VARIoT IoT vulnerabilities database

Multiple heap-based buffer overflows in QuickTime.qts in Apple QuickTime Player 7.0.3 and iTunes 6.0.1 (3) and earlier allow remote attackers to cause a denial of service (crash) and execute arbitrary code via a .mov file with (1) a Movie Resource atom with a large size value, or (2) an stsd atom with a modified Sample Description Table size value, and possibly other vectors involving media files. NOTE: item 1 was originally identified by CVE-2005-4127 for a pre-patch announcement, and item 2 was originally identified by CVE-2005-4128 for a pre-patch announcement. Apple's QuickTime is a player for files and streaming media in a variety of different formats. A flaw in QuickTime's handling of Targa (TGA) image format files could allow a remote attacker to execute arbitrary code on a vulnerable system. Apple From QuickTime Version that fixes multiple vulnerabilities in 7.0.4 Has been released.Arbitrary code may be executed by a remote third party, DoS You can be attacked. For more information, see the information provided by the vendor. These issues arise when the application handles specially crafted QTIF, TGA, TIFF, and GIF image formats. Successful exploits of these issues may allow remote attackers to trigger a denial-of-service condition or to gain unauthorized access. This issue affects both Mac OS X and Microsoft Windows releases of the software. This issue may be triggered when the application processes a malformed movie (.MOV) file. Successful exploitation will result in execution of arbitrary code in the context of the currently logged in user. This issue affects Apple QuickTime 7.0.3 and iTunes 6.0.1. Earlier versions may also be affected. Multiple buffer overflow vulnerabilities exist in QuickTime.qts. This specific flaw exists within the QuickTime.qts file which many applications access QuickTime's functionality through. By specially crafting atoms within a movie file, a direct heap overwrite is triggered, and reliable code execution is then possible. Technical Details: Technical Description: The code in QuickTime.qts responsible for the size of the Sample Description Table entries from the 'stsd' atom in a QuickTime-format movie on the heap. According to developer.apple.com, the format of the Sample Description Atom is as follows: Field Description ---------------------------------------------------------------- Size 32-bit int Data Format 4 char code Reserved 6 bytes that must be 0 Data Reference Index 16-bit int Hint Track Version 16-bit unsigned int Last compatible hint track version 16-bit unsigned int Max Packet Size 32-bit int Additional Data Table Variable By setting the size of the Sample Description Table to a size of 00 15 - 00 D0 will cause a heap-based overflow. By supplying the "Last compatible hint track version" field with the value of 00 05 - 00 09, an insufficiently-sized heap block will be allocated, resulting in a classic complete heap memory overwrite during the RtlAllocateHeap() function and the attacker can control memory with data taken from the filename of the .MOV file. This vulnerability can be successfully exploited via an embedded media player in an HTML page, email, or HTML link. References QuickTime: QuickTime File Format http://developer.apple.com/documentation/QuickTime/QTFF/index.html Protection: Retina Network Security Scanner has been updated to identify this vulnerability. Vendor Status: Apple has released a patch for this vulnerability. The patch is available via the Updates section of the affected applications. This vulnerability has been assigned the CVE identifier CVE-2005-4092. Credit: Discovery: Karl Lynn Greetings: 0x41414141 Copyright (c) 1998-2006 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA06-011A Apple QuickTime Vulnerabilities Original release date: January 11, 2006 Last revised: January 11, 2006 Source: US-CERT Systems Affected Apple QuickTime on systems running * Apple Mac OS X * Microsoft Windows XP * Microsoft Windows 2000 Overview Apple has released QuickTime 7.0.4 to correct multiple vulnerabilities. The impacts of these vulnerabilities include execution of arbitrary code and denial of service. I. (CAN-2005-3713) II. Impact The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes. III. Solution Upgrade Upgrade to QuickTime 7.0.4. Appendix A. References * US-CERT Vulnerability Note VU#629845 - <http://www.kb.cert.org/vuls/id/629845> * US-CERT Vulnerability Note VU#921193 - <http://www.kb.cert.org/vuls/id/921193> * US-CERT Vulnerability Note VU#115729 - <http://www.kb.cert.org/vuls/id/115729> * US-CERT Vulnerability Note VU#150753 - <http://www.kb.cert.org/vuls/id/150753> * US-CERT Vulnerability Note VU#913449 - <http://www.kb.cert.org/vuls/id/913449> * CVE-2005-2340 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2340> * CVE-2005-4092 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4092> * CVE-2005-3707 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3707> * CVE-2005-3710 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3710> * CVE-2005-3713 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3713> * Security Content for QuickTime 7.0.4 - <http://docs.info.apple.com/article.html?artnum=303101> * QuickTime 7.0.4 - <http://www.apple.com/support/downloads/quicktime704.html> * About the Mac OS X 10.4.4 Update (Delta) - <http://docs.info.apple.com/article.html?artnum=302810> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-011A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-011A Feedback VU#913449" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History January 11, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQ8V8iX0pj593lg50AQJ85wf+OuHVseQVzZ0uI8h8TnmtAJmjzV6tp3Cj 34jwpSLlvo5S8svIHChcX/BYOwKVL/uQZswsjk/mbEu+TrPcVKPd7VPCetxIXVey AdC5hsAH1Wm0MnvY1LgvONo8IQ9RlT6Rj6fY7k7QhPUWsYxj/rDCWDAY9kgsHXc/ HpXWL/Cy5va35z8aYHrLVlxmofKrOWtX0PVa6lSKV8lIsY+TDihA5tYIb5wRDVxL osieJ+MHSXGchXpjX2c0o6Ja6vhJNR61LEwelk9FMLT1JRTkp+wz9/AoVUSyZ/hy 0WBP0M8cwl8koWgijNcLXA18YX8QtDftAVRwpwHKMrbNCYdrWblYVw== =5Kiq -----END PGP SIGNATURE-----

