
  CA XOsoft Content Distribution r12.0 sp1
  CA XOsoft Replication r12.5 sp2 rollup
  CA XOsoft High Availability r12.5 sp2 rollup
  CA XOsoft Content Distribution r12.5 sp2 rollup
  CA ARCserve Replication and High Availability r15.0 sp1

Non-Affected Products:
  CA ARCserve Replication and High Availability r15.2

How to determine if the installation is affected:
1. Using Windows Explorer, locate the file "mng_core_com.dll". By default in r12.0 and r12.5, the file is located in the "C:\Program Files\CA\XOsoft\Manager" directory. For r15.0 sp1, the file is located in the "C:\Program Files\CA\ARCserve RHA\Manager" directory.
2. Right click on the file and select Properties.
3. Select the General tab.
4. If the file timestamp is earlier than indicated in the below table, the installation is vulnerable.

  Product                 File Name          Timestamp    File Size
  XOsoft 12.0 sp1         mng_core_com.dll   10/09/2010   2,007,040 bytes
  XOsoft 12.5 sp2 rollup  mng_core_com.dll   10/13/2010   2,396,160 bytes
  ARCserve RHA 15.0 sp1   mng_core_com.dll   10/13/2010   2,990,080 bytes

Solution:
CA issued the following patch to address the vulnerability.
  CA ARCserve Replication and High Availability r15.0 sp1: RO24455
  CA XOsoft Replication r12.5 sp2 rollup, CA XOsoft High Availability r12.5 sp2 rollup, CA XOsoft Content Distribution r12.5 sp2 rollup: RO24313
  CA XOsoft Replication r12.0 sp1, CA XOsoft High Availability r12.0 sp1, CA XOsoft Content Distribution r12.0 sp1: RO24314

References:
  CVE-2010-3984 - XOsoft buffer overflow
  CA20101209-01: Security Notice for CA XOsoft
  https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=%7bFEB41CE8-5023-46DF-B257-5299F492BF23%7d

Acknowledgement:
  CVE-2010-3984 - AbdulAziz Hariri through the TippingPoint ZDI program

Change History:
  Version 1.0: Initial Release

If additional information is required, please contact CA Technologies Support at http://support.ca.com/.

If you discover a vulnerability in a CA Technologies product, please report your findings to the CA Technologies Product Vulnerability Response Team.
http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx

Kevin Kotas
CA Technologies Product Vulnerability Response Team
Firefox 3.6.13 pseudo-URL SOP check bug (CVE-2010-3774)
Hi folks,

Firefox 3.6.13 fixes an interesting bug in their same-origin policy logic for pseudo-URLs that do not have any inherent origin associated with them. These documents are normally expected to inherit the context from their parent, or be assigned a unique one. This didn't work as expected in Firefox, apparently due to a code refactoring in 2008.

The vulnerability permits malicious websites to access and modify the contents of special pages such as about:neterror or about:config, which has consequences ranging from content spoofing to complete subversion of the browser security model.

More info: http://lcamtuf.blogspot.com/2010/12/firefox-3613-damn-you-corner-cases.html

Whimsical PoC: http://lcamtuf.coredump.cx/ffabout/

PS. I posted a couple of probably interesting browser security write-ups on my blog recently, recapping the status quo in areas such as HTTP cookie security. Some readers might find them interesting / useful - say: http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html

Cheers,
/mz
Re: [Full-disclosure] Linux kernel exploit
$ ./nelson
[*] Failed to open file descriptors.
$ uname -r
2.6.35.6-48.fc14.x86_64
$ cat /etc/redhat-release
Fedora release 14 (Laughlin)

But I updated a couple of days ago.

--
Best regards,
Vadim
[ MDVSA-2010:250 ] perl-CGI-Simple
Mandriva Linux Security Advisory MDVSA-2010:250
http://www.mandriva.com/security/

Package : perl-CGI-Simple
Date: December 9, 2010
Affected: Corporate 4.0, Enterprise Server 5.0

Problem Description:

A vulnerability was discovered and corrected in perl-CGI-Simple:

The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input that contains this value, a different vulnerability than CVE-2010-3172 (CVE-2010-2761).

The updated packages have been patched to correct this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2761

Updated Packages:

Corporate 4.0:
b2e5ffba685cf732133e42fe1b82791d  corporate/4.0/i586/perl-CGI-Simple-0.077-1.1.20060mlcs4.noarch.rpm
e37ee0869e2fd9f4e875354edca20c6f  corporate/4.0/SRPMS/perl-CGI-Simple-0.077-1.1.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
5231722e821a5478827e17293dd0836b  corporate/4.0/x86_64/perl-CGI-Simple-0.077-1.1.20060mlcs4.noarch.rpm
e37ee0869e2fd9f4e875354edca20c6f  corporate/4.0/SRPMS/perl-CGI-Simple-0.077-1.1.20060mlcs4.src.rpm

Mandriva Enterprise Server 5:
04f4b7381ba21a1ba14845a06b680fb1  mes5/i586/perl-CGI-Simple-1.1-4.1mdvmes5.1.noarch.rpm
15d6dc30e4dbf78a7371c1715386f552  mes5/SRPMS/perl-CGI-Simple-1.1-4.1mdvmes5.1.src.rpm

Mandriva Enterprise Server 5/X86_64:
bf81ab1b1798bb141b74c6f8e6d59630  mes5/x86_64/perl-CGI-Simple-1.1-4.1mdvmes5.1.noarch.rpm
15d6dc30e4dbf78a7371c1715386f552  mes5/SRPMS/perl-CGI-Simple-1.1-4.1mdvmes5.1.src.rpm

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security.

You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com

Type  Bits/KeyID      Date        User ID
pub   1024D/22458A98  2000-07-10  Mandriva Security Team
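As an added illustration of the boundary problem the advisory describes (example code written here, not CGI.pm or CGI::Simple code; the boundary value, function names and sample input are constructed), the vulnerable fixed-boundary pattern beside a per-response boundary that is also checked against the part bodies:

```python
import secrets

# Added example (not CGI.pm / CGI::Simple code): a toy emitter of
# multipart/x-mixed-replace output showing why a hardcoded boundary lets
# echoed input terminate a part early and start headers of its own, and
# how an unpredictable, checked boundary removes that. All values below
# are constructed for the example.

CRLF = "\r\n"
HARDCODED_BOUNDARY = "=_fixed_boundary_0"   # constructed stand-in for a constant boundary


def build_multipart(boundary, parts):
    """Serialise part bodies as a multipart/x-mixed-replace stream."""
    out = ['Content-Type: multipart/x-mixed-replace;boundary="%s"' % boundary, CRLF, CRLF]
    for body in parts:
        out += ["--", boundary, CRLF, "Content-Type: text/html", CRLF, CRLF, body, CRLF]
    out += ["--", boundary, "--", CRLF]
    return "".join(out)


def boundary_is_safe(boundary, parts):
    """A boundary is only safe if no part body can reproduce it."""
    return all(boundary not in body for body in parts)


def multipart_hardcoded(parts):
    """Vulnerable pattern: every response uses the same public boundary."""
    return build_multipart(HARDCODED_BOUNDARY, parts)


def multipart_random(parts, boundary=None):
    """Hardened pattern: fresh unpredictable boundary per response, and the
    bodies are still checked against it before serialising."""
    boundary = boundary or "=_" + secrets.token_hex(16)
    if not boundary_is_safe(boundary, parts):
        raise ValueError("part body contains the MIME boundary")
    return build_multipart(boundary, parts)


def count_parts(stream):
    """Parse the stream the way a client would: take the boundary from the
    Content-Type line and count the part delimiters it introduces."""
    header, _, body = stream.partition(CRLF + CRLF)
    boundary = header.split('boundary="', 1)[1].rstrip('"')
    return body.count("--" + boundary + CRLF)


# Constructed untrusted input that happens to contain the public boundary
# followed by headers of its own; echoed into a part it becomes a second part.
ECHOED_INPUT = ("hello" + CRLF + "--" + HARDCODED_BOUNDARY + CRLF
                + "Content-Type: text/plain" + CRLF + CRLF + "extra")
```

With the hardcoded boundary `count_parts` sees two parts for a single echoed body; with the random boundary it sees one, and a body that did contain the boundary is rejected before serialising.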
Follow-up on HTTP Parameter Pollution
Hi all,

I have just blogged about research we recently did on HTTP Parameter Pollution [1]. I would like to share it with you.

HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.

To the best of our knowledge, no tools have been presented to date for the detection of this sort of vulnerability and no studies have been published on the topic. The most effective means of discovering HPP vulnerabilities in websites is via manual inspection. At the same time, it is unclear how common and significant a threat HPP vulnerabilities are in existing web applications.

We, therefore, decided to dig deeper into the detection problem and create the first automated system for the detection of HPP vulnerabilities in web applications. We then tested more than 5,000 popular web sites (taken from Alexa) and we discovered that 1499 of them contained at least one vulnerable page. That is, the tool was able to automatically inject an encoded parameter inside one of the existing parameters, and was then able to verify that its URL-decoded version was included in one of the URLs (links or forms) of the resulting page.

The problems we identified affected many important and well-known websites (e.g., Microsoft, Google, Symantec, Paypal, Facebook, etc.). After we notified them, we had the problems acknowledged and some patched.

We have now come online with a free service to test web applications (called PAPAS) and the PDF of the paper - link is below.

Cheers.
[1] http://blog.iseclab.org/2010/12/08/http-parameter-pollution-so-how-many-flawed-applications-exist-out-there-we-go-online-with-a-new-service/ -- bash$ :(){ :|:&};: Computer Science belongs to all Humanity! Icq uin: #48790142 - PGP Key www.madlab.it/pgpkey/embyte.asc Fingerprint 103E F38A 9263 57BB B842 BC92 6B2D ABFC D03F 01AA)
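The mechanism the post describes, as an added example that is not part of the original post and not PAPAS code: a toy page that rebuilds its own "next page" link from the query string, in a vulnerable and a hardened variant, plus the self-check of injecting an encoded delimiter into an existing parameter and looking for its decoded form as a separate parameter in the resulting links (the /search path, function names and the marker parameter are all constructed):

```python
import re
from urllib.parse import parse_qs, urlencode

# Added example (not PAPAS or any real site's code). The vulnerable renderer
# concatenates an already URL-decoded value back into a link, so an injected
# '%26hppx%3D1' becomes a second parameter in the generated URL; the hardened
# renderer re-encodes every value. polluted_links() is the check the post
# describes, here run against your own page renderers.

def render_vulnerable(query):
    """Decoded value pasted straight into the link (vulnerable pattern)."""
    q = parse_qs(query).get("q", [""])[0]
    return '<a href="/search?q=%s&page=2">next</a>' % q

def render_hardened(query):
    """Every value re-encoded with urlencode: '&' stays '%26' in the link."""
    q = parse_qs(query).get("q", [""])[0]
    return '<a href="/search?%s">next</a>' % urlencode({"q": q, "page": "2"})

HREF_RE = re.compile(r'(?:href|action)="([^"]*)"')   # simplified link extraction

def polluted_links(render, base_query, param, marker="hppx"):
    """Append an encoded '&marker=1' to param, render the page, and return
    the links in which marker shows up as a parameter of its own."""
    values = parse_qs(base_query)
    values[param] = [values.get(param, [""])[0] + "&%s=1" % marker]
    injected_query = urlencode(values, doseq=True)   # '&' -> '%26', '=' -> '%3D'
    page = render(injected_query)
    hits = []
    for href in HREF_RE.findall(page):
        link_query = href.partition("?")[2]
        if marker in parse_qs(link_query):           # decoded delimiter took effect
            hits.append(href)
    return hits

if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(name, polluted_links(render, "q=shoes&page=1", "q"))
```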
www.eVuln.com : Non-persistent XSS in WWWThreads (perl version)
www.eVuln.com advisory: Non-persistent XSS in WWWThreads (perl version)
Summary: http://evuln.com/vulns/157/summary.html
Details: http://evuln.com/vulns/157/description.html

---Summary---
eVuln ID: EV0157
Software: n/a
Vendor: WWWThreads
Version: v5.0.8 Pro (perl version)
Critical Level: low
Type: Cross Site Scripting
Status: Unpatched. No reply from developer(s)
PoC: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )

---Description---
It is possible to inject XSS code into the "view" parameter of the showflat.pl script. The "view" parameter is not sanitized before being used in HTML code.

---PoC/Exploit---
PoC code is available at: http://evuln.com/vulns/157/exploit.html

---Solution---
Not available

---Credit---
Vulnerability discovered by Aliaksandr Hartsuyeu

http://evuln.com/malicious-site.html - recent eVuln article
Re: [Full-disclosure] Linux kernel exploit
Debian lenny:

nik...@sandbox:~$ uname -a
Linux sandbox 2.6.26-2-amd64 #1 SMP Thu Sep 16 15:56:38 UTC 2010 x86_64 GNU/Linux
nik...@sandbox:~$ make full-nelson
cc full-nelson.c -o full-nelson
nik...@sandbox:~$ ./full-nelson
[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xa01d319b
[+] Resolved econet_ops to 0xa01d41e0
[*] Failed to resolve kernel symbols.

On Wed, 2010-12-08 at 00:44 +0300, Kai wrote:
> Anyone tested this in sandbox yet?
>
> 00:37 linups:../expl/kernel > cat /etc/*release*
> openSUSE 11.3 (i586)
> VERSION = 11.3
> 00:37 linups:../expl/kernel > uname -r
> 2.6.34.4-0.1-desktop
> 00:37 linups:../expl/kernel > gcc _2.6.37.local.c -o test
> 00:37 linups:../expl/kernel > ./test
> [*] Failed to open file descriptors.
RE: [Full-disclosure] Linux kernel exploit
> I've included here a proof-of-concept local privilege escalation exploit
> for Linux. Please read the header for an explanation of what's going
> on. Without further ado, I present full-nelson.c:

Hello Dan,

Is this exploitation not mitigated by best practice defense-in-depth strategies such as preventing the CAP_SYS_MODULE capability or '/sbin/sysctl -w kernel.modules_disabled=1' respectively? It seems it'd certainly stop the Econet/Acorn issue. Curious to hear your input as I fear too many rely solely on errata updates and not a good defense-in-depth approach.

> Happy hacking,
> Dan

Cheers,
John Jacobs
[security bulletin] HPSBUX02612 SSRT100345 rev.1 - HP-UX Apache-based Web Server, Local Information Disclosure, Increase of Privilege, Remote Denial of Service (DoS)
SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02579879
Version: 1

HPSBUX02612 SSRT100345 rev.1 - HP-UX Apache-based Web Server, Local Information Disclosure, Increase of Privilege, Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2010-12-07
Last Updated: 2010-12-06

Potential Security Impact: Local information disclosure, increase of privilege, remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX Apache-based Web Server. These vulnerabilities could be exploited locally to disclose information, increase privilege or remotely create a Denial of Service (DoS).

References: CVE-2010-1452, CVE-2009-1956, CVE-2009-1955, CVE-2009-1891, CVE-2009-1890, CVE-2009-1195, CVE-2009-0023, CVE-2007-6203, CVE-2006-3918

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23 and B.11.31 running Apache-based Web Server prior to v2.0.63.01

Note: HP-UX Apache-based Web Server v2.0.63.01 is contained in HP-UX Web Server Suite v.2.32

BACKGROUND

CVSS 2.0 Base Metrics

  Reference      Base Vector                    Base Score
  CVE-2010-1452  (AV:N/AC:L/Au:N/C:N/I:N/A:P)   5.0
  CVE-2009-1956  (AV:N/AC:L/Au:N/C:P/I:N/A:P)   6.4
  CVE-2009-1955  (AV:N/AC:L/Au:N/C:N/I:N/A:C)   7.8
  CVE-2009-1891  (AV:N/AC:M/Au:N/C:N/I:N/A:P)   4.3
  CVE-2009-1890  (AV:N/AC:L/Au:N/C:N/I:N/A:P)   5.0
  CVE-2009-1195  (AV:L/AC:L/Au:N/C:N/I:N/A:C)   4.9
  CVE-2009-0023  (AV:N/AC:M/Au:N/C:N/I:N/A:P)   4.3
  CVE-2007-6203  (AV:N/AC:M/Au:N/C:N/I:P/A:N)   4.3
  CVE-2006-3918  (AV:N/AC:M/Au:N/C:N/I:P/A:N)   4.3

Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION
HP has provided the following software updates to resolve the vulnerabilities. The updates are available for download from http://software.hp.com

Note: HP-UX Web Server Suite v.2.32 contains HP-UX Apache-based Web Server v2.0.63.01

Web Server Suite Version / Apache Depot name
HP-UX Web Server Suite v.2.32
  HP-UX 11i PA-RISC with IPv6
  HP-UX 11i version 2 PA-RISC/IPF 64-bit
  HP-UX 11i version 2 PA-RISC/IPF 32-bit
  HP-UX 11i version 3 PA-RISC/IPF 64-bit
  HP-UX 11i version 3 PA-RISC/IPF 32-bit

MANUAL ACTIONS: Yes - Update
Install Apache-based Web Server v2.0.63.01 or subsequent.

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

HP-UX Web Server Suite v2.32

HP-UX B.11.11
==
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
action: install revision B.2.0.63.01 or subsequent

HP-UX B.11.23
==
hpuxwsAPCH32.APACHE
hpuxwsAPCH32.APACHE2
hpuxwsAPCH32.AUTH_LDAP
hpuxwsAPCH32.AUTH_LDAP2
hpuxwsAPCH32.MOD_JK
hpuxwsAPCH32.MOD_JK2
hpuxwsAPCH32.MOD_PERL
hpuxwsAPCH32.MOD_PERL2
hpuxwsAPCH32.PHP
hpuxwsAPCH32.PHP2
hpuxwsAPCH32.WEBPROXY
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
action: install revision B.2.0.63.01 or subsequent

HP-UX B.11.31
==
hpuxwsAPCH32.APACHE
hpuxwsAPCH32.APACHE2
hpuxwsAPCH32.AUTH_LDAP
hpuxwsAPCH32.AUTH_LDAP2
hpuxwsAPCH32.MOD_JK
hpuxwsAPCH32.MOD_JK2
hpuxwsAPCH32.MOD_PERL
hpuxwsAPCH32.MOD_PERL2
hpuxwsAPCH32.PHP
hpuxwsAPCH32.PHP2
hpuxwsAPCH32.WEBPROXY
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
action: install revision B.2.0.63.01 or subsequent

END AFFECTED VERSIONS

HISTORY
Version:1 (rev.1) - 7 December 2010 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact norma
Google Website Optimizer security issue reportedly fixed
Google has acknowledged information about fixed versions of Website Optimizer control scripts. A potential XSS was reported by an unnamed person.

More details at http://websiteoptimizer.blogspot.com/2010/12/update-your-website-optimizer-scripts.html including a link to the Help Center page with update instructions.

Juha-Matti