CORE-2013-0705 - XnView Buffer Overflow Vulnerability
Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ XnView Buffer Overflow Vulnerability 1. *Advisory Information* Title: XnView Buffer Overflow Vulnerability Advisory ID: CORE-2013-0705 Advisory URL: http://www.coresecurity.com/advisories/xnview-buffer-overflow-vulnerability Date published: 2013-07-22 Date of last update: 2013-07-22 Vendors contacted: XnView Release mode: Coordinated release 2. *Vulnerability Information* Class: Buffer overflow [CWE-119] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2013-2577 3. *Vulnerability Description* XnView [1], [2] is prone to a security vulnerability when processing PCT files. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine, by enticing the user of XnView to open a specially crafted file. 4. *Vulnerable Packages* . XnView v2.03 for Windows. . Older versions are probably affected too, but they were not checked. 5. *Non-Vulnerable Packages* . XnView v2.04. 6. *Credits* This vulnerability was discovered and researched by Ricardo Narvaja from Core Exploit Writers Team. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team. 7. *Technical Description / Proof of Concept Code* Below is shown the result of opening the maliciously crafted file 'CORE-2013-0705-xnview-poc-4895a357a242d3c78.PCT'[3]: /- 7C9108F38902MOV DWORD PTR DS:[EDX],EAX 7C9108F58941 04 MOV DWORD PTR DS:[ECX+4],EAX 7C9108F856 PUSH ESI 7C9108F98B75 C8 MOV ESI,DWORD PTR SS:[EBP-38] 7C9108FC56 PUSH ESI 7C9108FDE8 BAFD CALL ntdll.7C9106BC << CRASH EAX 00EC3008 ECX 003C95B0 EDX 41424344 EBX 003C0178 ESP 0013E708 EBP 0013E7C4 ESI 00EC3000 EDI 003C EIP 7C9108F3 ntdll.7C9108F3 C 1 ES 0023 32bit 0() P 0 CS 001B 32bit 0() A 1 SS 0023 32bit 0() Z 0 DS 0023 32bit 0() S 1 FS 003B 32bit 7FFDF000(FFF) T 0 GS NULL D 0 O 0 LastErr ERROR_NO_SCROLLBARS (05A7) EFL 00010293 (NO,B,NE,BE,S,PO,L,LE) ST0 empty +UNORM 043E 7C910435 0007DC88 ST1 empty +UNORM 0002 0007DB84 00020024 ST2 empty -UNORM DA40 7C901000 7FFDE000 ST3 empty +UNORM 0460 7C90E920 0007DB14 ST4 empty +UNORM 0208 7C913F85 7C913F92 ST5 empty +UNORM 0044 77DDE250 0007DE54 ST6 empty 0.0006002 ST7 empty 0.0006002 3 2 1 0 E S P U O Z D I FST 4020 Cond 1 0 0 0 Err 0 0 1 0 0 0 0 0 (EQ) FCW 027F Prec NEAR,53 Mask1 1 1 1 1 1 -/ As a result, the address 0x41424344 (controlled by the attacker) can be overwritten and the normal execution flow can be altered in order to execute arbitrary code. /- 003C95B0 32 32 33 34 44 43 42 41 AA AA AA AA 34 35 36 37 2234DCBA4567 003C95C0 38 90 91 26 32 32 26 3C 36 32 36 36 32 36 3C 3C 8??&22&<626626<< 003C95D0 54 65 6D 73 82 82 87 90 90 99 9A 9B 9E A1 A6 AA Tems?¡¦ª 003C95E0 AE AF B3 B5 B5 B6 BB BC BD BD BE BF C1 C3 C7 CB ®¯³µµ¶»¼½½¾¿ÁÃÇË -/ 8. *Report Timeline* . 2013-07-04: Core Security Technologies notifies the XnView team of the vulnerability. Publication date is set for July 31st, 2013. . 2013-07-09: Vendor asks for a report with technical information. . 2013-07-10: Technical details sent to XnView team. . 2013-07-11: Vendor notifies that the issue will be fixed in the next product release. . 2013-07-15: Core asks when the next release has been scheduled. . 2013-07-16: Vendor notifies that the next product release is scheduled for next week. . 2013-07-17: Core re-schedules the advisory publication for Monday 22nd. . 2013-07-22: Advisory CORE-2013-0705 released. 9. *References* [1] http://www.xnview.com/. [2] http://www.xnview.com/en/xnview/. [3] http://www.coresecurity.com/system/files/attachments/2013/07/CORE-2013-0705-xnview-poc-4895a357a242d3c78.zip 10. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 11. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effecti
