VARIoT IoT vulnerabilities database

Race condition in Comodo Internet Security before 4.1.149672.916 on Windows XP allows local users to bypass kernel-mode hook handlers, and execute dangerous code that would otherwise be blocked by a handler but not blocked by signature-based malware detection, via certain user-space memory changes during hook-handler execution, aka an argument-switch attack or a KHOBE attack. Multiple vendors' security software is prone to security bypass vulnerabilities. These issues may allow attackers to bypass certain security restrictions and perform malicious actions

** DISPUTED ** Race condition in 3D EQSecure Professional Edition 4.2 on Windows XP allows local users to bypass kernel-mode hook handlers, and execute dangerous code that would otherwise be blocked by a handler but not blocked by signature-based malware detection, via certain user-space memory changes during hook-handler execution, aka an argument-switch attack or a KHOBE attack. NOTE: this issue is disputed by some third parties because it is a flaw in a protection mechanism for situations where a crafted program has already begun to execute. ** Unsettled ** This case has not been confirmed as a vulnerability. This vulnerability is also known as argument-switch Attack, or KHOBE It is called an attack. Multiple vendors' security software is prone to security bypass vulnerabilities. These issues may allow attackers to bypass certain security restrictions and perform malicious actions

Mini Web Server is an easy to use web server. Mini Web Server does not properly handle user-submitted requests, and remote attackers can exploit vulnerabilities for cross-site scripting and directory traversal attacks. The target user's sensitive information or any file content on the system can be obtained. Exploiting these issues will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, and to view arbitrary local files and directories within the context of the webserver. This may let the attacker steal cookie-based authentication credentials and other harvested information may aid in launching further attacks

The Tele Data's Contact Management Server is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database Tele Data's Contact Management Server 0.9 is vulnerable; other versions may also be affected.

An arbitrary code execution vulnerability exists in several EUR Form and EUR products.A remote attacker could execute arbitrary code through the affected web pages. There are currently no detailed vulnerability details available, and the vulnerability can execute arbitrary code in the security context of an application (such as Internet Explorer). Failed exploit attempts will result in a denial-of-service condition. ---------------------------------------------------------------------- Looking for a job? Secunia is hiring skilled researchers and talented developers. Internet Explorer. Please see the vendor's advisory for a patch matrix. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Hitachi: http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS10-003/index.html OTHER REFERENCES: JVN: http://jvndb.jvn.jp/en/contents/2010/JVNDB-2010-001395.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Apache ActiveMQ is an open source messaging bus that supports the JMS Provider implementation of the JMS 1.1 and J2EE 1.4 specifications. The Apache ActiveMQ 'admin/queueBrowse' script does not properly filter input submitted by the user to the \"feedType\" variable. Successful exploitation of the vulnerability can steal COOKIE information such as for authentication, or obtain or modify sensitive data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. ActiveMQ 5.3.0 and 5.3.1 are affected; other versions may also be vulnerable

Web Application Finger Printer (WAFP) 0.01-26c3 uses fixed pathnames under /tmp for temporary files and directories, which (1) allows local users to cause a denial of service (application outage) by creating a file with a pathname that the product expects is available for its own internal use, (2) allows local users to overwrite arbitrary files via symlink attacks on certain files in /tmp, (3) might allow local users to delete arbitrary files and directories via a symlink attack on a directory under /tmp, and (4) might make it easier for local users to obtain sensitive information by reading files in a directory under /tmp, related to (a) lib/wafp_pidify.rb, (b) utils/generate_wafp_fingerprint.sh, (c) utils/online_update.sh, and (d) utils/extract_from_db.sh. An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application. Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible

Cross-site scripting (XSS) vulnerability in _layouts/help.aspx in Microsoft SharePoint Server 2007 12.0.0.6421 and possibly earlier, and SharePoint Services 3.0 SP1 and SP2, versions, allows remote attackers to inject arbitrary web script or HTML via the cid0 parameter. Microsoft SharePoint Server is a server feature integration suite that provides comprehensive content management and enterprise search, accelerates shared business processes, and facilitates cross-border information sharing. The \"/_layouts/help.aspx\" script does not properly filter the input submitted by the user to the \"cid0\" variable. Successful exploitation of the vulnerability can steal COOKIE information such as for authentication, or obtain or modify sensitive data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks

Cross-site scripting (XSS) vulnerability in _layouts/help.aspx in Microsoft SharePoint Server 2007 12.0.0.6421 and possibly earlier, and SharePoint Services 3.0 SP1 and SP2, versions, allows remote attackers to inject arbitrary web script or HTML via the cid0 parameter. Microsoft SharePoint Server is a server feature integration suite that provides comprehensive content management and enterprise search, accelerates shared business processes, and facilitates cross-border information sharing. The \"/_layouts/help.aspx\" script does not properly filter the input submitted by the user to the \"cid0\" variable. Successful exploitation of the vulnerability can steal COOKIE information such as for authentication, or obtain or modify sensitive data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA10-159B Microsoft Updates for Multiple Vulnerabilities Original release date: June 08, 2010 Last revised: -- Source: US-CERT Systems Affected * Microsoft Windows * Microsoft Internet Explorer * Microsoft Office * Microsoft SharePoint Services * Microsoft .NET Framework Overview Microsoft has released updates to address vulnerabilities in Microsoft Windows, Microsoft Internet Explorer, Microsoft Office, Microsoft SharePoint Services, and Microsoft .NET Framework. I. Description The Microsoft Security Bulletin Summary for June 2010 describes vulnerabilities in Microsoft Windows, Internet Explorer, Office, SharePoint Services, and .NET Framework. Microsoft has released updates to address the vulnerabilities. II. III. Solution Apply updates Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for June 2010. The security bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). IV. References * Microsoft Security Bulletin Summary for June 2010 - <http://www.microsoft.com/technet/security/bulletin/ms10-jun.mspx> * Microsoft Windows Server Update Services - <http://technet.microsoft.com/en-us/wsus/default.aspx> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA10-159B.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA10-159B Feedback VU#855166" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2010 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History June 08, 2010: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBTA6Wzj6pPKYJORa3AQLl4Qf/dTsaW53BBruyFOcypbooTw5ULG9E5wPa /DEiksCuX8hYOoev9jDDyhXZQIaE2OrkWdLpJJBtXwJJ4XhBqyni3fhQFrIkwGVQ 3w3068TGE6v/sjV/W/qWmkZjl4r+FIcR9VRlulLet9ZZAxoJ7VgTg/1O8eixr7SO HpO+Xb3l3d4/XUGtTKCu5DsTTD1l6qQr66m3l4o26Bj834qfh0fvfneZHXCy3PUH /lE3nFxH3M+JOQEdapgc/aYVnrcroZKix61lfs2S1NIUxvBAxea0UFZtywIId0hK Sh2LGp7tUlXpfk8oo8LMgKG1y25xYmLE5WYIhO4E6Mas3jT/9ArwHQ== =mq6Z -----END PGP SIGNATURE-----

Opera before 10.53 on Windows and Mac OS X does not properly handle a series of document modifications that occur asynchronously, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via JavaScript that writes <marquee> sequences in an infinite loop, leading to attempted use of uninitialized memory. NOTE: this might overlap CVE-2006-6955. This vulnerability CVE-2006-6955 And may be duplicated.By a third party JavaScript Any code can be executed via, or service disruption (DoS) There is a possibility of being put into a state. Opera Web Browser is prone to a denial-of-service vulnerability. It supports multi-window browsing and a customizable user interface. The vulnerability could result in the use of uninitialized memory. ---------------------------------------------------------------------- Proof-of-Concept (PoC) and Extended Analysis available for customers. Get a free trial, contact sales@secunia.com ---------------------------------------------------------------------- TITLE: Opera Content Writing Uninitialised Memory Vulnerability SECUNIA ADVISORY ID: SA39590 VERIFY ADVISORY: http://secunia.com/advisories/39590/ DESCRIPTION: A vulnerability has been discovered in Opera, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error when e.g. continuously writing content to a page using document.write() and results in a function call using uninitialised memory when a user visits a specially crafted web page. Successful exploitation may allow execution of arbitrary code. The vulnerability is confirmed in version 10.52 for Windows. Other versions may also be affected. SOLUTION: Do not browse untrusted web sites of follow links from untrusted sources. PROVIDED AND/OR DISCOVERED BY: Reported as a crash by Mathias Karlsson. Additional information provided by Secunia Research. ORIGINAL ADVISORY: Mathias Karlsson: http://h.ackack.net/?p=258 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Wing FTP Server is a professional cross-platform FTP server. Wing FTP Server has multiple security vulnerabilities that allow attackers to obtain sensitive information. - Inputs passed to the web client are not properly filtered before use, and directories traversal attacks can access files outside the user's HOME directory. - An unspecified error exists when using the HTTP protocol to leak sensitive information

The embedded HTTP server in multiple Lexmark laser and inkjet printers and MarkNet devices, including X94x, W840, T656, N4000, E462, C935dn, 25xxN, and other models, allows remote attackers to cause a denial of service (operating system halt) via a malformed HTTP Authorization header. Lexmark printers are currently very popular printer devices on the market. A remote attacker could trigger this vulnerability by sending a malicious request with invalid characters to the Authorization field of the HTTP header sent to TCP port 80, 443, 8000, or 631, causing the printer to crash. Exploiting this issue allows remote attackers to crash the affected device, resulting in a denial-of-service condition

