[ MDVSA-2012:042 ] wireshark
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2012:042
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : wireshark
 Date    : March 28, 2012
 Affected: 2011.
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities were found and corrected in Wireshark:

 * The ANSI A dissector could dereference a NULL pointer and crash.
 * The IEEE 802.11 dissector could go into an infinite loop.
 * The pcap and pcap-ng file parsers could crash trying to read ERF data.
 * The MP2T dissector could try to allocate too much memory and crash.

 This advisory provides the latest version of Wireshark (1.6.6) which is
 not vulnerable to these issues.
 _______________________________________________________________________

 References:

 http://www.wireshark.org/security/wnpa-sec-2012-04.html
 http://www.wireshark.org/security/wnpa-sec-2012-05.html
 http://www.wireshark.org/security/wnpa-sec-2012-06.html
 http://www.wireshark.org/security/wnpa-sec-2012-07.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2011:
 ea021ca036ceb38f1530e5387df5dcc5  2011/i586/dumpcap-1.6.6-0.1-mdv2011.0.i586.rpm
 9cfa609402a364a43128893c75ac3e65  2011/i586/libwireshark1-1.6.6-0.1-mdv2011.0.i586.rpm
 c1247647ebcb69eaced064db72fec93d  2011/i586/libwireshark-devel-1.6.6-0.1-mdv2011.0.i586.rpm
 c3cd964180dc7a64083c6d1b94ff4f46  2011/i586/rawshark-1.6.6-0.1-mdv2011.0.i586.rpm
 387e8977955d381243f66709e80cc586  2011/i586/tshark-1.6.6-0.1-mdv2011.0.i586.rpm
 03bcfb73c00cd43d34f9edeceea2f571  2011/i586/wireshark-1.6.6-0.1-mdv2011.0.i586.rpm
 2bd6ffb92d2b8251fad0b7b22c93f37e  2011/i586/wireshark-tools-1.6.6-0.1-mdv2011.0.i586.rpm
 ab444f989bf59113ff0e900a7087dbd5  2011/SRPMS/wireshark-1.6.6-0.1.src.rpm

 Mandriva Linux 2011/X86_64:
 e474457135acb1652912a4f1b0afab19  2011/x86_64/dumpcap-1.6.6-0.1-mdv2011.0.x86_64.rpm
 630b3f5e05d4361181f0af5502c3a35e  2011/x86_64/lib64wireshark1-1.6.6-0.1-mdv2011.0.x86_64.rpm
 e6c12c75778ee83283abf9bec3beb435  2011/x86_64/lib64wireshark-devel-1.6.6-0.1-mdv2011.0.x86_64.rpm
 f67c069153d5a1959343b072b936ea5c  2011/x86_64/rawshark-1.6.6-0.1-mdv2011.0.x86_64.rpm
 878a5fa2fed2df8f58f5242c9745  2011/x86_64/tshark-1.6.6-0.1-mdv2011.0.x86_64.rpm
 406544bfb3241f6f02e52761e0b30fd1  2011/x86_64/wireshark-1.6.6-0.1-mdv2011.0.x86_64.rpm
 32eb71abbd26ca7a68a2a9b8a66b9fd8  2011/x86_64/wireshark-tools-1.6.6-0.1-mdv2011.0.x86_64.rpm
 ab444f989bf59113ff0e900a7087dbd5  2011/SRPMS/wireshark-1.6.6-0.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFPcurMmqjQ0CJFipgRAiERAKC8XoWF9RE0GBQEsnn79s5/dlyUAQCfT1yC
O9926o+K6ALAdK3jC2VqnBw=
=qAaT
-----END PGP SIGNATURE-----
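The advisory says urpmi and MandrivaUpdate verify the md5 checksums and GPG signatures for you; when packages are fetched by hand, the same check has to be done explicitly. The script below is an added example, not Mandriva tooling: it parses "hash path" entries in the advisory's own format and verifies files under a download directory. It carries two real entries from the list above (the x86_64 tshark line is reproduced as it appears on this page, with only 28 hex digits, so the script shows why a malformed list entry must be reported as such rather than silently scored as a mismatch) plus one constructed entry whose hash is the MD5 of an empty file. The directory layout built by demo() is constructed.

```python
"""Verify downloaded Mandriva packages against the md5 list in MDVSA-2012:042.
Added example, not Mandriva tooling: urpmi and MandrivaUpdate do this (and the
GPG signature check) automatically. The file layout built by demo() is constructed."""
import hashlib
import os
import re
import tempfile

# Two lines copied from the advisory's "Updated Packages" list, plus one
# constructed entry whose hash is MD5 of the empty file. The x86_64 tshark
# line is as it appears on the page: 28 hex digits, i.e. a damaged checksum.
ADVISORY_LIST = """\
387e8977955d381243f66709e80cc586 2011/i586/tshark-1.6.6-0.1-mdv2011.0.i586.rpm
878a5fa2fed2df8f58f5242c9745 2011/x86_64/tshark-1.6.6-0.1-mdv2011.0.x86_64.rpm
d41d8cd98f00b204e9800998ecf8427e 2011/i586/constructed-empty-example.rpm
"""

ENTRY_RE = re.compile(r"^([0-9A-Fa-f]+)\s+(\S+\.rpm)$")


def parse_list(text):
    """Yield (hash, relative path, well_formed). A hash that is not 32 hex
    digits is kept but flagged, so it is reported, not silently 'mismatched'."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            digest = m.group(1).lower()
            yield digest, m.group(2), len(digest) == 32


def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(list_text, root):
    """Return {relative path: OK | MISMATCH | MISSING | BAD_HASH_IN_LIST}."""
    status = {}
    for digest, rel, well_formed in parse_list(list_text):
        full = os.path.join(root, rel)
        if not well_formed:
            status[rel] = "BAD_HASH_IN_LIST"
        elif not os.path.isfile(full):
            status[rel] = "MISSING"
        elif md5_file(full) == digest:
            status[rel] = "OK"
        else:
            status[rel] = "MISMATCH"
    return status


def demo():
    """Constructed download directory: an empty file for the constructed entry,
    junk bytes in place of the i586 tshark rpm, nothing for the x86_64 one."""
    root = tempfile.mkdtemp()
    files = {
        "2011/i586/constructed-empty-example.rpm": b"",
        "2011/i586/tshark-1.6.6-0.1-mdv2011.0.i586.rpm": b"not the real package",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return verify(ADVISORY_LIST, root)


if __name__ == "__main__":
    for rel, st in demo().items():
        print(st.ljust(16), rel)
```

The md5 list only proves that what was downloaded matches what the advisory lists; what binds the list to Mandriva is the PGP signature over the advisory (key 0x22458A98, as given above), so check that signature before trusting any hash in it. A BAD_HASH_IN_LIST result means the copy of the advisory is damaged; re-fetch the advisory rather than guessing the missing digits.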
[security bulletin] HPSBMU02747 SSRT100771 rev.1 - HP OpenView Network Node Manager (OV NNM) Running Apache Tomcat, Remote Denial of Service (DoS)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03231290
Version: 1

HPSBMU02747 SSRT100771 rev.1 - HP OpenView Network Node Manager (OV NNM) Running Apache Tomcat, Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2012-03-27
Last Updated: 2012-03-27

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM) running Apache Tomcat. The vulnerabilities could be exploited remotely to create a Denial of Service (DoS).

References: CVE-2012-0022, CVE-2011-4858

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP OpenView Network Node Manager (OV NNM) v7.53 running on HP-UX, Linux, and Solaris.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference           Base Vector                Base Score
CVE-2012-0022        (AV:N/AC:L/Au:N/C:N/I:N/A:P)      5.0
CVE-2011-4858        (AV:N/AC:L/Au:N/C:N/I:N/A:P)      5.0
===========================================================
 Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided a hotfix to resolve the vulnerability. The SSRT100771 hotfix is available by contacting the normal HP Services support channel.

MANUAL ACTIONS: Yes - NonUpdate
Install the hotfix for SSRT100771.

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS (for HP-UX)

For HP-UX OV NNM 7.53

HP-UX B.11.31
HP-UX B.11.23 (IA)
HP-UX B.11.23 (PA)
HP-UX B.11.11
===================
OVNNMgr.OVNNM-RUN,fr=B.07.50.00
action: install the hotfix for SSRT100771

END AFFECTED VERSIONS (for HP-UX)

HISTORY
Version:1 (rev.1) - 27 March 2012 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2012 Hewlett-Packard Development Company, L.P.

Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided as is without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk9xzvoACgkQ4B86/C0qfVkxnwCfdMnKaD1xMTP0Y/kvlgBOExuL
iPAAnAkQrExylafaMMM6BD+/uRFoAFfS
=CxxM
-----END PGP SIGNATURE-----
[security bulletin] HPSBMU02748 SSRT100772 rev.1 - HP OpenView Network Node Manager (OV NNM) Running Apache HTTP Server, Remote Unauthorized Disclosure of Information, Unauthorized Modification, Denial of Service (DoS)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03231301
Version: 1

HPSBMU02748 SSRT100772 rev.1 - HP OpenView Network Node Manager (OV NNM) Running Apache HTTP Server, Remote Unauthorized Disclosure of Information, Unauthorized Modification, Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2012-03-27
Last Updated: 2012-03-27

Potential Security Impact: Remote unauthorized disclosure of information, unauthorized modification, Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM) running Apache HTTP Server. The vulnerabilities could be exploited remotely resulting in unauthorized disclosure of information, unauthorized modification, or Denial of Service (DoS).

References: CVE-2012-0053, CVE-2012-0031, CVE-2012-0021, CVE-2011-4317, CVE-2011-3607, CVE-2011-3368

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP OpenView Network Node Manager (OV NNM) v7.53 running on HP-UX, Linux, and Solaris.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference           Base Vector                Base Score
CVE-2012-0053        (AV:N/AC:M/Au:N/C:P/I:N/A:N)      4.3
CVE-2012-0031        (AV:L/AC:L/Au:N/C:P/I:P/A:P)      4.6
CVE-2012-0021        (AV:N/AC:H/Au:N/C:N/I:N/A:P)      2.6
CVE-2011-4317        (AV:N/AC:M/Au:N/C:N/I:P/A:N)      4.3
CVE-2011-3607        (AV:L/AC:M/Au:N/C:P/I:P/A:P)      4.4
CVE-2011-3368        (AV:N/AC:L/Au:N/C:P/I:N/A:N)      5.0
===========================================================
 Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided a hotfix to resolve the vulnerabilities. The SSRT100772 hotfix is available by contacting the normal HP Services support channel.

MANUAL ACTIONS: Yes - NonUpdate
Install the hotfix for SSRT100772.

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS (for HP-UX)

For HP-UX OV NNM 7.53

HP-UX B.11.31
HP-UX B.11.23 (IA)
HP-UX B.11.23 (PA)
HP-UX B.11.11
===================
OVNNMgr.OVNNM-RUN,fr=B.07.50.00
action: install the hotfix for SSRT100772

END AFFECTED VERSIONS (for HP-UX)

HISTORY
Version:1 (rev.1) - 27 March 2012 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2012 Hewlett-Packard Development Company, L.P.

Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided as is without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice.
[security bulletin] HPSBMU02744 SSRT100776 rev.2 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Unauthorized Disclosure of Information
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03223954
Version: 2

HPSBMU02744 SSRT100776 rev.2 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Unauthorized Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2012-03-07
Last Updated: 2012-03-27

Potential Security Impact: Remote unauthorized disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows. The vulnerability could be remotely exploited resulting in unauthorized disclosure of information.

References: CVE-2007-1858

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP Network Node Manager i (NNMi) v8.x, v9.0x, v9.1x for HP-UX, Linux, Solaris, and Windows

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference           Base Vector                Base Score
CVE-2007-1858        (AV:N/AC:H/Au:N/C:P/I:N/A:N)      2.6
===========================================================
 Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following procedure available to resolve the vulnerability.

Back up the appropriate file to another directory.

%NnmInstallDir%\nonOV\jboss\nms\server\nms\deploy\jboss-web.deployer\server.xml [Windows]
$NnmInstallDir/nonOV/jboss/nms/server/nms/deploy/jboss-web.deployer/server.xml [HP-UX, Linux, Solaris]

Edit the original server.xml file.

Add the following to the end of the SSL Connector entry. The entry must be one continuous string with no line breaks.

ciphers=TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA

For example, in NNMi v9.10 the entry would be:

<Connector port="${jboss.https.port}" ... ciphers="..."/>

Save and verify

Save the file.
Stop and restart NNMi.
Bring up the UI to verify that NNMi is still functioning correctly.

MANUAL ACTIONS: Yes - NonUpdate
Edit the server.xml file as described above.

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS (for HP-UX)

HP-UX B.11.31
HP-UX B.11.23 (IA)
===================
HPOvNNM.HPNMSJBOSS
action: edit the server.xml file as described in the Resolution

END AFFECTED VERSIONS (for HP-UX)

HISTORY
Version:1 (rev.1) - 7 March 2012 Initial release
Version:2 (rev.2) - 27 March 2012 Corrected Windows path

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2012 Hewlett-Packard Development Company, L.P.

Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided as is without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for
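The fix in HPSBMU02744 is a configuration change, so the useful follow-up check is whether server.xml actually ended up with an explicit, single-line cipher list and nothing weak in it. The script below is an added example, not HP's or NNMi's own code: it parses a server.xml, finds the SSL Connector(s), and reports a Connector that has no ciphers attribute (JVM defaults in effect, the pre-fix state), one whose ciphers value contains whitespace (the bulletin's "one continuous string, no line breaks" requirement), or one that lists a suite with anonymous key exchange, null encryption, export-grade keys or RC4. The sample XML is constructed; only the port expression comes from the bulletin, and the weak-suite markers are this example's own choice, not something the bulletin defines.

```python
"""Audit a JBoss/Tomcat server.xml for the cipher restriction HPSBMU02744
applies to the NNMi SSL Connector (CVE-2007-1858). Added example, not HP code."""
import re
import xml.etree.ElementTree as ET

# The ciphers value HP's bulletin instructs adding to the SSL Connector.
HP_CIPHERS = (
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,"
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
)

# Suite-name fragments marking what an explicit list exists to exclude
# (assumption of this example): anonymous key exchange, null encryption,
# export-grade keys, RC4.
WEAK_MARKERS = ("_anon_", "_NULL_", "_EXPORT", "_RC4_")

# Constructed sample, not NNMi's shipped file. The port expression is the one
# quoted in the bulletin; the other attributes are typical Tomcat 5.5 settings.
BEFORE_XML = """<Server>
  <Service name="jboss.web">
    <Connector port="${jboss.https.port}" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>"""

# The same file after the bulletin's edit: ciphers appended as one continuous string.
AFTER_XML = BEFORE_XML.replace(
    'sslProtocol="TLS"/>', f'sslProtocol="TLS" ciphers="{HP_CIPHERS}"/>')


def is_ssl_connector(conn):
    """Tomcat marks an SSL connector by scheme/sslProtocol or, later, SSLEnabled."""
    return (conn.get("scheme", "").lower() == "https"
            or conn.get("SSLEnabled", "").lower() == "true"
            or conn.get("sslProtocol") is not None)


def audit_server_xml(text):
    """Return {port: [problems]} for each SSL Connector. An empty list means it
    carries an explicit, single-line cipher list containing no weak suite."""
    report = {}
    for conn in ET.fromstring(text).iter("Connector"):
        if not is_ssl_connector(conn):
            continue
        problems = []
        raw = conn.get("ciphers")
        if raw is None:
            problems.append("no ciphers attribute; JVM default suite list is in effect")
        else:
            # The XML parser turns line breaks inside an attribute into spaces,
            # so any whitespace here means the value was not one continuous string.
            if re.search(r"\s", raw):
                problems.append("whitespace inside ciphers value; must be one continuous string")
            for suite in (s.strip() for s in raw.split(",") if s.strip()):
                if any(m in suite for m in WEAK_MARKERS):
                    problems.append("weak suite listed: " + suite)
        report[conn.get("port", "?")] = problems
    return report


if __name__ == "__main__":
    for label, doc in (("before", BEFORE_XML), ("after", AFTER_XML)):
        print(label, audit_server_xml(doc))
```

Run it against the backed-up copy and the edited file to confirm the edit landed on the SSL Connector and not on the plain HTTP one. The audit only reads the file; it deliberately does not rewrite server.xml, because re-serialising through an XML library drops comments and formatting that JBoss administrators rely on, and the bulletin's procedure is a manual edit followed by a restart and a UI check.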
[security bulletin] HPSBUX02755 SSRT100667 rev.1 - HP-UX WBEM, Remote Unauthorized Access to Diagnostic Data
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03221589
Version: 1

HPSBUX02755 SSRT100667 rev.1 - HP-UX WBEM, Remote Unauthorized Access to Diagnostic Data

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2012-03-27
Last Updated: 2012-03-27

Potential Security Impact: Unauthorized access to diagnostic data

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with certain HP-UX WBEM components. The vulnerability could be exploited remotely in HP-UX 11.11 and HP-UX 11.23 to gain unauthorized access to diagnostic data. The vulnerability could be exploited locally in HP-UX 11.31 to gain unauthorized access to diagnostic data.

References: CVE-2012-0125 (HP-UX 11.31), CVE-2012-0126 (HP-UX 11.11 and HP-UX 11.23)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP-UX 11.31 ProviderSvcsBase before C.07.00.08.02
HP-UX 11.31 SysFaultMgmt before C.07.06.03.01
HP-UX 11.31 DASProvider before B.11.31.1203.07.02
HP-UX 11.31 FCProvider before B.11.31.1203.06.02
HP-UX 11.31 RAIDSAProvider before B.11.31.1203.06.02
HP-UX 11.31 SASProvider before B.11.31.1203.05.02
HP-UX 11.23 SysFaultMgmt before B.07.06.01.02
HP-UX 11.11 SysFaultMgmt before A.04.04.03.02

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference           Base Vector                Base Score
CVE-2012-0125        (AV:L/AC:M/Au:S/C:P/I:P/A:N)      3.0
CVE-2012-0126        (AV:N/AC:M/Au:N/C:P/I:P/A:N)      5.8
===========================================================
 Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

Note: The root cause of the vulnerability is the same for HP-UX 11.11, 11.23, and 11.31. However, the vulnerable feature cannot be accessed remotely in HP-UX 11.31.

RESOLUTION

HP has provided the following to resolve the vulnerability.

HP-UX 11i v3 (HP-UX 11.31)
WBEMMgmtBundle C.03.01 or subsequent is available for download here:
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=WBEMMgmtBundle

HP-UX 11i v2 (HP-UX 11.23)
SysFaultMgmt B.07.06.01.02 or subsequent is available for download here:
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=SysFaultMgmt

HP-UX 11i v1 (HP-UX 11.11)
SysFaultMgmt A.04.04.03.02 or subsequent is available for download here:
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=SysFaultMgmt

MANUAL ACTIONS: Yes - Update
Install the update as listed above.

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS (for HP-UX)

HP-UX B.11.31
==================
SFM-CORE.SFM_PRO_PA
SFM-CORE.SFM_PRO_IA
SFM-CORE.CPU-TEST-IA
SFM-CORE.CTR_PRO_COMM
SFM-CORE.CTR_PRO_COREIA
SFM-CORE.CTR_PRO_COREPA
SFM-CORE.EMT_COREIA
SFM-CORE.EMT_COREPA
SFM-CORE.EMT_DOC
SFM-CORE.EVM_PRO_COMM
SFM-CORE.EVM_PRO_COREIA
SFM-CORE.EVM_PRO_COREPA
SFM-CORE.EVWEB_COMM
SFM-CORE.EVWEB_COREIA
SFM-CORE.EVWEB_COREPA
SFM-CORE.EVWEB_DOC
SFM-CORE.EVWEB_GUI_COMM
SFM-CORE.EVWEB_GUI_IA
SFM-CORE.EVWEB_GUI_PA
SFM-CORE.FMD_PRO_COMM
SFM-CORE.FMD_PRO_COREIA
SFM-CORE.FMD_PRO_COREPA
action: install revision C.07.06.03 or subsequent

HP-UX B.11.31
==================
SFM-JOEM-CORE.SFM_PRO_JOEM
SFM-JOEM-CORE.CTR_PRO_JOEM
SFM-JOEM-CORE.EMT_CORE_JOEM
SFM-JOEM-CORE.EMT_DOC_JOEM
SFM-JOEM-CORE.EMT_MAN_JOEM
SFM-JOEM-CORE.EVM_PRO_JOEM
SFM-JOEM-CORE.EVWEB_COR_JOEM
SFM-JOEM-CORE.EVWEB_DOC_JOEM
SFM-JOEM-CORE.EVWEB_GUI_JOEM
SFM-JOEM-CORE.EVWEB_MAN_JOEM
SFM-JOEM-CORE.FMD_PRO_JOEM
SFM-JOEM-CORE.GS_JOEM
SFM-JOEM-CORE.MISC_CORE_JOEM
SFM-JOEM-CORE.SFM_JOEM_MAN
SFM-JOEM-CORE.SFM_PRO_JOEM
SFM-JOEM-CORE.SFM_PRO_JOEM
action: install revision C.07.06.03 or subsequent

HP-UX B.11.31
==================
RAIDSA-PROVIDER.RAIDSA-PROV-RUN
action: install revision B.11.31.1203.06.02 or subsequent

HP-UX B.11.31
==================
WBEMP-Storage.STORAGE-IP-LIB
WBEMP-Storage.STORAGE-IP-RUN
WBEMP-Storage.STORAGE-LWE-RUN
WBEMP-Storage.STORAGE-PROV-LIB
WBEMP-Storage.STORAGE-PROV-RUN
action: install revision B.11.31.1203.07.02 or subsequent

HP-UX B.11.31
==================
WBEMP-FCP.CSP-LIB
WBEMP-FCP.CSP-LIB
WBEMP-FCP.CSP-RUN
WBEMP-FCP.FCP-IP-LIB
WBEMP-FCP.FCP-IP-LIB
WBEMP-FCP.FCP-IP-RUN
WBEMP-FCP.FCP-IP-RUN
WBEMP-FCP.FCP-LIB
WBEMP-FCP.FCP-LIB
WBEMP-FCP.FCP-NIP-LIB
WBEMP-FCP.FCP-NIP-RUN
WBEMP-FCP.FCP-RUN
action: install revision B.11.31.1203.06.02 or subsequent

HP-UX B.11.31
[security bulletin] HPSBMU02756 SSRT100596 rev.1 - HP Performance Manager Running on HP-UX, Linux, Solaris and Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03255321
Version: 1

HPSBMU02756 SSRT100596 rev.1 - HP Performance Manager Running on HP-UX, Linux, Solaris and Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2012-03-27
Last Updated: 2012-03-27

Potential Security Impact: Remote execution of arbitrary code, Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Performance Manager running on HP-UX, Linux, Solaris, and Windows. The vulnerability could be exploited remotely to execute arbitrary code and to create a Denial of Service (DoS).

References: CVE-2012-0127, ZDI-CAN-1340

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP Performance Manager v9.00 running on HP-UX, Linux, Solaris, and Windows

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference           Base Vector                Base Score
CVE-2012-0127        (AV:N/AC:L/Au:N/C:C/I:C/A:C)     10.0
===========================================================
 Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Luigi Auriemma for working with the TippingPoint Zero Day Initiative to report this vulnerability to security-al...@hp.com.

RESOLUTION

HP has provided the following patches to resolve the vulnerability.

The patches are available here: http://support.openview.hp.com/selfsolve/patches

Operating System   Patch                      Document ID
HP-UX              PHSS_42753 or subsequent   KM1323069
Linux              HPPM9L_2 or subsequent     KM1323071
Solaris            HPPM9S_2 or subsequent     KM1323068
Windows            HPPM9W_2 or subsequent     KM1323075

MANUAL ACTIONS: No

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

HP-UX B.11.31
HP-UX B.11.23
==================
HPOvGC.HPOVGC
HPOvPM.HPOVPM
action: install PHSS_42753 or subsequent

END AFFECTED VERSIONS

HISTORY:
Version:1 (rev.1) - 27 March 2012 Initial Release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2012 Hewlett-Packard Development Company, L.P.

Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided as is without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein
Cisco Security Advisory: Cisco IOS Software RSVP Denial of Service Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Cisco IOS Software RSVP Denial of Service Vulnerability

Advisory ID: cisco-sa-20120328-rsvp

Revision 1.0

For Public Release 2012 March 28 16:00  UTC (GMT)
+--------------------------------------------------------------------

Summary
=======

Cisco IOS Software and Cisco IOS XE Software contain a vulnerability in the RSVP feature when used on a device configured with VPN routing and forwarding (VRF) instances. This vulnerability could allow an unauthenticated, remote attacker to cause an interface wedge, which can lead to loss of connectivity, loss of routing protocol adjacency, and other denial of service (DoS) conditions. This vulnerability could be exploited repeatedly to cause an extended DoS condition.

A workaround is available to mitigate this vulnerability.

Cisco has released free software updates that address this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-rsvp

Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.

Individual publication links are in Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html

Affected Products
=================

Vulnerable Products
+------------------

Only devices with specific configurations are affected. Cisco devices that are running affected Cisco IOS Software or Cisco IOS XE Software versions are vulnerable when they are configured with RSVP and also have one or more VRF interfaces.

A device is vulnerable if both of the following criteria are met:

  * At least one VRF is configured without RSVP
  * At least one other interface (physical or virtual), not in the same VRF, is configured with RSVP

Some example scenarios are as follows:

  * RSVP-Traffic Engineering (RSVP-TE) in Multiprotocol Label Switching (MPLS) infrastructures
  * Multi-VRF infrastructures
  * VRF-Lite infrastructures

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The image name displays in parentheses, followed by Version and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M:

    Router> show version
    Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Wed 02-Dec-09 17:17 by prod_rel_team

    !--- output truncated

Additional information about Cisco IOS Software release naming conventions is available in White Paper: Cisco IOS and NX-OS Software Reference Guide at:
http://www.cisco.com/web/about/security/intelligence/ios-ref.html

Products Confirmed Not Vulnerable
+--------------------------------

Cisco IOS-XR software is not affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Cisco IOS Software and Cisco IOS XE Software contain a vulnerability in the RSVP feature when used on a device configured with VPN routing and forwarding (VRF) instances. This vulnerability could allow an unauthenticated, remote attacker to cause an interface wedge, which can lead to loss of connectivity, loss of routing protocol adjacency, and other denial of service (DoS) conditions. This vulnerability could be exploited repeatedly to cause an extended DoS condition.

A device is vulnerable if it is configured with VRF and none of the interfaces in that VRF have RSVP enabled, but any other interface (physical or virtual) does have RSVP enabled.

An attacker with some knowledge of the affected infrastructure could exploit this vulnerability by sending RSVP packets to vulnerable devices. Successful exploitation of the vulnerability could allow an attacker to wedge the receive queue of any RSVP ingress interface.

A workaround is available to mitigate this vulnerability.

In devices that meet the vulnerable configuration criteria, valid RSVP packets could trigger this vulnerability. An attacker with knowledge
Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS Software Traffic Optimization Features
Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS Software Traffic Optimization Features

Advisory ID: cisco-sa-20120328-mace
Revision 1.0
For Public Release 2012 March 28 16:00 UTC (GMT)

Summary
=======

Cisco IOS Software contains a denial of service (DoS) vulnerability in the Wide Area Application Services (WAAS) Express feature that could allow an unauthenticated, remote attacker to cause the router to leak memory or to reload.

Cisco IOS Software also contains a DoS vulnerability in the Measurement, Aggregation, and Correlation Engine (MACE) feature that could allow an unauthenticated, remote attacker to cause the router to reload.

An attacker could exploit these vulnerabilities by sending transit traffic through a router configured with WAAS Express or MACE. Successful exploitation of these vulnerabilities could allow an unauthenticated, remote attacker to cause the router to leak memory or to reload. Repeated exploits could allow a sustained DoS condition.

Cisco has released free software updates that address these vulnerabilities.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-mace

Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.

Individual publication links are in "Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication" at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html

Affected Products
=================

Vulnerable Products
+------------------

Cisco devices that are running Cisco IOS Software are vulnerable when they are configured with the "mace enable" or "waas enable" interface configuration commands on one or more interfaces. Additional configuration is required for WAAS Express or MACE to be configured; more details follow.

Note: Cisco IOS Software is vulnerable only when configured for WAAS Express or MACE. Cisco IOS Software configured for WAAS, not WAAS Express, is not vulnerable.

For more information on WAAS Express, see http://www.cisco.com/en/US/products/ps11211/index.html.

For more information about MACE, see http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps11709/ps11671/guide_c07-664643.html.

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the "show version" command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software". The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the "show version" command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M:

    Router> show version
    Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Wed 02-Dec-09 17:17 by prod_rel_team

    !--- output truncated

Additional information about Cisco IOS Software release naming conventions is available in "White Paper: Cisco IOS and NX-OS Software Reference Guide" at http://www.cisco.com/web/about/security/intelligence/ios-ref.html.

Products Confirmed Not Vulnerable
+-------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

The Cisco Wide Area Application Services (WAAS) Express feature allows optimization of the WAN bandwidth required to access centrally located applications. WAAS Express allows the traffic to be optimized by a Cisco Integrated Services Router (ISR G2), with no other devices required.

The Cisco Measurement, Aggregation, and Correlation Engine (MACE) is a Cisco IOS feature that is used for measurement and analysis of network traffic. The feature may be used with WAAS Express to give details of optimized traffic or used by itself to help measure application performance.

Cisco IOS Software contains a DoS vulnerability in the WAAS Express feature that could allow an unauthenticated, remote attacker to cause the router to leak memory or to reload. This vulnerability is documented in Cisco bug ID CSCtt45381 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-1314.

Cisco IOS Software
Cisco Security Advisory: Cisco IOS Software Network Address Translation Vulnerability
Cisco Security Advisory: Cisco IOS Software Network Address Translation Vulnerability

Advisory ID: cisco-sa-20120328-nat
Revision 1.0
For Public Release 2012 March 28 16:00 UTC (GMT)

Summary
=======

The Cisco IOS Software Network Address Translation (NAT) feature contains a denial of service (DoS) vulnerability in the translation of Session Initiation Protocol (SIP) packets.

The vulnerability is caused when packets in transit on the vulnerable device require translation on the SIP payload.

Cisco has released free software updates that address this vulnerability. A workaround that mitigates the vulnerability is available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-nat

Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.

Individual publication links are in "Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication" at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html

Affected Products
=================

Vulnerable Products
+------------------

Cisco devices that are running Cisco IOS Software are vulnerable when they are configured for NAT and contain support for NAT for Session Initiation Protocol.

There are two methods to determine if a device is configured for NAT:

  * Determine if NAT is active on a running device.
  * Determine if NAT commands are included in the device configuration.

Determine if NAT is Active on a Running Device
+---------------------------------------------

The preferred method to verify whether NAT is enabled on a Cisco IOS device is to log in to the device and issue the "show ip nat statistics" command. If NAT is active, the sections "Outside interfaces" and "Inside interfaces" will each include at least one interface. The following example shows a device on which the NAT feature is active:

    Router#show ip nat statistics
    Total translations: 2 (0 static, 2 dynamic; 0 extended)
    Outside interfaces: Serial0
    Inside interfaces: Ethernet1
    Hits: 135  Misses: 5
    Expired translations: 2
    Dynamic mappings:
    -- Inside Source
    access-list 1 pool mypool refcount 2
     pool mypool: netmask 255.255.255.0
            start 192.168.10.1 end 192.168.10.254
            type generic, total addresses 14, allocated 2 (14%), misses 0

Depending on the Cisco IOS Software release, the interface lists can be in the lines following the "Outside interfaces" and "Inside interfaces". In releases that support the section filter on show commands, the administrator can determine whether NAT is active by using the "show ip nat statistics | section interfaces" command, as illustrated in the following example:

    Router> show ip nat statistics | section interfaces
    Outside interfaces:
      GigabitEthernet0/0
    Inside interfaces:
      GigabitEthernet0/1
    Router>

Determine if NAT Commands are Included in the Device Configuration
+-----------------------------------------------------------------

Alternatively, to determine whether NAT has been enabled in the Cisco IOS Software configuration, either the "ip nat inside" or "ip nat outside" commands must be present in different interfaces, or in the case of the NAT Virtual Interface, the "ip nat enable" interface command will be present.

Determine the Cisco IOS Software Release
+---------------------------------------

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the "show version" command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software". The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the "show version" command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M:

    Router> show version
    Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Wed 02-Dec-09 17:17 by prod_rel_team

    !--- output truncated

Additional information about Cisco IOS Software release naming conventions is available in "White Paper: Cisco IOS and NX-OS Software
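The vulnerable-configuration checks that the three Cisco advisories above describe (a VRF with no RSVP interface while RSVP runs on an interface outside it, "mace enable" or "waas enable" on an interface, NAT marked on interfaces) and the "show version" banner check they share, combined into one added Python audit of a running-config. This is example code written for this page, not Cisco's; the running-config sample is constructed, and treating any "ip rsvp ..." interface line as RSVP being configured, "ip vrf"/"vrf definition"/"ip vrf forwarding" as the VRF commands, and any single "ip nat inside"/"ip nat outside" line as NAT-configured (a deliberately conservative reading of the NAT advisory) are assumptions.

```python
import re

# Constructed sample banner and running-config in the formats the advisories show (not from a real device).
SHOW_VERSION = "Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)"
RUNNING_CONFIG = """\
ip vrf CUST-A
 rd 65000:1
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
 ip rsvp bandwidth 1000
!
interface GigabitEthernet0/1
 ip vrf forwarding CUST-A
 ip address 198.51.100.1 255.255.255.0
 ip nat inside
 mace enable
!
"""
VERSION_RE = re.compile(r"Cisco IOS Software, .*?\((?P<image>[^)]+)\), Version (?P<rel>[^,]+),")


def parse_show_version(banner):
    """Return (image name, release) from the 'show version' banner, or None if it is not Cisco IOS."""
    m = VERSION_RE.search(banner)
    return (m.group("image"), m.group("rel")) if m else None


def parse_config(config):
    """Return (set of defined VRF names, {interface name: [its indented commands]})."""
    vrfs, ifaces, cur = set(), {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif line.startswith((" ", "\t")) and cur is not None:
            ifaces[cur].append(line.strip())
        else:  # '!' or a global command ends the interface block
            cur = None
            m = re.match(r"(?:ip vrf|vrf definition) (\S+)", line)  # assumed VRF definition forms
            if m:
                vrfs.add(m.group(1))
    return vrfs, ifaces


def audit(config):
    """Apply the vulnerable-configuration criteria of the three advisories; returns matching VRFs/interfaces."""
    vrfs, ifaces = parse_config(config)
    vrf_of = {n: next((c.split()[-1] for c in cmds if c.startswith(("ip vrf forwarding ", "vrf forwarding "))), None)
              for n, cmds in ifaces.items()}  # None = global routing table
    rsvp_ifaces = {n for n, cmds in ifaces.items() if any(c.startswith("ip rsvp") for c in cmds)}
    # RSVP advisory: a VRF with no RSVP interface, while some interface outside that VRF has RSVP.
    rsvp_hit = [v for v in vrfs
                if not any(vrf_of[n] == v for n in rsvp_ifaces)
                and any(vrf_of[n] != v for n in rsvp_ifaces)]
    # cisco-sa-20120328-mace: 'mace enable' or 'waas enable' on any interface.
    mace_hit = [n for n, cmds in ifaces.items() if any(c in ("mace enable", "waas enable") for c in cmds)]
    # cisco-sa-20120328-nat (conservative): any interface marked inside/outside, or a NAT Virtual Interface.
    nat_hit = [n for n, cmds in ifaces.items()
               if any(c in ("ip nat inside", "ip nat outside", "ip nat enable") for c in cmds)]
    return {"rsvp_vrf": sorted(rsvp_hit), "mace_waas": sorted(mace_hit), "nat": sorted(nat_hit)}


if __name__ == "__main__":
    print(parse_show_version(SHOW_VERSION), audit(RUNNING_CONFIG))
```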
TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow
TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow

camera demo: http://67.203.184.58:9193/admin/view.cgi?profile=0
username=guest password=guest

Background:

The mentioned product, when browsing the device web interface, asks to install an ActiveX control to stream video content. It has the following settings:

File version:                             1, 1, 52, 18
Product name:                             UltraMJCam device ActiveX Control
Binary path:                              C:\WINDOWS\Downloaded Program Files\UltraMJCamX.ocx
ProgID:                                   UltraMJCam.UltraMJCam.1
CLSID:                                    {707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11}
Implements IObjectSafety:                 yes
Safe for Scripting (IObjectSafety):       True
Safe for Initialization (IObjectSafety):  True

Vulnerability:

This ActiveX control exposes the vulnerable OpenFileDlg() method, see typelib:

..
/* DISPID=101 */
/* VT_BSTR [8] */
function OpenFileDlg(
    /* VT_BSTR [8] [in] */ $sFilter
)
{
    /* method OpenFileDlg */
}
..

By invoking this method with an overlong argument it is possible to overflow a buffer. This is because of an insecure WideCharToMultiByte() call inside UltraMJCamX.ocx:

Call stack of main thread
Address   Stack     Procedure / arguments            Called from          Frame
001279FC  77E6F20B  kernel32.77E637DE                kernel32.77E6F206    00127A0C
00127A10  0299F958  kernel32.WideCharToMultiByte     UltraMJC.0299F952    00127A0C
00127A14  0003      CodePage = 3
00127A18            Options = 0
00127A1C  03835C5C  WideCharStr =
00127A20            WideCharCount = (-1.)
00127A24  00127A50  MultiByteStr = 00127A50
00127A28  7532      MultiByteCount = 7532 (30002.)
00127A2C            pDefaultChar = NULL
00127A30            pDefaultCharUsed = NULL
00127A3C  029B11D0  UltraMJC.0299F920                UltraMJC.029B11CB    00127A38

..
0299F934  8B45 08          mov eax,dword ptr ss:[ebp+8]
0299F937  C600 00          mov byte ptr ds:[eax],0
0299F93A  6A 00            push 0
0299F93C  6A 00            push 0
0299F93E  8B4D 10          mov ecx,dword ptr ss:[ebp+10]
0299F941  51               push ecx
0299F942  8B55 08          mov edx,dword ptr ss:[ebp+8]
0299F945  52               push edx
0299F946  6A FF            push -1
0299F948  8B45 0C          mov eax,dword ptr ss:[ebp+C]
0299F94B  50               push eax
0299F94C  6A 00            push 0
0299F94E  8B4D 14          mov ecx,dword ptr ss:[ebp+14]
0299F951  51               push ecx
0299F952  FF15 20319F02    call dword ptr ds:[KERNEL32.WideCharTo]   ; kernel32.WideCharToMultiByte
..

The result is that critical structures are overwritten (SEH), allowing execution of arbitrary code against the target browser.

As attachment, basic proof of concept code.

original url: http://retrogod.altervista.org/9sg_trendnet_adv.htm
poc: http://retrogod.altervista.org/9sg_trendnet_poc.htm
Quest InTrust 10.4.x Annotation Objects ActiveX Control AnnotateX.dll Uninitialized Pointer Remote Code Execution
Quest InTrust 10.4.x Annotation Objects ActiveX Control AnnotateX.dll Uninitialized Pointer Remote Code Execution

homepage: http://www.quest.com/intrust/

description:
InTrust securely collects, stores, reports and alerts on event log data from Windows, Unix and Linux systems, helping you comply with external regulations, internal policies and security best practices.

download url of a test version: http://www.quest.com/downloads/
file tested: Quest_InTrust---Full-Package_104.zip

Background:

The mentioned product installs an ActiveX control with the following settings:

binary path:                              C:\PROGRA~1\COMMON~1\SOFTWA~1\ANNOTA~1.DLL
CLSID:                                    {EF600D71-358F-11D1-8FD4-00AA00BD091C}
ProgID:                                   AnnotationX.AnnList.1
Implements IObjectSafety:                 Yes
Safe for Scripting (IObjectSafety):       True
Safe for Initialization (IObjectSafety):  True

According to the IObjectSafety interface it is safe for scripting and safe for initialization, so Internet Explorer will allow scripting of this control from remote.

Vulnerability:

By invoking the Add() method it is possible to call inside a memory region of choice set by the attacker through, e.g., heap spray or other techniques.

Example code:

<object classid='clsid:EF600D71-358F-11D1-8FD4-00AA00BD091C' id='obj'></object>
<script>
obj.Add(0x76767676,1);
</script>

..
eax=76767676 ebx=4401e51c ecx=01f85340 edx= esi=01f85340 edi=0001
eip=4400ae62 esp=015fd134 ebp=015fd140 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=  efl=00010202
ANNOTA_1+0xae62:
4400ae62 ff1485504a0244  call    dword ptr ANNOTA_1!DllUnregisterServer+0x19235 (44024a50)[eax*4] ds:0023:1ddc2428=
..

You are in control of eax: fully exploitable.

As attachment, proof of concept code.

original url: http://retrogod.altervista.org/9sg_quest_adv.htm
poc: http://retrogod.altervista.org/9sg_quest_poc.htm
D-Link SecuriCam DCS-5605 Network Surveillance ActiveX Control DcsCliCtrl.dll lstrcpyW Remote Buffer Overflow Vulnerability
D-Link SecuriCam DCS-5605 Network Surveillance ActiveX Control DcsCliCtrl.dll lstrcpyW Remote Buffer Overflow Vulnerability

tested against: Microsoft Windows Server 2003 r2 sp2, Internet Explorer 7/8

Live demo: http://203.125.227.70/eng/index.cgi
username: dlink
password: dlink

product homepage: http://www.d-link.com/products/?pid=771

product description:
The DCS-5605 is a high performance camera for professional surveillance and remote monitoring. This network camera features motorized pan, tilt, and optical/digital zoom for ultimate versatility. The 10x optical zoom lens delivers the level of detail necessary to identify faces, license plate numbers, and other important details that are difficult to clearly distinguish using digital zoom alone.

background:

When browsing the device web interface, the user is asked to install an ActiveX control to stream video content. This control has the following settings:

Description:                              Camera Stream Client Control
File version:                             1.0.0.4519
Binary path:                              C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
ProgID:                                   DcsCliCtrl.DCSStrmControl.1
GUID:                                     {721700FE-7F0E-49C5-BDED-CA92B7CB1245}
Implements IObjectSafety:                 Yes
Safe For Scripting (IObjectSafety):       True
Safe For Initialization (IObjectSafety):  True

Vulnerability:

The ActiveX control exposes the SelectDirectory() method, which supports one optional argument. See typelib:

..
/* DISPID=22 */
/* VT_BSTR [8] */
function SelectDirectory(
    /* VT_VARIANT [12] [in] */ $varDefPath
)
{
    /* method SelectDirectory */
}
..

This method suffers from a stack based buffer overflow vulnerability because of an unsafe lstrcpyW() call inside DcsCliCtrl.dll:

..
100712E0  81EC 3404        sub esp,434
100712E6  A1 2C841010      mov eax,dword ptr ds:[1010842C]
100712EB  33C4             xor eax,esp
100712ED  898424 3004      mov dword ptr ss:[esp+430],eax
100712F4  53               push ebx
100712F5  8B9C24 4804      mov ebx,dword ptr ss:[esp+448]
100712FC  55               push ebp
100712FD  8BAC24 4004      mov ebp,dword ptr ss:[esp+440]
10071304  56               push esi
10071305  8BB424 4C04      mov esi,dword ptr ss:[esp+44C]
1007130C  57               push edi
1007130D  8BBC24 4C04      mov edi,dword ptr ss:[esp+44C]
10071314  68 0802          push 208
10071319  8D4424 34        lea eax,dword ptr ss:[esp+34]
1007131D  6A 00            push 0
1007131F  50               push eax
10071320  E8 0BC40300      call DcsCliCt.100AD730
10071325  83C4 0C          add esp,0C
10071328  85F6             test esi,esi
1007132A  74 0C            je short DcsCliCt.10071338
1007132C  56               push esi
1007132D  8D4C24 34        lea ecx,dword ptr ss:[esp+34]
10071331  51               push ecx
10071332  FF15 D4D20C10    call dword ptr ds:[KERNEL32.lstrcpyW]   ; kernel32.lstrcpyW
..

An attacker could entice a remote user to browse a web page to gain control of the victim browser, by passing an overlong string to the mentioned method and overwriting critical structures (SEH).

As attachment, proof of concept code.

Note, to reproduce the wanted crash: when the SelectDirectory() method is called the user is asked to select a destination folder for the stream recorder. To set EIP to 0x0c0c0c0c select a folder of choice, then proceed. When clicking Cancel you have a useless crash; however, it could be possible that by modifying the poc you will have EIP overwritten as well.

I think that it is also possible that other products might carry this dll; I could post an update if I find more.

Additional note:

0:029> lm -vm DcsCliCtrl
start    end        module name
0845 0859e000   DcsCliCtrl   (deferred)
    Image path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
    Image name: DcsCliCtrl.dll
    Timestamp:        Thu Aug 19 08:48:47 2010 (4C6CD3CF)
    CheckSum:         001325EC
    ImageSize:        0014E000
    File version:     1.0.0.4519
    Product version:  1.0.0.1
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        .
    Translations:     0409.04e4
    ProductName:      Camera Streaming Client
    InternalName:     DcsCliCtrl.dll
    OriginalFilename: DcsCliCtrl.dll
    ProductVersion:   1.0.0.1
    FileVersion:      1.0.0.4519
    FileDescription:  Camera Stream Client Control
    LegalCopyright:   Copyright: (c) All rights reserved.

original url: http://retrogod.altervista.org/9sg_dlink_adv.htm
poc: http://retrogod.altervista.org/9sg_dlink_poc.htm