CORE-2013-0701 - Artweaver Buffer Overflow Vulnerability
Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ Artweaver Buffer Overflow Vulnerability 1. *Advisory Information* Title: Artweaver Buffer Overflow Vulnerability Advisory ID: CORE-2013-0701 Advisory URL: http://www.coresecurity.com/advisories/artweaver-buffer-overflow-vulnerability Date published: 2013-07-22 Date of last update: 2013-07-22 Vendors contacted: Artweaver Release mode: Coordinated release 2. *Vulnerability Information* Class: Buffer overflow [CWE-119] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2013-2576 3. *Vulnerability Description* Artweaver [1], [2] is prone to a security vulnerability when processing AWD files. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine by enticing Artweaver users to open a specially crafted file. 4. *Vulnerable Packages* . Artweaver v3.1.5. . Older versions are probably affected too, but they were not checked. 5. *Non-Vulnerable Packages* . Artweaver v3.1.6. . Artweaver v4.0. 6. *Vendor Information, Solutions and Workarounds* Vendor notifies that Artweaver v3.1.6 and v4.0 are available and fix the reported vulnerability. Vendor encourages all Artweaver users to update to the latest version: 1. http://www.artweaver.de/en/help/68 2. Artweaver Plus - http://www.artweaver.de/en/help/80 3. Artweaver Free - http://www.artweaver.de/en/help/81 7. *Credits* This vulnerability was discovered and researched by Daniel Kazimirow from Core Exploit Writers Team. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team. 8. *Technical Description / Proof of Concept Code* Below is shown the result of opening the maliciously crafted file 'CORE-2013-0701-artweaver-poc-28ab190b137f3.AWD'[3], which means the normal execution flow can be altered in order to execute arbitrary code. /- 004F32658B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 004F32688B40 28 MOV EAX,DWORD PTR DS:[EAX+28] 004F326B8B10MOV EDX,DWORD PTR DS:[EAX] 004F326DFF12CALL DWORD PTR DS:[EDX] ; <--- crash DS:[45454545]=??? EAX 030F9C48 ASCII "EE ECX 019983F0 EDX 45454545 EBX 019983F0 ESP 0012FB7C EBP 0012FB90 ESI EDI 0013 EIP 004F326D Artweave.004F326D C 0 ES 0023 32bit 0() P 1 CS 001B 32bit 0() A 0 SS 0023 32bit 0() Z 0 DS 0023 32bit 0() S 0 FS 003B 32bit 7FFDF000(FFF) T 0 GS NULL D 0 O 0 LastErr ERROR_SUCCESS () EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G) ST0 empty -??? 5FEE 0F0566FB ST1 empty -??? 0F05070D ST2 empty -??? 00060010 ST3 empty -??? 002C006F ST4 empty -NAN 8F669BF5 EFE5EDFD ST5 empty 6.0925232094539560960e+16 ST6 empty -7.8331661972355807100e+18 ST7 empty 5.8691123250627328000e+16 3 2 1 0 E S P U O Z D I FST 0020 Cond 0 0 0 0 Err 0 0 1 0 0 0 0 0 (GT) FCW 1372 Prec NEAR,64 Mask1 1 0 0 1 0 -/ 9. *Report Timeline* . 2013-07-04: Core Security Technologies notifies the Artweaver team of the vulnerability. . 2013-07-05: Vendor asks for a report with technical information. . 2013-07-05: Technical details sent to Artweaver team. Core notifies that the publication date is scheduled for the end of July. . 2013-07-06: Vendor reproduces the buffer overrun and notifies that they are looking for the cause of the problem. . 2013-07-10: Vendor notifies that this vulnerability will be fixed with the next Artweaver update v3.1.6, scheduled for July 20th. . 2013-07-10: Core re-schedules the advisory publication for Monday 22nd. . 2013-07-20: Vendor notifies patched versions were released and aditional information for Artweaver users. [Sec. 6] . 2013-07-22: Advisory CORE-2013-0701 released. 10. *References* [1] http://www.artweaver.de. [2] http://www.b-e-soft.com/products#artweaver. [3] http://www.coresecurity.com/system/files/attachments/2013/07/CORE-2013-0701-artweaver-poc-28ab190b137f3.zip 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 12. *About Core Security
