[Full-disclosure] ZDI-12-201 : Microsoft Office Word PAPX Section Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-201 : Microsoft Office Word PAPX Section Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-201 December 21, 2012 - -- CVE ID: CVE-2012-0182 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Microsoft - -- Affected Products: Microsoft Office Word - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11933. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office Word. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within how the application parses a PAPX FKP sections. When parsing a PAPX FKP section, the application will store a calculation. However, when repairing a damaged document, the application will explicitly trust this calculation in a loop that is used to index into an array of objects. This will allow for an out-of-bounds access of an object which can lead to code execution under the context of the application. - -- Vendor Response: Microsoft has issued an update to correct this vulnerability. More details can be found at: http://technet.microsoft.com/en-us/security/bulletin/ms12-064 - -- Disclosure Timeline: 2011-05-25 - Vulnerability reported to vendor 2012-12-21 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Anonymous - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUNRa+VVtgMGTo1scAQLlWAf+Jjl7W056kyGU3AGbmPhW1+dd3b0Skh3Q EHGGJtrR4sGu5g2GaluVqSd7JZA0zbTzZhKgj4IuC8xfThtAfeU/5EuF7eX7LEXz vz92fQDx9ulv41tFLw81nTR9yk63Baq93CT6FwszPF5Edr9jrVyw/havhU5OgoFp vsknQnmDyIyXXkYN0iRWEKhDmopssY1Mnmj1ZvrKtYc8lRUd7p9vD8PQ8P6in9pS 0IoENc3SoKb4CDbAUY1PVjbeAF0+3sHjG95DNoycmFsRc8xvw1eJwW9vx5EvRAwU JsUTdLb/LK81dB+PNoov3feYNOUAwaLHW5vQX6ybOS02MHEfyMozCg== =ooOU -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-203 : Honeywell HMIWeb Browser ActiveX Control RequestDSPLoad Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-203 : Honeywell HMIWeb Browser ActiveX Control RequestDSPLoad Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-203 December 21, 2012 - -- CVE ID: CVE-2012-2054 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Honeywell - -- Affected Products: Honeywell HMIWeb - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11490. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Honeywell HMIWeb. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the ActiveX control defined within the HSCDSPRenderDll.dll file. The RequestDSPLoad method does not properly verify the length of a supplied argument before copying it into a fixed-length heap buffer. A remote attacker can abuse this to execute arbitrary code under the context of the user running the browser. - -- Vendor Response: Honeywell states: http://www.us-cert.gov/control_systems/pdf/ICSA-12-150-01.pdf - -- Disclosure Timeline: 2011-11-23 - Vulnerability reported to vendor 2012-12-21 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Anonymous - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUNRbzFVtgMGTo1scAQKiCwgAoxez+OmYBC/g4SrLZ087spc8UA8fa9K0 eAdCpN0+rQ5MeJJQt4/ndN9x138HIEqRFUECf+pkNExG9KOGgrn3nI3n06Lig1w+ HtKwTSeYatzo7fLdTwT/9yp5rXsi31o2yUsxFYnDLLHTA9ElGQTWa/RHLKYUHafi AltA6yv4PfgvlJx2DJbPiwrBSMgg0kQGRc2o/g9lvjltLvXoYnFQQKoHRsTQdGcY LP8Ki5emZcqf675IJ5VWi0a+TG43UMXb/wwsooK5EB8CycqvGrq/+9Mr/xh0FBlq Ej7BDhk9LjLZ+wtgJIjG2Z+CzhzdSpBSx58q8sscRS5gL6JxpzY51g== =PNOJ -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-202 : Oracle Outside In WordPerfect File Processing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-202 : Oracle Outside In WordPerfect File Processing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-202 December 21, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Oracle - -- Affected Products: Oracle Outside In - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable products utilizing the Oracle Outside In technology. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of WordPerfect files. When parsing font records the code within vswp5.dll does not validate the datasize value prior to performing arithmetic on it. The result is used to make a heap allocation that can be undersized which can be leveraged to corrupt memory leading to arbitrary code execution under the context of the user running the application. - -- Vendor Response: Oracle has issued an update to correct this vulnerability. More details can be found at: http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html - -- Disclosure Timeline: 2011-12-19 - Vulnerability reported to vendor 2012-12-21 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * gwslabs.com - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUNRbS1VtgMGTo1scAQLtawf+NavpWL26tU6y1s3RFh81GzTU2csrKhs0 dwA25lag4dNG6rFop9kYSqZStxLMoel3HZnk0M8xEQkLtNTzHL30FKtabUUFRYG+ 5oIZkP/xf8LbVCnrCwqwz+vpzQScYUpxFt9zn7gGkBeTJfmTygC5JLNR3k/j9NI7 b2B5UKwuZRK6M0j8wwxeZ9MyDw4Khn4Jy8S+Mx2wnyiZH/MbeYJsK05SigXUthY/ 49tZGNy4JDAHITDoL8BkmLcrRWqgHpAaXB5+ad7vDuXy9IlXRCzrSsyvhf7p7CD6 vR+a6rINBLS9lqXfF13nhLS/j/WqMJANLT6Nm6V846Oar4wRBcRDpQ== =9CB1 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-200 : Microsoft Internet Explorer 9 CTreeNode Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-200 : Microsoft Internet Explorer 9 CTreeNode Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-200 December 21, 2012 - -- CVE ID: CVE-2012-2548 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Microsoft - -- Affected Products: Microsoft Internet Explorer 9 - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12584. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way Internet Explorer handles CTreeNode objects. By manipulating a document's elements an attacker can force a dangling pointer to be reused after it has been freed. The issue lies in a possible type confusion between a CTreeNode object and an ISpanQualifier instance during the layout of a document being performed. An attacker can leverage this vulnerability to execute code under the context of the current process. - -- Vendor Response: Microsoft has issued an update to correct this vulnerability. More details can be found at: http://technet.microsoft.com/en-us/security/advisory/2757760 - -- Disclosure Timeline: 2012-07-24 - Vulnerability reported to vendor 2012-12-21 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Stephen Fewer of Harmony Security (www.harmonysecurity.com) - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUNRal1VtgMGTo1scAQIdiAf+N0Ri4mHa6zefY/tisSShB3G5ZWJ076cC hBUmPKnLfsbOtDfvk7rBn7Z8sM3aDeF3nTxFPd2bJcwMsG1udvjBhZ7nxEb6nKpi 7iqzb0rqw0oKagzYSScM9JPd6SRTgcf8koS0MQZ3j4QoPAsoy/u9KfadXoa2agY/ f8CQ9KMtimUU4cJJM/VUNWmmgBY9Lv8Ju1DzrTpUwp7zXSsHDFcU11p9ImAunSTL Of1Be64loCpkj71OtkOVjkIyoa1EqCM2buol5tzx4VrkfSMnn/s8iregl8p2QRAY KYPf07uIrBrf83LbzKuUcQ1ar+4dHYBhamOQXl1DVjs7WF1wl+JYmQ== =imrZ -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-198 : Microsoft Internet Explorer CMarkup outerText Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-198 : Microsoft Internet Explorer CMarkup outerText Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-198 December 21, 2012 - -- CVE ID: CVE-2012-2557 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Microsoft - -- Affected Products: Microsoft Internet Explorer 8 - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12583. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way Internet Explorer handles CMarkup objects. By manipulating a document's elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process. - -- Vendor Response: Microsoft has issued an update to correct this vulnerability. More details can be found at: http://technet.microsoft.com/en-us/security/advisory/2757760 - -- Disclosure Timeline: 2012-07-24 - Vulnerability reported to vendor 2012-12-21 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Anonymous - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUNRZxVVtgMGTo1scAQIgDQf+IPWSxIQC3lbJYccpZMt8bAWuzl/O+wPa ZqfrwLhJCPDiDbaD9S6V/z/vVAG5lPpjc097EY48C1vcE7/uKOA2v78tA/cW2rNm 5XrR9JxrC2SLf1MSGL8hlbxjKDSTICYvfnEpMlpbSg7q8pafCv+42tDUkBdoO3eW cLu9tn41U3aiWavcL7LvA+NXc85UdzOPbVCPIOJuuDiFASHrR/V+TKqSSFpAZ2Ab RBvE4p1TPyVUEuWgdLJeRC6soJObw5MWgQUY0rhmAh+hk++KS+lcAdZS+fgZDSZz l/u8L7NxYbo8D5ovgrc09HviITKaDvXVbJQPsBu2mCVcqiQKHgCYbg== =7Ii2 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-197 : Oracle Java java.beans.Statement Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-197 : Oracle Java java.beans.Statement Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-197 December 21, 2012 - -- CVE ID: CVE-2012-1682 - -- CVSS: 9, AV:N/AC:L/Au:N/C:P/I:P/A:C - -- Affected Vendors: Oracle - -- Affected Products: Oracle Java Runtime - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the java.beans.Expression class. Due to unsafe handling of reflection of privileged classes inside the Expression class it is possible for untrusted code to gain access to privileged methods and properties. This can result in remote code execution under the context of the current process. - -- Vendor Response: Oracle has issued an update to correct this vulnerability. More details can be found at: http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-18357 15.html - -- Disclosure Timeline: 2012-07-24 - Vulnerability reported to vendor 2012-12-21 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * James Forshaw (tyranid) - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUNRZdVVtgMGTo1scAQKYuAf8C4LTqhJ1Bk+usVtZ2mRjALe7+gTVvTk6 j/q9Zqy/XsimBYXIiJW2QRt+CJqS/9e/8M+xH14FkSmZRGhHDaVR0tZ8cTuHPopm C3XnhzIJOk9XdoA8HdHVnMmd7vACA+ILyAX4n8feDHDHqUH7eTBZ3zdILxNTidQi cZgB67wqsOtsl8shsblGivkRWzlcheIC5492M17wwCr+PgMcg9xtSp3uD7MbNsNL BSOojIqMEhEhzDZ8P2wOBcSMN1EaSAxJYhHAI+ABfdp8LZ9IJt6GfIfoyzf34GQY dE7XrJMm0BVfd6oHQaArEcH6sI6XPU7RlMVJNvXUH4XuJH9Qww/lRw== =TyDY -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-196 : Novell Groupwise GWIA ber_get_stringa Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-196 : Novell Groupwise GWIA ber_get_stringa Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-196 December 21, 2012 - -- CVE ID: CVE-2012-0417 - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Novell - -- Affected Products: Novell Groupwise - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12495. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell Groupwise. Authentication is not required to exploit this vulnerability. The flaw exists within the Groupwise Internet Agent component, specifically the optional LDAP server which listens on tcp port 389. When parsing a BER encoded parameter the specified size is used to allocate a destination buffer. A properly encoded BER chunk could cause an integer size value to wrap before buffer allocation. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the SYSTEM account. - -- Vendor Response: Novell has issued an update to correct this vulnerability. More details can be found at: http://www.novell.com/support/kb/doc.php?id=7010770 - -- Disclosure Timeline: 2011-10-21 - Vulnerability reported to vendor 2012-12-21 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Francis Provencher From Protek Research Lab's - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUNRZJlVtgMGTo1scAQK79gf+JjzJEnHzMsddv86rxWEgVxgPaHb+Ih0N 2OT1aPxDpHIDBA3hZg6iAGMuQVYj8Ot623NsLWKyAM7dpdEcaHgifW8zgThyEhdP m5eMslAOkuQ93NuqQqL4HAm0L6caNHQJ6Eqwn3Skg0UC5osJrH3SWmagLSGaiLJ1 SlfYD3CxbI/NeShIV93lSRqRXvqIf9wFsQrXNoJgw0shlJw3MBe+t4/NX5wt5fba Vo/5BtmcpHZQawOd8FMmwoggvfhkoFc5BE1nncZSSfWCpeZ1raIUAmIFwZVj4THy 91GD++j9PKHc4QYJO2FVrlA0xJqXrSehz2XSLb/z9QZeCk3S1lKBGg== =P609 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-195 : RealNetworks RealPlayer ATRAC Sample Decoding Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-195 : RealNetworks RealPlayer ATRAC Sample Decoding Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-195 December 21, 2012 - -- CVE ID: CVE-2012-0928 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: RealNetworks - -- Affected Products: RealNetworks RealPlayer - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12482. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks Real Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists when the application attempts to decode an audio sample that is encoded with the ATRAC codec. While parsing sample data, the application will explicitly trust 2-bits as a loop counter which can be used to write outside the bounds of the target buffer. This can lead to code execution under the context of the application. - -- Vendor Response: RealNetworks has issued an update to correct this vulnerability. More details can be found at: http://service.real.com/realplayer/security/09072012_player/en/ - -- Disclosure Timeline: 2011-10-28 - Vulnerability reported to vendor 2012-12-21 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Andrzej Dyjak - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUNRYylVtgMGTo1scAQIvqwf+InLpJWTUfaN65tPUF5tIc5bkT3QBCEe6 tkvHCcTDLyftl1dBgXSkiy8wtCYrcDp0pWaOHYXtlRTzOxOZA4hjf2Tn66EPYVBy JPKFWnTrkHhlC6Bc/6l44LeVtV/LcygPtANr4J7FNqWfIUZ4eaV1NLqGra7tm4hJ kW/Vn8Syno9+WICi1FbV23KLeSvooRqvHtiNCKhsrKqFOyOBfSQlMO6Gp+n0j8JF Bl1XfWPEGRM6do4I/+1Sk9GuyKT6Smu8qcwT6X2334UHYfEHZLGDlHgNiAtB++XE KAamtcf8JRIMxT05hwJl8T10U5LiKucuxTr/gVT86niHTDPG2+A0Cg== =77vg -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-194 : Microsoft Internet Explorer OnBeforeDeactivate Event Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-194 : Microsoft Internet Explorer OnBeforeDeactivate Event Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-194 December 21, 2012 - -- CVE ID: CVE-2012-1878 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Microsoft - -- Affected Products: Microsoft Internet Explorer - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12388. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way Internet Explorer handles the onbeforedeactivate callback function for certain elements. During the execution of the onbeforedeactivate callback function it is possible to alter the DOM tree of the page which can lead to a use-after-free vulnerability when the function returns. This can result in remote code execution under the context of the current process. - -- Vendor Response: Microsoft has issued an update to correct this vulnerability. More details can be found at: https://technet.microsoft.com/en-us/security/bulletin/ms12-037 - -- Disclosure Timeline: 2012-03-14 - Vulnerability reported to vendor 2012-12-21 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Anonymous - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUNRYXVVtgMGTo1scAQIroAgAt/563d86coSO3lzRBv3abXO4+lC1IhEJ DOGYcqAPqJ7IIURCpFI6k+8CqRa6gG+HZIv7WrIyiZnya7HcC64Kb6stQjL2aaTw lrAa9J5FsuWyOW7/1UM7nfJ06EXe0splcFFNYVjdjJlNSI0RClzQNYNreLtGbDbB Gqve1qSbbGwmb8b9nxkfsgrd0nA1jNyJULfd0OLAg5WRZkoFyvKG3UXEBPPslUtH uOBG1mb8S7l0zfweTVObNQlie23ccgr9Yd97HcH8lc3fUW4W/gROgk54J4gocmZz Jk+xYyAlAa8p0ejV0Y7BY2VoBDYiYPSNH2Kz65b+ecK81BFera9xbA== =dDcB -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-193 : Microsoft Internet Explorer insertAdjacentText Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-193 : Microsoft Internet Explorer insertAdjacentText Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-193 December 21, 2012 - -- CVE ID: CVE-2012-1879 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Microsoft - -- Affected Products: Microsoft Internet Explorer - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12383. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way Internet Explorer handles repeated calls to insertAdjacentText. When the size of the element reaches a certain threshold Internet Explorer fails to correctly relocate key elements. An unitialized variable in one of the function can cause memory corruption. This can lead to remote code execution under the context of the program. - -- Vendor Response: Microsoft has issued an update to correct this vulnerability. More details can be found at: https://technet.microsoft.com/en-us/security/bulletin/ms12-037 - -- Disclosure Timeline: 2012-03-14 - Vulnerability reported to vendor 2012-12-21 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Anonymous - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUNRYAlVtgMGTo1scAQLIzwgAifwtcC6Rt0S7xdrcLHpBiw+vrM598Ccl UBkbArcNGipQLDGVgW6sC3h0gPGayQbaQsyW8J1ar6MNUWmfKnEJetAUa24ZgDWl cOATZkDyf0HYwV6a+gATJA4CVJk6cHYjf4Pn9vkguogBebsBMX3mGBLsrSfbcxQc 1tOfbV7VogCOHceFLNxVx8Ir8/rpHfbfduflYFPbSLcKgcERcLq5kGJOZkiNPRID kRs8dd6vfjEyueO5/NwyPXi9mNaDqNCYgelRCGi3xF/FjabtuV3BVbS81NDoJ8Ak O3VFfeHisnRN/ZvPs84fEdfWG5lDy5fzNgEtsTP4+zOMfws21I/7uA== =2V0z -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-192 : Microsoft Internet Explorer insertRow Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-192 : Microsoft Internet Explorer insertRow Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-192 December 21, 2012 - -- CVE ID: CVE-2012-1880 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Microsoft - -- Affected Products: Microsoft Internet Explorer - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12382. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way Internet Explorer handles consecutive calls to insertRow. When the number of rows reaches a certain threshold the program fails to correctly relocate certain key objects. This can lead to a use-after-free vulnerability which can result in remote code execution under the context of the current process. - -- Vendor Response: Microsoft has issued an update to correct this vulnerability. More details can be found at: https://technet.microsoft.com/en-us/security/bulletin/ms12-037 - -- Disclosure Timeline: 2012-03-14 - Vulnerability reported to vendor 2012-12-21 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Anonymous - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUNRXqlVtgMGTo1scAQIolwgAlfWawonK1BetraIK8viDhg/z4Eb5RTse hOfWDOxNdY0glskLeI1ylrtr0nXJSvj+8q5T6DcsEaz48nEdsv/ObO+d6JREzwTL 3gUJ9fUeMWZubmUmm2cKkgdenmEkK0p8EZqQ5puUpuVffeFC/f8Dn679MGlwL73v Zato0rHoJuBedfxOYsQ+UkYwre97ickYkw/dl0LMgce5IRxKROnsR3u4+yPUVOWt Vqo0zEPXKGdPUY3L/AjgowwqvOGsf0OmQESBLZi+pGhO2PxWjb5aBm+gFPBkRpNl ON1yduQfblrmsrCEHZf/od/A/r7YyLeI4dxkOGb0vR7FmBr2OcZfBA== =/GjQ -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-191 : Webkit HTMLMedia Element beforeLoad Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-191 : Webkit HTMLMedia Element beforeLoad Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-191 December 21, 2012 - -- CVE ID: CVE-2011-3071 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: WebKit.Org - -- Affected Products: WebKit.Org WebKit - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12492. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Safari Webkit. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the library's implementation of a HTMLMedia element. After a source element is created, an attacker can catch the beforeLoad event before the element is used, and delete the element. The pointer to the source element will then be referenced causing a use-after-free condition, which can lead to code execution under the context of the application. - -- Vendor Response: WebKit.Org has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT1222 - -- Disclosure Timeline: 2012-03-14 - Vulnerability reported to vendor 2012-12-21 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * pa_kt / twitter.com/pa_kt - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUNRXVlVtgMGTo1scAQL8swgAm/RnsOnH3MOpjeTII0WcvV9txZO0itaC yRlwICYXXHUUVvuSxlN8KS7P6Wmf5F0gj+VQXP647KhCxIhXZsrx+DL+aZS+Fb17 pcHGwZFhntNNPn5Gwgy8c0cZeSBVmGByU5BBDT6e3ciGpyidlAzUOga63ahOKN22 HSi4uiwHn4WX4gxpLt0Yyd14Ro1fdtqi7puUc+KGuzVtBwWypv023ubuPz/qRZ85 L9R+n+SfoCHL/o2kEHaoM3xpRQeKiAkxRCwS7SVGq8ltnckI3kkdl38t3SfxmjIQ yAsYkKbYIkZgHbFhFPfffNhBa8YSdcp4YTMjH2Cjqbrh2TElnhH7Jg== =FjqC -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-190 : Microsoft Internet Explorer Title Element Change Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-190 : Microsoft Internet Explorer Title Element Change Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-190 December 21, 2012 - -- CVE ID: CVE-2012-1877 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Microsoft - -- Affected Products: Microsoft Internet Explorer 9 - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12385. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists in the 'onpropertychange' user callback function for the document.title. If the function changes the document in the callback function by using, for example, a document.write call, this can result in a use-after-free vulnerability. This can lead to remote code execution under the context of the program. - -- Vendor Response: Microsoft has issued an update to correct this vulnerability. More details can be found at: https://technet.microsoft.com/en-us/security/bulletin/ms12-037 - -- Disclosure Timeline: 2012-03-14 - Vulnerability reported to vendor 2012-12-21 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Anonymous - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUNRW21VtgMGTo1scAQKc7gf+OEjWyyQYkCYucuwZivLId/up2Px3MbYR omQMFCjxijYj0rx77RRQGBcPC8ROhW6Gt9VEA+C86gi1hynG/zTEz+AA6iRxJVfp 6fUmWVL119kh6tcQml4Mz49vjz1tV9zaALpK/jv7V1EuQ7nS5oSbAi4H0M9oXmLX Fht71iOmiFvrnWj+rSZOYJ7Ctd2+DHLGrR72kYEgtU2SLm3cGgJqiEHbbjq/Y7J6 Ba2Y8mHEJKvdpx3012zJ7BrU0ZOUKRhiiibtJj1A+KAX5fwc+TS5mGMGXgTY/WVe sr7diAuRz+R1Uuv1n8ieiV3SuUNcy7NmPlvsXa4VJQsEvB7I9QQIXA== =aqcy -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-189 : Oracle Java WebStart Changing System Properties Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-189 : Oracle Java WebStart Changing System Properties Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-189 December 21, 2012 - -- CVE ID: CVE-2012-1721 - -- CVSS: 9, AV:N/AC:L/Au:N/C:P/I:P/A:C - -- Affected Vendors: Oracle - -- Affected Products: Oracle Java Runtime - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists because it is possible to change system properties through trusted JNLP files. If a JNLP file requests "" and only references signed, trusted JAR files, it can set all System properties. By referencing a trusted JNLP file from an untrusted one it is possible to change System Properties that can lead to remote code execution under the context of the current user. - -- Vendor Response: Oracle has issued an update to correct this vulnerability. More details can be found at: http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.ht ml - -- Disclosure Timeline: 2012-03-14 - Vulnerability reported to vendor 2012-12-21 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Chris Ries - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUNRWf1VtgMGTo1scAQL17Af+PLKQVLcU5Y6zbxi8z9zDy8lZV/qhycKN nSRaC5SOh+aVBVN3hvRc8LkRpD1me4kWLk5uvfP4dV9yZToRCt1dZOvIFBgJOYdd ztiOTFgQCGapxv4bdvI9VRvx9bUzO8Rl2k3L32xV1gLpe9UKiQbJw5qC8SbhYqWY 8j4JA03/66hyTZqT+M6tWKtB80P2lCuYp4aoF6kcIn//5tyS4h0RgPWRTaxzmBcU p6V2m3rxDpaTyPRZxN7Q9c8JvN3ClWla1gcNdYAFsh7bnYgiOeI4cvk0vY6v312s +3gKQKsU2w+Its1gekAIEk11tlyR3SRtd/mFnk4fEzvlhkSjytAvgQ== =VL7/ -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-188 : Microsoft Internet Explorer OnRowsInserted Event Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-188 : Microsoft Internet Explorer OnRowsInserted Event Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-188 December 21, 2012 - -- CVE ID: CVE-2012-1881 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Microsoft - -- Affected Products: Microsoft Internet Explorer - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way Internet Explorer handles 'onrowsinserted' callback functions for certain elements. It is possible to alter the document DOM tree in a onrowsinserted callback function which can lead to a use-after-free condition when the function returns. This can result in remote code execution under the context of the current process. - -- Vendor Response: Microsoft states: https://technet.microsoft.com/en-us/security/bulletin/ms12-037 - -- Disclosure Timeline: 2012-03-14 - Vulnerability reported to vendor 2012-12-21 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Anonymous - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUNRWElVtgMGTo1scAQLRbQgAqGyxowWyS6ENL3tdOoUpU3QxweD2KGcW rrYxmRKfZxIOw8dtXe/CPLw+ANGLy8y0IfMD2JAgTwqigzjOsLvxXJx77827jjkZ D5FvAe4CWWXSiQQlN7b+VKDldvqH18FPSMSiKW+nAX5Pi6RwnK7xMdq4f/fyj1tu 0f/N271a4PB83wICFJT8GbB3xM2CEObMs5sEYd3GAF6i0snn9DZGHF+PVdaqmFXD scBVoqVHGW2EeePeRkGWaVJIGG2b4kV0vzFoIXeyZ5e24cJ5fmeTQPsPOtcVDRec eA6WqHdWSRGWPYSjTU3AQUTfaVdzXZmTFet4VvtO0/a6Qq3aPDh/PQ== =EDil -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-187 : RealNetworks RealPlayer RV20 Frame Size Array Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-187 : RealNetworks RealPlayer RV20 Frame Size Array Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-187 November 19, 2012 - -- CVE ID: CVE-2012-0923 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: RealNetworks - -- Affected Products: RealNetworks RealPlayer - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within how the application parses a particular array contained within a Real Media file and then uses the data. When allocating and reading frame size information, the application will fail to check the bounds of how this array is used. The application will use results in this array as an allocation for the size of a buffer. When initializing this new buffer, the application can then write outside it's bounds which will lead to code execution under the context of the application. - -- Vendor Response: RealNetworks has issued an update to correct this vulnerability. More details can be found at: http://service.real.com/realplayer/security/09072012_player/en/ - -- Disclosure Timeline: 2011-10-21 - Vulnerability reported to vendor 2012-11-19 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Luigi Auriemma - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUKpB2FVtgMGTo1scAQIHwgf/Zpod1KwI5rFw1SBFP1WTptCNHDFck84d Y6t8a5HaFMu5DwBAZCbT9BjXuEGdlo2GO+o0NwKZ0fYEU6zfkl6bbd0e2dmRQOii KTbIAaw/5pdGpnht1Cejvpf5IrUm/L3IdLFu/U7xakiwjKUKPFN66WzMnBLxjHLG P+4EUcl9W+UVSGAU3z55gGDkk5LZ4yh/xX42u4PsHXeqsj2n64z2hHFuyJTaFwA+ 3SiJM7WphLKn3G297xI+mKHPjhlEVUMjuXKM2uZUAVOHVnQnbdi/sFelJbzxVIAp YQXSF3PMtf8Ujkf3CYDaEKIE6I3YRMhWkkzbbem10/lWK22VINmftg== =QyRN -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-186 : Microsoft Office 2007 RTF Mismatch Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-186 : Microsoft Office 2007 RTF Mismatch Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-186 November 15, 2012 - -- CVE ID: CVE-2012-0183 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Microsoft - -- Affected Products: Microsoft Office - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12309 . For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of RTF files. The code responsible for lexing control words from the input file does not properly validate that all objects are properly defined. By removing terminating values within an RTF file an attacker can cause the program to re-use a freed object. Combined with basic memory layout control an attacker can abuse this situation to achieve code execution under the context of the user running the application. - -- Vendor Response: Microsoft has issued an update to correct this vulnerability. More details can be found at: http://technet.microsoft.com/en-us/security/bulletin/ms12-029 - -- Disclosure Timeline: 2011-11-29 - Vulnerability reported to vendor 2012-11-15 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Anonymous - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUKT7+FVtgMGTo1scAQKREwf9G28x2Sgu2UiX6QdulNsWXUHp9Iwf8pMq TFtQz4lSKtIO+JwlzslUehuOGt61eTz8QUnahNCZ0hsEx9T4nbYuvV2bKTPzF7gH G1HrJSJZlHMsjzPOJSE62DI8DBB0g7rj9vQ3CMDLhpQyG2gPbNC0xJtFmnBYBj5O v5VAKjA7XZchnNRXWMdI/2UScC/OfRLi3wRmgzhMG0wAdZ2MtIhLH79Pd9tNdQ5X nM8fQ2asid/QvGxdV9Yf9qvU2pothauwCgAm63jYDqoSfu9MS6S8srwrMgNfSVtl 4JoVm1/9koIsKIEafjNI1xCtH3S6oP+NHJstUZ0xQdiVFqSUyDZIQA== =5F2V -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-185 : Apple Mac OS X DirectoryService SwapProxyMessage Unchecked objOffset Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-185 : Apple Mac OS X DirectoryService SwapProxyMessage Unchecked objOffset Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-185 November 15, 2012 - -- CVE ID: CVE-2012-0650 - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Apple - -- Affected Products: Apple OS X - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Mac OSX. Authentication is not required to exploit this vulnerability. The flaw exists within the DirectoryService daemon. This process listens on TCP port 625 by default on Mac OSX Server pre 10.7. Request types to the service include a sComProxyData structure having a translate field which is responsible for describing the endianness of the payload. When passing a message to SwapProxyMessage for byte-reordering, multiple user controlled fields are trusted including lengths and offsets. When processing this data with DSSwapObjectData, the process will address memory out of the bounds of the allocated region. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the process. - -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT1222 - -- Disclosure Timeline: 2011-11-29 - Vulnerability reported to vendor 2012-11-15 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * aazubel - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUKT7f1VtgMGTo1scAQIlHQf/QnM7bofxiLdPTJR3lQRTUh56ctLsMSGz VmKZt4wkOaMhRX73nmmg4SbMFVlXmEEbCxgFHWNh+K66MD5vLSNrLT8iWEsopHUt 5ogXz+rrw8S5DY8UCaZy4ZHAOqQXBlzmk31b6bUG6VTtisc44t4EFUrLYDAqmOui pZc1MUrj+0P2PJrOnnzq6ZyF6RxODiw4Ex1iEQIn9HAdY2cl+qY3nqWD6hHDFYbq 0qLg5anzQo/cPpVBgwe/bbistnyKIDrnbBFpyKnzV1uH8329SFygKArI5YRIavZe MmyH6GkGbI7t5AaJ4igD/JPgzr6z8O4023P99VMEXOO/wqE06JAjIg== =ocwX -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-184 : Microsoft Excel Feature11/Feature12 Record Trusted Counter Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-184 : Microsoft Excel Feature11/Feature12 Record Trusted Counter Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-184 November 15, 2012 - -- CVE ID: CVE-2012-2543 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Microsoft - -- Affected Products: Microsoft Office Excel - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12612. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Excel. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within Excel's parsing of Feature11/Feature12 records. The process trusts a supplied counter value without validating its size and proceeds to use it within a copy operation to the stack. An attacker can abuse this to execute arbitrary code under the context of the user running Excel. - -- Vendor Response: Microsoft has issued an update to correct this vulnerability. More details can be found at: http://technet.microsoft.com/en-us/security/bulletin/ms12-076 - -- Disclosure Timeline: 2012-07-24 - Vulnerability reported to vendor 2012-11-15 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Anonymous - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUKT6gFVtgMGTo1scAQKIEgf/ZGKs7rUvbu90dJA5rkK+/8c6y+/ORgyM a77S1rb5oN1FT5iK6g/B1hWYSc1c4ePDSmnp9ikoSV6YJs+TUfGN8vLDuCuF6YkG BvKLQzrGEtGjB3waypehRU9gjRaa52Gmn61DootEwDt+fwwsHAPE48EOo5UwI1mk Yet8SlBFCmp+RUEUZqMswOfclEjGvULn4rE9nlNOGkhFYfPQBzBq6Juj3msCxs81 +HHmV2rDmL37ElMxdEw99b4qGV4thaZTgHsvRVZGLMUZcmnXOnrVGiZQCkJZMuUu PFA+toXswVYCrjPaLHkdfVDi4TzrnPgxffwJuvghrn/qT/WhCF8o9Q== =n1W3 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-183 : RealNetworks RealPlayer RV40 Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-183 : RealNetworks RealPlayer RV40 Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-183 November 15, 2012 - -- CVE ID: CVE-2012-0925 - -- CVSS: 9, AV:N/AC:L/Au:N/C:P/I:P/A:C - -- Affected Vendors: RealNetworks - -- Affected Products: RealNetworks RealPlayer - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. User interaction is required in that a target must visit a malicious page or open a malicious file. The flaw exists within the rv40.dll component for RealNetworks RealPlayer. When parsing a stream containing RV40 sample data, a value is miscalculated before being used as an offset from a base pointer address. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the process. - -- Vendor Response: RealNetworks has issued an update to correct this vulnerability. More details can be found at: http://service.real.com/realplayer/security/09072012_player/en/ - -- Disclosure Timeline: 2011-10-21 - Vulnerability reported to vendor 2012-11-15 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Dan Rosenberg of Virtual Security Research * Damian Put - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUKT351VtgMGTo1scAQKtEAf/TnGCmBhleNjQueNOrb9B11rDxO+Ym6Rh fZGjovQEGEWVbuOB2ysUm7xsb2JbH9LMyJ8k3ZmtALFudsCOueuT79D/+JV8k5/1 UHbnnnh2vruspwH11M1A28cZyDfPOqvXe5tpXNL/jgoEMQsfIo6sA5QFaZI4bdqK 819RFmsG7N12Q/6eupPWIrqUl764rSxH0rdXFa6ITiR+CWZTtdBLz9+heZawpV0A +R7VRJ5gAF1yIRVOxb7ad41Q2q1/Jtsxmv2LrGsP6KIPVd/SM1mnQ+NX659k4RSE of4nakoLcxngWmUC/lBUVeFGYDE/MrPRJO/P+ExuH3strWILc+A+vQ== =ISmm -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-182 : EMC AppXtender WxSuperCtrl650.ocx ActiveX Control Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-182 : EMC AppXtender WxSuperCtrl650.ocx ActiveX Control Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-182 August 29, 2012 - -- CVE ID: CVE-2012-2289 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: EMC - -- Affected Products: EMC ApplicationXtender Workflow - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12483. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC ApplicationXtender. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WxSuperCtrl650.ocx ActiveX control. By manipulating a combination of the DisplayImageFile, AnnoLoad and AnnoSave methods, the vulnerable AnnoSave() method can enable an attacker to save arbitrary files inside arbitrary locations. The attacker is able to control the file extension and the creation path via a directory traversal issue. An attacker can leverage this vulnerability to execute code under the context of the process. - -- Vendor Response: EMC has issued an update to correct this vulnerability. More details can be found at: http://www.securityfocus.com/archive/1/523993/30/0/threaded - -- Disclosure Timeline: 2012-03-14 - Vulnerability reported to vendor 2012-08-29 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Andrea Micalizzi aka rgod - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUD4ik1VtgMGTo1scAQLBjQgAhOXGeG2NUDoOnPJ08obrL+gDERXO21v3 ZhkZDPPwrgpdJJ32N2pnIcVKZjhLxSKai6Ds2UhynUFKLwDalhvbasbr3Lu0oMK1 A94nm42TIaEmblfAfU0AsPUKoUJ46Voz1QNWTGn9K3RuLiVFjEEgoVdHJBPBMDHz vOe6y0eDU3V2KQxeJVpcM2fRQO/HDvZQZT4AjvcxZp+qAkhbRC8VMnJtUZxQYoyV 5SwDrj4VccPP1/uXLQUZfBFDarOVVO0mnmCk+yuhT4naYGd+SolD+mR2dCgUk+kh AlK/7ynZnLQ+bKoUsJXVb9kEMgq/7f2HFePkcKOxdXRdrR1F6D3qcA== =DC2u -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-180 : Novell ZENWorks AdminStudio ISGrid.dll ActiveX Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-180 : Novell ZENWorks AdminStudio ISGrid.dll ActiveX Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-180 August 29, 2012 - -- CVE ID: - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Novell - -- Affected Products: Novell ZENworks Admin Studio - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12491. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell ZENworks Admin Studio. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the ISGrid.dll ActiveX control. The process performs insufficient bounds checking on user-supplied data passed in the DoFindReplace() method which results in heap corruption. This vulnerability can be leveraged to execute code under the context of the process. - -- Vendor Response: Novell has issued an update to correct this vulnerability. More details can be found at: http://kb.flexerasoftware.com/selfservice/microsites/search.do?cmd=displayK C&docType=kc&externalId=Q201079&sliceId=1&docTypeID=DT_HOTFIX_1_1&dialogID= 125341070&stateId=00 125337386 - -- Disclosure Timeline: 2011-11-04 - Vulnerability reported to vendor 2012-08-29 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Andrea Micalizzi aka rgod - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUD4hKFVtgMGTo1scAQLvmwf/ddqYchdLG8QICq+qdeGQP9rtpQp5iAhZ O5nuLyZAoJzZSu9uem8dHNQhrEJS3dP8vD9++dB0Z+ivLa4HNnpskC6l2byCWUa8 XcQckxRVSx6ajzHrmBNGqpqmw2uWgrbPFAgjMHQWuTVMClkOgfOfk55wfkhFMdOi lqj5qvWnWne19EpZb9fQ98d3TNfxvI8gbrBteqh8B10gc9/DGsx8hbYLILaY6Hxg zm2qdYvbU3ZmW7JYiQcin/C40f+2cKuo8k20cIvZ0vT6ANo07fmKvFEDXLfL8Xpe Cm4spZRVbW+orPFtvWu9EOp1AfNETp3MlcOuUCI0/yLOFQh/Ue9MFw== =Rg54 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-181 : Novell iPrint nipplib.dll client-file-name Parsing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-181 : Novell iPrint nipplib.dll client-file-name Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-181 August 29, 2012 - -- CVE ID: CVE-2011-4186 - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Novell - -- Affected Products: Novell iPrint - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11195. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell iPrint Client. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw exists within the nipplib component which is used by both the ActiveX and Netscape compatible browser plugins as well as the Microsoft Windows spooler service. When handling certain requests the client-file-name parameter is improperly copied to a local stack buffer. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the SYSTEM. - -- Vendor Response: Novell has issued an update to correct this vulnerability. More details can be found at: http://www.novell.com/support/kb/doc.php?id=7008708 - -- Disclosure Timeline: 2011-12-22 - Vulnerability reported to vendor 2012-08-29 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Ivan Rodriguez Almuina - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUD4hd1VtgMGTo1scAQJQaAf/QK/dLFxsY7cHBokaZqaeGsO9r6TyGnO6 N2RI1MqpEbv0MB/m7S678CXzNzmrzkHoQA1mqRuQa3/DqHKYWkkj/ZGfchE/mWh2 c0jsNFR7vl0BZruXFVa7R2iLbTVQhJ169Wo4GYTMH0escQFtBGOSk8FFRet2O1Lt DsaaJQhhrR3rcSHlJLbc3BrnbqE16/W6eDpl1yVBo5FkdubRkxO/BqyOLIzPIf5k aewd3r6NKt85HSDGSF9vFNYwrf/gpXpvUqvdlkN/i574yZCgSUPeV/USTIU85YuG FSRn5k/yYpfrJXm9AY5+2r2V5XyOuKEzzY4mVseXIEJIkb0BHUMQYg== =JWv3 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-179 : EMC ApplicationXtender Desktop Viewer AEXView ActiveX AnnoSave Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-179 : EMC ApplicationXtender Desktop Viewer AEXView ActiveX AnnoSave Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-179 August 29, 2012 - -- CVE ID: CVE-2012-2289 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: EMC - -- Affected Products: EMC ApplicationXtender Workflow - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12483. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC ApplicationXtender. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the AEXView.ocx ActiveX control. By manipulating a combination of the DisplayImageFile, AnnoLoad and AnnoSave methods, the vulnerable AnnoSave() method can enable an attacker to save arbitrary files in arbitrary locations. The attacker is able to control the file extension and the creation path via a directory traversal issue. An attacker can leverage this vulnerability to execute code under the context of the process. - -- Vendor Response: EMC has issued an update to correct this vulnerability. More details can be found at: http://www.securityfocus.com/archive/1/523993/30/0/threaded - -- Disclosure Timeline: 2012-01-24 - Vulnerability reported to vendor 2012-08-29 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Andrea Micalizzi aka rgod - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUD4g3FVtgMGTo1scAQJ/swf/T8uBK8yee584Htk/Bdj9QE8yje15DvEw MyrFWRU+fzQK0iZVNOqqpboPRS8cvof3M0dJo3aKavu32HOCtpaf7D8NDMqIzdz3 nZN8plIlKcB6PHWhRusKHkoxmA3RelpHfMBGzMoIxqzeqYBIvbo99jsuSxOmZYBP lgndcEeOx/MmV7boRecUamFQZzGCkq/ppgDVeOGNrDcEAH3wFAluTS+CnMaGOXpt trJv+PYIRc3waFjCgqYj53hai1g3dgLORk8zkXgIUxOUkUrjngRtzrVH5+KnOgI0 P/yzXojSwgcINHoSdxIxkT1O+mf0SbBzEKmxP8ruRDQcjrlOhYsroA== =dIDK -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-178 : (0Day) HP SiteScope SOAP Call update Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-178 : (0Day) HP SiteScope SOAP Call update Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-178 August 29, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Hewlett-Packard - -- Affected Products: Hewlett-Packard SiteScope - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12502. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP SiteScope. Authentication is not required to exploit this vulnerability. The specific flaw exists because HP SiteScope allows unauthenticated SOAP calls to be made to the SiteScope service. One of those calls is update() which allows an unauthenticated user to update the admin credentials. This can lead to remote code execution under the context of the current process. - -- Vendor Response: - -- Mitigation: Given the stated purpose of SiteScope, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the HP SiteScope service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles. - -- Disclosure Timeline: 2011-12-22 - Vulnerability reported to vendor 2012-08-29 - 0Day advisory released in accordance with the ZDI 180 day deadline policy - -- Credit: This vulnerability was discovered by: * Andrea Micalizzi aka rgod - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUD4giFVtgMGTo1scAQLRPgf+JxL5j+aklwaI3qK+giwPSzjDhddFXpuW QqrjC/Vj2k4VVzp6eNZ1kMUOOZM3dDUrGCHTF1PXF2tQYe/ZtRuc2pFaE+4CnFmz 4oGCIvUv/bd3iyFpfFLED0tnqp1Y3nRbAsv6UKW8z3QeyZig5zqACLwPRfSxgQ02 KCoEZG7tzAlXApHSRKWXSjrhDTHDtn1DqzPc4hKHl14NjN4kOCch5LxUv9eH4X2T 4fo1ZpvGw1piYcWdLDx2i4GVmHJ42kntlRZlBh6X9x4H4htXF0Hq+X4DOsr9Xmrs NCOJFj3DQei41IFv1+c39w3igCItMDMdIYKM2CcrYj0VpPeb0HFyfw== =WQOQ -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-177 : (0Day) HP SiteScope SOAP Call loadFileContent Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-177 : (0Day) HP SiteScope SOAP Call loadFileContent Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-177 August 29, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Hewlett-Packard - -- Affected Products: Hewlett-Packard SiteScope - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12493. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP SiteScope. Authentication is not required to exploit this vulnerability. The specific flaw exists because HP SiteScope allows unauthenticated SOAP calls to be made to the SiteScope service. One of those calls is loadFileContent() which will return the content of any local file on the server including the configuration files containing password information. This can lead to remote code execution under the context of the current process. - -- Vendor Response: - -- Mitigation: Given the stated purpose of SiteScope, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the HP SiteScope service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles. - -- Disclosure Timeline: 2011-12-22 - Vulnerability reported to vendor 2012-08-29 - 0Day advisory released in accordance with the ZDI 180 day deadline policy - -- Credit: This vulnerability was discovered by: * Andrea Micalizzi aka rgod - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUD4gLlVtgMGTo1scAQIY/QgAhFnlLyiw9kIX5+dpjHgBKnvaOPLGK3yE 5Vw171zkNyTBaUrSCklyfXvQryZc2xB5KWYwfB5jLh4yR+iqQzG2OWEtYqKJIUdN Ljzf017LKMyIRWa0dO8MQX/1NeQ/xW2KIVTWN3lyLkGwQWJ9IpP6Df3nfhfkfspA STk/3ocu2KXfFRfQIufOYWeT2i3YxVD3TkPKQovmcvbmT2TzkvwLGWSKStgUFyjK RPninKH0jZariieqK++8VSrZLXdk9ZtYBsvTQWmy6DFinkipmHE+li8oZbACInXO 0LLmVoDw9pdU4SxjpY8mMVvuk98bnKCQW+IVig2POotX/y8AggvMNg== =2l1A -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-175 : (0Day) HP SiteScope SOAP Call create Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-175 : (0Day) HP SiteScope SOAP Call create Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-175 August 29, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Hewlett-Packard - -- Affected Products: Hewlett-Packard SiteScope - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12486,12487. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP SiteScope. Authentication is not required to exploit this vulnerability. The specific flaw exists because HP SiteScope allows unauthenticated SOAP calls to be made to the SiteScope service. One of those calls is create() which allows unauthenticated user to create a new user account for the service. This account has access to an DownloadFilesHandler which contains a flaw that allows you to download any file from the server inclusing the server configuration files that contains the admin credentials. This can lead to remote code execution under the context of the current process. - -- Vendor Response: - -- Mitigation: Given the stated purpose of SiteScope, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the HP SiteScope service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles. - -- Disclosure Timeline: 2011-12-22 - Vulnerability reported to vendor 2012-08-29 - 0Day advisory released in accordance with the ZDI 180 day deadline policy - -- Credit: This vulnerability was discovered by: * Andrea Micalizzi aka rgod - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUD4fiVVtgMGTo1scAQLq2gf/eMsudL5lTbtdWXXdSIYv07m72HG/HRQ/ jIcTlBBjbztuK2Ea1ru4+2kfSDWn8vrvYHbTAJHTsDc5MqJiWPG1VNZxKqKKDIsX 8U6Ne1tSD436qWq9rMFuSOP/RXhzxsf60lEIbIHkZAGYMtO4SaE7OX3Pyx+qY3pB B3q4afIHiFanlOy6/6l/RxAX9ok3duzHJtQ+d8gGtD3spXa7broSg2B3SDt0Ndmn DtSdxO9Tbzf1mnyjDV/nYTpDIooxqc6sueQhqG//j0RxQYeksm127OdtF+X8ctfF MIONwUeonhiX4WiNYz5HoHFHY7j8zTfUc8XWTZD7fy+Yb2ojBfEcEQ== =sJ1L -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-176 : (0Day) HP SiteScope SOAP Call getFileInternal Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-176 : (0Day) HP SiteScope SOAP Call getFileInternal Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-176 August 29, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Hewlett-Packard - -- Affected Products: Hewlett-Packard SiteScope - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12488. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP SiteScope. Authentication is not required to exploit this vulnerability. The specific flaw exists because HP SiteScope allows unauthenticated SOAP calls to be made to the SiteScope service. One of those calls is getFileInternal() which will return the content of any local file on the server including the configuration files containing password information. This can lead to remote code execution under the context of the current process. - -- Vendor Response: - -- Mitigation: Given the stated purpose of SiteScope, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the HP SiteScope service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles. - -- Disclosure Timeline: 2011-12-22 - Vulnerability reported to vendor 2012-08-29 - 0Day advisory released in accordance with the ZDI 180 day deadline policy - -- Credit: This vulnerability was discovered by: * Andrea Micalizzi aka rgod - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUD4f4VVtgMGTo1scAQLEDQf/Th8T3Nf62AS+MJqNvfLM5/SUj0NfA4bh q92dTs8duOCKsMeN90pTn/Zrr5FI9iEL6+4bNhssc9MQ5LsFayxCZvaYHTnUUmNk LJVT5vFux6FWWqDzJUg2xKrxm4Qt3KOuzx8bgVHK4Q9zkeA+3nf5Nkp3YO7qdJzP tJzRA88ovPqCO4ikpnmlrm6CZaFvk1aKHVeQ/DeIkPpaQ82U1at5etZNe6QHRDNP QVUXZdR8hNwEr4SzO+O3e2gFqC8ulYF7DlExwkI7bNKExI1wUe9j+/nSwNhyEYDP iqgXNvhz5lUJR/hQMuUKoXaWWna9IEzWcsCb0tOWLLbKlhD5ecWWrw== =tGtc -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-174 : (0Day) HP SiteScope UploadFilesHandler Remote Code Execution Vulnerability
ZDI-12-174 : (0Day) HP SiteScope UploadFilesHandler Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-174 August 29, 2012 -- CVE ID: -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C -- Affected Vendors: Hewlett-Packard -- Affected Products: Hewlett-Packard SiteScope -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12485. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP SiteScope. Authentication is not required to exploit this vulnerability. The specific flaw is a directory traversal in the UploadFilesHandler url that allows you to upload files to the server into a directory on the server that allows for scripting. This vulnerability could lead to remote code execution under the context of the current process. -- Vendor Response: -- Mitigation: Given the stated purpose of SiteScope, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the HP SiteScope service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles. -- Disclosure Timeline: 2011-12-22 - Vulnerability reported to vendor 2012-08-29 - 0Day advisory released in accordance with the ZDI 180 day deadline policy -- Credit: This vulnerability was discovered by: * Andrea Micalizzi aka rgod -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-173 : (0Day) HP SiteScope SOAP Call getSiteScopeConfiguration Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-173 : (0Day) HP SiteScope SOAP Call getSiteScopeConfiguration Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-173 August 29, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Hewlett-Packard - -- Affected Products: Hewlett-Packard SiteScope - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12484. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP SiteScope. Authentication is not required to exploit this vulnerability. The specific flaw exists because HP SiteScope allows unauthenticated SOAP calls to be made to the SiteScope service. One of those calls is getSiteScopeConfiguration() which will return the current configuration of the server including the administrator login and password information. A remote attacker could abuse this vulnerability to login to SiteScope with administrative privileges then execute arbitrary code through the underlying functionality. - -- Vendor Response: - -- Mitigation: Given the stated purpose of SiteScope, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the HP SiteScope service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles. - -- Disclosure Timeline: 2011-12-22 - Vulnerability reported to vendor 2012-08-29 - 0Day advisory released in accordance with the ZDI 180 day deadline policy - -- Credit: This vulnerability was discovered by: * Andrea Micalizzi aka rgod - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUD4e61VtgMGTo1scAQIFRQgAqS2x7p/9CUcVKcTAVT3tfpy3vqWMxIqT CbPhcCz3TH0Q0fBWGGkNMw0/uQUVTZcxdIMDnuCBV1alnbzlvkkA+Gqi6gYzJFM3 D1Eq3JMW6ot7HpnnLcLGwrYGPjklsO0H1Hl1y0U7GOLyOYZtj/X92axmKsjGWjZg AYJ5Y4Ohd3nsWzPu6vSc6QpxY1FWYZ1TcEbm04MH86PRWzD7I8w6KaPdLqrMDhsR puFONjZueV+viVOhyTzn++1w28N8m5XKtrDEnGNg0F3NKORFTIU+HOJkRzGuYQJw N4JT59DB3vdHSYFN39Wx0A3lBjNT3fy+3FteqZzGAlwZ/rioKxQ1FQ== =kv53 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-172 : (0Day) HP Operations Orchestration RSScheduler Service JDBC Connector Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-172 : (0Day) HP Operations Orchestration RSScheduler Service JDBC Connector Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-172 August 29, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Hewlett-Packard - -- Affected Products: Hewlett-Packard Operations Orchestra - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12497. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP Operations Orchestration. Authentication is not required to exploit this vulnerability. The specific flaw exists within the RSScheduler service JDBC component of Operations Orchestra which listens by default on TCP port 9001. The component is vulnerable to SQL injection attacks. Remote, unauthenticated attackers can exploit this vulnerability by injecting malicious SQL into the target, which could ultimately lead to arbitrary code execution under the context of the SYSTEM user. - -- Vendor Response: - -- Mitigation: The overall design of Operations Orchestra assumes it runs as an application on a Windows server. Given the stated purpose of Operations Orchestra, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the HP Operations Orchestra service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles. - -- Disclosure Timeline: 2011-12-19 - Vulnerability reported to vendor 2012-08-29 - 0Day advisory released in accordance with the ZDI 180 day deadline policy - -- Credit: This vulnerability was discovered by: * Andrea Micalizzi aka rgod - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUD4eDlVtgMGTo1scAQI55Af/Tfb7p7aGXe4nvic54nedwpEBFLk0ADOg we07cQIvVEdispCUsPCZK9Pt/nBGZpUKmxQpmY4Nu2VDWRFAMPOVMOeltlO0fNz/ 7yy3kMrgn6IokiDbPzwmX3mZXpcflJsMxPmPnLe1teOIavPlW55Oj7mo/NlTT3dG uSQXx2on/uoXQZZq1RD4P1CE1g170vGc6uQBtzyeobg5zww82RmM/NN/UmiSPPK7 ck7u75EFWEaH35j0K/Jri5rHHic9lDzHhoU7pK4x3ZV62sywWhGZGnartFM6dcKO uEgDSla2ObYpc8xOUI76GoVoc378qNGAuaxTEq+cFJBKXr1FNMp/4Q== =Vf0r -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-171 : (0Day) Hewlett-Packard Intelligent Management Center UAM sprintf Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-171 : (0Day) Hewlett-Packard Intelligent Management Center UAM sprintf Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-171 August 29, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Hewlett-Packard - -- Affected Products: Hewlett-Packard Intelligent Management Center - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12500. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Intelligent Management Center. Authentication is not required to exploit this vulnerability. The flaw exists within the uam.exe component which listens by default on UDP port 1811. When logging received actions to a log file, sprintf is used to build the log message. The process does not properly verify the destination buffer on the stack is of sufficient size to handle the newly created string. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the SYSTEM user. - -- Vendor Response: - -- Mitigation: The overall design of the Intelligent Management Center assumes it runs as an application on a Windows server. Given the stated purpose of Intelligent Management Center, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the HP Intelligent Management Center should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles. - -- Disclosure Timeline: 2011-10-21 - Vulnerability reported to vendor 2012-08-29 - 0Day advisory released in accordance with the ZDI 180 day deadline policy - -- Credit: This vulnerability was discovered by: * e6af8de8b1d4b2b6d5ba2610cbf9cd38 - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUD4dyFVtgMGTo1scAQJ0WAf/TKZ0KjWMUnMRGnfOejRv61x+6AckOKZD I5jN0spwPVtYuvo58pjbbWWkpNJSebezoT726Jg4qRZU2FcQ3WEflgioz3RhPZNX j9ceM8rN+u4Xp70fM9gtbb9NLZaLRXQriSwkiYlRN/FHLBgHpCuiYWXdynL5it0r 9wOj9l1qaKkRlo8SHBIhQWgG9+D33wWg69VxsYAT1xBXC2YuQuAxaz/gL232vMrB 2Z93xyq/+yomRQRmwGlxn9fM6OmM81716lrgwwS88YNa5qnlTVh1izxeVQPqtR1K AQJ9NUOf9lDjRMu3Ok2/ic179blMNFf1fKQrFDqpTvoxt1is+Ogh9Q== =bdYB -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-170 : (0Day) HP Application Lifecycle Management XGO.ocx ActiveX Control Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-170 : (0Day) HP Application Lifecycle Management XGO.ocx ActiveX Control Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-170 August 29, 2012 - -- CVE ID: - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Hewlett-Packard - -- Affected Products: Hewlett-Packard Application Lifecycle Management - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12498, 12540. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Application Lifecycle Management. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the XGO.ocx ActiveX control. The control exposed two vulnerable functions: 'SetShapeNodeType', which is vulnerable to a type confusion allowing user specified memory to be used as an object; and 'CopyToFile' which allows an attacker to create and overwrite files on the system of the user invoking the control. The attacker can utilize these vulnerabilities to execute remote code under the context of the process. - -- Vendor Response: - -- Mitigation: Given the stated purpose of Application Lifecycle Management, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the HP Application Lifecycle Management service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles. - -- Disclosure Timeline: 2011-08-12 - Vulnerability reported to vendor 2012-08-29 - 0Day advisory released in accordance with the ZDI 180 day deadline policy - -- Credit: This vulnerability was discovered by: * Andrea Micalizzi aka rgod - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUD4dVlVtgMGTo1scAQKJgAf/frg+WEHp+FNzLb7i75lPVzxmVJoyJvnV ls+dyLj1cLVZOmJHHvATsi1UKEdD8a0uPqG3mar/BdyzGf8+HK6DnDiSzcQ2Dm1A woT0tHP2vt9rzCcOieBh0kZXL8lD1ipXUw6nE4PENObVSy3G8rgBsAtAQa0tHvi9 MtlI/faiPe1CU38JFnHz/vY3Wvn+W+MrWzcBagiJPY+rZJCi22o6g0X1t/ngQFdO gnA6epRt067UixHvEnzF+51cn7Llj+vTTLxLiHueDih+Y9N9QmScIVuQhl0ob7XB RZzDnIVFloz2oZ738PI1ou1qyarfLayxMnmgoLqO+X2khVeyWSEQwA== =pQWm -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-169 : GE Proficy Historian KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-169 : GE Proficy Historian KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-169 August 29, 2012 - -- CVE ID: CVE 2012-2516 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: GE - -- Affected Products: GE Proficy Historian - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11626. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of GE Proficy Historian. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the KeyHelp.ocx ActiveX control. The control contains a LaunchTriPane function that allows launching of the HTML Help executable (hh.exe) with customized command line parameters. By using the -decompile switch, an attacker can specify the folder to decompile to and a UNC path to a specially crafted .chm file. The attacker can utilize this vulnerability to execute remote code under the context of the process. - -- Vendor Response: GE has issued an update to correct this vulnerability. More details can be found at: http://support.ge-ip.com/support/index?page=kbchannel&id=S:KB14863 - -- Disclosure Timeline: 2012-01-24 - Vulnerability reported to vendor 2012-08-29 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Andrea Micalizzi aka rgod - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUD4cxVVtgMGTo1scAQI1/wf/fb3iWK8lB8HeWQV1TqUheLZqqXVzhClT K6W/V2OD2fD/JGUVy62AZX7frRIbxPzlEU+ywKhQO2WL8mDsybkaZr5YWO7/ri6r KZy+7VWLHaoqnp2jZpVma1xIrh6MAeTuBtuyzIkN+//n1eLc7ZHSeuiBq29Px1y9 X6odtLQiyB7laVtRVUq9IrwFOxKHNKHs3LRKWWxDjCCdO3UR1sn9ofzrw19RV4TA 0nSzx0eyHxrj4gaVa6yAi8ysuB+x9g4AbXAtoDz+8m0bcNQaRbYNHM0ABZTqAIkH CVNIshqTZrnowzrdlZ2ljM3vgaNNWZMmse1ft/2WhpHtCpbGdlYw8A== =xHh0 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-167 : (0Day) Novell File Reporter NFRAgent.exe VOL Tag Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-167 : (0Day) Novell File Reporter NFRAgent.exe VOL Tag Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-167 August 29, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Novell - -- Affected Products: Novell File Reporter - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell File Reporter Agent. Authentication is not required to exploit this vulnerability. The specific flaw exists within NFRAgent.exe which communicates with the Agent component over HTTPS on TCP port 3037. When parsing tags inside the VOL element, the process performs insufficient bounds checking on user-supplied data prior to copying it into a fixed-length buffer on the stack. This vulnerability can result in remote code execution under the context of the SYSTEM account. - -- Vendor Response: - -- Mitigation: Given the stated purpose of File Reporter, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the Novell File Reporter Agent should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles. - -- Disclosure Timeline: 2011-10-21 - Vulnerability reported to vendor 2012-08-29 - 0Day advisory released in accordance with the ZDI 180 day deadline policy - -- Credit: This vulnerability was discovered by: * Tenable Network Security - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUD4cB1VtgMGTo1scAQKcZAf9G6c0ylCbFg5nDqGKzP3BeeVmCW+nNpEc hSGsakkN+4XwNg46Ujl4YkkWiMHK+ii11jz95K5ieOiNgSHoCRYg0N13lZCNfY4j 2g0dxjPzuvcFBUVH0DG9c24n+IM3RZKlxeOHjwPUPXdii7zsskmzJHpDoVqs5IBM Y+m9jVEbQ7j8KS5HMZ5PyNDh1Pq7PsW1/wrGuFPeXfcMe7SdrhD28OSrmfr5qk36 mUsJtwDtHNB9B8wrP+iLkUvVVypAPc08ibEwel/jnsDTwPOyxD6szBPMYRM8Y7e5 E7Rf7wEIRgWG1JqMWS6Ig/ywj8p4hnGFrBw+BGDAoQEiiWYPCVWTEw== =evGX -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-168 : InduSoft Thin Client ISSymbol InternationalSeparator Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-168 : InduSoft Thin Client ISSymbol InternationalSeparator Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-168 August 29, 2012 - -- CVE ID: CVE-2011-0340 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Indusoft - -- Affected Products: Indusoft WebStudio - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12446. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Indusoft Thin Client. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within ISSymbol.ocx ActiveX component. The process performs insufficient bounds checking on user-supplied data passed in as the 'InternationalSeparator' parameter which results in a heap overflow. This vulnerability can be leveraged to execute code under the context of the user running the browser. - -- Vendor Response: Indusoft has issued an update to correct this vulnerability. More details can be found at: http://www.indusoft.com/hotfixes/hotfixes.php - -- Disclosure Timeline: 2011-12-19 - Vulnerability reported to vendor 2012-08-29 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Alexander Gavrun - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUD4cZ1VtgMGTo1scAQJoagf/ZpDTiahOQlERNABRglBe8krgQHhSHddX qVTQjFEyoOL8df5cA/I3JLJxEYRzcT0k8FSdoHUAMDWA8Oxv1BB62r7fgHC1BFjp jbH6u0mL+eYd95jqwfYaruakhABiCRR73nCxYvYGb1Bvx6piBDneD9E+Nx+qycF5 HKb5Fr0wwT+sWssIsnAHx5jDUamdRyQfOR1MAzb6GfKWDsRqwr/T5hWvRLqbZ3Cj VXwmd+MIIAQZIMJ8swKgBvbSeV4tcePun1NhqJYAJtySYR6a6oF112Gk+kXlNXDi EvynyGSXvzLMKEd+vmzSBbVeftCxNQJ8Ce4Vg+LYMGk0YHfoupt3gQ== =Fw26 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-166 : (0Day) HP LeftHand Virtual SAN Appliance Unauthenticated Access Remote Command Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-166 : (0Day) HP LeftHand Virtual SAN Appliance Unauthenticated Access Remote Command Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-166 August 22, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Hewlett-Packard - -- Affected Products: Hewlett-Packard LeftHand Virtual SAN - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP LeftHand Virtual SAN Appliance. Authentication is not required to exploit this vulnerability. The flaw exists within the hydra component which listens by default on 13841/tcp. The hydra daemon is responsible for management remote operations such as user creation, snapshots, etc. Insufficient authentication is performed prior to performing administrative level tasks. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the process. - -- Vendor Response: This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 180 day deadline. - -- Disclosure Timeline: 2011-12-22 - Vulnerability reported to vendor 2012-08-22 - 0Day advisory released in accordance with the ZDI 180 day deadline policy - -- Credit: This vulnerability was discovered by: * e6af8de8b1d4b2b6d5ba2610cbf9cd38 - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUDUNlFVtgMGTo1scAQI5wQf/cNfMAs0lXDhwybdRq8KuQ6HgruM0EZBC CyQMGayQKCY4Ge+eSNweIvuNVOiwL3rOXrSwbv7lCwblkvpHjQugQRhMUzQ/PXGY xlNJNCBZw81m4mZ48CdzY8zXGVxNZbOHiOfkpTk3dDJ/xb5Cyrv4qm/OZ9hzQXWl 4KpUvp0KanhmL+HtfEtiz7AvdFD899EBaavV6K79RUOtIGoW7aU3eOQ/A/xVcPsz rx8Gj0tY9/3uObxyCbFFQsPOm7GQ8NIuK5wyQCbRzE979upYoIiNAOXdxt8xIKA3 yOkhVAXBNm8UpnwJ1qAIHrKYXguicABIhkV7rqjZ3OSk8k4YRoV71Q== =RDbz -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-165 : (0Day) HP Operations Agent for NonStop Server HEALTH Packet Parsing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-165 : (0Day) HP Operations Agent for NonStop Server HEALTH Packet Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-165 August 22, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Hewlett-Packard - -- Affected Products: Hewlett-Packard Operations Agent for NonStop - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP Operations Agent for NonStop Server. User interaction is required to exploit this vulnerability in that the target must check the status of an existing node on the network. The specific flaw exists within ELinkService process which listens on TCP ports 7771 and 8976 by default. The process performs insufficient bounds checking on user-supplied data within in a HEALTH packet prior to copying it into a fixed-length buffer on the stack. Remote, unauthenticated attackers can exploit this vulnerability by sending malformed message packets to the target, which could ultimately lead to arbitrary code execution under the context of the SYSTEM user. - -- Vendor Response: This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 180 day deadline. - -- Disclosure Timeline: 2011-12-22 - Vulnerability reported to vendor 2012-08-22 - 0Day advisory released in accordance with the ZDI 180 day deadline policy - -- Credit: This vulnerability was discovered by: * e6af8de8b1d4b2b6d5ba2610cbf9cd38 - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUDUNHVVtgMGTo1scAQK2wwgAqvcFdEeDz1SOMKuwxmpLfm2qW1SkzF2i NDQKBlZx8V2DAJQxTznhLSbi0ARO/wv10XMKXEGhjczHPprSfS0iUcjGybRFiMP7 +nBjVJ/38AE/bru3HGIbAjaFcMkdw0TjulOHikDKdPmiaiTPbmt7yYEuBNkFcp3U xsYlesdcKSUTK0nt0jbvDSe3fTZsARKtxsevKx3p5NLAD7SXg8t6t0KUavhdE1VL 3I0wH8D5NufQhw1g19j0/ppf2FgxPl3SMCF3+v/3SEzx4+dlGO6E3mZ/AvuwlP/m UpOLZ3vb4iuI8MYnjhI/C7RuKSPySdEdqXt37ARjsqcICu+2QJX1ew== =7mba -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-164 : (0Day) HP Intelligent Management Center img.exe Integer Wrap Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-164 : (0Day) HP Intelligent Management Center img.exe Integer Wrap Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-164 August 22, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Hewlett-Packard - -- Affected Products: Hewlett-Packard Intelligent Management Center - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett Packard Intelligent Management Center. Authentication is not required to exploit this vulnerability. The specific flaw exists within the img.exe component, which listens by default on TCP port 8800. When handling message packets, the process performs arithmetic on an unvalidated user-supplied values used to determine the size of a new heap buffer, allowing a potential integer wrap to cause a heap buffer overflow. By sending a specially crafted packet, an attacker can leverage this vulnerability to execute code under the context of the user. - -- Vendor Response: This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 180 day deadline. - -- Disclosure Timeline: 2011-10-21 - Vulnerability reported to vendor 2012-08-22 - 0Day advisory released in accordance with the ZDI 180 day deadline policy - -- Credit: This vulnerability was discovered by: * gwslabs.com - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUDUMv1VtgMGTo1scAQLhWwf/R952WZeHDyb9Hk7wG+VH/L9eZReXzEJ0 vDy+duqYPQXCIEtQXrm2N37pCb/6YapVO0ewRnJgCMp3M7DiSGw8c5Hpn8GZHyB9 CLZ1H4h5d8DO37r00SShDbYB5hSspArD8XZGYPRcZVFjd7nU8jBh3ZoPvzi60x2C 40+11r6NZl3yXpxmAeQJRAdqaBrwLjRn98nTRk+zngAeG9+WpXMWXeMzbrAgOrkG gcOWnmF/69bvhhzIaQu+pPGGU5a4bodvBJN5l6aGPvlCmgh37G3eI9CfzawyAyD2 IYOLXYHKPpTnUevw/y7YTmzaexwlFOMiLrM5zFBQEgSXa6NUADjMAA== =IyPq -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-163 : (0Day) HP iNode Management Center iNodeMngChecker.exe Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-163 : (0Day) HP iNode Management Center iNodeMngChecker.exe Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-163 August 22, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Hewlett-Packard - -- Affected Products: Hewlett-Packard iNode Management Center - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP H3C/3Com iNode Management Center. Authentication is not required to exploit this vulnerability. The flaw exists within the iNOdeMngChecker.exe component which listens by default on TCP port 9090. When handling the 0x0A0BF007 packet type the process blindly copies user supplied data into a fixed-length buffer on the stack. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the SYSTEM user. - -- Vendor Response: This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 180 day deadline. - -- Disclosure Timeline: 2011-11-04 - Vulnerability reported to vendor 2012-08-22 - 0Day advisory released in accordance with the ZDI 180 day deadline policy - -- Credit: This vulnerability was discovered by: * Anonymous * Luigi Auriemma - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUDUMP1VtgMGTo1scAQJabggApXzB3iONWQ0vTfCMJUusGDUHIF+24W9n XDbhwEPjg86NcRQh5qgmOTnAwukGWO9BCyY2Az2LMJCr20UjOtAUGggNsCuT9XjZ qbq5MkqR0ojUWwi2mis1FPzcQET0izUGdPbABdahRpzFQ0OFMA+2XgW6sNRTGy7O mMJvOnfr4+D1MFYiKfjUbtJlsvhLDZst3YYwNTygcfrKYOVGI5iXhIZVZFBhXhEY GsIUWkUZo11BpgAddmIv1mSpvASWMwVYFAOSBBB/GbUnSeiRQmQXC8/jfZethsNh kthJ6++x/q7Cg6FqeCUK+DCmDnIyNJAI5rgLWtRQ3Tr3IUlFPokuMw== =6nEZ -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 180 day deadline.
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-162 : (0Day) HP Diagnostics Server magentservice.exe Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-162 August 22, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Hewlett-Packard - -- Affected Products: Hewlett-Packard Diagnostics Server - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP Diagnostics Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the magentservice.exe process which listens on port 23472 by default. The process performs insufficient bounds checking on user-supplied data prior to copying it into a fixed-length buffer on the stack. Remote, unauthenticated attackers can exploit this vulnerability by sending malformed message packets to the target, which could ultimately lead to arbitrary code execution under the context of the SYSTEM user. - -- Vendor Response: This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 180 day deadline. - -- Disclosure Timeline: 2011-12-22 - Vulnerability reported to vendor 2012-08-22 - 0Day advisory released in accordance with the ZDI 180 day deadline policy - -- Credit: This vulnerability was discovered by: * Anonymous - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUDULnVVtgMGTo1scAQJlfAgAsNv+UyZMwwzEukieb56vAg4q31aalY2s 9nXRIKNtMVKVIbzACYhH8TIvAtnAOPaHU2Mm/cMFGr24oGFV8H+qlW6dKSVQrvfM ctkkB4hzNqE3oOi7Ana3LQC10HyvWQ31N2mf5AdaIWTsQVc6XU3AX85ODVOk44EY CbBBz8kXT2Sl1fnjRULIJRDju9hkeH1L25lMOsPF8Arzmx4cwQWn0URlfTLzQUpi HpPhACCSD4sl3JudNjVF3ZABLMiRH++ZfunlvWj+cRTaXEYSoNuSUjGgTvSjxCM+ 1jmvKz6TrMdyoragwc+RDQ3+UdX2esVsTULFLU69IwMXmkg+jc0cNg== =s2vm -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-161 : EMC AutoStart ftAgent Opcode 0x2d Subcode 0x1194 Parsing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-161 : EMC AutoStart ftAgent Opcode 0x2d Subcode 0x1194 Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-161 August 22, 2012 - -- CVE ID: CVE-2012-0409 - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: EMC - -- Affected Products: EMC AutoStart - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12435. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the EMC Autostart ftAgent, which is deployed on machines managed by EMC Autostart by default. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing routines for op-codes used by EMC Autostart ftAgent's proprietary network protocol. This ftAgent.exe service listens on TCP port 8045, and performs arithmetic for memory size calculation using values read from the network without validation. This arithmetic is susceptible to integer overflow, causing the memory allocation to be undersized, ultimately allowing for heap-based memory corruption. An attacker can exploit this condition to gain remote code execution as user SYSTEM. - -- Vendor Response: EMC has issued an update to correct this vulnerability. More details can be found at: http://www.securityfocus.com/archive/1/522835/30/0/threaded - -- Disclosure Timeline: 2012-01-12 - Vulnerability reported to vendor 2012-08-22 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * gwslabs.com - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUDUIe1VtgMGTo1scAQLGywf/bRP1RwY+fFbY9VK/G+ffa1scCPrx3A8A 7CE4KWWiqA4yq/UTiYfJ5Bol6hlWrhpWqapbfjakbUt1BSGTraui6kKPPoiV+/Vb U5dkbPUWWYT8RskhVVv6ef6dUHjpQFUU/+5wfMC67PipoxwMOvH3g6FZvoTBF/JG NAxqJKj2l9i4cl1hDYkueU5ieBcmYvFITrGwQBM8+GjTvQ6CkDjhb3Ii78DgEdau RSn9I6L2/3lBJmxk5lZ+y7rCtWk/HBmlyE8B/7ab7PH0K9t8pwjyGbhTxMYLwoZ4 amHgZlBEh3wcEXR8uf4q/JeEHmcgWBBQn1IEeEUrBk9pqHtZYuzlfA== =Tt/B -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-160 : EMC AutoStart ftAgent Opcode 0x14 Subcode 0x7F8 Parsing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-160 : EMC AutoStart ftAgent Opcode 0x14 Subcode 0x7F8 Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-160 August 22, 2012 - -- CVE ID: CVE-2012-0409 - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: EMC - -- Affected Products: EMC AutoStart - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12435. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the EMC Autostart ftAgent, which is deployed on machines managed by EMC Autostart by default. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing routines for op-codes used by EMC Autostart ftAgent's proprietary network protocol. This ftAgent.exe service listens on TCP port 8045, and performs arithmetic for memory size calculation using values read from the network without validation. This arithmetic is susceptible to integer overflow, causing the memory allocation to be undersized, ultimately allowing for heap-based memory corruption. An attacker can exploit this condition to gain remote code execution as user SYSTEM. - -- Vendor Response: EMC has issued an update to correct this vulnerability. More details can be found at: http://www.securityfocus.com/archive/1/522835/30/0/threaded - -- Disclosure Timeline: 2012-01-12 - Vulnerability reported to vendor 2012-08-22 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * gwslabs.com - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUDUIMlVtgMGTo1scAQK98wgAsKmpy4IJxT81PxljMF0hSaNjRfb5GXRQ +JVbiwJ7pv2U+etzyI4l5ATcyMOECu9f3qEg5PCLev+/mxZl+lrprhCL31venm/+ 95v739FNRxQPFzTG9VZC2LX11AO1iIJpBhuY4JzyPpd9fB/MX9/vSHvYeytoiHOf 2yXvXlOzv8KDdGfqlYrhoOpv2DU8OBYGfPLiyDJ1VyJFKtvKypyLj79E2l05mIe/ etoUr4umb6P6maRuaXXObYI/NQkKjVv80kWqnjNix0ihsu3gIYy/Hgwh6g5f6ITo jbuHXfyo8m9TqbWQyEUVg0gPypT3wwhi3wL+r50yhMsK7TMb0rPUPw== =o9V2 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-159 : EMC AutoStart ftAgent Opcode 0x14 Subcode 0x7e7 Parsing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-159 : EMC AutoStart ftAgent Opcode 0x14 Subcode 0x7e7 Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-159 August 22, 2012 - -- CVE ID: CVE-2012-0409 - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: EMC - -- Affected Products: EMC AutoStart - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12435. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the EMC Autostart ftAgent, which is deployed on machines managed by EMC Autostart by default. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing routines for op-codes used by EMC Autostart ftAgent's proprietary network protocol. This ftAgent.exe service listens on TCP port 8045, and performs arithmetic for memory size calculation using values read from the network without validation. This arithmetic is susceptible to integer overflow, causing the memory allocation to be undersized, ultimately allowing for heap-based memory corruption. An attacker can exploit this condition to gain remote code execution as user SYSTEM. - -- Vendor Response: EMC has issued an update to correct this vulnerability. More details can be found at: http://www.securityfocus.com/archive/1/522835/30/0/threaded - -- Disclosure Timeline: 2012-01-12 - Vulnerability reported to vendor 2012-08-22 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * gwslabs.com - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUDUH2lVtgMGTo1scAQJRHwf+PeDMLygaLFIeZMqsyQfm07umuVMqldmm HnUU5W4TcSDqx1MurHIOVyxN3oTYvLKdngPaxPY5h3Ef3khdA1zdvd9IWl2DH4d0 KS9J5iq5gqIX5S0FhfTSXbg8CYuBjhc9HSfQgtngVJbxw3qUW6OtqdoGd0IM9u3d F/aeCpdzqQ3guWSskRuAEMH+7rPa6E9MlypU8NHluIDiXw97RYwRzDxkB1zPMTVs DdZD6cqR5Ge8x6ZJzg2qFp6Cn5x+ClF/Fqo5PH4C81b3GsHMHgs9Xd47MUNQZbCX v5kEOCOdgcXOD/ZsQztX7a2A4z7qYTo1XxAW85RDyFyCV0HsFk+tFw== =H2sX -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-158 : Microsoft Internet Explorer MSADO CacheSize Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-158 : Microsoft Internet Explorer MSADO CacheSize Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-158 August 22, 2012 - -- CVE ID: CVE-2012-1891 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Microsoft - -- Affected Products: Microsoft Internet Explorer 9 - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10761. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the MSADO component. When handling the a user specified CacheSize property the process uses this value to calculate the 'real' cache size. This value is used without proper validation. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the browser. This bug is a failed fix for CVE-2011-0027 / http://www.zerodayinitiative.com/advisories/ZDI-11-002/ - -- Vendor Response: Microsoft has issued an update to correct this vulnerability. More details can be found at: http://technet.microsoft.com/en-us/security/bulletin/ms12-045 - -- Disclosure Timeline: 2012-02-13 - Vulnerability reported to vendor 2012-08-22 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Anonymous - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUDUHcVVtgMGTo1scAQILrgf/aH/JINoyJwdDIbMV5vsllkW6NktM1NPS ax9+zRYjY2UCS9JT+Q6iW7f0AQNFkuCLojff385mtrMvYrZiFbHbiUoFUiA2yUOF KWWe9nsVN9m8kbM4YUQ3l4e5HmEoyhPzt7z3wHSxE5bXiTR1Bnw07UguLA/M/xuY hJGJ1gngFztkUepQ6szAk3VDUlLGMx8gWBgIHbFfqQNMOb3pZWKtOl20Ov/eO567 PT1KNfAdMJtgEa7ypBpuF6PBbcHJDlLMfIfTlRAW5zn7KBaU/DvdjZdKD4+A6IvV K8SMLB8j/AzsQ7ZVjO2CnwYe9uuqn4/NV5TUugCm4BNUIGLQJD6qBA== =uvhX -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-157 : Microsoft Excel Series Record Parsing Type Mismatch Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-157 : Microsoft Excel Series Record Parsing Type Mismatch Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-157 August 22, 2012 - -- CVE ID: CVE-2012-1847 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Microsoft - -- Affected Products: Microsoft Office - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12480. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office Excel. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of Series records. The code within Excel.exe makes an assumption about the data types within a Series record and can be made to write beyond the bounds of a heap buffer when a specific combination of fields are set to unexpected values. This corruption can be leveraged to achieve code execution under the context of the user running the application. - -- Vendor Response: Microsoft has issued an update to correct this vulnerability. More details can be found at: https://technet.microsoft.com/en-us/security/bulletin/MS12-030 - -- Disclosure Timeline: 2012-01-24 - Vulnerability reported to vendor 2012-08-22 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Anonymous - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUDUHFVVtgMGTo1scAQK15AgAu3BVJgeZ1k05EDhgIEWYc3BvPIDuNzDt /pjNllZN0PAgZUaiFyCQhc0MLvMkv5qD+PI04XcgfbTiaPj6KEtJY+Ip3tI5ZVnq p1NTlifNcqm4HfjdpCpRi8xQs+AzEvod4oUu43xOk6/kW36SrbsI+dUE3CvZAKNp G6pDTZVx0EPP9GMdZZP/QUI/Bvj9czjn2S9wd9ChHr/qRjarasfNRMnd4zt1532l YoaWvU/4ApKLY/A8LdvyOD0/SUYTqee+fNURJ0FLPEradoo4MR5qcYHriWA1tUby 6W924jCgbilJ3HduRaWF8Kk02bejmnGblhgZN4DJBRulEsgeut6yhQ== =ePd5 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-156 : Cisco AnyConnect VPN Client Arbitrary Program Instantiation Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-156 : Cisco AnyConnect VPN Client Arbitrary Program Instantiation Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-156 August 22, 2012 - -- CVE ID: CVE-2012-2493 - -- CVSS: 9, AV:N/AC:L/Au:N/C:P/I:P/A:C - -- Affected Vendors: Cisco - -- Affected Products: Cisco AnyConnect VPN Client - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Cisco AnyConnect VPN Client. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists due to insufficient signature checks with the Cisco AnyConnect VPN Client. When the client is invoked through the ActiveX control it downloads and checks a file called vpndownloader.exe. This file has to be properly signed by Cisco. Once this file is downloaded it is run and downloads additional configuration files. Within the downloaded config file it is possible to force a download of executable files. Those files are not properly checked for valid certificates and are run on the host as soon as they are downloaded. - -- Vendor Response: Cisco has issued an update to correct this vulnerability. More details can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco - -sa-20120620-ac - -- Disclosure Timeline: 2011-11-22 - Vulnerability reported to vendor 2012-08-22 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * gwslabs.com - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUDUGKFVtgMGTo1scAQJBPAf9H07i4XSMxk4rQiyN2q+nbl3EtBX0Rl1e xAplYDC/F+HWp0ZZGEQC+PDyvkkgMqlOpYVNcgZr7jHfxH82Aon4cWY02qb5C5mZ HJZbQkd0tvIUANGrOC860lPgHXkQQEroOdwSXAC+AM/11UN+3wDPdM/FSXEnzndT mQxcSgj7e5TzubW6A9NI0iHj8v+Ci38hPxC2r0JbmR3VKcbcBHqfV9By5PYDogGx Hgq87lolCGF/+DG6JP9e6zeYtPPntpq0SPHNZ77Ew5Vr/9cARf0iZn41auS20pgW j0hZC4YsC5nsQwYkns7jYO3nf6e9Jq69k3BjdudkbVe7zgb3/986Jg== =pj7G -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-155 : InduSoft Thin Client ISSymbol InternationalOrder Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-155 : InduSoft Thin Client ISSymbol InternationalOrder Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-155 August 22, 2012 - -- CVE ID: CVE-2011-0340 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Indusoft - -- Affected Products: Indusoft WebStudio - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12505. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Indusoft Thin Client. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within ISSymbol.ocx ActiveX component. When an overly large string is passed as the 'InternationalOrder' parameter, a heap overflow occurs. This vulnerability can be leveraged to execute code under the context of the user running the browser. - -- Vendor Response: Indusoft has issued an update to correct this vulnerability. More details can be found at: http://www.indusoft.com/hotfixes/hotfixes.php - -- Disclosure Timeline: 2011-10-28 - Vulnerability reported to vendor 2012-08-22 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Alexander Gavrun - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUDUFHFVtgMGTo1scAQJ1Twf8C0MRiovFv7JVpAgg+lOYT3HW7MYdUKAx /I+4hvkGyeKKCCkvIOkx0y7eSdwp4paxVZAd0WYTfsG0K1h+bBngt6m+3Nicx0Iq YuqyOluJTW4ymXUSwvX8MZ39709DQXEl5yp9JvIX+Dc4WY7TKauGYKIfbb/VRMQq VYgQPhnlv8laGORlVREpu+yrOPdYLbQSucewpaLXd4b8uw1+Kmurjepiil5vxqPD G3fD23i1jGrbg6aX0AlvECo1M12alERft7wjtI21D7VP7G3uBYwiAJ8jxutavMQY Yf5K6rzdbx+96MuFco7aYB49GBQDpMYvWeWur3YEv1GqR7bSotpO1Q== =Yxrq -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-154 : IBM Lotus Notes URL Command Injection Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-154 : IBM Lotus Notes URL Command Injection Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-154 August 22, 2012 - -- CVE ID: CVE-2012-2174 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: IBM - -- Affected Products: IBM Lotus Notes - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11839. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Lotus Notes. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within notes.exe. When handling URLs, it is possible to inject the -RPARAMS command line argument into the call to notes.exe, which will then launch rcplauncher.exe. Including the java -vm command will allow for the attacker to execute code under the context of the process. - -- Vendor Response: IBM has issued an update to correct this vulnerability. More details can be found at: http://www-304.ibm.com/support/docview.wss?uid=swg21598348 - -- Disclosure Timeline: 2011-12-22 - Vulnerability reported to vendor 2012-08-22 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Moritz Jodeit - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUDUEz1VtgMGTo1scAQJ/bggAqlRPPa/9m/PYcfpm1w/66uerv/HUV9m8 ZgBA6/EUsl83PNb3BeCgqJprCv3GM3J6knYTVO1RC5DDc5Z3f2XWN1gmZC9b7ZGj Fb6O+A710Yfw7VfUxsBfcNuobQreS5e8sV1Rr9YV+grWHzonObPyT6JSTYPb0Ldi IlnlILy6CDrFafmDW16l6yir5lBQ5TCdtstbPCO5A+IJT911KXo44fGuO5hc+1VQ 9Zy+L9By/onjFA9AdH/WH62lp0NmUkDJX0yydlnNNlOEEF0fnBqNBPxQSnMWr5Cl 6THwlcLwGYFm/bSHh7D7F3BOpspWh/VuulRvNnkSEZxNS+xnrj3Hcg== =gM97 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-153 : Apple QuickTime sean Atom Size Parsing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-153 : Apple QuickTime sean Atom Size Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-153 August 22, 2012 - -- CVE ID: CVE-2012-0670 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Apple - -- Affected Products: Apple QuickTime - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12490. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within Quicktime.qts when parsing the 'sean' atom. The size specified in the atom's header is added to 0x0C and subsequently allocated. File data is then copied into that buffer along with a series of nulls. If the buffer is undersized, the copy operation can be made to corrupt adjacent memory. An attacker can leverage this vulnerability to execute code under the context of the process. - -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT5261 - -- Disclosure Timeline: 2012-01-24 - Vulnerability reported to vendor 2012-08-22 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Tom Gallagher (Microsoft) & Paul Bates (Microsoft) - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUDUEaFVtgMGTo1scAQL/SAf+KSHektXotMcLnoBVBgoSwELmbpz/kbns U6TQUmdFvIFBIgz4M+mu/rqgNOSoEMv3ZTtDET+8WHGkV8Ue7WOF+N11WVBh8E18 Kd37zjq2C8CJjiz6yynpRLDjLXCfwcUm9LHu1f4Z8bw7sDOKlGnVJhWoc7k0OqS5 FHC3stUuQ7Hcq1knDmVmM2v6MAWLzSqC+KwL1UpWZJdc8hYqTUZqoDrENs7CedZX adrPF4UmZfAocY/tcorpu/on4XZhsOn5cEY/k8HUNyCxNGda8+cgir4Cx4SOrqp8 Xy1cYMOoAP+vC4nglhNypc5+bRzrwAZbeqK/lUmTBGL2BXev3ODy+A== =0qk0 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-152 : Oracle Outside In Excel MergeCells Record Parsing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-152 : Oracle Outside In Excel MergeCells Record Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-152 August 22, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Oracle - -- Affected Products: Oracle Outside In - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of applications that utilize Oracle's Outside In Technology. User interaction is required to exploit this vulnerability in that the target must visit open a malicious file. The specific flaw exists within the parsing of Excel files. When handling the MergeCells record, the process does not properly validate size values which can lead to an integer overflow. The resulting value is used to allocate a heap buffer which can be corrupted by an attacker to execute arbitrary code under the context of the application. - -- Vendor Response: Oracle has issued an update to correct this vulnerability. More details can be found at: http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html - -- Disclosure Timeline: 2011-12-19 - Vulnerability reported to vendor 2012-08-22 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * gwslabs.com - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUDUD/VVtgMGTo1scAQILXggAmofQAB8Ip0B0dCxsXYbH5dpfYsLpS9V4 iHoK4nOx11u3eFSp1Sj8qEYYAZjyvFRIoqQded48CfkAwThgeA+qJI1VCE3pGZx9 sMTyfifkmXawfwMjvPWHgkfZZX/NkyUxKbmWAXtkj4e8Q1Qs1Il1YjJsUpa6TYcZ Nzd7AZaae29mU2hr87kP0gF6i+n9cKc2sd5pyJlFN8Xe6abVKbdnZkewBjUr+MZX PE3hy4L93s6BEd1v1JKBH1wP/nF7lRPNCZd9HgwW/XNGimPAox0auW6LcgnpDLit yuj3zvpKCfWdBW46NTtyuJRV4z4kVmUF0tiu34xCbkl4ucOeYERFmQ== =E6Y8 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-151 : Oracle Outside In Excel File TxO Parsing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-151 : Oracle Outside In Excel File TxO Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-151 August 22, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Oracle - -- Affected Products: Oracle Outside In - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of products utilizing Oracle's Outside In Technology. User interaction is required to exploit this vulnerability in that the target must open a malicious file. The specific flaw exists within the library's parsing of Excel files. When handling the TxO record, the vseshr.dll module can be made to wrap an integer value when parsing a specific field. This can lead to an improper memory allocation that can be leveraged to corrupt the heap leading to arbitrary code execution under the context of the user running the application. - -- Vendor Response: Oracle has issued an update to correct this vulnerability. More details can be found at: http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html - -- Disclosure Timeline: 2011-12-19 - Vulnerability reported to vendor 2012-08-22 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * gwlabs.com - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUDUB+VVtgMGTo1scAQJ/ywf8DysZiLoNwtue/qI/tzrADTRmeO8Nj+bi 7mzBQ5Q0GzeSHiSP9VNE3A5YkxU+x4o1rQcSiuYZ0CzXiMGzLuBbqW7+I9CFpd2F +p+ncbqET709djyMBE2zAveLTM4qkPF0FAZia3jJ26ciTUxX+4PNHM1knVC+INiu gb8cn17sIdzzbn/FMBFQ05Y2eDCc7gv10yloEGO8SwzUelxV44O+XT3GfIScDjFm AUw5DdZTI6vT35cVxpFSEy1as4YVCCFGVv8GUxRPJuWqkR7UyroKPm5VVaH/nssk yMk7tbGDjyxsKE5WRfWZ1VlFLhQ6nAwsecUl+ajmh4EKBpy4qPI1AA== =5glj -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-150 : Oracle Outside In XPM Processing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-150 : Oracle Outside In XPM Processing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-150 August 22, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Oracle - -- Affected Products: Oracle Outside In - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable products utilizing the Oracle Outside In Technology. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of XPM files. When parsing the chars_per_pixel element the code within vsgdsf.dll does not validate that the data can fit within a stack buffer prior to copying it. This can be leveraged by a remote attacker to execute code under the context of the user running the application. - -- Vendor Response: Oracle has issued an update to correct this vulnerability. More details can be found at: http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html - -- Disclosure Timeline: 2011-12-19 - Vulnerability reported to vendor 2012-08-22 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * gwslabs.com - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUDT/m1VtgMGTo1scAQLebAf/ZlDMinlSupdB+BuDP4iDXnYqD4NZagPZ FhEmo8zBp/DYQtwbvVjsYnza6M51zIiZoVzxR1QvJY8tKoK5k57yVs9euTBm+80t wQbJ/5lV/7gy/oZFT7ekRziNibOIhw5DHMiOQNHAgLTQ7UuWYnbkDoKNvtqHuVfZ LZTvc/R6bNPCCO8nNDkX52xXQ1uswSHGL8/SF+4TF2bQuI0sDFGDsivTw08eVA97 csXe9VEksYeOt8L+huuIduLwN/iV53pBArnfSiA6lbETG4h9NvIIFvqrlV+/NIr/ K++wcOACaJSwf0qjNvyTtO6Sn5iFLcY4t3VdEirlNv2gYpYkWevJ/g== =ZrDB -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-149 : Cisco AnyConnect VPN Client Verification Bypass Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-149 : Cisco AnyConnect VPN Client Verification Bypass Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-149 August 22, 2012 - -- CVE ID: CVE-2012-2494 - -- CVSS: 9, AV:N/AC:L/Au:N/C:P/I:P/A:C - -- Affected Vendors: Cisco - -- Affected Products: Cisco AnyConnect VPN Client - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Cisco AnyConnect VPN Client. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists because the VPN AnyConnect helper program does not check the version number of the vpndownloader.exe program it downloads. As such it is possible to forcefully install an older version of the vpndownloader.exe that is vulnerable to previously patched issues. - -- Vendor Response: Cisco has issued an update to correct this vulnerability. More details can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco- sa-20120620-ac - -- Disclosure Timeline: 2011-11-22 - Vulnerability reported to vendor 2012-08-22 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * gwslabs.com - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUDT/PFVtgMGTo1scAQLLzgf9HBKVYWR/BvvgxJa3/JvOrqcitJ3YJbtB w1mms3xSCBArm9xVo3FyeM4is6+94bG5v6gSD2Q774+1JP8eLsPSJgCGygL8qrxI jKKd2vpaIVEska4Q1yGBOaGh/Gbh6zoGOErL1KjbHD2nEG9olu8aKkMw+4JEPewe ZtL6XOAPZlPvpR9pG9nAxB4BqyhY10Hc+s35ovQIMQQO9S3GUR18GrVy+bXsQKpe nm6ovRLqHaSwq0hCHbHmhKwiCepqV+1KFy9aZSbCXU4VpiaO1N1llDB1L+o3g9bQ q9vBUrbuw4rJqb5hSdQSi+ZJylSVmuHTLo8tOHwXmJlK1lrs3lUiww== =8yO6 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-148 : GE Proficy Real-Time Information Portal Remote Interface Service Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-148 : GE Proficy Real-Time Information Portal Remote Interface Service Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-148 August 22, 2012 - -- CVE ID: CVE-2012-0232 - -- CVSS: 9.4, AV:N/AC:L/Au:N/C:C/I:C/A:N - -- Affected Vendors: GE - -- Affected Products: GE Proficy Real-Time Information Portal - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11491. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of GE Proficy Real-Time Information Portal. Authentication is not required to exploit this vulnerability. This specific flaw exists within the Remote Interface Service (rifsrvd.exe). The Remote Interface Service listens on TCP port 5159 by default. The process does not sufficiently validate two input strings that are used to create a configuration file on the server. Remote, unauthenticated attackers can exploit this vulnerability by sending malformed ID_SAVE_SRVC_CFG message packets to the target, which could ultimately lead to remote code execution under the context of the SYSTEM user. - -- Vendor Response: GE has issued an update to correct this vulnerability. More details can be found at: http://support.ge-ip.com/support/index?page=kbchannel&id=S:KB14768 - -- Disclosure Timeline: 2011-10-17 - Vulnerability reported to vendor 2012-08-22 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Luigi Auriemma - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUDT+zlVtgMGTo1scAQKDJAf/eocBDbik7+EJStiu8UIZ5cFL0Rh4dpl9 i+rz9uc/CcYUUfTthpX02GRclDb7PsuKrgxA1mj8a/1D21hfNPUMAVkKvgFDM02e oPBBv9Rn2i7w3KPpJ0NFsJHXP/yqeuP/D1ead+JoAPycFSToFmcm3ZZ8SXKHLLLH SWmqcf+SGRrvzjLrqZZceGpKJJhS7SSwLyhdT3XUKYeiQBcCsx2XgrhgMBR+uSDm 9KvvqU1tAPXUF6f2h+pIshwD5T/r6YkYFgBl7IkaqKV+e0QlurIa2lUOEajLTPVp jTksxLAx75ohmSpuII+MQXzqxgoc7FMCvF0Seh7NjtTamJiUL0v59Q== =2JFM -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-147 : WebKit ContentEditable swapInNode Use-After-Free Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-147 : WebKit ContentEditable swapInNode Use-After-Free Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-147 August 22, 2012 - -- CVE ID: CVE-2011-3897 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: WebKit.Org - -- Affected Products: WebKit.Org WebKit - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12492. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the WebKit library. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists when the library attempts to replace a particular element due to an HTML5 ContentEditable command. Due to the library not accommodating for DOM mutation events that can be made to occur, an aggressor can modify the tree out from underneath the library, leading to a type change. This can be used to trigger a use-after-free condition at which point can lead to code execution under the context of the application. - -- Vendor Response: WebKit.Org has issued an update to correct this vulnerability. More details can be found at: https://bugs.webkit.org/show_bug.cgi?id=71145 - -- Disclosure Timeline: 2011-10-28 - Vulnerability reported to vendor 2012-08-22 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * pa_kt / twitter.com/pa_kt - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUDT+WlVtgMGTo1scAQKAQwgAkQ8y6IcjxipRJq9js7H9tFuNBDftljEO KUT2IfmJSyIvBwf+vWWqiLNR52W+0YdkeCyKscNVyx3fqQXDF2Xd207b+4L9wXm0 zZKR9HiuYM84Ed1eWyHphrx8cr5qZdaUkRITmYUDhxce4hTsIrCjzXZ3+X+cZJY4 08kKu2U9AoKInGNRwwmxEd3kdxkG90fKzf45VPuOwjbHEVB17VROqbxW6FuC1eBR +IM3n5QyzAVVdGjNww1WagWNiWRvZE+mVL7kK4rQhcg3U6QPx74VcFsUweyomxKN BTwB8lXlppZDTTan20dhR3HJrxFSiUUWmMa3s/VLzCDnuVbHYPy8fw== =A7x+ -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-146 : Novell eDirectory RelativeToFullDN Parsing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-146 : Novell eDirectory RelativeToFullDN Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-146 August 22, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Novell - -- Affected Products: Novell eDirectory - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12472. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell eDirectory. Authentication is not required to exploit this vulnerability. The specific flaw exists within how the service handles a specially formatted LDAP request. When handling a particular set of commands, the server will copy a string described in the packet into a statically sized buffer without validating it's length. This leads to a stack-based overflow and as such can be exploited to achieve code execution under the context of the application. - -- Vendor Response: Novell has issued an update to correct this vulnerability. More details can be found at: http://www.novell.com/support/kb/doc.php?id=7009947 - -- Disclosure Timeline: 2011-10-28 - Vulnerability reported to vendor 2012-08-22 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Anonymous - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUDT9+1VtgMGTo1scAQLxEgf8DY6yr+EWRnYSftl5Gl77gGW1ie6lL+mf RLjgtttfk0/OfqGRL8slGml2HJQF/PG8t5yNROI+PcsTgaCFuyw7nyv5Uy8rEbG4 NRs+gpQe7lXxujZFNILS2To2jyZUqUve8tMHRt8x20zCSeUFKoHwdD861yTIL+9+ qNXP9ijkG4//bv8bMQYIuRVKnn8yA+v3r+mMjJB5oMwl4V8o2TyXY0apQe6h/O+u O8LuOhOiAJHbeXXRgbZBH42mbQDd5J7JZl1JjszLDOOAATKLILZZPDqIb3KfyAAE PxqToKwC3MEHbr+e39TOJ0ppzfvhtLUBcrlz5jL5AWLlKAIGXVvIcg== =2mou -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-145 : Symantec Endpoint Protection SemSvc.exe AgentServlet Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-145 : Symantec Endpoint Protection SemSvc.exe AgentServlet Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-145 August 22, 2012 - -- CVE ID: CVE-2012-0289 - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Symantec - -- Affected Products: Symantec Endpoint Protection - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Symantec Endpoint Protection. Authentication is not required to exploit this vulnerability. The specific flaw exists within SemSvc.exe which listens by default on TCP port 8443 (https). The SemSvc service exposes a servlet called 'AgentServlet" which allows remote users to activate certain tasks without prior authentication. In doing so, it is vulnerable to directory traversal attacks and arbitrary file deletion. When certain files are deleted, the eval() method will allow for executing user supplied commands. An attacker can leverage these vulnerabilities to execute code under the context of the SYSTEM. - -- Vendor Response: Symantec has issued an update to correct this vulnerability. More details can be found at: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se curity_advisory&pvid=security_advisory&year=2012&suid=20120522_01 - -- Disclosure Timeline: 2011-10-28 - Vulnerability reported to vendor 2012-08-22 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Andrea Micalizzi aka rgod - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUDT9g1VtgMGTo1scAQKg3Qf/dA9cUNwx8YswHs8L6NVK+TE5j3r55dVl oOKWMnPLfl2i4nnohn5StYe6aKcXE2cBnZM4laojomDqjF9Kr2B4dwnnmx5w84II 9tDxU7PlHZfxEPnXmTIJa8BHp0yXxZQ3/8EvTwy6xqm7YuYmr8UcRphL36biVe2d 2HcAzHkaFT+4vZj3cZ6FdhImFLHTixzS/zgqaJgteOe8g0gpl3fdg3zJPO7FVeRO kXdnEdN4tHvDeW4pzaC0QOZtZeqHgL/QTpImnw/IvxPq4wS1Fup2l4/SFn1wiVJR Qg8iiOufLKqyA722AB7f4QhYEuhJIaLwbzBKas8MysX7Aiab9XZ94Q== =3L/w -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-144 : EMC AutoStart ftAgent Opcode 0x4B Subcode 0x1D4C Parsing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-144 : EMC AutoStart ftAgent Opcode 0x4B Subcode 0x1D4C Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-144 August 17, 2012 - -- CVE ID: CVE-2012-0409 - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: EMC - -- Affected Products: EMC AutoStart - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12435. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the EMC Autostart ftAgent, which is deployed on machines managed by EMC Autostart by default. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing routines for op-codes used by EMC Autostart ftAgent's proprietary network protocol. This ftAgent.exe service listens on TCP port 8045, and performs arithmetic for memory size calculation using values read from the network without validation. This arithmetic is susceptible to integer overflow, causing the memory allocation to be undersized, ultimately allowing for heap-based memory corruption. An attacker can exploit this condition to gain remote code execution as user SYSTEM. - -- Vendor Response: EMC has issued an update to correct this vulnerability. More details can be found at: http://www.securityfocus.com/archive/1/522835/30/0/threaded - -- Disclosure Timeline: 2012-01-12 - Vulnerability reported to vendor 2012-08-17 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * gwslabs.com - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUC5m6VVtgMGTo1scAQIAxwgAnEKUMNwvzkNTkTKSvfyE5vQ22rS43kyf Ebv4REchciMQpVrE2lynPvWRiGRXi6fV43TvGuhCCELifJXjD0mG6K8T29g8KE+7 pbHDsY6dLGZ8fvUaZcpkIktvll8EiNQVa5a1XOzxfhLJIBQeChMu5Kn+skBleJOQ 1A3167kZ8FUP9Vlnt7lhntLF8fYNHMj7EbXknDnopxromjbz7tmrRXxWBDWKwmxT gQ0lsv6xN18rhZzYyr23DAf02pIGwHeYvkQL6vReRtJcCN4flAdQT81MhbZreHsE bpr43WuNjxhAbf3xSKNNBxo1jEXsrt0yO6H0gvYuN26+5E5EO4S1wA== =v+Y+ -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-143 : Microsoft Visio DWGDP MTEXT Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-143 : Microsoft Visio DWGDP MTEXT Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-143 August 17, 2012 - -- CVE ID: CVE-2012-1888 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Microsoft - -- Affected Products: Microsoft Office - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Visio. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within DWGDP.DLL, which is responsible for parsing DXF files. When processing MTEXT strings in the ENTITIES section of the DXF file, certain characters are sought after to end the string copy function. If these characters are not found, the copy function will continue to copy data outside of the stack buffer, causing memory corruption. An attacker can utilize this vulnerability to execute code under the context of the program. - -- Vendor Response: Microsoft has issued an update to correct this vulnerability. More details can be found at: http://technet.microsoft.com/en-us/security/bulletin/ms12-059 - -- Disclosure Timeline: 2012-03-14 - Vulnerability reported to vendor 2012-08-17 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Alexander Gavrun - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUC5mk1VtgMGTo1scAQKSBgf/YRs5XnJLZ/7YSWogWA7GyqVVVHgLHL98 bQnTS7y1KgQcWegcrT5zJwOBPd7oNypDE9Q+LAEzYKOD8ez3x5LDfq7qhwEw8hQu ECrUEnzeZeeXHl1/BiDTAJBmkZGIAuFBPKS1sawfVo1hV/IdGCEAtxwYlzEzRIj7 j6+u1pecg4IqwkJywbYM8DgyLV8LWy47twGmrdg6U36oUfv51Iye6qv2slL3iY+0 E2sUz50h1XtNgB1yb/xHbwIzjji515eUQxqXxmeJ5BE1H5yhqTPuYRjooXnn/4Tu IJoXZee8LxXlc+l1j4JCOv4eSpR090MADC4oBpXOCpR3hxzUCbWIHQ== =FJYp -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-142 : Oracle Java WebStart Browser Argument Injection Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-142 : Oracle Java WebStart Browser Argument Injection Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-142 August 17, 2012 - -- CVE ID: CVE-2012-1713 - -- CVSS: 9, AV:N/AC:L/Au:N/C:P/I:P/A:C - -- Affected Vendors: Oracle - -- Affected Products: Oracle Java Runtime - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the BasicService.showDocument Java Webstart function. This function allows additional parameters to be passed to the browser. Depending on which browser the user has set as default browser this could lead to remote code execution under the context of the current user. - -- Vendor Response: Oracle has issued an update to correct this vulnerability. More details can be found at: http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.ht ml - -- Disclosure Timeline: 2012-03-14 - Vulnerability reported to vendor 2012-08-17 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Chris Ries - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUC5loFVtgMGTo1scAQIcNwf/SkkJ16y4Npcp7jmNwqzluznqLyVCJwVT NueILgJCdMbA/RMIB8uZmuiaIgsUdEut5ryN4ytOj3axJfmj1gOl25pDFuTAkZQP YptYL/+XtU2mEXifJizPDtLceDyo2e7WDgixjbmFy50GzoiQb5Fc3D7e8ZebnAiQ T12jjKHu0ILQZrMew1wCTRvScogMLGONZ1J2Xa0yN9hQ5aeP1AzbzY8sTxg2FqNo 5HmX5dyVg/NDiZUO+HQkmjpWMJ4Nqe8wggOLKen12ByBkttW7RpKZuYb5qoUCtfu Hx0mdjViwOtI03DHsVolBV6fbdSPFFUhA/LHL0RSFJpgC6ayKJ+JfQ== =UqcN -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-141 : Microsoft .NET Framework Clipboard Unsafe Memory Access Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-141 : Microsoft .NET Framework Clipboard Unsafe Memory Access Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-141 August 17, 2012 - -- CVE ID: CVE-2012-1855 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Microsoft - -- Affected Products: Microsoft .NET - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the .NET Framework. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw exists within Microsoft .NET XAML Browser Application (XBAP) handling of Clipboard object data. It is possible to cause unsafe memory access within System.Windows.Forms.Clipboard, allowing an attacker to control the memory used by an object's native code. This unsafe access allows for control of a function pointer, which can be exploited to remotely execute code. In the case of Internet Explorer, execution of attacker code occurs outside of the Protected Mode sandbox. - -- Vendor Response: Microsoft has issued an update to correct this vulnerability. More details can be found at: http://technet.microsoft.com/en-us/security/bulletin/ms12-038 - -- Disclosure Timeline: 2012-01-12 - Vulnerability reported to vendor 2012-08-17 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Vitaliy Toropov - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUC5lTVVtgMGTo1scAQJQZgf/UA2bBcKNlJ/F1WN4HZ3/c9Qv/TJBSB5M h26DGtCuXtoKdb1l5pgyBQiuTY0rtbwQ5lUQvLooDifC+W6TVQOF+x3bqKpi4fcY LoJPgojumYsjesEdj46pVfATyFLHESpVULjL7eLyZqVLdoxp/k72G/zbk4ISzNHd C0kCYV0cVlq7S/xIE4fl6CXuEaHl09ymBVSnJBAeTuGtZaypu9ElOjSGUmnQ+Utv j/Q02w91hxPxo3cgnNc7isLzWbfA4Umcs0Q2Y019PYeSJyyhgXzSMxWYlvx685Zs cM6G/VALPUSDZ9i5Tr2PZwobkQIqsSmyVa5f3yWcoaRMlB9NJhTJBA== =IRHW -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-140 : McAfee SmartFilter Administration Server SFAdminSrv.exe JBoss RMI Remote Code Execution Vulnerabilty
