[USN-1067-1] Telepathy Gabble vulnerability
===========================================================
Ubuntu Security Notice USN-1067-1            February 17, 2011
telepathy-gabble vulnerability
https://launchpad.net/bugs/720201
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
  telepathy-gabble                0.8.7-1ubuntu1.1

Ubuntu 10.04 LTS:
  telepathy-gabble                0.8.12-0ubuntu1.1

Ubuntu 10.10:
  telepathy-gabble                0.10.0-1ubuntu0.1

After a standard system update you need to restart your session to make
all the necessary changes.

Details follow:

It was discovered that Gabble did not verify the from field of google
jingleinfo updates. This could allow a remote attacker to perform man in
the middle attacks (MITM) on streamed media.

Updated packages for Ubuntu 9.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/telepathy-gabble/telepathy-gabble_0.8.7-1ubuntu1.1.diff.gz
      Size/MD5:    13990 351f08742f5f0ef7f90e8a750578e4e6
    http://security.ubuntu.com/ubuntu/pool/main/t/telepathy-gabble/telepathy-gabble_0.8.7-1ubuntu1.1.dsc
      Size/MD5:     2553 6eac46deafcf04a43accfc7fb1a07b3a
    http://security.ubuntu.com/ubuntu/pool/main/t/telepathy-gabble/telepathy-gabble_0.8.7.orig.tar.gz
      Size/MD5:  1480819 1ab5505b5410f79438a886097db7c16e

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/t/telepathy-gabble/telepathy-gabble-dbg_0.8.7-1ubuntu1.1_amd64.deb
      Size/MD5:   649224 9a4782cfa2df697de06fa11eb9151e87
    http://security.ubuntu.com/ubuntu/pool/main/t/telepathy-gabble/telepathy-gabble_0.8.7-1ubuntu1.1_amd64.deb
      Size/MD5:   365310 3c03bc122de9118996c8c6d70f6609f7

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/t/telepathy-gabble/telepathy-gabble-dbg_0.8.7-1ubuntu1.1_i386.deb
      Size/MD5:   628852 55d4d2714a44cf52a54b525528dbea1d
    http://security.ubuntu.com/ubuntu/pool/main/t/telepathy-gabble/telepathy-gabble_0.8.7-1ubuntu1.1_i386.deb
      Size/MD5:   337922 bfec94d872420b6fac30c01477497a09

  armel architecture (ARM Architecture):

    http://ports.ubuntu.com/pool/main/t/telepathy-gabble/telepathy-gabble-dbg_0.8.7-1ubuntu1.1_armel.deb
      Size/MD5:   628220 a615df74072df46b513da927f31ee019
    http://ports.ubuntu.com/pool/main/t/telepathy-gabble/telepathy-gabble_0.8.7-1ubuntu1.1_armel.deb
      Size/MD5:   346390 7e527b84cc82934ef364827625c0677e

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/t/telepathy-gabble/telepathy-gabble-dbg_0.8.7-1ubuntu1.1_lpia.deb
      Size/MD5:   643428 482b5341331957a169a1bf41366c840f
    http://ports.ubuntu.com/pool/main/t/telepathy-gabble/telepathy-gabble_0.8.7-1ubuntu1.1_lpia.deb
      Size/MD5:   328280 c04413760c8c1d0d5c522e0b80218166

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/t/telepathy-gabble/telepathy-gabble-dbg_0.8.7-1ubuntu1.1_powerpc.deb
      Size/MD5:   655522 47807b94c25c2e3c294b178c05cdf847
    http://ports.ubuntu.com/pool/main/t/telepathy-gabble/telepathy-gabble_0.8.7-1ubuntu1.1_powerpc.deb
      Size/MD5:   345494 45e6da12c8d0e66946550515d701bfd5

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/t/telepathy-gabble/telepathy-gabble-dbg_0.8.7-1ubuntu1.1_sparc.deb
      Size/MD5:   583200 96d0f25f7d139fab0ea9efcaff56d2e2
    http://ports.ubuntu.com/pool/main/t/telepathy-gabble/telepathy-gabble_0.8.7-1ubuntu1.1_sparc.deb
      Size/MD5:   331466 514a0c9dce3af6e618330fa221b00c4f

Updated packages for Ubuntu 10.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/telepathy-gabble/telepathy-gabble_0.8.12-0ubuntu1.1.diff.gz
      Size/MD5:    10969 bced372df48c20f3c8f19a61c5511057
    http://security.ubuntu.com/ubuntu/pool/main/t/telepathy-gabble/telepathy-gabble_0.8.12-0ubuntu1.1.dsc
      Size/MD5:     2580 7b16f1de82f1577bf264330c17d164a2
    http://security.ubuntu.com/ubuntu/pool/main/t/telepathy-gabble/telepathy-gabble_0.8.12.orig.tar.gz
      Size/MD5:  1520808 c344165154fe1642bd176e9a38e9ecce

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/t/telepathy-gabble/telepathy-gabble-dbg_0.8.12-0ubuntu1.1_amd64.deb
      Size/MD5:   658714 7456b882950cd45d3cfd9c438aec4a31
    http://security.ubuntu.com/ubuntu/pool/main/t/telepathy-gabble/telepathy-gabble_0.8.12-0ubuntu1.1_amd64.deb
      Size/MD5:   374550 7cc95dfcbdd3dedce37fc42559cf9bc6

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/t/telepathy-gabble/telepathy-gabble-dbg_0.8.12-0ubuntu1.1_i386.deb
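As an added example (not part of the Ubuntu notice), a small Python script that parses the notice's package list into (URL, size, MD5) entries and checks a downloaded file against the published values. The excerpt it parses is copied from the notice above; the PackageEntry type, the verify functions and the sample "hello" entry are this example's own. The MD5 line only detects a corrupt or mismatched download: authenticity of the packages comes from apt's verification of the archive's signed Release files, not from this checksum.

```python
import hashlib
import os
import re
from dataclasses import dataclass
from typing import List, Tuple

# Excerpt of the USN-1067-1 package list; URLs, sizes and MD5s are the ones
# published in the notice above.
ADVISORY_EXCERPT = """\
Updated packages for Ubuntu 9.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/telepathy-gabble/telepathy-gabble_0.8.7-1ubuntu1.1.diff.gz
      Size/MD5:    13990 351f08742f5f0ef7f90e8a750578e4e6
    http://security.ubuntu.com/ubuntu/pool/main/t/telepathy-gabble/telepathy-gabble_0.8.7-1ubuntu1.1.dsc
      Size/MD5:     2553 6eac46deafcf04a43accfc7fb1a07b3a

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/t/telepathy-gabble/telepathy-gabble_0.8.7-1ubuntu1.1_amd64.deb
      Size/MD5:   365310 3c03bc122de9118996c8c6d70f6609f7
"""


@dataclass(frozen=True)
class PackageEntry:
    url: str
    size: int
    md5: str

    @property
    def filename(self) -> str:
        return self.url.rsplit("/", 1)[-1]


_URL_RE = re.compile(r"^\s*(https?://\S+)\s*$")
_SIZE_MD5_RE = re.compile(r"^\s*Size/MD5:\s*(\d+)\s+([0-9a-fA-F]{32})\s*$")


def parse_advisory(text: str) -> List[PackageEntry]:
    """Pair every URL line with the Size/MD5 line that directly follows it."""
    entries: List[PackageEntry] = []
    pending_url = None
    for line in text.splitlines():
        m = _URL_RE.match(line)
        if m:
            pending_url = m.group(1)  # remember the URL until its checksum line arrives
            continue
        m = _SIZE_MD5_RE.match(line)
        if m and pending_url is not None:
            entries.append(PackageEntry(pending_url, int(m.group(1)), m.group(2).lower()))
            pending_url = None
    return entries


def verify_bytes(data: bytes, entry: PackageEntry) -> Tuple[bool, bool]:
    """Return (size_matches, md5_matches) for in-memory file content."""
    digest = hashlib.md5(data).hexdigest()
    return len(data) == entry.size, digest == entry.md5


def verify_file(path: str, entry: PackageEntry) -> Tuple[bool, bool]:
    """Same check for a file on disk, e.g. a .deb fetched from the listed URL."""
    with open(path, "rb") as f:
        return verify_bytes(f.read(), entry)


if __name__ == "__main__":
    # Report which listed files are present in the current directory.
    for e in parse_advisory(ADVISORY_EXCERPT):
        status = "present" if os.path.exists(e.filename) else "not downloaded"
        print(e.filename, e.size, e.md5, status)
```

Run it in the directory where the packages were fetched and call `verify_file(e.filename, e)` for each present entry; a `(True, False)` result means the size is right but the content differs, which is the case worth investigating rather than silently installing.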
[ MDVSA-2011:029 ] kernel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:029
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : kernel
 Date    : February 17, 2011
 Affected: Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability was discovered and corrected in the Linux 2.6 kernel:

 The X.25 implementation does not properly parse facilities, which allows
 remote attackers to cause a denial of service (heap memory corruption and
 panic) or possibly have unspecified other impact via malformed data, a
 different vulnerability than CVE-2010-4164. (CVE-2010-3873)

 The bcm_connect function in the Broadcast Manager in the Controller Area
 Network (CAN) implementation in the Linux kernel creates a publicly
 accessible file with a filename containing a kernel memory address, which
 allows local users to obtain potentially sensitive information about
 kernel memory use by listing this filename. (CVE-2010-4565)

 The install_special_mapping function in mm/mmap.c does not make an
 expected security_file_mmap function call, which allows local users to
 bypass intended mmap_min_addr restrictions and possibly conduct NULL
 pointer dereference attacks via a crafted assembly-language application.
 (CVE-2010-4346)

 The sk_run_filter function does not check whether a certain memory
 location has been initialized before executing a BPF_S_LD_MEM or
 BPF_S_LDX_MEM instruction, which allows local users to obtain potentially
 sensitive information from kernel stack memory via a crafted socket
 filter. (CVE-2010-4158)

 Heap-based buffer overflow in the bcm_connect function in the Broadcast
 Manager in the Controller Area Network (CAN) implementation on 64-bit
 platforms might allow local users to cause a denial of service (memory
 corruption) via a connect operation. (CVE-2010-3874)

 The blk_rq_map_user_iov function in block/blk-map.c allows local users to
 cause a denial of service (panic) via a zero-length I/O request in a
 device ioctl to a SCSI device. (CVE-2010-4163)

 Multiple integer underflows in the x25_parse_facilities function allow
 remote attackers to cause a denial of service (system crash) via
 malformed X.25 (1) X25_FAC_CLASS_A, (2) X25_FAC_CLASS_B,
 (3) X25_FAC_CLASS_C, or (4) X25_FAC_CLASS_D facility data.
 (CVE-2010-4164)

 Race condition in the do_setlk function allows local users to cause a
 denial of service (crash) via vectors resulting in an interrupted RPC
 call that leads to a stray FL_POSIX lock, related to improper handling of
 a race between fcntl and close in the EINTR case. (CVE-2009-4307)

 Multiple integer overflows in fs/bio.c allow local users to cause a
 denial of service (system crash) via a crafted device ioctl to a SCSI
 device. (CVE-2010-4162)

 Integer overflow in the ext4_ext_get_blocks function in
 fs/ext4/extents.c allows local users to cause a denial of service (BUG
 and system crash) via a write operation on the last block of a large
 file, followed by a sync operation. (CVE-2010-3015)

 The do_exit function in kernel/exit.c does not properly handle a
 KERNEL_DS get_fs value, which allows local users to bypass intended
 access_ok restrictions, overwrite arbitrary kernel memory locations, and
 gain privileges by leveraging a (1) BUG, (2) NULL pointer dereference, or
 (3) page fault, as demonstrated by vectors involving the clear_child_tid
 feature and the splice system call. (CVE-2010-4258)

 The ax25_getname function in net/ax25/af_ax25.c does not initialize a
 certain structure, which allows local users to obtain potentially
 sensitive information from kernel stack memory by reading a copy of this
 structure. (CVE-2010-3875)

 Integer overflow in the do_io_submit function in fs/aio.c allows local
 users to cause a denial of service or possibly have unspecified other
 impact via crafted use of the io_submit system call. (CVE-2010-3067)

 Race condition in the __exit_signal function in kernel/exit.c allows
 local users to cause a denial of service via vectors related to
 multithreaded exec, the use of a thread group leader in
 kernel/posix-cpu-timers.c, and the selection of a new thread group leader
 in the de_thread function in fs/exec.c. (CVE-2010-4248)

 Integer signedness error in the pkt_find_dev_from_minor function in
 drivers/block/pktcdvd.c allows local users to obtain sensitive
 information from kernel memory or cause a denial of service (invalid
 pointer dereference and system crash) via a crafted index value in a
 PKT_CTRL_CMD_STATUS ioctl call. (CVE-2010-3437)

 The get_name function in net/tipc/socket.c does not initialize a certain
 structure, which allows local users to obtain potentially sensitive
 information from kernel stack memory by reading a copy of this structure.
 (CVE-2010-3877)

 Stack-based buffer overflow
www.eVuln.com : wsnuser Cookie SQL Injection vulnerability in WSN Guest
www.eVuln.com advisory: wsnuser Cookie SQL Injection vulnerability in WSN Guest

---Summary---
http://evuln.com/vulns/174/summary.html
eVuln ID: EV0174
Software: WSN Guest
Vendor: n/a
Version: 1.24
Critical Level: medium
Type: SQL Injection
Status: Unpatched. No reply from developer(s)
PoC: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )

---Description---
http://evuln.com/vulns/174/description.html
SQL Injection in wsnuser Cookie

It is possible to inject an arbitrary SQL query using the wsnuser cookie parameter in the index.php script. The wsnuser parameter is used in an SQL query without proper sanitisation.

---PoC/Exploit---
PoC code is available at:
http://evuln.com/vulns/174/exploit.html

---Solution---
Not available

---Credit---
Vulnerability discovered by Aliaksandr Hartsuyeu
http://evuln.com/penetration-test.html - website manual penetration testing
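As an added illustration (not code from WSN Guest, whose source is not shown in the advisory), the pattern the advisory describes and its fix, written in Python against an in-memory sqlite3 table: a cookie value spliced into the statement text versus the same value passed as a bound parameter, with an allow-list check on the cookie value as a second layer. The table, its rows, the username policy and the tampered cookie value are all constructed for the example.

```python
import re
import sqlite3
from typing import List, Tuple


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample schema and rows; WSN Guest's real schema is not known here."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (name, is_admin) VALUES (?, ?)",
        [("alice", 0), ("bob", 0), ("admin", 1)],
    )
    conn.commit()
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, wsnuser: str) -> List[Tuple[str, int]]:
    """The advisory's pattern: the cookie value becomes part of the SQL text itself."""
    sql = "SELECT name, is_admin FROM users WHERE name = '%s'" % wsnuser
    return conn.execute(sql).fetchall()


# Assumed username policy for the example: letters, digits, underscore, 1-32 chars.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def lookup_user_safe(conn: sqlite3.Connection, wsnuser: str) -> List[Tuple[str, int]]:
    """Hardened form: validate the cookie value, then bind it as a parameter.

    The bound parameter is what removes the injection (the value can never be
    parsed as SQL); the allow-list is a second layer that also rejects garbage
    before it reaches the database at all.
    """
    if not _USERNAME_RE.match(wsnuser):
        return []
    return conn.execute(
        "SELECT name, is_admin FROM users WHERE name = ?", (wsnuser,)
    ).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    # Constructed cookie value that closes the quoted literal and appends a
    # tautology: the unsafe lookup returns every row, the safe one returns none.
    tampered = "' OR '1'='1"
    print(lookup_user_unsafe(db, "alice"), lookup_user_safe(db, "alice"))
    print(len(lookup_user_unsafe(db, tampered)), lookup_user_safe(db, tampered))
```

The point of keeping both functions side by side is that they are indistinguishable for a well-behaved cookie; only the parameter binding changes what an attacker-controlled cookie can do, which is why the fix for a finding like this is "bind, do not concatenate" rather than escaping individual characters.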
Re: DC4420 - London DEFCON - February meet - Tuesday 22nd February 2011
*** REMINDER ***

This is next Tuesday! If it ain't in your diary already, make sure it is now...

THC talk promises to be a stonker, and Christer is, well Christer!!!

This month we have a spectacular start to the year with a stellar guest speaker from The Hacker's Choice presenting new and devastating StuffYouDon'tWantToMiss(tm):

THC - 'Advances in understanding DoS' - it's not about lots of traffic anymore - DDoS Amazon from your DSL.

Read it again: Amazon. DSL. Need I say more? Oh, and there will be tools. =:O

Also, bringing back our popular 'one serious, one fun' talk format, we've got in the fun slot:

Christer - linux kernel 0days are obsolete (you can now get them for free)

and finally, this will be Dominic's (of Bluetooth fame) last dc4420 for the foreseeable future, so we intend to get him really really drunk and then allow him to spew into the mic... Could be interesting^wdisgusting...

Important stuff:

Meeting is *** DOWNSTAIRS ***

Room is ours from 17:30

If you arrive early (and, for that matter, if you arrive late), please make sure you order food & drink at the downstairs bar. If you create a tab, create it at the downstairs bar. Basically, once you arrive, you belong to the downstairs bar!!!

This is important if we are to keep this space - we need to be able to show that we are bringing in decent food & drink spend (peeing is free, however... you can do that upstairs).

Venue is here:
http://www.phoenixcavendishsquare.co.uk/
2 minutes walk from Oxford Circus tube.

Date: Tuesday 22nd February 2011
Time: 17:30 till kicking out
Place: The Phoenix
       37 Cavendish Square
       London W1G 0PP

All this year's dates are posted on the website: http://www.dc4420.org

See you there!

cheers,
MM
--
In DEFCON, we have no names... errr... well, we do... but silly ones...
ZDI-11-089: Novell ZenWorks TFTPD Remote Code Execution Vulnerability
ZDI-11-089: Novell ZenWorks TFTPD Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-089
February 17, 2011

-- CVE ID:
CVE-2010-4323

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Novell

-- Affected Products:
Novell Zenworks

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 2132. For further product information on the TippingPoint IPS, visit:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell Zenworks Configuration Manager. Authentication is not required to exploit this vulnerability.

The flaw exists within the novell-tftp.exe component which listens by default on UDP port 69. When handling a request the process blindly copies user supplied data into a fixed-length buffer on the heap. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the ZenWorks user.

-- Vendor Response:
Novell has issued an update to correct this vulnerability. More details can be found at:
http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7007896&sliceId=2&docTypeID=DT_TID_1_1&dialogID=205671351&stateId=0%200%20205669596

-- Disclosure Timeline:
2010-08-23 - Vulnerability reported to vendor
2011-02-17 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Francis Provencher for Protek Research Lab's
* AbdulAziz Hariri of ThirdEyeTesters
* SilentSignal

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:
http://twitter.com/thezdi
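As an added example (not Novell's code; the advisory does not disclose which request field overflows or how large the heap buffer is), a Python parser for TFTP read and write requests that performs the bound check a receiver needs before copying request data anywhere. It follows the RFC 1350 layout (2-byte big-endian opcode, NUL-terminated filename, NUL-terminated mode, optional RFC 2347 option pairs). MAX_FILENAME is an assumed limit chosen for the example, the build_request helper exists only to construct sample datagrams, and the function and error names are this example's own. The same checks, applied to inbound UDP/69 datagrams, are a reasonable thing for a TFTP listener to log on rejection.

```python
import struct
from typing import Tuple

# TFTP opcodes from RFC 1350; only the two request types matter here.
OPCODE_RRQ = 1
OPCODE_WRQ = 2
ALLOWED_MODES = {"netascii", "octet", "mail"}

# Assumed limit for the filename field. The real server's buffer size is not
# given in the advisory, so this value is constructed for the example.
MAX_FILENAME = 255


class TftpRequestError(ValueError):
    """Raised for any request that must not reach the copy-into-buffer step."""


def parse_tftp_request(datagram: bytes, max_filename: int = MAX_FILENAME) -> Tuple[int, str, str]:
    """Parse an RRQ/WRQ datagram, enforcing every length bound before use.

    Layout: opcode (2 bytes, big-endian) | filename | 0 | mode | 0 [| opt | 0 | val | 0 ...]
    Returns (opcode, filename, mode) or raises TftpRequestError.
    """
    if len(datagram) < 4:
        raise TftpRequestError("datagram too short for an opcode and two fields")
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in (OPCODE_RRQ, OPCODE_WRQ):
        raise TftpRequestError("opcode %d is not RRQ/WRQ" % opcode)

    fields = datagram[2:].split(b"\x00")
    # A well-formed request ends in NUL, so the final split element is empty.
    if len(fields) < 3 or fields[-1] != b"":
        raise TftpRequestError("filename/mode are not both NUL-terminated")
    raw_name, raw_mode = fields[0], fields[1]

    # The bound check a fixed-length destination buffer requires: reject first, copy later.
    if not raw_name:
        raise TftpRequestError("empty filename")
    if len(raw_name) > max_filename:
        raise TftpRequestError(
            "filename length %d exceeds limit %d" % (len(raw_name), max_filename)
        )
    try:
        filename = raw_name.decode("ascii")
        mode = raw_mode.decode("ascii").lower()
    except UnicodeDecodeError as exc:
        raise TftpRequestError("non-ASCII bytes in request") from exc
    if mode not in ALLOWED_MODES:
        raise TftpRequestError("unknown transfer mode %r" % mode)
    return opcode, filename, mode


def is_well_formed(datagram: bytes, max_filename: int = MAX_FILENAME) -> bool:
    """True if the datagram passes every check above, False otherwise."""
    try:
        parse_tftp_request(datagram, max_filename)
        return True
    except TftpRequestError:
        return False


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Encode a request; used here only to construct sample datagrams."""
    return (
        struct.pack("!H", opcode)
        + filename.encode("ascii") + b"\x00"
        + mode.encode("ascii") + b"\x00"
    )


if __name__ == "__main__":
    print(parse_tftp_request(build_request(OPCODE_RRQ, "boot.cfg")))
```

Note that the length check is against the byte length of the raw field, not the decoded string, because the copy the advisory describes happens on raw bytes; checking after decoding would count characters rather than the bytes that actually land in the buffer.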