[Full-disclosure] [USN-1009-2] GNU C Library vulnerability
===========================================================
Ubuntu Security Notice USN-1009-2             January 12, 2011
eglibc, glibc vulnerability
https://launchpad.net/bugs/701783
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 8.04 LTS:
  libc6                           2.7-10ubuntu8

Ubuntu 9.10:
  libc6                           2.10.1-0ubuntu19

Ubuntu 10.04 LTS:
  libc6                           2.11.1-0ubuntu7.7

Ubuntu 10.10:
  libc6                           2.12.1-0ubuntu10.1

In general, a standard system update will make all the necessary changes.

Details follow:

USN-1009-1 fixed vulnerabilities in the GNU C library. Colin Watson discovered that the fixes were incomplete and introduced flaws with setuid programs loading libraries that used dynamic string tokens in their RPATH. If the "man" program was installed setuid, a local attacker could exploit this to gain "man" user privileges, potentially leading to further privilege escalations. Default Ubuntu installations were not affected.

Original advisory details:

 Tavis Ormandy discovered multiple flaws in the GNU C Library's handling of the LD_AUDIT environment variable when running a privileged binary. A local attacker could exploit this to gain root privileges.
 (CVE-2010-3847, CVE-2010-3856)

Updated packages for Ubuntu 8.04 LTS:
[Full-disclosure] ZDI-11-012: Hewlett-Packard OpenView Network Node Manager nnmRptConfig.exe Remote Code Execution Vulnerability
ZDI-11-012: Hewlett-Packard OpenView Network Node Manager nnmRptConfig.exe Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-012
January 10, 2011

-- CVE ID:
CVE-2011-270

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard OpenView Network Node Manager

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10769. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP Network Node Manager. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the nnmRptConfig.exe CGI, which is exposed by the web server that listens by default on TCP port 80. When parsing an invalid template name, the application uses user-supplied data as the format specifier while building an error message. An attacker can exploit this vulnerability by supplying a specially crafted, invalid template name to execute arbitrary code under the context of the user.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at:

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02670501

-- Disclosure Timeline:
2010-09-22 - Vulnerability reported to vendor
2011-01-10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Aniway

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

    http://twitter.com/thezdi

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
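The defect ZDI-11-012 describes is an error message built with untrusted text in the format position. The C below is an added example, not HP's code and not taken from the advisory: it shows the hardened shape a fix takes (a literal format, the template name only ever a %s argument) plus an allowlist check on the name. The function names, the message text and the allowlist policy are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not HP's code. The bug class: an error message built as
 *
 *     snprintf(buf, sizeof buf, template_name);   // template_name is user input
 *
 * so any '%' conversion in template_name is interpreted by the formatter.
 * The fix is mechanical: user data is only ever an argument to a literal
 * format string, never the format itself.
 */

/* Count the conversion specifications a formatter would act on if `s`
 * were (wrongly) used as a format string. "%%" is a literal percent and
 * does not count. Useful in tests and log review, not as a filter. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped "%%": skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hardened builder: the format is a literal and the untrusted name is a
 * %s argument, so '%' characters in it are copied verbatim. Returns what
 * snprintf returns (the full length needed), so callers can detect
 * truncation. */
int format_template_error(char *out, size_t outsz, const char *template_name)
{
    return snprintf(out, outsz, "Template '%s' not found", template_name);
}

/* Defence in depth (assumed policy): a template name is a simple
 * identifier. Accept only [A-Za-z0-9._-], 1..64 bytes, no leading '.',
 * so format directives and path components are rejected before the name
 * reaches any file lookup or logging routine. */
int is_valid_template_name(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64 || name[0] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

int main(void)
{
    char msg[128];
    const char *hostile = "%x%x%x%n";   /* constructed sample input */

    printf("conversions a naive formatter would act on: %d\n",
           count_conversions(hostile));
    format_template_error(msg, sizeof msg, hostile);
    printf("hardened message: %s\n", msg);      /* name echoed literally */
    printf("accepted by allowlist: %d\n", is_valid_template_name(hostile));
    return 0;
}
```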
[Full-disclosure] ZDI-11-011: Hewlett-Packard OpenView Network Node Manager nnmRptConfig.exe schd_select1 Remote Code Execution Vulnerability
ZDI-11-011: Hewlett-Packard OpenView Network Node Manager nnmRptConfig.exe schd_select1 Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-011
January 10, 2011

-- CVE ID:
CVE-2011-269

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard OpenView Network Node Manager

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10682. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP Network Node Manager. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the nnmRptConfig.exe module exposed by the webserver that listens by default on TCP port 80. A remote user can send an oversized schd_select1 parameter via a POST request to one of the CGI functions of NNM to trigger a buffer overflow in this module. Exploitation of this issue leads to remote code execution under the context of the target service.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at:

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02670501

-- Disclosure Timeline:
2010-09-23 - Vulnerability reported to vendor
2011-01-10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Aniway (Aniway.Anyway AT gmail DOT com)

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.
[Full-disclosure] ZDI-11-010: Hewlett-Packard OpenView Network Node Manager nnmRptConfig.exe nameParams/text1 Remote Code Execution Vulnerability
ZDI-11-010: Hewlett-Packard OpenView Network Node Manager nnmRptConfig.exe nameParams/text1 Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-010
January 10, 2011

-- CVE ID:
CVE-2011-268

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard OpenView Network Node Manager

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10529. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP Network Node Manager. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the nnmRptConfig.exe module exposed by the webserver that listens by default on TCP port 80. A remote user can send an oversized text1 parameter via a POST request to one of the CGI functions of NNM to trigger a buffer overflow in this module. Exploitation of this issue leads to remote code execution under the context of the target service.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at:

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02670501

-- Disclosure Timeline:
2010-09-23 - Vulnerability reported to vendor
2011-01-10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Aniway (Aniway.Anyway AT gmail DOT com)

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.
[Full-disclosure] ZDI-11-009: Hewlett-Packard OpenView Network Node Manager nnmRptConfig.exe schdParams/nameParams Remote Code Execution Vulnerability
ZDI-11-009: Hewlett-Packard OpenView Network Node Manager nnmRptConfig.exe schdParams/nameParams Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-009
January 10, 2011

-- CVE ID:
CVE-2011-267

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard OpenView Network Node Manager

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10772. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP Network Node Manager. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the nnmRptConfig.exe module exposed by the webserver that listens by default on TCP port 80. A remote user can send an oversized schdParams or nameParams parameter via a POST request to one of the CGI functions of NNM to trigger a buffer overflow in this module. Exploitation of this issue leads to remote code execution under the context of the target service.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at:

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02670501

-- Disclosure Timeline:
2010-09-23 - Vulnerability reported to vendor
2011-01-10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Aniway (Aniway.Anyway AT gmail DOT com)

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.
[Full-disclosure] ZDI-11-008: Hewlett-Packard OpenView Network Node Manager nnmRptConfig.exe nameParams Remote Code Execution Vulnerability
ZDI-11-008: Hewlett-Packard OpenView Network Node Manager nnmRptConfig.exe nameParams Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-008
January 10, 2011

-- CVE ID:
CVE-2011-266

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard OpenView Network Node Manager

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10773. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP Network Node Manager. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the nnmRptConfig.exe module exposed by the webserver that listens by default on TCP port 80. A remote user can send an oversized nameParams parameter via a POST request to one of the CGI functions of NNM to trigger a buffer overflow in this module. Exploitation of this issue leads to remote code execution under the context of the target service.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at:

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02670501

-- Disclosure Timeline:
2010-09-23 - Vulnerability reported to vendor
2011-01-10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Aniway (Aniway.Anyway AT gmail DOT com)

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.
[Full-disclosure] ZDI-11-007: Hewlett-Packard OpenView Network Node Manager nnmRptConfig.exe data_select1 Remote Code Execution Vulnerability
ZDI-11-007: Hewlett-Packard OpenView Network Node Manager nnmRptConfig.exe data_select1 Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-007
January 10, 2011

-- CVE ID:
CVE-2011-265

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard OpenView Network Node Manager

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10682. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP Network Node Manager. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the nnmRptConfig.exe module exposed by the webserver that listens by default on TCP port 80. A remote user can send an oversized data_select1 parameter via a POST request to one of the CGI functions of NNM to trigger a buffer overflow in this module. Exploitation of this issue leads to remote code execution under the context of the target service.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at:

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02670501

-- Disclosure Timeline:
2010-09-23 - Vulnerability reported to vendor
2011-01-10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Aniway (Aniway.Anyway AT gmail DOT com)

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.
[Full-disclosure] ZDI-11-006: Hewlett-Packard Network Node Manager OVutil.dll Remote Code Execution Vulnerability
ZDI-11-006: Hewlett-Packard Network Node Manager OVutil.dll Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-006
January 10, 2011

-- CVE ID:
CVE-2011-264

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard OpenView Network Node Manager

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10768. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard OpenView Network Node Manager. Authentication is not required to exploit this vulnerability.

The flaw exists within the ovutil.dll component which is loaded by the webserver listening by default on TCP port 80. When handling the COOKIE variable passed through a GET request, the process blindly copies user supplied data into a fixed-length buffer on the stack. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the SYSTEM service.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at:

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02670501

-- Disclosure Timeline:
2010-09-22 - Vulnerability reported to vendor
2011-01-10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * SilentSignal

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.
[Full-disclosure] ZDI-11-005: HP OpenView Network Node Manager ovas.exe Remote Code Execution Vulnerability
ZDI-11-005: HP OpenView Network Node Manager ovas.exe Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-005
January 10, 2011

-- CVE ID:
CVE-2011-263

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard OpenView Network Node Manager

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10770. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard OpenView Network Node Manager. Authentication is not required to exploit this vulnerability.

The flaw exists within the ovas.exe component which listens by default on TCP port 7510. When handling the Source Node or Destination Node name POST variables, the process blindly copies user supplied data into a fixed-length buffer on the stack. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the OVAS service.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at:

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02670501

-- Disclosure Timeline:
2010-09-14 - Vulnerability reported to vendor
2011-01-10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * SilentSignal

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.
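ZDI-11-011 through ZDI-11-007, ZDI-11-006 and ZDI-11-005 all describe one defect: a request value (a POST field, a cookie, a node name) copied into a fixed-length stack buffer with no length check. The C below is an added example, not NNM's code, showing how such a parser keeps the bound: the body is scanned without copying, and every copy goes through a length check that rejects, rather than silently truncates, a value that does not fit together with its NUL. The field names srcNode and dstNode, the 64-byte limit and the sample bodies are constructed assumptions; URL decoding is left out.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not NNM code. The advisories describe the unsafe shape
 *
 *     char node[64];
 *     strcpy(node, value);           // or sprintf(node, "%s", value)
 *
 * with value taken straight from the request. Here nothing is written
 * to a fixed buffer except through copy_param_bounded().
 */

#define NODE_NAME_MAX 64            /* assumed field size, including the NUL */

typedef struct {
    char source_node[NODE_NAME_MAX];
    char dest_node[NODE_NAME_MAX];
} node_form_t;

/* Locate `key` in an application/x-www-form-urlencoded body. Returns a
 * pointer to the start of its value and the value length in *len, or
 * NULL when the key is absent. Nothing is copied, so an oversized value
 * only yields a large *len, never a write. */
const char *find_param(const char *body, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = body;

    *len = 0;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t pairlen = end ? (size_t)(end - p) : strlen(p);

        if (pairlen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            *len = pairlen - klen - 1;
            return p + klen + 1;
        }
        p = end ? end + 1 : NULL;
    }
    return NULL;
}

/* Bounded copy. The test is vlen >= dstsz, not vlen > dstsz: the NUL
 * needs its own byte. Returns 0 on success, -1 when the value is
 * rejected; dst is untouched on rejection. */
int copy_param_bounded(char *dst, size_t dstsz, const char *val, size_t vlen)
{
    if (dstsz == 0 || vlen >= dstsz)
        return -1;
    memcpy(dst, val, vlen);
    dst[vlen] = '\0';
    return 0;
}

/* Fill the form from a request body. Both fields are required; an
 * absent or oversized field fails the whole request with -1 instead of
 * proceeding with a partial or truncated name. */
int parse_node_form(const char *body, node_form_t *out)
{
    const char *v;
    size_t vlen;

    memset(out, 0, sizeof *out);

    v = find_param(body, "srcNode", &vlen);          /* assumed field name */
    if (!v || copy_param_bounded(out->source_node, sizeof out->source_node, v, vlen) != 0)
        return -1;

    v = find_param(body, "dstNode", &vlen);          /* assumed field name */
    if (!v || copy_param_bounded(out->dest_node, sizeof out->dest_node, v, vlen) != 0)
        return -1;

    return 0;
}

int main(void)
{
    node_form_t form;
    char oversized[320];

    /* Constructed sample bodies. */
    const char *ok = "srcNode=router1&dstNode=switch2&action=graph";
    printf("normal body: %d\n", parse_node_form(ok, &form));
    printf("  source=%s dest=%s\n", form.source_node, form.dest_node);

    /* A 200-byte srcNode value: would overrun a 64-byte stack buffer. */
    memset(oversized, 'A', sizeof oversized);
    memcpy(oversized, "srcNode=", 8);
    memcpy(oversized + 8 + 200, "&dstNode=b", 11);  /* copies the NUL too */
    printf("oversized body: %d (rejected)\n", parse_node_form(oversized, &form));
    return 0;
}
```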
[Full-disclosure] ZDI-11-004: HP OpenView Network Node Manager ovutil.dll stringToSeconds Remote Code Execution Vulnerability
ZDI-11-004: HP OpenView Network Node Manager ovutil.dll stringToSeconds Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-004
January 11, 2011

-- CVE ID:
CVE-2011-262

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard OpenView Network Node Manager

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10771. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard OpenView Network Node Manager. Authentication is not required to exploit this vulnerability. The exploit would require a crafted HTTP request to the target host.

The specific flaw exists within the ovutil.dll module, which is loaded by the ovwebsnmpsrv.exe process, which in turn can be reached remotely through the jovgraph.exe CGI program. By supplying overly large values to variables passed through an HTTP request, an sscanf call can be made to overflow a static buffer. An attacker can leverage this to execute arbitrary code under the context of the user running the webserver.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at:

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02670501

-- Disclosure Timeline:
2010-09-14 - Vulnerability reported to vendor
2011-01-11 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.
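ZDI-11-004 attributes the overflow to an sscanf that writes past a static buffer. The C below is an added example and not HP's stringToSeconds (the real function's input format is not on the page): it parses a duration string the way such a routine might, with the scanset width bound to the buffer size so an overlong token becomes a parse error instead of an overwrite, and with the multiplication checked before it can wrap. The input format, the unit set and the function names are assumptions.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not HP's code. The bug class ZDI-11-004 names: an
 * sscanf into a fixed buffer with an unbounded conversion, e.g.
 *
 *     static char unit[16];
 *     sscanf(p, "%ld%s", &n, unit);   // "%s" has no width: any length "fits"
 *
 * Below the scanset carries an explicit width (%15[...] for a 16-byte
 * buffer), so at most 15 bytes plus the NUL are ever stored.
 */

#define UNIT_MAX 16     /* buffer size; the conversion width below is UNIT_MAX - 1 */

/* Seconds per unit suffix, -1 for anything unknown. (Assumed unit set.) */
static long unit_multiplier(const char *unit)
{
    if (strcmp(unit, "s") == 0) return 1L;
    if (strcmp(unit, "m") == 0) return 60L;
    if (strcmp(unit, "h") == 0) return 3600L;
    if (strcmp(unit, "d") == 0) return 86400L;
    return -1L;
}

/* Parse durations such as "90", "1h30m5s" or "2d 12h" into seconds.
 * Returns -1 on a negative count, an unknown or overlong unit, trailing
 * garbage, or arithmetic overflow. */
long string_to_seconds(const char *s)
{
    const char *p = s;
    long total = 0;
    char unit[UNIT_MAX];

    while (*p) {
        long n, mult;
        int used = 0;

        /* %n records how many characters the number consumed. */
        if (sscanf(p, "%ld%n", &n, &used) != 1 || n < 0)
            return -1;
        p += used;

        used = 0;
        if (sscanf(p, "%15[a-zA-Z]%n", unit, &used) != 1) {
            /* No unit suffix: bare seconds, allowed only as the last token. */
            if (*p != '\0')
                return -1;
            mult = 1;
        } else {
            p += used;
            /* An overlong token arrives here cut to 15 letters and is
             * rejected as unknown; the bytes beyond it were never stored. */
            mult = unit_multiplier(unit);
            if (mult < 0)
                return -1;
        }

        if (n > (LONG_MAX - total) / mult)   /* would wrap: refuse */
            return -1;
        total += n * mult;
    }
    return total;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "90", "1h30m5s", "2d 12h", "5x", "-5s",
                              "10fortnightsandmorejunkhere" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s -> %ld\n", samples[i], string_to_seconds(samples[i]));
    return 0;
}
```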
[Full-disclosure] ZDI-11-003: HP OpenView Network Node Manager jovgraph.exe displayWidth Remote Code Execution Vulnerability
ZDI-11-003: HP OpenView Network Node Manager jovgraph.exe displayWidth Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-003
January 10, 2011

-- CVE ID:
CVE-2011-261

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard OpenView Network Node Manager

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10771. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard OpenView Network Node Manager. Authentication is not required to exploit this vulnerability. The exploit would require a crafted HTTP request to the target host.

The specific flaw exists within jovgraph.exe, a Java-based grapher that extends the SNMP Data Presenter to include xnmgraph-like applications created by the application builder. The vulnerability occurs within jovgraph when processing a malformed displayWidth option passed from the arg parameter to the CGI program. A remote unauthenticated attacker can send a crafted HTTP request to the target host to exploit this vulnerability. A successful attack could allow for arbitrary code being injected and executed with the privileges of the affected process, normally Internet Guest Account on Windows platforms.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at:

    http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02670501

-- Disclosure Timeline:
2010-09-14 - Vulnerability reported to vendor
2011-01-10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

    http://twitter.com/thezdi
[Full-disclosure] [SECURITY] [DSA 2122-2] New glibc packages fix privilege escalation
------------------------------------------------------------------------
Debian Security Advisory DSA-2122-2                  secur...@debian.org
http://www.debian.org/security/                           Florian Weimer
January 11, 2011                     http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : glibc
Vulnerability  : missing input sanitization
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2010-3847 CVE-2010-3856

Colin Watson discovered that the update for stable released in DSA-2122-1 did not completely address the underlying security issue in all possible scenarios.

For the stable distribution (lenny), this problem has been fixed in version 2.7-18lenny7.

For the testing distribution (squeeze) and the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your glibc packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] ZDI-11-002: Microsoft Internet Explorer MSADO CacheSize Remote Code Execution Vulnerability
ZDI-11-002: Microsoft Internet Explorer MSADO CacheSize Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-002
January 11, 2011

-- CVE ID:
CVE-2011-0027

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Internet Explorer 8

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10761. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. This vulnerability was submitted to the ZDI at the annual Pwn2Own competition at CanSecWest. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The flaw exists within the MSADO component. When handling a user-specified CacheSize property, the process uses this value to calculate the 'real' cache size. This value is used without proper validation. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the browser.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS11-002.mspx

-- Disclosure Timeline:
2010-12-07 - Vulnerability reported to vendor
2011-01-11 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Peter Vreugdenhil

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

    http://twitter.com/thezdi
[Full-disclosure] ZDI-11-001: Microsoft Data Access Components DSN Overflow Code Execution Vulnerability
ZDI-11-001: Microsoft Data Access Components DSN Overflow Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-001
January 11, 2011

-- CVE ID:
CVE-2011-0026

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Data Access Components

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10763. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Microsoft Data Access Components. The vulnerability is present in an API call and as such successful exploitation will depend on an application's implementation of this call.

The specific flaw exists within the SQLConnectW call in the odbc32.dll component. When calculating the size of a user provided szDSN, the result of a call to lstrlenW is used in a signed comparison to SQL_MAX_DSN_LENGTH to verify the destination buffer size. This value is later used to copy user supplied data to a fixed length stack buffer. A malicious szDSN length could be used to exploit this signedness bug and execute arbitrary code.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS11-002.mspx

-- Disclosure Timeline:
2010-06-23 - Vulnerability reported to vendor
2011-01-11 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * AbdulAziz Hariri

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

    http://twitter.com/thezdi
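As an added example (not ZDI's, Microsoft's or odbc32.dll's code), the following C models the length-check pattern the ZDI-11-001 details describe and puts a check that cannot be passed by an oversized DSN beside it. It assumes the lstrlenW result was narrowed into ODBC's signed 16-bit SQLSMALLINT before the comparison; that narrowing, the lstrlenW stub and the helper names are constructed for illustration, while SQL_MAX_DSN_LENGTH = 32 is the real ODBC constant.

```c
/* Added example modelled on the ZDI-11-001 description; not the real
 * odbc32.dll code.  The narrowing of the length into SQLSMALLINT is an
 * assumption used to show how a signed comparison can be satisfied by an
 * input that is far too long for the destination buffer. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

#define SQL_MAX_DSN_LENGTH 32   /* real ODBC limit for a DSN, in characters */
typedef short SQLSMALLINT;       /* ODBC's signed 16-bit integer type */

/* Stand-in for the Win32 lstrlenW: returns the length as a signed int. */
static int lstrlenW_stub(const wchar_t *s)
{
    return (int)wcslen(s);
}

/* Vulnerable pattern (constructed).  Returns true when the check would let
 * the caller go on to copy szDSN into a fixed 33-wide-char stack buffer.
 * A DSN of 32768..65535 characters narrows to a negative SQLSMALLINT, so the
 * signed comparison against 32 accepts it even though a copy driven by the
 * full, positive length would overflow the buffer.  No copy is performed
 * here; the function only reports the outcome of the check. */
bool vulnerable_dsn_check(const wchar_t *szDSN)
{
    SQLSMALLINT len = (SQLSMALLINT)lstrlenW_stub(szDSN);  /* assumed narrowing */
    if (len > SQL_MAX_DSN_LENGTH)   /* signed compare: a negative len passes */
        return false;
    return true;
}

/* Hardened version: the length is kept unsigned and full-width, the
 * comparison happens before any copy, and the copy is bounded by the
 * destination size rather than by anything derived from the input. */
bool hardened_copy_dsn(const wchar_t *szDSN, wchar_t dst[SQL_MAX_DSN_LENGTH + 1])
{
    size_t len = wcslen(szDSN);              /* size_t: cannot go negative */
    if (len > SQL_MAX_DSN_LENGTH)
        return false;                        /* reject and copy nothing */
    memcpy(dst, szDSN, len * sizeof(wchar_t));
    dst[len] = L'\0';
    return true;
}

/* Helper: build a constructed DSN of n 'A' characters (caller frees it). */
wchar_t *make_dsn(size_t n)
{
    wchar_t *s = malloc((n + 1) * sizeof(wchar_t));
    if (s == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)
        s[i] = L'A';
    s[n] = L'\0';
    return s;
}

int main(void)
{
    wchar_t buf[SQL_MAX_DSN_LENGTH + 1];
    wchar_t *huge = make_dsn(40000);   /* constructed oversized DSN */
    if (huge == NULL)
        return 1;
    printf("40000-char DSN: vulnerable check accepts=%d, hardened accepts=%d\n",
           (int)vulnerable_dsn_check(huge), (int)hardened_copy_dsn(huge, buf));
    free(huge);
    return 0;
}
```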
Re: [Full-disclosure] Getting Off the Patch
> Now imagine if you can properly sandbox XYZ.net - at that point you don't
> *care* if a security patch comes out. You can choose to only push the patches
> out to your users if a patch comes along that actually affects your site. Then
> you're only spending that 2 hours doing regression testing once every 6 or 8
> months or so. Sure, that sandboxing may take the first guy a solid man-month
> or two of time. But then he can package it, and you can then get the package,
> spend 8 or 10 hours deploying it, and after a few months you've got 2 hours
> per month back.

Yeah, sounds good in theory. What about when vulnerabilities (and presumably patches) come out for your "sandbox" or other security software?

IMO, adding more software to a system rarely results in overall management gains. This is because most software, including security software, sucks. If you find yourself patching too often, or you can't trust that the patches won't break your environment, then you probably need to find a software vendor that invests more in QA.

tim
Re: [Full-disclosure] GNU libc/regcomp(3) Multiple Vulnerabilities
On 01/11/2011 04:33 PM, halfdog wrote:
> Nice find, but not the first one, look at:
>
> https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/343894
>
> I just reported the issue to ubuntu so see how their bug tracking team
> was performing on an issue where a standard byte-array-fuzzer just
> needed 2secs to find it. I wanted to know, if they could detect a
> misclassified issue (was not reported as security bug) and bring it to a
> fix. I would have bet, that they would be faster than you, but it seems
> that you made the race. What I learned from the exercise (see bug
> report date March 2009), is that the ubuntu launchpad platform is an
> invaluable source of exploits when used together with google mining.

I agree with you, but in my opinion the ubuntu tracking team has nothing to do here. The main problem exists in the GNU libc code, so this team should fix the problem. Just compare regcomp(3)/BSD and regcomp(3)/linux. In my opinion the GNU libc implementation is the worst in terms of safety.

Probably the vulnerability in glob(3) (CVE-2010-2632) can be used for resource exhaustion in the GNU inetutils ftp server.

-- 
Best Regards
pub 4096R/D6E5B530 2010-09-19
uid Maksymilian Arciemowicz (cx)
sub 4096R/58BA663C 2010-09-19
[Full-disclosure] ASPR #2011-01-11-1: Remote Binary Planting in Multiple F-Secure Products
=[BEGIN-ACROS-REPORT]=

PUBLIC

===
ACROS Security Problem Report #2011-01-11-1
- ASPR #2011-01-11-1: Remote Binary Planting in Multiple F-Secure Products
===

Document ID:    ASPR #2011-01-11-1-PUB
Vendor:         F-Secure Corp. (http://www.f-secure.com)
Target:         F-Secure Internet Security 2010 and 2011
                F-Secure Anti-Virus 2010 and 2011
                (and multiple other F-Secure products)
Impact:         Remote execution of arbitrary code
Severity:       Very high
Status:         Official patch available, workarounds available
Discovered by:  Simon Raner of ACROS Security
CVSS score:     9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE ID:         (unknown)
CWE ID:         CWE-426: Untrusted Search Path
Current version: http://www.acrossecurity.com/aspr/ASPR-2011-01-11-1-PUB.txt

Summary
===

A "binary planting" [1] vulnerability in F-Secure Internet Security 2010 and 2011, F-Secure Anti-Virus 2010 and 2011 and multiple other F-Secure products allows local or remote (even Internet-based) attackers to deploy and execute malicious code on Windows machines in the context of logged-on users.

Product Coverage
===

- Solutions based on F-Secure Protection Service for Consumers version 9
- Solutions based on F-Secure Protection Service for Business - Workstation security version 9
- Solutions based on F-Secure Protection Service for Business - Email and Server Security version 9
- Solutions based on F-Secure Protection Service for Business - Server Security version 9
- F-Secure Internet Security 2010 and 2011
- F-Secure Anti-Virus 2010 and 2011
- F-Secure Client Security 9.00-9.01
- F-Secure Anti-Virus for Workstations 9.00-9.01
- F-Secure Anti-Virus for Windows Servers 9.00
- F-Secure Anti-Virus for Citrix Servers 9.00

Analysis
===

As a result of an incorrect dynamic link library loading in affected F-Secure products, an attacker can cause her malicious DLL to be loaded and executed on users' computers from local drives, remote Windows shares, and even shares located on Internet.

This vulnerability is exploitable through other products that F-Secure products integrate with, most notably web browsers. One such example is a combination of Mozilla Firefox and F-Secure Internet Security 2011.

When launched by double-clicking an .HTML file via Windows Explorer (or most any other popular file manager), Firefox is started with the current working directory (CWD) set to the folder where this file resides. If F-Secure Internet Security is installed, Firefox displays its toolbar and allows the user to view and edit the "Browsing protection" settings. These get launched by Firefox and inherit its CWD, but they also integrate a vulnerable 3rd party library QtCore4.dll, which blindly tries to load wintab32.dll whether this library is present on the system or not. In the latter case (i.e., on most systems), this DLL is not found in either the Firefox folder (%PROGRAMFILES%\Mozilla Firefox\) or any one of the Windows system folders as specified by the search path, and is then looked for in the CWD. If found there, wintab32.dll (planted by the attacker) is loaded and executed. (Note that Firefox is doing nothing wrong here. Its CWD is set automatically by Windows Explorer upon user's double-clicking the HTML file, as is the case with any other application.)

All a remote attacker has to do is plant a malicious DLL with a specific name (wintab32.dll) on a network share and get the user to open any .HTML file with Firefox from this network location - which should require minimal social engineering. Windows systems by default have the Web Client service running - which makes remote network shares accessible via WebDAV -, thus the malicious DLL can also be deployed from an Internet-based network share as long as the intermediate firewalls allow outbound HTTP traffic to the Internet. A systematic attack could deploy malicious code to a large number of Windows workstations in a short period of time, possibly as an Internet worm.

Visit http://www.binaryplanting.com/ for more information on binary planting vulnerabilities and attacks.

Mitigating Factors
==

- A firewall blocking outbound WebDAV traffic (in addition to blocking all Windows Networking protocols) could stop an Internet-based attack.
- Microsoft's CWDIllegalInDllSearch hotfix [2] can stop a network-based exploitation of this vulnerability.

Solution
===

F-Secure has issued a security bulletin [3] and published an update for all affected products that fixes this issue.

Workaround
==

- Stopping the Web Client service could stop Internet-based attacks as long as the network firewall stops outbound
Re: [Full-disclosure] GNU libc/regcomp(3) Multiple Vulnerabilities
Maksymilian Arciemowicz wrote:
> [ GNU libc/regcomp(3) Multiple Vulnerabilities ]
>
> Author: Maksymilian Arciemowicz
> http://securityreason.com/
> http://cxib.net/
> Date:
> - Dis.: 01.10.2010
> - Pub.: 07.01.2011
>
> CERT: VU#912279
> CVE:
> CVE-2010-4051
> CVE-2010-4052

Nice find, but not the first one, look at:

https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/343894

I just reported the issue to ubuntu to see how their bug tracking team was performing on an issue where a standard byte-array-fuzzer just needed 2secs to find it. I wanted to know if they could detect a misclassified issue (it was not reported as a security bug) and bring it to a fix. I would have bet that they would be faster than you, but it seems that you made the race. What I learned from the exercise (see bug report date March 2009) is that the ubuntu launchpad platform is an invaluable source of exploits when used together with google mining.

As to the regexes: If you want to start collecting CVEs, many other programs are also vulnerable to regex resource exhaustion, e.g. using postgres extended regulars.

As for the segfaults: The problem with memory-allocation errors is quite common in many programs and not only restricted to regular expressions. Even many suid-binaries have quite funny behavior when limiting resources, e.g. to trigger null-pointer deref in sudoedit on lucid,

(gdb) bt
#0  __tsearch (key=0xbfb3e4e0, vrootp=0x1c, compar=0xb14490 ) at tsearch.c:251
#1  0x00b1407e in *__GI___nss_lookup_function (ni=0x0, fct_name=0xb691bb "setpwent") at nsswitch.c:342

See http://www.halfdog.net/Security/LowMemoryProgramCrashing/

-- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee
Re: [Full-disclosure] Getting Off the Patch
On Tue, 11 Jan 2011 05:53:44 PST, Zach C said:
> change, who knows. I see you mention the time it takes to test patches and
> their effect on your workflow, but I would figure an equal or greater amount
> of time would then need to be spent on other solutions as well

The trick is to choose other solutions that don't take as much time on an ongoing basis.

Let's say for example, you spend 2 hours every month doing regression testing on the patches against XYZ.net that came out on Patch Tuesday.

Now imagine if you can properly sandbox XYZ.net - at that point you don't *care* if a security patch comes out. You can choose to only push the patches out to your users if a patch comes along that actually affects your site. Then you're only spending that 2 hours doing regression testing once every 6 or 8 months or so. Sure, that sandboxing may take the first guy a solid man-month or two of time. But then he can package it, and you can then get the package, spend 8 or 10 hours deploying it, and after a few months you've got 2 hours per month back.

(Yes, I know "properly sandbox" is a lot of hand-waving. The point is that if you don't do this sort of "what if we do something different" analysis, you're doomed to keep spending time every Patch Tuesday. Also, doing a proper "what would it take?" analysis can be a good thing even if it turns out the new idea is infeasible, because you'll be much more familiar with the innards of the package, which will almost certainly pay off in decreased debugging time down the road, and your overall security knowledge will also increase, which is also a good thing...)
Re: [Full-disclosure] Getting Off the Patch
Hmm. So you propose other measures of security as a way of circumventing the requirement of patching vulnerable software. That's nice, but it occurs to me that the vulnerable software is still vulnerable, and sandboxing (as you mentioned in an example) isn't always possible or feasible -- maybe it requires a code change, who knows. I see you mention the time it takes to test patches and their effect on your workflow, but I would figure an equal or greater amount of time would then need to be spent on other solutions as well -- and even when those other solutions are implemented, the software that you're doing all this to is still vulnerable, and likely in a way that such measures can't really prevent all that well (code theft, etc).

Am I mistaken? I thought I got all that right. I haven't read the OSSTMM 3 yet, granted (it's on my to-do list), but I would think that it's still worth doing all that -- just that disregarding patches entirely in favor of this isn't the solution either, which is probably not what you're saying. :)

On Jan 10, 2011, at 11:41 AM, Pete Herzog wrote:
> Hi,
>
> Here's a new article on how and why you may want to stop patching your
> software and take a new approach to your security.
>
> "So if patching is a tactic towards a particular security strategy,
> how can that be bad? I never said it was all bad. There are reasons
> where patching makes sense just like there are reasons to get a kick
> from a cup of coffee, get kicked by a shot of tequila, or spray stuff
> up your nose to breathe easier for 1.5 seconds. Yes, for the record, I
> am comparing patching to nasal spray."
>
> Read it here:
>
> https://www.infosecisland.com/blogview/10813-Getting-Off-the-Patch.html
>
> Sincerely,
> -pete.
>
> --
> Pete Herzog - Managing Director - p...@isecom.org
> ISECOM - Institute for Security and Open Methodologies
> www.isecom.org - www.osstmm.org
> www.hackerhighschool.org - www.badpeopleproject.org
[Full-disclosure] List Charter
[Full-Disclosure] Mailing List Charter
John Cartwright

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing list hosted at lists.grok.org.uk.

The list was created on 9th July 2002 by Len Rose, and is primarily concerned with security issues and their discussion. The list is administered by John Cartwright.

The Full-Disclosure list is hosted and sponsored by Secunia.

- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to full-disclosure-requ...@lists.grok.org.uk, send the word 'help' in either the message subject or body for details.

- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be restricted to members only, however the administrators may choose to accept submissions from non-members based on individual merit and relevance.

It is expected that the list will be largely self-policing, however in special circumstances (eg spamming, misappropriation) then offending members may be removed from the list by the management.

An archive of postings is available at http://lists.grok.org.uk/pipermail/full-disclosure/.

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for instance announcement and discussion thereof, exploit techniques and code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is forbidden. Disagreements, flames, arguments, and off-topic discussion should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they should use discretion in executing any tools or code distributed via this list.

- Posting Guidelines -

The primary language of this list is English. Members are expected to maintain a reasonable standard of netiquette when posting to the list.

Quoting should not exceed that which is necessary to convey context, this is especially relevant to members subscribed to the digested version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will preferably be short and to the point, and those containing 'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or S/MIME signatures, proof-of-concept code, etc) but must not be active (in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to list postings. Offenders will be excluded from the mailing list until the problem is corrected.

Members may post to the list by emailing full-disclos...@lists.grok.org.uk. Do not send subscription/unsubscription mails to this address, use the -request address mentioned above.

- Charter Additions/Changes -

The list charter will be published at http://lists.grok.org.uk/full-disclosure-charter.html. In addition, the charter will be posted monthly to the list by the management.

Alterations will be made after consultation with list members and a consensus has been reached.
[Full-disclosure] Getting Off the Patch
Hi,

Here's a new article on how and why you may want to stop patching your software and take a new approach to your security.

"So if patching is a tactic towards a particular security strategy, how can that be bad? I never said it was all bad. There are reasons where patching makes sense just like there are reasons to get a kick from a cup of coffee, get kicked by a shot of tequila, or spray stuff up your nose to breathe easier for 1.5 seconds. Yes, for the record, I am comparing patching to nasal spray."

Read it here:

https://www.infosecisland.com/blogview/10813-Getting-Off-the-Patch.html

Sincerely,
-pete.

-- 
Pete Herzog - Managing Director - p...@isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org