[ MDVSA-2013:197 ] mysql
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDVSA-2013:197 http://www.mandriva.com/en/support/security/ ___ Package : mysql Date: July 23, 2013 Affected: Enterprise Server 5.0 ___ Problem Description: Multiple vulnerabilities has been discovered and corrected in mysql: MariaDB 5.5.x before 5.5.30, 5.3.x before 5.3.13, 5.2.x before 5.2.15, and 5.1.x before 5.1.68, and Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allows remote attackers to cause a denial of service (crash) via a crafted geometry feature that specifies a large number of points, which is not properly handled when processing the binary representation of this feature, related to a numeric calculation error (CVE-2013-1861). Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Full Text Search (CVE-2013-3802). Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer (CVE-2013-3804). The updated packages have been upgraded to the 5.1.70 version which is not vulnerable to these issues. ___ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1861 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3802 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3804 http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html http://dev.mysql.com/doc/relnotes/mysql/5.1/en/news-5-1-70.html ___ Updated Packages: Mandriva Enterprise Server 5: d50025f407efd92277e1ce69b498932a mes5/i586/libmysql16-5.1.70-0.1mdvmes5.2.i586.rpm 9f0cb96b3e3cc6d9217d4d58a90304c5 mes5/i586/libmysql-devel-5.1.70-0.1mdvmes5.2.i586.rpm 51943d180dd136175e303a7629e8ece2 mes5/i586/libmysql-static-devel-5.1.70-0.1mdvmes5.2.i586.rpm 11f429a294ce0a1f0a3b760ea5e36392 mes5/i586/mysql-5.1.70-0.1mdvmes5.2.i586.rpm e581dea7bbd3ec979ecebe2fb03fdecf mes5/i586/mysql-bench-5.1.70-0.1mdvmes5.2.i586.rpm e8c4be68e730ed3f4b854cbfb2ef62d1 mes5/i586/mysql-client-5.1.70-0.1mdvmes5.2.i586.rpm 58e82a0beaf27e4d4dd0a8680550242d mes5/i586/mysql-common-5.1.70-0.1mdvmes5.2.i586.rpm ef5290b2cec153e8529a9a2475536541 mes5/SRPMS/mysql-5.1.70-0.1mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: aa18a4827c59c6b87c9d7b2972e7724c mes5/x86_64/lib64mysql16-5.1.70-0.1mdvmes5.2.x86_64.rpm efecce077f18b14d3864a455d98fd962 mes5/x86_64/lib64mysql-devel-5.1.70-0.1mdvmes5.2.x86_64.rpm 612305725f5081095e839911eab31f92 mes5/x86_64/lib64mysql-static-devel-5.1.70-0.1mdvmes5.2.x86_64.rpm 2d12d3c1ebc247a49c70074ac00044cd mes5/x86_64/mysql-5.1.70-0.1mdvmes5.2.x86_64.rpm 5330a94f0a81648e0610d8fb051be165 mes5/x86_64/mysql-bench-5.1.70-0.1mdvmes5.2.x86_64.rpm 87b0f4a48768c3f97fd391101dff0f70 mes5/x86_64/mysql-client-5.1.70-0.1mdvmes5.2.x86_64.rpm 43ad98e628ae21a2d8c825096ff35f4f mes5/x86_64/mysql-common-5.1.70-0.1mdvmes5.2.x86_64.rpm ef5290b2cec153e8529a9a2475536541 mes5/SRPMS/mysql-5.1.70-0.1mdvmes5.2.src.rpm ___ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com ___ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFR7h76mqjQ0CJFipgRAilqAJ4s0yqFPFdT0sOYj20pYbQni9KHcgCgu6As M44JAmrkDXcyeRhgdxkZszI= =KbxN -END PGP SIGNATURE-
Orbit Downloader versions causing massive SYN flooding. Cyberoam cautions!