Memory leak in Avaya TN2602AP IP Media Resource 320 circuit pack before vintage 9 firmware allows remote attackers to cause a denial of service (memory consumption) via crafted VoIP packets. Avaya TN2602AP IP Media Resource 320 is prone to a remote denial of service vulnerability. A successful attack can result in a memory leak and lead to a denial of service condition due to a crash. Avaya TN2602AP IP Media Resource 320 versions prior to vintage 9 firmware are vulnerable to this issue. The vulnerability is caused due to an unspecified error. This can be exploited to cause memory leaks, which can potentially cause a DoS via specially crafted packets. SOLUTION: Update to vintage 9 firmware. http://support.avaya.com/japple/css/japple?temp.documentID=236667&temp.productID=136527&temp.releaseID=228560&temp.bucketID=108025&PAGE=Document#TN2602 PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://support.avaya.com/elmodocs2/security/ASA-2005-231.pdf ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Cisco Security Agent (CSA) 4.5.0 and 4.5.1 agents, when running on Windows systems, allows local users to bypass protections and gain system privileges by executing certain local software. This issue only affects computers running affected versions of Cisco Security Agent on the Microsoft Windows platform. Further details are not currently available, this BID will be updated as information becomes available. Cisco Security Agent adopts behavior-based evaluation criteria to identify and protect servers and terminal computers, instead of relying only on signature matching for analysis and identification, successfully solving the security risks brought by unknown viruses. The vulnerability is caused due to an unspecified error in CSA on the Windows platform. This can be exploited by malicious users to gain SYSTEM privileges on a vulnerable system. The vulnerability has been reported in the following versions: * Cisco CSA version 4.5.0 (all builds) managed and standalone agents. * Cisco CSA version 4.5.1 (all builds) managed and standalone agents. * Cisco CSA version 4.5.0 (build 573) for CallManager. * Cisco CSA version 4.5.1 (build 628) for CallManager. * Cisco CSA version 4.5.1 (build 616) for Intelligent Contact Management (ICM), IPCC Enterprise, and IPCC Hosted. * Cisco CSA version 4.5.0 ( build 573) for Cisco Voice Portal (CVP) 3.0 and 3.1. SOLUTION: Update to version 4.5.1.639. Management Center for Cisco Security Agents: http://www.cisco.com/pcgi-bin/tablebuild.pl/csa CSA for CallManager: http://www.cisco.com/pcgi-bin/tablebuild.pl/cmva-3des CSA for ICM, IPCC Enterprise, and IPCC Hosted: http://www.cisco.com/pcgi-bin/tablebuild.pl/csa10-crypto CSA for CVP 3.0 and 3.1: http://www.cisco.com/pcgi-bin/tablebuild.pl/csa-cvp-20 PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20051129-csa.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Apple Safari 2.0.2 allows remote attackers to cause a denial of service (system slowdown) via a Javascript BODY onload event that calls the window function. Safari is prone to a denial-of-service vulnerability. Apple Safari is a web browser software

Cross-site scripting (XSS) vulnerability in Cisco IOS Web Server for IOS 12.0(2a) allows remote attackers to inject arbitrary web script or HTML by (1) packets containing HTML that an administrator views via an HTTP interface to the contents of memory buffers, as demonstrated by the URI /level/15/exec/-/buffers/assigned/dump; or (2) sending the router Cisco Discovery Protocol (CDP) packets with HTML payload that an administrator views via the CDP status pages. NOTE: these vectors were originally reported as being associated with the dump and packet options in /level/15/exec/-/show/buffers. Cisco IOS include HTTP Server Is show buffers Memory dump results were generated dynamically using commands etc. Web When displaying a page, the output result is not properly sanitized, so there is a vulnerability that allows arbitrary commands to be inserted.An arbitrary command may be executed and as a result, administrator privileges may be obtained. Cisco IOS HTTP service is prone to an HTML-injection vulnerability. An attacker can submit malicious HTML and script code through the '/level/15/exec/-/buffers/assigned' and '/level/15/exec/-/buffers/all' scripts. This code may run in the browser of an administrator when they attempt to view the contents of memory buffers through the vulnerable scripts of the HTTP service. IOS 11.0 through 12.4 are affected. IOS XR is not vulnerable. This issue is documented by Cisco Bug ID CSCsc64976. NOTE: Since this is an HTML-injection vulnerability that targets users of the IOS web interface, devices with the HTTP service disabled are not affected. The attacker can also run arbitrary commands on a vulnerable device. Successful exploits may allow the attacker to manipulate routing information, create accounts, and access all other functionality available to administrators. The vulnerability is caused due to the memory dump feature of the HTTP server not properly sanitising the data in received packets before displaying them to the user in a HTML formatted page when the user views the "/level/15/exec/-/buffers/assigned/dump" link. This can be exploited to execute arbitrary script code in a user's browser session when the user views a memory dump containing malicious Javascript/HTML code from a received packet. E.g. changing the "enable" password by injecting HTML code that requests for the "/level/15/configure/-/enable/secret/" link. SOLUTION: Disable active scripting when viewing memory dumps. PROVIDED AND/OR DISCOVERED BY: Hugo Vazquez Carames ORIGINAL ADVISORY: http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/cisco/index.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . The vulnerability is related to: SA17780 The vulnerability has been reported in IOS 11.2(8.11)SA6. SOLUTION: Update to Cisco IOS 12. Alternatively, disable CDP functionality if it is not required, or disable the web administration interface

Cross-site scripting (XSS) vulnerability in vTiger CRM 4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via multiple vectors, including the account name. vtiger CRM is prone to multiple input validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. vtiger CRM is prone to an SQL injection vulnerability, an arbitrary local file include vulnerability and an arbitrary file upload vulnerability. Several of the issues disclosed by SEC-CONSULT in their referenced security advisory, were previously discussed in BID 15562 (VTiger CRM Multiple Input Validation Vulnerabilities). Users are advised to consult that BID for other vulnerabilities affecting vtiger. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by American Vtiger Company. The management system provides functions such as management, collection, and analysis of customer information. TITLE: vtiger CRM Multiple Vulnerabilities SECUNIA ADVISORY ID: SA17693 VERIFY ADVISORY: http://secunia.com/advisories/17693/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of sensitive information, System access WHERE: >From remote SOFTWARE: vtiger CRM 4.x http://secunia.com/product/6211/ DESCRIPTION: Christopher Kunz has reported some vulnerabilities in vtiger CRM, which can be exploited by malicious people to conduct cross-site scripting, script insertion, and SQL injection attacks, disclose sensitive information, and compromise a vulnerable system. 1) Some input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 2) An input validation error in the RSS aggregation module can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when data from the malicious RSS feed is viewed. 