[ MDVSA-2012:121 ] libjpeg-turbo

2012-08-02 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2012:121
 http://www.mandriva.com/security/
 ___

 Package : libjpeg-turbo
 Date: August 1, 2012
 Affected: 2011.
 ___

 Problem Description:

 A vulnerability has been discovered and corrected in libjpeg-turbo:
 
 A heap-based buffer overflow was found in the way libjpeg-turbo
 decompressed certain corrupt JPEG images in which the component
 count was erroneously set to a large value. An attacker could create
 a specially-crafted JPEG image that, when opened, could cause an
 application using libpng to crash or, possibly, execute arbitrary
 code with the privileges of the user running the application
 (CVE-2012-2806).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2806
 ___

 Updated Packages:

 Mandriva Linux 2011:
 22126edfc4b866b219f44ba286d7bec7  2011/i586/jpeg-progs-1.1.1-1.1-mdv2011.0.i586.rpm
 983947719c5d2d72affaa12d7a212673  2011/i586/libjpeg62-1.1.1-1.1-mdv2011.0.i586.rpm
 855f23b907f2f2a20ec582668802af3b  2011/i586/libjpeg8-1.1.1-1.1-mdv2011.0.i586.rpm
 3713a686dd32c348b04f489b687671e0  2011/i586/libjpeg-devel-1.1.1-1.1-mdv2011.0.i586.rpm
 af33ccf8296bd218d364b5557c1284a9  2011/i586/libjpeg-static-devel-1.1.1-1.1-mdv2011.0.i586.rpm
 ec0ff59b860f30b96311e76e06c7e57f  2011/SRPMS/libjpeg-turbo-1.1.1-1.1.src.rpm

 Mandriva Linux 2011/X86_64:
 ffa20228c1de0d40df4ecab727c8826f  2011/x86_64/jpeg-progs-1.1.1-1.1-mdv2011.0.x86_64.rpm
 3d9e34e8e4250f9aa3a940d05b139acf  2011/x86_64/lib64jpeg62-1.1.1-1.1-mdv2011.0.x86_64.rpm
 eb25c0134c64bc23e92fff9b532c30ad  2011/x86_64/lib64jpeg8-1.1.1-1.1-mdv2011.0.x86_64.rpm
 0ccc1fefcf0320c387de3b6ab73ae91c  2011/x86_64/lib64jpeg-devel-1.1.1-1.1-mdv2011.0.x86_64.rpm
 f08cddd88a7eff5fe3bee4d5066ed605  2011/x86_64/lib64jpeg-static-devel-1.1.1-1.1-mdv2011.0.x86_64.rpm
 ec0ff59b860f30b96311e76e06c7e57f  2011/SRPMS/libjpeg-turbo-1.1.1-1.1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com



[security bulletin] HPSBMU02796 SSRT100594 rev.3 - HP Operations Agent and HP Performance Agent for AIX, HP-UX, Linux, Solaris and Windows, Remote Execution of Arbitrary Code

2012-08-02 Thread security-alert

Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03397769

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03397769
Version: 3

HPSBMU02796 SSRT100594 rev.3 - HP Operations Agent and HP Performance Agent
for AIX, HP-UX, Linux, Solaris and Windows, Remote Execution of Arbitrary
Code

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2012-07-09
Last Updated: 2012-07-23

Potential Security Impact: Remote execution of arbitrary code

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Operations
Agent and HP Performance Agent for AIX, HP-UX, Linux, Solaris, and Windows.
The vulnerabilities could be remotely exploited resulting in the execution of
arbitrary code.

References: SSRT100594, ZDI-CAN-1325, ZDI-12-114, CVE-2012-2019,
SSRT100595, ZDI-CAN-1326, ZDI-12-115, CVE-2012-2020

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Operations Agent for AIX, HP-UX, Linux, Solaris, and Windows prior to
v11.02
HP Operations Agent (classic) for AIX, HP-UX, Linux, Solaris, and Windows
v8.6
HP Performance Agent (classic) for AIX, HP-UX, Linux, Solaris, and Windows
v5.x

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference      Base Vector                   Base Score
  CVE-2012-2019  (AV:N/AC:L/Au:N/C:C/I:C/A:C)  10.0
  CVE-2012-2020  (AV:N/AC:L/Au:N/C:C/I:C/A:C)  10.0
===
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Luigi Auriemma for working with the
TippingPoint Zero Day Initiative to report this vulnerability to
security-al...@hp.com.

RESOLUTION

For HP Operations Agent v11 (includes HP Performance Agent) before v11.02

Note: As of v11 HP Operations Agent and HP Performance Agent are combined
into a single product: HP Operations Agent.

HP has made patches available to resolve these vulnerabilities for HP
Operations Agent v11. The patches can be downloaded from
http://support.openview.hp.com/selfsolve/patches

Product         Patch
Agent AIX       OAAIX_3 or subsequent
Agent HPUX      OAHPUX_3 or subsequent
Agent LINUX     OALIN_3 or subsequent
Agent SOLARIS   OASOL_00301 or subsequent
Agent WINDOWS   OAWIN_3 or subsequent

Note: The table above lists the earliest patches that resolve the
vulnerability. Later patches are available.

For HP Operations Agent v8.6 and HP Performance Agent 5.x

HP has made a hotfix available to resolve these vulnerabilities for HP
Operations Agent v8.6 and HP Performance Agent 5.x. To obtain the hotfix,
please contact HP Customer Support and request HOTFIX_CODA_2011-10-21_1.

MANUAL ACTIONS: Yes - NonUpdate
For HP Operations Agent v11 - Update to HP Operations Agent 11.02 or
subsequent
For HP Operations Agent v8.6 and HP Performance Agent v5.x - Install
HOTFIX_CODA_2011-10-21_1

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

For HP Operations Agent v11

HP-UX B.11.31
HP-UX B.11.23
HP-UX B.11.11
==
HPOvLcore.HPOVBBC
HPOvEa.HPOVAGTLC
HPOvLcore.HPOVCONF
HPOvLcore.HPOVCTRL
HPOvLcore.HPOVDEPL
HPOvEa.HPOVEAAGT
HPOvPerf.HPOVGLANC
HPOvPerf.HPOVPACC
HPOvPerf.HPOVPERFAGT
HPOvPerf.HPOVPERFMI
HPOvLcore.HPOVSECCC
HPOvLcore.HPOVSECCO
HPOvLcore.HPOVXPL
action: install OAHPUX_3 or subsequent

For HP Operations Agent v8.6 and HP Performance Agent v5.x

HP-UX B.11.31
HP-UX B.11.23
HP-UX B.11.11
==
HPOvLcore.HPOVBBC
HPOvEa.HPOVAGTLC
HPOvLcore.HPOVCONF
HPOvLcore.HPOVCTRL
HPOvLcore.HPOVDEPL
HPOvEa.HPOVEAAGT
HPOvPerf.HPOVGLANC
HPOvPerf.HPOVPACC
HPOvPerf.HPOVPERFAGT
HPOvPerf.HPOVPERFMI
HPOvLcore.HPOVSECCC
HPOvLcore.HPOVSECCO
HPOvLcore.HPOVXPL
action: install HOTFIX_CODA_2011-10-21_1

END AFFECTED VERSIONS

HISTORY
Version:1 (rev.1) - 9 July 2012 Initial release
Version:2 (rev.2) - 12 July 2012 Added hotfix for v8.6, v11.02 is not
vulnerable
Version:3 (rev.3) - 23 July 2012 Added HP Performance Agent

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support 

Tekno.Portal v0.1b 'link.php' Blind SQL Injection Vulnerability

2012-08-02 Thread Socket_0x03

   ==
   Tekno.Portal v0.1b - Blind SQL Injection in link.php
   ==

 # Exploit Title: Tekno.Portal v0.1b 'link.php' Blind SQL Injection Vulnerability

 # Date: [08-01-2012]

 # Author: Socket_0x03 (Alvaro J. Gene)

 # Email: Socket_0x03 (at) teraexe (dot) com

 # Website: www.teraexe.com

 # Software Link: http://sourceforge.net/projects/teknoportal

 # Vulnerable Application: Tekno.Portal

 # Version: 0.1b

 # Vulnerable File: link.php (kat parameter)

 # Language: This application is available only in the Turkish language.

 # Product Description: Tekno.Portal is a content management system (CMS) developed
   in PHP; furthermore, a webmaster can use this application to manage files, store
   data, and more.

 # Blind SQL Injection:

   http://www.website.com/teknoportal/link.php?kat=[Blind SQL Injection]




Kaspersky Password Manager 5.0.0.164 - Software Filter Vulnerability

2012-08-02 Thread Vulnerability Lab
Title:
==
Kaspersky PM 5.0.0.164 - Software Filter Vulnerability


Date:
=
2012-07-12


References:
===
http://www.vulnerability-lab.com/get_content.php?id=612


VL-ID:
=
612


Common Vulnerability Scoring System:

3


Introduction:
=
Kaspersky Password Manager is an indispensable tool for the active Internet user.
It fully automates the process of entering passwords and other data into websites
and saves the user going to the trouble of creating and remembering multiple
passwords. When you use Kaspersky Password Manager to log in, you can rest assured
that your data is safe. The software creates exceptionally strong passwords and
prevents your login information from being stolen. All confidential data is
encrypted and kept in a dedicated database on your computer. Kaspersky Password
Manager makes your web experience safer, quicker and more convenient.

(Copy of the Vendor Homepage: www.kaspersky.com/us/kaspersky-password-manager )


Abstract:
=
The Vulnerability Laboratory Research Team discovered a software filter &
validation vulnerability in Kaspersky's Password Manager v5.0.0.164.


Report-Timeline:

2012-07-12: Public or Non-Public Disclosure


Status:

Published


Affected Products:
==
Kaspersky Labs
Product: Kaspersky Password Manager v5.0.0.164 & older versions


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

A software filter & validation vulnerability is detected in Kaspersky's Password
Manager v5.0.0.164 software.
The bug allows an attacker (local) to implement/inject malicious script code when
processing the export of a manipulated Kaspersky Password Manager database. The
vulnerability is located in the validation of the HTML/XML export function/module &
the bound vulnerable name, domain, url, comment (listing) parameters. URLs of
entries are embedded in the exported HTML file without encoding XML special
characters; when the URL (domain) field of an entry contains malicious script
code, it will be executed when the exported HTML file is opened in a browser.

Exploitation of the vulnerability requires a manipulated URL with malicious script
code, a logging server with chmod 777, a listing file (random) & a Kaspersky PM
v5.0.0.164 user. The bug is injected remotely (Autofill Engine), affects the local
validation (HTML/XML) on export and changes the technique back when remotely
transferring the password lists. The injection of the malicious URL/domain context
can be done via automatic imports/plugins (KPM AutoFill Engine v5.0.0.164) as
victim or manually (reproduce) by including. Successful exploitation of the
vulnerability leads to stable (persistent) context manipulation, persistent
phishing, execution of malware or stealing plain password lists. Medium user
interaction is required to exploit the vulnerability.


Normally Kaspersky Password Manager exports the HTML & XML backup with a secure
clean template like ...

<tbody><tr class="MySplitterRow"><td colspan="2"> </td></tr>
<tr class="MyAccountNameRow">
 <td align="right" width="150px">Name des Benutzerkontos: </td>
 <td><b>test1</b></td>
</tr>
<tr><td align="right" valign="top">Link: </td>
<td valign="top">test4</td></tr>
<tr class="MySplitterRowLight"><td colspan="2"></td></tr>
<tr><td align="right" valign="top">Benutzername: <br>Kennwort: </td><td valign="top">test2<br>test3</td></tr>
<tr class="MySplitterRowLight"><td colspan="2"></td></tr>
<tr><td align="right" valign="top">Kommentar</td><td valign="top">test5</td></tr>
<tr class="MySplitterRow"><td colspan="2"> </td></tr>
<tr class="MySplitterRowWhite"><td colspan="2"> </td></tr>
</tbody></table></body></html>

The local attacker manipulates the database with malicious strings (script code)
in the category item profile name input fields.
Kaspersky Password Manager generates the clean HTML or XML template, but after the
persistent script code is injected into the database profile name items, the
persistent code gets executed directly out of the clean exported XML or HTML
template file.

<tr class="MyAccountNameRow">
 <td align="right" width="150px">Name des Benutzerkontos: </td>
 <td><b>"<iframe src="http://vulnerability-lab.com" onload=alert(`VL`) <="" b=""></td>
</tr>


Vulnerable Section(s):
[+] Export & Import - Database & Categories

Vulnerable Module(s):
[+] HTML & XML


Vulnerable Parameter(s):
[+] Benutzername
[+] Kommentar
[+] Vorname, Zweiter Vorname & Nachname
[+] Email, Stadt & Addresse
[+] Abteilung, Beruf & Webseite
[+] Link/Website/URL



Exploitation (RemoteLocalLocalRemote) Scenario:

1. Remote
Attacker is sending the victim a manipulated login page (MITM/Browser or as 
Link) with script 

My ROP mitigation

2012-08-02 Thread Young Jun Ko
I have made a ROP mitigation method and am sharing my idea with security researchers.
This method is not a perfect mitigation, but it will annoy exploit writers.
I think that part of this document may be similar to some features
of ROPGuard, which is the idea of the 2nd-place winner of the BlueHat Prize contest.
(I was also a BlueHat Prize contest entrant, but I am not a winner ^^)
This document will help readers understand some ROP mitigation features.
I have corrected some words and added comments to the original entry sent to
the BlueHat Prize contest.

* I hold intellectual property on the ideas in the document below. Do not
use without permission.
  http://ohojang.blogspot.com

document
 Author: Young Jun Ko ( ohoj...@gmail.com )

 Hardening WINAPI function calling for anti-exploitation

 1. Prohibit direct WINAPI function calling via Return Address Checking

 - background and algorithm

 Almost all shellcode used in exploits calls WINAPI functions such as
GetProcAddress() and CreateProcess().
 Firstly, the shellcode is usually located in a data memory region.
 Typically, a memory-attribute-changing function such as VirtualProtect()
is then called via ROP, so some memory region gets the executable attribute.
 Then execution jumps to the shellcode.
 So any memory region that gets the executable attribute at run-time
may be shellcode.
 Of course, JIT and loading a library at run-time also need executable
memory regions.
 Concerning JIT, JIT is different from shellcode in respect of the WINAPI
function calling method.
 JIT calls WINAPI functions not directly but indirectly.
 For example, JIT doesn't call GetProcAddress() directly. But almost all
shellcode calls GetProcAddress() directly.
 So the return address of a WINAPI function is not in the JIT memory region.
 And concerning loading a library at run-time, the load address is
typically above 0x7000.
 This address is higher than the usual data memory region address (heap).
 Simply, if a WINAPI function has a return address above 0x7000, we
can assume the call was made by a loaded library.
 If the library load address is below 0x7000, in this case the return
address of the WINAPI function is below 0x7000.
 Then it is misunderstood that the call was not made by a loaded library.
 But this error can be corrected easily by searching the Ldr entries in the PEB.
 Considering the above facts, a simple mitigation can be made.

 a. Choose some WINAPI functions used by almost all shellcode
( for example, GetProcAddress(), CreateProcess(), OpenFile() ).
I named these chosen WINAPI functions Return-Check functions.

 b. Keep track of all memory regions getting the executable attribute at
runtime.
The VirtualProtect(), VirtualAlloc() and CreateFileMapping() functions
can be used to accomplish this objective.

 c. When a Return-Check function is called, it checks the return address.
If the return address is not a library or module address, the call is
an illegal function call.

 - effect and bypassing

 Bypassing this mitigation is relatively easy. Indirect WINAPI function
calling can be made by using payload code already inside.
 But this means that the shellcode must be dependent on the victim program.
 The attacker must build a calling chain similar to ROP's.
 So universal and simple shellcode cannot be made.

 - proof of concept code

 return-check.cpp  ( must be compiled and executed in Visual Studio 2010 Premium,
 Debug mode !!! )

 Comment
 This concept is useful for call-chain restriction also.
 Suppose that there is a restriction that check() must call API() during
execution and API() must return to check();
 API() checks whether its own return address is within check()'s
address range.
 In this case, check() can be some security check function, and API()
can be some system API function.
 Malicious code can't call the API() function directly.
 But a smarter attacker can use ROP chaining to bypass the above case.
 (without calling check(), call API(), and return to somewhere in check().)
 Nevertheless, if the check() and API() functions are written specially,
the ROP attack will fail too.
 (I think that there are many possible ways besides my method. It is
up to you.)


 2. Hardening ROP chaining

 - background and algorithm

 Preventing ROP with compiler support is relatively easy.
 But without compiler support, ROP detection is very difficult.
 Execution flow driven by a ROP chain can make a WINAPI function call.
 Recently, almost all exploit code uses the ROP method for calling VirtualProtect().
 But ROP chaining after WINAPI function calling can be made harder.
 By making ROP chaining harder, shellcode development costs more.

 Assume that VirtualProtect()'s function address is 0x7000.
 For calling the 0x7000 function via ROP, the stack must be prepared like below.

   ...
   ...
   0x7000   <--- sp ( stack pointer just before executing RET )
   ...
   ...

 After executing RET, the stack layout changes like below.

   ...
   ...      <--- sp ( stack pointer )
   0x7000
   ...
   ...

 VirtualProtect()'s function address can be found on the stack in the above case.
 By checking the stack value at just
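
The Return-Check policy of section 1 (steps a to c) written out as an added example in platform-independent C; this is not the author's return-check.cpp. The protect-change hook records regions that gain the executable attribute, and the check accepts a return address only if it lies in a loaded module and not in one of those regions. The module table stands in for the PEB Ldr list, and every address, including the low-loaded DLL that the "above 0x7000" heuristic alone would misjudge, is constructed for illustration.

```c
/* Added example of the Return-Check policy; not the author's code.
 * Module ranges and all addresses below are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef struct { uintptr_t base; size_t size; } region_t;

/* PAGE_EXECUTE(0x10), PAGE_EXECUTE_READ(0x20), PAGE_EXECUTE_READWRITE(0x40),
 * PAGE_EXECUTE_WRITECOPY(0x80): any of these bits means "became executable". */
#define PAGE_EXECUTE_MASK 0xF0u
#define MAX_TRACKED 16

/* Step b: regions that gained the executable attribute at run time. */
static region_t tracked[MAX_TRACKED];
static size_t tracked_count;

/* Constructed module table standing in for the loaded-module (Ldr) list.
 * The third entry is a DLL loaded at a low address: the 0x7000 heuristic
 * alone would call it "not a library"; the table lookup handles it. */
static const region_t modules[] = {
    { 0x00400000u, 0x00100000u },   /* main image     */
    { 0x77000000u, 0x00200000u },   /* system DLL     */
    { 0x10000000u, 0x00080000u },   /* low-loaded DLL */
};

static bool in_region(const region_t *r, uintptr_t a) {
    return a >= r->base && a - r->base < r->size;
}

/* Hook body for VirtualProtect/VirtualAlloc/CreateFileMapping: record a region
 * when it becomes executable, forget it when the execute bit is removed again. */
void on_protect_change(uintptr_t base, size_t size, unsigned new_protect) {
    bool executable = (new_protect & PAGE_EXECUTE_MASK) != 0;
    for (size_t i = 0; i < tracked_count; i++) {
        if (tracked[i].base == base) {
            if (!executable) tracked[i] = tracked[--tracked_count];
            return;
        }
    }
    if (executable && tracked_count < MAX_TRACKED)
        tracked[tracked_count++] = (region_t){ base, size };
}

/* Step c: a Return-Check function applies this to its own return address.
 * Legal only if the caller is module code and not run-time executable memory. */
bool return_check(uintptr_t ret_addr) {
    for (size_t i = 0; i < tracked_count; i++)
        if (in_region(&tracked[i], ret_addr)) return false;
    for (size_t i = 0; i < sizeof modules / sizeof modules[0]; i++)
        if (in_region(&modules[i], ret_addr)) return true;
    return false;
}
```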