[SE-2012-01] An issue with new Java SE 7 security features

2013-01-29 Thread Security Explorations


Hello All,

According to Oracle's Java security head, the company has
recently made very significant security improvements to
Java, such as to prevent silent exploits. The problem is
that people don't understand those features yet [1].

Starting from Java SE 7 Update 10 released in Oct 2012, a
user may control the level of security that will be used
when running unsigned Java apps in a web browser [2][3].
Apart from being able to completely disable Java content
in the browser, the following four security levels can be
used for the configuration of unsigned Java applications:
- Low
  Most unsigned Java apps in the browser will run without
  prompting unless they request access to a specific old
  version of JRE or to protected resources on the system.
- Medium
  Unsigned Java apps in the browser will run without
  prompting only if the Java version is considered secure.
  User will be prompted if an unsigned app requests to run
  on an old version of Java.
- High
  User will be prompted before any unsigned Java app runs in
  the browser. If the JRE is below the security baseline,
  user will be given an option to update.
- Very High
  Unsigned (sandboxed) apps will not run.

Unfortunately, the above is only a theory. In practice, it
is possible to execute unsigned (and malicious!) Java
code without a prompt corresponding to the security settings
configured in Java Control Panel.

What we found out and what is a subject of a new security
vulnerability (Issue 53) is that unsigned Java code can be
successfully executed on a target Windows system regardless
of the four Java Control Panel settings described above.
Our Proof of Concept code that illustrates Issue 53 has been
successfully executed in the environment of latest Java SE
7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS
and with Very High Java Control Panel security settings.

That said, recently made security improvements to Java
SE 7 software don't prevent silent exploits at all. Users
that require Java content in the web browser need to rely
on a Click to Play technology implemented by several web
browser vendors in order to mitigate the risk of a silent
Java Plugin exploit.

Thank you.

Best Regards
Adam Gowdiak

-
Security Explorations
http://www.security-explorations.com
We bring security research to the new level
-

References:
[1] Oracle's Java security head: We will 'fix Java,' communicate better
    http://www.computerworld.com/s/article/9236230/Oracle_s_Java_security_head_We_will_fix_Java_communicate_better
[2] Setting the Security Level of the Java Client
    http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html
[3] Understanding the new security in Java 7 Update 11 by Michael Horowitz
    http://blogs.computerworld.com/cybercrime-and-hacking/21664/understanding-new-security-java-7-update-11



[ MDVSA-2013:005 ] perl

2013-01-29 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2013:005
 http://www.mandriva.com/security/
 ___

 Package : perl
 Date: January 28, 2013
 Affected: 2011., Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been found and corrected in perl:
 
 Heap-based buffer overflow in the Perl_repeatcpy function in util.c
 in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before
 15.15.5 allows context-dependent attackers to cause a denial of service
 (memory consumption and crash) or possibly execute arbitrary code
 via the 'x' string repeat operator (CVE-2012-5195).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5195
 ___

 Updated Packages:

 Mandriva Linux 2011:
 2cd2f62ef4fd1fa7d765c5a0fb1292fb  2011/i586/perl-5.12.3-8.2-mdv2011.0.i586.rpm
 a87fedc92aa16e3eb09d3db9c37e1b01  2011/i586/perl-base-5.12.3-8.2-mdv2011.0.i586.rpm
 4dcef0206296645560413e267dd131fe  2011/i586/perl-devel-5.12.3-8.2-mdv2011.0.i586.rpm
 9df0bdda99e7e843943c5e77fba15036  2011/i586/perl-doc-5.12.3-8.2-mdv2011.0.noarch.rpm
 b3daf9e368021a94048bf6f97a129a15  2011/SRPMS/perl-5.12.3-8.2.src.rpm

 Mandriva Linux 2011/X86_64:
 3b6ab1c60e98b72d7a2ab4fa1ef8f9eb  2011/x86_64/perl-5.12.3-8.2-mdv2011.0.x86_64.rpm
 38a74f3b9dc65b77c3e2a1ce2b7bf6d5  2011/x86_64/perl-base-5.12.3-8.2-mdv2011.0.x86_64.rpm
 f6e421797d0f1fbf064b59569e06e50a  2011/x86_64/perl-devel-5.12.3-8.2-mdv2011.0.x86_64.rpm
 58844f4e30df7e9962a9eb40ea0fbf29  2011/x86_64/perl-doc-5.12.3-8.2-mdv2011.0.noarch.rpm
 b3daf9e368021a94048bf6f97a129a15  2011/SRPMS/perl-5.12.3-8.2.src.rpm

 Mandriva Enterprise Server 5:
 817cd182ec870213e66404c801de1338  mes5/i586/perl-5.10.0-25.5mdvmes5.2.i586.rpm
 19b31597c4116e2dd524ea3b324f58c4  mes5/i586/perl-base-5.10.0-25.5mdvmes5.2.i586.rpm
 ebe2a75601e9fb4ee43ce346abeea2ee  mes5/i586/perl-devel-5.10.0-25.5mdvmes5.2.i586.rpm
 60bc0e4584b2f8ca1b7a9cb1ee6c0d49  mes5/i586/perl-doc-5.10.0-25.5mdvmes5.2.i586.rpm
 bca381efbda683e01a473e4cd04de078  mes5/i586/perl-suid-5.10.0-25.5mdvmes5.2.i586.rpm
 72c15bdff31cc3fc342a0f580fbea56b  mes5/SRPMS/perl-5.10.0-25.5mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 43baa4703a41bc31774b0c91b97d3021  mes5/x86_64/perl-5.10.0-25.5mdvmes5.2.x86_64.rpm
 44202ed5538712a00e47cea9a045ab3d  mes5/x86_64/perl-base-5.10.0-25.5mdvmes5.2.x86_64.rpm
 e07f48bf12258cf760ef662d8e08d137  mes5/x86_64/perl-devel-5.10.0-25.5mdvmes5.2.x86_64.rpm
 789fc82249d411994197f325086a7279  mes5/x86_64/perl-doc-5.10.0-25.5mdvmes5.2.x86_64.rpm
 5f2c518cc2497ef2ba1799579a99f581  mes5/x86_64/perl-suid-5.10.0-25.5mdvmes5.2.x86_64.rpm
 72c15bdff31cc3fc342a0f580fbea56b  mes5/SRPMS/perl-5.10.0-25.5mdvmes5.2.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFRBm/CmqjQ0CJFipgRAnJKAJ91CDFCbmDVoGbyLdDZzp9BkVCe2ACgyNvv
I7lNiPK5bRvw59R2Cbc6J30=
=MD8F
-END PGP SIGNATURE-



nCircle PureCloud Vulnerability Scanner - Multiple Web Vulnerabilities

2013-01-29 Thread Vulnerability Lab
Title:
==
nCircle PureCloud Vulnerability Scanner - Multiple Web Vulnerabilities


Date:
=
2013-01-28


References:
===
http://www.vulnerability-lab.com/get_content.php?id=795

nCircle Tracking ID: 20130117-US11337


VL-ID:
=
795


Common Vulnerability Scoring System:

4.1


Introduction:
=
nCircle PureCloud is brought to you by nCircle, the leading provider of 
information risk and security performance management solutions. 
PureCloud delivers an enterprise-class vulnerability scanner with more than 
double the coverage of other providers covering thousands of 
conditions and prioritized risk assessments – all in a cloud-based solution.

nCircle PureCloud is the world’s first security scanning technology that 
requires no scanning infrastructure on the customer network. 
PureCloud eliminates the need for firewall changes and software or hardware 
deployment on a customer's internal network. Requiring only 
a Web browser, PureCloud securely scans a private network to identify a broad 
range of vulnerabilities and risks, and provides detailed 
guidance on the steps necessary to reduce or eliminate those risks. With 
PureCloud, small businesses and home offices benefit from nCircle’s 
most advanced enterprise class security scanning solution, without the 
complexity or maintenance associated with traditional SaaS or on-premise 
scanning products. PureCloud is delivered as a software service in the Cloud, 
making it cost-effective, efficient and widely accessible.

(Copy of the Vendor Homepage: https://purecloud.ncircle.com/about_purecloud/ )


Abstract:
=
The Vulnerability-Laboratory Research Team discovered a web vulnerability in 
the nCircle PureCloud (cloud-based) Vulnerability Scanner Application.


Report-Timeline:

2012-12-24: Researcher Notification & Coordination
2012-12-25: Vendor Notification
2012-01-16: Vendor Response/Feedback
2012-01-28: Vendor Fix/Patch by nCircle Dev
2012-01-28: Public Disclosure


Status:

Published


Affected Products:
==
nCircle
Product: PureCloud - Vulnerability Scanner (cloud-based) 2012 Q4


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

A persistent and client side POST Injection web vulnerability is detected in 
the nCircle PureCloud (cloud-based) Vulnerability Scanner Application.
The vulnerability type allows an attacker to inject own malicious script code 
in the vulnerable module on application side (persistent).

1.1
The first vulnerability is located in the Scan Now > Scan Type > Perimeter Scan 
> Scan section when processing to request via the 
`Scan Specific Devices - [Add Devices]` module and the bound vulnerable 
formErrorContent exception-handling application parameters. 
The persistent injected script code will be executed out of the `invalid 
networks` web application exception-handling. To bypass 
the standard validation of the application filter the attacker needs to provoke 
the specific invalid networks exception-handling error.
In the second step the attacker splits the request of the invalid filter 
context to execute after it the not parsed malicious script code.
The vulnerability can be exploited on client side via force manipulated link as 
malicious request with medium user interaction but also 
via server side by a post injection in the later affected add server listing 
module.

1.2
The second vulnerability is bound to the first issue and located in the IP & 
Name output listing of the scan index after processing to 
add a network/server/ip. The code will be executed out of the main ip & name 
listing after an evil inject via add module. To bypass the 
ip restriction filter it is required to split the request like in the first 
issue with a valid ip. The remote attacker includes a 
valid ip+split(%20)`+own_scriptcode to pass through the system validation 
filter and execute the script code out of the device name and ip listing. 


The vulnerability can be exploited with privileged application user account and 
low or medium required user interaction.
Successful exploitation of the vulnerability results in 
persistent/non-persistent session hijacking, persistent/non-persistent 
phishing, external redirect, external malware loads and 
persistent/non-persistent vulnerable module context manipulation.


Vulnerable Service(s):
[+] nCircle PureCloud (cloud-based) 
Vulnerability Scanner [https://purecloud.ncircle.com/index/]

Vulnerable Section(s):
[+] Scan Now > Scan Type > Perimeter Scan > Scan

Vulnerable Module(s):
[+] Scan Specific Devices - [Add Devices]
[+] Scan IP (Index)

Vulnerable Parameter(s):
[+] formErrorContent
[+] ip - name

Affected Module(s):
 

Fortinet FortiMail 400 IBE - Multiple Web Vulnerabilities

2013-01-29 Thread Vulnerability Lab
Title:
==
Fortinet FortiMail 400 IBE - Multiple Web Vulnerabilities


Date:
=
2013-01-23


References:
===
http://www.vulnerability-lab.com/get_content.php?id=701


VL-ID:
=
701


Common Vulnerability Scoring System:

7.1


Introduction:
=
The FortiMail family of appliances is a proven, powerful messaging security 
platform for any size organization, 
from small businesses to carriers, service providers, and large enterprises. 
Purpose-built for the most demanding 
messaging systems, the FortiMail appliances utilize Fortinet’s years of 
experience in protecting networks against 
spam, malware, and other message-borne threats.

You can prevent your messaging system from becoming a threat delivery system 
with FortiMail. Its inbound filtering 
engine blocks spam and malware before it can clog your network and affect 
users. Its outbound inspection technology prevents 
outbound spam or malware (including 3G mobile traffic) from causing other 
antispam gateways to blacklist your users.

Three deployment modes offer maximum versatility while minimizing 
infrastructure changes or service disruptions: 
transparent mode for seamless integration into existing networks with no 
changes to your existing mail server, 
gateway mode as a proxy MTA for existing messaging gateways, or full messaging 
server functionality for remote locations. 
FortiMail provides Identity-Based Encryption (IBE), in addition to S/MIME and 
TLS, as email encryption option to enforce 
policy-based encryption for secure content delivery. Furthermore, the FortiMail 
customizable and predefined dictionaries 
prevent accidental or intentional loss of confidential and regulated data.

(Copy of the Vendor Homepage: http://www.fortinet.com/products/fortimail/ )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple web 
vulnerabilities in Fortinet's FortiMail IBE 400 Appliance Application.


Report-Timeline:

2012-09-16: Researcher Notification & Coordination
2012-09-18: Vendor Notification
2012-10-08: Vendor Response/Feedback
2012-**-**: Vendor Fix/Patch (NO RESPONSE BY PSIRT)
2013-01-23: Public Disclosure


Status:

Published


Affected Products:
==
Fortinet
Product: FortiMail Appliance Series 400 IBE


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

An exception-handling and input filter bypass vulnerability is detected in the 
Fortinet FortiMail IBE Appliance Application 200D, 400C, VM2K, 2000B and 5002B.

The first vulnerability is located in the parse module with the bound 
vulnerable exception-handling and vulnerable effect on all input fields. 
The vulnerability allows an attacker to bypass the input parse routine by an 
implement of 2 close tags, which results in the 
execution of the second injected script code with a space between. 

The second vulnerability is located in the import/upload certificate module 
with the bound vulnerable certificate name and information parameters.
An attacker can implement own certificates with script code in the malicious 
name and information values. After the upload the persistent code gets 
executed out of the certificate listing main module.

Successful exploitation of the vulnerabilities allows to hijack admin/customer 
sessions, can lead to information disclosure or result in stable
manipulation of web context (persistent & non-persistent).

Vulnerable Module(s):
[+] Invalid - Exception Handling

Vulnerable Parameter(s):
[+] ipmask
[+] username
[+] address
[+] url


Proof of Concept:
=
1.1
The exception handling and filter bypass vulnerability can be exploited by 
remote attackers and local low privileged user account.
For demonstration or reproduce ... 


Module: IPAddressMask - ext-mb-text, ext-gen4185 & ext-gen7196
INJECT: https://127.0.0.1:1338/admin/FEAdmin.html#SysInterfaceCollection

<div id="ext-gen4183"><div id="ext-gen4184" class="ext-mb-icon ext-mb-error"></div><div id="ext-gen7197"
class="ext-mb-content"><span id="ext-gen4185" class="ext-mb-text">Error:IPAddressMask( 2 ) , IPAddressMask.cpp:14,  Invalid mask:
<iframe id="ext-gen7196" [PERSISTENT INJECTED SCRIPT CODE!];) = =[PERSISTENT INJECTED SCRIPT CODE!]) [PERSISTENT INJECTED SCRIPT CODE!])
/0</iframe></span>

AFFECTED:   https://127.0.0.1:1338/admin/FEAdmin.html#SysInterfaceCollection


Module: Whitelist & Blacklist - Address
URL:
https://209.87.230.132:1443/admin/FEAdmin.html#PersonalBlackWhiteList

<div id="ext-gen10562" class="ext-mb-content"><span id="ext-gen5714" class="ext-mb-text">
Invalid address: [PERSISTENT INJECTED SCRIPT CODE!];) = -= =[PERSISTENT INJECTED SCRIPT CODE!]) </iframe></span>

AFFECTED:   

ESA-2013-010: EMC AlphaStor Buffer Overflow Vulnerability

2013-01-29 Thread Security Alert

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

ESA-2013-010: EMC AlphaStor Buffer Overflow Vulnerability

EMC Identifier: ESA-2013-010

EMC Identifier: NW147263

CVE Identifier: CVE-2013-0930


Severity Rating: CVSS v2 Base Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)


Affected product:
  
EMC AlphaStor 4.0 prior to build 814 (All platforms)


Summary:  

A buffer overflow vulnerability exists in EMC AlphaStor that could potentially 
be exploited by a malicious user to create a denial of service condition or 
execute arbitrary code. 


Details:  

A vulnerability in AlphaStor Drive Control Program (DCP) can cause a buffer 
overflow during creation of a device name. This vulnerability could be 
exploited by an unauthenticated remote user to create a denial of service 
condition or execute arbitrary code.


Resolution:  

The following EMC AlphaStor product contains a resolution to this issue:
EMC AlphaStor 4.0 build 814 and later

EMC strongly recommends all customers upgrade to above build at the earliest 
opportunity.


Link to remedies:

Registered EMC Online Support customers can download software from 
support.emc.com. 
Select “Support by Product” and type “AlphaStor”. From this page select 
“Downloads”, “Documentation” or “Advisories” as required.


Credits: 
EMC would like to thank aniway.any...@gmail.com working with TippingPoint's 
Zero Day Initiative (http://www.zerodayinitiative.com) for reporting this issue.


Read and use the information in this EMC Security Advisory to assist in 
avoiding any situation that might arise from the problems described herein. If 
you have any questions regarding this product alert, contact EMC Software 
Technical Support at 1-877-534-2867.

Because the view is restricted based on customer agreements, you may not have 
permission to view certain downloads. Should you not see a software download 
you believe you should have access to, follow the instructions in EMC 
Knowledgebase solution emc116045.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution 
emc218831. EMC recommends all customers take into account both the base score 
and any relevant temporal and environmental scores which may impact the 
potential severity associated with particular security vulnerability.

EMC Corporation distributes EMC Security Advisories, in order to bring to the 
attention of users of the affected EMC products, important security 
information. EMC recommends that all users determine the applicability of this 
information to their individual situations and take appropriate action. The 
information set forth herein is provided as is without warranty of any kind. 
EMC disclaims all warranties, either express or implied, including the 
warranties of merchantability, fitness for a particular purpose, title and 
non-infringement. In no event, shall EMC or its suppliers, be liable for any 
damages whatsoever including direct, indirect, incidental, consequential, loss 
of business profits or special damages, even if EMC or its suppliers have been 
advised of the possibility of such damages. Some states do not allow the 
exclusion or limitation of liability for consequential or incidental damages, 
so the foregoing limitation may not apply.

EMC Product Security Response Center

security_al...@emc.com

http://www.emc.com/contact-us/contact/product-security-response-center.html 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (Cygwin)

iEYEARECAAYFAlEGo1IACgkQtjd2rKp+ALyRHwCgrBGmAkiqLkfjlS81px9W6JKh
7m4AoLMVO/owyjuKB6VYEaUCdy9wQqd0
=b94x
-END PGP SIGNATURE-


Kohana Framework v2.3.3 - Directory Traversal Vulnerability

2013-01-29 Thread Vulnerability Lab
Title:
==
Kohana Framework v2.3.3 - Directory Traversal Vulnerability


Date:
=
2013-01-27


References:
===
http://www.vulnerability-lab.com/get_content.php?id=841


VL-ID:
=
837


Common Vulnerability Scoring System:

7.1


Introduction:
=
Kohana is an open source, object oriented MVC web framework built using PHP5 by 
a team of volunteers that aims to be 
swift, secure, and small. (copy from vendor website) This is an OOP framework 
that is extremely DRY. Everything is built 
using strict PHP 5 classes and objects. Many common components are included: 
translation tools, database access, code 
profiling, encryption, validation, and more.

Extending existing components and adding new libraries is very easy. Uses the 
BSD license, so you can use and modify it for 
commercial purposes. Benchmarking a framework is hard and rarely reflects the 
real world, but Kohana is very efficient and 
carefully optimized for real world usage. Very well commented code and a simple 
routing structure makes it easy to understand 
what is happening. Simple and effective tools help identify and solve 
performance issues quickly.

(Copy of the Vendor Homepage: http://kohanaframework.org/ )



Abstract:
=
The Vulnerability Laboratory Research Team discovered a Directory Traversal web 
vulnerability in the Kohana v2.3.3 Content Management System.


Report-Timeline:

2013-01-27: Public Disclosure


Status:

Published


Affected Products:
==
Kohana
Product: Framework - Content Management System 2.3.3


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

A Directory Traversal web vulnerability is detected in the Kohana Content 
Management System web application.
The vulnerability allows remote attackers to request local directories and 
files of the web server application system.

The vulnerability is located in the `master/classes/Kohana/Filebrowser.php` 
file in line 90 when processing to request 
the path dir via replace. The filter replaces `../` by null and it applies on 
file reading requests. 

Review: Kohana/Filebrowser.php

$thumb = Route::get('wysiwyg/filebrowser')
    ->uri(array(
        'action' => 'thumb',
        'path'   => str_replace(array($dir, DIRECTORY_SEPARATOR), array('', '/'), $filename)
    ));

Remote attackers can bypass the validation with the vulnerable replace function 
in the file browser to read local 
web server files via directory (path) traversal attack.

Exploitation of the vulnerability requires no privileged application user 
account and no user interaction.
Successful exploitation of the vulnerability results in read of arbitrary 
system files to compromise the web server.

Vulnerable Module(s):
[+] Filebrowser

Vulnerable Function(s):
[+] str_replace  dir

Vulnerable Parameter(s): 
[+] ?path


Proof of Concept:
=
The vulnerability can be exploited by remote attackers without privileged 
application user account and without required user interaction.
For demonstration or reproduce ...

Review: Kohana/Filebrowser.php

$thumb = Route::get('wysiwyg/filebrowser')
    ->uri(array(
        'action' => 'thumb',
        'path'   => str_replace(array($dir, DIRECTORY_SEPARATOR), array('', '/'), $filename)
    ));


Review: GET Request
GET http://media.[server].com/directory/graphics/?path=..%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F%2Fetc%2Fpasswd HTTP/1.0
Host: media.[server].com
User-Agent: Kami VL


PoC: 
http://media.[server].com/directory/graphics/?path=..%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F%2Fetc%2Fpasswd
 


Risk:
=
The security risk of the directory traversal web vulnerability is estimated as 
high(+).
 


Credits:

Vulnerability Laboratory [Research Team]  - Karim B. 
(k...@vulnerability-lab.com)


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact:
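
The hardened counterpart to the filter described in the advisory, as an added example that is not Kohana's code. Removing `../` substrings (or mapping `$dir` and the directory separator away, as the reviewed snippet does) never establishes where the final path actually points; the check that matters is canonicalising the resolved path and confirming it stays under the intended base directory. The function `resolve_inside`, the temporary directory tree and the request strings below are all constructed for this example; the traversal string is the advisory's own PoC `path` value, URL-decoded.

```php
<?php
// Added example (not Kohana's code): resolve a user-supplied "path" value
// against a fixed base directory and reject anything that escapes it.
// Deleting "../" substrings, as the advisory describes, is not a containment
// check; the canonical location of the final path is what has to be verified.

function resolve_inside(string $base, string $userPath): ?string
{
    // Canonicalise the base directory first (it must exist).
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // Refuse empty input, embedded NUL bytes and absolute paths outright.
    if ($userPath === '' || strpos($userPath, "\0") !== false || $userPath[0] === '/') {
        return null;
    }
    // Normalise separators, as the Kohana snippet maps DIRECTORY_SEPARATOR to '/'.
    $userPath = str_replace('\\', '/', $userPath);
    // realpath() collapses ".", ".." and repeated slashes and returns false
    // when the target does not exist.
    $candidate = realpath($baseReal . '/' . $userPath);
    if ($candidate === false) {
        return null;
    }
    // Containment check: the canonical path must be the base itself or lie
    // below it. The trailing separator stops "/var/www" from matching "/var/www2".
    if ($candidate !== $baseReal
        && strpos($candidate, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Demonstration on a small directory tree constructed in the temp directory.
$base = sys_get_temp_dir() . '/fb_demo_' . getmypid();
mkdir($base . '/graphics', 0700, true);
file_put_contents($base . '/graphics/logo.png', 'constructed sample bytes');

$requests = [
    'graphics/logo.png',                                   // legitimate
    'graphics/../graphics/logo.png',                       // "..", but stays inside
    '../../..//../..//../..//../..//../..///etc/passwd',  // the advisory's PoC, URL-decoded
    '/etc/passwd',                                         // absolute path
    'graphics/missing.png',                                // does not exist
];
foreach ($requests as $r) {
    $resolved = resolve_inside($base, $r);
    printf("%-52s -> %s\n", $r, $resolved === null ? 'REJECTED' : 'OK ' . $resolved);
}

// Clean up the constructed tree.
unlink($base . '/graphics/logo.png');
rmdir($base . '/graphics');
rmdir($base);
```

Only the first two requests resolve; the PoC path, the absolute path and the non-existent file are all rejected, the first two by the prefix comparison and the last because `realpath()` returns false. Comparing canonical paths rather than rewriting the input string is what makes the check independent of how the traversal sequence is spelled or encoded.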

[KIS-2013-01] DataLife Engine 9.7 (preview.php) PHP Code Injection Vulnerability

2013-01-29 Thread Egidio Romano

--
DataLife Engine 9.7 (preview.php) PHP Code Injection Vulnerability
--

• Software Link:

http://dleviet.com/


• Affected Version:

9.7 only.


• Vulnerability Description:

The vulnerable code is located in the /engine/preview.php script:

246.	$c_list = implode (',', $_REQUEST['catlist']);
247.
248.	if( strpos( $tpl->copy_template, "[catlist=" ) !== false ) {
249.		$tpl->copy_template = preg_replace( "#\\[catlist=(.+?)\\](.*?)\\[/catlist\\]#ies", "check_category('\\1', '\\2', '{$c_list}')", $tpl->copy_template );
250.	}
251.
252.	if( strpos( $tpl->copy_template, "[not-catlist=" ) !== false ) {
253.		$tpl->copy_template = preg_replace( "#\\[not-catlist=(.+?)\\](.*?)\\[/not-catlist\\]#ies", "check_category('\\1', '\\2', '{$c_list}', false)", $tpl->copy_template );
254.	}

User supplied input passed through the $_REQUEST['catlist'] parameter
is not properly sanitized before being used in a preg_replace() call
with the e modifier at lines 249 and 253. This can be exploited to
inject and execute arbitrary PHP code. Successful exploitation of this
vulnerability requires a template which contains a “catlist” (or a
“not-catlist”) tag.



• Solution:

Apply the vendor patch: 
http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html



• Disclosure Timeline:

[16/01/2013] – Vendor notified
[19/01/2013] – Vendor patch released
[20/01/2013] – CVE number requested
[21/01/2013] – CVE number assigned
[28/01/2013] – Public disclosure


• CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-1412 to this vulnerability.


• Credits:

Vulnerability discovered by Egidio Romano.


• Original Advisory:

http://karmainsecurity.com/KIS-2013-01
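
The root cause at lines 249 and 253 is the `e` modifier: the replacement string, with `$c_list` interpolated into it, is compiled and executed as PHP, so request data ends up inside an `eval`. The safe construction is `preg_replace_callback()`, which hands the captures to a closure as plain strings; the `e` modifier itself was deprecated in PHP 5.5 and removed in PHP 7.0. The code below is an added example, not DataLife Engine's code: `check_category()` is a stand-in written here for the helper the advisory references (its real body is not on the page), `expand_catlist()` is a hypothetical name, and the template and request values are constructed.

```php
<?php
// Added example, not DataLife Engine's code. Stand-in for the check_category()
// helper the advisory references (its real implementation is not on the page):
// keep the tag's content only when one of the current category ids is in the
// tag's id list ($positive = true), or only when none is ($positive = false).
function check_category(string $idList, string $content, string $currentCats, bool $positive = true): string
{
    $wanted  = array_map('trim', explode(',', $idList));
    $current = array_map('trim', explode(',', $currentCats));
    $hit     = count(array_intersect($wanted, $current)) > 0;
    return ($hit === $positive) ? $content : '';
}

// Hardened replacement for the preg_replace(..., "check_category('\\1', '\\2', '{$c_list}')", ...)
// construction with the /e modifier: preg_replace_callback() passes the captures to a
// closure as ordinary strings, and $c_list is bound by value through `use`, so nothing
// from the request or the template is ever compiled as PHP code.
function expand_catlist(string $template, array $requestCatlist): string
{
    // Also restrict the request input to what it is supposed to be: integer ids.
    $ids    = array_filter(array_map('strval', $requestCatlist), 'ctype_digit');
    $c_list = implode(',', $ids);

    $template = preg_replace_callback(
        '#\[catlist=(.+?)\](.*?)\[/catlist\]#is',
        function (array $m) use ($c_list) {
            return check_category($m[1], $m[2], $c_list);
        },
        $template
    );
    $template = preg_replace_callback(
        '#\[not-catlist=(.+?)\](.*?)\[/not-catlist\]#is',
        function (array $m) use ($c_list) {
            return check_category($m[1], $m[2], $c_list, false);
        },
        $template
    );
    return $template;
}

// Constructed template and request values.
$tpl = "[catlist=3,5]shown for cat 3 or 5[/catlist][not-catlist=3]hidden for cat 3[/not-catlist]";
echo expand_catlist($tpl, ['3']), "\n";    // shown for cat 3 or 5
echo expand_catlist($tpl, ['7']), "\n";    // hidden for cat 3
echo expand_catlist($tpl, ['abc']), "\n";  // non-numeric id dropped: hidden for cat 3
```

The whitelist on the request values is belt and braces: even without it, the callback form cannot execute what it receives, because the captured groups and `$c_list` are function arguments rather than fragments of source text. The vendor patch linked above is the authoritative fix for 9.7; this block only shows the shape such a fix takes.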


APPLE-SA-2013-01-28-1 iOS 6.1 Software Update

2013-01-29 Thread Apple Product Security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

APPLE-SA-2013-01-28-1 iOS 6.1 Software Update

iOS 6.1 Software Update is now available and addresses the following:

Identity Services
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  Authentication relying on certificate-based Apple ID
authentication may be bypassed
Description:  An error handling issue existed in Identity Services.
If the user's AppleID certificate failed to validate, the user's
AppleID was assumed to be the empty string. If multiple systems
belonging to different users enter this state, applications relying
on this identity determination may erroneously extend trust. This
issue was addressed by ensuring that NULL is returned instead of an
empty string.
CVE-ID
CVE-2013-0963

International Components for Unicode
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description:  A canonicalization issue existed in the handling of the
EUC-JP encoding, which could lead to a cross-site scripting attack on
EUC-JP encoded websites. This issue was addressed by updating the
EUC-JP mapping table.
CVE-ID
CVE-2011-3058 : Masato Kinugawa

Kernel
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  A user-mode process may be able to access the first page of
kernel memory
Description:  The iOS kernel has checks to validate that the user-
mode pointer and length passed to the copyin and copyout functions
would not result in a user-mode process being able to directly access
kernel memory. The checks were not being used if the length was
smaller than one page. This issue was addressed through additional
validation of the arguments to copyin and copyout.
CVE-ID
CVE-2013-0964 : Mark Dowd of Azimuth Security

Security
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description:  Several intermediate CA certificates were mistakenly
issued by TURKTRUST. This may allow a man-in-the-middle attacker to
redirect connections and intercept user credentials or other
sensitive information. This issue was addressed by not allowing the
incorrect SSL certificates.

StoreKit
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  JavaScript may be enabled in Mobile Safari without user
interaction
Description:  If a user disabled JavaScript in Safari Preferences,
visiting a site which displayed a Smart App Banner would re-enable
JavaScript without warning the user. This issue was addressed by not
enabling JavaScript when visiting a site with a Smart App Banner.
CVE-ID
CVE-2013-0974 : Andrew Plotkin of Zarfhome Software Consulting, Ben
Madison of BitCloud, Marek Durcek

WebKit
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2012-2824 : miaubiz
CVE-2012-2857 : Arthur Gerkis
CVE-2012-3606 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3607 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3621 : Skylined of the Google Chrome Security Team
CVE-2012-3632 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2012-3687 : kuzzcc
CVE-2012-3701 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0948 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0949 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0950 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0951 : Apple
CVE-2013-0952 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0953 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0954 : Dominic Cooney of Google and Martin Barbella of the
Google Chrome Security Team
CVE-2013-0955 : Apple
CVE-2013-0956 : Apple Product Security
CVE-2013-0958 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0959 : Abhishek Arya (Inferno) of the Google Chrome Security
Team
CVE-2013-0968 : Aaron Nelson

WebKit
Available for:  iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact:  Copying and pasting content on a malicious website may lead
to a cross-site scripting attack
Description:  A cross-site scripting issue existed in the handling of
content pasted from a different origin. This issue was addressed
through additional validation of pasted content.
CVE-ID
CVE-2013-0962 : Mario Heiderich of Cure53

WebKit
Available for:  iPhone 3GS 

APPLE-SA-2013-01-28-2 Apple TV 5.2

2013-01-29 Thread Apple Product Security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

APPLE-SA-2013-01-28-2 Apple TV 5.2

Apple TV 5.2 is now available and addresses the following:

Apple TV
Available for:  Apple TV 2nd generation and later
Impact:  A user-mode process may be able to access the first page of
kernel memory
Description:  The kernel has checks to validate that the user-mode
pointer and length passed to the copyin and copyout functions would
not result in a user-mode process being able to directly access
kernel memory. The checks were not being used if the length was
smaller than one page. This issue was addressed through additional
validation of the arguments to copyin and copyout.
CVE-ID
CVE-2013-0964 : Mark Dowd of Azimuth Security

Apple TV
Available for:  Apple TV 2nd generation
Impact:  A remote attacker on the same WiFi network may be able to
cause an unexpected system termination
Description:  An out of bounds read issue exists in Broadcom's
BCM4325 and BCM4329 firmware's handling of 802.11i information
elements. This issue was addressed through additional validation of
802.11i information elements.
CVE-ID
CVE-2012-2619 : Andres Blanco and Matias Eissler of Core Security


Installation note:

Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
Settings > General > Update Software.

To check the current version of software, select
Settings > General > About.

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
=fPxD
-END PGP SIGNATURE-


XSS in Elgg 1.8.12, 1.7.16 (core module Twitter widget)

2013-01-29 Thread Moritz Naumann
Hello dear XSS bored audience,

the PHP based social networking engine Elgg [1], versions 1.8.12 and
1.7.16 and earlier, bears a persistent script injection vulnerability in
its core module Twitter widget, which allows for XSS attacks.

On installations which have the Twitter widget activated (disabled by
default, but in use on many installations), any authenticated user may
add the Twitter widget to their activity / dashboard page. Editing its
configuration allows the user to set the twitter_username parameter. The
value stored in this parameter will be echoed without sanitation [2]
when this page is viewed by any other user, authenticated or not.

For mitigation, the Twitter widget can be disabled by a site admin (in
the admin backend's plugin configuration area).

According to changes committed [3] to their Git repository Elgg
developers will provide a fix for this issue in the upcoming (?) 1.8.13
release.

This was originally reported by
 Moritz Naumann
 http://moritz-naumann.com
on January 17, to security[at]elgg.org, and got me a prompt vendor
reply. Coordination of advisory release is something to improve upon
next time.

A CVE ID has, to my knowledge, not yet been assigned. Secunia has
assigned it SA52007.

Have fun,

Moritz

[1] http://elgg.org/
[2] http://github.com/Elgg/Elgg/commit/a74a88501c41e89c8bcd7fc650ae2f8cc0a5003d#L2L21
[3] http://github.com/Elgg/Elgg/commit/19dc507c2fccb378be2a44a762edf6c1e7afa334#L0R11


Adobe Reader XI versions are vulnerable to a heap overflow

2013-01-29 Thread n1s0o
1. OVERVIEW

Adobe Reader XI versions are vulnerable to a heap overflow

2. BACKGROUND

Adobe Reader software is the free trusted standard for reliably viewing, 
printing, and annotating PDF documents. It's the only PDF file viewer that can 
open and interact with all types of PDF content, including forms and multimedia.

3. VULNERABILITY DESCRIPTION

A specially crafted PDF file may result in a heap overflow, corrupting the heap 
and potentially allowing code execution.
The flaw is due to allocating predefined heap space for an object in the PDF 
format, which may be bigger than anticipated.

4. VERSIONS AFFECTED

11.x

5. SOLUTION

The vendor is fixing this issue.

6. CREDIT

Nisso Kalim ~~~DEMO hackers~~~