VARIoT IoT vulnerabilities database
| VAR-200809-0570 | CVE-2008-3972 | OpenSC of pkcs15-tool Vulnerabilities exploiting vulnerabilities in |
CVSS V2: 6.6 CVSS V3: - Severity: MEDIUM |
pkcs15-tool in OpenSC before 0.11.6 does not apply security updates to a smart card unless the card's label matches the "OpenSC" string, which might allow physically proximate attackers to exploit vulnerabilities that the card owner expected were patched, as demonstrated by exploitation of CVE-2008-2235. Opensc is prone to a local security vulnerability. OpenSC is a smart card program and application library. ----------------------------------------------------------------------
Do you need accurate and reliable IDS / IPS / AV detection rules?
Get in-depth vulnerability details:
http://secunia.com/binary_analysis/sample_analysis/
----------------------------------------------------------------------
TITLE:
SUSE Update for Multiple Packages
SECUNIA ADVISORY ID:
SA32099
VERIFY ADVISORY:
http://secunia.com/advisories/32099/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Exposure of sensitive information, Privilege
escalation, DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
SUSE Linux Enterprise Server 9
http://secunia.com/advisories/product/4118/
SUSE Linux Enterprise Server 10
http://secunia.com/advisories/product/12192/
openSUSE 11.0
http://secunia.com/advisories/product/19180/
openSUSE 10.3
http://secunia.com/advisories/product/16124/
openSUSE 10.2
http://secunia.com/advisories/product/13375/
SOFTWARE:
Novell Open Enterprise Server 1.x
http://secunia.com/advisories/product/4664/
DESCRIPTION:
SUSE has issued an update for multiple packages. ----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
Highlights from the 2008 report:
* Vulnerability Research
* Software Inspection Results
* Secunia Research Highlights
* Secunia Advisory Statistics
Request the full 2008 Report here:
http://secunia.com/advisories/try_vi/request_2008_report/
Stay Secure,
Secunia
----------------------------------------------------------------------
TITLE:
Fedora update for opensc
SECUNIA ADVISORY ID:
SA34362
VERIFY ADVISORY:
http://secunia.com/advisories/34362/
DESCRIPTION:
Fedora has issued an update for opensc. This fixes some security
issues, which can be exploited by malicious people to bypass certain
security restrictions.
For more information:
SA31330
SA34052
SOLUTION:
Apply updated packages using the yum utility ("yum update opensc").
ORIGINAL ADVISORY:
FEDORA-2009-2267:
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00686.html
OTHER REFERENCES:
SA31330:
http://secunia.com/advisories/31330/
SA34052:
http://secunia.com/advisories/34052/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200809-0572 | CVE-2008-3631 | Apple iPod touch and iPhone of Application Sandbox Vulnerable to reading arbitrary files |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Application Sandbox in Apple iPod touch 2.0 through 2.0.2, and iPhone 2.0 through 2.0.2, does not properly isolate third-party applications, which allows attackers to read arbitrary files in a third-party application's sandbox via a different third-party application. Apple iPod touch and iPhone are prone to multiple remote vulnerabilities:
1. A vulnerability that may allow users to spoof websites.
2. An information-disclosure vulnerability.
3. A remote code-execution vulnerability.
Successfully exploiting these issues may allow attackers to execute arbitrary code, crash the affected application, obtain sensitive information, or direct unsuspecting victims to a spoofed site; other attacks are also possible.
These issues affect versions prior to iPod touch 2.1 and iPhone 2.1. ----------------------------------------------------------------------
We have updated our website, enjoy!
http://secunia.com/
----------------------------------------------------------------------
TITLE:
Apple iPod Touch Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA31823
VERIFY ADVISORY:
http://secunia.com/advisories/31823/
CRITICAL:
Highly critical
IMPACT:
Hijacking, Security Bypass, Spoofing, Exposure of sensitive
information, System access
WHERE:
>From remote
OPERATING SYSTEM:
Apple iPod touch
http://secunia.com/advisories/product/16074/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iPod touch,
which can be exploited by malicious applications to bypass certain
security features and by malicious people to poison the DNS cache,
spoof TCP connections, or potentially compromise a user's device. This
can be exploited by one application to read another application's
files.
2) Multiple errors exist in the included version of FreeType, which
potentially can be exploited by malicious people to execute arbitrary
code when accessing specially crafted font data.
For more information:
SA30600
3) mDNSResponder does not provide sufficient randomization, which can
be exploited to poison the DNS cache.
For more information:
SA30973
4) Generation of predictable TCP initial sequence numbers can be
exploited to spoof TCP connections or hijack sessions.
5) A use-after-free error in WebKit when handling CSS import
statements can potentially be exploited to execute arbitrary code via
a specially crafted website.
SOLUTION:
Update to version 2.1.
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Nicolas Seriot of Sen:te and Bryce Cogswell.
3) The vendor credits Dan Kaminsky, IOActive.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3026
OTHER REFERENCES:
SA30600:
http://secunia.com/advisories/30600/
SA30973:
http://secunia.com/advisories/30973/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
For more information:
SA31823
An error in the handling of emergency calls has also been reported.
This can be exploited to bypass the Passcode Lock feature and allows
users with physical access to an iPhone to launch applications
without the passcode
| VAR-200809-0567 | CVE-2008-3612 | Apple iPod touch and iPhone In TCP Vulnerability with predictable initial sequence number |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
The Networking subsystem in Apple iPod touch 2.0 through 2.0.2, and iPhone 2.0 through 2.0.2, uses predictable TCP initial sequence numbers, which allows remote attackers to spoof or hijack a TCP connection. Apple iPod touch and iPhone are prone to multiple remote vulnerabilities:
1. A vulnerability that may allow users to spoof websites.
2. An information-disclosure vulnerability.
3. A remote code-execution vulnerability.
Successfully exploiting these issues may allow attackers to execute arbitrary code, crash the affected application, obtain sensitive information, or direct unsuspecting victims to a spoofed site; other attacks are also possible.
These issues affect versions prior to iPod touch 2.1 and iPhone 2.1. ----------------------------------------------------------------------
We have updated our website, enjoy!
http://secunia.com/
----------------------------------------------------------------------
TITLE:
Apple iPod Touch Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA31823
VERIFY ADVISORY:
http://secunia.com/advisories/31823/
CRITICAL:
Highly critical
IMPACT:
Hijacking, Security Bypass, Spoofing, Exposure of sensitive
information, System access
WHERE:
>From remote
OPERATING SYSTEM:
Apple iPod touch
http://secunia.com/advisories/product/16074/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iPod touch,
which can be exploited by malicious applications to bypass certain
security features and by malicious people to poison the DNS cache,
spoof TCP connections, or potentially compromise a user's device.
1) An error in the application sandbox causes it to not properly
enforce access restrictions between third-party applications. This
can be exploited by one application to read another application's
files.
2) Multiple errors exist in the included version of FreeType, which
potentially can be exploited by malicious people to execute arbitrary
code when accessing specially crafted font data.
For more information:
SA30600
3) mDNSResponder does not provide sufficient randomization, which can
be exploited to poison the DNS cache.
5) A use-after-free error in WebKit when handling CSS import
statements can potentially be exploited to execute arbitrary code via
a specially crafted website.
SOLUTION:
Update to version 2.1.
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Nicolas Seriot of Sen:te and Bryce Cogswell.
3) The vendor credits Dan Kaminsky, IOActive.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3026
OTHER REFERENCES:
SA30600:
http://secunia.com/advisories/30600/
SA30973:
http://secunia.com/advisories/30973/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
For more information:
SA31823
An error in the handling of emergency calls has also been reported.
