WorldCIST'14 - World Conference on IST; Submission deadline: November 29

2013-11-10 Thread Maria Lemos
Apologies if you are receiving this mail more than once...


**
 WorldCIST'14
The 2014 World Conference on Information Systems and Technologies
April 15 - 18, Madeira Island, Portugal
   http://www.aisti.eu/worldcist14/
**

The 2014 World Conference on Information Systems and Technologies 
(WorldCIST'14: http://www.aisti.eu/worldcist14) is a global forum for 
researchers and practitioners to present and discuss the most recent 
innovations, trends, results, experiences and concerns in the several 
perspectives of Information Systems and Technologies.

We are pleased to invite you to submit your papers to WorldCIST'14. All 
submissions will be reviewed on the basis of relevance, originality, importance 
and clarity.

 
THEMES

Submitted papers should be related to one or more of the main themes proposed 
for the Conference:

A) Information and Knowledge Management (IKM);

B) Organizational Models and Information Systems (OMIS);

C) Intelligent and Decision Support Systems (IDSS);

D) Software Systems, Architectures, Applications and Tools (SSAAT);

E) Computer Networks, Mobility and Pervasive Systems (CNMPS);

F) Human-Computer Interaction (HCI);

G) Health Informatics (HIS);

H) Information Technologies in Education (ITE).


TYPES OF SUBMISSIONS AND DECISIONS

Four types of papers can be submitted:

Full paper: Finished or consolidated R&D works, to be included in one of the 
Conference themes. These papers are assigned a 10-page limit.

Short paper: Ongoing works with relevant preliminary results, open to 
discussion. These papers are assigned a 7-page limit.

Poster paper: Initial work with relevant ideas, open to discussion. These 
papers are assigned a 4-page limit.

Company paper: Companies' papers that show practical experience, R&D, tools, 
etc., focused on some topics of the conference. These papers are assigned a 
4-page limit.

Submitted papers must comply with the format of the Advances in Intelligent 
Systems and Computing Series (see Instructions for Authors at the Springer 
website or download a DOC example), be written in English, must not have been 
published before, must not be under review for any other conference or 
publication, and must not include any information leading to the authors' 
identification. Therefore, the authors' names, affiliations and bibliographic 
references should not be included in the version for evaluation by the Program 
Committee. This information should only be included in the camera-ready 
version, saved in Word or LaTeX format and also in PDF format. These files must 
be accompanied by the completed Consent to Publication form, in a ZIP file, and 
uploaded to the conference management system.

All papers will be subjected to a “double-blind review” by at least two members 
of the Program Committee.

Based on the Program Committee evaluation, a paper can be rejected or accepted 
by the Conference Chairs. In the latter case, it can be accepted as the type 
originally submitted or as another type. Thus, full papers can be accepted as 
short papers or poster papers only. Similarly, short papers can be accepted as 
poster papers only. In these cases, the authors will be allowed to keep the 
original number of pages in the camera-ready version.

The authors of accepted poster papers must also build and print a poster to be 
exhibited during the Conference. This poster must follow an A1 or A2 vertical 
format. The Conference includes Work Sessions where these posters are presented 
and orally discussed, with a 5 minute limit per poster.

The authors of accepted full papers will have 15 minutes to present their work 
in a Conference Work Session; approximately 5 minutes of discussion will follow 
each presentation. The authors of accepted short papers and company papers will 
have 11 minutes to present their work in a Conference Work Session; 
approximately 4 minutes of discussion will follow each presentation.


PUBLICATION AND INDEXING

To ensure that a full paper, short paper, poster paper or company paper is 
published in the Proceedings, at least one of the authors must be fully 
registered by the 24th of January 2014, and the paper must comply with the 
suggested layout and page-limit. Additionally, all recommended changes must be 
addressed by the authors before they submit the camera-ready version.

No more than one paper per registration will be published in the Conference 
Proceedings. An extra fee must be paid for publication of additional papers, 
with a maximum of one additional paper per registration.

Full and short papers will be published in Proceedings by Springer, in Advances 
in Intelligent Systems and Computing Series. Poster and company papers will be 
published in Proceedings by AISTI.

Published full and short papers will be submitted 

Belkin WiFi NetCam video stream backdoor with unchangeable admin/admin credentials

2013-11-10 Thread Johannes . Ernst
Product:
NetCam WiFi Camera With Night Vision, purchased August 2013

Summary:
Live video stream is accessible with user/password of admin/admin.
The user/password combination admin/admin cannot be changed by the user.
This feature is undocumented.

To reproduce:
1. Connect webcam to Ethernet or WiFi
2. Access webcam's IP address through a browser, e.g. http://1.2.3.4/
3. Enter admin/admin as user/password. This will produce an empty page with 
a copyright notice of Go Ahead Software Inc., 1994-2000 as an HTML comment
4. Access relative URL /goform/video, e.g. http://1.2.3.4/goform/video to 
see M-JPEG live video from the camera

Status:
* Reported to Belkin August 6th.
* To the best of my knowledge, Belkin:
  * has not notified existing users of the product of the vulnerability
  * has not recalled products
  * is not actively encouraging users to upgrade their firmware
  * has improved the firmware in unspecified ways since the initial report
    (direct communication)
  * has not published details or release notes of the firmware improvements,
    or stated whether and when the new version started shipping on NetCams.
    The PDF user manual on the Belkin site as of today still references
    firmware version 2.3.0.


Re: Word 2003 SP2 .doc fork bomb on WinXP SP3

2013-11-10 Thread Stefan Kanthak
Someone without a name wrote:

> # Exploit Title: Word 2003 SP2 .doc fork bomb on WinXP SP3

[...]

> # Tested on: Windows XP SP3 & Word 2003 SP2 (11.6568.6568)

OUCH!

The current service pack for Office 2003 and Word 2003 is SP3.
The current version of Word 2003 is 11.0.8407, see
https://support.microsoft.com/kb/2826020 alias
http://technet.microsoft.com/security/bulletin/MS13-086

Whoever uses outdated and vulnerable versions of products is just stupid!

Stefan Kanthak


[SECURITY] [DSA 2793-1] libav security update

2013-11-10 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2793-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
November 09, 2013  http://www.debian.org/security/faq
- -

Package: libav
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-0844 CVE-2013-0850 CVE-2013-0853 CVE-2013-0854 
 CVE-2013-0857 CVE-2013-0858 CVE-2013-0866

Several security issues have been corrected in multiple demuxers and 
decoders of the libav multimedia library. The CVE IDs mentioned above are 
just a small portion of the security issues fixed in this update. A full
list of the changes is available at
http://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v0.8.9

For the stable distribution (wheezy), these problems have been fixed in
version 0.8.9-1.

For the unstable distribution (sid), these problems have been fixed in
version 9.10-1.

We recommend that you upgrade your libav packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.15 (GNU/Linux)

iEYEARECAAYFAlJ+RYcACgkQXm3vHE4uylqkTwCfZdzvMgdNka3GaGRdHhNwPhgu
kLUAn2ttuJ9K+UKLG4xdJI6sdwi2Y1Tu
=I9iq
-END PGP SIGNATURE-



XADV-2013003 Linux Kernel bt8xx Video Driver IOCTL Heap Overflow

2013-11-10 Thread geinblues

++
| XADV-2013003 Linux Kernel bt8xx Video Driver IOCTL Heap Overflow   |
++

 Vulnerable versions:
 - linux kernel 2.6.18 =
 Testbed: ubuntu
 Type: Local
 Impact: Critical
 Vendor: http://www.kernel.org
 Author: x90c geinblues *nospam* gmail dot com
 Site: x90c.org


=
ABSTRACT:
=

The bt8xx video driver is a video capture driver. It supports the Bt848,
Bt849, Bt878, and Bt879.

The bt8xx video driver in the Linux kernel has a vulnerability that leads to
a kernel heap overflow. It is in the do-ioctl code for bt8xx, which
copy_from_user()s more user-supplied data into the kernel heap buffer
than was kmalloc'd.


=
DETAILS:
=

(1) vulnerable reason: 8 bytes v4l2_clip struct. (sizeof v4l2_clip? 8 bytes)

[~linux-2.6.18/include/linux/videodev2.h]

struct v4l2_clip
{
        struct v4l2_rect        c;
        struct v4l2_clip        __user *next;
};


v4l2_clip struct is 8 bytes!


[~linux-2.6.18/include/linux/videodev.h]

struct video_window
{
__u32   x,y;/* Position of window */
__u32   width,height;   /* Its size */
__u32   chromakey;
__u32   flags;
struct  video_clip __user *clips;   /* Set only */
int clipcount;
#define VIDEO_WINDOW_INTERLACE  1
#define VIDEO_WINDOW_CHROMAKEY  16  /* Overlay by chromakey */
#define VIDEO_CLIP_BITMAP   -1
/* bitmap is 1024x625, a '1' bit represents a clipped pixel */
#define VIDEO_CLIPMAP_SIZE  (128 * 625)
};


The *clips member variable of video_window is a pointer.



(2) Do exploit: bttv IOCTL!

[~/linux-2.6.18/drivers/media/video/bt8xx/bttv-driver.c]

static int bttv_do_ioctl(struct inode *inode, struct file *file,
                         unsigned int cmd, void *arg)
{
        ...
        case VIDIOCSWIN:
        {
                struct video_window *win = arg; // XXX win = arg.
                struct v4l2_window w2;

                if (no_overlay > 0) {
                        printk("VIDIOCSWIN: no_overlay\n");
                        return -EINVAL;
                }

                w2.field     = V4L2_FIELD_ANY;
                w2.w.left    = win->x;
                w2.w.top     = win->y;
                w2.w.width   = win->width;
                w2.w.height  = win->height;
                w2.clipcount = win->clipcount; // clipcount! (copy size / 8)
                w2.clips = (struct v4l2_clip __user *)win->clips; // clips! (to copy src)
                retval = setup_window(fh, btv, &w2, 0); // XXX vulnerable setup_window() called!


The ioctl argument is cast to a video_window pointer, win->clipcount and
win->clips are each stored into the w2 struct, and the vulnerable
setup_window() is called.



(3) Result: kernel heap overflow occurred.

[~/linux-2.6.18/drivers/media/video/bt8xx/bttv-driver.c]

static int setup_window(struct bttv_fh *fh, struct bttv *btv,
                        struct v4l2_window *win, int fixup)
{
        struct v4l2_clip *clips = NULL;
        int n,size,retval = 0;

        if (NULL == fh->ovfmt)
                return -EINVAL;

        if (!(fh->ovfmt->flags & FORMAT_FLAGS_PACKED))
                return -EINVAL;

        /* XXX no win.clipcount/clips validation. */
        retval = verify_window(&bttv_tvnorms[btv->tvnorm],win,fixup);
        if (0 != retval)
                return retval;

        /* copy clips  --  luckily v4l1 + v4l2 are binary
           compatible here ...*/

        n = win->clipcount; /* XXX win(ioctl arg)->clipcount! */

        // (2) less size kmalloc'd. ( If clipcount = 0x, 0x4000c size kmalloc'd.)
        size = sizeof(*clips)*(n+4); // 0x+4*4(0x4000C)
        clips = kmalloc(size,GFP_KERNEL); // less size kmalloc'd!

        if (NULL == clips)
                return -ENOMEM;

        /*
         * (kernel heap overflow!)
         * XXX copied 8(sizeof struct v4l2_clip) * 0x=size(0x7FFF8) win->clips
         * to 0x4000c heap buf!
         */
        if (n > 0) {
                if (copy_from_user(clips,win->clips, sizeof(struct v4l2_clip)*n)) {
                        kfree(clips);
                        return -EFAULT;
                }
        }


===
EXPLOIT CODES:
===
-

=
PATCH CODES:
=

[bt8xx_heap_overflow.patch]
-
+ if(n = size) { // n = size kmalloc'd?
+   kfree(clips);
+   return -EINVAL;
+}
if (copy_from_user(clips,win-clips, sizeof(struct v4l2_clip)*n)) {
kfree(clips);
return -EFAULT;
}
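Review bot: as posted, `if(n = size)` is an assignment, not a comparison, so the guard overwrites n with size and only skips the copy when size is 0; even read as `n >= size`, it compares a clip count against a byte count, and because size is derived from n (sizeof(*clips)*(n+4)) that condition can only hold once the product has already wrapped, while the copy that follows is sizeof(struct v4l2_clip)*n bytes. The check that actually prevents the overflow belongs before the kmalloc: reject n < 0 and n above a fixed maximum, then size the allocation from the validated n, e.g. `if (n < 0 || n > MAX_CLIPS) return -EINVAL;` ahead of `size = sizeof(*clips)*(n+4);`, which also removes the need for the kfree in this hunk. The hunk has no file header or `@@` context line, so it cannot be applied with patch(1) as posted.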


===
VENDOR STATUS:
===
2013/11/10 - I discovered the security bug.
2013/11/10 - The advisory released.



GREETS:


my stuffs are more favorite than rebel's stuffs.



DISCLAIMER:


The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in this
document. Liability claims regarding damage caused by the use of any information
provided, including any kind of information which is incomplete or incorrect,
will therefore be rejected.
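Added example, not code from the advisory or from the kernel: a userland C model of the clip-list sizing in setup_window() above, showing where the original arithmetic (sizeof(*clips)*(n+4) for the allocation, sizeof(struct v4l2_clip)*n for the copy) can disagree, beside a hardened sizing routine that bounds clipcount before any multiplication. Assumptions: the struct v4l2_rect/v4l2_clip layout follows include/linux/videodev2.h (four 32-bit fields plus a pointer, so sizeof(struct v4l2_clip) is 20 or 24 bytes here); the _32 helpers model a 32-bit kernel, where size_t is 32 bits and the product can wrap (on 64-bit the same expression does not wrap for any int clipcount); and BTTV_MAX_CLIPS is an invented bound for this example, not a value from the driver.

```c
/*
 * Userland model of bttv setup_window() clip sizing (added example, not kernel
 * code). Struct layouts follow include/linux/videodev2.h. The *_32 helpers model
 * a 32-bit kernel (32-bit size_t). BTTV_MAX_CLIPS is an assumed bound.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct v4l2_rect { int32_t left, top; uint32_t width, height; };
struct v4l2_clip { struct v4l2_rect c; struct v4l2_clip *next; };

#define BTTV_MAX_CLIPS 2048  /* assumption for the example, not from the driver */

/* Bytes kmalloc()'d by the original code in 32-bit size_t arithmetic:
 * size = sizeof(*clips) * (n + 4). The kernel does n + 4 in wrapping int
 * arithmetic (-fno-strict-overflow); an unsigned add models that without UB. */
static uint32_t alloc_bytes_32(int32_t n)
{
    uint32_t n_plus_4 = (uint32_t)n + 4u;
    return (uint32_t)sizeof(struct v4l2_clip) * n_plus_4;  /* product truncated to 32 bits */
}

/* Bytes copy_from_user() is asked for: sizeof(struct v4l2_clip) * n, same width. */
static uint32_t copy_bytes_32(int32_t n)
{
    return (uint32_t)sizeof(struct v4l2_clip) * (uint32_t)n;
}

/* True when the original arithmetic copies more bytes than it allocated. */
static int overflows_32(int32_t n)
{
    return n > 0 && copy_bytes_32(n) > alloc_bytes_32(n);
}

/* Hardened sizing: bound n before any arithmetic, then multiply with an
 * overflow check. Returns 0 and sets *out, or a negative errno value. */
static int clip_alloc_size(int32_t n, size_t *out)
{
    size_t total;

    if (n < 0 || n > BTTV_MAX_CLIPS)
        return -EINVAL;
    if (__builtin_mul_overflow(sizeof(struct v4l2_clip), (size_t)n + 4, &total))
        return -EOVERFLOW;
    *out = total;
    return 0;
}

/* Hardened copy: the buffer is sized by clip_alloc_size(), so the memcpy
 * (standing in for copy_from_user()) can never exceed it. Caller frees. */
static struct v4l2_clip *copy_clips(const struct v4l2_clip *user_clips,
                                    int32_t n, int *err)
{
    size_t size;
    struct v4l2_clip *clips;

    *err = clip_alloc_size(n, &size);
    if (*err)
        return NULL;
    clips = calloc(1, size);
    if (!clips) {
        *err = -ENOMEM;
        return NULL;
    }
    if (n > 0)
        memcpy(clips, user_clips, sizeof(struct v4l2_clip) * (size_t)n);
    return clips;
}

/* Constructed sample input: two clips as a user-space caller might pass them. */
static const struct v4l2_clip sample_clips[2] = {
    { { 0, 0, 64, 48 }, NULL },
    { { 100, 50, 320, 240 }, NULL },
};

int main(void)
{
    int32_t bad = 0x1ffffffd;  /* n + 4 = 0x20000001: times 20 or 24 wraps to 20 or 24 */
    size_t size;
    int err;
    struct v4l2_clip *clips;

    printf("n=%d: alloc %u bytes, copy %u bytes, overflow=%d\n",
           bad, alloc_bytes_32(bad), copy_bytes_32(bad), overflows_32(bad));
    printf("hardened n=%d -> %d\n", bad, clip_alloc_size(bad, &size));

    clips = copy_clips(sample_clips, 2, &err);
    if (!err) {
        printf("hardened n=2 -> copied clip[1] %ux%u\n",
               clips[1].c.width, clips[1].c.height);
        free(clips);
    }
    return 0;
}
```

Running it shows the 32-bit model allocating 20 or 24 bytes against a copy of nearly 4 GB for the chosen clipcount, while the hardened path rejects the same value with -EINVAL and copies the two sample clips intact.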


[ MDVSA-2013:265 ] kernel

2013-11-10 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2013:265
 http://www.mandriva.com/en/support/security/
 ___

 Package : kernel
 Date: November 10, 2013
 Affected: Business Server 1.0
 ___

 Problem Description:

 Multiple vulnerabilities have been found and corrected in the Linux
 kernel:
 
 The ipc_rcu_putref function in ipc/util.c in the Linux kernel before
 3.10 does not properly manage a reference count, which allows local
 users to cause a denial of service (memory consumption or system crash)
 via a crafted application (CVE-2013-4483).
 
 The skb_flow_dissect function in net/core/flow_dissector.c in the
 Linux kernel through 3.12 allows remote attackers to cause a denial
 of service (infinite loop) via a small value in the IHL field of a
 packet with IPIP encapsulation (CVE-2013-4348).
 
 The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is
 enabled, does not properly initialize certain data structures, which
 allows local users to cause a denial of service (memory corruption and
 system crash) or possibly gain privileges via a crafted application
 that uses the UDP_CORK option in a setsockopt system call and
 sends both short and long packets, related to the ip_ufo_append_data
 function in net/ipv4/ip_output.c and the ip6_ufo_append_data function
 in net/ipv6/ip6_output.c (CVE-2013-4470).
 
 The ext4_orphan_del function in fs/ext4/namei.c in the Linux
 kernel before 3.7.3 does not properly handle orphan-list entries
 for non-journal filesystems, which allows physically proximate
 attackers to cause a denial of service (system hang) via a crafted
 filesystem on removable media, as demonstrated by the e2fsprogs
 tests/f_orphan_extents_inode/image.gz test (CVE-2013-2015).
 
 net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not
 properly determine the need for UDP Fragmentation Offload (UFO)
 processing of small packets after the UFO queueing of a large packet,
 which allows remote attackers to cause a denial of service (memory
 corruption and system crash) or possibly have unspecified other
 impact via network traffic that triggers a large response packet
 (CVE-2013-4387).
 
 The IPv6 SCTP implementation in net/sctp/ipv6.c in the Linux kernel
 through 3.11.1 uses data structures and function calls that do not
 trigger an intended configuration of IPsec encryption, which allows
 remote attackers to obtain sensitive information by sniffing the
 network (CVE-2013-4350).
 
 The updated packages provide a solution for these security issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4483
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4348
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4470
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2015
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4387
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4350
 ___

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 3e07dbbb16fbf8343e7886d39e59d560  mbs1/x86_64/cpupower-3.4.68-1.1.mbs1.x86_64.rpm
 a8d76e647c25732e008d5fe0cc901b74  mbs1/x86_64/kernel-firmware-3.4.68-1.1.mbs1.noarch.rpm
 df7a5f41d1a57b5330ef9670e3029b45  mbs1/x86_64/kernel-headers-3.4.68-1.1.mbs1.x86_64.rpm
 c5e3580627b85cd13fe34f01ecd281ff  mbs1/x86_64/kernel-server-3.4.68-1.1.mbs1.x86_64.rpm
 191a77d39e1608ba61bedad37934ee59  mbs1/x86_64/kernel-server-devel-3.4.68-1.1.mbs1.x86_64.rpm
 60757fbb2e02db7a65abb068d668bbeb  mbs1/x86_64/kernel-source-3.4.68-1.mbs1.noarch.rpm
 1d3d7fa9c0343a0f864888af7ae6adf2  mbs1/x86_64/lib64cpupower0-3.4.68-1.1.mbs1.x86_64.rpm
 9dcc6574393b87fb14cf61dae7d1bdb6  mbs1/x86_64/lib64cpupower-devel-3.4.68-1.1.mbs1.x86_64.rpm
 4e2890287eb20fe8c838201e01c2b630  mbs1/x86_64/perf-3.4.68-1.1.mbs1.src.rpm
 e457d243d932d91bfffc0526c61f3edd  mbs1/x86_64/perf-3.4.68-1.1.mbs1.x86_64.rpm 
 7b16a80336ac11a7b874e698bf95faf6  mbs1/SRPMS/cpupower-3.4.68-1.1.mbs1.src.rpm
 2613ea858b6691a30613bc1edc14e245  mbs1/SRPMS/kernel-firmware-3.4.68-1.1.mbs1.src.rpm
 9d28c4f34a316d012fc30a864dbb6b8e  mbs1/SRPMS/kernel-headers-3.4.68-1.1.mbs1.src.rpm
 574f76f01511c7c33606f60be964ea95  mbs1/SRPMS/kernel-server-3.4.68-1.1.mbs1.src.rpm
 3bb6f3c5e0efe45d41c169cb5a2269cf  mbs1/SRPMS/kernel-source-3.4.68-1.mbs1.src.rpm
 2c7c1b9db777af54dfc3dcd43649  mbs1/SRPMS/perf-3.4.68-1.1.mbs1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by 

Vulnerability in Pydio/AjaXplorer <= 5.0.3

2013-11-10 Thread advisories
Vulnerability in Pydio/AjaXplorer <= 5.0.3

Background:
Pydio allows you to instantly turn any server into a powerful file sharing 
platform. It was formerly known as AjaXplorer.


Description of vulnerability

There is a path traversal vulnerability in the zoho plugin that is distributed 
with Pydio/AjaXplorer core 5.0.3 back to 3.3.5.

An attacker may use this vulnerability to retrieve arbitrary information from 
the server. Or arbitrarily delete files that the application has access to. 
Exploiting this vulnerability does not require authentication.

Details:

/plugins/editor.zoho/agent/save_zoho.php

The zoho plugin location isn't protected from direct access and allows 
file inclusion/path traversal attacks that expose arbitrary local files.

Files that the application has access to will also be unlinked (impact on 
integrity/availability).

CVE:
The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2013-6226 to this issue. This is a candidate for inclusion in the CVE list.

Vendor Response:
Upgrade to Pydio v5.0.4 or higher.
http://pyd.io/pydio-core-5-0-4/



Timeline:

October 10, 2013, Vulnerability identified
October 10, 2013, Vendor Notified
October 10, 2013, Vendor initial patch review
October 10, 2013, Patch released
November 10, 2013, Disclosure


Research:

Craig Arendt (Redfsec)
http://www.redfsec.com/CVE-2013-6226


[SECURITY] [DSA 2794-1] spip security update

2013-11-10 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-2794-1   secur...@debian.org
http://www.debian.org/security/  Salvatore Bonaccorso
November 10, 2013  http://www.debian.org/security/faq
- -

Package: spip
Vulnerability  : several
Problem type   : remote
Debian-specific: no
Debian Bug : 729172

Several vulnerabilities have been found in SPIP, a website engine for
publishing, resulting in cross-site request forgery on logout,
cross-site scripting on author page, and PHP injection.

For the oldstable distribution (squeeze), these problems have been fixed
in version 2.1.1-3squeeze7.

For the stable distribution (wheezy), these problems have been fixed in
version 2.1.17-1+deb7u2.

For the testing distribution (jessie), these problems will be fixed
soon.

For the unstable distribution (sid), these problems have been fixed in
version 2.1.24-1.

For the experimental distribution, these problems have been fixed in
version 3.0.12-1.

We recommend that you upgrade your spip packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.15 (GNU/Linux)
=RQB4
-END PGP SIGNATURE-



Re: Word 2003 SP2 .doc fork bomb on WinXP SP3

2013-11-10 Thread jsibley1
I am sorry, but can this be edited to include Word 2003 SP3 as well? I forgot 
to mention I tested on both SP2 and SP3 of Word 2003.

Thanks,
James