3) Input passed to the "date" parameter and the username field when logging into the administration section isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. This can further be exploited to bypass the authentication process and access the administration section where sensitive user data can be disclosed or manipulated. Successful exploitation requires that "magic_quotes_gpc" is disabled. 4) Input passed to the "action" and "module" parameters isn't properly verified, before it is used to include files. Successful exploitation requires that "magic_quotes_gpc" is disabled. The vulnerabilities have been reported in version 4.2 and prior. Other versions may also be affected. SOLUTION: Edit the source code to ensure that input is properly sanitised and verified. PROVIDED AND/OR DISCOVERED BY: Christopher Kunz, Hardened PHP Project ORIGINAL ADVISORY: http://www.hardened-php.net/advisory_232005.105.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The uploads module in vTiger CRM 4.2 and earlier allows remote attackers to upload arbitrary files, such as PHP files, via the add2db action. vtiger CRM is prone to multiple input validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. vtiger CRM is prone to an SQL injection vulnerability, an arbitrary local file include vulnerability and an arbitrary file upload vulnerability. Several of the issues disclosed by SEC-CONSULT in their referenced security advisory, were previously discussed in BID 15562 (VTiger CRM Multiple Input Validation Vulnerabilities). Users are advised to consult that BID for other vulnerabilities affecting vtiger. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by American Vtiger Company. The management system provides functions such as management, collection, and analysis of customer information. TITLE: vtiger CRM Multiple Vulnerabilities SECUNIA ADVISORY ID: SA17693 VERIFY ADVISORY: http://secunia.com/advisories/17693/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of sensitive information, System access WHERE: >From remote SOFTWARE: vtiger CRM 4.x http://secunia.com/product/6211/ DESCRIPTION: Christopher Kunz has reported some vulnerabilities in vtiger CRM, which can be exploited by malicious people to conduct cross-site scripting, script insertion, and SQL injection attacks, disclose sensitive information, and compromise a vulnerable system. 1) Some input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 2) An input validation error in the RSS aggregation module can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when data from the malicious RSS feed is viewed. 3) Input passed to the "date" parameter and the username field when logging into the administration section isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. This can further be exploited to bypass the authentication process and access the administration section where sensitive user data can be disclosed or manipulated. Successful exploitation requires that "magic_quotes_gpc" is disabled. 4) Input passed to the "action" and "module" parameters isn't properly verified, before it is used to include files. Successful exploitation requires that "magic_quotes_gpc" is disabled. The vulnerabilities have been reported in version 4.2 and prior. Other versions may also be affected. SOLUTION: Edit the source code to ensure that input is properly sanitised and verified. PROVIDED AND/OR DISCOVERED BY: Christopher Kunz, Hardened PHP Project ORIGINAL ADVISORY: http://www.hardened-php.net/advisory_232005.105.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Users module in vTiger CRM 4.2 and earlier allows remote attackers to execute arbitrary PHP code via an arbitrary file in the templatename parameter, which is passed to the eval function. vtiger CRM is prone to multiple input validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. vtiger CRM is prone to an SQL injection vulnerability, an arbitrary local file include vulnerability and an arbitrary file upload vulnerability. Several of the issues disclosed by SEC-CONSULT in their referenced security advisory, were previously discussed in BID 15562 (VTiger CRM Multiple Input Validation Vulnerabilities). Users are advised to consult that BID for other vulnerabilities affecting vtiger. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by American Vtiger Company. The management system provides functions such as management, collection, and analysis of customer information. TITLE: vtiger CRM Multiple Vulnerabilities SECUNIA ADVISORY ID: SA17693 VERIFY ADVISORY: http://secunia.com/advisories/17693/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of sensitive information, System access WHERE: >From remote SOFTWARE: vtiger CRM 4.x http://secunia.com/product/6211/ DESCRIPTION: Christopher Kunz has reported some vulnerabilities in vtiger CRM, which can be exploited by malicious people to conduct cross-site scripting, script insertion, and SQL injection attacks, disclose sensitive information, and compromise a vulnerable system. 1) Some input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 2) An input validation error in the RSS aggregation module can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when data from the malicious RSS feed is viewed. 3) Input passed to the "date" parameter and the username field when logging into the administration section isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. This can further be exploited to bypass the authentication process and access the administration section where sensitive user data can be disclosed or manipulated. Successful exploitation requires that "magic_quotes_gpc" is disabled. 4) Input passed to the "action" and "module" parameters isn't properly verified, before it is used to include files. Successful exploitation requires that "magic_quotes_gpc" is disabled. The vulnerabilities have been reported in version 4.2 and prior. Other versions may also be affected. SOLUTION: Edit the source code to ensure that input is properly sanitised and verified. PROVIDED AND/OR DISCOVERED BY: Christopher Kunz, Hardened PHP Project ORIGINAL ADVISORY: http://www.hardened-php.net/advisory_232005.105.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username in the login form or (2) record parameter, as demonstrated in the EditView action for the Contacts module. vtiger CRM is prone to multiple input validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. vtiger CRM is prone to an SQL injection vulnerability, an arbitrary local file include vulnerability and an arbitrary file upload vulnerability. Several of the issues disclosed by SEC-CONSULT in their referenced security advisory, were previously discussed in BID 15562 (VTiger CRM Multiple Input Validation Vulnerabilities). Users are advised to consult that BID for other vulnerabilities affecting vtiger. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by American Vtiger Company. The management system provides functions such as management, collection, and analysis of customer information. TITLE: vtiger CRM Multiple Vulnerabilities SECUNIA ADVISORY ID: SA17693 VERIFY ADVISORY: http://secunia.com/advisories/17693/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of sensitive information, System access WHERE: >From remote SOFTWARE: vtiger CRM 4.x http://secunia.com/product/6211/ DESCRIPTION: Christopher Kunz has reported some vulnerabilities in vtiger CRM, which can be exploited by malicious people to conduct cross-site scripting, script insertion, and SQL injection attacks, disclose sensitive information, and compromise a vulnerable system. 1) Some input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 2) An input validation error in the RSS aggregation module can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when data from the malicious RSS feed is viewed. 3) Input passed to the "date" parameter and the username field when logging into the administration section isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. This can further be exploited to bypass the authentication process and access the administration section where sensitive user data can be disclosed or manipulated. Successful exploitation requires that "magic_quotes_gpc" is disabled. 4) Input passed to the "action" and "module" parameters isn't properly verified, before it is used to include files. Successful exploitation requires that "magic_quotes_gpc" is disabled. The vulnerabilities have been reported in version 4.2 and prior. Other versions may also be affected. SOLUTION: Edit the source code to ensure that input is properly sanitised and verified. PROVIDED AND/OR DISCOVERED BY: Christopher Kunz, Hardened PHP Project ORIGINAL ADVISORY: http://www.hardened-php.net/advisory_232005.105.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple SQL injection vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary SQL commands and bypass authentication via the (1) user_name and (2) date parameter in the HelpDesk module. vtiger CRM is prone to multiple input validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. An attacker can exploit these issues to gain administrative access, retrieve username and password pairs, steal cookie-based authentication credentials and retrieve arbitrary local files in the context of the Web server process; other attacks are also possible. Some of these issues may be related to those discussed in BID 11740 (SugarCRM Multiple Input Validation Vulnerabilities) discovered by James Bercegay and Damon Wood of the GulfTech Security Research Team, as vtiger is a fork of the SugarCRM project. An independent study by Daniel Fabian of SEC-CONSULT has confirmed the existence of several of these issues. Please see the referenced advisory for more information. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by American Vtiger Company. The management system provides functions such as management, collection, and analysis of customer information. TITLE: vtiger CRM Multiple Vulnerabilities SECUNIA ADVISORY ID: SA17693 VERIFY ADVISORY: http://secunia.com/advisories/17693/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of sensitive information, System access WHERE: >From remote SOFTWARE: vtiger CRM 4.x http://secunia.com/product/6211/ DESCRIPTION: Christopher Kunz has reported some vulnerabilities in vtiger CRM, which can be exploited by malicious people to conduct cross-site scripting, script insertion, and SQL injection attacks, disclose sensitive information, and compromise a vulnerable system. 1) Some input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 2) An input validation error in the RSS aggregation module can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when data from the malicious RSS feed is viewed. 3) Input passed to the "date" parameter and the username field when logging into the administration section isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. This can further be exploited to bypass the authentication process and access the administration section where sensitive user data can be disclosed or manipulated. Successful exploitation requires that "magic_quotes_gpc" is disabled. 4) Input passed to the "action" and "module" parameters isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from local resources. This can further be exploited to include and execute arbitrary PHP code injected into the "vtigercrm.log" log file. Successful exploitation requires that "magic_quotes_gpc" is disabled. The vulnerabilities have been reported in version 4.2 and prior. Other versions may also be affected. SOLUTION: Edit the source code to ensure that input is properly sanitised and verified. PROVIDED AND/OR DISCOVERED BY: Christopher Kunz, Hardened PHP Project ORIGINAL ADVISORY: http://www.hardened-php.net/advisory_232005.105.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) various input fields, including the contact, lead, and first or last name fields, (2) the record parameter in a DetailView action in the Leads module for index.php, (3) the $_SERVER['PHP_SELF'] variable, which is used in multiple locations such as index.php, and (4) aggregated RSS feeds in the RSS aggregation module. vtiger CRM is prone to multiple input validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. vTiger CRM is prone to multiple SQL injection, HTML injection, cross-site scripting and local file include vulnerabilities. An attacker can exploit these issues to gain administrative access, retrieve username and password pairs, steal cookie-based authentication credentials and retrieve arbitrary local files in the context of the Web server process; other attacks are also possible. Some of these issues may be related to those discussed in BID 11740 (SugarCRM Multiple Input Validation Vulnerabilities) discovered by James Bercegay and Damon Wood of the GulfTech Security Research Team, as vtiger is a fork of the SugarCRM project. An independent study by Daniel Fabian of SEC-CONSULT has confirmed the existence of several of these issues. Please see the referenced advisory for more information. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by American Vtiger Company. The management system provides functions such as management, collection, and analysis of customer information. TITLE: vtiger CRM Multiple Vulnerabilities SECUNIA ADVISORY ID: SA17693 VERIFY ADVISORY: http://secunia.com/advisories/17693/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of sensitive information, System access WHERE: >From remote SOFTWARE: vtiger CRM 4.x http://secunia.com/product/6211/ DESCRIPTION: Christopher Kunz has reported some vulnerabilities in vtiger CRM, which can be exploited by malicious people to conduct cross-site scripting, script insertion, and SQL injection attacks, disclose sensitive information, and compromise a vulnerable system. 