Rumba FTP is a graphical FTP client that supports file encryption transfer. The Rumba FTP client handles boundary errors in the long file names in the returned directory list, constructing a malicious FTP server, convincing the user to access, and triggering a stack-based buffer overflow. Successful exploitation of a vulnerability can execute arbitrary instructions with application privileges. Rumba FTP Client is prone to a remote stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on server-supplied data. Failed exploit attempts will result in a denial-of-service condition. ---------------------------------------------------------------------- Proof-of-Concept (PoC) and Extended Analysis available for customers. The vulnerability is caused due to a boundary error when processing overly long file names returned in directory listings. The vulnerability is reported in version 4.2. Other versions may also be affected. SOLUTION: Do not connect to untrusted FTP servers. PROVIDED AND/OR DISCOVERED BY: zombiefx ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The 3Com H3C SR6600 Series is a high-end multi-service router that combines high-performance forwarding, highly flexible service processing and high-density access. There is an unspecified error in the 3Com H3C SR6600 SNMP processing. A remote attacker can exploit the vulnerability to submit a malicious request to restart the device. The 3Com H3C SR6600 is prone to a remote denial-of-service vulnerability. Successfully exploiting this issue allows remote attackers to cause the affected device to restart, denying service to legitimate users. ---------------------------------------------------------------------- Secunia CSI + Microsoft SCCM ----------------------- = Extensive Patch Management http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ ---------------------------------------------------------------------- TITLE: 3Com H3C SR6600 Series SNMP Denial of Service SECUNIA ADVISORY ID: SA39479 VERIFY ADVISORY: http://secunia.com/advisories/39479/ DESCRIPTION: A vulnerability has been reported in 3Com H3C SR6600 Series Routers, which can be exploited by malicious people to cause a DoS (Denial of Service). SOLUTION: Update to Comware 5.20 Release 2419. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://support.3com.com/documents/H3C/Routers/6600/H3C_SR6600-CMW520-R2419_Release_Notes.pdf ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The hfs implementation in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 supports hard links to directories and does not prevent certain deeply nested directory structures, which allows local users to cause a denial of service (filesystem corruption) via a crafted application that calls the mkdir and link functions, related to the fsck_hfs program in the diskdev_cmds component. Apple Mac OS X is prone to a local denial-of-service vulnerability. Exploiting this issue allows local, unprivileged users to crash affected system, denying further service to legitimate users. Apple Mac OS X 10.6.2 and 10.6.3 are affected; other versions may also be vulnerable. Apple Mac is the operating system used by the Apple family of computers. MacOSX/XNU HFS Multiple Vulnerabilities Maksymilian Arciemowicz http://cxsecurity.com/ http://cifrex.org/ =================== On November 8th, I've reported vulnerability in hard links for HFS+ (CVE-2013-6799) http://cxsecurity.com/issue/WLB-2013110059 The HFS+ file system does not apply strict privilege rules during the creating of hard links. The ability to create hard links to directories is wrong implemented and such an issue is affecting os versions greater or equal to 10.5. Officially Apple allows you to create hard links only for your time machine. <see wiki> Vulnerability CVE-2013-6799 (incomplete fix for CVE-2010-0105) allow to create hard link to directory and the number of hard links may be freely high. To create N hard links, you must use a special algorithm which creates links from the top of the file system tree. This means that first we create the directory structure and once created we need to go from up to down by creating hard links. The last time I've mentioned of the possibility of a kernel crash by performing the 'ls' command. This situation occurs in conjunction with the 'find' application. Commands such as 'ls' behave in unexpected ways. Apple are going find this crash point in code. To create huge hard links structure, use this code http://cert.cx/stuff/l2.c ----------------------------------- h1XSS:tysiak cx$ uname -a Darwin 000000000000000.home 13.1.0 Darwin Kernel Version 13.1.0: Thu Jan 16 19:40:37 PST 2014; root:xnu-2422.90.20~2/RELEASE_X86_64 x86_64 h1xss:tysiak cx$ gcc -o l2 l2.c h1xss:tysiak cx$ ./l2 1000 ... h1xss:tysiak cx$ cat loop.sh #!