Re: [Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Clean Access
Hello Mark,

Sorry for this belated response.

On Thu, Jan 04, 2007 at 11:59:34AM -0700, Mark Senior wrote:
> Well, that sure was informative. My questions to what the advisory means are below. Can anyone answer or correct this at all?

I am the person who wrote this advisory so maybe I can help here.

> > Unchangeable Shared Secret
> >
> > In order for Cisco Clean Access Manager (CAM) to authenticate to a Cisco Clean Access Server (CAS), both CAM and CAS must have the same shared secret. The shared secret is configured during the initial CAM and CAS setup. Due to this vulnerability the shared secret can not be properly set nor be changed, and it will be the same across all affected devices. In order to exploit this vulnerability the adversary must be able to establish a TCP connection to CAS.
>
> So, other than making a TCP connection to the box, what does the attacker need? Do they need to get the shared secret off some other box in the same administrative domain? How is that shared secret protected, is it stored anywhere else an attacker might have easier access to (e.g. on Clean Access-managed clients, on the 'readable snapshots' below)?

Being able to establish a TCP connection is the first requirement. After doing so the attacker will be able to talk to CAS and instruct it to do whatever (s)he wants it to do. Just finishing the three way handshake is not sufficient to exploit this.

I do not have an answer if this is also stored in clients. Will verify and get back to you later.

> > Unchangeable Shared Secret
> >
> > Successful exploitation of the vulnerability may enable a malicious user to effectively take administrative control of a CAS. After that, every aspect of CAS can be changed including its configuration and setup.
>
> For "may", presumably we should read "would", unless he suddenly fell asleep at the last minute? Or are there some additional barriers to taking advantage of a successful exploit?

It is "may" because if you run software release 3.6.1 then your passwords are encrypted but you are still affected by both of these issues. On the other hand, if you are using version 3.5.8 then your passwords are not stored encrypted.

> > Readable Snapshots
> >
> > The snapshot contains sensitive information that can aid in the attempts, or be used to compromise the CAM. Among other things, the snapshot can contain passwords in cleartext. Starting with the release 3.6.0, passwords are no longer stored in cleartext in the snapshot files.
>
> So, I read this to mean, the snapshot files are still downloadable without authentication, still have easily guessable names, and still contain

Not quite. You can not read snapshot files without authentication if you are running fixed software (3.5.10 and 3.6.2 and onwards).

> sensitive information that can aid in an attack (what sensitive information?), but now the attacker has password hashes against which he has

Information like web server version can aid in an attempt to compromise a device.

> to do a three hour offline brute force, or perhaps a twenty second rainbow table lookup, rather than getting the plaintext straight off.

You are assuming that we are using the same format as LM. If we would do so, then you would be correct that the hash can be cracked in a few seconds by using rainbow tables. We do not use LM format. It is always possible to crack the password using brute force but we hope that users are using passwords sufficiently long to make this process too time consuming.

Regards,

Gaus

==
Damir Rajnovic [EMAIL PROTECTED], PSIRT Incident Manager, Cisco Systems
http://www.cisco.com/go/psirt
Telephone: +44 7715 546 033
200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
==
There are no insolvable problems. The question is can you accept the solution?

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ChiSUG January Meeting
Happy New Year ChiSUG members -- it looks like we get to start 2007 with a bang. For our January meeting, noted security researcher and consultant, Raven Alder, will present to the Chicago Snort Users Group.

Secure your spot now by sending your name (for security check-in) to: rwagner [a t] transunion {d o t} com.

Don't keep the pig all to yourselves – pass this invite on to other security minded peers (no loose cannons, please).

Details

Who: Raven Alder
What: Managing Snort in a Large Environment
When: Thursday, January 18th at 5:00 PM.
Where: Nexum, Inc., 190 S. LaSalle St., Chicago, IL
[Full-disclosure] List Charter
[Full-Disclosure] Mailing List Charter
John Cartwright [EMAIL PROTECTED]

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing list hosted at lists.grok.org.uk.

The list was created on 9th July 2002 by Len Rose, and is primarily concerned with security issues and their discussion. The list is administered by John Cartwright.

The Full-Disclosure list is hosted and sponsored by Secunia.

- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to [EMAIL PROTECTED], send the word 'help' in either the message subject or body for details.

- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be restricted to members only, however the administrators may choose to accept submissions from non-members based on individual merit and relevance.

It is expected that the list will be largely self-policing, however in special circumstances (e.g. spamming, misappropriation) then offending members may be removed from the list by the management.

An archive of postings is available at http://lists.grok.org.uk/pipermail/full-disclosure/.

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for instance announcement and discussion thereof, exploit techniques and code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is forbidden. Disagreements, flames, arguments, and off-topic discussion should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they should use discretion in executing any tools or code distributed via this list.

- Posting Guidelines -

The primary language of this list is English. Members are expected to maintain a reasonable standard of netiquette when posting to the list.

Quoting should not exceed that which is necessary to convey context, this is especially relevant to members subscribed to the digested version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will preferably be short and to the point, and those containing 'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or S/MIME signatures, proof-of-concept code, etc) but must not be active (in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to list postings. Offenders will be excluded from the mailing list until the problem is corrected.

Members may post to the list by emailing [EMAIL PROTECTED]. Do not send subscription/unsubscription mails to this address, use the -request address mentioned above.

- Charter Additions/Changes -

The list charter will be published at http://lists.grok.org.uk/full-disclosure-charter.html. In addition, the charter will be posted monthly to the list by the management.

Alterations will be made after consultation with list members and a consensus has been reached.
Re: [Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Clean Access
Hello Gaus

Thanks for the response, it was quite helpful. I have a few questions/comments inline below.

Perhaps you can't comment, which I respect, but I wonder - is there a general Cisco policy on vulnerability announcements being short on technical detail like this? This advisory seemed pretty much standard for advisories coming from Cisco, which is to say that the reader is often left to draw inferences, which are not always correct (though perhaps mine were more incorrect than the average reader's).

Regards
Mark

On 1/9/07, Damir Rajnovic wrote:
> Hello Mark,
>
> Sorry for this belated response.
>
> On Thu, Jan 04, 2007 at 11:59:34AM -0700, Mark Senior wrote:
> > Well, that sure was informative. My questions to what the advisory means are below. Can anyone answer or correct this at all?
>
> I am the person who wrote this advisory so maybe I can help here.
>
> > > Unchangeable Shared Secret
> > >
> > > In order for Cisco Clean Access Manager (CAM) to authenticate to a Cisco Clean Access Server (CAS), both CAM and CAS must have the same shared secret. The shared secret is configured during the initial CAM and CAS setup. Due to this vulnerability the shared secret can not be properly set nor be changed, and it will be the same across all affected devices. In order to exploit this vulnerability the adversary must be able to establish a TCP connection to CAS.
> >
> > So, other than making a TCP connection to the box, what does the attacker need? Do they need to get the shared secret off some other box in the same administrative domain? How is that shared secret protected, is it stored anywhere else an attacker might have easier access to (e.g. on Clean Access-managed clients, on the 'readable snapshots' below)?
>
> Being able to establish a TCP connection is the first requirement. After doing so the attacker will be able to talk to CAS and instruct it to do whatever (s)he wants it to do. Just finishing the three way handshake is not sufficient to exploit this.

Just to make sure I'm understanding this - would the attacker need the shared secret in order to get the CAS to do anything - i.e. are we talking about a compromise of (the shared secret from) one Clean Access box in an admin domain being expandable to all the Clean Access boxes in that admin domain? Or, is the ability to carry on a TCP conversation sufficient, no prior access to a shared secret required?

> I do not have an answer if this is also stored in clients. Will verify and get back to you later.
>
> > > Unchangeable Shared Secret
> > >
> > > Successful exploitation of the vulnerability may enable a malicious user to effectively take administrative control of a CAS. After that, every aspect of CAS can be changed including its configuration and setup.
> >
> > For "may", presumably we should read "would", unless he suddenly fell asleep at the last minute? Or are there some additional barriers to taking advantage of a successful exploit?
>
> It is "may" because if you run software release 3.6.1 then your passwords are encrypted but you are still affected by both of these issues. On the other hand, if you are using version 3.5.8 then your passwords are not stored encrypted.
>
> > > Readable Snapshots
> > >
> > > The snapshot contains sensitive information that can aid in the attempts, or be used to compromise the CAM. Among other things, the snapshot can contain passwords in cleartext. Starting with the release 3.6.0, passwords are no longer stored in cleartext in the snapshot files.
> >
> > So, I read this to mean, the snapshot files are still downloadable without authentication, still have easily guessable names, and still contain
>
> Not quite. You can not read snapshot files without authentication if you are running fixed software (3.5.10 and 3.6.2 and onwards).

Ah, that makes more sense! I'd missed the fact that 3.6.1 and 3.6.2 were both mentioned.

> > sensitive information that can aid in an attack (what sensitive information?), but now the attacker has password hashes against which he has
>
> Information like web server version can aid in an attempt to compromise a device.
>
> > to do a three hour offline brute force, or perhaps a twenty second rainbow table lookup, rather than getting the plaintext straight off.
>
> You are assuming that we are using the same format as LM. If we would do so, then you would be correct that the hash can be cracked in a few seconds by using rainbow tables. We do not use LM format.

Strictly speaking, I'm only assuming that the hashes are in a format for which rainbow tables exist or could be pregenerated - essentially, anything without a salt (rainbowtables.com has a nice collection).

> It is always possible to crack the password using brute force but we hope that users are using passwords sufficiently long to make this process too time consuming.

In practice, I suspect that if the attacker has downloaded the hashes, the damage is done. The best you can realistically expect of
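The disagreement above turns on one property of the stored hash: whether it is salted. Mark's point is that any unsalted format, not only LM, can be attacked with a table computed once and reused against every copy of the hash. The following Python is an added illustration, not code from Cisco or from either poster; it contrasts a bare digest with a per-user salted, iterated one and shows why a precomputed table finds the first but not the second. The storage format ("salt$dk"), the iteration count and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the example


def unsalted_hash(password: str) -> str:
    """The weak scheme under discussion: a bare, unsalted digest.
    Every user with the same password gets the same value, so one table
    computed ahead of time breaks all of them at lookup speed."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt=None) -> str:
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
    Stored as 'salt$dk' (assumed record format for the example)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt; constant-time compare of the result."""
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_precomputed_table(candidates):
    """Stand-in for a rainbow table: digest -> plaintext, built once, reused
    against any unsalted record ever captured."""
    return {unsalted_hash(c): c for c in candidates}


def lookup_unsalted(table, digest):
    """Recovery of an unsalted hash is a dictionary lookup."""
    return table.get(digest)


def lookup_salted(table, stored):
    """The same table against a salted record: the derived key depends on a
    salt the table builder never saw, so there is nothing to match."""
    _salt_hex, dk_hex = stored.split("$", 1)
    return table.get(dk_hex)


if __name__ == "__main__":
    # Constructed candidate list standing in for a wordlist.
    table = build_precomputed_table(["password", "letmein", "Summer2007"])
    print("unsalted:", lookup_unsalted(table, unsalted_hash("letmein")))
    record = salted_hash("letmein")
    print("salted:  ", lookup_salted(table, record))
    print("verify:  ", verify_salted("letmein", record))
```

The brute-force cost Gaus mentions still applies to the salted scheme, but it has to be paid per record rather than once for the whole user base, and the iteration count multiplies it.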
Re: [Full-disclosure] 0trace - traceroute on established connections
Hi,

am I wrong or is the mechanism that you implement similar to the one implemented in lft (Layer Four Traceroute, http://pwhois.org/lft/ )?

From the homepage:

LFT is the all-in-one traceroute tool because it can launch a variety of different probes using both UDP and TCP layer-4 protocols. For example, rather than only launching UDP probes in an attempt to elicit ICMP TTL exceeded from hosts in the path, LFT can send TCP SYN or FIN probes to target arbitrary services. Then, LFT listens for TTL exceeded messages, TCP RST (reset), and various other interesting heuristics from firewalls or other gateways in the path. LFT also distinguishes between TCP-based protocols (source and destination), which make its statistics slightly more realistic, and gives a savvy user the ability to trace protocol routes, not just layer-3 (IP) hops. With LFT's verbose output, much can be discovered about a target network.

Ciao,
Alessandro

On Jan 7, 2007, at 12:53 AM, Michal Zalewski wrote:
> I'd like to announce the availability of a free security reconnaissance / firewall bypassing tool called 0trace.
>
> This tool enables the user to perform hop enumeration (traceroute) within an established TCP connection, such as a HTTP or SMTP session. This is opposed to sending stray packets, as traceroute-type tools usually do.
>
> The important benefit of using an established connection and matching TCP packets to send a TTL-based probe is that such traffic is happily allowed through by many stateful firewalls and other defenses without further inspection (since it is related to an entry in the connection table).
>
> I'm not aware of any public implementations of this technique, even though the concept itself is making rounds since 2000 or so; because of this, I thought it might be a good idea to give it a try.
>
> [ Of course, I might be wrong, but Google seems to agree with my assessment. A related use of this idea is 'firewalk' by Schiffman and Goldsmith, a tool to probe firewall ACLs; another utility called 'tcptraceroute' by Michael C. Toren implements TCP SYN probes, but since the tool does not ride an existing connection, it is less likely to succeed (sometimes a handshake must be completed with the NAT device before any traffic is forwarded). ]
>
> A good example of the difference is www.ebay.com (66.135.192.124) - a regular UDP/ICMP traceroute and tcptraceroute both end like this:
>
>   14 as-0-0.bbr1.SanJose1.Level3.net (64.159.1.133) ...
>   15 ae-12-53.car2.SanJose1.Level3.net (4.68.123.80) ...
>   16 * * *
>   17 * * *
>   18 * * *
>
> Let's do the same using 0trace: we first manually telnet to 66.135.192.124 to port 80, then execute: './0trace.sh eth0 66.135.192.124', and finally enter 'GET / HTTP/1.0' (followed by a single, not two newlines) to solicit some client-server traffic but keep the session alive for the couple of seconds 0trace needs to complete the probe. The output is as follows:
>
>   10 80.91.249.14
>   11 213.248.65.210
>   12 213.248.83.66
>   13 4.68.110.81
>   14 4.68.97.33
>   15 64.159.1.130
>   16 4.68.123.48
>   17 166.90.140.134   ---
>   18 10.6.1.166       --- new data
>   19 10.6.1.70        ---
>   Target reached.
>
> The last three lines reveal firewalled infrastructure, including private addresses used on the inside of the company. This is obviously an important piece of information as far as penetration testing is concerned.
>
> Of course, 0trace won't work everywhere and all the time. The tool will not produce interesting results in the following situations:
>
>   - Target's firewall drops all outgoing ICMP messages,
>   - Target's firewall does TTL or full-packet rewriting,
>   - There's an application layer proxy / load balancer in the way (Akamai, in-house LBs, etc),
>   - There's no notable layer 3 infrastructure behind the firewall.
>
> The tool also has a fairly distinctive TCP signature, and as such, it can be detected by IDS/IPS systems.
>
> Enough chatter - the tool is available here (Linux version):
>
>   http://lcamtuf.coredump.cx/soft/0trace.tgz
>
> Note: this is a 30-minute hack that involves C code coupled with a cheesy shellscript. It may not work on non-Linux systems, and may fail on some Linuxes, too. It could be improved in a number of ways - so if you like it, rewrite it.
>
> Many thanks to Robert Swiecki (www.swiecki.net) for forcing me to finally give this idea some thought and develop this piece.
>
> Cheers,
> /mz
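Michal's remark that the tool "has a fairly distinctive TCP signature" is the defender's hook: a normal sender's IP TTL is constant for the life of a connection, while a traceroute run inside that connection re-sends copies of a segment with the TTL stepped up one hop at a time. The following Python is an added example, not part of the original post and not the 0trace code; it runs a simple version of that heuristic over a constructed packet list and flags the flow whose post-handshake segments repeat one sequence number while the TTL climbs by one. The packet fields, sample addresses and the minimum run length of 4 are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of a TCP segment as a firewall or IDS sees it (assumed fields)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # e.g. "S", "A", "PA"
    ttl: int
    seq: int


# Constructed sample capture (not taken from the original post).
# Flow 1: an ordinary HTTP client whose TTL stays at 54 for the whole session.
# Flow 2: a handshake, then a burst of in-window ACKs that all repeat the same
#         sequence number while the TTL climbs 1, 2, 3, ... up to 8.
SAMPLE_CAPTURE = [
    Packet("198.51.100.7", 40001, "203.0.113.10", 80, "S", 54, 1000),
    Packet("198.51.100.7", 40001, "203.0.113.10", 80, "A", 54, 1001),
    Packet("198.51.100.7", 40001, "203.0.113.10", 80, "PA", 54, 1001),
    Packet("198.51.100.9", 40002, "203.0.113.10", 80, "S", 57, 5000),
    Packet("198.51.100.9", 40002, "203.0.113.10", 80, "A", 57, 5001),
] + [
    Packet("198.51.100.9", 40002, "203.0.113.10", 80, "A", ttl, 5001)
    for ttl in range(1, 9)
]

MIN_RUN = 4  # assumed threshold: shortest TTL ladder worth alerting on


def flow_key(p: Packet):
    """Unidirectional 4-tuple identifying the client-to-server half of a flow."""
    return (p.src, p.sport, p.dst, p.dport)


def find_ttl_probe_flows(packets, min_run=MIN_RUN):
    """Return {flow: (first_ttl, last_ttl)} for flows whose post-handshake
    segments contain a run of at least `min_run` packets in which each packet
    repeats the previous sequence number and raises the TTL by exactly one."""
    by_flow = defaultdict(list)
    for p in packets:
        if "S" in p.flags:      # handshake segments carry no useful TTL history
            continue
        by_flow[flow_key(p)].append(p)

    hits = {}
    for flow, pkts in by_flow.items():
        best_len, best_first, best_last = 1, pkts[0].ttl, pkts[0].ttl
        run_len, run_first = 1, pkts[0].ttl
        for prev, cur in zip(pkts, pkts[1:]):
            if cur.seq == prev.seq and cur.ttl == prev.ttl + 1:
                run_len += 1
            else:
                run_len, run_first = 1, cur.ttl
            if run_len > best_len:
                best_len, best_first, best_last = run_len, run_first, cur.ttl
        if best_len >= min_run:
            hits[flow] = (best_first, best_last)
    return hits


if __name__ == "__main__":
    for flow, (lo, hi) in find_ttl_probe_flows(SAMPLE_CAPTURE).items():
        print(f"TTL ladder {lo}..{hi} inside established flow {flow}")
```

The other half of the signature is the stream of ICMP time-exceeded replies leaving the protected network, one per internal hop; a production sensor would correlate the two, and the post's first caveat (a border firewall that drops outgoing ICMP) is exactly the control that removes that half and blinds the technique.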
Re: [Full-disclosure] 0trace - traceroute on established connections
LFT is similar to tcptraceroute in that it uses TCP SYN probes. As Michal stated in his original message, 0trace is different as it piggybacks on an already established TCP connection.

Regards,
Jon Oberheide

On Tue, 2007-01-09 at 09:03 +0100, Alessandro Dellavedova wrote:
> Hi,
>
> am I wrong or is the mechanism that you implement similar to the one implemented in lft (Layer Four Traceroute, http://pwhois.org/lft/ )?
>
> From the homepage:
>
> LFT is the all-in-one traceroute tool because it can launch a variety of different probes using both UDP and TCP layer-4 protocols. For example, rather than only launching UDP probes in an attempt to elicit ICMP TTL exceeded from hosts in the path, LFT can send TCP SYN or FIN probes to target arbitrary services. Then, LFT listens for TTL exceeded messages, TCP RST (reset), and various other interesting heuristics from firewalls or other gateways in the path. LFT also distinguishes between TCP-based protocols (source and destination), which make its statistics slightly more realistic, and gives a savvy user the ability to trace protocol routes, not just layer-3 (IP) hops. With LFT's verbose output, much can be discovered about a target network.
>
> Ciao,
> Alessandro
>
> On Jan 7, 2007, at 12:53 AM, Michal Zalewski wrote:
> > I'd like to announce the availability of a free security reconnaissance / firewall bypassing tool called 0trace.
> >
> > This tool enables the user to perform hop enumeration (traceroute) within an established TCP connection, such as a HTTP or SMTP session. This is opposed to sending stray packets, as traceroute-type tools usually do.
> >
> > The important benefit of using an established connection and matching TCP packets to send a TTL-based probe is that such traffic is happily allowed through by many stateful firewalls and other defenses without further inspection (since it is related to an entry in the connection table).
> >
> > I'm not aware of any public implementations of this technique, even though the concept itself is making rounds since 2000 or so; because of this, I thought it might be a good idea to give it a try.
> >
> > [ Of course, I might be wrong, but Google seems to agree with my assessment. A related use of this idea is 'firewalk' by Schiffman and Goldsmith, a tool to probe firewall ACLs; another utility called 'tcptraceroute' by Michael C. Toren implements TCP SYN probes, but since the tool does not ride an existing connection, it is less likely to succeed (sometimes a handshake must be completed with the NAT device before any traffic is forwarded). ]
> >
> > A good example of the difference is www.ebay.com (66.135.192.124) - a regular UDP/ICMP traceroute and tcptraceroute both end like this:
> >
> >   14 as-0-0.bbr1.SanJose1.Level3.net (64.159.1.133) ...
> >   15 ae-12-53.car2.SanJose1.Level3.net (4.68.123.80) ...
> >   16 * * *
> >   17 * * *
> >   18 * * *
> >
> > Let's do the same using 0trace: we first manually telnet to 66.135.192.124 to port 80, then execute: './0trace.sh eth0 66.135.192.124', and finally enter 'GET / HTTP/1.0' (followed by a single, not two newlines) to solicit some client-server traffic but keep the session alive for the couple of seconds 0trace needs to complete the probe. The output is as follows:
> >
> >   10 80.91.249.14
> >   11 213.248.65.210
> >   12 213.248.83.66
> >   13 4.68.110.81
> >   14 4.68.97.33
> >   15 64.159.1.130
> >   16 4.68.123.48
> >   17 166.90.140.134   ---
> >   18 10.6.1.166       --- new data
> >   19 10.6.1.70        ---
> >   Target reached.
> >
> > The last three lines reveal firewalled infrastructure, including private addresses used on the inside of the company. This is obviously an important piece of information as far as penetration testing is concerned.
> >
> > Of course, 0trace won't work everywhere and all the time. The tool will not produce interesting results in the following situations:
> >
> >   - Target's firewall drops all outgoing ICMP messages,
> >   - Target's firewall does TTL or full-packet rewriting,
> >   - There's an application layer proxy / load balancer in the way (Akamai, in-house LBs, etc),
> >   - There's no notable layer 3 infrastructure behind the firewall.
> >
> > The tool also has a fairly distinctive TCP signature, and as such, it can be detected by IDS/IPS systems.
> >
> > Enough chatter - the tool is available here (Linux version):
> >
> >   http://lcamtuf.coredump.cx/soft/0trace.tgz
> >
> > Note: this is a 30-minute hack that involves C code coupled with a cheesy shellscript. It may not work on non-Linux systems, and may fail on some Linuxes, too. It could be improved in a number of ways - so if you like it, rewrite it.
> >
> > Many thanks to Robert Swiecki (www.swiecki.net) for forcing me to finally give this idea some thought and develop this piece.
> >
> > Cheers,
> > /mz
Re: [Full-disclosure] 0trace - traceroute on established connections
On Tue, 9 Jan 2007, Alessandro Dellavedova wrote:
> am I wrong or is the mechanism that you implement similar to the one implemented in lft (Layer Four Traceroute, http://pwhois.org/lft/ )?

No, what you describe is similar to tcptraceroute, from what I understand (they use stray SYNs or RSTs or other TCP packets to do a regular traceroute).

/mz
Re: [Full-disclosure] [DCC SPAM] 0trace - traceroute on established connections
Michal Zalewski wrote:
> I'd like to announce the availability of a free security reconnaissance / firewall bypassing tool called 0trace.
>
> This tool enables the user to perform hop enumeration (traceroute) within an established TCP connection, such as a HTTP or SMTP session. This is opposed to sending stray packets, as traceroute-type tools usually do.
>
> The important benefit of using an established connection and matching TCP packets to send a TTL-based probe is that such traffic is happily allowed through by many stateful firewalls and other defenses without further inspection (since it is related to an entry in the connection table).
>
> I'm not aware of any public implementations of this technique, even though the concept itself is making rounds since 2000 or so; because of this, I thought it might be a good idea to give it a try.

I believe that the paketto keiretsu package (Dan Kaminsky) performs this technique - but we could use more tools and more improvements on the matter!

> [ Of course, I might be wrong, but Google seems to agree with my assessment. A related use of this idea is 'firewalk' by Schiffman and Goldsmith, a tool to probe firewall ACLs; another utility called 'tcptraceroute' by Michael C. Toren implements TCP SYN probes, but since the tool does not ride an existing connection, it is less likely to succeed (sometimes a handshake must be completed with the NAT device before any traffic is forwarded). ]
>
> A good example of the difference is www.ebay.com (66.135.192.124) - a regular UDP/ICMP traceroute and tcptraceroute both end like this:
>
>   14 as-0-0.bbr1.SanJose1.Level3.net (64.159.1.133) ...
>   15 ae-12-53.car2.SanJose1.Level3.net (4.68.123.80) ...
>   16 * * *
>   17 * * *
>   18 * * *
>
> Let's do the same using 0trace: we first manually telnet to 66.135.192.124 to port 80, then execute: './0trace.sh eth0 66.135.192.124', and finally enter 'GET / HTTP/1.0' (followed by a single, not two newlines) to solicit some client-server traffic but keep the session alive for the couple of seconds 0trace needs to complete the probe. The output is as follows:
>
>   10 80.91.249.14
>   11 213.248.65.210
>   12 213.248.83.66
>   13 4.68.110.81
>   14 4.68.97.33
>   15 64.159.1.130
>   16 4.68.123.48
>   17 166.90.140.134   ---
>   18 10.6.1.166       --- new data
>   19 10.6.1.70        ---
>   Target reached.
>
> The last three lines reveal firewalled infrastructure, including private addresses used on the inside of the company. This is obviously an important piece of information as far as penetration testing is concerned.
>
> Of course, 0trace won't work everywhere and all the time. The tool will not produce interesting results in the following situations:
>
>   - Target's firewall drops all outgoing ICMP messages,
>   - Target's firewall does TTL or full-packet rewriting,
>   - There's an application layer proxy / load balancer in the way (Akamai, in-house LBs, etc),
>   - There's no notable layer 3 infrastructure behind the firewall.
>
> The tool also has a fairly distinctive TCP signature, and as such, it can be detected by IDS/IPS systems.
>
> Enough chatter - the tool is available here (Linux version):
>
>   http://lcamtuf.coredump.cx/soft/0trace.tgz
>
> Note: this is a 30-minute hack that involves C code coupled with a cheesy shellscript. It may not work on non-Linux systems, and may fail on some Linuxes, too. It could be improved in a number of ways - so if you like it, rewrite it.
>
> Many thanks to Robert Swiecki (www.swiecki.net) for forcing me to finally give this idea some thought and develop this piece.
>
> Cheers,
> /mz
Re: [Full-disclosure] [WEB SECURITY] Universal XSS with PDF files: highly dangerous
> this is client-side stuff.

Yes, but server-side changes can defend against this vulnerability. For my Java/J2EE apps, I took OWASP's suggestion at:

http://www.owasp.org/index.php/PDF_Attack_Filter_for_Java_EE

And all is well in my world.

- Jim

PS: And you are right of course about CSRF :)

M.B.Jr. wrote:
> On 1/3/07, Jim Manico [EMAIL PROTECTED] wrote:
> > I'm most worried about the CSRF vector.
>
> how come? this is client-side stuff.

--
Best Regards,
Jim Manico
GIAC GSEC Professional, Sun Certified Java Programmer
[EMAIL PROTECTED]
808.652.3805
[Full-disclosure] [USN-403-1] X.org vulnerabilities
===
Ubuntu Security Notice USN-403-1
January 09, 2007
xorg, xorg-server vulnerabilities
CVE-2006-6101, CVE-2006-6102, CVE-2006-6103
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.10:
  xserver-xorg-core  6.8.2-77.2

Ubuntu 6.06 LTS:
  xserver-xorg-core  1:1.0.2-0ubuntu10.5

Ubuntu 6.10:
  xserver-xorg-core  1:1.1.1-0ubuntu12.1

After a standard system upgrade you need to reboot your computer to effect the necessary changes.

Details follow:

The DBE and Render extensions in X.org were vulnerable to integer overflows, which could lead to memory overwrites. An authenticated user could make a specially crafted request and execute arbitrary code with root privileges.

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/xorg_6.8.2-77.2.diff.gz
      Size/MD5:  2490806 2a587ab4faa5c0b96098ecf0395717bd
    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/xorg_6.8.2-77.2.dsc
      Size/MD5:     3728 cf402a7487717a3ac504c8d0b93b51ac
    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/xorg_6.8.2.orig.tar.gz
      Size/MD5: 49471925 34cba217afe2c547e3a72657a3a27e37

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/xbase-clients_6.8.2-77.2_all.deb
      Size/MD5:    65732 d18aed6ef1479efd9f8f1f5d78b4ab4f
    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/xlibs-data_6.8.2-77.2_all.deb
      Size/MD5:    72378 9841650e11bfdeac03c92b87c17efee0
    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/xlibs-dev_6.8.2-77.2_all.deb
      Size/MD5:    65510 c733f51ac0729dd1cfaf0713f4d9a237
    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/xlibs_6.8.2-77.2_all.deb
      Size/MD5:    92018 8ae9ea382bdb470da912d2f5a2b377f3
    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/xorg-common_6.8.2-77.2_all.deb
      Size/MD5:   715548 60723ed653e0d4d29d6b865390cbf840
    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/xutils_6.8.2-77.2_all.deb
      Size/MD5:    65484 c095fc85feb3bd71a96109c33186d72b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/x-window-system-core_6.8.2-77.2_amd64.deb
      Size/MD5:    65694 31ea4a5f0fa2b7f030680412bee0e0bc
    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/x-window-system-dev_6.8.2-77.2_amd64.deb
      Size/MD5:    65722 514388d56c965ea623021166f80ec81a
    http://security.ubuntu.com/ubuntu/pool/universe/x/xorg/xdmx_6.8.2-77.2_amd64.deb
      Size/MD5:  1029656 cc61680c6dcd33551a8f4726b5634a08
    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/xlibs-static-dev_6.8.2-77.2_amd64.deb
      Size/MD5:   117332 78367540adcbd0e807519b5702ad7fd4
    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/xlibs-static-pic_6.8.2-77.2_amd64.deb
      Size/MD5:   113638 626a8e34f70e264ec86fc51dee849dbc
    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/xnest_6.8.2-77.2_amd64.deb
      Size/MD5:  1526558 084f0cd717fb09c8bb144e70c59d921d
    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/xserver-common_6.8.2-77.2_amd64.deb
      Size/MD5:   123262 207de9f2e67c768e3ad2d4e3203a625b
    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/xserver-xorg-core_6.8.2-77.2_amd64.deb
      Size/MD5:  3993028 75a6d2f0f562b42b5b6eba55d3c7644b
    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/xserver-xorg-dbg_6.8.2-77.2_amd64.deb
      Size/MD5:  4773678 dbea940509eaa6dc2d08c717d6c7509a
    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/xserver-xorg-driver-apm_6.8.2-77.2_amd64.deb
      Size/MD5:   126304 257c7adb3a09ad119f7c6212b73e735a
    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/xserver-xorg-driver-ark_6.8.2-77.2_amd64.deb
      Size/MD5:    73822 2511d8fd5866ea2d1798485406625634
    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/xserver-xorg-driver-ati_6.8.2-77.2_amd64.deb
      Size/MD5:   324174 f32e9c3ad524cdfdfb5af8ace4f999d0
    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/xserver-xorg-driver-chips_6.8.2-77.2_amd64.deb
      Size/MD5:   152182 faf76db96a1fbd62e00e294575216c3b
    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/xserver-xorg-driver-cirrus_6.8.2-77.2_amd64.deb
      Size/MD5:   101634 d83dda3ee9f29101a18b23855580c86a
    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/xserver-xorg-driver-cyrix_6.8.2-77.2_amd64.deb
      Size/MD5:    80978 4df04925502f28adaa045de5a67f5231
    http://security.ubuntu.com/ubuntu/pool/main/x/xorg/xserver-xorg-driver-dummy_6.8.2-77.2_amd64.deb
      Size/MD5:    70608
[Full-disclosure] iDefense Security Advisory 01.09.07: Multiple Microsoft Products VML 'recolorinfo' Element Integer Overflow Vulnerability
Microsoft Windows VML Element Integer Overflow Vulnerability

iDefense Security Advisory 01.09.07
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 09, 2007

I. BACKGROUND

VML is a component of the Extensible Markup Language (XML) that specifies vector images (e.g., rectangles and ovals). This functionality is implemented by the library vgx.dll in Microsoft Windows. More information is available at the following web site.

http://www.w3.org/TR/NOTE-VML

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in the Vector Markup Language (VML) support in multiple Microsoft products allows attackers to execute arbitrary code within the context of the user running the vulnerable application.

This vulnerability exists due to insufficient input validation within vgx.dll. Two integer properties are multiplied together and no overflow check is performed. This could allow an attacker to force a memory allocation of a smaller amount of memory than is required. When copying user supplied data into the newly allocated memory, it is possible to overwrite a function pointer stored on the heap, which leads to the execution of arbitrary code.

III. ANALYSIS

Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code in the context of the user running the vulnerable application. Exploitation would require an attacker to persuade a user to visit a malicious website using Internet Explorer, read a specially crafted e-mail message with Microsoft Outlook, or open a specially crafted document using an affected Microsoft Office application.

It is important to note that this vulnerability could be exploited without user interaction via an e-mail message when rendered within Outlook. For example, if a user with the reading pane turned on had Outlook open to an empty in-box when an attack e-mail arrived, exploitation could occur automatically.

IV. DETECTION

iDefense testing shows that Internet Explorer 6.0 bundled with Windows XP SP2 with all available security patches is vulnerable. Other versions of Internet Explorer, including those with all security updates applied, are also vulnerable. Older versions of Internet Explorer may also be vulnerable.

Microsoft Outlook with all available updates has been found to be vulnerable. iDefense has identified that Microsoft Office products, including Outlook, going back as far as Office 2000 may also be vulnerable.

V. WORKAROUND

iDefense Labs has developed the following workaround: The following registry entry defines the library that implements the vulnerable functionality:

[HKEY_CLASSES_ROOT\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\InprocServer32]

Changing 'InprocServer32' in this registry entry to 'InprocServer32 -disabled' causes the control that handles InprocServer32 not to load. Completely removing the key also provides the same protection. iDefense strongly recommends that users back up the registry before changing or removing this key.

It should also be noted that since the vulnerable component is not an ActiveX control, setting the kill bit does not disable the vulnerable DLL. As a result, setting the kill bit provides no protection against exploitation.

For previous vulnerabilities in this component, Microsoft suggested unregistering 'vgx.dll' on Windows XP SP1 and SP2 and Windows 2003 and 2003 SP1 systems. Using the RegSvr32 program to unregister the dll in question with the following command also unregisters Vgx.dll:

regsvr32 -u %ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll

Alternatively, system administrators can deny Full Access to the file %ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll.

The preceding workarounds will provide complete protection, but may prevent proper rendering of documents that rely on VML, such as Microsoft Word, Excel, and PowerPoint documents when saved in HTML format and viewed in IE or another application that uses the affected component. These documents can still be opened in the respective applications and will render correctly.

To mitigate the e-mail attack vector, Microsoft recommends that system administrators configure Outlook to view all e-mail messages in plain-text, including those from digitally signed trusted sources. Applying this workaround will prevent the rendering of rich content such as images and special formatting.

VI. VENDOR RESPONSE

Microsoft has addressed this vulnerability with Microsoft Security Bulletin MS07-004. A link to this bulletin can be found below.

http://www.microsoft.com/technet/security/bulletin/ms07-004.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-0024 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

10/03/2006 Initial vendor notification
10/03/2006 Initial vendor response
01/09/2007 Coordinated public disclosure

IX. CREDIT
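The unchecked "two integers multiplied, no overflow check" allocation the advisory describes, next to an overflow-checked loader, as an added example in C. This is not iDefense's or Microsoft's code: the record layout, the field names and the size limit are constructed for illustration and are not taken from vgx.dll.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound a parser is willing to allocate for one record (a constructed
 * limit for this example; a real parser derives one from its format). */
#define MAX_RECORD_BYTES ((size_t)64u << 20)

/* Hypothetical record header mirroring the advisory's description: two
 * integer properties from the document that together size a heap buffer. */
struct recolor_hdr {
    uint32_t entries;     /* count taken from the document */
    uint32_t entry_size;  /* per-entry size taken from the document */
};

/* The vulnerable pattern: a 32-bit product wraps silently, so a huge
 * request turns into a small allocation, and a later copy of the full
 * entries * entry_size bytes runs past the end of the block. */
uint32_t unchecked_alloc_size(const struct recolor_hdr *h)
{
    return h->entries * h->entry_size;      /* wraps modulo 2^32 */
}

/* Hardened version: reject the record before any allocation when the
 * product would overflow or exceed the parser's limit. The division form
 * never computes the overflowing product at all. */
bool checked_alloc_size(const struct recolor_hdr *h, size_t limit, size_t *out)
{
    if (h->entries == 0 || h->entry_size == 0)
        return false;                       /* nothing to allocate; treat as malformed */
    if (h->entry_size > limit / h->entries)
        return false;                       /* entries * entry_size > limit (or overflow) */
    *out = (size_t)h->entries * h->entry_size;
    return true;
}

/* Little-endian 32-bit read, so the byte layout does not depend on the host. */
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Safe loader: parses the header from a byte stream, sizes the buffer with
 * overflow checking, verifies the stream actually carries that many bytes,
 * and only then allocates and copies. Returns NULL on any inconsistency;
 * the caller frees the result. */
uint8_t *load_record_safe(const uint8_t *buf, size_t len, size_t *out_len)
{
    const size_t hdr = 8;
    size_t need;
    struct recolor_hdr h;

    if (buf == NULL || len < hdr)
        return NULL;
    h.entries = rd32le(buf);
    h.entry_size = rd32le(buf + 4);
    if (!checked_alloc_size(&h, MAX_RECORD_BYTES, &need))
        return NULL;                        /* overflow or oversized record */
    if (need > len - hdr)
        return NULL;                        /* truncated: fewer bytes than claimed */

    uint8_t *data = malloc(need);
    if (data == NULL)
        return NULL;
    memcpy(data, buf + hdr, need);          /* copy exactly the bytes we sized */
    *out_len = need;
    return data;
}

int main(void)
{
    /* Constructed header: 0x10000 entries of 0x10001 bytes each. */
    struct recolor_hdr bad = { 0x10000u, 0x10001u };
    size_t n = 0;

    printf("unchecked size: %u bytes (true need is %llu)\n",
           unchecked_alloc_size(&bad),
           (unsigned long long)bad.entries * bad.entry_size);
    printf("checked size accepted: %s\n",
           checked_alloc_size(&bad, MAX_RECORD_BYTES, &n) ? "yes" : "no");
    return 0;
}
```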
[Full-disclosure] iDefense Security Advisory 01.09.07: Microsoft Excel Invalid Column Heap Corruption Vulnerability
Microsoft Excel Invalid Column Heap Corruption Vulnerability

iDefense Security Advisory 01.09.07
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 09, 2007

I. BACKGROUND

Microsoft Excel is the spreadsheet application from the Microsoft Office System. More information is available at the following link:

http://office.microsoft.com/

II. DESCRIPTION

Remote exploitation of an input validation error in Microsoft Corp.'s Excel spreadsheet application may allow the execution of arbitrary code.

The vulnerability specifically exists in the handling of out of range values in the column field in several BIFF8 record types. By supplying an invalid Column field to one of these records, it is possible to cause the system to reference arbitrary memory. This can be exploited to gain control of the application.

III. ANALYSIS

Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code in the context of the user who opened the document.

In order to exploit this vulnerability, an attacker would need to convince the target to open an Excel spreadsheet file. Likely attack vectors include sending the file as an attachment in an email or linking to the file on a website.

Systems with a default install of Office 2000 will open Office documents, including Excel spreadsheet files, from websites without prompting the user. This allows an attacker to exploit this vulnerability without user interaction beyond visiting a website. Later versions of Office will not open these documents automatically unless the user has chosen this behavior.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Microsoft Excel 2003 with all available service packs and security patches. Previous versions of Excel are also likely to be affected.

V. WORKAROUND

Do not follow links or open files from unknown sources or that you were not expecting to receive.

VI. VENDOR RESPONSE

Microsoft has addressed this vulnerability with Microsoft Security Bulletin MS07-002. A link to this bulletin can be found below.

http://www.microsoft.com/technet/security/bulletin/ms07-002.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-0030 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

09/14/2006 Initial vendor notification
09/15/2006 Initial vendor response
01/09/2007 Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Greg MacManus, iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] iDefense Security Advisory 01.09.07: Microsoft Excel Long Palette Heap Overflow Vulnerability
Microsoft Excel Long Palette Heap Overflow Vulnerability

iDefense Security Advisory 01.09.07
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 09, 2007

I. BACKGROUND

Microsoft Excel is the spreadsheet application from the Microsoft Office System. More information is available at the following link:

http://office.microsoft.com/

II. DESCRIPTION

Remote exploitation of a heap-based buffer overflow vulnerability in Microsoft Corp.'s Excel spreadsheet application format could allow an attacker to execute arbitrary code in the context of the user who started Excel.

The vulnerability specifically exists in the handling of the PALETTE record in BIFF8 format spreadsheet files. By supplying a record with too many entries, an exploitable buffer overflow condition can occur.

III. ANALYSIS

Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code in the context of the user who opened the document.

In order to exploit this vulnerability, an attacker would need to convince the target to open an Excel spreadsheet file. Likely attack vectors include sending the file as an attachment in an email or linking to the file on a website.

Systems with a default install of Office 2000 will open Office documents, including Excel spreadsheet files, from websites without prompting the user. This allows an attacker to exploit this vulnerability without user interaction beyond visiting a website. Later versions of Office will not open these documents automatically unless the user has chosen this behavior.

IV. DETECTION

iDefense Labs have confirmed the existence of this vulnerability in Microsoft Excel 2003 with all service packs and security updates. Previous versions of Excel are also likely to be affected.

V. WORKAROUND

Do not follow links or open files from unknown sources or that you were not expecting to receive.

VI. VENDOR RESPONSE

Microsoft has addressed this vulnerability with Microsoft Security Bulletin MS07-002. A link to this bulletin can be found below.

http://www.microsoft.com/technet/security/bulletin/ms07-002.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-0031 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

09/25/2006 Initial vendor notification
09/22/2006 Initial vendor response
01/09/2007 Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Greg MacManus, iDefense Labs.
[Full-disclosure] [USN-404-1] MadWifi vulnerability
===
Ubuntu Security Notice USN-404-1
January 09, 2007
linux-restricted-modules-2.6.17 vulnerability
CVE-2006-6332
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.10:
linux-restricted-modules-2.6.17-10-386 2.6.17.7-10.1
linux-restricted-modules-2.6.17-10-generic 2.6.17.7-10.1
linux-restricted-modules-2.6.17-10-powerpc 2.6.17.7-10.1
linux-restricted-modules-2.6.17-10-powerpc-smp 2.6.17.7-10.1
linux-restricted-modules-2.6.17-10-powerpc64-smp 2.6.17.7-10.1
linux-restricted-modules-2.6.17-10-sparc64 2.6.17.7-10.1
linux-restricted-modules-2.6.17-10-sparc64-smp 2.6.17.7-10.1

After a standard system upgrade you need to reboot your computer to effect the necessary changes.

Details follow:

Laurent Butti, Jerome Razniewski, and Julien Tinnes discovered that the MadWifi wireless driver did not correctly check packet contents when receiving scan replies. A remote attacker could send a specially crafted packet and execute arbitrary code with root privileges.
Updated packages for Ubuntu 6.10:
[Full-disclosure] CA BrightStor ARCserve Backup Tape Engine Exploit Security Notice
CA BrightStor ARCserve Backup Tape Engine Exploit Security Notice

CA is aware that exploit code for a vulnerability in the Tape Engine component of CA BrightStor ARCserve Backup was posted on several security web sites and mailing lists on January 5, 2007. This vulnerability is fixed in BrightStor ARCserve Backup r11.5 Service Pack 2, and a patch for earlier versions of ARCserve will be available shortly.

CA recommends that customers employ best practices in securing their networks and in this case use filtering to block unauthorized access to port 6502 on hosts running the Tape Engine. Tape Engine is part of BrightStor ARCserve Backup server install. BrightStor ARCserve Backup client systems are not affected by this vulnerability.

CA customers with questions or concerns should contact CA Technical Support.

Reference (URL may wrap):
http://supportconnectw.ca.com/public/storage/infodocs/basbrtapeeng-secnotice.asp

Regards,
Ken

Ken Williams ; 0xE2941985
Director, CA Vulnerability Research
[Full-disclosure] IisShield 2.2 released
All,

KodeIT is proud to announce the new release of IisShield 2.2 with support for IIS 4.0, IIS 5.x and IIS 6.0.

Some new features include the ability to define zones with specific rules. With this feature, rules can be split into zones, allowing the filtering process to be applied in a per-zone scope versus a per-server scope. Zones are used to specify which requests are included in or excluded from the filtering engine.

Available
http://www.kodeit.org/products/iisshield

Detailed info
http://www.kodeit.org/products/iisshield/iisshield.pdf

Comments and suggestions are certainly welcome at kodeit (at) gmail dot com.

Cheers,
Tiago Halm
KodeIT Development Team
[Full-disclosure] [ MDKSA-2007-005 ] - Updated xorg-x11/XFree86 packages fix integer overflow vulnerabilities
___
Mandriva Linux Security Advisory MDKSA-2007-005
http://www.mandriva.com/security/
___

Package : xorg-x11
Date: January 9, 2007
Affected: 2007.0, Corporate 3.0, Corporate 4.0
___

Problem Description:

Sean Larsson of iDefense Labs discovered several vulnerabilities in X.Org/XFree86:

Local exploitation of a memory corruption vulnerability in the 'ProcRenderAddGlyphs()' function in the X.Org and XFree86 X server could allow an attacker to execute arbitrary code with privileges of the X server, typically root. (CVE-2006-6101)

Local exploitation of a memory corruption vulnerability in the 'ProcDbeGetVisualInfo()' function in the X.Org and XFree86 X server could allow an attacker to execute arbitrary code with privileges of the X server, typically root. (CVE-2006-6102)

Local exploitation of a memory corruption vulnerability in the 'ProcDbeSwapBuffers()' function in the X.Org and XFree86 X server could allow an attacker to execute arbitrary code with privileges of the X server, typically root. (CVE-2006-6103)

Updated packages are patched to address these issues.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6103
___

Updated Packages:
[Full-disclosure] rPSA-2007-0003-1 fetchmail
rPath Security Advisory: 2007-0003-1
Published: 2007-01-09
Products: rPath Linux 1
Rating: Major
Exposure Level Classification: Indirect User Information Exposure
Updated Versions: fetchmail=/[EMAIL PROTECTED]:devel//1/6.3.6-0.1-1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5867
https://issues.rpath.com/browse/RPL-919

Description:

Previous versions of the fetchmail package inappropriately send passwords in clear text rather than encrypted, allowing attackers to read the password from network traffic. They also may not detect man-in-the-middle attacks. Because email passwords are often the same as login passwords, this may indirectly enable remote unauthorized access.
[Full-disclosure] iDefense Security Advisory 01.09.07: Multiple Vendor X Server Render Extension ProcRenderAddGlyphs Memory Corruption Vulnerability
Multiple Vendor X Server Render Extension ProcRenderAddGlyphs Memory Corruption Vulnerability

iDefense Security Advisory 01.09.07
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 09, 2007

I. BACKGROUND

The X Window System is a graphical windowing system based on a client/server model. More information about The X Window system is available at the following links.

http://en.wikipedia.org/wiki/X_Window_System

II. DESCRIPTION

Local exploitation of a memory corruption vulnerability in the ProcRenderAddGlyphs function in the X.Org and XFree86 X server could allow an attacker to execute arbitrary code with privileges of the X server, typically root.

This vulnerability specifically lies within the Render extension. Insufficient input validation exists when allocating memory for glyph management data structures. By sending a specially crafted X protocol request to the Render extension, an attacker can cause an exploitable memory corruption condition.

III. ANALYSIS

Successful exploitation allows an attacker to execute arbitrary code as the root user. In order to exploit this vulnerability an attacker would require the ability to send commands to an affected X server. This typically requires access to the console, or access to the same account as a user who is on the console.

One method of gaining the required access would be to remotely exploit a vulnerability in, for example, a graphical web browser. This would then allow an attacker to exploit this vulnerability and elevate their privileges to root.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in the X.Org server version 7.1-1.1.0. Previous versions may also be affected.

V. WORKAROUND

Access to the vulnerable code can be prevented when the Render extension is not built into the X binary. This can be accomplished by removing the entry for the Render extension from your X server's configuration file, often stored in /etc/X11 and named xorg.conf or XF86Config-4.

To do this, remove the following line from the 'Module' section:

Load render

This will prevent the Render extension from loading, which may affect the appearance or operation of some applications.

VI. VENDOR RESPONSE

The X.Org foundation has addressed this vulnerability within version 7.2 RC3 of X.Org's X server. Additionally, patches have been made available for older releases.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2006-6101 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

12/04/2006 Initial vendor notification
12/05/2006 Initial vendor response
01/09/2007 Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Sean Larsson, iDefense Labs.
[Full-disclosure] iDefense Security Advisory 01.09.07: Multiple Vendor X Server DBE Extension ProcDbeGetVisualInfo Memory Corruption Vulnerability
Multiple Vendor X Server DBE Extension ProcDbeGetVisualInfo Memory Corruption Vulnerability

iDefense Security Advisory 01.09.07
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 09, 2007

I. BACKGROUND

The X Window System is a graphical windowing system based on a client/server model. More information about The X Window system is available at the following link:

http://en.wikipedia.org/wiki/X_Window_System

II. DESCRIPTION

Local exploitation of a memory corruption vulnerability in the ProcDbeGetVisualInfo function in the X.Org and XFree86 X server could allow an attacker to execute arbitrary code with privileges of the X server, typically root.

This vulnerability specifically lies within the DBE extension. Insufficient input validation exists when allocating memory for data structures. By sending a specially crafted X protocol request to the DBE extension, an attacker can cause an exploitable memory corruption condition.

III. ANALYSIS

Successful exploitation allows an attacker to execute arbitrary code as the root user. In order to exploit this vulnerability an attacker would require the ability to send commands to an affected X server. This typically requires access to the console, or access to the same account as a user who is on the console.

One method of gaining the required access would be to remotely exploit a vulnerability in, for example, a graphical web browser. This would then allow an attacker to exploit this vulnerability and elevate their privileges to root.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in the X.Org server version 7.1-1.1.0. Previous versions may also be affected.

V. WORKAROUND

Access to the vulnerable code can be prevented when the DBE extension is not built into the X binary. This can be accomplished by removing the entry for the DBE extension from your X server's configuration file, often stored in /etc/X11 and named xorg.conf or XF86Config-4.

To do this, remove the following line from the 'Module' section:

Load DBE

This will prevent the render extension from loading, which may affect the appearance or operation of some applications.

VI. VENDOR RESPONSE

The X.Org foundation has addressed this vulnerability within version 7.2 RC3 of X.Org's X server. Additionally, patches have been made available for older releases.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2006-6102 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

12/04/2006 Initial vendor notification
12/05/2006 Initial vendor response
01/09/2007 Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Sean Larsson, iDefense Labs.
[Full-disclosure] iDefense Security Advisory 01.09.07: Multiple Vendor X Server DBE Extension ProcDbeSwapBuffers Memory Corruption Vulnerability
Multiple Vendor X Server DBE Extension ProcDbeSwapBuffers Memory Corruption Vulnerability

iDefense Security Advisory 01.09.07
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 09, 2007

I. BACKGROUND

The X Window System is a graphical windowing system based on a client/server model. More information about the X Window System is available at the following link:

http://en.wikipedia.org/wiki/X_Window_System

II. DESCRIPTION

Local exploitation of a memory corruption vulnerability in the ProcDbeSwapBuffers function in the X.Org and XFree86 X server could allow an attacker to execute arbitrary code with the privileges of the X server, typically root.

This vulnerability specifically lies within the DBE extension. Insufficient input validation exists when allocating memory for data structures. By sending a specially crafted X protocol request to the DBE extension, an attacker can cause an exploitable memory corruption condition.

III. ANALYSIS

Successful exploitation allows an attacker to execute arbitrary code as the root user. In order to exploit this vulnerability an attacker would require the ability to send commands to an affected X server. This typically requires access to the console, or access to the same account as a user who is on the console. One method of gaining the required access would be to remotely exploit a vulnerability in, for example, a graphical web browser. This would then allow an attacker to exploit this vulnerability and elevate their privileges to root.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in the X.Org server version 7.1-1.1.0. Previous versions may also be affected.

V. WORKAROUND

Access to the vulnerable code can be prevented when the DBE extension is not built into the X binary. This can be accomplished by removing the entry for the DBE extension from your X server's configuration file, often stored in /etc/X11 and named xorg.conf or XF86Config-4.
To do this, remove the following line from the 'Module' section:

    Load DBE

This will prevent the DBE extension from loading, which may affect the appearance or operation of some applications.

VI. VENDOR RESPONSE

The X.Org Foundation has addressed this vulnerability within version 7.2 RC3 of X.Org's X server. Additionally, patches have been made available for older releases.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2006-6103 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

12/04/2006 Initial vendor notification
12/05/2006 Initial vendor response
01/09/2007 Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Sean Larsson, iDefense Labs.
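Both DBE advisories above come down to the same defect: a count taken from the client request sizes an allocation without first being checked against the request that was actually received. The following is an added example, not X.Org code; the request layout, field names and opcodes are constructed to show the three checks such a handler needs before it allocates.

```c
/* Count validation before allocation in a request handler. Added example;
 * the request layout, names and opcodes are constructed, not X.Org's. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Like X protocol requests: `length` counts 4-byte units and covers the
 * whole request; `n` is the client's claim of how many ids follow it. */
struct dbe_like_req {
    uint8_t  req_type;
    uint8_t  minor;
    uint16_t length;
    uint32_t n;
    uint32_t ids[];
};

typedef struct { uint32_t id; uint32_t info[3]; } visual_info; /* per id */

/* Returns 0 with *out pointing at n results (NULL when n == 0), or -1 and
 * allocates nothing when the request is malformed. */
int handle_req_checked(const void *buf, size_t buf_len, visual_info **out)
{
    const struct dbe_like_req *req = buf;
    *out = NULL;
    if (buf_len < sizeof *req) return -1;
    /* 1. The length field must describe the bytes actually received. */
    if ((size_t)req->length * 4 != buf_len) return -1;
    /* 2. The claimed count must fit in the trailing bytes actually held. */
    size_t avail = buf_len - sizeof *req;
    if (req->n > avail / sizeof req->ids[0]) return -1;
    if (req->n == 0) return 0;
    /* 3. n * sizeof(visual_info) must not wrap to a small allocation. */
    if (req->n > SIZE_MAX / sizeof(visual_info)) return -1;
    visual_info *vi = calloc(req->n, sizeof *vi);
    if (!vi) return -1;
    for (uint32_t i = 0; i < req->n; i++) vi[i].id = req->ids[i];
    *out = vi;
    return 0;
}

/* Builds a constructed request claiming `claimed_n` ids but carrying
 * `actual_n`. Returns bytes written, or 0 if buf is too small. */
size_t build_req(void *buf, size_t cap, uint32_t claimed_n, uint32_t actual_n)
{
    size_t total = sizeof(struct dbe_like_req) + (size_t)actual_n * 4;
    if (total > cap || total / 4 > UINT16_MAX) return 0;
    struct dbe_like_req *req = memset(buf, 0, total);
    req->req_type = 0x80;                    /* constructed opcodes */
    req->minor = 6;
    req->length = (uint16_t)(total / 4);
    req->n = claimed_n;
    for (uint32_t i = 0; i < actual_n; i++) req->ids[i] = 0x1000 + i;
    return total;
}

int main(void)
{
    uint32_t words[16];
    visual_info *vi;
    size_t len = build_req(words, sizeof words, 0x40000000u, 2); /* n lies */
    printf("inflated count rejected: %d\n", handle_req_checked(words, len, &vi));
    return 0;
}
```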
[Full-disclosure] rPSA-2007-0004-1 bzip2
rPath Security Advisory: 2007-0004-1
Published: 2007-01-09
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification: Local Non-deterministic Unauthorized Access

Updated Versions:
    bzip2=/[EMAIL PROTECTED]:devel//1/1.0.4-1-0.1

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0953
    https://issues.rpath.com/browse/RPL-921

Description:
Previous versions of the bzip2 package are vulnerable to a race condition that allows local users to modify permissions on arbitrary files that the user running bzip2 is allowed to change.
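The advisory gives only the one-line summary; the shape of this bug class is a permission change applied by file name after the output has been written, which leaves a window in which a local user can repoint that name. Added example, not bzip2's code, with constructed file names: the by-name pattern beside the descriptor-based one that closes the window.

```c
/* Permission handling for a freshly written output file: by-name (racy)
 * versus by-descriptor. Added example, not bzip2 code. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: the name is resolved again at chmod time. If another
 * local user has meanwhile made `path` a hard link or symlink to a file
 * the caller may chmod, that file's mode changes instead. For contrast. */
int set_mode_by_path(const char *path, mode_t mode)
{
    return chmod(path, mode);
}

/* Fixed pattern: create the output exclusively (fail if anything already
 * has that name, link or not), never follow a symlink, write through the
 * descriptor and apply the mode to that same descriptor, so the name is
 * never resolved a second time. Returns 0 on success, -1 on error. */
int write_output_safely(const char *path, const void *data, size_t len,
                        mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    const unsigned char *p = data;
    while (len > 0) {
        ssize_t w = write(fd, p, len);
        if (w <= 0) { close(fd); unlink(path); return -1; }
        p += w;
        len -= (size_t)w;
    }
    if (fchmod(fd, mode) != 0) { close(fd); unlink(path); return -1; }
    return close(fd) == 0 ? 0 : -1;
}

/* Permission bits of the object `path` names (links followed, as chmod
 * would follow them), or -1. Used to observe both patterns' effects. */
int mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

int main(void)
{
    char dir[] = "/tmp/bz2demoXXXXXX", victim[64], out[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(out, sizeof out, "%s/out", dir);
    int vfd = open(victim, O_WRONLY | O_CREAT, 0644);
    fchmod(vfd, 0644);
    close(vfd);
    symlink(victim, out);         /* the output name now points elsewhere */
    set_mode_by_path(out, 0600);
    printf("victim after by-name chmod: %o\n", mode_of(victim));
    printf("fd-based write onto the link: %d\n",
           write_output_safely(out, "x", 1, 0600));
    return 0;
}
```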
[Full-disclosure] rPSA-2007-0005-1 xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs
rPath Security Advisory: 2007-0005-1
Published: 2007-01-09
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification: Local Deterministic Denial of Service

Updated Versions:
    xorg-x11=/[EMAIL PROTECTED]:devel//1/6.8.2-30.3-1
    xorg-x11-fonts=/[EMAIL PROTECTED]:devel//1/6.8.2-30.3-1
    xorg-x11-tools=/[EMAIL PROTECTED]:devel//1/6.8.2-30.3-1
    xorg-x11-xfs=/[EMAIL PROTECTED]:devel//1/6.8.2-30.3-1

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6101
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6102
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6103
    https://issues.rpath.com/browse/RPL-920

Description:
Previous versions of the xorg-x11 package are vulnerable to an attack which allows authenticated X connections to provide intentionally malformed data which the X server does not fully validate before using. This vulnerability is known to enable a Denial of Service attack; any process with an authenticated connection to the X server can cause the entire X server process to crash. (It may enable other attacks as well; the full extent of vulnerabilities created by these faults is not completely analyzed.)
[Full-disclosure] VMware ESX server security updates
VMware Security Advisory

Advisory ID: VMSA-2007-0001
Synopsis: VMware ESX server security updates
Issue date: 2007-01-09
Updated on: 2007-01-09
CVE: CVE-2006-3589 CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 CVE-2006-4980

1. Summary:

Updated ESX patches address several security issues.

2. Relevant releases:

VMware ESX 3.0.1 without patch ESX-9986131
VMware ESX 3.0.0 without patch ESX-3069097
VMware ESX 2.5.4 prior to upgrade patch 3
VMware ESX 2.5.3 prior to upgrade patch 6
VMware ESX 2.1.3 prior to upgrade patch 4
VMware ESX 2.0.2 prior to upgrade patch 4

3. Problem description:

Problems addressed by these patches:

a. Incorrect permissions on SSL key files generated by vmware-config (CVE-2006-3589):

   ESX 3.0.1: does not have this problem
   ESX 3.0.0: does not have this problem
   ESX 2.5.4: corrected by ESX 2.5.4 Upgrade Patch 3 (Build# 36502)
   ESX 2.5.3: corrected by ESX 2.5.3 Upgrade Patch 6 (Build# 35703)
   ESX 2.1.3: corrected by ESX 2.1.3 Upgrade Patch 4 (Build# 35803)
   ESX 2.0.2: corrected by ESX 2.0.2 Upgrade Patch 4 (Build# 35801)

   A possible security issue with the configuration program vmware-config which could set incorrect permissions on SSL key files. Local users may be able to obtain access to the SSL key files. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2006-3589 to this issue.

b.
OpenSSL library vulnerabilities:

   ESX 3.0.1: corrected by ESX 3.0.1 Patch ESX-9986131
   ESX 3.0.0: corrected by ESX 3.0.0 Patch ESX-3069097
   ESX 2.5.4: corrected by ESX 2.5.4 Upgrade Patch 3 (Build# 36502)
   ESX 2.5.3: corrected by ESX 2.5.3 Upgrade Patch 6 (Build# 35703)
   ESX 2.1.3: corrected by ESX 2.1.3 Upgrade Patch 4 (Build# 35803)
   ESX 2.0.2: corrected by ESX 2.0.2 Upgrade Patch 4 (Build# 35801)

   (CVE-2006-2937) OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition.

   (CVE-2006-2940) OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) public exponent or (2) public modulus values in X.509 certificates that require extra time to process when using RSA signature verification.

   (CVE-2006-4339) OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1.

   (CVE-2006-4343) The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the names CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4339, and CVE-2006-4343 to these issues.

c.
Updated OpenSSH package addresses the following possible security issues:

   ESX 3.0.1: corrected by Patch ESX-9986131
   ESX 3.0.0: corrected by Patch ESX-3069097
   ESX 2.5.4: does not have these problems
   ESX 2.5.3: does not have these problems
   ESX 2.1.3: does not have these problems
   ESX 2.0.2: does not have these problems

   (CVE-2004-2069) sshd.c in OpenSSH 3.6.1p2 and 3.7.1p2 and possibly other versions, when using privilege separation, does not properly signal the non-privileged process when a session has been terminated after exceeding the LoginGraceTime setting, which leaves the connection open and allows remote attackers to cause a denial of service (connection consumption).

   (CVE-2006-0225) scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.

   (CVE-2003-0386) OpenSSH 3.6.1 and earlier, when restricting host access by numeric IP addresses and with VerifyReverseMapping disabled, allows remote attackers to bypass from= and [EMAIL PROTECTED] address restrictions by connecting to a host from a system whose reverse DNS hostname contains the numeric IP address.

   (CVE-2006-4924) sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers
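CVE-2006-4339 in the OpenSSL list above is a padding check that stops too early: once the verifier has found the 0x00 separator and the DigestInfo it does not require the hash to end exactly where the encoded message ends, and with a public exponent of 3 that slack is what makes the forgery the entry describes possible. The following is an added example, not OpenSSL code: the lenient and the strict check side by side over a constructed encoded message, with the modular exponentiation left out (both run on the recovered EM).

```c
/* Lenient versus strict check of an RSASSA-PKCS1-v1_5 encoded message EM
 * (the value recovered by the public-key operation). Added example, not
 * OpenSSL code; the digests and messages below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DER prefix of DigestInfo for SHA-1 (RFC 3447, section 9.2, note 1). */
static const uint8_t SHA1_DI[15] = {0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,
                                    0x03,0x02,0x1a,0x05,0x00,0x04,0x14};
#define HLEN 20

/* Buggy shape: walk 00 01 FF..FF 00, compare DigestInfo||hash at that
 * point and stop. Bytes after the hash are never examined, so a short
 * padding string plus trailing bytes passes. Returns 1 if accepted. */
int verify_lenient(const uint8_t *em, size_t k, const uint8_t hash[HLEN])
{
    if (k < 2 || em[0] != 0x00 || em[1] != 0x01) return 0;
    size_t i = 2;
    while (i < k && em[i] == 0xFF) i++;
    if (i < 10 || i >= k || em[i] != 0x00) return 0;   /* >= 8 FF bytes */
    i++;
    if (k - i < sizeof SHA1_DI + HLEN) return 0;
    return memcmp(em + i, SHA1_DI, sizeof SHA1_DI) == 0 &&
           memcmp(em + i + sizeof SHA1_DI, hash, HLEN) == 0;
}

/* Correct shape (RFC 3447, 8.2.2 step 4): rebuild the single EM that is
 * valid for this key size and digest, and compare all k bytes. Any
 * extra byte anywhere changes the result. Returns 1 if accepted. */
int verify_strict(const uint8_t *em, size_t k, const uint8_t hash[HLEN])
{
    uint8_t expect[512];
    size_t tlen = sizeof SHA1_DI + HLEN;
    if (k > sizeof expect || k < tlen + 11) return 0;
    expect[0] = 0x00;
    expect[1] = 0x01;
    memset(expect + 2, 0xFF, k - tlen - 3);
    expect[k - tlen - 1] = 0x00;
    memcpy(expect + k - tlen, SHA1_DI, sizeof SHA1_DI);
    memcpy(expect + k - HLEN, hash, HLEN);
    unsigned diff = 0;                       /* constant-time compare */
    for (size_t j = 0; j < k; j++) diff |= em[j] ^ expect[j];
    return diff == 0;
}

/* Constructed EM: `ps_len` FF bytes, then DigestInfo||hash, then
 * `trailer` bytes of 0x42. ps_len = k - 38 with no trailer is the
 * well-formed encoding; other splits model a forger's freedom. */
size_t build_em(uint8_t *em, size_t k, size_t ps_len,
                const uint8_t hash[HLEN], size_t trailer)
{
    size_t tlen = sizeof SHA1_DI + HLEN;
    if (3 + ps_len + tlen + trailer != k) return 0;
    em[0] = 0x00;
    em[1] = 0x01;
    memset(em + 2, 0xFF, ps_len);
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, SHA1_DI, sizeof SHA1_DI);
    memcpy(em + 3 + ps_len + sizeof SHA1_DI, hash, HLEN);
    memset(em + k - trailer, 0x42, trailer);
    return k;
}
```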
[Full-disclosure] iDefense Security Advisory 01.09.07: Adobe Macromedia ColdFusion Source Code Disclosure Vulnerability
Adobe Macromedia ColdFusion Source Code Disclosure Vulnerability

iDefense Security Advisory 01.09.07
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 09, 2007

I. BACKGROUND

Adobe Macromedia ColdFusion is an application server and development framework for websites. More information is available at the following URL:

http://www.adobe.com/products/coldfusion/

II. DESCRIPTION

Remote exploitation of an input validation vulnerability in Adobe Systems Inc.'s Macromedia ColdFusion MX 7 may allow an attacker to view file contents on the server.

The vulnerability specifically exists in that URL-encoded filenames are decoded by the IIS process and then again by the ColdFusion process. By supplying a URL containing a double-encoded null byte and an extension handled by ColdFusion, such as '.cfm', it is possible to view the contents of any file which is not interpreted by ColdFusion.

III. ANALYSIS

Successful exploitation would allow a remote attacker to view the contents of a file on the affected server. Depending on the layout of the files on the server, this could include configuration files, source code written in another scripting language, log files or other data files.

Although this vulnerability does not in itself allow execution of code on the server, it may allow an attacker to discover sensitive information such as passwords, to discover vulnerabilities in other scripts on the system, or potentially to bypass some security restrictions.

IV. DETECTION

iDefense has confirmed this vulnerability exists in Adobe Macromedia ColdFusion MX 7.0.2, with all available fixes, running on Microsoft IIS.

V. WORKAROUND

iDefense is unaware of any effective workarounds for this vulnerability.

VI. VENDOR RESPONSE

Adobe has released a patch for this issue. For more information consult their advisory at the link below.

http://www.adobe.com/support/security/bulletins/apsb07-02.html

VII.
CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2006-5858 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

11/08/2006 Initial vendor notification
11/09/2006 Initial vendor response
01/09/2007 Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Inge Henriksen.
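The double decoding described above, in miniature: an added example, not ColdFusion or IIS code, with constructed request paths. It shows how a second decode after the extension has already been checked lets an encoded NUL split the file name, and the check a front end should apply to the once-decoded path.

```c
/* One-decode versus two-decode handling of a request path.
 * Added example, not ColdFusion or IIS code; paths are constructed. */
#include <string.h>

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                    /* fold A-F to a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decodes %XX escapes from in[0..n) into out (malformed escapes pass
 * through). Returns the decoded length, which may include an embedded
 * NUL, or (size_t)-1 if out is too small. */
size_t url_decode(const char *in, size_t n, char *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        int hi, lo;
        if (o >= cap) return (size_t)-1;
        if (in[i] == '%' && i + 2 < n &&
            (hi = hexval(in[i + 1])) >= 0 && (lo = hexval(in[i + 2])) >= 0) {
            out[o++] = (char)(hi * 16 + lo);
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    return o;
}

/* The routing decision the front end makes after its single decode. */
int ends_with_cfm(const char *s, size_t n)
{
    return n >= 4 && memcmp(s + n - 4, ".cfm", 4) == 0;
}

/* Models the bug: the front end decodes once and routes by extension; the
 * application decodes again and opens the result as a C string, which stops
 * at the first NUL. Copies the name actually opened into `opened`; returns
 * 1 if it differs from what routing saw, 0 if not, -1 on error. */
int double_decode_confuses(const char *raw, char *opened, size_t cap)
{
    char once[256], twice[256];
    size_t n1 = url_decode(raw, strlen(raw), once, sizeof once);
    if (n1 == (size_t)-1) return -1;
    if (!ends_with_cfm(once, n1)) return 0;
    size_t n2 = url_decode(once, n1, twice, sizeof twice);
    if (n2 == (size_t)-1 || n2 >= cap) return -1;
    const char *nul = memchr(twice, '\0', n2);
    size_t used = nul ? (size_t)(nul - twice) : n2;
    memcpy(opened, twice, used);
    opened[used] = '\0';
    return used != n2;
}

/* The check to apply right after the single decode: refuse anything a later
 * decode could still change ('%') and any byte outside printable ASCII,
 * which covers the NUL that makes the two layers disagree. */
int path_is_acceptable(const char *once_decoded, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)once_decoded[i];
        if (c == '%' || c < 0x20 || c > 0x7e) return 0;
    }
    return 1;
}
```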
[Full-disclosure] Adobe Reader Remote Heap Memory Corruption - Subroutine Pointer Overwrite
Adobe Reader Remote Heap Memory Corruption - Subroutine Pointer Overwrite
by Piotr Bania [EMAIL PROTECTED]
http://www.piotrbania.com
Original url: http://www.piotrbania.com/all/adv/adobe-acrobat-adv.txt

Severity: Critical - Possible remote code execution.
CVE ID: CVE-2006-5857

Time line:
03/09/2006 - Advisory sent to ADOBE PSIRT
03/09/2006 - Initial Vendor Response
11/09/2006 - Vendor confirms the vulnerability.
09/01/2007 - Security Bulletin ready, advisory released.

Software affected: Adobe Reader 7.0.8 and earlier - all platforms.

Tested on:
* Adobe Reader 7.0.8 and 7.0.3 (Windows)
* Adobe Reader 7.0.8 (Linux)

I. BACKGROUND

Adobe Reader is the most popular program for viewing documents in Adobe Portable Document Format (PDF). More information at: http://www.adobe.com/products/acrobat/.

II. DESCRIPTION

The problem exists when the Adobe product is trying to render a specially crafted PDF file. Take a look at this code snippet:

    // SNIP SNIP //-
    0:000> u 08009d3f
    CoolType+0x9d3f:
    08009d3f 83e904          sub     ecx,0x4
    08009d42 890da07a1d08    mov     [CoolType!CTCleanup+0xb393b (081d7aa0)],ecx
    08009d48 ffb49070fe      push    dword ptr [eax+edx*4-0x190]
    08009d4f 8b09            mov     ecx,[ecx]
    08009d51 51              push    ecx
    08009d52 ff506c          call    dword ptr [eax+0x6c]    ; (*)
    08009d55 59              pop     ecx
    08009d56 59              pop     ecx
    // SNIP SNIP //-

The instruction at 0x08009d52 calls the location whose address is stored at [eax+0x6c]. The value of eax points somewhere inside an allocated heap memory block, as shown here:

    // SNIP SNIP //-
    ...
    K: 199 - [*] HeapAlloc(0x3E,0x0,0x4(4))=0x16F6FF8 end at: 0x16F6FFC
    K: 200 - [*] HeapAlloc(0x3E,0x0,0x4F4(1268))=0x16F6958 end at: 0x16F6E4C
    K: 201 - [*] HeapAlloc(0x3E,0x0,0xFE30(65072))=0x16F6E58 end at: 0x1706C88
    K: 202 - [*] HeapAlloc(0x3E,0x0,0x304(772))=0x1706C90 end at: 0x1706F94
    K: 203 - [*] HeapAlloc(0x3E,0x0,0xFE24(65060))=0x1706FA0 end at: 0x1716DC4 - THIS ONE
    // SNIP SNIP //-

[EAX+0x6c] points to offset 0x222C from the beginning of the last heap memory block.
When a specially malformed PDF file is being rendered, there exists a possibility to cause a memory corruption, which leads to the overwrite of the subroutine address stored at [eax+0x6c]. Here's the debugger snippet, after calling the overwritten [eax+0x6c] (note the heap base block is different than previously mentioned; it's just another independent session):

    // SNIP SNIP //-
    (25a0.2170): Access violation - code c005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=016f4320 ebx= ecx=baadf00d edx=0069 esi=016f4ab9 edi=016f14b4
    eip=baadf00d esp=0012deec ebp=0012df80 iopl=0 nv up ei pl nz na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs= efl=00010202
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Acrobat 7.0\Reader\CoolType.dll -
    baadf00d ?? ???
    // SNIP SNIP //-

The attacker can control the EIP register; this may lead to potential code execution in the context of the current user.

III. IMPACT

Successful exploitation may allow the attacker to run arbitrary code in the context of the user running Adobe Reader.

IV. VENDOR RESPONSE

All patches are available via auto-update or http://www.adobe.com/go/getreader/

V. POC CODE

Due to the severity of this vulnerability I will not disclose any POC code.

best regards,
pb

--
Piotr Bania - [EMAIL PROTECTED] - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://www.piotrbania.com - Key ID: 0xBE43AC33
- The more I learn about men, the more I love dogs.