1) Some input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 3) Input passed to the "date" parameter and the username field when logging into the administration section isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. This can further be exploited to bypass the authentication process and access the administration section where sensitive user data can be disclosed or manipulated. Successful exploitation requires that "magic_quotes_gpc" is disabled. 4) Input passed to the "action" and "module" parameters isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from local resources. This can further be exploited to include and execute arbitrary PHP code injected into the "vtigercrm.log" log file. Successful exploitation requires that "magic_quotes_gpc" is disabled. The vulnerabilities have been reported in version 4.2 and prior. Other versions may also be affected. SOLUTION: Edit the source code to ensure that input is properly sanitised and verified. PROVIDED AND/OR DISCOVERED BY: Christopher Kunz, Hardened PHP Project ORIGINAL ADVISORY: http://www.hardened-php.net/advisory_232005.105.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple directory traversal vulnerabilities in index.php in vTiger CRM 4.2 and earlier allow remote attackers to read or include arbitrary files, an ultimately execute arbitrary PHP code, via .. (dot dot) and null byte ("%00") sequences in the (1) module parameter and (2) action parameter in the Leads module, as also demonstrated by injecting PHP code into log messages and accessing the log file. vtiger CRM is prone to multiple input validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. vTiger CRM is prone to multiple SQL injection, HTML injection, cross-site scripting and local file include vulnerabilities. An attacker can exploit these issues to gain administrative access, retrieve username and password pairs, steal cookie-based authentication credentials and retrieve arbitrary local files in the context of the Web server process; other attacks are also possible. Some of these issues may be related to those discussed in BID 11740 (SugarCRM Multiple Input Validation Vulnerabilities) discovered by James Bercegay and Damon Wood of the GulfTech Security Research Team, as vtiger is a fork of the SugarCRM project. An independent study by Daniel Fabian of SEC-CONSULT has confirmed the existence of several of these issues. Please see the referenced advisory for more information. Users are advised to consult that BID for other vulnerabilities affecting vtiger. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by American Vtiger Company. The management system provides functions such as management, collection, and analysis of customer information. TITLE: vtiger CRM Multiple Vulnerabilities SECUNIA ADVISORY ID: SA17693 VERIFY ADVISORY: http://secunia.com/advisories/17693/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of sensitive information, System access WHERE: >From remote SOFTWARE: vtiger CRM 4.x http://secunia.com/product/6211/ DESCRIPTION: Christopher Kunz has reported some vulnerabilities in vtiger CRM, which can be exploited by malicious people to conduct cross-site scripting, script insertion, and SQL injection attacks, disclose sensitive information, and compromise a vulnerable system. 1) Some input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 2) An input validation error in the RSS aggregation module can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when data from the malicious RSS feed is viewed. 3) Input passed to the "date" parameter and the username field when logging into the administration section isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. This can further be exploited to bypass the authentication process and access the administration section where sensitive user data can be disclosed or manipulated. Successful exploitation requires that "magic_quotes_gpc" is disabled. 4) Input passed to the "action" and "module" parameters isn't properly verified, before it is used to include files. Successful exploitation requires that "magic_quotes_gpc" is disabled. The vulnerabilities have been reported in version 4.2 and prior. Other versions may also be affected. SOLUTION: Edit the source code to ensure that input is properly sanitised and verified. PROVIDED AND/OR DISCOVERED BY: Christopher Kunz, Hardened PHP Project ORIGINAL ADVISORY: http://www.hardened-php.net/advisory_232005.105.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Novell ZENworks for Desktops 4.0.1, ZENworks for Servers 3.0.2, and ZENworks 6.5 Desktop Management does not restrict access to Remote Diagnostics, which allows local users to bypass security policies by using Console One. Novell ZENworks Remote Diagnostics is prone to an unauthorized access vulnerability. This vulnerability may facilitate disclosure of sensitive data and may aid in other attacks against a vulnerable computer. http://support.novell.com/cgi-bin/search/searchtid.cgi?/2972567.htm PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10098818.htm ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco PIX 6.3 and 7.0 allows remote attackers to cause a denial of service (blocked new connections) via spoofed TCP packets that cause the PIX to create embryonic connections that that would not produce a valid connection with the end system, including (1) SYN packets with invalid checksums, which do not result in a RST; or, from an external interface, (2) one byte of "meaningless data," or (3) a TTL that is one less than needed to reach the internal destination. Versions of Cisco PIX firewalls do not validate the checksum of transiting TCP packets. Attackers may be able to use this problem to create a sustained denial-of-service under certain conditions. Cisco PIX Firewall Is illegal TCP SYN When a packet is processed, the packet and source and destination information for a certain period of time (IP Address and port ) There is a function that rejects packets that match, and there is a vulnerability that prevents communication from a legitimate host if the source information of the wrong packet is spoofed by that of a legitimate host.From a specific source TCP Communication is interrupted for a certain period of time (DoS) It may be in a state. This issue allows attackers to temporarily block network traffic to arbitrarily targeted TCP services. By repeating the attack, a prolonged denial-of-service condition is possible. Cisco PIX is a hardware firewall solution. Remote attackers may use this loophole to cause a denial of service attack on legitimate access sources. So an attacker can send a specially crafted TCP packet with a wrong checksum, setting the source/destination IP and port to a legitimate host. Once the PIX firewall receives such a message, it cannot establish a new TCP session with the credentials specified in the malicious message. The default time is 2 minutes and 2 seconds, and then it will resume normal operation. Gavrilenko has reported a vulnerability in Cisco PIX, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to the firewall failing to verify the checksum of a TCP SYN packet before it is allowed through the firewall and a connection state is setup to track the half-open connection. Packets with incorrect checksum values will be silently discarded by the destination host without a RST reply. This causes the connection state to be held up to two minutes before it is cleared. In the meantime, legitimate SYN packets with the same protocol, IP addresses, and ports are discarded by the firewall. Successful exploitation allows an attacker to prevent a host from establishing connections to another host through the firewall. The vulnerability has been reported in PIX 6.3 and PIX/ASA 7.0. SOLUTION: The vendor recommends the following workaround. 