[Full-disclosure] TPTI-07-21: Adobe Flash Player JPG Processing Heap Overflow Vulnerability

TPTI-07-21: Adobe Flash Player JPG Processing Heap Overflow Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-07-21
December 19, 2007

-- CVE ID:
CVE-2007-6242

-- Affected Vendor:
Adobe

-- Affected Products:
Flash Player

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 5846. For further product information on the TippingPoint IPS:
    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on systems with vulnerable installations of the Adobe Flash Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists in the Flash Player's parsing of JPG images embedded in SWF files. The Flash Player trusts the signed X and Y densities specified in the JPG header and makes memory allocations accordingly. A processing loop later treats these values as unsigned, leading to excessive loop iterations and heap corruption while decoding the rest of the image.

-- Vendor Response:
http://www.adobe.com/support/security/bulletins/apsb07-20.html

-- Disclosure Timeline:
2007.11.02 - Vulnerability reported to vendor
2007.12.19 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Aaron Portnoy, TippingPoint DVLabs.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
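The signed-versus-unsigned reading of a header field that TPTI-07-21 describes, as an added example that is not code from the advisory or from Adobe: the flawed pattern is shown numerically beside a reader that keeps one unsigned view of the value from parse through allocation and loop bound. It assumes the "X and Y densities" are the JFIF APP0 Xdensity/Ydensity fields; the APP0_* segments are constructed samples, not bytes from any real file.

```c
/* Added example, not code from the advisory or from Adobe: the signed vs.
 * unsigned reading of a JPG header field that TPTI-07-21 describes, and a
 * reader that keeps one unsigned view of the value throughout.
 * Assumption: the "X and Y densities" are the JFIF APP0 Xdensity/Ydensity
 * fields, which the JFIF spec defines as big-endian unsigned 16-bit. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* JFIF APP0 layout (offsets include the 2-byte segment length):
 *  0 length | 2 "JFIF\0" | 7 version | 9 units | 10 Xdensity | 12 Ydensity
 * | 14 Xthumbnail | 15 Ythumbnail | 16 thumbnail RGB (3*Xthumb*Ythumb) */
#define APP0_FIXED_LEN 16

struct app0 {
    uint8_t  units;
    uint16_t xdensity, ydensity;    /* unsigned, as the format defines them */
    uint8_t  xthumb, ythumb;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Flawed pattern (CWE-195): the density is read through a signed 16-bit
 * type, so 0xFFFF becomes -1 and a size derived from it is tiny or
 * negative.  In the advisory the allocation is made from this view. */
long legacy_alloc_size(const uint8_t *seg)
{
    int16_t xd = (int16_t)be16(seg + 10);
    int16_t yd = (int16_t)be16(seg + 12);
    return (long)xd * (long)yd;
}

/* The same bytes consumed by a loop whose bound is unsigned: 0xFFFF is
 * now 65535, so the loop runs far past the allocation made above. */
unsigned long legacy_loop_bound(const uint8_t *seg)
{
    return (unsigned long)be16(seg + 10) * (unsigned long)be16(seg + 12);
}

/* Hardened reader: one unsigned type, every field range-checked, and the
 * segment's declared length checked against the bytes actually present.
 * out may be NULL to validate only.  Returns 0 on success, <0 on error. */
int parse_app0(const uint8_t *seg, size_t seg_len, struct app0 *out)
{
    if (seg_len < APP0_FIXED_LEN) return -1;             /* truncated */
    uint16_t declared = be16(seg);                       /* includes itself */
    if (declared < APP0_FIXED_LEN || declared > seg_len) return -2;
    if (memcmp(seg + 2, "JFIF", 5) != 0) return -3;      /* identifier + NUL */
    uint8_t units = seg[9];
    if (units > 2) return -4;                            /* 0, 1 or 2 only */
    uint16_t xd = be16(seg + 10), yd = be16(seg + 12);
    if (xd == 0 || yd == 0) return -5;                   /* spec: non-zero */
    uint8_t xt = seg[14], yt = seg[15];
    if ((size_t)declared - APP0_FIXED_LEN != 3u * xt * yt) return -6;
    if (out) {
        out->units = units; out->xdensity = xd; out->ydensity = yd;
        out->xthumb = xt;   out->ythumb = yt;
    }
    return 0;
}

/* Any size derived from the densities is computed once, in size_t, with
 * overflow detection; the same value then bounds both the allocation and
 * the loop that fills it, so the two views can never disagree. */
int density_alloc_size(const struct app0 *a, size_t elem, size_t *out)
{
    size_t cells = (size_t)a->xdensity * (size_t)a->ydensity;
    if (elem && cells > SIZE_MAX / elem) return -1;
    *out = cells * elem;
    return 0;
}

/* Constructed APP0 segments (not captured from any real file). */
const uint8_t APP0_OK[16] = {
    0x00, 0x10, 'J','F','I','F', 0x00, 0x01, 0x02, 0x01,
    0x00, 0x48, 0x00, 0x48, 0x00, 0x00 };                /* 72 x 72 dpi */
const uint8_t APP0_HIGH_BIT[16] = {
    0x00, 0x10, 'J','F','I','F', 0x00, 0x01, 0x02, 0x01,
    0xFF, 0xFF, 0x00, 0x01, 0x00, 0x00 };                /* Xdensity = 0xFFFF */
const uint8_t APP0_BAD_LEN[16] = {
    0x00, 0x20, 'J','F','I','F', 0x00, 0x01, 0x02, 0x01,
    0x00, 0x48, 0x00, 0x48, 0x00, 0x00 };                /* claims 32 bytes */

/* With the hardened path, allocation size and loop bound for APP0_HIGH_BIT
 * are the same number: 65535 cells.  Returns 1 when they agree. */
int self_check(void)
{
    struct app0 a; size_t bytes;
    if (parse_app0(APP0_HIGH_BIT, sizeof APP0_HIGH_BIT, &a) != 0) return 0;
    if (density_alloc_size(&a, 4, &bytes) != 0) return 0;
    return bytes == 65535u * 4u && (size_t)a.xdensity * a.ydensity == 65535u;
}

int main(void)
{
    printf("signed alloc size  : %ld\n",  legacy_alloc_size(APP0_HIGH_BIT));
    printf("unsigned loop bound: %lu\n", legacy_loop_bound(APP0_HIGH_BIT));
    printf("hardened, ok       : %d\n",  parse_app0(APP0_OK, sizeof APP0_OK, NULL));
    printf("hardened, bad len  : %d\n",  parse_app0(APP0_BAD_LEN, sizeof APP0_BAD_LEN, NULL));
    return 0;
}
```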
[Full-disclosure] TPTI-07-18: EMC RepliStor Server Heap Overflow Vulnerability

TPTI-07-18: EMC RepliStor Server Heap Overflow Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-07-18
October 10, 2007

-- CVE ID:
CVE-2007-5323

-- Affected Vendor:
EMC

-- Affected Products:
RepliStor 6.1.3

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since October 9, 2007 by Digital Vaccine protection filter ID 5623. For further product information on the TippingPoint IPS:
    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of EMC RepliStor Server. User interaction is not required to exploit this vulnerability.

The specific flaw exists in the RepliStor Server Service that listens by default on TCP port 7144. The vulnerable function trusts a user-supplied size value, allowing an attacker to create an undersized buffer. A later call to recv() overflows that buffer, allowing for arbitrary code execution in the context of the SYSTEM user.

-- Vendor Response:
EMC has issued updates to correct this vulnerability. More details can be found in knowledge base article emc168869 available from powerlink.emc.com. EMC customers can further contact EMC Software Technical Support at 1-877-534-2867.

-- Disclosure Timeline:
2007.07.20 - Vulnerability reported to vendor
2007.10.09 - Digital Vaccine released to TippingPoint customers
2007.10.10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Aaron Portnoy.

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is being sent by 3Com for the sole use of the intended recipient(s) and may contain confidential, proprietary and/or privileged information. Any unauthorized review, use, disclosure and/or distribution by any recipient is prohibited. If you are not the intended recipient, please delete and/or destroy all copies of this message regardless of form and any included attachments and notify 3Com immediately by contacting the sender via reply e-mail or forwarding to 3Com at [EMAIL PROTECTED]
[Full-disclosure] TPTI-07-16: CA BrightStor Hierarchical Storage Manager Buffer Overflow Vulnerabilities

TPTI-07-16: CA BrightStor Hierarchical Storage Manager Buffer Overflow Vulnerabilities
http://dvlabs.tippingpoint.com/advisory/TPTI-07-16.html
October 2, 2007

-- CVE ID:
CVE-2007-5082

-- Affected Vendor:
Computer Associates

-- Affected Products:
BrightStor Hierarchical Storage Manager r11.5

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since October 2, 2007 by Digital Vaccine protection filter ID 4922. For further product information on the TippingPoint IPS:
    http://www.tippingpoint.com

-- Vulnerability Details:
These vulnerabilities allow a remote attacker to execute arbitrary code on vulnerable installations of Computer Associates' BrightStor Hierarchical Storage Manager. Authentication is not required to exploit these vulnerabilities.

The specific flaws exist in the CsAgent service that listens by default on TCP port 2000. An opcode parsing switch statement multiplexes data funneling across various vulnerable routines. A user-supplied DWORD size value is assumed by the vulnerable agent to contain the correct length of the subsequent data and is passed directly to memory allocation routines. At least 26 out of the available 68 opcodes are vulnerable to various overflows that allow for remote code execution due to insecure data copy operations, including:

    0x01, 0x06 - 0x09, 0x0d, 0x10, 0x16 - 0x18, 0x1E, 0x1F, 0x21, 0x22, 0x26,
    0x27, 0x29, 0x32, 0x36, 0x38, 0x3A - 0x3C, 0x3E and 0x40.

-- Vendor Response:
http://supportconnectw.ca.com/public/bstorhsm/infodocs/bstorhsm-secnot.asp

-- Disclosure Timeline:
2006.11.01 - Vulnerability reported to vendor
2007.10.02 - Digital Vaccine released to TippingPoint customers
2007.10.02 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Aaron Portnoy, TippingPoint DVLabs.
[Full-disclosure] TPTI-07-17: CA BrightStor Hierarchical Storage Manager SQL Injection Vulnerabilities

TPTI-07-17: CA BrightStor Hierarchical Storage Manager SQL Injection Vulnerabilities
http://dvlabs.tippingpoint.com/advisory/TPTI-07-17.html
October 2, 2007

-- CVE ID:
CVE-2007-5084

-- Affected Vendor:
Computer Associates

-- Affected Products:
BrightStor Hierarchical Storage Manager r11.5

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since October 2, 2007 by Digital Vaccine protection filter ID 4925. For further product information on the TippingPoint IPS:
    http://www.tippingpoint.com

-- Vulnerability Details:
These vulnerabilities allow a remote attacker to inject arbitrary SQL into the backend database on vulnerable installations of CA BrightStor Hierarchical Storage Manager. Authentication is not required to exploit these vulnerabilities.

The specific flaws exist in the CsAgent service that listens by default on TCP port 2000. An opcode parsing switch statement multiplexes data funneling across various vulnerable routines. At least 7 out of the available 68 opcodes are vulnerable to SQL injections, including:

    0x07 - 0x09, 0x1E, 0x32, 0x36, 0x40.

-- Vendor Response:
http://supportconnectw.ca.com/public/bstorhsm/infodocs/bstorhsm-secnot.asp

-- Disclosure Timeline:
2006.11.01 - Vulnerability reported to vendor
2007.10.02 - Digital Vaccine released to TippingPoint customers
2007.10.02 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Aaron Portnoy, TippingPoint DVLabs.
[Full-disclosure] TPTI-07-15: Automated Solutions Modbus TCP Slave ActiveX Control Heap Corruption Vulnerability

TPTI-07-15: Automated Solutions Modbus TCP Slave ActiveX Control Heap Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/TPTI-07-15.html
September 17, 2007

-- CVE ID:
CVE-2007-4827

-- Affected Vendor:
Automated Solutions

-- Affected Products:
Modbus RTU/ASCII/TCP Slave ActiveX Control

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since September 7, 2007 by Digital Vaccine protection filter ID 5598. For further product information on the TippingPoint IPS:
    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on systems with vulnerable installations of the Automated Solutions Modbus TCP Slave ActiveX Control. Authentication is not required to exploit this vulnerability.

The specific flaw exists within MiniHMI.exe, which binds to TCP port 502. When processing malformed Modbus requests on this port, a controllable heap corruption can occur which may result in execution of arbitrary code.

-- Vendor Response:
Automated Solutions has issued an update to correct this vulnerability. More details can be found at:
    http://www.automatedsolutions.com/pub/asmbslv/setup.exe

-- Disclosure Timeline:
2007.08.20 - Vulnerability reported to vendor
2007.09.07 - Digital Vaccine released to TippingPoint customers
2007.09.17 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Ganesh Devarajan, TippingPoint DVLabs.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, the Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign up at:
    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
[Full-disclosure] TPTI-07-14: HP OpenView Multiple Product Shared Trace Service Stack Overflow Vulnerabilities

TPTI-07-14: HP OpenView Multiple Product Shared Trace Service Stack Overflow Vulnerabilities
http://dvlabs.tippingpoint.com/advisory/TPTI-07-14
August 14, 2007

-- CVE ID:
CVE-2007-1676

-- Affected Vendor:
Hewlett-Packard

-- Affected Products:
HP OpenView Internet Service
HP OpenView Performance Manager
HP OpenView Performance Agent
HP OpenView Reporter
HP OpenView Operations
HP OpenView Operations Manager for Windows
HP OpenView Service Quality Manager
HP OpenView Network Node Manager
HP OpenView Business Process Insight and Related Products
HP OpenView Dashboard
HP OpenView Performance Insight

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since August 14, 2007 by Digital Vaccine protection filter ID 4787. For further product information on the TippingPoint IPS:
    http://www.tippingpoint.com

-- Vulnerability Details:
These vulnerabilities allow remote attackers to execute arbitrary code on vulnerable installations of multiple Hewlett-Packard (HP) OpenView products, including: Performance Manager, Performance Agent, Reporter, Operations, Operations Manager, Service Quality Manager, Network Node Manager, Business Process Insight, Dashboard and Performance Insight. Authentication is not required to exploit these vulnerabilities.

The specific flaws exist within the OpenView Shared Trace Service, a service that is distributed with multiple products as ovtrcsvc.exe and OVTrace.exe. The vulnerable service may be found bound to TCP port 5053 (ovtrcsvc.exe) or TCP port 5051 (OVTrace.exe). Specially crafted data through opcode handlers 0x1a and 0x0f can result in arbitrary code execution under the context of the SYSTEM user.

-- Vendor Response:
Hewlett-Packard has issued updates to correct this vulnerability. More details can be found at:
    http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01106515
    http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01109171
    http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01109584
    http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01109617
    http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01110576
    http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01110627
    http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c0851
    http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01112038
    http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01114023
    http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01114156
    http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01115068

-- Disclosure Timeline:
2006.10.10 - Vulnerability reported to vendor
2007.08.14 - Digital Vaccine released to TippingPoint customers
2007.08.14 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Cody Pierce, Pedram Amini and Aaron Portnoy of TippingPoint DVLabs.
[Full-disclosure] TPTI-07-13: Borland Interbase ibserver.exe Create-Request Buffer Overflow Vulnerability

TPTI-07-13: Borland Interbase ibserver.exe Create-Request Buffer Overflow Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-07-13
http://dvlabs.tippingpoint.com/blog/1024/Step-by-Step-of-Discovery
July 24, 2007

-- CVE ID:
CVE-2007-3566

-- Affected Vendor:
Borland

-- Affected Products:
Borland InterBase 2007

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since February 1, 2007 by Digital Vaccine protection filter ID 5066. For further product information on the TippingPoint IPS:
    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Borland Interbase. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the database service, ibserver.exe, which binds to TCP port 3050. The service receives socket data in the following format:

    [4-byte request][request arguments][data]

A vulnerability exists in Interbase when specifying a "create" request (0x14). The request is broken down as such:

    [0x0014][4-byte id][4-byte size][data]

The vulnerability exists during an inline string copy operation:

    0x0043A0C5 mov ecx, [ebp+var_8D8]
    0x0043A0CB and ecx, 0h
    0x0043A0D1 mov esi, [ebp+arg_8]
    0x0043A0D4 mov edi, [ebp+var_1C]
    0x0043A0D7 mov eax, ecx
    0x0043A0D9 shr ecx, 2
    0x0043A0DC rep movsd

Where ecx is our 4-byte size, esi is our data, and edi a stack pointer. When a large value is specified in the size, the associated data is copied to the stack, resulting in a classic overflow. With enough data the SEH pointer can be compromised and arbitrary code execution is trivial.

-- Vendor Response:
Borland has released InterBase 2007 SP2 which addresses this vulnerability. More details can be found at:
    http://www.codegear.com/downloads/regusers/interbase

-- Disclosure Timeline:
2007.01.31 - Vulnerability reported to vendor
2007.02.01 - Digital Vaccine released to TippingPoint customers
2007.07.24 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Cody Pierce, TippingPoint DVLabs.
[Full-disclosure] TPTI-07-12: Multiple Vendor Progress Server Heap Overflow Vulnerability

TPTI-07-12: Multiple Vendor Progress Server Heap Overflow Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-07-12.html
July 12, 2007

-- CVE ID:
CVE-2007-2417

-- Affected Vendor:
Progress Software

-- Affected Products:
RSA Authentication Manager
Progress Database

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since May 22, 2007 by Digital Vaccine protection filter ID 5326. For further product information on the TippingPoint IPS:
    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of RSA Authentication Manager and other products that include the Progress server. User interaction is not required to exploit this vulnerability.

The specific flaw exists in the Progress Server listening by default on TCP ports 5520 and 5530. The _mprosrv.exe process trusts a user-supplied DWORD size and attempts to receive that amount of data into a statically allocated heap buffer. The user-supplied size parameter is used directly as an argument to recv() as shown below:

    _mprosrv.exe:
    0044F24F mov eax, [esp+42Ch+buf] ; 1012 byte heap buffer
    0044F253 push 0                   ; flags
    0044F255 push esi                 ; attacker-controlled size
    0044F256 push eax                 ; 1012 byte heap buffer
    0044F257 push edi                 ; s
    0044F258 call recv

The heap buffer which is received into is 1012 bytes. Sending more than 1012 bytes will overflow into subsequent heap chunks. This heap corruption can be leveraged by an attacker to execute arbitrary code in the context of the SYSTEM user.

-- Vendor Response:
RSA has made hot fixes available to registered users through RSA Customer Support. For more information, please visit the RSA website for the appropriate product:

For RSA ACE/Server 5.2, apply the following hot fix on top of Patch 1:
    https://knowledge.rsasecurity.com/dlcpages/rsa_securid/securid_dlc_as52p.asp

For RSA Authentication Manager 6.0, apply the following hot fix on top of Patch 2 (scroll down to the second half of the page):
    https://knowledge.rsasecurity.com/dlcpages/rsa_securid/securid_dlc_am60p2.asp

For RSA SecurID Appliance 2.0, apply the following hot fix on top of the Upgrade 2.0.1:
    https://knowledge.rsasecurity.com/dlcpages/rsa_securid/securid_dlc_app.asp

For RSA Authentication Manager 6.1, apply the 6.1.2 patch:
    https://knowledge.rsasecurity.com/dlcpages/rsa_securid/securid_dlc_am60p2.asp

RSA recommends that all customers using RSA ACE/Server 5.2, RSA Authentication Manager 6.0 and 6.1, and RSA SecurID Appliance 2.0 install the hot fixes. RSA states: "Notification was recently (June 28, 2007) sent to RSA SecurCare customers about the vulnerability and the correct way to resolve it."

-- Disclosure Timeline:
2007.03.14 - Vulnerability reported to vendor
2007.05.22 - Digital Vaccine released to TippingPoint customers
2007.07.12 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Aaron Portnoy, TippingPoint DVLabs.
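The trusted-length pattern shared by the RepliStor (TPTI-07-18), BrightStor HSM (TPTI-07-16), InterBase (TPTI-07-13) and Progress (TPTI-07-12) advisories, as an added example that is not code from any of those advisories or vendors: a receiver for a hypothetical "[4-byte little-endian length][payload]" frame that bounds the peer's length against the destination before it is ever used as a recv()/copy count. The in-memory stream standing in for the socket, the RX_* names and the WIRE_* captures are constructed for this example.

```c
/* Added example; not code from any of the advisories or vendors above.
 * RepliStor, BrightStor HSM, InterBase and the Progress server all failed
 * the same way: a 4-byte length taken from the peer was used directly as a
 * recv()/copy count or an allocation size.  This receiver for a hypothetical
 * "[4-byte little-endian length][payload]" frame shows the checks that
 * pattern was missing; an in-memory stream replaces the socket so partial
 * reads can be exercised offline. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RX_BUF_SIZE 1012u   /* the buffer size named in TPTI-07-12 */

enum rx_status { RX_OK = 0, RX_TOO_LARGE = -1, RX_TRUNCATED = -2, RX_ZERO_LEN = -3 };

/* Stand-in for a socket: hands out at most `chunk` bytes per call, the
 * way recv() may return a short read. */
struct stream { const uint8_t *data; size_t len, pos, chunk; };

static size_t stream_read(struct stream *s, uint8_t *dst, size_t want)
{
    size_t left = s->len - s->pos;
    size_t n = want < left ? want : left;
    if (n > s->chunk) n = s->chunk;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Loop until exactly `want` bytes have arrived or the stream ends. */
static int read_exact(struct stream *s, uint8_t *dst, size_t want)
{
    size_t got = 0;
    while (got < want) {
        size_t n = stream_read(s, dst + got, want - got);
        if (n == 0) return RX_TRUNCATED;
        got += n;
    }
    return RX_OK;
}

/* Receive one frame into buf[cap].  The flawed pattern in the advisories
 * was the equivalent of   recv(s, buf, peer_len, 0)   with peer_len
 * unchecked; here the length is bounded by the destination before it is
 * used as a count, and that same bounded value governs every later copy.
 * Returns the payload length on success, an enum rx_status (<0) on error. */
long recv_frame(struct stream *s, uint8_t *buf, size_t cap)
{
    uint8_t hdr[4];
    int rc = read_exact(s, hdr, sizeof hdr);
    if (rc != RX_OK) return rc;
    uint32_t peer_len = (uint32_t)hdr[0]       | (uint32_t)hdr[1] << 8 |
                        (uint32_t)hdr[2] << 16 | (uint32_t)hdr[3] << 24;
    if (peer_len == 0)  return RX_ZERO_LEN;
    if (peer_len > cap) return RX_TOO_LARGE;   /* the check that was missing */
    rc = read_exact(s, buf, peer_len);         /* count is now <= cap */
    if (rc != RX_OK) return rc;
    return (long)peer_len;
}

/* Constructed wire captures (not real traffic). */
static const uint8_t WIRE_OK[]    = { 0x05,0x00,0x00,0x00, 'h','e','l','l','o' };
static const uint8_t WIRE_HUGE[]  = { 0xFF,0xFF,0xFF,0xFF, 'A','A','A','A' };  /* claims ~4 GiB */
static const uint8_t WIRE_OVER[]  = { 0xF5,0x03,0x00,0x00, 'A' };              /* claims 1013 */
static const uint8_t WIRE_SHORT[] = { 0x08,0x00,0x00,0x00, 'a','b','c' };      /* claims 8, sends 3 */

/* Run one capture through recv_frame with a 1012-byte buffer, delivering
 * at most `chunk` bytes per read; returns recv_frame's result. */
long run_capture(const uint8_t *wire, size_t wire_len, size_t chunk)
{
    uint8_t buf[RX_BUF_SIZE];
    struct stream s = { wire, wire_len, 0, chunk };
    return recv_frame(&s, buf, sizeof buf);
}

int main(void)
{
    printf("ok, 2-byte reads : %ld\n", run_capture(WIRE_OK,    sizeof WIRE_OK,    2));
    printf("0xFFFFFFFF length: %ld\n", run_capture(WIRE_HUGE,  sizeof WIRE_HUGE,  64));
    printf("1013 into 1012   : %ld\n", run_capture(WIRE_OVER,  sizeof WIRE_OVER,  64));
    printf("short payload    : %ld\n", run_capture(WIRE_SHORT, sizeof WIRE_SHORT, 64));
    return 0;
}
```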
[Full-disclosure] ZDI-07-040: Symantec AntiVirus Engine CAB Parsing Heap Overflow Vulnerability

ZDI-07-040: Symantec AntiVirus Engine CAB Parsing Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-040.html
July 12, 2007

-- CVE ID:
CVE-2007-0447

-- Affected Vendor:
Symantec

-- Affected Products:
Symantec AntiVirus Engine

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since November 30, 2006 by Digital Vaccine protection filter ID 4875. For further product information on the TippingPoint IPS:
    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on systems with affected installations of Symantec's AntiVirus Engine. User interaction is not required to exploit this vulnerability.

The specific flaw exists during the process of scanning multiple maliciously formatted CAB archives. The parsing routine implicitly trusts certain user-supplied values that can result in an exploitable heap corruption.

-- Vendor Response:
Symantec has issued an update to correct this vulnerability. More details can be found at:
    http://www.symantec.com/avcenter/security/Content/2007.07.11f.html

-- Disclosure Timeline:
2006.11.09 - Vulnerability reported to vendor
2006.11.30 - Digital Vaccine released to TippingPoint customers
2007.07.12 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by an anonymous researcher.
[Full-disclosure] TPTI-07-09: Macrovision FLEXnet boisweb.dll ActiveX Control Buffer Overflow Vulnerability

TPTI-07-09: Macrovision FLEXnet boisweb.dll ActiveX Control Buffer Overflow Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-07-09
June 4, 2007

-- CVE ID:
CVE-2007-2419

-- Affected Vendor:
Macrovision

-- Affected Products:
Update Service 3.x
Update Service 4.x
Update Service 5.x
FLEXnet Connect 6

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since November 6, 2006 by Digital Vaccine protection filter IDs 4323 and 4327. For further product information on the TippingPoint IPS:
    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Business Objects Crystal Reports. Exploitation requires the target to visit a malicious web site.

This specific flaw exists within the ActiveX control with CLSID 85A4A99C-8C3D-499E-A386-E0743DFF8FB7. Specifying large values to two specific functions available in this control results in an exploitable stack based buffer overflow. The vulnerable functions / parameters include:

    * DownloadAndExecute(), second of five parameters
    * AddFileEx(), third of seven parameters

-- Vendor Response:
Notification was recently (January) sent to Macrovision customers about the vulnerability and the correct way to resolve it (patching to a newer version of the agent resolves the issue). The exact timing of this deployment is left to our customers and partners.

-- Disclosure Timeline:
2006.06.22 - Vulnerability reported to vendor
2006.11.06 - Digital Vaccine released to TippingPoint customers
2007.06.04 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Pedram Amini, TippingPoint DVLabs.
[Full-disclosure] TPTI-07-08: Symantec Veritas Storage Foundation Scheduler Service Authentication Bypass Vulnerability

TPTI-07-08: Symantec Veritas Storage Foundation Scheduler Service Authentication Bypass Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-07-08
June 4, 2007

-- CVE ID:
CVE-2007-2279

-- Affected Vendor:
Symantec

-- Affected Products:
Veritas Storage Foundation

-- Vulnerability Details:
This vulnerability allows an attacker to execute arbitrary code on vulnerable installations of Symantec Veritas Storage Foundation. Authentication is not required to exploit this vulnerability.

The specific flaw exists in the functionality exposed by the Storage Foundation for Windows Scheduler Service, VxSchedService.exe, which listens by default on TCP port 4888. During normal use an administrator may add schedules to be run using the management console, which requires authentication. However, if an attacker connects directly to the scheduler service and issues the commands, there exists no validation of credentials. The packet is parsed for requests as shown in the following snippet:

    .text:01016720 mov eax, [ebp-80h]      ; controlled buffer
    .text:01016723 dec eax                 ;
    .text:01016724 mov byte ptr [ebp-4], 1
    .text:01016728 jz create_registry
    .text:0101672E dec eax
    .text:0101672F jz short delete_registry
    .text:01016731 dec eax
    .text:01016732 dec eax
    .text:01016733 jz short modify_registry

A malicious attacker is able to add, modify, or delete registry values from HKEY_LOCAL_MACHINE\Software\Veritas\VxSvc\CurrentVersion\Schedules, which holds the schedules for snapshots. Each schedule has a PreScript and PostScript field which allow for arbitrary commands to be executed when the schedule is run. Modification of either of these fields will allow for remote code execution.

-- Vendor Response:
http://seer.entsupport.symantec.com/docs/288627.htm

-- Disclosure Timeline:
2007.02.08 - Vulnerability reported to vendor
2007.06.04 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Aaron Portnoy, TippingPoint DVLabs.
[Full-disclosure] TPTI-07-10: Centennial Software XferWan.exe Stack Overflow Vulnerability

TPTI-07-10: Centennial Software XferWan.exe Stack Overflow Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-07-10
June 4, 2007

-- CVE ID:
CVE-2007-2514

-- Affected Vendor:
Centennial Software

-- Affected Products:
Symantec Discovery 6.5

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since April 3, 2007 by Digital Vaccine protection filter ID 5231. For further product information on the TippingPoint IPS:
    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of software utilizing Centennial Software XferWan. Authentication is not required to exploit this vulnerability.

The specific flaw exists during the parsing of overly long requests to the XferWAN process. When logging requests, user-supplied data is copied to the stack, resulting in an exploitable buffer overflow condition. The following disassembly excerpt from the logging function demonstrates the issue:

    004047A0 mov cl, Filename[eax]
    004047A6 mov [esp+eax+890h+ExistingFileName], cl
    004047AD inc eax
    004047AE test cl, cl
    004047B0 jnz short loc_4047A0

A lack of sanity checking on the size of 'Filename' results in an exploitable stack-based buffer overflow vulnerability that can result in a system compromise running under the context of the SYSTEM user.

-- Vendor Response:
Centennial has rectified an issue in the XFERWAN component of Centennial Discovery which could be remotely exploited by malicious people to compromise a system. This issue only affects systems running non-secure communications, which comprise a very small percentage of installations worldwide. Customers can find instructions on how to identify if they are susceptible to the vulnerability and correct it, if necessary, on the Centennial Customer Support website.

-- Disclosure Timeline:
2007.03.07 - Vulnerability reported to vendor
2007.04.03 - Digital Vaccine released to TippingPoint customers
2007.06.04 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Cody Pierce, TippingPoint DVLabs.
[Full-disclosure] TPTI-07-07: Apple QuickTime STSD Parsing Heap Overflow Vulnerability
TPTI-07-07: Apple QuickTime STSD Parsing Heap Overflow Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-07-07
May 10, 2007

-- CVE ID:
CVE-2007-0754

-- Affected Vendor:
Apple

-- Affected Products:
QuickTime Player 7.x

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since January 31, 2006 by Digital Vaccine protection filter ID 4109. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Apple Quicktime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of malformed Sample Table Sample Descriptor (STSD) atoms. Specifying a malicious atom size can result in an under allocated heap chunk and subsequently an exploitable heap corruption.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details can be found at:
http://docs.info.apple.com/article.html?artnum=304357

-- Disclosure Timeline:
2006.06.16 - Vulnerability reported to vendor
2006.01.31 - Digital Vaccine released to TippingPoint customers
2007.05.10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Ganesh Devarajan, TippingPoint DVLabs.
[Full-disclosure] TPTI-07-06: Trillian Pro Rendezvous XMPP HTML Decoding Heap Corruption
TPTI-07-06: Trillian Pro Rendezvous XMPP HTML Decoding Heap Corruption
http://dvlabs.tippingpoint.com/advisory/TPTI-07-06
May 2, 2007

-- CVE ID:
CVE-2007-2418

-- Affected Vendor:
Cerulean Studios

-- Affected Products:
Trillian Pro 3.1 build 121 and below

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since May 2, 2007 by Digital Vaccine protection filter ID 5328. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Cerulean Studios Trillian Pro. Authentication is not required to exploit this vulnerability.

The specific flaw exists in the Rendezvous / XMPP (Extensible Messaging and Presence Protocol) messaging subsystem. Trillian locates nearby users through the '_presence' mDNS (multicast DNS) service on UDP port 5353. Once a user is registered through mDNS, messaging is accomplished via XMPP over TCP port 5298. Within plugins\rendezvous.dll the following logic is applied to received messages:

    4900C470 str_len:
    4900C470 mov     cl, [eax]           ; *eax = message+1
    4900C472 inc     eax
    4900C473 test    cl, cl
    4900C475 jnz     short str_len
    4900C477 sub     eax, edx
    4900C479 add     eax, 128            ; strlen(message+1) + 128
    4900C47E push    eax
    4900C47F call    _malloc

The string length of the supplied message is calculated and a heap buffer in the amount of length + 128 is allocated to store a copy of the message which is then passed through expatxml.xmlComposeString(), a function called with the following prototype:

    plugin_send(MYGUID, "xmlComposeString", struct xml_string_t *);

    struct xml_string_t {
        unsigned int       struct_size;
        char              *string_buffer;
        struct xml_tree_t *xml_tree;
    };

The xmlComposeString() routine calls through to expatxml.19002420() which, among other things, HTML encodes the characters &, > and < as &amp;, &gt; and &lt; respectively. This behavior can be seen in the following disassembly snippet:

    19002492 push    0
    19002494 push    0
    19002496 push    offset str_Amp      ; "&amp;"
    1900249B push    offset ampersand    ; "&"
    190024A0 push    eax
    190024A1 call    sub_190023A0
    190024A6 push    0
    190024A8 push    0
    190024AA push    offset str_Lt       ; "&lt;"
    190024AF push    offset less_than    ; "<"
    190024B4 push    eax
    190024B5 call    sub_190023A0
    190024BA push    0
    190024BC push    0
    190024BE push    offset str_Gt       ; "&gt;"
    190024C3 push    offset greater_than ; ">"
    190024C8 push    eax
    190024C9 call    sub_190023A0

As the originally calculated string length does not account for this string expansion, the following subsequent in-line memory copy operation within rendezvous.dll can trigger an exploitable memory corruption:

    4900C4EC mov     ecx, eax
    4900C4EE shr     ecx, 2
    4900C4F1 rep movsd
    4900C4F3 mov     ecx, eax
    4900C4F5 and     ecx, 3
    4900C4F8 rep movsb

Note that binary data can be transmitted across the XMPP protocol via UTF-8 encoding.

-- Vendor Response:
Cerulean Studios has issued an update to correct this vulnerability. More details can be found at:
http://blog.ceruleanstudios.com/

-- Disclosure Timeline:
2007.02.15 - Vulnerability reported to vendor
2007.05.02 - Digital Vaccine released to TippingPoint customers
2007.05.02 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Pedram Amini, TippingPoint Security Research Team.
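The sizing defect described in TPTI-07-06 (a heap buffer of strlen + 128 bytes receiving output that the HTML encoding step may grow by up to four extra bytes per character) can be shown in C without any of the Trillian code. The example below is added here and is not from the advisory or from Cerulean Studios; it implements the same three replacements, computes the post-encoding length, and sizes the allocation from that figure rather than from a fixed slack. The function names and the sample messages are constructed for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Replacement strings for the three characters the advisory names.
 * '&' grows from 1 byte to 5, '<' and '>' from 1 byte to 4. */
static const char *entity_for(char c)
{
    switch (c) {
    case '&': return "&amp;";
    case '<': return "&lt;";
    case '>': return "&gt;";
    default:  return NULL;
    }
}

/* Number of bytes the message occupies after encoding (without NUL).
 * This, not strlen(message), is the figure an allocation must be based on. */
size_t html_encoded_len(const char *msg)
{
    size_t n = 0;
    for (; *msg; msg++) {
        const char *rep = entity_for(*msg);
        n += rep ? strlen(rep) : 1;
    }
    return n;
}

/* Encode msg into dst. Returns bytes written (without NUL), or (size_t)-1
 * when dst_size is too small, in which case nothing is written. */
size_t html_encode(char *dst, size_t dst_size, const char *msg)
{
    if (html_encoded_len(msg) + 1 > dst_size)
        return (size_t)-1;
    char *p = dst;
    for (; *msg; msg++) {
        const char *rep = entity_for(*msg);
        if (rep) {
            size_t l = strlen(rep);
            memcpy(p, rep, l);
            p += l;
        } else {
            *p++ = *msg;
        }
    }
    *p = '\0';
    return (size_t)(p - dst);
}

/* The sizing rule from the rendezvous.dll disassembly: strlen(message) + 128.
 * Returns 1 if the encoded message plus its NUL would not fit in that
 * allocation, 0 if the fixed slack happens to be enough. */
int fixed_slack_overflows(const char *msg)
{
    size_t alloc = strlen(msg) + 128;
    return html_encoded_len(msg) + 1 > alloc;
}

/* Hardened path: size the heap buffer from the post-expansion length.
 * The caller frees the result; NULL on allocation failure. */
char *encode_message(const char *msg)
{
    size_t size = html_encoded_len(msg) + 1;
    char *buf = malloc(size);
    if (buf == NULL)
        return NULL;
    html_encode(buf, size, msg);
    return buf;
}

/* Encode msg and compare with expected; frees the buffer. 1 on match. */
int encodes_to(const char *msg, const char *expected)
{
    char *out = encode_message(msg);
    if (out == NULL)
        return 0;
    int same = strcmp(out, expected) == 0;
    free(out);
    return same;
}

/* A run of n '<' characters (constructed input): each expands to 4 bytes,
 * so the fixed 128-byte slack is exhausted once 4n + 1 > n + 128,
 * i.e. from n = 43 onward. Returns the fixed_slack_overflows() verdict. */
int lt_run_overflows_fixed_slack(size_t n)
{
    char *msg = malloc(n + 1);
    if (msg == NULL)
        return -1;
    memset(msg, '<', n);
    msg[n] = '\0';
    int r = fixed_slack_overflows(msg);
    free(msg);
    return r;
}
```

lt_run_overflows_fixed_slack() makes the arithmetic concrete: for a message of 42 '<' characters the 128-byte slack still covers the growth, at 43 it no longer does, which is why a fixed allowance cannot replace a length computed from the encoded output.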
[Full-disclosure] TPTI-07-05: IBM Tivoli Provisioning Manager for OS Deployment Multiple Stack Overflow Vulnerabilities
TPTI-07-05: IBM Tivoli Provisioning Manager for OS Deployment Multiple Stack Overflow Vulnerabilities
http://dvlabs.tippingpoint.com/advisory/TPTI-07-05
May 2, 2007

-- CVE ID:
CVE-2007-1868

-- Affected Vendor:
IBM

-- Affected Products:
Tivoli Provisioning Manager for OS Deployment

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on systems with vulnerable installations of IBM Tivoli Provisioning Manager for OS Deployment. Authentication is not required to exploit this vulnerability.

The specific flaws exist in the handling of HTTP requests to the rembo.exe service listening on TCP port 8080. Several components of an HTTP request can be modified to trigger buffer overflows. For example, by supplying an overly long filename an attacker is able to overflow a 150 byte stack buffer and subsequently execute arbitrary code. The overflow occurs during a string copy loop, shown here:

    00431136 lea     edi, [ebp+var_3C4]  ; 150 byte stack buffer
    ...
    00431148 stringcopy:
    00431148 mov     al, [edx]           ; edx -> our data
    0043114A add     edx, 1
    0043114D mov     [edi], al           ; edi -> stack buffer
    0043114F add     edi, 1
    00431152 test    al, al
    00431154 jnz     short stringcopy

The Host and Authorization fields are also vulnerable to similar exploitable overflows.

-- Vendor Response:
IBM has issued an update to correct this vulnerability. More details can be found at:
http://www-1.ibm.com/support/docview.wss?uid=swg24015664

-- Disclosure Timeline:
2006.12.18 - Vulnerability reported to vendor
2007.05.02 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Aaron Portnoy, TippingPoint Security Research Team.
[Full-disclosure] TSRT-07-04: LANDesk Management Suite Alert Service Stack Overflow Vulnerability
TSRT-07-04: LANDesk Management Suite Alert Service Stack Overflow Vulnerability
http://www.tippingpoint.com/security/advisories/TSRT-07-04.html
April 13, 2007

-- CVE ID:
CVE-2007-1674

-- Affected Vendor:
LANDesk

-- Affected Products:
Management Suite 8.7

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since March 23, 2007 by Digital Vaccine protection filter ID 5210. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of LANDesk Management Suite. User interaction is not required to exploit this vulnerability.

The specific flaw exists in the Alert Service listening on UDP port 65535. The Aolnsrvr.exe process accepts user-supplied data and performs an inline memory copy into a 268 byte stack-based buffer. Supplying additional data results in a buffer overflow and SEH overwrite. The vulnerable memory copy is shown here:

    0041EF49 mov     edi, eax            ; edi pointer to stack buffer
    0041EF4B mov     eax, ecx
    0041EF4D shr     ecx, 2              ; total size of data
    0041EF50 rep movsd
    0041EF52 mov     ecx, eax
    0041EF54 mov     eax, ebx
    0041EF56 and     ecx, 3
    0041EF59 rep movsb

Exploitation allows an attacker to execute arbitrary code under the context of the SYSTEM user.

-- Vendor Response:
LANDesk has issued an update to correct this vulnerability. More details can be found at:
http://kb.landesk.com/display/4n/kb/article.asp?aid=4142

-- Disclosure Timeline:
2007.03.08 - Vulnerability reported to vendor
2007.03.23 - Digital Vaccine released to TippingPoint customers
2007.04.13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Aaron Portnoy, TippingPoint Security Research Team.
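TPTI-07-10, TPTI-07-05 and TSRT-07-04 above show two shapes of one defect: a byte-by-byte copy that stops only at a NUL, and an inline rep movsd/movsb copy whose byte count is taken from the datagram itself. The C below is added here and is not code from the advisories or from the affected products; it renders the copy loop in C, places a bounded copy beside it, and adds a length-checked copy for the datagram case. The 150- and 268-byte buffer sizes come from the advisories; the simulated handlers and all function names are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Buffer sizes quoted in the advisories: the 150-byte stack buffer in
 * TPTI-07-05 and the 268-byte stack buffer in TSRT-07-04. */
#define LOG_BUF_SIZE   150
#define ALERT_BUF_SIZE 268

/* Direct C rendering of the loop in the XferWan and Tivoli disassembly:
 * copy one byte at a time until the terminating NUL, never comparing the
 * write position against the size of dst. For comparison only. */
void copy_until_nul(char *dst, const char *src)
{
    unsigned char c;
    do {
        c = (unsigned char)*src++;   /* mov al, [edx] ; add edx, 1 */
        *dst++ = (char)c;            /* mov [edi], al ; add edi, 1 */
    } while (c != 0);                /* test al, al ; jnz stringcopy */
}

/* Bounded replacement: look for the terminator only within the first
 * dst_size bytes of src and refuse the copy when it is not there.
 * Returns 0 on success, -1 when src plus its NUL does not fit. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size)               /* no terminator inside the budget */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Length-checked form of the rep movsd/movsb copy in TSRT-07-04: the byte
 * count arrives with the datagram, so it is compared against the
 * destination before anything is moved. Returns 0 or -1. */
int copy_sized(unsigned char *dst, size_t dst_size,
               const unsigned char *src, size_t len)
{
    if (len > dst_size)
        return -1;
    memcpy(dst, src, len);
    return 0;
}

/* Simulated request logger (constructed): the filename lands in a fixed
 * stack buffer as in the advisories, but via the bounded copy.
 * Returns 0 if logged, -1 if the request was rejected as too long. */
int log_request(const char *filename)
{
    char existing_file_name[LOG_BUF_SIZE];
    return copy_bounded(existing_file_name, sizeof existing_file_name, filename);
}

/* Simulated alert handler (constructed): a datagram of len bytes is
 * copied into a 268-byte stack buffer. Returns 0 or -1. */
int handle_alert(const unsigned char *data, size_t len)
{
    unsigned char buf[ALERT_BUF_SIZE];
    return copy_sized(buf, sizeof buf, data, len);
}

/* Exercise the unbounded loop on input that does fit, to show it behaves
 * as a plain strcpy; returns the length of the copy. */
size_t copy_until_nul_demo(void)
{
    char buf[16];
    copy_until_nul(buf, "xfer.log");
    return strlen(buf);
}

/* Inputs of a chosen length so the boundaries can be probed. */
int log_request_of_length(size_t n)
{
    char name[512];
    if (n >= sizeof name)
        n = sizeof name - 1;
    memset(name, 'A', n);
    name[n] = '\0';
    return log_request(name);
}

int handle_alert_of_length(size_t n)
{
    unsigned char data[512];
    if (n > sizeof data)
        n = sizeof data;
    memset(data, 0x41, n);
    return handle_alert(data, n);
}
```

The boundary behaviour is the point: a 149-byte filename is the longest log_request() accepts (150 bytes including the NUL), and 268 bytes is the largest datagram handle_alert() copies; one byte more is rejected instead of running off the end of the stack buffer.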
[Full-disclosure] TSRT-07-03: America Online SuperBuddy ActiveX Control Code Execution Vulnerability
TSRT-07-03: America Online SuperBuddy ActiveX Control Code Execution
http://www.tippingpoint.com/security/advisories/TSRT-07-03.html
March 30, 2007

-- CVE ID:
CVE-2006-5820

-- Affected Vendor:
America Online

-- Affected Products:
America Online 9.0 Security Edition

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since November 6, 2006 by Digital Vaccine protection filter ID 4553. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of America Online with Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw exists in the LinkSBIcons() method exposed through the ActiveX control 'Sb.SuperBuddy.1' with the following CLSID:

    189504B8-50D1-4AA8-B4D6-95C8F58A6414

The affected control implements the IObjectSafety interface and therefore allows a web site to invoke the control under default Internet Explorer settings without any further user interaction. The vulnerable method is defined as:

    int LinkSBIcons(IUnknown *interface)

As the method accepts an unchecked user-controlled value specifying a pointer to an object, a subsequent function dereference is completely under attacker control. This can easily lead to arbitrary code execution under the context of the logged in user.

It is important to note that many PCs ship with this vulnerable component by default, including Dell and Hewlett-Packard among others. Since AOL is addressing this issue as an update through their internet service, many users are left without any recourse for mitigation. Concerned users can specify a "kill bit" for the affected control to prevent it from loading within Internet Explorer. To do so, create the following registry key:

    HKEY_LOCAL_MACHINE\
        SOFTWARE\
        Microsoft\
        Internet Explorer\
        ActiveX Compatibility\
        {189504B8-50D1-4AA8-B4D6-95C8F58A6414}

With the value 'Compatibility Flags' set to 0x400.

-- Vendor Response:
America Online has issued an update to correct this vulnerability as of 3/29/2007. The update is automatically applied the next time users log into the AOL service.

-- Disclosure Timeline:
2006.07.18 - Vulnerability reported to vendor
2006.11.06 - Digital Vaccine released to TippingPoint customers
2007.03.30 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Cody Pierce, Tipping Point Security Research Team.
[Full-disclosure] TSRT-07-01: Trend Micro ServerProtect StCommon.dll Stack Overflow Vulnerabilities
TSRT-07-01: Trend Micro ServerProtect StCommon.dll Stack Overflow Vulnerabilities
http://www.tippingpoint.com/security/advisories/TSRT-07-01.html
February 20, 2007

-- CVE ID:
CVE-2007-1070

-- Affected Vendor:
Trend Micro

-- Affected Products:
ServerProtect for Windows 5.58
ServerProtect for EMC 5.58
ServerProtect for Network Appliance Filer 5.61
ServerProtect for Network Appliance Filer 5.62

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since January 16, 2007 by Digital Vaccine protection filter ID 5050. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
These vulnerabilities allow attackers to execute arbitrary code on vulnerable installations of Trend Micro ServerProtect. Authentication is not required to exploit these vulnerabilities.

The specific flaws exist within the StCommon.dll library and are reachable remotely through a DCE/RPC endpoint on TCP port 5168 bound to by the service SpntSvc.exe. The RPC endpoint is exposed from TmRpcSrv.dll with the following IDL stub information:

    // opcode: 0x00, address: 0x65741030
    // uuid:2528-bd5b-11d1-9d53-0080c83a5c2c
    // version: 1.0
    error_status_t rpc_opnum_0 (
        [in] handle_t arg_1,
        [in] long trend_req_num,
        [in][size_is(arg_4)] byte overflow_str[],
        [in] long arg_4,
        [out][size_is(arg_6)] byte arg_5[],
        [in] long arg_6
    );

The upper half of the 'trend_req_num' DWORD RPC argument from above is used within TmRpcSrv.dll as an index into a call table. It must specifically be 0x000a which results in a call to StRpcSrv.65673970(). The original arguments to the RPC endpoint are then passed to this called routine:

    657416E6 mov     eax, opnum0_call_table[eax*4]
    657416ED test    eax, eax
    657416EF jnz     short loc_65741707
    ...
    65741707 loc_65741707:
    65741707 mov     [ebp+var_4], 0
    6574170E mov     edx, [ebp+sizeof_arg5]
    65741711 push    edx
    65741712 mov     edx, [ebp+arg5_array]
    65741715 push    edx
    65741716 mov     edx, [ebp+sizeof_overflow_str]
    65741719 push    edx
    6574171A mov     edx, [ebp+overflow_str]
    6574171D push    edx
    6574171E push    ecx                 ; trend_req_num
    6574171F call    eax                 ; call handler

The lower half of the 'trend_req_num' DWORD RPC argument is then used within StRpcSrv.dll as an index into a second call table. The value of this lower half controls the code flow to the following vulnerabilities and is hereto referred to as the 'subcode'.

--[ Vulnerability One

A subcode value of either 0x0011 or 0x0017 results in the following call:

    65674D7F push    ebx                 ; overflow_str
    65674D80 call    CMON_NetTestConnection

A stack overflow occurs within the routine CMON_NetTestConnection() due to an unbounded widechar wsprintf() into a 44 byte stack based buffer as shown in the following relevant excerpt:

    65634AC5 xor     ecx, ecx
    65634AC7 lea     edx, [esp+65Ch+Name] ; 44 byte stack buffer
    65634ACB mov     cx, [eax]
    65634ACE push    ecx
    65634ACF push    ebx                 ; 1st arg
    65634AD0 push    offset str_SC       ; "%s\\%c$"
    65634AD5 push    edx                 ; LPWSTR
    65634AD6 call    ds:wsprintfW        ; vuln!

--[ Vulnerability Two

A subcode value of either 0x0008 or 0x0009 results in calls to CMON_ActiveUpdate() and CMON_ActiveRollback() respectively. Both of these routines subsequently call StCommon.65631220() which can result in a stack overflow due to an unbounded widechar lstrcat() into a 2k stack-based buffer as shown in the following relevant excerpt:

    65631311 lea     edx, [esp+0A78h+buf]
    65631318 push    ebp                 ; lpString2
    65631319 push    edx                 ; lpString1
    6563131A call    ebx                 ; lstrcatW ; stack overflow

The resulting stack overflows can be leveraged to execute arbitrary code under the privileges of the SYSTEM user.

-- Vendor Response:
Trend Micro has issued an update to correct this vulnerability. More details can be found at:
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290

-- Disclosure Timeline:
2007.01.16 - Digital Vaccine released to TippingPoint customers
2007.01.19 - Vulnerability reported to vendor
2007.02.20 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Pedram Amini, TippingPoint Security Research Team.
[Full-disclosure] TSRT-07-02: Trend Micro ServerProtect eng50.dll Stack Overflow Vulnerabilities
TSRT-07-02: Trend Micro ServerProtect eng50.dll Stack Overflow Vulnerabilities
http://www.tippingpoint.com/security/advisories/TSRT-07-02.html
February 20, 2007

-- CVE ID:
CVE-2007-1070

-- Affected Vendor:
Trend Micro

-- Affected Products:
ServerProtect for Windows 5.58
ServerProtect for EMC 5.58
ServerProtect for Network Appliance Filer 5.61
ServerProtect for Network Appliance Filer 5.62

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since January 16, 2007 by Digital Vaccine protection filter ID 5101. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
These vulnerabilities allow attackers to execute arbitrary code on vulnerable installations of Trend Micro ServerProtect. Authentication is not required to exploit these vulnerabilities.

The specific flaws exist within the StCommon.dll library and are reachable remotely through a DCE/RPC endpoint on TCP port 5168 bound to by the service SpntSvc.exe. The RPC endpoint is exposed from TmRpcSrv.dll with the following IDL stub information:

    // opcode: 0x00, address: 0x65741030
    // uuid:2528-bd5b-11d1-9d53-0080c83a5c2c
    // version: 1.0
    error_status_t rpc_opnum_0 (
        [in] handle_t arg_1,
        [in] long trend_req_num,
        [in][size_is(arg_4)] byte overflow_str[],
        [in] long arg_4,
        [out][size_is(arg_6)] byte arg_5[],
        [in] long arg_6
    );

The upper half of the 'trend_req_num' DWORD RPC argument from above is used within TmRpcSrv.dll as an index into a call table. It must specifically be 0x0003 which results in a call to StRpcSrv.65671000(). The original arguments to the RPC endpoint are then passed to this called routine:

    657416E6 mov     eax, opnum0_call_table[eax*4]
    657416ED test    eax, eax
    657416EF jnz     short loc_65741707
    ...
    65741707 loc_65741707:
    65741707 mov     [ebp+var_4], 0
    6574170E mov     edx, [ebp+sizeof_arg5]
    65741711 push    edx
    65741712 mov     edx, [ebp+arg5_array]
    65741715 push    edx
    65741716 mov     edx, [ebp+sizeof_overflow_str]
    65741719 push    edx
    6574171A mov     edx, [ebp+overflow_str]
    6574171D push    edx
    6574171E push    ecx                 ; trend_req_num
    6574171F call    eax                 ; call handler

The lower half of the 'trend_req_num' DWORD RPC argument is then used within StRpcSrv.dll as an index into a second call table. The value of this lower half controls the code flow to the following vulnerabilities and is hereto referred to as the 'subcode'.

--[ Vulnerability One

A subcode value of 0x0004 results in a call to ENG_SetRealTimeScanConfigInfo() which subsequently calls through Eng50.61181940() -> Eng50.611819E0() -> Eng50.61190F60() and can result in a stack overflow due to an unbounded widechar string copy into a ~600 byte stack-based buffer as shown in the following relevant excerpt:

    61190FC7 lea     edx, [esp+288h+szShortPath]
    61190FCB push    esi
    61190FCC push    edx
    61190FCD call    _wcscpy

--[ Vulnerability Two

A subcode value of 0x0047 results in a call to ENG_SendEMail() which can result in a stack overflow due to an unbounded widechar string copy into a ~2k stack-based buffer as shown in the following relevant excerpt:

    6118A161 mov     esi, [esp+780h+arg_0]
    6118A168 lea     eax, [esp+780h+var_778]
    6118A16C push    esi
    6118A16D push    eax
    6118A16E call    _wcscpy

The resulting stack overflows can be leveraged to execute arbitrary code under the privileges of the SYSTEM user.

-- Vendor Response:
Trend Micro has issued an update to correct this vulnerability. More details can be found at:
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290

-- Disclosure Timeline:
2007.02.01 - Vulnerability reported to vendor
2007.01.16 - Digital Vaccine released to TippingPoint customers
2007.02.20 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Pedram Amini, TippingPoint Security Research Team.
[Full-disclosure] TSRT-06-15: Citrix Presentation Server Client ActiveX Heap Overflow Vulnerability
TSRT-06-15: Citrix Presentation Server Client ActiveX Heap Overflow Vulnerability
http://www.tippingpoint.com/security/advisories/TSRT-06-15.html
December 6, 2006

-- CVE ID:
CVE-2006-6334

-- Affected Vendor:
Citrix

-- Affected Products:
Citrix Presentation Server Client for Windows < v9.230

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since February 2006 by a pre-existing Digital Vaccine protection filter ID 4163. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Citrix Presentation Server Client for Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw resides in the SendChannelData function of the ActiveX control Wfica.ocx (CLSID 238F6F83-B8B4-11CF-8771-00A024541EE3). The function is prototyped as follows:

    SendChannelData(ChannelName As String, Data As String, DataSize As Long, DataType As ICAVCDataType)

Specifying an undersized buffer length as the 'DataSize' parameter and supplying a large buffer as the 'Data' parameter results in an exploitable heap corruption.

-- Vendor Response:
Citrix has issued an update to correct this vulnerability. More details can be found at:
http://support.citrix.com/article/CTX111827

-- Disclosure Timeline:
2006.02.01 - Pre-existing Digital Vaccine released to TippingPoint customers
2006.09.19 - Vulnerability reported to vendor
2006.12.06 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Aaron Portnoy, TippingPoint Security Research Team.
[Full-disclosure] TSRT-06-14: IBM Tivoli Storage Manager Multiple Buffer Overflow Vulnerabilities
TSRT-06-14: IBM Tivoli Storage Manager Multiple Buffer Overflow Vulnerabilities
http://www.tippingpoint.com/security/advisories/TSRT-06-14.html
December 4, 2006

-- CVE ID:
CVE-2006-5855

-- Affected Vendor:
IBM

-- Affected Products:
Tivoli Storage Manager <5.2.9
Tivoli Storage Manager <5.3.4

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since April 3, 2006 by Digital Vaccine protection filter ID 4248. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
These vulnerabilities allow attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Storage Manager. Authentication is not required to exploit these vulnerabilities.

The specific flaws are similar and exist in the processing of messages by the Tivoli Storage Manager service, bound on TCP port 1500. The messages are structured in the form [index][size]. The 'index' field specifies an integer offset into the body of the message for a specific field, and the 'size' field specifies the size of the indexed field. As no validation is done on the index fields, an attacker can force the service to look beyond the end of the packet, often landing in unallocated memory and resulting in a denial of service.

The size fields are often checked to ensure they do not exceed the bounds of the destination buffers that data is being copied to. However, we have found the following four instances where the size fields are left unchecked:

Overflow 1

The initial sign-on request contains a field to specify the language. In normal cases we've seen, this string is dscenu.txt. Typically the server will validate that the language string is no longer than 0x100 bytes. However, if the first byte of the language string is 0x18, this check will not occur, and a fixed sized buffer will be overrun.

Overflows 2 and 3

There is an overflow vulnerability in messages processed by the SmExecuteWdsfSession function. There are two fields in this request, both are copied into fixed sized buffers, without any validation of their lengths.

Overflow 4

There is an overflow in the open registration message due to an unchecked copy into a fixed size buffer for the contact field of the registration.

All four of the above detailed overflows can lead to arbitrary code execution under the context of the Tivoli service.

-- Vendor Response:
IBM has issued an update to correct this vulnerability. More details can be found at:
http://www-1.ibm.com/support/docview.wss?uid=swg21250261

-- Disclosure Timeline:
2006.04.03 - Digital Vaccine released to TippingPoint customers
2006.05.09 - Vulnerability reported to vendor
2006.12.04 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by the TippingPoint Security Research Team.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
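The [index][size] message layout described in TSRT-06-14, and the caller-declared DataSize of TSRT-06-15 above, are two cases of a length or offset that arrives with the message and is trusted as it stands. The C below is added here and is not part of either advisory or either product; it shows the checks a parser needs before it copies such a field: the offset must lie inside the packet, offset plus size must lie inside the packet, and the size must fit the destination. The field header layout, the 64-byte sample packet and every function name are assumptions made for this example; only the language string dscenu.txt comes from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result codes for field validation. */
enum {
    FIELD_OK        =  0,
    FIELD_INDEX_OOB = -1,   /* index points past the end of the packet */
    FIELD_SIZE_OOB  = -2,   /* index + size runs past the end of the packet */
    FIELD_TOO_LARGE = -3    /* field does not fit the destination buffer */
};

/* One [index][size] pair as the advisory describes it. The integer widths
 * and the header layout are assumptions for this example. */
struct field_ref {
    uint32_t index;
    uint32_t size;
};

/* The three checks the advisory says are missing or skipped. The
 * subtraction is only reached once index <= packet_len, so it cannot wrap,
 * and a hostile index/size pair is rejected before any arithmetic on it
 * is used as a pointer. */
int check_field(const struct field_ref *f, size_t packet_len, size_t dst_size)
{
    if (f->index > packet_len)
        return FIELD_INDEX_OOB;
    if (f->size > packet_len - f->index)
        return FIELD_SIZE_OOB;
    if (f->size > dst_size)
        return FIELD_TOO_LARGE;
    return FIELD_OK;
}

/* Copy the referenced field into dst only after every check passes. */
int extract_field(const uint8_t *packet, size_t packet_len,
                  const struct field_ref *f, uint8_t *dst, size_t dst_size)
{
    int rc = check_field(f, packet_len, dst_size);
    if (rc != FIELD_OK)
        return rc;
    memcpy(dst, packet + f->index, f->size);
    return FIELD_OK;
}

/* The same rule for an API shaped like SendChannelData (TSRT-06-15): a
 * caller-declared size is only usable when it does not exceed the amount
 * of data actually supplied. Returns 1 when the declared size is acceptable. */
int declared_size_ok(size_t declared_size, size_t actual_len)
{
    return declared_size <= actual_len;
}

/* Constructed sample packet: 64 bytes, with the language string named in
 * the advisory stored at offset 8. */
#define SAMPLE_PACKET_LEN  64
#define SAMPLE_LANG_OFFSET 8
static const char SAMPLE_LANG[] = "dscenu.txt";

/* Build the sample packet and try to extract the field described by
 * (index, size) into a destination of dst_size bytes (capped at 256). */
int extract_from_sample(uint32_t index, uint32_t size, size_t dst_size)
{
    uint8_t packet[SAMPLE_PACKET_LEN];
    uint8_t dst[256];
    struct field_ref f = { index, size };

    memset(packet, 0, sizeof packet);
    memcpy(packet + SAMPLE_LANG_OFFSET, SAMPLE_LANG, sizeof SAMPLE_LANG - 1);
    if (dst_size > sizeof dst)
        dst_size = sizeof dst;
    return extract_field(packet, sizeof packet, &f, dst, dst_size);
}
```

The order of the checks matters: testing the index against the packet length first is what keeps the later `packet_len - f->index` from wrapping, so an index of 0xFFFFFFFF paired with a size of 0xFFFFFFFF is refused at the first test rather than passing a wrapped sum.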
[Full-disclosure] TSRT-06-13: HP OpenView Client Configuration Manager Device Code Execution Vulnerability
TSRT-06-13: HP OpenView Client Configuration Manager Device Code Execution Vulnerability
http://www.tippingpoint.com/security/advisories/TSRT-06-12.html
November 8, 2006

-- CVE ID:
CVE-2006-5782

-- Affected Vendor:
Hewlett-Packard

-- Affected Products:
OpenView Client Configuration Manager 1.0

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable device installations of HP OpenView Client Configuration Manager (CCM). Authentication is not required to exploit this vulnerability. The CCM server is not affected.

The specific flaw exists within the Radia Notify Daemon, radexecd.exe, which binds to TCP port 3465 on default CCM device installs. The vulnerable daemon expects to receive data in the following format:

    port\x00username\x00password\x00command

Where 'port' specifies a connect back port on the connecting client. Due to a design flaw a correct username and password is not required in order to execute arbitrary commands within the radexecd.exe install directory. This exposes at least two pre-authentication issues. The first, allows attackers to reboot affected devices by launching radbootw.exe, which reboots the system without any further prompts. The second, allows attackers to generate an arbitrary file by launching radcrecv.exe. radcrecv will listen to an arbitrary port as specified on the command line and receive files via multicast download. The filename and contents can be specified by the attacker and is saved to the same directory as radexecd.exe. Once a malicious file has been generated, it can then be launched as before.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at:
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00795552

-- Disclosure Timeline:
2006.10.10 - Vulnerability reported to vendor
2006.11.08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Pedram Amini, TippingPoint Security Research Team.
[Full-disclosure] TSRT-06-11: CA Multiple Product DBASVR RPC Server Multiple Buffer Overflow Vulnerabilities
TSRT-06-11: CA Multiple Product DBASVR RPC Server Multiple Buffer Overflow Vulnerabilities
http://www.tippingpoint.com/security/advisories/TSRT-06-11.html
October 5, 2006

-- CVE ID:
CVE-2006-5143

-- Affected Vendor:
Computer Associates

-- Affected Products:
BrightStor ARCserve Backup R11.5 Client
BrightStor ARCserve Backup R11.5 Server
BrightStor Enterprise Backup 10.5
BrightStor ARCserve Backup v9.01
CA Server Protection Suite r2
CA Business Protection Suite r2

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since March 27, 2006 by Digital Vaccine protection filter ID 4268. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Computer Associates BrightStor ARCserve Backup, Enterprise Backup, Server Protection Suite and Business Protection Suite. Authentication is not required to exploit this vulnerability and both client and servers are affected.

The problem specifically exists within DBASVR.exe, the Backup Agent RPC Server. This service exposes a number of vulnerable RPC routines through a TCP endpoint with ID 88435ee0-861a-11ce-b86b-1b27f656 on port 6071. The most trivial of the exposed vulnerabilities results in an exploitable stack overflow. The vulnerable routines include:

    /* opcode: 0x01, address: 0x00401A70 */
    long sub_401A70 (
        [in][string] char * arg_1,
        [in][string] char * arg_2,   // stack overflow
        [out][size_is(8192), length_is(*arg_4)] char * arg_3,
        [in, out] long * arg_4
    );

    /* opcode: 0x02, address: 0x00401CC0 */
    long sub_401CC0 (
        [in][string] char * arg_1,
        [in][string] char * arg_2,   // stack overflow
        [in][string] char * arg_3,
        [out] long * arg_4
    );

    /* opcode: 0x18, address: 0x004041C0 */
    long sub_4041C0 (
        [in][string] char * arg_1,
        [in][string] char * arg_2,   // stack overflow
        [out] long * arg_3
    );

The first two vulnerable subroutines are the result of inline strcpy()/memcpy()'s. The third vulnerable subroutine is due to an insecure call to lstrcat().

-- Vendor Response:
Computer Associates has issued an update to correct this vulnerability. More details can be found at:
supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp

-- Disclosure Timeline:
2006.03.27 - Digital Vaccine released to TippingPoint customers
2006.03.28 - Vulnerability reported to vendor
2006.10.05 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Pedram Amini, TippingPoint Security Research Team.
[Full-disclosure] TSRT-06-12: CA BrightStor Discovery Service Mailslot Buffer Overflow Vulnerability
TSRT-06-12: CA BrightStor Discovery Service Mailslot Buffer Overflow Vulnerability
http://www.tippingpoint.com/security/advisories/TSRT-06-12.html
October 5, 2006

-- CVE ID:
CVE-2006-5142

-- Affected Vendor:
Computer Associates

-- Affected Products:
BrightStor ARCserve Backup R11.5 Client
BrightStor ARCserve Backup R11.5 Server

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since March 27, 2006 by Digital Vaccine protection filter ID 4267. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Computer Associates ARCserve Backup. Authentication is not required to exploit this vulnerability, and both the client and the server are affected.

The problem specifically exists within the handling of long messages received over the mailslot named 'CheyenneDS'. As no explicit nMaxMessageSize is supplied in the call to CreateMailslot, an attacker can cause an exploitable stack-based buffer overflow. The vulnerable mailslot creation occurs in:

    casdscsvc.exe -> Asbrdcst.dll

    20C14E8C push    0                           ; lpSecurityAttributes
    20C14E8E push    0                           ; lReadTimeout
    20C14E90 push    0                           ; nMaxMessageSize
    20C14E92 push    offset Name                 ; ".\\mailslot\\CheyenneDS"
    20C14E97 stosb
    20C14E98 call    ds:CreateMailslotA
    20C14E9E cmp     eax, INVALID_HANDLE_VALUE
    20C14EA1 mov     mailslot_handle, eax

Note that no explicit nMaxMessageSize is specified (a value of 0 places no limit on message size). Later, the mailslot handle is read from into a 4k buffer. The read data is also passed to a routine which calls vsprintf into a 1k buffer.
    casdscsvc.exe -> Asbrdcst.dll

    20C15024 mov     eax, mailslot_handle
    20C15029 lea     edx, [esp+1044h+Buffer_4k]
    20C1502D push    ecx                         ; nNumberOfBytesToRead
    20C1502E push    edx                         ; lpBuffer
    20C1502F push    eax                         ; hFile
    20C15030 call    edi                         ; ReadFile
    20C15032 test    eax, eax
    20C15034 jz      short read_failed
    20C15036 lea     ecx, [esp+3Dh]
    20C1503A push    ecx                         ; char
    20C1503B push    offset str_ReadmailslotS    ; "ReadMailSlot: %s\n"
    20C15040 call    not_interesting_call_to_vsnprtinf
    20C15045 add     esp, 8
    20C15048 lea     edx, [esp+3Dh]
    20C1504C push    edx                         ; va_list
    20C1504D push    offset str_ReadmailslotS_0  ; "ReadMailSlot: %s"
    20C15052 push    0                           ; for_debug_log
    20C15054 call    vsprintf_into_1024_stack_buf_and_debug_log

As mentioned in TSRT-06-02, exploitation of this vulnerability is possible because the second-class mailslot message size limitation can be exceeded.

-- Vendor Response:
Computer Associates has issued an update to correct this vulnerability. More details can be found at:
supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp

-- Disclosure Timeline:
2006.03.27 - Digital Vaccine released to TippingPoint customers
2006.04.27 - Vulnerability reported to vendor
2006.10.05 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Pedram Amini, TippingPoint Security Research Team.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
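The read-then-format path in the TSRT-06-12 disassembly, rewritten as an added example (this is not code from the advisory or from CA) to show the two bounds the original lacks: the 4k ReadFile buffer versus the 1k vsprintf destination, and the fact that nothing guarantees the bytes ReadFile returns are NUL-terminated. The Windows mailslot and ReadFile calls are replaced by a plain byte buffer plus length so the example runs anywhere; the buffer sizes are the ones named in the disassembly, while the function names and the message contents are constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MAILSLOT_READ_MAX 4096   /* the 4k buffer ReadFile fills in the disassembly */
#define DEBUG_LINE_MAX    1024   /* the 1k stack buffer vsprintf writes into        */

/* Vulnerable shape from Asbrdcst.dll, kept as a comment for reference only:
 *
 *     char msg[4096], line[1024];
 *     ReadFile(mailslot_handle, msg, sizeof msg, &nread, NULL);
 *     vsprintf(line, "ReadMailSlot: %s", args);    // args points at msg
 *
 * With nMaxMessageSize == 0 the mailslot accepts messages of any size, so msg
 * can hold 4096 bytes; "ReadMailSlot: " plus that overruns line by about 3k.
 * ReadFile also does not NUL-terminate msg, so %s may read past it. */

/* Hardened debug logger: vsnprintf never writes past line_sz, and its return
 * value tells the caller whether the line was cut short. Returns the length
 * the full line would have needed, or -1 on a formatting error. */
static int debug_log_line(char *line, size_t line_sz, int *truncated,
                          const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(line, line_sz, fmt, ap);
    va_end(ap);
    if (needed < 0) {
        line[0] = '\0';
        return -1;
    }
    *truncated = (size_t)needed >= line_sz;
    return needed;
}

/* Format one mailslot message for the debug log. The byte count from the read
 * is passed as the %.*s precision, so no NUL terminator inside msg is relied
 * on, and the count is clamped to the read buffer size before use. */
int log_mailslot_message(char *line, size_t line_sz, int *truncated,
                         const unsigned char *msg, size_t nread)
{
    if (nread > MAILSLOT_READ_MAX)
        nread = MAILSLOT_READ_MAX;
    return debug_log_line(line, line_sz, truncated,
                          "ReadMailSlot: %.*s", (int)nread, (const char *)msg);
}

/* Constructed sample: a short, well-formed message. Returns the formatted
 * length (37) when the line fits and reads as expected, otherwise -1. */
int demo_short_message(void)
{
    static const unsigned char msg[] = "host=backup01 status=ok";
    char line[DEBUG_LINE_MAX];
    int truncated = 0;
    int needed = log_mailslot_message(line, sizeof line, &truncated, msg, sizeof msg - 1);
    if (truncated || strcmp(line, "ReadMailSlot: host=backup01 status=ok") != 0)
        return -1;
    return needed;
}

/* Constructed sample: a full 4096-byte message with no NUL anywhere, the case
 * that overflows the 1k buffer in the original. Returns the length the line
 * would have needed (14 + 4096 = 4110) when it was correctly held to
 * DEBUG_LINE_MAX - 1 bytes, otherwise -1. */
int demo_oversized_message(void)
{
    static unsigned char msg[MAILSLOT_READ_MAX];
    memset(msg, 'A', sizeof msg);
    char line[DEBUG_LINE_MAX];
    int truncated = 0;
    int needed = log_mailslot_message(line, sizeof line, &truncated, msg, sizeof msg);
    if (!truncated || strlen(line) != DEBUG_LINE_MAX - 1)
        return -1;
    return needed;
}

int main(void)
{
    printf("short message:     needed=%d\n", demo_short_message());
    printf("oversized message: needed=%d (line held to %d bytes)\n",
           demo_oversized_message(), DEBUG_LINE_MAX - 1);
    return 0;
}
```

The two fixes are independent: bounding the write with vsnprintf stops the stack overflow, and passing the read length as a precision stops the over-read; applying only the first would still let %s walk past an unterminated 4k message.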
[Full-disclosure] TSRT-06-10: Microsoft HLINK.DLL Hyperlink Object Library Buffer Overflow Vulnerability
TSRT-06-10: Microsoft HLINK.DLL Hyperlink Object Library Buffer Overflow Vulnerability
http://www.tippingpoint.com/security/advisories/TSRT-06-10.html
August 8, 2006

-- CVE ID:
CVE-2006-3086

-- Affected Vendor:
Microsoft

-- Affected Products:
Microsoft Windows Server 2003 SP1 and SP2
Microsoft Windows XP SP1 and SP2
Microsoft Windows 2000 Service Pack 4

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since August 8, 2006 by Digital Vaccine protection filter ID 4601. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable applications that utilize Microsoft Hyperlink Component Object Model (COM) objects. Specifically, this includes at least Microsoft Word, PowerPoint and Excel. Exploitation over the web is possible via Office Web Components (OWC); the target is not required to have OWC installed.

The specific flaw exists within HLINK.DLL in the routine HrShellOpenWithMonikerDisplayName(). The vulnerability is due to an unchecked WzCopy() (wide-character string copy) to a stack-based buffer from user-supplied data in the following call chain:

    HLNK_Bsc::OnObjectAvailable
    HLNK::HrCompleteNavigation()
    HLNK::HrShowTarget()
    HrShellOpenWithMonikerDisplayName()

The specific WzCopy() responsible for the overflow is shown in the following disassembly snippet from HLINK.DLL version 5.2.3790.227 from Windows XP SP2:

    7682DA6B lea     eax, [ebp+overflowed_buffer]        ; dst
    7682DA71 push    eax
    7682DA72 push    [ebp+var_E30]                       ; src
    7682DA78 call    WzCopy(ushort const *,ushort *)     ; vulnerable call

The overflowed buffer is at frame pointer offset 0x0E2C, requiring a 3,628 byte write before breaking out of the holding stack frame. Simply specifying a long URI string will not trigger the vulnerability.
However, if the requested URI redirects, via an HTTP "Location:" header, to a long URI, the vulnerable code is reached and a previous call to HrGetFullDisplayName() passes the long URI to the vulnerable WzCopy(). The long URI must actually exist, otherwise the URI expansion will fail and the WzCopy() will never be reached.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details can be found at:
http://www.microsoft.com/technet/security/bulletin/MS06-050.mspx

-- Disclosure Timeline:
2006.02.28 - Vulnerability reported to vendor
2006.08.08 - Digital Vaccine released to TippingPoint customers
2006.08.08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Pedram Amini, TippingPoint Security Research Team.

-- About the TippingPoint Security Research Team (TSRT):
The TippingPoint Security Research Team (TSRT) consists of industry recognized security researchers that apply their cutting-edge engineering, reverse engineering and analysis talents in our daily operations. More information about the team is available at:
http://www.tippingpoint.com/security

The by-product of these efforts fuels the creation of vulnerability filters that are automatically delivered to our customers' intrusion prevention systems through the Digital Vaccine(R) service.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] TSRT-06-09: Microsoft DirectAnimation COM Object Memory Corruption Vulnerability
TSRT-06-09: Microsoft DirectAnimation COM Object Memory Corruption Vulnerability
http://www.tippingpoint.com/security/advisories/TSRT-06-09.html
August 8, 2006

-- CVE ID:
CVE-2006-3638

-- Affected Vendor:
Microsoft

-- Affected Products:
Internet Explorer 6 All Versions
Internet Explorer 5 SP4

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since August 8, 2006 by Digital Vaccine protection filter ID 4593. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw exists in the DirectAnimation.DATuple ActiveX control when its Nth() method is called improperly. By supplying a positive integer, an attacker can control a data reference calculation that is later used to control execution. The problem is due to the lack of sanity checking on the index used during a call to TupleNthBvrImpl::GetTypeInfo() in danim.dll.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details can be found at:
http://www.microsoft.com/technet/security/bulletin/MS06-042.mspx

-- Disclosure Timeline:
2006.04.27 - Vulnerability reported to vendor
2006.08.08 - Digital Vaccine released to TippingPoint customers
2006.08.08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Cody Pierce, TippingPoint Security Research Team.

-- About the TippingPoint Security Research Team (TSRT):
The TippingPoint Security Research Team (TSRT) consists of industry recognized security researchers that apply their cutting-edge engineering, reverse engineering and analysis talents in our daily operations.
More information about the team is available at: http://www.tippingpoint.com/security The by-product of these efforts fuels the creation of vulnerability filters that are automatically delivered to our customers' intrusion prevention systems through the Digital Vaccine(R) service. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] TSRT-06-08: Microsoft Internet Help COM Object Memory Corruption Vulnerability
TSRT-06-08: Microsoft Internet Help COM Object Memory Corruption Vulnerability
http://www.tippingpoint.com/security/advisories/TSRT-06-08.html
August 8, 2006

-- CVE ID:
CVE-2006-3357

-- Affected Vendor:
Microsoft

-- Affected Products:
Microsoft Windows Server 2003 SP1 and SP2
Microsoft Windows XP SP1 and SP2
Microsoft Windows 2000 Service Pack 4

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since August 8, 2006 by Digital Vaccine protection filter ID 4581. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific vulnerability can lead to code execution when the Internet.HHCtrl COM object is instantiated through Internet Explorer. The flaw exists due to an invalid free of heap memory when several calls to the "Image" property of the ActiveX control are performed. By abusing the jscript.dll CScriptBody::Release() function, user-supplied data can be executed.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details can be found at:
http://www.microsoft.com/technet/security/bulletin/MS06-046.mspx

-- Disclosure Timeline:
2006.04.27 - Vulnerability reported to vendor
2006.08.08 - Digital Vaccine released to TippingPoint customers
2006.08.08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Cody Pierce, TippingPoint Security Research Team.

-- About the TippingPoint Security Research Team (TSRT):
The TippingPoint Security Research Team (TSRT) consists of industry recognized security researchers that apply their cutting-edge engineering, reverse engineering and analysis talents in our daily operations.
More information about the team is available at: http://www.tippingpoint.com/security The by-product of these efforts fuels the creation of vulnerability filters that are automatically delivered to our customers' intrusion prevention systems through the Digital Vaccine(R) service. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] TSRT-06-07: eIQnetworks Enterprise Security Analyzer Monitoring Agent Buffer Overflow Vulnerabilities
TSRT-06-07: eIQnetworks Enterprise Security Analyzer Monitoring Agent Buffer Overflow Vulnerabilities
http://www.tippingpoint.com/security/advisories/TSRT-06-07.html
August 8, 2006

-- CVE ID:
CVE-2006-3838

-- Affected Vendor:
eIQnetworks

-- Affected Products:
Enterprise Security Analyzer

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since July 31, 2006 by Digital Vaccine protection filter ID 4386. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
These vulnerabilities allow remote attackers to execute arbitrary code on vulnerable installations of eIQnetworks Enterprise Security Analyzer. Authentication is not required to exploit these vulnerabilities.

The first flaw specifically exists within the routines responsible for handling user-supplied data on a TCP port within Monitoring.exe. Upon connecting to this port the user is immediately prompted for a password. A custom string comparison loop is used to validate the supplied password against the hard-coded value "eiq2esa?", where the question mark represents any alphanumeric character. Issuing the command "HELP" reveals a number of documented commands:

    - Usage:
    QUERYMONITOR: to fetch events for a particular monitor
        QUERYMONITOR&&&timer
    QUERYEVENTCOUNT or QEC: to get latest event counts
    RESETEVENTCOUNT or REC: to reset event counts
        REC&[ALL] or REC&dev1,dev2,
    STATUS: Display the running status of all the threads
    TRACE: TRACE&ip or hostname&. TRACE&OFF& will turn off the trace
    FLUSH: reset monitors as though the hour has changed
    ALRT-OFF and ALRT-ON: toggle the life of alerts-thread.
    RECV-OFF and RECV-ON: toggle the life of event-collection thread.
    EM-OFF and EM-ON toggle event manager
    DMON-OFF and DMON-ON toggle device event monitoring
    HMON-OFF and HMON-ON toggle host event monitoring
    NFMON-OFF and NFMON-ON toggle netflow event monitoring
    HPMON-OFF and HPMON-ON toggle host perf monitoring
    X or EXIT: to close the session
    -

Supplying a long string to the TRACE command results in an overflow of the global variable at 0x004B1788. A neighboring global variable, 116 bytes after the overflowed variable, contains a file output stream pointer that is written to every 30 seconds by a garbage collection thread. The log message can be influenced and therefore this is a valid exploit vector, albeit a complicated one.

A trivial exploit vector exists within the parsing of the actual command at the following equivalent API call:

    sscanf(socket_data, "%[^&]&%[^&]&", 60_byte_stack_var, global_var);

Because no explicit check is made for the exact command "TRACE", an attacker can abuse this call to sscanf by passing a long suffix to the TRACE command that is free of the field-terminating character '&'. The %[^&] scanset carries no field width, so the entire suffix is copied into the 60-byte stack buffer. This vector is trivial to exploit.

The second flaw specifically exists within the routines responsible for handling user-supplied data on TCP port 10626 within Monitoring.exe. The service will accept up to approximately 16K of data from unauthenticated clients, which is later parsed, in a similar fashion to the above, in search of the delimiting character '&'. Various trivial vectors of exploitation exist, for example through the QUERYMONITOR command.

-- Vendor Response:
eIQnetworks has issued an update to correct this vulnerability.
More details can be found at:
http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf

-- Disclosure Timeline:
2006.05.10 - Vulnerability reported to vendor
2006.07.31 - Digital Vaccine released to TippingPoint customers
2006.08.08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Pedram Amini, TippingPoint Security Research Team.

-- About the TippingPoint Security Research Team (TSRT):
The TippingPoint Security Research Team (TSRT) consists of industry recognized security researchers that apply their cutting-edge engineering, reverse engineering and analysis talents in our daily operations. More information about the team is available at:
http://www.tippingpoint.com/security

The by-product of these efforts fuels the creation of vulnerability filters that are automatically delivered to our customers' intrusion prevention systems through the Digital Vaccine(R) service.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
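The sscanf() call quoted in TSRT-06-07, shown beside a bounded version as an added example. This is not eIQnetworks' code: the 60-byte command buffer is the size the advisory names, while the 256-byte argument buffer, the function and constant names, and the sample inputs are assumptions made for the example. Two hardened forms are given, a manual field-length parser and the minimal one-line change that keeps sscanf.

```c
#include <stdio.h>
#include <string.h>

#define CMD_MAX 60    /* the 60-byte stack buffer named in the advisory               */
#define ARG_MAX 256   /* assumed size for the second field; the advisory gives none   */

enum { ESA_OK = 0, ESA_ERR_FORMAT = -1, ESA_ERR_TOOLONG = -2, ESA_ERR_NOT_TRACE = -3 };

/* Vulnerable shape quoted in the advisory, reproduced as a comment only:
 *
 *     char cmd[60];
 *     sscanf(socket_data, "%[^&]&%[^&]&", cmd, global_var);
 *
 * %[^&] carries no field width, so a run of non-'&' bytes longer than 59 is
 * written straight past the end of cmd, and nothing checks that the text
 * before the first '&' is exactly "TRACE" before the copy happens. */

/* Hardened parser: measure each field before copying it, refuse a field that
 * would not fit with its NUL, require both '&' delimiters, and only then
 * compare the command word exactly. */
int parse_trace_command(const char *socket_data, char *cmd, size_t cmd_sz,
                        char *arg, size_t arg_sz)
{
    size_t cmdlen = strcspn(socket_data, "&");
    if (socket_data[cmdlen] != '&') return ESA_ERR_FORMAT;    /* no delimiter at all */
    if (cmdlen >= cmd_sz)           return ESA_ERR_TOOLONG;   /* would overflow cmd  */

    const char *argstart = socket_data + cmdlen + 1;
    size_t arglen = strcspn(argstart, "&");
    if (argstart[arglen] != '&')    return ESA_ERR_FORMAT;
    if (arglen >= arg_sz)           return ESA_ERR_TOOLONG;

    memcpy(cmd, socket_data, cmdlen);
    cmd[cmdlen] = '\0';
    memcpy(arg, argstart, arglen);
    arg[arglen] = '\0';

    return strcmp(cmd, "TRACE") == 0 ? ESA_OK : ESA_ERR_NOT_TRACE;
}

/* Minimal fix that keeps the sscanf call: every scanset gets a width one less
 * than its buffer, and %n proves the trailing '&' was consumed. A command word
 * of 59 or more bytes now stops the scan at the missing '&' instead of
 * overflowing, though it is reported as a format error rather than as too long. */
int parse_trace_command_sscanf(const char *socket_data, char cmd[CMD_MAX], char arg[ARG_MAX])
{
    int consumed = 0;
    int matched = sscanf(socket_data, "%59[^&]&%255[^&]&%n", cmd, arg, &consumed);
    if (matched != 2 || consumed == 0) return ESA_ERR_FORMAT;
    return strcmp(cmd, "TRACE") == 0 ? ESA_OK : ESA_ERR_NOT_TRACE;
}

static char g_cmd[CMD_MAX], g_arg[ARG_MAX];

/* Constructed sample modelled on the HELP text's "TRACE&ip or hostname&". */
int demo_benign_trace(void)
{
    int rc = parse_trace_command("TRACE&192.0.2.10&", g_cmd, sizeof g_cmd, g_arg, sizeof g_arg);
    return rc == ESA_OK && strcmp(g_arg, "192.0.2.10") == 0;
}

/* The advisory's trivial vector: TRACE followed by a long suffix with no '&'
 * in it. Both parsers must refuse it without touching memory past cmd. */
int demo_overlong_trace(void)
{
    char payload[512];
    memset(payload, 'A', sizeof payload);
    memcpy(payload, "TRACE", 5);
    memcpy(payload + 300, "&x&", 4);          /* 300-byte command word, then a valid tail */
    int rc1 = parse_trace_command(payload, g_cmd, sizeof g_cmd, g_arg, sizeof g_arg);
    int rc2 = parse_trace_command_sscanf(payload, g_cmd, g_arg);
    return rc1 == ESA_ERR_TOOLONG && rc2 == ESA_ERR_FORMAT;
}

/* A well-formed command that is not TRACE is parsed safely but not accepted here. */
int demo_other_command(void)
{
    return parse_trace_command("STATUS&&", g_cmd, sizeof g_cmd, g_arg, sizeof g_arg) == ESA_ERR_NOT_TRACE;
}

int main(void)
{
    printf("benign TRACE accepted:   %d\n", demo_benign_trace());
    printf("overlong TRACE rejected: %d\n", demo_overlong_trace());
    printf("non-TRACE rejected:      %d\n", demo_other_command());
    return 0;
}
```

The same pattern applies to the second flaw on port 10626: any '&'-delimited field that is copied into fixed storage needs its length checked against that storage first, whichever command it belongs to.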
[Full-disclosure] TSRT-06-06: Computer Associates eTrust AntiVirus WebScan Manifest Processing Buffer Overflow Vulnerability
TSRT-06-06: Computer Associates eTrust AntiVirus WebScan Manifest Processing Buffer Overflow Vulnerability
http://www.tippingpoint.com/security/advisories/TSRT-06-06.html
August 7, 2006

-- CVE ID:
CVE-2006-3975

-- Affected Vendor:
Computer Associates

-- Affected Products:
eTrust AntiVirus WebScan v1.1.0.1047 and earlier

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since July 26, 2006 by Digital Vaccine protection filter ID 4544. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on systems with affected installations of the Computer Associates eTrust AntiVirus WebScan ActiveX component. Successful exploitation requires that the target user browse to a malicious web page. The vulnerable component is typically installed as a prerequisite to the free online WebScan found at:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

The specific flaw exists in WebScan's processing of the manifest files delivered during a scanner update check. WebScan downloads a 'filelist.txt' file from the update server, which is used as a manifest describing the updates available. Each line of the file consists of four fields in the following form:

    [file name] [decimal integer] [decimal integer] [decimal integer]

A lack of bounds checking on the file names specified in update manifests may lead to a buffer overflow that can be easily exploited to execute arbitrary code. As WebScan allows the server for update downloads to be specified on a web page as an initialization parameter, a malicious manifest can be delivered from any server; it is not necessary to impersonate a legitimate update server.

-- Vendor Response:
Computer Associates has addressed this issue in the latest version of their WebScan product.
More information from the vendor is available at: http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34509 -- Disclosure Timeline: 2006.07.17 - Vulnerability reported to vendor 2006.07.26 - Digital Vaccine released to TippingPoint customers 2006.08.07 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by Matthew Murphy, TippingPoint Security Research Team. -- About the TippingPoint Security Research Team (TSRT): The TippingPoint Security Research Team (TSRT) consists of industry recognized security researchers that apply their cutting-edge engineering, reverse engineering and analysis talents in our daily operations. More information about the team is available at: http://www.tippingpoint.com/security The by-product of these efforts fuels the creation of vulnerability filters that are automatically delivered to our customers' intrusion prevention systems through the Digital Vaccine(R) service. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] TSRT-06-05: Computer Associates eTrust AntiVirus WebScan Automatic Update Code Execution Vulnerability
TSRT-06-05: Computer Associates eTrust AntiVirus WebScan Automatic Update Code Execution Vulnerability
http://www.tippingpoint.com/security/advisories/TSRT-06-05.html
August 7, 2006

-- CVE ID:
CVE-2006-3976
CVE-2006-3977

-- Affected Vendor:
Computer Associates

-- Affected Products:
eTrust AntiVirus WebScan v1.1.0.1047 and earlier

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since July 26, 2006 by Digital Vaccine protection filter ID 4544. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on systems with affected installations of the Computer Associates eTrust AntiVirus WebScan ActiveX component. Successful exploitation requires that the target user browse to a malicious web page. The vulnerable component is typically installed as a prerequisite to the free online WebScan found at:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

The specific flaw exists in the automatic update process for the WebScan ActiveX component. WebScan allows the initializing web page to specify the location that the component will use to download and install updates through the 'SigUpdatePathFTP' parameter (and potentially the 'SigUpdatePathHTTP' parameter). It downloads the 'filelist.txt' manifest and acquires any update files it lists. WebScan performs no verification of the authenticity of the information in the file list or of the files themselves. This allows two distinct attacks.

In the first attack (CVE-2006-3976), an attacker compresses a malicious file, creates a file listing that includes it and then points the update path to his/her server. The WebScan component will download and decompress the file on the local system.
Other components on the system may load the file, and certain files (such as arclib.dll and vete.dll) will be loaded by WebScan itself. If either of these files is replaced by a malicious version, an attacker can gain control of the system WebScan is installed on during the scanner's initialization process.

In the second attack (CVE-2006-3977), an attacker compresses an outdated version of a legitimate Computer Associates file and lists an inaccurate timestamp for the file in the update server's file listing. There is no verification of the time/date information provided by the remote server, so an attacker can install a legitimate but extremely outdated version of virus definition files or engine components and severely limit the scope of the protection provided by WebScan.

-- Vendor Response:
Computer Associates has addressed this issue in the latest version of their WebScan product. More information from the vendor is available at:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34509

-- Disclosure Timeline:
2006.07.17 - Vulnerability reported to vendor
2006.07.26 - Digital Vaccine released to TippingPoint customers
2006.08.07 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Matthew Murphy, TippingPoint Security Research Team.

-- About the TippingPoint Security Research Team (TSRT):
The TippingPoint Security Research Team (TSRT) consists of industry recognized security researchers that apply their cutting-edge engineering, reverse engineering and analysis talents in our daily operations. More information about the team is available at:
http://www.tippingpoint.com/security

The by-product of these efforts fuels the creation of vulnerability filters that are automatically delivered to our customers' intrusion prevention systems through the Digital Vaccine(R) service.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
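A parser for the filelist.txt format described in TSRT-06-06 and TSRT-06-05, as an added example that is not CA's code. It bounds the file name before copying it (the overflow in TSRT-06-06), rejects names carrying path syntax so a listed entry cannot be written outside the update directory, and refuses entries whose stamp is older than the installed file (the rollback in CVE-2006-3977). The advisories give no buffer size and do not say which of the three integers is the timestamp: the 64-byte name buffer, the choice of the third integer as the stamp, the function names and the sample lines are all assumptions of the example. Authenticity of the files themselves (a signature check, which is what actually stops a malicious vete.dll or arclib.dll from being accepted) is outside what this example covers.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 64   /* assumed fixed-size name buffer; the advisory gives no size */

typedef struct {
    char name[NAME_MAX_LEN];
    unsigned long field1, field2;   /* two of the three decimal integers, meaning unknown */
    unsigned long stamp;            /* ASSUMED: the third integer is the file's timestamp */
} manifest_entry;

enum {
    MF_OK = 0,
    MF_ERR_FORMAT = -1,        /* wrong field count, non-decimal integer, trailing junk */
    MF_ERR_NAME_TOOLONG = -2,  /* the overflow case from TSRT-06-06                     */
    MF_ERR_NAME_UNSAFE = -3,   /* directory separators, drive letters, dot-names        */
    MF_ERR_ROLLBACK = -4       /* older than what is installed, CVE-2006-3977           */
};

/* Strict unsigned decimal parse: whole token, no sign, no overflow. */
static int parse_uint(const char *tok, unsigned long *out)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(tok, &end, 10);
    if (tok[0] == '-' || tok[0] == '+' || end == tok || *end != '\0' || errno != 0)
        return 0;
    *out = v;
    return 1;
}

/* Parse one "[file name] [int] [int] [int]" line. The original copied the file
 * name into fixed storage without checking its length; here the length is
 * measured with strcspn and rejected before any copy happens. */
int parse_manifest_line(const char *line, manifest_entry *e)
{
    unsigned long *fields[3] = { &e->field1, &e->field2, &e->stamp };
    const char *p = line + strspn(line, " \t");

    size_t namelen = strcspn(p, " \t\r\n");
    if (namelen == 0)               return MF_ERR_FORMAT;
    if (namelen >= sizeof e->name)  return MF_ERR_NAME_TOOLONG;   /* no room for the NUL */
    if (p[0] == '.' || memchr(p, '/', namelen) || memchr(p, '\\', namelen) || memchr(p, ':', namelen))
        return MF_ERR_NAME_UNSAFE;  /* a leading dot covers "." and "..", the rest is path syntax */
    memcpy(e->name, p, namelen);
    e->name[namelen] = '\0';
    p += namelen;

    for (int i = 0; i < 3; i++) {
        char tok[32];
        p += strspn(p, " \t");
        size_t toklen = strcspn(p, " \t\r\n");
        if (toklen == 0 || toklen >= sizeof tok) return MF_ERR_FORMAT;
        memcpy(tok, p, toklen);
        tok[toklen] = '\0';
        if (!parse_uint(tok, fields[i]))         return MF_ERR_FORMAT;
        p += toklen;
    }
    p += strspn(p, " \t\r\n");
    return *p == '\0' ? MF_OK : MF_ERR_FORMAT;   /* exactly four fields, nothing after */
}

/* Anti-rollback: an update may never carry an older stamp than the file that
 * is already installed. Without this check the advisory's second attack
 * installs an ancient but genuine engine or signature file. */
int check_not_rollback(const manifest_entry *e, unsigned long installed_stamp)
{
    return e->stamp < installed_stamp ? MF_ERR_ROLLBACK : MF_OK;
}

/* Parse one line and apply the rollback check against installed_stamp.
 * The lines passed in by the callers below are constructed samples. */
int demo_accept(const char *line, unsigned long installed_stamp)
{
    manifest_entry e;
    int rc = parse_manifest_line(line, &e);
    return rc != MF_OK ? rc : check_not_rollback(&e, installed_stamp);
}

/* The TSRT-06-06 vector: a file name far longer than the name buffer. */
int demo_overlong_name(void)
{
    char line[256];
    memset(line, 'A', 200);
    strcpy(line + 200, " 1 2 20060720");
    return demo_accept(line, 0);
}

int main(void)
{
    printf("current vete.dll:   %d\n", demo_accept("vete.dll 1 2 20060720", 20060715));
    printf("rolled-back arclib: %d\n", demo_accept("arclib.dll 1 2 20060101", 20060715));
    printf("traversal name:     %d\n", demo_accept("..\\evil.dll 1 2 20060720", 0));
    printf("overlong name:      %d\n", demo_overlong_name());
    return 0;
}
```

The rollback check only helps if installed_stamp comes from the local installation rather than from the manifest; a server that controls both values can still pick whatever it likes, which is why the advisory's real fix is authenticating the listing and the files.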
[Full-disclosure] TSRT-06-03: eIQnetworks Enterprise Security Analyzer Syslog Server Buffer Overflow Vulnerabilities
TSRT-06-03: eIQnetworks Enterprise Security Analyzer Syslog Server Buffer Overflow Vulnerabilities
http://www.zerodayinitiative.com/advisories/TSRT-06-03.html
July 25, 2006

-- CVE ID:
CVE-2006-3838

-- Affected Vendor:
eIQnetworks

-- Affected Products:
eIQnetworks Enterprise Security Analyzer
Astaro Report Manager (OEM)
Fortinet FortiReporter (OEM)
iPolicy Security Reporter (OEM)
SanMina Viking Multi-Log Manager (OEM)
Secure Computing G2 Security Reporter (OEM)
Top Layer Network Security Analyzer (OEM)

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since July 24, 2006 by Digital Vaccine protection filter ID 4319. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of eIQnetworks Enterprise Security Analyzer. Authentication is not required to exploit this vulnerability.

The flaw specifically exists within the Syslog daemon, syslogserver.exe, during the processing of long arguments passed through various commands on TCP port 10617. The following commands are known to be affected:

    DELTAINTERVAL
    LOGFOLDER
    DELETELOGS
    FWASERVER
    SYSLOGPUBLICIP
    GETFWAIMPORTLOG
    GETFWADELTA
    DELETERDEPDEVICE
    COMPRESSRAWLOGFILE
    GETSYSLOGFIREWALLS
    ADDPOLICY
    EDITPOLICY

The majority of the above cases result in a stack overflow and are trivial to exploit.

-- Vendor Response:
eIQnetworks has issued an update to correct this vulnerability. More details can be found at:
http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf

-- Disclosure Timeline:
2006.05.10 - Vulnerability reported to vendor
2006.07.24 - Digital Vaccine released to TippingPoint customers
2006.07.25 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Cody Pierce, TippingPoint Security Research Team.
-- About the TippingPoint Security Research Team (TSRT): The TippingPoint Security Research Team (TSRT) consists of industry recognized security researchers that apply their cutting-edge engineering, reverse engineering and analysis talents in our daily operations. More information about the team is available at: http://www.tippingpoint.com/security The by-product of these efforts fuels the creation of vulnerability filters that are automatically delivered to our customers' intrusion prevention systems through the Digital Vaccine(R) service. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] TSRT-06-04: eIQnetworks Enterprise Security Analyzer Topology Server Buffer Overflow Vulnerability
TSRT-06-04: eIQnetworks Enterprise Security Analyzer Topology Server Buffer Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/TSRT-06-04.html
July 25, 2006

-- CVE ID:
CVE-2006-3838

-- Affected Vendor:
eIQnetworks

-- Affected Products:
eIQnetworks Enterprise Security Analyzer
Astaro Report Manager (OEM)
Fortinet FortiReporter (OEM)
iPolicy Security Reporter (OEM)
SanMina Viking Multi-Log Manager (OEM)
Secure Computing G2 Security Reporter (OEM)
Top Layer Network Security Analyzer (OEM)

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since July 24, 2006 by Digital Vaccine protection filter ID 4500. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of eIQnetworks Enterprise Security Analyzer. Authentication is not required to exploit this vulnerability.

The specific flaw exists within Topology.exe, which binds by default to TCP port 10628. During the processing of long prefixes to the GUIADDDEVICE, ADDDEVICE or DELETEDEVICE command, a stack-based buffer overflow occurs.

-- Vendor Response:
eIQnetworks has issued an update to correct this vulnerability. More details can be found at:
http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf

-- Disclosure Timeline:
2006.05.10 - Vulnerability reported to vendor
2006.07.24 - Digital Vaccine released to TippingPoint customers
2006.07.25 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Cody Pierce, TippingPoint Security Research Team.
-- About the TippingPoint Security Research Team (TSRT): The TippingPoint Security Research Team (TSRT) consists of industry recognized security researchers that apply their cutting-edge engineering, reverse engineering and analysis talents in our daily operations. More information about the team is available at: http://www.tippingpoint.com/security The by-product of these efforts fuels the creation of vulnerability filters that are automatically delivered to our customers' intrusion prevention systems through the Digital Vaccine(R) service. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/