Subject: Orbit Downloader versions causing massive SYN flooding. Cyberoam cautions! Brief: == Cyberoam cautions all Orbit Downloader users, as the latest version of the Orbit Downloader is turning computers, devices into a SYN Flooder. It is found that as soon as orbit downloader launches itself, it starts sending very high amount of SYN traffic at rate of 50-70 KPPS (around 5-7 Mbps) causing clogging in networks and abrupt ceases to respond to commands, especially with gateway devices/network switches. The immediate rise in traffic also leads to severe bandwidth crunch. The article intends to throw further light on the issue. Read on to know more. Impact: === Orbit Downloader is creating very high amount of SYN traffic with random source IP addresses to create DDOS attack that immediately hangs Gateway Devices/network switches completely and breaks down the entire network operation along with network security devices exposing networks to higher vulnerabilities. The issue was noticed on various computers with the latest versions of Orbit Downloader, leading to immediate and high bandwidth usage. Detail: === As per the content on the official website of Orbit Downloader, it is the . most popular YouTube Downloader chosen by millions of people. most popular Flash video Downloader chosen by millions of people. most popular Metacafe Downloader chosen by millions of people. most popular Veoh Downloader chosen by millions of people. These comments clearly highlight the large number of users of Orbit Downloader. Apart from this, the official forum of Orbit Downloader states that the Total number of registered users: 1003785. These figures are alarming. The more the number of users, the wider the range of the impact. About Orbit Downloader Orbit Downloader is a leader of download manager revolution, is devoted to new generation web downloading, such as video, music, streaming media from MySpace, YouTube, Imeem, Pandora, Rapidshare, support RTMP and to make general downloading easier and faster. Technical Details An attempt to check the latest version of Orbit downloader on Virustotal clearly indicates that it is considered as healthy binary by almost all Anti-virus engines. md5sum: a14d5266da3325bf96e7c73eede18c26 Version: 4.1.1.18 Result: https://www.virustotal.com/en/file/18756d11b3c62654e2409d1340a8114fbd471f114420e5ba7735a7363cf23ec6/analysis/ Behaviour: == As soon as the orbit downloader launches, it starts sending very high amount of SYN traffic (50K-70K PPS) with random source IP addresses along-with forged Source MAC address: 0a:0a:0a:0a:0a:0a. This program has more than 1300 connections open at any given time opening over 40 connections per second. Effectively it is launching a SYN flood attack against a set of servers, but has an adverse effect on every piece of hardware from this computer to the servers at the destination addresses. Mostly observed on 118.69.172.122, 118.69.169.103, 118.69.169.95, 118.69.172.247 IPs. While checking the TCP SYNC packets in depth, its been observed that the packet comes with some dummy public IP, which is new in the network. Also the Source IP changes after each THREE Sync Packets that causes this DDOS flooding. Such a flooding will remarkably increase CPU/memory resources on Gateway Devices/network switches performing continuous stateful inspection, leading to a state of system experiencing a complete hang or unresponsiveness to legitimate traffic. Apart from this, this tool intelligently changes the source MAC Address in Packets which makes impossible to identify the source of this flooder by looking at the MAC Address in packets. All the packets has source MAC set as 0a:0a:0a:0a:0a:0a. The main issue is that one cannot directly pin point the culprit machine until and unless one has a manageable switch, where you can locate the hardware port you have this MAC address, making detection a tedious process. About SYN flooding: === A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a targets system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. A SYN flood attack works by not sending an expected ACK code to the server. The malicious client can either simply not send the expected ACK, or by spoofing the source IP address in the SYN, causing the server to send the SYN-ACK to a falsified IP address which will not send an ACK because it knows that it never sent a SYN. The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK, but in an attack increasingly large numbers of half-open connections will bind resources on the server until no new connections can be made, resulting in a denial of service to legitimate traffic. Solution: = Cyberoam customers shou