/bin/bash while [ 1 ] ; do ls -laR B > /dev/null done h1xss:tysiak cx$ sh ./loop.sh ls: B: No such file or directory ls: X1: No such file or directory ... ls: X8: Bad address ls: X1: Bad address ls: X2: Bad address ... ls: X8: No such file or directory ./loop.sh: line 4: 8816 Segmentation fault: 11 ls -laR B > /dev/null ./loop.sh: line 4: 8818 Segmentation fault: 11 ls -laR B > /dev/null ls: B: No such file or directory ls: X1: No such file or directory ls: X2: No such file or directory ... ls: X1: No such file or directory ls: X2: No such file or directory ----------- ... ----------- Feb 9 21:16:38 h1xss.home ReportCrash[9419]: Saved crash report for ls[9418] version 230 to /Users/freak/Library/Logs/DiagnosticReports/ls_2014-02-09-211638_h1XSS.crash ----------- That what we can see here is unexpected behavior of LS command. LS process is also affected for infinite loop (recursion?). ----------- h1xss:tysiak cx$ ps -fp 8822 UID PID PPID C STIME TTY TIME CMD 501 8822 8810 0 7:36 ttys002 62:19.65 ls -laR B ----------- or used parallely with (find . > /dev/null) command cause a kernel crash ----------- Mon Mar 31 20:30:41 2014 panic(cpu 0 caller 0xffffff80044dbe2e): Kernel trap at 0xffffff8004768838, type 13=general protection, registers: CR0: 0x0000000080010033, CR2: 0xffffff8122877004, CR3: 0x0000000001a5408c, CR4: 0x00000000001606e0 RAX: 0xffffff802bc148a0, RBX: 0xdeadbeefdeadbeef, RCX: 0x0000000000008000, RDX: 0x0000000000000000 RSP: 0xffffff8140d9b990, RBP: 0xffffff8140d9b9a0, RSI: 0x0000000000000018, RDI: 0xffffff802f23bcd0 R8: 0xffffff8140d9bc1c, R9: 0xffffff802f26e960, R10: 0xffffff8140d9ba2c, R11: 0x0000000000000f92 R12: 0xffffff801ba1a008, R13: 0xffffff8140d9bb20, R14: 0xffffff802f23bcd0, R15: 0xffffff802f26e960 RFL: 0x0000000000010282, RIP: 0xffffff8004768838, CS: 0x0000000000000008, SS: 0x0000000000000010 Fault CR2: 0xffffff8122877004, Error code: 0x0000000000000000, Fault CPU: 0x0 Backtrace (CPU 0), Frame : Return Address 0xffffff811eee8c50 : 0xffffff8004422fa9 BSD process name corresponding to current thread: ls ----------- XNU is the computer operating system kernel that Apple Inc. acquired and developed for use in the Mac OS X operating system and released as free and open source software as part of the Darwin operating system. We can try to see HFS implementation code. Let's start static code analysys using cifrex.org tool! -1.--------------------------------------------------------- Unchecked Return Value to NULL Pointer Dereference in hfs_vfsops.c Code: http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vfsops.c --- hfs_vfsops.c ---------------------------- /* * HFS filesystem related variables. */ int hfs_sysctl(int *name, __unused u_int namelen, user_addr_t oldp, size_t *oldlenp, user_addr_t newp, size_t newlen, vfs_context_t context) { ... if ((newlen <= 0) || (newlen > MAXPATHLEN)) return (EINVAL); bufsize = MAX(newlen * 3, MAXPATHLEN); MALLOC(filename, char *, newlen, M_TEMP, M_WAITOK); if (filename == NULL) { <===================================== filename CHECK error = ENOMEM; goto encodinghint_exit; } MALLOC(unicode_name, u_int16_t *, bufsize, M_TEMP, M_WAITOK); if (filename == NULL) { <====================================== double CHECK? error = ENOMEM; goto encodinghint_exit; } error = copyin(newp, (caddr_t)filename, newlen); if (error == 0) { error = utf8_decodestr((u_int8_t *)filename, newlen - 1, unicode_name, &bytes, bufsize, 0, UTF_DECOMPOSED); if (error == 0) { hint = hfs_pickencoding(unicode_name, bytes / 2); error = sysctl_int(oldp, oldlenp, USER_ADDR_NULL, 0, (int32_t *)&hint); } } --- hfs_vfsops.c---------------------------- Twice checking of 'filename' has no sense. Probably 'unicode_name' should be checked in second condition. -2.--------------------------------------------------------- Possible Buffer Overflow in resource fork (hfs_vnops.c) Unverified value returned by snprintf() may be bigger as a declared buffer (MAXPATHLEN). https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man3/snprintf.3.html --- The snprintf() and vsnprintf() functions will write at most n-1 of the characters printed into the out-put output put string (the n'th character then gets the terminating `\0'); if the return value is greater than or equal to the n argument, the string was too short and some of the printed characters were discarded. The output is always null-terminated. --- Code: http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vnops.c --- hfs_vnops.c ---------------------------- ... /* * hfs_vgetrsrc acquires a resource fork vnode corresponding to the cnode that is * found in 'vp'. The rsrc fork vnode is returned with