VARIoT IoT vulnerabilities database

-HP Printers running FTP Print Server are prone to a buffer-overflow vulnerability. This issue occurs because the application fails to boundscheck user-supplied data before copying it into an insufficiently sized buffer. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.

QuickTime for Java on Mac OS X 10.4 through 10.4.8, when used with Quartz Composer, allows remote attackers to obtain sensitive information (screen images) via a Java applet that accesses images that are being rendered by other embedded QuickTime objects. Apple Mac OS X is prone to an information-disclosure vulnerability. Attackers may exploit this issue by convincing victims into visiting a malicious website. If this tool is used in conjunction with Quartz Composer, it is possible to capture graphics containing local information. ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. Try it out online: http://secunia.com/software_inspector/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Quicktime/Quartz Composer Information Disclosure SECUNIA ADVISORY ID: SA23438 VERIFY ADVISORY: http://secunia.com/advisories/23438/ CRITICAL: Less critical IMPACT: Exposure of sensitive information WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: A vulnerability has been reported in Mac OS X, which can be exploited by malicious people to gain knowledge of sensitive information. SOLUTION: Apply Security Update 2006-008. PROVIDED AND/OR DISCOVERED BY: The vendor credits Geoff Beier. ORIGINAL ADVISORY: http://docs.info.apple.com/article.html?artnum=304916 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Race condition in W29N51.SYS in the Intel 2200BG wireless driver 9.0.3.9 allows remote attackers to cause memory corruption and execute arbitrary code via a series of crafted beacon frames. NOTE: some details are obtained solely from third party information. Intel 2200BG driver is prone to a remote code-execution vulnerability due to a race condition. Failed exploit attempts will likely cause denial-of-service conditions. Intel 2200BG is a mini PCI wireless network card used in notebooks. code. ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. Try it out online: http://secunia.com/software_inspector/ ---------------------------------------------------------------------- TITLE: Intel 2200BG W29N51.SYS Driver Beacon Frame Race Condition SECUNIA ADVISORY ID: SA23338 VERIFY ADVISORY: http://secunia.com/advisories/23338/ CRITICAL: Moderately critical IMPACT: System access WHERE: >From remote SOFTWARE: Intel Wireless LAN Driver 9.x http://secunia.com/product/12914/ DESCRIPTION: Berno Silva has reported a vulnerability in Intel 2200BG drivers, which potentially can be exploited by malicious people to compromise a vulnerable system. This can be exploited to overwrite certain kernel memory structures via sending multiple specially crafted beacon frames to the wireless card. The vulnerability is reported in version 9.0.3.9. Other versions may also be affected. SOLUTION: Turn off the wireless card when not in use. PROVIDED AND/OR DISCOVERED BY: Berno Silva, Open Communications Security ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Allied Telesis AT-9000/24 Ethernet switch accepts management packets from arbitrary VLANs, contrary to the documentation, which allows remote attackers to conduct attacks against the switch from unexpected locations. Allied Telesis AT-9000/24 switches are prone to an unauthorized-management-VLAN-access vulnerability. Exploiting this issue allows attackers with access to any port on affected switches to access the management VLAN. This may aid them in further attacks. Allied Telesis AT-9000/24 ​​is a 24-port Gigabit switch made by Allied Telesis in the United States. Allied Telesis AT-9000/24 ​​has loopholes in the managed access control, and attackers may gain unauthorized access to the device. Under normal circumstances, the remote management (SNMP, TELNET, HTTP) of the switch should only be performed through the management VLAN. The only management VLAN option for the AT-9000/24 ​​is Default VLAN. However, if the switch is configured to contain multiple VLANs instead of just the Default VLAN, it can be managed from all of these VLANs. ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. Try it out online: http://secunia.com/software_inspector/ ---------------------------------------------------------------------- TITLE: Simple Web Content Management System "id" SQL Injection SECUNIA ADVISORY ID: SA23590 VERIFY ADVISORY: http://secunia.com/advisories/23590/ CRITICAL: Moderately critical IMPACT: Manipulation of data, Exposure of system information, Exposure of sensitive information WHERE: >From remote SOFTWARE: Simple Web Content Management System http://secunia.com/product/13142/ DESCRIPTION: DarkFig has discovered a vulnerability in Simple Web Content Management System, which can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "id" parameter in page.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation allows retrieval of arbitrary files from the database server. SOLUTION: Edit the source code to ensure that input is properly sanitised. PROVIDED AND/OR DISCOVERED BY: DarkFig ORIGINAL ADVISORY: http://acid-root.new.fr/poc/18070102.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