1) Issue the commands "clear xlate" or "clear local-host <ip address on the higher security level interface>" to allow the firewall to pass connections again. 2) Modify the default TCP embryonic connection timeout to a lower value. e.g. 10 seconds. 3) Configure TCP Intercept to allow PIX to proxy all TCP connection attempts originated from behind any firewall interface after the first connection. This will have a performance impact. PROVIDED AND/OR DISCOVERED BY: Konstantin V. Gavrilenko, Arhont Ltd ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038971.html http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038983.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Apple Safari 2.0.2 (aka 416.12) allows remote attackers to spoof the URL in the status bar via the title in an image in a link to a trusted site within a form to the malicious site. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Safari is prone to a remote security vulnerability. The problem is that the browser fails to show the correct URL in the status bar if an image control has been enclosed in a hyperlink and uses a form to specify the destination URL. This may cause a user to follow a link to a seemingly trusted website when in fact the browser opens a malicious website. This is related to: SA17565 Example: <form action="[malicious site]"> <a href="[trusted site]"><input type="image" src="[image]"></a> </form> The weakness has been confirmed in version 2.0.2 (416.12). Other versions may also be affected. SOLUTION: Do not follow links from untrusted sources. PROVIDED AND/OR DISCOVERED BY: Reported in Safari by marc. Originally discovered in Internet Explorer and Opera by Claudio "Sverx". OTHER REFERENCES: SA17565: http://secunia.com/advisories/17565/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Hitachi Cosminexus Collaboration Portal 06-00 through 06-10-/B, Groupmax Collaboration Portal 07-00 through 07-10-/B, and Groupmax Collaboration Web Client 07-00 through 07-10-/A allow remote attackers to cause a denial of service of unspecified impact via repeated invalid requests to the Schedule component. This vulnerability may be triggered by multiple invalid requests sent to the schedule. No further details have been provided. These are due to a lack of proper sanitization of user-supplied input. An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. These may facilitate the theft of cookie-based authentication credentials as well as other attacks. ORIGINAL ADVISORY: http://www.hitachi-support.com/security_e/vuls_e/HS05-023_e/index-e.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple cross-site scripting (XSS) vulnerabilities in Hitachi Cosminexus Collaboration Portal 06-00 through 06-10-/B, Groupmax Collaboration Portal 07-00 through 07-10-/B, and Groupmax Collaboration Web Client 07-00 through 07-10-/A allow remote attackers to inject arbitrary web script or HTML via the (1) Schedule and (2) Calendar components. These are due to a lack of proper sanitization of user-supplied input. An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. These may facilitate the theft of cookie-based authentication credentials as well as other attacks. TITLE: Hitachi Products Cross-Site Scripting and Denial of Service SECUNIA ADVISORY ID: SA17634 VERIFY ADVISORY: http://secunia.com/advisories/17634/ CRITICAL: Moderately critical IMPACT: Cross Site Scripting, DoS WHERE: >From remote SOFTWARE: Cosminexus 6.x http://secunia.com/product/5795/ Groupmax Collaboration Portal 6.x http://secunia.com/product/6162/ Groupmax Collaboration Web Client 7.x http://secunia.com/product/6161/ DESCRIPTION: Some vulnerabilities have been reported in various Hitachi products, which can be exploited by malicious people to conduct cross-site scripting attacks and cause a DoS (Denial of Service). ORIGINAL ADVISORY: http://www.hitachi-support.com/security_e/vuls_e/HS05-023_e/index-e.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unquoted Windows search path vulnerability in iTunesHelper.exe in iTunes 4.7.1.30 and iTunes 5 for Windows might allow local users to gain privileges via a malicious C:\program.exe file. iTunes is Apple's player software for iPod and mp3 files. Multiple Vendor Insecure Call to CreateProcess() Vulnerability iDEFENSE Security Advisory 11.15.05 www.idefense.com/application/poi/display?id=340&type=vulnerabilities November 15, 2005 I. BACKGROUND The Microsoft Windows API includes the CreateProcess() function as a means to create a new process and it's primary thread. CreateProcessAsUser() is similar but allows for the process to be run in the security context of a particular user. II. DESCRIPTION The format of the CreateProcess() function is as follows: BOOL CreateProcess( LPCTSTR lpApplicationName, LPTSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCTSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation ); The 'lpApplicationName' variable contains the name of the module to be executed. However, this can be a NULL value, in which case, the module name to be executed will be the first white space-delimited token in the lpCommandLine string. It is a known issue, that if lpApplicationName contains a NULL value and the full module path in the lpCommandLine variable contains white space and is not enclosed in quotation marks, it is possible that an alternate application will be executed. Consider the following scenario: CreateProcess( NULL, c:\program files\sub dir\program.exe, ... ); In this case, the system will successively expand the string when interpreting the file path, until a module is encountered to execute. The string used in the above example would be interpreted as follows: c:\program.exe files\sub dir\program name c:\program files\sub.exe dir\program name c:\program files\sub dir\program.exe Therefore, if a file named program.exe existed in the c:\ directory, it would be executed instead of the