the cnode locked and iocount * on the rsrc vnode. * ... */ int hfs_vgetrsrc(struct hfsmount *hfsmp, struct vnode *vp, struct vnode **rvpp, int can_drop_lock, int error_on_unlinked) { ... /* * Supply hfs_getnewvnode with a component name. */ cn.cn_pnbuf = NULL; if (descptr->cd_nameptr) { MALLOC_ZONE(cn.cn_pnbuf, caddr_t, MAXPATHLEN, M_NAMEI, M_WAITOK); cn.cn_nameiop = LOOKUP; cn.cn_flags = ISLASTCN | HASBUF; cn.cn_context = NULL; cn.cn_pnlen = MAXPATHLEN; cn.cn_nameptr = cn.cn_pnbuf; cn.cn_hash = 0; cn.cn_consume = 0; cn.cn_namelen = snprintf(cn.cn_nameptr, MAXPATHLEN, <================ "%s%s", descptr->cd_nameptr, _PATH_RSRCFORKSPEC); } dvp = vnode_getparent(vp); error = hfs_getnewvnode(hfsmp, dvp, cn.cn_pnbuf ? &cn : NULL, <================ descptr, GNV_WANTRSRC | GNV_SKIPLOCK, &cp->c_attr, &rsrcfork, &rvp, &newvnode_flags); --- hfs_vnops.c ---------------------------- Pattern is '%s%s' where sum of length descptr->cd_nameptr and _PATH_RSRCFORKSPEC may be bigger as a declared buffer size (MAXPATHLEN). Size of descptr->cd_nameptr is MAXPATHLEN and value _PATH_RSRCFORKSPEC is #define _PATH_RSRCFORKSPEC "/..namedfork/rsrc" where length is 17 chars. Possible up to 17 chars overflow here?. Now let's see hfs_getnewvnode function http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_cnode.c --- hfs_cnode.c ---------------------------- hfs_getnewvnode( struct hfsmount *hfsmp, struct vnode *dvp, struct componentname *cnp, <======== WATCH THIS struct cat_desc *descp, int flags, struct cat_attr *attrp, struct cat_fork *forkp, struct vnode **vpp, int *out_flags) { ... if ((*vpp != NULL) && (cnp)) { /* we could be requesting the rsrc of a hardlink file... */ vnode_update_identity (*vpp, dvp, cnp->cn_nameptr, cnp->cn_namelen, cnp->cn_hash, <== NAMELEN HERE (VNODE_UPDATE_PARENT | VNODE_UPDATE_NAME)); ... --- hfs_cnode.c ---------------------------- and call to vnode_update_indentity() http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/vfs/vfs_cache.c --- vfs_cache.c ---------------------------- void vnode_update_identity(vnode_t vp, vnode_t dvp, const char *name, int name_len, uint32_t name_hashval, int flags) { ... if ( (flags & VNODE_UPDATE_NAME) ) { if (name != vp->v_name) { if (name && *name) { if (name_len == 0) name_len = strlen(name); tname = vfs_addname(name, name_len, name_hashval, 0); <== NAMELEN HERE } } else flags &= ~VNODE_UPDATE_NAME; } ... const char * vfs_addname(const char *name, uint32_t len, u_int hashval, u_int flags) { return (add_name_internal(name, len, hashval, FALSE, flags)); <== CALL } --- vfs_cache.c ---------------------------- And invalid memory reference in add_name_internal() --- vfs_cache.c ---------------------------- static const char * add_name_internal(const char *name, uint32_t len, u_int hashval, boolean_t need_extra_ref, __unused u_int flags) { struct stringhead *head; string_t *entry; uint32_t chain_len = 0; uint32_t hash_index; uint32_t lock_index; char *ptr; /* * if the length already accounts for the null-byte, then * subtract one so later on we don't index past the end * of the string. */ if (len > 0 && name[len-1] == '\0') { <===== INVALID MEMORY REFERENCE len--; } if (hashval == 0) { hashval = hash_string(name, len); } --- vfs_cache.c ---------------------------- -3.--------------------------------------------------------- Unchecked Return Value to NULL Pointer Dereference hfs_catalog.c and not only Please pay attention that a buffer length check (stored in some variable) should be performed; also return from *alloc() function family should be verified for possible NULL pointers. Here are a few FALSE / POSITIVE examples. http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_catalog.c --- hfs_catalog.c ---------------------------- /* * builddesc - build a cnode descriptor from an HFS+ key */ static int builddesc(const HFSPlusCatalogKey *key, cnid_t cnid, u_int32_t hint, u_int32_t encoding, int isdir, struct cat_desc *descp) { int result = 0; unsigned char * nameptr; size_t bufsize; size_t utf8len; unsigned char tmpbuff[128]; /* guess a size... */ bufsize = (3 * key->nodeName.length) + 1; if (bufsize >= sizeof(tmpbuff) - 1) { <============================ MALLOC(nameptr, unsigned char *, bufsize, M_TEMP, M_WAITOK); <= MALLOC FAIL } else { nameptr = &tmpbuff[0]; } result = utf8_encodestr(key->nodeName.unicode, key->nodeName.length * sizeof(UniChar), nameptr, (size_t *)&utf8len, <============================ ... maxlinks = MIN(entrycnt, (u_int32_t)(uio_resid(uio) / SMALL_DIRENTRY_SIZE)); bufsize = MAXPATHLEN + (maxlinks * sizeof(linkinfo_t)) + sizeof(*iterator); if (extended) { bufsize += 2*sizeof(struct direntry); } MALLOC(buffer, void *, bufsize, M_TEMP, M_WAITOK); <============================ bzero(buffer, bufsize); ... FREE(nameptr, M_TEMP); MALLOC(nameptr, unsigned char *, bufsize, M_TEMP, M_WAITOK); <============== result = utf8_encodestr(key->nodeName.unicode, key->nodeName.length * sizeof(UniChar), nameptr, (size_t *)&utf8len, bufsize, ':', 0); } ... cnp = (const CatalogName *)&ckp->hfsPlus.nodeName; bufsize = 1 + utf8_encodelen(cnp->ustr.unicode, cnp->ustr.length * sizeof(UniChar), ':', 0); MALLOC(new_nameptr, u_int8_t *, bufsize, M_TEMP, M_WAITOK); <======== result = utf8_encodestr(cnp->ustr.unicode, cnp->ustr.length * sizeof(UniChar), new_nameptr, &tmp_namelen, bufsize, ':', 0); --- hfs_catalog.c ---------------------------- The above examples does not look nice, too. Are you among them is the crux of the problem applications and kernel crash? I informed Apple of those possible errors, it has passed more than a month and I still have not received any comment nor solution. --- 1. References --- http://cxsecurity.com/issue/WLB-2014040027 http://cxsecurity.com/cveshow/CVE-2013-6799/ http://cxsecurity.com/cveshow/CVE-2010-0105/ --- 2. Greetz --- Kacper George and Michal --- 3. Credit --- Maksymilian Arciemowicz http://cxsecurity.com/ http://cifrex.org/ http://cert.cx/ Best regards, CXSEC TEAM http://cxsec.org/ . Apple MacOSX 10.9 Hard Link Memory Corruption Date: 08.11.2013 http://cxsecurity.com/ http://cvemap.org/ URL: http://cxsecurity.com/issue/WLB-2013110059 - 0. Description --- In most UNIX-like systems a hard link to a directory is only reserved for the 'root' user when possible at all. In MacOSX 10.6 there was one such a vulnerability (CVE-2010-0105) causing the filesystem being resulting corrupted; the creation of many hard links was the cause. A notable exception to this is Mac OS X v10.5 (Leopard) and newer, which use hard links on directories for the Time Machine backup mechanism only.' 'Only for the Time Machine' is not True. Let's see quick PoC A plain program performing a system call (link) ---------------------------------------------- mac-cxs-XK:pochd XK$ cat test.c #include <stdio.h> #include <unistd.h> void usage(const char* program) { const char* message = " [src_dir] [target_dir]"; fprintf(stderr, "%s%s\n", program, message); } int main(int argc, char* argv[]) { if (argc!=3) { usage(argv[0]); return 1; } int ret = link(argv[1],argv[2]); fprintf(stderr,"link(3) return= %d\n", ret); return ret; } mac-cxs-XK:pochd XK$ gcc -o test test.c mac-cxs-XK:pochd XK$ ls test test.c mac-cxs-XK:pochd XK$ mkdir DIR1 mac-cxs-XK:pochd XK$ ./test DIR1 Hardlink1 link(3) return= -1 mac-cxs-XK:pochd XK$ mkdir DIR1/DIR2 mac-cxs-XK:pochd XK$ ./test DIR1/DIR2 Hardlink2 link(3) return= 0 mac-cxs-XK:pochd XK$ cd DIR1 mac-cxs-XK:DIR1 XK$ mkdir DIR2/DIR3 mac-cxs-XK:DIR1 XK$ ../test DIR2/DIR3 Hardlink3 link(3) return= 0 mac-cxs-XK:DIR1 XK$ cd DIR2 mac-cxs-XK:DIR2 XK$ mkdir DIR3/DIR4 mac-cxs-XK:DIR2 XK$ ../../test DIR3/DIR4 Hardlink4 link(3) return= -1 ---------------------------------------------- Hardlink1 and Hardlink4 failed instead Hardlink2 and Hardlink3 did not; so which may be the cause? In my opinion we should recognize it as a security flaw and if Apple is not going to fix this vulnerability then someone should change the Wikipedias at least. Operation (functionality) of hard links differs from those described in "Unix Internals: The New Frontiers" book (by Uresh Vahalia) Old unix standards simply prevent to create any hard link to whatever directory for any user (root included). Is that new CWE-DesignError vulnerability or new UNIX style? There may be many possible bad consequences coming out from wrong 'hard link' handling. We will not yet public full description of this problem but we do know that it exists and that it may exhaust kernel/system resources, it may cause application crashes or kernel panics. Let's wait for new MacOSX version. A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A: total 0 Process 14413 stopped * thread #1: tid = 0x90ba, 0x00007fff948f7812 libsystem_c.dylib`strlen + 18, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0xffb21290) frame #0: 0x00007fff948f7812 libsystem_c.dylib`strlen + 18 libsystem_c.dylib`strlen + 18: -> 0x7fff948f7812: pcmpeqb (%rdi), %xmm0 0x7fff948f7816: pmovmskb %xmm0, %esi 0x7fff948f781a: andq $15, %rcx 0x7fff948f781e: orq $-1, %rax (lldb) (lldb) bt * thread #1: tid = 0x90ba, 0x00007fff948f7812 libsystem_c.dylib`strlen + 18, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0xffb21290) frame #0: 0x00007fff948f7812 libsystem_c.dylib`strlen + 18 .. Does the kernel panic correspond to 'ls' ? More details soon. Credit --- Maksymilian Arciemowicz ( http://cert.cx/ ) Frist CVE&CWE compatible bugtraq http://cxsecurity.com/ http://cvemap.org/