AntiHook 3.0.0.23 - Desktop relies on the Process Environment Block (PEB) to identify a process, which allows local users to bypass the product's controls on a process by spoofing the (1) ImagePathName, (2) CommandLine, and (3) WindowTitle fields in the PEB. (1) PEB Inside ImagePathName (2) PEB Inside CommandLine (3) PEB Inside WindowTitle field. Multiple vendor firewalls and HIPS (host-based intrusion prevention systems) are prone to a process-spoofing vulnerability. An attacker can exploit this issue to have an arbitrary malicious program appear to run as a trusted process and function undetected on an affected victim's computer. The following software is vulnerable; other versions may also be affected: InfoProcess AntiHook version 3.0.0.23 AVG Anti-Virus plus Firewall version 7.5.431 Comodo Personal Firewall version 2.3.6.81 Filseclab Personal Firewall version 3.0.0.8686 Look 'n' Stop Personal Firewall version 2.05p2 Symantec Sygate Personal Firewall version 5.6.2808. are all very popular firewalls. There are loopholes in the processing of user-mode process information in multiple host security software, and attackers may use this loophole to bypass security restrictions. Personal firewalls, HIPS, and similar security software that enforce security on a per-process basis must be able to identify processes attempting to perform privileged operations. A remote attacker can use the spoofed process to bypass the control of the security check. Including (1) the image directory name, (2) the command line, and (3) the WINDOWS header text in the PEB

Soft4Ever Look 'n' Stop (LnS) 2.05p2 before 20061215 relies on the Process Environment Block (PEB) to identify a process, which allows local users to bypass the product's controls on a process by spoofing the (1) ImagePathName, (2) CommandLine, and (3) WindowTitle fields in the PEB. Multiple vendor firewalls and HIPS (host-based intrusion prevention systems) are prone to a process-spoofing vulnerability. An attacker can exploit this issue to have an arbitrary malicious program appear to run as a trusted process and function undetected on an affected victim's computer. The following software is vulnerable; other versions may also be affected: InfoProcess AntiHook version 3.0.0.23 AVG Anti-Virus plus Firewall version 7.5.431 Comodo Personal Firewall version 2.3.6.81 Filseclab Personal Firewall version 3.0.0.8686 Look 'n' Stop Personal Firewall version 2.05p2 Symantec Sygate Personal Firewall version 5.6.2808. are all very popular firewalls. There are loopholes in the processing of user-mode process information in multiple host security software, and attackers may use this loophole to bypass security restrictions. Personal firewalls, HIPS, and similar security software that enforce security on a per-process basis must be able to identify processes attempting to perform privileged operations. Controls that allow remote attackers to bypass security checks by spoofing the process. Including (1) the image directory name, (2) the command line, and (3) the WINDOWS header text in the PEB

Sygate Personal Firewall 5.6.2808 relies on the Process Environment Block (PEB) to identify a process, which allows local users to bypass the product's controls on a process by spoofing the (1) ImagePathName, (2) CommandLine, and (3) WindowTitle fields in the PEB. Multiple vendor firewalls and HIPS (host-based intrusion prevention systems) are prone to a process-spoofing vulnerability. An attacker can exploit this issue to have an arbitrary malicious program appear to run as a trusted process and function undetected on an affected victim's computer. The following software is vulnerable; other versions may also be affected: InfoProcess AntiHook version 3.0.0.23 AVG Anti-Virus plus Firewall version 7.5.431 Comodo Personal Firewall version 2.3.6.81 Filseclab Personal Firewall version 3.0.0.8686 Look 'n' Stop Personal Firewall version 2.05p2 Symantec Sygate Personal Firewall version 5.6.2808. are all very popular firewalls. There are loopholes in the processing of user-mode process information in multiple host security software, and attackers may use this loophole to bypass security restrictions. Personal firewalls, HIPS, and similar security software that enforce security on a per-process basis must be able to identify processes attempting to perform privileged operations. Remote attackers can use spoofed processes to bypass the control of security checks. Including (1) image directory name, (2) command line, and (3) WINDOWS header text in PEB

