[Full-disclosure] MOCA 2008: a dream come true

2008-06-10 Thread Alessio L.R. Pennasilico

Many hoped, few believed, the rumors conflicting, the souls aflame,  
cats and dogs sleeping together, but in the end we made it!

Four years after the celebration of the 10th birthday of Metro  
Olografix, at fans' request, the summer camp will come back to let us  
spend a few hot August days together again, among arrosticini and  
glasses of wine and swims and talks - oh my! - in neat little Pescara.

Ardetec li cannilicchie!

The second edition of the Metro Olografix Camp will take place August  
21st to 24th 2008, at the ex Caserma Di Cocco Park. MOCA is a hacker  
camp in north-European style, free admittance, open to all, to meet  
and have fun sharing information and knowledge.

Just like four years ago, it will be a chance to meet old and new  
friends, all those who populated the computer underground so far since  
that infamous 1994, ready to live it in the coming years, together  
with those who have only just begun peeking into a telematic world  
made increasingly more worrisome by technologic and legal implications.

See you in Pescara, you, your tent, your computer: to hack,  
experiment, play, chat, do whatever will ultimately send us thinking  
once again, it was really worth it! all the way back home.

The Call For Papers deadline is August 1st 2008: propose your thematic  
area, your activity, your talk. We'll be happy to help you do  
something for the event and, especially, for all who'll spend together  
four - we hope - unforgettable days of their lives.

Everyone's invited, see you in Pescara, to share experiences and  
knowledge in the spirit of pure hacker ethics.

Information wants to be free!

For info: http://camp.olografix.org/home.php?lng=en

Submit your proposals to: [EMAIL PROTECTED]

Mailing list for attendees: [EMAIL PROTECTED]

a need some nicotine mayhem
-- 
Key on pgp.mit.edu ID B88FE057






___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] avira update.exe

2008-06-10 Thread Archibald Tuttle
Thanks for the reply, Sergio.
I had this problem 2 weeks ago for 3 days.
I thought that they had fixed the updater because it was working fine
then.
Yesterday the problem appeared again.
So maybe it's reproducible.
I will send it to Avira.

a.t.



original message:

Hi Tuttle,

If you read carefully the screenshot that you sent, you'll realize it 
very easily... it's trying to write to a NULL pointer, which means it's 
trying to write to the address 0x which in this case is not 
allowed and therefore it ends in an ACCESS VIOLATION exception.
The cause of that may be a couple of things (and not all of them belonging to the 
AV software); just forward your problem to the AV company and they will 
figure out how to fix that misbehavior.
If you want a quick fix to that.. hehe well I would download and 
reinstall it from scratch again.

Cheers,
   Sergio

Archibald Tuttle wrote:
 hi.
 today my avira's updater fails again.
 olly started and i made a screenshot:
 http://grospolina.org/img/avira3.gif
 any ideas?
 what happened?
 
 thank you,
 a.t.



[Full-disclosure] Secunia Research: Apple QuickTime PICT Image Parsing Buffer Overflow

2008-06-10 Thread Secunia Research
== 

 Secunia Research 10/06/2008

   - Apple QuickTime PICT Image Parsing Buffer Overflow -

== 
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

== 
1) Affected Software 

* Apple QuickTime 7.4.5

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Highly critical
Impact: System access
Where:  Remote

== 
3) Vendor's Description of Software 

Whether you are creating content for delivery on cell phones,
broadcast or the Internet, or a software developer looking to take
your application to the next level, QuickTime provides the most
comprehensive platform in the industry.

Product Link:
http://www.apple.com/quicktime/

== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Apple Quicktime
which can be exploited by malicious people to potentially compromise
a user's system.

The vulnerability is caused due to a boundary error when parsing
packed scanlines from a PixData structure in a PICT file and can be
exploited to cause a heap-based buffer overflow via e.g. viewing a
specially crafted image file.

Successful exploitation may allow execution of arbitrary code.

== 
5) Solution 

Update to QuickTime 7.5.

== 
6) Time Table 

10/03/2008 - Vendor notified.
13/03/2008 - Vendor response.
10/06/2008 - Public disclosure.

== 
7) Credits 

Discovered by Dyon Balding, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2008-1581 for the vulnerability.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below 
to see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/ 

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2008-9/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==



Re: [Full-disclosure] Mambo Cookie Authentication Bypass Exploit

2008-06-10 Thread crunkd
So to perform this 'bypass' you need the password in the first 
place? You absolute fucking morons, the security scene is not for 
you. I hope someone stabs you over a food stamp. Faggots.


Halabaluza Team Halabaluza Team halabaluza.team at gmail.com
Sun Jun 8 12:29:56 BST 2008


for mambo = 4.5.5 and = 4.6.2 maybe others

GET http://[TARGET]/index.php
Host: [TARGET]
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b5)
Gecko/2008050509 Firefox/3.0b5
Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/
plain;q=0.8,image/png,*/*;q=0.5
Keep-Alive: 300
Connection: keep-alive
Cookie: usercookie[username]=[USERNAME];usercookie[password]=[MD5]
Cache-Control: max-age=0

FREE TIBET!





Re: [Full-disclosure] Mambo Cookie Authentication Bypass Exploit

2008-06-10 Thread Garrett M. Groff
And situations involving social interaction are not for you. Please avoid
them at all costs until social skills improve.

Oh, and please read the list charter that was recently distributed. On it,
you will see that offensive language and personal attacks are disallowed.

G




[Full-disclosure] Who's Behind the GPcode Ransomware?

2008-06-10 Thread Dancho Danchev
Hello,

The following is an OSINT analysis aiming to assist in tracking down
the malware authors behind GPcode, who seem to be building custom
decryptors, next to issuing a universal one which can be used to
decrypt anything ever encrypted by them.

Who's behind the GPcode ransomware? It's Russian teens with pimples,
using E-gold and Liberty Reserve accounts, running three different
GPcode campaigns, two of which request either $100 or $200 for the
decryptor, and communicating from Chinese IPs. Here are all the
details regarding the emails they use, the email responses they sent
back, the currency accounts, as well their most recent IPs used in the
communication.

http://ddanchev.blogspot.com/2008/06/whos-behind-gpcode-ransomware.html
http://blogs.zdnet.com/security/?p=1259

Regards
-- 
Dancho Danchev
Cyber Threats Analyst/Blogger
http://ddanchev.blogspot.com
http://blogs.zdnet.com/security
http://windowsecurity.com/Dancho_Danchev



[Full-disclosure] Technical Details of Security Issues Regarding Safari for Windows

2008-06-10 Thread LIUDIEYU dot COM
The first issue is the one described in Microsoft Security Advisory
953818. It was worked out by Aviv Raff:
http://www.microsoft.com/technet/security/advisory/953818.mspx
http://aviv.raffon.net/2008/05/31/SafariPwnsInternetExplorer.aspx
It's covered by the news, but Aviv Raff has not published technical details
yet. News stories say Microsoft are going to handle this: "The
Internet Explorer bulletin is expected to be cumulative and might
include some remediation for the Safari for Windows vulnerability
disclosed last month by Nitesh Dhanjani"
http://news.cnet.com/8301-10789_3-9959752-57.html?part=rss&subj=news&tag=2547-1_3-0-20
(It should be Aviv Raff instead of Nitesh Dhanjani, as suggested in
the Microsoft security advisory and Aviv Raff's blog.)
Also, it sounds unnatural that Microsoft provide remediation for a Safari
vulnerability, and that the remediation is distributed in an IE patch. I
provide the technical details of this issue for those who are
interested:
http://liudieyu0.blog124.fc2.com/blog-entry-1.html
In my personal opinion this issue is rooted in IE wrongly loading a DLL
from the desktop (instead of WINDOWS\SYSTEM32).

The second issue is about the possibility that Safari can download
malicious content that has a confusing file name and icon, which might be
launched later by an unknowing user. Details are here:
A New Security Issue in Safari for Windows, NOT the Blended Threat
Described in Microsoft Security Advisory 953818
http://liudieyu0.blog124.fc2.com/blog-entry-3.html
In the post I say the main concern comes from LNK (shortcut files). Of
course EXE can also be a concern if the file name extension is hidden. But
most people I know do have file name extensions displayed in Windows.



Re: [Full-disclosure] Who's Behind the GPcode Ransomware?

2008-06-10 Thread kat
Hoi,
but in fact their business model will fail
if one would resell the decryptor.
Alternatively (if one has too much money) buy it and allow free download.

greets,
kat





[Full-disclosure] iDefense Security Advisory 06.10.08: Multiple Vendor OpenOffice rtl_allocateMemory() Integer Overflow Vulnerability

2008-06-10 Thread iDefense Labs
iDefense Security Advisory 06.10.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 10, 2008

I. BACKGROUND

OpenOffice is an open-source desktop office suite for many of today's
popular operating systems. For more information, see the vendor's site
found at the following URL.

http://www.openoffice.org/

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in OpenOffice,
as included in various vendors' operating system distributions, allows
attackers to execute arbitrary code with the privileges of the
logged-in user.

The vulnerability exists due to the rtl_allocateMemory() function
rounding up allocation requests to be aligned on an 8 byte boundary
without checking if this rounding results in an integer overflow
condition. The vulnerable code is as follows, taken from
sal/rtl/source/alloc_global.c:

   191  void *
   192  SAL_CALL rtl_allocateMemory (sal_Size n)
   193  {
   194      void * p = 0;
   195      if (n > 0)
   196      {
   197          char * addr;
   198          sal_Size   size = RTL_MEMORY_ALIGN(n + RTL_MEMALIGN, RTL_MEMALIGN);
   199
   200          int index = (size - 1) >> RTL_MEMALIGN_SHIFT;
   201          OSL_ASSERT(RTL_MEMALIGN >= sizeof(sal_Size));
   202
   203  try_alloc:
   204          if (index < RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT)
   205              addr = (char*)rtl_cache_alloc(g_alloc_table[index]);
   206          else
   207              addr = (char*)rtl_arena_alloc (gp_alloc_arena, &size);
   208
   208

The problem occurs at line 198. The n + RTL_MEMALIGN calculation can
overflow if n > UINT_MAX - RTL_MEMALIGN. This results in an undersized
buffer being allocated at try_alloc. This buffer is then passed back to
the calling function, which assumes that the buffer is much larger than
it actually is. This results in a heap overflow.

As this vulnerability occurs in the core memory allocator, there are
numerous ways to trigger the vulnerable code using a wide variety of
different file types.
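To make the arithmetic at line 198 concrete, here is an added example (not iDefense's or OpenOffice's code) that models the unchecked round-up on a 32-bit sal_Size next to a checked version that rejects wrapping requests. The RTL_MEMALIGN value of 8 and the RTL_MEMORY_ALIGN macro body are assumptions taken from the common 8-byte-alignment idiom, not from the advisory.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the 32-bit sal_Size the advisory reasons about
 * ("overflow if n > UINT_MAX - RTL_MEMALIGN"). */
typedef uint32_t sal_Size;

/* ASSUMED values: the usual 8-byte alignment idiom, not taken from the advisory. */
#define RTL_MEMALIGN        8
#define RTL_MEMALIGN_SHIFT  3
#define RTL_MEMORY_ALIGN(value, align) \
    (((value) + ((align) - 1)) & ~((sal_Size)(align) - 1))

/* The size computation of line 198 in the quoted code: nothing guards the
 * addition or the round-up, so both can wrap modulo 2^32. */
sal_Size vulnerable_alloc_size(sal_Size n)
{
    return RTL_MEMORY_ALIGN(n + RTL_MEMALIGN, RTL_MEMALIGN);
}

/* Hardened variant: reject any n for which the padding or the round-up would
 * wrap. Returns false and leaves *out untouched on rejection. */
bool checked_alloc_size(sal_Size n, sal_Size *out)
{
    if (n > UINT32_MAX - RTL_MEMALIGN)              /* n + RTL_MEMALIGN wraps */
        return false;
    sal_Size padded = n + RTL_MEMALIGN;
    if (padded > UINT32_MAX - (RTL_MEMALIGN - 1))   /* the round-up itself wraps */
        return false;
    *out = RTL_MEMORY_ALIGN(padded, RTL_MEMALIGN);
    return true;
}

/* Wrapper for callers that only need a yes/no: 0 means rejected
 * (a padded size is never 0). */
sal_Size checked_alloc_size_or_zero(sal_Size n)
{
    sal_Size size;
    return checked_alloc_size(n, &size) ? size : 0;
}

/* The condition that matters to the caller: it asked for n bytes but the
 * allocator handed back a smaller block, so a later copy of n bytes overflows. */
bool request_is_undersized(sal_Size n)
{
    return vulnerable_alloc_size(n) < n;
}

int main(void)
{
    /* Constructed probes: one ordinary request, two that wrap at different
     * steps (the advisory names the first kind; the second is the same bug one
     * step later, inside the round-up), and one that is huge but arithmetically
     * sound. */
    const sal_Size probes[] = { 16, 0xFFFFFFFFu, 0xFFFFFFF1u, 0xFFFFFFF0u };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        sal_Size n = probes[i];
        printf("n=0x%08" PRIX32 "  unchecked size=0x%08" PRIX32
               "  undersized=%d  checked=0x%08" PRIX32 "\n",
               n, vulnerable_alloc_size(n), request_is_undersized(n),
               checked_alloc_size_or_zero(n));
    }
    return 0;
}
```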

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user opening the file. To exploit this
vulnerability, an attacker needs to convince a user to open a malicious
file. After opening the file, no further interaction is needed.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in OpenOffice
version 2.4. Previous versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue. Since
the vulnerability can be triggered by so many different file types,
disabling access to certain file types is not a valid workaround. As
such, avoid opening files from untrusted parties and unexpected files
from trusted parties.

VI. VENDOR RESPONSE

OpenOffice.Org has addressed this vulnerability by releasing version
2.4.1 of their product. For more information, consult the OOo Security
Bulletin at the following URL.

http://www.openoffice.org/security/cves/CVE-2008-2152.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-2152 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

05/08/2008  Initial vendor notification
05/09/2008  Initial vendor response
06/10/2008  Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Sean Larsson, iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.



[Full-disclosure] iDefense Security Advisory 06.10.08: Multiple Vendor FreeType2 PFB Memory Corruption Vulnerability

2008-06-10 Thread iDefense Labs
iDefense Security Advisory 06.10.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 10, 2008

I. BACKGROUND

FreeType2 is an open source library for parsing fonts that is used by
many applications. This includes projects such as X.Org, Second Life,
and the Sun Java JRE. For more information, please see the vendor's
website at the following URL.

http://freetype.sourceforge.net/freetype2/

II. DESCRIPTION

Remote exploitation of a memory corruption vulnerability in the
FreeType2 library, as included in various vendors' operating systems,
could allow an attacker to execute arbitrary code with the privileges
of the affected application.

The vulnerability exists within the code responsible for parsing Printer
Font Binary (PFB) format font files. By providing an invalid 'number of
axes' in the file, it is possible to cause the code to call the free()
function on areas of memory that were not dynamically allocated. This
can lead to memory corruption, which can allow for the execution of
arbitrary code.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the application using the library. Since
FreeType2 is a library and not a standalone application, the
exploitation vector will vary. iDefense Labs verified that local
privilege escalation was possible via the X.Org Xserver.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in FreeType2
version 2.3.5. Previous versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.
Changing the permissions on the freetype.so library may not always be
effective since applications that run with root privileges are not
restricted by file permissions.

VI. VENDOR RESPONSE

The FreeType maintainers addressed this vulnerability with the release
of version 2.3.6. For more information, refer to the release notes at
the following URL.

http://sourceforge.net/project/shownotes.php?group_id=3157&release_id=605780

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-1807 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

06/03/2008  Initial vendor notification
06/04/2008  Initial vendor response
06/10/2008  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by regenrecht.



[Full-disclosure] iDefense Security Advisory 06.10.08: Multiple Vendor FreeType2 PFB Integer Overflow Vulnerability

2008-06-10 Thread iDefense Labs
iDefense Security Advisory 06.10.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 10, 2008

I. BACKGROUND

FreeType2 is an open source library for parsing fonts that is used by
many applications. This includes projects such as X.Org, Second Life,
and the Sun Java JRE. For more information, please see the vendor's
website at the following URL.

http://freetype.sourceforge.net/freetype2/

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in the
FreeType2 library, as included in various vendors' operating systems,
could allow an attacker to execute arbitrary code with the privileges
of the affected application.

The vulnerability exists within the code responsible for parsing Printer
Font Binary (PFB) format font files. PFB files contain a section known
as the Private dictionary table which is used to describe how
characters are constructed. When parsing this data structure, a series
of 16-bit length values are read in from the file. These values are
added together and used to allocate a dynamic buffer. The addition can
result in an integer overflow, which subsequently leads to a heap
overflow.
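As an added illustration of this class of bug (example code, not FreeType's), the following models a parser that sums 16-bit length fields from an untrusted table into a 32-bit accumulator, a width assumed here because the advisory does not state it, beside a variant that caps the running total before it can wrap. The hostile and benign tables are constructed in the code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the parser's accumulator. ASSUMED 32-bit: the advisory says only
 * that the 16-bit lengths "are added together", not how wide the sum is. */
typedef uint32_t acc_t;

/* 65537 entries of 0xFFFF sum to exactly UINT32_MAX; one more wraps the sum. */
#define HOSTILE_ENTRIES 65538u
#define BENIGN_ENTRIES  2u
static uint8_t g_hostile[2 * HOSTILE_ENTRIES];

/* Constructed hostile table: every big-endian 16-bit length claims 0xFFFF. */
const uint8_t *hostile_table(void)
{
    memset(g_hostile, 0xFF, sizeof g_hostile);
    return g_hostile;
}

/* Constructed benign table: two entries of 0x0010 and 0x0100 bytes. */
const uint8_t *benign_table(void)
{
    static const uint8_t benign[] = { 0x00, 0x10, 0x01, 0x00 };
    return benign;
}

static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Unchecked: how a parser sizes one buffer for all entries when it trusts the
 * file. The sum silently wraps modulo 2^32, so a table of 65538 entries that
 * each claim 65535 bytes yields a buffer of 65534 bytes. */
acc_t sum_lengths_unchecked(const uint8_t *table, size_t count)
{
    acc_t total = 0;
    for (size_t i = 0; i < count; i++)
        total += read_be16(table + 2 * i);
    return total;
}

/* Checked: stop as soon as the running total would pass `limit`, a sanity cap
 * for one font section. Because total <= limit always holds, limit - total
 * cannot underflow. Returns false on rejection and leaves *out untouched. */
bool sum_lengths_checked(const uint8_t *table, size_t count, acc_t limit, acc_t *out)
{
    acc_t total = 0;
    for (size_t i = 0; i < count; i++) {
        acc_t len = read_be16(table + 2 * i);
        if (len > limit - total)
            return false;
        total += len;
    }
    *out = total;
    return true;
}

/* Wrapper for yes/no callers: 0 means rejected (an all-zero table would be
 * useless for sizing an allocation anyway). */
acc_t checked_sum_or_zero(const uint8_t *table, size_t count, acc_t limit)
{
    acc_t total;
    return sum_lengths_checked(table, count, limit, &total) ? total : 0;
}

int main(void)
{
    const acc_t limit = 16u << 20;   /* 16 MiB cap for this model */
    printf("benign:  unchecked=%lu checked=%lu\n",
           (unsigned long)sum_lengths_unchecked(benign_table(), BENIGN_ENTRIES),
           (unsigned long)checked_sum_or_zero(benign_table(), BENIGN_ENTRIES, limit));
    printf("hostile: unchecked=%lu (wrapped) checked=%lu (rejected)\n",
           (unsigned long)sum_lengths_unchecked(hostile_table(), HOSTILE_ENTRIES),
           (unsigned long)checked_sum_or_zero(hostile_table(), HOSTILE_ENTRIES, limit));
    return 0;
}
```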

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the application using the library. Since
FreeType2 is a library and not a standalone application, the
exploitation vector will vary. iDefense Labs verified that local
privilege escalation was possible via the X.Org Xserver.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in FreeType2
version 2.3.5. Previous versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.
Changing the permissions on the freetype.so library may not always be
effective since applications that run with root privileges are not
restricted by file permissions.

VI. VENDOR RESPONSE

The FreeType maintainers addressed this vulnerability with the release
of version 2.3.6. For more information, refer to the release notes at
the following URL.

http://sourceforge.net/project/shownotes.php?group_id=3157&release_id=605780

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-1806 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

06/03/2008  Initial vendor notification
06/04/2008  Initial vendor response
06/10/2008  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by regenrecht.



[Full-disclosure] iDefense Security Advisory 06.10.08: Multiple Vendor FreeType2 Multiple Heap Overflow Vulnerabilities

2008-06-10 Thread iDefense Labs
iDefense Security Advisory 06.10.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 10, 2008

I. BACKGROUND

FreeType2 is an open source library for parsing fonts that is used by
many applications. This includes projects such as X.Org, Second Life,
and the Sun Java JRE. For more information, please see the vendor's
website at the following URL.

http://freetype.sourceforge.net/freetype2/

II. DESCRIPTION

Remote exploitation of multiple heap overflow vulnerabilities in the
FreeType2 library, as included in various vendors' operating systems,
could allow an attacker to execute arbitrary code with the privileges
of the affected application.

Two vulnerabilities exist within the code responsible for parsing font
files.

The first vulnerability occurs when parsing Printer Font Binary (PFB)
format font files. PFB files contain various data structures, some of
which are stored in a tabular format. When parsing tables, the code
doesn't correctly validate a value used as an array index into a heap
buffer. The calculation contains an off-by-one error, which can result
in a heap overflow.

The second vulnerability occurs when parsing TrueType Font (TTF) font
files. TrueType font files contain font programs that are executed in
a TrueType virtual machine. One of the instructions in the instruction
set is 'SHC', which is used to shift a contour in the font by a
specified value. When parsing this instruction, the code doesn't
correctly validate an array index, which leads to an off-by-one heap
overflow.

III. ANALYSIS

Exploitation of these vulnerabilities results in the execution of
arbitrary code with the privileges of the application using the
library. Since FreeType2 is a library and not a standalone application,
the exploitation vector will vary. iDefense Labs verified that local
privilege escalation was possible via the X.Org Xserver.

IV. DETECTION

iDefense has confirmed the existence of these vulnerabilities in
FreeType2 version 2.3.5. Previous versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any workarounds for these issues.
Changing the permissions on the freetype.so library may not always be
effective since applications that run with root privileges are not
restricted by file permissions.

VI. VENDOR RESPONSE

The FreeType maintainers addressed these vulnerabilities with the
release of version 2.3.6. For more information, refer to the release
notes at the following URL.

http://sourceforge.net/project/shownotes.php?group_id=3157&release_id=605780

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-1808 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

06/03/2008  Initial vendor notification
06/04/2008  Initial vendor response
06/10/2008  Coordinated public disclosure

IX. CREDIT

These vulnerabilities were reported to iDefense by regenrecht.



[Full-disclosure] ZDI-08-038: QuickTime SMIL qtnext Redirect File Execution

2008-06-10 Thread zdi-disclosures
ZDI-08-038: QuickTime SMIL qtnext Redirect File Execution
http://www.zerodayinitiative.com/advisories/ZDI-08-038
June 10, 2008

-- CVE ID:
CVE-2008-1585

-- Affected Vendors:
Apple

-- Affected Products:
Apple Quicktime

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6119. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple QuickTime. User interaction is
required to exploit this vulnerability in that the target must open a
malicious file.

The specific flaw exists in the handling of SMIL text embedded in video
formats. No sanity checking is performed on values of the qt:next
attribute. When the URI for this attribute is a file type not recognized
by QuickTime, it is passed to url.dll!FileProtocolHandler, which allows
explorer.exe to handle non-http file types. Successful exploitation
can result in the execution of arbitrary code.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:

http://support.apple.com/kb/HT1222

-- Disclosure Timeline:
2008-05-08 - Vulnerability reported to vendor
2008-06-10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Petko D. (pdp) Petkov | GNUCITIZEN

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is being sent by 3Com for the sole use of the intended recipient(s) and
may contain confidential, proprietary and/or privileged information.
Any unauthorized review, use, disclosure and/or distribution by any 
recipient is prohibited.  If you are not the intended recipient, please
delete and/or destroy all copies of this message regardless of form and
any included attachments and notify 3Com immediately by contacting the
sender via reply e-mail or forwarding to 3Com at [EMAIL PROTECTED] 
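The sanity check the advisory says was missing, written out as an added example (not ZDI's or Apple's code): a Python allow-list over qt:next values that a mail gateway or file scanner could apply before a SMIL document reaches the player. The QuickTime SMIL extension namespace URI, the allowed schemes and extensions, and the sample documents are assumptions constructed for the example.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumed QuickTime SMIL extension namespace (not stated in the advisory).
QT_NS = "http://www.apple.com/quicktime/resources/smilextensions"
QT_NEXT = "{%s}next" % QT_NS

# Constructed allow-lists: streaming schemes and container extensions only;
# anything else is the kind of value the advisory says reached the shell.
ALLOWED_SCHEMES = {"http", "https", "rtsp"}
ALLOWED_EXTS = {".mov", ".mp4", ".m4v", ".3gp", ".smil", ".smi"}

def classify_uri(uri):
    """Judge one qt:next value; returns (ok, reason)."""
    if "\\" in uri:
        return False, "backslash in URI"
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:  # also rejects relative references
        return False, "scheme %r not allowed" % (scheme or "<none>")
    ext = posixpath.splitext(parts.path)[1].lower()
    if ext not in ALLOWED_EXTS:
        return False, "extension %r is not a recognised media type" % ext
    return True, "ok"

def check_smil(smil_text):
    """Return (value, ok, reason) for every qt:next attribute in a document."""
    root = ET.fromstring(smil_text)
    return [(v, *classify_uri(v)) for e in root.iter()
            if (v := e.get(QT_NEXT)) is not None]

def make_smil(next_uri):
    """Build a minimal constructed SMIL document carrying one qt:next."""
    return ('<smil xmlns="http://www.w3.org/2001/SMIL20/Language" '
            'xmlns:qt="%s" qt:next="%s"><body><video src="intro.mov"/>'
            '</body></smil>' % (QT_NS, next_uri))

# Constructed samples: one legitimate chained movie, two the check rejects.
SAMPLES = {
    "chained movie": "http://media.example.test/next.mov",
    "file scheme": "file:///C:/example/tool.exe",
    "unknown type": "http://media.example.test/next.hta",
}

def run_samples():
    """Return [(sample name, ok, reason)] for every constructed sample."""
    return [(name, ok, reason) for name, uri in SAMPLES.items()
            for _, ok, reason in check_smil(make_smil(uri))]
```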


[Full-disclosure] ZDI-08-037: Apple QuickTime Indeo Video Buffer Overflow Vulnerability

2008-06-10 Thread zdi-disclosures
ZDI-08-037: Apple QuickTime Indeo Video Buffer Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-037
June 10, 2008

-- CVE ID:
CVE-2008-1584

-- Affected Vendors:
Apple

-- Affected Products:
Apple Quicktime

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 5997. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Apple Quicktime Player. User interaction
is required to exploit this vulnerability in that the target must visit
a malicious page or open a malicious file.

The specific flaw exists within the parsing of Quicktime files that
utilize the Indeo video codec. A lack of proper bounds checking within
Indeo.qtx can result in a stack based buffer overflow leading to arbitrary
code execution under the context of the currently logged in user.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:

http://support.apple.com/kb/HT1222

-- Disclosure Timeline:
2008-02-07 - Vulnerability reported to vendor
2008-06-10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous



[Full-disclosure] ZDI-08-039: Microsoft Internet Explorer DOM Object substringData() Heap Overflow Vulnerability

2008-06-10 Thread zdi-disclosures
ZDI-08-039: Microsoft Internet Explorer DOM Object substringData() Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-039
June 10, 2008

-- CVE ID:
CVE-2008-1442

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Internet Explorer

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6155. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of various versions of Microsoft Internet
Explorer. User interaction is required to exploit this vulnerability in
that the target must visit a malicious page.

The specific flaw exists in the substringData() method when called on a
DOM object that has been manipulated in a special way. The attack
results in an exploitable heap buffer allowing for code execution under
the context of the current user.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/Bulletin/MS08-031.mspx

-- Disclosure Timeline:
2008-02-07 - Vulnerability reported to vendor
2008-06-10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous
* Peter Vreugdenhil
* Sebastian Apelt ([EMAIL PROTECTED])



[Full-disclosure] [ MDVSA-2008:111 ] - Updated Evolution packages fix vulnerabilities

2008-06-10 Thread security


 ___
 
 Mandriva Linux Security Advisory MDVSA-2008:111
 http://www.mandriva.com/security/
 ___
 
 Package : evolution
 Date: June 10, 2008
 Affected: 2008.0, 2008.1
 ___
 
 Problem Description:
 
 Alan Rad Pop of Secunia Research discovered the following two
 vulnerabilities in Evolution:
 
 Evolution did not properly validate timezone data when processing
 iCalendar attachments.  If a user disabled the Itip Formatter plugin
 and viewed a crafted iCalendar attachment, an attacker could cause
 a denial of service or potentially execute arbitrary code with the
 user's privileges (CVE-2008-1108).
 
 Evolution also did not properly validate the DESCRIPTION field when
 processing iCalendar attachments.  If a user were tricked into
 accepting a crafted iCalendar attachment and replied to it from
 the calendar window, an attacker could cause a denial of service
 or potentially execute arbitrary code with the user's privileges
 (CVE-2008-1109).
 
 In addition, Matej Cepl found that Evolution did not properly validate
 date fields when processing iCalendar attachments, which could lead to
 a denial of service if the user viewed a crafted iCalendar attachment
 with the Itip Formatter plugin disabled.
 
 Mandriva Linux has the Itip Formatter plugin enabled by default.
 
 The updated packages have been patched to prevent these issues.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1108
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1109
 ___
 
 Updated Packages:
 
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