The Huawei EchoLife HG520 is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may lead to further attacks. The following Huawei EchoLife HG520 firmware and software versions are vulnerable: Firmware 3.10.18.7-1.0.7.0, 3.10.18.5-1.0.7.0, 3.10.18.4 Software Versions: V100R001B120Telmex, V100R001B121Telmex

Rising is a well-known anti-virus software vendor in China. The RsAssist.sys driver used by Rising Antivirus 2010 does not properly handle IOCTL requests, and local users can execute arbitrary kernel mode code by running malicious programs. Rising Antivirus 2010 is prone to a local privilege-escalation vulnerability. Local attackers can exploit this issue to execute arbitrary code with superuser privileges and completely compromise the affected computer. Failed exploit attempts will result in a denial-of-service condition. The issue affects Rising Antivirus 2010 versions prior to 22.0.3.54. ---------------------------------------------------------------------- Secunia CSI + Microsoft SCCM ----------------------- = Extensive Patch Management http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ ---------------------------------------------------------------------- TITLE: Rising Antivirus 2010 RsAssist.sys Privilege Escalation Vulnerability SECUNIA ADVISORY ID: SA39557 VERIFY ADVISORY: http://secunia.com/advisories/39557/ DESCRIPTION: A vulnerability has been reported in Rising Antivirus 2010, which can be exploited by malicious, local users to potentially gain escalated privileges. The vulnerability is caused due to an error in the RsAssist.sys driver when handling IOCTLs. This can be exploited to potentially execute arbitrary code in kernel space via a specially crafted IOCTL. SOLUTION: Update to version 22.0.3.54 or later. PROVIDED AND/OR DISCOVERED BY: NT Internals ORIGINAL ADVISORY: NT Internals: http://www.ntinternals.org/ntiadv1001/ntiadv1001.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