Filseclab Personal Firewall 3.0.0.8686 relies on the Process Environment Block (PEB) to identify a process, which allows local users to bypass the product's controls on a process by spoofing the (1) ImagePathName, (2) CommandLine, and (3) WindowTitle fields in the PEB. Multiple vendor firewalls and HIPS (host-based intrusion prevention systems) are prone to a process-spoofing vulnerability. An attacker can exploit this issue to have an arbitrary malicious program appear to run as a trusted process and function undetected on an affected victim's computer. The following software is vulnerable; other versions may also be affected: InfoProcess AntiHook version 3.0.0.23 AVG Anti-Virus plus Firewall version 7.5.431 Comodo Personal Firewall version 2.3.6.81 Filseclab Personal Firewall version 3.0.0.8686 Look 'n' Stop Personal Firewall version 2.05p2 Symantec Sygate Personal Firewall version 5.6.2808. are all very popular firewalls. There are loopholes in the processing of user-mode process information in multiple host security software, and attackers may use this loophole to bypass security restrictions. Personal firewalls, HIPS, and similar security software that enforce security on a per-process basis must be able to identify processes attempting to perform privileged operations. Remote attackers can use spoofed processes to bypass the control of security checks. Including (1) image directory name, (2) command line, and (3) WINDOWS header text in PEB

Comodo Personal Firewall 2.3.6.81 relies on the Process Environment Block (PEB) to identify a process, which allows local users to bypass the product's controls on a process by spoofing the (1) ImagePathName, (2) CommandLine, and (3) WindowTitle fields in the PEB. (1) PEB Inside ImagePathName (2) PEB Inside CommandLine (3) PEB Inside WindowTitle field. Multiple vendor firewalls and HIPS (host-based intrusion prevention systems) are prone to a process-spoofing vulnerability. An attacker can exploit this issue to have an arbitrary malicious program appear to run as a trusted process and function undetected on an affected victim's computer. The following software is vulnerable; other versions may also be affected: InfoProcess AntiHook version 3.0.0.23 AVG Anti-Virus plus Firewall version 7.5.431 Comodo Personal Firewall version 2.3.6.81 Filseclab Personal Firewall version 3.0.0.8686 Look 'n' Stop Personal Firewall version 2.05p2 Symantec Sygate Personal Firewall version 5.6.2808. are all very popular firewalls. There are loopholes in the processing of user-mode process information in multiple host security software, and attackers may use this loophole to bypass security restrictions. Personal firewalls, HIPS, and similar security software that enforce security on a per-process basis must be able to identify processes attempting to perform privileged operations. Remote attackers can use spoofed processes to bypass the control of security checks. Including (1) image directory name, (2) command line, and (3) WINDOWS header text in PEB

AVG Anti-Virus plus Firewall 7.5.431 relies on the Process Environment Block (PEB) to identify a process, which allows local users to bypass the product's controls on a process by spoofing the (1) ImagePathName, (2) CommandLine, and (3) WindowTitle fields in the PEB. (1) PEB Inside ImagePathName (2) PEB Inside CommandLine (3) PEB Inside WindowTitle field. Multiple vendor firewalls and HIPS (host-based intrusion prevention systems) are prone to a process-spoofing vulnerability. An attacker can exploit this issue to have an arbitrary malicious program appear to run as a trusted process and function undetected on an affected victim's computer. The following software is vulnerable; other versions may also be affected: InfoProcess AntiHook version 3.0.0.23 AVG Anti-Virus plus Firewall version 7.5.431 Comodo Personal Firewall version 2.3.6.81 Filseclab Personal Firewall version 3.0.0.8686 Look 'n' Stop Personal Firewall version 2.05p2 Symantec Sygate Personal Firewall version 5.6.2808. are all very popular firewalls. There are loopholes in the processing of user-mode process information in multiple host security software, and attackers may use this loophole to bypass security restrictions. Personal firewalls, HIPS, and similar security software that enforce security on a per-process basis must be able to identify processes attempting to perform privileged operations. A remote attacker can use the spoofed process to bypass the control of the security check. Including (1) the image directory name, (2) the command line, and (3) the WINDOWS header text in the PEB

Microsoft Internet Information Services (IIS) 5.1 permits the IUSR_Machine account to execute non-EXE files such as .COM files, which allows attackers to execute arbitrary commands via arguments to any .COM file that executes those arguments, as demonstrated using win.com when it is in a web directory with certain permissions. IIS is prone to a remote security vulnerability

Microsoft Windows XP has weak permissions (FILE_WRITE_DATA and FILE_READ_DATA for Everyone) for %WINDIR%\pchealth\ERRORREP\QHEADLES, which allows local users to write and read files in this folder, as demonstrated by an ASP shell that has write access by IWAM_machine and read access by IUSR_Machine. IIS is prone to a local security vulnerability

D-LINK DWL-2000AP+ firmware 2.11 allows remote attackers to cause (1) a denial of service (device reset) via a flood of ARP replies on the wired or wireless (radio) link and (2) a denial of service (device crash) via a flood of ARP requests on the wireless link. Dwl-2000Ap%2B is prone to a denial-of-service vulnerability. ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. Try it out online: http://secunia.com/software_inspector/ ---------------------------------------------------------------------- TITLE: D-LINK DWL-2000AP+ Denial of Service SECUNIA ADVISORY ID: SA23332 VERIFY ADVISORY: http://secunia.com/advisories/23332/ CRITICAL: Less critical IMPACT: DoS WHERE: >From local network OPERATING SYSTEM: D-Link DWL-2000AP+ http://secunia.com/product/12883/ DESCRIPTION: poplix has reported a vulnerability in D-LINK DWL-2000AP+, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the handling of ARP packets and can be exploited under certain circumstances to crash the device via ARP flooding attacks. The vulnerability is reported with firmware version 2.11. Other versions may also be affected. SOLUTION: Use another product. PROVIDED AND/OR DISCOVERED BY: poplix ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

D-LINK DWL-2000AP + is a popular wireless access router.  DWL-2000AP + has a vulnerability in processing a large number of ARP requests, and remote attackers may use this vulnerability to cause the device to malfunction.  D-LINK DWL-2000AP + did not properly handle the arp flood, resulting in two denial of service vulnerabilities. If an attacker can send a large number of arp replies at a high speed through a wired connection or broadcast, it will cause the wireless connection (802.11) to be reset and the arp table rebuilt, and all clients connected to the AP will be disconnected. The second vulnerability only affects wireless connections. If there are no other D-LINK Ethernet products in the AP range and wep encryption is enabled, an attacker can broadcast a large number of arp requests through a wireless connection at high speed, causing a denial of service. This attack works only 90% of the time, because APs can sometimes ban the client that sent the flood before completing the attack.

Adobe ColdFusion MX 7 through 7.0.2, and JRun 4, when run on Microsoft IIS, allows remote attackers to read arbitrary files, list directories, or read source code via a double URL-encoded NULL byte in a ColdFusion filename, such as a CFM file. Adobe Download Manager contains a buffer overflow. This vulnerability may allow a remote, unauthenticated attacker to run arbitrary code with the privileges of the affected user or cause a denial-of-service condition. Adobe ColdFusion is prone to an information-disclosure vulnerability. Successfully exploiting this issue allows remote attackers to gain access to the contents of arbitrary files that are not interpreted by ColdFusion. This includes the source of scripting files not handled by ColdFusion, configuration files, log files, and other data files. Information harvested may aid attackers in further attacks. Adobe ColdFusion MX7, 7.0.1 and 7.0.2 are vulnerable. ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. ".cfm". Other versions may also be affected. SOLUTION: Apply hotfix (See vendor's advisory for details). Adobe Macromedia ColdFusion Source Code Disclosure Vulnerability iDefense Security Advisory 01.09.07 http://labs.idefense.com/intelligence/vulnerabilities/ Jan 09, 2007 I. BACKGROUND Adobe Macromedia ColdFusion is an application server and development framework for websites. More information is available at the following URL. http://www.adobe.com/products/coldfusion/ II. DESCRIPTION Remote exploitation of an input validation vulnerability in Adobe Systems Inc.'s Macromedia ColdFusion MX 7 may allow an attacker to view file contents on the server. The vulnerability specifically exists in that URL encoded filenames will be decoded by the IIS process and then again by the ColdFusion process. By supplying a URL containing a double encoded null byte and an extension handled by ColdFusion, such as '.cfm', it is possible to view the contents of any file which is not interpreted by ColdFusion. III. Although this vulnerability does not in itself allow execution of code on the server, it may allow an attacker to discover sensitive information such as passwords or to discover vulnerabilities in other scripts on the system or potentially bypass some security restrictions. IV. DETECTION iDefense has confirmed this vulnerability exists in Adobe Macromedia ColdFusion MX 7.0.2, with all available fixes, running on Microsoft IIS vulnerable. V. WORKAROUND iDefense is unaware of any effective workarounds for this vulnerability. VI. VENDOR RESPONSE Adobe has released a patch for this issue. For more information consult their advisory at the link below. http://www.adobe.com/support/security/bulletins/apsb07-02.html VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2006-5858 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 11/08/2006 Initial vendor notification 11/09/2006 Initial vendor response 01/09/2007 Coordinated public disclosure IX. CREDIT This vulnerability was reported to iDefense by Inge Henriksen. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright \xa9 2006 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: Adobe Download Manager AOM Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA23233 VERIFY ADVISORY: http://secunia.com/advisories/23233/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: Adobe Download Manager 1.x http://secunia.com/product/7045/ Adobe Download Manager 2.x http://secunia.com/product/12814/ DESCRIPTION: A vulnerability has been reported in Adobe Download Manager, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error when handling section names in the "dm.ini" file as created by Adobe Download Manager when processing AOM files. This can be exploited to cause a stack-based buffer overflow via a specially crafted AOM or "dm.ini" file. Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious website. SOLUTION: Update to version 2.2. PROVIDED AND/OR DISCOVERED BY: Derek Soeder, eEye Digital Security. The vendor also credits Zero Day Initiative. ORIGINAL ADVISORY: Adobe: http://www.adobe.com/support/security/bulletins/apsb06-19.html eEye Digital Security: http://research.eeye.com/html/advisories/published/AD20061205.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

