VARIoT IoT vulnerabilities database


VAR-201003-0519 No CVE CompleteFTP Server Directory Traversal Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
CompleteFTP is an FTP server program. The CompleteFTP server does not properly handle user requests, and remote attackers can exploit two weaknesses, one for directory traversal and one for denial of service:
- The FTP service has an input validation error. A directory traversal attack can download or replace arbitrary files outside the FTP root directory.
- There is an error in handling a large number of authentication requests; an attacker can consume a large amount of system memory and make the service unavailable.
CompleteFTP is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. This may aid in further attacks. CompleteFTP 3.3.0 is vulnerable; other versions may also be affected.

TITLE: CompleteFTP Server Directory Traversal Vulnerability
SECUNIA ADVISORY ID: SA39191
VERIFY ADVISORY: http://secunia.com/advisories/39191/
DESCRIPTION: A vulnerability has been discovered in CompleteFTP Server, which can be exploited by malicious users to bypass certain security restrictions and compromise a vulnerable system. The vulnerability is confirmed in version 3.3.0.
SOLUTION: Restrict FTP access to trusted users only.
PROVIDED AND/OR DISCOVERED BY: zombiefx

About: This Advisory was delivered by Secunia as a free service to help private users keep their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
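The traversal above comes down to the server mapping a client-supplied path onto the real FTP root before normalising it, so "..\..\" segments resolve outside the root. One way to close that hole is to normalise the virtual path lexically and refuse any attempt to pop above "/", and only then translate it to a real path. The following is an added example in C and is not CompleteFTP code; the virtual-path conventions (forward-slash separators, rejection of backslashes and drive letters, the length limit) are this example's own assumptions.

```c
/* Added example (not CompleteFTP code): lexical normalisation of an FTP
 * virtual path so that ".." can never climb above the configured root.
 * The server maps the virtual path onto the real FTP root only after
 * this check succeeds, so "../../Windows/win.ini" is rejected instead
 * of resolving outside the root. */
#include <stdio.h>
#include <string.h>

#define FTP_PATH_MAX 1024

/* Build the absolute virtual path for a client-supplied argument.
 * cwd  - current virtual directory, always starts with '/'
 * arg  - path from the client (RETR/STOR/CWD argument), may be relative
 * out  - receives the normalised path ("/a/b"), outlen bytes available
 * Returns 0 on success, -1 if the path escapes the root, is too long, or
 * contains characters this virtual filesystem does not allow. */
int ftp_normalize_path(const char *cwd, const char *arg, char *out, size_t outlen)
{
    char work[FTP_PATH_MAX * 2];
    char *segs[FTP_PATH_MAX / 2];
    size_t nsegs = 0;

    /* Reject backslashes and drive letters outright: the virtual filesystem
     * only uses '/' separators, so these are never legitimate. */
    if (strchr(arg, '\\') || strchr(arg, ':'))
        return -1;

    if (arg[0] == '/')
        snprintf(work, sizeof work, "%s", arg);
    else
        snprintf(work, sizeof work, "%s/%s", cwd, arg);
    if (strlen(work) >= FTP_PATH_MAX)
        return -1;

    /* Walk the segments: "." is dropped, ".." pops one segment, and popping
     * an empty stack means the client tried to leave the root. Refuse rather
     * than clamp, so the attempt can be logged as hostile. */
    for (char *tok = strtok(work, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {
            if (nsegs == 0)
                return -1;
            nsegs--;
            continue;
        }
        segs[nsegs++] = tok;
    }

    /* Re-join the surviving segments under "/". */
    out[0] = '\0';
    if (nsegs == 0) {
        if (outlen < 2)
            return -1;
        strcpy(out, "/");
        return 0;
    }
    size_t used = 0;
    for (size_t i = 0; i < nsegs; i++) {
        int n = snprintf(out + used, outlen - used, "/%s", segs[i]);
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        used += (size_t)n;
    }
    return 0;
}
```

Refusing rather than clamping ".." at the root is a deliberate choice here: many FTP servers silently treat "cd .." at the root as a no-op, but a refusal gives the server a clean point at which to log the attempt.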
VAR-201004-0257 CVE-2010-1147 Open Direct Connect Hub Vulnerable to stack-based buffer overflow CVSS V2: 6.0
CVSS V3: -
Severity: MEDIUM
Stack-based buffer overflow in Open Direct Connect Hub (aka Open DC Hub or OpenDCHub) 0.8.1 allows remote authenticated users to execute arbitrary code via a long MyINFO message. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

TITLE: Fedora update for opendchub
SECUNIA ADVISORY ID: SA39664
VERIFY ADVISORY: http://secunia.com/advisories/39664/
DESCRIPTION: Fedora has issued an update for opendchub. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. For more information: SA39199
SOLUTION: Apply updated packages using the yum utility ("yum update opendchub").

TITLE: Open DC Hub "myinfo()" Buffer Overflow Vulnerability
SECUNIA ADVISORY ID: SA39199
VERIFY ADVISORY: http://secunia.com/advisories/39199/
DESCRIPTION: Pierre Noguès has discovered a vulnerability in Open DC Hub, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error within the "myinfo()" function in commands.c. This can be exploited to cause a stack-based buffer overflow via a specially crafted "MyINFO" message. Successful exploitation may allow execution of arbitrary code. The vulnerability is confirmed in version 0.8.1. Other versions may also be affected.
SOLUTION: Restrict network access to trusted users only.
PROVIDED AND/OR DISCOVERED BY: Pierre Noguès
ORIGINAL ADVISORY: http://www.indahax.com/exploits/opendchub-0-8-1-remote-code-execution-exploit

Workaround
==========
There is no known workaround at this time.

Resolution
==========
All Open DC Hub users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-p2p/opendchub-0.8.2"

References
==========
[ 1 ] CVE-2010-1147 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1147

Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201311-12.xml

Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
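The advisory above describes the bug only as a boundary error in myinfo(). As an added example, and not OpenDCHub's own commands.c, here is a hypothetical reconstruction in C of that bug class, a fixed-size stack buffer filled from the client's $MyINFO line without a length check, next to a handler that bounds the input before any copy. The message layout is a simplification of the Direct Connect "$MyINFO $ALL <nick> <description>$..." line, and the function names and size limits are this example's assumptions.

```c
/* Added example, not OpenDCHub's commands.c: a hypothetical reconstruction of
 * the bug class behind CVE-2010-1147 (fixed-size stack buffer filled from an
 * attacker-controlled $MyINFO line) next to a bounded handler. */
#include <stdio.h>
#include <string.h>

#define NICK_MAX    64
#define MYINFO_MAX  256

/* Hypothetical vulnerable shape: copies the client's description into a
 * fixed stack buffer without checking its length. A $MyINFO body longer than
 * MYINFO_MAX smashes the stack. Never call this with untrusted input; it is
 * here only to show the pattern and is not exercised below. */
int myinfo_unbounded(const char *line)
{
    char desc[MYINFO_MAX];
    const char *body = line + strlen("$MyINFO $ALL ");
    strcpy(desc, body);          /* no bound: stack overflow on long input */
    return (int)strlen(desc);
}

/* Bounded handler: validates the prefix, rejects over-long bodies before any
 * copy, and only then parses "<nick> <description>$...".
 * Returns 0 on success, -1 on malformed or over-long input. */
int myinfo_bounded(const char *line, char *nick, size_t nicklen,
                   char *desc, size_t desclen)
{
    static const char prefix[] = "$MyINFO $ALL ";
    size_t plen = sizeof prefix - 1;

    if (strncmp(line, prefix, plen) != 0)
        return -1;
    const char *body = line + plen;

    /* The length check happens on the input, not after the copy. */
    size_t blen = strlen(body);
    if (blen == 0 || blen >= MYINFO_MAX)
        return -1;

    /* The nick is terminated by the first space. */
    const char *sp = strchr(body, ' ');
    if (!sp)
        return -1;
    size_t nlen = (size_t)(sp - body);
    if (nlen == 0 || nlen >= nicklen || nlen >= NICK_MAX)
        return -1;
    memcpy(nick, body, nlen);
    nick[nlen] = '\0';

    /* The description runs up to the next '$' field separator. */
    const char *dstart = sp + 1;
    const char *dend = strchr(dstart, '$');
    size_t dlen = dend ? (size_t)(dend - dstart) : strlen(dstart);
    if (dlen >= desclen)
        return -1;
    memcpy(desc, dstart, dlen);
    desc[dlen] = '\0';
    return 0;
}
```

The essential change is the order of operations: the bounded version measures the attacker-controlled body and rejects it before anything is written to a stack buffer, and every later copy is sized against the destination the caller passed in rather than against the input.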
VAR-201003-0207 CVE-2010-0527 Apple QuickTime Integer overflow vulnerability CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Integer overflow in Apple QuickTime before 7.6.6 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PICT image. The QuickTime 7.6.6 update also addresses issues that arise when the application handles specially crafted H.264, MPEG-4, and FlashPix video files. Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions. Versions prior to QuickTime 7.6.6 are vulnerable on Windows 7, Vista, XP, and Mac OS X platforms. Apple QuickTime is a very popular multimedia player.

BACKGROUND
"Apple QuickTime is software that allows Mac and Windows users to play back audio and video on their computers. But taking a deeper look, QuickTime is many things: a file format, an environment for media authoring and a suite of applications" from Apple.com

II. DESCRIPTION
VUPEN Vulnerability Research Team discovered a vulnerability in Apple Quicktime.

III. Exploits - PoCs & Binary Analysis
In-depth binary analysis of the vulnerability and an exploit code have been released by VUPEN through the VUPEN Binary Analysis & Exploits Service: http://www.vupen.com/exploits

V. SOLUTION
Upgrade to Apple QuickTime version 7.6.6: http://www.apple.com/quicktime/download/

VI. CREDIT
The vulnerability was discovered by Nicolas Joly of VUPEN Security

VII. ABOUT VUPEN Security
VUPEN is a leading IT security research company providing vulnerability management and security intelligence solutions which enable enterprises and institutions to eliminate vulnerabilities before they can be exploited, ensure security policy compliance and meaningfully measure and manage risks. Governmental and federal agencies, and global enterprises in the financial services, insurance, manufacturing and technology industries rely on VUPEN to improve their security, prioritize resources, cut time and costs, and stay ahead of the latest threats.
* VUPEN Vulnerability Notification Service: http://www.vupen.com/english/services
* VUPEN Binary Analysis & Exploits Service: http://www.vupen.com/exploits

VIII. REFERENCES
http://www.vupen.com/english/advisories/2010/0746
http://support.apple.com/kb/HT4104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0527

IX. DISCLOSURE TIMELINE
2009-05-28 - Vendor notified
2009-05-28 - Vendor response
2009-07-18 - Status update received
2009-10-30 - Status update received
2010-01-07 - Status update received
2010-03-11 - Status update received
2010-03-31 - Coordinated public Disclosure
VAR-201003-1099 CVE-2010-0532 Windows Run on Apple iTunes Elevation of privilege vulnerability in installation packages CVSS V2: 6.9
CVSS V3: -
Severity: MEDIUM
Race condition in the installation package in Apple iTunes before 9.1 on Windows allows local users to gain privileges by replacing an unspecified file with a Trojan horse. Apple iTunes is prone to a local privilege-escalation vulnerability. Successfully exploiting this issue may allow an attacker to execute arbitrary code with SYSTEM-level privileges. Versions prior to Apple iTunes 9.1 on Microsoft Windows platforms are vulnerable. Note: This BID was originally titled 'Apple iTunes Privilege Escalation and Denial of Service Vulnerabilities'; the denial-of-service issue has been given its own record (BID 39113) to better document it. A local user can replace a file that the installer later runs with a Trojan-horse copy and so obtain the installer's privileges.

TITLE: Apple iTunes Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA39135
VERIFY ADVISORY: http://secunia.com/advisories/39135/
DESCRIPTION: Some vulnerabilities have been reported in Apple iTunes, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to disclose sensitive information, cause a DoS (Denial of Service), or compromise a user's system.
1) Multiple errors in the ColorSync and ImageIO components when handling images can be exploited to disclose application memory or potentially execute arbitrary code. For more information see vulnerabilities #1 through #4 and #9 in: SA38932
2) An error when processing MP4 files can be exploited to trigger the execution of an infinite loop and render the application unusable after its restart via e.g. a specially crafted podcast.
3) During installation iTunes for Windows installs and executes certain files in a directory in the "%ALLUSERSPROFILE%\Application Data\" path. As standard permissions allow any user to write files to the path, this can be exploited to either create malicious files with specific names before installation or malicious libraries after installation, allowing execution of arbitrary code with SYSTEM privileges.
The vulnerabilities are reported in versions prior to 9.1.
SOLUTION: Update to version 9.1.
PROVIDED AND/OR DISCOVERED BY:
2) The vendor credits Sojeong Hong, Sourcefire VRT
3) Jason Geffner, NGSSoftware
CHANGELOG: 2010-03-31: Added additional information provided by NGSSoftware.
ORIGINAL ADVISORY: http://support.apple.com/kb/HT4105
OTHER REFERENCES: SA38932: http://secunia.com/advisories/38932/
Systems Affected: iTunes 9.0.0, iTunes 9.0.1, iTunes 9.0.2, iTunes 9.0.3 (versions previous to iTunes 9.0.0 not tested)
Risk: High
Apple Security Advisory ID: APPLE-SA-2010-03-30-2 [1]
Apple Knowledge Base Article: HT4105 [2]
CVE-ID: CVE-2010-0532
Status: Published

============
Introduction
============
This paper discusses how an unprivileged local attacker can elevate their privileges during an initial installation or update of iTunes for Windows. This advisory was not released until a fixed build of iTunes was released.

==========
Background
==========
"iTunes is a proprietary digital media player application, used for playing and organizing digital music and video files. The program is also an interface to manage the contents on Apple's popular iPod and other digital media players such as the iPhone and iPad. Additionally, iTunes can connect to the iTunes Store via the Internet to purchase and download music, music videos, television shows, applications, iPod games, audiobooks, podcasts, feature length films and movie rentals (not available in all countries), and ringtones (only used for iPhone)." [3]

10/22/09 Automated response received from Apple Inc.
10/28/09 Automated response received from Apple Inc.
10/29/09 iTunes 9.0.2 released
12/23/09 Status request sent to Apple Inc.
01/06/10 First personal response formally received from Apple Inc.
02/01/10 iTunes 9.0.3 released
03/30/10 iTunes 9.1.0 released, fixing elevation of privilege vulnerability
03/31/10 Advisory released

=============
Vulnerability
=============
Upon first-time installation, iTunes installs GEAR Software ASPI driver components and Microsoft Driver Install Frameworks API components in "%ALLUSERSPROFILE%\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86" for 32-bit installations and in "%ALLUSERSPROFILE%\Application Data\{0DD0EEEE-2A7C-411C-9243-1AE62F445FC3}\x64" for 64-bit installations. The installer installs in this directory DifXInstall32.exe or DifXInstall64.exe for 32-bit or 64-bit installations, respectively, along with DIFxAPI.dll and other files. After the installer writes these files to the directory, it will execute DifXInstall32.exe or DifXInstall64.exe in the context of Local System, a privileged user.

On a standard Windows installation, unprivileged users have write-access to "%ALLUSERSPROFILE%\Application Data". As such, prior to a first-time iTunes installation, an unprivileged attacker can create these directories and place a malicious executable at "%ALLUSERSPROFILE%\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86\DifXInstall32.exe" or "%ALLUSERSPROFILE%\Application Data\{0DD0EEEE-2A7C-411C-9243-1AE62F445FC3}\x64\DifXInstall64.exe", which could for example add the unprivileged attacker to the Administrators group in Windows when DifXInstall32.exe or DifXInstall64.exe is executed by a privileged user. During installation, the installer won't overwrite an existing DifXInstall32.exe or DifXInstall64.exe; it will execute the existing program in the context of Local System.

On the other hand, if iTunes is already installed on the system, an unprivileged attacker won't have access to overwrite DifXInstall32.exe, DifXInstall64.exe, or DIFxAPI.dll. However, unprivileged attackers still have write-access to create new files in "%ALLUSERSPROFILE%\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86" or "%ALLUSERSPROFILE%\Application Data\{0DD0EEEE-2A7C-411C-9243-1AE62F445FC3}\x64". Therefore, an unprivileged attacker could place into the directory a malicious DLL that DifXInstall32.exe, DifXInstall64.exe, or DIFxAPI.dll depends on. For example, DIFxAPI.dll imports setupapi.dll; an unprivileged attacker could place a malicious setupapi.dll file into that directory such that when DifXInstall32.exe or DifXInstall64.exe is executed, it loads DIFxAPI.dll, which in turn loads the malicious setupapi.dll placed beside it. That DLL could likewise add the unprivileged attacker to the Administrators group in Windows, since it runs in the privileged user's context. When an existing iTunes installation is updated to a newer version, the update installer will execute DifXInstall32.exe or DifXInstall64.exe in the context of Local System.

=======
Exploit
=======
Ideally, the attacker's DLL should have all the functionality of the DLL that the application expected to load, including the same exported functions. An attacker can patch the original DLL so that the attacker's code runs before the DLL's original DllMain code is executed, after which the original DllMain code is called. This allows the DLL to continue to operate as normal.

The program at http://www.malwareanalysis.com/releases/dllpatcher.zip [4] can be used to redirect a given DLL's entrypoint (which originally pointed to DllMain) to point to code that has been patched into the DLL. This patched-in code will add a given user to the Administrators group in Windows (assuming that it's being run in the context of a privileged user), after which it will transfer control back to the DLL's original DllMain. The patcher also updates the Import Table for the DLL since the patched-in code relies on the function NetLocalGroupAddMembers(...) from netapi32.dll. The only other side effect of the patcher is that it clears the Bound Imports for the DLL; the only adverse side effect of this is that this may cause the DLL to take a few extra milliseconds to load. The patcher is compatible with both 32-bit and 64-bit DLLs and displays usage instructions when executed without command line arguments.

As an example, an attacker could use this patcher as follows to patch setupapi.dll so that it will add unprivileged user MyComputer\Jason to the Administrators group when the DLL is loaded by a privileged user:

DllPatcher.exe %WINDIR%\system32\setupapi.dll "%ALLUSERSPROFILE%\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86\setupapi.dll" MyComputer\Jason

==========
Conclusion
==========
Proper ACLs should be used to prevent such elevation of privilege attacks and great care should be taken when choosing which directories to use for executable files. NGSSoftware would like to thank Alex Ionescu for his assistance in communications with the Apple Product Security Team.

===============
Fix Information
===============
This issue has now been resolved. iTunes 9.1.0 can be downloaded from: http://www.apple.com/itunes/download

==========
References
==========
[1] http://lists.apple.com/archives/security-announce/2010/Mar/msg00003.html
[2] http://support.apple.com/kb/HT4105
[3] http://en.wikipedia.org/wiki/ITunes
[4] http://www.malwareanalysis.com/releases/dllpatcher.zip

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070
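The advisory above turns on two conditions: the installer executes a helper it did not necessarily create (the pre-planted DifXInstall32.exe), and it does so from a directory other users can write to (the sibling setupapi.dll). An installer's staging step can refuse both. The following is an added example that is not Apple's or NGSSoftware's code; it is written against POSIX ownership and mode bits so that it runs anywhere, whereas on Windows the directory check would inspect the DACL for write or create-file rights granted to Users or Everyone. The function names, paths and results are this example's own.

```c
/* Added example (not Apple's or NGSSoftware's code): the two preconditions
 * from the iTunes advisory, refused by a staging routine an installer can
 * run before it executes a helper it has just written.
 *   1. Refuse a helper that already exists (a pre-planted executable).
 *   2. Refuse a staging directory that anyone other than the installer's
 *      own user can write to (the sibling-DLL planting case). On Windows
 *      the equivalent is the directory DACL; here it is mode and owner. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum stage_result {
    STAGE_OK = 0,
    STAGE_DIR_WRITABLE_BY_OTHERS,
    STAGE_PREEXISTING,
    STAGE_IO_ERROR
};

/* Write `payload` to dir/name only if the directory is private to us and the
 * file does not exist yet. Returns a stage_result value. */
int stage_helper(const char *dir, const char *name, const char *payload, size_t len)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return STAGE_IO_ERROR;
    /* Directory must be owned by us and not group/world writable; a
     * world-writable staging directory is exactly the iTunes condition. */
    if (st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return STAGE_DIR_WRITABLE_BY_OTHERS;

    char path[4096];
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return STAGE_IO_ERROR;

    /* O_EXCL makes creation fail if the file already exists, so a file
     * pre-planted under this name is detected instead of executed later.
     * O_NOFOLLOW refuses a symlink planted at the path. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0700);
    if (fd < 0)
        return errno == EEXIST ? STAGE_PREEXISTING : STAGE_IO_ERROR;
    ssize_t w = write(fd, payload, len);
    close(fd);
    return (w == (ssize_t)len) ? STAGE_OK : STAGE_IO_ERROR;
}

/* Self-contained demonstration on a constructed temp directory: a clean
 * private directory, a pre-planted helper, then a world-writable directory.
 * Fills in the three results and returns 0, or -1 if setup failed. */
int demo_staging(int *r_private, int *r_preplanted, int *r_worldwritable)
{
    char tmpl[] = "/tmp/stageXXXXXX";
    char *dir = mkdtemp(tmpl);          /* created 0700, owned by us */
    if (!dir)
        return -1;
    const char payload[] = "#!/bin/sh\necho helper\n";

    *r_private = stage_helper(dir, "helper.sh", payload, sizeof payload - 1);
    /* helper.sh now pre-exists: this is the planted-DifXInstall32.exe case */
    *r_preplanted = stage_helper(dir, "helper.sh", payload, sizeof payload - 1);
    /* loosen the directory: now anyone could plant a sibling library */
    chmod(dir, 0777);
    *r_worldwritable = stage_helper(dir, "other.sh", payload, sizeof payload - 1);

    char p[4096];
    snprintf(p, sizeof p, "%s/helper.sh", dir);
    unlink(p);
    rmdir(dir);
    return 0;
}
```

The directory check is the one that matters for the post-install case: O_EXCL stops a pre-planted executable, but it cannot stop a DLL dropped next to a legitimately written helper, which is why the advisory's conclusion is about ACLs on the directory rather than about the files.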
VAR-201003-1094 CVE-2010-0531 Apple iTunes Service disruption in (DoS) Vulnerabilities CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Apple iTunes before 9.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted MP4 podcast file. Apple iTunes is prone to a remote denial-of-service vulnerability. Successful exploits may allow an attacker to crash the application, resulting in a denial-of-service condition. Versions prior to iTunes 9.1 are vulnerable. Note: This issue was previously described in BID 39092 (Apple iTunes Privilege Escalation and Denial of Service Vulnerabilities) but has been given its own record to better document it. Apple iTunes is a media player program.

TITLE: Apple iTunes Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA39135
VERIFY ADVISORY: http://secunia.com/advisories/39135/
DESCRIPTION: Some vulnerabilities have been reported in Apple iTunes (the full list appears under SA39135 in VAR-201003-1099 above); the one that applies to this record is:
2) An error when processing MP4 files can be exploited to trigger the execution of an infinite loop and render the application unusable after its restart via e.g. a specially crafted podcast.
The vulnerabilities are reported in versions prior to 9.1.
SOLUTION: Update to version 9.1.
PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Sojeong Hong, Sourcefire VRT
ORIGINAL ADVISORY: http://support.apple.com/kb/HT4105
VAR-201003-0228 CVE-2010-0523 Apple Mac OS X of Wiki Vulnerability in server where important information is obtained CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Wiki Server in Apple Mac OS X 10.5.8 does not restrict the file types of uploaded files, which allows remote attackers to obtain sensitive information or possibly have unspecified other impact via a crafted file, as demonstrated by a Java applet. Apple Mac OS X Wiki Server is prone to a security-bypass vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to upload active content to the application; this may let the attacker access sensitive information or launch other attacks. This issue affects Mac OS X Server 10.5.8 and prior. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. A remote attacker can upload a malicious applet and trick Wiki Server users into viewing it, which lets the applet disclose sensitive information.
VAR-201003-0227 CVE-2010-0522 Apple Mac OS X Vulnerabilities related to processing of administrator privileges in server management CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
Server Admin in Apple Mac OS X Server 10.5.8 does not properly determine the privileges of users who had former membership in the admin group, which allows remote authenticated users to leverage this former membership to obtain a server connection via screen sharing. Apple Mac OS X is prone to a security-bypass vulnerability that occurs in the Server Admin component. A remote attacker with former administrator privileges may exploit this issue to gain unauthorized access to the vulnerable computer. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it
VAR-201003-0218 CVE-2010-0513 Apple Mac OS X of PS Normalizer Vulnerable to stack-based buffer overflow CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Stack-based buffer overflow in PS Normalizer in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PostScript document. An attacker can exploit this issue by enticing a user into opening a specially crafted PostScript file. A successful exploit will allow attackers to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. Mac OS X is the operating system used by the Apple family of machines.
VAR-201003-0208 CVE-2010-0528 Windows Run on Apple QuickTime Vulnerable to arbitrary code execution CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Apple QuickTime before 7.6.6 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted color tables in a movie file, related to malformed MediaVideo data, a sample description atom (STSD), and a crafted length value. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists during the parsing of malformed MediaVideo data from a sample description atom (STSD). The application will read a length from the file, subtract 1 and then use it as a counter for a loop. Certain values may cause memory corruption and can result in code execution under the context of the current user. The QuickTime 7.6.6 update also addresses issues that arise when the application handles specially crafted H.264, MPEG-4, and FlashPix video files. Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions. Versions prior to QuickTime 7.6.6 are vulnerable on Windows 7, Vista, XP, and Mac OS X platforms. Apple QuickTime is a popular multimedia player from Apple that supports multiple media formats.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT4104

-- Disclosure Timeline:
2009-08-20 - Vulnerability reported to vendor
2010-04-02 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by: * Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi

Posted to Full-Disclosure (Charter: http://lists.grok.org.uk/full-disclosure-charter.html), hosted and sponsored by Secunia - http://secunia.com/
VAR-201003-0209 CVE-2010-0529 Windows Run on Apple QuickTime of QuickTime.qts Vulnerable to arbitrary code execution CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Heap-based buffer overflow in QuickTime.qts in Apple QuickTime before 7.6.6 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PICT image with a BkPixPat opcode (0x12) containing crafted values that are used in a calculation for memory allocation. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the primary QuickTime.qts library when parsing the BkPixPat opcode (0x12) within a PICT file. The application will use 2 fields within the file in a multiply which is then passed as an argument to an allocation. As both operands in the multiply are user-controllable, specific values can cause an under-allocation which will later result in a heap overflow. Successful exploitation can lead to code execution under the context of the current user. Apple QuickTime is prone to a heap-based buffer-overflow vulnerability because it fails to sufficiently validate user-supplied data when parsing PICT images. The QuickTime 7.6.6 update also addresses issues that arise when the application handles specially crafted H.264, MPEG-4, and FlashPix video files. Versions prior to QuickTime 7.6.6 are vulnerable on Windows 7, Vista, XP, and Mac OS X platforms. Apple QuickTime is multimedia playback software developed by Apple. The software can handle multiple sources such as digital video and media segments.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT4104

-- Disclosure Timeline:
2009-11-06 - Vulnerability reported to vendor
2010-04-06 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by: * Damian Put
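The two ZDI descriptions above, the STSD record for CVE-2010-0528 and this BkPixPat record, come down to unchecked integer arithmetic on file-controlled values: a length that is decremented before use as a loop counter, and two fields multiplied to size an allocation. Below is an added example in C, not QuickTime code, showing each mistake beside its checked form and a small parser that applies the allocation check to a constructed record. The record layout, field widths and names are this example's assumptions, and the reading that a length of 0 wraps the decremented counter is this example's interpretation; the advisory says only "certain values".

```c
/* Added example (not QuickTime code): the two arithmetic mistakes described
 * in the STSD (CVE-2010-0528) and BkPixPat (CVE-2010-0529) advisories,
 * reproduced as minimal parsing logic with the unchecked form beside the
 * checked one. Field names and the record layout are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* --- CVE-2010-0528 pattern: read a length, subtract 1, loop that many
 * times. With length == 0 an unsigned subtraction wraps to 0xFFFFFFFF. --- */

/* Unchecked: the number of iterations the parser would run. */
uint32_t stsd_iterations_unchecked(uint32_t length_from_file)
{
    return length_from_file - 1u;         /* 0 -> 4294967295 iterations */
}

/* Checked: the length must be at least 1 and the resulting count may not
 * exceed what the remaining atom bytes can hold (entry_size bytes each). */
int stsd_iterations_checked(uint32_t length_from_file, size_t bytes_remaining,
                            size_t entry_size, uint32_t *iterations)
{
    if (length_from_file == 0 || entry_size == 0)
        return -1;
    uint32_t n = length_from_file - 1u;
    if ((size_t)n > bytes_remaining / entry_size)
        return -1;
    *iterations = n;
    return 0;
}

/* --- CVE-2010-0529 pattern: two file-controlled fields multiplied to size
 * an allocation. row_bytes * height can wrap to a small value, the buffer is
 * under-allocated, and the later copy of the real pixel data overflows it. --- */

/* Unchecked: the product as a 32-bit parser computes it. */
uint32_t pixpat_alloc_size_unchecked(uint32_t row_bytes, uint32_t height)
{
    return row_bytes * height;            /* wraps silently */
}

/* Checked: compute in 64 bits, reject zero operands, and cap against a sane
 * maximum so a valid-but-huge product cannot exhaust memory. */
#define PIXPAT_MAX_BYTES (64u * 1024u * 1024u)
void *pixpat_alloc_checked(uint32_t row_bytes, uint32_t height, size_t *size_out)
{
    uint64_t product = (uint64_t)row_bytes * (uint64_t)height;
    if (row_bytes == 0 || height == 0 || product > PIXPAT_MAX_BYTES)
        return NULL;
    *size_out = (size_t)product;
    return calloc(1, *size_out);
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical record: [u32 row_bytes][u32 height][pixel bytes...], big-endian.
 * Parses with the checked allocation and also refuses a record whose pixel
 * data is shorter than the header claims. Returns 0 and a calloc'd buffer
 * the caller frees, or -1. */
int pixpat_parse_checked(const uint8_t *buf, size_t len, uint8_t **pixels, size_t *npix)
{
    if (len < 8)
        return -1;
    uint32_t row_bytes = be32(buf), height = be32(buf + 4);
    size_t need;
    uint8_t *out = pixpat_alloc_checked(row_bytes, height, &need);
    if (!out)
        return -1;
    if (len - 8 < need) {                 /* file shorter than it claims */
        free(out);
        return -1;
    }
    memcpy(out, buf + 8, need);
    *pixels = out;
    *npix = need;
    return 0;
}
```

The common thread is that both checks are made on the values read from the file before they are used to drive a loop or size a buffer, and that the check is against something the parser actually knows (bytes remaining in the atom, an upper bound it is willing to allocate) rather than only against the wrap itself.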
VAR-201003-0203 CVE-2010-0536 Apple QuickTime on Windows vulnerable to arbitrary code execution CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Apple QuickTime before 7.6.6 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted BMP image. Apple QuickTime is prone to a memory-corruption vulnerability because it fails to sufficiently validate user-supplied data when viewing BMP images. These issues arise when the application handles specially crafted H.264, MPEG-4, and FlashPix video files. Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions. Versions prior to QuickTime 7.6.6 are vulnerable on Windows 7, Vista, XP, and Mac OS X platforms. Apple QuickTime is a very popular multimedia player.
VAR-201003-0140 CVE-2010-0060 CoreAudio in Apple Mac OS X vulnerable to arbitrary code execution CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
CoreAudio in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted audio content with QDMC encoding. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists in the QuickTimeAudioSupport.qtx library when parsing malformed QDMC and QDM2 codec atoms. By modifying specific values within the stream an attacker can cause heap corruption which can lead to arbitrary code execution in the context of the currently logged-in user. Apple QuickTime is prone to a memory-corruption vulnerability when decoding QDMC and QDMC2 encoded atoms. Failed exploit attempts will likely result in a denial-of-service condition. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. Mac OS X is the operating system used by the Apple family of machines. A buffer overflow vulnerability exists in CoreAudio for Apple Mac OS X.
-- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT4077
-- Disclosure Timeline: 2009-09-22 - Vulnerability reported to vendor; 2010-04-02 - Coordinated public release of advisory
-- Credit: This vulnerability was discovered by: * Anonymous
VAR-201003-0141 CVE-2010-0062 CoreMedia and QuickTime in Apple Mac OS X heap-based buffer overflow vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: HIGH
Heap-based buffer overflow in quicktime.qts in CoreMedia and QuickTime in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a malformed .3g2 movie file with H.263 encoding that triggers an incorrect buffer length calculation. The code within QuickTime trusts various values from MDAT structures and uses them during operations on heap memory. By crafting specific values the corruption can be leveraged to execute remote code in the context of the user running the application. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within quicktime.qts when parsing sample data from a malformed .3g2 file that uses the H.263 codec. While parsing data to render the video stream, the application miscalculates the length of a buffer. Later, when decompressing data into the heap chunk, the application overflows the under-allocated buffer, leading to code execution in the context of the currently logged-in user. Failed exploit attempts will likely result in a denial-of-service condition. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. Mac OS X is the operating system used by the Apple family of machines.
-- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT4077
-- Disclosure Timeline: 2009-08-10 - Vulnerability reported to vendor; 2010-04-02 - Coordinated public release of advisory
-- Credit: This vulnerability was discovered by: * Damian Put * Anonymous
VAR-201005-0432 No CVE Multiple 3Com H3C Devices SSH Service Denial of Service Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
Multiple 3Com H3C switches have security issues, and remote attackers can exploit vulnerabilities to perform denial of service attacks on their SSH servers. An unspecified error exists in the built-in SSH server. An attacker who sends a specially constructed SSH message can cause the device to restart. Multiple 3Com H3C devices are prone to a remote denial-of-service vulnerability. Successfully exploiting this issue allows remote attackers to cause the affected device to restart, denying service to legitimate users. This issue affects the H3C S3100, Switch 4500, and Switch 4200G series of products. The vulnerability is caused by an unspecified error and can be exploited to cause an affected device to reboot by sending specially crafted SSH packets to it. Successful exploitation requires that the device is configured as an SSH server.
SOLUTION: Update to the latest versions. H3C S3100-52P: Update to Comware 3.10 Release 1702P13. 3Com Switch 4500: Update to version 3.03.02p09. 3Com Switch 4200: Update to version 3.2.4.
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY: 3Com H3C (LSOD09619): http://support.3com.com/documents/H3C/switches/3100/H3C_S3100-52P_CMW3.10.R1702P13_Release_Notes.pdf http://support.3com.com/documents/switches/4500/Switch_4500_V3.03.02p09_Release_Notes.pdf 3Com H3C (LSOD09646): http://support.3com.com/documents/switches/4200G/Switch_4200G_V3.02.04_Release_Notes.pdf
VAR-201003-0493 CVE-2010-1184 Microsoft wireless keyboard vulnerability allowing arbitrary command injection CVSS V2: 7.6
CVSS V3: -
Severity: HIGH
The Microsoft wireless keyboard uses XOR encryption with a key derived from the MAC address, which makes it easier for remote attackers to obtain keystroke information and inject arbitrary commands via a nearby wireless device, as demonstrated by Keykeriki 2. There is a vulnerability in the encryption algorithm of the Microsoft wireless keyboard.
VAR-201003-0214 CVE-2010-0509 SFLServer in Apple Mac OS X elevation of privilege vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
SFLServer in OS Services in Apple Mac OS X before 10.6.3 allows local users to gain privileges via vectors related to use of wheel group membership during access to the home directories of user accounts. Apple Mac OS X is prone to a local privilege-escalation vulnerability affecting the 'SFLServer' application. Successful exploits can allow attackers to execute arbitrary code with system-level privileges, resulting in the complete compromise of the affected computer. The following are vulnerable: Mac OS X 10.5.8; Mac OS X Server 10.5.8; Mac OS X 10.6 through 10.6.2; Mac OS X Server 10.6 through 10.6.2. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it.
VAR-201003-0490 CVE-2010-1181 Safari on Apple iPhone OS denial of service (DoS) vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Safari on Apple iPhone OS 3.1.3 for iPod touch allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long string in a MARQUEE element. iPod touch is prone to a denial-of-service vulnerability. Apple iPhone is the latest smartphone from Apple.
VAR-201003-0487 CVE-2010-1178 Safari on Apple iPhone OS denial of service (DoS) vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Safari on Apple iPhone OS 3.1.3 for iPod touch allows remote attackers to cause a denial of service (application crash) via a JavaScript loop that attempts to construct an infinitely long string. Apple iPhone is the latest smartphone from Apple.
VAR-201003-0243 CVE-2010-0508 Vulnerability in Mail in Apple Mac OS X CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Mail in Apple Mac OS X before 10.6.3 does not disable the filter rules associated with a deleted mail account, which has unspecified impact and attack vectors. An attacker can exploit this issue to perform unauthorized actions. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. Mac OS X is the operating system used by the Apple family of machines. When an email account is deleted, the user-defined filtering rules associated with that account remain in effect, which may lead to unexpected operations.
VAR-201003-0242 CVE-2010-0507 Image RAW in Apple Mac OS X vulnerable to buffer overflow CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Buffer overflow in Image RAW in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PEF image. Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions. The following are vulnerable: Mac OS X 10.5.8; Mac OS X Server 10.5.8; Mac OS X 10.6 prior to 10.6.3; Mac OS X Server 10.6 prior to 10.6.3. NOTE: This issue was previously covered in BID 39020 (Apple Mac OS X APPLE-SA-2010-03-29-1 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. Viewing a specially crafted PEF image may lead to an unexpected application termination or arbitrary code execution.