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-140 : McAfee SmartFilter Administration Server SFAdminSrv.exe JBoss RMI Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-140 August 17, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: McAfee - -- Affected Products: McAfee Smart Filter - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of McAfee SmartFilter Administration Server. Authentication is not required to exploit this vulnerability. The flaw exists within the Remote Method Invocation (RMI) component which is exposed by SFAdminSrv.exe process. This process exposes various RMI services to TCP ports (JBoss RMI HTTPInvoker), 1098 (rmiactivation), 1099 (rmiregistry). Requests to these services are not authenticated and can be used to instantiate arbitrary classes or to upload and execute arbitrary archives. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the SYSTEM user. - -- Vendor Response: McAfee has issued an update to correct this vulnerability. More details can be found at: https://kc.mcafee.com/corporate/index?page=content&id=SB10029 - -- Disclosure Timeline: 2011-11-21 - Vulnerability reported to vendor 2012-08-17 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Andrea Micalizzi aka rgod - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUC5k81VtgMGTo1scAQLQCAf/VZ6RJ8FNo73pAoxCb1U0ZLIIxYXe2agX GypoOEoQpWB0nLoxwoWoqo8d4iZRSCP7aixOrBRUx4vYqBM+5VaUryFvEXjKoCXa wh5rWOGXj11xSgvWfp7vbLNwv1Sov7PkwPg8TmMsxtHZ0HG3s1YOqWJ4mZcYO5j8 ESwy+11EH0zP8SgThCAUE5ocZdNP1t2eWu3Td4uWuuvym9omo3BZaXAlioQgJMxI u8DkTOE/lVz6ARO+P6XMI6xciS2ZPzhE+k4Yh3Uw80RgGCk8yxNI9TeOPvwmF2C8 rSs1nc/Zd2974RF/CjWieKFqgdwiLFQO7vxlJ28OpbUapqeajRofEw== =XtKs -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-139 : SAP Crystal Reports crystalras.exe OBUnmarshal Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-139 : SAP Crystal Reports crystalras.exe OBUnmarshal Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-139 August 17, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: SAP - -- Affected Products: SAP Crystal Reports - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Crystal Reports. Authentication is not required to exploit this vulnerability. The flaw exists within the ebus-3-3-2-7.dll component which is used by the crystalras.exe service. This process listens on a random TCP port. When unmarshalling GIOP ORB encapsulated data the process invokes a memcpy constrained by a user controlled value. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the SYSTEM user. - -- Vendor Response: SAP has issued an update to correct this vulnerability. More details can be found at: https://service.sap.com/sap/support/notes/1662272 - -- Disclosure Timeline: 2011-11-21 - Vulnerability reported to vendor 2012-08-17 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * e6af8de8b1d4b2b6d5ba2610cbf9cd38 - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUC5kllVtgMGTo1scAQINwgf/UIOzUF6WsKUTTcSC+xflsBo/DCIV6i+G NMaoh/zAFEXihtINiVTOs1mp1/wY6RxcC33FkighgNJrXkvgvmKEoxnpi6GWkODY uTweHgvXCiOucEMLniGufC6xH7wmeIB8y1KSUS3LUbHYEUdRwz5u+wCIbWoft8cW cGYrAbwHcxntieTxDdQ1MexFj9do7Jn+J+RpI7aHyPc7XSN7IF7/9uQmtDS9oz47 8hYF+V0uZ0N3Xa/ilfDSANtMjqXV9ESDP02xXJjcrGcP974zfVF6TkItGjxVN7Rf Px5uvZycU2fNx6cjiGe7ud+zJIah4+0+uH33gRsPcQhbLsyapPfkyA== =rT/w -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-138 : SAP Business Objects Financial Consolidation CtAppReg.dll username Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-138 : SAP Business Objects Financial Consolidation CtAppReg.dll username Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-138 August 17, 2012 - -- CVE ID: - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: SAP - -- Affected Products: SAP Business Objects Financial Consolidation - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Business Objects Financial Consolidation. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within CtAppReg.dll. In the Check function, there is a vulnerability in the handling of the username parameter. If an overly long string is used as the username, it can overwrite heap memory. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the process. - -- Vendor Response: SAP has issued an update to correct this vulnerability. More details can be found at: https://service.sap.com/sap/support/notes/1685003 - -- Disclosure Timeline: 2011-11-04 - Vulnerability reported to vendor 2012-08-17 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Anonymous - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUC5kOlVtgMGTo1scAQJ1pQf/WgR/nzewWw16MtyPQWAaQQOccX2gDu0U HRlD42kLXc0ErH2rTjDMxEDAyCRg6axZ4/WAGYG+e/EqA+4E8myueAz1pQU3kcqX o3zcWfoN6Tv48K5Guhh8BUwkS6zB+MQflcR9EObHqSPlfpLFzhuBw4UE1eF3kU8q SobaxmDVVzxIwsCn8sP/KhSqOL0Ce5bJXWpD78O/zupBc/VfIQzdKIWGEnysXGCA LjQkAd0/5/2Qa38f+d9VYgyORGehqXFiBznU+oskpKt8/OxifJJj/W6t1u79OOjC XPdLd8rHYOqxArNhv3+RgZx6bIiC1yQUjIFsvYzQ1WDzrbFETMoC8w== =4HKl -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-137 : Apple Mac OS X libsecurity_cdsa_plugin Malloc Integer Truncation Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-137 : Apple Mac OS X libsecurity_cdsa_plugin Malloc Integer Truncation Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-137 August 17, 2012 - -- CVE ID: CVE-2012-0651 - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Apple - -- Affected Products: Apple OS X - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Mac OSX. Authentication is not required to exploit this vulnerability. The flaw exists within the libsecurity_cdsa_plugin which implements routines defined in libsecurity_cssm. The library defines an allocation routine as having an argument type uint32. The implemented methods in the cdsa_plugin accept parameter having type size_t, this value is truncated from 64 bits to 32 bits when being passed to the library routine. This can lead to an underallocated memory region and ultimately a write out of bounds. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the process. - -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT1222 - -- Disclosure Timeline: 2011-11-29 - Vulnerability reported to vendor 2012-08-17 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * aazubel - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUC5j51VtgMGTo1scAQJVbAf/eZ0SlfaZYtTyV0Iy6YUeeOD9mcRc3pHU 2A1qvoQryl5xDHvLh+m/iZZ+a3oQb8AtqWwRfZb4qpXA3cXIbd+qOtCU3yYX3oso 5h9Ag8iAbn79P+tMoWu0d6iwJIuw4RHMeoNtSnQ+Lzl8lwfJo7OItIaoXKEgiydS jTv69en5X65Fni0ofsXvKrZ4lu/PBZahhegy1Jd/5LmGCLTp6hRlhlhjmSD2CPBg yBYfQy844mfupGBSkgkUsjCt8kMJn0iDwW+NldfRGkxKUynoxCMV4C0shXe7lkfs x8ZDEe/7xy6R7+Qk/PBusKfBwWUfV2ns03EUTpgibKQxa+4wsu0uGw== =nb/B -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-136 : Apple QuickTime Invalid Public Movie Atom Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-136 : Apple QuickTime Invalid Public Movie Atom Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-136 August 17, 2012 - -- CVE ID: CVE-2011-3220 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Apple - -- Affected Products: Apple QuickTime - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple's QuickTime player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within how the application handles a malformed atom type when playing a movie encoded with uncompressed audio. When decoding the audio sample the application will use a 16-bit length for allocating a buffer, and a different one for initializing it. This can cause memory corruption which can lead to code execution under the context of the application. - -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT1222 - -- Disclosure Timeline: 2011-11-29 - Vulnerability reported to vendor 2012-08-17 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Luigi Auriemma - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUC5jalVtgMGTo1scAQLuNAf9H19sAiyxk8pcZQF5mIIUgYOgmDYL//oC 3OJ5DoKa5/b6haVHagBOluLMP7epMRLH+9m2keVtbA8TN0/BGJV1W7sQh/rj6Hyg 4hP95wuXU0lEMLwHqm1df3BIrlWcahiA47xsPCntim9qdMchrEKurI8koOCCT+k9 9q6AWe5MpZNuGROSiOStBs+YCftZzjdGVyOx+1hJdH+XRBLlOZ438yMnJTB0y9BM jo3ifV9OwOb3mMlkMOgVmSgvZVzSDkRPVS3ubuGcH+BY53ynbx7XwrmjbxZPvQIM aNYov87jOUVQIS09/AN4yNqStb/ZQbFmpx6KaocJHmPBteA0tlToPA== =sqAI -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-135 : Apple QuickTime JPEG2k Sample Size Atom Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-135 : Apple QuickTime JPEG2k Sample Size Atom Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-135 August 3, 2012 - -- CVE ID: CVE-2012-0661 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Apple - -- Affected Products: Apple QuickTime - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way Apple QuickTime handles movies with the jpeg2k codec. When the size for a sample defined in the stsz atom is too big the QuickTime player fails to allocate the required memory for that sample. A pointer to the previous sample data still exists after the previous sample got freed. This pointer normally gets updated to point to the current sample data, but this does not happen when the allocation fails. The QuickTime player then re-uses the stale pointer and a use-after-free situation occurs. This can lead to remote code execution under that context of the current process. - -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT1222 - -- Disclosure Timeline: 2011-11-29 - Vulnerability reported to vendor 2012-08-03 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Damian Put - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUBwsnlVtgMGTo1scAQKEnwf9GAYOfc9ZSFXF6Im/trySm24x08qSirsT 8BFtEPk/7Sn6rBT5ml/kQx4XAmJCKfHz9vyYzmj5m9FF2xrdh2YPHOapkLI3yg4K JSoGfeHUP3nzVTAWUp+jXj3+OoM0XBA8illhCfGyOTe7juSV5T3BSXCIkOPdkWoD vw/tm811JUm9i7ek2eQyd8HM4WfI+PcdcSBwFLmzF6y0voV7Q/DSwwZ3D/Wof/bF KjprrQn5soKuxMeDt7F6x49L65SDeozdZLiBVk44USeykYWWATheF39WudQ2t+Mi 90sgcExl0hPpMz3eHKpFJ//KloamgJLnSTqPdmIM6Xs0BPrSLlqing== =sIB5 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-134 : IBM Lotus Quickr QP2 ActiveX _Times Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-134 : IBM Lotus Quickr QP2 ActiveX _Times Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-134 August 3, 2012 - -- CVE ID: CVE-2012-2176 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: IBM - -- Affected Products: IBM Lotus Quickr - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Lotus Quickr. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the QP2.cab ActiveX control. When passing a long string argument to the Attachment_Times or Import_Times parameters during the control's instantiation it is possible to overflow a stack buffer causing memory corruption. This can be leveraged by an attacker to execute code under the context of the user running the browser. - -- Vendor Response: IBM has issued an update to correct this vulnerability. More details can be found at: http://www-01.ibm.com/support/docview.wss?uid=swg21596191 - -- Disclosure Timeline: 2011-11-29 - Vulnerability reported to vendor 2012-08-03 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Gaurav Baruah of eSecForte Technologies Pvt. Ltd - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUBwsSVVtgMGTo1scAQL/egf/QwYro6VmqvYm9h0AX3jOHnbmH4zo5dC1 ld+ILONNZW7IFGo7j/Gsp2IeNEJcbZeNcuPTjhAIbm3ky4kQJsRzXJp6d6B0BHRD eHgHbSqTpLmvX0F3J0xQMC2jDaPnvHUVJ+ExTQVQMKnOTPwtvn4kWoDwoQypoQRz 5/32ZZkGwzat23/QOY0gj6+maalukgvmb+2pXsMxLJIKRCP2qyvWoJQh7D0IJ+Og CXHfOam5T1SqavZgCFEBEGZc093MgIc2jZviRApZezUW29ckwpoktCGqzTQi+qbq jTW43jsp77Fwj2ZeG6xBVYwRa3t2nxR5MPWT6j0H+Co4vVei/a3Nqg== =IGE9 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-132 : IBM Lotus iNotes dwa85W ActiveX Attachment_Times Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-132 : IBM Lotus iNotes dwa85W ActiveX Attachment_Times Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-132 August 3, 2012 - -- CVE ID: CVE-2012-2175 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: IBM - -- Affected Products: IBM Lotues iNotes - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Lotus iNotes. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the dwa85W.cab ActiveX control. When passing a long string argument to the Attachment_Times parameter during the control instantiation it is possible to overflow a stack buffer causing memory corruption. This can be leveraged by an attacker to execute code under the context of the user running the browser. - -- Vendor Response: IBM has issued an update to correct this vulnerability. More details can be found at: http://www-304.ibm.com/support/docview.wss?uid=swg21596862 - -- Disclosure Timeline: 2011-12-07 - Vulnerability reported to vendor 2012-08-03 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Gaurav Baruah of eSecForte Technologies Pvt. Ltd - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUBwrkVVtgMGTo1scAQLDoAf+IZ1F4hevyOm+7M8TYeEdzc6E/dBa3TG4 5INgrgsCo6dr1xasyofkFx0k2Svv102GOwcxPMNY+joIz0EXUK94Ky2SKEzya9Lu owePlf45Lv87dOxJFlWuuqKQb3KIKAnD27fVn5rD2hO/Jv/e14+wof0iOA9ttIKP klINomKgNetXHSlXtj+5t/euOUA5YGfvfL9mfTdss/ZG92M1zsdxx95Mr08Lk4xX DJPErUq/2IajpCEH5LXVWStUyDO/XvkytLA+XG5DxXWUmavqwcsohDu1faYCje9O s0ta/smSKccMCazFEfsZX/0GAsvSjdZ7CkpR7EJvHajfzx27lOM8BA== =VJ4A -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-133 : GE Proficy Historian ihDataArchiver.exe Multiple Opcode Parsing Remote Code Execution Vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-133 : GE Proficy Historian ihDataArchiver.exe Multiple Opcode Parsing Remote Code Execution Vulnerabilities http://www.zerodayinitiative.com/advisories/ZDI-12-133 August 3, 2012 - -- CVE ID: CVE-2012-0229 - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: GE - -- Affected Products: GE Proficy Historian ihDataArchiver - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of GE iFix. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ihDataArchiver.exe process which listens by default on TCP port 14000. Several errors are present in the code responsible for parsing data from the network. By providing malformed data for opcodes 6, 7, 8, 10, and 12 the process can be made to corrupt memory which can lead to arbitrary code execution in the context of the user running the service. - -- Vendor Response: GE has issued an update to correct this vulnerability. More details can be found at: http://support.ge-ip.com/support/index?page=kbchannel&id=S:KB14767 - -- Disclosure Timeline: 2011-10-17 - Vulnerability reported to vendor 2012-08-03 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Luigi Auriemma - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUBwr11VtgMGTo1scAQLJgQf/ch8WS423yg6HqmDf02bbhylP979o5mVq k6XN4d0u0bl6oa74wadnd0ch1iZE70b9icervXe2IEdaZEQenQ9nOYBGdXg+/Sr7 V5qOvm+gOUT3kta9ogW8RLO5gZnMjA0MnY68laphjuTFqVaz0w24D+NjrxflR0IL WT0s2ct0S6L5MvVYQWYse/dLqr3KGuY1YaTkDfALwjXXDRv9UYf+4QMgDD2Jw0+f qRqlTUhe8iEdju/mstYLNsZ6g4plUFvs9piBmZG82K5NsxZjyX8GHuWv48siQbUP hlreFBPJ89cvqVX9ap+5AlioJkWPg8bGuK80jpStIJFYjy6aY4u13Q== =L3hq -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-131 : Microsoft .NET Framework Undersized Glyph Buffer Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-131 : Microsoft .NET Framework Undersized Glyph Buffer Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-131 August 3, 2012 - -- CVE ID: CVE-2012-0162 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Microsoft - -- Affected Products: Microsoft .NET - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the .NET Framework. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within Microsoft .NET handling of XAML Browser Applications (XBAP) graphics components. It is possible to cause an undersized allocation for a buffer which is populated with user-supplied glyph data, resulting in memory corruption which can be leveraged to remotely execute code. - -- Vendor Response: Microsoft has issued an update to correct this vulnerability. More details can be found at: http://technet.microsoft.com/en-us/security/bulletin/ms12-034 - -- Disclosure Timeline: 2011-12-07 - Vulnerability reported to vendor 2012-08-03 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Vitaliy Toropov - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUBwrLlVtgMGTo1scAQL3jAf/U9T6mxWrH5pqT77gThXFsNAKdT0hqVV7 bqMapoc0minh05LMm9wm7m5kkZIO57U6RlnRdm81cvI3j4OUHbWPX34SFAxu2xgS fGHgwoZsGyTruR32VDqp1ZuJsN3qKc7ydk7KXt0E/HX57hBK6TCN25Cyiivj7Pmy uux8k0+TZ/L3/ZryhRLololNOMKZ6hXwNXjFCzNhfWQLUT6JWrIlYUycxxge5ICQ f4ZEy2qMypRf9yj6FyqTS0WiIEg5FtTl6jk2agswHO3FN+8lM1R8pSHLNve/FAOr UNPruwZ9bRlIe28mEH60dXciRPVxYTcj9suY1ejfGRq2JvxkrWA5Uw== =VUCP -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-130 : Apple QuickTime Player MP4A Uninitialized Pointer Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-130 : Apple QuickTime Player MP4A Uninitialized Pointer Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-130 August 3, 2012 - -- CVE ID: CVE-2011-3458 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Apple - -- Affected Products: Apple QuickTime - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within how the application parses a header containing codec-specific data. When handling an error case, the application will forget to initialize a pointer which will later be used in a memory operation. This can lead to code execution under the context of the application. - -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT1222 - -- Disclosure Timeline: 2011-10-21 - Vulnerability reported to vendor 2012-08-03 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Luigi Auriemma * pa_kt / twitter.com/pa_kt / e1c14ba6 - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUBwq1FVtgMGTo1scAQLLhQf+Iorsy2Bs4oNOD3aHooXgTpiWxfqEjWBe UZXlPFpe4k8oOIZI6Dqt9hEZlvRELXCgIvcbQq5HMDviszmu39H+z+4Dl5bgzzFX edTpZEvI2L1TYdqplxhaT+x5qNwY3ezaSm2gRcE8fCHsSyTrLWWDFhOu+1zAZmXb wa957fwQedLDAgBH6dxEMhQd6wp8W8LGHNirwKgfKSDLBwjN0u7MDP9rK6uRvLts Vv3z8GApNmY/1cuBjivf4eRHQGZbTTpLg6tDc31OEhfCT3sf+fkQvCT5zmHkujoq NzkGpDWgzDt1q+2whej02233e6hAYh7tIKMQFrV3NvItPHGx3s3LeQ== =iQAP -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-129 : Microsoft Windows TrueType Font Parsing Remote Code Execution Vulnerability (Remote Kernel)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-129 : Microsoft Windows TrueType Font Parsing Remote Code Execution Vulnerability (Remote Kernel) http://www.zerodayinitiative.com/advisories/ZDI-12-129 August 3, 2012 - -- CVE ID: CVE-2012-0159 - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Microsoft - -- Affected Products: Microsoft Windows XP SP3 Microsoft Windows Vista Microsoft Windows 7 - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code from the contact of kernelspace on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the kernel's support for TrueType font parsing of compound glyphs. A sign extension error exists in win32k.sys when processing compound glyphs having a total number of contours above 0x7FFF. This can be exploited to corrupt kernel heap memory placed below the space allocated for the "flags" buffer and potentially execute arbitrary code in kernel space. - -- Vendor Response: Microsoft has issued an update to correct this vulnerability. More details can be found at: http://technet.microsoft.com/en-us/security/bulletin/ms12-039 - -- Disclosure Timeline: 2011-11-04 - Vulnerability reported to vendor 2012-08-03 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Alin Rad Pop (binaryproof) - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUBwqM1VtgMGTo1scAQKiCgf/d6FeYgGgRzwbN+PfzCyA7jU2TMEZzomm sCTQAOD+hpQGzwGk/gsZtbvh0NqzFtfoQ968pyrNHpA+x8B0ORry2C9v351Spz5E hnqxeOUd7IFnrjxcGLBMDBwFGVWeyTJTpT9oEW+sXNnDNy/Dcjok7LWlI+M4cvKa fB9XE7yT+qST/HLjYezvc8iazrJOxqeh4YYflrST7cCmAzqojcXSpZXYZxqgliuU OChxDT2QpWOyyY6y6dQKE/nVtC5kHT61sNjCVURtTSzPuZgjv6fbOqCrUW8OsOwC EzYTDrMpeWMP5FwzfnICPTK9nWp/hsHuV/BunebzjExdwrFu00u2jg== =bMzV -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-128 : Mozilla Firefox nsHTMLSelectElement Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-128 : Mozilla Firefox nsHTMLSelectElement Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-128 August 3, 2012 - -- CVE ID: CVE-2011-3671 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Mozilla - -- Affected Products: Mozilla Firefox - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12460. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within nsINode::ReplaceOrInsertBefore() in content/base/src/nsGenericElement.cpp. A use-after-free condition can be triggered by adding an already parented option element to an option collection and then removing its associated select element during an event handler execution. Successful exploitation of this vulnerability will lead to code execution in the context of the browser. - -- Vendor Response: Mozilla has issued an update to correct this vulnerability. More details can be found at: https://bugzilla.mozilla.org/show_bug.cgi?id=335998 - -- Disclosure Timeline: 2011-12-07 - Vulnerability reported to vendor 2012-08-03 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * regenrecht - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUBwnsVVtgMGTo1scAQIaWQf7BZ+Yc7GrNbsgyzXp2W3Uqu94N4Vwfxy0 zF6u1dZwhM6jaCEBMvgzhJSvtwxnj8oGZ8f1yx/MkC8idp7D8jMx/+whpUsZMTDi Rl1tTWpgiaZLc2voPUddM3cmciwxHq7lBVcxecDp3yk2JXAC8eNXlhs6bhhTT4Sq Iw7IoDjWoYxEEQh6ghcU+QA51BYhhVyP/DzMlUBpyLCwxlo1jgJ30xSyFWeNkUmi e/tqTSIBbxCLs2lCpnRNc6JJgSx0617Gv/I7wagKH65FdPLTrGgGZEd1o5n251UL umFB7kR7xBRmJcsaElQzuwad8yU/xARuch6hJVf4XMMJ2HdOC7zJqg== =zVBZ -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-127 : (0Day) HP StorageWorks File Migration Agent RsaFTP.dll Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-127 : (0Day) HP StorageWorks File Migration Agent RsaFTP.dll Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-127 July 18, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Hewlett-Packard - -- Affected Products: Hewlett-Packard StorageWorks - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11980. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP StorageWorks File Migration Agent. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HsmCfgSvc.exe service which listens by default on TCP port 9111. When processing FTP archives the process does not properly validate the size of the root path specified and proceeds to copy the string into a fixed-length buffer on the stack. This can be exploited to execute arbitrary remote code under the context of the running service. - -- Vendor Response: Hewlett-Packard states: The overall design of the File Migration Agent (FMA) assumes it runs as an application on a Windows server. Given the stated purpose of FMA, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the HP StorageWorks File Migration Agent should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles. - -- Disclosure Timeline: 2011-04-11 - Vulnerability reported to vendor 2012-07-18 - 0-Day advisory release - -- Credit: This vulnerability was discovered by: * AbdulAziz Hariri - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUAch11VtgMGTo1scAQI4tgf/TvzF7WYWTvUBbsmAW+9Z29M+RCnGhotX 2j3Q1aV+yfTQqGDkpgRxgv2O44iMiVEDuivykmtSklgyIQY/+EX+O/HoH5kcIpwj pXMuk6NgE4QPuAmB4zOl0HqQG6XHx11ARLny87w0YTbxoBD1wY3QaDJgiMDERgKj Cl2p7NhHL2d0pygVdAwAnR7npAVKw0XU+JivLSuOa86JVV+S92Z9ghl0vAUOpm0W ltpS6evJXjSGgaB+2lluDxsJ62RLQbfOe5yTuZJeGdRXchlj9ZhudaiH50HSGtFS Bwyon3JMABl4yxlA3nqZol5krwzUrMEIUBRwEteOWmNz65xVbA== =9p95 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-126 : (0 day) HP StorageWorks File Migration Agent RsaCIFS.dll Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-126 : (0 day) HP StorageWorks File Migration Agent RsaCIFS.dll Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-126 July 18, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Hewlett-Packard - -- Affected Products: Hewlett-Packard StorageWorks - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12455. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP StorageWorks File Migration Agent. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HsmCfgSvc.exe service which listens by default on TCP port 9111. When processing CIFS archives the process does not properly validate the size of the archive name and proceeds to copy the string into a fixed-length buffer on the stack. This can be exploited to execute arbitrary remote code under the context of the running service. - -- Vendor Response: Hewlett-Packard states: The overall design of the File Migration Agent (FMA) assumes it runs as an application on a Windows server. Given the stated purpose of FMA, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the HP StorageWorks File Migration Agent should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles. - -- Disclosure Timeline: 2011-04-11 - Vulnerability reported to vendor 2012-07-18 - 0-Day advisory released - -- Credit: This vulnerability was discovered by: * AbdulAziz Hariri - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBUAcgc1VtgMGTo1scAQJnNQf/eoP1MhV/r6rMOagx7Vvbitd6oUOwF8Ic 4OdBpfRb5gJuybjzPWt1dYbzynvNcnzgNnWUcIIkYNG3cAS+dlHm8scrXkoFdEXR r6QsQTMN5KkpGUZn9z5k4fWQbS1KybAS2VUycxS3LYhNY2YnpPkXHhhWTELuDJBK z6XFv6rD/ZWxEanpFOUb1kPFkapl7S2wY+DA6GOn/2tUPTpjevjBdtNhCsegUBRt HG6KQeWcvSsiSfYXiMCBCtIuO4YzddS18N365HS+xfLYnNISHQqHu5Q2H4AZOPm1 VEXQC+V3OTRUGSxSpgd0imwvpYrmenrOhQIWDd9kE6qV5N19r6HJ+w== =AVh6 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-125: Apple Quicktime QTPlugin SetLanguage Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-125: Apple Quicktime QTPlugin SetLanguage Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-125 July 12, 2012 - -- CVE ID: CVE-2012-0666 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Apple - -- Affected Products: Apple QuickTime - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12440. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Quicktime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within Quicktime.qts. The stack buffer overflow occurs as a result of an unbounded string copy function in Quicktime.qts, reachable through the IQTPluginControl::SetLanguage COM method exposed by the COM object QTPlugin.ocx. This vulnerability can be leveraged to execute code under the context of the user. - -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT1222 - -- Disclosure Timeline: 2011-10-21 - Vulnerability reported to vendor 2012-07-12 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * CHkr_D591 - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT/8HYlVtgMGTo1scAQK+sQf8D7PYEg3cCg29kLMguYjM75Gfw33jRJTg H0e0kKxOoqQGsIa+uIci4bMjgrc6sw4HVB+sx8q5AvrDfBWPUi1Ta5J41jw0XQwQ fGgA/+oxqyCezZpw2MvU8AJrA5RXzHGNIkjiqsgKrmGtTOHIOpTgCmI7qLDfCGfA rONB68yzNLQl0kA7obLrMXXNpJa2fwj6QBelIS3PgdPC9Hf0PhD1e3cArUfCpPPS PFwuZwba+4FzaenZe9d9KdZ86FDwcBa3tLzLdGPs5nBDN9mqKAKQBOAoTvSMm4Oq Kc2wPEeTBkxc9xAiMJyCcRz8iYou5JjjuDWeY/RygSOozoMwDgFQZw== =PyOC -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-117 : EMC AutoStart ftAgent Opcode 50 Parsing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-117 : EMC AutoStart ftAgent Opcode 50 Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-117 July 12, 2012 - -- CVE ID: CVE-2012-0409 - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: EMC - -- Affected Products: EMC AutoStart - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12435. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC Autostart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ftAgent.exe service, which listens by default on TCP port 8045. When handling messages with opcode 50 (0x32) and subcode 02, the process performs arithmetic on an unvalidated user-supplied value used to determine the size of a new heap buffer, allowing a potential integer wrap to cause a heap buffer overflow. This vulnerability can be leveraged to execute code under the context of the SYSTEM user. - -- Vendor Response: EMC has issued an update to correct this vulnerability. More details can be found at: http://www.securityfocus.com/archive/1/522835/30/0/threaded - -- Disclosure Timeline: 2011-11-21 - Vulnerability reported to vendor 2012-07-12 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * gwslabs.com - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT/8EbVVtgMGTo1scAQLuVQgAi9chpbWVuRbJWhhiRT6bbtyxR4igIU20 7UpkG/bPpEVovEIUPDdDqA/9OjmbP4Zgud5QQzvP2Me4wda47mhg2UD3ydO6h6Jm mUyoWIPwMg+I3re+iRdzJDm5Rjs93jckIc5IuDjXKTVPZXvTiHtzlfK0NRX1ytFe lHvPFKsRxouzWuxIq//QOnVoMsYevA03bnziXnaIYzywXnjMXx9DbcLw8W2kzCvF Czy6QdZZcLTcNClj6AD/ZBJnXOAyNs4t+CBo6eQyB1fndXMveCIv586mPDgUIMJN E8Ym08plwnMUQWmWagljLH1bWdW7/Vt/3bKAUDx7EuvZ0YeHuY/zLA== =hzRJ -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-124: EMC AutoStart ftAgent Opcode 50 Subcode 42 Parsing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-124: EMC AutoStart ftAgent Opcode 50 Subcode 42 Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-124 July 12, 2012 - -- CVE ID: CVE-2012-0409 - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: EMC - -- Affected Products: EMC AutoStart - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12435. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC Autostart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ftAgent.exe service, which listens by default on TCP port 8045. When handling messages with opcode 50 (0x32) and subcode 42 (0x2a), the process performs arithmetic on an unvalidated user-supplied value used to determine the size of a new heap buffer, allowing a potential integer wrap to cause a heap buffer overflow. This vulnerability can be leveraged to execute code under the context of the SYSTEM user. - -- Vendor Response: EMC has issued an update to correct this vulnerability. More details can be found at: http://www.securityfocus.com/archive/1/522835/30/0/threaded - -- Disclosure Timeline: 2011-11-21 - Vulnerability reported to vendor 2012-07-12 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * gwslabs.com - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT/8HA1VtgMGTo1scAQIKQwgAlYvxHGQ3c5Sx++uzE18MNIulZW6KXmLd Gh2NlpWzy19gbvDGET1K1DBTwMSdEaNdVXMw4h7cTEuDLwlwIrEFRD82Q5jDuGBy 1whV3B4Lws8spwk3k1vZfoBKgAg2inhTSFzv0ZNnwrZSSpfE4dNMM+7Em+vvX1U8 BroSz03RV8Pk0iSlbOG8ZeKAsxwE6X3VPv5S4n3KLRhO4fJQ98iCOKCjqVzk2d9v NYLfaVkjxR34R/E11Fa1BDDEnULT68KmK3B7CcxI9TYoVstNN2dmS9EPwWU5MZme n8Gd8LnKvZSl8/GIR1wSjVENtDY82M0tw5/rFcgLoDH6pWL+T9XaDQ== =FLuL -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-123: EMC AutoStart ftAgent Opcode 50 Subcode 60 Parsing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-123: EMC AutoStart ftAgent Opcode 50 Subcode 60 Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-123 July 12, 2012 - -- CVE ID: CVE-2012-0409 - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: EMC - -- Affected Products: EMC AutoStart - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12435. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC Autostart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ftAgent.exe service, which listens by default on TCP port 8045. When handling messages with opcode 50 (0x32) and subcode 60 (0xe9), the process performs arithmetic on an unvalidated user-supplied value used to determine the size of a new heap buffer, allowing a potential integer wrap to cause a heap buffer overflow. This vulnerability can be leveraged to execute code under the context of the SYSTEM user. - -- Vendor Response: EMC has issued an update to correct this vulnerability. More details can be found at: http://www.securityfocus.com/archive/1/522835/30/0/threaded - -- Disclosure Timeline: 2011-11-22 - Vulnerability reported to vendor 2012-07-12 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * gwslabs.com - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT/8GtFVtgMGTo1scAQJN/Af8CPT/CvyWubFtj5Os3OqWaP/yItHS/HZK AiGKxTL/4iDOyLH+XWZog9qaGMjT/r4IpQPoj8MQnhBpdDy1wuqbR3ZyQnqhPSQE GvpARxc+OGkV013+EEIItT3E4AYvC7Xt2isqzuNy/Wf8Lk3NytyjyqMKEgHziG+y GmbL1Sfb8iUjUYUQYNKljQ/9q4IJq5+pLyi5Tj2owUi9d9MxZh7/qJskA25BQiNl uTYI3zdGGYhUFaFnaTSRApRN0fWZZQRX2uqkDesmHzvtlKnwJS52wKxlri6CUar2 rUNgfCtfzlGbPGo53NNJvsAxfdqqlFWx77CaPmpMt3E8gCsw2nIXzg== =V52q -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-122: EMC AutoStart ftAgent Opcode 65 Parsing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-122: EMC AutoStart ftAgent Opcode 65 Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-122 July 12, 2012 - -- CVE ID: CVE-2012-0409 - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: EMC - -- Affected Products: EMC AutoStart - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12435. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC Autostart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ftAgent.exe service, which listens by default on TCP port 8045. When handling messages with opcode 65 (0x41) and subcode 18 (0x12), the process performs arithmetic on an unvalidated user-supplied value used to determine the size of a new heap buffer, allowing a potential integer wrap to cause a heap buffer overflow. This vulnerability can be leveraged to execute code under the context of the SYSTEM user. - -- Vendor Response: EMC has issued an update to correct this vulnerability. More details can be found at: http://www.securityfocus.com/archive/1/522835/30/0/threaded - -- Disclosure Timeline: 2011-11-29 - Vulnerability reported to vendor 2012-07-12 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * gwslabs.com - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT/8GSVVtgMGTo1scAQIKawgAmy44i5ErM9jMML0h1KYLKfqFymTn9j0j mg2ORt44ot2MPcBwYyDZi4o5QFic+LUfJz4ccyPp8qemV0p8RSZnc/7WLmOEkaXS PCMToeI37kcSgZfejqWA0y9jB09P7WX6oa2PAMG+n1qr0MH4bHb625tEAxTmHKDy vjtWIDNGx66edcgG5u3gno1yCylxIgRbQ74TkeFf5RBG9eL/chQcnvYYZGnrH7hu DIRnq1IJO5qaXYjllQ/YHkVtFOzRfwJyy1AXTnYkZJ1O8aJDNrFCz1hidz2hv9lE I/lbf9ACFpW2/Yaw0EhjQlFW+TV1tk+o20zXosm4u8tdKKuaILZ1Iw== =pXtR -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-121: EMC AutoStart ftAgent Opcode 85 Subcode 01 Parsing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-121: EMC AutoStart ftAgent Opcode 85 Subcode 01 Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-121 July 12, 2012 - -- CVE ID: CVE-2012-0409 - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: EMC - -- Affected Products: EMC AutoStart - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12435. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC Autostart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ftAgent.exe service, which listens by default on TCP port 8045. When handling messages with opcode 85 (0x55) and subcode 01, the process performs arithmetic on an unvalidated user-supplied value used to determine the size of a new heap buffer, allowing a potential integer wrap to cause a heap buffer overflow. This vulnerability can be leveraged to execute code under the context of the SYSTEM user. - -- Vendor Response: EMC has issued an update to correct this vulnerability. More details can be found at: http://www.securityfocus.com/archive/1/522835/30/0/threaded - -- Disclosure Timeline: 2011-11-22 - Vulnerability reported to vendor 2012-07-12 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * gwslabs.com - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT/8F8lVtgMGTo1scAQLQGgf/ViqEnzuoIgoGzZfAKjQSPvV0d7aVohbU y+PyRQspknJ+NRWTOSHdfzHko6ICz3QAi6kynw3cwSzFCeaZVRuw+69zHO1evOOY 9nQYzbPqzJwvTQDYkARDOocE1lBD8yGm6T2Bh+aSsI3xa7bmQTJBQylRXCA1RvaK +WhPUG2SEozm9iIzJSM5K0lcFWk7mL38ZxKnhgVcxGi3s2Hh0fwVpu66blrRHPXy d+cDYRkJA2n7vf+NOOkWsPWc6mKXXmZVOGEtlPAIYHqTuyaZhv4hweXHlqQ/SIRL KV/jb+3/VEoF57wVAqd9Ad1/ETSJx2OzR5HwrQeX18O+/PVlLsrzcA== =9EUJ -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-120: EMC AutoStart ftAgent Opcode 85 Subcode 22 Parsing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-120: EMC AutoStart ftAgent Opcode 85 Subcode 22 Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-120 July 12, 2012 - -- CVE ID: CVE-2012-0409 - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: EMC - -- Affected Products: EMC AutoStart - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12435. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC Autostart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ftAgent.exe service, which listens by default on TCP port 8045. When handling messages with opcode 85 (0x55) and subcode 22 (0x16), the process performs arithmetic on an unvalidated user-supplied value used to determine the size of a new heap buffer, allowing a potential integer wrap to cause a heap buffer overflow. This vulnerability can be leveraged to execute code under the context of the SYSTEM user. - -- Vendor Response: EMC has issued an update to correct this vulnerability. More details can be found at: http://www.securityfocus.com/archive/1/522835/30/0/threaded - -- Disclosure Timeline: 2011-11-22 - Vulnerability reported to vendor 2012-07-12 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * gwslabs.com - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT/8Fk1VtgMGTo1scAQI9aQf9FT+wYNCKn/fE6P7wHbKw069gRiplmn1a IvfE5n77hdYUPQyGl5tRT44040lpTQw3jVUl4EFAPM7FNg9C3ww5m0AyV36udj7I gJKAVTHDslQrfsKFGF78VBLicIC44qqRrpGkvPgN6N7d3WUkI51NTlY9fccPt0pB P9SNAT4FJzVo9q3P+vwXMzd5GRDsyGIzoXCPTCCUFMzAdPJUkqHxNJbIoZkdAEMH +FMhWrLAa/sSrrMr7rJgay+/O08bfNQR62uEkfEmGK3HOLBBv08MRXGfdt1Emky0 cpgsJd+SF9TpjnyRG1nT4KwDzhhUqUGkQUBymwSNlqkiFUzY0wNf1A== =c4du -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-119: EMC AutoStart ftAgent Opcode 0x41 Subcode 0x00 Parsing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-119: EMC AutoStart ftAgent Opcode 0x41 Subcode 0x00 Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-119 July 12, 2012 - -- CVE ID: CVE-2012-0409 - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: EMC - -- Affected Products: EMC AutoStart - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12435. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC Autostart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ftAgent.exe service, which listens by default on TCP port 8045. When handling messages with opcode 65 (0x41) and subcode 00, the vulnerable function uses a uninitialized stack variable in calculating a memory pointer. Also, the function uses signed extension and signed comparison when checking the uninitialized stack variable, which allows arbitrary negative values to bypass the check. This could result in corruption of a controlled memory location, which can be leveraged to execute code under the context of the SYSTEM user. - -- Vendor Response: EMC has issued an update to correct this vulnerability. More details can be found at: http://www.securityfocus.com/archive/1/522835/30/0/threaded - -- Disclosure Timeline: 2011-12-22 - Vulnerability reported to vendor 2012-07-12 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * gwslabs.com - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT/8FNVVtgMGTo1scAQK78wf/fkQ+iWzGOke0MikKXafD/3Xok37hKzkk wkCOjHZBeykZ67LrdonK6MH268TVeYx3lphGqdqMt1F0god1jFMd7vXi+rqrriRa 5q5FPoL9JONV2auAMZEIUPEZATXfElZdFyej1y5F8qMMj803Xg+Ylidsmw68w6zw PI2eKxVDMRV0DmtqNGgRrtvWbPRnt/8ZDjrMDGPMm8T/45yVqCOisg3Q433/NERp QGY1LH/Tte6D/BGYvOX1+rW/C7GwePsVxc5EStWsAE0SZ2qCxXpfToOZb347COH4 0p9S4eEVMlt6YkXbMcdi7Bt6SuifJqyar2tRHaqowON9KoyyqwpPNQ== =inBD -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-118: EMC AutoStart ftAgent Opcode 0x03 Parsing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-118: EMC AutoStart ftAgent Opcode 0x03 Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-118 July 12, 2012 - -- CVE ID: CVE-2012-0409 - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: EMC - -- Affected Products: EMC AutoStart - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12435. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC Autostart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ftAgent.exe service, which listens by default on TCP port 8045. When handling messages with opcode 03 and subcode 04, the process performs arithmetic on an unvalidated user-supplied value used to determine the size of a new heap buffer, allowing a potential integer wrap to cause a heap buffer overflow. This vulnerability can be leveraged to execute code under the context of the SYSTEM user. - -- Vendor Response: EMC has issued an update to correct this vulnerability. More details can be found at: http://www.securityfocus.com/archive/1/522835/30/0/threaded - -- Disclosure Timeline: 2011-11-29 - Vulnerability reported to vendor 2012-07-12 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * gwslabs.com - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT/8EylVtgMGTo1scAQKXWQgAgQlPDhZ7V/WCBhg7ooDSm+k68GJLcO87 Ktmb7HTVxxjqzywyHijP5jiVRlVTsBAHa7LFy38M68zmY8nt3+5XSs0Y229x4Oyr jLeh0XtaMQW2mcxU5nlpOXtEYULQRGXNCDSzmX96HTJEFfw4GavON5K4gojeWPPY GlqhoyMqoZz76g5XKQCbBn4iGH3+N2CZa+Mo0U7gCMhVm+68XU4CC6giAIyXfeES sAjhkopVo2qqGF6wIRdhP1ShLypteCTAGCNeDDCVN8pEaCpncMaQg2+o+Jb58ApB IEBSP2EjvhrY3beTGK0ViRrjZupX/+dYL5NUY0iNc+AslL4AiUuK9w== =Ec0D -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-116 : EMC AutoStart ftAgent Opcode 50 Subcode 04 Parsing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-116 : EMC AutoStart ftAgent Opcode 50 Subcode 04 Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-116 July 12, 2012 - -- CVE ID: CVE-2012-0409 - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: EMC - -- Affected Products: EMC AutoStart - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12435. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC Autostart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ftAgent.exe service, which listens by default on TCP port 8045. When handling messages with opcode 50 (0x32) and subcode 04, the process performs arithmetic on an unvalidated user-supplied value used to determine the size of a new heap buffer, allowing a potential integer wrap. This user supplied value is also used to determine how many times a loop will parse the data into the buffer. Combined, the vulnerable code will allow for the heap to be corrupted. This vulnerability can be leveraged to execute code under the context of the SYSTEM user. - -- Vendor Response: EMC has issued an update to correct this vulnerability. More details can be found at: http://www.securityfocus.com/archive/1/522835/30/0/threaded - -- Disclosure Timeline: 2011-11-21 - Vulnerability reported to vendor 2012-07-12 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * gwslabs.com - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT/8EGFVtgMGTo1scAQKJqwf/bhtvV9tkvy3ExQXQolG6jX4v5a1g4vdL mKn5G/m+p1NoOBI2JIsbjLPYJeHGEJHPH7jBLq17qvv7Gx67L03PKxm0R+wyfZC8 NFjGtXADETZZXO2YDfcIMvx7rc5IeSYvIm05qxGVGp0oA8ou8UlKi5IUuzOmdeR/ bt1gD/PoOYeCbjY6fM7qdJ2UHyXmanurMtwA/dNkXNiTvxYfM7S4oa616d9dosKQ os08ZVHVOJuNFTbnSSlE43eQjK2LqZtoFTCkG6tYPH4FRc0cvy9KLxWsgJgQSq2c GZvSiM+2ZwEwSBSSkxHhtTv8Khq7BMwBl0511hj7oBlSoCS/hxStcQ== =U77t -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-115 : HP OpenView Performance Agent coda.exe Opcode 0x8C Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-115 : HP OpenView Performance Agent coda.exe Opcode 0x8C Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-115 July 12, 2012 - -- CVE ID: CVE-2012-2020 - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Hewlett-Packard - -- Affected Products: Hewlett-Packard OpenView Performance Agent - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12448. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP OpenView Performance Agent. Authentication is not required to exploit this vulnerability. The specific flaw exists within the coda.exe process which listens on a random TCP port by default. The process trusts a value within a GET request as a size. It then proceeds to copy that many bytes of user-supplied data into a fixed-length buffer on the stack. Remote unauthenticated attackers can exploit this vulnerability by sending malformed message packets to the target, which could ultimately lead to arbitrary code execution under the context of the SYSTEM user. - -- Vendor Response: Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_ na-c03397769 - -- Disclosure Timeline: 2011-08-12 - Vulnerability reported to vendor 2012-07-12 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Luigi Auriemma - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT/8CvFVtgMGTo1scAQLzJAf9FW0olntWHXrZ/VjUjOO7GOli1kTmjL40 7Y4zpljcp/8kK7VqmnL0P0C0Mw4icWPR8rmKCxeOLCJjJrt0QH/TjqsdNR6Yh195 HTxkiNFU1qYTVmyfZpxvBBBwe7OmrZCh1PkHmDCEF7q3ze7yKr9rV09gEUcJuiRY tvw717y90vlrWJ4iXvfkdDXIrv/CE85+nwFn3cd+4LnIzx5jPjTrPu7Ctk7o3vpL FU5AVmvLwikDdoVEQJ86IbZvNdO+AD/gcVI+hQ+Yb3K+5z2D3LkR0rKalbCDgElo wK+5VoTxZP/LzZAiGgUvulBjj/Tc6Jd3uMIN0W3+MpOmEi0zT5xvAw== =IhUO -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-114 : HP OpenView Performance Agent coda.exe Opcode 0x34 Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-114 : HP OpenView Performance Agent coda.exe Opcode 0x34 Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-114 July 12, 2012 - -- CVE ID: CVE-2012-2019 - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Hewlett-Packard - -- Affected Products: Hewlett-Packard OpenView Performance Agent - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12448. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP OpenView Performance Agent. Authentication is not required to exploit this vulnerability. The specific flaw exists within the coda.exe process which listens on a random TCP port by default. The process trusts a value within a GET request as a size. It then proceeds to copy that many bytes of user-supplied data into a fixed-length buffer on the stack. Remote unauthenticated attackers can exploit this vulnerability by sending malformed message packets to the target, which could ultimately lead to arbitrary code execution under the context of the SYSTEM user. - -- Vendor Response: Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_ na-c03397769 - -- Disclosure Timeline: 2011-08-12 - Vulnerability reported to vendor 2012-07-12 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Luigi Auriemma - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT/8CV1VtgMGTo1scAQLuNAf+Jy3YqaOJdcYngccRA2mowdFOZv9hDt1k TP/LZxgwAGvhkgVo79RV/tsFEisKuE8UrD3gll/yUZ9OeNKwqNXVgiFkPbo+VfzW 2bXkSS1JM/lP/aQ+sawCfmfRE/w+4RLDMiPpkl0aJSm/gGKwXQbE9CVG9mXL83ah XfeViOEJppaIvzS5P7SeHlLO/gBpJ8zFEU4YuiKVqNnVXlZp1m5hvK+v0m6Vsx8R GTWtai6tWNz5Fod6tf5I+aJhNIoHo5cJn+cuTTp5Td9ZDoq5ca/gsojTj3IncVxj AJfdGFJljayDk5Ipvth0029RWaAXLRTo7xe8hu2F+xp2fL+BGG0l4g== =ktl8 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] TPTI-12-05: Oracle AutoVue ActiveX SetMarkupMode Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 TPTI-12-05: Oracle AutoVue ActiveX SetMarkupMode Remote Code Execution Vulnerability http://dvlabs.tippingpoint.com/advisory/TPTI-12-05 June 29th, 2012 - - -- CVE ID - - -- Affected Vendors Oracle - - -- Affected Products AutoVue - - -- TippingPoint(tm) IPS Customer Protection TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 12286. For further product information on the TippingPoint IPS: http://www.tippingpoint.com - - -- Vulnerability Details This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle AutoVue. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the AutoVueX.ocx ActiveX object. There exists a method SetMarkupMode() that takes an unbounded string as an argument and copies it to a fixed-length buffer on the stack. This can lead to memory corruption which can be leveraged to execute code under the context of the process. - - -- Vendor Response Oracle has issued an update to correct this vulnerability. More details can be found at: http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html - - -- Disclosure Timeline 2011-11-29 - Vulnerability reported to vendor 2012-06-29 - Coordinated public release of advisory - - -- Credit This vulnerability was discovered by: Brian Gorenc HP DVLabs - - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT+3fmlVtgMGTo1scAQItjQf/Sc1sQMUZTsExyt5kWqHc+AAKf+lRB7Pp A9IXwF7bDan10a3Go7ZgqgYPnEEub6SlhTzUFkxmTxxcKvyNFjqIVXULyQX83P7v YiNW8I9tq/TLgUnIOfxmkFOcjelGakct4UkV29UkUElqge9670W/i3O2imVVDeWa wZzxw26dumW2u1xz+a/uReLJNQQQ6Qx2TZeueDJeT7aRQ1GVCTr66c6JdhREKiwJ URlIv1xQ5TyStXs3M4SpilD+t0+uC0Jc3NgIlEtkBU21KtkiF9R8E09UL3s2k9QU 8Psdwdz3Z7p5lhKNuXBS8bJOJ0Xp93YlgTxvr2s6k3IxqYm0MnumAA== =OSAM -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] TPTI-12-06: Hewlett-Packard Data Protector DtbClsAddObject Parsing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 TPTI-12-06: Hewlett-Packard Data Protector DtbClsAddObject Parsing Remote Code Execution Vulnerability http://dvlabs.tippingpoint.com/advisory/TPTI-12-06 June 29th, 2012 - - --CVE ID CVE-2012-0123 - - --Affected Vendors Hewlett-Packard - - --Affected Products Data Protector - - --TippingPoint(tm) IPS Customer Protection TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 12378. For further product information on the TippingPoint IPS: http://www.tippingpoint.com - - --Vulnerability Details This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Data Protector. Authentication is not required to exploit this vulnerability. The specific flaw exists within the dpwintdb.exe process which listens by default on TCP port 3817. When parsing data within a DtbClsAddObject request, the process copies data from the network into a fixed-length buffer on the stack via an unchecked loop. This can be leveraged by attackers to execute arbitrary code under the context of the SYSTEM user. - - --Vendor Response Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr _na-c03229235 - - --Disclosure Timeline 2012-01-24 - Vulnerability reported to vendor 2012-06-29 - Coordinated public release of advisory - - --Credit This vulnerability was discovered by: Aaron Portnoy HP DVLabs - - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT+3e21VtgMGTo1scAQIFjgf+N2ubdTbCx5gKj+gp2tQtaquwT3Vm8F3z xjTqCVTUqiJmUb19LKVTqsJwzX4I/BEAjeNRXF/Riw2gtmOXZ8vQN5dtZISWER8Y AqUMEd2fstoa7UuZCc52yFfap7P4kgrQAuXUrybfPJwgKCKx91p8MYMY2jQlgYQK 6y6U0exke4nI1km/SOU3k8zQqbGFzT+nlMbHk1dd8i0LkrdAyjKXUSWzPaXDXNIN JN2w5f/ijSfsIYEVOHS5XLhY/YHHxhjzbuvJ+v7a76Zy05RQldkSIyWLbQLRFhIS JLcIUJF8rC0sCM6c+IP/tnPMCk0yIL0vp/U0cB0HMPKXfsUuSdWXqA== =Sm7f -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-113 : IBM Rational ClearQuest CQOle ActiveX Control Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-113 : IBM Rational ClearQuest CQOle ActiveX Control Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-113 June 28, 2012 - -- CVE ID: CVE-2012-0708 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: IBM - -- Affected Products: IBM Rational ClearQuest - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12368. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Rational ClearQuest. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the CQOle ActiveX control. A function prototype mismatch in an ActiveX wrapper results in an extra argument to be pushed onto the stack, thereby misaligning the stack offset. When the function returns, it can be made to jump to a memory address provided via the ActiveX method call. This can be leveraged to execute arbitrary code under the context of the user running the browser. - -- Vendor Response: IBM has issued an update to correct this vulnerability. More details can be found at: http://www-304.ibm.com/support/docview.wss?uid=swg21591705 - -- Disclosure Timeline: 2011-11-29 - Vulnerability reported to vendor 2012-06-28 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Andrea Micalizzi aka rgod - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT+yybVVtgMGTo1scAQLhTwf8DTXlvFzhESf83BkKyQzhgtA/j7NxbnPl 0QfoNEuHOMZ0c2SCz5p+XlHFApCBIMX690zilnFl2EnPAeJyR373KiEbxjdFsg+m nswZzsflezebM5DgYiVZ6yTnioqdnJtCqBDo16hjbesTJkUkp/6y5YdCeGnR1T84 ZVxz9Q5yfyAHBKYqsFIYhkc/WBAB6EfxHqPXu0nCssgfOvnORstulE9UtWhIs+Sb BYslLpuuPqaEYNO/Z1VsRBj9/BNR0w7QvxCBzErnqgm9jk2ikNpaic5dO9jwjGaA koO7V9argc7VgRetxM7ajQuZJlP95GatfKJWN1jgC9e2L1qWA31RPg== =6HYm -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-112 : SAP Netweaver ABAP msg_server.exe Parameter Name Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-112 : SAP Netweaver ABAP msg_server.exe Parameter Name Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-112 June 28, 2012 - -- CVE ID: - -- CVSS: 9, AV:N/AC:L/Au:N/C:P/I:P/A:C - -- Affected Vendors: SAP - -- Affected Products: SAP NetWeaver - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12407. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP NetWeaver ABAP. Authentication is not required to exploit this vulnerability. The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. If a package with sub opcode 0x4 contains a Parameter Name string NetWeaver will eventually write a \x00 byte onto the stack to mark the end of the string. The location of this null byte is dependent on user supplied data and the resulting stack corruption can lead to remote code execution under the context of the running processs. - -- Vendor Response: SAP has issued an update to correct this vulnerability. More details can be found at: http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d1 0-eea7-ceb666083a6a#section40 - -- Disclosure Timeline: 2011-10-28 - Vulnerability reported to vendor 2012-06-28 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * e6af8de8b1d4b2b6d5ba2610cbf9cd38 - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT+ytV1VtgMGTo1scAQKbkwf9HlNu7Erwl+mPGcOx8WWu981FgGcd1n32 zld+NhXF086ZqW0TEgb5ZLrvlZ1czWCO3sZoYOfj376yv7BRY0zkkr9mJKANdfBA qSUFZZqj0cx8WzI9R2xI8WFfDsIWrEZA/Ns9F2QDZXytT1DBG6t6ZgL9O/ARlLKt oTez+yf959j0jRmApjnwKgJWhAk2FCOKaKZBFRBwiWZPezKGe9sjDlp0HGtzMdxa yMasjhyEFRxJ4393oQUnLNVjmUs4fspe5Pb/JU5NKhIYfl2B+zNPmfkYShzLIgE3 4E/HP65TZsaNMH8IkSRZMtNkDswpO8gcefj+jNi1ZOQ2bL5kjRyYyg== =4xNJ -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-111 : SAP Netweaver ABAP msg_server.exe Opcode 0x43 Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-111 : SAP Netweaver ABAP msg_server.exe Opcode 0x43 Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-111 June 28, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: SAP - -- Affected Products: SAP NetWeaver - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12407. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Netweaver ABAP. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user suplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. - -- Vendor Response: SAP has issued an update to correct this vulnerability. More details can be found at: http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d1 0-eea7-ceb666083a6a#section40 - -- Disclosure Timeline: 2011-10-28 - Vulnerability reported to vendor 2012-06-28 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * e6af8de8b1d4b2b6d5ba2610cbf9cd38 - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT+yszFVtgMGTo1scAQLv/wf+MRiEiaRsMyaVgI7MTDUo9sXprBObQ6QM yIlVyGLjwEQrO9KsUMlCj/pfLkgjcHYpCNxcrB0+6ZgtphkIQhrB3w0sj/fjRyn1 Vuugvjazu8xffqujZ2ymaQHR+toaQjeKrtWvVbaTdJI6EFuUi+qT5MrZQfRWhE2X uqXdLphMXYH+SRhNtD+zJhxg4U4emVvirqNJa9YLwFE0UpxGRksKCB4Cx89o2QWE NiC9bPznAVCMOBh/R/8uROXkg1Jg9YBhEu7wzJY95Yfsl4oWpSO0cQOCF0WAWiHi TsUy3xHAjW7gMz7v/QMleok6C/7safK/7qjJRMDrGUQO1csmlZUkAg== =FVga -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-110 : Mozilla Firefox AttributeChildRemoved Use-After-Free Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-110 : Mozilla Firefox AttributeChildRemoved Use-After-Free Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-110 June 28, 2012 - -- CVE ID: CVE-2011-3659 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Mozilla - -- Affected Products: Mozilla Firefox - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12418. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way Firefox handles nsDOMAttribute child removal. It is possible to remove a child without setting the removed child pointer to NULL, thus leaving it still accessible as a dangling pointer. Subsequent use of this pointer allows for remote code execution. - -- Vendor Response: Mozilla has issued an update to correct this vulnerability. More details can be found at: http://www.mozilla.org/security/announce/2012/mfsa2012-04.html - -- Disclosure Timeline: 2011-12-01 - Vulnerability reported to vendor 2012-06-28 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * regenrecht - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT+yr1FVtgMGTo1scAQIqsAf8Dk5PYTzZWAOMlWjHCQNqQtERHuekPYg7 L2i2Wodd1a25AV/4XXnQYOwhXv6SfkuRZ/nBi3dFaEb12XpiRQl4+ibmzisGYo8/ 6/VsgVMhgxPv1oW5CV2juMSMLkE6pUFIRGW6z1qeuttvsvD1x/Dx4lKu7RSBfZ9R XqgTwAjaSMyT0pYjAncLOMuspjMCN6KwWS59s8J98+dTg6z7pXlU42F+7Xg7a6xo syBEa4e/rRsPiCdYFwUNNpVylSAuPxnoui4EFRjGnaVrIE1wsABKiq3Jk+XxMwMS 6CXqLpmpAOB3qRRRIZp2U9WfLuy+doAN62Aj9Kau1OCW8VqK9VY24g== =Vcpo -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-109 : Apple Quicktime TeXML Karaoke Element Parsing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-109 : Apple Quicktime TeXML Karaoke Element Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-109 June 28, 2012 - -- CVE ID: CVE-12-0663 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Apple - -- Affected Products: Apple QuickTime - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12422. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Quicktime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XML elements within a TeXML file. Specifically, when handling the karaoke XML element the code within QuickTime3GPP.qtx does not properly validate the length of the data within specific sub-fields. By providing specially crafted data, the code can be made to copy too much data into a fixed-length buffer on the stack. Exploitation of this vulnerability could allow a remote attacker to execute arbitrary code under the context of the user running Quicktime. - -- Vendor Response: - -- Disclosure Timeline: 2011-11-04 - Vulnerability reported to vendor 2012-06-28 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Alexander Gavrun - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT+yqZ1VtgMGTo1scAQK0ugf8DO3SRuw4SpLaQzpnj0lu3TrhMeQXdlRN OgRtuHn1PT+eJ9vCziDxYFftRl38ppQgcQVq4RkDirJCA9/a8dEgVSccWC0IM8K5 eWoI4wtRrp5yE75AnoXsXcI0NRv3EV9Od0QbAC7SMxZMKMSaCx1MuN8EDiAdPykI oeZN9LAHwRtDUl/KydJEkwuPx3sq3mPXUKxyE2T7muEQokP8ufCwZinmK/emgNu3 WrUMma2g/YhqwNw3Cf6bvkoAntTvaOLUpsiRLhm+dOaIyWn/TfyoDQlA18stjxSY EJRUkjzGCzB+CE1hTqU+RYIFXAqbbrTbeqG4SEpMn8fcJ9yAFBZmiQ== =1VlU -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-108 : Apple Quicktime TeXML sampleData Element Parsing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-108 : Apple Quicktime TeXML sampleData Element Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-108 June 28, 2012 - -- CVE ID: CVE-12-0663 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Apple - -- Affected Products: Apple QuickTime - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12424. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Quicktime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XML elements within a TeXML file. Specifically, when handling the sampleData element the code within QuickTime3GPP.qtx does not properly validate the length of the data within a color sub-field before copying it into a fixed-length buffer on the stack. Exploitation of this vulnerability could allow a remote attacker to execute arbitrary code under the context of the user running Quicktime. - -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT1222 - -- Disclosure Timeline: 2011-10-21 - Vulnerability reported to vendor 2012-06-28 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Alexander Gavrun - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT+yqMVVtgMGTo1scAQLrngf8Dd0CBjksyBTP9+U/PxTeGyGd7LNAwksj D/jHfo6KU78G5ls00RbMGxfWUXiRdqsR6Kk98Sk71Ei4Zyhm7owS3ddymuaMocwZ IPw2pEr35ZGOTBKXFGkK4C7r/ov4ynZpu/n+hTIlWIoWMuCFbkzIlBMXzfEIesub cTp3HFDnEfylmvyEkpkn5pKAUPkuD0CWZldJlXdSh7FWRRiTubC1bqknLozzw/t0 iOAYzUli04Jk2SxtniMEH9V/AwV+F/IFnduwCmKQMMlcWlr6Exy2m+blhwuFjB1z Df/FZXiAnDfqWFB18QqicTSAlX5a7+n3rEhaMV+3ZvYpOOLrhlTzEA== =0bjF -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-107 : Apple Quicktime TeXML Style Element Parsing Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-107 : Apple Quicktime TeXML Style Element Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-107 June 28, 2012 - -- CVE ID: CVE-2012-0663 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Apple - -- Affected Products: Apple QuickTime - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12406. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Quicktime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XML elements within a TeXML file. Specifically, when handling the style XML element the code within QuickTime3GPP.qtx does not properly validate the length of the data within specific sub-fields. By providing specially crafted data, the code can be made to copy too much into a fixed-length buffer on the stack. Exploitation of this vulnerability could allow a remote attacker to execute arbitrary code under the context of the user running Quicktime. - -- Vendor Response: - -- Disclosure Timeline: 2011-10-21 - Vulnerability reported to vendor 2012-06-28 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Alexander Gavrun - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT+ym7FVtgMGTo1scAQJkqwf/QGr16dLpSUD0fEs1fd5McnOJ70AbCkdb X2K/G3rIqNnPtkq9hHK3SdkHfwAo2PbtGdmzyO8nXRdUKodXI4ThI6kG8F/hrMRc NROdc/j8FMiQP+cF1kV5+xZKYBueJox0iOafjsCIWMci/pW5RTS607mkQET7MZNN 0Lo017U02pj633+OvxIAlqznLVHj68EDV4PlK5fhQuP9W0AmilkxYVySKVeGnE6U HSuhc/GwfHsW55tHx3S4M8hAlmViQ8ugJt1p+y7rWPEkDbRy5t6WLa4QAHFEJ6Po 1AAW0lIVR7jrJZzbsYVMFxB+a+0SoDg00Li1SWbKbRRyhFrx6+XZCw== =aetn -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-106 : Avaya IP Office Customer Call Reporter ImageUpload Remote Code Execution Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 ZDI-12-106 : Avaya IP Office Customer Call Reporter ImageUpload Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-106 June 28, 2012 - -- CVE ID: CVE-2012-3811 - -- CVSS: 9.7, AV:N/AC:L/Au:N/C:C/I:C/A:P - -- Affected Vendors: Avaya - -- Affected Products: Avaya IP Office - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12384. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Avaya IP Office Customer Call Reporter. Authentication is not required to exploit this vulnerability. The specific flaw exists because Avaya IP Office Customer Call Reporter allows unauthenticated users to upload files to the webserver through ImageUpload.ashx. The uploaded files will not be stripped of their file extensions and the directory where they are uploaded to has no scripting restrictions. This flaw can lead the remote code execution under the context of the user running the IP Office Customer Call Reporter, usually NETWORK SERVICE. - -- Vendor Response: Avaya has issued an update to correct this vulnerability. More details can be found at: https://downloads.avaya.com/css/P8/documents/100164021 - -- Disclosure Timeline: 2011-11-22 - Vulnerability reported to vendor 2012-06-28 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Andrea Micalizzi aka rgod - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT+yEQApqzihWMQCjAQg8zQf/a1qf5sTw4fHIak4IlqGItSqc1y1TxFwv LupnUHsspGYFEGkiYFHAmSTG4CcRWTiNvGQhaB9Kyo6kHf2V2zUmQ6f9zxzB77lD maGi7N6C9W+CHrAHyKpde6QxmGlGJ3/MUMDbPbhThmaPIjy7c8KJF3Ta2LJ1XJoa tNyefkQvwmPZuI4gLxHIaCYgLoKwKH46TXXmLSzN5Cb7cE9XQBGSkwgrOeyP0I3d hTexegbbaPbB43eN90n+sAouopKu9UAOHm2DKbOdcXoX8ilYfSL2IKn16H4mGDyS lnoLlFRmulW7NKyu6sResHW3yyVuLi6xdVfL42pHMcgeJEnkVlvq8g== =27jY -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-12-105 : Apple Quicktime Text Track Descriptor Parsing Remote Code Execution
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ZDI-12-105 : Apple Quicktime Text Track Descriptor Parsing Remote Code Execution http://www.zerodayinitiative.com/advisories/ZDI-12-105 June 27, 2012 - -- CVE ID: CVE-2012-0664 - -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P - -- Affected Vendors: Apple - -- Affected Products: Apple QuickTime - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12419. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com - -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Quicktime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within he way Quicktime handles Text Track Descriptors. Values for almost all of the text descriptors recognized by quicktime will be read into a fixed size buffer. This can lead to a heap based buffer overflow which can result in remote code execution under the context of the current process. - -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT1222 - -- Disclosure Timeline: 2011-10-28 - Vulnerability reported to vendor 2012-06-27 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * Alexander Gavrun - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT+spqFVtgMGTo1scAQJ2TAgAiWSKrhS0i4aFek9fepAXyWE86+mIFvpE yBCH7aisTAN5Wz6/L98NWI0Qt/rfwTpGqcDpJbczG69r7RnCL6NISAgqJuA/YJoy 4J+FRO8QcatofC3AiHQwfpJPnklQGLCkQHTukoFDQW4ZVr0RgMzwbt4O6IiqLIPu 9B5Y0bMQLvR6RK0gwHPYsr1jWm+Z+mC32W+zay9cbPvQhts0EIfrl25D/1Qw2S02 UvJgz/lj1Tyo6T2Ogr3Q82K1W6ZQVDkBmioAsBSn6bK/AqzcY4PS713yliEKp83R zlwPu5BSPHVg3Y/XMldroIGpoEHm9pInDCgnFWEPAL1sRWu1RPfVjw== =t1j0 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