F-Secure Anti-Virus for Linux Gateways 4.65 allows remote attackers to cause a denial of service (possibly fatal scan error), and possibly bypass virus detection, by inserting invalid characters into base64 encoded content in a multipart/mixed MIME file, as demonstrated with the EICAR test file. Various security products are prone to a filter-bypass weakness. These products include: - BitDefender Mail Protection for SMB 2.0 - ClamAV 0.88.6 - F-prot AntiVirum for Linux x86 Mail Servers 4.6.6 - Kaspersky Anti-Virus for Linux Mail Server 5.5.10 Other applications and versions may also be affected. This issue occurs because the application fails to handle malformed input that may allow an attacker to bypass the file-filtering mechanism. There is a security bypass vulnerability in F-Secure Anti-Virus for Linux Gateways. Such as passing the EICAR test file

PhoneCtrl.exe in Linksys WIP 330 Wireless-G IP Phone 1.00.06A allows remote attackers to cause a denial of service (crash) via a TCP SYN scan, as demonstrated using TCP ports 1-65535 with nmap. Linksys WIP330 'PhoneCtrl.exe' is prone to a denial-of-service vulnerability when the device is full port-range scanning. Exploiting this issue allows remote attackers to crash and reboot affected devices, denying service to legitimate users. Linksys WIP330 firmware version 1.00.06a is affected by this issue; other versions may also be affected. Linksys WIP 330 is a VoIP network cordless phone. If I run a port-wide Nmap scan of the WIP 330's IP address with the command: nmap -P0 <WIP 330 ip address> -p 1-65535 then PhoneCtrl.exe will crash at the end of the Nmap scan. ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. Try it out online: http://secunia.com/software_inspector/ ---------------------------------------------------------------------- TITLE: Linksys WIP 330 "PhoneCtrl.exe" Denial of Service SECUNIA ADVISORY ID: SA23256 VERIFY ADVISORY: http://secunia.com/advisories/23256/ CRITICAL: Less critical IMPACT: DoS WHERE: >From local network OPERATING SYSTEM: Linksys WIP 330 http://secunia.com/product/12837/ DESCRIPTION: A vulnerability has been reported in Linksys WIP 330, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an unspecified error when a nmap port scan is performed on the full port-range of the IP address of the device. This can be exploited to crash PhoneCtrl.exe resulting in a DoS. SOLUTION: Restrict usage to trusted networks only. PROVIDED AND/OR DISCOVERED BY: Armijn Hemel ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Stack-based buffer overflow in Intel PRO 10/100, PRO/1000, and PRO/10GbE PCI, PCI-X, and PCIe network adapter drivers (aka NDIS miniport drivers) before 20061205 allows local users to execute arbitrary code with "kernel-level" privileges via an incorrect function call in certain OID handlers. Intel PRO Ethernet The driver contains a buffer overflow vulnerability. This can lead to arbitrary code execution on the local machine.A local user may execute arbitrary code with system privileges on the local machine. An attacker can trigger this issue to corrupt memory and to execute code with kernel-level privileges. A successful attack can result in a complete compromise of the affected computer due to privilege escalation. All PCI, PCI-X, and PCIe Intel network adapter drivers are vulnerable. Intel Pro 100/1000 is a series of network card devices launched by Intel. Although the NDIS miniport driver occupies a low level, unprivileged userland code can still communicate with the driver through NIC statistics requests that need to be implemented by NDIS. If an attacker can send an IOCTL_NDIS_QUERY_SELECTED_STATS (0x17000E) request to \Device\{adapterguid}, it will cause NDIS.SYS to call the QueryInformationHandler routine registered by the miniport driver when calling NdisMRegisterMiniport. The input buffer provided by this IOCTL is a list of 32-bit OIDs related to statistics, each of which is passed independently to the