[ MDVSA-2012:121 ] libjpeg-turbo
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2012:121
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : libjpeg-turbo
 Date    : August 1, 2012
 Affected: 2011.
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been discovered and corrected in libjpeg-turbo:

 A heap-based buffer overflow was found in the way libjpeg-turbo
 decompressed certain corrupt JPEG images in which the component count
 was erroneously set to a large value. An attacker could create a
 specially-crafted JPEG image that, when opened, could cause an
 application using libjpeg-turbo to crash or, possibly, execute
 arbitrary code with the privileges of the user running the application
 (CVE-2012-2806).

 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2806
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2011:
 22126edfc4b866b219f44ba286d7bec7  2011/i586/jpeg-progs-1.1.1-1.1-mdv2011.0.i586.rpm
 983947719c5d2d72affaa12d7a212673  2011/i586/libjpeg62-1.1.1-1.1-mdv2011.0.i586.rpm
 855f23b907f2f2a20ec582668802af3b  2011/i586/libjpeg8-1.1.1-1.1-mdv2011.0.i586.rpm
 3713a686dd32c348b04f489b687671e0  2011/i586/libjpeg-devel-1.1.1-1.1-mdv2011.0.i586.rpm
 af33ccf8296bd218d364b5557c1284a9  2011/i586/libjpeg-static-devel-1.1.1-1.1-mdv2011.0.i586.rpm
 ec0ff59b860f30b96311e76e06c7e57f  2011/SRPMS/libjpeg-turbo-1.1.1-1.1.src.rpm

 Mandriva Linux 2011/X86_64:
 ffa20228c1de0d40df4ecab727c8826f  2011/x86_64/jpeg-progs-1.1.1-1.1-mdv2011.0.x86_64.rpm
 3d9e34e8e4250f9aa3a940d05b139acf  2011/x86_64/lib64jpeg62-1.1.1-1.1-mdv2011.0.x86_64.rpm
 eb25c0134c64bc23e92fff9b532c30ad  2011/x86_64/lib64jpeg8-1.1.1-1.1-mdv2011.0.x86_64.rpm
 0ccc1fefcf0320c387de3b6ab73ae91c  2011/x86_64/lib64jpeg-devel-1.1.1-1.1-mdv2011.0.x86_64.rpm
 f08cddd88a7eff5fe3bee4d5066ed605  2011/x86_64/lib64jpeg-static-devel-1.1.1-1.1-mdv2011.0.x86_64.rpm
 ec0ff59b860f30b96311e76e06c7e57f  2011/SRPMS/libjpeg-turbo-1.1.1-1.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.
 The verification of md5 checksums and GPG signatures is performed
 automatically for you. All packages are signed by Mandriva for security.
 You can obtain the GPG public key of the Mandriva Security Team by
 executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFQGXj+mqjQ0CJFipgRAuxPAKCGyQ5p4qifJ6qaFT7t0MRd3E5ZhwCfS+kb
iL34KoF66YEphT3u4ebV7ok=
=WI3g
-----END PGP SIGNATURE-----
[security bulletin] HPSBMU02796 SSRT100594 rev.3 - HP Operations Agent and HP Performance Agent for AIX, HP-UX, Linux, Solaris and Windows, Remote Execution of Arbitrary Code
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03397769

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03397769
Version: 3

HPSBMU02796 SSRT100594 rev.3 - HP Operations Agent and HP Performance Agent for AIX, HP-UX, Linux, Solaris and Windows, Remote Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2012-07-09
Last Updated: 2012-07-23

Potential Security Impact: Remote execution of arbitrary code

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Operations Agent and HP Performance Agent for AIX, HP-UX, Linux, Solaris, and Windows. The vulnerabilities could be remotely exploited resulting in the execution of arbitrary code.

References: SSRT100594, ZDI-CAN-1325, ZDI-12-114, CVE-2012-2019, SSRT100595, ZDI-CAN-1326, ZDI-12-115, CVE-2012-2020

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Operations Agent for AIX, HP-UX, Linux, Solaris, and Windows prior to v11.02
HP Operations Agent (classic) for AIX, HP-UX, Linux, Solaris, and Windows v8.6
HP Performance Agent (classic) for AIX, HP-UX, Linux, Solaris, and Windows v5.x

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2012-2019    (AV:N/AC:L/Au:N/C:C/I:C/A:C)       10.0
CVE-2012-2020    (AV:N/AC:L/Au:N/C:C/I:C/A:C)       10.0
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Luigi Auriemma for working with the TippingPoint Zero Day Initiative to report these vulnerabilities to security-al...@hp.com.

RESOLUTION

For HP Operations Agent v11 (includes HP Performance Agent) before v11.02

Note: As of v11 HP Operations Agent and HP Performance Agent are combined into a single product: HP Operations Agent.
HP has made patches available to resolve these vulnerabilities for HP Operations Agent v11. The patches can be downloaded from http://support.openview.hp.com/selfsolve/patches

Product          Patch
Agent AIX        OAAIX_3 or subsequent
Agent HPUX       OAHPUX_3 or subsequent
Agent LINUX      OALIN_3 or subsequent
Agent SOLARIS    OASOL_00301 or subsequent
Agent WINDOWS    OAWIN_3 or subsequent

Note: The table above lists the earliest patches that resolve the vulnerability. Later patches are available.

For HP Operations Agent v8.6 and HP Performance Agent 5.x

HP has made a hotfix available to resolve these vulnerabilities for HP Operations Agent v8.6 and HP Performance Agent 5.x. To obtain the hotfix, please contact HP Customer Support and request HOTFIX_CODA_2011-10-21_1.

MANUAL ACTIONS: Yes - NonUpdate

For HP Operations Agent v11 - Update to HP Operations Agent 11.02 or subsequent
For HP Operations Agent v8.6 and HP Performance Agent v5.x - Install HOTFIX_CODA_2011-10-21_1

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS

For HP Operations Agent v11

HP-UX B.11.31
HP-UX B.11.23
HP-UX B.11.11
===========
HPOvLcore.HPOVBBC
HPOvEa.HPOVAGTLC
HPOvLcore.HPOVCONF
HPOvLcore.HPOVCTRL
HPOvLcore.HPOVDEPL
HPOvEa.HPOVEAAGT
HPOvPerf.HPOVGLANC
HPOvPerf.HPOVPACC
HPOvPerf.HPOVPERFAGT
HPOvPerf.HPOVPERFMI
HPOvLcore.HPOVSECCC
HPOvLcore.HPOVSECCO
HPOvLcore.HPOVXPL
action: install OAHPUX_3 or subsequent

For HP Operations Agent v8.6 and HP Performance Agent v5.x

HP-UX B.11.31
HP-UX B.11.23
HP-UX B.11.11
===========
HPOvLcore.HPOVBBC
HPOvEa.HPOVAGTLC
HPOvLcore.HPOVCONF
HPOvLcore.HPOVCTRL
HPOvLcore.HPOVDEPL
HPOvEa.HPOVEAAGT
HPOvPerf.HPOVGLANC
HPOvPerf.HPOVPACC
HPOvPerf.HPOVPERFAGT
HPOvPerf.HPOVPERFMI
HPOvLcore.HPOVSECCC
HPOvLcore.HPOVSECCO
HPOvLcore.HPOVXPL
action: install HOTFIX_CODA_2011-10-21_1

END AFFECTED VERSIONS

HISTORY
Version:1 (rev.1) - 9 July 2012 Initial release
Version:2 (rev.2) - 12 July 2012 Added hotfix for v8.6, v11.02 is not vulnerable
Version:3 (rev.3) - 23 July 2012 Added HP Performance Agent

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support
Tekno.Portal v0.1b 'link.php' Blind SQL Injection Vulnerability
==============================================================
Tekno.Portal v0.1b - Blind SQL Injection in link.php
==============================================================

# Exploit Title: Tekno.Portal v0.1b 'link.php' Blind SQL Injection Vulnerability
# Date: 08-01-2012
# Author: Socket_0x03 (Alvaro J. Gene)
# Email: Socket_0x03 (at) teraexe (dot) com
# Website: www.teraexe.com
# Software Link: http://sourceforge.net/projects/teknoportal
# Vulnerable Application: Tekno.Portal
# Version: 0.1b
# Vulnerable File: link.php (kat parameter)
# Language: This application is available only in Turkish.
# Product Description: Tekno.Portal is a content management system (CMS) developed in PHP; a webmaster can use this application to manage files, store data, and more.

# Blind SQL Injection:

http://www.website.com/teknoportal/link.php?kat=[Blind SQL Injection]
Kaspersky Password Manager 5.0.0.164 - Software Filter Vulnerability
Title:
======
Kaspersky PM 5.0.0.164 - Software Filter Vulnerability

Date:
=====
2012-07-12

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=612

VL-ID:
=====
612

Common Vulnerability Scoring System:
====================================
3

Introduction:
=============
Kaspersky Password Manager is an indispensable tool for the active Internet user. It fully automates the process of entering passwords and other data into websites and saves the user going to the trouble of creating and remembering multiple passwords. When you use Kaspersky Password Manager to log in, you can rest assured that your data is safe. The software creates exceptionally strong passwords and prevents your login information from being stolen. All confidential data is encrypted and kept in a dedicated database on your computer. Kaspersky Password Manager makes your web experience safer, quicker and more convenient.

(Copy of the Vendor Homepage: www.kaspersky.com/us/kaspersky-password-manager )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a software filter validation vulnerability in Kaspersky's Password Manager v5.0.0.164.

Report-Timeline:
================
2012-07-12: Public or Non-Public Disclosure

Status:
========
Published

Affected Products:
==================
Kaspersky Labs
Product: Kaspersky Password Manager v5.0.0.164 & older versions

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
A software filter validation vulnerability is present in Kaspersky's Password Manager v5.0.0.164. The bug allows a (local) attacker to inject script code that is executed when a manipulated Kaspersky Password Manager database is exported. The vulnerability is located in the validation performed by the HTML/XML export module; the affected values are the name, domain/URL and comment (listing) fields of an entry. URLs of entries are embedded in the exported HTML file without encoding XML special characters, so when the URL (domain) field of an entry contains script code, that code is executed when the exported HTML file is opened in a browser.
Exploitation of the vulnerability requires a manipulated URL containing script code, a logging server (world-writable, chmod 777), a listing file and a Kaspersky PM v5.0.0.164 user. The payload is injected remotely (via the AutoFill engine), survives the local validation of the HTML/XML export, and is carried back out when the password list is transferred. The malicious URL/domain value can be injected automatically through imports/plugins (KPM AutoFill Engine v5.0.0.164) on the victim side, or manually (to reproduce) by entering it directly. Successful exploitation leads to stable (persistent) context manipulation, persistent phishing, execution of malware or theft of plaintext password lists. Medium user interaction is required to exploit the vulnerability.

Normally Kaspersky Password Manager exports the HTML/XML backup with a clean template like the following:

<tbody><tr class="MySplitterRow"><td colspan="2"> </td></tr>
<tr class="MyAccountNameRow">
<td align="right" width="150px">Name des Benutzerkontos: </td>
<td><b>test1</b></td>
</tr>
<tr><td align="right" valign="top">Link: </td>
<td valign="top">test4</td></tr>
<tr class="MySplitterRowLight"><td colspan="2"></td></tr>
<tr><td align="right" valign="top">Benutzername: <br>Kennwort: </td><td valign="top">test2<br>test3</td></tr>
<tr class="MySplitterRowLight"><td colspan="2"></td></tr>
<tr><td align="right" valign="top">Kommentar</td><td valign="top">test5</td></tr>
<tr class="MySplitterRow"><td colspan="2"> </td></tr>
<tr class="MySplitterRowWhite"><td colspan="2"> </td></tr>
</tbody></table></body></html>

The local attacker manipulates the database by placing malicious strings (script code) in the profile name input fields of a category item. Kaspersky Password Manager still generates the clean HTML or XML template, but once the script code has been stored persistently in the database profile name items, it is executed directly from the exported XML or HTML file:
<tr class="MyAccountNameRow">
<td align="right" width="150px">Name des Benutzerkontos: </td>
<td><b>"><iframe src="http://vulnerability-lab.com" onload=alert('VL') <="" b=""></td>
</tr>

Vulnerable Section(s):
				[+] Export & Import - Database Categories

Vulnerable Module(s):
				[+] HTML & XML

Vulnerable Parameter(s):
				[+] Benutzername (user name)
				[+] Kommentar (comment)
				[+] Vorname, Zweiter Vorname & Nachname (first name, middle name & last name)
				[+] Email, Stadt & Adresse (email, city & address)
				[+] Abteilung, Beruf & Webseite (department, occupation & website)
				[+] Link/Website/URL

Exploitation (Remote > Local > Local > Remote) Scenario:

1. Remote Attacker is sending the victim a manipulated login page (MITM/Browser or as Link) with script
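The export bug above comes down to missing output encoding: a database value is pasted into the HTML/XML template as-is. What follows is an added example and not Kaspersky's or Vulnerability-Lab's code: a C routine that escapes the XML special characters before a value goes into a template row, a row renderer that uses it, and a self-check that the value cell of a rendered row contains no raw markup. The row shape and the "Link:" label follow the template listing above; the iframe payload is a constructed stand-in modelled on the PoC, and the names xml_escape, render_row and value_cell_is_text are chosen here.

```c
/* Added example: output encoding for the HTML/XML export discussed above.
 * Not Kaspersky's code; template strings mimic the advisory's listing and
 * the payload used in demo/main is constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape the five characters that are special in XML/HTML so stored values
 * (URL, user name, comment, ...) are emitted as text, never as markup.
 * Returns the number of bytes written (excluding NUL), or -1 when out is
 * too small (out is then left empty). */
long xml_escape(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0)
        return -1;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (n + rl >= outsz) {          /* leave room for the NUL */
            out[0] = '\0';
            return -1;
        }
        memcpy(out + n, rep, rl);
        n += rl;
    }
    out[n] = '\0';
    return (long)n;
}

/* One row of the export template. The label is part of the trusted
 * template; the value comes from the database and is escaped first.
 * Returns bytes written or -1 on error/truncation. */
long render_row(const char *label, const char *value, char *out, size_t outsz)
{
    char esc[1024];
    if (xml_escape(value, esc, sizeof esc) < 0)
        return -1;
    int r = snprintf(out, outsz,
                     "<tr><td align=\"right\" valign=\"top\">%s</td>"
                     "<td valign=\"top\">%s</td></tr>", label, esc);
    if (r < 0 || (size_t)r >= outsz)
        return -1;
    return r;
}

/* Self-check on a rendered row: the value cell (the <td valign="top"> cell)
 * must contain no raw '<', otherwise a browser would parse the stored value
 * as markup. Returns 1 if the cell is inert text, 0 otherwise. */
int value_cell_is_text(const char *row)
{
    static const char open_tag[] = "<td valign=\"top\">";
    const char *cell = strstr(row, open_tag);
    if (!cell)
        return 0;
    cell += sizeof open_tag - 1;
    const char *close = strstr(cell, "</td>");
    if (!close)
        return 0;
    return memchr(cell, '<', (size_t)(close - cell)) == NULL;
}

/* Small wrappers so results can be checked without juggling buffers. */
int escape_equals(const char *in, const char *expected)
{
    char buf[1024];
    return xml_escape(in, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

int escape_fits(const char *in, size_t outsz)
{
    char buf[1024];
    if (outsz > sizeof buf)
        outsz = sizeof buf;
    return xml_escape(in, buf, outsz) >= 0;
}

int rendered_value_is_text(const char *value)
{
    char row[2048];
    return render_row("Link: ", value, row, sizeof row) > 0 && value_cell_is_text(row);
}

int main(void)
{
    /* Constructed payload in the shape of the advisory's PoC. */
    const char *payload = "\"><iframe src=\"http://vulnerability-lab.com\" onload=alert('VL')>";
    char row[2048];
    if (render_row("Link: ", payload, row, sizeof row) < 0)
        return 1;
    printf("%s\n%s\n", row, value_cell_is_text(row) ? "value is inert text" : "value is live markup");
    return 0;
}
```

Escaping belongs at the point where the value leaves the trusted data model and enters the document, not at input time: the AutoFill path in the advisory shows why input-side filtering alone is not enough, since the value can arrive through more than one route.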
My ROP mitigation
I have made a ROP mitigation method and want to share the idea with security researchers. The method is not a perfect mitigation, but it will annoy exploit writers. Part of this document may resemble some features of ROPGuard, the idea of the 2nd-place winner of the BlueHat Prize contest (I was also a BlueHat Prize contest entrant, but not a winner ^^). This document will help the reader understand some ROP mitigation features. I corrected some words and added comments to the original entry sent to the BlueHat Prize contest.

* I hold the intellectual property on the ideas in the document below. Do not use without permission.

http://ohojang.blogspot.com

Author: Young Jun Ko ( ohoj...@gmail.com )

Hardening WINAPI function calling for anti-exploiting

1. Prohibit direct WINAPI function calling via return address checking

- Background and algorithm

Almost all shellcode used in exploits calls WINAPI functions such as GetProcAddress() and CreateProcess(). The shellcode is usually located in a data memory region. Typically, a memory-attribute-changing function such as VirtualProtect() is first called via ROP so that some memory region gains the executable attribute, and execution then jumps to the shellcode. So any memory region that gains the executable attribute at run time may be shellcode.

Of course, JIT compilers and libraries loaded at run time also need executable memory. JIT differs from shellcode in how it calls WINAPI functions: JIT-generated code calls them indirectly, not directly. For example, JIT code does not call GetProcAddress() directly, whereas almost all shellcode does. So the return address seen by a WINAPI function is never inside the JIT memory region. As for libraries loaded at run time, the load address is typically above 0x7000 (i.e. in the 0x7xxxxxxx range where system DLLs are normally mapped on 32-bit Windows), which is higher than the usual data (heap) addresses. Simply put, if a WINAPI function sees a return address above 0x7000, we can assume the call was made by a loaded library.
If a library is loaded below 0x7000, the return address of a WINAPI function called from it is also below 0x7000, and the call would be misjudged as not coming from a loaded library. This error can be corrected easily by searching the Ldr entries in the PEB.

Considering the above, a simple mitigation can be made:

a. Choose some WINAPI functions used by almost all shellcode (for example GetProcAddress(), CreateProcess(), OpenFile()). I call these chosen WINAPI functions Return-Check functions.

b. Keep track of all memory regions that gain the executable attribute at run time. Hooking VirtualProtect(), VirtualAlloc() and CreateFileMapping() can be used to accomplish this.

c. When a Return-Check function is called, it checks its return address. If the return address is not a library or module address, the call is illegal.

- Effect and bypassing

Bypassing this mitigation is relatively easy: an indirect WINAPI call can be made by reusing payload code that already exists inside the victim process. But this means the shellcode must be specific to the victim program; the attacker must build a calling chain similar to a ROP chain, so universal and simple shellcode cannot be used.

- Proof of concept code

return-check.cpp (must be compiled and executed in Visual Studio 2010 Premium, Debug mode!!!)

Comment

This concept is useful for call-chain restriction as well. Suppose there is a restriction that check() must call API() during execution and API() must return to check(): API() checks whether its own return address lies within check()'s address range. Here check() can be some security check function, and API() some system API function. Malicious code cannot call API() directly. A smarter attacker can use ROP chaining to bypass this (without calling check(), call API() and return to somewhere inside check()). Nevertheless, if check() and API() are written specially, the ROP attack will fail too. (I think there are many possible ways besides my method; it is up to you.)

2. Hardening ROP chaining

- Background and algorithm

Preventing ROP is relatively easy with compiler support, but without it, detecting ROP is very difficult. Execution flow driven by a ROP chain can make a WINAPI function call, and recently almost all exploit code uses ROP to call VirtualProtect(). But ROP chaining after the WINAPI call can be made harder, and by making ROP chaining harder, shellcode development costs more.

Assume that VirtualProtect()'s function address is 0x7000. To call the function at 0x7000 via ROP, the stack must be prepared like this:

    0x7000   <--- sp (stack pointer just before executing RET)

After executing RET, the stack layout changes like this:

             <--- sp (stack pointer)
    0x7000

VirtualProtect()'s function address can be found on the stack in the above case. By checking stack value at just
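As an added illustration of steps (a)-(c) of item 1 above: this is not the author's return-check.cpp and it does not use the Windows API, but a portable C model of the same idea. A hook on the memory-attribute functions would record every region that gained execute rights (step b); a Return-Check entry point then refuses the call when its return address lies inside one of those regions (step c). Note the variation: the author's rule rejects any return address that is not a library or module address, whereas this model flags return addresses inside runtime-executable regions, which is the complement of that rule once the PEB Ldr walk is in place. The VirtualProtect()/VirtualAlloc()/GetProcAddress() hooks and the Ldr walk are assumed and not implemented; g_fake_heap stands in for a heap buffer that just became executable; all function names are chosen here; __builtin_return_address requires GCC or Clang.

```c
/* Added example of item 1 (return-address checking). Not the author's
 * return-check.cpp; portable model, no Windows API. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_EXEC_REGIONS 64

typedef struct {
    uintptr_t start;   /* first byte of the region */
    uintptr_t end;     /* one past the last byte */
} exec_region_t;

static exec_region_t g_regions[MAX_EXEC_REGIONS];
static size_t g_nregions = 0;

/* Step (b): record a region that just gained execute rights. A hook on
 * VirtualProtect()/VirtualAlloc()/CreateFileMapping() would call this
 * (hook assumed, not implemented). 0 on success, -1 if full or empty. */
int track_exec_region(const void *addr, size_t len)
{
    if (len == 0 || g_nregions >= MAX_EXEC_REGIONS)
        return -1;
    g_regions[g_nregions].start = (uintptr_t)addr;
    g_regions[g_nregions].end   = (uintptr_t)addr + len;
    g_nregions++;
    return 0;
}

/* Forget a region (the hook saw it lose execute rights or get freed).
 * Returns 1 if an entry starting at addr was removed, 0 otherwise. */
int untrack_exec_region(const void *addr)
{
    for (size_t i = 0; i < g_nregions; i++) {
        if (g_regions[i].start == (uintptr_t)addr) {
            g_regions[i] = g_regions[--g_nregions];
            return 1;
        }
    }
    return 0;
}

/* Step (c): does this return address point into memory that became
 * executable at run time? 1 = yes (treat caller as shellcode), 0 = no. */
int return_address_is_suspicious(uintptr_t ret)
{
    for (size_t i = 0; i < g_nregions; i++)
        if (ret >= g_regions[i].start && ret < g_regions[i].end)
            return 1;
    return 0;
}

/* A Return-Check entry point standing in for a hooked GetProcAddress().
 * noinline so __builtin_return_address(0) is the real caller's address.
 * Returns 1 when the call may proceed, 0 when it must be refused. */
__attribute__((noinline)) int guarded_api_entry(void)
{
    uintptr_t ret = (uintptr_t)__builtin_return_address(0);
    if (return_address_is_suspicious(ret)) {
        fprintf(stderr, "blocked: return address %#lx is in runtime-exec memory\n",
                (unsigned long)ret);
        return 0;
    }
    return 1;
}

/* Constructed stand-in for a heap buffer that a VirtualProtect hook just
 * saw become executable (where shellcode would live). */
static unsigned char g_fake_heap[256];

/* Walk through the three cases; returns 1 if every check behaved as the
 * algorithm predicts. */
int demo(void)
{
    int ok_from_module = guarded_api_entry();                 /* caller is in module text: allowed */
    track_exec_region(g_fake_heap, sizeof g_fake_heap);       /* hook reports the region */
    int from_shellcode = return_address_is_suspicious((uintptr_t)g_fake_heap + 0x20); /* inside: flagged */
    int from_module    = return_address_is_suspicious((uintptr_t)&demo);             /* text: not flagged */
    return ok_from_module && from_shellcode && !from_module;
}

int main(void)
{
    printf("%s\n", demo() ? "return-address checks behaved as expected" : "unexpected result");
    return 0;
}
```

The bypass the author describes survives intact here: a chain that reaches guarded_api_entry() through existing module code returns into module text and passes, which is why step (c) raises the cost of universal shellcode rather than eliminating it.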