[security bulletin] HPSBMA02647 SSRT100383 rev.1 - HP Discovery & Dependency Mapping Inventory (DDMI) Running on Windows, Insecure SNMP Configuration

2011-03-22 Thread security-alert

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02757867
Version: 1

HPSBMA02647 SSRT100383 rev.1 - HP Discovery & Dependency Mapping Inventory 
(DDMI) Running on Windows, Insecure SNMP Configuration

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2011-03-21
Last Updated: 2011-03-21

Potential Security Impact: Insecure SNMP configuration

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Discovery & 
Dependency Mapping Inventory (DDMI) running on Windows. The vulnerability could 
be exploited remotely to allow unauthorized read-only access to the data 
available via the SNMP protocol.

References: CVE-2011-0890

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Discovery & Dependency Mapping Inventory (DDMI) running on Windows v7.50, 
v7.51, v7.60, v7.61, v7.70 and v9.30

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference       Base Vector                    Base Score
  CVE-2011-0890   (AV:N/AC:L/Au:N/C:P/I:N/A:P)   4.9
===
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

The vulnerability can be resolved by ensuring that the SNMP read community 
string is set to a secure value.

Securing the Windows SNMP service

DDMI requires the Windows SNMP service for its operation. If necessary, DDMI 
will install and configure the Windows SNMP service using the Windows default 
security settings. As a result, the SNMP read community string may be set to 
public.

To modify the default security configuration of the Windows SNMP service:

Open the Windows Services Control Panel applet, select Administrative Tools and 
then select Services.
Select the SNMP Service, right click on it and select Properties and navigate 
to the Security tab.
Amend the security settings as required to change the default read community 
string to a value other than public.
Add the updated read community string to the appropriate DDM Inventory SNMP 
profile.

Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: security-al...@hp.com
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-al...@hp.com
  Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.

To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to 
maintain system integrity. HP is continually reviewing and enhancing the 
security features of software products to provide customers with current secure 
solutions.

"HP is broadly distributing this Security Bulletin in order to bring to the 
attention of users of the affected HP products the important security 
information contained in this Bulletin. HP recommends that all users determine 
the applicability of this information to their individual situations and take 
appropriate action. HP does not warrant that this information is necessarily 
accurate or complete for all user situations and, consequently, HP will not be 
responsible for any damages resulting from user's use or disregard of the 
i

Apple HFS+ Information Disclosure Vulnerability

2011-03-22 Thread VSR Advisories


 VSR Security Advisory
   http://www.vsecurity.com/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Apple HFS+ Information Disclosure Vulnerability
 Release Date: 2011-03-22
  Application: Apple OS X kernel (XNU)
 Versions: All versions <= xnu-1504.7.4
 Severity: Medium
   Author: Dan Rosenberg  
Vendor Status: Patch Released [2]
CVE Candidate: CVE-2011-0180
Reference: http://www.vsecurity.com/resources/advisory/20110322-1/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
-------------------
From [1]:

 "Beneath the appealing, easy-to-use interface of Mac OS X is a rock-solid,
  UNIX-based foundation that is engineered for stability, reliability, and
  performance.  The kernel environment is built on top of Mach 3.0 and provides
  high-performance networking facilities and support for multiple, integrated
  file systems."


Vulnerability Overview
----------------------

On June 30th, VSR identified a vulnerability in HFS+, a filesystem implemented
in the OS X XNU kernel.  HFS+ is the default filesystem in use on many
installations of the Mac OS X operating system.  By exploiting this
vulnerability, an unprivileged user with local access to a machine using HFS+
may be able to read raw filesystem data, bypassing file permissions and
resulting in information disclosure.


Vulnerability Details
---------------------

Users may interact with the filesystem using the standard ioctl interface.
HFS+ features an ioctl called F_READBOOTSTRAP that allows unprivileged users to
read raw data from an HFS+ filesystem.  The ioctl intends to ensure that this
data is restricted to the first 1024 bytes, where bootstrap information is
stored.  However, due to an integer overflow in the code that attempts to
enforce this restriction, it is possible for an unprivileged user to use this
ioctl to read large portions of filesystem data outside of this byte range,
leading to an information disclosure vulnerability.

The vulnerable check reads as follows, in bsd/hfs/hfs_readwrite.c:

    if (user_bootstrapp->fbt_offset + user_bootstrapp->fbt_length > 1024)
        return EINVAL;

If a user provides values for the fbt_offset and fbt_length members such that
their sum overflows and wraps around to an integer less than 1024, portions of
filesystem data outside the intended range will be read and returned to the
user.
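As an added illustration (not code from the advisory, from the hfs-dump.c exploit, or from XNU), the vulnerable check quoted above next to an overflow-safe form, with the two structure members passed as plain values. The field types are an assumption here: fbt_offset is modelled as a signed 64-bit off_t and fbt_length as an unsigned 64-bit size_t, so the sum is evaluated in unsigned arithmetic and can wrap.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Limit the ioctl intends to enforce: bootstrap data lives in the first 1024 bytes. */
#define BOOTSTRAP_LIMIT 1024

/*
 * Vulnerable form of the check quoted from hfs_readwrite.c. Types are assumed:
 * fbt_offset as a signed 64-bit off_t, fbt_length as an unsigned 64-bit size_t.
 * Under C's usual arithmetic conversions the signed offset is converted to
 * unsigned, so the sum wraps modulo 2^64 and a negative offset paired with a
 * matching length yields a "sum" of 0, which passes the 1024-byte test.
 */
int check_vulnerable(int64_t fbt_offset, uint64_t fbt_length)
{
    if (fbt_offset + fbt_length > BOOTSTRAP_LIMIT)
        return EINVAL;
    return 0;
}

/*
 * Overflow-safe form: bound each operand on its own, then express the range
 * test as a subtraction that cannot underflow, so no addition is ever
 * performed on unbounded user-controlled values. This is an illustrative
 * hardening written for this example, not Apple's patch.
 */
int check_hardened(int64_t fbt_offset, uint64_t fbt_length)
{
    if (fbt_offset < 0 || fbt_offset > BOOTSTRAP_LIMIT)
        return EINVAL;
    if (fbt_length > (uint64_t)(BOOTSTRAP_LIMIT - fbt_offset))
        return EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a legitimate read of the whole bootstrap area, an
       over-long read, a wrapping pair whose unsigned sum is exactly 0, and a
       pair that overshoots the limit by one byte. */
    struct { int64_t off; uint64_t len; } cases[] = {
        { 0, 1024 },
        { 0, 1025 },
        { -2048, 2048 },
        { 512, 513 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; ++i) {
        printf("offset=%lld length=%llu  vulnerable=%s  hardened=%s\n",
               (long long)cases[i].off, (unsigned long long)cases[i].len,
               check_vulnerable(cases[i].off, cases[i].len) ? "EINVAL" : "ok",
               check_hardened(cases[i].off, cases[i].len) ? "EINVAL" : "ok");
    }
    return 0;
}
```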


Proof-of-Concept Exploit
------------------------

VSR has developed a proof-of-concept exploit [3] to both demonstrate the
severity of this issue as well as allow users and administrators to verify the
existence of the vulnerability. The exploit leverages the integer overflow to
read arbitrary amounts of filesystem data at a negative offset from the end of
the filesystem.


Versions Affected
-----------------
Testing was performed on Darwin Kernel Version 10.4.0, xnu-1504.7.4~1, but
review of older source code suggests that all versions of OS X may be affected.


Vendor Response
---------------
The following timeline details Apple's response to the reported issue:

2010-07-01  Apple was provided a draft advisory
2010-07-02  Apple acknowledges receipt of advisory
2010-07-22  Request for confirmation of issue
2010-07-25  Apple confirms issue under investigation
2010-09-02  Request for status update
2010-09-02  Apple confirms fix is being tested
2010-10-13  Request for status update
2010-10-14  Apple confirms fix is planned for undetermined date
2010-11-16  Request for status update
2010-11-16  Apple confirms ship date is set for early 2011
2011-01-18  Request for status update
2011-01-18  Apple confirms ship date for early April
2011-03-21  Apple publishes fix

Apple's advisory may be obtained at:
   http://support.apple.com/kb/HT4581


Recommendation
--------------
Apply the fix provided by Apple's OS X security update [2].


Common Vulnerabilities and Exposures (CVE) Information
------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2011-0180 to this issue.  This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

1. Darwin and Core Technologies
   http://developer.apple.com/mac/library/documentation/MacOSX/Conceptual/OSX_Technology_Overview/SystemTechnology/SystemTechnology.html

2. Apple Security Update 2011-001
   http://support.apple.com/kb/HT4581

3. HFS+ F_READBOOTSTRAP information disclosure exploit
   http://www.vsecurity.com/download/tools/hfs-dump.c

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory is distributed for educa

ZDI-11-109: (Pwn2Own) Apple Safari OfficeArtBlip Parsing Remote Code Execution Vulnerability

2011-03-22 Thread ZDI Disclosures
ZDI-11-109: (Pwn2Own) Apple Safari OfficeArtBlip Parsing Remote Code Execution 
Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-109

March 22, 2011

-- CVE ID:
CVE-2011-1417

-- CVSS:
9.7, (AV:N/AC:L/Au:N/C:C/I:C/A:P)

-- Affected Vendors:
Apple

-- Affected Products:
Apple Safari

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10639. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple Safari on the iPhone. User interaction
is required to exploit this vulnerability in that the target must visit
a malicious page or open a malicious file.

The specific flaw exists within the support for parsing Office files.
When handling the OfficeArtMetafileHeader the process trusts the cbSize
field and performs arithmetic on it before making an allocation. As the
result is not checked for overflow, the subsequent allocation can be
undersized. Later when copying into this buffer, memory can be corrupted
leading to arbitrary code execution under the context of the mobile user
on the iPhone.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:

http://support.apple.com/kb/HT4581

-- Disclosure Timeline:
2011-03-09 - Vulnerability reported to vendor
2011-03-22 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Charlie Miller and Dion Blazakis

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi


ZDI-11-108: Mac OS X Compact Font Format Decoder Remote Code Execution Vulnerability

2011-03-22 Thread ZDI Disclosures
ZDI-11-108: Mac OS X Compact Font Format Decoder Remote Code Execution 
Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-108

March 22, 2011

-- CVE ID:
CVE-2011-0176 

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Apple

-- Affected Products:
Apple Preview

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10952. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Mac OS X's CFF Decoder. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within how the Type1Scaler library processes a
specially formatted compact font file. When processing this file, the
application will corrupt memory outside the bounds of an allocated
buffer. This can lead to code execution under the context of the
application that utilizes the library.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:

http://support.apple.com/kb/HT4581

-- Disclosure Timeline:
2010-12-01 - Vulnerability reported to vendor
2011-03-22 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* geekable



NGS00052 Patch Notification: Apple Mac OS X Image RAW Multiple Buffer Overflows

2011-03-22 Thread Research@NGSSecure
Apple Mac OS X Image RAW Multiple Buffer Overflows

22/03/2011

Paul Harrington of NGS Secure has discovered a High risk vulnerability in Mac 
OS X Image RAW. Multiple buffer overflow issues existed in Image RAW's handling 
of Canon RAW images. Viewing a maliciously crafted Canon RAW image may result 
in an unexpected application termination or arbitrary code execution.

Versions affected include:

Mac OS X v10.6 through v10.6.6, Mac OS X Server v10.6 through v10.6.6 with 
RawCamera.bundle < 3.6

Apple has released a patches that addresses the issue. The announcement of the 
patches can be found here:

http://support.apple.com/kb/DL1357
http://support.apple.com/kb/HT4581

NGS Secure is going to withhold details of this flaw for three months. This 
three month window will allow users the time needed to apply the patch before 
the details are released to the general public. This reflects the NGS Secure 
approach to responsible disclosure.

NGS Secure Research
http://www.ngssecure.com


Research@NGSSecure
NGS Secure
Website: www.ngssecure.com
Email:  resea...@ngssecure.com



This email is sent for and on behalf of NGS Secure Limited (Registered in 
England CRN: 04474600). The ultimate holding company is NCC Group plc 
(Registered in England CRN: 4627044). Registered Office: Manchester Technology 
Centre, Oxford Road, Manchester, M1 7EF

Confidentiality: This e-mail contains proprietary information, some or all of 
which may be confidential and/or legally privileged. It is for the intended 
recipient only. If an addressing or transmission error has misdirected this 
e-mail, please notify the author by replying to this e-mail and then delete the 
original. If you are not the intended recipient you may not use, disclose, 
distribute, copy, print or rely on any information contained in this e-mail. 
You must not inform any other person other than NCC Group or the sender of its 
existence.

For more information about NGS Secure please visit 
www.ngssecure.com



NGS00016 Technical Advisory: Immunity Debugger Buffer Overflow

2011-03-22 Thread Research@NGSSecure
===
Summary
===
Name: Immunity Debugger Buffer Overflow
Release Date: 22 March 2011
Reference: NGS00016
Discoverer: Paul Harrington
Vendor: Immunity Inc
Vendor Reference: Support #3171
Systems Affected: Windows
Risk: Low
Status: Fixed


TimeLine

Discovered: 28 October 2010
Released: 28 October 2010
Approved: 28 October 2010
Reported: 28 October 2010
Fixed:  6 December 2010
Published: 22 March 2011

===
Description
===
Immunity Debugger V1.73 contains a buffer overflow vulnerability in its HTTP 
update mechanism.

=
Technical Details
=
It is possible to spoof communications between the Immunity Debugger and its 
update servers at immunityinc.com.
By sending a specially crafted large HTTP reply it is possible to cause the 
Immunity Debugger to trigger the buffer overflow:

00487161  EB 02          JMP SHORT Immunity.00487165
00487163  8BD8           MOV EBX,EAX
00487165  8B83 2C06      MOV EAX,DWORD PTR DS:[EBX+62C]   <--- crash occurs here, EBX = 0x42424242
0048716B  85C0           TEST EAX,EAX

Care should be taken if using the Immunity Debugger as your JIT debugger not to 
get into a crash/debug/crash loop!
Various CPU Registers are overwritten, which could potentially result in remote 
code execution.

===
Fix Information
===
Immunity Inc has released an updated version of the debugger, which can be 
downloaded from the following URL:

http://debugger.immunityinc.com/


NGS Secure Research
http://www.ngssecure.com




CMS Balitbang 3.3 Arbitrary File Upload Vulnerability

2011-03-22 Thread eidelweiss
===
CMS Balitbang v.3.3 Arbitrary file upload vulnerability
===

Software:   CMS Balitbang
Vendor: www.kajianwebsite.org
Vuln Type:  Arbitrary file upload
Download link:  http://www.kajianwebsite.org/download/CMS%20versi%203.3.zip
Author: eidelweiss
contact:eidelweiss[at]windowslive[dot]com
Home:   www.eidelweiss.info
Gratz:  xx_user , kuris , and YOU !!!
   
References: 
http://eidelweiss-advisories.blogspot.com/2011/03/cms-balitbang-v-33-arbitary-file-upload.html
   
   
===
 
description:
CMS Balitbang is a content management system for educational websites.
Its name is not really CMS Balitbang, but because this CMS was developed by 
Balitbang Kemendiknas (the research and development agency of the Indonesian 
Ministry of National Education) it became better known as CMS Balitbang. CMS 
Balitbang is intended for the Indonesian education sector, especially for 
schools that do not yet have a website of their own. Going forward, Balitbang 
hopes that every school in Indonesia will have a web-based information system 
that many people can access.
 
--
Vulnerability details:
 
CMS Balitbang uses an old version of FCKeditor for file uploads by all users. 
The old version of FCKeditor has a known vulnerability: an attacker may be able 
to upload arbitrary files containing malicious PHP code because multiple file 
extensions are not properly checked.
Here is the code:
 
/webtemp/functions/editor/filemanager/connectors/php/config.php
 
global $Config ;

// SECURITY: You must explicitly enable this "connector". (Set it to "true").
// WARNING: don't just set "$Config['Enabled'] = true ;", you must be sure that only
//          authenticated users can access this file or use some kind of session checking.
$Config['Enabled'] = true ; // <= 1

---

// Path to user files relative to the document root.
$Config['UserFilesPath'] = 'http://localhost/webtemp/userfiles/' ;  // <= here is the path where the attacker's file or shell backdoor will be placed.

// following setting enabled.
$Config['ForceSingleExtension'] = true ;// <= 2

$Config['AllowedExtensions']['File']= array('7z', 'aiff', 'asf', 'avi', 
'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 
'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 
'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 
'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 
'xls', 'xml', 'zip') ;   // <= 3
 
---
 
With the default configuration of this script, an attacker may be able to 
upload arbitrary files containing malicious PHP code, because multiple file 
extensions are not properly checked.
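As an added example (not code from CMS Balitbang or from FCKeditor), a validator that checks every dot-separated extension segment of an uploaded filename against the allow-list, rather than only the last one, plus a sanitiser doing what a working ForceSingleExtension should do. The allow-list here is an assumed subset of the AllowedExtensions['File'] array above, and the sample filenames are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed subset of the connector's AllowedExtensions['File'] list. */
static const char *const allowed_ext[] = {
    "7z", "avi", "bmp", "csv", "doc", "gif", "gz", "jpeg", "jpg", "pdf",
    "png", "tar", "tgz", "txt", "xls", "zip", NULL
};

/* Case-insensitive comparison of a length-delimited segment with one entry. */
static bool segment_equals(const char *seg, size_t len, const char *ext)
{
    if (strlen(ext) != len)
        return false;
    for (size_t i = 0; i < len; ++i)
        if (tolower((unsigned char)seg[i]) != tolower((unsigned char)ext[i]))
            return false;
    return true;
}

static bool extension_allowed(const char *seg, size_t len)
{
    for (const char *const *p = allowed_ext; *p != NULL; ++p)
        if (segment_equals(seg, len, *p))
            return true;
    return false;
}

/*
 * Allow-list check over EVERY segment after the base name, not just the last.
 * "shell.php.jpg" is rejected because "php" is not listed, even though "jpg"
 * is; "archive.tar.gz" passes because both segments are listed. A name with
 * no extension, a leading dot, or an empty segment (trailing dot) is rejected.
 */
bool upload_name_allowed(const char *name)
{
    const char *dot = strchr(name, '.');
    if (dot == NULL || dot == name)
        return false;
    while (dot != NULL) {
        const char *seg = dot + 1;
        const char *next = strchr(seg, '.');
        size_t len = next ? (size_t)(next - seg) : strlen(seg);
        if (len == 0 || !extension_allowed(seg, len))
            return false;
        dot = next;
    }
    return true;
}

/*
 * What ForceSingleExtension is meant to achieve: keep only the final extension
 * and replace every earlier dot with '_', so a web server that honours
 * multiple extensions never sees "php" as one of them. Returns false when the
 * output buffer is too small.
 */
bool force_single_extension(const char *name, char *out, size_t outlen)
{
    size_t n = strlen(name);
    const char *last = strrchr(name, '.');
    if (n + 1 > outlen)
        return false;
    for (size_t i = 0; i < n; ++i)
        out[i] = (name[i] == '.' && &name[i] != last) ? '_' : name[i];
    out[n] = '\0';
    return true;
}

int main(void)
{
    /* Constructed sample filenames. */
    const char *samples[] = { "photo.jpg", "shell.php.jpg", "shell.php",
                              "archive.tar.gz", "notes.TXT", ".htaccess" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i) {
        force_single_extension(samples[i], buf, sizeof buf);
        printf("%-16s allowed=%-3s single-extension form=%s\n", samples[i],
               upload_name_allowed(samples[i]) ? "yes" : "no", buf);
    }
    return 0;
}
```

The two functions are complementary: the sanitiser turns "shell.php.jpg" into "shell_php.jpg", which the allow-list check then accepts as a plain image name.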
 
 
--
 
exploit & p0c
   
[!] 
http://host//webtemp/functions/editor/filemanager/connectors/uploadtest.html
// upload your file here
or
[!] 
http://host/path_to_CMSBalitbang/functions/editor/filemanager/connectors/uploadtest.html
 
your shell or file will be placed here
 
[!] http://localhost/webtemp/userfiles/ <= here
   
   

   
Nothing Impossible In This World Even Nobody`s Perfect
   
===
   
==| -=[ E0F ]=- |==


NGS00014 Technical Advisory: Cisco IPSec VPN Implementation Group Name Enumeration

2011-03-22 Thread Research@NGSSecure
===
Summary
===
Name: Cisco IPSec VPN Implementation Group Name Enumeration
Release Date: 22 March 2011
Reference: NGS00014
Discoverer: Gavin Jones
Vendor: Cisco
Vendor Reference: CSCei51783, CSCtj96108
Systems Affected: Cisco ASA 5500 Series Adaptive Security Appliances; Cisco PIX 500 
Series Security Appliances; Cisco VPN 3000 Series Concentrators (models 3005, 
3015, 3020, 3030, 3060, and 3080)
Risk: Low
Status: Published


TimeLine

Discovered: 20 March 2009
Released:  8 November 2010
Approved:  8 November 2010
Reported:  8 November 2010
Fixed:  1 December 2010
Published: 22 March 2011

===
Description
===
Due to the device(s) returning differing responses to IKE requests it is 
possible to enumerate valid group names from the VPN device(s).  With the 
correct group name the pre-shared key can then be captured and a brute-force 
attack carried out off-line.

=
Technical Details
=
This output shows an aggressive query against the device specifying an invalid 
group:

Starting ike-scan 1.9 with 1 hosts
(http://www.nta-monitor.com/tools/ike-scan/)

10.1.0.1   Aggressive Mode Handshake returned
 HDR=(CKY-R=d508a1efacad8015)
 SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=XAUTH LifeType=Seconds
LifeDuration=28800)
 KeyExchange(128 bytes)
 Nonce(20 bytes)
 ID(Type=ID_FQDN, Value=Pix.domain.com)
 Hash(20 bytes)
 VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
 VID=09002689dfd6b712 (XAUTH)
 VID=4048b7d56ebce88525e7de7f00d6c2d3c000 (IKE Fragmentation)
 VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)

Ending ike-scan 1.9: 1 hosts scanned in 0.031 seconds (32.62 hosts/sec).  1
returned handshake; 0 returned notify

The above request is then repeated with a valid group name and as can be seen 
the response is different:

Starting ike-scan 1.9 with 1 hosts
(http://www.nta-monitor.com/tools/ike-scan/)
10.1.0.1   Aggressive Mode Handshake returned
 HDR=(CKY-R=4fa4cf45d5039335)
 SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=XAUTH LifeType=Seconds
LifeDuration=28800)
 KeyExchange(128 bytes)
 Nonce(20 bytes)
 ID(Type=ID_FQDN, Value=Pix.domain.com)
 Hash(20 bytes)
 VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
 VID=09002689dfd6b712 (XAUTH)
 VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
 VID=4048b7d56ebce88525e7de7f00d6c2d3c000 (IKE Fragmentation)
 VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)

Ending ike-scan 1.9: 1 hosts scanned in 0.031 seconds (32.19 hosts/sec).  1
returned handshake; 0 returned notify

As can be seen above, the request with the valid group name has an additional 
field contained in the response:

VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

By checking the responses for this additional VID it is possible to enumerate 
the valid group name.

This has been replicated in testing against a number of PIX based devices and 
with the valid group name the PSK can then be collected and cracked using 
psk-crack.

===
Fix Information
===
Cisco has released a patch that addresses the issue. The announcement of this 
patch can be found here:

http://www.cisco.com/en/US/products/products_security_response09186a0080b5992c.html

Patches can be downloaded from Cisco's online support portal at:

http://www.cisco.com


NGS Secure Research
http://www.ngssecure.com




iDefense Security Advisory 03.21.11: Apple OfficeImport Framework Excel Memory Corruption Vulnerability

2011-03-22 Thread labs-no-reply
iDefense Security Advisory 03.21.11
http://labs.idefense.com/intelligence/vulnerabilities/
Mar 21, 2011

I. BACKGROUND

The OfficeImport framework is an API used by Apple's mobile devices,
including the iPod Touch, iPhone, and iPad. The framework is used to
parse and display Microsoft Office file formats, such as Excel, Word,
and PowerPoint. The OfficeImport framework is used by several
applications, including MobileMail and MobileSafari. Both of these
applications are attack vectors for this vulnerability. For more
information, see the vendor's site found at the following link.

http://www.apple.com/iphone/softwareupdate/

II. DESCRIPTION

Remote exploitation of a memory corruption vulnerability in Apple Inc.'s
OfficeImport framework could allow an attacker to execute arbitrary code
with the privileges of the current user.

The vulnerability occurs when parsing an Excel file with a certain
maliciously constructed record. This record is used to describe a
formula that is shared between multiple cells. In this record, the
'formula' field is used to specify the formula used. By corrupting
certain opcodes within this formula it is possible to trigger a memory
corruption vulnerability. This can lead to the execution of arbitrary
code.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user opening the file. To exploit this
vulnerability, an attacker has several attack vectors. The most
dangerous vector is through MobileSafari, which will automatically open
and parse Office files embedded in Web pages. This behavior is similar
to Microsoft Office 2000 in that it enables drive-by style attacks
without any user-interaction beyond visiting a Web page (no file open
dialog is displayed, the file is simply opened). Additionally, an
attacker can e-mail a targeted user and attach a malicious file. The
user will then have to view the e-mail and attachment with MobileMail
to trigger the vulnerability.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in
OfficeFramework running on the following devices:

iPod Touch, iOS 3.1.3
iPad, iOS 3.2.2

Apple has reported Mac OS X and OS X Server 10.6 through 10.6.6
vulnerable.

V. WORKAROUND

iDefense is currently unaware of any workaround for this issue.

VI. VENDOR RESPONSE

Apple Inc. has released patches that address this issue. For more
information, consult their advisory at the following URL:

http://support.apple.com/kb/HT4581

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2011-0184 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

01/07/2011  Initial Vendor Notification
01/07/2011  Initial Vendor Reply
03/21/2011  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Tobias Klein.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2011 Verisign

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerserv...@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.


ZDI-11-107: Libtiff ThunderCode Decoder THUNDER_2BITDELTAS Remote Code Execution Vulnerability

2011-03-22 Thread ZDI Disclosures
ZDI-11-107: Libtiff ThunderCode Decoder THUNDER_2BITDELTAS Remote Code 
Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-107

March 21, 2011

-- CVE ID:
CVE-2011-1167 

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Libtiff

-- Affected Products:
Libtiff libtiff

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10729. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of libtiff. User interaction is required to
exploit this vulnerability in that the target must visit a malicious
page or open a malicious file.

The specific flaw exists within the implementation of the ThunderDecode
codec. While decoding a particular code within a row, the decoder fails
to account for the total expanded size of the row. This can cause a
heap-based buffer overflow, which can lead to code execution in the
context of the application using the library.
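The check the advisory implies, as an added illustration that is neither libtiff's code nor ZDI's: a constructed ThunderScan-style row decoder that models only the run and 2-bit-delta opcodes, and bounds the expanded pixel count against the row buffer on every write, including each of the up-to-three writes a single delta byte can produce. The opcode encoding, the skip value and the delta table are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed example, not libtiff's decoder. Each input byte carries a
 * 2-bit opcode in its top bits and a 6-bit payload; only the run and the
 * 2-bit-delta opcodes named in the advisory are modelled. */
#define CODE_MASK      0xc0
#define CODE_RUN       0x00 /* repeat the last pixel N times (N = payload) */
#define CODE_2BITDELTA 0x40 /* three 2-bit deltas, each emitting one pixel */
#define DELTA2_SKIP    2    /* assumed: this delta value emits no pixel    */

static const int delta2[4] = { 0, 1, 0, -1 }; /* assumed delta table */

/* Expands one encoded row into out[0..maxpixels), one 4-bit pixel per byte.
 * Returns the pixel count, or -1 when the input would expand past
 * maxpixels: the condition the advisory describes, rejected here rather
 * than written past the end of the row buffer. */
long decode_thunder_row(const uint8_t *in, size_t inlen,
                        uint8_t *out, size_t maxpixels)
{
    size_t npixels = 0;
    uint8_t lastpixel = 0;
    for (size_t i = 0; i < inlen; i++) {
        uint8_t n = in[i];
        switch (n & CODE_MASK) {
        case CODE_RUN: {
            size_t run = n & 0x3f;
            /* Bound the whole run before touching the buffer. */
            if (run > maxpixels - npixels) return -1;
            memset(out + npixels, lastpixel, run);
            npixels += run;
            break;
        }
        case CODE_2BITDELTA:
            /* One byte may emit up to three pixels; each write needs its own check. */
            for (int shift = 4; shift >= 0; shift -= 2) {
                unsigned d = (n >> shift) & 3;
                if (d == DELTA2_SKIP) continue;
                if (npixels >= maxpixels) return -1;
                lastpixel = (uint8_t)((lastpixel + delta2[d]) & 0x0f);
                out[npixels++] = lastpixel;
            }
            break;
        default:
            return -1; /* remaining opcodes are not modelled here */
        }
    }
    return (long)npixels;
}
```

With a four-pixel row, the constructed input 0x41 0x02 (three delta pixels followed by a run of two) is rejected instead of overflowing; 0x41 0x01 fills the row exactly.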

-- Vendor Response:
Libtiff has issued an update to correct this vulnerability. More
details can be found at:

http://bugzilla.maptools.org/show_bug.cgi?id=2300

-- Disclosure Timeline:
2011-01-21 - Vulnerability reported to vendor
2011-03-21 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Martin Barbella

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi


NGS00057 Patch Notification: Apple Mac OS X ImageIO Integer Overflow

2011-03-22 Thread Research@NGSSecure
Apple Mac OS X ImageIO Integer Overflow

22/03/2011

Dominic Chell of NGS Secure has discovered a High risk vulnerability in Mac OS 
X ImageIO. An integer overflow issue exists in ImageIO's handling of 
JPEG-encoded TIFF images. Viewing a maliciously crafted TIFF image may result 
in an unexpected application termination or arbitrary code execution.

Versions affected include:

Mac OS X v10.6 through v10.6.6, Mac OS X Server v10.6 through v10.6.6. This 
issue does not affect systems prior to Mac OS X v10.6.

Apple has released a patch that addresses the issue. The announcement of this 
patch can be found here:

http://support.apple.com/kb/HT4581

NGS Secure is going to withhold details of this flaw for three months. This 
three month window will allow users the time needed to apply the patch before 
the details are released to the general public. This reflects the NGS Secure 
approach to responsible disclosure.

NGS Secure Research
http://www.ngssecure.com






Research@NGSSecure

NGS Secure

Website: www.ngssecure.com
Email:  resea...@ngssecure.com



This email is sent for and on behalf of NGS Secure Limited (Registered in 
England CRN: 04474600). The ultimate holding company is NCC Group plc 
(Registered in England CRN: 4627044). Registered Office: Manchester Technology 
Centre, Oxford Road, Manchester, M1 7EF

Confidentiality: This e-mail contains proprietary information, some or all of 
which may be confidential and/or legally privileged. It is for the intended 
recipient only. If an addressing or transmission error has misdirected this 
e-mail, please notify the author by replying to this e-mail and then delete the 
original. If you are not the intended recipient you may not use, disclose, 
distribute, copy, print or rely on any information contained in this e-mail. 
You must not inform any other person other than NCC Group or the sender of its 
existence.

For more information about NGS Secure please visit 
www.ngssecure.com



[SECURITY] [DSA 2197-1] quagga security update

2011-03-22 Thread Florian Weimer

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2197-1                   secur...@debian.org
http://www.debian.org/security/                           Florian Weimer
March 21, 2011                         http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package: quagga
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2010-1674 CVE-2010-1675

It has been discovered that the Quagga routing daemon contains two
denial-of-service vulnerabilities in its BGP implementation:

CVE-2010-1674
A crafted Extended Communities attribute triggers a null
pointer dereference which causes the BGP daemon to crash.
The crafted attributes are not propagated by the Internet
core, so only explicitly configured direct peers are able
to exploit this vulnerability in typical configurations.

CVE-2010-1675
The BGP daemon resets BGP sessions when it encounters
malformed AS_PATHLIMIT attributes, introducing a distributed
BGP session reset vulnerability which disrupts packet
forwarding.  Such malformed attributes are propagated by the
Internet core, and exploitation of this vulnerability is not
restricted to directly configured BGP peers.

This security update removes AS_PATHLIMIT processing from the BGP
implementation, preserving the configuration statements for backwards
compatibility.  (Standardization of this BGP extension was abandoned
long ago.)

For the oldstable distribution (lenny), these problems have been fixed
in version 0.99.10-1lenny5.

For the stable distribution (squeeze), these problems have been fixed
in version 0.99.17-2+squeeze2.

For the testing distribution (wheezy) and the unstable distribution
(sid), these problems will be fixed soon.

We recommend that you upgrade your quagga packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



Re: Vulnerabilities in some SCADA server softwares

2011-03-22 Thread Luigi Auriemma
> At what point in time did you try contacting any of the vendors for
> these issues?

the vendors of the affected softwares have not been contacted.


> How do you propose a manufacturer fix an issue?

in the security field a public vulnerability is a dead vulnerability,
anyone who has found and released at least one security bug in his life
knows it and knows to what I refer.

90% of the job of fixing a bug is just finding it first; I have even
shown the details, the causes and the ways to replicate them.


> Where in any of your advisories did you take the time to let a company
> know: "hey you guys have some potential issues, here they are!!!"

I have done it in the exact moment that I have uploaded my advisories on
my website, making anyone aware of the problems, including the same
vendors that now can fix them.


--- 
Luigi Auriemma
http://aluigi.org


Re: Vulnerabilities in some SCADA server softwares

2011-03-22 Thread J. Oquendo
On 3/21/2011 12:16 PM, Luigi Auriemma wrote:
> The following are almost all the vulnerabilities I found for a quick
> experiment some months ago in certain well known server-side SCADA
> softwares still vulnerable in this moment.

At what point in time did you try contacting any of the vendors for
these issues?

Analogy: Car owner has his car speed up, ending up in a near
catastrophe. Car owner goes to media outlets condemning the
manufacturer: "How could you be so reckless! Thousands of lives..."
Reality: Car manufacturer was never made aware of the issue. How do you
propose a manufacturer fix an issue?

Where in any of your advisories did you take the time to let a company
know: "hey you guys have some potential issues, here they are!!!"


-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF