[Full-disclosure] Secunia Research: BearShare NCTAudioFile2 ActiveX Control Buffer Overflow
==
Secunia Research 09/05/2007
- BearShare NCTAudioFile2 ActiveX Control Buffer Overflow -
==

Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

==
1) Affected Software

BearShare 6.0.2.26789

NOTE: Other versions may also be affected.

==
2) Severity

Rating: Highly critical
Impact: System compromise
Where: Remote

==
3) Vendor's Description of Software

"Share, Discover and Download music and videos."

Product Link:
http://www.bearshare.com/

==
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in BearShare, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused by a boundary error in the NCTAudioFile2.AudioFile ActiveX control when handling the SetFormatLikeSample() method. This can be exploited to cause a stack-based buffer overflow by passing an overly long string (about 4124 bytes) as the argument to the affected method.

Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious website.

==
5) Solution

Set the kill-bit for the affected ActiveX control.

(The kill-bit is bit 0x400 of the "Compatibility Flags" DWORD value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, where {CLSID} is the class ID of the NCTAudioFile2.AudioFile control; the CLSID is not given in this advisory. Setting it stops Internet Explorer from instantiating the control regardless of its "safe for scripting" marking.)

==
6) Time Table

30/04/2007 - Vendor notified.
09/05/2007 - Public disclosure.

==
7) Credits

Discovered by Carsten Eiram, Secunia Research.

==
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2007-0018 for the vulnerability.

==
9) About Secunia

Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

==
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2007-50/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Secunia Research: Internet Explorer HTML Objects Memory Corruption Vulnerability
==
Secunia Research 09/05/2007
- Internet Explorer HTML Objects Memory Corruption Vulnerability -
==

Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

==
1) Affected Software

* Microsoft Internet Explorer 7

==
2) Severity

Rating: Moderately Critical
Impact: System Access
Where: Remote

==
3) Vendor's Description of Software

"Internet Explorer 7 provides improved navigation through tabbed browsing, web search right from the toolbar, advanced printing, easy discovery, reading and subscription to RSS feeds, and much more."

http://www.microsoft.com/windows/products/winfamily/ie/default.mspx

==
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused by an error in the handling of HTML objects: in certain cases a CMarkup object is used after it has been freed. This use-after-free can be exploited to corrupt memory via a specially crafted web page.

Successful exploitation allows execution of arbitrary code.

==
5) Solution

Apply patches (see the Microsoft security bulletin for details).

==
6) Time Table

18/01/2007 - Vendor notified.
19/01/2007 - Vendor response.
09/05/2007 - Public disclosure.

==
7) Credits

Discovered by JJ Reyes, Secunia Research.

==
8) References

MS07-027 (KB931768):
http://www.microsoft.com/technet/security/Bulletin/MS07-027.mspx

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2007-0947 for the vulnerability.

==
9) About Secunia

Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

==
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2007-36/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==
Re: [Full-disclosure] Full-Disclosure Digest, Vol 27, Issue 16
0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
___

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGQjuFmqjQ0CJFipgRAgaPAKDq9k/P25VQ4erXuk8cznuJrsSbTACg8kLE
6u+Od503dEYQxrf63PILWMc=
=jk4Z
-----END PGP SIGNATURE-----

------------------------------

Message: 2
Date: Thu, 10 May 2007 01:52:19 +0100
From: Jeroen Massar [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] [ MDKSA-2007:101 ] - Updated bind packages fix vulnerability
To: [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=iso-8859-1

[EMAIL PROTECTED] wrote:
> ___
> Mandriva Linux Security Advisory MDKSA-2007:101
> http://www.mandriva.com/security/
> ___
>
> Package : vim
> Date: May 9, 2007
> Affected: 2007.0, 2007.1

But the subject line reads:
[ MDKSA-2007:101 ] - Updated bind packages fix vulnerability

So is this a spoof or is this a spoof? Or did somebody make a booboo at Mandriva.

The PGP key seems to at least check out for the fact that the signature on the part of the message that is signed is correct. As the PGP key is not in the strong set it can't be really trusted of course.

Greets,
Jeroen

-- next part --
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 311 bytes
Desc: OpenPGP digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070510/5d4e910c/attachment-0001.bin

------------------------------

Message: 3
Date: Thu, 10 May 2007 01:54:20 +0100
From: Jeroen Massar [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] [ MDKSA-2007:101 ] - Updated bind packages fix vulnerability
To: [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=iso-8859-1

Jeroen Massar wrote:
> [EMAIL PROTECTED] wrote:
> > ___
> > Mandriva Linux Security Advisory MDKSA-2007:101
> > http://www.mandriva.com/security/
> > ___
> >
> > Package : vim
> > Date: May 9, 2007
> > Affected: 2007.0, 2007.1
>
> But the subject line reads:
> [ MDKSA-2007:101 ] - Updated bind packages fix vulnerability
>
> So is this a spoof or is this a spoof? Or did somebody make a booboo at Mandriva.
>
> The PGP key seems to at least check out for the fact that the signature on the part of the message that is signed is correct. As the PGP key is not in the strong set it can't be really trusted of course.

Also setting a Reply-To: to a broken [EMAIL PROTECTED] absolutely doesn't make any sense (unless you want to partially overcome the problem of vacation messages getting bounced back, but hey those people will nicely ignore your Reply-To anyway)

--
This is the Postfix program at host imap.mandriva.com.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster

If you do so, please include this problem report. You can delete your own text from the attached returned message.

The Postfix program

[EMAIL PROTECTED]: host /var/lib/imap/socket/lmtp[/var/lib/imap/socket/lmtp] said:
550-Mailbox unknown. Either there is no mailbox associated with this
550-name or you do not have authorization to see it.
550 5.1.1 User unknown (in reply to RCPT TO command)

-- next part --
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 311 bytes
Desc: OpenPGP digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070510/b3c3d277/attachment-0001.bin

------------------------------

Message: 4
Date: Thu, 10 May 2007 07:12:09 +0200
From: Secunia Research [EMAIL PROTECTED]
Subject: [Full-disclosure] Secunia Research: BearShare NCTAudioFile2 ActiveX Control Buffer Overflow
To: full-disclosure@lists.grok.org.uk
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain
[Full-disclosure] iDefense Security Advisory 05.09.07: Computer Associates eTrust InoTask.exe Antivirus Buffer Overflow Vulnerability
Computer Associates eTrust InoTask.exe Antivirus Buffer Overflow Vulnerability

iDefense Security Advisory 05.09.07
http://labs.idefense.com/intelligence/vulnerabilities/
May 09, 2007

I. BACKGROUND

Computer Associates' eTrust Antivirus is a client antivirus scanner. It is distributed in standalone packages and also as part of the Internet Security Suite. More information can be found on the vendor's website at the following URL.

http://www3.ca.com/solutions/product.aspx?ID=156

II. DESCRIPTION

Local exploitation of a buffer overflow vulnerability in Computer Associates International Inc.'s (CA) eTrust Antivirus allows attackers to execute arbitrary code with SYSTEM privileges.

The Task Service component of eTrust Antivirus, InoTask.exe, is used to schedule and execute tasks such as scanning the system for viruses. The service uses a shared file mapping to share information about scheduled tasks. The file mapping has a NULL security descriptor, which allows any user to modify its contents. By modifying a string inside this mapping, an attacker can trigger a stack-based overflow in the InoTask process.

III. ANALYSIS

Exploitation allows an attacker to elevate privileges to SYSTEM on the targeted host. A local user account is required to exploit this vulnerability; it cannot be triggered remotely.

When exploiting this vulnerability, an attacker can cause the copy operation to write past the end of the stack. This triggers an exception, and results in execution of attacker-supplied code when the (overwritten) SEH handler is called.

IV. DETECTION

iDefense confirmed that CA eTrust Antivirus r8 on Windows is vulnerable.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

CA has issued an update to address the vulnerabilities. The patched files are available as part of the product's automatic content update. For more information consult Computer Associates' Security Notice at the following URL.

http://supportconnectw.ca.com/public/antivirus/infodocs/caav-secnotice050807.asp

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-2523 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

02/07/2007  Initial vendor notification
02/07/2007  Initial vendor response
05/09/2007  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by binagres.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Re: [Full-disclosure] Linux big bang theory....
J. Oquendo wrote:
> Enjoy||Complain

[P]ure sensationalism and an extremely contrived example of which you can do the exact same in a Windows environment.
[Full-disclosure] [ GLSA 200705-12 ] PostgreSQL: Privilege escalation
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200705-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: PostgreSQL: Privilege escalation
      Date: May 10, 2007
      Bugs: #175791
        ID: 200705-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

PostgreSQL contains a vulnerability that could result in SQL privilege escalation.

Background
==========

PostgreSQL is an open source object-relational database management system.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  dev-db/postgresql        < 8.0.13                        >= 8.0.13
                                                             *>= 7.4.17
                                                             *>= 7.3.19

Description
===========

An error involving insecure search_path settings in SECURITY DEFINER functions has been reported in PostgreSQL. A SECURITY DEFINER function runs with its owner's privileges but resolves unqualified object names through the caller's search_path, so a caller who can create objects in a schema that is searched first (including the session's temporary schema) can substitute a same-named function or operator and have it executed by the owner.

Impact
======

If allowed to call a SECURITY DEFINER function, an attacker could gain the SQL privileges of the owner of the called function.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PostgreSQL users should upgrade to the latest version and fix their SECURITY DEFINER functions:

    # emerge --sync
    # emerge --ask --oneshot --verbose dev-db/postgresql

In order to fix the SECURITY DEFINER functions (schema-qualifying every referenced object, or setting search_path explicitly to trusted schemas at the start of the function), PostgreSQL users are advised to refer to the PostgreSQL documentation:

http://www.postgresql.org/docs/techdocs.77

References
==========

  [ 1 ] CVE-2007-2138
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2138

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200705-12.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

pgpCfTOFTYMI5.pgp
Description: PGP signature
[Full-disclosure] [ GLSA 200705-13 ] ImageMagick: Multiple buffer overflows
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200705-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: ImageMagick: Multiple buffer overflows
      Date: May 10, 2007
      Bugs: #159567, #173186
        ID: 200705-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple integer overflows have been discovered in ImageMagick allowing for the execution of arbitrary code.

Background
==========

ImageMagick is a collection of tools allowing various manipulations on image files.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  media-gfx/imagemagick    < 6.3.3                         >= 6.3.3

Description
===========

iDefense Labs has discovered multiple integer overflows in ImageMagick in the functions ReadDCMImage() and ReadXWDImage(), which are used to process DCM and XWD files.

Impact
======

An attacker could entice a user to open a specially crafted XWD or DCM file, resulting in heap-based buffer overflows and possibly the execution of arbitrary code with the privileges of the user running ImageMagick. Note that this user may be httpd or any other account used by applications relying on the ImageMagick tools to automatically process images.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ImageMagick users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.3.3"

References
==========

  [ 1 ] CVE-2007-1797
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1797

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200705-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

pgpQphabXkDJK.pgp
Description: PGP signature
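The bug class the GLSA describes, as an added example that is not ImageMagick's ReadDCMImage()/ReadXWDImage() code: an image reader multiplies header fields to size its pixel buffer, the product wraps in 32-bit arithmetic, malloc() hands back a small block, and the decoder then writes the full image into it (the heap-based overflow). The checked version refuses any header whose product would wrap. The 12-byte header layout, the 256 MiB cap and the two sample headers are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t img_size_t;   /* 32-bit on purpose so the wrap shows on any host */

struct img_header { uint32_t width, height, bpp; };

/* Parses a constructed 12-byte little-endian header: width, height, bytes per
 * pixel.  Real DCM/XWD headers are larger; this stands in for the fields the
 * size computation consumes.  Returns 1 on success, 0 if the buffer is short. */
int read_image_header(const uint8_t *buf, size_t len, struct img_header *h)
{
    uint32_t f[3];
    if (len < 12) return 0;
    for (int i = 0; i < 3; i++)
        f[i] = (uint32_t)buf[4 * i]           | (uint32_t)buf[4 * i + 1] << 8 |
               (uint32_t)buf[4 * i + 2] << 16 | (uint32_t)buf[4 * i + 3] << 24;
    h->width = f[0]; h->height = f[1]; h->bpp = f[2];
    return 1;
}

/* Vulnerable shape: the product is formed in the narrow size type with no
 * check.  65536 x 65536 x 4 wraps to 0, malloc(0) "succeeds", and the decoder
 * then writes 16 GiB of pixels into it. */
img_size_t unchecked_image_size(const struct img_header *h)
{
    return (img_size_t)h->width * h->height * h->bpp;
}

/* Hardened: refuse the header if either multiplication would wrap, then apply
 * a sanity cap (an assumed policy value).  Returns 1 and sets *out, or 0. */
int checked_image_size(const struct img_header *h, img_size_t *out)
{
    const img_size_t cap = 256u * 1024u * 1024u;   /* 256 MiB, assumption */
    img_size_t wh, total;
    if (h->width == 0 || h->height == 0 || h->bpp == 0 || h->bpp > 16) return 0;
    if (h->width > UINT32_MAX / h->height) return 0;   /* w*h would wrap */
    wh = h->width * h->height;
    if (wh > UINT32_MAX / h->bpp) return 0;            /* w*h*bpp would wrap */
    total = wh * h->bpp;
    if (total > cap) return 0;
    *out = total;
    return 1;
}

/* Allocates the pixel buffer only after validation; NULL means "refused". */
uint8_t *allocate_pixels(const struct img_header *h, img_size_t *size_out)
{
    img_size_t sz;
    uint8_t *p;
    if (!checked_image_size(h, &sz)) return NULL;
    p = malloc(sz);
    if (p != NULL && size_out != NULL) *size_out = sz;
    return p;
}

/* Constructed sample headers: a benign 640x480x3 image and a hostile
 * 65536x65536x4 one whose byte count wraps to zero in 32 bits. */
const uint8_t benign_hdr[12]  = { 0x80,0x02,0,0,  0xE0,0x01,0,0,  3,0,0,0 };
const uint8_t hostile_hdr[12] = { 0,0,1,0,        0,0,1,0,        4,0,0,0 };

/* Size the unchecked path would pass to malloc() for a raw header
 * (0 if the header itself cannot be read). */
img_size_t unchecked_size_for(const uint8_t *buf, size_t len)
{
    struct img_header h;
    return read_image_header(buf, len, &h) ? unchecked_image_size(&h) : 0;
}

/* Size the checked path accepts, or -1 if the header is refused. */
long long checked_size_for(const uint8_t *buf, size_t len)
{
    struct img_header h;
    img_size_t sz;
    if (!read_image_header(buf, len, &h) || !checked_image_size(&h, &sz)) return -1;
    return (long long)sz;
}

int main(void)
{
    printf("benign : unchecked=%u checked=%lld\n",
           unchecked_size_for(benign_hdr, 12), checked_size_for(benign_hdr, 12));
    printf("hostile: unchecked=%u checked=%lld\n",
           unchecked_size_for(hostile_hdr, 12), checked_size_for(hostile_hdr, 12));
    return 0;
}
```

The division-based test (`w > UINT32_MAX / h`) is the portable way to detect the wrap before it happens; on compilers that provide `__builtin_mul_overflow` the same check is one call. The cap matters independently of the wrap check: a product that fits in 32 bits can still be far larger than any image the service should accept.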
Re: [Full-disclosure] Linux big bang theory....
On Thu, 10 May 2007 13:24:24 EDT, J. Oquendo said:
> If you were an attacker what would you rather have?
>
> 10k Linux machines
> 10k Windows machines

Depends on the goals. A Linux box is probably easier to use remotely. However, your presence on the Windows box is far less likely to be noticed.

And if I was doing a targeted attack on an organization, I'd probably trade 10K of *any* machine out on the open Internet for that old VMS machine in the target's DMZ.
Re: [Full-disclosure] Linux big bang theory....
J. Oquendo wrote:
> You're mistaking the foundation of why I wrote it...
>
> If you were an attacker what would you rather have?
>
> 10k Linux machines
> 10k Windows machines

why, Windows machines of course, I'm an attacker, not a fool!

If you were a terrorist, what would you rather do?

Crash the Twin Towers
Crash the dollar

There is no such thing as an attacker. All actions, even such an individual's, are driven by economical considerations. Your attacker seems to be some kind of space alien hacker (or possibly the Unabomber), as detached and... alienated as it is from this world. You hint at a sci-fi epic scenario, with an unstoppable army of Linux bots targeting vital points of the Internet infrastructure with aimed attacks. Even putting your nonsensical premises aside (like the wishful assumption that operating systems are *not* commodities, and to add to the absurdity we are talking about zombies here!), you are still left with a one-man fuck-the-world scheme with no winner. Why would anyone do that?

So bravo and yay, a shell script trojan and vague threats of MD5 collisions, history books here you come! Now all you need is a(n) hero's death. I can already see the epitaph: "Nobody was faster in the awk"
Re: [Full-disclosure] Linux big bang theory....
KJKHyperion wrote:
> why, Windows machines of course, I'm an attacker, not a fool!
>
> If you were a terrorist, what would you rather do?
>
> Crash the Twin Towers
> Crash the dollar
>
> There is no such thing as an attacker. All actions, even such an individual's, are driven by economical considerations.

With this said, if I were an attacker with economics in mind why would I want to target a machine which has X amount of vendors sifting through the much of malware and viruses when I could spawn off a semi-undetectable program and KEEP IT THERE without having to wait for the next best thing. I don't know about your logics on economics, but if I were the attacker and I was looking for a constant steady stream of revenue, I would go the Linux route. And if you think for a second that "Boohoo Linux users are more inclined to be security conscious" then you are the fool here. Of the couple of thousand of brute force bots I see, none are on Windows.

Whatever though, to each their own mechanisms of thought. If you truly believe it's all fine and dandy and things won't get progressively worse by giving Linux to inexperienced users, you are in for a rude awakening. If you haven't stopped to read the facts that malware, *ware creators are getting more savvy, then you seem to be stuck somewhere in a world of fantasy.

--
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'

"Wise men talk because they have something to say; fools, because they have to say something." -- Plato
Re: [Full-disclosure] Linux big bang theory....
So many people aren't real UNIX sysadmins. Those that are, care about security and do an adequate job of protecting their systems. Give Linux to others and it may be more risky than giving them Windows. With Windows, root kits may be easier for an average user to detect, given the availability of numerous tools. I would assume the novice Linux users are less prone to deploying some sort of protection besides maybe updating it and having a firewall running.

If I was going to have an army of hosts I'd hopefully have a bunch of different kinds, using different kinds of root kits, in order to minimize losses if one kind of setup was discovered.

-Derek
http://www.syrex.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J. Oquendo
Sent: Thursday, May 10, 2007 12:12 PM
To: KJKHyperion; full-disclosure
Subject: Re: [Full-disclosure] Linux big bang theory

KJKHyperion wrote:
> why, Windows machines of course, I'm an attacker, not a fool!
>
> If you were a terrorist, what would you rather do?
>
> Crash the Twin Towers
> Crash the dollar
>
> There is no such thing as an attacker. All actions, even such an individual's, are driven by economical considerations.

With this said, if I were an attacker with economics in mind why would I want to target a machine which has X amount of vendors sifting through the much of malware and viruses when I could spawn off a semi-undetectable program and KEEP IT THERE without having to wait for the next best thing. I don't know about your logics on economics, but if I were the attacker and I was looking for a constant steady stream of revenue, I would go the Linux route. And if you think for a second that "Boohoo Linux users are more inclined to be security conscious" then you are the fool here. Of the couple of thousand of brute force bots I see, none are on Windows.

Whatever though, to each their own mechanisms of thought. If you truly believe it's all fine and dandy and things won't get progressively worse by giving Linux to inexperienced users, you are in for a rude awakening. If you haven't stopped to read the facts that malware, *ware creators are getting more savvy, then you seem to be stuck somewhere in a world of fantasy.

--
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'

"Wise men talk because they have something to say; fools, because they have to say something." -- Plato
[Full-disclosure] iDefense Security Advisory 05.10.07: Novell NetMail NMDMC Buffer Overflow Vulnerability
Novell NetMail NMDMC Buffer Overflow Vulnerability

iDefense Security Advisory 05.10.07
http://labs.idefense.com/intelligence/vulnerabilities/
May 10, 2007

I. BACKGROUND

Novell Inc.'s NetMail is an e-mail and calendar system that is based on standard Internet protocols. More information can be found at the URL shown below.

http://www.novell.com/products/netmail/

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability within Novell Inc.'s NetMail allows attackers to execute arbitrary code with the privileges of the service.

This vulnerability specifically exists within the SSL version of the NMDMC.EXE service. The application does not perform sufficient input validation when copying data into a fixed-size stack buffer. When processing a specially crafted request made to this service, a stack-based buffer overflow occurs, leading to corruption of the program control registers saved on the stack.

III. ANALYSIS

Exploitation allows attackers to execute code in the context of the running service. By default this service runs with the privileges of NetMailService. No authentication is required to reach the vulnerable code. Additionally, this is an SSL-based service, which complicates writing IDS signatures. It appears that the non-SSL version of this service is not vulnerable.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability within version 3.52e_FTF2 of Novell Inc.'s NetMail. Older versions are suspected to be vulnerable.

V. WORKAROUND

Employ firewalls to minimize the exposure of this service. Since the vulnerable code is reachable without authentication and network IDS cannot see inside the SSL session, restricting which hosts can reach the SSL listener is the only mitigation available before the fixed release.

VI. VENDOR RESPONSE

Novell has addressed this vulnerability in the beta release of Novell NetMail 3.52f. For more information, consult the document located at the following URL.

http://download.novell.com/Download?buildid=Ad2xk29hHTg~

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

02/07/2007  Initial vendor notification
02/08/2007  Initial vendor response
05/10/2007  Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
[Full-disclosure] iDefense Security Advisory 05.10.07: Apple Darwin Streaming Proxy Multiple Vulnerabilities
Apple Darwin Streaming Proxy Multiple Vulnerabilities

iDefense Security Advisory 05.10.07
http://labs.idefense.com/intelligence/vulnerabilities/
May 10, 2007

I. BACKGROUND

Darwin Streaming Server is a server technology that facilitates streaming of QuickTime data to clients across the Internet using the industry standard RTP and RTSP protocols. The Darwin Streaming Proxy is an application-specific proxy which would normally be run in a border zone or perimeter network. It is used to give client machines, within a protected network, access to streaming servers where the firewall blocks RTSP connections or RTP/UDP data flow. For more information, please visit the product website via the following URL.

http://developer.apple.com/opensource/server/streaming/index.html

II. DESCRIPTION

Remote exploitation of multiple buffer overflow vulnerabilities in Apple Inc.'s Darwin Streaming Proxy allows attackers to execute arbitrary code with the privileges of the running service, usually root.

Due to insufficient sanity checking, a stack-based buffer overflow could occur while trying to extract commands from the request buffer. The is_command function, located in proxy.c, lacks bounds checking when filling the 'cmd' and 'server' buffers.

Additionally, a heap-based buffer overflow could occur while processing the trackID values contained within a SETUP request. If a request with more than 32 values is encountered, memory corruption will occur.

III. ANALYSIS

Successful exploitation allows remote attackers to execute arbitrary code with the privileges of the running service, usually root. No credentials are required for accessing the vulnerable code.

The stack-based buffer overflow vulnerability relies on compiler optimizations. iDefense has verified the Darwin Streaming Proxy 4.1 binary release for Fedora Core is not vulnerable. The binary produced from an out-of-the-box compile on Fedora was confirmed vulnerable.

IV. DETECTION

iDefense has confirmed the existence of these vulnerabilities in Darwin Streaming Server 5.5.4 and Darwin Streaming Proxy 4.1. It is suspected that earlier versions are also vulnerable.

V. WORKAROUND

Employ firewalls, access control lists or other TCP/UDP restriction mechanisms to limit access to vulnerable systems and services.

VI. VENDOR RESPONSE

Apple has addressed this vulnerability by releasing version 5.5.5 of Darwin Streaming Server. More information can be found on Apple's Security Update page or the Darwin Streaming Server advisory page at the respective URLs below.

http://docs.info.apple.com/article.html?artnum=61798
http://docs.info.apple.com/article.html?artnum=305495

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-0748 to the heap-based buffer overflow and CVE-2007-0749 to the stack-based buffer overflow. These names are candidates for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

04/09/2007  Initial vendor notification
04/09/2007  Initial vendor response
05/10/2007  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
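The two checks the advisory says are missing, written as an added example for this digest rather than code from Darwin Streaming Proxy or iDefense: a bounded extraction of the RTSP method and server tokens, and a hard cap on the number of trackID values accepted from a SETUP request. The buffer sizes, function names and sample requests are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buffer sizes here are assumptions for this example, not the proxy's own. */
#define CMD_MAX    16   /* longest RTSP method name ("GET_PARAMETER") plus NUL */
#define SERVER_MAX 256  /* host[:port] of the upstream streaming server */
#define MAX_TRACKS 32   /* the advisory's observed limit on trackID values */

typedef struct {
    char cmd[CMD_MAX];
    char server[SERVER_MAX];
} rtsp_request;

/* Copy one token (up to any byte in `stop`) into dst[dst_len]. An over-long
 * token is rejected rather than truncated: it is a malformed request, and
 * silent truncation can still mislead later parsing.
 * Returns the token length, or -1 for an empty or over-long token. */
static int copy_token(char *dst, size_t dst_len, const char *src, const char *stop)
{
    size_t n = strcspn(src, stop);
    if (n == 0 || n >= dst_len)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (int)n;
}

/* Parse "METHOD rtsp://host[:port]/path RTSP/1.0", filling the two fixed-size
 * buffers only after checking that each token fits. 0 on success, -1 if not. */
int parse_request_line(const char *line, rtsp_request *req)
{
    const char *p = line;
    int n = copy_token(req->cmd, sizeof req->cmd, p, " \r\n");
    if (n < 0)
        return -1;
    p += n;
    while (*p == ' ')
        p++;
    if (strncmp(p, "rtsp://", 7) != 0)
        return -1;
    p += 7;
    return copy_token(req->server, sizeof req->server, p, "/ \r\n") < 0 ? -1 : 0;
}

/* Collect every "trackID=<n>" value of a SETUP request into a fixed array.
 * Returns the number found, or -1 for a malformed value or for more than
 * MAX_TRACKS values (the request shape the advisory describes). */
int collect_track_ids(const char *request, unsigned ids[MAX_TRACKS])
{
    int count = 0;
    const char *p = request;
    while ((p = strstr(p, "trackID=")) != NULL) {
        char *end;
        p += strlen("trackID=");
        unsigned long v = strtoul(p, &end, 10);
        if (end == p)
            return -1;          /* "trackID=" with no digits */
        if (count >= MAX_TRACKS)
            return -1;          /* 33rd value: refuse instead of overrunning */
        ids[count++] = (unsigned)v;
        p = end;
    }
    return count;
}

/* Build a constructed SETUP request carrying n trackID values and return
 * collect_track_ids' verdict on it. */
int check_setup_with_tracks(int n)
{
    char buf[4096] = "SETUP rtsp://media.example.test/clip.mov";
    unsigned ids[MAX_TRACKS];
    for (int i = 1; i <= n; i++) {
        char part[32];
        snprintf(part, sizeof part, "/trackID=%d", i);
        if (strlen(buf) + strlen(part) + 1 > sizeof buf)
            return -1;
        strcat(buf, part);
    }
    return collect_track_ids(buf, ids);
}
```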
Re: [Full-disclosure] Linux big bang theory....
J. Oquendo wrote:
> KJKHyperion wrote:
>> why, Windows machines of course, I'm an attacker, not a fool! If you were a terrorist, what would you rather do?
>> Crash the Twin Towers
>> Crash the dollar
>> There is no such thing as an attacker. All actions, even such an individual's, are driven by economical considerations.
>
> With this said, if I were an attacker with economics in mind why would I want to target a machine which has X amount of vendors sifting through the much of malware and viruses when I could spawn off a semi-undetectable program and KEEP IT THERE without having to wait for the next best thing.

So many misconceptions, so little time.

First of all, I meant economical in not just a monetary sense, but the wider sense of balancing conflict in everyone's interest. And well, I got the impression you were thinking of outlandish lose-lose (hence anti-economical) scenarios where some loose cannon shuts down the whole internet, but on second thought I might have been wrong on that account. The idea was that, as effective an enemy-killer crashing the dollar would be, it would prove counterproductive, damaging irreparably the very currency that puts bread on your table and AK-47 on your shoulder. So a purely economical evaluation will bring you to choose, instead, the option causing the lesser evil (i.e. the virtual death of the airline terrorism market).

Second, don't kid yourself, the market of security suites for Windows is, at best, an open-air fish marketplace (a terrible stink, a lot of yelling and products with an inherently short freshness timespan the first similarities that come to mind, but I'm sure the mental picture will evoke you many others). I have written Windows attack software for a living, and there's one thing I can write down and undersign in my own blood: Windows cannot be secured.

Which is very bad news for the whole industry, Windows being the system with the highest security/feature richness ratio, or in other words the culmination of the state of the art of software engineering as we know it. We lack the semantic tools to even express *what* Windows does, much less how, much less to tell right from wrong.

[The feeble-minded, confronted with this, retreat in the virtualization hugbox, forgetting the historic lesson that the Titanic sank because the flooding bypassed the (insufficiently fine-grained, at that) waterproof compartments by reaching *over* them -- and let's leave it at that, before runaway metaphorization makes me say something about how Leonardo Di Caprio fits that I will regret]

There is nothing, absolutely nothing you can do to isolate applications, or tell malicious from normal behavior. Hell, you can hardly tell apart applications from each other. An application is often just an EXE, but sometimes it's an EXE and a bunch of DLLs, and sometimes one of the DLLs is loaded in all active processes, and sometimes the EXEs are two or more, and sometimes a driver is thrown in the mix, and yet sometimes all you have is a single DLL, a DLL that, sometimes, must *necessarily* be loaded at random times in an arbitrary process (see: IMEs).

Not that it matters at all, since the biggest names in security suites fail even the most basic, trivial tests (god is my witness in how often I overengineered some protection routine, only to discover that expensive security suites that shall go unnamed didn't notice the whole trojan in the first place), but it's kind of comforting to know that the problem is unsolvable in principle, now isn't it?

So stop shelling out money to the snake oil salesmen or even giving them any credit. When humanity's flagship software product is in such a sorry state, you know there is nothing a random moron like you can do. Let the scientists discover the obvious, let the engineers put it in practice, and until then, for the love of god and all that is holy, _just_ _don't_ _swallow_.

[Microsoft being Microsoft, the most important software engineering proof-of-concept, ever, they have developed will probably become a product in ten years from now, if ever, be a huge flop at it and be forgotten soon. It's called Singularity, it's an operating system 99.999% based on .NET, it will make your CPU simpler and faster and your software safer, it's sort of like what Inferno would be if it was actually meant to be used by human beings, *and* if your irrational racist hate of .NET or other kind of short-sightedness makes it seem any less than the... singularity that will take the world by storm and change it forever I see it as, *then* to me you are dead from the inside; http://research.microsoft.com/os/singularity/ for more information]

> And if you think for a second that Boohoo Linux users are more inclined to be security conscious than you are the fool here.

Haha, yes they are, according to their self-assessment. As for delusions of security consciousness, though, my favorite have to be the
[Full-disclosure] TPTI-07-07: Apple QuickTime STSD Parsing Heap Overflow Vulnerability
TPTI-07-07: Apple QuickTime STSD Parsing Heap Overflow Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-07-07
May 10, 2007

-- CVE ID:
CVE-2007-0754

-- Affected Vendor:
Apple

-- Affected Products:
QuickTime Player 7.x

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since January 31, 2006 by Digital Vaccine protection filter ID 4109. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of malformed Sample Table Sample Descriptor (STSD) atoms. Specifying a malicious atom size can result in an under-allocated heap chunk and subsequently an exploitable heap corruption.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details can be found at:

    http://docs.info.apple.com/article.html?artnum=304357

-- Disclosure Timeline:
2006.06.16 - Vulnerability reported to vendor
2006.01.31 - Digital Vaccine released to TippingPoint customers
2007.05.10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Ganesh Devarajan, TippingPoint DVLabs.
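The size checks the advisory says QuickTime lacked, as an added example written for this digest and not Apple's code: each declared atom size and sample-description entry size is verified against the bytes actually present before anything is sized or advanced from it. The two sample atoms are constructed and the function names are assumptions; the field layout follows the published 'stsd' format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Atom fields are big-endian 32-bit values. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

typedef struct {
    char type[5];          /* four-character code, NUL-terminated */
    const uint8_t *body;   /* bytes following the 8-byte header */
    size_t body_len;
} atom;

/* Parse one atom header from buf[0..len). A declared size smaller than the
 * header itself or larger than the bytes on hand is rejected before it can be
 * used to size anything. The 64-bit (size == 1) and to-end-of-file (size == 0)
 * forms are rejected too, to keep this example short. */
int parse_atom(const uint8_t *buf, size_t len, atom *out)
{
    if (len < 8)
        return -1;
    uint32_t size = be32(buf);
    if (size < 8 || size > len)
        return -1;
    memcpy(out->type, buf + 4, 4);
    out->type[4] = '\0';
    out->body = buf + 8;
    out->body_len = size - 8;
    return 0;
}

/* Walk an 'stsd' body: version(1) flags(3) entry_count(4), then sample
 * description entries each led by their own 4-byte size. Every entry must fit
 * inside the atom and carry at least the 16-byte description header (size,
 * format, 6 reserved bytes, data reference index). Returns the entry count,
 * or -1 at the first size that does not add up. */
int validate_stsd(const atom *a)
{
    if (strcmp(a->type, "stsd") != 0 || a->body_len < 8)
        return -1;
    uint32_t count = be32(a->body + 4);
    size_t off = 8;
    for (uint32_t i = 0; i < count; i++) {
        if (a->body_len - off < 4)
            return -1;                            /* no room for an entry size */
        uint32_t esize = be32(a->body + off);
        if (esize < 16 || esize > a->body_len - off)
            return -1;                            /* entry claims bytes the atom lacks */
        off += esize;
    }
    return (int)count;
}

/* Parse and validate a buffer that should hold one 'stsd' atom. */
int check_stsd(const uint8_t *buf, size_t len)
{
    atom a;
    if (parse_atom(buf, len, &a) < 0)
        return -1;
    return validate_stsd(&a);
}

/* Constructed 'stsd' atom: 32 bytes, one 16-byte 'mp4a' entry. */
const uint8_t good_stsd[32] = {
    0x00, 0x00, 0x00, 0x20, 's', 't', 's', 'd',      /* size 32, type */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,  /* version/flags, 1 entry */
    0x00, 0x00, 0x00, 0x10, 'm', 'p', '4', 'a',      /* entry size 16, format */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01   /* reserved, data ref index */
};

/* Same bytes with the atom size rewritten to 16: the atom claims to end before
 * its one entry begins, so a chunk sized from that header alone would be too
 * small for the entry data that follows (the under-allocation the advisory
 * describes). The validator refuses it instead of trusting the header. */
const uint8_t bad_stsd[32] = {
    0x00, 0x00, 0x00, 0x10, 's', 't', 's', 'd',
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x10, 'm', 'p', '4', 'a',
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
};
```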
[Full-disclosure] ZDI-07-028: CA eTrust AntiVirus Server inoweb Buffer Overflow Vulnerability
ZDI-07-028: CA eTrust AntiVirus Server inoweb Buffer Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-028.html
May 9, 2007

-- CVE ID:
CVE-2007-2522

-- Affected Vendor:
Computer Associates

-- Affected Products:
eTrust AntiVirus Server v8

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since November 20, 2006 by Digital Vaccine protection filter ID 4861. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Computer Associates AntiVirus Server. User interaction is not required to exploit this vulnerability.

The specific flaw exists in the authentication function of the inoweb service that listens by default on TCP port 12168. The function copies both the username and password into fixed-length stack buffers. If an attacker provides overly long values for these parameters, an exploitable buffer overflow occurs.

-- Vendor Response:
Computer Associates has issued an update to correct this vulnerability. More details can be found at:

    http://supportconnectw.ca.com/public/antivirus/infodocs/caav-secnotice050807.asp

-- Disclosure Timeline:
2006.11.06 - Vulnerability reported to vendor
2006.11.20 - Digital Vaccine released to TippingPoint customers
2007.05.09 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Tenable Network Security.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
[Full-disclosure] [ MDKSA-2007:102 ] - Updated php packages fix multiple vulnerabilities
___
Mandriva Linux Security Advisory                         MDKSA-2007:102
http://www.mandriva.com/security/
___
Package : php
Date    : May 10, 2007
Affected: 2007.0, 2007.1, Corporate 4.0
___
Problem Description:

A heap buffer overflow flaw was found in the xmlrpc extension for PHP. A script that implements an XML-RPC server using this extension could allow a remote attacker to execute arbitrary code as the apache user. This flaw does not, however, affect PHP applications using the pure-PHP XML_RPC class provided via PEAR (CVE-2007-1864).

A flaw was found in the ftp extension for PHP. A script using this extension to provide access to a private FTP server and which passed untrusted script input directly to any function provided by this extension could allow a remote attacker to send arbitrary FTP commands to the server (CVE-2007-2509).

A buffer overflow flaw was found in the soap extension for PHP in the handling of an HTTP redirect response when using the SOAP client provided by the extension with an untrusted SOAP server (CVE-2007-2510).

A buffer overflow in the user_filter_factory_create() function has unknown impact and local attack vectors (CVE-2007-2511).

Updated packages have been patched to prevent this issue.
___
References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2509
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2510
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2511
___
Updated Packages:
[Full-disclosure] [ MDKSA-2007:103 ] - Updated php packages fix multiple vulnerabilities
___
Mandriva Linux Security Advisory                         MDKSA-2007:103
http://www.mandriva.com/security/
___
Package : php4
Date    : May 10, 2007
Affected: Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0
___
Problem Description:

A heap buffer overflow flaw was found in the xmlrpc extension for PHP. A script that implements an XML-RPC server using this extension could allow a remote attacker to execute arbitrary code as the apache user. This flaw does not, however, affect PHP applications using the pure-PHP XML_RPC class provided via PEAR (CVE-2007-1864).

A flaw was found in the ftp extension for PHP. A script using this extension to provide access to a private FTP server and which passed untrusted script input directly to any function provided by this extension could allow a remote attacker to send arbitrary FTP commands to the server (CVE-2007-2509).

Updated packages have been patched to prevent this issue.
___
References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2509
___
Updated Packages:
___
To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by
Re: [Full-disclosure] Linux big bang theory....
On Thu, 10 May 2007 15:12:01 EDT, J. Oquendo said:
> be security conscious than you are the fool here. Of the couple of thousand of brute force bots I see, none are on Windows.

Meanwhile, Vint Cerf was estimating 140 *million* compromised hosts, and they're sure as hell not all Linux boxes. Those several thousand ssh-pounders are insignificant compared to the overall problem.

In fact, if you estimate that Linux has even a 1% market share, if Linux was equally heavily exploited, you'd expect to see 1.4 million pwned Linux boxes, rather than just a couple of thousand.
[Full-disclosure] [CAID 35330, 35331]: CA Anti-Virus, CA Threat Manager, and CA Anti-Spyware Console Login and File Mapping Vulnerabilities
Title: [CAID 35330, 35331]: CA Anti-Virus, CA Threat Manager, and CA Anti-Spyware Console Login and File Mapping Vulnerabilities

CA Vuln ID (CAID): 35330, 35331

CA Advisory Date: 2007-05-09

Reported By: ZDI, iDefense

Impact: Attackers can cause a denial of service or potentially execute arbitrary code.

Summary: CA Anti-Virus for the Enterprise, CA Threat Manager, and CA Anti-Spyware contain multiple vulnerabilities that can allow an attacker to cause a denial of service or possibly execute arbitrary code. CA has issued patches to address the vulnerabilities.

The first vulnerability, CVE-2007-2522, is due to insufficient bounds checking on Console Server login credentials. A remote attacker can use carefully constructed authentication credentials to cause a stack based buffer overflow, which can potentially result in arbitrary code execution.

The second vulnerability, CVE-2007-2523, is due to insufficient bounds checking in InoCore.dll. A local attacker can modify the contents of a file mapping to cause a stack based buffer overflow, which can potentially result in arbitrary code execution. This issue only affects CA Anti-Virus for the Enterprise and CA Threat Manager.

Mitigating Factors: For CVE-2007-2522, the vulnerability applies only to an installation on the x86 platform with the Console Server installed.

Severity: CA has given these vulnerabilities a combined High risk rating.

Affected Products:
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8
CA Threat Manager (formerly eTrust Integrated Threat Management) r8
CA Anti-Spyware for the Enterprise (formerly eTrust PestPatrol) r8
CA Protection Suites r3

Affected Platforms: Windows

Status and Recommendation:
CA has issued an update to address the vulnerabilities. The patched files are available as part of the product's automatic content update. The following components must be enabled in order to receive these updates: eTrust ITM Console Server must be enabled to receive InoWeb.exe updates, and eTrust ITM Common must be enabled to receive InoCore.dll updates.

How to determine if the installation is affected:
1. Using Windows Explorer, locate the files InoWeb.exe and InoCore.dll. By default, the files are located in the C:\Program Files\CA\eTrustITM directory.
2. Right click on each of the files and select Properties.
3. Select the Version tab (or the Details tab if you are using Windows Vista).
4. If either file version is earlier than indicated below, the installation is vulnerable.

File Name      File Version
InoWeb.exe     8.0.448.0
InoTask.dll    8.0.448.0

Workaround:
In situations where updating the product is not immediately feasible, the following workaround can be used as a temporary measure to reduce exposure. For CVE-2007-2522, filter access to TCP port 12168.

References (URLs may wrap):
CA SupportConnect:
http://supportconnect.ca.com/

CA SupportConnect Security Notice for this vulnerability:
Security Notice for CA Anti-Virus for the Enterprise, CA Threat Manager, and CA Anti-Spyware
http://supportconnectw.ca.com/public/antivirus/infodocs/caav-secnotice050807.asp

CA Security Advisor posting:
CA Anti-Virus, CA Threat Manager, and CA Anti-Spyware Console Login and File Mapping Vulnerabilities
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=139626

CAID: 35330, 35331
CAID Advisory links:
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35330
http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35331

Reported By: iDefense
iDefense Advisory: 05.09.07 : Computer Associates eTrust InoTask.exe Antivirus Buffer Overflow Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=530

Reported By: ZDI
ZDI Advisory: ZDI-07-028
http://www.zerodayinitiative.com/advisories/ZDI-07-028.html

CVE References: CVE-2007-2522, CVE-2007-2523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2523

OSVDB References: OSVDB-34585, OSVDB-34586
http://osvdb.org/34585
http://osvdb.org/34586

Changelog for this advisory:
v1.0 - Initial Release

Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com.

For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our Submit a Vulnerability form.
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx

Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2007 CA. All rights reserved.