HTC Touch is a smartphone with touch function. If the phone is configured with a message preview, the script may be injected and executed due to lack of sufficient input filtering for the SMS content. An attacker may leverage this issue to execute arbitrary script code through an SMS message to carry out an attack, such as directing a user to a malicious site. This may allow attackers to carry out other attacks as well

The Cisco RVS4000 4-port Gigabit Security Router before 1.3.2.0, PVC2300 Business Internet Video Camera before 1.1.2.6, WVC200 Wireless-G PTZ Internet Video Camera before 1.1.1.15, WVC210 Wireless-G PTZ Internet Video Camera before 1.1.1.15, and WVC2300 Wireless-G Business Internet Video Camera before 1.1.2.6 do not properly restrict read access to passwords, which allows context-dependent attackers to obtain sensitive information, related to (1) access by remote authenticated users to a PVC2300 or WVC2300 via a crafted URL, (2) leveraging setup privileges on a WVC200 or WVC210, and (3) leveraging administrative privileges on an RVS4000, aka Bug ID CSCte64726. Multiple Cisco Small Business Video Surveillance cameras and a 4-port Gigabit router are prone to a remote authentication-bypass vulnerability. Successful exploits allow remote authenticated attackers to obtain other users' passwords and gain access to the vulnerable device. This will completely compromise an affected device. This issue is being tracked by Cisco bug ID CSCte64726. The vulnerability exists in the handling of requests to the web-based management interface, which can be exploited to view the device's configuration data (e.g. Successful exploitation requires "setup" privileges on the WVC200 and WVC210 models and administrative privileges on the RVS4000 model. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20100421-vsc.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available on some devices. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100421-vsc.shtml. No other Cisco cameras or products are currently known to be affected by this vulnerability. An administrator can restrict a user's ability to manage the device, allowing the user to employ the camera for surveillance only. The Cisco RVS4000 Gigabit Security Router delivers high-speed network access and IPsec VPN capabilities for as many as five users. The Cisco RVS4000 also provides firewall and intrusion prevention capabilities. The user could then view the passwords for all users on the device. A user on the WVC200 and WVC210 camera must have been granted setup privileges to take advantage of this vulnerability to view the passwords. The ability to configure setup privileges is not available on the other devices affected by this vulnerability. Administrative users on the RVS4000 router may be able to view the passwords of other administrative users. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCte64726 ("Unprivileged users may be able to view passwords for other users") CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerability could allow an authenticated user to discover all the user passwords contained on the device. Software Versions and Fixes =========================== To determine the software version running on a camera, administrators can click the "About" tab at the top-right of the device user interface. The software version information can be obtained on the System Status page under the "Status" tab. The latest camera software can be downloaded at: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=282414029 The software version of the RVS4000 is displayed on the main router page displayed after users log in. The latest RVS4000 software can be downloaded at: http://tools.cisco.com/support/downloads/pub/Redirect.x?mdfid=282413304 When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Small Business Support Center or your contracted maintenance provider for assistance. +---------------------------------------+ | Product | First Fixed Version | |-----------+---------------------------| | PVC2300 | 1.1.2.6 | |-----------+---------------------------| | WVC200 | 1.1.1.15 | |-----------+---------------------------| | WVC210 | 1.1.1.15 | |-----------+---------------------------| | WVC2300 | 1.1.2.6 | |-----------+---------------------------| | RVS4000 | 1.3.2.0 | +---------------------------------------+ Workarounds =========== There are no workarounds for the RVS4000, PVC2300, and WVC2300 cameras. On the WVC200 and WVC210 cameras, make sure that only trusted users are given setup privileges. Obtaining Fixed Software ======================== Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. If the information is not clear, please contact the Cisco Small Business Support Center or your contracted maintenance provider for assistance. Small Business Support Center contacts are as follows. * +1 866 606 1866 (toll free from within North America) * +1 408 418 1866 (toll call from anywhere in the world) Customers should have their product serial number available. Refer to http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html for additional support contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100421-vsc.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2010-April-21 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2008-2010 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Apr 21, 2010 Document ID: 111641 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkvPGXQACgkQ86n/Gc8U/uBKuQCgiymrWHvk3jBZONrLFlCcKVkM 0NAAnRcF8F+XYWyzMcQup+/35mxOsmhL =xpSH -----END PGP SIGNATURE-----

An arbitrary code execution vulnerability exists in the system installed with XMAP3/Web, or it may experience unexpected shutdown of Internet Explorer. The same issues exist in the Web browser testing tool, a web system development feature that comes with XMAP3/NET and XMAP3/Enterprise Edition.A remote attacker could execute arbitrary code on the affected system. Failed exploit attempts will result in a denial-of-service condition. ---------------------------------------------------------------------- Looking for a job? Secunia is hiring skilled researchers and talented developers. Internet Explorer. The vulnerability is reported in the following products: * XMAP3/Web version 4 * XMAP3/Web for Cosminexus * XMAP3/NET version 4 * XMAP3/Enterprise Edition version 4 SOLUTION: Apply patches. Please see the vendor's advisory for a patch matrix. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Hitachi: http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS10-004/index.html OTHER REFERENCES: JVN: http://jvndb.jvn.jp/en/contents/2010/JVNDB-2010-001427.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------