This can be exploited to bypass the Passcode Lock feature and allows
users with physical access to an iPhone to launch applications
without the passcode
| VAR-200809-0573 | CVE-2008-3632 | Apple iPod touch and iPhone of WebKit In Cascading Style sheet (CSS) Vulnerabilities |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through 2.0.2, and iPhone 1.0 through 2.0.2, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a web page with crafted Cascading Style Sheets (CSS) import statements. Apple iPod touch and iPhone are prone to multiple remote vulnerabilities:
1. A vulnerability that may allow users to spoof websites.
2. An information-disclosure vulnerability.
3. A remote code-execution vulnerability.
Successfully exploiting these issues may allow attackers to execute arbitrary code, crash the affected application, obtain sensitive information, or direct unsuspecting victims to a spoofed site; other attacks are also possible.
These issues affect versions prior to iPod touch 2.1 and iPhone 2.1.
1) An error in the application sandbox causes it to not properly
enforce access restrictions between third-party applications. This
can be exploited by one application to read another application's
files.
2) Multiple errors exist in the included version of FreeType, which
potentially can be exploited by malicious people to execute arbitrary
code when accessing specially crafted font data.
For more information:
SA30600
3) mDNSResponder does not provide sufficient randomization, which can
be exploited to poison the DNS cache.
For more information:
SA30973
4) Generation of predictable TCP initial sequence numbers can be
exploited to spoof TCP connections or hijack sessions.
3) The vendor credits Dan Kaminsky, IOActive.
For more information:
SA31823
An error in the handling of emergency calls has also been reported.
This can be exploited to bypass the Passcode Lock feature and allows
users with physical access to an iPhone to launch applications
without the passcode. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA35379
VERIFY ADVISORY:
http://secunia.com/advisories/35379/
DESCRIPTION:
Some vulnerabilities have been reported in Apple Safari, which can be
exploited by malicious people to disclose sensitive information or
compromise a user's system.
1) An error in the handling of TrueType fonts can be exploited to
corrupt memory when a user visits a web site embedding a specially
crafted font.
Successful exploitation may allow execution of arbitrary code.
2) Some vulnerabilities in FreeType can potentially be exploited to
compromise a user's system.
For more information:
SA34723
3) Some vulnerabilities in libpng can potentially be exploited to
compromise a user's system.
For more information:
SA33970
4) An error in the processing of external entities in XML files can
be exploited to read files from the user's system when a users visits
a specially crafted web page.
Other vulnerabilities have also been reported of which some may also
affect Safari version 3.x.
SOLUTION:
Upgrade to Safari version 4, which fixes the vulnerabilities.
PROVIDED AND/OR DISCOVERED BY:
1-3) Tavis Ormandy
4) Chris Evans of Google Inc.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3613
Chris Evans:
http://scary.beasts.org/security/CESA-2009-006.html
OTHER REFERENCES:
SA33970:
http://secunia.com/advisories/33970/
SA34723:
http://secunia.com/advisories/34723/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. ===========================================================
Ubuntu Security Notice USN-676-1 November 24, 2008
webkit vulnerability
CVE-2008-3632
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.10:
libwebkit-1.0-1 1.0.1-2ubuntu0.1
After a standard system upgrade you need to restart any applications that
use WebKit, such as Epiphany-webkit and Midori, to effect the necessary
changes
| VAR-200809-0206 | CVE-2008-3634 | Apple Mac OS X upper Apple iTunes Issue with incorrect information displayed on the firewall |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
Apple iTunes before 8.0 on Mac OS X 10.4.11, when iTunes Music Sharing is enabled but blocked by the host-based firewall, presents misleading information about firewall security, which might allow remote attackers to leverage an exposure that would be absent if the administrator were given better information.
This issue may lead to a false sense of security, potentially aiding in network-based attacks.
Versions prior to Apple iTunes 8.0 are vulnerable to this issue
| VAR-200809-0201 | CVE-2008-3628 | Windows upper Apple QuickTime In PICT Vulnerabilities related to illegal pointers in image processing |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Apple QuickTime before 7.5.5 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PICT image, related to an "invalid pointer issue.".
These issues arise when the application handles specially crafted PICT image files, movies, and QTVR movies. Successful exploits may allow attackers to gain remote unauthorized access in the context of a vulnerable user and to trigger a denial-of-service condition.
Versions prior to QuickTime 7.5.5 are affected.
NOTE: Two issues that were previously covered in this BID were given their own records to better document the details:
- CVE-2008-3626 was moved to BID 31546 ('Apple QuickTime 'STSZ' Atoms Memory Corruption Vulnerability')
- CVE-2008-3629 was moved to BID 31548 ('Apple QuickTime PICT Denial of Service Vulnerability'). Apple QuickTime is a very popular multimedia player. ----------------------------------------------------------------------
We have updated our website, enjoy!
http://secunia.com/
----------------------------------------------------------------------
TITLE:
Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA31821
VERIFY ADVISORY:
http://secunia.com/advisories/31821/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
>From remote
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/advisories/product/5090/
DESCRIPTION:
Multiple vulnerabilities have been reported in QuickTime, which can
be exploited by malicious people to compromise a user's system.
1) An error in the third-party Indeo5 codec for QuickTime can be
exploited to access uninitialised memory via a specially crafted
movie file.
2) A boundary error in QuickTimeInternetExtras.qtx when parsing files
via the third-party Indeo3.2 codec for QuickTime can be exploited to
cause a stack-based buffer overflow via a specially crafted movie
file.
3) A boundary error in the parsing of panorama atoms in QTVR
(QuickTime Virtual Reality) movie files can be exploited to cause a
heap-based buffer overflow via a specially crafted QTVR file.
4) A boundary error in the parsing of panorama PDAT atoms in QTVR
(QuickTime Virtual Reality) movie files can be exploited to cause a
stack-based buffer overflow via a QTVR file containing specially
crafted "maxTilt", "minFieldOfView", and "maxFieldOfView" elements.
6) An error in the CallComponentFunctionWithStorage() function when
parsing STSZ atoms in movie files can be exploited to corrupt memory
via a movie file containing a overly large entry in
sample_size_table.
7) Multiple errors when parsing H.264 encoded movie files (e.g. an
integer overflow when parsing AVC1 atoms and two errors when parsing
MDAT atoms) can be exploited to corrupt memory via a specially
crafted file.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
SOLUTION:
Update to version 7.5.5.
QuickTime 7.5.5 for Windows:
http://www.apple.com/support/downloads/quicktime755forwindows.html
QuickTime 7.5.5 for Leopard:
http://www.apple.com/support/downloads/quicktime755forleopard.html
QuickTime 7.5.5 for Tiger:
http://www.apple.com/support/downloads/quicktime755fortiger.html
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Paul Byrne, NGSSoftware.
2) Reported by an anonymous person via ZDI.
3) The vendor credits Roee Hay, IBM Rational Application Security
Research Group.
4) Reported by an anonymous person via ZDI.
5) Reported by an anonymous person via iDefense VCP.
6) Reported by an anonymous person via ZDI.
7) Reported by an anonymous person and Subreption via ZDI.
8) The vendor credits David Wharton.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3027
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-08-057/
http://www.zerodayinitiative.com/advisories/ZDI-08-058/
http://www.zerodayinitiative.com/advisories/ZDI-08-059/
http://www.zerodayinitiative.com/advisories/ZDI-08-060/
http://www.zerodayinitiative.com/advisories/ZDI-08-061/
http://www.zerodayinitiative.com/advisories/ZDI-08-062/
iDefense VCP:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=744
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200809-0203 | CVE-2008-3630 | Windows for Apple Bonjour of Bonjour Namespace Provider In DNS Vulnerability forged response |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
mDNSResponder in Apple Bonjour for Windows before 1.0.5, when an application uses the Bonjour API for unicast DNS, does not choose random values for transaction IDs or source ports in DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447. this is CVE-2008-1447 Is a different vulnerability.By a third party DNS The response may be spoofed and spoofed as a legitimate address.
An attacker may leverage this issue to forge unicast hostname resolution responses in applications that may use the application's API for DNS. Successful exploits allow attackers to redirect network traffic, which can aid in man-in-the-middle attacks.
Versions prior to Bonjour for Windows 1.0.5, included in Apple iTunes 8.0, are vulnerable to this issue. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201201-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: mDNSResponder: Multiple vulnerabilities
Date: January 20, 2012
Bugs: #290822
ID: 201201-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in mDNSResponder, which could
lead to execution of arbitrary code with root privileges.
Background
==========
mDNSResponder is a component of Apple's Bonjour, an initiative for
zero-configuration networking.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/mDNSResponder < 212.1 >= 212.1
Description
===========
Multiple vulnerabilities have been discovered in mDNSResponder. Please
review the CVE identifiers referenced below for details.
Impact
======
A local or remote attacker may be able to execute arbitrary code with
root privileges or cause a Denial of Service.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All mDNSResponder users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/mDNSResponder-212.1"
NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since November 21, 2009. It is likely that your system is
already no longer affected by this issue.
References
==========
[ 1 ] CVE-2007-2386
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2386
[ 2 ] CVE-2007-3744
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3744
[ 3 ] CVE-2007-3828
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3828
[ 4 ] CVE-2008-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0989
[ 5 ] CVE-2008-2326
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2326
[ 6 ] CVE-2008-3630
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3630
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201201-05.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
.
1) A NULL pointer dereference error in the Bonjour Namespace Provider
component when resolving ".local" domain names can be exploited to
cause a crash the application via a specially crafted ".local" domain
name containing an overly long DNS label.
SOLUTION:
Update to version 1.0.5.
http://www.apple.com/support/downloads/bonjourforwindows105.html
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Mario Ballano, 48bits.com.
2) Reported by the vendor.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT2990
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200809-0208 | CVE-2008-3636 | Gear Software CD DVD Filter driver privilege escalation vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Integer overflow in the IopfCompleteRequest API in the kernel in Microsoft Windows 2000, XP, Server 2003, and Vista allows context-dependent attackers to gain privileges. NOTE: this issue was originally reported for GEARAspiWDM.sys 2.0.7.5 in Gear Software CD DVD Filter driver before 4.001.7, as used in other products including Apple iTunes and multiple Symantec and Norton products, which allows local users to gain privileges via repeated IoAttachDevice IOCTL calls to \\.\GEARAspiWDMDevice in this GEARAspiWDM.sys. However, the root cause is the integer overflow in the API call itself. Windows upper Apple iTunes Contains an integer overflow vulnerability in the included third-party driver.Privilege may be elevated to a malicious local user.
Local attackers can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will cause a denial-of-service condition. Windows is a very popular operating system of Microsoft Corporation. [ HTML FORMATED Advisory ]
http://www.wintercore.com/advisories/advisory_W021008.html
[TEXT VERSION]
GearSoftware Powered Products Local Privilege Escalation
+ GEARASpiWDM.sys Insecure Method
+ Microsoft Windows Kernel IopfCompleteRequest Integer Overflow
:: Summary
1. Background
2. Non-technical description
3. Technical Description
4. Exploiting it
5. References
6. Affected Products
7. Credits
8. Disclosure Timeline
9. Contact
1. GEAR develops solutions for
professional premastering, DVD editing and authoring, and is also a
leading provider of development tools that enable software companies to
integrate optical recording technology into their own products. GEAR
technology is integrated into solutions from some of the world's most
prominent technology organizations, including Apple, Symantec, Siemens,
Kodak, Philips and Bosch, among many others"
www.gearsoftware.com
2. However,
the attack vector needed for taking advantage of this weakness has not
been identified on a out-of-box Windows installation. Therefore, a
third-party application is, so far, the unique possible attack vector
to exploit this issue.
This advisory covers the attack vector found in a widely extended
licensed application, GearSoftware Recording SDK, which was exposing the
kernel flaw to user-mode attackers through one of its filter drivers:
GEARAspiWDM.sys
Since this driver is a licensed solution, it is bundled with several
well-known products. To clarify as much as possible this vulnerability,
we should distinguish three different elements which make up the problem.
1.
2. The Attack Vector: GearAspiWDM.sys Insecure Method.
3. Vulnerable Products: Every GearSoftware powered product that is
bundled with GEARAspiWDM.sys. (e.g Norton 360, Apple iTunes...)
Whilst the underlying vulnerability is, under our point of view, a real
vulnerability, the Attack Vector may or may not be considered a
vulnerability by itself. Note that if we supress the underlying
vulnerability from the equation, then the attack vector turns out to be
practically useless, however by patching only the attack vector we will
always be facing the risk that another one comes to light.On the other
hand, this fact is not impossible but seems very unlikely.
Microsoft, as the vendor affected by the underlying vulnerability, Apple
and Symantec as Vulnerable Products were directly contacted . After
verifying the details provided Microsoft did not consider this flaw
elegible for a patch. Therefore,with the help of the US-CERT, Symantec,
Apple, GearSoftware and Wintercore were coordinated during the process
of resolving this issue by patching GEARAspiWDM.sys driver.
The final outcome is that the Attack Vector has been patched although
the underlying vulnerability still remains unpatched.
3. Technical Description.
The problem lies in how the stack locations are traversed while trying
to complete an IRP. Let's see
lkd> dt nt!_IRP
[...]
+0x022 StackCount : Char *signed*
+0x023 CurrentLocation : Char *signed*
[...]
Module: ntoskrnl.exe
Version: XP SP2
.text:0040CC01
.text:0040CC01 ; __fastcall IopfCompleteRequest(x, x)
.text:0040CC01 @IopfCompleteRequest@8 proc near ; CODE XREF:
IoPerfCompleteRequest(x,x)+88p
.text:0040CC01 ;
IoPerfCompleteRequest(x,x)+B8p ...
.text:0040CC01
.text:0040CC01 var_C = dword ptr -0Ch
.text:0040CC01 var_8 = dword ptr -8
.text:0040CC01 var_1 = byte ptr -1
.text:0040CC01
.text:0040CC01
.text:0040CC01 mov edi, edi
.text:0040CC03 push ebp
.text:0040CC04 mov ebp, esp
.text:0040CC06 sub esp, 10h
.text:0040CC09 push ebx
.text:0040CC0A push esi
.text:0040CC0B mov esi, ecx
.text:0040CC0D mov cl, [esi+23h] ; Irp->CurrentLocation
.text:0040CC10 mov [ebp+var_8], edx
.text:0040CC13 mov dl, [esi+22h] ; Irp->StackCount
.text:0040CC16 xor ebx, ebx
.text:0040CC18 inc dl ; Irp->StackCount+1
.text:0040CC1A cmp cl, dl
.text:0040CC1C push edi
.text:0040CC1D mov [ebp+var_C], ebx
.text:0040CC20 jg sub_444F81
.text:0040CC26 cmp word ptr [esi], 6 ; Irp->Type == IO_TYPE_IRP
.text:0040CC2A jnz sub_444F81
.text:0040CC30 mov edi, [esi+60h] ; Irp->CurrentStackLocation
.text:0040CC33 inc cl
.text:0040CC35 cmp cl, dl
.text:0040CC37 lea eax, [edi+24h]
.text:0040CC3A mov [esi+23h], cl ; Irp->CurrentLocation++
.text:0040CC3D mov [esi+60h], eax
;Irp->Tail->Overlay.CurrentStackLocation++
.text:0040CC40 jg short loc_40CCA6
.text:0040CC42 add edi, 3
{...}
.text:0040CC8D
.text:0040CC8D loc_40CC8D: ; CODE XREF: IopfCompleteRequest(x,x)+13Cj
.text:0040CC8D add dword ptr [esi+60h], 24h ; StackLocation++
.text:0040CC91 mov eax, [esi+60h]
.text:0040CC94 add edi, 24h
;Irp->Tail.Overlay.CurrentStackLocation++
.text:0040CC97 inc byte ptr [esi+23h] ; Irp->CurrentLocation++
.text:0040CC9A mov dl, [esi+22h] ; Irp->StackCount
.text:0040CC9D mov cl, [esi+23h] ; Irp->CurrentLocation
.text:0040CCA0 inc dl
.text:0040CCA2 cmp cl, dl ; if CurrentLocation <= StackCount+1
.text:0040CCA4 jle short loc_40CC45 ; Signed comparison - FLAW -
pStack = IoGetCurrentIrpStackLocation( Irp )
for( pStack,
Irp->Tail.Overlay.CurrentStackLocation++
Irp->CurrentLocation++;
Irp->CurrentLocation <= (CHAR) (Irp->StackCount + 1);
pStack++,
Irp->Tail.Overlay.CurrentStackLocation++
Irp->CurrentLocation++ )
{
...
}
Well, let's imagine an IRP where the StackCount and CurrentLocation = =
0x7e (pretty unusual but possible indeed)
After the first iterate within the for(){...} , CurrentLocation will be
0x80 which is a negative value so Irp->CurrentLocation <= (CHAR)
(Irp->StackCount+1) becomes TRUE.Hence, remaining iterations will be
running out of allocated memory, traversing arbitrary and invalid stack
locations.
4. Exploiting it.
Digging into the for{} loop we found out the following:
Module: ntoskrnl.exe
XP SP2 (32-bit)
.text:0040CD30 loc_40CD30: ; CODE XREF:
IopfCompleteRequest(x,x)+4B47j
.text:0040CD30 push dword ptr [edi+1Dh]
.text:0040CD33 push esi
.text:0040CD34 push eax
.text:0040CD35 call dword ptr [edi+19h]
.text:0040CD38 cmp eax, 0C0000016h
.text:0040CD3D jnz loc_40CC8D ; StackLocation++
pStack->CompletionRoutine(...)
We must note that once the flaw has been triggered the for{} is
traversing invalid stack locations where *(edi+19h) points to
undetermined memory. We also have to take into account the internals of
the IO Manager where the memory allocated for the IRPs is zeroed.
Therefore, it has been proven that by allocating user-mode memory at 0x0
we can control the function pointer dereferenced.
However, that's not always true since we may be traversing uninitialized
memory that holds random values. For that cases, it is also possible to
seed the memory by issuing FSCTL/IOCTL requests before triggering the
flaw,thus we can assure a high reliability exploiting this flaw.
Anyway, the hardest task is to discover a suitable attack vector since
you need to force a huge driver stack. The patched driver was found
implementing an insecure method by which, an unlimited number of calls
to IoAttachDevice (TargetDevice is also user-controlled) were available
from user-land, simply by issuing an IOCTL request.Since GearspiWDM.sys
is signed in Vista 64-bit, it is possible to bypass certain kernel
restrictions by exploiting this issue sucessfully.
The driver's insecure method is exposed via the following "free-for-all"
device:
+ "\\.\GEARAspiWDMDevice"
The flaw lies within the handler for the IOCTL = = 0x222020
Module: GEARspiWDM.sys
(32-bit)
.text:000114B2 loc_114B2: ; CODE XREF: sub_1137E+7Bj
.text:000114B2 cmp [ebp+var_1], 0
.text:000114B6 jz short loc_114CC
.text:000114B8 cmp [edi+54h], ecx
.text:000114BB jz short loc_114CC
.text:000114BD push ebx
.text:000114BE mov ecx, edi
.text:000114C0 call sub_11CA2 ; IRP_MJ_DEVICE_CONTROL Dispatch Routine
{...}
.text:00011CA2 mov eax, [esp+arg_0]
.text:00011CA6 mov edx, [eax+60h]
.text:00011CA9 mov edx, [edx+0Ch]
.text:00011CAC push esi
.text:00011CAD mov esi, 222010h
.text:00011CB2 cmp edx, esi
.text:00011CB4 ja short loc_11CF7
.text:00011CB6 jz short loc_11CEF
.text:00011CB8 sub edx, 222000h
.text:00011CBE jz short loc_11CE7
{...}
.text:00011D10 loc_11D10: ; CODE XREF:
sub_11CA2+65j
.text:00011D10 push eax ; DeviceObject
.text:00011D11 call sub_11B90
||
\/
Module: GEARspiWDM.sys
(32-bit)
.text:00011B90 ; int __stdcall sub_11B90(PDEVICE_OBJECT DeviceObject)
.text:00011B90 sub_11B90 proc near ; CODE XREF:
sub_11CA2+6Fp
.text:00011B90
.text:00011B90 TargetDevice = UNICODE_STRING ptr -10h
.text:00011B90 var_8 = dword ptr -8
.text:00011B90 var_4 = dword ptr -4
.text:00011B90 DeviceObject = dword ptr 8
.text:00011B90
.text:00011B90 push ebp
.text:00011B91 mov ebp, esp
.text:00011B93 sub esp, 10h
.text:00011B96 mov eax, [ebp+DeviceObject]
.text:00011B99 mov eax, [eax+3Ch]
.text:00011B9C push ebx
.text:00011B9D xor ebx, ebx
.text:00011B9F cmp eax, ebx
.text:00011BA1 push edi
.text:00011BA2 mov edi, ecx
.text:00011BA4 mov [ebp+var_8], eax
.text:00011BA7 mov [ebp+DeviceObject], ebx
.text:00011BAA jnz short loc_11BB6
.text:00011BAC mov eax, 0C000000Dh
.text:00011BB1 jmp loc_11C9C
.text:00011BB6 ;
---------------------------------------------------------------------------
.text:00011BB6
.text:00011BB6 loc_11BB6: ; CODE XREF:
sub_11B90+1Aj
.text:00011BB6 push eax ; SourceString
.text:00011BB7 lea eax, [ebp+TargetDevice]
.text:00011BBA push eax ; DestinationString
.text:00011BBB call ds:RtlInitUnicodeString
{...}
.text:00011C3E lea edi, [esi+10h]
.text:00011C41 push edi ; AttachedDevice
.text:00011C42 lea eax, [ebp+TargetDevice]
.text:00011C45 push eax ; TargetDevice ;
user-controlled
.text:00011C46 push [ebp+DeviceObject] ; SourceDevice
.text:00011C49 call ds:IoAttachDevice
5. References
GearSoftware Updated Drivers:
http://www.gearsoftware.com/support/drivers.cfm
KB-CERT: http://www.kb.cert.org/vuls/id/146896
Symantec:
http://www.symantec.com/avcenter/security/Content/2008.10.07a.html
Apple: http://support.apple.com/kb/HT3025
6. Affected Products
Product/File
Vulnerable Version
GearAspiWDM.sys
< 2.011.2 (32-bit) < 2.008.2.1 (64-bit)
Microsoft Windows Kernel All versions 32/64-bit + 2000 + 2003 + XP + Vista
Apple iTunes 7.x
Symantec Norton 360 2.0 and earlier
Symantec Norton Ghost 14.0 and earlier
Symantec Norton Save and Restore 2.0 and earlier
Symantec Backup Exec System Recovery 6.x, 7.x and 8.x
7. Credits
Vulnerability discovered and researched by Ruben Santamarta,
Wintercore.
8. Disclosure Timeline
11/14/2007 - Microsoft Contacted
12/26/2007 - Symantec Contacted
12/26/2007 - Apple Contacted
10/07/2008 - Coordinated Disclosure
9. Contact
Wintercore
Agustin de Betancourt, 21. 8th Floor.
28003 Madrid.
Spain.
Phone: +(34) 91 395 63 40
contact (at) wintercore (dot) com [email concealed]
www.wintercore.com
--
Wintercore
Agustin de Betancourt, 21. 8th Floor.
28003 Madrid. Spain.
Phone: +(34) 91 395 63 40
www.wintercore.com
| VAR-200809-0202 | CVE-2008-3629 | Apple QuickTime PICT Denial of Service Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Apple QuickTime before 7.5.5 allows remote attackers to cause a denial of service (application crash) via a crafted PICT image that triggers an out-of-bounds read. Apple QuickTime is prone to a denial-of-service vulnerability.
This issue arises when the application handles specially crafted PICT image files. Successful exploits may allow attackers to crash the affected application, denying service to legitimate users.
NOTE: This issue was previously described in BID 31086 (Apple QuickTime Movie/PICT/QTVR Multiple Remote Vulnerabilities) but has been given its own record to better document the vulnerability.
The following are vulnerable:
QuickTime 7.5 and earlier
Apple TV 2.1 and earlier.
1) An error in the third-party Indeo5 codec for QuickTime can be
exploited to access uninitialised memory via a specially crafted
movie file.
2) A boundary error in QuickTimeInternetExtras.qtx when parsing files
via the third-party Indeo3.2 codec for QuickTime can be exploited to
cause a stack-based buffer overflow via a specially crafted movie
file.
3) A boundary error in the parsing of panorama atoms in QTVR
(QuickTime Virtual Reality) movie files can be exploited to cause a
heap-based buffer overflow via a specially crafted QTVR file.
4) A boundary error in the parsing of panorama PDAT atoms in QTVR
(QuickTime Virtual Reality) movie files can be exploited to cause a
stack-based buffer overflow via a QTVR file containing specially
crafted "maxTilt", "minFieldOfView", and "maxFieldOfView" elements.
6) An error in the CallComponentFunctionWithStorage() function when
parsing STSZ atoms in movie files can be exploited to corrupt memory
via a movie file containing a overly large entry in
sample_size_table.
7) Multiple errors when parsing H.264 encoded movie files (e.g. an
integer overflow when parsing AVC1 atoms and two errors when parsing
MDAT atoms) can be exploited to corrupt memory via a specially
crafted file.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
SOLUTION:
Update to version 7.5.5.
QuickTime 7.5.5 for Windows:
http://www.apple.com/support/downloads/quicktime755forwindows.html
QuickTime 7.5.5 for Leopard:
http://www.apple.com/support/downloads/quicktime755forleopard.html
QuickTime 7.5.5 for Tiger:
http://www.apple.com/support/downloads/quicktime755fortiger.html
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Paul Byrne, NGSSoftware.
2) Reported by an anonymous person via ZDI.
3) The vendor credits Roee Hay, IBM Rational Application Security
Research Group.
4) Reported by an anonymous person via ZDI.
5) Reported by an anonymous person via iDefense VCP.
6) Reported by an anonymous person via ZDI.
7) Reported by an anonymous person and Subreption via ZDI.
8) The vendor credits David Wharton.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3027
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-08-057/
http://www.zerodayinitiative.com/advisories/ZDI-08-058/
http://www.zerodayinitiative.com/advisories/ZDI-08-059/
http://www.zerodayinitiative.com/advisories/ZDI-08-060/
http://www.zerodayinitiative.com/advisories/ZDI-08-061/
http://www.zerodayinitiative.com/advisories/ZDI-08-062/
iDefense VCP:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=744
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200809-0197 | CVE-2008-3624 | Apple QuickTime In QTVR Heap-based buffer overflow vulnerability in movie file handling |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Heap-based buffer overflow in Apple QuickTime before 7.5.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a QuickTime Virtual Reality (QTVR) movie file with crafted panorama atoms.
These issues arise when the application handles specially crafted PICT image files, movies, and QTVR movies. Successful exploits may allow attackers to gain remote unauthorized access in the context of a vulnerable user and to trigger a denial-of-service condition.
Versions prior to QuickTime 7.5.5 are affected.
NOTE: Two issues that were previously covered in this BID were given their own records to better document the details:
- CVE-2008-3626 was moved to BID 31546 ('Apple QuickTime 'STSZ' Atoms Memory Corruption Vulnerability')
- CVE-2008-3629 was moved to BID 31548 ('Apple QuickTime PICT Denial of Service Vulnerability'). Apple QuickTime is a very popular multimedia player. ----------------------------------------------------------------------
We have updated our website, enjoy!
http://secunia.com/
----------------------------------------------------------------------
TITLE:
Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA31821
VERIFY ADVISORY:
http://secunia.com/advisories/31821/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
>From remote
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/advisories/product/5090/
DESCRIPTION:
Multiple vulnerabilities have been reported in QuickTime, which can
be exploited by malicious people to compromise a user's system.
1) An error in the third-party Indeo5 codec for QuickTime can be
exploited to access uninitialised memory via a specially crafted
movie file.
6) An error in the CallComponentFunctionWithStorage() function when
parsing STSZ atoms in movie files can be exploited to corrupt memory
via a movie file containing a overly large entry in
sample_size_table.
7) Multiple errors when parsing H.264 encoded movie files (e.g. an
integer overflow when parsing AVC1 atoms and two errors when parsing
MDAT atoms) can be exploited to corrupt memory via a specially
crafted file.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
SOLUTION:
Update to version 7.5.5.
QuickTime 7.5.5 for Windows:
http://www.apple.com/support/downloads/quicktime755forwindows.html
QuickTime 7.5.5 for Leopard:
http://www.apple.com/support/downloads/quicktime755forleopard.html
QuickTime 7.5.5 for Tiger:
http://www.apple.com/support/downloads/quicktime755fortiger.html
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Paul Byrne, NGSSoftware.
2) Reported by an anonymous person via ZDI.
3) The vendor credits Roee Hay, IBM Rational Application Security
Research Group.
4) Reported by an anonymous person via ZDI.
5) Reported by an anonymous person via iDefense VCP.
6) Reported by an anonymous person via ZDI.
7) Reported by an anonymous person and Subreption via ZDI.
8) The vendor credits David Wharton.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3027
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-08-057/
http://www.zerodayinitiative.com/advisories/ZDI-08-058/
http://www.zerodayinitiative.com/advisories/ZDI-08-059/
http://www.zerodayinitiative.com/advisories/ZDI-08-060/
http://www.zerodayinitiative.com/advisories/ZDI-08-061/
http://www.zerodayinitiative.com/advisories/ZDI-08-062/
iDefense VCP:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=744
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200809-0207 | CVE-2008-3635 | Windows upper Apple QuickTime Used in Indeo v3.2 Codec stack-based buffer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in QuickTimeInternetExtras.qtx in an unspecified third-party Indeo v3.2 (aka IV32) codec for QuickTime, when used with Apple QuickTime before 7.5.5 on Windows, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of QuickTime files that utilize the Indeo video codec. A lack of proper bounds checking within QuickTimeInternetExtras.qtx can result in a stack based buffer overflow leading to arbitrary code execution under the context of the currently logged in user.
These issues arise when the application handles specially crafted PICT image files, movies, and QTVR movies. Successful exploits may allow attackers to gain remote unauthorized access in the context of a vulnerable user and to trigger a denial-of-service condition.
Versions prior to QuickTime 7.5.5 are affected.
NOTE: Two issues that were previously covered in this BID were given their own records to better document the details:
- CVE-2008-3626 was moved to BID 31546 ('Apple QuickTime 'STSZ' Atoms Memory Corruption Vulnerability')
- CVE-2008-3629 was moved to BID 31548 ('Apple QuickTime PICT Denial of Service Vulnerability'). Apple QuickTime is a very popular multimedia player.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT3027
-- Disclosure Timeline:
2008-08-19 - Vulnerability reported to vendor
2008-09-09 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is being sent by 3Com for the sole use of the intended recipient(s) and
may contain confidential, proprietary and/or privileged information.
Any unauthorized review, use, disclosure and/or distribution by any
recipient is prohibited. If you are not the intended recipient, please
delete and/or destroy all copies of this message regardless of form and
any included attachments and notify 3Com immediately by contacting the
sender via reply e-mail or forwarding to 3Com at postmaster@3com.com.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
We have updated our website, enjoy!
http://secunia.com/
----------------------------------------------------------------------
TITLE:
Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA31821
VERIFY ADVISORY:
http://secunia.com/advisories/31821/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
>From remote
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/advisories/product/5090/
DESCRIPTION:
Multiple vulnerabilities have been reported in QuickTime, which can
be exploited by malicious people to compromise a user's system.
1) An error in the third-party Indeo5 codec for QuickTime can be
exploited to access uninitialised memory via a specially crafted
movie file.
3) A boundary error in the parsing of panorama atoms in QTVR
(QuickTime Virtual Reality) movie files can be exploited to cause a
heap-based buffer overflow via a specially crafted QTVR file.
6) An error in the CallComponentFunctionWithStorage() function when
parsing STSZ atoms in movie files can be exploited to corrupt memory
via a movie file containing a overly large entry in
sample_size_table.
7) Multiple errors when parsing H.264 encoded movie files (e.g. an
integer overflow when parsing AVC1 atoms and two errors when parsing
MDAT atoms) can be exploited to corrupt memory via a specially
crafted file.
SOLUTION:
Update to version 7.5.5.
QuickTime 7.5.5 for Windows:
http://www.apple.com/support/downloads/quicktime755forwindows.html
QuickTime 7.5.5 for Leopard:
http://www.apple.com/support/downloads/quicktime755forleopard.html
QuickTime 7.5.5 for Tiger:
http://www.apple.com/support/downloads/quicktime755fortiger.html
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Paul Byrne, NGSSoftware.
2) Reported by an anonymous person via ZDI.
3) The vendor credits Roee Hay, IBM Rational Application Security
Research Group.
4) Reported by an anonymous person via ZDI.
5) Reported by an anonymous person via iDefense VCP.
6) Reported by an anonymous person via ZDI.
7) Reported by an anonymous person and Subreption via ZDI.
8) The vendor credits David Wharton.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3027
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-08-057/
http://www.zerodayinitiative.com/advisories/ZDI-08-058/
http://www.zerodayinitiative.com/advisories/ZDI-08-059/
http://www.zerodayinitiative.com/advisories/ZDI-08-060/
http://www.zerodayinitiative.com/advisories/ZDI-08-061/
http://www.zerodayinitiative.com/advisories/ZDI-08-062/
iDefense VCP:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=744
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200809-0189 | CVE-2008-3615 | Windows upper Apple QuickTime Used in Indeo v5 Codec memory corruption vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
ir50_32.qtx in an unspecified third-party Indeo v5 codec for QuickTime, when used with Apple QuickTime before 7.5.5 on Windows, accesses uninitialized memory, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file.
These issues arise when the application handles specially crafted PICT image files, movies, and QTVR movies. Successful exploits may allow attackers to gain remote unauthorized access in the context of a vulnerable user and to trigger a denial-of-service condition.
Versions prior to QuickTime 7.5.5 are affected.
NOTE: Two issues that were previously covered in this BID were given their own records to better document the details:
- CVE-2008-3626 was moved to BID 31546 ('Apple QuickTime 'STSZ' Atoms Memory Corruption Vulnerability')
- CVE-2008-3629 was moved to BID 31548 ('Apple QuickTime PICT Denial of Service Vulnerability'). Apple QuickTime is a very popular multimedia player. ----------------------------------------------------------------------
We have updated our website, enjoy!
http://secunia.com/
----------------------------------------------------------------------
TITLE:
Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA31821
VERIFY ADVISORY:
http://secunia.com/advisories/31821/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
>From remote
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/advisories/product/5090/
DESCRIPTION:
Multiple vulnerabilities have been reported in QuickTime, which can
be exploited by malicious people to compromise a user's system.
3) A boundary error in the parsing of panorama atoms in QTVR
(QuickTime Virtual Reality) movie files can be exploited to cause a
heap-based buffer overflow via a specially crafted QTVR file.
4) A boundary error in the parsing of panorama PDAT atoms in QTVR
(QuickTime Virtual Reality) movie files can be exploited to cause a
stack-based buffer overflow via a QTVR file containing specially
crafted "maxTilt", "minFieldOfView", and "maxFieldOfView" elements.
6) An error in the CallComponentFunctionWithStorage() function when
parsing STSZ atoms in movie files can be exploited to corrupt memory
via a movie file containing a overly large entry in
sample_size_table.
7) Multiple errors when parsing H.264 encoded movie files (e.g. an
integer overflow when parsing AVC1 atoms and two errors when parsing
MDAT atoms) can be exploited to corrupt memory via a specially
crafted file.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
SOLUTION:
Update to version 7.5.5.
QuickTime 7.5.5 for Windows:
http://www.apple.com/support/downloads/quicktime755forwindows.html
QuickTime 7.5.5 for Leopard:
http://www.apple.com/support/downloads/quicktime755forleopard.html
QuickTime 7.5.5 for Tiger:
http://www.apple.com/support/downloads/quicktime755fortiger.html
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Paul Byrne, NGSSoftware.
2) Reported by an anonymous person via ZDI.
3) The vendor credits Roee Hay, IBM Rational Application Security
Research Group.
4) Reported by an anonymous person via ZDI.
5) Reported by an anonymous person via iDefense VCP.
6) Reported by an anonymous person via ZDI.
7) Reported by an anonymous person and Subreption via ZDI.
8) The vendor credits David Wharton.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3027
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-08-057/
http://www.zerodayinitiative.com/advisories/ZDI-08-058/
http://www.zerodayinitiative.com/advisories/ZDI-08-059/
http://www.zerodayinitiative.com/advisories/ZDI-08-060/
http://www.zerodayinitiative.com/advisories/ZDI-08-061/
http://www.zerodayinitiative.com/advisories/ZDI-08-062/
iDefense VCP:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=744
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200809-0198 | CVE-2008-3625 | Apple QuickTime In panorama track PDAT Atom handling stack-based buffer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in Apple QuickTime before 7.5.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a QuickTime Virtual Reality (QTVR) movie file with crafted (1) maxTilt, (2) minFieldOfView, and (3) maxFieldOfView elements in panorama track PDAT atoms. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists in the handling of panorama track PDAT atoms. When the maxTilt, minFieldOfView and maxFieldOfView elements are corrupted, a stack buffer overflow occurs which can be further leveraged to execute arbitrary code under the context of the current user.
These issues arise when the application handles specially crafted PICT image files, movies, and QTVR movies. Successful exploits may allow attackers to gain remote unauthorized access in the context of a vulnerable user and to trigger a denial-of-service condition.
Versions prior to QuickTime 7.5.5 are affected.
NOTE: Two issues that were previously covered in this BID were given their own records to better document the details:
- CVE-2008-3626 was moved to BID 31546 ('Apple QuickTime 'STSZ' Atoms Memory Corruption Vulnerability')
- CVE-2008-3629 was moved to BID 31548 ('Apple QuickTime PICT Denial of Service Vulnerability'). Apple QuickTime is a very popular multimedia player. Remote attackers can use specially constructed PICT pictures to cause program crashes and denial of service. This attack is related to null pointer assignment. ZDI-08-058: Apple QuickTime Panorama PDAT Atom Parsing Buffer Overflow
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-058
September 9, 2008
-- CVE ID:
CVE-2008-3625
-- Affected Vendors:
Apple
-- Affected Products:
Apple Quicktime
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6242.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT3027
-- Disclosure Timeline:
2008-06-25 - Vulnerability reported to vendor
2008-09-09 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is being sent by 3Com for the sole use of the intended recipient(s) and
may contain confidential, proprietary and/or privileged information.
Any unauthorized review, use, disclosure and/or distribution by any
recipient is prohibited. If you are not the intended recipient, please
delete and/or destroy all copies of this message regardless of form and
any included attachments and notify 3Com immediately by contacting the
sender via reply e-mail or forwarding to 3Com at postmaster@3com.com.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
We have updated our website, enjoy!
http://secunia.com/
----------------------------------------------------------------------
TITLE:
Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA31821
VERIFY ADVISORY:
http://secunia.com/advisories/31821/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
>From remote
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/advisories/product/5090/
DESCRIPTION:
Multiple vulnerabilities have been reported in QuickTime, which can
be exploited by malicious people to compromise a user's system.
