CA20101209-01: Security Notice for CA XOsoft

2010-12-09 Thread Kotas, Kevin J
-----BEGIN PGP SIGNED MESSAGE-----

CA20101209-01: Security Notice for CA XOsoft

Issued: December 9, 2010

CA Technologies support is alerting customers to a security risk with
CA XOsoft. A vulnerability exists that can allow a remote attacker to
execute arbitrary code.  CA has issued a patch to address the
vulnerability for each affected release.

The vulnerability, CVE-2010-3984, is due to insufficient bounds
checking with a SOAP request. A remote attacker can make a SOAP
request to cause a buffer overflow and potentially compromise the
system.

Risk Rating

High

Platform

Windows

Affected Products

CA XOsoft Replication r12.0 sp1
CA XOsoft High Availability r12.0 sp1
CA XOsoft Content Distribution r12.0 sp1
CA XOsoft Replication r12.5 sp2 rollup
CA XOsoft High Availability r12.5 sp2 rollup
CA XOsoft Content Distribution r12.5 sp2 rollup
CA ARCserve Replication and High Availability r15.0 sp1

Non-Affected Products

CA ARCserve Replication and High Availability r15.2

How to determine if the installation is affected

1. Using Windows Explorer, locate the file "mng_core_com.dll". By
default in r12.0 and r12.5, the file is located in the
"C:\Program Files\CA\XOsoft\Manager" directory. For r15.0 sp1, the
file is located in the "C:\Program Files\CA\ARCserve RHA\Manager"
directory.
2. Right click on the file and select Properties.
3. Select the General tab.
4. If the file timestamp is earlier than indicated in the below
table, the installation is vulnerable.

Product
File Name
Timestamp
File Size

XOsoft 12.0 sp1
mng_core_com.dll
10/09/2010
2,007,040 bytes

XOsoft 12.5 sp2 rollup
mng_core_com.dll
10/13/2010
2,396,160 bytes

ARCserve RHA 15.0 sp1
mng_core_com.dll
10/13/2010
2,990,080 bytes

Solution

CA issued the following patch to address the vulnerability.

CA ARCserve Replication and High Availability r15.0 sp1:
RO24455

CA XOsoft Replication r12.5 sp2 rollup,
CA XOsoft High Availability r12.5 sp2 rollup,
CA XOsoft Content Distribution r12.5 sp2 rollup:
RO24313

CA XOsoft Replication r12.0 sp1,
CA XOsoft High Availability r12.0 sp1,
CA XOsoft Content Distribution r12.0 sp1:
RO24314

References

CVE-2010-3984 - XOsoft buffer overflow

CA20101209-01: Security Notice for CA XOsoft
(line wraps)
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=%7
bFEB41CE8-5023-46DF-B257-5299F492BF23%7d

Acknowledgement

CVE-2010-3984 - AbdulAziz Hariri through the TippingPoint ZDI program

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies
Support at http://support.ca.com/.

If you discover a vulnerability in a CA Technologies product, please
report your findings to the CA Technologies Product Vulnerability
Response Team.
http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx

Kevin Kotas
CA Technologies Product Vulnerability Response Team

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQEVAwUBTQEo4pI1FvIeMomJAQFI3gf+PpMhF3fHNJq2Fk/7eYyxFdiG3OC6fHBR
BU2b/bkZyI4xG31tQrPTqXt7+ne7a9sTLeH34QPfqur7nV3bVzqgCk891KWEgp98
J42wQYC35w5JVwibVxh82qggd5Cjpd4xNmpE7f+8Rg+dv5K+8xsBU+lTKWd5DusF
H5z87Ux7BS1kDKg4W51XIJk1i81iSKWcTaDxx/ztRKCpyKHgLgpy6pLavOi5LzMH
5yqvSwtM2gYQ+8ciBGCnYDWY+TOSHGAGMpE0ZBpyY7K9CodlJEgV7oiD7VVb3x92
wgnBQHrUm5tACtsMMtMYjnd0H0x00u1BOy+smP6B+QsnnLXy/i7eUg==
=YEMX
-----END PGP SIGNATURE-----
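The "how to determine if the installation is affected" check in the CA advisory above, scripted so it can be run on each host instead of clicking through Explorer. This is an added example, not CA's tooling; it assumes the advisory's "file timestamp" means the file's last-modified time compared by calendar date, that the install drive is C:, and it adds one caution of its own: a file whose date matches the table but whose size does not is reported as "unknown" rather than clean.

```python
# Added example, not CA tooling: apply the mng_core_com.dll timestamp/size
# table from CA20101209-01 to an installed file.
# Assumptions: "file timestamp" is the last-modified time, compared by date;
# the default install drive is C:.
from datetime import date, datetime
from pathlib import Path

# (patched build date, patched file size in bytes), from the advisory table
PATCHED = {
    "XOsoft 12.0 sp1":        (date(2010, 10, 9),  2_007_040),
    "XOsoft 12.5 sp2 rollup": (date(2010, 10, 13), 2_396_160),
    "ARCserve RHA 15.0 sp1":  (date(2010, 10, 13), 2_990_080),
}

# default locations from the advisory (assumption: install drive C:)
DEFAULT_PATHS = {
    "XOsoft 12.0 sp1":        r"C:\Program Files\CA\XOsoft\Manager\mng_core_com.dll",
    "XOsoft 12.5 sp2 rollup": r"C:\Program Files\CA\XOsoft\Manager\mng_core_com.dll",
    "ARCserve RHA 15.0 sp1":  r"C:\Program Files\CA\ARCserve RHA\Manager\mng_core_com.dll",
}


def classify(product, mtime_iso, size):
    """Apply the advisory rule to one observed file.

    mtime_iso is the file's last-modified date as 'YYYY-MM-DD'.
    Earlier than the table date -> 'vulnerable'.
    Same date but a size that differs from the table -> 'unknown' (this
    size check is the example's own caution, not part of the advisory).
    Otherwise -> 'patched'.
    """
    patched_date, patched_size = PATCHED[product]
    mtime = date.fromisoformat(mtime_iso)
    if mtime < patched_date:
        return "vulnerable"
    if mtime == patched_date and size != patched_size:
        return "unknown"
    return "patched"


def check_install(product, path=None):
    """Stat the DLL (default path unless overridden) and classify it."""
    dll = Path(path or DEFAULT_PATHS[product])
    if not dll.is_file():
        return "not installed"
    st = dll.stat()
    mtime_iso = datetime.fromtimestamp(st.st_mtime).date().isoformat()
    return classify(product, mtime_iso, st.st_size)


if __name__ == "__main__":
    for product in PATCHED:
        print(f"{product}: {check_install(product)}")
```

Explorer's General tab shows Created, Modified and Accessed; the advisory does not say which one it means, which is why the modified time is an assumption here. Treat "unknown" as a prompt to compare the file against the patch (RO24455, RO24313 or RO24314) rather than as a pass.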


Firefox 3.6.13 pseudo-URL SOP check bug (CVE-2010-3774)

2010-12-09 Thread Michal Zalewski
Hi folks,

Firefox 3.6.13 fixes an interesting bug in their same-origin policy
logic for pseudo-URLs that do not have any inherent origin associated
with them. These documents are normally expected to inherit the
context from their parent, or be assigned a unique one. This didn't
work as expected in Firefox, apparently due to a code refactoring in
2008. The vulnerability permits malicious websites to access and
modify the contents of special pages such as about:neterror or
about:config, which has consequences ranging from content spoofing to
complete subversion of the browser security model.

More info: 
http://lcamtuf.blogspot.com/2010/12/firefox-3613-damn-you-corner-cases.html
Whimsical PoC: http://lcamtuf.coredump.cx/ffabout/

PS. I recently posted a couple of probably interesting browser security
write-ups on my blog, recapping the status quo in areas such
as HTTP cookie security. Some readers might find them interesting /
useful - say: 
http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html

Cheers,
/mz


Re: [Full-disclosure] Linux kernel exploit

2010-12-09 Thread Vadim Grinco
$ ./nelson
[*] Failed to open file descriptors.
$ uname -r
2.6.35.6-48.fc14.x86_64
$ cat /etc/redhat-release
Fedora release 14 (Laughlin)

But I updated a couple of days ago.

-- 
Best regards,
Vadim


[ MDVSA-2010:250 ] perl-CGI-Simple

2010-12-09 Thread security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:250
 http://www.mandriva.com/security/
 ___

 Package : perl-CGI-Simple
 Date: December 9, 2010
 Affected: Corporate 4.0, Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability was discovered and corrected in perl-CGI-Simple:
 
 The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm
 in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME
 boundary string in multipart/x-mixed-replace content, which allows
 remote attackers to inject arbitrary HTTP headers and conduct HTTP
 response splitting attacks via crafted input that contains this value,
 a different vulnerability than CVE-2010-3172 (CVE-2010-2761).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2761
 ___

 Updated Packages:

 Corporate 4.0:
 b2e5ffba685cf732133e42fe1b82791d  
corporate/4.0/i586/perl-CGI-Simple-0.077-1.1.20060mlcs4.noarch.rpm 
 e37ee0869e2fd9f4e875354edca20c6f  
corporate/4.0/SRPMS/perl-CGI-Simple-0.077-1.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 5231722e821a5478827e17293dd0836b  
corporate/4.0/x86_64/perl-CGI-Simple-0.077-1.1.20060mlcs4.noarch.rpm 
 e37ee0869e2fd9f4e875354edca20c6f  
corporate/4.0/SRPMS/perl-CGI-Simple-0.077-1.1.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 04f4b7381ba21a1ba14845a06b680fb1  
mes5/i586/perl-CGI-Simple-1.1-4.1mdvmes5.1.noarch.rpm 
 15d6dc30e4dbf78a7371c1715386f552  
mes5/SRPMS/perl-CGI-Simple-1.1-4.1mdvmes5.1.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 bf81ab1b1798bb141b74c6f8e6d59630  
mes5/x86_64/perl-CGI-Simple-1.1-4.1mdvmes5.1.noarch.rpm 
 15d6dc30e4dbf78a7371c1715386f552  
mes5/SRPMS/perl-CGI-Simple-1.1-4.1mdvmes5.1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFNAMpimqjQ0CJFipgRAsKPAJ9gy8D5blvchEFe/KRmwMEFYtjWZQCgzSmG
3t2bZiJcPZFuhFYF28NTyJ0=
=Xkba
-----END PGP SIGNATURE-----
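Why the hardcoded multipart boundary described in MDVSA-2010:250 above turns into HTTP response splitting, shown as an added Python example rather than code from CGI.pm or CGI::Simple. FIXED_BOUNDARY is a hypothetical stand-in for the hardcoded value, not the literal string from the Perl modules; random_boundary() is this example's version of the fix (an unguessable boundary per response), not the exact change made in CGI.pm 3.50.

```python
# Added example, not code from CGI.pm or CGI::Simple: a fixed
# multipart/x-mixed-replace boundary lets a reflected value close the
# current part and open an attacker-authored one with its own headers.
# FIXED_BOUNDARY is a hypothetical stand-in for the hardcoded value.
import secrets

FIXED_BOUNDARY = "------- =_hypothetical0"   # stand-in, not the real constant


def random_boundary():
    """Hardened variant: an unguessable boundary for every response."""
    return "------- =_" + secrets.token_hex(16)


def multipart_init(boundary):
    """Top-level headers plus the first delimiter, as a server-push
    script emits them."""
    return (f'Content-Type: multipart/x-mixed-replace; boundary="{boundary}"\r\n\r\n'
            f"--{boundary}\r\n")


def multipart_part(boundary, content_type, body):
    """One part: headers, blank line, body, then the next delimiter."""
    return f"Content-Type: {content_type}\r\n\r\n{body}\r\n--{boundary}\r\n"


def render(user_input, boundary):
    """A page that reflects user input into the body of its first part."""
    return (multipart_init(boundary)
            + multipart_part(boundary, "text/html", f"<p>Hello {user_input}</p>"))


def attacker_input(guessed_boundary):
    """Input that terminates the current part and starts a new one with
    attacker-chosen headers.  It only works when the guess equals the real
    boundary, which a hardcoded boundary guarantees."""
    return ("\r\n--" + guessed_boundary + "\r\n"
            "Set-Cookie: session=attacker\r\n"
            "Content-Type: text/html\r\n\r\n"
            "<script>alert(1)</script>")


def parse_parts(response, boundary):
    """Split the response the way a receiving client would:
    a list of (headers_dict, body) per part."""
    _, _, body = response.partition("\r\n\r\n")        # drop top-level headers
    parts = []
    for chunk in body.split(f"--{boundary}\r\n"):
        if not chunk:
            continue                                    # preamble / epilogue
        hdr_block, _, content = chunk.partition("\r\n\r\n")
        headers = dict(line.split(": ", 1)
                       for line in hdr_block.split("\r\n") if ": " in line)
        parts.append((headers, content.rstrip("\r\n")))
    return parts


def injected_headers(boundary):
    """Headers of every part after the first, for an attacker who assumes
    the boundary is FIXED_BOUNDARY.  An empty list means no split occurred."""
    resp = render(attacker_input(FIXED_BOUNDARY), boundary)
    return [headers for headers, _ in parse_parts(resp, boundary)[1:]]


if __name__ == "__main__":
    print("fixed boundary  ->", injected_headers(FIXED_BOUNDARY))
    print("random boundary ->", injected_headers(random_boundary()))
```

With the fixed boundary the attacker's text is parsed as a second part carrying its own Set-Cookie and Content-Type headers; with a per-response random boundary the same text stays inside the body of the first part. The random boundary is the minimum fix; reflected content should still be encoded so that no part of it can be interpreted as delimiter or header text.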



Follow-up on HTTP Parameter Pollution

2010-12-09 Thread embyte
Hi all,

I have just blogged about a research we recently did on HTTP Parameter
Pollution [1]. I would like to share it with you.

HPP attacks consist of injecting encoded query string delimiters into
other existing parameters. If a web application does not properly
sanitize the user input, a malicious user can compromise the logic of
the application to perform either client-side or server-side attacks.
One consequence of HPP attacks is that the attacker can potentially
override existing hard-coded HTTP parameters to modify the behavior of
an application, bypass input validation checkpoints, and access and
possibly exploit variables that may be out of direct reach.

To the best of our knowledge, no tools have been presented to date for
the detection of this sort of vulnerability and no studies have been
published on the topic. The most effective means of discovering HPP
vulnerabilities in websites is via manual inspection. At the same time,
it is unclear how common and significant a threat HPP vulnerabilities
are in existing web applications.

We therefore decided to dig deeper into the detection problem and
create the first automated system for the detection of HPP
vulnerabilities in web applications. We then tested more than 5,000
popular web sites (taken from Alexa) and we discovered that 1499 of
them contained at least one vulnerable page.  That is, the tool was
able to automatically inject an encoded parameter inside one of the
existing parameters, and was then able to verify that its URL-decoded
version was included in one of the URLs (links or forms) of the
resulting page.

The problems we identified affected many important and well-known
websites (e.g., Microsoft, Google, Symantec, Paypal, Facebook, etc..).
After we notified them, we had the problems acknowledged and some
patched.

We have now come online with a free service to test web applications
(called PAPAS) and the PDF of the paper (link below).

Cheers.

[1]
http://blog.iseclab.org/2010/12/08/http-parameter-pollution-so-how-many-flawed-applications-exist-out-there-we-go-online-with-a-new-service/

-- 
bash$ :(){ :|:&};: Computer Science belongs to all Humanity! 
Icq uin: #48790142 - PGP Key www.madlab.it/pgpkey/embyte.asc
Fingerprint 103E F38A 9263 57BB B842 BC92 6B2D ABFC D03F 01AA)
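The detection step the post describes (inject an encoded "&name=value" into an existing parameter, then check whether the URL-decoded probe surfaces as a separate parameter in one of the page's links or forms), as an added Python example. It is not the PAPAS tool or the paper's code; vulnerable_app and hardened_app are constructed stand-ins for a real site, example.test is a placeholder host, and the hpp_probe parameter name is this example's choice.

```python
# Added example, not the PAPAS tool or the paper's code: the HPP probe
# described in the post.  vulnerable_app / hardened_app are constructed
# stand-ins for a real site; example.test is a placeholder host.
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit

PROBE = ("hpp_probe", "1")
ENCODED_PROBE = quote(f"&{PROBE[0]}={PROBE[1]}", safe="")   # "%26hpp_probe%3D1"


def inject(url, target_param):
    """Append the URL-encoded delimiter+probe to one parameter's value.
    The server decodes the query once, so it sees '...&hpp_probe=1' as the
    value of target_param, not as a new parameter."""
    parts = urlsplit(url)
    pieces = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        piece = f"{quote(key, safe='')}={quote(value, safe='')}"
        if key == target_param:
            piece += ENCODED_PROBE
        pieces.append(piece)
    return urlunsplit(parts._replace(query="&".join(pieces)))


class LinkCollector(HTMLParser):
    """Collect <a href> and <form action> targets from a page."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.urls.append(attrs["href"])
        elif tag == "form" and attrs.get("action"):
            self.urls.append(attrs["action"])


def find_hpp(url, fetch):
    """Probe every parameter of url.  fetch(probe_url) must return the HTML
    body.  Returns {param: [page URLs carrying hpp_probe=1 as its own
    parameter]} for each parameter found to be vulnerable."""
    findings = {}
    for param, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        collector = LinkCollector()
        collector.feed(fetch(inject(url, param)))
        hits = [u for u in collector.urls
                if PROBE in parse_qsl(urlsplit(u).query, keep_blank_values=True)]
        if hits:
            findings[param] = hits
    return findings


# --- constructed target applications (stand-ins, not real sites) ----------

def vulnerable_app(url):
    """Rebuilds links from the decoded parameters without re-encoding them,
    so the decoded '&' in a value becomes a real delimiter in the new URL."""
    p = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    page, sort = p.get("page", "1"), p.get("sort", "asc")
    return (f'<a href="/items?page={page}&amp;sort={sort}">next</a>'
            f'<form action="/items?page={page}&amp;sort={sort}"></form>')


def hardened_app(url):
    """Same page, but every value is URL-encoded before it is placed in a
    new URL, and the URL is HTML-escaped before it is placed in an attribute."""
    p = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    page = quote(p.get("page", "1"), safe="")
    sort = quote(p.get("sort", "asc"), safe="")
    href = escape(f"/items?page={page}&sort={sort}")
    return f'<a href="{href}">next</a><form action="{href}"></form>'


if __name__ == "__main__":
    target = "http://example.test/items?page=1&sort=asc"
    print("vulnerable:", find_hpp(target, vulnerable_app))
    print("hardened:  ", find_hpp(target, hardened_app))
```

To run it against a live site, pass a fetch function that performs the HTTP request and returns the body; the probe value is deliberately inert so a hit only proves that the application re-emits decoded input as a URL delimiter, which is the condition the post counts as a vulnerable page.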


www.eVuln.com : Non-persistent XSS in WWWThreads (perl version)

2010-12-09 Thread bt
www.eVuln.com advisory:

Non-persistent XSS in WWWThreads (perl version)

Summary: http://evuln.com/vulns/157/summary.html 

Details: http://evuln.com/vulns/157/description.html 



---Summary---

eVuln ID: EV0157

Software: n/a

Vendor: WWWThreads

Version: v5.0.8 Pro (perl version)

Critical Level: low

Type: Cross Site Scripting

Status: Unpatched. No reply from developer(s)

PoC: Available

Solution: Not available

Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )

Description

It is possible to inject XSS code into the view parameter of the showflat.pl script.

The view parameter is not sanitized before being used in HTML code.

PoC/Exploit

PoC code is available at:

http://evuln.com/vulns/157/exploit.html 

---Solution---

Not available

---Credit---

Vulnerability discovered by Aliaksandr Hartsuyeu

http://evuln.com/malicious-site.html - recent eVuln article



Re: [Full-disclosure] Linux kernel exploit

2010-12-09 Thread niklas|brueckenschlaeger
Debian lenny:

  nik...@sandbox:~$ uname -a
  Linux sandbox 2.6.26-2-amd64 #1 SMP Thu Sep 16 15:56:38 UTC 2010
x86_64 GNU/Linux
  nik...@sandbox:~$ make full-nelson
  cc full-nelson.c   -o full-nelson
  nik...@sandbox:~$ ./full-nelson
  [*] Resolving kernel addresses...
   [+] Resolved econet_ioctl to 0xa01d319b
   [+] Resolved econet_ops to 0xa01d41e0
  [*] Failed to resolve kernel symbols.


On Wed, 2010-12-08 at 00:44 +0300, Kai wrote:
> > Anyone tested this in sandbox yet?
> 
> 00:37 linups:../expl/kernel > cat /etc/*release*
> openSUSE 11.3 (i586)
> VERSION = 11.3
> 00:37 linups:../expl/kernel > uname -r
> 2.6.34.4-0.1-desktop
> 00:37 linups:../expl/kernel > gcc _2.6.37.local.c -o test
> 00:37 linups:../expl/kernel > ./test
> [*] Failed to open file descriptors.
> 




RE: [Full-disclosure] Linux kernel exploit

2010-12-09 Thread John Jacobs

> I've included here a proof-of-concept local privilege escalation exploit
> for Linux.  Please read the header for an explanation of what's going
> on.  Without further ado, I present full-nelson.c:

Hello Dan, is this exploitation not mitigated by best practice 
defense-in-depth strategies such as preventing the CAP_SYS_MODULE 
capability or '/sbin/sysctl -w kernel.modules_disabled=1' respectively? 
 It seems it'd certainly stop the Econet/Acorn issue.

Curious to hear your input as I fear too many rely solely on errata updates and 
not a good defense-in-depth approach.

> Happy hacking,
> Dan

Cheers,
John Jacobs
  

[security bulletin] HPSBUX02612 SSRT100345 rev.1 - HP-UX Apache-based Web Server, Local Information Disclosure, Increase of Privilege, Remote Denial of Service (DoS)

2010-12-09 Thread security-alert
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02579879
Version: 1

HPSBUX02612 SSRT100345 rev.1 - HP-UX Apache-based Web Server, Local Information 
Disclosure, Increase of Privilege, Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2010-12-07
Last Updated: 2010-12-06

 --

Potential Security Impact: Local information disclosure, increase of privilege, 
remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX Apache-based 
Web Server. These vulnerabilities could be exploited locally to disclose 
information, increase privilege or remotely create a Denial of Service (DoS).

References: CVE-2010-1452, CVE-2009-1956, CVE-2009-1955, CVE-2009-1891, 
CVE-2009-1890, CVE-2009-1195, CVE-2009-0023, CVE-2007-6203, CVE-2006-3918

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23 and B.11.31 running Apache-based Web Server prior to 
v2.0.63.01
Note: HP-UX Apache-based Web Server v2.0.63.01 is contained in HP-UX Web Server 
Suite v.2.32

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference  Base Vector Base Score
CVE-2010-1452(AV:N/AC:L/Au:N/C:N/I:N/A:P)   5.0
CVE-2009-1956(AV:N/AC:L/Au:N/C:P/I:N/A:P)   6.4
CVE-2009-1955(AV:N/AC:L/Au:N/C:N/I:N/A:C)   7.8
CVE-2009-1891(AV:N/AC:M/Au:N/C:N/I:N/A:P)   4.3
CVE-2009-1890(AV:N/AC:L/Au:N/C:N/I:N/A:P)   5.0
CVE-2009-1195(AV:L/AC:L/Au:N/C:N/I:N/A:C)   4.9
CVE-2009-0023(AV:N/AC:M/Au:N/C:N/I:N/A:P)   4.3
CVE-2007-6203(AV:N/AC:M/Au:N/C:N/I:P/A:N)   4.3
CVE-2006-3918(AV:N/AC:M/Au:N/C:N/I:P/A:N)   4.3
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided the following software updates to resolve the vulnerabilities.
The updates are available for download from http://software.hp.com
Note: HP-UX Web Server Suite v.2.32 contains HP-UX Apache-based Web Server 
v2.0.63.01

Web Server Suite Version / Apache Depot name

HP-UX Web Server Suite v.2.32
 HP-UX 11i PA-RISC with IPv6

 HP-UX 11i version 2 PA-RISC/IPF 64-bit

 HP-UX 11i version 2 PA-RISC/IPF 32-bit

 HP-UX 11i version 3 PA-RISC/IPF 64-bit

 HP-UX 11i version 3 PA-RISC/IPF 32-bit

MANUAL ACTIONS: Yes - Update
Install Apache-based Web Server v2.0.63.01 or subsequent.

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application 
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins 
issued by HP and lists recommended actions that may apply to a specific HP-UX 
system. It can also download patches and create a depot automatically. For more 
information see https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

HP-UX Web Server Suite v2.32
HP-UX B.11.11
==
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
action: install revision B.2.0.63.01 or subsequent

HP-UX B.11.23
==
hpuxwsAPCH32.APACHE
hpuxwsAPCH32.APACHE2
hpuxwsAPCH32.AUTH_LDAP
hpuxwsAPCH32.AUTH_LDAP2
hpuxwsAPCH32.MOD_JK
hpuxwsAPCH32.MOD_JK2
hpuxwsAPCH32.MOD_PERL
hpuxwsAPCH32.MOD_PERL2
hpuxwsAPCH32.PHP
hpuxwsAPCH32.PHP2
hpuxwsAPCH32.WEBPROXY
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
action: install revision B.2.0.63.01 or subsequent

HP-UX B.11.31
==
hpuxwsAPCH32.APACHE
hpuxwsAPCH32.APACHE2
hpuxwsAPCH32.AUTH_LDAP
hpuxwsAPCH32.AUTH_LDAP2
hpuxwsAPCH32.MOD_JK
hpuxwsAPCH32.MOD_JK2
hpuxwsAPCH32.MOD_PERL
hpuxwsAPCH32.MOD_PERL2
hpuxwsAPCH32.PHP
hpuxwsAPCH32.PHP2
hpuxwsAPCH32.WEBPROXY
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
action: install revision B.2.0.63.01 or subsequent

END AFFECTED VERSIONS

HISTORY
Version:1 (rev.1) - 7 December 2010 Initial release

Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy.

Support: For further information, contact norma

Google Website Optimizer security issue reportedly fixed

2010-12-09 Thread Juha-Matti Laurio

Google has acknowledged information about fixed versions of the Website Optimizer 
control scripts.
A potential XSS was reported by an unnamed person.

More details at
http://websiteoptimizer.blogspot.com/2010/12/update-your-website-optimizer-scripts.html

including a link to the Help Center page with update instructions.

Juha-Matti