intended application. This is a known issue, discussed directly in the API documentation: http://msdn.microsoft.com/library/en-us/dllproc/base/createprocessasuser.asp III. ANALYSIS Despite the fact that this is a known issue, several popular applications, insecurely call the CreateProcess() and CreateProcessAsUser() functions. This creates a scenario whereby arbitrary code could be executed. In the scenario detailed above, if an attacker were able to install arbitrary code in a file at c:\program.exe, when the vulnerable application was launched, the code would be executed. The arbitrary code would generally be executed under the privileges of the executing user but could also be launched with elevated privilegs if an insecure call were made CreateProcessAsUser() using elevated privileges. This attack would involve some form of social engineering or need to be combined with another attack to first get the arbitrary code installed in the correct location. IV. DETECTION The following applications have been confirmed to be vulnerable: Vendor: RealNetworks Application: RealPlayer 10.5 Files: realplay.exe realjbox.exe Vendor: Kaspersky Application: Kaspersky Anti-Virus for Windows File Servers 5.0 (English) - Installation File Files: kav5.0trial_winfsen.exe Vendor: Apple Application: iTunes 4.7.1.30 Files: iTunesHelper.exe Vendor: VMWare Application: VMWare Workstation 5.0.0 build-13124 Files: VMwareTray.exe VMwareUser.exe Vendor: Microsoft Application: Microsoft Antispyware 1.0.509 (Beta 1) Files: GIANTAntiSpywareMain.exe gcASNotice.exe gcasServ.exe gcasSWUpdater.exe GIANTAntiSpywareUpdater.exe Note: The vulnerability in Microsoft Antispyware was previously discussed on the Full-Disclosure mailing list (http://lists.grok.org.uk/pipermail/full-disclosure/2005-May/033909.html) but remains unpatched. V. WORKAROUND Ensure that unexpected files are not stored in locations that can be used for this attack. Windows XP SP2 will alert a user of the existence of a file named c:\program.exe when it first boots, however, any path containing white space where a vulnerable application is stored could be used in this attack. VI. VENDOR RESPONSE The following vendor responses have been provided. Apple: "Due to the way iTunes 5 launches its helper application, multiple system paths are searched for which program to run. iTunes 6 addresses this issue and can be obtained from http://www.apple.com/itunes/download/. Credit to iDEFENSE for reporting this issue to us." Kaspersky: "We are currently looking into the problem, and it seems that this is not present in the current version of KAV for File Servers." Microsoft: "Microsoft has confirmed that the Beta 2 version of its Antispyware product, targeted for release later this year, will address the issue reported by iDEFENSE." VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to this issue. RealNetworks RealPlayer 10.5 CAN-2005-2936 Kaspersky Anti-Virus 5.0 CAN-2005-2937 Apple iTunes 4.7.1.30 CAN-2005-2938 VMWare Workstation 5.0.0 build-13124 CAN-2005-2939 Microsoft Antispyware 1.0.509 (Beta 1) CAN-2005-2940 Theses are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 09/19/2005 Initial vendor notification 11/15/2005 Coordinated public disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp Free tools, research and upcoming events http://labs.idefense.com X. LEGAL NOTICES Copyright \xa9 2005 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information

The Internet Key Exchange version 1 (IKEv1) implementation in the libike library in Solaris 9 and 10 allows remote attackers to cause a denial of service (in.iked daemon crash) via crafted IKE packets, as demonstrated by the PROTOS ISAKMP Test Suite for IKEv1. Numerous vulnerabilities have been reported in various Internet Key Exchange version 1 (IKEv1) implementations. The impacts of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or cause an IKEv1 implementation to behave in an unstable/unpredictable manner. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ I SAKMP (Internet Security Association and Key Management Protocol) Authentication, key management, and SA (security association) of 3 A collective term for multiple protocols. ISAKMP Derived from IKE Is IPSec Key exchange protocol for encrypted communication. In many environments IKEv1 Is used. IKE Communication by phase 1 And phase 2 Divided into phases 1 Then establish a secure communication path, ISAKMP SA Called IKE Exchange own messages. In multiple products ISAKMP/IKE Implementation is illegal ISAKMP Phase 1 There is a problem that causes abnormal behavior when receiving this packet because there is a flaw in the processing of the packet. IKE When a deliberately created packet is sent by a remote attacker with specific information for communication by ISAKMP Services or devices that implement the may be in a service outage.Please refer to the “Overview” for the impact of this vulnerability. TITLE: Symantec Firewall/VPN/Gateway ISAKMP Message Processing Denial of Service SECUNIA ADVISORY ID: SA17684 VERIFY ADVISORY: http://secunia.com/advisories/17684/ CRITICAL: Moderately critical IMPACT: DoS WHERE: >From remote OPERATING SYSTEM: Symantec Gateway Security 400 Series http://secunia.com/product/6175/ Symantec Gateway Security 300 Series http://secunia.com/product/6176/ Symantec Gateway Security 3.x http://secunia.com/product/6177/ Symantec Gateway Security 2.x http://secunia.com/product/3104/ Symantec Gateway Security 1.x http://secunia.com/product/876/ Symantec Firewall/VPN Appliance 100/200/200R http://secunia.com/product/552/ SOFTWARE: Symantec Enterprise Firewall (SEF) 8.x http://secunia.com/product/3587/ DESCRIPTION: Symantec has acknowledged a vulnerability in various Symantec products, which can be exploited by malicious people to cause a DoS (Denial of Service). For more information: SA17553 Successful exploitation causes a DoS of the dynamic VPN services. The vulnerability has been reported in the following products. * Symantec Enterprise Firewall version 8.0 (Windows) * Symantec Enterprise Firewall version 8.0 (Solaris) * Symantec Gateway Security 5000 Series version 3.0 * Symantec Gateway Security 5400 version 2.0.1 * Symantec Gateway Security 5310 version 1.0 * Symantec Gateway Security 5200/5300 version 1.0 * Symantec Gateway Security 5100 * Symantec Gateway Security 400 version 2.0 * Symantec Gateway Security 300 version 2.0 * Symantec Firewall /VPN Appliance 200/200R * Symantec Firewall /VPN Appliance 100 SOLUTION: Apply hotfixes. Symantec Enterprise Firewall version 8.0 (Windows): Apply SEF8.0-20051114-00. http://www.symantec.com/techsupp/enterprise/products/sym_ent_firewall/sym_ent_fw_8/files.html Symantec Enterprise Firewall version 8.0 (Solaris): Apply SEF8.0-20051114-00. http://www.symantec.com/techsupp/enterprise/products/sym_ent_firewall/sym_ent_fw_8_sol/files.html Symantec Gateway