QueryInformationHandler, which contains the code required to retrieve the statistics and return them to the output buffer. Under Windows 2000, pointers to user-supplied buffers are passed directly to the miniport driver, which means the data is user-controllable. Under Windows XP and later versions, the pointer is transferred to a temporary buffer containing undefined data in the kernel memory, so the pool memory must be controlled before the attack to control the above data. A processor with OID 0xFF0203FC copies the output buffer's string to a stack variable using the following strcpy operation: strcpy(&(var_1D4.sz_62), (char*)InformationBuffer + 4) Thus, an attacker can String causes the processor to completely overwrite the return address of the function, redirecting execution flow to an arbitrary user-mode or kernel-mode address. The attack string must be at offset +0x0C in the output buffer, as NDIS itself uses the first 8 bytes. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: Intel LAN Driver Unspecified Privilege Escalation Vulnerability SECUNIA ADVISORY ID: SA23221 VERIFY ADVISORY: http://secunia.com/advisories/23221/ CRITICAL: Less critical IMPACT: Privilege escalation WHERE: Local system SOFTWARE: Intel PRO 10/100 Adapters (Linux) 3.x http://secunia.com/product/12824/ Intel PRO 10/100 Adapters (UnixWare/SCO6) 4.x http://secunia.com/product/12827/ Intel PRO 10/100 Adapters (Windows) 8.x http://secunia.com/product/12821/ Intel PRO/1000 Adapters (Linux) 7.x http://secunia.com/product/12825/ Intel PRO/1000 Adapters (UnixWare/SCO6) 9.x http://secunia.com/product/12828/ Intel PRO/1000 Adapters (Windows) 8.x http://secunia.com/product/12822/ Intel PRO/1000 PCIe Adapters (Windows) 9.x http://secunia.com/product/12823/ Intel PRO/10GbE Adapters (Linux) 1.x http://secunia.com/product/12826/ DESCRIPTION: A vulnerability has been reported in Intel LAN drivers, which can be exploited by malicious, local users to gain escalated privileges. The vulnerability is caused due to an unspecified error and can be exploited to cause a buffer overflow by using certain function calls incorrectly. SOLUTION: Apply patches (see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: The vendor credits eEye Digital Security. ORIGINAL ADVISORY: Intel: http://www.intel.com/support/network/sb/CS-023726.htm ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple unspecified vulnerabilities in BOMArchiveHelper in Mac OS X allow user-assisted remote attackers to cause a denial of service (application crash) via unspecified vectors related to (1) certain KERN_PROTECTION_FAILURE thread crashes and (2) certain KERN_INVALID_ADDRESS thread crashes, as discovered with the "iSec Partners FileP fuzzer". Mac OS X of BOMArchiveHelper There is a service disruption ( Application crash ) There is a vulnerability that becomes a condition. This vulnerability "iSec Partners FileP fuzzer" It was discovered inDenial of service by attacker ( Application crash ) There is a possibility of being put into a state. The BOMArchiveHelper application is prone to multiple remote vulnerabilities when processing malformed files. Attackers may be able to exploit one or more of these issues to execute code, but this has not been confirmed. Note that these issues were discovered by using a file-fuzzing application, but have not been researched further. This BID will be updated as more information is released

Multiple SQL injection vulnerabilities in the Content module in PHP-Nuke 6.0, and possibly other versions, allow remote attackers to execute arbitrary SQL commands via (1) the cid parameter in a list_pages_categories action or (2) the pid parameter in a showpage action. (1) list_pages_categories In action cid Parameters (2) showpage action In action pid Parameters. PHP-Nuke is prone to an sql-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. PHP-Nuke is prone to a sql-injection vulnerability. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database