CORE-2013-0613 - FOSCAM IP-Cameras Improper Access Restrictions
Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ FOSCAM IP-Cameras Improper Access Restrictions 1. *Advisory Information* Title: FOSCAM IP-Cameras Improper Access Restrictions Advisory ID: CORE-2013-0613 Advisory URL: http://www.coresecurity.com/advisories/foscam-ip-cameras-improper-access-restrictions Date published: 2013-07-23 Date of last update: 2013-07-23 Vendors contacted: Foscam Release mode: User release 2. *Vulnerability Information* Class: Information Exposure [CWE-200] Impact: Security bypass Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2013-2574 3. *Vulnerability Description* Due to improper access restriction the FOSCAM FI8620 device [1] allows a remote attacker to browse and access arbitrary files from the following directories '/tmpfs/' and '/log/' without requiring authentication. This could allow a remote attacker to obtain valuable information such as access credentials, Wi-Fi configuration and other sensitive information in plain text. The list of affected files includes, but is not limited to, the following: . 'http:///tmpfs/config_backup.bin' . 'http:///tmpfs/config_restore.bin' . 'http:///tmpfs/ddns.conf' . 'http:///tmpfs/syslog.txt' . 'http:///log/syslog.txt' 4. *Vulnerable Packages* . FOSCAM FI8620 PTZ Camera. . Other Foscam devices based on the same firmware are probably affected too, but they were not checked. 5. *Non-Vulnerable Packages* Vendor did not provide details. Contact Foscam for further information. 6. *Vendor Information, Solutions and Workarounds* There was no official answer from Foscam after several attempts (see [Sec. 9]); contact vendor for further information. Some mitigation actions may be do not expose the camera to internet unless absolutely necessary and have at least one proxy filtering HTTP requests to the following resources: . '/tmpfs/config_backup.bin' . '/tmpfs/config_restore.bin' . '/tmpfs/ddns.conf' . '/tmpfs/syslog.txt' . '/log/syslog.txt' 7. *Credits* This vulnerability was discovered by Flavio de Cristofaro and researched with the help of Andres Blanco from Core Security Technologies. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team. 8. *Technical Description / Proof of Concept Code* 8.1. *Accessing Manufacturer DDNS configuration* By requesting the following URL using your default web browser: /- http:///tmpfs/ddns.conf -/ you will see something like this: /- [LoginInfo] HostName=ddns.myfoscam.org HostIP=113.105.65.47 Port=8080 UserName= Password= [Domain] Domain=.myfoscam.org; -/ 8.2. *Access Credentials Stored in Backup Files* When a configuration backup is required by an operator/administrator, the backup is generated in the local folder 'tmpfs' named as 'config_backup.bin'. The binary file is just a dump of the whole configuration packed as Gzip and can be accessed by accessing the following URL: /- http:///tmpfs/config_backup.bin -/ The presence of this temporary file enables an unauthenticated attacker to download the configuration files which contain usernames, plaintext passwords (including admin passwords), Wifi configuration including plain PSK, among other interesting stuff as shown below: /- username = "admin " password = "admin " authtype = "15 " authgroup= "" [user1] username = "user" password = "user" authtype = "3 " authgroup= "" [user2] username = "guest " password = "guest " authtype = "1 " authgroup= "" -/ It is important to mention that, in order to access the configuration file previously mentioned, an operator and/or administrator should have executed the backup process in advance. 9. *Report Timeline* . 2013-06-12: Core Security Technologies notifies the Foscam team of the vulnerability. . 2013-06-12: Vendor acknowledges the receipt of the email and asks for technical details. . 2013-06-13: A draft report with technical details and a PoC is sent to vendor. Publication date is set for Jul 3rd, 2013. . 2013-06-17: Core asks if the vulnerabilities are confirmed. . 2013-06-17: Foscam product team notifies that they have checked CORE's website [2], but there is no Foscam info. . 2013-06-18: Core notifies that the advisory has not been published yet and re-sends technical details and proof of concept. . 2013-06-26: CORE asks for a reply. . 2013-07-03: First release date missed. . 2013-07-03: Core asks for a reply. . 2013-07-11: Core notifies that the issues were reported 1 month ago and there was no reply since [2013-06-18]. . 2013-07-23: Core releases the advisory CORE-2013-0613 tagged as user-release. 10. *Re