1) An error in the third-party Indeo5 codec for QuickTime can be
exploited to access uninitialised memory via a specially crafted
movie file.
6) An error in the CallComponentFunctionWithStorage() function when
parsing STSZ atoms in movie files can be exploited to corrupt memory
via a movie file containing a overly large entry in
sample_size_table.
7) Multiple errors when parsing H.264 encoded movie files (e.g. an
integer overflow when parsing AVC1 atoms and two errors when parsing
MDAT atoms) can be exploited to corrupt memory via a specially
crafted file.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
SOLUTION:
Update to version 7.5.5.
QuickTime 7.5.5 for Windows:
http://www.apple.com/support/downloads/quicktime755forwindows.html
QuickTime 7.5.5 for Leopard:
http://www.apple.com/support/downloads/quicktime755forleopard.html
QuickTime 7.5.5 for Tiger:
http://www.apple.com/support/downloads/quicktime755fortiger.html
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Paul Byrne, NGSSoftware.
2) Reported by an anonymous person via ZDI.
3) The vendor credits Roee Hay, IBM Rational Application Security
Research Group.
4) Reported by an anonymous person via ZDI.
5) Reported by an anonymous person via iDefense VCP.
6) Reported by an anonymous person via ZDI.
7) Reported by an anonymous person and Subreption via ZDI.
8) The vendor credits David Wharton.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3027
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-08-057/
http://www.zerodayinitiative.com/advisories/ZDI-08-058/
http://www.zerodayinitiative.com/advisories/ZDI-08-059/
http://www.zerodayinitiative.com/advisories/ZDI-08-060/
http://www.zerodayinitiative.com/advisories/ZDI-08-061/
http://www.zerodayinitiative.com/advisories/ZDI-08-062/
iDefense VCP:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=744
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200809-0199 | CVE-2008-3626 | Apple QuickTime of CallComponentFunctionWithStorage Function memory corruption vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
The CallComponentFunctionWithStorage function in Apple QuickTime before 7.5.5 does not properly handle a large entry in the sample_size_table in STSZ atoms, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists in the handling of STSZ atoms within the function CallComponentFunctionWithStorage(). Failed exploit attempts will likely cause denial-of-service conditions.
This issue affects versions prior to QuickTime 7.5.5 for OS X 10.4 and 10.5, for Microsoft Windows Vista, and for Windows XP SP2 and SP3. The issue also affects Apple TV 1.0 up to and including 2.1.
NOTE: This issue was previously described in BID 31086 (Apple QuickTime Movie/PICT/QTVR Multiple Remote Vulnerabilities) but has been given its own record to better document the vulnerability. Apple QuickTime is a very popular multimedia player. ZDI-08-059: Apple QuickTime STSZ Atom Parsing Heap Corruption
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-059
September 9, 2008
-- CVE ID:
CVE-2008-3626
-- Affected Vendors:
Apple
-- Affected Products:
Apple Quicktime
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6148.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT3027
-- Disclosure Timeline:
2008-05-15 - Vulnerability reported to vendor
2008-09-09 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is being sent by 3Com for the sole use of the intended recipient(s) and
may contain confidential, proprietary and/or privileged information.
Any unauthorized review, use, disclosure and/or distribution by any
recipient is prohibited. If you are not the intended recipient, please
delete and/or destroy all copies of this message regardless of form and
any included attachments and notify 3Com immediately by contacting the
sender via reply e-mail or forwarding to 3Com at postmaster@3com.com.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
5) An integer overflow in the parsing of PICT images can be exploited
via a specially crafted PICT image.
7) Multiple errors when parsing H.264 encoded movie files (e.g.
8) An error in the parsing of PICT images can be exploited via a
specially crafted PICT image file.
SOLUTION:
Update to version 7.5.5.
QuickTime 7.5.5 for Windows:
http://www.apple.com/support/downloads/quicktime755forwindows.html
QuickTime 7.5.5 for Leopard:
http://www.apple.com/support/downloads/quicktime755forleopard.html
QuickTime 7.5.5 for Tiger:
http://www.apple.com/support/downloads/quicktime755fortiger.html
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Paul Byrne, NGSSoftware.
2) Reported by an anonymous person via ZDI.
3) The vendor credits Roee Hay, IBM Rational Application Security
Research Group.
4) Reported by an anonymous person via ZDI.
5) Reported by an anonymous person via iDefense VCP.
6) Reported by an anonymous person via ZDI.
7) Reported by an anonymous person and Subreption via ZDI.
8) The vendor credits David Wharton.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3027
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-08-057/
http://www.zerodayinitiative.com/advisories/ZDI-08-058/
http://www.zerodayinitiative.com/advisories/ZDI-08-059/
http://www.zerodayinitiative.com/advisories/ZDI-08-060/
http://www.zerodayinitiative.com/advisories/ZDI-08-061/
http://www.zerodayinitiative.com/advisories/ZDI-08-062/
iDefense VCP:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=744
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200809-0200 | CVE-2008-3627 | Apple QuickTime Memory corruption vulnerability in multiple atom handling |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Apple QuickTime before 7.5.5 does not properly handle (1) MDAT atoms in MP4 video files within QuickTimeH264.qtx, (2) MDAT atoms in mov video files within QuickTimeH264.scalar, and (3) AVC1 atoms in an unknown media type within an unspecified component, which allows remote attackers to execute arbitrary code or cause a denial of service (heap corruption and application crash) via a crafted, H.264 encoded movie file. This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Apple QuickTime Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists in the parsing of AVC1 atoms. An integer overflow condition is present that can result in a heap chunk being under-allocated. This heap corruption can be further leveraged to execute arbitrary code under the context of the current user.
These issues arise when the application handles specially crafted PICT image files, movies, and QTVR movies. Successful exploits may allow attackers to gain remote unauthorized access in the context of a vulnerable user and to trigger a denial-of-service condition.
Versions prior to QuickTime 7.5.5 are affected.
NOTE: Two issues that were previously covered in this BID were given their own records to better document the details:
- CVE-2008-3626 was moved to BID 31546 ('Apple QuickTime 'STSZ' Atoms Memory Corruption Vulnerability')
- CVE-2008-3629 was moved to BID 31548 ('Apple QuickTime PICT Denial of Service Vulnerability'). Apple QuickTime is a very popular multimedia player. ZDI-08-060: Apple QuickTime AVC1 Atom Parsing Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-060
September 9, 2008
-- CVE ID:
CVE-2008-3627
-- Affected Vendors:
Apple
-- Affected Products:
Apple Quicktime
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6169.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT3027
-- Disclosure Timeline:
2008-05-15 - Vulnerability reported to vendor
2008-09-09 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is being sent by 3Com for the sole use of the intended recipient(s) and
may contain confidential, proprietary and/or privileged information.
Any unauthorized review, use, disclosure and/or distribution by any
recipient is prohibited. If you are not the intended recipient, please
delete and/or destroy all copies of this message regardless of form and
any included attachments and notify 3Com immediately by contacting the
sender via reply e-mail or forwarding to 3Com at postmaster@3com.com.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
We have updated our website, enjoy!
http://secunia.com/
----------------------------------------------------------------------
TITLE:
Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA31821
VERIFY ADVISORY:
http://secunia.com/advisories/31821/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
>From remote
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/advisories/product/5090/
DESCRIPTION:
Multiple vulnerabilities have been reported in QuickTime, which can
be exploited by malicious people to compromise a user's system.
1) An error in the third-party Indeo5 codec for QuickTime can be
exploited to access uninitialised memory via a specially crafted
movie file.
2) A boundary error in QuickTimeInternetExtras.qtx when parsing files
via the third-party Indeo3.2 codec for QuickTime can be exploited to
cause a stack-based buffer overflow via a specially crafted movie
file.