Security 5000 Series version 3.0: Apply SGS3.0-2005114-02. http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sgs_5600_3/files.html Symantec Gateway Security 5400 version 2.0.1: Apply SGS2.0.1-20051114-00. http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sym_gw_security_201_5400/files.html Symantec Gateway Security 5310 version 1.0: Apply SG7004-20051114-00. http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sym_gw_security_1_5310/files.html Symantec Gateway Security 5200/5300 version 1.0: Apply SG7004-20051114-00. http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sym_gw_security_1_52005300/files.html Symantec Gateway Security 5100: Apply SG7004-20051114-00. http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sym_gw_security_1_5110/files.html Symantec Gateway Security 400 version 2.0: Update to build 1103. http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sgs_2_400/files.html Symantec Gateway Security 300 version 2.0: Update to build 1103. http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sgs_300s_2/files.html Symantec Firewall /VPN Appliance 200/200R: Update to build 1.8F. http://www.symantec.com/techsupp/enterprise/products/sym_fw_vpn_appliance/sym_fw_vpn_appliance_200r/files.html Symantec Firewall /VPN Appliance 100: Update to build 1.8F. http://www.symantec.com/techsupp/enterprise/products/sym_fw_vpn_appliance/sym_fw_vpn_appliance_100/files.html ORIGINAL ADVISORY: Symantec: http://securityresponse.symantec.com/avcenter/security/Content/2005.11.21.html OTHER REFERENCES: SA17553: http://secunia.com/advisories/17553/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple buffer overflows in multiple unspecified implementations of Internet Key Exchange version 1 (IKEv1) have multiple unspecified attack vectors and impacts related to denial of service, as demonstrated by the PROTOS ISAKMP Test Suite for IKEv1. NOTE: due to the lack of information in the original sources, it is likely that this candidate will be REJECTed once it is known which implementations are actually vulnerable. Numerous vulnerabilities have been reported in various Internet Key Exchange version 1 (IKEv1) implementations. The impacts of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or cause an IKEv1 implementation to behave in an unstable/unpredictable manner. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ I SAKMP (Internet Security Association and Key Management Protocol) Authentication, key management, and SA (security association) of 3 A collective term for multiple protocols. ISAKMP Derived from IKE Is IPSec Key exchange protocol for encrypted communication. In many environments IKEv1 Is used. IKE Communication by phase 1 And phase 2 Divided into phases 1 Then establish a secure communication path, ISAKMP SA Called IKE Exchange own messages. In multiple products ISAKMP/IKE Implementation is illegal ISAKMP Phase 1 There is a problem that causes abnormal behavior when receiving this packet because there is a flaw in the processing of the packet. IKE When a deliberately created packet is sent by a remote attacker with specific information for communication by ISAKMP Services or devices that implement the may be in a service outage.Please refer to the “Overview” for the impact of this vulnerability. TITLE: Symantec Firewall/VPN/Gateway ISAKMP Message Processing Denial of Service SECUNIA ADVISORY ID: SA17684 VERIFY ADVISORY: http://secunia.com/advisories/17684/ CRITICAL: Moderately critical IMPACT: DoS WHERE: >From remote OPERATING SYSTEM: Symantec Gateway Security 400 Series http://secunia.com/product/6175/ Symantec Gateway Security 300 Series http://secunia.com/product/6176/ Symantec Gateway Security 3.x http://secunia.com/product/6177/ Symantec Gateway Security 2.x http://secunia.com/product/3104/ Symantec Gateway Security 1.x http://secunia.com/product/876/ Symantec Firewall/VPN Appliance 100/200/200R http://secunia.com/product/552/ SOFTWARE: Symantec Enterprise Firewall (SEF) 8.x http://secunia.com/product/3587/ DESCRIPTION: Symantec has acknowledged a vulnerability in various Symantec products, which can be exploited by malicious people to cause a DoS (Denial of Service). For more information: SA17553 Successful exploitation causes a DoS of the dynamic VPN services. The vulnerability has been reported in the following products. * Symantec Enterprise Firewall version 8.0 (Windows) * Symantec Enterprise Firewall version 8.0 (Solaris) * Symantec Gateway Security 5000 Series version 3.0 * Symantec Gateway Security 5400 version 2.0.1 * Symantec Gateway Security 5310 version 1.0 * Symantec Gateway Security 5200/5300 version 1.0 * Symantec Gateway Security 5100 * Symantec Gateway Security 400 version 2.0 * Symantec Gateway Security 300 version 2.0 * Symantec Firewall /VPN Appliance 200/200R * Symantec Firewall /VPN Appliance 100 SOLUTION: Apply hotfixes. Symantec Enterprise Firewall version 8.0 (Windows): Apply SEF8.0-20051114-00. http://www.symantec.com/techsupp/enterprise/products/sym_ent_firewall/sym_ent_fw_8/files.html Symantec Enterprise Firewall version 8.0 (Solaris): Apply SEF8.0-20051114-00. http://www.symantec.com/techsupp/enterprise/products/sym_ent_firewall/sym_ent_fw_8_sol/files.html Symantec Gateway Security 5000 Series version 3.0: Apply SGS3.0-2005114-02. http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sgs_5600_3/files.html Symantec Gateway Security 5400 version 2.0.1: Apply SGS2.0.1-20051114-00. http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sym_gw_security_201_5400/files.html Symantec Gateway Security 5310 version 1.0: Apply SG7004-20051114-00. http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sym_gw_security_1_5310/files.html Symantec Gateway Security 5200/5300 version 1.0: Apply SG7004-20051114-00. http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sym_gw_security_1_52005300/files.html Symantec Gateway Security 5100: Apply SG7004-20051114-00. http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sym_gw_security_1_5110/files.html Symantec Gateway Security 400 version 2.0: Update to build 1103. http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sgs_2_400/files.html Symantec Gateway Security 300 version 2.0: Update to build 1103. http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sgs_300s_2/files.html Symantec Firewall /VPN Appliance 200/200R: Update to build 1.8F. http://www.symantec.com/techsupp/enterprise/products/sym_fw_vpn_appliance/sym_fw_vpn_appliance_200r/files.html Symantec Firewall /VPN Appliance 100: Update to build 1.8F. http://www.symantec.com/techsupp/enterprise/products/sym_fw_vpn_appliance/sym_fw_vpn_appliance_100/files.html ORIGINAL ADVISORY: Symantec: http://securityresponse.symantec.com/avcenter/security/Content/2005.11.21.html OTHER REFERENCES: SA17553: http://secunia.com/advisories/17553/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------