[Full-disclosure] CORE-2008-0320 - Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls

2008-04-28 Thread CORE Security Technologies Advisories


  Core Security Technologies - CoreLabs Advisory
   http://www.coresecurity.com/corelabs/

 Insufficient argument validation of hooked SSDT functions on
 multiple Antivirus and Firewalls


*Advisory Information*

Title: Insufficient argument validation of hooked SSDT functions on
multiple Antivirus and Firewalls
Advisory ID: CORE-2008-0320
Advisory URL: http://www.coresecurity.com/?action=item&id=2249
Date published: 2008-04-28
Date of last update: 2008-04-28
Vendors contacted: BitDefender, Comodo, Sophos and Rising
Release mode: Coordinated release (BitDefender, Comodo, Rising), User
release (Sophos)


*Vulnerability Information*

Class: Invalid memory reference
Remotely Exploitable: No
Locally Exploitable: Yes
Bugtraq ID: 28741, 28742, 28743, 28744  
CVE Name: CVE-2008-1735, CVE-2008-1736, CVE-2008-1737, CVE-2008-1738


*Vulnerability Description*

Insufficient argument validation of hooked SSDT functions on multiple
Antivirus and Firewalls (BitDefender Antivirus [1], Comodo Firewall [2],
Sophos Antivirus [3] and Rising Antivirus [4]) has been found that
could lead to a Denial of Service (DoS) and possibly to code execution
attacks. An attacker exploiting these flaws could locally reboot the
whole system, shutting down the firewall or anti-virus protection.
However, in some cases it may be possible to extend the impact of these
bugs, and they could lead to the execution of arbitrary code in the
privileged kernel mode.
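Added example, not code from the advisory or from any of the vendors: a user-mode C model of the argument validation an SSDT hook needs before it touches caller-supplied memory. The probe address, the simulated user page, the obj_attr_model layout and the helper names are assumptions of the model; a real Windows hook performs the same steps with ProbeForRead/ProbeForWrite inside __try/__except.

```c
#include <stdint.h>
#include <string.h>

/* Model of the 32-bit user/kernel split: user mode lies below
 * MmUserProbeAddress. The constant here belongs to this model, not to
 * the real kernel variable. */
#define MODEL_USER_PROBE_ADDRESS 0x7FFF0000u

/* Constructed, simulated user address space: one page at SIM_BASE. */
#define SIM_BASE 0x00400000u
#define SIM_SIZE 0x1000u
static uint8_t sim_user[SIM_SIZE];

/* Hypothetical argument block a hooked service receives by pointer from
 * user mode; like OBJECT_ATTRIBUTES it carries a nested user pointer. */
struct obj_attr_model {
    uint32_t length;    /* must equal sizeof(struct obj_attr_model) */
    uint32_t name_ptr;  /* user-mode pointer to a UTF-16 name */
    uint32_t name_len;  /* bytes at name_ptr */
};

enum hook_verdict { HOOK_OK = 0, HOOK_BAD_STRUCT = 1, HOOK_BAD_NAME = 2 };

/* 1 if [addr, addr+len) is aligned and lies wholly in user space, else 0.
 * This is the check ProbeForRead/ProbeForWrite perform; a hook must run
 * it before touching any caller-supplied address. */
int probe_user_range(uint32_t addr, uint32_t len, uint32_t align)
{
    if (align == 0 || (align & (align - 1)) != 0) return 0; /* not a power of 2 */
    if ((addr & (align - 1)) != 0) return 0;                /* misaligned */
    if (len == 0) return 1;                                 /* nothing to touch */
    if (addr > UINT32_MAX - len) return 0;                  /* range wraps */
    if (addr + len > MODEL_USER_PROBE_ADDRESS) return 0;    /* reaches kernel */
    return 1;
}

/* Copy len bytes out of the simulated user page; 0 models the page fault
 * a real hook must catch with __try/__except. */
static int sim_read(uint32_t addr, void *dst, uint32_t len)
{
    if (addr < SIM_BASE || len > SIM_SIZE || addr - SIM_BASE > SIM_SIZE - len)
        return 0;
    memcpy(dst, sim_user + (addr - SIM_BASE), len);
    return 1;
}

/* Hardened hook prologue: probe the block, capture it into kernel-owned
 * memory, then validate the nested pointer from that copy so user mode
 * cannot swap it after the check (no double fetch). */
enum hook_verdict capture_obj_attr(uint32_t user_addr, struct obj_attr_model *kcopy)
{
    if (!probe_user_range(user_addr, (uint32_t)sizeof *kcopy, 4)) return HOOK_BAD_STRUCT;
    if (!sim_read(user_addr, kcopy, (uint32_t)sizeof *kcopy)) return HOOK_BAD_STRUCT;
    if (kcopy->length != sizeof *kcopy) return HOOK_BAD_STRUCT;
    if (!probe_user_range(kcopy->name_ptr, kcopy->name_len, 2)) return HOOK_BAD_NAME;
    return HOOK_OK;
}

/* Test helper: place a constructed argument block in the simulated page. */
void sim_put_obj_attr(uint32_t addr, uint32_t name_ptr, uint32_t name_len)
{
    struct obj_attr_model a = { sizeof a, name_ptr, name_len };
    memcpy(sim_user + (addr - SIM_BASE), &a, sizeof a);
}
```

Checking only that the outer pointer is non-NULL would still let a kernel address, a misaligned address or a wrapped range reach the dereference; each of those is rejected above before any memory is read.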


*Vulnerable Packages*

. BitDefender Antivirus 2008 Build 11.0.11
. Comodo Firewall Pro 2.4.18.184
. Sophos Antivirus 7.0.5
. Rising Antivirus 19.60.0.0 and 19.66.0.0
. Older versions may be affected, but were not checked.


*Non-vulnerable Packages*

. BitDefender Antivirus 2008 builds available through automatic updates
after January 18th.
. Comodo Firewall Pro 3.0
. Rising Antivirus 20.38.20


*Vendor Information, Solutions and Workarounds*

1) BITDEFENDER ANTIVIRUS (BID 28741, CVE-2008-1735)

According to BitDefender, the flaw was not exploited by any malicious
application, and it was corrected through automatic updates. Information
on this issue can be found on BitDefender website at this location:
http://kb.bitdefender.com/KB419-en--Security-vulnerability-in-BitDefender-2008.html.



2) COMODO FIREWALL PRO (BID 28742, CVE-2008-1736)

The vulnerability is fixed in Comodo Firewall Pro 3.0, available at:
http://www.personalfirewall.comodo.com/download_firewall.html


3) SOPHOS ANTIVIRUS (BID 28743, CVE-2008-1737)

Vendor statement:

"Sophos Anti-Virus 7.x for Windows 2000, 2003 and XP is affected by this
vulnerability.

Non-vulnerable products from Sophos are earlier versions of Sophos
Anti-Virus for Windows, Sophos Anti-Virus for non-Windows platforms and
all other Sophos products.

The vulnerability is only exploitable if Runtime Behavioural Analysis is
switched on. Even then the exploit will only be effective if the end
user is using security settings that are lower than the defaults for
most web browsers today, or if the end user agrees to activate an
ActiveX or Java Applet from the webpage hosting the exploit.

Workarounds to avoid this vulnerability include:

a. Using the default security settings or higher on the latest version
of your chosen web browser. In line with general security best practice
we would also encourage end users not to download ActiveX or Java
Applets unless confident about their content.

b. Turning off the Runtime Behavioural Analysis functionality within
Sophos Anti-Virus (customers will still benefit from Sophos Behavioural
Genotype protection and other means of protecting endpoints against
malware).

N.B. Should an exploit be released into the wild, Sophos will deploy
protection against that exploit.

The fix for this vulnerability requires customers to reboot their
endpoints. Given the low severity of the vulnerability, to minimise
disruption to our customers Sophos will release the fix at the earliest
opportunity that coincides with a necessary reboot of the product."


4) RISING ANTIVIRUS (BID 28744, CVE-2008-1738)

A fixed version of Rising Antivirus can be downloaded from:
http://rsdownload.rising.com.cn/for_down/rsfree/ravolusrfree.exe

All Rising customers can also update up to a patched version through
automatic updates.


*Credits*

These vulnerabilities (except the Rising one) were discovered by Damian
Saura, Anibal Sacco, Dario Menichelli, Norberto Kueffner, Andres Blanco
and Rodrigo Carvalho from Core Security Technologies, during Bugweek 2007.
The Rising vulnerability was discovered by Anibal Sacco from the Core
Security Technologies exploit writers team.

These vulnerabilities were researched by Anibal Sacco and Damian Saura
from Core Security Technologies.


*Technical Description / Proof of Concept Code*

We have found that BitDefender Antivirus, Rising Antivirus, Comodo
Firewall and Sophos Antivirus have hooks that do not properly validate
the argum

[Full-disclosure] [SECURITY] [DSA 1562-1] New iceape packages fix arbitrary code execution

2008-04-28 Thread Moritz Muehlenhoff

--------------------------------------------------------------------------
Debian Security Advisory DSA-1562-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                         Moritz Muehlenhoff
April 28, 2008                           http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: iceape
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2008-1380

It was discovered that crashes in the JavaScript engine of Iceape,
an unbranded version of the Seamonkey internet suite, could
potentially lead to the execution of arbitrary code.

For the stable distribution (etch), this problem has been fixed in
version 1.0.13~pre080323b-0etch3.

For the unstable distribution (sid), this problem has been fixed in
version 1.1.9-2.

We recommend that you upgrade your iceape packages.

Upgrade instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 4.0 (stable)
-------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.


Re: [Full-disclosure] R.I.P rgod - :(

2008-04-28 Thread M. Shirk
You're not dead...you don't want to go on the cart... you feel fine...you might 
go for a walk...you feel happy? 

:)

Shirkdog
' or 1=1-- 

http://www.shirkdog.us

From: [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Date: Mon, 28 Apr 2008 19:32:57 +0430
Subject: [Full-disclosure] R.I.P rgod - :(

I am *not* dead. :(

http://retrogods.blogspot.com/



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] R.I.P rgod - :(

2008-04-28 Thread Retro God

I am *not* dead. :(

http://retrogods.blogspot.com/

 -- rgod

[Full-disclosure] [SECURITY] [DSA 1561-1] New ldm packages fix information disclosure

2008-04-28 Thread Thijs Kinkhorst

--------------------------------------------------------------------------
Debian Security Advisory DSA-1561-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                            Thijs Kinkhorst
April 28, 2008                           http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: ldm
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2008-1293
Debian Bug : 469462

Christian Herzog discovered that within the Linux Terminal Server Project,
it was possible to connect to X on any LTSP client from any host on the
network, making client windows and keystrokes visible to that host.

NOTE: most ldm installs are likely to be in a chroot environment exported
over NFS, and will not be upgraded merely by upgrading the server itself.
For example, on the i386 architecture, to upgrade ldm will likely require:

chroot /opt/ltsp/i386 apt-get update
chroot /opt/ltsp/i386 apt-get dist-upgrade


For the stable distribution (etch), this problem has been fixed in
version 0.99debian11+etch1.

For the unstable distribution (sid), this problem has been fixed in
version 2:0.1~bzr20080308-1.

We recommend that you upgrade your ldm package.

Upgrade instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------



  These files will probably be moved into the stable distribution on
  its next update.


[Full-disclosure] [SECURITY] [DSA 1560-1] New kronolith2 packages fix cross site scripting

2008-04-28 Thread Thijs Kinkhorst

--------------------------------------------------------------------------
Debian Security Advisory DSA-1560-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                            Thijs Kinkhorst
April 28, 2008                           http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: kronolith2
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
Debian Bug : 478121

"The-0utl4w" discovered that Kronolith, the calendar component of
the Horde Framework, did not properly sanitise URL input, leading to
a cross-site scripting vulnerability in the add event screen.

For the stable distribution (etch), this problem has been fixed in
version 2.1.4-1etch1.

The unstable distribution (sid) will be fixed soon.

We recommend that you upgrade your kronolith2 package.

Upgrade instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------



  These files will probably be moved into the stable distribution on
  its next update.

--------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show ' and http://packages.debian.org/


Re: [Full-disclosure] Fwd: Its time to take rick rolling seriously

2008-04-28 Thread mcwidget
On Sat, Apr 26, 2008 at 12:48 AM, n3td3v <[EMAIL PROTECTED]> wrote:

> -- Forwarded message 
>  I see a new craze of "cyber rolling" coming which hackers can exploit
>  and i'm not sure if I like it very much, its fun and games at the
>  moment, but just wait to the hackers catch on and things develop with
>  the rick roll trend.


Can you define what you mean by the term "cyber rolling" and how this
differs from the phishing attacks we see regularly already?  Are you meaning
a dry-run expedition before a more targeted malicious attack?

Re: [Full-disclosure] Fwd: Its time to take rick rolling seriously

2008-04-28 Thread MiW Mailing Lists
I don't agree at all -- being rickrolled is one thing (passive),
typing authentication credentials (active) is something very
different.

I mean
Somebody could want to learn more about that blessed pokemon mudkip

they might visit:
http://so.i.herd.u.liek.mudki.ps/


> i actually agree with this thread.  but its not just rick rolling.
> its any link that anyone sends.