3) A boundary error in the parsing of panorama atoms in QTVR
(QuickTime Virtual Reality) movie files can be exploited to cause a
heap-based buffer overflow via a specially crafted QTVR file.
4) A boundary error in the parsing of panorama PDAT atoms in QTVR
(QuickTime Virtual Reality) movie files can be exploited to cause a
stack-based buffer overflow via a QTVR file containing specially
crafted "maxTilt", "minFieldOfView", and "maxFieldOfView" elements.
6) An error in the CallComponentFunctionWithStorage() function when
parsing STSZ atoms in movie files can be exploited to corrupt memory
via a movie file containing a overly large entry in
sample_size_table.
7) Multiple errors when parsing H.264 encoded movie files (e.g. an
integer overflow when parsing AVC1 atoms and two errors when parsing
MDAT atoms) can be exploited to corrupt memory via a specially
crafted file.
SOLUTION:
Update to version 7.5.5.
QuickTime 7.5.5 for Windows:
http://www.apple.com/support/downloads/quicktime755forwindows.html
QuickTime 7.5.5 for Leopard:
http://www.apple.com/support/downloads/quicktime755forleopard.html
QuickTime 7.5.5 for Tiger:
http://www.apple.com/support/downloads/quicktime755fortiger.html
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Paul Byrne, NGSSoftware.
2) Reported by an anonymous person via ZDI.
3) The vendor credits Roee Hay, IBM Rational Application Security
Research Group.
4) Reported by an anonymous person via ZDI.
5) Reported by an anonymous person via iDefense VCP.
6) Reported by an anonymous person via ZDI.
7) Reported by an anonymous person and Subreption via ZDI.
8) The vendor credits David Wharton.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3027
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-08-057/
http://www.zerodayinitiative.com/advisories/ZDI-08-058/
http://www.zerodayinitiative.com/advisories/ZDI-08-059/
http://www.zerodayinitiative.com/advisories/ZDI-08-060/
http://www.zerodayinitiative.com/advisories/ZDI-08-061/
http://www.zerodayinitiative.com/advisories/ZDI-08-062/
iDefense VCP:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=744
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200809-0005 | CVE-2008-2326 | Windows for Apple Bonjour of Bonjour Namespace Provider In NULL Pointer reference vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
mDNSResponder in the Bonjour Namespace Provider in Apple Bonjour for Windows before 1.0.5 allows attackers to cause a denial of service (NULL pointer dereference and application crash) by resolving a crafted .local domain name that contains a long label. Apple Bonjour for Windows is prone to a denial-of-service issue because of a NULL-pointer dereference.
Successfully exploiting this issue will allow attackers to crash the mDNSResponder system service, denying service to legitimate users.
Bonjour for Windows 1.0.4 is vulnerable. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201201-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: mDNSResponder: Multiple vulnerabilities
Date: January 20, 2012
Bugs: #290822
ID: 201201-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in mDNSResponder, which could
lead to execution of arbitrary code with root privileges.
Background
==========
mDNSResponder is a component of Apple's Bonjour, an initiative for
zero-configuration networking.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/mDNSResponder < 212.1 >= 212.1
Description
===========
Multiple vulnerabilities have been discovered in mDNSResponder. Please
review the CVE identifiers referenced below for details.
Impact
======
A local or remote attacker may be able to execute arbitrary code with
root privileges or cause a Denial of Service.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All mDNSResponder users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/mDNSResponder-212.1"
NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since November 21, 2009. It is likely that your system is
already no longer affected by this issue.
References
==========
[ 1 ] CVE-2007-2386
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2386
[ 2 ] CVE-2007-3744
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3744
[ 3 ] CVE-2007-3828
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3828
[ 4 ] CVE-2008-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0989
[ 5 ] CVE-2008-2326
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2326
[ 6 ] CVE-2008-3630
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3630
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201201-05.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. ----------------------------------------------------------------------
We have updated our website, enjoy!
http://secunia.com/
----------------------------------------------------------------------
TITLE:
Apple Bonjour for Windows mDNSResponder Vulnerabilities
SECUNIA ADVISORY ID:
SA31822
VERIFY ADVISORY:
http://secunia.com/advisories/31822/
CRITICAL:
Less critical
IMPACT:
Spoofing, DoS
WHERE:
>From remote
SOFTWARE:
Apple Bonjour for Windows 1.x
http://secunia.com/product/15636/
DESCRIPTION:
Two vulnerabilities have been reported in Apple Bonjour for Windows,
which can be exploited by malicious people to cause a DoS (Denial of
Service) or spoof DNS responses.
2) An error in the Bonjour API due to lack of randomization when
issuing unicast DNS queries can be exploited to spoof DNS responses.
SOLUTION:
Update to version 1.0.5.
http://www.apple.com/support/downloads/bonjourforwindows105.html
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Mario Ballano, 48bits.com.
2) Reported by the vendor.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT2990
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200809-0491 | No CVE | Sagem F@st 2404 Router 'wancfg.cmd' Denial of Service Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Sagem F@st 2404 is prone to a denial-of-service vulnerability.
Attackers can exploit this issue to cause the affected device to crash, denying service to legitimate users. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.
| VAR-200809-0058 | CVE-2008-4133 | D-Link DIR-100 upper Web In proxy service Web Vulnerability bypassing restriction filters |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The web proxy service on the D-Link DIR-100 with firmware 1.12 and earlier does not properly filter web requests with large URLs, which allows remote attackers to bypass web restriction filters. D-Link DIR-100 is a small broadband router with integrated firewall function.
There are loopholes in the implementation of DIR-100's web management interface. If users use a long URL of about 1300 characters in a web browser, they can bypass URL filtering performed by the built-in firewall of D-Link DIR-100 router. Access to restricted resources. D-Link DIR-100 is affected by a vulnerability that allows attackers to bypass security restrictions and access sites that are blocked by an administrator.
D-Link DIR-100 devices with firmware 1.12 are vulnerable; other versions may be affected as well. ----------------------------------------------------------------------
We have updated our website, enjoy!
http://secunia.com/
----------------------------------------------------------------------
TITLE:
D-Link DIR-100 Ethernet Broadband Router URL Filtering Bypass
SECUNIA ADVISORY ID:
SA31767
VERIFY ADVISORY:
http://secunia.com/advisories/31767/
CRITICAL:
Less critical
IMPACT:
Security Bypass
WHERE:
>From local network
OPERATING SYSTEM:
D-Link DIR-100 Ethernet Broadband Router
http://secunia.com/product/19762/
DESCRIPTION:
Marc Ruef has reported a vulnerability in D-Link DIR-100 Ethernet
Broadband Router, which can be exploited by malicious people to
bypass the URL filtering functionality.
The vulnerability is caused due to an error within the parental
control when handling certain requested URLs and can be exploited to
access forbidden websites via long, specially crafted requests.
SOLUTION:
Do not rely on the filtering mechanism.
PROVIDED AND/OR DISCOVERED BY:
Marc Ruef, scip AG
ORIGINAL ADVISORY:
http://lists.grok.org.uk/pipermail/full-disclosure/2008-September/064303.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200908-0183 | CVE-2008-6976 | MicroTik RouterOS In NMS Vulnerability whose settings are changed |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
MikroTik RouterOS 3.x through 3.13 and 2.x through 2.9.51 allows remote attackers to modify Network Management System (NMS) settings via a crafted SNMP set request. MikroTik RouterOS is prone to a security-bypass vulnerability because the software fails to sufficiently sanitize SNMP requests. This may aid in further attacks.
Versions up to and including RouterOS 3.13 and 2.9.51 are vulnerable. MicroTik RouterOS is a solution that turns a standard PC into a network router
| VAR-200809-0458 | No CVE | Hitachi JP1/File Transmission Server/FTP Unauthorized File Permission Change Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: Medium |
Hitachi JP1/File Transmission Server/FTP has a vulnerability which allows unauthorized users to change file permissions.An unauthorized user could change file permissions.